
I'm sorry, my English is not good.

In protected mode, accessing beyond the segment limit triggers #GP. But I have a strange problem on 64-bit processors (i7-3840, i5-3540): I initialize DS or ES to 0 in real mode, then switch to protected mode and keep using the descriptor cache values loaded in real mode (DS base address = 0, limit = 0xFFFF). At this point, if I access memory above 0xFFFF through DS or ES, it does not trigger #GP.

Code snippet:

```asm
.code16
.intel_syntax noprefix      # the snippet uses Intel operand order; directive assumed, not in the original
start.1:
    cli
    xor cx,cx           # CX = 0
    mov ds,cx           # real-mode load: base = 0, cached limit left as is
    mov es,cx
    mov ss,cx
    mov sp,0x7c00
main:
    lgdt    gdtr
    lidt    idtr

    mov eax,cr0
    or  al,1            # set CR0.PE
    mov cr0,eax

    jmp .+2             # flush the prefetch queue; GAS uses `.` for the current location
                        # CS_BASE=DS_BASE=ES_BASE=0
                        # CS_SEL=DS_SEL=ES_SEL=0
                        # LIMIT = 0xFFFF
                        # (no segment register is reloaded after PE=1, so the
                        #  real-mode descriptor cache contents stay in effect)

    mov edi,0x40000     # DS/ES are 16-bit segments, 0x40000 exceeds the segment limit
    mov [edi],eax       # i386 will trigger #GP

    jmp .

# Minimal GDT/IDT pseudo-descriptors so that lgdt/lidt assemble. These are
# assumed here and are not part of the original snippet; no selector is ever
# loaded from them, which is the point of the test above.
gdt:
    .quad 0             # null descriptor
gdt_end:
gdtr:
    .word gdt_end - gdt - 1
    .long gdt
idtr:
    .word 0
    .long 0
```
Comments:

- It is possible on your i7 that the BIOS actually put your processor in something called [**unreal mode**](https://en.wikipedia.org/wiki/Unreal_mode), which is real mode where the segment limits are set to 0xffffffff (using page granularity). If the processor did that then a #GP won't be raised. There are many processors that do this when booting legacy BIOS, but many do not. – Michael Petch Mar 07 '20 at 16:16
- I will point out that `mov ds,cx` in real mode loads the base in the descriptor cache with a new value, but doesn't touch the limit in the descriptor cache. So after you do `mov ds,cx` the base will be set to zero, but the limit will be whatever the BIOS left in the descriptor cache at boot time (or could be the original default of the processor at power on). – Michael Petch Mar 07 '20 at 16:31
- I don't get it. You enable PM but never do a far jump? Or change the default operand size to 32-bit? And is the question title correct? – Margaret Bloom Mar 08 '20 at 09:32
- @MichaelPetch Yes, you are right. Some BIOSes did not lock SMM space. By triggering SMI, I successfully read the descriptor cache: the LIMIT of all data segments was set to 0xFFFF_FFFF. – lgj1107 Mar 09 '20 at 04:40
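A small model of the descriptor-cache behaviour this thread describes, added here as an example (not code from the question or the comments): a real-mode segment load refreshes only the selector and base, a protected-mode load refreshes the limit too, and setting CR0.PE on its own reloads nothing. The struct, function names and limit-check logic are the model's own assumptions; it shows why the store at 0x40000 faults with a cached limit of 0xFFFF but not with the 0xFFFFFFFF limit that unreal mode leaves behind.

```c
#include <stdbool.h>
#include <stdint.h>

/* Model of one segment register plus its hidden descriptor cache (assumed names). */
typedef struct {
    uint16_t selector;
    uint32_t base;
    uint32_t limit;   /* effective byte limit, granularity already applied */
} seg_cache_t;

/* Real-mode segment load: selector and base change, the cached limit is left alone. */
static void real_mode_load(seg_cache_t *s, uint16_t sel) {
    s->selector = sel;
    s->base = (uint32_t)sel << 4;
}

/* Protected-mode load from a descriptor: base and limit are both refreshed.
 * raw_limit is the 20-bit descriptor field; g is the granularity bit. */
static void protected_mode_load(seg_cache_t *s, uint16_t sel, uint32_t base,
                                uint32_t raw_limit, bool g) {
    s->selector = sel;
    s->base = base;
    s->limit = g ? ((raw_limit << 12) | 0xFFF) : raw_limit;
}

/* Expand-up data segment limit check: true if the whole access fits, false means #GP. */
static bool access_ok(const seg_cache_t *s, uint32_t offset, uint32_t size) {
    return (uint64_t)offset + size - 1 <= s->limit;
}

/* What a BIOS leaves behind when it enters unreal mode: load DS from a 4 GiB
 * descriptor in protected mode, drop back to real mode, then reload DS with 0. */
static uint32_t unreal_mode_cached_limit(void) {
    seg_cache_t ds = {0, 0, 0xFFFF};                  /* power-on default limit */
    protected_mode_load(&ds, 0x10, 0, 0xFFFFF, true); /* limit 0xFFFFF, G=1 */
    real_mode_load(&ds, 0);                           /* back in real mode: base 0, limit kept */
    return ds.limit;                                  /* 0xFFFFFFFF */
}

/* The question's sequence: mov ds,cx (cx=0) in real mode, set CR0.PE without
 * reloading DS, then mov [edi],eax with edi = 0x40000. */
static bool store_faults_after_pe(uint32_t cached_limit) {
    seg_cache_t ds = {0, 0, cached_limit};      /* limit as the BIOS left it */
    real_mode_load(&ds, 0);                     /* mov ds,cx */
    /* mov cr0,eax with PE=1: no segment register is touched, cache unchanged */
    return !access_ok(&ds, 0x40000, 4);         /* 4-byte store through DS */
}
```

With a cached limit of 0xFFFF the store faults; after the unreal-mode sequence the cached limit is 0xFFFFFFFF and the same store is accepted, which matches what the SMM read in the last comment found.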
