Intel IA-32 User Manual


Vol. 3A 4-31

PROTECTION

When SYSRET transfers control to 64-bit mode user code using REX.W, the processor gets the
privilege level 3 target instruction and stack pointer from:

Target code segment — Reads a non-NULL selector from IA32_STAR[63:48] + 16.

Target instruction — Copies the value in RCX into RIP.

Stack segment — IA32_STAR[63:48] + 8.

EFLAGS — Loaded from R11.

When SYSRET transfers control to 32-bit mode user code using a 32-bit operand size, the
processor gets the privilege level 3 target instruction and stack pointer from:

Target code segment — Reads a non-NULL selector from IA32_STAR[63:48].

Target instruction — Copies the value in ECX into EIP.

Stack segment — IA32_STAR[63:48] + 8.

EFLAGS — Loaded from R11.

It is the responsibility of the OS to ensure the descriptors in the GDT/LDT correspond to the
selectors loaded by SYSCALL/SYSRET (consistent with the base, limit, and attribute values
forced by the instructions).

Any address written to IA32_LSTAR is first checked by WRMSR to ensure canonical form. If
an address is not canonical, an exception is generated (#GP).

See Figure 4-14 for the layout of IA32_STAR, IA32_LSTAR and IA32_FMASK.

Figure 4-14. MSRs Used by SYSCALL and SYSRET

IA32_STAR   bits 63:48  SYSRET CS and SS
            bits 47:32  SYSCALL CS and SS
            bits 31:0   Reserved

IA32_LSTAR  bits 63:0   Target RIP for 64-bit Mode Calling Program

IA32_FMASK  bits 63:32  Reserved
            bits 31:0   SYSCALL EFLAGS Mask
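The following C program is an added example, not code from the Intel manual. It decodes the IA32_STAR selector fields exactly as the text above describes them (SYSCALL CS from bits 47:32, SYSRET CS from bits 63:48 or 63:48 + 16 depending on operand size, SS always +8), models the canonical-address check that WRMSR applies to IA32_LSTAR, and implements the consistency check the text leaves to the OS: that the GDT descriptors at the forced selectors really are a DPL0 64-bit code segment, a DPL0 data segment, a DPL3 32-bit code segment, a DPL3 data segment and a DPL3 64-bit code segment. Assumptions not on this page: 4-level paging (48-bit canonical addresses), the RPL forcing (SYSCALL clears RPL, SYSRET sets RPL=3) taken from the instruction reference, and the sample selector layout (0x10/0x18 kernel, 0x23/0x2B/0x33 user), which is a constructed value chosen to resemble a typical 64-bit OS.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* --- IA32_STAR field decoding (bit positions from Figure 4-14) --- */

/* SYSCALL: CS selector from IA32_STAR[47:32]; the instruction forces RPL=0
   (assumption from the SDM instruction reference, not this page). SS = CS + 8. */
uint16_t syscall_cs(uint64_t star) { return (uint16_t)((star >> 32) & 0xFFFCu); }
uint16_t syscall_ss(uint64_t star) { return (uint16_t)(syscall_cs(star) + 8); }

/* SYSRET base selector from IA32_STAR[63:48]. 64-bit mode (REX.W) uses base+16
   for CS, 32-bit operand size uses base; SS is base+8 in both cases. SYSRET
   forces RPL=3 (assumption from the instruction reference). */
uint16_t sysret_base(uint64_t star) { return (uint16_t)((star >> 48) & 0xFFFFu); }
uint16_t sysret64_cs(uint64_t star) { return (uint16_t)((sysret_base(star) + 16) | 3); }
uint16_t sysret32_cs(uint64_t star) { return (uint16_t)(sysret_base(star) | 3); }
uint16_t sysret_ss(uint64_t star)   { return (uint16_t)((sysret_base(star) + 8) | 3); }

/* --- IA32_LSTAR canonical check --- */

/* 48-bit linear addresses (4-level paging assumed): bits 63:47 must all be
   equal, i.e. the top 17 bits are all 0 or all 1. */
bool is_canonical48(uint64_t addr) {
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1FFFFu;
}

uint64_t ia32_lstar = 0;   /* modelled MSR contents */

/* Software model of WRMSR to IA32_LSTAR: returns false where hardware would
   raise #GP, otherwise stores the value. */
bool wrmsr_lstar(uint64_t *lstar, uint64_t value) {
    if (!is_canonical48(value)) return false;
    *lstar = value;
    return true;
}

/* --- Minimal GDT descriptor model (only the fields the check needs) --- */
#define DESC_TYPE(d) (((d) >> 40) & 0xF)   /* bit 43 set => code segment */
#define DESC_S(d)    (((d) >> 44) & 1)
#define DESC_DPL(d)  (((d) >> 45) & 3)
#define DESC_P(d)    (((d) >> 47) & 1)
#define DESC_L(d)    (((d) >> 53) & 1)

/* Build a present code/data descriptor. Base and limit are left zero here;
   SYSCALL/SYSRET force base 0 and limit 0xFFFFF on the loaded segments anyway. */
uint64_t make_desc(bool code, unsigned dpl, bool l) {
    uint64_t type = code ? 0xA : 0x2;   /* code: execute/read; data: read/write */
    return (type << 40) | (1ULL << 44) | ((uint64_t)dpl << 45) | (1ULL << 47)
         | ((uint64_t)l << 53);
}

static bool desc_matches(uint64_t d, bool code, unsigned dpl, bool l) {
    if (!DESC_P(d) || !DESC_S(d)) return false;
    if (((DESC_TYPE(d) >> 3) & 1) != (code ? 1u : 0u)) return false;
    if (DESC_DPL(d) != dpl) return false;
    if (code && DESC_L(d) != (l ? 1u : 0u)) return false;
    return true;
}

/* Number of descriptors that do not match what SYSCALL/SYSRET will assume for
   the given IA32_STAR value (0 means the GDT is consistent with the MSR). */
int check_syscall_gdt(const uint64_t *gdt, size_t entries, uint64_t star) {
    struct { uint16_t sel; bool code; unsigned dpl; bool l; } want[] = {
        { syscall_cs(star),  true,  0, true  },   /* 64-bit kernel code */
        { syscall_ss(star),  false, 0, false },   /* kernel data        */
        { sysret32_cs(star), true,  3, false },   /* 32-bit user code   */
        { sysret_ss(star),   false, 3, false },   /* user data          */
        { sysret64_cs(star), true,  3, true  },   /* 64-bit user code   */
    };
    int bad = 0;
    for (size_t i = 0; i < sizeof want / sizeof want[0]; i++) {
        size_t idx = want[i].sel >> 3;            /* selector -> GDT index */
        if (idx == 0 || idx >= entries ||
            !desc_matches(gdt[idx], want[i].code, want[i].dpl, want[i].l))
            bad++;
    }
    return bad;
}

/* Constructed sample IA32_STAR: SYSRET base 0x23, SYSCALL CS 0x10. */
#define SAMPLE_STAR ((0x23ULL << 48) | (0x10ULL << 32))

/* Build the matching sample GDT and run the check; optionally clear the L bit
   of the 64-bit user code descriptor to show the mismatch being detected. */
int sample_gdt_mismatches(bool clear_user64_l) {
    uint64_t gdt[8] = { 0 };               /* index 0 is the NULL descriptor */
    gdt[2] = make_desc(true,  0, true);    /* 0x10: kernel 64-bit code */
    gdt[3] = make_desc(false, 0, false);   /* 0x18: kernel data        */
    gdt[4] = make_desc(true,  3, false);   /* 0x23: user 32-bit code   */
    gdt[5] = make_desc(false, 3, false);   /* 0x2B: user data          */
    gdt[6] = make_desc(true,  3, true);    /* 0x33: user 64-bit code   */
    if (clear_user64_l) gdt[6] = make_desc(true, 3, false);
    return check_syscall_gdt(gdt, 8, SAMPLE_STAR);
}

int main(void) {
    printf("SYSCALL CS=%#x SS=%#x  SYSRET64 CS=%#x SS=%#x  SYSRET32 CS=%#x\n",
           syscall_cs(SAMPLE_STAR), syscall_ss(SAMPLE_STAR), sysret64_cs(SAMPLE_STAR),
           sysret_ss(SAMPLE_STAR), sysret32_cs(SAMPLE_STAR));
    printf("GDT mismatches: %d (good layout), %d (user64 L bit cleared)\n",
           sample_gdt_mismatches(false), sample_gdt_mismatches(true));
    printf("WRMSR LSTAR accepted: %d (canonical), %d (non-canonical)\n",
           wrmsr_lstar(&ia32_lstar, 0xFFFFFFFF81000000ULL),
           wrmsr_lstar(&ia32_lstar, 0x0000800000000000ULL));
    return 0;
}
```

The GDT check is the part worth carrying into a real kernel: the processor never validates the descriptors at the forced selectors, so a descriptor with the wrong DPL or L bit is silently combined with the hard-wired base, limit and attributes, and the mismatch only shows up as faults or unexpected mode after the first SYSRET.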
