1 direct calls or jumps to code segments – Intel IA-32 User Manual


4-14 Vol. 3A

PROTECTION

A JMP or CALL instruction can reference another code segment in any of four ways:

• The target operand contains the segment selector for the target code segment.

• The target operand points to a call-gate descriptor, which contains the segment selector for
the target code segment.

• The target operand points to a TSS, which contains the segment selector for the target code
segment.

• The target operand points to a task gate, which points to a TSS, which in turn contains the
segment selector for the target code segment.

The following sections describe the first two types of references. See Section 6.3, “Task Switching,”
for information on transferring program control through a task gate and/or TSS.

The SYSENTER and SYSEXIT instructions are special instructions for making fast calls to and
returns from operating system or executive procedures. These instructions are discussed briefly
in Section 4.8.7, “Performing Fast Calls to System Procedures with the SYSENTER and
SYSEXIT Instructions.”

4.8.1 Direct Calls or Jumps to Code Segments

The near forms of the JMP, CALL, and RET instructions transfer program control within the
current code segment, so privilege-level checks are not performed. The far forms of the JMP,
CALL, and RET instructions transfer control to other code segments, so the processor does
perform privilege-level checks.

When transferring program control to another code segment without going through a call gate,
the processor examines four kinds of privilege level and type information (see Figure 4-6):

• The CPL. (Here, the CPL is the privilege level of the calling code segment; that is, the code
segment that contains the procedure that is making the call or jump.)

Figure 4-6. Privilege Check for Control Transfer Without Using a Gate

[Figure: the privilege check takes the CPL from the CS register, the RPL from the segment selector for the code segment, and the DPL and the C (conforming) flag from the destination code segment descriptor.]
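The check that Figure 4-6 sketches, written out as an added C example that is not code from the manual. It extracts the RPL from a selector and the DPL, S bit, type and C flag from the access byte of a raw 8-byte descriptor, then applies the rules the manual states in the subsections that follow this one (a nonconforming target requires CPL equal to DPL and RPL not greater than DPL; a conforming target requires DPL not greater than CPL, ignores RPL, and leaves the CPL unchanged). The descriptor builders, the selector values, the enum names and the check's ordering of faults are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of the privilege check for a far JMP/CALL that does not use a gate. */
enum transfer_result {
    TRANSFER_OK = 0,
    FAULT_GP_TYPE,   /* #GP: destination descriptor is not a code segment */
    FAULT_GP_PRIV,   /* #GP: CPL/RPL/DPL relationship violated */
    FAULT_NP         /* #NP: destination segment not present */
};

/* The RPL is the low two bits of a selector (bit 2 is TI, bits 3-15 the index). */
static unsigned selector_rpl(uint16_t selector)
{
    return selector & 0x3;
}

/* Build the access byte (bits 40-47) of an 8-byte code-segment descriptor:
   P | DPL(2) | S | Type(4), with Type = 1 C R A for a code segment.
   Base and limit stay zero; the privilege check does not look at them. (constructed) */
static uint64_t make_code_descriptor(unsigned dpl, bool conforming, bool present)
{
    uint64_t access = 0x1A;                 /* S=1, code, readable, nonconforming */
    if (conforming) access |= 0x04;         /* C flag */
    if (present)    access |= 0x80;         /* P flag */
    access |= (uint64_t)(dpl & 0x3) << 5;   /* DPL */
    return access << 40;
}

/* A present, writable data-segment descriptor, used only as a negative input. (constructed) */
static uint64_t make_data_descriptor(unsigned dpl)
{
    uint64_t access = 0x92 | ((uint64_t)(dpl & 0x3) << 5);
    return access << 40;
}

/* Apply the Figure 4-6 check: CPL of the caller, RPL of the target selector,
   DPL and C flag of the destination descriptor. On success, *new_cpl (if not
   NULL) receives the CPL in force after the transfer. */
enum transfer_result check_far_transfer(unsigned cpl, uint16_t selector,
                                        uint64_t descriptor, unsigned *new_cpl)
{
    unsigned access = (unsigned)((descriptor >> 40) & 0xFF);
    bool s_bit      = access & 0x10;
    bool is_code    = s_bit && (access & 0x08);
    bool conforming = access & 0x04;
    bool present    = access & 0x80;
    unsigned dpl    = (access >> 5) & 0x3;
    unsigned rpl    = selector_rpl(selector);

    if (!is_code)
        return FAULT_GP_TYPE;

    if (conforming) {
        /* Conforming: reachable from equal or less privileged code (CPL >= DPL).
           RPL is not checked and the caller keeps its CPL. */
        if (cpl < dpl)
            return FAULT_GP_PRIV;
    } else {
        /* Nonconforming: same-privilege transfers only (CPL == DPL), and the
           selector's RPL must be at least as privileged as the DPL (RPL <= DPL). */
        if (cpl != dpl || rpl > dpl)
            return FAULT_GP_PRIV;
    }

    if (!present)
        return FAULT_NP;

    if (new_cpl)
        *new_cpl = conforming ? cpl : dpl;  /* equal values in the nonconforming case */
    return TRANSFER_OK;
}

int main(void)
{
    unsigned after = 0;
    /* Constructed case: ring-3 code jumping straight to a ring-0 nonconforming segment. */
    enum transfer_result r = check_far_transfer(3, 0x0008, make_code_descriptor(0, false, true), &after);
    printf("ring 3 -> nonconforming ring 0: %s\n", r == TRANSFER_OK ? "allowed" : "#GP");
    /* Constructed case: the same caller entering a ring-0 conforming segment keeps CPL 3. */
    r = check_far_transfer(3, 0x0008, make_code_descriptor(0, true, true), &after);
    printf("ring 3 -> conforming ring 0: %s, CPL after = %u\n",
           r == TRANSFER_OK ? "allowed" : "#GP", after);
    return 0;
}
```

The two printed cases show why a conforming segment does not by itself raise privilege: the transfer is permitted, but the CPL after it is still 3, so the callee runs with the caller's privilege rather than the descriptor's DPL.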
