#SS is not generated in real mode on some CPUs
Radim Picha (EliCZ) <apihookscomseznamcz> Thursday, June 8 2006 08:33.50 CDT


http://www.anticracking.sk/EliCZ/bugs/SSGP.zip

Some processors do not generate 'Stack Exception' (#SS, Vector 12) when a stack segment limit is overrun in real mode. This is not vendor-specific behaviour.

Example:

  MOV  SP, 0FFFFH   ; SP points at the last byte of the 64K stack segment
  POP  AX           ; the 2-byte read at SS:[0FFFFH] crosses the segment limit

should generate #SS. If it does not, SP is adjusted normally, AL contains the byte from SS:[0FFFFH], and AH is undefined (0 or the higher byte of CS? value). Even constructions that would stop the CPU are allowed:

  MOV  SP, 1        ; only one byte left below SP
  PUSH AX           ; SP wraps to 0FFFFH and the 2-byte write crosses the limit

or

  MOV  SP, 5        ; five bytes left below SP
  INT  xxH          ; FLAGS, CS and IP need six bytes, so the pushes cross the limit

IRET from such an INT will succeed even if the stack contains incomplete IRET information (the higher byte of CS is lost). Is there some stack cache?
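A small model of the stack-limit check the post is probing, added here as an example (it is not SSGP.com or any of the author's code). Strict mode is the documented real-mode behaviour: any stack access touching an offset above 0FFFFH raises #SS. Lenient mode wraps the offset modulo 64K, which is an assumption used to model the CPUs that report no #SS; the post itself only says that AH is then undefined.

```python
# Real-mode stack segment: 64 KiB, limit 0xFFFF. strict=True models the
# documented behaviour (#SS on limit overrun); strict=False models the
# lenient CPUs from the post as a plain 16-bit wrap (an assumption, the
# post only reports AH as undefined in that case).

class StackFault(Exception):
    """#SS: a stack access crossed the stack-segment limit."""

class RealModeStack:
    def __init__(self, sp, strict=True):
        self.mem = bytearray(0x10000)   # SS:0000 .. SS:FFFF
        self.sp = sp & 0xFFFF
        self.strict = strict

    def _check(self, offset, size):
        # A word at offset FFFF covers FFFF and 10000, one byte past the limit.
        if self.strict and offset + size - 1 > 0xFFFF:
            raise StackFault(f"#SS: {size}-byte stack access at SS:{offset:04X}")

    def push(self, word):
        self.sp = (self.sp - 2) & 0xFFFF
        self._check(self.sp, 2)
        for i in range(2):
            self.mem[(self.sp + i) & 0xFFFF] = (word >> (8 * i)) & 0xFF

    def pop(self):
        self._check(self.sp, 2)
        word = sum(self.mem[(self.sp + i) & 0xFFFF] << (8 * i) for i in range(2))
        self.sp = (self.sp + 2) & 0xFFFF
        return word

def pop_at_top(strict):
    """MOV SP,0FFFFH / POP AX: returns (AX, SP), or "#SS" when the fault fires."""
    s = RealModeStack(0xFFFF, strict)
    s.mem[0xFFFF] = 0x34   # constructed byte at SS:[FFFF] (becomes AL)
    s.mem[0x0000] = 0x12   # constructed byte at SS:[0000], reached only by wrapping
    try:
        return s.pop(), s.sp
    except StackFault:
        return "#SS"

def int_at_sp5(strict):
    """MOV SP,5 / INT xx: FLAGS, CS, IP are pushed; returns final SP or "#SS"."""
    s = RealModeStack(5, strict)
    try:
        for word in (0x0202, 0x1234, 0x0100):   # constructed FLAGS, CS, IP
            s.push(word)
        return s.sp
    except StackFault:
        return "#SS"
```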

SSGP.com's output:

a) Standard behaviour (e.g. AMD 00020F32)
#SS IP=014E SI=FFFF EAX=FFFFFFFF
#GP IP=0170 SI=FFFF EAX=FFFFFFFF
#SS IP=018E SI=FFFF EAX=FFFFFFFF
#GP IP=01AC SI=FFFF EAX=FFFFFFFF

b) No #SS (e.g. Intel 00000F34, AMD 00000FC0)
#NN IP=AAA0 SI=0003 EAX=00000033
#GP IP=0170 SI=FFFF EAX=FFFFFFFF
#NN IP=AAA2 SI=FFFF EAX=00000033
#GP IP=01AC SI=FFFF EAX=FFFFFFFF
#NN IP=AAA4 SI=FFFF EAX=00000033
#NN IP=AAA5 SI=FFFF EAX=00004227


------
See you next week at REcon.

