System Calls and Traps


See also system_calls

Overview

Calls to the system must cross the user-kernel protection barrier. The barrier is hardware enforced. The i386 architecture has 4 levels of protection, ring 0 through 3. NT uses ring 0 for the kernel and ring 3 for the user; the other rings are not used. Call gates are flow-of-control constructs vectoring through the IDT. According to the software people, IDT stands for Interrupt Dispatch Table (see Solomon's Inside Windows NT); according to the hardware people, it stands for Interrupt Descriptor Table. This table is pointed to by a hardware register in the i386 called the IDTR, the Interrupt Descriptor Table Register. Call gates include the interrupt gate, the trap gate, the task gate and the call gate. We are most interested here in the int 3 and int 2e traps. Traps differ from interrupts in that interrupts disable all interrupts on occurrence while traps do not, hence leading to the situation of double-traps.

Are int 3 and int 2e traps or interrupts? Is a double trap an interrupt? Is it the same as a double fault?

call gates

traps

Exhibits

The Details

The Interrupt Descriptor Table should be seen in the context of two other tables, the Global Descriptor Table and the Local Descriptor Table, in that each is a vector of Descriptors. The descriptors of the IDT are Gate Descriptors. The GDT and LDT can also hold segment descriptors. The GDT is pointed to by the hardware register GDTR, and the LDT is pointed to by the hardware register LDTR. The gate descriptor format is:

  1. 16 bit selector
  2. 16 bit offset, bits 15 ... 0
  3. 16 bit offset continued, bits 31 ... 16
  4. 16 bits of flags:
    1. P bit: 0 invalid / 1 valid
    2. DPL (2 bits): descriptor privilege level
    3. one bit equal to 0
    4. Type (4 bits):
      • 4 = i286 Call Gate
      • 5 = i286/i486 Task Gate
      • 6 = i286 Interrupt Gate
      • 7 = i286 Trap Gate
      • C = i486 Call Gate
      • E = i486 Interrupt Gate
      • F = i486 Trap Gate
    5. Byte of "word count": the lowest 5 bits are the depth of the call stack, in the case of a Call Gate only.
Given the little endianness of Intel, here's a sample entry with interpretation:
  00084374 8014ee00
Flags are ee00: this is a valid, DPL level 3 (least privileged), i486 Interrupt Gate. The target offset is 0x80144374, using selector 8.

Intel protection lets data access go down towards less privileged segments and gates go up toward more privileged code. I do not know what the DPL level 3 indicates: for certain, anyone can vector through this trap. But how do levels change?
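As an added example (not code from the original page), here is a C decoder for a gate entry dumped as the two dwords above, applied to the sample 00084374 8014ee00. It also encodes the rule the CPU applies to a software int n, which bears on the DPL question: the gate must be present and its DPL must be at least the caller's CPL, so a DPL of 3 lets ring 3 code vector through it, while the ring switch itself comes from the target code segment's privilege, not from the gate. The type gate_info_t and the function names are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* Decoded fields of one 8-byte i386 gate descriptor. */
typedef struct {
    int present, dpl, type, word_count;
    uint16_t selector;
    uint32_t offset;
} gate_info_t;

/* Decode a gate from the two dwords as a kernel debugger dumps them.
 * Little-endian memory: bytes 0-1 offset 15..0, bytes 2-3 selector (= the low
 * dword); byte 4 word count, byte 5 P/DPL/0/Type, bytes 6-7 offset 31..16 (= the high dword). */
gate_info_t decode_gate(uint32_t lo, uint32_t hi)
{
    gate_info_t g;
    uint8_t attr  = (uint8_t)(hi >> 8);          /* byte 5: P | DPL | 0 | Type */
    g.selector    = (uint16_t)(lo >> 16);
    g.offset      = (hi & 0xFFFF0000u) | (lo & 0xFFFFu);
    g.word_count  = (int)(hi & 0x1Fu);           /* byte 4, low 5 bits */
    g.present     = (attr >> 7) & 1;
    g.dpl         = (attr >> 5) & 3;
    g.type        = attr & 0xF;
    return g;
}

const char *gate_type_name(int type)
{
    switch (type) {
    case 0x4: return "i286 Call Gate";
    case 0x5: return "Task Gate";
    case 0x6: return "i286 Interrupt Gate";
    case 0x7: return "i286 Trap Gate";
    case 0xC: return "i486 Call Gate";
    case 0xE: return "i486 Interrupt Gate";
    case 0xF: return "i486 Trap Gate";
    default:  return "not a gate descriptor";
    }
}

/* Interrupt gates (6, E) clear IF on entry; trap gates (7, F) leave it set,
 * which is why a trap handler can itself be trapped (the double-trap case). */
int gate_clears_if(int type) { return type == 0x6 || type == 0xE; }

/* A software "int n" from ring 3 reaches the handler only if the gate is
 * present and its DPL >= 3 (CPL <= DPL); otherwise the CPU raises #GP. */
int user_can_invoke(gate_info_t g) { return g.present && g.dpl >= 3; }
```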

These are virtual addresses. The !pcr KD command will display the descriptor registers. Apparently the IDT is located statically in kernel memory around 0x80036400; at least it's been seen twice at that location.

The following exhibit shows a remote kernel debug setup, with the target halted by ^C.

Author

Burton Rosenberg
11:28 AM 9/28/98
