Intel IA-32 User Manual
Page 165
Vol. 3A 4-35
PROTECTION
5.
If the privilege level and type checks pass, loads the unscrambled limit (the limit scaled
according to the setting of the G flag in the segment descriptor) into the destination register
and sets the ZF flag in the EFLAGS register. If the segment selector is not visible at the
current privilege level or is an invalid type for the LSL instruction, the instruction does not
modify the destination register and clears the ZF flag.
Once loaded in the destination register, software can compare the segment limit with the offset
of a pointer.
4.10.4
Checking Caller Access Privileges (ARPL Instruction)
The requestor’s privilege level (RPL) field of a segment selector is intended to carry the privi-
lege level of a calling procedure (the calling procedure’s CPL) to a called procedure. The called
procedure then uses the RPL to determine if access to a segment is allowed. The RPL is said to
“weaken” the privilege level of the called procedure to that of the RPL.
Operating-system procedures typically use the RPL to prevent less privileged application
programs from accessing data located in more privileged segments. When an operating-system
procedure (the called procedure) receives a segment selector from an application program (the
calling procedure), it sets the segment selector’s RPL to the privilege level of the calling proce-
dure. Then, when the operating system uses the segment selector to access its associated
segment, the processor performs privilege checks using the calling procedure’s privilege level
(stored in the RPL) rather than the numerically lower privilege level (the CPL) of the operating-
system procedure. The RPL thus insures that the operating system does not access a segment on
behalf of an application program unless that program itself has access to the segment.
Figure 4-15 shows an example of how the processor uses the RPL field. In this example, an
application program (located in code segment A) possesses a segment selector (segment selector
D1) that points to a privileged data structure (that is, a data structure located in a data segment
D at privilege level 0).
The application program cannot access data segment D, because it does not have sufficient priv-
ilege, but the operating system (located in code segment C) can. So, in an attempt to access data
segment D, the application program executes a call to the operating system and passes segment
selector D1 to the operating system as a parameter on the stack. Before passing the segment
selector, the (well behaved) application program sets the RPL of the segment selector to its
current privilege level (which in this example is 3). If the operating system attempts to access
data segment D using segment selector D1, the processor compares the CPL (which is now 0
following the call), the RPL of segment selector D1, and the DPL of data segment D (which is
0). Since the RPL is greater than the DPL, access to data segment D is denied. The processor’s
protection mechanism thus protects data segment D from access by the operating system,
because application program’s privilege level (represented by the RPL of segment selector B) is
greater than the DPL of data segment D.