I'm trying to switch to user-mode (ring 3) on x86_64 with the following code:
Code:
mov rcx, 0x80000000   ; sysretq loads RIP from RCX
xor r11, r11          ; sysretq loads RFLAGS from R11 (0 -> IF clear)
sysretq
I have some virtual memory mapped at 0x80000000 with the flags Flags::PRESENT | Flags::WRITABLE | Flags::USER_ACCESSIBLE. At 0x80000000 I wrote a simple nop instruction (0x90).
I'm expecting the cpu to load rcx (0x80000000) into rip and execute the nop instruction, but the cpu resets before the nop is executed.
I enabled the system call extensions in EFER and wrote the segment selector to STAR.
I have interrupt handlers for almost all cpu exceptions enabled (including double fault), but the cpu resets without causing an exception/calling the handlers when the sysretq instruction is executed.
The qemu log shows the cpu reset:
Code:
CPU Reset (CPU 0)
RAX=0000000080000001 RBX=0000000000006882 RCX=0000000080000000 RDX=0000000000000000
RSI=0000000080000001 RDI=000057ac001fffcc RBP=000000000000626a RSP=000057ac001fff38
R8 =fffffffffffffffd R9 =0000000000000802 R10=0000000000000001 R11=0000000000000000
R12=000000000000626a R13=0000000140200000 R14=000000b0071f0000 R15=0000000000006882
RIP=0000000080000000 RFL=00010002 [-------] CPL=3 II=0 A20=1 SMM=0 HLT=0
ES =0010 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
CS =001b 0000000000000000 ffffffff 00a0fb00 DPL=3 CS64 [-RA]
SS =0013 0000000000000000 ffffffff 00c0f300 DPL=3 DS [-WA]
DS =0010 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
FS =0000 0000000000000000 0000ffff 00009300 DPL=0 DS [-WA]
GS =0000 0000000000000000 0000ffff 00009300 DPL=0 DS [-WA]
LDT=0000 0000000000000000 0000ffff 00008200 DPL=0 LDT
TR =0020 000000000024a209 00000067 00008b00 DPL=0 TSS64-busy
GDT= 000000000024a288 0000003f
IDT= 00000000002491f0 00000fff
CR0=80010011 CR2=fffffffffffffff8 CR3=0000000000001000 CR4=00000020
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
CCS=0000000000000000 CCD=0000000000000000 CCO=DYNAMIC
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=00000000000000000000000000000000 XMM01=00000000000000000000000000000000
XMM02=00000000000000000000000000000000 XMM03=00000000000000000000000000000000
XMM04=00000000000000000000000000000000 XMM05=00000000000000000000000000000000
XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000
XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000
XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000
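Added example, not part of the post above: a Python script that reads the QEMU register dump from the post and checks it against what SYSRET is architecturally defined to leave behind (CPL, the CS/SS selector pairing implied by STAR, descriptor DPL and L bits, RIP from RCX, RFLAGS from R11, EFER.SCE/LMA), then decodes CR2 relative to the user page. The regexes, the descriptor bit layout as printed by QEMU, and the interpretation of a CR2 a few bytes below zero are this example's own assumptions, not something the poster wrote.

```python
import re

# Register dump taken from the QEMU "CPU Reset" log in the post above
# (only the lines the checks below need are kept).
QEMU_DUMP = """\
RAX=0000000080000001 RBX=0000000000006882 RCX=0000000080000000 RDX=0000000000000000
RSI=0000000080000001 RDI=000057ac001fffcc RBP=000000000000626a RSP=000057ac001fff38
R8 =fffffffffffffffd R9 =0000000000000802 R10=0000000000000001 R11=0000000000000000
RIP=0000000080000000 RFL=00010002 [-------] CPL=3 II=0 A20=1 SMM=0 HLT=0
CS =001b 0000000000000000 ffffffff 00a0fb00 DPL=3 CS64 [-RA]
SS =0013 0000000000000000 ffffffff 00c0f300 DPL=3 DS [-WA]
TR =0020 000000000024a209 00000067 00008b00 DPL=0 TSS64-busy
CR0=80010011 CR2=fffffffffffffff8 CR3=0000000000001000 CR4=00000020
EFER=0000000000000d01
"""

# "NAME=hex" pairs with 8..16 hex digits (general, control and flag registers).
REG_RE = re.compile(r"\b([A-Z][A-Z0-9]{1,3})\s*=\s*([0-9a-f]{8,16})\b")
# Segment lines: selector, base, limit, descriptor attribute dword.
SEG_RE = re.compile(r"^(CS|SS|DS|ES|FS|GS|TR)\s*=([0-9a-f]{4}) ([0-9a-f]{16}) "
                    r"([0-9a-f]{8}) ([0-9a-f]{8})", re.M)
CPL_RE = re.compile(r"\bCPL=(\d)")
EFER_BITS = {"SCE": 0, "LME": 8, "LMA": 10, "NXE": 11}


def decode_segment(selector, attr):
    """Split a selector into index/RPL and decode the attribute dword QEMU
    prints: type/S/DPL/P live in bits 8-15, AVL/L/D-B/G in bits 20-23."""
    return {
        "selector": selector, "index": selector >> 3, "rpl": selector & 3,
        "type": (attr >> 8) & 0xF, "s": (attr >> 12) & 1,
        "dpl": (attr >> 13) & 3, "present": (attr >> 15) & 1,
        "long": (attr >> 21) & 1, "db": (attr >> 22) & 1,
    }


def parse_dump(text):
    """Return (registers, segments, CPL) parsed from a QEMU register dump."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    segs = {name: decode_segment(int(sel, 16), int(attr, 16))
            for name, sel, _base, _limit, attr in SEG_RE.findall(text)}
    m = CPL_RE.search(text)
    return regs, segs, int(m.group(1)) if m else None


def check_sysret_state(text):
    """Compare the dumped state with what SYSRET is architecturally defined to
    produce. Returns {"passed": [...], "failed": [...], "notes": [...]}."""
    regs, segs, cpl = parse_dump(text)
    cs, ss = segs["CS"], segs["SS"]
    efer = {n: bool(regs["EFER"] >> b & 1) for n, b in EFER_BITS.items()}
    out = {"passed": [], "failed": [], "notes": []}

    def check(cond, ok, bad):
        out["passed" if cond else "failed"].append(ok if cond else bad)

    check(efer["SCE"] and efer["LMA"],
          "EFER.SCE and EFER.LMA set", "EFER.SCE or EFER.LMA clear")
    check(cpl == 3, "CPL is 3", "CPL is not 3")
    check(cs["rpl"] == 3 and ss["rpl"] == 3, "CS/SS RPL are 3", "CS/SS RPL not 3")
    # SYSRET loads CS <- STAR[63:48]+16 | 3 and SS <- STAR[63:48]+8 | 3, so the
    # user SS descriptor must sit one slot below the 64-bit user CS in the GDT.
    check((cs["selector"] & ~3) - 8 == (ss["selector"] & ~3),
          "SS selector is CS selector - 8", "SS selector is not CS selector - 8")
    check(cs["long"] == 1 and cs["dpl"] == 3 and cs["type"] & 8,
          "CS is a 64-bit DPL-3 code segment", "CS is not a 64-bit DPL-3 code segment")
    check(ss["s"] == 1 and ss["dpl"] == 3 and (ss["type"] & 0xA) == 2,
          "SS is a writable DPL-3 data segment", "SS is not a writable DPL-3 data segment")
    check(regs["RIP"] == regs["RCX"], "RIP was loaded from RCX", "RIP differs from RCX")
    # SYSRET copies R11 into RFLAGS (bit 1 forced on); R11 = 0 therefore lands
    # in user mode with IF clear, which matters when no IRQ ever fires there.
    check(regs["RFL"] >> 9 & 1, "IF set in user mode", "IF clear in user mode (R11 bit 9 was 0)")

    cr2, page = regs["CR2"], regs["RIP"] & ~0xFFF
    if page <= cr2 < page + 0x1000:
        out["notes"].append("CR2 lies in the user code page at RIP: the fault hit the user page itself")
    elif cr2 >= (1 << 64) - 64:
        # Assumption of this example: a faulting address a few bytes below 0 is
        # the signature of a push through a stack pointer of 0, e.g. an exception
        # taken at CPL 3 switching to a TSS RSP0 field that was never filled in.
        out["notes"].append("CR2=0x%x is just below address 0: consistent with a push through a "
                            "null stack pointer such as an unset TSS RSP0" % cr2)
    # SYSRET leaves RSP alone: user code inherits whatever stack the kernel used.
    out["notes"].append("RSP=0x%x is unchanged by SYSRET; switch stacks before SYSRET if user "
                        "code must not touch kernel pages" % regs["RSP"])
    return out


if __name__ == "__main__":
    for kind, msgs in check_sysret_state(QEMU_DUMP).items():
        for msg in msgs:
            print("%-6s %s" % (kind, msg))
```

Run as-is it prints every check; paste a different "CPU Reset" dump into `QEMU_DUMP` to re-check another run. The "passed" list confirms that the sysretq itself did what the post expects (CPL=3, correct selectors, RIP=RCX), so the reset has to come from whatever happens first after the transition, which is what the CR2 and RSP notes are there to narrow down.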