forked from NRZCode/ia32-64
185 lines
6.4 KiB
HTML
185 lines
6.4 KiB
HTML
<!DOCTYPE html>
|
||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:svg="http://www.w3.org/2000/svg" xmlns:x86="http://www.felixcloutier.com/x86"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><link rel="stylesheet" type="text/css" href="style.css"></link><title>WRSSD/WRSSQ
|
||
— Write to Shadow Stack</title></head><body><header><nav><ul><li><a href='index.html'>Index</a></li><li>December 2023</li></ul></nav></header><h1>WRSSD/WRSSQ
|
||
— Write to Shadow Stack</h1>
|
||
|
||
|
||
<table>
|
||
<tr>
|
||
<th>Opcode/Instruction</th>
|
||
<th>Op/En</th>
|
||
<th>64/32 bit Mode Support</th>
|
||
<th>CPUID Feature Flag</th>
|
||
<th>Description</th></tr>
|
||
<tr>
|
||
<td>0F 38 F6 !(11):rrr:bbb WRSSD m32, r32</td>
|
||
<td>MR</td>
|
||
<td>V/V</td>
|
||
<td>CET_SS</td>
|
||
<td>Write 4 bytes to shadow stack.</td></tr>
|
||
<tr>
|
||
<td>REX.W 0F 38 F6 !(11):rrr:bbb WRSSQ m64, r64</td>
|
||
<td>MR</td>
|
||
<td>V/N.E.</td>
|
||
<td>CET_SS</td>
|
||
<td>Write 8 bytes to shadow stack.</td></tr></table>
|
||
<h2 id="instruction-operand-encoding">Instruction Operand Encoding<a class="anchor" href="#instruction-operand-encoding">
|
||
¶
|
||
</a></h2>
|
||
<table>
|
||
<tr>
|
||
<th>Op/En</th>
|
||
<th>Operand 1</th>
|
||
<th>Operand 2</th>
|
||
<th>Operand 3</th>
|
||
<th>Operand 4</th></tr>
|
||
<tr>
|
||
<td>MR</td>
|
||
<td>ModRM:r/m (w)</td>
|
||
<td>ModRM:reg (r)</td>
|
||
<td>N/A</td>
|
||
<td>N/A</td></tr></table>
|
||
<h2 id="description">Description<a class="anchor" href="#description">
|
||
¶
|
||
</a></h2>
|
||
<p>Writes bytes in register source to the shadow stack.</p>
|
||
<h2 id="operation">Operation<a class="anchor" href="#operation">
|
||
¶
|
||
</a></h2>
|
||
<pre>IF CPL = 3
|
||
IF (CR4.CET & IA32_U_CET.SH_STK_EN) = 0
|
||
THEN #UD; FI;
|
||
IF (IA32_U_CET.WR_SHSTK_EN) = 0
|
||
THEN #UD; FI;
|
||
ELSE
|
||
IF (CR4.CET & IA32_S_CET.SH_STK_EN) = 0
|
||
THEN #UD; FI;
|
||
IF (IA32_S_CET.WR_SHSTK_EN) = 0
|
||
THEN #UD; FI;
|
||
FI;
|
||
DEST_LA = Linear_Address(mem operand)
|
||
IF (operand size is 64 bit)
|
||
THEN
|
||
(* Destination not 8B aligned *)
|
||
IF DEST_LA[2:0]
|
||
THEN GP(0); FI;
|
||
Shadow_stack_store 8 bytes of SRC to DEST_LA;
|
||
ELSE
|
||
(* Destination not 4B aligned *)
|
||
IF DEST_LA[1:0]
|
||
THEN GP(0); FI;
|
||
Shadow_stack_store 4 bytes of SRC[31:0] to DEST_LA;
|
||
FI;
|
||
</pre>
|
||
<h2 id="flags-affected">Flags Affected<a class="anchor" href="#flags-affected">
|
||
¶
|
||
</a></h2>
|
||
<p>None.</p>
|
||
<h2 id="c-c++-compiler-intrinsic-equivalent">C/C++ Compiler Intrinsic Equivalent<a class="anchor" href="#c-c++-compiler-intrinsic-equivalent">
|
||
¶
|
||
</a></h2>
|
||
<pre>WRSSD void _wrssd(__int32, void *);
|
||
</pre>
|
||
<pre>WRSSQ void _wrssq(__int64, void *);
|
||
</pre>
|
||
<h2 class="exceptions" id="protected-mode-exceptions">Protected Mode Exceptions<a class="anchor" href="#protected-mode-exceptions">
|
||
¶
|
||
</a></h2>
|
||
<table>
|
||
<tr>
|
||
<td rowspan="6">#UD</td>
|
||
<td>If the LOCK prefix is used.</td></tr>
|
||
<tr>
|
||
<td>If CR4.CET = 0.</td></tr>
|
||
<tr>
|
||
<td>If CPL = 3 and IA32_U_CET.SH_STK_EN = 0.</td></tr>
|
||
<tr>
|
||
<td>If CPL < 3 and IA32_S_CET.SH_STK_EN = 0.</td></tr>
|
||
<tr>
|
||
<td>If CPL = 3 and IA32_U_CET.WR_SHSTK_EN = 0.</td></tr>
|
||
<tr>
|
||
<td>If CPL < 3 and IA32_S_CET.WR_SHSTK_EN = 0.</td></tr>
|
||
<tr>
|
||
<td rowspan="4">#GP(0)</td>
|
||
<td>If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit.</td></tr>
|
||
<tr>
|
||
<td>If destination is located in a non-writeable segment.</td></tr>
|
||
<tr>
|
||
<td>If the DS, ES, FS, or GS register is used to access memory and it contains a NULL segment selector.</td></tr>
|
||
<tr>
|
||
<td>If linear address of destination is not 4 byte aligned.</td></tr>
|
||
<tr>
|
||
<td>#SS(0)</td>
|
||
<td>If a memory operand effective address is outside the SS segment limit.</td></tr>
|
||
<tr>
|
||
<td rowspan="2">#PF(fault-code)</td>
|
||
<td>If a page fault occurs if destination is not a user shadow stack when CPL3 and not a supervisor shadow stack when CPL < 3.</td></tr>
|
||
<tr>
|
||
<td>Other terminal and non-terminal faults.</td></tr></table>
|
||
<h2 class="exceptions" id="real-address-mode-exceptions">Real-Address Mode Exceptions<a class="anchor" href="#real-address-mode-exceptions">
|
||
¶
|
||
</a></h2>
|
||
<table>
|
||
<tr>
|
||
<td>#UD</td>
|
||
<td>The WRSS instruction is not recognized in real-address mode.</td></tr></table>
|
||
<h2 class="exceptions" id="virtual-8086-mode-exceptions">Virtual-8086 Mode Exceptions<a class="anchor" href="#virtual-8086-mode-exceptions">
|
||
¶
|
||
</a></h2>
|
||
<table>
|
||
<tr>
|
||
<td>#UD</td>
|
||
<td>The WRSS instruction is not recognized in virtual-8086 mode.</td></tr></table>
|
||
<h2 class="exceptions" id="compatibility-mode-exceptions">Compatibility Mode Exceptions<a class="anchor" href="#compatibility-mode-exceptions">
|
||
¶
|
||
</a></h2>
|
||
<table>
|
||
<tr>
|
||
<td rowspan="6">#UD</td>
|
||
<td>If the LOCK prefix is used.</td></tr>
|
||
<tr>
|
||
<td>If CR4.CET = 0.</td></tr>
|
||
<tr>
|
||
<td>If CPL = 3 and IA32_U_CET.SH_STK_EN = 0.</td></tr>
|
||
<tr>
|
||
<td>If CPL < 3 and IA32_S_CET.SH_STK_EN = 0.</td></tr>
|
||
<tr>
|
||
<td>If CPL = 3 and IA32_U_CET.WR_SHSTK_EN = 0.</td></tr>
|
||
<tr>
|
||
<td>If CPL < 3 and IA32_S_CET.WR_SHSTK_EN = 0.</td></tr>
|
||
<tr>
|
||
<td rowspan="2">#PF(fault-code)</td>
|
||
<td>If a page fault occurs if destination is not a user shadow stack when CPL3 and not a supervisor shadow stack when CPL < 3.</td></tr>
|
||
<tr>
|
||
<td>Other terminal and non-terminal faults.</td></tr></table>
|
||
<h2 class="exceptions" id="64-bit-mode-exceptions">64-Bit Mode Exceptions<a class="anchor" href="#64-bit-mode-exceptions">
|
||
¶
|
||
</a></h2>
|
||
<table>
|
||
<tr>
|
||
<td rowspan="6">#UD</td>
|
||
<td>If the LOCK prefix is used.</td></tr>
|
||
<tr>
|
||
<td>If CR4.CET = 0.</td></tr>
|
||
<tr>
|
||
<td>If CPL = 3 and IA32_U_CET.SH_STK_EN = 0.</td></tr>
|
||
<tr>
|
||
<td>If CPL < 3 and IA32_S_CET.SH_STK_EN = 0.</td></tr>
|
||
<tr>
|
||
<td>If CPL = 3 and IA32_U_CET.WR_SHSTK_EN = 0.</td></tr>
|
||
<tr>
|
||
<td>If CPL < 3 and IA32_S_CET.WR_SHSTK_EN = 0.</td></tr>
|
||
<tr>
|
||
<td rowspan="2">#GP(0)</td>
|
||
<td>If a memory address is in a non-canonical form.</td></tr>
|
||
<tr>
|
||
<td>If linear address of destination is not 4 byte aligned.</td></tr>
|
||
<tr>
|
||
<td rowspan="2">#PF(fault-code)</td>
|
||
<td>If a page fault occurs if destination is not a user shadow stack when CPL3 and not a supervisor shadow stack when CPL < 3.</td></tr>
|
||
<tr>
|
||
<td>Other terminal and non-terminal faults.</td></tr></table><footer><p>
|
||
This UNOFFICIAL, mechanically-separated, non-verified reference is provided for convenience, but it may be
|
||
inc<span style="opacity: 0.2">omp</span>lete or b<sub>r</sub>oke<sub>n</sub> in various obvious or non-obvious
|
||
ways. Refer to <a href="https://software.intel.com/en-us/download/intel-64-and-ia-32-architectures-sdm-combined-volumes-1-2a-2b-2c-2d-3a-3b-3c-3d-and-4">Intel® 64 and IA-32 Architectures Software Developer’s Manual</a> for anything serious.
|
||
</p></footer></body></html>
|