Intel 253668-032US User Manual

5-28   Vol. 3
PROTECTION
dure, one of the parameters can be a pointer to a data structure, or the saved 
contents of the SS and ESP registers may be used to access parameters in the old 
stack space. The size of the data items passed to the called procedure depends on 
the call gate size, as described in Section 5.8.3, “Call Gates.”
5.8.5.1  Stack Switching in 64-bit Mode
Although protection-check rules for call gates are unchanged from 32-bit mode, 
stack-switch changes in 64-bit mode are different.
When stacks are switched as part of a 64-bit mode privilege-level change through a 
call gate, a new SS (stack segment) descriptor is not loaded; 64-bit mode only loads 
an inner-level RSP from the TSS. The new SS is forced to NULL and the SS selector’s 
RPL field is forced to the new CPL. The new SS is set to NULL in order to handle 
nested far transfers (CALLF, INTn, interrupts and exceptions). The old SS and RSP 
are saved on the new stack. 
On a subsequent RETF, the old SS is popped from the stack and loaded into the SS 
register. See Table 5-2.
In 64-bit mode, stack operations resulting from a privilege-level-changing far call or 
far return are eight-bytes wide and change the RSP by eight. The mode does not 
support the automatic parameter-copy feature found in 32-bit mode. The call-gate 
count field is ignored. Software can access the old stack, if necessary, by referencing 
the old stack-segment selector and stack pointer saved on the new process stack. 
In 64-bit mode, RETF is allowed to load a NULL SS under certain conditions. If the 
target mode is 64-bit mode and the target CPL <> 3, IRET allows SS to be loaded with 
a NULL selector. If the called procedure itself is interrupted, the NULL SS is pushed on 
the stack frame. On the subsequent RETF, the NULL SS on the stack acts as a flag to 
tell the processor not to load a new SS descriptor.
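The 64-bit stack switch described above, as an added C model (not code from the Intel manual). The names cpu_t, callf_inner, retf_outer and slot are hypothetical, and the model assumes a flat byte array for both stacks and leaves out the gate lookup, descriptor checks and faults.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model (assumption of this example): registers plus flat memory. */
typedef struct {
    uint16_t cs, ss;      /* selectors; the low 2 bits hold the RPL */
    uint64_t rip, rsp;
    uint8_t *mem;         /* backs both the old and the new stack */
} cpu_t;

/* Read the 8-byte frame slot at RSP+off. */
uint64_t slot(const cpu_t *c, unsigned off) {
    uint64_t v;
    memcpy(&v, c->mem + c->rsp + off, 8);
    return v;
}
static void push64(cpu_t *c, uint64_t v) {
    c->rsp -= 8;                      /* every slot is eight bytes wide */
    memcpy(c->mem + c->rsp, &v, 8);
}
static uint64_t pop64(cpu_t *c) {
    uint64_t v = slot(c, 0);
    c->rsp += 8;
    return v;
}

/* Far call through a call gate to a more privileged level (new_cpl < CPL). */
void callf_inner(cpu_t *c, uint16_t gate_cs, uint64_t gate_rip,
                 uint64_t tss_rsp, unsigned new_cpl) {
    uint16_t old_ss = c->ss, old_cs = c->cs;
    uint64_t old_rsp = c->rsp, ret_rip = c->rip;
    c->rsp = tss_rsp;                 /* only the inner-level RSP comes from the TSS */
    c->ss  = (uint16_t)new_cpl;       /* NULL selector, RPL forced to the new CPL */
    push64(c, old_ss);                /* lands at RSP+24 */
    push64(c, old_rsp);               /* RSP+16 */
    push64(c, old_cs);                /* RSP+8 */
    push64(c, ret_rip);               /* RSP+0; no parameter copy, count ignored */
    c->cs  = (uint16_t)((gate_cs & ~3u) | new_cpl);
    c->rip = gate_rip;
}

/* Matching far return to the outer level: pops the four slots in reverse. */
void retf_outer(cpu_t *c) {
    c->rip = pop64(c);
    c->cs  = (uint16_t)pop64(c);
    uint64_t old_rsp = pop64(c);
    c->ss  = (uint16_t)pop64(c);      /* old SS popped and loaded into SS */
    c->rsp = old_rsp;
}
```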
5.8.6  Returning from a Called Procedure
The RET instruction can be used to perform a near return, a far return at the same 
privilege level, and a far return to a different privilege level. This instruction is 
Table 5-2.  64-Bit-Mode Stack Layout After CALLF with CPL Change

            32-bit Mode                          IA-32e mode
  Offset    Contents                   Offset    Contents
  +12       Old SS Selector            +24       Old SS Selector
  +8        Old ESP                    +16       Old RSP
  +4        CS Selector                +8        Old CS Selector
  0         EIP  (ESP points here)     0         RIP  (RSP points here)
            <  4 Bytes  >                        <  8 Bytes  >