What is the effect of RPL when it's loaded into a non-SS segment register? Is it ignored by the processor? Or does it fault in some cases only(undocumented behaviour)?
There is a CPL to compare to, but no DPL, as NULL selectors don't have any?
Apkafe
Well, in CS it has the effect of lowering the privilege level of CPL to a lower level than DPL(conforming code segment).
And of course in the segment registers(DS,ES,FS,GS) it has the same lowering effect.
And in SS it isn't allowed to mismatch with CS's RPL(stack fault if so).
With NULL selectors it's effectively ignored afaik.
Author of the UniPCemu emulator.
UniPCemu Git repository
UniPCemu for Android, Windows, PSP, Vita and Switch on itch.io
Just been thinking: Is loading a NULL selector with RPL<CPL in DS/ES/FS/GS register allowed? Or does that #GP fault when loading? What about it's behaviour with RETF after being loaded?
Edit: According to Bochs, such a load is allowed: https://sourceforge.net/p/bochs/code/HEAD/tre … ent_ctrl_pro.cc
see load_seg_reg calling load_null_selector
So loading it is allowed, dereferencing isn't(obviously) and rpl only has effect on instructions like arpl?
Of course, that's another can of worms. ARPL might be used on it. What does it do with NULL selectors?
Would it allow privilege escalation? Loading DS with 0(Thus RPL of 0) and passing it to the kernel?
Author of the UniPCemu emulator.
UniPCemu Git repository
UniPCemu for Android, Windows, PSP, Vita and Switch on itch.io
Loading NULL with any RPL is allowed, since there's nothing to check.
ARPL doesn't work on selectors, it's only for registers that you'd move into a selector later. You can load DS with 00. That doesn't introduce any issue because you'll still need to assign a non-zero selector later in order to access memory, and at that point the RPL will be assigned.
