background image

5-16 Vol. 3A

PROTECTION

The privilege checking rules are different depending on whether the control transfer was initiated with a CALL or a 
JMP instruction, as shown in Table 5-1.

The DPL field of the call-gate descriptor specifies the numerically highest privilege level from which a calling proce-
dure can access the call gate; that is, to access a call gate, the CPL of a calling procedure must be equal to or less 
than the DPL of the call gate. For example, in Figure 5-15, call gate A has a DPL of 3. So calling procedures at all 
CPLs (0 through 3) can access this call gate, which includes calling procedures in code segments A, B, and C. Call 
gate B has a DPL of 2, so only calling procedures at a CPL or 0, 1, or 2 can access call gate B, which includes calling 
procedures in code segments B and C. The dotted line shows that a calling procedure in code segment A cannot 
access call gate B.
The RPL of the segment selector to a call gate must satisfy the same test as the CPL of the calling procedure; that 
is, the RPL must be less than or equal to the DPL of the call gate. In the example in Figure 5-15, a calling procedure 
in code segment C can access call gate B using gate selector B2 or B1, but it could not use gate selector B3 to 
access call gate B.
If the privilege checks between the calling procedure and call gate are successful, the processor then checks the 
DPL of the code-segment descriptor against the CPL of the calling procedure. Here, the privilege check rules vary 
between CALL and JMP instructions. Only CALL instructions can use call gates to transfer program control to more 
privileged (numerically lower privilege level) nonconforming code segments; that is, to nonconforming code 
segments with a DPL less than the CPL. A JMP instruction can use a call gate only to transfer program control to a 
nonconforming code segment with a DPL equal to the CPL. CALL and JMP instruction can both transfer program 
control to a more privileged conforming code segment; that is, to a conforming code segment with a DPL less than 
or equal to the CPL.

Figure 5-11.  Privilege Check for Control Transfer with Call Gate

Table 5-1.  Privilege Check Rules for Call Gates

Instruction

Privilege Check Rules

CALL

CPL ≤ call gate DPL; RPL ≤ call gate DPL
Destination conforming code segment DPL ≤ CPL
Destination nonconforming code segment DPL ≤ CPL

JMP

CPL ≤ call gate DPL; RPL ≤ call gate DPL
Destination conforming code segment DPL ≤ CPL
Destination nonconforming code segment DPL = CPL

CPL

RPL

DPL

DPL

Privilege

Check

Call Gate (Descriptor)

Destination Code-

CS Register

Call-Gate Selector

Segment Descriptor