4

After the kernel loads a native userland Linux application, on first entry the x86-64 CPU registers are mostly zero. Apart from RSP and RIP, which have their usual meanings, the registers CS, SS and R11 are non-zero:

```
cs             0x33     51
ss             0x2b     43
r11            0x200    512
```

It was my understanding that the CS and SS registers are unused on x86-64 as in long mode we have a flat 64-bit address model.

Do the CS and SS registers mean anything from/to the kernel? Is userland expected to simply leave them alone?

Also, does the initial value of 512 in R11 mean anything?

Andrew Tomazos
  • CS is still used for privilege levels and other mode bits. Are you sure you're on 64 bit mode? – Leeor Oct 21 '13 at 19:36
  • @Leeor: Well the ELF header specifies x86-64 architecture, and the kernel is x86-64, the mmaps are shown in 64-bit addresses. I assumed the initial state of userland would be 64-bit mode? – Andrew Tomazos Oct 21 '13 at 19:42
  • @Leeor: Can you determine from gdb somehow what mode the application is in? – Andrew Tomazos Oct 21 '13 at 19:43
  • 3
    `info target` will tell you if it's in 32 or 64 bit mode. Also you won't have access to 64 bit registers in 32 bit mode, so if you see any that means you are de facto in 64 bit mode. `r11` is leaking the `rflags`. – Jester Oct 21 '13 at 23:15
  • If truly in 64 bit mode, I'd expect the CS.L bit to be switched (as Martin also states), and that's above the lower byte. I'm not sure however if GDB bothers printing these bits correctly. Anyway, Jester's suggestion sounds the best. – Leeor Oct 22 '13 at 08:08
  • superset: http://stackoverflow.com/questions/7844963/how-to-interpret-segment-register-accesses-on-x86-64 – Ciro Santilli OurBigBook.com Sep 20 '15 at 15:37

1 Answer

8

In 64-bit mode the segment registers still point to IDT or GDT entries. However the IDT/GDT entries only contain limited information:

Data segment selectors (valid for DS, ES, SS, FS and GS) only contain a single bit: The "P" bit indicating that the segment is present. This only makes sense for segments loaded into the FS and GS registers.

Code segment selectors (valid for CS) contain access right information and the long mode bit indicating that 64-bit mode is active when CS points to such a segment.

The segment base and segment length are not present.

Martin Rosenau
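As an added example (not part of the question or the answer above), the following C program decodes the three fields of the selector values seen in gdb (`0x33`, `0x2b`), decodes the descriptor bits the answer says still matter in 64-bit mode (P, DPL, code/data, L), and checks which RFLAGS bit the leaked `r11` value `0x200` corresponds to. The two descriptor values are constructed samples with the bits set as the answer describes; they are not taken from any real kernel's GDT.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of a 16-bit segment selector (the value loaded into CS, SS, ...). */
struct selector { unsigned index, ti, rpl; };

/* Descriptor bits that the answer says are still meaningful in long mode. */
struct descriptor { unsigned present, dpl, code, long_mode, default_op32, type; };

struct selector decode_selector(uint16_t sel)
{
    struct selector s;
    s.index = sel >> 3;        /* index into the GDT or LDT */
    s.ti    = (sel >> 2) & 1;  /* table indicator: 0 = GDT, 1 = LDT */
    s.rpl   = sel & 3;         /* requested privilege level (3 = user) */
    return s;
}

struct descriptor decode_descriptor(uint64_t d)
{
    struct descriptor r;
    unsigned access = (d >> 40) & 0xff;   /* access byte, bits 40-47 */
    r.present      = (access >> 7) & 1;   /* P bit */
    r.dpl          = (access >> 5) & 3;   /* descriptor privilege level */
    r.type         = access & 0xf;
    r.code         = (access >> 3) & 1;   /* bit 43: 1 = code segment, 0 = data */
    r.long_mode    = (d >> 53) & 1;       /* L bit: 64-bit code segment */
    r.default_op32 = (d >> 54) & 1;       /* D/B bit */
    return r;
}

/* Bit 9 of RFLAGS is IF (interrupts enabled); 0x200 is exactly that bit. */
int rflags_if(uint64_t rflags) { return (rflags >> 9) & 1; }

/* Constructed samples: a ring-3 64-bit code descriptor (P=1, DPL=3, L=1)
   and a ring-3 data descriptor (P=1, DPL=3, L=0). Not copied from any kernel. */
static const uint64_t SAMPLE_USER_CS64 = 0x00affb000000ffffULL;
static const uint64_t SAMPLE_USER_DS   = 0x00cff3000000ffffULL;

int main(void)
{
    struct selector cs = decode_selector(0x33), ss = decode_selector(0x2b);
    struct descriptor c = decode_descriptor(SAMPLE_USER_CS64);
    printf("CS 0x33: index %u TI %u RPL %u\n", cs.index, cs.ti, cs.rpl);
    printf("SS 0x2b: index %u TI %u RPL %u\n", ss.index, ss.ti, ss.rpl);
    printf("sample CS descriptor: P=%u DPL=%u code=%u L=%u\n",
           c.present, c.dpl, c.code, c.long_mode);
    printf("R11 0x200: IF=%d\n", rflags_if(0x200));
    return 0;
}
```

Both selectors decode to RPL 3 in the GDT, which is why gdb shows non-zero CS and SS even though the base and limit of those entries play no role in long mode.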