Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
FS and GS registers in 64 bit mode from the intel architecture manual
3.4.4 Segment Loading Instructions in IA-32e Mode
Because ES, DS, and SS segment registers are not used in 64-bit mode, their fields (base, limit, and attribute) in
segment descriptor registers are ignored. Some forms of segment load instructions are also invalid (for example,
LDS, POP ES). Address calculations that reference the ES, DS, or SS segments are treated as if the segment base
is zero.
The processor checks that all linear-address references are in canonical form instead of performing limit checks.
Mode switching does not change the contents of the segment registers or the associated descriptor registers.
These registers are also not changed during 64-bit mode execution, unless explicit segment loads are performed.
In order to set up compatibility mode for an application, segment-load instructions (MOV to Sreg, POP Sreg) work
normally in 64-bit mode. An entry is read from the system descriptor table (GDT or LDT) and is loaded in the
hidden portion of the segment register. The descriptor-register base, limit, and attribute fields are all loaded.
However, the contents of the data and stack segment selector and the descriptor registers are ignored.
When FS and GS segment overrides are used in 64-bit mode, their respective base addresses are used in the linear
address calculation: (FS or GS).base + index + displacement. FS.base and GS.base are then expanded to the full
linear-address size supported by the implementation. The resulting effective address calculation can wrap across
positive and negative addresses; the resulting linear address must be canonical.
In 64-bit mode, memory accesses using FS-segment and GS-segment overrides are not checked for a runtime limit
nor subjected to attribute-checking. Normal segment loads (MOV to Sreg and POP Sreg) into FS and GS load a
standard 32-bit base value in the hidden portion of the segment register. The base address bits above the standard
32 bits are cleared to 0 to allow consistency for implementations that use less than 64 bits.
The hidden descriptor register fields for FS.base and GS.base are physically mapped to MSRs in order to load all
address bits supported by a 64-bit implementation. Software with CPL = 0 (privileged software) can load all
supported linear-address bits into FS.base or GS.base using WRMSR. Addresses written into the 64-bit FS.base
and GS.base registers must be in canonical form. A WRMSR instruction that attempts to write a non-canonical
address to those registers causes a #GP fault.
When in compatibility mode, FS and GS overrides operate as defined by 32-bit mode behavior regardless of the
value loaded into the upper 32 linear-address bits of the hidden descriptor register base field. Compatibility mode
ignores the upper 32 bits when calculating an effective address.
A new 64-bit mode instruction, SWAPGS, can be used to load GS base. SWAPGS exchanges the kernel data structure
pointer from the IA32_KERNEL_GS_BASE MSR with the GS base register. The kernel can then use the GS
prefix on normal memory references to access the kernel data structures. An attempt to write a non-canonical
value (using WRMSR) to the IA32_KERNEL_GS_BASE MSR causes a #GP fault.
Copy link

rhoughton commented Apr 21, 2019

Just want to make sure I'm reading this right: there is no way to override the FS or GS registers to accept a 64-bit address? Even when you use SWAPGS the use of non-canonical values will cause a fault?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment