The following is how the two stacks look at entry to the more privileged program after a call through a call gate (here with a parameter count of 4, so P0..P3 are copied):

                RING 3 STACK                        RING 0 STACK
                                                                     <-- INITIAL R0 ESP
              ---------------      high           ---------------
             |               |     addresses     |      SS       |
             |---------------|                   |---------------|
             |      P3       |                   |      ESP      |
             |---------------|                   |---------------|
             |      P2       |                   |      P3       |
             |---------------|                   |---------------|
             |      P1       |                   |      P2       |
             |---------------|                   |---------------|
             |      P0       |                   |      P1       |
             |---------------|                   |---------------|
             |               |                   |      P0       |
             |---------------|                   |---------------|
             |               |                   |      CS       |
             |---------------|                   |---------------|
             |               |                   |      EIP      |
             |---------------|                   |---------------|
             |               |     low           |               |
                                   addresses
Note: There is NO RETURN ADDRESS on the less privileged stack.
Note: The two items at the top of the more privileged stack are the less privileged SS and ESP.
Note: Subtract 8 from the ESP value found in the TSS for the new privilege level (ESP0 for a Ring 0 entry) to find where the less privileged ESP and SS are stored: the saved ESP is at that address and the saved SS is four bytes above it. The values in the TSS are initial stack pointer values, not the address of the first item pushed.
Note: A trap C (stack fault, interrupt 0Ch) taken in Ring 0 is usually a double fault.

When the processor detects a stack exception it must push EFLAGS, the return address (CS:EIP) and an error code onto the stack of the exception handler. If the exception happens in Ring 0 there is no privilege level transition, and therefore none of the things a transition brings, including the switch to a new, protected stack taken from the TSS: the pushes go onto the very stack that just faulted. If the exception was caused by the stack growing past its limit, there is no room for the error code or the return address, so the attempt to deliver the stack fault faults again and the processor escalates to a double fault. To survive this case the double fault handler is normally reached through a task gate, which gives it a fresh stack from its own TSS; if even the double fault cannot be delivered, the processor shuts down.

RESULT: TRAP 8 (double fault)
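The following C program is an added illustration, not code from the original text: it models a 386 stack segment as a byte-addressed array and replays the two situations above, the call-gate transfer that builds the Ring 0 stack in the diagram (including the "initial ESP from the TSS minus 8" rule and the absence of a return address on the Ring 3 stack) and the stack fault taken in Ring 0 that turns into trap 8 because the processor's own pushes fault. Every address, selector value and the stack size are invented for the example; the TSS value is an assumed constant. The model pushes one dword at a time, whereas the real processor checks up front that the new stack has room for everything it is about to push; the outcome in both cases is the same.

```c
#include <stdint.h>
#include <stdio.h>

/* A byte-addressed model of one 386 expand-up stack segment.  mem[0] lives at
 * linear address 'base'; ESP counts down and may not cross 'base'.  The sizes
 * and addresses used here are invented for the illustration. */
#define STACK_BYTES 256
#define TSS_ESP0    0x2100u   /* assumed initial Ring 0 ESP stored in the TSS */
#define TRAP_DF     8         /* double fault */
#define TRAP_SS     12        /* stack fault (trap 0Ch) */

typedef struct {
    uint32_t base;                   /* lowest valid address in the segment */
    uint32_t esp;                    /* current stack pointer */
    uint32_t mem[STACK_BYTES / 4];   /* backing store, one dword per slot */
} Stack;

/* Push one dword; returns -1 where the 386 would raise a stack fault,
 * i.e. when the push would run below the bottom of the segment. */
static int push(Stack *s, uint32_t v)
{
    if (s->esp < s->base + 4)
        return -1;
    s->esp -= 4;
    s->mem[(s->esp - s->base) / 4] = v;
    return 0;
}

/* Read the dword stored at linear address 'addr' inside the segment. */
static uint32_t peek(const Stack *s, uint32_t addr)
{
    return s->mem[(addr - s->base) / 4];
}

/* Call-gate transfer with 'nparams' dword parameters from the less privileged
 * stack 'outer' to the Ring 0 stack 'inner'.  The order matches the 386:
 * ESP is loaded from the TSS, the old SS and ESP are pushed, the parameters
 * are copied (highest address first so their order is preserved), and finally
 * the return CS:EIP is pushed.  'outer' is never written, which is why no
 * return address appears on the less privileged stack.
 * Returns 0 on success or -1 if the inner stack ran out of room. */
static int call_gate_enter(const Stack *outer, uint16_t outer_ss,
                           uint16_t outer_cs, uint32_t outer_eip,
                           Stack *inner, uint32_t tss_esp, int nparams)
{
    inner->esp = tss_esp;
    if (push(inner, outer_ss) || push(inner, outer->esp))
        return -1;
    for (int i = nparams - 1; i >= 0; i--)
        if (push(inner, peek(outer, outer->esp + 4u * i)))
            return -1;
    return (push(inner, outer_cs) || push(inner, outer_eip)) ? -1 : 0;
}

/* Deliver a fault raised while already in Ring 0.  No privilege transition
 * means no stack switch: EFLAGS, CS, EIP and the error code all go onto the
 * current stack.  If one of those pushes faults too, the result is a double
 * fault instead of the original vector. */
static int deliver_ring0_fault(Stack *s, int vector, uint32_t eflags,
                               uint16_t cs, uint32_t eip, uint32_t err)
{
    if (push(s, eflags) || push(s, cs) || push(s, eip) || push(s, err))
        return TRAP_DF;
    return vector;
}

/* Constructed scenario matching the diagram: a Ring 3 caller with P0..P3 on
 * its stack (P0 at the lowest address) goes through a call gate whose
 * parameter count is 4.  Selector and EIP values are made up. */
static Stack demo_r3, demo_r0;

static int demo_call_gate(void)
{
    demo_r3 = (Stack){ .base = 0x1000, .esp = 0x10F0 };
    demo_r0 = (Stack){ .base = 0x2000, .esp = 0 };
    for (int i = 0; i < 4; i++)
        demo_r3.mem[(demo_r3.esp - demo_r3.base) / 4 + i] = 0xA0u + i;
    return call_gate_enter(&demo_r3, 0x0023, 0x001B, 0x4000,
                           &demo_r0, TSS_ESP0, 4);
}

/* Constructed scenario for the trap C / trap 8 case: a Ring 0 stack with
 * 'room' bytes left below ESP takes a stack fault.  Returns the vector the
 * processor ends up delivering. */
static int demo_ring0_stack_fault(uint32_t room)
{
    Stack s = { .base = 0x2000, .esp = 0x2000 + room };
    return deliver_ring0_fault(&s, TRAP_SS, 0x0202, 0x0008, 0xC0DE, 0);
}

int main(void)
{
    demo_call_gate();
    printf("Ring 0 ESP at entry            : %#x\n", (unsigned)demo_r0.esp);
    printf("caller SS:ESP saved at ESP0-8  : %#x:%#x\n",
           (unsigned)peek(&demo_r0, TSS_ESP0 - 4),
           (unsigned)peek(&demo_r0, TSS_ESP0 - 8));
    printf("Ring 3 ESP after the transfer  : %#x (unchanged)\n",
           (unsigned)demo_r3.esp);
    printf("stack fault, 16 bytes of room  : trap %d\n", demo_ring0_stack_fault(16));
    printf("stack fault, 4 bytes of room   : trap %d\n", demo_ring0_stack_fault(4));
    return 0;
}
```

With 16 bytes of room the four pushes succeed and the handler for trap 12 is entered on the faulted stack; with 4 bytes or none, one of the processor's own pushes fails and the program reports trap 8, which is the situation the note above describes.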