I386_GET_LDT(2) System Calls Manual I386_GET_LDT(2)

NAME
i386_get_ldt, i386_set_ldt - manage i386 per-process Local Descriptor Table entries

LIBRARY
Standard C Library (libc, -lc)

SYNOPSIS
#include <architecture/i386/table.h>
#include <i386/user_ldt.h>

int
i386_get_ldt(int start_sel, union ldt_entry *descs, int num_sels);

int
i386_set_ldt(int start_sel, union ldt_entry *descs, int num_sels);

DESCRIPTION
The i386_get_ldt() system call returns the list of i386 descriptors that the process has in its LDT. The i386_set_ldt() system call sets a list of i386 descriptors for the current process in its LDT. Both routines accept a starting selector number start_sel, a buffer descs that holds the descriptors to be set or receives the descriptors returned, and the number of entries to set or return num_sels.

Each entry in descs can be a code_desc_t, data_desc_t or call_gate_t, all of which are defined in <architecture/i386/desc.h>. These structures are defined by the architecture as disjoint bit-fields, so care must be taken in constructing them.

If start_sel is , num_sels is 1 and the descriptor pointed to by descs is legal, then i386_set_ldt() will allocate a descriptor and return its selector number.

If num_sels is 1, start_sel is valid, and descs is NULL, then i386_set_ldt() will free that descriptor (making it available to be reallocated later).

If num_sels is 0, start_sel is 0 and descs is NULL then, as a special case, i386_set_ldt() will free all descriptors.

i386_set_ldt() and i386_get_ldt() may be used by 64-bit processes to create 32-bit (compatibility mode) code segments, in addition to the set of segments already specified, which, together with additional infrastructure not provided by macOS, enables 32-bit code execution. Some platforms may reject segments with non-zero base addresses by returning -1 and setting errno to EINVAL.
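Because the descriptors are disjoint bit-fields, it is easy to place a base or limit fragment in the wrong bits. The following is an added example, not code from this manual or from macOS: it packs and unpacks the architectural 8-byte code/data descriptor layout from the Intel manual cited below and applies a pre-flight check for the non-zero-base EINVAL case before a descriptor is handed to i386_set_ldt(). The names struct seg_fields, seg_encode, seg_decode and seg_check are hypothetical; the block does not call the system calls, so it builds on any platform.

```c
#include <stdint.h>
#include <stdio.h>
/* Programmer's view of a code/data descriptor (hypothetical type for this example). */
struct seg_fields {
    uint32_t base;      /* 32-bit linear base address */
    uint32_t limit;     /* 20-bit limit, in bytes or 4 KiB pages */
    unsigned type : 4;  /* 0xA = execute/read code, 0x2 = read/write data */
    unsigned dpl : 2;   /* descriptor privilege level */
    unsigned present : 1;
    unsigned db : 1;    /* D/B: 1 = 32-bit default operand/address size */
    unsigned gran : 1;  /* G: 1 = limit counts 4 KiB pages */
};
/* Pack into the architectural 8-byte layout: base and limit are each split in two. */
uint64_t seg_encode(const struct seg_fields *f)
{
    uint64_t d = 0;
    d |= (uint64_t)(f->limit & 0xFFFFu);             /* limit[15:0]  bits 0-15  */
    d |= (uint64_t)(f->base & 0xFFFFFFu) << 16;      /* base[23:0]   bits 16-39 */
    d |= (uint64_t)(f->type & 0xFu) << 40;           /* type         bits 40-43 */
    d |= (uint64_t)1 << 44;                          /* S=1: code/data segment  */
    d |= (uint64_t)(f->dpl & 0x3u) << 45;            /* DPL          bits 45-46 */
    d |= (uint64_t)(f->present & 1u) << 47;          /* P            bit 47     */
    d |= (uint64_t)((f->limit >> 16) & 0xFu) << 48;  /* limit[19:16] bits 48-51 */
    d |= (uint64_t)(f->db & 1u) << 54;               /* D/B          bit 54     */
    d |= (uint64_t)(f->gran & 1u) << 55;             /* G            bit 55     */
    d |= (uint64_t)((f->base >> 24) & 0xFFu) << 56;  /* base[31:24]  bits 56-63 */
    return d;
}
/* Unpack a raw descriptor, e.g. one read back with i386_get_ldt(). */
struct seg_fields seg_decode(uint64_t d)
{
    struct seg_fields f = {
        .base  = (uint32_t)((d >> 16) & 0xFFFFFFu) | (uint32_t)((d >> 56) & 0xFFu) << 24,
        .limit = (uint32_t)(d & 0xFFFFu) | (uint32_t)((d >> 48) & 0xFu) << 16,
        .type = (unsigned)((d >> 40) & 0xFu), .dpl = (unsigned)((d >> 45) & 0x3u),
        .present = (unsigned)((d >> 47) & 1u), .db = (unsigned)((d >> 54) & 1u),
        .gran = (unsigned)((d >> 55) & 1u),
    };
    return f;
}
/* Pre-flight check: present, S=1 (code/data) and zero base, since some platforms reject non-zero bases with EINVAL. */
int seg_check(uint64_t d)
{
    return ((d >> 47) & 1u) && ((d >> 44) & 1u) && seg_decode(d).base == 0;
}
int main(void)
{   /* Constructed input: flat 32-bit user code segment, 4 GiB limit, DPL 3. */
    struct seg_fields cs = { 0, 0xFFFFF, 0xA, 3, 1, 1, 1 };
    uint64_t raw = seg_encode(&cs);
    printf("descriptor %016llx passes=%d\n", (unsigned long long)raw, seg_check(raw));
    return 0;
}
```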

RETURN VALUES
Upon successful completion, i386_get_ldt() returns the number of descriptors currently in the LDT. The i386_set_ldt() system call returns the first selector set. In the case when a descriptor is allocated by the kernel, its number will be returned. Otherwise, a value of -1 is returned and the global variable errno is set to indicate the error.

ERRORS
The i386_get_ldt() and i386_set_ldt() system calls will fail if:

[EINVAL]
An inappropriate value was used for start_sel or num_sels, or the platform does not support non-zero base addresses in custom descriptors and the descriptor base address passed to i386_set_ldt() is non-zero.
[]
The caller attempted to use a descriptor that would circumvent protection or cause a failure.

SEE ALSO
i386 Microprocessor Programmer's Reference Manual, Intel

BUGS
You can really hose your process using this.

February 14, 2020 Mac OS X 12