StackOverflow.c File Reference

#include "precomp.h"
#include <pseh/pseh2.h>

Include dependency graph for StackOverflow.c:

Go to the source code of this file.

Functions
static void	infinite_recursive (void)
	START_TEST (StackOverflow)

Variables
static int	iteration = 0
static PVOID	StackAllocationBase
static PVOID	LastStackAllocation
static ULONG	StackSize

Function Documentation

infinite_recursive()

static void infinite_recursive ( void  )

static

Definition at line 23 of file StackOverflow.c.

{
    MEMORY_BASIC_INFORMATION MemoryBasicInfo;
    NTSTATUS Status;
    char Buffer[0x500];

    sprintf(Buffer, "Iteration %d.\n", iteration++);

    Status = NtQueryVirtualMemory(
        NtCurrentProcess(),
        &Buffer[0],
        MemoryBasicInformation,
        &MemoryBasicInfo,
        sizeof(MemoryBasicInfo),
        NULL);
    ok_ntstatus(Status, STATUS_SUCCESS);
    /* This never changes */
    ok_ptr(MemoryBasicInfo.AllocationBase, StackAllocationBase);
    /* Stack is committed one page at a time */
    ok_ptr(MemoryBasicInfo.BaseAddress, (PVOID)PAGE_ROUND_DOWN(&Buffer[0]));
    /* This is the protection of the memory when it was reserved. */
    ok_long(MemoryBasicInfo.AllocationProtect, PAGE_READWRITE);
    /* Windows commits the whole used stack at once, +2 pages. */
#if 0
    ok_long(MemoryBasicInfo.RegionSize, ((ULONG_PTR)StackAllocationBase + StackSize + 2* PAGE_SIZE) - PAGE_ROUND_DOWN(&Buffer[0]));
#endif
    /* This is the state of the queried address */
    ok_long(MemoryBasicInfo.State, MEM_COMMIT);
    /* This is the protection of the queried address */
    ok_long(MemoryBasicInfo.Protect, PAGE_READWRITE);
    /* Of course this is private memory. */
    ok_long(MemoryBasicInfo.Type, MEM_PRIVATE);

    LastStackAllocation = &Buffer[-0x500];

    infinite_recursive();
}

Referenced by START_TEST().

START_TEST()

START_TEST

(

StackOverflow

)

Definition at line 61 of file StackOverflow.c.

{
    NTSTATUS Status;
    MEMORY_BASIC_INFORMATION MemoryBasicInfo;

    /* Get the base of the stack */
    Status = NtQueryVirtualMemory(
        NtCurrentProcess(),
        &Status,
        MemoryBasicInformation,
        &MemoryBasicInfo,
        sizeof(MemoryBasicInfo),
        NULL);
    ok_ntstatus(Status, STATUS_SUCCESS);
    StackAllocationBase = MemoryBasicInfo.AllocationBase;
    trace("Stack allocation base is %p.\n", StackAllocationBase);
    StackSize = MemoryBasicInfo.RegionSize;

    /* Check TEB attributes */
    ok_ptr(NtCurrentTeb()->DeallocationStack, StackAllocationBase);
    ok_ptr(NtCurrentTeb()->NtTib.StackBase, (PVOID)((ULONG_PTR)MemoryBasicInfo.BaseAddress + MemoryBasicInfo.RegionSize));
#ifdef _WIN64
    ok_ptr(NtCurrentTeb()->NtTib.StackLimit, (PVOID)((ULONG_PTR)MemoryBasicInfo.BaseAddress - 2 * PAGE_SIZE));
#else
    ok_ptr(NtCurrentTeb()->NtTib.StackLimit, (PVOID)((ULONG_PTR)MemoryBasicInfo.BaseAddress - PAGE_SIZE));
#endif
    trace("Guaranteed stack size is %lu.\n", NtCurrentTeb()->GuaranteedStackBytes);

    /* Get its size */
    Status = NtQueryVirtualMemory(
        NtCurrentProcess(),
        StackAllocationBase,
        MemoryBasicInformation,
        &MemoryBasicInfo,
        sizeof(MemoryBasicInfo),
        NULL);
    ok_ntstatus(Status, STATUS_SUCCESS);

    /* This is the complete stack size */
    StackSize += MemoryBasicInfo.RegionSize;
    trace("Stack size is 0x%lx.\n", StackSize);

    trace("Stack limit %p, stack base %p.\n", NtCurrentTeb()->NtTib.StackLimit, NtCurrentTeb()->NtTib.StackBase);

    /* Take a look at what is beyond the stack limit */
    Status = NtQueryVirtualMemory(
        NtCurrentProcess(),
        NtCurrentTeb()->NtTib.StackLimit,
        MemoryBasicInformation,
        &MemoryBasicInfo,
        sizeof(MemoryBasicInfo),
        NULL);
    ok_ntstatus(Status, STATUS_SUCCESS);

    ok_ptr(MemoryBasicInfo.BaseAddress, NtCurrentTeb()->NtTib.StackLimit);
    ok_ptr(MemoryBasicInfo.AllocationBase, StackAllocationBase);
    ok_long(MemoryBasicInfo.AllocationProtect, PAGE_READWRITE);
#ifdef _WIN64
    ok_long(MemoryBasicInfo.RegionSize, 3 * PAGE_SIZE);
#else
    ok_long(MemoryBasicInfo.RegionSize, 2 * PAGE_SIZE);
#endif
    ok_long(MemoryBasicInfo.State, MEM_COMMIT);
    ok_long(MemoryBasicInfo.Protect, PAGE_READWRITE);
    ok_long(MemoryBasicInfo.Type, MEM_PRIVATE);

    /* Accessing below stack limit is OK, as long as we don't starve the reserved space. */
    _SEH2_TRY
    {
        volatile CHAR* Pointer = (PVOID)((ULONG_PTR)NtCurrentTeb()->NtTib.StackLimit - PAGE_SIZE / 2);
        CHAR Value = *Pointer;
        (void)Value;
        Status = STATUS_SUCCESS;
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        Status = _SEH2_GetExceptionCode();
    }
    _SEH2_END;
    ok_ntstatus(Status, STATUS_SUCCESS);

    _SEH2_TRY
    {
        infinite_recursive();
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        trace("Exception after %d iteration.\n", iteration);
        Status = _SEH2_GetExceptionCode();
    }
    _SEH2_END;

    ok_ntstatus(Status, STATUS_STACK_OVERFLOW);

    /* Windows lets 2 pages between the reserved memory and the smallest possible stack address */
    ok((ULONG_PTR)LastStackAllocation > (ULONG_PTR)StackAllocationBase, "\n");
#ifdef _WIN64
    ok_long(PAGE_ROUND_DOWN(LastStackAllocation), (ULONG_PTR)StackAllocationBase + 4 * PAGE_SIZE);
#else
    ok_long(PAGE_ROUND_DOWN(LastStackAllocation), (ULONG_PTR)StackAllocationBase + 3 * PAGE_SIZE);
#endif

    /* And in fact, this is the true condition of the stack overflow */
    ok_ptr(NtCurrentTeb()->NtTib.StackLimit, (PVOID)((ULONG_PTR)StackAllocationBase + PAGE_SIZE));

    trace("Stack limit %p, stack base %p.\n", NtCurrentTeb()->NtTib.StackLimit, NtCurrentTeb()->NtTib.StackBase);

    /* Of course, accessing above the stack limit is OK. */
    _SEH2_TRY
    {
        volatile CHAR* Pointer = (PVOID)((ULONG_PTR)NtCurrentTeb()->NtTib.StackLimit + PAGE_SIZE / 2);
        CHAR Value = *Pointer;
        (void)Value;
        Status = STATUS_SUCCESS;
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        Status = _SEH2_GetExceptionCode();
    }
    _SEH2_END;
    ok_ntstatus(Status, STATUS_SUCCESS);

    /* But once stack is starved, it's starved. */
    _SEH2_TRY
    {
        volatile CHAR* Pointer = (PVOID)((ULONG_PTR)NtCurrentTeb()->NtTib.StackLimit - PAGE_SIZE / 2);
        CHAR Value = *Pointer;
        (void)Value;
        Status = STATUS_SUCCESS;
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        trace("Exception after %d iteration.\n", iteration);
        Status = _SEH2_GetExceptionCode();
    }
    _SEH2_END;
    ok_ntstatus(Status, STATUS_ACCESS_VIOLATION);
}

Variable Documentation

iteration

int iteration = 0

static

Definition at line 16 of file StackOverflow.c.

Referenced by ClasspGetHwFirmwareInfo(), infinite_recursive(), shader_arb_handle_instruction(), and START_TEST().

LastStackAllocation

PVOID LastStackAllocation

static

Definition at line 18 of file StackOverflow.c.

Referenced by infinite_recursive(), and START_TEST().

StackAllocationBase

PVOID StackAllocationBase

static

Definition at line 17 of file StackOverflow.c.

Referenced by infinite_recursive(), and START_TEST().

StackSize

ULONG StackSize

static

Definition at line 19 of file StackOverflow.c.

Referenced by infinite_recursive(), and START_TEST().