da/dac/StackOverflow_8c_source.html

/*

 * PROJECT:         ReactOS api tests

 * LICENSE:         GPL - See COPYING in the top level directory

 * PURPOSE:         Test for stack overflow

 * PROGRAMMER:      Jérôme Gardou

 */


#include "precomp.h"


#include <pseh/pseh2.h>


#ifdef _MSC_VER

#pragma warning(disable : 4717) // disable warning about recursive function

#endif


static int iteration = 0;

static PVOID StackAllocationBase;

static PVOID LastStackAllocation;

static ULONG StackSize;


static

void

infinite_recursive(void)

{

    MEMORY_BASIC_INFORMATION MemoryBasicInfo;

    NTSTATUS Status;

    char Buffer[0x500];


    sprintf(Buffer, "Iteration %d.\n", iteration++);


    Status = NtQueryVirtualMemory(

        NtCurrentProcess(),

        &Buffer[0],

        MemoryBasicInformation,

        &MemoryBasicInfo,

        sizeof(MemoryBasicInfo),

        NULL);

    ok_ntstatus(Status, STATUS_SUCCESS);

    /* This never changes */

    ok_ptr(MemoryBasicInfo.AllocationBase, StackAllocationBase);

    /* Stack is committed one page at a time */

    ok_ptr(MemoryBasicInfo.BaseAddress, (PVOID)PAGE_ROUND_DOWN(&Buffer[0]));

    /* This is the protection of the memory when it was reserved. */

    ok_long(MemoryBasicInfo.AllocationProtect, PAGE_READWRITE);

    /* Windows commits the whole used stack at once, +2 pages. */

#if 0

    ok_long(MemoryBasicInfo.RegionSize, ((ULONG_PTR)StackAllocationBase + StackSize + 2* PAGE_SIZE) - PAGE_ROUND_DOWN(&Buffer[0]));

#endif

    /* This is the state of the queried address */

    ok_long(MemoryBasicInfo.State, MEM_COMMIT);

    /* This is the protection of the queried address */

    ok_long(MemoryBasicInfo.Protect, PAGE_READWRITE);

    /* Of course this is private memory. */

    ok_long(MemoryBasicInfo.Type, MEM_PRIVATE);


    LastStackAllocation = &Buffer[-0x500];


    infinite_recursive();

}


START_TEST(StackOverflow)

{

    NTSTATUS Status;

    MEMORY_BASIC_INFORMATION MemoryBasicInfo;


    /* Get the base of the stack */

    Status = NtQueryVirtualMemory(

        NtCurrentProcess(),

        &Status,

        MemoryBasicInformation,

        &MemoryBasicInfo,

        sizeof(MemoryBasicInfo),

        NULL);

    ok_ntstatus(Status, STATUS_SUCCESS);

    StackAllocationBase = MemoryBasicInfo.AllocationBase;

    trace("Stack allocation base is %p.\n", StackAllocationBase);

    StackSize = MemoryBasicInfo.RegionSize;


    /* Check TEB attributes */

    ok_ptr(NtCurrentTeb()->DeallocationStack, StackAllocationBase);

    ok_ptr(NtCurrentTeb()->NtTib.StackBase, (PVOID)((ULONG_PTR)MemoryBasicInfo.BaseAddress + MemoryBasicInfo.RegionSize));

#ifdef _WIN64

    ok_ptr(NtCurrentTeb()->NtTib.StackLimit, (PVOID)((ULONG_PTR)MemoryBasicInfo.BaseAddress - 2 * PAGE_SIZE));

#else

    ok_ptr(NtCurrentTeb()->NtTib.StackLimit, (PVOID)((ULONG_PTR)MemoryBasicInfo.BaseAddress - PAGE_SIZE));

#endif

    trace("Guaranteed stack size is %lu.\n", NtCurrentTeb()->GuaranteedStackBytes);


    /* Get its size */

    Status = NtQueryVirtualMemory(

        NtCurrentProcess(),

        StackAllocationBase,

        MemoryBasicInformation,

        &MemoryBasicInfo,

        sizeof(MemoryBasicInfo),

        NULL);

    ok_ntstatus(Status, STATUS_SUCCESS);


    /* This is the complete stack size */

    StackSize += MemoryBasicInfo.RegionSize;

    trace("Stack size is 0x%lx.\n", StackSize);


    trace("Stack limit %p, stack base %p.\n", NtCurrentTeb()->NtTib.StackLimit, NtCurrentTeb()->NtTib.StackBase);


    /* Take a look at what is beyond the stack limit */

    Status = NtQueryVirtualMemory(

        NtCurrentProcess(),

        NtCurrentTeb()->NtTib.StackLimit,

        MemoryBasicInformation,

        &MemoryBasicInfo,

        sizeof(MemoryBasicInfo),

        NULL);

    ok_ntstatus(Status, STATUS_SUCCESS);


    ok_ptr(MemoryBasicInfo.BaseAddress, NtCurrentTeb()->NtTib.StackLimit);

    ok_ptr(MemoryBasicInfo.AllocationBase, StackAllocationBase);

    ok_long(MemoryBasicInfo.AllocationProtect, PAGE_READWRITE);

#ifdef _WIN64

    ok_long(MemoryBasicInfo.RegionSize, 3 * PAGE_SIZE);

#else

    ok_long(MemoryBasicInfo.RegionSize, 2 * PAGE_SIZE);

#endif

    ok_long(MemoryBasicInfo.State, MEM_COMMIT);

    ok_long(MemoryBasicInfo.Protect, PAGE_READWRITE);

    ok_long(MemoryBasicInfo.Type, MEM_PRIVATE);


    /* Accessing below stack limit is OK, as long as we don't starve the reserved space. */

    _SEH2_TRY

    {

        volatile CHAR* Pointer = (PVOID)((ULONG_PTR)NtCurrentTeb()->NtTib.StackLimit - PAGE_SIZE / 2);

        CHAR Value = *Pointer;

        (void)Value;

        Status = STATUS_SUCCESS;

    }

    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)

    {

        Status = _SEH2_GetExceptionCode();

    }

    _SEH2_END;

    ok_ntstatus(Status, STATUS_SUCCESS);


    _SEH2_TRY

    {

        infinite_recursive();

    }

    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)

    {

        trace("Exception after %d iteration.\n", iteration);

        Status = _SEH2_GetExceptionCode();

    }

    _SEH2_END;


    ok_ntstatus(Status, STATUS_STACK_OVERFLOW);


    /* Windows lets 2 pages between the reserved memory and the smallest possible stack address */

    ok((ULONG_PTR)LastStackAllocation > (ULONG_PTR)StackAllocationBase, "\n");

#ifdef _WIN64

    ok_long(PAGE_ROUND_DOWN(LastStackAllocation), (ULONG_PTR)StackAllocationBase + 4 * PAGE_SIZE);

#else

    ok_long(PAGE_ROUND_DOWN(LastStackAllocation), (ULONG_PTR)StackAllocationBase + 3 * PAGE_SIZE);

#endif


    /* And in fact, this is the true condition of the stack overflow */

    ok_ptr(NtCurrentTeb()->NtTib.StackLimit, (PVOID)((ULONG_PTR)StackAllocationBase + PAGE_SIZE));


    trace("Stack limit %p, stack base %p.\n", NtCurrentTeb()->NtTib.StackLimit, NtCurrentTeb()->NtTib.StackBase);


    /* Of course, accessing above the stack limit is OK. */

    _SEH2_TRY

    {

        volatile CHAR* Pointer = (PVOID)((ULONG_PTR)NtCurrentTeb()->NtTib.StackLimit + PAGE_SIZE / 2);

        CHAR Value = *Pointer;

        (void)Value;

        Status = STATUS_SUCCESS;

    }

    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)

    {

        Status = _SEH2_GetExceptionCode();

    }

    _SEH2_END;

    ok_ntstatus(Status, STATUS_SUCCESS);


    /* But once stack is starved, it's starved. */

    _SEH2_TRY

    {

        volatile CHAR* Pointer = (PVOID)((ULONG_PTR)NtCurrentTeb()->NtTib.StackLimit - PAGE_SIZE / 2);

        CHAR Value = *Pointer;

        (void)Value;

        Status = STATUS_SUCCESS;

    }

    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)

    {

        trace("Exception after %d iteration.\n", iteration);

        Status = _SEH2_GetExceptionCode();

    }

    _SEH2_END;

    ok_ntstatus(Status, STATUS_ACCESS_VIOLATION);

}

StackAllocationBase
static PVOID StackAllocationBase
Definition: StackOverflow.c:17

StackSize
static ULONG StackSize
Definition: StackOverflow.c:19

LastStackAllocation
static PVOID LastStackAllocation
Definition: StackOverflow.c:18

iteration
static int iteration
Definition: StackOverflow.c:16

infinite_recursive
static void infinite_recursive(void)
Definition: StackOverflow.c:23

ok_ntstatus
#define ok_ntstatus(status, expected)
Definition: atltest.h:135

ok_long
#define ok_long(expression, result)
Definition: atltest.h:133

trace
#define trace
Definition: atltest.h:70

ok
#define ok(value,...)
Definition: atltest.h:57

START_TEST
#define START_TEST(x)
Definition: atltest.h:75

ok_ptr
#define ok_ptr(expression, result)
Definition: atltest.h:108

NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26

Buffer
Definition: bufpool.h:45

NULL
#define NULL
Definition: types.h:112

PAGE_SIZE
#define PAGE_SIZE
Definition: env_spec_w32.h:49

_SEH2_END
#define _SEH2_END
Definition: filesup.c:22

_SEH2_TRY
#define _SEH2_TRY
Definition: filesup.c:19

Status
Status
Definition: gdiplustypes.h:25

EXCEPTION_EXECUTE_HANDLER
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85

void
Definition: nsiface.idl:2307

NtCurrentTeb
#define NtCurrentTeb
Definition: iphlpapi_private.h:4

sprintf
#define sprintf(buf, format,...)
Definition: sprintf.c:55

MemoryBasicInformation
@ MemoryBasicInformation
Definition: mmtypes.h:183

PAGE_ROUND_DOWN
#define PAGE_ROUND_DOWN(x)
Definition: mmtypes.h:36

PAGE_READWRITE
#define PAGE_READWRITE
Definition: nt_native.h:1304

MEM_PRIVATE
#define MEM_PRIVATE
Definition: nt_native.h:1318

NtCurrentProcess
#define NtCurrentProcess()
Definition: nt_native.h:1657

MEM_COMMIT
#define MEM_COMMIT
Definition: nt_native.h:1313

NtQueryVirtualMemory
NTSTATUS NTAPI NtQueryVirtualMemory(IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN MEMORY_INFORMATION_CLASS MemoryInformationClass, OUT PVOID MemoryInformation, IN SIZE_T MemoryInformationLength, OUT PSIZE_T ReturnLength)
Definition: virtual.c:4409

STATUS_STACK_OVERFLOW
#define STATUS_STACK_OVERFLOW
Definition: ntstatus.h:489

STATUS_ACCESS_VIOLATION
#define STATUS_ACCESS_VIOLATION
Definition: ntstatus.h:242

pseh2.h

_SEH2_GetExceptionCode
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:159

_SEH2_EXCEPT
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:34

STATUS_SUCCESS
#define STATUS_SUCCESS
Definition: shellext.h:65

_MEMORY_BASIC_INFORMATION
Definition: mmtypes.h:971

_MEMORY_BASIC_INFORMATION::RegionSize
SIZE_T RegionSize
Definition: mmtypes.h:975

_MEMORY_BASIC_INFORMATION::AllocationBase
PVOID AllocationBase
Definition: mmtypes.h:973

_MEMORY_BASIC_INFORMATION::AllocationProtect
ULONG AllocationProtect
Definition: mmtypes.h:974

_MEMORY_BASIC_INFORMATION::State
ULONG State
Definition: mmtypes.h:976

_MEMORY_BASIC_INFORMATION::Type
ULONG Type
Definition: mmtypes.h:978

_MEMORY_BASIC_INFORMATION::BaseAddress
PVOID BaseAddress
Definition: mmtypes.h:972

_MEMORY_BASIC_INFORMATION::Protect
ULONG Protect
Definition: mmtypes.h:977

PVOID
void * PVOID
Definition: typedefs.h:50

ULONG_PTR
uint32_t ULONG_PTR
Definition: typedefs.h:65

ULONG
uint32_t ULONG
Definition: typedefs.h:59

Value
_Must_inspect_result_ _In_ WDFKEY _In_ PCUNICODE_STRING _Out_opt_ PUSHORT _Inout_opt_ PUNICODE_STRING Value
Definition: wdfregistry.h:413

precomp.h

CHAR
char CHAR
Definition: xmlstorage.h:175