How does the window stack protection page mechanism work in case of uninitialized local variables?

In Windows, for virtual memory of the x86 architecture stack | x64 architecture consists of "Reserved Part" "Part", "Sentinel-Page" and "Reserved Page".


Imagine I have 1 page of commit memory and 1MB of spare memory for the thread stack. I am allocating on the stack some memory equal to K Pages without initialization. K equals, for example, 10. It seems that at the start of a frame, a frame on the stack will be allocated by user-space code like this:

sub esp, K*4096


The watchdog mechanism works when an existing read write request exists to protect the page.

But what will I perform to read | write to some memory outside of this protective page?


source to share

2 answers

Typically, you run test code that has been compiled with runtime checking enabled. / RTC on MSVC ++ , enabled by default in Debug config, it introduces a function call _chkstk () in the function prologue. GCC / g ++ has something very similar .

Which checks the allocation pages in the function prologue, reading every 4096 byte. This will ensure that you are always taken to the protection page when you make a mistake by calling that site name and helping you fix the error.

Without this check, you could technically access a page that is not part of the stack at all. While it is quite likely to trigger a #GP processor trap, it is not guaranteed to be because the page might have been mapped to another unrelated allocation. You would be out of luck, it was done. Fundamental UB, absolutely terrible to diagnose since you never suspect a stack, / RTC is quite valuable.



Your program will crash when accessing an address outside the protected page, but by default the compiler will call the __chkstk () function every time the local allocation exceeds 4K.

Here is an article that explains how the stack protection page works in windows:



All Articles