flat assembler
Message board for the users of flat assembler.

Index > Windows > 64 bit not understood sub rsp,8 !

Goto page Previous  1, 2, 3, 4, 5, 6, 7, 8, 9  Next
Author
Thread Post new topic Reply to topic
Furs



Joined: 04 Mar 2016
Posts: 2566
Furs 18 May 2022, 13:50
Well that's clearly not what Raymond said, when he mentioned that "the memory may be overwritten at any time". Granted, even if it's true that it cannot be today, is there guarantee that it won't even be used in the future? Considering people are told to not mess with it (it's like relying on undocumented APIs and so on).

What do you understand from this?
Raymond Chen wrote:
Suppose your thread gets pre-empted immediately after you store the data beyond the red zone. While your thread is waiting for a chance to resume execution, the memory manager pages out the code. Eventually, your thread resumes execution, and the memory manager tries to page it back in. Oh no, there’s an I/O error during the page-in! The operating system pushes an exception frame onto the stack for the STATUS_IN_PAGE_ERROR, clobbering the data you had been hiding beyond the red zone.
Maybe he got it wrong but it does seem like paging in can lead to exceptions (there's even a status code for it).

Note that it's not even required to read any memory. The whole exception example he gave is before the read from the red zone.
Post 18 May 2022, 13:50
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 18 May 2022, 14:01
The only reason for the OS to push a stack frame to your stack is if there is an exception and you asked to receive them.

Consider the case where you don't ask to receive exceptions, the normal case for a program like fasm. Then it simply crashes with the "you app has been terminated" message. Meaning you neither gain or lose anything, either way your app dies. Remember all exceptions have to be dealt with, you can't ignore them.

Fix the problem your app caused, or die: are the only two options when an exception is forwarded to your app. And simply die: if the exception isn't forwarded and you let the OS decide for you.
Post 18 May 2022, 14:01
View user's profile Send private message Visit poster's website Reply with quote
DimonSoft



Joined: 03 Mar 2010
Posts: 1228
Location: Belarus
DimonSoft 18 May 2022, 14:31
Furs wrote:
What do you understand from this?
Raymond Chen wrote:
Suppose your thread gets pre-empted immediately after you store the data beyond the red zone. While your thread is waiting for a chance to resume execution, the memory manager pages out the code. Eventually, your thread resumes execution, and the memory manager tries to page it back in. Oh no, there’s an I/O error during the page-in! The operating system pushes an exception frame onto the stack for the STATUS_IN_PAGE_ERROR, clobbering the data you had been hiding beyond the red zone.
Maybe he got it wrong but it does seem like paging in can lead to exceptions (there's even a status code for it).

Didn’t bother to check but if my memory serves me about the context, this part is talking of the case when someone stores data at Address < ESP (for x86 case). Then it definitely can be rewritten, since any part of the stack where Address < ESP is defined as not used at the moment.

Doing sub rsp, 1 just somewhat increases the amount of stack memory that is guaranteed to not be overwritten. The problem could be with add rsp, 1 if there is some data in that byte that gets from under the RSP “protection”, but it would be about overwriting the data, not exceptions.

Whether any version of Windows pushes something onto the application thread’s stack on exception occurence is another question. If it does (or did) in any version, one would better avoid arbitrary RSP values for compatibility. Values that fall into the stack address range should still cause no new exception (unless some alignment checking happens while processing the exception), only data before the old [RSP] would get rewritten.
Post 18 May 2022, 14:31
View user's profile Send private message Visit poster's website Reply with quote
Ville



Joined: 17 Jun 2003
Posts: 308
Ville 18 May 2022, 14:37
In general, interrupts and exceptions should be handled fully at the OS side (OS stack mem.), unless otherwise requested by the application.
Post 18 May 2022, 14:37
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 18 May 2022, 14:40
DimonSoft wrote:
Whether any version of Windows pushes something onto the application thread’s stack on exception occurence is another question. If it does (or did) in any version, one would better avoid arbitrary RSP values for compatibility.
Oh dear.

Clearly the explanation I gave is insufficient. There is no need to guess for this. It is 100% characterisable. You only ever get exceptions delivered if you ask for them, they are relevant to an instruction you just executed, and you can do something to fix it.

Windows doesn't deliver informative exceptions that you can only look at but not fix. It won't deliver paged-out exceptions to you. What could you do about it? You can't rewrite the page tables to fix it. Only a ring-0 process can do that.
Post 18 May 2022, 14:40
View user's profile Send private message Visit poster's website Reply with quote
DimonSoft



Joined: 03 Mar 2010
Posts: 1228
Location: Belarus
DimonSoft 18 May 2022, 15:10
revolution wrote:
DimonSoft wrote:
Whether any version of Windows pushes something onto the application thread’s stack on exception occurence is another question. If it does (or did) in any version, one would better avoid arbitrary RSP values for compatibility.
Oh dear.

Clearly the explanation I gave is insufficient. There is no need to guess for this. It is 100% characterisable. You only ever get exceptions delivered if you ask for them, they are relevant to an instruction you just executed, and you can do something to fix it.

Windows doesn't deliver informative exceptions that you can only look at but not fix. It won't deliver paged-out exceptions to you. What could you do about it? You can't rewrite the page tables to fix it. Only a ring-0 process can do that.

Oh dear.

You haven’t given a link to a place where this behaviour is clearly documented. I didn’t bother checking. That’s why I used the word IF.

That’s the way people do when they learn to be cautious about information they see in the Internet, no matter how trustworthy the source is considered to be. It’s about informational hygiene and avoiding to spread claims that one is not completely sure about (whether they’re true or not).
Post 18 May 2022, 15:10
View user's profile Send private message Visit poster's website Reply with quote
macomics



Joined: 26 Jan 2021
Posts: 1042
Location: Russia
macomics 18 May 2022, 18:08
IntelSDM-vol-2b: SUB wrote:
SUB—Subtract
...
Operation
Code:
DEST := (DEST – SRC);    

Flags Affected
The OF, SF, ZF, AF, PF, and CF flags are set according to the result.
I don't find any possible exceptions in the description of the algorithm of the instruction.
IntelSDM-vol-2b: SUB wrote:
Code:
Instruction Operand Encoding
Op/En|  Operand 1     | Operand 2   |Operand 3|Operand 4
  I  | AL/AX/EAX/RAX  | imm8/16/32  |   NA    |   NA
  MI |ModRM:r/m (r, w)| imm8/16/32  |   NA    |   NA     << sub rsp, 1
  MR |ModRM:r/m (r, w)|ModRM:reg (r)|   NA    |   NA
  RM |ModRM:reg (r, w)|ModRM:r/m (r)|   NA    |   NA    

...
64-Bit Mode Exceptions
Code:
#SS(0) - If a memory address referencing the SS segment is in a non-canonical form.    
No memory reference
Code:
#GP(0) - If the memory address is in a non-canonical form.    
No memory reference
Code:
#PF(fault-code) - If a page fault occurs.    
No memory reference
Code:
#AC(0) - If alignment checking is enabled and an unaligned memory reference is made while the current privilege level is 3.    
No memory reference
Code:
#UD - If the LOCK prefix is used but the destination is not a memory operand.    
No LOCK.
If you are still discussing the action of the sub rsp, 1 instruction, then it will not cause any exceptions. They are simply not provided.

Indirect exceptions that occur when switching tasks or loading pages from disk are processed in ring-0 and are not delivered to ring-3.
Post 18 May 2022, 18:08
View user's profile Send private message Reply with quote
sinsi



Joined: 10 Aug 2007
Posts: 794
Location: Adelaide
sinsi 18 May 2022, 21:19
Raymond wrote about exceptions and exception handling, he basically said to forget about exception handling.
If you handle an exception, you are hiding why the exception occurred. Better to have your app crash and fix the bad code, since properly written code should never cause an exception.
Post 18 May 2022, 21:19
View user's profile Send private message Reply with quote
macomics



Joined: 26 Jan 2021
Posts: 1042
Location: Russia
macomics 18 May 2022, 21:28
This is great, but exceptions do not occur in random places. They are generated by certain conditions. And we are talking about a specific instruction that does not generate a exceptions. But some argue that the stack pointer cannot be adjusted using times 8:sub esp, 1.
Post 18 May 2022, 21:28
View user's profile Send private message Reply with quote
Overclick



Joined: 11 Jul 2020
Posts: 669
Location: Ukraine
Overclick 18 May 2022, 23:28
What about OS context switch? What if it interupted between times 8:sub esp, 1 ? Just asking Smile
Post 18 May 2022, 23:28
View user's profile Send private message Visit poster's website Reply with quote
macomics



Joined: 26 Jan 2021
Posts: 1042
Location: Russia
macomics 19 May 2022, 00:11
Read it

Hardware interrupts and exceptions are handled first by the system task. That is, when an interrupt signal is received, the CPU switches to the system task, preserving the context of the user task. Each TSS has not only 4 stack pointers for each protection ring, but also ShadowStack.
To save the context of the task, there are TSS that do not require a block in the stack for any data. The entire execution context is saved in the TSS segment and a new system task context is loaded. Even the value in CR3 is updated.
Then the interrupt procedure is called with the return address stored in the stack. Upon returning from an interruption, the system must manually restore the context of the interrupted user task itself or switch to another one.

But not all interrupts require switching tasks. Some can switch only the protection ring from ring3 to ring0 by reloading the rsp0 value from TSS into rsp, get a symbol from the keyboard, put it in the system data structures and return back. For all this charm, the ring0 stack will be filled.

I tried to simplify the explanation to focus on stack operations.


Last edited by macomics on 19 May 2022, 01:00; edited 1 time in total
Post 19 May 2022, 00:11
View user's profile Send private message Reply with quote
Overclick



Joined: 11 Jul 2020
Posts: 669
Location: Ukraine
Overclick 19 May 2022, 00:56
Does Windows use all of that hardware to conrol usermode? Doesn't it stores context to 'reserved stack space'?
Post 19 May 2022, 00:56
View user's profile Send private message Visit poster's website Reply with quote
macomics



Joined: 26 Jan 2021
Posts: 1042
Location: Russia
macomics 19 May 2022, 01:06
All the mechanisms described above are related to the peculiarity of the functioning of the processor itself. Windows has no choice how to handle interrupts. Windows can only build its own model of working with this hardware.

It is enough for you to execute one call task_gate command to generate a huge amount of CPU work on reloading task contexts. After switching the context, the CPU in priority order may cause several more interrupts. For example, to update the FPU/XMM context.

Overclick wrote:
Doesn't it stores context to 'reserved stack space'?

SEH/VEH calls reaching ring3 are already made by the system code as an alternative to the processing procedure. By this point, the processing of the hardware interrupt has already been completed.


Last edited by macomics on 19 May 2022, 01:11; edited 1 time in total
Post 19 May 2022, 01:06
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 19 May 2022, 01:10
Overclick wrote:
Does Windows use all of that hardware to conrol usermode?
Yes.
Overclick wrote:
Doesn't it stores context to 'reserved stack space'?
Not for unrelated events like mouse move. But it will for exceptions your app causes if you ask for them.
Post 19 May 2022, 01:10
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 19 May 2022, 01:15
sinsi wrote:
Raymond wrote about exceptions and exception handling, he basically said to forget about exception handling.
If you handle an exception, you are hiding why the exception occurred. Better to have your app crash and fix the bad code, since properly written code should never cause an exception.
I disagree there. An app can use reserved un-committed memory to allocate on demand. Then use exceptions to allocate each new piece.

I showed this for console fasm a few years ago, to reduce the memory footprint and not be greedy and hog all the RAM.

Also DIV/0 is another place where user controlled scripting can do unexpected things, and catching exceptions is very handy and tidy.

So I don't believe there is a one-exception-style that suits all apps equally.
Post 19 May 2022, 01:15
View user's profile Send private message Visit poster's website Reply with quote
macomics



Joined: 26 Jan 2021
Posts: 1042
Location: Russia
macomics 19 May 2022, 01:21
revolution wrote:
Not for unrelated events like mouse move.
++
Code:
 TSS  | ring0    ring3
ss:sp0|          ss:sp3+$38 = ip
ss:sp1|          ss:sp3+$30 = bp
ss:sp2|          ss:sp3+$20 = xword
ss:sp3|          ss:sp3+$00 = $20 bytes for calls
------+         interrupt here (vector/trap handler) ss:sp = TSS.ss:sp0 (TSS.ss:sp3 doesn't change)
        ss:sp0+$20 = ss3
        ss:sp0+$18 = sp3
        ss:sp0+$10 = fl
        ss:sp0+$08 = cs3
        ss:sp0+$00 = ip3
                iret
                 ss:sp3+$00 = $20 bytes for calls    


revolution wrote:
I disagree there. An app can use reserved un-committed memory to allocate on demand. Then use exceptions to allocate each new piece.
For example, at the system level, this is how stack expansion works. Therefore, it is not necessary to allocate more than 4 KB of memory in the stack at a time. When the program goes beyond the boundary of the stack page, the next one is marked as reserved and the build-up occurs. All this is true after going abroad committed stack. see fasm1 directive:
Code:
stack <commit>,<reserv>    


Last edited by macomics on 19 May 2022, 01:29; edited 1 time in total
Post 19 May 2022, 01:21
View user's profile Send private message Reply with quote
Overclick



Joined: 11 Jul 2020
Posts: 669
Location: Ukraine
Overclick 19 May 2022, 01:26
Quote:

Not for unrelated events like mouse move. But it will for exceptions your app causes if you ask for them.

What winapi SetTimer does then? I was thinking that all usermode under programmable interupts exept kernel or something.
Post 19 May 2022, 01:26
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 19 May 2022, 01:30
So let's discuss asynchronous exception like CTRL-C. How does Windows provide those if is is not allowed to interrupt your thread with random exceptions you didn't cause?

The answer is really very nice. But let's clear this up first.

If you do nothing and don't ask to receive them, then CTRL-C will do as all unhandled exceptions do in Windows, kill your app.

But you can tell Windows to deliver CTRL-C into the keystroke buffer it maintains for your app. So when you read the keystrokes then CTRL-C is just another entry in the buffer.

If you don't want CTRL-C in the key buffer then you can elect to receive it as an exception. But it won't interrupt any existing thread. Windows isn't permitted to interrupt your code randomly. What it does is it creates a new thread in your process, with its associated new register set and new stack, and sends the exception to that thread executing your designated exception handler in the new thread.
Post 19 May 2022, 01:30
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 19 May 2022, 01:32
Overclick wrote:
What winapi SetTimer does then? I was thinking that all usermode under programmable interupts exept kernel or something.
SetTimer isn't an exception. You need to monitor your message loop.
Post 19 May 2022, 01:32
View user's profile Send private message Visit poster's website Reply with quote
macomics



Joined: 26 Jan 2021
Posts: 1042
Location: Russia
macomics 19 May 2022, 01:33
To determine whether the timer is triggered, it is enough to keep an array of trigger tick counters sorted in ascending order and check whether the nearest one has fired on a cyclic interrupt.
Post 19 May 2022, 01:33
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2, 3, 4, 5, 6, 7, 8, 9  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.