
Suppose that I have these two consecutive x64 instructions (running under Windows platform):

ADD RSP, 8
MOV RAX, QWORD PTR [RSP - 8]

As you see it's the equivalent to POP RAX. The location of [RSP - 8] is not allocated anymore and I'm accessing it!!

  1. Can I expect that value at [RSP - 8] not to be altered by a system interrupt or Windows?

I mean, can something happen (interrupt, context switch....) between the execution of those two instructions that modified the content of RSP - 8, so the MOV RAX, [RSP - 8] will read a garbage value?

  2. What if those two run in a device driver? Does the same apply?
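The hazard behind the question, as an added example that is not from the question or the comments: the "release the slot, then read it" ordering is compared with the "read it, then release the slot" ordering (which is what POP does). A single pushed qword stands in for whatever lands on the current RSP while the slot is unowned (an interrupt frame in kernel mode, an SEH or APC dispatch frame in user mode); the function names, the 128-byte red-zone hop (needed only so the inline asm does not trample the compiler's own red-zone use on SysV) and the test values are ours, and the non-x86-64 branch is a plain array model of the same two orderings.

```c
/* Added example: why reading a stack slot after ADD RSP, 8 is fragile,
 * and the safe ordering (read first, then release). Not code from the
 * question; names and values are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__)

/* Ordering from the question: release the slot, then read [RSP-8].
 * Between the ADD and the MOV we push one qword to model a handler
 * frame landing at RSP; it overwrites the slot that was just released. */
uint64_t read_after_release(uint64_t v, uint64_t frame_word)
{
    uint64_t out;
    __asm__ volatile(
        "sub   $128, %%rsp\n\t"     /* step over the SysV red zone */
        "push  %1\n\t"              /* value now lives at [RSP] */
        "add   $8, %%rsp\n\t"       /* slot released; bytes still there */
        "push  %2\n\t"              /* modelled interrupt/handler frame */
        "add   $8, %%rsp\n\t"       /* handler "returns" */
        "mov   -8(%%rsp), %0\n\t"   /* reads the frame word, not v */
        "add   $128, %%rsp\n\t"
        : "=&r"(out) : "r"(v), "r"(frame_word) : "memory", "cc");
    return out;
}

/* Safe ordering: read while the slot is still owned, then release it.
 * MOV [RSP] + ADD RSP, 8 is exactly what POP does, so a frame pushed
 * afterwards cannot change the value already in a register. */
uint64_t read_before_release(uint64_t v, uint64_t frame_word)
{
    uint64_t out;
    __asm__ volatile(
        "sub   $128, %%rsp\n\t"
        "push  %1\n\t"
        "mov   (%%rsp), %0\n\t"     /* read first */
        "add   $8, %%rsp\n\t"       /* now release (this pair == POP) */
        "push  %2\n\t"              /* a frame landing here is harmless */
        "add   $8, %%rsp\n\t"
        "add   $128, %%rsp\n\t"
        : "=&r"(out) : "r"(v), "r"(frame_word) : "memory", "cc");
    return out;
}

#else

/* Portable model of the same two orderings for non-x86-64 builds:
 * a small array stands in for the stack and sp for RSP (in qwords). */
static uint64_t stack_model[8];

uint64_t read_after_release(uint64_t v, uint64_t frame_word)
{
    int sp = 8;
    stack_model[--sp] = v;          /* push v */
    sp += 1;                        /* add rsp, 8: slot released */
    stack_model[--sp] = frame_word; /* handler frame pushed at RSP */
    sp += 1;                        /* handler returns */
    return stack_model[sp - 1];     /* [rsp - 8] holds the frame word */
}

uint64_t read_before_release(uint64_t v, uint64_t frame_word)
{
    int sp = 8;
    stack_model[--sp] = v;          /* push v */
    uint64_t out = stack_model[sp]; /* read [rsp] first */
    sp += 1;                        /* add rsp, 8 */
    stack_model[--sp] = frame_word; /* later frame cannot affect out */
    sp += 1;
    return out;
}

#endif

int main(void)
{
    printf("release then read: %#llx\n",
           (unsigned long long)read_after_release(0x1111, 0xC0FFEE));
    printf("read then release: %#llx\n",
           (unsigned long long)read_before_release(0x1111, 0xC0FFEE));
    return 0;
}
```

The first function returns the modelled frame word rather than the pushed value, which is the "garbage" the question asks about; the second returns the pushed value regardless of what is pushed afterwards. On a real system the clobbering push is not deterministic, which is exactly why the first ordering cannot be relied on where anything may use RSP asynchronously.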
  • On Windows, no it's not *guaranteed* to be safe. (It would be safe in user-space under Linux or other non-Windows OS, since the x86-64 System V ABI guarantees a red-zone). In user-space under Windows, there aren't many things that can use your process's stack, though. See [Is it valid to write below ESP?](https://stackoverflow.com/q/52258402) - SEH handlers are one thing. (AFAIK, the situation for x64 Windows isn't much different from 32-bit x86, unlike for non-Windows.) In kernel code, RSP will be used by hardware interrupts. – Peter Cordes Jul 29 '23 at 03:30
  • I think this is a duplicate of [Is it valid to write below ESP?](https://stackoverflow.com/q/52258402) - someone correct me if I'm wrong and there's some important difference or something else that makes this worth answering separately. – Peter Cordes Jul 29 '23 at 03:32
  • 1
    @PeterCordes, you are right, it's duplicated. Didn't put the correct "search words" to find it before asking. Sorry about that and thanks for the link – raff Jul 29 '23 at 05:50
  • 1
    with `QueueUserAPC2` data below rsp can be overwritten at any time. In kernel mode - with any interrupt. So you cannot expect this – RbMm Jul 29 '23 at 11:03

0 Answers