Windows Internals, 6th Edition from Microsoft Press says that in Windows NT, each thread has 2 stacks: one used when running in user mode, and one used in kernel mode.

Why is this so? It seems that the user-mode stack could also be used while in a system call. Is there some advantage to this design?

Alex D
    Because the thread would almost instantly crash if that wasn't done. The kernel mode code uses a very different virtual memory mapping. Getting kernel code to access the user address space of the process that makes the call requires explicitly mapping it. Every thread you create automatically gets a 24 KB kernel mode stack so it can make system calls. – Hans Passant Aug 07 '14 at 14:17
  • @HansPassant, so basically, it's not possible for the kernel to "return" into user code using the return address pushed on the user stack, because it is an address in the process' virtual memory space, not the kernel's memory space? That is an answer, you should post it as such. – Alex D Aug 07 '14 at 17:11
  • @HansPassant, more accurately, a thread gets a 24 KB stack on a 64-bit and 12 KB on a 32-bit operating system. – Roy Miloh Sep 13 '15 at 23:13

1 Answer

The main reason is that the kernel mode cannot trust user mode. If the kernel used a user-mode stack, some other user mode thread could observe the values on that stack and modify them at will. It would be trivial for malware to gain complete control of the system.

1000 Bites
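The following is an added illustration, not code from the question, the answer, or Windows itself. It is a user-space model of the point the answer makes: a system call handler that keeps its saved return frame in memory the calling process can write to (the user-mode stack) is at the mercy of any other thread in that process, whereas a frame kept on a stack only the handler can reach is not. The "kernel stack" and "user stack" are plain arrays, the "other thread" is a callback invoked at a fixed point so the run is deterministic, and the continuation ids are constructed values; none of this is how the NT kernel is actually written.

```c
#include <stdint.h>
#include <stdio.h>

/* One saved "frame": where the handler resumes once the call completes. */
typedef struct {
    uint32_t return_to;
} frame_t;

#define STACK_SLOTS 8
#define TRUSTED_CONTINUATION 0x1000u   /* constructed id of the legitimate resume point */

/* Memory only the handler can reach: the model's stand-in for a per-thread
 * kernel stack. User code is never handed a pointer to it. */
static frame_t private_stack[STACK_SLOTS];

/* Memory the calling thread owns and every thread in its process can write:
 * the model's stand-in for the user-mode stack. */
static frame_t user_stack[STACK_SLOTS];

/* A second, untrusted thread in the same process. It runs between the
 * handler saving its frame and returning through it, and scribbles over
 * the top of the user stack it can see. */
static void hostile_thread(frame_t *stack, uint32_t injected_target) {
    stack[0].return_to = injected_target;
}

/* Model 1: the handler saves its frame on the caller's stack, another user
 * thread gets scheduled, and the handler then resumes wherever the frame
 * now says. The handler's control flow is decided by untrusted memory. */
uint32_t run_shared_stack_model(uint32_t injected_target) {
    frame_t *f = &user_stack[0];
    f->return_to = TRUSTED_CONTINUATION;          /* handler saves where to resume */
    hostile_thread(user_stack, injected_target);  /* user code writes the same memory */
    return f->return_to;                          /* handler resumes from the frame */
}

/* Model 2: identical sequence, but the frame lives on the handler's private
 * stack. The user stack is still overwritten; the handler never depends on it. */
uint32_t run_private_stack_model(uint32_t injected_target) {
    frame_t *f = &private_stack[0];
    f->return_to = TRUSTED_CONTINUATION;
    hostile_thread(user_stack, injected_target);
    return f->return_to;
}

int main(void) {
    const uint32_t injected = 0xBAD0u;   /* constructed, obviously bogus target */
    printf("frame on user stack    : resumes at 0x%x (expected 0x%x)\n",
           run_shared_stack_model(injected), TRUSTED_CONTINUATION);
    printf("frame on private stack : resumes at 0x%x (expected 0x%x)\n",
           run_private_stack_model(injected), TRUSTED_CONTINUATION);
    return 0;
}
```

Only the second model resumes at the trusted continuation. The first is why a kernel that saved its return state on the user stack could not rely on any of it, and why each NT thread carries a separate kernel-mode stack that user mode cannot map or write.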