Switching to thread with PAGE_GUARD stack causes one page to have Executable and Readable Rights.

[tomasgdejesus]

Information

• x32dbg Apr 29 2020. No plug-ins other than Scylla are installed.
• Windows x64 10 Pro Version 10.0.18362 Build 18362
• Debugging a 32-bit console application that prints "Hello World." Reproducible at any time during debugging.

Issue
When setting all the pages in a thread's stack to PAGE_GUARD, switching back to that thread will cause the page where the value of EBP is to have Executable and Readable rights. However, changing the EBP and ESP register to a different page before switching to another thread and switching back will not change any pages' rights. Changing EBP and ESP back to what it originally was will cause this to happen again. As far as I know, this has a 100% chance of reproduction and occurs on other applications. This is not a visual bug because doing this and then resuming execution on the thread will cause an access violation if there is a future stack operation.

Reproduction (Don't change EBP)

EBP of thread 1C80 is 00AFF768
Page Permissions of thread 1C80 Stack

Setting Page Guard flag on all pages

Page permissions after switching to another thread, and then back to thread 1C80

Reproduction (Changing EBP)

EBP of thread 2DEC is 009CF920. I changed it to 009CE920.
ESP of thread 2DEC is 009CF8F4. I changed it to 009CE920.
Page Permissions of thread 2DEC Stack.

Setting Page Guard flag on all pages

Page permissions after switching to another thread, and then back to thread 45C0.

[mrexodia]

This is probably caused by reading the memory of the stack when switching threads (to populate the call stack). If the debuggee is not paused it's difficult to guarantee there is no race without suspending the process on each memory read.