From nobody Sat May 21 10:33:12 2022
X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 08DCE1B45922
	for <freebsd-hackers@mlmmj.nyi.freebsd.org>; Sat, 21 May 2022 10:33:46 +0000 (UTC)
	(envelope-from eugen@grosbein.net)
Received: from hz.grosbein.net (hz.grosbein.net [IPv6:2a01:4f8:c2c:26d8::2])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4L50Lc6bv1z4rWB
	for <freebsd-hackers@freebsd.org>; Sat, 21 May 2022 10:33:44 +0000 (UTC)
	(envelope-from eugen@grosbein.net)
Received: from eg.sd.rdtc.ru (root@eg.sd.rdtc.ru [62.231.161.221] (may be forged))
	by hz.grosbein.net (8.16.1/8.16.1) with ESMTPS id 24LAXZAk010980
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
	for <freebsd-hackers@freebsd.org>; Sat, 21 May 2022 10:33:35 GMT
	(envelope-from eugen@grosbein.net)
X-Envelope-From: eugen@grosbein.net
X-Envelope-To: <freebsd-hackers@freebsd.org>
Received: from [10.58.0.11] (dadvw [10.58.0.11] (may be forged))
	by eg.sd.rdtc.ru (8.16.1/8.16.1) with ESMTPS id 24LAXYsg037481
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
	for <freebsd-hackers@freebsd.org>; Sat, 21 May 2022 17:33:34 +0700 (+07)
	(envelope-from eugen@grosbein.net)
To: Freebsd hackers list <freebsd-hackers@freebsd.org>
From: Eugene Grosbein <eugen@grosbein.net>
Subject: kernel stack abuse
Message-ID: <759b17ce-b2a1-4f95-f33e-6af546552831@grosbein.net>
Date: Sat, 21 May 2022 17:33:12 +0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
List-Id: Technical discussions relating to FreeBSD <freebsd-hackers.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
List-Help: <mailto:freebsd-hackers+help@freebsd.org>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Subscribe: <mailto:freebsd-hackers+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-hackers+unsubscribe@freebsd.org>
Sender: owner-freebsd-hackers@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,SHORTCIRCUIT
	autolearn=disabled version=3.4.2
X-Spam-Report: 
	* -0.0 SHORTCIRCUIT No description available.
	* -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on hz.grosbein.net
X-Rspamd-Queue-Id: 4L50Lc6bv1z4rWB
X-Spamd-Bar: /
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=none;
	spf=fail (mx1.freebsd.org: domain of eugen@grosbein.net does not designate 2a01:4f8:c2c:26d8::2 as permitted sender) smtp.mailfrom=eugen@grosbein.net
X-Spamd-Result: default: False [0.43 / 15.00];
	 ARC_NA(0.00)[];
	 R_SPF_FAIL(1.00)[-all];
	 FREEFALL_USER(0.00)[eugen];
	 FROM_HAS_DN(0.00)[];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 NEURAL_HAM_LONG(-0.35)[-0.346];
	 MIME_GOOD(-0.10)[text/plain];
	 PREVIOUSLY_DELIVERED(0.00)[freebsd-hackers@freebsd.org];
	 DMARC_NA(0.00)[grosbein.net];
	 RCPT_COUNT_ONE(0.00)[1];
	 RCVD_COUNT_THREE(0.00)[3];
	 NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	 TO_DN_ALL(0.00)[];
	 NEURAL_SPAM_SHORT(0.88)[0.878];
	 MLMMJ_DEST(0.00)[freebsd-hackers];
	 FROM_EQ_ENVFROM(0.00)[];
	 R_DKIM_NA(0.00)[];
	 MIME_TRACE(0.00)[0:+];
	 ASN(0.00)[asn:24940, ipnet:2a01:4f8::/32, country:DE];
	 RCVD_TLS_ALL(0.00)[];
	 MID_RHS_MATCH_FROM(0.00)[]
X-ThisMailContainsUnwantedMimeParts: N

Hi!

Nearly five years ago I performed small examination of binary code produced
building 32 bits FreeBSD i386 kernel and found some functions that abused stack
with large structures:

https://lists.freebsd.org/pipermail/svn-src-head/2017-December/107294.html

Now I updated old script for llvm-objdump and ran it for 13.1-STABLE/amd64 GENERIC kernel
and found it went much worse.

The script:

#!/bin/sh
dir=/usr/obj/usr/src/amd64.amd64/sys/GENERIC
objdump=llvm-objdump
set -e

cd $dir
for o in *.o
do
  $objdump -d $o | awk -vn=$o '
    /subq?.*, ?%[er]sp/ {
      split ($(NF-1),a,/[,$]/); printf "%u %s %s\n", a[2], a[2], n }'
done | sort -rn > top.sub

head -50 top.sub | while read d h o
do
  $objdump -d $o | egrep -B8 "subq?.*$h, ?%[er]sp" |\
    awk -vo=$o -vd=$d '/>:$/ {print d, o, $2}'
done > top2.sub
EOF

Results:

33296 fse_decompress.o <FSE_buildDTable>:
21024 fse_decompress.o <FSE_decompress>:
18456 huf_decompress.o <HUF_decompress1X2>:
18456 huf_decompress.o <HUF_decompress4X2>:
18456 huf_decompress.o <HUF_decompress1X2>:
18456 huf_decompress.o <HUF_decompress4X2>:
14352 fse_compress.o <FSE_compress2>:
14352 fse_compress.o <FSE_compress>:
14352 fse_compress.o <FSE_compress2>:
14352 fse_compress.o <FSE_compress>:
10264 huf_decompress.o <HUF_decompress1X1>:
10264 huf_decompress.o <HUF_decompress4X1>:
10264 huf_decompress.o <HUF_decompress1X1>:
10264 huf_decompress.o <HUF_decompress4X1>:
6400 huf_compress.o <HUF_compress1X>:
6400 huf_compress.o <HUF_compress2>:
6400 huf_compress.o <HUF_compress>:
6400 huf_compress.o <HUF_compress1X>:
6400 huf_compress.o <HUF_compress2>:
6400 huf_compress.o <HUF_compress>:
6400 huf_compress.o <HUF_compress1X>:
6400 huf_compress.o <HUF_compress2>:
6400 huf_compress.o <HUF_compress>:
4632 in6_proto.o <icmp6stat_sysctl>:
4352 huf_compress.o <HUF_buildCTable>:
4168 ixl_pf_main.o <ixl_sysctl_dump_debug_data>:
4136 ck_rhs.o <ck_rhs_put_robin_hood>:
4112 fse_compress.o <FSE_buildCTable>:
4104 hist.o <HIST_countFast>:
4096 hist.o <HIST_count>:
3320 in6_proto.o <ip6stat_sysctl>:
2264 md_ddf.o <g_raid_md_ctl_ddf>:
2200 ip6_output.o <ip6_ctloutput>:
2120 ar9300_eeprom.o <ar9300_eeprom_restore_internal_address>:
2104 rt2860.o <rt2860_raw_xmit>:
2088 rt2860.o <rt2860_tx>:
2064 huf_decompress.o <HUF_decompress4X_hufOnly>:
2064 huf_decompress.o <HUF_decompress1X_DCtx>:
2064 huf_decompress.o <HUF_decompress4X_hufOnly>:
2064 huf_decompress.o <HUF_decompress1X_DCtx>:
2056 huf_decompress.o <HUF_decompress1X1_DCtx>:
2056 huf_decompress.o <HUF_decompress1X2_DCtx>:
2056 huf_decompress.o <HUF_decompress4X1_DCtx>:
2056 huf_decompress.o <HUF_decompress4X2_DCtx>:
2056 huf_decompress.o <HUF_decompress4X_DCtx>:
2056 huf_decompress.o <HUF_decompress1X1_DCtx>:
2056 huf_decompress.o <HUF_decompress1X2_DCtx>:
2056 huf_decompress.o <HUF_decompress4X1_DCtx>:
2056 huf_decompress.o <HUF_decompress4X2_DCtx>:
2056 huf_decompress.o <HUF_decompress4X_DCtx>:
2056 huf_decompress.o <HUF_decompress1X1_DCtx>:
2056 huf_decompress.o <HUF_decompress1X2_DCtx>:
2056 huf_decompress.o <HUF_decompress4X1_DCtx>:
2056 huf_decompress.o <HUF_decompress4X2_DCtx>:
2056 huf_decompress.o <HUF_decompress4X_DCtx>:
2056 huf_decompress.o <HUF_decompress1X1_DCtx>:
2056 huf_decompress.o <HUF_decompress1X2_DCtx>:
2056 huf_decompress.o <HUF_decompress4X1_DCtx>:
2056 huf_decompress.o <HUF_decompress4X2_DCtx>:
2056 huf_decompress.o <HUF_decompress4X_DCtx>:
2056 huf_decompress.o <HUF_decompress1X1_DCtx>:
2056 huf_decompress.o <HUF_decompress1X2_DCtx>:
2056 huf_decompress.o <HUF_decompress4X1_DCtx>:
2056 huf_decompress.o <HUF_decompress4X2_DCtx>:
2056 huf_decompress.o <HUF_decompress4X_DCtx>:
2048 huf_decompress.o <HUF_readDTableX1>:
2048 huf_decompress.o <HUF_readDTableX2>:
2048 huf_decompress.o <HUF_readDTableX1>:
2048 huf_decompress.o <HUF_readDTableX2>:
1880 kern_proc.o <kern_proc_out>:
1816 blkback.o <xbb_connect>:
1672 zstd_compress.o <ZSTD_compress>:
1576 fse_compress.o <FSE_compress_wksp>:
1496 scsi_sa.o <saioctl>:
1496 nfs_nfsdserv.o <nfsrvd_rename>:
1480 uipc_shm.o <sysctl_posix_shm_list>:
1448 ar9300_paprd.o <create_pa_curve>:
1432 scsi_enc_ses.o <ses_devids_iter>:
1416 xgbe-sysctl.o <sysctl_coalesce_handler>:
1352 fortuna.o <random_fortuna_pre_read>:

First column shows stack usage in bytes (decimal), then come module name
and function name in question.

For example, sys/contrib/zstd/lib/common/fse_decompress.c, function FSE_buildDTable()
allocates over 32KB on stack. I wonder how it is supposed to run
with default kern.kstack_pages=4 that should be 16KB?