kernel stack abuse
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 21 May 2022 10:33:12 UTC
Hi! Nearly five years ago I performed small examination of binary code produced building 32 bits FreeBSD i386 kernel and found some functions that abused stack with large structures: https://lists.freebsd.org/pipermail/svn-src-head/2017-December/107294.html Now I updated old script for llvm-objdump and ran it for 13.1-STABLE/amd64 GENERIC kernel and found it went much worse. The script: #!/bin/sh dir=/usr/obj/usr/src/amd64.amd64/sys/GENERIC objdump=llvm-objdump set -e cd $dir for o in *.o do $objdump -d $o | awk -vn=$o ' /subq?.*, ?%[er]sp/ { split ($(NF-1),a,/[,$]/); printf "%u %s %s\n", a[2], a[2], n }' done | sort -rn > top.sub head -50 top.sub | while read d h o do $objdump -d $o | egrep -B8 "subq?.*$h, ?%[er]sp" |\ awk -vo=$o -vd=$d '/>:$/ {print d, o, $2}' done > top2.sub EOF Results: 33296 fse_decompress.o <FSE_buildDTable>: 21024 fse_decompress.o <FSE_decompress>: 18456 huf_decompress.o <HUF_decompress1X2>: 18456 huf_decompress.o <HUF_decompress4X2>: 18456 huf_decompress.o <HUF_decompress1X2>: 18456 huf_decompress.o <HUF_decompress4X2>: 14352 fse_compress.o <FSE_compress2>: 14352 fse_compress.o <FSE_compress>: 14352 fse_compress.o <FSE_compress2>: 14352 fse_compress.o <FSE_compress>: 10264 huf_decompress.o <HUF_decompress1X1>: 10264 huf_decompress.o <HUF_decompress4X1>: 10264 huf_decompress.o <HUF_decompress1X1>: 10264 huf_decompress.o <HUF_decompress4X1>: 6400 huf_compress.o <HUF_compress1X>: 6400 huf_compress.o <HUF_compress2>: 6400 huf_compress.o <HUF_compress>: 6400 huf_compress.o <HUF_compress1X>: 6400 huf_compress.o <HUF_compress2>: 6400 huf_compress.o <HUF_compress>: 6400 huf_compress.o <HUF_compress1X>: 6400 huf_compress.o <HUF_compress2>: 6400 huf_compress.o <HUF_compress>: 4632 in6_proto.o <icmp6stat_sysctl>: 4352 huf_compress.o <HUF_buildCTable>: 4168 ixl_pf_main.o <ixl_sysctl_dump_debug_data>: 4136 ck_rhs.o <ck_rhs_put_robin_hood>: 4112 fse_compress.o <FSE_buildCTable>: 4104 hist.o <HIST_countFast>: 4096 hist.o <HIST_count>: 3320 in6_proto.o <ip6stat_sysctl>: 2264 md_ddf.o <g_raid_md_ctl_ddf>: 2200 ip6_output.o <ip6_ctloutput>: 2120 ar9300_eeprom.o <ar9300_eeprom_restore_internal_address>: 2104 rt2860.o <rt2860_raw_xmit>: 2088 rt2860.o <rt2860_tx>: 2064 huf_decompress.o <HUF_decompress4X_hufOnly>: 2064 huf_decompress.o <HUF_decompress1X_DCtx>: 2064 huf_decompress.o <HUF_decompress4X_hufOnly>: 2064 huf_decompress.o <HUF_decompress1X_DCtx>: 2056 huf_decompress.o <HUF_decompress1X1_DCtx>: 2056 huf_decompress.o <HUF_decompress1X2_DCtx>: 2056 huf_decompress.o <HUF_decompress4X1_DCtx>: 2056 huf_decompress.o <HUF_decompress4X2_DCtx>: 2056 huf_decompress.o <HUF_decompress4X_DCtx>: 2056 huf_decompress.o <HUF_decompress1X1_DCtx>: 2056 huf_decompress.o <HUF_decompress1X2_DCtx>: 2056 huf_decompress.o <HUF_decompress4X1_DCtx>: 2056 huf_decompress.o <HUF_decompress4X2_DCtx>: 2056 huf_decompress.o <HUF_decompress4X_DCtx>: 2056 huf_decompress.o <HUF_decompress1X1_DCtx>: 2056 huf_decompress.o <HUF_decompress1X2_DCtx>: 2056 huf_decompress.o <HUF_decompress4X1_DCtx>: 2056 huf_decompress.o <HUF_decompress4X2_DCtx>: 2056 huf_decompress.o <HUF_decompress4X_DCtx>: 2056 huf_decompress.o <HUF_decompress1X1_DCtx>: 2056 huf_decompress.o <HUF_decompress1X2_DCtx>: 2056 huf_decompress.o <HUF_decompress4X1_DCtx>: 2056 huf_decompress.o <HUF_decompress4X2_DCtx>: 2056 huf_decompress.o <HUF_decompress4X_DCtx>: 2056 huf_decompress.o <HUF_decompress1X1_DCtx>: 2056 huf_decompress.o <HUF_decompress1X2_DCtx>: 2056 huf_decompress.o <HUF_decompress4X1_DCtx>: 2056 huf_decompress.o <HUF_decompress4X2_DCtx>: 2056 huf_decompress.o <HUF_decompress4X_DCtx>: 2048 huf_decompress.o <HUF_readDTableX1>: 2048 huf_decompress.o <HUF_readDTableX2>: 2048 huf_decompress.o <HUF_readDTableX1>: 2048 huf_decompress.o <HUF_readDTableX2>: 1880 kern_proc.o <kern_proc_out>: 1816 blkback.o <xbb_connect>: 1672 zstd_compress.o <ZSTD_compress>: 1576 fse_compress.o <FSE_compress_wksp>: 1496 scsi_sa.o <saioctl>: 1496 nfs_nfsdserv.o <nfsrvd_rename>: 1480 uipc_shm.o <sysctl_posix_shm_list>: 1448 ar9300_paprd.o <create_pa_curve>: 1432 scsi_enc_ses.o <ses_devids_iter>: 1416 xgbe-sysctl.o <sysctl_coalesce_handler>: 1352 fortuna.o <random_fortuna_pre_read>: First column shows stack usage in bytes (decimal), then come module name and function name in question. For example, sys/contrib/zstd/lib/common/fse_decompress.c, function FSE_buildDTable() allocates over 32KB on stack. I wonder how it is supposed to run with default kern.kstack_pages=4 that should be 16KB?