Bug 1276858

Summary: [abrt] rng-tools: x86_rdseed_or_rdrand_bytes(): rngd killed by SIGSEGV
Product: Fedora
Reporter: George Constantinou <georgec20001>
Component: rng-tools
Assignee: Jeff Garzik <jgarzik>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: guyyur, jgarzik, lmacken, ovasik
Hardware: i686
OS: Unspecified
URL: https://retrace.fedoraproject.org/faf/reports/bthash/0938c2f2e991563ecfc296df57c5f3c89d816d92
Whiteboard: abrt_hash:0e37c787c1765d0d6d50fd7d8d1cab64af33cee0;
Doc Type: Bug Fix
Last Closed: 2016-07-19 18:22:58 UTC
Attachments (flags: none): backtrace, cgroup, core_backtrace, dso_list, environ, limits, maps, mountinfo, namespaces, open_fds, proc_pid_status, var_log_messages

Description George Constantinou 2015-10-31 15:02:33 UTC
Version-Release number of selected component:
rng-tools-5-4.fc22

Additional info:
reporter:       libreport-2.6.2
backtrace_rating: 4
cmdline:        /sbin/rngd -f
crash_function: x86_rdseed_or_rdrand_bytes
executable:     /usr/sbin/rngd
global_pid:     811
kernel:         4.2.3-200.fc22.i686+PAE
runlevel:       N 5
type:           CCpp
uid:            0

Truncated backtrace:
Thread no. 1 (3 frames)
 #0 x86_rdseed_or_rdrand_bytes at rdrand_asm.S:165
 #1 xread_drng at rngd_rdrand.c:217
 #2 do_loop at rngd.c:249

Comment 1 George Constantinou 2015-10-31 15:02:39 UTC
Created attachment 1088179
File: backtrace

Comment 2 George Constantinou 2015-10-31 15:02:40 UTC
Created attachment 1088180
File: cgroup

Comment 3 George Constantinou 2015-10-31 15:02:42 UTC
Created attachment 1088181
File: core_backtrace

Comment 4 George Constantinou 2015-10-31 15:02:44 UTC
Created attachment 1088182
File: dso_list

Comment 5 George Constantinou 2015-10-31 15:02:46 UTC
Created attachment 1088183
File: environ

Comment 6 George Constantinou 2015-10-31 15:02:48 UTC
Created attachment 1088184
File: limits

Comment 7 George Constantinou 2015-10-31 15:02:50 UTC
Created attachment 1088185
File: maps

Comment 8 George Constantinou 2015-10-31 15:02:52 UTC
Created attachment 1088186
File: mountinfo

Comment 9 George Constantinou 2015-10-31 15:02:54 UTC
Created attachment 1088187
File: namespaces

Comment 10 George Constantinou 2015-10-31 15:02:56 UTC
Created attachment 1088188
File: open_fds

Comment 11 George Constantinou 2015-10-31 15:02:58 UTC
Created attachment 1088189
File: proc_pid_status

Comment 12 George Constantinou 2015-10-31 15:02:59 UTC
Created attachment 1088190
File: var_log_messages

Comment 13 Fedora End Of Life 2016-07-19 18:22:58 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 14 Guy Yur 2017-04-13 19:40:54 UTC
The problem is wrong conditionals for the jump instructions after the count subtraction for rdrand in the 32-bit version of x86_rdseed_or_rdrand_bytes.
The 64-bit version of the function has the correct sequence of jump instructions.

Once rdseed fails and the function has to use rdrand, it will subtract 4 from the count for each iteration, but if the count reaches zero it won't jump to label 4 (to finish and return from the function); instead it will continue, reach a negative count and write beyond the rdrand_buf bounds, leading to the segfault.

It should be possible to replicate on Fedora 25 i386 for a CPU with rdseed.

Patch:

--- rdrand_asm.S.orig	2014-03-05 02:05:37.000000000 +0200
+++ rdrand_asm.S	2017-04-13 20:07:48.914006878 +0300
@@ -165,8 +165,8 @@ ENTRY(x86_rdseed_or_rdrand_bytes)
 	mov	%eax, (%edx)
 	add	$4, %edx
 	sub	$4, %esi
-	jnz	1b
-	ja	4b
+	ja	1b
+	jmp	4b
 5:
 	dec	%ecx
 	rep;nop
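Review bot: the new `ja 1b` / `jmp 4b` pair is correct only because the flags from `sub $4, %esi` are still live when `ja` executes, and the hunk adds no comment saying so; a one-line note on the `sub` (for example `/* ja below tests CF/ZF from this sub */`) would stop a later edit from slipping an instruction in between and silently reviving the overrun. Worth spelling out in the patch description as well: `ja` treats the count as unsigned, so a byte count that is not a multiple of 4 now leaves the loop via the fall-through `jmp 4b` after the last whole 4-byte store, instead of wrapping %esi and looping on as the old `jnz 1b` did.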
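The loop-exit defect comment 14 describes, as an added C model that is not rng-tools code: a fake rdrand (an LCG with a "not ready" schedule) stands in for the instruction, the retry path is an assumption (it spins back into the load loop until a retry budget runs out, which is not necessarily what label 5 does in the real file), and every store is bounds-checked so the overrun is reported as a flag rather than taken as SIGSEGV. The `fixed` switch selects between the original `jnz 1b; ja 4b` pair and the patched `ja 1b; jmp 4b`; `ja` after `sub $4, %esi` is modelled exactly, as "value before the subtraction was greater than 4". The model also shows what each variant does with a byte count that is not a multiple of 4, a case comment 14 does not discuss.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the 32-bit rdrand fallback loop in
 * x86_rdseed_or_rdrand_bytes, written for this bug report.  Not the
 * project's code.  Assumptions: the retry path just re-enters the load
 * loop until RETRY_BUDGET is exhausted, and rdrand is a fake LCG. */

#define RETRY_BUDGET 10u          /* stands in for the %ecx retry counter */

struct fake_drng {
    unsigned calls;               /* how many times "rdrand" ran */
    unsigned fail_every;          /* every n-th call reports CF=0; 0 = never */
    uint32_t state;               /* LCG state, only to produce distinct words */
};

/* true with a value (CF set), false when the unit is "not ready" (CF clear). */
static bool fake_rdrand(struct fake_drng *d, uint32_t *out)
{
    d->calls++;
    if (d->fail_every != 0 && d->calls % d->fail_every == 0)
        return false;
    d->state = d->state * 1103515245u + 12345u;   /* not a real RNG */
    *out = d->state;
    return true;
}

struct fill_result {
    size_t words_written;         /* in-bounds 4-byte stores */
    bool faulted;                 /* a store would have landed past the buffer */
};

/* count is the byte count held in %esi: unsigned 32-bit, wrapping on sub.
 * fixed == false models the original `jnz 1b; ja 4b`, fixed == true the
 * patched `ja 1b; jmp 4b`.  `ja` right after `sub $4,%esi` is taken exactly
 * when the value before the subtraction was greater than 4 (CF=0 and ZF=0). */
static struct fill_result rdrand_fill(uint32_t *buf, size_t cap_words,
                                      uint32_t count, struct fake_drng *d,
                                      bool fixed)
{
    struct fill_result r = { 0, false };
    size_t idx = 0;               /* %edx, in words */
    unsigned retries = RETRY_BUDGET;

    for (;;) {
        uint32_t v, before;
        if (!fake_rdrand(d, &v))
            goto retry;           /* jnc 5f */

        if (idx >= cap_words) {   /* mov %eax,(%edx) past rdrand_buf */
            r.faulted = true;     /* the real binary takes SIGSEGV here */
            return r;
        }
        buf[idx++] = v;           /* mov %eax,(%edx); add $4,%edx */
        r.words_written++;

        before = count;
        count -= 4;               /* sub $4,%esi: 0 - 4 wraps to 0xfffffffc */

        if (fixed) {
            if (before > 4)       /* ja 1b */
                continue;
            return r;             /* jmp 4b */
        }
        if (count != 0)           /* jnz 1b: still taken after the wrap */
            continue;
        if (before > 4)           /* ja 4b: never true when ZF is set */
            return r;
        /* fall through into the retry path with count == 0 */
retry:
        if (retries-- == 0)       /* dec %ecx (modelling assumption) */
            return r;
    }
}

/* One scenario on a 4-word (16-byte) buffer; reports whether the loop
 * stayed inside it and how many words it stored. */
static bool scenario_faults(uint32_t count, unsigned fail_every, bool fixed)
{
    uint32_t buf[4];
    struct fake_drng d = { 0, fail_every, 1 };
    return rdrand_fill(buf, 4, count, &d, fixed).faulted;
}

static size_t scenario_words(uint32_t count, unsigned fail_every, bool fixed)
{
    uint32_t buf[4];
    struct fake_drng d = { 0, fail_every, 1 };
    return rdrand_fill(buf, 4, count, &d, fixed).words_written;
}

int main(void)
{
    printf("original, rdrand never fails: faulted=%d words=%zu\n",
           scenario_faults(16, 0, false), scenario_words(16, 0, false));
    printf("patched,  rdrand never fails: faulted=%d words=%zu\n",
           scenario_faults(16, 0, true), scenario_words(16, 0, true));
    printf("original, count=6 (not a multiple of 4): faulted=%d\n",
           scenario_faults(6, 0, false));
    return 0;
}
```

With the original branch pair the fourth store brings the count to zero, `jnz` is not taken, `ja` is not taken either (ZF is set), and control falls into the retry path; the next successful rdrand stores a fifth word past the 16-byte buffer, which is the overrun behind the SIGSEGV in the backtrace. With the patched pair the loop returns as soon as the count before the subtraction was 4 or less, so it never re-enters with a wrapped count.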