Bug 1276858
Summary: [abrt] rng-tools: x86_rdseed_or_rdrand_bytes(): rngd killed by SIGSEGV
Product: [Fedora] Fedora
Component: rng-tools
Version: 22
Hardware: i686
OS: Unspecified
Status: CLOSED EOL
Severity: unspecified
Priority: unspecified
Reporter: George Constantinou <georgec20001>
Assignee: Jeff Garzik <jgarzik>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: guyyur, jgarzik, lmacken, ovasik
URL: https://retrace.fedoraproject.org/faf/reports/bthash/0938c2f2e991563ecfc296df57c5f3c89d816d92
Whiteboard: abrt_hash:0e37c787c1765d0d6d50fd7d8d1cab64af33cee0;
Doc Type: Bug Fix
Last Closed: 2016-07-19 18:22:58 UTC

Description
George Constantinou
2015-10-31 15:02:33 UTC
Created attachment 1088179, File: backtrace
Created attachment 1088180, File: cgroup
Created attachment 1088181, File: core_backtrace
Created attachment 1088182, File: dso_list
Created attachment 1088183, File: environ
Created attachment 1088184, File: limits
Created attachment 1088185, File: maps
Created attachment 1088186, File: mountinfo
Created attachment 1088187, File: namespaces
Created attachment 1088188, File: open_fds
Created attachment 1088189, File: proc_pid_status
Created attachment 1088190, File: var_log_messages

Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

The problem is wrong conditionals for the jump instructions after count subtraction for rdrand in the 32-bit version of x86_rdseed_or_rdrand_bytes. The 64-bit version of the function has the correct sequence of jump instructions.

Once rdseed fails and the function has to use rdrand, it will subtract 4 from the count for each iteration, but if the count reaches zero it won't jump to label 4 (to finish and return from the function); instead it will continue and reach a negative count and will write beyond the rdrand_buf bounds, leading to the segfault.

It should be possible to replicate on Fedora 25 i386 for a CPU with rdseed.

Patch:
--- rdrand_asm.S.orig 2014-03-05 02:05:37.000000000 +0200 +++ rdrand_asm.S 2017-04-13 20:07:48.914006878 +0300 @@ -165,8 +165,8 @@ ENTRY(x86_rdseed_or_rdrand_bytes) mov %eax, (%edx) add $4, %edx sub $4, %esi - jnz 1b - ja 4b + ja 1b + jmp 4b 5: dec %ecx rep;nop
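
Review bot: in the rdrand store loop, `mov %eax, (%edx)` still writes a full 4 bytes before the result of `sub $4, %esi` is tested, so the new `ja 1b` / `jmp 4b` pair ends the loop on zero or on borrow but cannot stop the final store from running up to 3 bytes past the requested length when the count is not a multiple of 4. Either state at the function entry that the count must be a multiple of 4, or test the remaining count before the store. A one-line comment beside `ja 1b` would also help: it is an unsigned test on the flags left by `sub`, so no flag-modifying instruction may be placed between the two, and the `5:` path is now reachable only by an explicit jump rather than by fall-through.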