Bug 597221
Summary: | rngd -r /dev/urandom segfaults | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | David Howells <dhowells> | ||||||
Component: | rng-tools | Assignee: | David Howells <dhowells> | ||||||
Status: | CLOSED CURRENTRELEASE | QA Contact: | |||||||
Severity: | urgent | Docs Contact: | |||||||
Priority: | urgent | ||||||||
Version: | 6.0 | CC: | borgan, syeghiay, vbenes | ||||||
Target Milestone: | beta | ||||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | rng-tools-2.7.el6 | Doc Type: | Bug Fix | ||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2010-07-02 19:49:34 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Bug Depends On: | |||||||||
Bug Blocks: | 591154 | ||||||||
Attachments: |
|
Description
David Howells
2010-05-28 12:36:10 UTC
This is needed on systems used to build kernels that use module signing because the kernel build creates a new GPG key each time, and requires random data to do it. If it can't get sufficient the random data immediately, it will just stall until it can. (gdb) r -f -r /dev/urandom Starting program: /sbin/rngd -f -r /dev/urandom Program received signal SIGSEGV, Segmentation fault. 0x00000002 in ?? () (gdb) bt #0 0x00000002 in ?? () #1 0x08048a76 in do_loop (random_step=64, poll_timeout=60) at rngd.c:217 #2 0x08048c2f in main (argc=4, argv=0xbffff744) at rngd.c:262 (gdb) up #1 0x08048a76 in do_loop (random_step=64, poll_timeout=60) at rngd.c:217 217 retval = iter->xread(buf, sizeof buf, iter); (gdb) p iter $1 = (struct rng *) 0xbffff63c (gdb) p *iter $2 = {rng_name = 0x91735f4 <Address 0x91735f4 out of bounds>, rng_fd = 134519317, xread = 0x2, fipsctx = 0xcbe73567, next = 0x0} (gdb) list 212 213 for (;;) { 214 struct rng *iter; 215 for (iter = rng_list; iter; iter = iter->next) 216 { 217 retval = iter->xread(buf, sizeof buf, iter); 218 if (retval > 0) 219 update_kernel_random(random_step, 220 poll_timeout, buf, 221 iter->fipsctx); Starting program: /sbin/rngd Breakpoint 1, main (argc=1, argv=0xbffff754) at rngd.c:232 232 argp_parse(&argp, argc, argv, 0, 0, arguments); (gdb) p rng_list $3 = (struct rng *) 0x675f5f00 Shouldn't rng_list be allocated from .bss and so be NULL at this point? (gdb) i files ... 0x0804b6a4 - 0x0804b6b8 is .bss 0x0804b6b8 - 0x0804b81c is .dynstr ... (gdb) p &rng_list $1 = (struct rng **) 0x804b6b8 [root@andromeda rng-tools-2]# valgrind ./rngd -f -r /dev/urandom ==21664== Memcheck, a memory error detector ==21664== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al. ==21664== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info ==21664== Command: ./rngd -f -r /dev/urandom ==21664== ==21664== Use of uninitialised value of size 4 ==21664== at 0x8048A73: do_loop (rngd.c:217) ==21664== by 0x8048D2E: main (rngd.c:262) ==21664== ==21664== Jump to the invalid address stated on the next line ==21664== at 0x2: ??? ==21664== by 0x8048D2E: main (rngd.c:262) ==21664== Address 0x2 is not stack'd, malloc'd or (recently) free'd ==21664== ==21664== ==21664== Process terminating with default action of signal 11 (SIGSEGV) ==21664== Bad permissions for mapped region at address 0x2 ==21664== at 0x2: ??? ==21664== by 0x8048D2E: main (rngd.c:262) ==21664== ==21664== HEAP SUMMARY: ==21664== in use at exit: 136 bytes in 1 blocks==21664== total heap usage: 2 allocs, 1 frees, 557 bytes allocated ==21664== ==21664== LEAK SUMMARY: ==21664== definitely lost: 0 bytes in 0 blocks ==21664== indirectly lost: 0 bytes in 0 blocks ==21664== possibly lost: 0 bytes in 0 blocks ==21664== still reachable: 136 bytes in 1 blocks ==21664== suppressed: 0 bytes in 0 blocks ==21664== Rerun with --leak-check=full to see details of leaked memory ==21664== ==21664== For counts of detected and suppressed errors, rerun with: -v ==21664== Use --track-origins=yes to see where uninitialised values come from ==21664== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 12 from 8) (gdb) up #1 0x08049258 in init_entropy_source (ent_src=0x804b528) at rngd_entsource.c:173 173 list_add(&ent_src); Shouldn't that be: list_add(ent_src); In fact, that occurs twice in rngd_entsource.c Not only that, but list_add() isn't declared in a header file, so though this warning occurs: rngd_entsource.c: In function ‘init_entropy_source’: rngd_entsource.c:173: warning: implicit declaration of function ‘list_add’ the compiler doesn't notice the fact that list_add() isn't being called correctly. Created attachment 417633 [details]
Fix compile warnings and SEGV in rngd
This patch fixes various compile time warnings in rngd, and thus fixes the SEGV. I recommend that the %configure line in the specfile be changed as follows:
CFLAGS="$RPM_OPT_FLAGS -Werror" %configure
However, this doesn't make the program actually work. It just sits there sucking data continuously from /dev/urandom, but doesn't actually add anything to the /dev/random pool.
Created attachment 417643 [details]
Make do_loop() correctly interpret the return value of iter->xread()
After this patch, rngd works correctly.
[root@andromeda rng-tools-2]# strace ./rngd -r /dev/urandom -o /dev/random -f
execve("./rngd", ["./rngd", "-r", "/dev/urandom", "-o", "/dev/random", "-f"], [/* 26 vars */]) = 0
brk(0) = 0x95b4000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb777b000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=27550, ...}) = 0
mmap2(NULL, 27550, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7774000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0 \216<\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1855552, ...}) = 0
mmap2(0x3b2000, 1620360, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3b2000
mprotect(0x537000, 4096, PROT_NONE) = 0
mmap2(0x538000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x185) = 0x538000
mmap2(0x53b000, 10632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x53b000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7773000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb77736c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0x538000, 8192, PROT_READ) = 0
mprotect(0x3aa000, 4096, PROT_READ) = 0
munmap(0xb7774000, 27550) = 0
brk(0) = 0x95b4000
brk(0x95d5000) = 0x95d5000
open("/dev/urandom", O_RDONLY) = 3
read(3, "\221A\251*", 4) = 4
read(3, "\364\210\374\371", 4) = 4
open("/dev/tpm0", O_RDWR) = -1 ENOENT (No such file or directory)
open("/dev/random", O_RDWR) = 4
read(3, "P\177\204\377^\305\3024\32'\321x)n\206i\17\17\17l:t\327\2\277\361\232\373\17m\234\3"..., 2500) = 2500
ioctl(4, RNDADDENTROPY, 0xbfc1a240) = 0
ioctl(4, RNDGETENTCNT, 0xbfc1a2ac) = 0
ioctl(4, RNDADDENTROPY, 0xbfc1a240) = 0
ioctl(4, RNDGETENTCNT, 0xbfc1a2ac) = 0
ioctl(4, RNDADDENTROPY, 0xbfc1a240) = 0
ioctl(4, RNDGETENTCNT, 0xbfc1a2ac) = 0
ioctl(4, RNDADDENTROPY, 0xbfc1a240) = 0
ioctl(4, RNDGETENTCNT, 0xbfc1a2ac) = 0
poll([{fd=4, events=POLLOUT}], 1, 60000) = 1 ([{fd=4, revents=POLLOUT}])
ioctl(4, RNDADDENTROPY, 0xbfc1a240) = 0
ioctl(4, RNDGETENTCNT, 0xbfc1a2ac) = 0
ioctl(4, RNDADDENTROPY, 0xbfc1a240) = 0
ioctl(4, RNDGETENTCNT, 0xbfc1a2ac) = 0
ioctl(4, RNDADDENTROPY, 0xbfc1a240) = 0
ioctl(4, RNDGETENTCNT, 0xbfc1a2ac) = 0
ioctl(4, RNDADDENTROPY, 0xbfc1a240) = 0
ioctl(4, RNDGETENTCNT, 0xbfc1a2ac) = 0
ioctl(4, RNDADDENTROPY, 0xbfc1a240) = 0
ioctl(4, RNDGETENTCNT, 0xbfc1a2ac) = 0
poll([{fd=4, events=POLLOUT}], 1, 60000^C <unfinished ...>
no segfaults now.. Red Hat Enterprise Linux Beta 2 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you. |