Red Hat Bugzilla – Bug 1276858
[abrt] rng-tools: x86_rdseed_or_rdrand_bytes(): rngd killed by SIGSEGV
Last modified: 2017-04-13 15:40:54 EDT
Version-Release number of selected component:
cmdline: /sbin/rngd -f
runlevel: N 5
Thread no. 1 (3 frames)
#0 x86_rdseed_or_rdrand_bytes at rdrand_asm.S:165
#1 xread_drng at rngd_rdrand.c:217
#2 do_loop at rngd.c:249
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
Thank you for reporting this bug and we are sorry it could not be fixed.
The problem is wrong conditionals for the jump instructions after count subtraction for rdrand in the 32-bit version of x86_rdseed_or_rdrand_bytes.
The 64-bit version of the function has the correct sequence of jump instructions.
Once rdseed fails and the function has to use rdrand, it will subtract 4 from the count for each iteration, but if the count reaches zero it won't jump to label 4 (to finish and return from the function); instead it will continue, reach a negative count, and write beyond the rdrand_buf bounds, leading to the segfault.
It should be possible to replicate on Fedora 25 i386 for a CPU with rdseed.
--- rdrand_asm.S.orig 2014-03-05 02:05:37.000000000 +0200
+++ rdrand_asm.S 2017-04-13 20:07:48.914006878 +0300
@@ -165,8 +165,8 @@ ENTRY(x86_rdseed_or_rdrand_bytes)
mov %eax, (%edx)
add $4, %edx
sub $4, %esi
- jnz 1b
- ja 4b
+ ja 1b
+ jmp 4b
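Review bot: the hunk header announces 8 old and 8 new lines but only the five lines through `jmp 4b` are shown, so the trailing context (label 4 and whatever the original `jnz 1b` / `ja 4b` pair fell through into) is not visible; please post the full hunk so the exit path can be compared against the 64-bit variant it is meant to match. On the logic itself: after `sub $4, %esi`, `ja 1b` loops only while the remaining count is still above zero with no borrow, and `jmp 4b` takes the exit unconditionally, which closes the fall-through the original sequence left when ZF was set (`ja` is never taken with ZF=1). One caveat traceable to the visible body: `mov %eax, (%edx)` always stores a full 4 bytes, so a count that is not a multiple of 4 still writes past the requested length on the last trip; either document that callers pass multiples of 4 or handle the tail separately.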
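As an added illustration (model code written for this report, not rng-tools source): a C model of the 32-bit fallback loop around rdrand_asm.S:165 that reproduces the CF/ZF outcome of `sub $4, %esi` on a uint32_t count and runs the original `jnz 1b; ja 4b` sequence beside the patched `ja 1b; jmp 4b` sequence against a bounded stand-in for rdrand_buf. It assumes the loop is entered without a prior count check and treats any store past the buffer as the segfault.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Model only: stand-in for the rdrand_buf the asm writes through %edx. */
static uint8_t model_buf[256];

enum outcome { EXIT_VIA_LABEL4 = 0, FELL_THROUGH = 1, OVERRUN = 2 };

/* One trip through the loop body at rdrand_asm.S:165.  buflen is the size of
 * the simulated rdrand_buf.  Returns -1 when the 4-byte store would land
 * outside it, which is where the real binary takes SIGSEGV.
 * Flags follow `sub $4, %esi`: CF = borrow (count < 4 before), ZF = result == 0. */
static int step(size_t buflen, size_t *off, uint32_t *count, int *zf, int *cf)
{
    if (buflen > sizeof model_buf) buflen = sizeof model_buf;
    if (*off + 4 > buflen)
        return -1;
    memset(model_buf + *off, 0xAA, 4); /* mov %eax,(%edx); constant stands in for rdrand output */
    *off += 4;                         /* add $4, %edx */
    *cf = (*count < 4);                /* borrow out of the subtraction */
    *count -= 4;                       /* sub $4, %esi, wrapping like the register */
    *zf = (*count == 0);
    return 0;
}

/* Original sequence: `jnz 1b` then `ja 4b`. */
enum outcome run_original(uint32_t count, size_t buflen)
{
    size_t off = 0; int zf = 0, cf = 0;
    do {
        if (step(buflen, &off, &count, &zf, &cf) < 0) return OVERRUN;
    } while (!zf);                     /* jnz 1b */
    if (!cf && !zf) return EXIT_VIA_LABEL4; /* ja 4b: unreachable with ZF set */
    return FELL_THROUGH;               /* execution continues past the exit */
}

/* Patched sequence: `ja 1b` then `jmp 4b`. */
enum outcome run_patched(uint32_t count, size_t buflen)
{
    size_t off = 0; int zf = 0, cf = 0;
    do {
        if (step(buflen, &off, &count, &zf, &cf) < 0) return OVERRUN;
    } while (!cf && !zf);              /* ja 1b: loop while count is still above 0 */
    return EXIT_VIA_LABEL4;            /* jmp 4b */
}
```

In the model a count of 0, or one that is not a multiple of 4, still receives a full 4-byte store before the patched loop exits, so the patch fixes termination only and callers must still pass a multiple of 4.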