Bug 1276858 - [abrt] rng-tools: x86_rdseed_or_rdrand_bytes(): rngd killed by SIGSEGV
Summary: [abrt] rng-tools: x86_rdseed_or_rdrand_bytes(): rngd killed by SIGSEGV
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: rng-tools
Version: 22
Hardware: i686
OS: Unspecified
Target Milestone: ---
Assignee: Jeff Garzik
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:0e37c787c1765d0d6d50fd7d8d1...
Depends On:
Blocks:
Reported: 2015-10-31 15:02 UTC by George Constantinou
Modified: 2017-04-13 19:40 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-19 18:22:58 UTC
Type: ---
Embargoed:


Attachments
File: backtrace (5.47 KB, text/plain) - 2015-10-31 15:02 UTC, George Constantinou
File: cgroup (175 bytes, text/plain) - 2015-10-31 15:02 UTC, George Constantinou
File: core_backtrace (437 bytes, text/plain) - 2015-10-31 15:02 UTC, George Constantinou
File: dso_list (211 bytes, text/plain) - 2015-10-31 15:02 UTC, George Constantinou
File: environ (72 bytes, text/plain) - 2015-10-31 15:02 UTC, George Constantinou
File: limits (1.29 KB, text/plain) - 2015-10-31 15:02 UTC, George Constantinou
File: maps (1001 bytes, text/plain) - 2015-10-31 15:02 UTC, George Constantinou
File: mountinfo (3.05 KB, text/plain) - 2015-10-31 15:02 UTC, George Constantinou
File: namespaces (85 bytes, text/plain) - 2015-10-31 15:02 UTC, George Constantinou
File: open_fds (220 bytes, text/plain) - 2015-10-31 15:02 UTC, George Constantinou
File: proc_pid_status (823 bytes, text/plain) - 2015-10-31 15:02 UTC, George Constantinou
File: var_log_messages (251 bytes, text/plain) - 2015-10-31 15:02 UTC, George Constantinou

Description George Constantinou 2015-10-31 15:02:33 UTC
Version-Release number of selected component:
rng-tools-5-4.fc22

Additional info:
reporter:       libreport-2.6.2
backtrace_rating: 4
cmdline:        /sbin/rngd -f
crash_function: x86_rdseed_or_rdrand_bytes
executable:     /usr/sbin/rngd
global_pid:     811
kernel:         4.2.3-200.fc22.i686+PAE
runlevel:       N 5
type:           CCpp
uid:            0

Truncated backtrace:
Thread no. 1 (3 frames)
 #0 x86_rdseed_or_rdrand_bytes at rdrand_asm.S:165
 #1 xread_drng at rngd_rdrand.c:217
 #2 do_loop at rngd.c:249

Comment 1 George Constantinou 2015-10-31 15:02:39 UTC
Created attachment 1088179
File: backtrace

Comment 2 George Constantinou 2015-10-31 15:02:40 UTC
Created attachment 1088180
File: cgroup

Comment 3 George Constantinou 2015-10-31 15:02:42 UTC
Created attachment 1088181
File: core_backtrace

Comment 4 George Constantinou 2015-10-31 15:02:44 UTC
Created attachment 1088182
File: dso_list

Comment 5 George Constantinou 2015-10-31 15:02:46 UTC
Created attachment 1088183
File: environ

Comment 6 George Constantinou 2015-10-31 15:02:48 UTC
Created attachment 1088184
File: limits

Comment 7 George Constantinou 2015-10-31 15:02:50 UTC
Created attachment 1088185
File: maps

Comment 8 George Constantinou 2015-10-31 15:02:52 UTC
Created attachment 1088186
File: mountinfo

Comment 9 George Constantinou 2015-10-31 15:02:54 UTC
Created attachment 1088187
File: namespaces

Comment 10 George Constantinou 2015-10-31 15:02:56 UTC
Created attachment 1088188
File: open_fds

Comment 11 George Constantinou 2015-10-31 15:02:58 UTC
Created attachment 1088189
File: proc_pid_status

Comment 12 George Constantinou 2015-10-31 15:02:59 UTC
Created attachment 1088190
File: var_log_messages

Comment 13 Fedora End Of Life 2016-07-19 18:22:58 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 14 Guy Yur 2017-04-13 19:40:54 UTC
The problem is wrong conditionals on the jump instructions after the count subtraction for rdrand in the 32-bit version of x86_rdseed_or_rdrand_bytes.
The 64-bit version of the function has the correct sequence of jump instructions.

Once rdseed fails and the function has to use rdrand, it subtracts 4 from the count on each iteration, but when the count reaches zero it won't jump to label 4 (to finish and return from the function); instead it continues, reaches a negative count and writes beyond the rdrand_buf bounds, leading to the segfault.

It should be possible to replicate on Fedora 25 i386 for a CPU with rdseed.

Patch:

--- rdrand_asm.S.orig	2014-03-05 02:05:37.000000000 +0200
+++ rdrand_asm.S	2017-04-13 20:07:48.914006878 +0300
@@ -165,8 +165,8 @@ ENTRY(x86_rdseed_or_rdrand_bytes)
 	mov	%eax, (%edx)
 	add	$4, %edx
 	sub	$4, %esi
-	jnz	1b
-	ja	4b
+	ja	1b
+	jmp	4b
 5:
 	dec	%ecx
 	rep;nop
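Review bot: the replacement `ja 1b` / `jmp 4b` pair closes the gap in the original sequence: once `jnz 1b` falls through, ZF is necessarily set, so the following `ja 4b` (taken only when CF=0 and ZF=0) could never be taken and execution always dropped into label 5. With `ja 1b`, a borrow from `sub $4, %esi` (count below 4, CF=1) also ends the loop instead of wrapping the count, so a count that is not a multiple of 4 terminates as well, although the store just before the subtraction has still written a full 4 bytes. Since the comment cites the 64-bit version as the reference, it is worth checking the two loops side by side to confirm they are now identical, and a regression test that exercises the rdrand fallback with a small buffer would guard against reintroducing the overrun.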


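A constructed C model of the loop tail in the hunk above, added here as an example (it is not rngd's code): it replays the flag semantics of `sub $4, %esi` and compares the original `jnz 1b; ja 4b` exit with the patched `ja 1b; jmp 4b`, counting 4-byte stores and treating a runaway loop as the overrun. That the fall-through into label 5 comes back around to the loop with the exhausted count is an assumption taken from the comment's description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model (not rngd's code) of the rdrand fallback loop tail in
 * the 32-bit x86_rdseed_or_rdrand_bytes: each pass stores 4 bytes, then
 * `sub $4, %esi` sets the flags that the jump pair tests. */

enum { GUARD_STORES = 64 };   /* bounds the runaway case; stands in for the segfault */

typedef struct { bool zf, cf; } flags_t;

/* `sub $4, %esi`: ZF if the result is zero, CF if the count was below 4 (borrow). */
static uint32_t sub4(uint32_t esi, flags_t *f) {
    f->cf = esi < 4u;
    f->zf = (esi - 4u) == 0u;
    return esi - 4u;
}

/* Number of 4-byte stores before reaching label 4 (return) or the guard.
 * fixed=false models the original `jnz 1b; ja 4b`, fixed=true the patched
 * `ja 1b; jmp 4b`. *overran is set when the guard tripped. */
size_t model_rdrand_loop(uint32_t count, bool fixed, bool *overran) {
    size_t stores = 0;
    uint32_t esi = count;
    flags_t f;
    *overran = false;
    for (;;) {
        if (stores == GUARD_STORES) { *overran = true; return stores; }
        stores++;                 /* label 1: rdrand; mov %eax,(%edx); add $4,%edx */
        esi = sub4(esi, &f);
        if (fixed) {
            if (!f.cf && !f.zf) continue;   /* ja 1b: count still above zero */
            return stores;                  /* jmp 4b: finish and return */
        }
        if (!f.zf) continue;                /* jnz 1b: loop while count != 0 */
        if (!f.cf && !f.zf) return stores;  /* ja 4b: never taken, ZF is set here */
        /* Fell through to label 5 (the retry path). Assumption from the bug
         * report: execution comes back to the loop with the count already at
         * zero, which the next `sub` drives negative, so the loop never exits. */
    }
}

/* Convenience wrappers for checking a variant against a count. */
bool loop_runs_away(uint32_t count, bool fixed) {
    bool overran;
    model_rdrand_loop(count, fixed, &overran);
    return overran;
}
size_t stores_before_exit(uint32_t count, bool fixed) {
    bool overran;
    return model_rdrand_loop(count, fixed, &overran);
}
```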