lib/56824: modulo by 0 in arc4random_uniform()

[guilherme.janczak%yandex.com@localhost]

>Number:         56824
>Category:       lib
>Synopsis:       modulo by 0 in arc4random_uniform()
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun May 08 22:20:01 +0000 2022
>Originator:     Guilherme Janczak
>Release:        9.2
>Organization:
>Environment:
NetBSD localhost 9.2 NetBSD 9.2 (GENERIC) #0: Wed May 12 13:15:55 UTC 2021 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
arc4random_uniform performs a modulo by 0 if it receives 0 as an argument, causing the program that calls it to be terminated with SIGFPE.
 
I've included an example C program that triggers the bug and also the fix.
>How-To-Repeat:
#include <stdio.h>
#include <stdlib.h>

int
main(void)
{
	uint32_t rnd;

	printf("arc4random_uniform(0): ");
	fflush(stdout);
	rnd = arc4random_uniform(0);
	printf("%llu\n", (unsigned long long)rnd);
}
>Fix:
Index: lib/libc/gen/arc4random.c
===================================================================
RCS file: /cvsroot/src/lib/libc/gen/arc4random.c,v
retrieving revision 1.33
diff -u -p -u -r1.33 arc4random.c
--- lib/libc/gen/arc4random.c	19 Apr 2022 20:32:15 -0000	1.33
+++ lib/libc/gen/arc4random.c	7 May 2022 19:35:37 -0000
@@ -623,6 +623,8 @@ arc4random_uniform(uint32_t bound)
 {
 	struct arc4random_prng *prng;
 	uint32_t minimum, r;
+	if (bound <= 1)
+		return 0;
 
 	/*
 	 * We want a uniform random choice in [0, n), and arc4random()