Date: Mon, 12 Dec 2022 14:56:45 -0500 From: Ed Maste <emaste@freebsd.org> To: freebsd-security@freebsd.org Subject: Clarification on FreeBSD-SA-22:15.ping / CVE-2022-23093 ping(8) stack overflow Message-ID: <CAPyFy2AMKEorH6v2VLG_g0UOyZdcpXb0YjZbc%2B-0=-d=MiHckw@mail.gmail.com> In-Reply-To: <CAPyFy2APL-QEQ4tEERv51v8qRaG9Ue2tUmHKzef-UzTgmkv%2BwQ@mail.gmail.com> References: <CAPyFy2DVBr_fGZqY5VbB__v=QSeLxtznJaNus4RSYpPdNsO4jQ@mail.gmail.com> <CAPyFy2DWHugQMeAzTR7FGScGXwNHPrRM560BvBRA128%2Bub3kRg@mail.gmail.com> <CAPyFy2APL-QEQ4tEERv51v8qRaG9Ue2tUmHKzef-UzTgmkv%2BwQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
We've seen many blog posts and news articles about this issue and unfortunately most of them get the details wrong. So, to clarify: - This issue affects only /sbin/ping, not kernel ICMP handling. - The issue relies on receipt of malicious packet(s) while the ping utility is running (i.e., while pinging a host). - ping(8) is setuid root, but drops privilege (to that of the user executing it) after opening sockets but before sending or receiving data. - ping(8) runs in a Capsicum capability sandbox, such that even in the event of a compromise the attacker is quite limited (has no access to global namespaces, such as the filesystem). - It is believed that exploitation is not possible due to the stack layout on affected platforms.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPyFy2AMKEorH6v2VLG_g0UOyZdcpXb0YjZbc%2B-0=-d=MiHckw>