From nobody Mon Dec 12 19:56:45 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NWC7w1gf2z4Y0dP for ; Mon, 12 Dec 2022 19:57:00 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NWC7t71wSz43qN for ; Mon, 12 Dec 2022 19:56:58 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=none; spf=pass (mx1.freebsd.org: domain of carpeddiem@gmail.com designates 209.85.210.170 as permitted sender) smtp.mailfrom=carpeddiem@gmail.com; dmarc=none Received: by mail-pf1-f170.google.com with SMTP id n3so657270pfq.10 for ; Mon, 12 Dec 2022 11:56:58 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=azKvFzFXsjoJs6xaFsn4ZiUEJ2DST/fCuL/gUMCwhJM=; b=iNDsH2hH8xca2FHfOmxm1Wj8pl/L//mu5935OCNt6+42biuJPN4U0EKCkSRqOc4u/P iQmqH4mp/RJfuZL7rq+0ea7U5djJPVGAh//DIGt771L5xzgGJXgHRQTbtTv2A/iSHSpS F7ylO71AsJdDgXOY+tborTZq/rasdvd2JUE72ZCmlhdREUY2USFHw7c00g0S1qmn2CBp CvoqARJ/kIlJnNnrUR5rlvu65E7Vg4TZVA1RcdzbojBLe5oGzdHDG5rw4jWi3sSfOsCx jcsE5IB7prJFkh/mcxwzrBDcj9W5U69xSY2J6gPv4BipmZcdeB4AZpr4PIXMQXLiepCB vfzw== X-Gm-Message-State: ANoB5pna+BDESFOfdVpBBzVl3ZuTzq4wHkCangJbT/JcirnroxL7F+cg Qwfq6wS0NpFxHFi9B+cd0007rflJcCSrctj5tvQ3KSGL X-Google-Smtp-Source: AA0mqf6x0hc4TEG7yU1CQt0T4DC+9YaKsZoQSvJgSzYDsgtqQY5bUk87AH8Z1oGtXtUClcL017NpEivXhcTbK91W7Co= X-Received: by 2002:a63:e547:0:b0:473:e2bb:7fc7 with SMTP id z7-20020a63e547000000b00473e2bb7fc7mr68239349pgj.40.1670875017084; Mon, 12 Dec 2022 11:56:57 -0800 (PST) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 References: In-Reply-To: From: Ed Maste Date: Mon, 12 Dec 2022 14:56:45 -0500 Message-ID: Subject: Clarification on FreeBSD-SA-22:15.ping / CVE-2022-23093 ping(8) stack overflow To: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Spamd-Result: default: False [-3.01 / 15.00]; NEURAL_HAM_LONG(-1.00)[-0.999]; NEURAL_HAM_SHORT(-0.96)[-0.965]; NEURAL_HAM_MEDIUM(-0.95)[-0.948]; FORGED_SENDER(0.30)[emaste@freebsd.org,carpeddiem@gmail.com]; R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17:c]; RWL_MAILSPIKE_GOOD(-0.10)[209.85.210.170:from]; MIME_GOOD(-0.10)[text/plain]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; DMARC_NA(0.00)[freebsd.org]; R_DKIM_NA(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; RCVD_IN_DNSWL_NONE(0.00)[209.85.210.170:from]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; FROM_NEQ_ENVFROM(0.00)[emaste@freebsd.org,carpeddiem@gmail.com]; ARC_NA(0.00)[]; RCVD_TLS_LAST(0.00)[]; FROM_HAS_DN(0.00)[]; FREEFALL_USER(0.00)[carpeddiem]; RCVD_COUNT_TWO(0.00)[2]; MIME_TRACE(0.00)[0:+]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; TO_DOM_EQ_FROM_DOM(0.00)[] X-Rspamd-Queue-Id: 4NWC7t71wSz43qN X-Spamd-Bar: --- X-ThisMailContainsUnwantedMimeParts: N We've seen many blog posts and news articles about this issue and unfortunately most of them get the details wrong. So, to clarify: - This issue affects only /sbin/ping, not kernel ICMP handling. - The issue relies on receipt of malicious packet(s) while the ping utility is running (i.e., while pinging a host). - ping(8) is setuid root, but drops privilege (to that of the user executing it) after opening sockets but before sending or receiving data. - ping(8) runs in a Capsicum capability sandbox, such that even in the event of a compromise the attacker is quite limited (has no access to global namespaces, such as the filesystem). - It is believed that exploitation is not possible due to the stack layout on affected platforms.