From nobody Tue Dec 13 08:35:36 2022
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NWWzP5pJKz4kX4w
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Tue, 13 Dec 2022 08:35:45 +0000 (UTC)
	(envelope-from ted@io-tx.com)
Received: from io-tx.com (io-tx.com [205.166.246.111])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "*.io-tx.com", Issuer "AlphaSSL CA - SHA256 - G2" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4NWWzP3HFJz4RxJ;
	Tue, 13 Dec 2022 08:35:45 +0000 (UTC)
	(envelope-from ted@io-tx.com)
Authentication-Results: mx1.freebsd.org;
	none
Received: from io-tx.com (io-tx.com [205.166.246.111])
	(authenticated bits=0)
	by io-tx.com (8.17.1/8.16.1) with ESMTPSA id 2BD8Za8k099511
	(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO);
	Tue, 13 Dec 2022 02:35:36 -0600 (CST)
	(envelope-from ted@io-tx.com)
Date: Tue, 13 Dec 2022 02:35:36 -0600 (CST)
From: Ted Hatfield <ted@io-tx.com>
To: Ed Maste <emaste@freebsd.org>
cc: freebsd-security@freebsd.org
Subject: Re: Clarification on FreeBSD-SA-22:15.ping / CVE-2022-23093 ping(8)
 stack overflow
In-Reply-To: <CAPyFy2AMKEorH6v2VLG_g0UOyZdcpXb0YjZbc+-0=-d=MiHckw@mail.gmail.com>
Message-ID: <3fe5bf2-768-fe18-e8c7-a4135c37a87c@io-tx.com>
References: <CAPyFy2DVBr_fGZqY5VbB__v=QSeLxtznJaNus4RSYpPdNsO4jQ@mail.gmail.com> <CAPyFy2DWHugQMeAzTR7FGScGXwNHPrRM560BvBRA128+ub3kRg@mail.gmail.com> <CAPyFy2APL-QEQ4tEERv51v8qRaG9Ue2tUmHKzef-UzTgmkv+wQ@mail.gmail.com>
 <CAPyFy2AMKEorH6v2VLG_g0UOyZdcpXb0YjZbc+-0=-d=MiHckw@mail.gmail.com>
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
Sender: owner-freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
X-Spam-Status: No, score=-0.9 required=5.0 tests=ALL_TRUSTED,AWL,
	KAM_DMARC_STATUS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on io-tx.com
X-Rspamd-Queue-Id: 4NWWzP3HFJz4RxJ
X-Spamd-Bar: ----
X-Spamd-Result: default: False [-4.00 / 15.00];
	REPLY(-4.00)[];
	ASN(0.00)[asn:55103, ipnet:205.166.246.0/24, country:US]
X-Rspamd-Pre-Result: action=no action;
	module=replies;
	Message is reply to one we originated
X-ThisMailContainsUnwantedMimeParts: N


On Mon, 12 Dec 2022, Ed Maste wrote:

> We've seen many blog posts and news articles about this issue and
> unfortunately most of them get the details wrong. So, to clarify:
>
> - This issue affects only /sbin/ping, not kernel ICMP handling.
> - The issue relies on receipt of malicious packet(s) while the ping
>  utility is running (i.e., while pinging a host).
> - ping(8) is setuid root, but drops privilege (to that of the user
>  executing it) after opening sockets but before sending or receiving
>  data.
> - ping(8) runs in a Capsicum capability sandbox, such that even in the
>  event of a compromise the attacker is quite limited (has no access to
>  global namespaces, such as the filesystem).
> - It is believed that exploitation is not possible due to the stack
>  layout on affected platforms.
>
>

Thanks for the detailed summation.

Ted