From nobody Mon Dec 12 19:56:45 2022
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NWC7w1gf2z4Y0dP
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Mon, 12 Dec 2022 19:57:00 +0000 (UTC)
	(envelope-from carpeddiem@gmail.com)
Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4NWC7t71wSz43qN
	for <freebsd-security@freebsd.org>; Mon, 12 Dec 2022 19:56:58 +0000 (UTC)
	(envelope-from carpeddiem@gmail.com)
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	spf=pass (mx1.freebsd.org: domain of carpeddiem@gmail.com designates 209.85.210.170 as permitted sender) smtp.mailfrom=carpeddiem@gmail.com;
	dmarc=none
Received: by mail-pf1-f170.google.com with SMTP id n3so657270pfq.10
        for <freebsd-security@freebsd.org>; Mon, 12 Dec 2022 11:56:58 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=to:subject:message-id:date:from:in-reply-to:references:mime-version
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=azKvFzFXsjoJs6xaFsn4ZiUEJ2DST/fCuL/gUMCwhJM=;
        b=iNDsH2hH8xca2FHfOmxm1Wj8pl/L//mu5935OCNt6+42biuJPN4U0EKCkSRqOc4u/P
         iQmqH4mp/RJfuZL7rq+0ea7U5djJPVGAh//DIGt771L5xzgGJXgHRQTbtTv2A/iSHSpS
         F7ylO71AsJdDgXOY+tborTZq/rasdvd2JUE72ZCmlhdREUY2USFHw7c00g0S1qmn2CBp
         CvoqARJ/kIlJnNnrUR5rlvu65E7Vg4TZVA1RcdzbojBLe5oGzdHDG5rw4jWi3sSfOsCx
         jcsE5IB7prJFkh/mcxwzrBDcj9W5U69xSY2J6gPv4BipmZcdeB4AZpr4PIXMQXLiepCB
         vfzw==
X-Gm-Message-State: ANoB5pna+BDESFOfdVpBBzVl3ZuTzq4wHkCangJbT/JcirnroxL7F+cg
	Qwfq6wS0NpFxHFi9B+cd0007rflJcCSrctj5tvQ3KSGL
X-Google-Smtp-Source: AA0mqf6x0hc4TEG7yU1CQt0T4DC+9YaKsZoQSvJgSzYDsgtqQY5bUk87AH8Z1oGtXtUClcL017NpEivXhcTbK91W7Co=
X-Received: by 2002:a63:e547:0:b0:473:e2bb:7fc7 with SMTP id
 z7-20020a63e547000000b00473e2bb7fc7mr68239349pgj.40.1670875017084; Mon, 12
 Dec 2022 11:56:57 -0800 (PST)
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
Sender: owner-freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
MIME-Version: 1.0
References: <CAPyFy2DVBr_fGZqY5VbB__v=QSeLxtznJaNus4RSYpPdNsO4jQ@mail.gmail.com>
 <CAPyFy2DWHugQMeAzTR7FGScGXwNHPrRM560BvBRA128+ub3kRg@mail.gmail.com> <CAPyFy2APL-QEQ4tEERv51v8qRaG9Ue2tUmHKzef-UzTgmkv+wQ@mail.gmail.com>
In-Reply-To: <CAPyFy2APL-QEQ4tEERv51v8qRaG9Ue2tUmHKzef-UzTgmkv+wQ@mail.gmail.com>
From: Ed Maste <emaste@freebsd.org>
Date: Mon, 12 Dec 2022 14:56:45 -0500
Message-ID: <CAPyFy2AMKEorH6v2VLG_g0UOyZdcpXb0YjZbc+-0=-d=MiHckw@mail.gmail.com>
Subject: Clarification on FreeBSD-SA-22:15.ping / CVE-2022-23093 ping(8) stack overflow
To: freebsd-security@freebsd.org
Content-Type: text/plain; charset="UTF-8"
X-Spamd-Result: default: False [-3.01 / 15.00];
	NEURAL_HAM_LONG(-1.00)[-0.999];
	NEURAL_HAM_SHORT(-0.96)[-0.965];
	NEURAL_HAM_MEDIUM(-0.95)[-0.948];
	FORGED_SENDER(0.30)[emaste@freebsd.org,carpeddiem@gmail.com];
	R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17:c];
	RWL_MAILSPIKE_GOOD(-0.10)[209.85.210.170:from];
	MIME_GOOD(-0.10)[text/plain];
	MLMMJ_DEST(0.00)[freebsd-security@freebsd.org];
	DMARC_NA(0.00)[freebsd.org];
	R_DKIM_NA(0.00)[];
	FREEMAIL_ENVFROM(0.00)[gmail.com];
	RCVD_IN_DNSWL_NONE(0.00)[209.85.210.170:from];
	ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US];
	FROM_NEQ_ENVFROM(0.00)[emaste@freebsd.org,carpeddiem@gmail.com];
	ARC_NA(0.00)[];
	RCVD_TLS_LAST(0.00)[];
	FROM_HAS_DN(0.00)[];
	FREEFALL_USER(0.00)[carpeddiem];
	RCVD_COUNT_TWO(0.00)[2];
	MIME_TRACE(0.00)[0:+];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	TO_DN_NONE(0.00)[];
	PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org];
	RCPT_COUNT_ONE(0.00)[1];
	TO_DOM_EQ_FROM_DOM(0.00)[]
X-Rspamd-Queue-Id: 4NWC7t71wSz43qN
X-Spamd-Bar: ---
X-ThisMailContainsUnwantedMimeParts: N

We've seen many blog posts and news articles about this issue and
unfortunately most of them get the details wrong. So, to clarify:

- This issue affects only /sbin/ping, not kernel ICMP handling.
- The issue relies on receipt of malicious packet(s) while the ping
  utility is running (i.e., while pinging a host).
- ping(8) is setuid root, but drops privilege (to that of the user
  executing it) after opening sockets but before sending or receiving
  data.
- ping(8) runs in a Capsicum capability sandbox, such that even in the
  event of a compromise the attacker is quite limited (has no access to
  global namespaces, such as the filesystem).
- It is believed that exploitation is not possible due to the stack
  layout on affected platforms.