Bug 16677

Summary: "ping -c 1 -s 65690 localhost" segfaults
Product: [Retired] Red Hat Linux
Reporter: Daniel Roesen <dr>
Component: iputils
Assignee: Crutcher Dunnavant <crutcher>
Status: CLOSED ERRATA
Severity: medium
Priority: high
Version: 6.2
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2000-10-18 14:44:49 UTC

Description Daniel Roesen 2000-08-21 13:54:07 UTC
[root@james /root]$ ping -c 1 -s 65690  localhost
WARNING: packet size 65690 is too large. Maximum is 65507
Segmentation fault (core dumped)
[root@james /root]$ gdb ping core
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
Core was generated by `ping -c 1 -s 65690 localhost'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libresolv.so.2...done.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
Reading symbols from /lib/libnss_files.so.2...done.
#0  0x4006e451 in _IO_vfprintf (s=0x40115980,
    format=0x804b52b "PING %s (%s) ", ap=0xbffff9ac) at vfprintf.c:1259
1259    vfprintf.c: No such file or directory.
(gdb) bt
#0  0x4006e451 in _IO_vfprintf (s=0x40115980,
    format=0x804b52b "PING %s (%s) ", ap=0xbffff9ac) at vfprintf.c:1259
#1  0x40075070 in printf (format=0x804b52b "PING %s (%s) ") at printf.c:31
#2  0x8049cb8 in setuid () at ../sysdeps/unix/sysv/linux/i386/setuid.c:32
#3  0x4003f9cb in __libc_start_main (main=0x8048e34 <setuid+280>, argc=6,
    argv=0xbffffb14, init=0x8048a1c, fini=0x804b0bc <setuid+9120>,
    rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffffb0c)
    at ../sysdeps/generic/libc-start.c:92
(gdb) info registers
eax            0x0      0
ecx            0xffffffff       -1
edx            0xbffff983       -1073743485
ebx            0x401171ec       1074885100
esp            0xbffff2f0       -1073745168
ebp            0xbffff984       -1073743484
esi            0x4006e3a0       1074193312
edi            0xbfff9998       -1073768040
eip            0x4006e451       1074193489
eflags         0x10246  66118
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x2b     43
gs             0x2b     43
cwd            0x0      0
swd            0x0      0
twd            0x0      0
fip            0x0      0
fcs            0x0      0
fopo           0x0      0
fos            0x0      0

Not reproducible as non-root.

There is a discussion about this problem going on on the vuln-dev
mailing list @ securityfocus.com.

It was confirmed that Pinstripe's ping also segfaults.

Comment 1 Matt Wilson 2000-08-21 15:08:27 UTC
The code path problem is explicitly on the root execution path:
        if (datalen > 0xFFFF - 8 - optlen - 20) {
                if (uid) {
                        fprintf(stderr, "Error: packet size %d is too large. Maximum is %d\n",
                                datalen, 0xFFFF-8-20-optlen);
                        exit(1);
                }
                fprintf(stderr, "WARNING: packet size %d is too large. Maximum is %d\n",
                        datalen, 0xFFFF-8-20-optlen);
        }

Note that if !uid (running as root), we don't exit.

Now, the problem is that the outgoing packet buffer is an array on the stack. 
We overflow this buffer with such a large packet size.

This path is not exploitable as you have to be root to experience the bug.


Comment 2 Jeff Johnson 2000-10-09 17:42:11 UTC
ping from iputils-20001007-1 does not segfault (on alpha at least) with
	ping -c 1 -s 65690  localhost

Comment 3 Daniel Roesen 2000-10-09 17:50:35 UTC
The bug is filed against i386, not alpha. And was verified by several people, 
including msw. So why do you mark it "resolved"?

Reopening.

Comment 4 Matt Wilson 2000-10-09 17:52:55 UTC
It still segfaults on ia32, we need to test this against alexey's new release.


Comment 5 Alan Cox 2000-10-10 15:17:30 UTC
This is exploitable in some of the web CGI ping applications people run too. See
previous discussions on other security lists.


Comment 6 Daniel Roesen 2000-10-10 15:38:58 UTC
ok, so changing severity/priority to "security"/"high" again.

Comment 7 Jeff Johnson 2000-10-10 20:22:37 UTC
Fixed in iputils-20001010-1.

Comment 8 Daniel Roesen 2000-10-18 14:15:07 UTC
hm, and where can we find that errata update?

Comment 9 Daniel Roesen 2000-10-18 14:44:46 UTC
It's now more than a week since RESOLVED/ERRATA and no errata update announced 
or on ftp. Reopening until the update hits the street.

Comment 10 Jeff Johnson 2000-10-18 15:22:58 UTC
Patience, grasshopper :-)

Comment 11 Daniel Roesen 2000-10-18 15:54:38 UTC
I take this comment as a personal offense. Is that RH's culture in dealing with 
security problems?