[root@james /root]$ ping -c 1 -s 65690 localhost
WARNING: packet size 65690 is too large. Maximum is 65507
Segmentation fault (core dumped)
[root@james /root]$ gdb ping core
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
Core was generated by `ping -c 1 -s 65690 localhost'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libresolv.so.2...done.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
Reading symbols from /lib/libnss_files.so.2...done.
#0  0x4006e451 in _IO_vfprintf (s=0x40115980, format=0x804b52b "PING %s (%s) ", ap=0xbffff9ac) at vfprintf.c:1259
1259    vfprintf.c: No such file or directory.
(gdb) bt
#0  0x4006e451 in _IO_vfprintf (s=0x40115980, format=0x804b52b "PING %s (%s) ", ap=0xbffff9ac) at vfprintf.c:1259
#1  0x40075070 in printf (format=0x804b52b "PING %s (%s) ") at printf.c:31
#2  0x8049cb8 in setuid () at ../sysdeps/unix/sysv/linux/i386/setuid.c:32
#3  0x4003f9cb in __libc_start_main (main=0x8048e34 <setuid+280>, argc=6, argv=0xbffffb14, init=0x8048a1c, fini=0x804b0bc <setuid+9120>, rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffffb0c) at ../sysdeps/generic/libc-start.c:92
(gdb) info registers
eax            0x0              0
ecx            0xffffffff       -1
edx            0xbffff983       -1073743485
ebx            0x401171ec       1074885100
esp            0xbffff2f0       -1073745168
ebp            0xbffff984       -1073743484
esi            0x4006e3a0       1074193312
edi            0xbfff9998       -1073768040
eip            0x4006e451       1074193489
eflags         0x10246          66118
cs             0x23             35
ss             0x2b             43
ds             0x2b             43
es             0x2b             43
fs             0x2b             43
gs             0x2b             43
cwd            0x0              0
swd            0x0              0
twd            0x0              0
fip            0x0              0
fcs            0x0              0
fopo           0x0              0
fos            0x0              0

Not reproducible as non-root.
There is a discussion about this problem going on on the vuln-dev mailing list @ securityfocus.com. It was confirmed that Pinstripe's ping also segfaults.
The code path problem is explicitly on the root execution path:

    if (datalen > 0xFFFF - 8 - optlen - 20) {
        if (uid) {
            fprintf(stderr, "Error: packet size %d is too large. Maximum is %d\n",
                    datalen, 0xFFFF-8-20-optlen);
            exit(1);
        }
        fprintf(stderr, "WARNING: packet size %d is too large. Maximum is %d\n",
                datalen, 0xFFFF-8-20-optlen);
    }

Note that if !uid (running as root), we don't exit. Now, the problem is that the outgoing packet buffer is an array on the stack. We overflow this buffer with such a large packet size. This path is not exploitable as you have to be root to experience the bug.
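The following is an added example, not code from this thread or from iputils. It models the check quoted above in isolation, with the limit written out as it appears there (an 8-byte ICMP header and a 20-byte IP header, which is what 0xFFFF - 8 - 20 - optlen implies), and places the original privilege-dependent check beside a version that refuses the oversized size for everyone. The packet buffer is a constructed stand-in for ping's stack array, and build_packet adds a bounds check of its own so that a wrong or missing caller check cannot turn into an out-of-bounds write.

```c
#include <stdio.h>
#include <string.h>

#define ICMP_HDR_LEN 8      /* assumed ICMP echo header size, as the 0xFFFF - 8 term implies */
#define IP_HDR_LEN   20     /* assumed IP header size without options, the - 20 term */
#define MAX_IP_LEN   0xFFFF /* largest total IP datagram length */

/* Largest payload that still fits in one datagram with `optlen` bytes of IP options.
   Evaluates to 65507 for optlen == 0, the figure ping prints in the thread. */
int max_datalen(int optlen) {
    return MAX_IP_LEN - ICMP_HDR_LEN - IP_HDR_LEN - optlen;
}

/* The logic as quoted in the thread. Returns 1 when ping would go on to build the
   packet and 0 when it would exit. A non-root caller (uid != 0) is refused; root
   only gets a warning and continues with a datalen larger than the buffer. */
int datalen_check_original(int datalen, int optlen, unsigned uid) {
    if (datalen > max_datalen(optlen)) {
        if (uid) {
            fprintf(stderr, "Error: packet size %d is too large. Maximum is %d\n",
                    datalen, max_datalen(optlen));
            return 0;
        }
        fprintf(stderr, "WARNING: packet size %d is too large. Maximum is %d\n",
                datalen, max_datalen(optlen));
    }
    return 1;   /* root proceeds with an oversized datalen: this is the overflow path */
}

/* Hardened check: the limit is a property of the packet buffer, not of who runs
   the program, so uid plays no part. Negative sizes are rejected as well. */
int datalen_check_fixed(int datalen, int optlen, unsigned uid) {
    (void)uid;
    if (datalen < 0 || datalen > max_datalen(optlen)) {
        fprintf(stderr, "Error: packet size %d is too large. Maximum is %d\n",
                datalen, max_datalen(optlen));
        return 0;
    }
    return 1;
}

/* Second line of defence in the builder itself: never write more than `bufsize`
   bytes, whatever the caller checked. Returns the bytes written or -1 if the
   request does not fit. The header layout here is a constructed placeholder. */
int build_packet(unsigned char *buf, size_t bufsize, int datalen) {
    if (bufsize < ICMP_HDR_LEN || datalen < 0 ||
        (size_t)datalen > bufsize - ICMP_HDR_LEN)
        return -1;
    memset(buf, 0, ICMP_HDR_LEN);                        /* header placeholder */
    buf[0] = 8;                                          /* ICMP_ECHO type */
    memset(buf + ICMP_HDR_LEN, 0xAB, (size_t)datalen);   /* payload fill */
    return ICMP_HDR_LEN + datalen;
}

/* Tries to build a packet with `datalen` payload bytes into a 64-byte scratch
   buffer; exercises the builder's own bound independently of the size check. */
int try_build(int datalen) {
    unsigned char scratch[64];
    return build_packet(scratch, sizeof scratch, datalen);
}

int main(void) {
    int oversized = 65690;   /* the -s value from the thread */

    printf("original check, root,     datalen %d: proceed=%d\n",
           oversized, datalen_check_original(oversized, 0, 0));
    printf("original check, non-root, datalen %d: proceed=%d\n",
           oversized, datalen_check_original(oversized, 0, 1000));
    printf("fixed check,    root,     datalen %d: proceed=%d\n",
           oversized, datalen_check_fixed(oversized, 0, 0));

    /* Even if a caller let an oversized datalen through, the builder refuses it. */
    printf("build 56 bytes into 64-byte buffer: %d\n", try_build(56));
    printf("build 57 bytes into 64-byte buffer: %d\n", try_build(57));
    return 0;
}
```

The point of the two checks together is that the size limit is enforced where the buffer lives, so the privilege split that the thread describes (warn root, refuse everyone else) cannot by itself decide whether memory gets overwritten.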
ping from iputils-20001007-1 does not segfault (on alpha at least) with ping -c 1 -s 65690 localhost
The bug is filed against i386, not alpha. And was verified by several people, including msw. So why do you mark it "resolved"? Reopening.
It still segfaults on ia32, we need to test this against alexey's new release.
This is exploitable in some of the web cgi ping applications people run too. See previous discussions on other security lists.
ok, so changing severity/priority to "security"/"high" again.
Fixed in iputils-20001010-1.
hm, and where can we find that errata update?
It's now more than a week since RESOLVED/ERRATA and no errata update announced or on ftp. Reopening until the update hits the street.
Patience, grasshopper :-)
I take this comment as a personal offense. Is that RH's culture in dealing with security problems?