Bug 16677 - "ping -c 1 -s 65690 localhost" segfaults
Summary: "ping -c 1 -s 65690 localhost" segfaults
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iputils
Version: 6.2
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Crutcher Dunnavant
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2000-08-21 13:54 UTC by Daniel Roesen
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2000-10-18 14:44:49 UTC
Embargoed:



Description Daniel Roesen 2000-08-21 13:54:07 UTC
[root@james /root]$ ping -c 1 -s 65690  localhost
WARNING: packet size 65690 is too large. Maximum is 65507
Segmentation fault (core dumped)
[root@james /root]$ gdb ping core
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
Core was generated by `ping -c 1 -s 65690 localhost'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libresolv.so.2...done.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
Reading symbols from /lib/libnss_files.so.2...done.
#0  0x4006e451 in _IO_vfprintf (s=0x40115980,
    format=0x804b52b "PING %s (%s) ", ap=0xbffff9ac) at vfprintf.c:1259
1259    vfprintf.c: No such file or directory.
(gdb) bt
#0  0x4006e451 in _IO_vfprintf (s=0x40115980,
    format=0x804b52b "PING %s (%s) ", ap=0xbffff9ac) at vfprintf.c:1259
#1  0x40075070 in printf (format=0x804b52b "PING %s (%s) ") at printf.c:31
#2  0x8049cb8 in setuid () at ../sysdeps/unix/sysv/linux/i386/setuid.c:32
#3  0x4003f9cb in __libc_start_main (main=0x8048e34 <setuid+280>, argc=6,
    argv=0xbffffb14, init=0x8048a1c, fini=0x804b0bc <setuid+9120>,
    rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffffb0c)
    at ../sysdeps/generic/libc-start.c:92
(gdb) info registers
eax            0x0      0
ecx            0xffffffff       -1
edx            0xbffff983       -1073743485
ebx            0x401171ec       1074885100
esp            0xbffff2f0       -1073745168
ebp            0xbffff984       -1073743484
esi            0x4006e3a0       1074193312
edi            0xbfff9998       -1073768040
eip            0x4006e451       1074193489
eflags         0x10246  66118
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x2b     43
gs             0x2b     43
cwd            0x0      0
swd            0x0      0
twd            0x0      0
fip            0x0      0
fcs            0x0      0
fopo           0x0      0
fos            0x0      0

Not reproducible as non-root.

There is a discussion about this problem going on on the vuln-dev
mailing list @ securityfocus.com.

It was confirmed that Pinstripe's ping also segfaults.

Comment 1 Matt Wilson 2000-08-21 15:08:27 UTC
The code path problem is explicitly on the root execution path:
        if (datalen > 0xFFFF - 8 - optlen - 20) {
                if (uid) {
                        /* non-root: refuse the oversized size and exit */
                        fprintf(stderr, "Error: packet size %d is too large. "
                                "Maximum is %d\n", datalen, 0xFFFF-8-20-optlen);
                        exit(1);
                }
                /* root: only a warning, execution continues with datalen unchanged */
                fprintf(stderr, "WARNING: packet size %d is too large. "
                        "Maximum is %d\n", datalen, 0xFFFF-8-20-optlen);
        }

Note that if !uid (running as root), we don't exit.

Now, the problem is that the outgoing packet buffer is an array on the stack. 
We overflow this buffer with such a large packet size.

This path is not exploitable as you have to be root to experience the bug.
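
Added example, not the iputils source and not written by anyone in this thread: a C model of the size check quoted above, showing the original decision (non-root refused, root warned but allowed to continue) beside a hardened one that applies the bound regardless of uid, plus a packet-building routine that checks the request against the size of the destination buffer itself. The 0xFFFF, 8 and 20 figures come from the quoted code; the macro names, function names, the constructed payload byte and the stack buffer size are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Assumed names for the constants in the quoted expression
 * "0xFFFF - 8 - optlen - 20". */
#define MAX_IP_PACKET 0xFFFF   /* largest IP datagram */
#define ICMP_HDR_LEN  8        /* ICMP echo header */
#define IP_HDR_LEN    20       /* IP header without options */

/* Largest payload that still fits once IP header, IP options and ICMP
 * header are accounted for.  With no options this is 65507, the figure
 * printed in the bug's WARNING line. */
int max_datalen(int optlen)
{
    return MAX_IP_PACKET - ICMP_HDR_LEN - IP_HDR_LEN - optlen;
}

/* The decision the quoted ping code makes.  Returns 1 if sending would
 * go ahead: non-root is refused, root gets a warning and continues with
 * the oversized datalen, which is what later overflows the stack buffer. */
int original_check_allows(int datalen, int optlen, uid_t uid)
{
    if (datalen > max_datalen(optlen)) {
        if (uid)
            return 0;   /* "Error: ... too large", exit(1) */
        /* root: warning only, execution continues */
    }
    return 1;
}

/* Hardened decision: the bound protects the program's own buffer, so it
 * must not depend on who is running the program.  Negative lengths are
 * rejected as well. */
int fixed_check_allows(int datalen, int optlen, uid_t uid)
{
    (void)uid;
    if (datalen < 0 || datalen > max_datalen(optlen))
        return 0;
    return 1;
}

/* Writes an ICMP echo header plus datalen payload bytes into buf, bounded
 * by buflen rather than by any earlier check.  Returns bytes written, or
 * -1 if the request does not fit.  Header layout and payload byte are
 * constructed for the example, not a real ICMP encoder. */
int build_packet(unsigned char *buf, size_t buflen, int datalen)
{
    if (datalen < 0 || (size_t)datalen + ICMP_HDR_LEN > buflen)
        return -1;
    memset(buf, 0, ICMP_HDR_LEN);
    buf[0] = 8;                                          /* ICMP_ECHO type */
    memset(buf + ICMP_HDR_LEN, 0xA5, (size_t)datalen);   /* constructed payload */
    return ICMP_HDR_LEN + datalen;
}

/* Runs build_packet against a fixed-size stack buffer, the situation
 * Comment 1 describes, and returns the resulting length or -1. */
int try_build(int datalen)
{
    unsigned char outpack[MAX_IP_PACKET];   /* assumed buffer size */
    return build_packet(outpack, sizeof outpack, datalen);
}

int main(void)
{
    int sizes[] = { 56, 65507, 65690 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("datalen %d: original(root)=%d fixed(root)=%d build=%d\n",
               sizes[i],
               original_check_allows(sizes[i], 0, 0),
               fixed_check_allows(sizes[i], 0, 0),
               try_build(sizes[i]));
    }
    return 0;
}
```

Running it shows the difference the thread is about: for 65690 the original decision still returns 1 when uid is 0, while the hardened check and the size-bounded builder both refuse it. The design point is that the buffer-length check lives next to the memory write, so a later change to the uid logic cannot reopen the overflow.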


Comment 2 Jeff Johnson 2000-10-09 17:42:11 UTC
ping from iputils-20001007-1 does not segfault (on alpha at least) with
	ping -c 1 -s 65690  localhost

Comment 3 Daniel Roesen 2000-10-09 17:50:35 UTC
The bug is filed against i386, not alpha. And was verified by several people, 
including msw. So why do you mark it "resolved"?

Reopening.

Comment 4 Matt Wilson 2000-10-09 17:52:55 UTC
It still segfaults on ia32, we need to test this against alexey's new release.


Comment 5 Alan Cox 2000-10-10 15:17:30 UTC
This is exploitable in some of the web cgi ping applications people run too. See
previous discussions on other security lists.


Comment 6 Daniel Roesen 2000-10-10 15:38:58 UTC
ok, so changing severity/priority to "security"/"high" again.

Comment 7 Jeff Johnson 2000-10-10 20:22:37 UTC
Fixed in iputils-20001010-1.

Comment 8 Daniel Roesen 2000-10-18 14:15:07 UTC
hm, and where can we find that errata update?

Comment 9 Daniel Roesen 2000-10-18 14:44:46 UTC
It's now more than a week since RESOLVED/ERRATA and no errata update announced 
or on ftp. Reopening until the update hits the street.

Comment 10 Jeff Johnson 2000-10-18 15:22:58 UTC
Patience, grasshopper :-)

Comment 11 Daniel Roesen 2000-10-18 15:54:38 UTC
I take this comment as a personal offense. Is that RH's culture in dealing with 
security problems?

