File iputils-CVE-2025-47268.patch of Package iputils.38678

From f6c0ffd3fe705c5699fe01b76308599bb221ea15 Mon Sep 17 00:00:00 2001
From: Petr Vorel <pvorel@suse.cz>
Date: Fri, 9 May 2025 16:30:27 +0200
Subject: [PATCH] ping: Fix signed 64-bit integer overflow in RTT calculation

Crafted ICMP Echo Reply packet can cause signed integer overflow in

1) triptime calculation:
triptime = tv->tv_sec * 1000000 + tv->tv_usec;

2) tsum2 increment which uses triptime
rts->tsum2 += (double)((long long)triptime * (long long)triptime);

3) final tmvar:
tmvar = (rts->tsum2 / total) - (tmavg * tmavg)

    $ export CFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer"
    $ export LDFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer"
    $ meson setup .. -Db_sanitize=address,undefined
    $ ninja
    $ ./ping/ping -c2 127.0.0.1

    PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.061 ms
    ../ping/ping_common.c:757:25: runtime error: signed integer overflow: -2513732689199106 * 1000000 cannot be represented in type 'long int'
    ../ping/ping_common.c:757:12: runtime error: signed integer overflow: -4975495174606980224 + -6510615555425289427 cannot be represented in type 'long int'
    ../ping/ping_common.c:769:47: runtime error: signed integer overflow: 6960633343677281965 * 6960633343677281965 cannot be represented in type 'long int'
    24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
    ./ping/ping: Warning: time of day goes back (-7256972569576721377us), taking countermeasures
    ./ping/ping: Warning: time of day goes back (-7256972569576721232us), taking countermeasures
    24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
    ../ping/ping_common.c:265:16: runtime error: signed integer overflow: 6960633343677281965 * 2 cannot be represented in type 'long int'
    64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.565 ms

    --- 127.0.0.1 ping statistics ---
    2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1002ms
    ../ping/ping_common.c:940:42: runtime error: signed integer overflow: 1740158335919320832 * 1740158335919320832 cannot be represented in type 'long int'
    rtt min/avg/max/mdev = 0.000/1740158335919320.832/6960633343677281.965/-1623514645242292.-224 ms

To fix the overflow check allowed ranges of struct timeval members:
* tv_sec <0, LONG_MAX/1000000>
* tv_usec <0, 999999>

Fix includes 2 new error messages (needs translation).
Also existing message "time of day goes back ..." needed to be modified
as it now prints tv->tv_sec which is a second (needs translation update).

After fix:

    $ ./ping/ping -c2 127.0.0.1
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.057 ms
    ./ping/ping: Warning: invalid tv_usec -6510615555424928611 us
    ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures
    ./ping/ping: Warning: invalid tv_usec -6510615555424928461 us
    ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures
    24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
    ./ping/ping: Warning: invalid tv_usec -6510615555425884541 us
    ./ping/ping: Warning: time of day goes back (-4243165695442945 s), taking countermeasures
    24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
    64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.111 ms

    --- 127.0.0.1 ping statistics ---
    2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 101ms
    rtt min/avg/max/mdev = 0.000/0.042/0.111/0.046 ms

Fixes: https://github.com/iputils/iputils/issues/584
Fixes: CVE-2025-472
Link: https://github.com/Zephkek/ping-rtt-overflow/
Co-developed-by: Cyril Hrubis <chrubis@suse.cz>
Reported-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
Reviewed-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
Reviewed-by: Noah Meyerhans <noahm@debian.org>
[ pvorel: backport of upstream 070cfacd7348386173231fb16fad4983d4e6ae40 to s20161105 ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 ping.h        |  3 +++
 ping_common.c | 20 ++++++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

Index: iputils-s20121221/ping_common.c
===================================================================
--- iputils-s20121221.orig/ping_common.c
+++ iputils-s20121221/ping_common.c
@@ -869,8 +869,21 @@ int gather_statistics(__u8 *icmph, int i
 
 restamp:
 		tvsub(tv, &tmp_tv);
-		triptime = tv->tv_sec * 1000000 + tv->tv_usec;
-		if (triptime < 0) {
+
+		if (tv->tv_usec >= 1000000) {
+			fprintf(stderr, "Warning: invalid tv_usec %ld us\n", tv->tv_usec);
+			tv->tv_usec = 999999;
+		}
+
+		if (tv->tv_usec < 0) {
+			fprintf(stderr, "Warning: invalid tv_usec %ld us\n", tv->tv_usec);
+			tv->tv_usec = 0;
+		}
+
+		if (tv->tv_sec > TV_SEC_MAX_VAL) {
+			fprintf(stderr, "Warning: invalid tv_sec %ld s\n", tv->tv_sec);
+			triptime = 0;
+		} else if (tv->tv_sec < 0) {
 			fprintf(stderr, "Warning: time of day goes back (%ldus), taking countermeasures.\n", triptime);
 			triptime = 0;
 			if (!(options & F_LATENCY)) {
@@ -878,7 +891,10 @@ restamp:
 				options |= F_LATENCY;
 				goto restamp;
 			}
+		} else {
+			triptime = tv->tv_sec * 1000000 + tv->tv_usec;
 		}
+
 		if (!csfailed) {
 			tsum += triptime;
 			tsum2 += (long long)triptime * (long long)triptime;
Index: iputils-s20121221/ping_common.h
===================================================================
--- iputils-s20121221.orig/ping_common.h
+++ iputils-s20121221/ping_common.h
@@ -43,6 +43,9 @@
 
 #define SCHINT(a)	(((a) <= MININTERVAL) ? MININTERVAL : (a))
 
+/* 1000001 = 1000000 tv_sec + 1 tv_usec */
+#define TV_SEC_MAX_VAL (LONG_MAX/1000001)
+
 /* various options */
 extern int options;
 #define	F_FLOOD		0x001