/sbin/ping -G sweepmax has no bounds check on macOS: deterministic BSS out-of-bounds write, confirmed by Apple

The -s flag in /sbin/ping has a maxpayload bounds check; -G sweepmax doesn't. An #ifndef __APPLE__ block removed the original uid guard without adding an equivalent check, so the fill loop walks past the end of the 65,535-byte outpackhdr[] BSS global and into adjacent globals. The write is byte-precise and deterministic: the byte at offset N gets the value (N-1) % 256, fully controlled by -G.

Empirically confirmed on macOS 26.4.1 arm64e:

– sweepmax=65637: overwrites the static int s socket fd at BSS+128 with 0x63. Every subsequent setsockopt() returns EBADF. Exit 71.
– sweepmax=65636: runs clean.

The threshold is binary-searchable and invariant across runs. At higher sweepmax values the loop reaches pointer-type globals (*outpack, *hostname, *shostname). On x86_64 that's a write-what-where bounded by the sequential value constraint. On arm64e, PAC blocks code-pointer hijack; state corruption is still demonstrable.

ping isn't setuid on macOS 11+, so no direct priv-esc. Local only.

Fix is one line: a symmetric maxpayload check matching what -s already does. Apple confirmed 16 April 2026; fix scheduled Fall 2026.

Source is open: github.com/apple-oss-distributions/network_cmds
Full write-up with memory dump evidence: https://stuart-thomas.com/research/ping-sweepmax-bss/

submitted by /u/Prize-Unlucky
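To make the "symmetric check" concrete, here is an added example (not code from network_cmds or from the post's author) that models the layout the post describes: a 65,535-byte buffer standing in for outpackhdr[], a neighbouring int standing in for the socket fd global, and a fill loop that produces the (N-1) % 256 sequence. The guard is applied before the loop, exactly the way a maxpayload comparison on -s works, so an over-long sweepmax is rejected instead of running into the neighbouring global. All names, the sentinel placement and the choice to pass maxpayload in as a parameter are assumptions of this model; the real header accounting in ping.c is not reproduced.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not the network_cmds source: a 65,535-byte packet
 * buffer playing the role of outpackhdr[], followed by a second global that
 * stands in for the neighbouring static int s (the socket fd). The names
 * and the adjacency are assumptions made for this example. */
#define OUTPACK_MAX 65535
static unsigned char outpack_model[OUTPACK_MAX];
static int sockfd_model = 3;   /* sentinel: must survive every fill */

/* The value the post reports for a controlled byte at offset n: (n-1) % 256.
 * With a signed n, offset 0 wraps to 255 and offset 1 holds 0. */
unsigned char sweep_byte(long n)
{
    return (unsigned char)(n - 1);
}

/* Symmetric guard: the same kind of maxpayload comparison -s already gets,
 * applied to -G. Returns 0 if sweepmax is usable, -1 (errno = ERANGE)
 * otherwise. maxpayload is a parameter because this model does not know
 * ping's real header accounting. */
int check_sweepmax(long sweepmax, long maxpayload)
{
    if (sweepmax < 0 || sweepmax > maxpayload) {
        errno = ERANGE;
        return -1;
    }
    return 0;
}

/* Write the sweep pattern only after the guard passes. Returns the number
 * of bytes written, or -1 when the request would run past the buffer. */
long fill_sweep(long sweepmax)
{
    if (check_sweepmax(sweepmax, OUTPACK_MAX) != 0)
        return -1;
    for (long n = 0; n < sweepmax; n++)
        outpack_model[n] = sweep_byte(n);
    return sweepmax;
}

/* 1 if the neighbouring global still holds its initial value. */
int sockfd_intact(void)
{
    return sockfd_model == 3;
}

int main(void)
{
    /* Constructed requests: one in range, two past the buffer, the last
     * being the value the post reports as clobbering the fd global. */
    long reqs[] = { 65535, 65536, 65637 };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        long r = fill_sweep(reqs[i]);
        printf("sweepmax=%ld -> %s, fd sentinel %s\n", reqs[i],
               r < 0 ? "rejected" : "filled",
               sockfd_intact() ? "intact" : "CORRUPTED");
    }
    return 0;
}
```

The point of the model is the ordering: the comparison against the payload limit happens before any byte is written, so the fill loop's upper bound can never exceed the buffer it writes into, and the sentinel stays untouched for every request.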