On Mon, Feb 11, 2008 at 10:56:28PM -0500, Ross S. W. Walker wrote:
Yes, but conceivably an application can make use of such a system call, since it is exploitable from user land, and hence the concern.
Well, the point is there's nothing wrong with the system call *inherently*. There's just a flaw in its implementation which a carefully-crafted program can exploit. A program which just happens to use the system call as it is intended to be used isn't any more dangerous than any other code.
Sorry this thread keeps getting taken further out of context on each reply.
Yes I understand there is nothing inherently wrong with the concept of the vmsplice() system call and it adds a lot of benefit to the Linux kernel.
But if an application uses a system call, and that call to the system API depends on user input whose bounds aren't properly checked, then said application can be used as a vector to system penetration.
That is all I am saying, and I was asking whether anybody knew if such a vector existed in any PHP, Perl or CGI module, as it would be the most likely method of leveraging the flaw if one did not have a shell account on that machine.
And here's what I'm saying. :) The exploit requires a certain amount of specialized setup before the vmsplice call. And, this stuff isn't likely to be user-supplied input since we're talking about memory management. To say that a flaw in an existing program (let alone a script) made to do that setup is an unlikely vector is an understatement. I'd be a lot more worried about sloppy PHP, Perl, or CGI code having exploits which let you run arbitrary user-level code (happens all the time), because that + this = remote root.