On Mon, Feb 11, 2008 at 10:56:28PM -0500, Ross S. W. Walker wrote:
> > > Yes, but conceivably an application can make use of such a system
> > > call since it is exploitable from user land and hence the concern.
> > Well, the point is there's nothing wrong with the system call
> > *inherently*. There's just a flaw in its implementation which a
> > carefully-crafted program can exploit. A program which just happens to
> > use the system call as it is intended to be used isn't any more
> > dangerous than any other code.
> Sorry, this thread keeps getting taken further out of context on each
> reply.
>
> Yes, I understand there is nothing inherently wrong with the concept
> of the vmsplice() system call, and it adds a lot of benefit to the
> Linux kernel.
>
> But if an application uses a system call, and that call to the system
> API depends on user input that isn't properly bounds-checked, then said
> application can be used as a vector to system penetration.
>
> That is all I am saying, and I was asking if anybody knew if such a
> vector existed in any PHP, Perl or CGI module, as it would be the most
> likely method of leveraging the flaw if one did not have a shell account
> on that machine.

And here's what I'm saying. :)

The exploit requires a certain amount of specialized setup before the
vmsplice call. And this stuff isn't likely to be user-supplied input,
since we're talking about memory management. To say that a flaw in an
existing program (let alone a script) made to do that setup is an
unlikely vector is an understatement.

I'd be a lot more worried about sloppy PHP, Perl, or CGI code having
exploits which let you run arbitrary user-level code (happens all the
time), because that + this = remote root.

-- 
Matthew Miller                  mattdm at mattdm.org  <http://mattdm.org/>
Boston University Linux     ------>                  <http://linux.bu.edu/>