Exploiting null-dereferences in the Linux kernel (Project Zero)

Post Syndicated from original https://lwn.net/Articles/920544/

This Google Project Zero post shows
how to compromise the kernel
by using a NULL-pointer dereference to repeatedly
force an oops, leaking a reference on each one until
the reference count overflows.

Back when the kernel was able to access userland memory without
restriction, and userland programs were still able to map the zero
page, there were many easy techniques for exploiting null-deref
bugs. However, with the introduction of modern exploit mitigations
such as SMEP and SMAP, as well as mmap_min_addr preventing
unprivileged programs from mmap’ing low addresses, null-deref bugs
are generally not considered a security issue in modern kernel
versions. This blog post provides an exploit
technique demonstrating that treating these bugs as universally
innocuous often leads to faulty evaluations of their relevance to
security.

This is the sort of exploit technique that the
oops-limit patch
(the kernel.oops_limit sysctl, which panics the system once a
configurable number of oopses, 10,000 by default, has occurred)
is meant to block: it does not fix the underlying null-dereference
bug, but it caps the number of references an attacker can leak
long before a 32-bit count could wrap.
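As an added example (not code from the Project Zero post, from LWN, or from the kernel), here is a user-space C simulation of the primitive described above: each oops kills the faulting task without running its cleanup, so one reference leaks per oops, and enough leaks wrap the counter around so that a later legitimate put frees an object that is still in use. A modelled oops_limit shows why capping the oops count stops the attack. The names struct object, buggy_path, leak_until and run_scenario are invented for this illustration; the 16-bit mask exists only so the wrap finishes instantly, and the 32-bit counter width and the 10,000 default are assumptions mirrored from real kernels.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical kernel object (invented name). `mask` sets the width of the
 * simulated counter: 0xffff lets the demo wrap in 65536 steps, whereas a
 * real 32-bit counter needs mask 0xffffffff and ~4e9 leaked references. */
struct object {
    uint32_t refcount;
    uint32_t mask;
    bool freed;
};

/* Simulated oops accounting, modelling the kernel.oops_limit sysctl
 * (assumed default 10000; 0 disables the limit, as on kernels without it). */
struct oops_state {
    unsigned long count;
    unsigned long limit;
    bool panicked;
};

static void object_get(struct object *obj)
{
    obj->refcount = (obj->refcount + 1) & obj->mask;
}

/* A count reaching zero frees the object; any reference that still points
 * at it is now dangling. */
static void object_put(struct object *obj)
{
    obj->refcount = (obj->refcount - 1) & obj->mask;
    if (obj->refcount == 0)
        obj->freed = true;
}

/* An oops kills the faulting task but runs none of its cleanup code. */
static void simulated_oops(struct oops_state *st)
{
    st->count++;
    if (st->limit && st->count >= st->limit)
        st->panicked = true;   /* the real kernel panics here */
}

/* A syscall-like path: take a reference, then hit the NULL dereference
 * before the matching put. Nothing unwinds, so the reference is leaked. */
static void buggy_path(struct object *obj, struct oops_state *st, bool hit_bug)
{
    object_get(obj);
    if (hit_bug) {
        simulated_oops(st);
        return;                /* object_put() below is never reached */
    }
    object_put(obj);
}

/* Trigger the bug until the counter wraps around to `target`, or until the
 * oops limit panics the box. Returns the oopses used, or 0 if stopped. */
static unsigned long leak_until(struct object *obj, struct oops_state *st,
                                uint32_t target)
{
    while (!st->panicked) {
        buggy_path(obj, st, true);
        if (obj->refcount == target)
            return st->count;
    }
    return 0;
}

/* Leaked references needed to take a `bits`-wide counter (bits <= 32) from
 * `start` around to `target`; for 32 bits, 2 -> 1 that is 4294967295. */
static unsigned long long oopses_needed(unsigned bits, unsigned long long start,
                                        unsigned long long target)
{
    unsigned long long modulus = 1ULL << bits;
    return (modulus + target - start) % modulus;
}

/* Whole scenario: two legitimate holders (say, a kernel-side user and the
 * attacker's own file descriptor) share the object. The attacker wraps the
 * count to 1, then drops its own reference: the object is freed while the
 * other holder still points at it. Returns true if that UAF was reached. */
static bool run_scenario(uint32_t mask, unsigned long limit,
                         unsigned long *oopses_out)
{
    struct object obj = { .refcount = 2, .mask = mask, .freed = false };
    struct oops_state st = { .count = 0, .limit = limit, .panicked = false };

    leak_until(&obj, &st, 1);
    *oopses_out = st.count;
    if (st.panicked)
        return false;          /* oops_limit ended the attack */

    object_put(&obj);          /* attacker closes its fd: 1 -> 0, freed */
    return obj.freed;          /* the other holder was never told */
}

int main(void)
{
    unsigned long n;
    bool uaf = run_scenario(0xffff, 0, &n);
    printf("no oops limit:    %lu oopses, use-after-free=%d\n", n, uaf);
    uaf = run_scenario(0xffff, 10000, &n);
    printf("oops_limit=10000: %lu oopses, use-after-free=%d\n", n, uaf);
    printf("32-bit counter would need %llu leaked references\n",
           oopses_needed(32, 2, 1));
    return 0;
}
```

The point of the two runs is the contrast: without a limit the 16-bit stand-in wraps after 65535 oopses and the final put frees a live object; with oops_limit set, the simulated panic lands after 10,000 oopses, far short of the 4,294,967,295 a real 32-bit counter would need, which is exactly the margin the patch relies on.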