Exploiting null-dereferences in the Linux kernel (Project Zero)
The Google Project Zero page shows how to compromise the kernel by using a NULL pointer to repeatedly force an oops and overflow a reference count.
Back when the kernel was able to access userland memory without restriction, and userland programs were still able to map the zero page, there were many easy techniques for exploiting null-deref bugs. However, with the introduction of modern exploit mitigations such as SMEP and SMAP, as well as mmap_min_addr preventing unprivileged programs from mmap'ing low addresses, null-deref bugs are generally not considered a security issue in modern kernel versions. This blog post provides an exploit technique demonstrating that treating these bugs as universally innocuous often leads to faulty evaluations of their relevance to security.
This is the sort of vulnerability that the oops-limit patch is meant to block.
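The technique only works if an oops can be repeated enough times to wrap the leaked reference count, so the defender's question is whether the kernel will panic after a bounded number of oopses. The following audit script is an added example, not code from the Project Zero post or from the kernel tree; it reads the real kernel.oops_limit and kernel.panic_on_oops sysctls (oops_limit exists since Linux 6.2, 0 disables the count), and the directory argument is a hypothetical parameter so the check can be run against a constructed directory as well as /proc/sys/kernel.

```shell
#!/bin/sh
# Added example: audit whether repeated oopses are bounded by a panic.
# check_oops_mitigation DIR
#   DIR is the sysctl directory to inspect (normally /proc/sys/kernel;
#   a hypothetical parameter so the function is testable offline).
#   Returns 0 when the kernel panics after a bounded number of oopses,
#   1 when oopses are unbounded, so an oops-driven refcount leak could
#   be repeated until the counter wraps.
check_oops_mitigation() {
    root="$1"
    # A missing file means the kernel predates the sysctl.
    oops_limit=$(cat "$root/oops_limit" 2>/dev/null || echo missing)
    panic_on_oops=$(cat "$root/panic_on_oops" 2>/dev/null || echo missing)
    printf 'panic_on_oops=%s oops_limit=%s\n' "$panic_on_oops" "$oops_limit"

    # panic_on_oops=1 means the very first oops panics the machine,
    # which bounds the count at one regardless of oops_limit.
    if [ "$panic_on_oops" = "1" ]; then
        echo "OK: every oops panics the kernel"
        return 0
    fi
    case "$oops_limit" in
        missing)  echo "WEAK: no oops_limit sysctl, oops count is unbounded"; return 1 ;;
        0)        echo "WEAK: oops_limit=0 disables the oops count"; return 1 ;;
        *[!0-9]*) echo "UNKNOWN: unparseable oops_limit value"; return 1 ;;
        *)        echo "OK: kernel panics after $oops_limit oopses"; return 0 ;;
    esac
}

# Stand-alone use: inspect the running kernel (or SYSCTL_DIR if set).
if check_oops_mitigation "${SYSCTL_DIR:-/proc/sys/kernel}"; then
    echo "oops-limit mitigation present"
else
    echo "oops-limit mitigation absent or disabled"
fi
```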