This bug allows regular users to put whatever code they want at location zero, and then trick the kernel into executing it. Lovely.

“Since it leads to the kernel executing code at NULL, the vulnerability is as trivial as it can get to exploit,” security researcher Julien Tinnes writes here. “An attacker can just put code in the first page that will get executed with kernel privileges.”

Tinnes and fellow researcher Tavis Ormandy released proof-of-concept code that they said took just a few minutes to adapt from a previous exploit they had. They said all 2.4 and 2.6 versions since May 2001 are affected.

Rightly or no, this will blow a big hole in the “Linux is so secure” smugness I often see. Personally, I’ve always thought it was a bad idea to leave user space mapped when you’re in the kernel – for reasons much like this. The model of having completely separate user and kernel/supervisor maps, and special instructions (or instruction variants) to access user space from kernel mode, is less convenient but far more secure.
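The two ingredients of the bug class above are a user process being allowed to map the page at address zero, and the CPU being willing to run or read user-space pages while in kernel mode. Both have well-known countermeasures on Linux that a defender can check for: the `vm.mmap_min_addr` sysctl refuses low-address mappings to unprivileged users, and on x86 the SMEP/SMAP CPU features are the hardware form of the "kernel must not touch user space implicitly" model argued for in the paragraph above. The script below is an added example, not from the original post or the researchers; it assumes a typical Linux layout (`/proc/sys/vm/mmap_min_addr`, a `flags` line in `/proc/cpuinfo`) and treats any positive `mmap_min_addr` as "blocked", which is a simplification. Non-x86 systems report CPU features differently, so an "absent" result there only means the flag was not found in `/proc/cpuinfo`.

```shell
#!/bin/sh
# Added example (not from the original post): report whether this Linux host
# blocks the two ingredients of the bug class discussed above:
#   1. an unprivileged process mapping the page at address zero
#      (vm.mmap_min_addr sysctl, assumed readable at /proc/sys/vm/mmap_min_addr);
#   2. the CPU executing or reading user pages while in kernel mode
#      (x86 SMEP/SMAP feature flags, assumed to appear on a "flags" line
#      in /proc/cpuinfo).

# Print the minimum user-mappable address, or "unknown" if the sysctl is absent.
mmap_min_addr() {
    if [ -r /proc/sys/vm/mmap_min_addr ]; then
        cat /proc/sys/vm/mmap_min_addr
    else
        echo unknown
    fi
}

# Succeed (exit 0) when low-address mappings are refused, i.e. the sysctl
# holds a positive integer. A value of 0 or "unknown" counts as unprotected.
low_mappings_blocked() {
    v=$(mmap_min_addr)
    case "$v" in
        ''|*[!0-9]*) return 1 ;;   # not a plain decimal number
    esac
    [ "$v" -gt 0 ]
}

# Succeed when the first "flags" line of /proc/cpuinfo lists the given flag
# exactly (e.g. smep, smap). Fails on systems without such a line.
has_cpu_flag() {
    [ -r /proc/cpuinfo ] || return 1
    grep -m1 '^flags' /proc/cpuinfo | tr ' ' '\n' | grep -qx "$1"
}

# Human-readable summary of both checks.
report() {
    if low_mappings_blocked; then
        echo "vm.mmap_min_addr=$(mmap_min_addr): user mappings of page zero are refused"
    else
        echo "vm.mmap_min_addr=$(mmap_min_addr): page zero may be mappable by unprivileged users"
    fi
    for f in smep smap; do
        if has_cpu_flag "$f"; then
            echo "$f: present (hardware restricts kernel-mode access to user pages)"
        else
            echo "$f: absent or not reported in /proc/cpuinfo"
        fi
    done
}

report
```

Run it as any user; no privileges are needed to read either file. A host that prints a positive `mmap_min_addr` and both `smep` and `smap` present has both layers of defence against this bug class, which is the practical approximation of the separate-address-space model the post prefers.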