Hacker News
How to root a Linux machine using a kernel NULL pointer vulnerability (ksplice.com)
64 points by nelhage on April 13, 2010 | hide | past | favorite | 9 comments



Would you rephrase the article to make it clear it's a module designed to make the kernel vulnerable and not a vulnerability of a kernel currently in use?

And if I read the article correctly, you have to be root to load the module.


I don't think you understand what's going on. A kernel-side null-pointer dereference is normally a denial of service, but this article explains how to convert it into privilege escalation.

Using a kernel module with the bug in it lets the article talk about that particular transformation, without emboldening a bunch of script kiddies with a new rootme script. You can of course replace that kernel module with any null-pointer dereference you happen to notice in the kernel changelog.


> A kernel-side null-pointer dereference is normally a denial of service, but this article explains how to convert it into privilege escalation

Still, the title can be misinterpreted. The vulnerability being used is not a "real one" but one injected by a kernel module.


It's: "If there was a vulnerability, here's how to exploit it. And here's a sample one you can practice with."


Actually there are several different things working in concert here:
1) The ability to mmap address 0.
2) Code which knows how to escalate the privileges of an entire process if run in kernel space.
3) A kernel module which intentionally calls a bad pointer, to illustrate the point.

3 by itself is not a vulnerability. In fact, it is by itself just a stupidly written piece of code; the real vulnerability is in 1 & 2, which take advantage of a vulnerability in null pointer handling.

In fact, even if I didn't know anything other than 1 and 2, it is possible to start fuzzing syscalls until I accidentally cause one to dereference a null pointer, in which case it is game over.

Edit: another way to say this is: kernel null pointer vulnerabilities are a class of vulnerability, much like buffer overflows are a class of vulnerability. Even if there is just a toy example of the exploit in an article, it doesn't change the concept. Much like the classic "Smashing the Stack for Fun and Profit".


"Dereferencing null pointers for fun and profit" would have been a great title.


The module used in the article was simply to demo the exploit. It could be used against any null dereference vulnerabilities found in current kernels (the article uses a recent one as an example as well).

The point of the article is to demonstrate why they are dangerous, and how they are exploited, not to provide an example of a current vulnerability.

If you found such a vulnerability (which does happen, hence the example given in the article) you would be able to use this technique to root. (Assuming you were able to circumvent the min address limitation on mmap, which the author says used to be, and possibly still is, feasible.)

The title seems to accurately describe the article: given a "kernel NULL pointer vulnerability", here is how to root it.
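Of the three pieces listed earlier in the thread, the first one (the ability to mmap address 0) is the one an administrator can actually check for, and it is the "min address limitation" referred to just above: Linux enforces it through the vm.mmap_min_addr sysctl, which refuses low mappings to processes without CAP_SYS_RAWIO. The following C program is an added example, not code from the ksplice article or from anyone in this thread. It reads the sysctl and then probes whether a PROT_NONE page at address 0 is refused, placing nothing readable or executable there; the enum and function names (parse_min_addr, read_mmap_min_addr, probe_zero_page, classify) are my own.

```c
// Added example (not from the linked article or this thread): audit whether
// this kernel still lets an unprivileged process map the zero page, which is
// the first precondition in the NULL-dereference-to-root chain discussed here.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum verdict { PROTECTED, EXPOSED, BYPASSED, UNKNOWN };

/* Parse the text of /proc/sys/vm/mmap_min_addr (e.g. "65536\n").
 * Returns -1 if the text is not a non-negative decimal number. */
long parse_min_addr(const char *text) {
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || end == text || v < 0) return -1;
    return v;
}

/* Read the sysctl. Returns -1 if it cannot be read (no /proc, non-Linux). */
long read_mmap_min_addr(void) {
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f) return -1;
    char buf[64] = {0};
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    if (n == 0) return -1;
    return parse_min_addr(buf);
}

/* Try to place a single PROT_NONE page at address 0. Returns 1 if the kernel
 * allowed the mapping (it is released at once), 0 if the kernel refused. */
int probe_zero_page(void) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) page = 4096;
    void *p = mmap((void *)0, (size_t)page, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) return 0;   /* typically EPERM from mmap_min_addr */
    munmap(p, (size_t)page);
    return 1;
}

/* Combine the sysctl value and the probe result into one verdict. */
enum verdict classify(long min_addr, int mapped) {
    if (!mapped) return PROTECTED;      /* low mapping refused: the mitigation holds */
    if (min_addr < 0) return UNKNOWN;   /* mapped, but sysctl unreadable */
    if (min_addr == 0) return EXPOSED;  /* mitigation switched off */
    return BYPASSED;                    /* sysctl set, yet we mapped page 0 (privileged caller) */
}

int main(void) {
    static const char *names[] = {"PROTECTED", "EXPOSED", "BYPASSED", "UNKNOWN"};
    long min_addr = read_mmap_min_addr();
    int mapped = probe_zero_page();
    enum verdict v = classify(min_addr, mapped);
    printf("vm.mmap_min_addr = %ld, page-0 mapping %s -> %s\n",
           min_addr, mapped ? "allowed" : "refused", names[v]);
    return v == PROTECTED ? 0 : 1;
}
```

Run it as an ordinary user: PROTECTED with a non-zero mmap_min_addr is the expected state on a current distribution; EXPOSED means the sysctl has been set to 0 (some older Wine and DOSEMU setups did this), and BYPASSED as root only confirms that CAP_SYS_RAWIO is exempt, which is why the check should be run unprivileged.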


There are plenty of such vulnerabilities in the wild: http://www.google.com/#hl=en&q=kernel+null+pointer+deref...


There are so many things we take for granted when programming. It's always enlightening to see how simple bugs can turn into serious vulnerabilities for the clever hacker.

As programmers we really should educate ourselves about these things because there can be unusual interactions which you don't expect, such as caching behavior, or spreading your data across many virtual pages on a heavily-used machine.

