On Mon, Jan 05, 2004 at 04:08:36PM -0800, Linus Torvalds wrote:
>
> The only page that should matter is likely the one at 0xC0000000, where
> there can be extra complications from the fact that we use 4MB pages for
> the kernel, so when fork/exit tries to walk the page table, it would get
> bogus results.
>
This is right, the proof-of-concept exploit to be found on full-disclosure
uses exactly that memory address.

> Still, I'd expect that to lead to a triple fault (and thus a reboot)
> rather than any elevation of privileges..
>
I agree with Linus. I tested the POC exploit here on Linux 2.4.22-rc2 and
Linux 2.4.23, and all it does is simply reboot the box. As for Linux
2.6.0-test9, I get something like a hangup (the same sound is played again
and again, and only a reset helps). I actually am not sure whether this
should be called 'local privilege escalation' or rather 'possibility for
Denial of Service attacks'.

> Interesting, in any case. Good catch from whoever found it.
>
> Linus
>
- --
.''`.   Martin Loschwitz          Debian GNU/Linux developer
: :' :  madkiss@madkiss.org       madkiss@debian.org
`. `'`  http://www.madkiss.org/   people.debian.org/~madkiss/
  `-    Use Debian GNU/Linux 3.0! See http://www.debian.org/
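Added example, not code from this thread and not the Linux kernel's own page-table code: a simplified model of the two-level x86 (32-bit, non-PAE) page-table walk that Linus's remark about 4MB pages refers to. It builds a constructed page directory with one ordinary 4KB user mapping and a 4MB kernel mapping at 0xC0000000 (modelled as mapping physical address 0, with frame contents made up for the demonstration), then compares a walker that honours the PDE's page-size bit against one that blindly descends to a second level. The names `build_tables`, `translate` and the frame layout are assumptions of this example.

```c
/*
 * Simplified x86 32-bit (non-PAE) two-level page walk over constructed
 * in-memory tables. Everything here (frame layout, table contents) is
 * made up for illustration; it is not the kernel's implementation.
 */
#include <stdint.h>
#include <stdio.h>

#define PG_PRESENT 0x001u
#define PG_RW      0x002u
#define PG_USER    0x004u
#define PG_PSE     0x080u   /* bit 7 of a PDE: maps a 4MB page, no page table below */

#define PDE_INDEX(va)    (((va) >> 22) & 0x3ffu)
#define PTE_INDEX(va)    (((va) >> 12) & 0x3ffu)
#define SMALL_OFFSET(va) ((va) & 0xfffu)
#define LARGE_OFFSET(va) ((va) & 0x3fffffu)

#define KERNEL_BASE 0xC0000000u   /* PAGE_OFFSET on i386 */
#define BAD_PHYS    0xffffffffu   /* returned by translate() when not mapped */

/* Constructed "physical memory": NFRAMES frames of 4KB, frame i at phys i*4096. */
#define NFRAMES 4
static uint32_t phys_mem[NFRAMES][1024];

enum { FRAME_KERNEL = 0, FRAME_PGD = 1, FRAME_USER_PT = 2, FRAME_USER_DATA = 3 };

static uint32_t *frame_ptr(uint32_t phys)
{
    uint32_t fn = phys >> 12;
    return fn < NFRAMES ? phys_mem[fn] : NULL;
}

/* Build the tables: one 4KB user page at 0x08048000 and a 4MB kernel
 * mapping 0xC0000000 -> phys 0 (assumed layout). Returns the page directory. */
uint32_t *build_tables(void)
{
    uint32_t *pd = phys_mem[FRAME_PGD];
    uint32_t *pt = phys_mem[FRAME_USER_PT];
    for (int i = 0; i < 1024; i++) {
        phys_mem[FRAME_KERNEL][i] = 0xdeadbeefu; /* stand-in for kernel text/data at phys 0 */
        pd[i] = 0;
        pt[i] = 0;
    }
    pt[PTE_INDEX(0x08048000u)] = ((uint32_t)FRAME_USER_DATA << 12) | PG_PRESENT | PG_RW | PG_USER;
    pd[PDE_INDEX(0x08048000u)] = ((uint32_t)FRAME_USER_PT << 12) | PG_PRESENT | PG_RW | PG_USER;
    pd[PDE_INDEX(KERNEL_BASE)]  = 0x00000000u | PG_PRESENT | PG_RW | PG_PSE;
    return pd;
}

/* Translate va through pd. With naive == 0 the walker stops at a PSE
 * (4MB) PDE; with naive != 0 it ignores PG_PSE and always dereferences the
 * PDE's address field as if it pointed at a page table, which is the kind
 * of mistake that yields bogus results for the 0xC0000000 region.
 * Returns the physical address or BAD_PHYS if nothing is mapped. */
uint32_t translate(const uint32_t *pd, uint32_t va, int naive)
{
    uint32_t pde = pd[PDE_INDEX(va)];
    if (!(pde & PG_PRESENT))
        return BAD_PHYS;
    if (!naive && (pde & PG_PSE))
        return (pde & 0xffc00000u) | LARGE_OFFSET(va);   /* 4MB page: done */

    const uint32_t *pt = frame_ptr(pde & 0xfffff000u);
    if (!pt)
        return BAD_PHYS;
    uint32_t pte = pt[PTE_INDEX(va)];
    if (!(pte & PG_PRESENT))
        return BAD_PHYS;
    return (pte & 0xfffff000u) | SMALL_OFFSET(va);
}

int main(void)
{
    uint32_t *pd = build_tables();
    uint32_t vas[] = { 0x08048abcu, 0xC0001234u, 0xC0400000u };
    for (size_t i = 0; i < sizeof vas / sizeof vas[0]; i++)
        printf("va %08x: pse-aware -> %08x, naive -> %08x\n",
               vas[i], translate(pd, vas[i], 0), translate(pd, vas[i], 1));
    return 0;
}
```

For the user page both walkers agree, because its PDE really does point at a page table. For 0xC0001234 the PSE-aware walk yields phys 0x00001234, while the naive walk takes the 4MB PDE's address field (0) as a page-table pointer, reads kernel data as if it were a PTE (here the constructed 0xdeadbeef, whose low bit happens to look like "present") and returns a meaningless frame. On real hardware the equivalent mistake means reading or writing through a garbage physical address, which fits the triple-fault/reboot behaviour reported in the thread better than a controlled privilege escalation.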