Secur1ty just lik3 a girl. B0th of th3m h4ve s0me h0les. Y0u alw4ys try to f1nd the h0le, but n0t 3very tim3 y0u c4n 3xpl0it it!
The best analysis I have seen of the recent Linux kernel NULL pointer exploitation (CVE-2009-2695)
2009-09-30 10:26
CVE-2009-2695 actually refers to a set of NULL pointer exploitation methods, covering both the bypass of SELinux and the case where SELinux is not enabled:

"The Linux kernel before 2.6.31-rc7 does not properly prevent mmap operations that target page zero and other low memory addresses, which allows local users to gain privileges by exploiting NULL pointer dereference vulnerabilities, related to (1) the default configuration of the allow_unconfined_mmap_low boolean in SELinux on Red Hat Enterprise Linux (RHEL) 5, (2) an error that causes allow_unconfined_mmap_low to be ignored in the unconfined_t domain, (3) lack of a requirement for the CAP_SYS_RAWIO capability for these mmap operations, and (4) interaction between the mmap_min_addr protection mechanism and certain application programs."

The Linux kernel NULL pointer vulnerability that caused such a stir a while ago kept me busy for quite some time. Today I saw a very good analysis on cnbeta; after a little digging it turned out to be a translation of the original English articles: Fun with NULL pointers, part 1 and Fun with NULL pointers, part 2. The section about GCC is most likely the very issue that a certain domestic expert wanted to write about on his blog but deleted almost immediately; our planet aggregator still caught the beginning of it, but I never got to see the full text of that article.

"This is where the next interesting step in the chain of failures happens: the GCC compiler will, by default, optimize the NULL test out. The reasoning is that, since the pointer has already been dereferenced (and has not been changed), it cannot be NULL. So there is no point in checking it."

Chinese version: "This is the next step in this chain of failures: the GCC compiler will by default optimize the NULL check away entirely. The reason is that, since the pointer has already been dereferenced (and nothing happened), it cannot be NULL. So there is no reason to check it again."
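The GCC behaviour quoted above is easiest to see on a small reproduction of the code shape involved: a pointer that is dereferenced on one line and tested for NULL on the next. The following C program is an added example written for this post; it is not code from the kernel or from the articles being discussed. The struct names and the POLLERR value are constructed stand-ins for the real kernel definitions, and the two functions show the dangerous ordering beside the corrected one.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structures involved; the real
 * tun_struct and sock are far larger. Assumed for this example only. */
struct sock { int queue_len; };
struct tun_struct { struct sock *sk; };

/* Constructed error value; the real POLLERR lives in <poll.h>. */
#define POLLERR (-1)

/* The ordering the article describes: the pointer is dereferenced on the
 * first line and only tested for NULL afterwards. With GCC's default
 * -fdelete-null-pointer-checks, the optimizer may reason that `tun` was
 * already dereferenced, so it cannot be NULL, and drop the test entirely.
 * On a NULL argument the function then reads whatever is mapped at
 * address zero instead of returning an error. */
int poll_deref_then_check(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;   /* dereference first */
    if (!tun)                     /* check second: eligible for removal */
        return POLLERR;
    return sk->queue_len;
}

/* Corrected ordering: the NULL test precedes every dereference, so there is
 * nothing for the optimizer to infer from and the check is always emitted. */
int poll_check_then_deref(struct tun_struct *tun)
{
    if (!tun)
        return POLLERR;
    return tun->sk->queue_len;
}

/* Convenience for the stand-alone run: poll a constructed, valid tun
 * through whichever variant is passed in. */
int poll_valid(int (*poll)(struct tun_struct *), int len)
{
    struct sock s = { len };
    struct tun_struct t = { &s };
    return poll(&t);
}

/* The deref-then-check variant is a fault waiting to happen on a NULL
 * argument, so only the corrected variant is ever called with NULL here. */
int main(void)
{
    printf("valid tun, deref-then-check: %d\n", poll_valid(poll_deref_then_check, 3));
    printf("valid tun, check-then-deref: %d\n", poll_valid(poll_check_then_deref, 3));
    printf("NULL tun,  check-then-deref: %d\n", poll_check_then_deref(NULL));
    return 0;
}
```

Both variants behave identically on a valid pointer, which is why the ordering bug is invisible to ordinary testing. To see the optimization itself, compile with `gcc -O2 -S` and compare the generated assembly of the two functions: the test of `tun` survives only in the second. GCC's `-fno-delete-null-pointer-checks` option (a real flag, not something the post mentions) disables this inference, and it is the mitigation the kernel adopted alongside fixing the offending code, but the reliable fix remains testing the pointer before the first dereference.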