Dereferencing a NULL pointer always segfaults, right? Not if you're clever...

65 points by nelhage, about 15 years ago

6 comments

Eliezer, about 15 years ago
My first reaction to this headline was "Surely there is never any circumstance where this is genuinely a smart thing to do, no matter how *clever*" but I confess I wasn't thinking in terms of security vulnerabilities.
kingkilr, about 15 years ago
In a related bit of cleverness I've heard that the JVM doesn't actually put NULL checks in its generated ASM, instead it installs a SIGSEGV handler that catches the null pointer exception and does the right thing.
jhg, about 15 years ago
I'm not sure who's the intended audience of this. It is called an Introduction to Virtual Memory that is aimed at C programmers.

How many C programmers are out there that do not know how VM works?
Locke1689, about 15 years ago
I'll stick around for the second installment, I guess, but this was a bit too basic for my tastes.
scott_s, about 15 years ago
Check it out: http://lwn.net/Articles/347006/

These null pointers are sometimes *function pointers*. Wow. You don't even need to muck with the stack and change the return address to get arbitrary code execution.

I admit I'm surprised Linux even lets you mmap 0x0. I suppose most systems won't, since mmap_min_addr will probably be set to a sane address, but it's still a legit vulnerability.
bediger, about 15 years ago
Not under HP-UX on a "PA" processor. The page at 0x0 isn't necessarily unmapped or marked noread/nowrite/nonothing. As I recall one or the other HP C compilers has a way around this, but unless you take care, you won't use that compiler flag, and you end up having NULL pointer de-refs.