Subject: Re: VM space...
To: None <greywolf@starwolf.com,tech-kern@netbsd.org>
From: Ben Harris <bjh21@netbsd.org>
List: tech-kern
Date: 11/22/2000 12:20:15
In article <Pine.NEB.4.21.0011211818390.3489-100000@gandalf.starwolf.com> you write:
>I discovered today from a security pundit that despite the separated VM,
>processes' kernel segments are allocated all from the same pool, and thus
>there is really no security across the kernel mem pool.

By "processes' kernel segments", do you mean their u areas and kernel stacks
(pointed to by p_addr)?  If so, then yes, anything that can access one of
them can access all of them, but only kernel code can access any of them,
and the kernel is meant to be trustworthy.

>  I don't remember
>the mechanics of it all, but he demonstrably crashed my system by pointing
>a process of his to skrog something in inetd, of all things.

Interesting.  Sounds like something in the kernel using a user-supplied
pointer for something it shouldn't.  A buggy copyin/out implementation
springs to mind.  What architecture was this on?

>If I can extricate more detail from him, I'll keep y'all posted.
>It strikes me so odd that something like this is still a bug.

Indeed, but since some of the code to do this has to be rewritten for each
CPU, it's an easy kind of bug to re-introduce.

-- 
Ben Harris                                                   <bjh21@netbsd.org>
Portmaster, NetBSD/arm26               <URL:http://www.netbsd.org/Ports/arm26/>
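A model of the range check that a correct copyin/copyout has to make before it touches memory, the kind of check whose absence the reply above suspects. This is an added example, not code from NetBSD or from anyone in this thread; the address-space layout (USER_LIMIT, USER_BASE, USER_SIZE) and the single backing page are constructed assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed address-space model (an assumption for this example, not any
 * real port's layout): user space is [0, USER_LIMIT), kernel memory sits at
 * or above USER_LIMIT, and the process has one page mapped at USER_BASE. */
#define USER_LIMIT 0x80000000UL
#define USER_BASE  0x00010000UL
#define USER_SIZE  4096UL
static unsigned char user_page[USER_SIZE];  /* backs that one user page */

/* The check copyin/copyout must make before touching memory: every byte of
 * [uaddr, uaddr+len) lies below USER_LIMIT, tested in a form that cannot be
 * fooled by uaddr+len wrapping around. Returns 0 or EFAULT. */
int uaddr_range_ok(uintptr_t uaddr, size_t len)
{
    if (len == 0)
        return 0;
    return (len > USER_LIMIT || uaddr > USER_LIMIT - len) ? EFAULT : 0;
}

/* Map a validated user address to the host bytes backing it; NULL if unmapped. */
static unsigned char *user_to_host(uintptr_t uaddr, size_t len)
{
    if (uaddr < USER_BASE || len > USER_SIZE || uaddr - USER_BASE > USER_SIZE - len)
        return NULL;
    return user_page + (uaddr - USER_BASE);
}

/* Checked copyin: a kernel address handed in by the process is refused with
 * EFAULT before any byte is read, as is an unmapped user address (a real
 * kernel takes a page fault there and has copyin's fault handler fail it). */
int copyin_checked(uintptr_t uaddr, void *kaddr, size_t len)
{
    unsigned char *src;
    if (uaddr_range_ok(uaddr, len) != 0 || (src = user_to_host(uaddr, len)) == NULL)
        return EFAULT;
    memcpy(kaddr, src, len);
    return 0;
}

/* Round trip on constructed data: 1 if the bytes match, 0 on mismatch,
 * -errno if copyin refused this valid request. */
int copyin_roundtrip(void)
{
    static const char msg[] = "hello from userland";
    unsigned char kbuf[sizeof msg];
    memcpy(user_page, msg, sizeof msg);
    int err = copyin_checked(USER_BASE, kbuf, sizeof msg);
    return err != 0 ? -err : memcmp(kbuf, msg, sizeof msg) == 0;
}
```

The wrap-around case (a huge len or an address near the top of the space) is the one a naive `uaddr + len < USER_LIMIT` test gets wrong, which is why the check is written as a subtraction.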