yea right !
so, assume you have a bug in your kernel that simply calls panic() and does nothing else wrong. They do exist, take the fpathconf() bug in osx for example.
A lot of people don’t believe these are security bugs.
I beg to differ. THEY ARE SECURITY BUGS. for one, a panic effectively causes a shutdown. SHUTTING DOWN A BOX IS A PRIVILEGE NO ONE EXCEPT THE SUPERUSER SHOULD HAVE ! maybe this isn’t entirely true on a desktop, but this sure makes sense on something that’s used as a server. So for this fact alone it’s a security bug. But it gets worse. kernel panics often lead to loss of data on disk. This is because at the time of panic not all data is synced to disk. I’ve had this happen to me quite a few times when toying with some kernel bugs on OpenBSD and NetBSD. I assume this is probably common among most operating systems, and that none that I’m aware of have special disk sync code in the panic() function (or BugCheck[Ex](), depending on which os you’re using).
When I was playing with some osx kernel bugs in late 2004 and early 2005 I once had my entire home directory removed after a kernel panic, something you really don’t want. But wait, it gets even worse. Kernel panics are unnatural, they interrupt everything you do and basicly panic your system. That means, that some weak hardware might not like it and you might cause hardware to break (while this is probably rare these days, I’ve been told by some oldtimers that this used to be a big problem for some hardware).
I’ve talked to lmh (of the month of the kernel bugs) and he told me that if you use filevault on osx, and have a kernel panic that whatever filevault is protecting gets garbled, certainly not something you want.
So, in conclusion, if an unprivileged user can arbitrarily cause a kernel panic, then that is a security bug!