[wasn't sure whether I should cross-post to oss-sec or not]

In case some people would be interested, Nicolas Economou and Enrique Nissim
gave a presentation last week at CanSecWest about what you can do with a
kernel arbitrary write with current paging situation on Intel hardware, in
Linux and Windows. The slides (and code for Linux) are available at:

https://github.com/n3k/CansecWest2016_Getting_Physical_Extreme_Abuse_of_Intel_
Based_Paging_Systems/

There might be (a lot of) other way to exploit a running kernel with an
arbitrary write, but it's still quite interesting.

The authors give some advice at the end (slide 84 “Linux conclusion”):

- Paging tables shouldn’t be in *fixed addresses*
  - It can be abused by LOCAL and REMOTE kernel exploits
- All fixed paging structures should be *read-only*
- Some advice, compile the kernel with Grsec ;-)

Regards,
-- 
Yves-Alexis