
Actually that's not true. Kernels aren't infallible and while there's the 'many eyes' aspect of Open Source kernels, Linux is huge, so tracking stuff down often crosses multiple files, sometimes unrelated.

I went to a really excellent talk at the last DC4420 (http://www.dc4420.org/) on 0day in the Linux Kernel. The example provided was a double free bug that was really just a basic schoolboy error. A brief look through the source code tree found about 4 or 5 other examples in less than half an hour. Now I can write fairly obvious buffer overflow exploits, but I'm not exactly a ninja in this space by a long stretch. However, there are 253 advisories for 2.6 according to Secunia, and it's not over yet: http://secunia.com/advisories/product/2719/?task=advisories

AFAIK the 2.6 Linux kernel hasn't been fully audited for bugs; it isn't audited (at least AFAICR the Linux Kernel Auditing Project only looked at 2.2 and 2.4).

Slide 31 gives an overview of how kernel pointer overwrite bugs can be exploited here: http://jon.oberheide.org/files/source10-linuxkernel-jonoberh... - It's a fairly good slide deck in general but for the straight dope you're probably better looking through Phrack (here's a good article http://www.phrack.org/issues.html?issue=64&id=6#article).


