A flaw was reported in the Linux kernel, versions 2.6.9 to 2.6.17, when running on x86_64, where a user could use a regular 32bit process to trigger a kernel panic, without any special privileges. The bug occurs when a 32bit user process triggers a segfault (i.e. de-reference a null-pointer) after having performed a mprotect() to restrict any rwx access on its VDSO page. In version 2.6.18 and on, the internal mechanism to access the VDSO uses the find_vma() wrapper which fixes the problem as a side-effect. The reporter indicates that this only occurs on a 64bit machine with a program compiled in 32bit mode. Acknowledgements: Red Hat would like to thank STMicroelectronics for responsibly reporting this issue.
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2010:0146 https://rhn.redhat.com/errata/RHSA-2010-0146.html