A flaw was reported in the Linux kernel, versions 2.6.9 to 2.6.17, when running on x86_64, where a user could use a regular 32bit process to trigger a kernel panic, without any special privileges. The bug occurs when a 32bit user process triggers a segfault (i.e. de-reference a null-pointer) after having performed a mprotect() to restrict any rwx access on its VDSO page.
In version 2.6.18 and on, the internal mechanism to access the VDSO uses the find_vma() wrapper which fixes the problem as a side-effect.
The reporter indicates that this only occurs on a 64bit machine with a program compiled in 32bit mode.
Red Hat would like to thank STMicroelectronics for responsibly reporting this issue.
This issue has been addressed in following products:
Red Hat Enterprise Linux 4
Via RHSA-2010:0146 https://rhn.redhat.com/errata/RHSA-2010-0146.html