Published: 17 August 2010
The do_anonymous_page function in mm/memory.c in the Linux kernel before 126.96.36.199, 2.6.32.x before 188.8.131.52, 2.6.34.x before 184.108.40.206, and 2.6.35.x before 220.127.116.11 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server.
From the Ubuntu security team
Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the memory manager did not properly handle when applications grow stacks into adjacent memory regions. A local attacker could exploit this to gain control of certain applications, potentially leading to privilege escalation, as demonstrated in attacks against the X server.
There seem to be three follow-up patches upstream (one of them is not CCed to stable, but should be (gets fixed up actually)).
caused regression in Xen on hardy