The copy functions in locore.s such as copyout in OpenBSD 3.5 and 3.6, and possibly other BSD based operating systems, may allow attackers to exceed certain address boundaries and modify kernel memory.
https://exchange.xforce.ibmcloud.com/vulnerabilities/19531
http://www.securityfocus.com/bid/12825
http://www.openbsd.org/errata35.html#locore
http://www.openbsd.org/errata.html#copy