The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
http://grsecurity.net/~spender/wunderbar_emporium.tgz
http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html
http://rhn.redhat.com/errata/RHSA-2009-1222.html
http://rhn.redhat.com/errata/RHSA-2009-1223.html
http://secunia.com/advisories/36278
http://secunia.com/advisories/36289
http://secunia.com/advisories/36327
http://secunia.com/advisories/36430
http://secunia.com/advisories/37298
http://secunia.com/advisories/37471
http://support.avaya.com/css/P8/documents/100067254
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0121
http://www.debian.org/security/2009/dsa-1865
http://www.exploit-db.com/exploits/19933
http://www.exploit-db.com/exploits/9477
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.5
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.5
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc6
http://www.mandriva.com/security/advisories?name=MDVSA-2009:233
http://www.openwall.com/lists/oss-security/2009/08/14/1
http://www.redhat.com/support/errata/RHSA-2009-1233.html
http://www.securityfocus.com/archive/1/505751/100/0/threaded
http://www.securityfocus.com/archive/1/505912/100/0/threaded
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/archive/1/512019/100/0/threaded
http://www.securityfocus.com/bid/36038
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2009/2272
http://www.vupen.com/english/advisories/2009/3316
http://zenthought.org/content/file/android-root-2009-08-16-source
https://bugzilla.redhat.com/show_bug.cgi?id=516949
https://issues.rpath.com/browse/RPL-3103
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11526
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11591
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8657