http://www.cr-secure.net
Found by: borg (ChrisR-)

A small bug in PaX was found.

What is PaX?
-----------------------

PaX is a collection of intrusion prevention patches for the Linux Kernel 
2.2, 2.4, and 2.6.
This advisory only affects the PaX patches for the 2.6 linux kernel.
PaX is located at http://pax.grsecurity.net

Impact?
------------------

Denial of service through putting the kernel into an infinite loop when 
ASLR is enabled.

Vulnerable PaX code?
-----------------------
(sorry for white space)
====================================================
'linux/mm/mmap.c'

 if (start_addr != TASK_UNMAPPED_BASE) {

#ifdef CONFIG_PAX_RANDMMAP
                                if (current->flags & PF_PAX_RANDMMAP)
                                        start_addr = addr = 
TASK_UNMAPPED_BASE + mm->delta_mmap;
                                else
#endif
                                                                                                                                              
 
                                start_addr = addr = TASK_UNMAPPED_BASE;
                                goto full_search;
                        }
                        return -ENOMEM;


====================================================
And the correct code,

grab the patch at 
http://pax.grsecurity.net/pax-linux-2.6.5-200405011700.patch

=====================================================

Exploit Code?
-----------------------

Im not releasing my exploit code for this just yet. Pherhaps I never will.
But its very simple code, simple enough to do in 2 lines. Your not getting
anymore proof of concept code from me on any advisories.

Fix?
-----------------------

PaX team is aware of the problem and has already released a fix for this 
on the PaX homepage.

Thanks and greets:
Mattjf, TLharris, Shrike, think, and efnet #cryptography

http://www.cr-secure.net
chris@cr-secure.net