    [CPUFREQ] Fix security hole in proc handler. · ad4c196a
    Dave Jones authored
    Brad Spengler <spender@grsecurity.net> found an exploitable bug in the proc handler
    of cpufreq, where a user-supplied unsigned int is cast to a signed int and then
    passed on to copy_[to|from]_user() allowing arbitrary amounts of memory to be written
    (root only thankfully), or read (as any user).
    
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
    the name CAN-2004-0228 to this issue.
cpufreq_userspace.c 12.8 KB
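
The bug class described in the commit message, as an added user-space illustration that is not the kernel's cpufreq code and not part of the original commit: a length narrowed to a signed int passes a signed bounds check and then widens to a huge size at the copy call. `FIELD_MAX`, `copy_request` and both handler names are hypothetical, and the unsigned-to-int conversion assumes the wrapping behaviour of GCC and Clang with a 32-bit int.

```c
#include <stddef.h>
#include <stdio.h>

#define FIELD_MAX 16 /* hypothetical limit; an int, so compares below are signed */

/* Hypothetical stand-in for copy_to_user()/copy_from_user(): it only reports
 * the size it was asked to move, so nothing is read or written out of bounds. */
static size_t copy_request(size_t n) { return n; }

/* Vulnerable pattern: the length is narrowed to signed int before the check. */
static int handler_vulnerable(unsigned int user_len, size_t *requested)
{
    int len = (int)user_len;   /* 0xFFFFFFFF becomes -1 (GCC/Clang wrap) */
    if (len > FIELD_MAX)       /* signed compare: -1 is "small enough" */
        return -1;
    *requested = copy_request((size_t)len); /* -1 widens to SIZE_MAX */
    return 0;
}

/* Hardened pattern: keep the length unsigned and bound it before use. */
static int handler_fixed(unsigned int user_len, size_t *requested)
{
    if (user_len > (unsigned int)FIELD_MAX)
        return -1;
    *requested = copy_request(user_len);
    return 0;
}

int main(void)
{
    unsigned int samples[] = { 8u, 17u, 0xFFFFFFFFu }; /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t v = 0, f = 0;
        int rv = handler_vulnerable(samples[i], &v);
        int rf = handler_fixed(samples[i], &f);
        printf("len=%u vulnerable: rc=%d size=%zu | fixed: rc=%d size=%zu\n",
               samples[i], rv, v, rf, f);
    }
    return 0;
}
```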