Vendor: N/A
By: Anonymous
CVSS: 8.8 (HIGH)
CWE: 119 (Stack-based Buffer Overflow)
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: No
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
Year: 2020

SLEH Exception Handler Vulnerability

This vulnerability is caused by a stack-based buffer overflow in the second level exception handler (sleh) for undefined instruction exceptions. The bug is that copyin can be forced to fail by unmapping the page containing the undefined instruction while the exception is being handled. This PoC places an undefined instruction (0xdeadbeef) on its own page and spins up a thread that keeps switching the protection of that page between VM_PROT_NONE and VM_PROT_READ|VM_PROT_EXECUTE. It then keeps spinning up threads that try to execute that undefined instruction. If the race windows align, a thread executes the undefined instruction, but by the time the sleh code tries to copyin the instruction the page is unmapped: the copy fails, and the exception message we receive contains stale stack memory.

Mitigation:

The best way to mitigate this vulnerability is to ensure that the page containing the undefined instruction is always mapped with the correct permissions.
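As an added illustration (not code from this entry or from the affected kernel), the following C model shows the handler shape the description implies: a fetch of the faulting instruction word from user memory whose failure goes unhandled, beside a version that initialises the buffer and checks the copy result. copyin_sim, report_undef_vulnerable, report_undef_fixed and the scenario helpers are hypothetical names, and the "unmapped page" is simulated by a flag rather than a real mapping change.

```c
#include <stdint.h>
/* Hypothetical model (not the affected kernel's code) of the handler
 * shape described above: fetch the faulting instruction word from user
 * memory, then place it in the exception message. */

/* Stand-in for copyin(): returns -1 when the source page has been
 * unmapped, which is exactly the window the described race aims for. */
static int copyin_sim(const uint32_t *src, uint32_t *dst, int page_mapped)
{
    if (!page_mapped) return -1;
    *dst = *src;
    return 0;
}

/* Vulnerable shape: the copy result is ignored and *msg is never
 * initialised, so on failure the message keeps whatever that memory
 * already held (stale stack contents in the kernel case). */
static void report_undef_vulnerable(const uint32_t *pc, int mapped, uint32_t *msg)
{
    (void)copyin_sim(pc, msg, mapped);
}

/* Hardened shape: zero the destination first and treat a failed copy as
 * an error, so nothing unrelated to the fault can reach the message. */
static int report_undef_fixed(const uint32_t *pc, int mapped, uint32_t *msg)
{
    *msg = 0;
    if (copyin_sim(pc, msg, mapped) != 0) {
        *msg = 0;             /* never report a partially filled buffer */
        return -1;
    }
    return 0;
}
/* Constructed scenarios: 0xdeadbeef is the entry's example opcode; the
 * 0x41414141 marker stands in for stale data already in the buffer. */
static uint32_t scenario_vulnerable(int mapped)
{
    uint32_t insn = 0xdeadbeef, msg = 0x41414141;
    report_undef_vulnerable(&insn, mapped, &msg);
    return msg;               /* marker survives when the page is unmapped */
}
/* Returns the message word on success, or -1 - msg when the handler
 * reports failure (a clean, zeroed failure therefore yields exactly -1). */
static int64_t scenario_fixed(int mapped)
{
    uint32_t insn = 0xdeadbeef, msg = 0x41414141;
    int rc = report_undef_fixed(&insn, mapped, &msg);
    return rc == 0 ? (int64_t)msg : -1 - (int64_t)msg;
}
```

With the page "unmapped", the vulnerable handler hands back the marker untouched, while the hardened one reports failure with a zeroed message.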
Source

Exploit-DB raw data: