Of course, we can imagine using a jump to call supervisor code, as ARM does. That means the user code must provide the supervisor code's start address, provided that this address resides in a supervisor address space. The jump can have flags to indicate entering or leaving supervisor mode.

But such a thing supposes that user code is unable to turn a user address space area into a supervisor address space area.

Just take an example: a user program allocates a writable user space via "mmap". It writes executable code into it. It calls "mprotect" to change the access rights so that the writable user space turns into an executable supervisor space. The user code then just needs to use the "jmp", providing a start address in the executable supervisor space... the user code, through its Trojan horse, would now be able to spy on all the supervisor regions of the kernel.
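As an added example (not code from the original post), a toy Python model of the invariant the post describes: if a jump-based supervisor entry exists, "mprotect" must refuse to relabel a user page as supervisor. The names AddressSpace, mprotect and jump_supervisor are assumptions of this model, not any real kernel's API; the weak variant (check_owner=False) shows what the scenario looks like when that check is missing.

```python
USER, SUPERVISOR = "user", "supervisor"

class AccessDenied(Exception): ...

class Page:
    def __init__(self, owner, write, execute):
        self.owner, self.write, self.execute = owner, write, execute

class AddressSpace:
    """Toy page table; check_owner models the invariant the post says is required."""

    def __init__(self, check_owner=True):
        self.pages = {}
        self.check_owner = check_owner

    def mmap(self, addr, write=True, execute=False):
        # Mappings requested from user mode are always created user-owned.
        self.pages[addr] = Page(USER, write, execute)
        return addr

    def mprotect(self, addr, caller_mode, owner=None, write=None, execute=None):
        page = self.pages[addr]
        if self.check_owner and owner == SUPERVISOR and caller_mode != SUPERVISOR:
            raise AccessDenied("user code may not relabel a page as supervisor")
        page.owner = page.owner if owner is None else owner
        page.write = page.write if write is None else write
        page.execute = page.execute if execute is None else execute

    def jump_supervisor(self, addr, caller_mode):
        # Jump-with-flag entry: the target must be supervisor-owned and executable.
        page = self.pages.get(addr)
        if page is None or page.owner != SUPERVISOR or not page.execute:
            raise AccessDenied("supervisor entry target is not supervisor code")
        return SUPERVISOR

def trojan_attempt(space):
    """Replay the post's scenario (constructed); return the step at which it is refused."""
    addr = space.mmap(0x1000, write=True)                 # 1. writable user page
    # 2. the code "written" into the page is only modelled, not represented as bytes
    try:                                                  # 3. relabel as supervisor + exec
        space.mprotect(addr, USER, owner=SUPERVISOR, write=False, execute=True)
    except AccessDenied:
        return "refused at mprotect"
    try:                                                  # 4. jmp into it with the supervisor flag
        space.jump_supervisor(addr, USER)
    except AccessDenied:
        return "refused at jump"
    return "entered supervisor mode"
```

With the ownership check in place the scenario is stopped at step 3; the kernel itself (caller_mode=SUPERVISOR) can still create supervisor-owned executable pages for the jump to target.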