Code inspection of entry.S on i386 showed a potential problem - a load through a segment without verifying "flatness" on the sysenter path. It turns out this code is safe, but only by a thread...

    ENTRY(sysenter_entry)
    	movl TSS_sysenter_esp0(%esp),%esp
    sysenter_past_esp:
    	sti
    	pushl $(__USER_DS)
    	pushl %ebp
    	pushfl
    	pushl $(__USER_CS)
    	pushl $SYSENTER_RETURN

    /*
     * Load the potential sixth argument from user stack.
     * Careful about security.
     */
    	cmpl $__PAGE_OFFSET-3,%ebp
    	jae syscall_fault
    	/* %ebp-relative addressing defaults to the SS segment, which is
    	 * __KERNEL_DS here; DS is still whatever user space left in it. */
    1:	movl (%ebp),%ebp

If it weren't for the fact that %ebp-relative addresses default to using the SS segment, we could have loaded through a user segment here to read arbitrary memory (sysenter does nothing to the DS segment). Perhaps this was considered before, but because of the implications, I thought this might be worth annotating in the source.

Also provided a test case. Obviously it only works on sysenter-capable processors. Tested on 2.6.8.

Zach Amsden
zach@vmware.com
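The range check on that path is the other half of the safety argument: the sixth argument is a 4-byte load at %ebp, so the comparison against __PAGE_OFFSET-3 is what keeps every byte of the load below the kernel boundary. The following C program is an added illustration of that boundary (it is not the author's test case and not kernel code); it only models the address-range check, since the SS-versus-DS segment default cannot be shown in portable C. The value of __PAGE_OFFSET (0xC0000000, the usual 3G/1G split) is an assumption for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value of __PAGE_OFFSET for a default 3G/1G i386 split
 * (an assumption made for this example, not taken from the message). */
#define PAGE_OFFSET 0xC0000000u

/* Models the check on the sysenter path:
 *     cmpl $__PAGE_OFFSET-3,%ebp
 *     jae  syscall_fault
 * A 4-byte load at %ebp touches bytes ebp..ebp+3, so the last byte stays
 * below PAGE_OFFSET only when ebp <= PAGE_OFFSET-4, i.e. ebp < PAGE_OFFSET-3.
 * Comparing the untouched ebp (rather than computing ebp+3) also avoids a
 * 32-bit wraparound for pointers near 0xFFFFFFFF. */
bool sixth_arg_load_is_user(uint32_t ebp)
{
    return ebp < PAGE_OFFSET - 3u;
}

/* Which branch the instruction sequence takes for a given %ebp. */
const char *sysenter_sixth_arg_path(uint32_t ebp)
{
    return sixth_arg_load_is_user(ebp) ? "load (%ebp)" : "syscall_fault";
}

int main(void)
{
    /* Constructed probe values around the boundary. */
    uint32_t probes[] = { 0xBFFFFFF0u, PAGE_OFFSET - 4u, PAGE_OFFSET - 3u,
                          PAGE_OFFSET, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("ebp=0x%08X -> %s\n", probes[i], sysenter_sixth_arg_path(probes[i]));
    return 0;
}
```

The two interesting probes are PAGE_OFFSET-4 (the highest address where a 4-byte user load is still entirely below the kernel) and PAGE_OFFSET-3 (where the last byte of the load would cross into kernel space and the path must fault instead).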