While looking at the PROTECTED build,
I noticed that it was trivial for userspace code to bypass the
protection and access kernel memory,
e.g. by passing a kernel pointer to system calls.
And it seems that it isn't the only way for userspace to trick the kernel.

I am not clear how that would work. The system call itself is through an interrupt handler and only a syscall number is attached. But, yes, there is no checking of system call arguments if that is what you are referring to.

Greg
