Explanation
There are two kinds of address space: virtual and physical. In the physical model (typically used by the kernel) the memory is bounded and each address corresponds to a physical one.
The virtual one is used by processes. There is no limit (except the one due to pointer size). To get more memory the program simply requests it (ignoring what amount can be requested). Each address is mapped to a different physical one.
That’s how processes are restricted in what they can read from RAM.
The problem
The reasoning is that system calls use ring 0, but at the same time (at least on Linux) the process state is updated to interruptible, suggesting system calls use the virtual address space.
As far as I understand, CPU rings are about privileged instructions, not about address space (as that is MMU related).
So if an out-of-bounds read (due to a vulnerability) occurs during the execution of a system call in kernel code, can it return memory from other processes?
Sorry but this is incorrect. Once the OS is booted and enables paging, it stays enabled for the life of the boot. Hence you're using virtual addresses both in user and kernel mode. – Jamie Hanrahan – 2018-04-05T05:44:27.340
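The question asks what an out-of-bounds read inside a system call handler can reach, and the comment's point is that the kernel is still running on virtual addresses, so whatever the kernel has mapped next to the buffer it is exporting is in reach of such a read. The following is an added example, not code from the question or from any real kernel: it models a slice of kernel memory as a constructed struct (a buffer the hypothetical `sys_get_info` syscall is allowed to return, followed by data belonging to some other context), shows an unsafe handler that trusts the caller-supplied length and therefore copies the neighbouring data out, and beside it the hardened handler that validates the length against the exported object first. The names `sys_get_info_unsafe`, `sys_get_info_safe`, `leaked_secret` and the memory layout are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a slice of kernel memory (assumption for this example):
 * the buffer a hypothetical syscall is allowed to hand back, immediately
 * followed by data that belongs to some other context. In a real kernel the
 * neighbour is whatever the allocator placed next to the buffer; here the
 * layout is made explicit so the effect of a missing check is visible. */
#define INFO_LEN   16
#define SECRET_LEN 16

struct kernel_region {
    char info[INFO_LEN];      /* what the syscall is meant to return */
    char secret[SECRET_LEN];  /* not this caller's business */
};

static struct kernel_region kmem = {
    .info   = "sysinfo:v1.0",
    .secret = "OTHERPROC-KEY-X",
};

/* Hypothetical unsafe handler: copies as many bytes as the caller asked for,
 * never comparing `len` with the size of the object being exported.
 * (To keep this demo itself well defined, callers stay within sizeof(kmem);
 * the point is that nothing in the handler enforces that.) */
long sys_get_info_unsafe(char *user_buf, size_t len)
{
    const char *src = (const char *)&kmem;  /* walk the region as raw bytes */
    memcpy(user_buf, src, len);             /* len > INFO_LEN reads into secret */
    return (long)len;
}

/* Hardened handler: the caller-supplied length is validated against the
 * object actually being exported before anything is copied, the pattern
 * behind checks of the form `if (len > sizeof(obj)) return -EINVAL;`. */
long sys_get_info_safe(char *user_buf, size_t len)
{
    if (len > INFO_LEN)
        return -22;                         /* EINVAL-style failure, nothing copied */
    memcpy(user_buf, kmem.info, len);
    return (long)len;
}

/* Returns 1 if the bytes a caller received include the neighbouring secret,
 * 0 otherwise. Used to check whether a call leaked beyond `info`. */
int leaked_secret(const char *received, size_t len)
{
    if (len <= INFO_LEN)
        return 0;
    return memcmp(received + INFO_LEN, kmem.secret, len - INFO_LEN) == 0;
}

int main(void)
{
    char buf[sizeof kmem];

    memset(buf, 0, sizeof buf);
    long n = sys_get_info_unsafe(buf, sizeof kmem);
    printf("unsafe: returned %ld bytes, leaked secret: %s\n",
           n, leaked_secret(buf, (size_t)n) ? "yes" : "no");

    memset(buf, 0, sizeof buf);
    n = sys_get_info_safe(buf, sizeof kmem);
    printf("safe:   returned %ld (over-long request rejected)\n", n);
    return 0;
}
```

The over-long request is rejected at the boundary of the exported object, which is the only place the kernel can know how much it is allowed to return; the caller-supplied length is never a size the handler may trust.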