Matthew Garrett demonstrates how to use the kexec() system call to change parameters in a running kernel. “The beauty of this approach is that it doesn’t rely on any kernel bugs – it’s using kernel functionality that was explicitly designed to let you do this kind of thing (ie, run arbitrary code in ring 0). There’s not really any way to fix it beyond adding a new system call that has rather tighter restrictions on the binaries that can be loaded. If you’re using signed modules but still permit kexec, you’re not really adding any additional security.“
Read more at LWN