The filename problem is solved in two steps.
First, all system calls which have filenames as arguments are called as though they were invoked from inside the kernel rather than by a process. This disables the address checks which would otherwise fail.
However, some system calls that take a filename as an argument also take an output buffer as an argument. With argument checking disabled, this would open the system call hole described previously.
To deal with this, all such system calls were identified, and those buffers are checked for validity by the UML system call code before entering the actual system call. If a buffer fails the verify_area test, EFAULT is returned directly from the UML system call handler rather than from the system call itself.
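The two steps can be seen in a small user-space model. This is an added example, not UML's own code. The address ranges, the `memory` array, the `precheck` switch and every function name are assumptions made for illustration, and `verify_area_model` only stands in for the real verify_area test.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: the process owns [USER_BASE, USER_TOP); bytes above are kernel data. */
#define USER_BASE 0x1000u
#define USER_TOP  0x2000u
static unsigned char memory[0x3000];
static int checks_disabled; /* models "called as though from inside the kernel" */

/* Stand-in for the verify_area test: 0 if [addr, addr+len) is process memory.
 * len is compared against the remaining space so addr+len cannot wrap. */
static int verify_area_model(uint32_t addr, uint32_t len)
{
    if (addr < USER_BASE || addr > USER_TOP || len > USER_TOP - addr)
        return -EFAULT;
    return 0;
}

/* Hypothetical readlink-like call: filename in, result copied to an output buffer. */
static long sys_readlink_model(const char *name, uint32_t buf, uint32_t len)
{
    static const char target[] = "/constructed/target";
    uint32_t n = (uint32_t)strlen(target);
    (void)name; /* unused in this model */
    if (!checks_disabled && verify_area_model(buf, len))
        return -EFAULT;
    if (n > len) n = len;
    if (buf > sizeof(memory) - n) /* keeps the model inside its array */
        return -EFAULT;
    memcpy(&memory[buf], target, n);
    return (long)n;
}

/* Handler: check the output buffer first, then enter the call with checks off. */
long uml_readlink_handler(const char *name, uint32_t buf, uint32_t len, int precheck)
{
    long ret;
    if (precheck && verify_area_model(buf, len))
        return -EFAULT; /* returned by the handler, not by the system call */
    checks_disabled = 1;
    ret = sys_readlink_model(name, buf, len);
    checks_disabled = 0;
    return ret;
}

int main(void)
{
    return uml_readlink_handler("/link", 0x2800, 64, 1) == -EFAULT ? 0 : 1;
}
```

Calling the handler with `precheck` set to 0 shows why the second step is needed: with checks disabled and no prior buffer test, the model call writes into the range reserved for kernel data.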