Re: Solaris priocntl exploit

>The module's name is a relative path; priocntl will search for the module file
>only in the /kernel/sched and /usr/kernel/sched/ directories.
>But unfortunately, priocntl() never checks for '../' in the pc_clname argument,
>so we can use '../../../tmp/module' to make priocntl() load a module from anywhere.


The "pc_clname[]" argument is limited in size; to prevent this particular
bug from being exploited you could:


	# Bury the real sched directory eight levels deep and leave a symlink
	# in its place; the short pc_clname[] buffer cannot hold enough "../"
	# components to climb back out of the buried location.
	for dir in /kernel /usr/kernel
	do
		cd $dir || exit 1
		mkdir -p a/b/c/d/e/f/g/h
		mv sched a/b/c/d/e/f/g/h
		ln -s a/b/c/d/e/f/g/h/sched .
	done


Casper
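An added check script, not part of Casper's mail, that verifies the burying trick is deep enough: it takes the maximum class-name length as an argument (the actual pc_clname[] size is not stated above and is an assumption the caller supplies) and compares how many "../" fit in that many bytes against the depth of the resolved sched directory.

```shell
# max_dotdot_within NAMELEN: how many "../" components fit in a class name
# of at most NAMELEN bytes, reserving one byte for the NUL terminator and
# at least one byte for the module file name itself.
max_dotdot_within() {
	echo $(( ($1 - 1) / 3 ))
}

# path_depth DIR: number of components in DIR's fully resolved (symlinks
# followed) physical path, i.e. how many "../" it takes to climb to "/".
path_depth() {
	_p=$(cd "$1" 2>/dev/null && pwd -P) || return 1
	_p=${_p#/}
	if [ -z "$_p" ]; then
		echo 0
		return 0
	fi
	echo "$_p" | tr '/' '\n' | wc -l | tr -d ' '
}

# sched_dir_escapable NAMELEN DIR: returns 0 (true) when a class name of
# NAMELEN bytes can climb out of DIR's resolved location all the way to "/",
# meaning the directory is not buried deeply enough; returns 1 when the
# traversal cannot fit, and 2 when DIR cannot be resolved.
sched_dir_escapable() {
	_n=$(max_dotdot_within "$1")
	_d=$(path_depth "$2") || return 2
	[ "$_n" -ge "$_d" ]
}

# Example usage on a live system (NAMELEN is an assumed value here):
#   sched_dir_escapable 16 /kernel/sched && echo "still reachable from /"
```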
