On Wed, Mar 30, 2011 at 10:03:48AM +0800, Zhang Rui wrote:
> On Tue, 2011-03-29 at 20:33 +0800, Thomas Renninger wrote:
> > With /sys/kernel/debug/acpi/custom_method root can write
> > to arbitrary memory and increase his privileges, even if
> > these are restricted.
> >
> Sorry, I don't quite understand.
>
> This interface just allocates a new piece of memory, copies the ASL code
> from user space and then attaches it to the ACPI namespace.
>
> Can you give more details about how it is misused to increase root's
> privileges please?

Identify the lid switch GPE. Start a shell, and identify the address of
that process's capabilities structure. Write some ASL that includes an
opregion that covers that structure and a GPE handler that writes new
values to it. Insert via custom_method. Close lid.

--
Matthew Garrett | mjg59@xxxxxxxxxxxxx