From: Matthew Garrett <mjg59@srcf.ucam.org>
To: Zhang Rui <rui.zhang@intel.com>
Cc: Thomas Renninger <trenn@suse.de>,
"lenb@kernel.org" <lenb@kernel.org>,
"Rafael J. Wysocki" <rjw@sisk.pl>,
"linux-acpi@vger.kernel.org" <linux-acpi@vger.kernel.org>
Subject: Re: [PATCH 3/3] acpi: Split out custom_method functionality into an own driver
Date: Wed, 30 Mar 2011 09:53:32 +0100
Message-ID: <20110330085332.GA28247@srcf.ucam.org>
In-Reply-To: <1301450628.31460.116.camel@rui>

On Wed, Mar 30, 2011 at 10:03:48AM +0800, Zhang Rui wrote:
> On Tue, 2011-03-29 at 20:33 +0800, Thomas Renninger wrote:
> > With /sys/kernel/debug/acpi/custom_method root can write
> > to arbitrary memory and increase his privileges, even if
> > these are restricted.
> >
> Sorry, I don't quite understand.
>
> This interface just allocates a new piece of memory, copies the ASL code
> from user space and then attaches it to ACPI namespace.
>
> Can you give more details about how it is misused to increase root's
> privileges please?

Identify the lid switch GPE. Start a shell, and identify the address of
that process's capabilities structure. Write some ASL that includes an
opregion that covers that structure and a GPE handler that writes new
values to it. Insert via custom_method. Close lid.

--
Matthew Garrett | mjg59@srcf.ucam.org