Red Hat Bugzilla – Bug 680841
CVE-2011-1021 kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions
Last modified: 2016-05-22 19:36:06 EDT
Since /sys/kernel/debug/acpi/custom_method can be used to write arbitrary kernel memory (http://jon.oberheide.org/files/american-sign-language.c), it should be able to be left out of the kernel for system owners that want to be as defensive as possible to potential attacks, even from the root user. See as examples: CONFIG_DEVKMEM, CONFIG_STRICT_DEVMEM, and /proc/sys/kernel/modules_disabled.
I believe this is the upstream solution
This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and 6, as they did not include upstream commits a1a541d8 and a25ee920 that introduced the problem. This has been addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1253.html.
This requires debugfs to be mounted on a local system in order to have access
to the custom_method file. Debugfs is not mounted by default. You need to run
"mount -t debugfs nodev /sys/kernel/debug" as root first.
(In reply to comment #5)
> I believe this is the upstream solution
No, this is not the upstream solution. This patch is for CVE-2010-4347. For CVE-2011-1021, please refer to https://lkml.org/lkml/2011/2/22/369.
This issue has been addressed in the following products:
MRG for RHEL-6 v.2
Via RHSA-2011:1253 https://rhn.redhat.com/errata/RHSA-2011-1253.html
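The exposure condition stated in the comment about debugfs (the filesystem must be mounted before custom_method is reachable) can be audited on a host with a check like the one below. This is an added example, not part of the bug report or of any Red Hat tooling; the function names, the optional ROOT prefix argument and the sample mounts table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): report whether the
# acpi/custom_method file is reachable through a mounted debugfs.
# Run as root on a live system: debugfs is usually readable by root only.

# debugfs_mounts MOUNTS_FILE
# Print the mount point of every debugfs entry in a table that uses the
# /proc/mounts layout (device, mount point, fstype, options, ...).
debugfs_mounts() {
    awk '$3 == "debugfs" { print $2 }' "$1"
}

# custom_method_exposed MOUNTS_FILE [ROOT]
# Exit status 0 if some debugfs mount contains acpi/custom_method, else 1.
# ROOT is an assumed optional prefix so the check can run against a
# constructed directory tree instead of the live filesystem.
custom_method_exposed() {
    found=1
    for mp in $(debugfs_mounts "$1"); do
        f="${2:-}$mp/acpi/custom_method"
        if [ -e "$f" ]; then
            echo "exposed: $f"
            found=0
        fi
    done
    return "$found"
}

# demo: build a constructed mounts table and directory tree, then audit it.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/sys/kernel/debug/acpi"
    : > "$tmp/sys/kernel/debug/acpi/custom_method"
    cat > "$tmp/mounts" <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0
nodev /sys/kernel/debug debugfs rw 0 0
EOF
    if custom_method_exposed "$tmp/mounts" "$tmp"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

# Audit the live system only when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    custom_method_exposed /proc/mounts || echo "custom_method not reachable"
fi
```

A mounted debugfs without the custom_method file (for example, a kernel built without it) is reported as not exposed, which is the distinction the original report asks for.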