Package: busybox / 1:1.22.0-19

CVE-2014-9645.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
From 4e314faa0aecb66717418e9a47a4451aec59262b
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Thu, 20 Nov 2014 17:24:33 +0000
Subject: modprobe,rmmod: reject module names with slashes

--- a/modutils/modprobe.c
+++ b/modutils/modprobe.c
@@ -239,6 +239,17 @@ static void add_probe(const char *name)
 {
 	struct module_entry *m;
 
+	/*
+	 * get_or_add_modentry() strips path from name and works
+	 * on remaining basename.
+	 * This would make "rmmod dir/name" and "modprobe dir/name"
+	 * to work like "rmmod name" and "modprobe name",
+	 * which is wrong, and can be abused via implicit modprobing:
+	 * "ifconfig /usbserial up" tries to modprobe netdev-/usbserial.
+	 */
+	if (strchr(name, '/'))
+		bb_error_msg_and_die("malformed module name '%s'", name);
+
 	m = get_or_add_modentry(name);
 	if (!(option_mask32 & (OPT_REMOVE | OPT_SHOW_DEPS))
 	 && (m->flags & (MODULE_FLAG_LOADED | MODULE_FLAG_BUILTIN))