Bug 537978 (CVE-2014-9645) - <sys-apps/busybox-1.23.1: unprivileged arbitrary module load via basename abuse (CVE-2014-9645)
Status: RESOLVED FIXED
Alias: CVE-2014-9645
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [glsa cleanup]
Keywords:
Duplicates: 530688
Depends on:
Blocks:
 
Reported: 2015-01-27 13:35 UTC by Agostino Sarubbo
Modified: 2015-03-29 17:11 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-01-27 13:35:17 UTC
From ${URL} :

Matthias Krause reports:

modprobe uses the "basename" of the module argument as the module to load, as
can be seen here:

bbox:~# lsmod | grep vfat
bbox:~# modprobe foo/bar/baz/vfat
bbox:~# lsmod | grep vfat
vfat                   17135  0
fat                    61984  1 vfat
bbox:~# find /lib/modules/`uname -r` -name vfat.ko
/lib/modules/3.18.0-rc5+/vfat.ko

It should instead fail to load the module -- actually fail to *find* the
module.

This can even be abused to load arbitrary modules by nullifying enforced module
prefixes some of the Linux kernel's subsystems try to apply to prevent just
that:

bbox:~# lsmod | grep usb
bbox:~# ifconfig /usbserial up
ifconfig: SIOCGIFFLAGS: No such device
bbox:~# lsmod | grep usb
usbserial              32201  0

The actual modprobe invocation, done by the kernel was:
/sbin/modprobe -q -- netdev-/usbserial

Due to the bug, the "netdev-" prefix including the "/" are ignored and the
usbserial.ko module gets loaded.

The same works for filesystems, e.g.:

bbox:~# lsmod | grep snd_pcm
bbox:~# mount -t /snd_pcm none /
mount: mounting none on / failed: No such device
bbox:~# lsmod | grep snd_pcm
snd_pcm                88826  0
snd_timer              26606  1 snd_pcm
snd                    61141  2 snd_pcm,snd_timer

This time the kernel called out to:
/sbin/modprobe -q -- fs-/snd_pcm

Note the "fs-" prefix.

External reference:
https://bugs.busybox.net/show_bug.cgi?id=7652 (cert maybe expired)


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
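
The name resolution described in the report above, shown beside a stricter form, as an added example that is not part of the original report and is not BusyBox source. The module table, the function names and the "reject any name containing '/'" policy are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the installed-module index; not real data. */
static const char *const known_modules[] = { "vfat", "fat", "usbserial", "snd_pcm" };

static const char *lookup(const char *name)
{
    size_t n = sizeof known_modules / sizeof known_modules[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(known_modules[i], name) == 0)
            return known_modules[i];
    return NULL;
}

/* Flawed resolution as the report describes it: only the part after the
 * last '/' is looked up, so the kernel's "netdev-" or "fs-" prefix is
 * discarded together with the slash. */
const char *resolve_basename(const char *arg)
{
    const char *slash = strrchr(arg, '/');
    return lookup(slash ? slash + 1 : arg);
}

/* Stricter resolution (assumed policy): a requested module name is never
 * treated as a path, so any '/' makes the lookup fail, and the whole
 * string, prefix included, must match an entry. */
const char *resolve_strict(const char *arg)
{
    if (arg[0] == '\0' || strchr(arg, '/') != NULL)
        return NULL;
    return lookup(arg);
}

int main(void)
{
    /* Request strings taken from the report, plus one ordinary alias. */
    const char *reqs[] = { "vfat", "foo/bar/baz/vfat", "netdev-/usbserial",
                           "fs-/snd_pcm", "netdev-eth0" };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        const char *a = resolve_basename(reqs[i]);
        const char *b = resolve_strict(reqs[i]);
        printf("%-20s basename=%-10s strict=%s\n", reqs[i],
               a ? a : "(not found)", b ? b : "(not found)");
    }
    return 0;
}
```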
Comment 1 Anthony Basile gentoo-dev 2015-02-02 16:49:19 UTC
(In reply to Agostino Sarubbo from comment #0)
> 
> @maintainer(s): after the bump, in case we need to stabilize the package,
> please let us know if it is ready for the stabilization or not.

We have 1.23.0 stabilized which was not mentioned in that bug report, only 1.22 is.  But upstream released 1.23.1 on Jan 27, which they are explicitly saying fixes the bug, so I'll add 1.23.1 to the tree now and we'll see about stabilizing it soon.
Comment 2 Anthony Basile gentoo-dev 2015-02-02 17:28:02 UTC
(In reply to Anthony Basile from comment #1)
> (In reply to Agostino Sarubbo from comment #0)
> > 
> > @maintainer(s): after the bump, in case we need to stabilize the package,
> > please let us know if it is ready for the stabilization or not.
> 
> We have 1.23.0 stabilized which was not mentioned in that bug report, only
> 1.22 is.  But upstream released 1.23.1 on Jan 27, which they are explicitly
> saying fixes the bug, so I'll add 1.23.1 to the tree now and we'll see about
> stabilizing it soon.

It looks like they lumped all their commits after 1.23.0 into one commit when backporting to the 1_23_stable branch.  It does include a lot of modprobe path stuff so it looks like we need 1.23.1.

http://git.busybox.net/busybox/commit/?h=1_23_stable&id=1ecfe811fe2f70380170ef7d820e8150054e88ca
Comment 3 Anthony Basile gentoo-dev 2015-02-04 21:34:48 UTC
We should rapid stabilize 1.23.1.  Arch teams, the targets are

KEYWORDS="alpha amd64 arm hppa ia64 m68k ppc ppc64 sparc x86"
Comment 4 William Hubbs gentoo-dev 2015-02-04 21:37:37 UTC
*** Bug 530688 has been marked as a duplicate of this bug. ***
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-05 01:32:55 UTC
Arch teams, please test and mark stable:
=sys-apps/busybox-1.23.1
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-05 11:30:43 UTC
Stable for HPPA.
Comment 7 William Hubbs gentoo-dev 2015-02-06 06:01:49 UTC
Arch teams, the target is now 1.23.1-r1.
Please continue stabilization.
Comment 8 Agostino Sarubbo gentoo-dev 2015-02-06 11:34:05 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-02-06 11:35:47 UTC
x86 stable
Comment 10 Markus Meier gentoo-dev 2015-02-08 21:11:38 UTC
arm stable
Comment 11 Anthony Basile gentoo-dev 2015-02-08 22:38:49 UTC
ppc and ppc64 are stable.  I also marked amd64 and x86 stable for the -r1.
Comment 12 Agostino Sarubbo gentoo-dev 2015-02-16 10:23:19 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-02-23 11:37:25 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-02-24 10:57:53 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 15 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-18 18:23:14 UTC
GLSA request filed
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2015-03-29 17:11:40 UTC
This issue was resolved and addressed in
 GLSA 201503-13 at https://security.gentoo.org/glsa/201503-13
by GLSA coordinator Mikle Kolyada (Zlogene).