2 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2014-9645_busybox_reject_module_names_with_slashes.patch b/meta/recipes-core/busybox/busybox/CVE-2014-9645_busybox_reject_module_names_with_slashes.patch
new file mode 100644
index 0000000000..4e76067b3c
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2014-9645_busybox_reject_module_names_with_slashes.patch
@@ -0,0 +1,41 @@
+Upstream-status: Backport
+http://git.busybox.net/busybox/commit/?id=4e314faa0aecb66717418e9a47a4451aec59262b
+CVE-2014-9645 fix.
+[YOCTO #7257]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+From 4e314faa0aecb66717418e9a47a4451aec59262b Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Thu, 20 Nov 2014 17:24:33 +0000
+Subject: modprobe,rmmod: reject module names with slashes
+function                                             old     new   delta
+add_probe                                             86     113     +27
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+Index: busybox-1.22.1/modutils/modprobe.c
+===================================================================
+--- busybox-1.22.1.orig/modutils/modprobe.c
+++ busybox-1.22.1/modutils/modprobe.c
+@@ -238,6 +238,17 @@ static void add_probe(const char *name)
+ {
+        struct module_entry *m;
+ 
+       /*
+        * get_or_add_modentry() strips path from name and works
+        * on remaining basename.
+        * This would make "rmmod dir/name" and "modprobe dir/name"
+        * to work like "rmmod name" and "modprobe name",
+        * which is wrong, and can be abused via implicit modprobing:
+        * "ifconfig /usbserial up" tries to modprobe netdev-/usbserial.
+        */
+       if (strchr(name, '/'))
+               bb_error_msg_and_die("malformed module name '%s'", name);
+
+        m = get_or_add_modentry(name);
+        if (!(option_mask32 & (OPT_REMOVE | OPT_SHOW_DEPS))
+         && (m->flags & MODULE_FLAG_LOADED)
diff --git a/meta/recipes-core/busybox/busybox_1.22.1.bb b/meta/recipes-core/busybox/busybox_1.22.1.bb
index dd61a2680c..a41879c23f 100644
--- a/meta/recipes-core/busybox/busybox_1.22.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.22.1.bb
@@ -33,6 +33,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://0001-build-system-Specify-nostldlib-when-linking-to-.o-fi.patch \
           file://recognize_connmand.patch \
           file://busybox-cross-menuconfig.patch \
+           file://CVE-2014-9645_busybox_reject_module_names_with_slashes.patch \
 "
 SRC_URI[tarball.md5sum] = "337d1a15ab1cb1d4ed423168b1eb7d7e"

diff --git a/meta/recipes-core/busybox/busybox/CVE-2014-9645_busybox_reject_module_names_with_slashes.patch b/meta/recipes-core/busybox/busybox/CVE-2014-9645_busybox_reject_module_names_with_slashes.patch new file mode 100644 index 0000000000..4e76067b3c --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2014-9645_busybox_reject_module_names_with_slashes.patch
@@ -0,0 +1,41 @@
		1	Upstream-status: Backport
		2	http://git.busybox.net/busybox/commit/?id=4e314faa0aecb66717418e9a47a4451aec59262b
		3
		4	CVE-2014-9645 fix.
		5
		6	[YOCTO #7257]
		7
		8	Signed-off-by: Armin Kuster <akuster@mvista.com>
		9
		10	From 4e314faa0aecb66717418e9a47a4451aec59262b Mon Sep 17 00:00:00 2001
		11	From: Denys Vlasenko <vda.linux@googlemail.com>
		12	Date: Thu, 20 Nov 2014 17:24:33 +0000
		13	Subject: modprobe,rmmod: reject module names with slashes
		14
		15	function old new delta
		16	add_probe 86 113 +27
		17
		18	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
		19	---
		20	Index: busybox-1.22.1/modutils/modprobe.c
		21	===================================================================
		22	--- busybox-1.22.1.orig/modutils/modprobe.c
		23	+++ busybox-1.22.1/modutils/modprobe.c
		24	@@ -238,6 +238,17 @@ static void add_probe(const char *name)
		25	{
		26	struct module_entry *m;
		27
		28	+ /*
		29	+ * get_or_add_modentry() strips path from name and works
		30	+ * on remaining basename.
		31	+ * This would make "rmmod dir/name" and "modprobe dir/name"
		32	+ * to work like "rmmod name" and "modprobe name",
		33	+ * which is wrong, and can be abused via implicit modprobing:
		34	+ * "ifconfig /usbserial up" tries to modprobe netdev-/usbserial.
		35	+ */
		36	+ if (strchr(name, '/'))
		37	+ bb_error_msg_and_die("malformed module name '%s'", name);
		38	+
		39	m = get_or_add_modentry(name);
		40	if (!(option_mask32 & (OPT_REMOVE \| OPT_SHOW_DEPS))
		41	&& (m->flags & MODULE_FLAG_LOADED)


diff --git a/meta/recipes-core/busybox/busybox_1.22.1.bb b/meta/recipes-core/busybox/busybox_1.22.1.bb index dd61a2680c..a41879c23f 100644 --- a/meta/recipes-core/busybox/busybox_1.22.1.bb +++ b/meta/recipes-core/busybox/busybox_1.22.1.bb
@@ -33,6 +33,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
33	file://0001-build-system-Specify-nostldlib-when-linking-to-.o-fi.patch \	33	file://0001-build-system-Specify-nostldlib-when-linking-to-.o-fi.patch \
34	file://recognize_connmand.patch \	34	file://recognize_connmand.patch \
35	file://busybox-cross-menuconfig.patch \	35	file://busybox-cross-menuconfig.patch \
		36	file://CVE-2014-9645_busybox_reject_module_names_with_slashes.patch \
36	"	37	"
37		38
38	SRC_URI[tarball.md5sum] = "337d1a15ab1cb1d4ed423168b1eb7d7e"	39	SRC_URI[tarball.md5sum] = "337d1a15ab1cb1d4ed423168b1eb7d7e"