Bug 7652

Summary: modprobe wrongly accepts paths as module names
Product: Busybox Reporter: Mathias Krause <minipli>
Component: OtherAssignee: unassigned
Status: RESOLVED FIXED    
Severity: minor CC: busybox-cvs
Priority: P5    
Version: 1.22.x   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Host: Target:
Build:

Description Mathias Krause 2014-11-19 21:22:25 UTC 
modprobe uses the "basename" of the module argument as the module to load, as can be seen here:

bbox:~# lsmod | grep vfat
bbox:~# modprobe foo/bar/baz/vfat
bbox:~# lsmod | grep vfat
vfat                   17135  0
fat                    61984  1 vfat
bbox:~# find /lib/modules/`uname -r` -name vfat.ko
/lib/modules/3.18.0-rc5+/vfat.ko

It should instead fail to load the module -- actually fail to *find* the module.

This can even be abused to load arbitrary modules by nullifying enforced module prefixes some of the Linux kernel's subsystems try to apply to prevent just that:

bbox:~# lsmod | grep usb
bbox:~# ifconfig /usbserial up
ifconfig: SIOCGIFFLAGS: No such device
bbox:~# lsmod | grep usb
usbserial              32201  0

The actual modprobe invocation, done by the kernel was:
/sbin/modprobe -q -- netdev-/usbserial

Due to the bug, the "netdev-" prefix including the "/" are ignored and the usbserial.ko module gets loaded.

The same works for filesystems, e.g.:

bbox:~# lsmod | grep snd_pcm
bbox:~# mount -t /snd_pcm none /
mount: mounting none on / failed: No such device
bbox:~# lsmod | grep snd_pcm
snd_pcm                88826  0
snd_timer              26606  1 snd_pcm
snd                    61141  2 snd_pcm,snd_timer

This time the kernel called out to:
/sbin/modprobe -q -- fs-/snd_pcm

Note the "fs-" prefix.
Comment 1 Denys Vlasenko 2014-11-20 17:27:53 UTC 
fixed in git, thanks for the report.