Hi,

while I am waiting for my OpenEmbedded to finish compiling, I just looked over some patches in the packages directory:

From packages/busybox/busybox-1.00/rmmod.patch

@@ -109,7 +120,10 @@
for (n = optind; n < argc; n++) {
#ifdef CONFIG_FEATURE_2_6_MODULES
char module_name[strlen(argv[n]) + 1];
- filename2modname(module_name, argv[n]);
+ if (k_version != 4)
+ filename2modname(module_name, argv[n]);
+ else
+ strcpy(module_name, argv[n]);
#else
#define module_name argv[n]
#endif


I am not sure whether the char declaration itself is exploitable using very large command line arguments, but with the strcpy it get worse since now you can inject code if the line argument exceeds the stack size. If busybox run suid... (well, this only gets interesting if the root-password isn't just empty ;-)


Ciao, Imi.