From: Arend van Spriel <arend.vanspriel@broadcom.com>
To: Ben Hutchings <ben@decadent.org.uk>, brcm80211-dev-list.pdl@broadcom.com
Cc: linux-firmware@kernel.org, linux-wireless@vger.kernel.org
Subject: Re: CVE-2017-9417 and brcmfmac
Date: Mon, 28 Aug 2017 10:55:49 +0200 [thread overview]
Message-ID: <59A3DA95.4050005@broadcom.com> (raw)
In-Reply-To: <1503846841.3688.92.camel@decadent.org.uk>
On 27-08-17 17:14, Ben Hutchings wrote:
> The CVE-2017-9417 aka "Broadpwn" vulnerability is said to affect the
> firmware for various Broadcom BCM43xx wifi chips, some of which are
> supported by the in-tree brcmfmac driver and firmware in linux-
> firmware.git.
>
> The bcmdhd driver for Android was patched to improve validation of
> events from the firmware:
> https://android.googlesource.com/kernel/msm.git/+/android-6.0.1_r0.92%5E!/
> But the event handling code in
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c still seems to
> lack most of those checks. Should it be patched?
brcmfmac already has those checks is place [1]. Over a year ago a number
of extra checks were added with commit 0aedbcaf6f18 ("brcmfmac: Add
length checks on firmware events") [2].
> I also haven't seen any related updates for BCM43xx firmware in linux-
> firmware.git. Is any of this firmware vulnerable?
As to firmware it has been brought up that we have quite a collection in
linux-firmware, but quite a few are EOL. So for now the decision made
has been to update firmware for bcm43430, bcm4354, bcm4356, and bcm4358.
For SDIO and USB devices business has moved to Cypress so I will contact
them to query about their plans. As Stephen indicated they released new
firmware for bcm43438, which is used in RPi3/ZeroW.
Regards,
Arend
[1]
http://elixir.free-electrons.com/linux/latest/source/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h#L306
[2]
https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git/commit/?id=0aedbcaf6f18
prev parent reply other threads:[~2017-08-28 8:55 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-27 15:14 CVE-2017-9417 and brcmfmac Ben Hutchings
2017-08-27 16:29 ` Stefan Wahren
2017-08-28 8:55 ` Arend van Spriel [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=59A3DA95.4050005@broadcom.com \
--to=arend.vanspriel@broadcom.com \
--cc=ben@decadent.org.uk \
--cc=brcm80211-dev-list.pdl@broadcom.com \
--cc=linux-firmware@kernel.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).