CVE-2017-9417 and brcmfmac

CVE-2017-9417 and brcmfmac

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 765 bytes --]

The CVE-2017-9417 aka "Broadpwn" vulnerability is said to affect the
firmware for various Broadcom BCM43xx wifi chips, some of which are
supported by the in-tree brcmfmac driver and firmware in linux-
firmware.git.

The bcmdhd driver for Android was patched to improve validation of
events from the firmware:
https://android.googlesource.com/kernel/msm.git/+/android-6.0.1_r0.92%5E!/
But the event handling code in
drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c still seems to
lack most of those checks.  Should it be patched?

I also haven't seen any related updates for BCM43xx firmware in linux-
firmware.git.  Is any of this firmware vulnerable?

Ben.

-- 
Ben Hutchings
Teamwork is essential - it allows you to blame someone else.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: CVE-2017-9417 and brcmfmac

[Stefan Wahren]

Hi Ben,

> Ben Hutchings <ben@decadent.org.uk> hat am 27. August 2017 um 17:14 geschrieben:
> 
> 
> The CVE-2017-9417 aka "Broadpwn" vulnerability is said to affect the
> firmware for various Broadcom BCM43xx wifi chips, some of which are
> supported by the in-tree brcmfmac driver and firmware in linux-
> firmware.git.
> 
> The bcmdhd driver for Android was patched to improve validation of
> events from the firmware:
> https://android.googlesource.com/kernel/msm.git/+/android-6.0.1_r0.92%5E!/
> But the event handling code in
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c still seems to
> lack most of those checks.  Should it be patched?
> 
> I also haven't seen any related updates for BCM43xx firmware in linux-
> firmware.git.  Is any of this firmware vulnerable?

according to this comment [1] at least 43438 is affected.

[1] - https://github.com/raspberrypi/linux/issues/1342#issuecomment-321221748

> 
> Ben.
> 
> -- 
> Ben Hutchings
> Teamwork is essential - it allows you to blame someone else.

Re: CVE-2017-9417 and brcmfmac

[Arend van Spriel]

On 27-08-17 17:14, Ben Hutchings wrote:
> The CVE-2017-9417 aka "Broadpwn" vulnerability is said to affect the
> firmware for various Broadcom BCM43xx wifi chips, some of which are
> supported by the in-tree brcmfmac driver and firmware in linux-
> firmware.git.
>
> The bcmdhd driver for Android was patched to improve validation of
> events from the firmware:
> https://android.googlesource.com/kernel/msm.git/+/android-6.0.1_r0.92%5E!/
> But the event handling code in
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c still seems to
> lack most of those checks.  Should it be patched?

brcmfmac already has those checks is place [1]. Over a year ago a number 
of extra checks were added with commit 0aedbcaf6f18 ("brcmfmac: Add 
length checks on firmware events") [2].

> I also haven't seen any related updates for BCM43xx firmware in linux-
> firmware.git.  Is any of this firmware vulnerable?

As to firmware it has been brought up that we have quite a collection in 
linux-firmware, but quite a few are EOL. So for now the decision made 
has been to update firmware for bcm43430, bcm4354, bcm4356, and bcm4358. 
For SDIO and USB devices business has moved to Cypress so I will contact 
them to query about their plans. As Stephen indicated they released new 
firmware for bcm43438, which is used in RPi3/ZeroW.

Regards,
Arend

[1] 
http://elixir.free-electrons.com/linux/latest/source/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h#L306
[2] 
https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git/commit/?id=0aedbcaf6f18