New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 1 user
Status: Fixed
Owner:
Closed: Jul 14
Cc:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 0
Type: Bug-Security



Sign in to add a comment
Security: BroadPwn bug on Broadcom WiFi chipsets (CVE-2017-9417)
Project Member Reported by jorgelo@chromium.org, Jul 11 Back to list
Hi Sir,

Attach firmware is 7.35.79.109 which based on 7.35.79.108 and apply "android security patchCVE-2017-9417". Below is patch description.

FIX:
- Check the length of the WMM_IE which is sent as a Vendor specific IE in IE parse framework
- Clear the WME states in CFG/SCB and return BCME_OK for further processing of the frame"

Thanks.
Terry

brcmfmac4354-sdio.bin
589 KB Download
Thanks for the prompt upload.
Project Member Comment 3 by sheriffbot@chromium.org, Jul 11
Labels: M-59
Project Member Comment 4 by sheriffbot@chromium.org, Jul 11
Labels: ReleaseBlock-Beta
This is a critical security issue. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 5 by sheriffbot@chromium.org, Jul 11
Status: Assigned
Thanks! Are 4354 devices the only ones affected?
To the best of my knowledge we only have 4354 in Chrome OS hardware.
Project Member Comment 9 by bugdroid1@chromium.org, Jul 13
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/linux-firmware/+/aa91014b7b6971575048db1f2b15258de31225db

commit aa91014b7b6971575048db1f2b15258de31225db
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Thu Jul 13 18:44:44 2017

Update brcmfmac4354-sdio firmware to v7.35.79.109.

This fixes CVE-2017-9417.

BUG= chromium:740776 
TEST=Connect to open WiFi, 2.4 GHz.
TEST=Connect to open WiFi, 5 GHz.
TEST=Connect to encrypted WiFi.

Change-Id: If24e3899cc9c29d97d46234daeeeb4f42330f863
Reviewed-on: https://chromium-review.googlesource.com/566888
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/aa91014b7b6971575048db1f2b15258de31225db/brcm/brcmfmac4354-sdio.bin

Labels: Merge-Request-60 Merge-Request-59
We'll let this bake over a couple of canaries but we need to merge this back.
Project Member Comment 11 by sheriffbot@chromium.org, Jul 13
Labels: -Merge-Request-60 Hotlist-Merge-Review Merge-Review-60
This bug requires manual review: We are only 11 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: josa...@chromium.org
Adding Josafat.
Project Member Comment 13 by sheriffbot@chromium.org, Jul 14
Status: Fixed
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 14 by sheriffbot@chromium.org, Jul 15
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -M-59 -Merge-Request-59 -Merge-Review-60 M-60 Merge-Approved-60
Approved for M60 and removing M59 since no more releases plan for it
Project Member Comment 16 by bugdroid1@chromium.org, Jul 24
Labels: merge-merged-release-R60-9592.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/linux-firmware/+/125c30c10407b5aec05642abea84779fa9e675bd

commit 125c30c10407b5aec05642abea84779fa9e675bd
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Mon Jul 24 14:48:39 2017

Update brcmfmac4354-sdio firmware to v7.35.79.109.

This fixes CVE-2017-9417.

BUG= chromium:740776 
TEST=Connect to open WiFi, 2.4 GHz.
TEST=Connect to open WiFi, 5 GHz.
TEST=Connect to encrypted WiFi.

Change-Id: If24e3899cc9c29d97d46234daeeeb4f42330f863
Reviewed-on: https://chromium-review.googlesource.com/566888
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
(cherry picked from commit aa91014b7b6971575048db1f2b15258de31225db)
Reviewed-on: https://chromium-review.googlesource.com/583267
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/125c30c10407b5aec05642abea84779fa9e675bd/brcm/brcmfmac4354-sdio.bin

This is now complete.
Project Member Comment 18 by sheriffbot@chromium.org, Jul 24
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Approved-60
Cc: dmitrygr@google.com
Project Member Comment 21 by sheriffbot@chromium.org, Oct 22
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sign in to add a comment