New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 740776 link

Starred by 1 user
Status: Archived
Owner:
jorgelo@chromium.org
Closed: Jul 2017
Cc:
alex.c...@broadcom.com
snanda@chromium.org
vijay.na...@broadcom.com
vwang@chromium.org
mnissler@chromium.org
sen-wen....@broadcom.com
dmitrygr@google.com
alberto@chromium.org
cernekee@chromium.org
josa...@chromium.org
terry-ht...@broadcom.com
gareth.w...@broadcom.com
larry.me...@broadcom.com
saintlou@google.com
josa...@google.com
puneetster@google.com
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 0
Type: Bug-Security



Sign in to add a comment

Security: BroadPwn bug on Broadcom WiFi chipsets (CVE-2017-9417)

Project Member Reported by jorgelo@chromium.org, Jul 11 2017

Comment 1 by terry-ht...@broadcom.com, Jul 11 2017 

Hi Sir,

Attach firmware is 7.35.79.109 which based on 7.35.79.108 and apply "android security patchCVE-2017-9417". Below is patch description.

FIX:
- Check the length of the WMM_IE which is sent as a Vendor specific IE in IE parse framework
- Clear the WME states in CFG/SCB and return BCME_OK for further processing of the frame"

Thanks.
Terry
brcmfmac4354-sdio.bin
589 KB Download

Comment 2 by mnissler@chromium.org, Jul 11 2017 

Thanks for the prompt upload.
Project Member

Comment 3 by sheriffbot@chromium.org, Jul 11 2017

Labels: M-59
Project Member

Comment 4 by sheriffbot@chromium.org, Jul 11 2017

Labels: ReleaseBlock-Beta
This is a critical security issue. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by sheriffbot@chromium.org, Jul 11 2017

Status: Assigned (was: Unconfirmed)

Comment 6 by jorgelo@chromium.org, Jul 11 2017 

Thanks! Are 4354 devices the only ones affected?

Comment 7 by mnissler@chromium.org, Jul 11 2017 

To the best of my knowledge we only have 4354 in Chrome OS hardware.

Comment 8 by jorgelo@chromium.org, Jul 11 2017 

https://chromium-review.googlesource.com/c/563739/ is the firmwmare update.
Project Member

Comment 9 by bugdroid1@chromium.org, Jul 13 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/linux-firmware/+/aa91014b7b6971575048db1f2b15258de31225db

commit aa91014b7b6971575048db1f2b15258de31225db
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Thu Jul 13 18:44:44 2017

Update brcmfmac4354-sdio firmware to v7.35.79.109.

This fixes CVE-2017-9417.

BUG= chromium:740776 
TEST=Connect to open WiFi, 2.4 GHz.
TEST=Connect to open WiFi, 5 GHz.
TEST=Connect to encrypted WiFi.

Change-Id: If24e3899cc9c29d97d46234daeeeb4f42330f863
Reviewed-on: https://chromium-review.googlesource.com/566888
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/aa91014b7b6971575048db1f2b15258de31225db/brcm/brcmfmac4354-sdio.bin

Comment 10 by jorgelo@chromium.org, Jul 13 2017

Labels: Merge-Request-60 Merge-Request-59
We'll let this bake over a couple of canaries but we need to merge this back.
Project Member

Comment 11 by sheriffbot@chromium.org, Jul 13 2017

Labels: -Merge-Request-60 Hotlist-Merge-Review Merge-Review-60
This bug requires manual review: We are only 11 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 12 by jorgelo@chromium.org, Jul 13 2017

Cc: josa...@chromium.org
Adding Josafat.
Project Member

Comment 13 by sheriffbot@chromium.org, Jul 14 2017

Status: Fixed (was: Assigned)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 14 by sheriffbot@chromium.org, Jul 15 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 15 by josa...@chromium.org, Jul 19 2017

Labels: -M-59 -Merge-Request-59 -Merge-Review-60 M-60 Merge-Approved-60
Approved for M60 and removing M59 since no more releases plan for it
Project Member

Comment 16 by bugdroid1@chromium.org, Jul 24 2017

Labels: merge-merged-release-R60-9592.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/linux-firmware/+/125c30c10407b5aec05642abea84779fa9e675bd

commit 125c30c10407b5aec05642abea84779fa9e675bd
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Mon Jul 24 14:48:39 2017

Update brcmfmac4354-sdio firmware to v7.35.79.109.

This fixes CVE-2017-9417.

BUG= chromium:740776 
TEST=Connect to open WiFi, 2.4 GHz.
TEST=Connect to open WiFi, 5 GHz.
TEST=Connect to encrypted WiFi.

Change-Id: If24e3899cc9c29d97d46234daeeeb4f42330f863
Reviewed-on: https://chromium-review.googlesource.com/566888
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
(cherry picked from commit aa91014b7b6971575048db1f2b15258de31225db)
Reviewed-on: https://chromium-review.googlesource.com/583267
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/125c30c10407b5aec05642abea84779fa9e675bd/brcm/brcmfmac4354-sdio.bin

Comment 17 by jorgelo@chromium.org, Jul 24 2017 

This is now complete.
Project Member

Comment 18 by sheriffbot@chromium.org, Jul 24 2017 

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 19 by jorgelo@chromium.org, Jul 24 2017

Labels: -Merge-Approved-60

Comment 20 by jorgelo@chromium.org, Jul 26 2017

Cc: dmitrygr@google.com
Project Member

Comment 21 by sheriffbot@chromium.org, Oct 22 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 22 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)

Comment 23 by yoshi@chromium.org, Aug 14

Cc: -yoshi@chromium.org

Sign in to add a comment