Issue 751062 link

Starred by 1 user

Issue metadata

Status: Archived
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security




CVE-2017-7541: CrOS: Vulnerability reported in Linux kernel

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Aug 1 2017

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2017-7541
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-7541
  CVSS severity score: 7.2/10.0
  Description:

The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel before 4.12.3 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet.



This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.

 
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)
Labels: Security_Severity-Medium Security_Impact-Stable M-61 Pri-2
Summary: CVE-2017-7541: CrOS: Vulnerability reported in Linux kernel (was: CrOS: Vulnerability reported in Linux kernel)
Status: Started (was: Assigned)
Upstream 8f44c9a413867 ("brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()"). 
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 3 2017

Labels: -Pri-2 Pri-1
Project Member

Comment 5 by bugdroid1@chromium.org, Aug 3 2017

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/208749146516ab962a25067f8c4b833d7466a266

commit 208749146516ab962a25067f8c4b833d7466a266
Author: Arend van Spriel <arend.vanspriel@broadcom.com>
Date: Thu Aug 03 13:52:02 2017

UPSTREAM: brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()

The lower level nl80211 code in cfg80211 ensures that "len" is between
25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
"len" so that's a max of 2280.  However, the action_frame->data[] buffer is
only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
overflow.

	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
	       le16_to_cpu(action_frame->len));

BUG= chromium:751062 
TEST=Build and run

Change-Id: I09f04a51f707b80e658b2469928fb49fc8d0796e
Cc: stable@vger.kernel.org # 3.9.x
Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
Reported-by: "freenerguo()" <freenerguo@tencent.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 8f44c9a413867)
Reviewed-on: https://chromium-review.googlesource.com/598117
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/208749146516ab962a25067f8c4b833d7466a266/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
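
The window the commit message describes, worked through in C as an added illustration that is not part of the bug report or the driver's code: nl80211 already bounds "len" to 25..2304, the driver subtracts the 24-byte 802.11 header, but data[] only holds 1800 bytes, so any accepted length above 1824 overruns the copy. The struct and the helper names are assumptions; the constants are the ones quoted above, and the check mirrors the shape of the bounds test a fix of this kind needs before the memcpy().

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes quoted in the commit message above. */
#define DOT11_MGMT_HDR_LEN          24
#define BRCMF_FIL_ACTION_FRAME_SIZE 1800
#define NL80211_FRAME_MIN_LEN       25   /* nl80211 lower bound on "len" */
#define NL80211_FRAME_MAX_LEN       2304 /* nl80211 upper bound on "len" */

/* Simplified stand-in for the driver's action-frame buffer (assumption;
 * the real structure carries more fields than this). */
struct action_frame {
    uint16_t len;
    uint8_t  data[BRCMF_FIL_ACTION_FRAME_SIZE];
};

/* Returns 1 if a frame length that nl80211 would pass through makes the
 * unchecked memcpy() write past the end of data[], 0 otherwise. */
int unchecked_copy_overflows(size_t len)
{
    if (len < NL80211_FRAME_MIN_LEN || len > NL80211_FRAME_MAX_LEN)
        return 0; /* nl80211 never hands such a length to the driver */
    return (len - DOT11_MGMT_HDR_LEN) > BRCMF_FIL_ACTION_FRAME_SIZE;
}

/* Hardened copy (illustrative helper, not driver code): validate the full
 * frame length against header + payload capacity before touching the
 * buffer. Returns 0 on success, -EINVAL when the payload cannot fit. */
int copy_action_frame(struct action_frame *af, const uint8_t *buf, size_t len)
{
    if (len < NL80211_FRAME_MIN_LEN ||
        len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN)
        return -EINVAL;
    af->len = (uint16_t)(len - DOT11_MGMT_HDR_LEN);
    memcpy(af->data, &buf[DOT11_MGMT_HDR_LEN], af->len);
    return 0;
}
```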

Project Member

Comment 6 by sheriffbot@chromium.org, Aug 4 2017

Status: Fixed (was: Started)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 7 by sheriffbot@chromium.org, Aug 5 2017

Labels: Restrict-View-SecurityNotify

Comment 8 by groeck@chromium.org, Aug 14 2017

Labels: Merge-Request-61
Project Member

Comment 9 by sheriffbot@chromium.org, Aug 14 2017

Labels: -Merge-Request-61 Merge-Review-61 Hotlist-Merge-Review
This bug requires manual review: M61 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-61 Merge-Approved-61
Approving merge to M61 Chrome OS.
Project Member

Comment 11 by sheriffbot@chromium.org, Aug 18 2017

Cc: keta...@chromium.org
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Hotlist-Merge-Review -Merge-Approved-61
Project Member

Comment 13 by bugdroid1@chromium.org, Aug 18 2017

Labels: merge-merged-release-R61-9765.B-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5379824e0fa66ba8a163c52c634cb962341d319b

commit 5379824e0fa66ba8a163c52c634cb962341d319b
Author: Arend van Spriel <arend.vanspriel@broadcom.com>
Date: Fri Aug 18 15:37:55 2017

UPSTREAM: brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()

The lower level nl80211 code in cfg80211 ensures that "len" is between
25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
"len" so that's a max of 2280.  However, the action_frame->data[] buffer is
only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
overflow.

	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
	       le16_to_cpu(action_frame->len));

BUG= chromium:751062 
TEST=Build and run

Change-Id: I09f04a51f707b80e658b2469928fb49fc8d0796e
Cc: stable@vger.kernel.org # 3.9.x
Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
Reported-by: "freenerguo()" <freenerguo@tencent.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 8f44c9a413867)
Reviewed-on: https://chromium-review.googlesource.com/598117
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 208749146516ab962a25067f8c4b833d7466a266)
Reviewed-on: https://chromium-review.googlesource.com/620847

[modify] https://crrev.com/5379824e0fa66ba8a163c52c634cb962341d319b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c

Project Member

Comment 14 by sheriffbot@chromium.org, Nov 10 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 15 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)
