Security: Firmware bug in Broadcom WiFi firmware CVE-2017-7065
Issue description: Broadcom notified us about another security bug they refer to as "V2017061202 : missing length checks and buffer overrun related to gtk processing". A firmware update is forthcoming. Going by the description, this may allow remote code execution in the WiFi module, so setting Severity-High for now. Adding terry-ht.chen@broadcom.com to provide firmware. Terry, you can just upload the firmware file to this bug. Thanks!
Aug 31 2017
I have done some basic testing with the new firmware to verify it connects and transmits data. Here's a code change to pull it in: https://chromium-review.googlesource.com/c/chromiumos/third_party/linux-firmware/+/645546 Terry, can you provide more information on the vulnerability? Also, is there a CVE ID assigned to it? Thanks!
Sep 1 2017
Hi, it's CVE-2017-7065 (V2017061202), and there is only the description "missing length checks and buffer overrun related to gtk processing", which is fixed in our firmware. Thanks. Terry
Sep 1 2017
Terry, can you put us in contact with anyone who can provide more details on the vulnerability? We need more information in order to assess impact and severity, which in turn are important parameters when deciding on a shipping timeline for the fix.
Sep 1 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/linux-firmware/+/6ea9ba6c54b0531f8282a28386bdbaca37599140

commit 6ea9ba6c54b0531f8282a28386bdbaca37599140
Author: Mattias Nissler <mnissler@chromium.org>
Date: Fri Sep 01 10:04:51 2017

Update brcmfmac4353-sdio firmware to version 7.81.1

BUG=chromium:760549
TEST=WiFi still works with the new firmware.

Change-Id: I8d9079bf82f2b92b231eca5e16236146ec9ca432
Reviewed-on: https://chromium-review.googlesource.com/645546
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/6ea9ba6c54b0531f8282a28386bdbaca37599140/brcm/brcmfmac4354-sdio.bin
Sep 1 2017
Hi, we got the detailed information from the Google security team. Could you get more detailed information from him? He is a Google employee. ==> "My name is 'Gal Beniamini' and I'm a security researcher at Google's Project Zero." Thanks. Terry
Sep 4 2017
Adding Gal FYI. Assuming I understand Project Zero's disclosure policy correctly, they only disclose to upstream (in this case, Broadcom, or perhaps Android?). Regardless of Project Zero's disclosure policy, it'd help if Broadcom would share all available details when reporting vulnerabilities - even though Google may have the information somewhere, that does not necessarily mean it is accessible to the Chrome OS team or easy to locate. I've meanwhile been able to locate the full vulnerability report internally. Summary: Heap corruption via attacker-crafted frame causing heap corruption, potentially allowing RCE (although no POC exists that I'm aware of). As a result, we should back-merge to stable. Filing merge requests for M60 and M61.
Sep 4 2017
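The only technical detail this bug carries is the vendor's one-line description, "missing length checks and buffer overrun related to gtk processing", and the summary above of heap corruption via an attacker-crafted frame. As an added illustration of the class of defect, and not code from Broadcom, Chrome OS or this bug (the affected firmware source is not public and nothing here reproduces it), the C below is a hypothetical, bounds-checked parser for the GTK KDE carried in the Key Data field of an EAPOL-Key frame. The KDE layout follows IEEE 802.11 (Type 0xdd, Length, OUI 00-0F-AC, Data Type 1, a key-id/Tx byte, a reserved byte, then the key); the sample key data and the constant `GTK_MAX_LEN` are constructed for the example. The point is the two checks that a crafted frame will probe: the element's declared length is checked against the bytes actually received, and the key length against the fixed-size destination, before anything is copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Largest GTK the receiver will store (32 bytes covers TKIP/GCMP-256);
 * a KDE claiming a longer key is rejected instead of overrunning out->gtk. */
#define GTK_MAX_LEN 32

struct gtk_info {
    uint8_t key_id;
    uint8_t tx;
    size_t gtk_len;
    uint8_t gtk[GTK_MAX_LEN];
};

/* 802.11 RSN OUI; a GTK KDE is Type 0xdd, Length, OUI 00-0F-AC, Data Type 1. */
static const uint8_t RSN_OUI[3] = {0x00, 0x0f, 0xac};

/* Walk the Key Data field of an EAPOL-Key frame and extract the GTK KDE.
 * Returns 1 if a well-formed GTK KDE was found, 0 if none is present,
 * -1 if the data is malformed (element longer than the buffer, header
 * too short, or key larger than the destination). */
int parse_gtk_kde(const uint8_t *data, size_t len, struct gtk_info *out)
{
    size_t pos = 0;

    while (pos + 2 <= len) {
        uint8_t type = data[pos];
        uint8_t elen = data[pos + 1];
        const uint8_t *body = data + pos + 2;

        /* Check 1: the declared element length must fit the bytes received. */
        if (elen > len - pos - 2)
            return -1;

        if (type == 0xdd && elen >= 4 &&
            memcmp(body, RSN_OUI, 3) == 0 && body[3] == 1) {
            /* GTK KDE body: OUI(3) DataType(1) KeyID/Tx(1) Reserved(1) GTK(n) */
            if (elen < 6)
                return -1;
            size_t gtk_len = elen - 6;

            /* Check 2: the key must fit the fixed-size destination. */
            if (gtk_len == 0 || gtk_len > GTK_MAX_LEN)
                return -1;

            out->key_id = body[4] & 0x03;
            out->tx = (body[4] >> 2) & 0x01;
            out->gtk_len = gtk_len;
            memcpy(out->gtk, body + 6, gtk_len);
            return 1;
        }
        pos += 2 + (size_t)elen;
    }
    return 0; /* trailing padding bytes are ignored */
}

/* Constructed sample: one GTK KDE carrying a 16-byte key, key id 1, Tx clear. */
static const uint8_t SAMPLE_OK[] = {
    0xdd, 0x16, 0x00, 0x0f, 0xac, 0x01, 0x01, 0x00,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
};

/* Returns the parsed key length (16) when the sample is accepted with the
 * expected key id and key bytes, -1 otherwise. */
int demo_wellformed(void)
{
    struct gtk_info g;
    memset(&g, 0, sizeof g);
    if (parse_gtk_kde(SAMPLE_OK, sizeof SAMPLE_OK, &g) != 1)
        return -1;
    if (g.key_id != 1 || g.tx != 0 || g.gtk[0] != 0x10 || g.gtk[15] != 0x1f)
        return -1;
    return (int)g.gtk_len;
}

/* Length byte claims 64 bytes of body but only 6 follow: must return -1. */
int demo_truncated(void)
{
    static const uint8_t buf[] = {0xdd, 0x40, 0x00, 0x0f, 0xac, 0x01, 0x01, 0x00};
    struct gtk_info g;
    return parse_gtk_kde(buf, sizeof buf, &g);
}

/* Element is fully present but advertises a 40-byte key: must return -1
 * rather than copying 40 bytes into a 32-byte field. */
int demo_oversized(void)
{
    uint8_t buf[2 + 46];
    struct gtk_info g;
    memset(buf, 0x41, sizeof buf);
    buf[0] = 0xdd;
    buf[1] = 46;
    memcpy(buf + 2, RSN_OUI, 3);
    buf[5] = 1; /* data type: GTK */
    buf[6] = 2; /* key id 2 */
    buf[7] = 0;
    return parse_gtk_kde(buf, sizeof buf, &g);
}

int main(void)
{
    printf("well-formed: gtk_len=%d\n", demo_wellformed());
    printf("truncated:   %d\n", demo_truncated());
    printf("oversized:   %d\n", demo_oversized());
    return 0;
}
```

Both checks are cheap, but the second is the one that tends to be missing in embedded parsers: the element may be entirely inside the received frame and still declare a key longer than the slot it is copied into. In a WiFi firmware that slot lives on the module's heap, which is why the vendor's "missing length checks" maps to the "heap corruption" summary in this thread.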
This bug requires manual review: We are only 0 days from stable. Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 4 2017
Adding Sameer and Kirtika.
Sep 5 2017
Bernie is the TPM for 62.
Sep 6 2017
Merge approved for 62.
Sep 6 2017
Approving merge to M61.
Sep 6 2017
Manual sanity testing on Speedy R63-9913.0.0 https://wmatrix.googleplex.com/unfiltered?releases=tot&suites=wifi_matfunc&platforms=veyron_speedy,veyron_minnie,veyron_mickey&days_back=5&builds=R63-9904.0.0,R63-9913.0.0
Sep 7 2017
Note that there's another pending firmware update per issue 762487. I'll hold off with the merges for now until we have the final fixed firmware images.
Sep 11 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 12 2017
Duplicating since this is superseded by a subsequent firmware update.
Sep 15 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 15 2017
No merges required, firmware was updated and merged per issue 762487.
Dec 20 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by terry-ht...@broadcom.com, Aug 31 2017: firmware file attached (589 KB).