New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Security: Broadcom WiFi firmware vulnerabilities CVE-2017-11122 CVE-2017-11120

Project Member Reported by mnissler@chromium.org, Sep 6 2017 
Two more firmware vulnerabilities. One of them allows an OOB write to the firmware heap, so can be potentially exploited to achieve code execution in the firmware context.

Only mitigating factor is that our bcm 4354 chips don't have DMA capability, so the attacker can't trivially escalate to full system compromise. Setting Severity-High, Impact-Stable.

We'll require an updated firmware binary from Broadcom to fix this.
Project Member

Comment 1 by sheriffbot@chromium.org, Sep 6 2017

Labels: -M-60 M-61

Comment 2 by snanda@chromium.org, Sep 6 2017

Cc: cernekee@chromium.org

Comment 3 by mnissler@chromium.org, Sep 7 2017

Cc: keta...@chromium.org

Comment 4 by terry-ht...@broadcom.com, Sep 8 2017 

firmware release change list :

1. V2017062001 - NDOE missing IPv6 payload length check 
2. V2017061204 - Neighbor Report IE Validation
3. V2017061401 - Fix for integer overflow and missing length check during md ie length caclulation

Thanks.
Terry
7.81.3_brcmfmac4354-sdio.bin
589 KB Download

Comment 5 by mnissler@chromium.org, Sep 11 2017

Cc: -har@google.com harpreet@chromium.org josa...@chromium.org dchan@chromium.org
CL is here: https://chromium-review.googlesource.com/c/chromiumos/third_party/linux-firmware/+/657760

Comment 6 by mnissler@chromium.org, Sep 12 2017 

 Issue 760549  has been merged into this issue.

Comment 7 by mnissler@chromium.org, Sep 12 2017 

 Issue 761785  has been merged into this issue.

Comment 8 by mnissler@chromium.org, Sep 12 2017

Labels: Merge-Request-61 Merge-Request-62
Filing merge requests here after merging bugs. CL still pending at https://chromium-review.googlesource.com/c/chromiumos/third_party/linux-firmware/+/657760
Project Member

Comment 9 by sheriffbot@chromium.org, Sep 12 2017

Labels: -Merge-Request-61 Merge-Review-61 Hotlist-Merge-Review
This bug requires manual review: Request affecting a post-stable build
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 10 by sheriffbot@chromium.org, Sep 12 2017

Status: Fixed (was: Assigned)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 11 by mnissler@chromium.org, Sep 12 2017

Status: Started (was: Fixed)
Project Member

Comment 12 by bugdroid1@chromium.org, Sep 12 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/linux-firmware/+/343fb0c700335650183edd0f6ed46a3ebc01501e

commit 343fb0c700335650183edd0f6ed46a3ebc01501e
Author: Mattias Nissler <mnissler@chromium.org>
Date: Tue Sep 12 20:03:22 2017

Update brcmfmac4354 firmware to version 7.81.3

BUG= chromium:762487 
TEST=WiFi connection successful with new firmware.

Change-Id: I7c4dd309cb55aa0577c8d13e165e658e84a89cc5
Reviewed-on: https://chromium-review.googlesource.com/657760
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>

[modify] https://crrev.com/343fb0c700335650183edd0f6ed46a3ebc01501e/brcm/brcmfmac4354-sdio.bin

Comment 13 by ketakid@google.com, Sep 12 2017

Labels: -Merge-Review-61 Merge-Approved-61
Approving merge to M61 and M62. Please merge to M62 before you merge to M61. Please explore an M60 option with Josafat if the timelines do not work for you.

Comment 14 by harpreet@chromium.org, Sep 12 2017

Cc: aashuto...@chromium.org
aashutoshk@ - please sanity test a Broadcom 4354 device with this fix.
Project Member

Comment 15 by sheriffbot@chromium.org, Sep 13 2017

Labels: -Merge-Request-62 Hotlist-Merge-Approved Merge-Approved-62
Your change meets the bar and is auto-approved for M62. Please go ahead and merge the CL to branch 3202 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 16 by bugdroid1@chromium.org, Sep 13 2017

Labels: merge-merged-release-R62-9901.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/linux-firmware/+/3ab674a3be97a52df9325a67a1c0512757302cf7

commit 3ab674a3be97a52df9325a67a1c0512757302cf7
Author: Mattias Nissler <mnissler@chromium.org>
Date: Wed Sep 13 09:54:02 2017

Update brcmfmac4354 firmware to version 7.81.3

BUG= chromium:762487 
TEST=WiFi connection successful with new firmware.

Change-Id: I11aa11b6f6f98f5aa595b2052176d1c3c449fb26
Reviewed-on: https://chromium-review.googlesource.com/663868
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/3ab674a3be97a52df9325a67a1c0512757302cf7/brcm/brcmfmac4354-sdio.bin
Project Member

Comment 17 by bugdroid1@chromium.org, Sep 13 2017

Labels: merge-merged-release-R61-9765.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/linux-firmware/+/e36184bb1f25c3471b3280134853038a2a5a0b07

commit e36184bb1f25c3471b3280134853038a2a5a0b07
Author: Mattias Nissler <mnissler@chromium.org>
Date: Wed Sep 13 09:56:13 2017

Update brcmfmac4354 firmware to version 7.81.3

BUG= chromium:762487 
TEST=WiFi connection successful with new firmware.

Change-Id: I11aa11b6f6f98f5aa595b2052176d1c3c449fb26
Reviewed-on: https://chromium-review.googlesource.com/663869
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/e36184bb1f25c3471b3280134853038a2a5a0b07/brcm/brcmfmac4354-sdio.bin

Comment 18 by mnissler@chromium.org, Sep 13 2017

Labels: -Merge-Approved-61 -Merge-Approved-62
Merged to 62 and 61.

Comment 19 by mnissler@chromium.org, Sep 13 2017

Status: Fixed (was: Started)
Project Member

Comment 20 by sheriffbot@chromium.org, Sep 13 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 21 by mnissler@chromium.org, Sep 19 2017

Labels: -M-61 M-60 Merge-Request-60
An M60 refresh seems possible now, so filing formal merge request to make sure this is on Josafat's radar.

Comment 22 by cernekee@chromium.org, Sep 19 2017 

I've been holding off on a merge because there are still a few more patches under review, would appreciate a +2 (or reply on the public list with comments):

https://chromium-review.googlesource.com/q/topic:%22brcmfmac-762487%22+(status:open%20OR%20status:merged)

Comment 23 by cernekee@chromium.org, Sep 19 2017 

I did test minnie canary this past weekend and verified that the patches currently in the tree did not totally break wifi.
Project Member

Comment 24 by sheriffbot@chromium.org, Sep 20 2017

Labels: -M-60 M-61
Project Member

Comment 25 by sheriffbot@chromium.org, Oct 18 2017

Labels: -M-61 M-62
Project Member

Comment 26 by sheriffbot@chromium.org, Dec 7 2017

Labels: -M-62 M-63
Project Member

Comment 27 by sheriffbot@chromium.org, Dec 20 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 28 by sheriffbot@chromium.org, Jan 25 2018

Labels: -M-63 M-64
Project Member

Comment 29 by sheriffbot@chromium.org, Mar 7 2018

Labels: -M-64 M-65
Project Member

Comment 30 by sheriffbot@chromium.org, Apr 19 2018

Labels: -M-65 M-66
Project Member

Comment 31 by sheriffbot@chromium.org, May 30 2018

Labels: -M-66 M-67
Project Member

Comment 32 by sheriffbot@chromium.org, Jul 25

Labels: -M-67 Target-68 M-68
Project Member

Comment 33 by sheriffbot@chromium.org, Sep 5

Labels: -M-68 M-69 Target-69
Project Member

Comment 34 by sheriffbot@chromium.org, Oct 17

Labels: -M-69 Target-70 M-70
Project Member

Comment 35 by sheriffbot@chromium.org, Dec 5

Labels: -M-70 Target-71 M-71

Comment 36 by mnissler@chromium.org, Dec 6

Labels: -Merge-Request-60
Dropping stale merge request in an attempt to silence sheriffbot

Sign in to add a comment