The CVE-2017-9417 aka "Broadpwn" vulnerability is said to affect the
firmware for various Broadcom BCM43xx wifi chips, some of which are
supported by the in-tree brcmfmac driver and firmware in linux-
firmware.git.
The bcmdhd driver for Android was patched to improve validation of
events from the firmware:
https://android.googlesource.com/kernel/msm.git/+/android-6.0.1_r0.92%5E!/
But the event handling code in
drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c still seems to
lack most of those checks. Should it be patched?
I also haven't seen any related updates for BCM43xx firmware in linux-
firmware.git. Is any of this firmware vulnerable?
Ben.
--
Ben Hutchings
Teamwork is essential - it allows you to blame someone else.
On 27-08-17 17:14, Ben Hutchings wrote:
> The CVE-2017-9417 aka "Broadpwn" vulnerability is said to affect the
> firmware for various Broadcom BCM43xx wifi chips, some of which are
> supported by the in-tree brcmfmac driver and firmware in linux-
> firmware.git.
>
> The bcmdhd driver for Android was patched to improve validation of
> events from the firmware:
> https://android.googlesource.com/kernel/msm.git/+/android-6.0.1_r0.92%5E!/
> But the event handling code in
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c still seems to
> lack most of those checks. Should it be patched?
brcmfmac already has those checks is place [1]. Over a year ago a number
of extra checks were added with commit 0aedbcaf6f18 ("brcmfmac: Add
length checks on firmware events") [2].
> I also haven't seen any related updates for BCM43xx firmware in linux-
> firmware.git. Is any of this firmware vulnerable?
As to firmware it has been brought up that we have quite a collection in
linux-firmware, but quite a few are EOL. So for now the decision made
has been to update firmware for bcm43430, bcm4354, bcm4356, and bcm4358.
For SDIO and USB devices business has moved to Cypress so I will contact
them to query about their plans. As Stephen indicated they released new
firmware for bcm43438, which is used in RPi3/ZeroW.
Regards,
Arend
[1]
http://elixir.free-electrons.com/linux/latest/source/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h#L306
[2]
https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git/commit/?id=0aedbcaf6f18
Hi Ben,
> Ben Hutchings <[email protected]> hat am 27. August 2017 um 17:14 geschrieben:
>
>
> The CVE-2017-9417 aka "Broadpwn" vulnerability is said to affect the
> firmware for various Broadcom BCM43xx wifi chips, some of which are
> supported by the in-tree brcmfmac driver and firmware in linux-
> firmware.git.
>
> The bcmdhd driver for Android was patched to improve validation of
> events from the firmware:
> https://android.googlesource.com/kernel/msm.git/+/android-6.0.1_r0.92%5E!/
> But the event handling code in
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c still seems to
> lack most of those checks. Should it be patched?
>
> I also haven't seen any related updates for BCM43xx firmware in linux-
> firmware.git. Is any of this firmware vulnerable?
according to this comment [1] at least 43438 is affected.
[1] - https://github.com/raspberrypi/linux/issues/1342#issuecomment-321221748
>
> Ben.
>
> --
> Ben Hutchings
> Teamwork is essential - it allows you to blame someone else.