Bug 624970 (CVE-2017-9417) - <sys-kernel/linux-firmware-20171123 broadpwn remote code execution (CVE-2017-9417)
Status: RESOLVED FIXED
Alias: CVE-2017-9417
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-14 11:18 UTC by Luke-Jr
Modified: 2020-06-11 21:27 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---

Description Luke-Jr 2017-07-14 11:18:56 UTC
/lib/firmware/brcm/brcmfmac4358-pcie.bin appears to be the relevant firmware, and is currently dated 2016-09-13 prior to the vulnerability fix.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 20:54:11 UTC
Thank you, the security-kernel project handles kernel-related vulnerabilities.

Gentoo Security Padawan
ChrisADR
Comment 2 Chí-Thanh Christopher Nguyễn gentoo-dev 2019-09-26 10:13:47 UTC
What needs to be done here? All vulnerable versions are gone long ago from the tree. Should users be informed?
Comment 3 Luke-Jr 2019-09-26 12:41:27 UTC
Are you sure it's fixed?

https://leeneubecker.com/raspberry-pi-patch-to-protect-against-broadpwn-pre-released/ indicates the fix was part of a 2017-08-08 firmware, yet sys-kernel/linux-firmware-20190815 still has a Broadcom firmware dated 2017-06-02...
Comment 4 Chí-Thanh Christopher Nguyễn gentoo-dev 2019-09-26 13:21:44 UTC
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=17e6288135d4500f9fe60224dce2b46d850c346b
says that CVE-2017-9417 is fixed for brcmfmac4358-pcie.bin since 2017-11-25
(also this was fixed for bcm4354 and bcm4356 on the same day)

Maybe I'm missing something. Which chipset/firmware file is still vulnerable to broadpwn?
Comment 5 Luke-Jr 2019-09-26 17:12:58 UTC
# strings /lib/firmware/brcm/brcmfmac4358-pcie.bin | grep Date:
4358a3-roml/pcie-ag-p2p-pno-aoe-pktfilter-keepalive-sr-mchan-pktctx-hostpp-lpc-pwropt-txbf-wl11u-mfp-betdls-amsdutx5g-txpwr-rcc-wepso-sarctrl-btcdyn-xorcsum-proxd-gscan-linkstat-ndoe-hs20sta-oobrev-hchk-logtrace-rmon-apf-d11status-fie Version: 7.112.300.12 (r702724) CRC: 8fadde44 Date: Fri 2017-06-02 17:28:25 PDT Ucode Ver: 963.317 FWID: 01-f92b9ce0
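As an added example (not code from this bug report or from the linux-firmware project), the check below parses the build banner shown above straight out of a brcmfmac image and flags builds older than a chosen cutoff, rather than eyeballing `strings` output. The `brcmfmac*.bin` glob and the 2017-11-25 cutoff (the date comment 4 gives for the fixed images landing in linux-firmware) are assumptions; the sample image is constructed around the banner quoted in this comment.

```python
import re
from datetime import date
from pathlib import Path

# Broadcom embeds a build banner in brcmfmac firmware images; this regex matches the
# layout shown by `strings brcmfmac4358-pcie.bin | grep Date:` in comment 5.
BANNER_RE = re.compile(
    rb"Version: (?P<version>[0-9.]+) \(r(?P<rev>\d+)\) CRC: (?P<crc>[0-9a-f]+) "
    rb"Date: [A-Za-z]{3} (?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} [A-Za-z]+"
)

# Constructed stand-in for a firmware image: opaque bytes around the banner copied
# from the bug (a real 4358 image is several hundred KB of code and data).
SAMPLE_IMAGE = (
    b"\x00\x13\x37" * 8
    + b"4358a3-roml/pcie-ag-p2p Version: 7.112.300.12 (r702724) CRC: 8fadde44 "
    b"Date: Fri 2017-06-02 17:28:25 PDT Ucode Ver: 963.317 FWID: 01-f92b9ce0"
    + b"\x00\xff" * 8
)


def parse_banner(image: bytes):
    """Return version, SVN revision, CRC and build date from a brcmfmac image, or None."""
    m = BANNER_RE.search(image)
    if m is None:
        return None
    return {
        "version": m["version"].decode(),
        "revision": int(m["rev"]),
        "crc": m["crc"].decode(),
        "build_date": date.fromisoformat(m["date"].decode()),
    }


def built_before(image: bytes, cutoff: str):
    """True if the embedded build date precedes cutoff (ISO date); None if no banner."""
    info = parse_banner(image)
    if info is None:
        return None
    return info["build_date"] < date.fromisoformat(cutoff)


def scan_firmware_dir(directory="/lib/firmware/brcm", cutoff="2017-11-25"):
    """List (file, version, build date) for every brcmfmac image predating the cutoff."""
    findings = []
    for path in sorted(Path(directory).glob("brcmfmac*.bin")):  # assumed naming
        info = parse_banner(path.read_bytes())
        if info and info["build_date"] < date.fromisoformat(cutoff):
            findings.append((path.name, info["version"], info["build_date"].isoformat()))
    return findings


if __name__ == "__main__":
    for name, version, built in scan_firmware_dir():
        print(f"{name}: version {version} built {built}, predates cutoff")
```

A build date older than the cutoff only says the blob predates the fixed release in linux-firmware; as comment 6 notes for the 2017-06-02 4358 build, whether a given image actually contains the vulnerable code needs per-image analysis.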
Comment 6 Chí-Thanh Christopher Nguyễn gentoo-dev 2019-09-26 20:28:28 UTC
Someone did an analysis on the bcm4358 and found the firmware dated 2017-06-02 not vulnerable to broadpwn:
http://boosterok.com/blog/broadpwn/
using a slightly different version though
Comment 7 Chí-Thanh Christopher Nguyễn gentoo-dev 2019-09-26 20:39:36 UTC
Anyway, nothing for the kernel team to do here; the exploit is for the firmware which runs inside the Broadcom wifi chip.
Comment 8 Luke-Jr 2019-09-26 21:05:14 UTC
(In reply to Chí-Thanh Christopher Nguyễn from comment #7)
> Anyway, nothing for kernel team to do here, the exploit is for the firmware
> which runs inside the Broadcom wifi chip.

But the firmware is part of sys-kernel/linux-firmware, which has metadata.xml making it part of the kernel project?
Comment 9 Chí-Thanh Christopher Nguyễn gentoo-dev 2019-09-26 21:17:04 UTC
Thinko, I meant kernel security team.

But following bump and cleanup, the security team and not the maintainers take it from there.
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-11 21:27:33 UTC
[22:25:34]  <ajak> 20171009 and 20171123 removed jan 2018

This should've had a GLSA, but bit late now. Closing, thanks ajak.