CVE-2017-9417 firmware fix with b43-fwcutter?

CVE-2017-9417 firmware fix with b43-fwcutter?

[Drew Scott Daniels]

Hi,
Is there newer firmware that fixes the CVE-2017-9417 vulnerability or does
it not apply to devices supported by this driver? If there is a different
CVE not released you can say that this doesn't apply. Is there newer
firmware in pre-release (e.g. brcmfw_170808.tgz)or is that firmware
unrelated (e.g. just for the BCM43430 that isn't listed as supported)?

https://blog.exodusintel.com/2017/07/26/broadpwn/ indicates the
vulnerabilities are focused in HardMAC and seems to imply that SoftMAC isn't
vulnerable (at least on the firmware side as the vulnerability is in the MAC
code). The models listed as affected on that site are BCM4339 through
BCM4361 though it seems others may be affected.

https://bugs.launchpad.net/ubuntu/+source/linux-firmware/+bug/1713276 says:
Cypress (was Broadcom) have given the Raspberry Pi foundation new releases
of the WiFi and Bluetooth firmware to fix the problem. See
https://github.com/raspberrypi/linux/issues/1342#issuecomment-321221748

Debian is tracking a related bug at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869639

Thanks,

     Drew Daniels
Blog: http://www.boxheap.net/ddaniels/blog

CVE-2017-9417 firmware fix with b43-fwcutter?

[Chris Bainbridge]

On 6 September 2017 at 06:58, Drew Scott Daniels
<ddaniels@umalumni.mb.ca> wrote:
>
> Hi,
> Is there newer firmware that fixes the CVE-2017-9417 vulnerability or does
> it not apply to devices supported by this driver?

Gal Beniamini confirmed that he could reproduce the crash used in his
exploit with the standard Linux firmware - https://goo.gl/MWiD3C

CVE-2017-9417 firmware fix with b43-fwcutter?

[Larry Finger]

On 09/06/2017 12:58 AM, Drew Scott Daniels wrote:
> Hi,
> Is there newer firmware that fixes the CVE-2017-9417 vulnerability or does
> it not apply to devices supported by this driver? If there is a different
> CVE not released you can say that this doesn't apply. Is there newer
> firmware in pre-release (e.g. brcmfw_170808.tgz)or is that firmware
> unrelated (e.g. just for the BCM43430 that isn't listed as supported)?
> 
> https://blog.exodusintel.com/2017/07/26/broadpwn/ indicates the
> vulnerabilities are focused in HardMAC and seems to imply that SoftMAC isn't
> vulnerable (at least on the firmware side as the vulnerability is in the MAC
> code). The models listed as affected on that site are BCM4339 through
> BCM4361 though it seems others may be affected.

For the devices handled by b43, I do not think that Broadpwm is a problem. As 
the blog states "On laptops and desktop computers, the WiFi chipset generally 
handles the PHY layer while the kernel driver is responsible for handling layer 
3 and above.". Of course, that exploit could be a problem for mac80211, but that 
would be true for all softmac devices. A second reason is that the b43 and 
b43legacy devices do not run a general-purpose on-board processor such as ARM. 
What they have is better described as a micro controller. That firmware would be 
hard to modify for an exploit.

Larry

CVE-2017-9417 firmware fix with b43-fwcutter?

[Vladis Dronov]

Hello,

I would join Drew in asking a question about CVE-2017-9417/Broadpwn.
My main concern is if this flaw in a firmware above can affect
laptop/desktop/server Linux systems?

So far I see two contradicting answers: "he could reproduce the crash
with the standard Linux firmware [on a mobile phone]" and "I do not
think that Broadpwm is a problem". Can someone please clarify?

I'm also trying to reach Broadcom guys via different channels with this
question, no reply for now. 

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

CVE-2017-9417 firmware fix with b43-fwcutter?

[Michael Büsch]

On Thu, 7 Sep 2017 14:04:55 -0400 (EDT)
Vladis Dronov <vdronov@redhat.com> wrote:

> I would join Drew in asking a question about CVE-2017-9417/Broadpwn.
> My main concern is if this flaw in a firmware above can affect
> laptop/desktop/server Linux systems?
> 
> So far I see two contradicting answers: "he could reproduce the crash
> with the standard Linux firmware [on a mobile phone]" and "I do not
> think that Broadpwm is a problem". Can someone please clarify?


Mobile phones often use FullMAC chips.

That means the chip runs a small operating system and a full 802.11
MLME stack. Usually referred to as "firmware".
This is not to be confused with the "microcode" or "ucode". The ucode
runs on a small sequencer in the 802.11 baseband processor.

FullMAC:	An ARM/MIPS core on the chip runs the 802.11 MLME stack.
		The 802.11 baseband core runs ucode.

SoftMAC:	The host system runs the 802.11 MLME stack.
		The 802.11 baseband core runs ucode.

So if the vulnerability is in the "firmware" and not in the "ucode",
the SoftMAC chips are not affected.

-- 
Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.infradead.org/pipermail/b43-dev/attachments/20170907/79aa4ac6/attachment.sig>