Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <2085299843.33841899.1500904419181.JavaMail.zimbra@redhat.com>
Date: Mon, 24 Jul 2017 09:53:39 -0400 (EDT)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-7541: Linux kernel: Memory corruption due to a buffer
 overflow in brcmf_cfg80211_mgmt_tx()

Hello,

Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx()
function in Linux kernels from v3.9-rc1 to v4.13-rc1. It can be triggered by sending
crafted NL80211_CMD_FRAME packet via netlink.

There was a research if this flaw could be triggered remotely, by sending packets on
the air, the result follows:

RX notification is regarding event send to a userspace program, which is
usually the "wpa_supplicant" or "hostapd". The userspace can register
in kernel via NL80211_CMD_REGISTER_FRAME to pass management frames to it.
This flaw would be remote exploitable if a userspace program registers to
receive some management frames and then pass it back to a kernel without
a modification. I'm not sure if any user space program do that, I think
"hostapd" or "wpa_supplicant" don't, but to be sure, it will require to
fully analyze theirs source code.
(Stanislaw Gruszka <sgruszka@...hat.com>)

So, this flaw is unlikely to be triggered remotely, as certain userspace code is needed
for this. An unprivileged local user could use this flaw to induce kernel memory corruption
on the system, leading to a crash. Due to the nature of the flaw, privilege escalation
cannot be fully ruled out, although we believe it is unlikely.

cvss3=6.8/CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
cwe=CWE-120

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1473198

https://bugzilla.novell.com/show_bug.cgi?id=1049645

https://www.spinics.net/lists/stable/msg180994.html

Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f44c9a41386729fea410e688959ddaa9d51be7c

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.