Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 24 Jul 2017 09:53:39 -0400 (EDT)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-7541: Linux kernel: Memory corruption due to a buffer
 overflow in brcmf_cfg80211_mgmt_tx()

Hello,

Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx()
function in Linux kernels from v3.9-rc1 to v4.13-rc1. It can be triggered by sending
crafted NL80211_CMD_FRAME packet via netlink.

There was a research if this flaw could be triggered remotely, by sending packets on
the air, the result follows:

RX notification is regarding event send to a userspace program, which is
usually the "wpa_supplicant" or "hostapd". The userspace can register
in kernel via NL80211_CMD_REGISTER_FRAME to pass management frames to it.
This flaw would be remote exploitable if a userspace program registers to
receive some management frames and then pass it back to a kernel without
a modification. I'm not sure if any user space program do that, I think
"hostapd" or "wpa_supplicant" don't, but to be sure, it will require to
fully analyze theirs source code.
(Stanislaw Gruszka <sgruszka@...hat.com>)

So, this flaw is unlikely to be triggered remotely, as certain userspace code is needed
for this. An unprivileged local user could use this flaw to induce kernel memory corruption
on the system, leading to a crash. Due to the nature of the flaw, privilege escalation
cannot be fully ruled out, although we believe it is unlikely.

cvss3=6.8/CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
cwe=CWE-120

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1473198

https://bugzilla.novell.com/show_bug.cgi?id=1049645

https://www.spinics.net/lists/stable/msg180994.html

Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f44c9a41386729fea410e688959ddaa9d51be7c

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ