oss-sec mailing list archives
CVE-2017-7541: Linux kernel: Memory corruption due to a buffer overflow in brcmf_cfg80211_mgmt_tx()
From: Vladis Dronov <vdronov () redhat com>
Date: Mon, 24 Jul 2017 09:53:39 -0400 (EDT)
Hello, Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. It can be triggered by sending crafted NL80211_CMD_FRAME packet via netlink. There was a research if this flaw could be triggered remotely, by sending packets on the air, the result follows: RX notification is regarding event send to a userspace program, which is usually the "wpa_supplicant" or "hostapd". The userspace can register in kernel via NL80211_CMD_REGISTER_FRAME to pass management frames to it. This flaw would be remote exploitable if a userspace program registers to receive some management frames and then pass it back to a kernel without a modification. I'm not sure if any user space program do that, I think "hostapd" or "wpa_supplicant" don't, but to be sure, it will require to fully analyze theirs source code. (Stanislaw Gruszka <sgruszka () redhat com>) So, this flaw is unlikely to be triggered remotely, as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. cvss3=6.8/CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H cwe=CWE-120 References: https://bugzilla.redhat.com/show_bug.cgi?id=1473198 https://bugzilla.novell.com/show_bug.cgi?id=1049645 https://www.spinics.net/lists/stable/msg180994.html Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f44c9a41386729fea410e688959ddaa9d51be7c
Current thread:
- CVE-2017-7541: Linux kernel: Memory corruption due to a buffer overflow in brcmf_cfg80211_mgmt_tx() Vladis Dronov (Jul 24)