From b563af26fdc99bf93c58a35823931b5363bd9d1d Mon Sep 17 00:00:00 2001
From: "David C. Park"
Date: Mon, 23 Oct 2017 16:56:09 -0700
Subject: bcm4343: Fix remote code execution vulnerability

Android Security Bulletin 2017#09
Broadcom component Device Specific patches

CVE-2017-7065 (Reference: A-62575138, B-V2017061202)
The Broadcom wireless firmware accepts GTK frames of up to 244 bytes, but only has a 164-byte buffer to copy them into. A large incoming frame overflows in the firmware heap, leading to arbitrary code execution. The fix is designed to correctly validate incoming frame sizes.

CVE-2017-11120 (Reference: A-62575409, B-V2017061204)
The rrm module of the Broadcom wireless firmware does not correctly validate the channel index on incoming request frames. A frame referencing an out-of-bounds index can cause firmware heap memory corruption, leading to arbitrary code execution. The fix is designed to correctly validate the channel index.

CVE-2017-11121 (Reference: A-62576413, B-V2017061205)
The FBT module of the Broadcom wireless firmware does not check the length of all fields of an incoming Fast Transition Information Element (FT-IE). An FT-IE with bad lengths could cause heap overflows and memory corruption leading to arbitrary code execution. The fix is designed to validate the appropriate length fields.

BCM4343A1 ver. 7.13.53.11

Bug: 68005256
Change-Id: If030592954da3502e2368a506eefc701a0d1ea0c
---
 bcmdhd/firmware/bcm4343/fw_bcm4343_a1.bin | Bin 326651 -> 326786 bytes
 bcmdhd/firmware/bcm4343/fw_bcm4343_a1_apsta.bin | Bin 298408 -> 298379 bytes
 2 files changed, 0 insertions(+), 0 deletions(-)

diff --git a/bcmdhd/firmware/bcm4343/fw_bcm4343_a1.bin b/bcmdhd/firmware/bcm4343/fw_bcm4343_a1.bin index dec41dc..66bb44a 100644 Binary files a/bcmdhd/firmware/bcm4343/fw_bcm4343_a1.bin and b/bcmdhd/firmware/bcm4343/fw_bcm4343_a1.bin differ 
diff --git a/bcmdhd/firmware/bcm4343/fw_bcm4343_a1_apsta.bin b/bcmdhd/firmware/bcm4343/fw_bcm4343_a1_apsta.bin index 1748d33..c41fbb9 100644 Binary files a/bcmdhd/firmware/bcm4343/fw_bcm4343_a1_apsta.bin and b/bcmdhd/firmware/bcm4343/fw_bcm4343_a1_apsta.bin differ -- cgit v1.2.3
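Review bot: For fw_bcm4343_a1.bin, nothing in the change ties the new blob (index dec41dc..66bb44a, 326651 -> 326786 bytes) to the "BCM4343A1 ver. 7.13.53.11" named in the commit message, and the three fixes cannot be reviewed from "Binary files ... differ". Please add a cryptographic checksum (for example SHA-256) of the new image and a reference to the vendor release it came from to the commit message, so the drop can be verified against the vendor's release and checked on devices after the update.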
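Review bot: The fw_bcm4343_a1_apsta.bin image shrinks by 29 bytes (298408 -> 298379) while fw_bcm4343_a1.bin grows by 135, yet the commit message lists a single version string and does not say which of the three CVE fixes each image contains. Please state the firmware version per file and confirm that the APSTA build carries the GTK frame size, rrm channel index and FT-IE length checks, since an unpatched APSTA image would leave the same heap corruption paths open in that mode.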