Bug 1004462 - (CVE-2016-8658) VUL-0: CVE-2016-8658: kernel: Stack buffer overflow in brcmf_cfg80211_start_ap
(CVE-2016-8658)
VUL-0: CVE-2016-8658: kernel: Stack buffer overflow in brcmf_cfg80211_start_ap
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/173544/
CVSSv2:NVD:CVE-2016-8658:5.6:(AV:L/AC...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-10-13 09:25 UTC by Johannes Segitz
Modified: 2020-05-12 17:55 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2016-10-13 09:25:36 UTC
rh#1384403

A stack based buffer overflow vulnerability was found in brcmf_cfg80211_start_ap() function. User-space can choose to omit NL80211_ATTR_SSID and only provide raw IE TLV data. When doing so it can provide SSID IE with length exceeding the allowed size. The driver further processes this IE copying it into a local variable without checking the length. Hence stack can be corrupted and used as exploit.

Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=ded89912156b1a47d940a0c954c43afbabd0c42c

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1384403
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8658
http://seclists.org/oss-sec/2016/q4/113
Comment 1 Swamp Workflow Management 2016-10-13 22:00:52 UTC
bugbot adjusting priority
Comment 3 Benjamin Poirier 2016-10-17 06:12:27 UTC
ded8991 brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() (v4.8-rc7)

The commit description says "Cc: stable@vger.kernel.org # v4.7" but the
surrounding code was introduced in
	1a87334 brcmfmac: add hostap supoort. (v3.7-rc1)

Perhaps the problem depends on some other changes in ex. nl80211 to be
exploitable. Regardless, I don't think there's a problem with patching all
branches with the brcmf_cfg80211_start_ap() memcpy.

Note that CONFIG_BRCMFMAC is not set in SLES*. It is only =m in openSUSE-42.*

cve/linux-3.12 : 3.12.61
	patches.fixes/brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch
	pushed to facaf62
SLE12-SP2 : 4.4.21
	patches.fixes/brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch
	pushed to 5664b8b
openSUSE-13.2 : 3.16.7
	patches.fixes/brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch
	pushed to 9ee9ba5
openSUSE-42.1 : 4.1.34
	patches.fixes/brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch
	pushed to 53a0f32
Comment 4 Takashi Iwai 2016-10-17 06:56:10 UTC
For SLE12-SP2, I merged to the next maintenance update branch.
Let me know if this should be merged to GM release safely instead.
Comment 9 Swamp Workflow Management 2016-10-21 15:10:21 UTC
openSUSE-SU-2016:2583-1: An update that solves four vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 1000287,1000304,1000907,1001462,1001486,1004418,1004462,1005101,799133,881008,909994,911687,922634,963655,972460,978094,979681,987703,991247,991665,993890,993891,996664,999600,999932
CVE References: CVE-2016-5195,CVE-2016-7039,CVE-2016-7425,CVE-2016-8658
Sources used:
openSUSE Leap 42.1 (src):    drbd-8.4.6-10.1, hdjmod-1.28-26.1, ipset-6.25.1-7.1, kernel-debug-4.1.34-33.1, kernel-default-4.1.34-33.1, kernel-docs-4.1.34-33.3, kernel-ec2-4.1.34-33.1, kernel-obs-build-4.1.34-33.1, kernel-obs-qa-4.1.34-33.1, kernel-obs-qa-xen-4.1.34-33.1, kernel-pae-4.1.34-33.1, kernel-pv-4.1.34-33.1, kernel-source-4.1.34-33.1, kernel-syms-4.1.34-33.1, kernel-vanilla-4.1.34-33.1, kernel-xen-4.1.34-33.1, lttng-modules-2.7.0-4.1, pcfclock-0.44-268.1, vhba-kmp-20140928-7.1
Comment 10 Bernhard Wiedemann 2016-10-23 18:01:19 UTC
This is an autogenerated message for OBS integration:
This bug (1004462) was mentioned in
https://build.opensuse.org/request/show/437000 13.2 / kernel-source
Comment 12 Swamp Workflow Management 2016-10-25 17:07:58 UTC
openSUSE-SU-2016:2625-1: An update that solves 12 vulnerabilities and has 19 fixes is now available.

Category: security (important)
Bug References: 1000287,1001486,1003077,1003925,1003931,1004045,1004418,1004462,881008,909994,911687,922634,951155,960689,978094,980371,986570,989152,991247,991608,991665,993890,993891,994296,994520,994748,994752,994759,996664,999600,999932
CVE References: CVE-2015-7513,CVE-2015-8956,CVE-2016-0823,CVE-2016-1237,CVE-2016-5195,CVE-2016-5696,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7117,CVE-2016-7425,CVE-2016-8658
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.22.1, cloop-2.639-14.22.1, crash-7.0.8-22.1, hdjmod-1.28-18.23.1, ipset-6.23-22.1, kernel-debug-3.16.7-45.1, kernel-default-3.16.7-45.1, kernel-desktop-3.16.7-45.1, kernel-docs-3.16.7-45.2, kernel-ec2-3.16.7-45.1, kernel-obs-build-3.16.7-45.1, kernel-obs-qa-3.16.7-45.1, kernel-obs-qa-xen-3.16.7-45.1, kernel-pae-3.16.7-45.1, kernel-source-3.16.7-45.1, kernel-syms-3.16.7-45.1, kernel-vanilla-3.16.7-45.1, kernel-xen-3.16.7-45.1, pcfclock-0.44-260.22.1, vhba-kmp-20140629-2.22.1, virtualbox-5.0.28-54.2, xen-4.4.4_05-51.2, xtables-addons-2.6-24.1
Comment 14 Swamp Workflow Management 2016-11-25 16:10:51 UTC
SUSE-SU-2016:2912-1: An update that solves 11 vulnerabilities and has 111 fixes is now available.

Category: security (important)
Bug References: 1000189,1000287,1000304,1000776,1001419,1001486,1002165,1003079,1003153,1003400,1003568,1003866,1003925,1003964,1004252,1004462,1004517,1004520,1005666,1006691,1007615,1007886,744692,772786,789311,857397,860441,865545,866130,868923,874131,876463,898675,904489,909994,911687,915183,921338,921784,922064,922634,924381,924384,930399,931454,934067,937086,937888,940545,941420,946309,955446,956514,959463,961257,962846,966864,967640,970943,971975,971989,974406,974620,975596,975772,976195,977687,978094,979451,979928,982783,983619,984194,984419,984779,984992,985562,986445,987192,987333,987542,987565,987621,987805,988440,988617,988715,989152,989953,990245,991247,991608,991665,992244,992555,992591,992593,992712,993392,993841,993890,993891,994296,994438,994520,994748,995153,995968,996664,997059,997299,997708,997896,998689,998795,998825,999577,999584,999600,999779,999907,999932
CVE References: CVE-2015-8956,CVE-2016-5696,CVE-2016-6130,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7425,CVE-2016-8658,CVE-2016-8666
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    kernel-default-3.12.67-60.64.18.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    kernel-docs-3.12.67-60.64.18.3, kernel-obs-build-3.12.67-60.64.18.1
SUSE Linux Enterprise Server 12-SP1 (src):    kernel-default-3.12.67-60.64.18.1, kernel-source-3.12.67-60.64.18.1, kernel-syms-3.12.67-60.64.18.1, kernel-xen-3.12.67-60.64.18.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.67-60.64.18.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP1_Update_9-1-6.3
SUSE Linux Enterprise Desktop 12-SP1 (src):    kernel-default-3.12.67-60.64.18.1, kernel-source-3.12.67-60.64.18.1, kernel-syms-3.12.67-60.64.18.1, kernel-xen-3.12.67-60.64.18.1
Comment 15 Swamp Workflow Management 2016-12-06 12:11:59 UTC
openSUSE-SU-2016:3021-1: An update that solves 12 vulnerabilities and has 118 fixes is now available.

Category: security (important)
Bug References: 1000189,1000287,1000304,1000776,1001419,1001486,1002165,1003079,1003153,1003400,1003568,1003866,1003925,1004252,1004418,1004462,1004517,1004520,1005666,1006691,1007615,1007886,744692,772786,789311,799133,857397,860441,865545,866130,868923,874131,875631,876145,876463,898675,904489,909994,911687,915183,921338,921784,922064,922634,924381,924384,930399,931454,934067,937086,937888,940545,941420,946309,954986,955446,956514,959463,961257,962846,963655,963767,966864,967640,970943,971975,971989,974406,974620,975596,975772,976195,977687,978094,979451,979681,979928,982783,983619,984194,984419,984779,984992,985562,986445,987192,987333,987542,987565,987621,987805,988440,988617,988715,989152,989953,990245,991247,991608,991665,992244,992555,992591,992593,992712,993392,993841,993890,993891,994296,994438,994520,994748,994758,995153,995968,996664,997059,997299,997708,997896,998689,998795,998825,999577,999584,999600,999779,999907,999932
CVE References: CVE-2013-5634,CVE-2015-8956,CVE-2016-2069,CVE-2016-5696,CVE-2016-6130,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7425,CVE-2016-8658
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.36.1, crash-7.0.2-2.36.1, hdjmod-1.28-16.36.1, ipset-6.21.1-2.40.1, iscsitarget-1.4.20.3-13.36.1, kernel-debug-3.12.67-58.1, kernel-default-3.12.67-58.1, kernel-desktop-3.12.67-58.1, kernel-docs-3.12.67-58.2, kernel-ec2-3.12.67-58.1, kernel-pae-3.12.67-58.1, kernel-source-3.12.67-58.1, kernel-syms-3.12.67-58.1, kernel-trace-3.12.67-58.1, kernel-vanilla-3.12.67-58.1, kernel-xen-3.12.67-58.1, ndiswrapper-1.58-37.1, openvswitch-1.11.0-0.43.1, pcfclock-0.44-258.37.1, vhba-kmp-20130607-2.36.1, virtualbox-4.2.36-2.68.1, xen-4.3.4_10-69.1, xtables-addons-2.3-2.35.1
Comment 16 Marcus Meissner 2016-12-16 16:21:17 UTC
released
Comment 17 Swamp Workflow Management 2016-12-30 17:13:03 UTC
SUSE-SU-2016:3304-1: An update that solves 13 vulnerabilities and has 118 fixes is now available.

Category: security (important)
Bug References: 1000189,1000287,1000304,1000776,1001419,1001486,1002165,1003079,1003153,1003400,1003568,1003925,1004252,1004418,1004462,1004517,1004520,1005666,1006691,1007615,1007886,744692,789311,857397,860441,865545,866130,868923,874131,875631,876145,876463,898675,904489,909994,911687,915183,921338,921784,922064,922634,924381,924384,930399,934067,937086,937888,941420,946309,955446,956514,959463,961257,962846,963655,963767,966864,967640,970943,971975,971989,974406,974620,975596,975772,976195,977687,978094,979451,979681,979928,980371,981597,982783,983619,984194,984419,984779,984992,985562,986362,986365,986445,987192,987333,987542,987565,987621,987805,988440,988617,988715,989152,989953,990058,990245,991247,991608,991665,991667,992244,992555,992568,992591,992593,992712,993392,993841,993890,993891,994167,994296,994438,994520,994758,995153,995968,996664,997059,997299,997708,997896,998689,998795,998825,999577,999584,999600,999779,999907,999932
CVE References: CVE-2015-8956,CVE-2016-2069,CVE-2016-4998,CVE-2016-5195,CVE-2016-5696,CVE-2016-6130,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7425,CVE-2016-8658
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP1 (src):    kernel-compute-3.12.67-60.27.1, kernel-compute_debug-3.12.67-60.27.1, kernel-rt-3.12.67-60.27.1, kernel-rt_debug-3.12.67-60.27.1, kernel-source-rt-3.12.67-60.27.1, kernel-syms-rt-3.12.67-60.27.1
Comment 18 Swamp Workflow Management 2017-02-15 20:08:28 UTC
SUSE-SU-2017:0471-1: An update that solves 34 vulnerabilities and has 48 fixes is now available.

Category: security (important)
Bug References: 1003153,1003925,1004462,1004517,1005666,1007197,1008833,1008979,1009969,1010040,1010475,1010478,1010501,1010502,1010507,1010612,1010711,1010716,1011820,1012422,1013038,1013531,1013540,1013542,1014746,1016482,1017410,1017589,1017710,1019300,1019851,1020602,1021258,881008,915183,958606,961257,970083,971989,976195,978094,980371,980560,981038,981597,981709,982282,982544,983619,983721,983977,984148,984419,984755,985978,986362,986365,986445,986569,986572,986811,986941,987542,987565,987576,989152,990384,991608,991665,993392,993890,993891,994296,994748,994881,995968,997708,998795,999584,999600,999932,999943
CVE References: CVE-2014-9904,CVE-2015-8956,CVE-2015-8962,CVE-2015-8963,CVE-2015-8964,CVE-2016-10088,CVE-2016-4470,CVE-2016-4998,CVE-2016-5696,CVE-2016-5828,CVE-2016-5829,CVE-2016-6130,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7425,CVE-2016-7910,CVE-2016-7911,CVE-2016-7913,CVE-2016-7914,CVE-2016-8399,CVE-2016-8633,CVE-2016-8645,CVE-2016-8658,CVE-2016-9083,CVE-2016-9084,CVE-2016-9756,CVE-2016-9793,CVE-2016-9806,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    kernel-default-3.12.61-52.66.1, kernel-source-3.12.61-52.66.1, kernel-syms-3.12.61-52.66.1, kernel-xen-3.12.61-52.66.1, kgraft-patch-SLE12_Update_19-1-2.1
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.61-52.66.1, kernel-source-3.12.61-52.66.1, kernel-syms-3.12.61-52.66.1, kernel-xen-3.12.61-52.66.1, kgraft-patch-SLE12_Update_19-1-2.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.61-52.66.1