[Secure-testing-team] Bug#770327: non-root induced DoS via /proc/brcm_monitor0
Robert Bihlmeyer
robbe at orcus.priv.at
Thu Nov 20 13:26:32 UTC 2014
Package: broadcom-sta-dkms
Version: 6.30.223.248-2
Severity: critical
Tags: security upstream
The wl module creates /proc/brcm_monitorN for each applicable device.
At least with linux-image-3.16-0.bpo.2-amd64, reading from this file
reliably sends my box into la-la land (symptoms are that CPU#2 is reported
as stuck, and almost any process hangs).
The file is mode 644, so this is possible for any local user. I noted
this with monotone, which tries to trawl /proc files in a (arguably mistaken)
attempt to gather randomness. monotone offers a network service, which may
be affected.
I can try reproduction with different kernels if it helps.
What the file actually does is opaque to me. An easy fix would be to
remove world readability in lines 3305 and 3308 of src/wl/sys/wl_linux.c
More information about the Secure-testing-team
mailing list