Linux Kernel ath9k Wireless Driver Uninitialized Memory Read Vulnerability

Vulnerability

A vulnerability in the Linux kernel's ath9k wireless driver has been addressed. The issue was an uninitialized memory read in the function ath9k_htc_rx_msg(). It arose because ath9k_hif_usb_rx_stream() could be called with a packet length of zero, which led to the allocation of a socket buffer (skb) containing uninitialized memory. ath9k_htc_rx_msg() then read from this uninitialized memory. The vulnerability was reported by syzbot, which indicated that the bytes accessed by ath9k_htc_rx_msg() are not known until the function is called, making it difficult to validate the packet length beforehand. The issue has been resolved by modifying ath9k_htc_rx_msg() to validate the packet length before accessing the data, ensuring that only valid data is processed.
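The validate-before-read pattern described above, as an added userspace model in C. It is not the kernel's code or part of the original advisory. The header layout, the names rx_stream, rx_msg and process, and the extra check of the declared payload length are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 8-byte message header: a simplified stand-in, not the driver's struct. */
struct frame_hdr {
    uint8_t endpoint_id, flags;
    uint8_t payload_len[2];              /* big-endian */
    uint8_t control[4];
};
struct buf { uint8_t *data; size_t len; };   /* stand-in for an skb */

/* Models the receive path: storage is sized from pkt_len plus headroom and is
 * not zeroed, so with pkt_len == 0 every byte of it is uninitialized. */
static int rx_stream(struct buf *b, const uint8_t *pkt, size_t pkt_len)
{
    b->data = malloc(pkt_len + 32);
    if (!b->data) return -1;
    if (pkt_len) memcpy(b->data, pkt, pkt_len);
    b->len = pkt_len;
    return 0;
}

/* Hardened handler: checks len before any header read; -1 means rejected. */
static int rx_msg(const struct buf *b)
{
    struct frame_hdr h;
    size_t payload;
    if (b->len < sizeof(h)) return -1;   /* too short to hold a header */
    memcpy(&h, b->data, sizeof(h));
    payload = ((size_t)h.payload_len[0] << 8) | h.payload_len[1];
    return payload > b->len - sizeof(h) ? -1 : h.endpoint_id;
}

/* Runs one packet through both stages and frees the buffer. */
static int process(const uint8_t *pkt, size_t pkt_len)
{
    struct buf b;
    int r = rx_stream(&b, pkt, pkt_len) ? -1 : rx_msg(&b);
    free(b.data);
    return r;
}

int main(void)
{
    const uint8_t ok[] = { 1, 0, 0, 2, 0, 0, 0, 0, 0xaa, 0xbb };  /* constructed sample */
    printf("empty=%d valid=%d\n", process(NULL, 0), process(ok, sizeof(ok)));
    return 0;
}
```

Without the length check in rx_msg, the zero-length case would copy eight never-written bytes out of the allocation and act on them.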

Impact

This vulnerability could lead to information disclosure by allowing the driver to read uninitialized memory, which may contain sensitive data.

Reproduction

The vulnerability can be reproduced by sending an IOCTL command to the ath9k driver with a packet length of zero. This can be done using a tool like syzkaller, which automates the process of finding and exploiting vulnerabilities in kernel drivers.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Dec 24, 2025, 1:29 PM
Updated: Dec 24, 2025, 1:29 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.