Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's ath12k wireless driver can lead to a null pointer dereference. This issue occurs during the handling of missed beacons when the driver iterates over active virtual interfaces. The problem arises because the driver attempts to access the radio object of a virtual interface that has not been properly initialized. This can happen with P2P-capable devices, where a default P2P interface is created but may not be linked to a radio until a scan is initiated. If a scan is requested on such an interface, the driver creates a virtual device, attaches the interface to the radio, and then, after the scan, detaches it, leaving the interface uninitialized. When the driver later processes beacon misses, it encounters the P2P interface and tries to access the radio object, leading to a null pointer dereference.
The vulnerability causes a null pointer dereference, which can lead to a crash of the wireless driver, disrupting network connectivity and potentially causing a denial of service.
The vulnerability can be reproduced on a P2P-capable device by initiating a scan on a P2P virtual interface. After the scan is completed or aborted, the P2P interface is left uninitialized. When the driver then handles beacon misses, it will attempt to access the radio object of the uninitialized interface, causing a null pointer dereference. This can be observed by monitoring the driver's response to beacon loss events, which will trigger the null pointer dereference and crash the driver.
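The attach, scan, detach sequence and the later beacon-miss iteration described above can be modeled in user space. This is an added example, not code from the ath12k driver or from the upstream fix; every struct and function name is hypothetical, and the NULL check shown is one defensive pattern assumed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model; all names are hypothetical, not ath12k's. */
struct radio { int beacon_miss_count; };
struct vif {
    bool active;
    struct radio *radio;   /* NULL until the interface is attached to a radio */
};
/* Scan requested on an unattached interface: attach, scan, detach. */
void scan_on_vif(struct vif *v, struct radio *r)
{
    v->radio = r;          /* virtual device created, interface attached */
    v->radio = NULL;       /* scan done or aborted: detached, uninitialized again */
}

/* Unsafe pattern from the description: assumes every active vif has a radio. */
void beacon_miss_iter_unsafe(struct vif *v)
{
    v->radio->beacon_miss_count++;   /* NULL dereference for the P2P vif */
}

/* Checked pattern (assumed mitigation): skip interfaces with no radio. */
bool beacon_miss_iter_checked(struct vif *v)
{
    if (!v->radio)
        return false;
    v->radio->beacon_miss_count++;
    return true;
}

/* Walk the active interfaces; returns how many were actually processed. */
int handle_beacon_miss(struct vif *vifs, size_t n)
{
    int handled = 0;
    for (size_t i = 0; i < n; i++)
        if (vifs[i].active && beacon_miss_iter_checked(&vifs[i]))
            handled++;
    return handled;
}

int main(void)
{
    struct radio r = { 0 };
    /* Constructed scenario: a station vif on the radio and a default P2P vif. */
    struct vif vifs[2] = { { true, &r }, { true, NULL } };
    scan_on_vif(&vifs[1], &r);
    printf("handled=%d misses=%d\n", handle_beacon_miss(vifs, 2), r.beacon_miss_count);
}
```

Calling `beacon_miss_iter_unsafe` on the second interface after the scan would fault, which is the crash the description attributes to the driver.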
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.