Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's mwifiex wireless driver can lead to an information leak. The issue arises because the chan_stats array, used to store channel statistics, is allocated with vmalloc(), which does not initialize the memory. This uninitialized data can be exposed if a user queries the statistics before they have been properly updated. Although the array is small, with a maximum size of 900 bytes, the lack of proper initialization poses a risk of leaking sensitive information.
Failure to initialize the channel statistics array can result in unintentional exposure of uninitialized memory, potentially leading to an information leak.
The vulnerability can be reproduced by calling the mwifiex_cfg80211_dump_survey() function before the channel statistics have been fully updated by mwifiex_update_chan_statistics(). This can be done by initiating a survey dump immediately after a channel scan, before the driver has had a chance to populate the statistics.
The vulnerability has been addressed by modifying the mwifiex driver to use kcalloc() instead of vmalloc() for the channel statistics array allocation. This change ensures that the memory is properly initialized to zero, preventing the information leak. Users should update to the patched version of the Linux kernel where this vulnerability has been fixed.
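The following userspace model is an added example, not code from the mwifiex driver or the kernel patch. It shows why a survey dump taken before, or only partway through, a statistics update returns stale bytes when the array is not zeroed. The struct layout, the arena, the 0xA5 marker and all function names are hypothetical stand-ins for the driver's allocation, update and dump paths.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CHANS 8
#define STALE 0xA5  /* constructed marker for leftover data from a previous owner */

/* Hypothetical, simplified stand-in for one chan_stats entry. */
struct chan_stat { unsigned char chan_num; signed char noise; unsigned short cca_busy_dur; };

static struct chan_stat arena[MAX_CHANS];  /* models the memory backing the array */

/* Models vmalloc(): returns memory still holding old contents. */
static struct chan_stat *alloc_uninit(void) {
    memset(arena, STALE, sizeof(arena));   /* constructed "previous owner" data */
    return arena;
}

/* Models kcalloc(): same memory, zeroed before the caller sees it. */
static struct chan_stat *alloc_zeroed(void) {
    struct chan_stat *s = alloc_uninit();
    memset(s, 0, sizeof(arena));
    return s;
}

/* Models the statistics update: only scanned channels get written. */
static void update_stats(struct chan_stat *s, size_t scanned) {
    for (size_t i = 0; i < scanned && i < MAX_CHANS; i++) {
        s[i].chan_num = (unsigned char)(i + 1);
        s[i].noise = -80;
        s[i].cca_busy_dur = 10;
    }
}

/* Models a survey dump of every entry; counts stale bytes the caller would receive. */
static size_t survey_leak(int zeroed, size_t scanned) {
    struct chan_stat *s = zeroed ? alloc_zeroed() : alloc_uninit();
    const unsigned char *p = (const unsigned char *)s;
    size_t leaked = 0;
    update_stats(s, scanned);
    for (size_t i = 0; i < sizeof(arena); i++)
        leaked += (p[i] == STALE);
    return leaked;
}

int main(void) {
    printf("uninit, no update:   %zu stale bytes\n", survey_leak(0, 0));
    printf("uninit, 3 of 8 done: %zu stale bytes\n", survey_leak(0, 3));
    printf("zeroed, no update:   %zu stale bytes\n", survey_leak(1, 0));
    return 0;
}
```

With zeroed allocation, entries that were never updated read back as zeros, so the dump exposes nothing left over from earlier use of the memory.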