| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025100114-CVE-2025-39891-61f7@gregkh> Date: Wed, 1 Oct 2025 09:43:15 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-39891: wifi: mwifiex: Initialize the chan_stats array to zero From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Initialize the chan_stats array to zero The adapter->chan_stats[] array is initialized in mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out memory. The array is filled in mwifiex_update_chan_statistics() and then the user can query the data in mwifiex_cfg80211_dump_survey(). There are two potential issues here. What if the user calls mwifiex_cfg80211_dump_survey() before the data has been filled in. Also the mwifiex_update_chan_statistics() function doesn't necessarily initialize the whole array. Since the array was not initialized at the start that could result in an information leak. Also this array is pretty small. It's a maximum of 900 bytes so it's more appropriate to use kcalloc() instead vmalloc(). The Linux kernel CVE team has assigned CVE-2025-39891 to this issue. Affected and fixed versions =========================== Issue introduced in 3.19 with commit bf35443314acb43fa8a3f9f8046e14cbe178762b and fixed in 5.4.299 with commit 9eb0118b3470b4d2e4e3bbb1fc088b30c0285d65 Issue introduced in 3.19 with commit bf35443314acb43fa8a3f9f8046e14cbe178762b and fixed in 5.10.243 with commit 05daef0442d28350a1a0d6d0e2cab4a7a91df475 Issue introduced in 3.19 with commit bf35443314acb43fa8a3f9f8046e14cbe178762b and fixed in 5.15.192 with commit acdf26a912190fc6746e2a890d7d0338190527b4 Issue introduced in 3.19 with commit bf35443314acb43fa8a3f9f8046e14cbe178762b and fixed in 6.1.151 with commit 32c124c9c03aa755cbaf60ef7f76afd918d47659 Issue introduced in 3.19 with commit bf35443314acb43fa8a3f9f8046e14cbe178762b and fixed in 6.6.105 with commit 9df29aa5637d94d24f7c5f054ef4feaa7b766111 Issue introduced in 3.19 with commit bf35443314acb43fa8a3f9f8046e14cbe178762b and fixed in 6.12.46 with commit 06616410a3e5e6cd1de5b7cbc668f1a7edeedad9 Issue introduced in 3.19 with commit bf35443314acb43fa8a3f9f8046e14cbe178762b and fixed in 6.16.6 with commit 5285b7009dc1e09d5bb9e05fae82e1a807882dbc Issue introduced in 3.19 with commit bf35443314acb43fa8a3f9f8046e14cbe178762b and fixed in 6.17 with commit 0e20450829ca3c1dbc2db536391537c57a40fe0b Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-39891 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/wireless/marvell/mwifiex/cfg80211.c drivers/net/wireless/marvell/mwifiex/main.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/9eb0118b3470b4d2e4e3bbb1fc088b30c0285d65 https://git.kernel.org/stable/c/05daef0442d28350a1a0d6d0e2cab4a7a91df475 https://git.kernel.org/stable/c/acdf26a912190fc6746e2a890d7d0338190527b4 https://git.kernel.org/stable/c/32c124c9c03aa755cbaf60ef7f76afd918d47659 https://git.kernel.org/stable/c/9df29aa5637d94d24f7c5f054ef4feaa7b766111 https://git.kernel.org/stable/c/06616410a3e5e6cd1de5b7cbc668f1a7edeedad9 https://git.kernel.org/stable/c/5285b7009dc1e09d5bb9e05fae82e1a807882dbc https://git.kernel.org/stable/c/0e20450829ca3c1dbc2db536391537c57a40fe0b
Powered by blists - more mailing lists