Linux Kernel Bluetooth L2CAP Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Bluetooth L2CAP implementation of the Linux kernel. The issue arises in the 'l2cap_conn_del()' function: a channel that is created upon receiving data with the 'L2CAP_CID_A2MP' identifier is not properly held, so its reference count is only one. Consequently, when 'hci_error_reset()' is called, 'l2cap_conn_del()' releases the channel while closing it and then unlocks a channel that has already been freed, which is the use-after-free. The vulnerability becomes reachable once such a channel has been created and its reference count is not correctly managed, allowing for potential memory corruption.

Impact

Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by sending data that triggers the creation of an A2MP channel. After the channel is established, the 'hci_error_reset()' function is invoked, which initiates the process of closing the channel. This sequence of events causes the reference count of the channel to drop to zero, freeing the channel while it is still in use, leading to the use-after-free vulnerability.
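To make the reference-count sequence above concrete, the following user-space C model is added here; it is not kernel code and not part of the advisory. The chan_hold/chan_put/chan_lock/chan_unlock helpers stand in for the kernel's l2cap_chan_hold/l2cap_chan_put/l2cap_chan_lock/l2cap_chan_unlock, and a 'freed' flag replaces the allocator so the misuse can be observed without real memory corruption; the two conn_del variants show the unpatched shape (last reference dropped before unlock) beside the hardened shape (a reference held for the whole teardown).

```c
#include <stdbool.h>

/* Constructed model of a refcounted channel; not Linux kernel code.
 * The "freed" flag stands in for memory returned to the allocator. */
struct chan {
    int refcnt;
    bool locked;
    bool freed;
};

static void chan_hold(struct chan *c) { c->refcnt++; }
static void chan_put(struct chan *c)       /* dropping the last reference releases the object */
{
    if (--c->refcnt == 0)
        c->freed = true;
}
static void chan_lock(struct chan *c) { c->locked = true; }
static bool chan_unlock(struct chan *c)    /* returns true if it touched a released object */
{
    bool uaf = c->freed;
    c->locked = false;
    return uaf;
}
static void chan_del(struct chan *c) { chan_put(c); } /* close path drops the channel's reference */

/* Unpatched shape: nothing pins the channel across lock/del/unlock. */
static bool conn_del_unpatched(void)
{
    struct chan c = { .refcnt = 1 };   /* freshly created channel: one reference, like A2MP */
    chan_lock(&c);
    chan_del(&c);                      /* refcnt 1 -> 0: channel released here */
    return chan_unlock(&c);            /* unlock on a released channel: the use-after-free */
}

/* Hardened shape: take a reference for the teardown, drop it after the last use. */
static bool conn_del_patched(void)
{
    struct chan c = { .refcnt = 1 };
    bool uaf;
    chan_hold(&c);                     /* refcnt 1 -> 2 */
    chan_lock(&c);
    chan_del(&c);                      /* refcnt 2 -> 1: still alive */
    uaf = chan_unlock(&c);             /* safe: object still valid */
    chan_put(&c);                      /* refcnt 1 -> 0: released only now */
    return uaf;
}
```

The same hold-before-use / put-after-last-use discipline is what prevents the closing path from freeing an object that the caller still touches.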

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.