Linux Kernel Bluetooth L2CAP Bad Unlock Balance Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Bluetooth L2CAP implementation can lead to a "bad unlock balance" condition. The channel lock is not acquired before the function that retrieves a channel by its SCID is called, yet the calling code still releases that lock on the path where the retrieval function returns NULL, so a lock that was never taken is unlocked.

Impact

Triggering this vulnerability produces a "bad unlock balance" in the kernel, which can lead to memory corruption or other unintended kernel behavior.

Reproduction

The condition is reached by invoking the L2CAP disconnect response function without the channel lock held. A disconnect response carrying a SCID for a channel that does not exist makes the channel retrieval function return NULL; the disconnect response function then attempts to unlock a lock that was never locked, producing the "bad unlock balance" situation.
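As an added illustration, not code from this page or from the kernel, the following user-space C model shows the lock discipline behind the bug described above: a lookup-by-SCID helper, a buggy disconnect-response path that releases a lock it never took when the lookup returns NULL, and the corrected path beside it. The checked lock type, the SCID values and every function name are assumptions of this model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
/* Hypothetical user-space model of this page's bug class, not kernel code.
 * A tiny checked lock stands in for the kernel mutex plus lockdep: releasing a
 * lock that is not held returns -EPERM, the "bad unlock balance" condition. */
struct lock { int held; };
static int lock_acquire(struct lock *l) { if (l->held) return -EDEADLK; l->held = 1; return 0; }
static int lock_release(struct lock *l) { if (!l->held) return -EPERM; l->held = 0; return 0; }
#define NCHAN 2
struct chan { uint16_t scid; struct lock lock; };
struct conn { struct lock chan_lock; struct chan chans[NCHAN]; };
/* Takes and drops the connection-wide chan_lock itself; returns the channel
 * with only its own lock held, or NULL with nothing held at all. */
static struct chan *get_chan_by_scid(struct conn *c, uint16_t scid)
{
    struct chan *found = NULL;
    lock_acquire(&c->chan_lock);
    for (int i = 0; i < NCHAN && !found; i++)
        if (c->chans[i].scid == scid) {
            found = &c->chans[i];
            lock_acquire(&found->lock);
        }
    lock_release(&c->chan_lock);                 /* dropped on both paths */
    return found;
}

/* Buggy handler: the not-found path releases chan_lock, which it never took.
 * Both handlers return the release status: 0 if balanced, -EPERM if not. */
static int disconnect_rsp_buggy(struct conn *c, uint16_t scid)
{
    struct chan *ch = get_chan_by_scid(c, scid);
    if (!ch)
        return lock_release(&c->chan_lock);      /* bad unlock balance */
    return lock_release(&ch->lock);
}

/* Fixed handler: a NULL result holds no lock, so there is nothing to drop. */
static int disconnect_rsp_fixed(struct conn *c, uint16_t scid)
{
    struct chan *ch = get_chan_by_scid(c, scid);
    return ch ? lock_release(&ch->lock) : 0;
}

/* Runs one handler against constructed SCIDs 0x40/0x41; 0x99 is unknown. */
static int run_scenario(int use_fixed, uint16_t scid)
{
    struct conn c = { {0}, { {0x40, {0}}, {0x41, {0}} } };
    return use_fixed ? disconnect_rsp_fixed(&c, scid) : disconnect_rsp_buggy(&c, scid);
}
```

Only the unknown-SCID path differs between the two handlers: the buggy one reports -EPERM from the checked lock, the fixed one returns 0 without touching any lock.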

Remediation

Users should upgrade to the latest Linux kernel release, in which this vulnerability has been fixed.

Added: Sep 16, 2025, 4:52 PM
Updated: Sep 16, 2025, 4:52 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.