Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A race condition vulnerability has been identified in the Linux kernel's Bluetooth subsystem, specifically in HCI (Host Controller Interface) device management. hci_unregister_dev() can free the hci_dev object while hci_suspend_notifier, the power-management notifier callback, is still using it: if a system suspend is being prepared while a controller is unregistered, the notifier tries to suspend a device that has already been freed, which is a use-after-free that crashes the kernel. The fix changes hci_suspend_notifier to take a reference on the hci_dev for the duration of its processing, so the object cannot be freed underneath it and the freed-object access, and with it the crash, no longer occurs.
The described impact is a crash in the kernel's Bluetooth subsystem during system suspend, i.e. a denial of service: Bluetooth functionality is lost and any applications or services that depend on Bluetooth connectivity are affected.
To reproduce this vulnerability, unregister a Bluetooth controller (hci_unregister_dev()) while hci_suspend_notifier is running, i.e. trigger a suspend through the power-management subsystem so that the notifier is invoked for the device at the same time as its unregistration drops the last reference and frees it. Because this is a race, it may take several attempts. The resulting crash is visible in the kernel log as a call trace through hci_suspend_sync, hci_suspend_dev and hci_suspend_notifier, which marks where the freed object is touched. Building the kernel with CONFIG_KASAN=y turns the intermittent crash into a deterministic use-after-free report that names both the freeing and the using call chains, which makes the race much easier to confirm.
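The interleaving above, and the reference-count fix described in the summary, as an added userland model written for this page; it is not kernel code. struct hci_dev, hci_dev_hold()/hci_dev_put() and hci_unregister_dev() are reduced to a plain counter (the kernel versions go through get_device()/put_device() and the device release path), hci_suspend_dev_model() stands in for the suspend work, "free" is modelled as poisoning the object so that a use-after-free is counted instead of dereferenced, and the `race` callback stands for the concurrent unregistration. The two notifier variants run the same interleaving: the unpinned one touches a freed object, the pinned one keeps it alive until its work is done.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reduced model of struct hci_dev (assumption: the kernel object carries a
   kref via struct device; an explicit counter stands in for it here). */
struct hci_dev {
    int refcnt;     /* registration reference plus any in-flight users */
    int freed;      /* 1 once the last reference is dropped (poison, not free()) */
    int suspended;
    char name[8];
};

static int uaf_events;  /* accesses to a "freed" hci_dev observed by the model */

static struct hci_dev *hci_alloc_dev_model(const char *name)
{
    struct hci_dev *hdev = calloc(1, sizeof(*hdev));
    if (!hdev)
        abort();
    hdev->refcnt = 1;   /* the reference owned by the registration */
    strncpy(hdev->name, name, sizeof(hdev->name) - 1);
    return hdev;
}

/* Model of hci_dev_hold()/hci_dev_put(); the real helpers wrap get_device()/put_device(). */
static void hci_dev_hold(struct hci_dev *hdev) { hdev->refcnt++; }
static void hci_dev_put(struct hci_dev *hdev)
{
    if (--hdev->refcnt == 0)
        hdev->freed = 1;    /* kernel: object released via the device release callback */
}

/* hci_unregister_dev() gives up the registration's reference. */
static void hci_unregister_dev(struct hci_dev *hdev) { hci_dev_put(hdev); }

/* Stand-in for the suspend work (hci_suspend_dev/hci_suspend_sync in the trace).
   Touching a freed object is the crash from the advisory; counted here instead. */
static int hci_suspend_dev_model(struct hci_dev *hdev)
{
    if (hdev->freed) {
        uaf_events++;
        return -1;
    }
    hdev->suspended = 1;
    return 0;
}

/* Vulnerable notifier: uses hdev without pinning it. `race` models the
   concurrent hci_unregister_dev() that can run while the notifier is active. */
static int hci_suspend_notifier_unpinned(struct hci_dev *hdev,
                                         void (*race)(struct hci_dev *))
{
    if (race)
        race(hdev);                        /* unregister lands here: last ref gone */
    return hci_suspend_dev_model(hdev);    /* use-after-free */
}

/* Fixed notifier: holds a reference for the duration of its processing. */
static int hci_suspend_notifier_pinned(struct hci_dev *hdev,
                                       void (*race)(struct hci_dev *))
{
    int rc;
    hci_dev_hold(hdev);                    /* refcnt 1 -> 2 */
    if (race)
        race(hdev);                        /* unregister: refcnt 2 -> 1, still alive */
    rc = hci_suspend_dev_model(hdev);      /* safe: object not freed */
    hci_dev_put(hdev);                     /* refcnt 1 -> 0, freed only now */
    return rc;
}

/* Drive both variants through the same interleaving. Returns 0 when the
   unpinned notifier hit a freed object and the pinned one completed cleanly
   with the device freed afterwards; nonzero otherwise. Out-params may be NULL. */
static int demo_race(int *unpinned_rc, int *pinned_rc, int *uaf_seen)
{
    struct hci_dev *a = hci_alloc_dev_model("hci0");
    struct hci_dev *b = hci_alloc_dev_model("hci1");
    int u, p, ok;

    uaf_events = 0;
    u = hci_suspend_notifier_unpinned(a, hci_unregister_dev);
    p = hci_suspend_notifier_pinned(b, hci_unregister_dev);
    ok = (u == -1 && p == 0 && uaf_events == 1 && b->suspended && b->freed);

    if (unpinned_rc) *unpinned_rc = u;
    if (pinned_rc)   *pinned_rc = p;
    if (uaf_seen)    *uaf_seen = uaf_events;
    free(a);            /* the model only poisons, so the memory is still ours */
    free(b);
    return ok ? 0 : 1;
}

int main(void)
{
    int u, p, n;
    int rc = demo_race(&u, &p, &n);
    printf("unpinned notifier rc=%d, pinned notifier rc=%d, use-after-free events=%d\n",
           u, p, n);
    return rc;
}
```

The point of the model is the ordering: with the reference held, hci_unregister_dev() only drops the registration's reference, and the object is released by the notifier's own hci_dev_put() after the suspend work has finished. The real kernel gets the same guarantee from the device refcount, with the free happening in the release callback instead of the poison flag used here.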
Users should upgrade to a kernel release that contains the fix; it is included in the latest stable Linux kernel, available from the official Linux kernel website (kernel.org) or through the distribution's kernel updates. Until the update is applied, the exposure is limited to the window in which a Bluetooth controller is removed or unregistered while the system is entering suspend.