Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the Linux kernel's Bluetooth subsystem, specifically in the hci_disconnect_all_sync function. The issue arises when a connection is deleted by a controller event while hci_disconnect_all_sync is still iterating over it, so the function can touch memory that has already been freed. The vulnerability affects Linux kernel versions 6.5.0-rc1 and prior. The problem was addressed by changing how the connection lists are iterated so that a concurrent deletion cannot invalidate the element being processed, and by ensuring that links are cleaned up before their parent elements are processed.
Exploitation of this vulnerability results in a use-after-free condition, which can cause memory corruption and potentially allow arbitrary code execution in kernel context.
The vulnerability can be reproduced by initiating a Bluetooth connection and then concurrently triggering a controller event that deletes the connection while the hci_disconnect_all_sync function is processing. This can be done by using a Bluetooth device that supports connectionless communication, such as a keyboard or mouse, and pairing it with a device running the vulnerable Linux kernel version. Once the connection is established, the controller event can be simulated to delete the connection, causing the use-after-free condition.
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed. Instructions for downloading the latest kernel version can be found on the official Linux kernel website.