Linux Kernel Bluetooth Subsystem Use-After-Free Vulnerability in hci_add_adv_monitor

A use-after-free vulnerability has been identified in the Bluetooth advertising monitor management of the Linux kernel. This issue arises in the 'hci_add_adv_monitor' function, which is responsible for adding advertising monitors. The vulnerability occurs when the function encounters an error while processing a Microsoft-specific monitor pattern. In such cases, it calls 'hci_free_adv_monitor' to release the monitor, but this leads to a use-after-free condition because the monitor's handle is still referenced in a debug log. The vulnerability affects the Linux kernel Bluetooth subsystem, specifically in the handling of advertising monitors.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, which may be exploited to cause memory corruption or execute arbitrary code.

Reproduction

To reproduce this vulnerability, add an advertising monitor using the 'hci_add_adv_monitor' function with a Microsoft-specific monitor pattern. When the function processes the monitor and encounters an error, it will call 'hci_free_adv_monitor' to free the monitor. However, the debug log will still reference the freed monitor's handle, creating a use-after-free condition.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version.