Linux Kernel RTL8XXXU Driver Memory Leak Vulnerability in Bluetooth Audio Handling
Vulnerability
A memory leak has been identified in the Linux kernel's RTL8XXXU Wi-Fi and Bluetooth driver, affecting the RTL8723BU and RTL8192EU chips. When a Bluetooth audio device is connected through an RTL8723BU, the active Bluetooth traffic generates C2H (card-to-host) messages that the driver handles improperly and never frees. The RTL8192EU leaks in the same way: its C2H messages are queued indefinitely and never consumed. The leak dates from the change that caused C2H messages to be sent in response to transmission-rate changes without the driver managing them, so each message stays allocated. The RTL8188FU could theoretically be affected as well, but that is unlikely because it sends C2H messages only rarely.
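The defect is a queue whose producer (the card's C2H events) runs without a consumer that frees what was queued. The following userspace model, added here as an illustration and not taken from the rtl8xxxu driver, shows the two defensive properties a practitioner checks for in such code: a drain path that frees every message it processes, and a cap that keeps memory bounded even if the drain stalls. The names c2h_msg, c2h_queue, C2H_MAX_QUEUED and the payload bytes are assumptions of this model; a real kernel leak of this kind would show up as the live-allocation count that kmemleak reports, which the `live` counter stands in for.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userspace model of a card-to-host (C2H) message queue. It is
 * not the driver's code; c2h_msg, c2h_queue, C2H_MAX_QUEUED and the payload
 * bytes are hypothetical. */

#define C2H_MAX_QUEUED 32 /* hypothetical cap on unprocessed messages */

struct c2h_msg {
    struct c2h_msg *next;
    size_t len;
    unsigned char data[16];
};

struct c2h_queue {
    struct c2h_msg *head, *tail;
    size_t queued;  /* messages waiting for the work handler */
    size_t live;    /* allocations not yet freed: the leak counter */
    size_t dropped; /* messages refused because the queue was full */
};

/* Interrupt side: copy the message out of the receive buffer and queue it.
 * Refusing messages once the cap is reached bounds memory use even if the
 * consumer stalls; the leaking driver had no such bound. */
static int c2h_enqueue(struct c2h_queue *q, const unsigned char *data, size_t len)
{
    struct c2h_msg *m;
    if (len > sizeof(m->data))
        return -1;
    if (q->queued >= C2H_MAX_QUEUED) {
        q->dropped++;
        return -1;
    }
    m = calloc(1, sizeof(*m));
    if (!m)
        return -1;
    m->len = len;
    memcpy(m->data, data, len);
    if (q->tail)
        q->tail->next = m;
    else
        q->head = m;
    q->tail = m;
    q->queued++;
    q->live++;
    return 0;
}

/* Work handler: take each queued message, act on it, then free it. The leak
 * described above amounts to this drain never running, so every C2H event
 * became a permanent allocation. Returns the number of messages processed. */
static size_t c2h_drain(struct c2h_queue *q, void (*handle)(const struct c2h_msg *))
{
    size_t n = 0;
    while (q->head) {
        struct c2h_msg *m = q->head;
        q->head = m->next;
        if (!q->head)
            q->tail = NULL;
        q->queued--;
        if (handle)
            handle(m);
        free(m);
        q->live--;
        n++;
    }
    return n;
}

/* Simulate a burst of Bluetooth-coexistence C2H events. drain_every == 0
 * models the leaking driver (queue, never consume); a positive value runs the
 * work handler after that many events. Returns the allocations still live
 * after the burst; *dropped_out receives how many events the cap rejected. */
static size_t simulate(size_t events, size_t drain_every, size_t *dropped_out)
{
    struct c2h_queue q = { 0 };
    unsigned char ev[4] = { 0, 0, 0, 0 }; /* constructed payload */
    size_t live;
    for (size_t i = 1; i <= events; i++) {
        ev[3] = (unsigned char)i;
        c2h_enqueue(&q, ev, sizeof ev);
        if (drain_every && i % drain_every == 0)
            c2h_drain(&q, NULL);
    }
    live = q.live;
    if (dropped_out)
        *dropped_out = q.dropped;
    c2h_drain(&q, NULL); /* release everything so the model itself does not leak */
    return live;
}

int main(void)
{
    size_t dropped;
    size_t leaked = simulate(100, 0, &dropped);
    printf("no consumer: %zu live, %zu rejected by the cap\n", leaked, dropped);
    leaked = simulate(100, 10, &dropped);
    printf("drained every 10 events: %zu live, %zu rejected\n", leaked, dropped);
    return 0;
}
```

Without a consumer, every event up to the cap stays allocated and the rest are rejected; with a periodic drain, the queue returns to zero live allocations and nothing is rejected. A queue with neither property grows without bound for as long as the card keeps generating events, which is the behaviour reported here.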
Impact
Triggering this vulnerability leaks kernel memory: each unfreed C2H message adds to memory usage, which grows over time and can degrade system performance.
Reproduction
The leak can be reproduced on a system with an active RTL8723BU Wi-Fi and Bluetooth combo chip and a connected Bluetooth audio device: the Bluetooth traffic generates C2H messages that the driver does not free, so memory usage grows for as long as the audio stream runs. On the RTL8192EU, the leak is reproduced by letting the chip send C2H messages as the transmission rate changes; the driver queues these indefinitely without ever processing or freeing them.
Remediation
Upgrade to a Linux kernel release in which this leak has been fixed. The patch is available in the Linux kernel stable tree.