Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A race condition vulnerability has been identified in the Linux kernel's Bluetooth Human Interface Device Protocol (HIDP) handling. The flaw is in the hidp_session_thread function and can lead to a use-after-free condition. It arises because the session's timer can still be active when the function attempts to delete it, so the session object can be freed while the timer is still in use. When the idle timeout function then runs against the freed session, the kernel can panic.
Exploitation of this vulnerability can lead to a use-after-free condition, causing a kernel panic. Such use-after-free vulnerabilities can often be exploited to execute arbitrary code or cause a denial-of-service condition.
The vulnerability can be reproduced by creating a Bluetooth HIDP session and allowing the idle timeout to trigger while simultaneously deleting the session's timer. This can be done by manipulating the session's idle timeout value and timing the deletion of the timer, causing the session object to be freed while the timer is still active.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The official Linux kernel Git repository can be checked out for the latest stable releases.
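The teardown ordering described above, as an added userspace model in C (not kernel code and not the kernel's patch): a thread stands in for the timer callback, a flag stands in for freeing the session, and all names are hypothetical. The waiting variant is an assumption about how this class of race is generally closed.

```c
#include <pthread.h>
#include <semaphore.h>
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical userspace model: a session object with an idle timer. */
struct session {
    atomic_bool freed;          /* stands in for freeing the session */
    atomic_bool used_after_free;
    sem_t cb_entered;           /* the timeout callback has started */
    sem_t cb_resume;            /* lets the callback continue */
};

/* Idle-timeout callback: it dereferences the session while it runs. */
static void *idle_timeout(void *arg)
{
    struct session *s = arg;
    sem_post(&s->cb_entered);
    sem_wait(&s->cb_resume);    /* the callback is mid-flight here */
    if (atomic_load(&s->freed))
        atomic_store(&s->used_after_free, true);
    return NULL;
}

/* Tears a session down after its timer has fired. false models a cancel
 * that returns while the callback still runs; true waits for it to finish.
 * Returns true if the callback touched the session after it was freed. */
bool teardown_uses_freed_session(bool wait_for_callback)
{
    struct session s;
    pthread_t timer;            /* thread standing in for timer context */
    atomic_init(&s.freed, false);
    atomic_init(&s.used_after_free, false);
    sem_init(&s.cb_entered, 0, 0);
    sem_init(&s.cb_resume, 0, 0);
    pthread_create(&timer, NULL, idle_timeout, &s);
    sem_wait(&s.cb_entered);    /* timer fired; callback is running */

    if (wait_for_callback) {
        sem_post(&s.cb_resume);
        pthread_join(timer, NULL);      /* callback has fully returned */
        atomic_store(&s.freed, true);   /* safe: nothing references s */
    } else {
        atomic_store(&s.freed, true);   /* freed under a live callback */
        sem_post(&s.cb_resume);
        pthread_join(timer, NULL);
    }
    return atomic_load(&s.used_after_free);
}
```

The semaphores force the interleaving so the result is deterministic; in the real race the same ordering depends on timing.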