Linux Kernel Bluetooth ISO Connection Locking Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Bluetooth ISO connection handling has been addressed. The issue stemmed from improper locking mechanisms and validity checks, which could lead to race conditions. Specifically, operations that modified the socket state or accessed the connection data needed to be synchronized with the appropriate locks to prevent conflicts. The vulnerability was particularly relevant when reusing old connections, which could result in null pointer dereferences and general protection faults, as indicated by kernel oops traces. The problem was exacerbated by circular locking dependencies that had to be carefully managed.
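The locking discipline described above, as an added userspace model in C (not kernel code and not taken from the fix): the socket state says whether the conn pointer is valid, the two change only together under the socket lock, and locks are always taken in one fixed order. Every name here (`model_connect`, `model_conn_del`, `model_send`, `take`, the rank values) is hypothetical, and pthread mutexes stand in for the kernel's locks.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
/* Userspace model only: every name here is illustrative, not a kernel symbol. */
enum { RANK_DEV = 1, RANK_SOCK = 2 };  /* fixed order: device lock, then socket lock */
enum state { ST_OPEN, ST_CONNECTED, ST_CLOSED };
struct conn { int mtu; };
struct dev  { pthread_mutex_t lock; };
struct sock { pthread_mutex_t lock; enum state state; struct conn *conn; };
static __thread int held_rank;         /* highest lock rank this thread holds */

/* Refuse any acquisition that would invert the lock order. */
static int take(pthread_mutex_t *m, int rank) {
    if (rank <= held_rank) return -EDEADLK;
    pthread_mutex_lock(m);
    held_rank = rank;
    return 0;
}
static void drop(pthread_mutex_t *m, int prev) { pthread_mutex_unlock(m); held_rank = prev; }

/* Attach or detach: device lock spans the update; state and pointer change together. */
static int update_conn(struct dev *d, struct sock *sk, int attach, int mtu) {
    int err = take(&d->lock, RANK_DEV);
    if (err) return err;
    if ((err = take(&sk->lock, RANK_SOCK)) == 0) {
        if (!attach) {
            free(sk->conn); sk->conn = NULL; sk->state = ST_CLOSED;
        } else if (sk->state == ST_CONNECTED) {
            err = -EISCONN;
        } else if ((sk->conn = malloc(sizeof *sk->conn)) == NULL) {
            err = -ENOMEM;
        } else {
            sk->conn->mtu = mtu; sk->state = ST_CONNECTED;
        }
        drop(&sk->lock, RANK_DEV);
    }
    drop(&d->lock, 0);
    return err;
}
int model_connect(struct dev *d, struct sock *sk, int mtu) { return update_conn(d, sk, 1, mtu); }
int model_conn_del(struct dev *d, struct sock *sk) { return update_conn(d, sk, 0, 0); }

/* Send path: the state check and the conn dereference share one critical section. */
int model_send(struct sock *sk, int len) {
    int prev = held_rank, n = take(&sk->lock, RANK_SOCK);
    if (n) return n;
    n = sk->state != ST_CONNECTED ? -ENOTCONN : (len < sk->conn->mtu ? len : sk->conn->mtu);
    drop(&sk->lock, prev);
    return n;
}
```

A send on a torn-down socket returns `-ENOTCONN` instead of touching the freed conn, and any attempt to take the device lock while already holding the socket lock is rejected with `-EDEADLK` rather than creating a circular dependency.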

Impact

Exploitation of this vulnerability could lead to null pointer dereferences, causing kernel crashes. Such dereferences were observed in the context of Bluetooth operations, where the kernel attempted to access freed connection data, leading to general protection faults.

Reproduction

The vulnerability could be reproduced by establishing Bluetooth ISO connections, particularly using Connection-Oriented Channels (CIS) or Broadcast Isochronous Channels (BIS). The issue arises when these connections are managed without the proper locking sequence, allowing operations to race and potentially access invalid or freed data. This can be observed by tracing the Bluetooth connection handling in the kernel, where the improper order of lock management leads to accessing null or invalid pointers, causing crashes.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Dec 30, 2025, 4:32 PM
Updated: Dec 30, 2025, 4:32 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.