Linux Kernel Bluetooth Management Slab-Use-After-Free Vulnerability

A slab-use-after-free vulnerability has been identified in the Bluetooth management subsystem of the Linux kernel. This issue arises in the 'mgmt_remove_adv_monitor_sync' function, where a use-after-free condition is created by improperly managing memory allocation and deallocation. The vulnerability can be triggered when the 'hci_mgmt_cmd' function processes a command that removes an advertising monitor, leading to a crash.

Impact

Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by sending a command to remove an advertising monitor while another process is concurrently accessing the same memory. This can be done through the Bluetooth management interface, specifically by using the 'hci_mgmt_cmd' function to remove an advertising monitor synchronization. The 'mgmt_remove_adv_monitor_sync' function will then attempt to read from a memory address that has already been freed, causing a crash.