Linux Kernel Bluetooth VHCI Driver Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's Bluetooth Virtual HCI (VHCI) driver. The issue arises when one thread closes a VHCI file descriptor while another thread is still using it, creating a race condition. The vulnerability was reported by syzbot, which indicated that the problem occurred after the VHCI device was unregistered but before all references to it had been synchronized. As a result, another thread could still access the device data after it had been freed, which is the use-after-free.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, where memory is released while it is still in use. This can cause memory corruption, allowing for potential arbitrary code execution or other unintended behavior.

Reproduction

The vulnerability can be reproduced by opening a VHCI file descriptor and performing an ioctl operation on it in one thread while another thread closes the same file descriptor. This sequence creates the race condition that triggers the use-after-free.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.
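As an added example that is not part of this advisory, the POSIX shell audit below checks whether the VHCI driver is loaded on a host and whether it has been prevented from loading while the kernel upgrade is pending. It assumes the mainline module name hci_vhci and device node /dev/vhci, which this page does not state, and treats disabling the module as an interim hardening step on hosts that do not need virtual HCI devices, not as the fix the advisory names.

```shell
#!/bin/sh
# Added example: audit the Bluetooth VHCI driver on a host.
# Assumed names (from the mainline kernel, not from the advisory):
#   module hci_vhci, character device /dev/vhci.

# Reads lsmod-style output on stdin; succeeds if hci_vhci is loaded.
vhci_loaded() {
    awk '$1 == "hci_vhci" { found = 1 } END { exit !found }'
}

# Reads modprobe.d configuration on stdin; succeeds if hci_vhci is
# blocked by a "blacklist" line (stops alias-based autoload) or by an
# "install hci_vhci /bin/false|/bin/true" override (also refuses an
# explicit modprobe).
vhci_blocked() {
    awk '
        $1 == "blacklist" && $2 == "hci_vhci" { blocked = 1 }
        $1 == "install" && $2 == "hci_vhci" && $3 ~ /\/bin\/(false|true)/ { blocked = 1 }
        END { exit !blocked }'
}

# Prints a one-line assessment for the running host.
vhci_audit() {
    status="not loaded"
    if lsmod 2>/dev/null | vhci_loaded; then
        status="LOADED"
    fi
    if [ -c /dev/vhci ]; then
        status="$status, /dev/vhci present"
    fi
    if cat /etc/modprobe.d/*.conf 2>/dev/null | vhci_blocked; then
        status="$status, blocked via modprobe.d"
    fi
    echo "hci_vhci: $status"
}
```

Run vhci_audit on a host to see whether the driver is reachable; a blacklist entry alone does not stop an explicit modprobe, so the install override is the stronger setting.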

Added: Jul 9, 2025, 11:45 AM
Updated: Jul 9, 2025, 11:45 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.