Linux Kernel Bluetooth Out-of-Bounds Write Vulnerability in Coredump Handling

Vulnerability

A vulnerability in the Linux kernel's Bluetooth coredump handling can lead to an out-of-bounds write. This issue arises in the 'hci_devcd_dump' function, where both 'dev_coredumpv' and 'skb_put_data' reference 'hdev->dump.head'. The 'dev_coredumpv' function can free this buffer if the data hasn't been read by userspace, causing a 'vmalloc-out-of-bounds' error when 'skb_put_data' attempts to access the now-freed memory. This vulnerability has been reported to crash the kernel, as illustrated by a report from 'syzbot'.

Impact

Exploitation of this vulnerability causes a kernel crash due to a 'vmalloc-out-of-bounds' error, where the kernel accesses memory outside the bounds of allocated resources. This type of error can potentially be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.

Reproduction

The vulnerability can be reproduced by triggering the Bluetooth coredump handling in the Linux kernel. This can be done by using a Bluetooth device that generates coredump data. The 'hci_devcd_dump' function will be called, during which 'dev_coredumpv' will free the 'hdev->dump.head' buffer if the data has not been read by userspace. This creates a race condition that leads to the out-of-bounds write when 'skb_put_data' tries to access the freed buffer.
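As an added illustration of the ordering problem described above and in the Vulnerability section (this is constructed userland C, not code from the page or from the Linux kernel), the model below tracks ownership of the buffer that stands in for 'hdev->dump.head'. The stand-in for 'dev_coredumpv' takes ownership and frees the buffer at once, which is the unread-by-userspace case the report describes; the stand-in for 'skb_put_data' refuses to copy from a buffer it no longer owns instead of performing the out-of-bounds read KASAN would flag. The names 'model_dev_coredumpv', 'model_skb_put_data', 'devcd_dump_reported_order', 'devcd_dump_safe_order' and 'run_ordering' are assumptions made for this example, and the "safe" ordering (copy into the skb before handing the buffer to the coredump layer) is an assumed remedy for the described defect; the page does not quote the contents of the actual patch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userland model of the objects named in the report; not kernel code. */
#define SKB_CAPACITY 256

struct dump_buf {
	char *head;      /* models hdev->dump.head (the dump buffer) */
	size_t len;      /* bytes of dump data held in head */
	bool released;   /* true once ownership has passed to the coredump layer */
};

struct skb {
	char data[SKB_CAPACITY];
	size_t len;
};

/* Models dev_coredumpv(): the coredump layer takes ownership of head and is free
 * to release it. The report states the buffer is freed when userspace has not
 * read the dump, so this model frees it immediately; the caller must not touch
 * head afterwards. */
static void model_dev_coredumpv(struct dump_buf *d)
{
	d->released = true;
	free(d->head);
	d->head = NULL;
}

/* Models skb_put_data(skb, hdev->dump.head, len). The real helper copies blindly;
 * this model returns -1 when the source is no longer owned by the caller, which is
 * the access the report describes as a vmalloc-out-of-bounds error. */
static int model_skb_put_data(struct skb *skb, const struct dump_buf *d)
{
	if (d->released || d->head == NULL)
		return -1;
	if (d->len > SKB_CAPACITY - skb->len)
		return -1;
	memcpy(skb->data + skb->len, d->head, d->len);
	skb->len += d->len;
	return 0;
}

/* Ordering described in the report: hand the buffer to the coredump layer first,
 * then copy it into the skb. */
static int devcd_dump_reported_order(struct dump_buf *d, struct skb *skb)
{
	model_dev_coredumpv(d);
	return model_skb_put_data(skb, d);
}

/* Assumed hardened ordering: copy while the buffer is still owned, then transfer
 * ownership. */
static int devcd_dump_safe_order(struct dump_buf *d, struct skb *skb)
{
	int ret = model_skb_put_data(skb, d);
	model_dev_coredumpv(d);
	return ret;
}

/* Constructed sample payload standing in for HCI dump data. */
static const char kPayload[] = "constructed-hci-dump-data";
#define PAYLOAD_LEN (sizeof(kPayload) - 1)

/* Runs one ordering over a fresh dump buffer. Returns 0 if the skb received the
 * payload intact, -1 if the copy touched a released buffer, -2 if the copied
 * bytes are wrong. */
static int run_ordering(bool safe)
{
	struct dump_buf d = { .head = malloc(PAYLOAD_LEN), .len = PAYLOAD_LEN,
			      .released = false };
	struct skb skb = { .len = 0 };
	int ret;

	memcpy(d.head, kPayload, PAYLOAD_LEN);
	ret = safe ? devcd_dump_safe_order(&d, &skb)
		   : devcd_dump_reported_order(&d, &skb);
	if (ret == 0 &&
	    (skb.len != PAYLOAD_LEN || memcmp(skb.data, kPayload, PAYLOAD_LEN) != 0))
		ret = -2;
	if (!d.released)
		free(d.head);
	return ret;
}

int main(void)
{
	printf("reported order: %d\n", run_ordering(false)); /* -1: released buffer */
	printf("safe order:     %d\n", run_ordering(true));  /*  0: copied intact  */
	return 0;
}
```

The model makes the defect visible as an ownership check rather than as memory corruption: once a buffer has been passed to the coredump layer, any later read of it from the caller is a bug regardless of whether the memory happens to still be mapped, and the sanitizer report quoted by the page is the kernel observing exactly that.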

Remediation

Users should upgrade to a Linux kernel release that includes the fix; the patch is available in the Linux kernel stable tree.

Added: Aug 19, 2025, 6:12 PM
Updated: Aug 19, 2025, 6:12 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.