Linux Kernel Bluetooth Double Free Vulnerability in hci_discovery_filter_clear Function

A double free vulnerability has been identified in the Linux kernel's Bluetooth subsystem, specifically within the 'hci_discovery_filter_clear()' function. This function is responsible for managing the 'uuids' array, which it frees before setting the pointer to NULL. However, a race condition can occur if the function is preempted after freeing the array but before the pointer is set to NULL. This can lead to a situation where the 'uuids' array is freed twice, causing memory corruption. The vulnerability has been addressed by adding proper locking mechanisms around the memory deallocation and pointer nullification processes.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, causing memory corruption and potentially allowing for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by triggering the 'hci_discovery_filter_clear()' function while another process is updating the Bluetooth service discovery, creating a race condition that results in the 'uuids' array being freed twice.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.