Linux Kernel Bluetooth L2CAP Socket Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Bluetooth L2CAP socket handling of the Linux kernel. This issue arises in the 'l2cap_sock_cleanup_listen()' function, where a socket can be freed by one thread while still being accessed by another. The vulnerability was reported by syzbot and is related to the way socket references are managed during concurrent operations.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, which can result in kernel memory corruption and, in the worst case, arbitrary code execution.

Reproduction

The vulnerability can be reproduced by creating a scenario where two threads interact with the same L2CAP socket simultaneously. One thread calls 'bt_accept_dequeue()', which removes the socket from the accept queue and frees it, while the other thread is still holding a pointer to the socket. This requires synchronizing the threads so that they overlap during the socket manipulation, particularly around the 'l2cap_sock_cleanup_listen()' call.
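The race described above is a general pattern: an object sitting on a queue is owned by that queue's reference, and a second thread that only peeked at the object has nothing keeping it alive once the queue drops its reference. The following userspace model is an added example, not Linux kernel code and not the upstream fix; the names 'obj_hold()', 'obj_put()', 'run_scenario()' and the simulated accept queue are hypothetical stand-ins. Two pthreads are forced into the problematic interleaving with barriers so the outcome is deterministic: without its own reference the user thread observes a released object (the use-after-free), while taking a reference before the concurrent dequeue means the object is released exactly once, after its last user is done. The "free" is simulated with a state flag so the unsafe case can be observed without dereferencing freed memory.

```c
/*
 * Model of a queued, reference-counted object (stand-in for a socket on an
 * accept queue) released by one thread while another is still using it.
 * Added illustrative code; not kernel code. obj_hold/obj_put/run_scenario
 * are hypothetical names. "Freeing" only flips a state flag so the unsafe
 * interleaving is observable without touching freed memory.
 */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

enum { OBJ_FREED = 0, OBJ_LIVE = 1 };

struct obj {
    atomic_int refcnt;   /* references held: the queue plus any active users */
    atomic_int state;    /* OBJ_LIVE until the last reference is dropped */
};

struct scenario {
    struct obj *o;               /* the single entry on the simulated accept queue */
    int hold_ref;                /* 1: user thread takes its own reference first */
    pthread_barrier_t b1, b2;    /* pin the interleaving: dequeue's put happens between them */
    int frees;                   /* how many times the object was released */
    int use_after_free;          /* user accesses that observed OBJ_FREED */
};

struct result { int frees; int use_after_free; };

static void obj_hold(struct obj *o) { atomic_fetch_add(&o->refcnt, 1); }

/* Drop one reference; whoever drops the last one releases the object. */
static void obj_put(struct obj *o, struct scenario *s) {
    if (atomic_fetch_sub(&o->refcnt, 1) == 1) {
        atomic_store(&o->state, OBJ_FREED);
        s->frees++;   /* only the thread that dropped the last reference gets here */
    }
}

/* Thread A: dequeue path. Removes the entry and drops the queue's reference. */
static void *dequeue_thread(void *arg) {
    struct scenario *s = arg;
    pthread_barrier_wait(&s->b1);
    obj_put(s->o, s);                  /* queue's reference released here */
    pthread_barrier_wait(&s->b2);
    return NULL;
}

/* Thread B: a user that looked the object up earlier and touches it after A ran. */
static void *user_thread(void *arg) {
    struct scenario *s = arg;
    struct obj *o = s->o;              /* pointer obtained before the dequeue */
    if (s->hold_ref)
        obj_hold(o);                   /* safe pattern: own reference before racing */
    pthread_barrier_wait(&s->b1);
    pthread_barrier_wait(&s->b2);      /* A has dropped the queue's reference by now */
    if (atomic_load(&o->state) == OBJ_FREED)
        s->use_after_free++;           /* in real code this access is the UAF */
    if (s->hold_ref)
        obj_put(o, s);                 /* last reference: released exactly once, after use */
    return NULL;
}

/* Run the interleaving; hold_ref selects the unsafe (0) or reference-holding (1) user. */
struct result run_scenario(int hold_ref) {
    struct scenario s = { 0 };
    struct obj o;
    atomic_init(&o.refcnt, 1);         /* the queue holds the only initial reference */
    atomic_init(&o.state, OBJ_LIVE);
    s.o = &o;
    s.hold_ref = hold_ref;
    pthread_barrier_init(&s.b1, NULL, 2);
    pthread_barrier_init(&s.b2, NULL, 2);
    pthread_t a, b;
    pthread_create(&a, NULL, dequeue_thread, &s);
    pthread_create(&b, NULL, user_thread, &s);
    pthread_join(a, NULL);
    pthread_join(b, NULL);
    pthread_barrier_destroy(&s.b1);
    pthread_barrier_destroy(&s.b2);
    return (struct result){ s.frees, s.use_after_free };
}

int main(void) {
    struct result unsafe = run_scenario(0), safe = run_scenario(1);
    printf("no reference held:  frees=%d use_after_free=%d\n", unsafe.frees, unsafe.use_after_free);
    printf("reference held:     frees=%d use_after_free=%d\n", safe.frees, safe.use_after_free);
    return 0;
}
```

The point the model makes is that the free is not the bug by itself; the bug is a code path that keeps using an object whose only reference belongs to a structure another thread may tear down. Any pointer that outlives the lock protecting the queue needs its own reference for exactly as long as it is dereferenced.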

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to a kernel version in which this issue has been addressed.

Added: Sep 19, 2025, 4:40 PM
Updated: Sep 19, 2025, 4:40 PM

Vulnerability Rating (Custom Algorithm)

spread          9.0
impact          2.5
exploitability  5.3
remediation     7.7
relevance       0.5
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.