Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's brcmfmac Wi-Fi driver, in the functions that manage Bluetooth coexistence (btcoex). It stems from a race condition during detachment of the coexistence information. brcmf_btcoex_detach() stops the coexistence timer only if the timer_on flag is false, but the timer function can reset that flag while the timer is still running, so the timer may not be shut down before the associated work is rescheduled. As a result, the driver can access memory that has already been freed. The vulnerability can be triggered in two scenarios: the coexistence information is freed before the scheduled work runs, or it is freed after the work has been scheduled but before that work completes.
The resulting use-after-free can commonly be exploited to execute arbitrary code or to crash the system.
To reproduce this vulnerability, brcmf_btcoex_detach() must be called while brcmf_btcoex_timerfunc() is still executing, i.e. the detachment must be triggered before the timer function has completed, creating the race condition. Once the timer function has been cancelled and the coexistence information freed, the timer can be rescheduled, causing the worker thread to access the freed memory and trigger the use-after-free.
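The interleaving described above, modelled deterministically in user-space C as an added illustration (not the driver's code; the struct, the split of the callback into an enter and an exit half, and the function names are assumptions): the flag-guarded detach skips cancellation because the callback has already cleared timer_on, while the synchronous variant waits for the callback and cancels the queued work before freeing.

```c
#include <stdbool.h>
/* Deterministic model of the btcoex teardown race (added illustration; names
 * are assumptions, not the driver's code). It shows why a flag the timer
 * callback clears itself cannot tell detach whether that callback still runs. */
struct btcoex_model {
    bool timer_on;         /* driver bookkeeping, cleared by the callback */
    bool callback_running;
    bool work_queued;      /* the callback schedules a work item */
    bool freed;
    bool uaf;              /* set when freed memory is touched */
};
/* Timer callback, first half: clears the flag while still executing. */
void timerfunc_enter(struct btcoex_model *m) {
    m->callback_running = true;
    m->timer_on = false;
}
/* Timer callback, second half: queues work, touching the info struct. */
void timerfunc_exit(struct btcoex_model *m) {
    if (m->freed) m->uaf = true;
    m->work_queued = true;
    m->callback_running = false;
}
/* Work item: dereferences the info struct when it eventually runs. */
void work_run(struct btcoex_model *m) {
    if (!m->work_queued) return;
    if (m->freed) m->uaf = true;
    m->work_queued = false;
}
/* Flag-guarded detach: cancels only if timer_on is set, then frees. */
void detach_flag_guarded(struct btcoex_model *m) {
    if (m->timer_on) m->timer_on = false;       /* conditional cancel */
    m->freed = true;
}
/* Synchronous detach: wait out a running callback, disarm, cancel queued work, then free. */
void detach_sync(struct btcoex_model *m) {
    if (m->callback_running) timerfunc_exit(m); /* models waiting for it */
    m->timer_on = false;
    m->work_queued = false;
    m->freed = true;
}
/* Interleaving from the description; returns true if freed memory was touched. */
bool interleave_has_uaf(void (*detach)(struct btcoex_model *)) {
    struct btcoex_model m = { .timer_on = true };
    timerfunc_enter(&m);   /* callback starts and clears timer_on */
    detach(&m);            /* detach races with the running callback */
    if (m.callback_running) timerfunc_exit(&m);
    work_run(&m);          /* queued work runs last */
    return m.uaf;
}
```

The same interleaving yields a use-after-free with the flag-guarded detach and none with the synchronous one, which is the property a fix must guarantee.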
The vulnerability has been addressed in the official Linux Git repository. Users can upgrade to the latest version of the Linux kernel to apply the fix.