Linux Kernel Bluetooth btusb Use-After-Free Vulnerability in btusb_disconnect Function

A use-after-free vulnerability has been identified in the Bluetooth btusb driver of the Linux kernel. This issue arises in the btusb_disconnect function, where the btusb data associated with a USB interface is accessed after it has been freed, leading to a use-after-free condition. The vulnerability was detected by the Kernel Address Sanitizer (KASAN), which reported a slab-use-after-free read. The problem occurs when 'usb_driver_release_interface' is called, freeing the btusb data for the interface. Subsequent access to this data in the same function creates a use-after-free scenario.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, which may be exploited to execute arbitrary code or cause a denial-of-service by crashing the system.

Reproduction

To reproduce this vulnerability, disconnect a Bluetooth device managed by the btusb driver. The btusb_disconnect function will be called, where the vulnerability can be triggered by accessing freed data.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.