Linux Kernel Bluetooth Subsystem Bluetooth: SCO Use-After-Free Vulnerability in SCO Connection Management

Vulnerability

A use-after-free vulnerability has been identified in the Bluetooth SCO (Synchronous Connection-Oriented) subsystem of the Linux kernel. The issue lies in SCO connection management, specifically in the 'sco_conn_free' function. It is a use-after-free on slab-allocated memory, which can potentially be exploited to manipulate kernel memory and execute arbitrary code.

Impact

Exploitation of this vulnerability yields a use-after-free condition, which is typically leveraged to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by creating a Bluetooth SCO connection and then abruptly terminating it. The socket allocated for the SCO connection is freed without the associated reference counts being managed correctly. The 'sco_sock_kill' function performs this teardown, and the vulnerability manifests when the connection is freed while it is still in use, producing a use-after-free condition.

Remediation

Upgrade to the latest stable Linux kernel release, in which this vulnerability has been patched. Instructions for downloading the latest release are available on the official Linux kernel website.
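As an added example (not part of this advisory, and not code from the kernel project), the POSIX shell script below is a defender-side triage check for the remediation step above: it compares the running kernel release with the first release that carries the fix and reports whether the Bluetooth stack, which contains the SCO socket code, is currently loaded. FIXED_KERNEL is a placeholder because the advisory does not name the fixed release; the assumption that the SCO code ships inside the 'bluetooth' module is noted in the code.

```shell
#!/bin/sh
# Added example, not part of the advisory: compare the running kernel release
# with the first release carrying the fix and report whether the Bluetooth
# stack (which contains the SCO socket code) is loaded.
# FIXED_KERNEL is a placeholder; the advisory does not name the fixed release,
# so take it from the upstream fix or from your distribution's advisory.
FIXED_KERNEL="${FIXED_KERNEL:-SET-ME}"

# kver_lt A B: succeed (exit 0) when kernel release A is older than B.
# Distro and rc suffixes ("-generic", "-rc2", "+") are stripped, so an -rc
# kernel compares equal to the final release; treat that as a known limit.
kver_lt() {
    awk -v a="${1%%[-+]*}" -v b="${2%%[-+]*}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# bt_loaded: succeed when the bluetooth module is loaded or built in.
# Assumption: the SCO socket code is part of the 'bluetooth' module.
bt_loaded() {
    [ -d /sys/module/bluetooth ] || grep -q '^bluetooth ' /proc/modules 2>/dev/null
}

# assess RUNNING FIXED BT (BT is yes/no): print a one-word verdict.
#   VULNERABLE              kernel predates the fix and Bluetooth is loaded
#   UNPATCHED-BT-NOT-LOADED kernel predates the fix, Bluetooth not loaded now
#   PATCHED                 kernel is at or beyond the fixed release
assess() {
    if kver_lt "$1" "$2"; then
        if [ "$3" = yes ]; then echo VULNERABLE; else echo UNPATCHED-BT-NOT-LOADED; fi
    else
        echo PATCHED
    fi
}

# Run the live check only when a real fixed release has been supplied, so
# that sourcing this file for its functions has no side effects.
if [ "$FIXED_KERNEL" != SET-ME ]; then
    if bt_loaded; then bt=yes; else bt=no; fi
    running=$(uname -r)
    printf '%s: kernel %s, fix in %s, bluetooth loaded=%s\n' \
        "$(assess "$running" "$FIXED_KERNEL" "$bt")" "$running" "$FIXED_KERNEL" "$bt"
fi
```

Run it as `FIXED_KERNEL=<fixed release> sh check.sh`. The version comparison is only a first pass: distribution kernels routinely backport fixes without raising the upstream version number, so an UNPATCHED or VULNERABLE verdict on a distro kernel should be confirmed against the distribution's own advisory or package changelog before acting on it.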

Added: Dec 8, 2025, 1:35 AM
Updated: Dec 8, 2025, 1:35 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.