Linux Kernel Bluetooth Command Synchronization Vulnerability Leading to Use-After-Free

Vulnerability

A race condition vulnerability has been identified in the Bluetooth command synchronization handling of the Linux kernel. The issue arises in the 'hci_cmd_sync_dequeue_once' function, which looks up a command entry and then cancels it under two separate lock sections, so the lock is dropped between the two steps. In that window the 'hci_cmd_sync_work' function can delete the same entry; the later cancel then removes it a second time, causing a double removal from the list and leading to a use-after-free condition. The vulnerability affects the Linux kernel stable tree, specifically the Bluetooth subsystem's command synchronization management.
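The split-lock pattern the advisory describes, as an added illustration that is not the kernel's code: a userspace model in which the dequeue path looks an entry up in one critical section and cancels it in a second, while a deleter runs in between. All names (cmd_entry, split_lookup, split_cancel, remove_once, DEMO_OPCODE) and the list layout are hypothetical; the lock is a depth counter rather than a real spinlock so the losing interleaving can be forced rather than raced. The 'on_list' flag stands in for memory that would already be freed in the kernel, so the double removal shows up as a return code instead of a crash.

```c
#include <stdbool.h>
#include <stddef.h>
#define DEMO_OPCODE 42   /* constructed value, not a real HCI opcode */

/* Hypothetical userspace model of the split-lock pattern described above. Names,
 * list layout and opcode value are constructed for this example; none of it is the
 * kernel's code. The "lock" is a depth counter standing in for the real spinlock so
 * the losing interleaving can be forced deterministically instead of raced. */
struct cmd_entry {
    int opcode;
    bool on_list;                 /* membership flag: makes a double unlink observable */
    struct cmd_entry *next;
};

struct cmd_list {
    int lock_depth;               /* >0 while a critical section is open */
    struct cmd_entry *head;
};

static void lock(struct cmd_list *l)   { l->lock_depth++; }
static void unlock(struct cmd_list *l) { l->lock_depth--; }

static void list_add(struct cmd_list *l, struct cmd_entry *e)
{
    lock(l);
    e->on_list = true;
    e->next = l->head;
    l->head = e;
    unlock(l);
}

/* Caller holds the lock; the returned pointer is valid only while it does. */
static struct cmd_entry *lookup_locked(struct cmd_list *l, int opcode)
{
    for (struct cmd_entry *e = l->head; e; e = e->next)
        if (e->opcode == opcode)
            return e;
    return NULL;
}

/* Caller holds the lock. */
static void unlink_locked(struct cmd_list *l, struct cmd_entry *e)
{
    for (struct cmd_entry **pp = &l->head; *pp; pp = &(*pp)->next)
        if (*pp == e) {
            *pp = e->next;
            e->on_list = false;
            return;
        }
}

/* Lookup and unlink inside one critical section. This is the shape of the
 * concurrent deleter (the role 'hci_cmd_sync_work' plays in the advisory) and
 * also the fixed shape for the dequeue path. Returns 1 if an entry was removed. */
static int remove_once(struct cmd_list *l, int opcode)
{
    lock(l);
    struct cmd_entry *e = lookup_locked(l, opcode);
    if (e)
        unlink_locked(l, e);
    unlock(l);
    return e != NULL;
}

/* Buggy shape, section 1: find the entry, then drop the lock. The window opens here. */
static struct cmd_entry *split_lookup(struct cmd_list *l, int opcode)
{
    lock(l);
    struct cmd_entry *e = lookup_locked(l, opcode);
    unlock(l);
    return e;
}

/* Buggy shape, section 2: act on the earlier pointer without re-validating it.
 * Returns 1 for a normal cancel, -1 when the entry was already removed in the
 * window (the double removal; in the kernel that is a list_del on freed memory). */
static int split_cancel(struct cmd_list *l, struct cmd_entry *e)
{
    lock(l);
    int rc = e->on_list ? (unlink_locked(l, e), 1) : -1;   /* -1: already gone */
    unlock(l);
    return rc;
}

/* Forces the losing interleaving: lookup, deleter runs in the window, stale cancel. */
static int demo_split_lock_race(void)
{
    struct cmd_list l = { 0, NULL };
    struct cmd_entry e = { DEMO_OPCODE, false, NULL };
    list_add(&l, &e);
    struct cmd_entry *found = split_lookup(&l, DEMO_OPCODE);   /* section 1 */
    remove_once(&l, DEMO_OPCODE);                              /* deleter wins the window */
    return split_cancel(&l, found);                            /* section 2 -> -1 */
}

/* Same two actors, fixed shape: first remover wins, the second finds nothing. */
static int demo_single_section(void)
{
    struct cmd_list l = { 0, NULL };
    struct cmd_entry e = { DEMO_OPCODE, false, NULL };
    list_add(&l, &e);
    int deleter = remove_once(&l, DEMO_OPCODE);   /* 1 */
    int dequeue = remove_once(&l, DEMO_OPCODE);   /* 0: nothing left, no stale pointer */
    return deleter * 10 + dequeue;                /* 10 */
}
```

The fix gives the dequeue path the same single-section shape as the deleter: whichever side finds the entry first unlinks it, and no pointer ever survives a lock drop, so there is nothing stale left to act on. When reviewing similar code, the thing to look for is any pointer obtained under a lock that is used again after the lock has been released.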

Impact

Exploitation of this vulnerability leads to a use-after-free condition, which may be used to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by invoking the 'hci_cmd_sync_dequeue_once' function in a scenario where the 'hci_cmd_sync_work' function concurrently deletes the same command entry. This can be achieved by manipulating the command synchronization queue to create a race condition between the lookup, cancellation, and deletion of command entries.

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Dec 8, 2025, 1:25 AM
Updated: Dec 8, 2025, 1:25 AM

Vulnerability Rating (Custom Algorithm)

  Category         Score
  spread           9.0
  impact           2.5
  exploitability   3.9
  remediation      7.7
  relevance        1.3
  threat           4.8
  urgency          2.9
  incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.