Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Bluetooth btusb driver of the Linux kernel has been addressed by reverting a previous change that used the 'devm_kzalloc' function for memory allocation. Allocating with 'devm_kzalloc' ties the lifetime of the allocated data to a specific driver-interface binding, which can lead to issues when the driver interacts with multiple interfaces. The problem arises in the 'btusb_disconnect' function, where the devm-managed data can be freed prematurely, causing potential disruptions. The vulnerability affects the Linux kernel Bluetooth subsystem, specifically the btusb driver.
The vulnerability could lead to improper memory management, where data used by one interface could be freed while still in use by another, potentially causing instability or crashes.
The vulnerability can be reproduced by loading a Bluetooth driver that binds to multiple interfaces, such as ISOC and DIAG. Once the driver is active, the 'btusb_disconnect' function will be called, which releases the data allocated with 'devm_kzalloc'. This can inadvertently disrupt the operation of the driver on other interfaces that may not have completed their own disconnect processes.
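The lifetime problem described above, as an added userspace model in C (not kernel code and not the upstream patch): shared driver state is either tied to the INTF binding, as with a devm-managed allocation, or freed explicitly after every interface is released. The names `drv_state`, `release_interface` and `disconnect_all` are hypothetical, and the free is recorded rather than performed so the result can be inspected.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model with constructed names, not kernel code: one driver
 * state shared by the main interface (INTF) and the ISOC and DIAG ones. */
enum { INTF, ISOC, DIAG, NUM_IF };

struct drv_state {
    bool bound[NUM_IF]; /* interfaces that still use this state */
    bool devm_owned;    /* lifetime tied to the INTF binding */
    int users_at_free;  /* interfaces still bound at the free; -1 = not freed */
};

/* Stand-in for the actual free: record who was still using the state. */
static void mark_freed(struct drv_state *d)
{
    if (d->users_at_free >= 0)
        return; /* already freed */
    d->users_at_free = 0;
    for (int i = 0; i < NUM_IF; i++)
        d->users_at_free += d->bound[i];
}

/* Unbind one interface; a devm-style allocation goes away with INTF. */
static void release_interface(struct drv_state *d, int intf)
{
    d->bound[intf] = false;
    if (d->devm_owned && intf == INTF)
        mark_freed(d);
}

/* Release interfaces in the given order; returns users left on freed state. */
static int disconnect_all(bool devm_owned, const int order[NUM_IF])
{
    struct drv_state d = { { true, true, true }, devm_owned, -1 };
    for (int i = 0; i < NUM_IF; i++)
        release_interface(&d, order[i]);
    if (!devm_owned)
        mark_freed(&d); /* explicit free once every interface is released */
    return d.users_at_free;
}

int main(void)
{
    const int intf_first[NUM_IF] = { INTF, ISOC, DIAG };
    printf("devm-managed: %d dangling, explicit free: %d dangling\n",
           disconnect_all(true, intf_first), disconnect_all(false, intf_first));
    return 0;
}
```

With the devm-style lifetime the outcome depends on which interface is released first, whereas the explicit free reports no remaining users in any order.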
Users should update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for updating the kernel can be found in the official Linux documentation or through the package management system of the Linux distribution in use.