Linux Kernel Bluetooth Management Memory Leak Vulnerability

Vulnerability

A memory leak vulnerability has been identified in the Linux kernel's Bluetooth management component. Specifically, the issue arises in the 'set_ssp_complete' function, where 'mgmt_pending_cmd' structures are not properly freed after being removed from the pending list. This oversight, introduced by a previous commit that changed how management commands are handled, leads to a memory leak for each completed SSP command. The same issue also occurs in the 'set_advertising_complete' function. The vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability leads to a memory leak, causing increased memory usage over time as 'mgmt_pending_cmd' structures and their associated data are not freed after SSP commands are completed.

Reproduction

The vulnerability can be reproduced by completing an SSP command in the Bluetooth management layer of the Linux kernel. The 'set_ssp_complete' function is called, but the call to 'mgmt_pending_free', which is supposed to free the 'mgmt_pending_cmd' structures, is missing. This can be verified by monitoring memory usage, which increases because the structures are never freed.
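
The leak pattern described above, as an added example that is not the kernel's code: a userspace C model in which a fixed pool stands in for the kernel heap. The names pending_add, pending_unlink, complete_leaky, complete_fixed and leaked_after are hypothetical; the leaky handler unlinks a command from the pending list without releasing it, and the fixed handler releases it as well.

```c
#include <stddef.h>
#include <string.h>
#define POOL_SIZE 256                 /* constructed: fixed pool stands in for the kernel heap */

struct pending_cmd {                  /* simplified stand-in for mgmt_pending_cmd */
    struct pending_cmd *next;
    int in_use;                       /* 1 while the slot is allocated */
    unsigned char param[8];           /* the command's associated data */
};
static struct pending_cmd pool[POOL_SIZE];
static struct pending_cmd *pending_list;

static struct pending_cmd *pending_add(unsigned char val)
{
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = 1;
        pool[i].param[0] = val;
        pool[i].next = pending_list;
        pending_list = &pool[i];
        return &pool[i];
    }
    return NULL;                      /* pool exhausted */
}

static void pending_unlink(struct pending_cmd *cmd)
{
    struct pending_cmd **pp = &pending_list;
    while (*pp && *pp != cmd) pp = &(*pp)->next;
    if (*pp) *pp = cmd->next;
}

/* Leaky handler: after the unlink nothing references cmd, yet it stays allocated. */
static void complete_leaky(struct pending_cmd *cmd) { pending_unlink(cmd); }
/* Fixed handler: unlink, then release the command and its data. */
static void complete_fixed(struct pending_cmd *cmd) { pending_unlink(cmd); cmd->in_use = 0; }

/* Complete up to n commands; return how many pool slots remain allocated afterwards. */
int leaked_after(int n, int fixed)
{
    int count = 0;
    memset(pool, 0, sizeof(pool)); pending_list = NULL;   /* start from a clean pool */
    for (int i = 0; i < n; i++) {
        struct pending_cmd *cmd = pending_add(0x01);
        if (!cmd) break;              /* allocation failed: every slot is leaked */
        if (fixed) complete_fixed(cmd); else complete_leaky(cmd);
    }
    for (size_t i = 0; i < POOL_SIZE; i++) count += pool[i].in_use;
    return count;
}
```

In the model the pending list is empty after every run, so any slot still marked in use is unreachable, which is the condition the missing free creates for each completed command.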

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version that includes the fix commit.

Added: Feb 14, 2026, 4:26 PM
Updated: Feb 14, 2026, 4:26 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 3.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.