Linux Kernel Bluetooth SCO Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Bluetooth SCO (Synchronous Connection-Oriented) implementation of the Linux kernel ('net/bluetooth/sco.c'). In 'sco_recv_frame()', the code takes the connection lock, reads the connection's socket pointer ('conn->sk'), and releases the lock again without taking its own reference on that socket. Everything that follows (the socket state check and queuing the received frame to the socket) therefore runs on a socket that nothing keeps alive: a concurrent 'close()' of the same socket detaches it from the connection and drops the last reference, and the receive path then dereferences freed memory. The other functions in the same file that use the connection's socket outside the lock hold a reference while doing so; 'sco_recv_frame()' is the one that does not, which is what makes the race exploitable.

Impact

This is a use-after-free in kernel context. The most likely outcome of winning the race is a kernel crash (denial of service); as with other kernel use-after-free bugs, an attacker who controls what the freed slab object is reused for may be able to turn the dangling socket pointer into memory corruption and arbitrary code execution in the kernel. Triggering it requires an established SCO link: SCO frames only arrive from a connected Bluetooth device, and the 'close()' side of the race is a local process closing its SCO socket, so the realistic attacker is a local user with access to Bluetooth (possibly cooperating with a peer device they control), not an arbitrary remote device.

Reproduction

To reach the vulnerable code, a process creates a SCO socket ('socket(AF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_SCO)'), connects it to a Bluetooth device, and lets the device stream SCO data; every incoming SCO frame is handed by the HCI receive path to 'sco_recv_frame()'. The race is between that receive path and a 'close()' of the socket: if 'close()' runs after 'sco_recv_frame()' has read the socket pointer and released the connection lock, but before it checks the socket state and queues the frame, the socket is freed while the receive path still holds a pointer to it. In practice this means closing the SCO socket repeatedly while audio data is being received. The window is small and timing-dependent, so hits are probabilistic; a KASAN-enabled kernel is the practical way to confirm one, since it reports the access in 'sco_recv_frame()' as a use-after-free instead of letting the kernel silently read freed memory.
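The interleaving just described, modelled in user space as an added example rather than kernel code or the page's own material. The kernel's 'struct sock', 'struct sco_conn', connection lock and 'sock_hold()'/'sock_put()' are replaced by small stand-ins, the other CPU running 'close()' is replaced by a callback invoked inside the race window, and the hardened variant (which takes a reference while the lock is still held, the pattern the rest of 'sco.c' uses) is illustrative, not a copy of the upstream patch:

```c
/* Single-threaded model of the sco_recv_frame() race. Constructed example: the
 * structs and helpers stand in for the kernel's struct sock, struct sco_conn,
 * sco_conn_lock() and sock_hold()/sock_put(); nothing is really freed, so the
 * use-after-free is observable instead of crashing the process. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

#define BT_CONNECTED 1
#define BT_CLOSED    2          /* value chosen for the model only */

struct sock {
    int  refcnt;                /* models sk->sk_refcnt */
    int  sk_state;              /* models sk->sk_state */
    bool freed;                 /* model only: last reference gone (kernel: kfree) */
    int  queued;                /* frames that reached the receive queue */
};
struct sco_conn {
    struct sock *sk;            /* models conn->sk */
    bool locked;                /* models the sco_conn lock */
};

static void sco_conn_lock(struct sco_conn *c)   { assert(!c->locked); c->locked = true;  }
static void sco_conn_unlock(struct sco_conn *c) { assert(c->locked);  c->locked = false; }
static void sock_hold(struct sock *sk) { assert(!sk->freed); sk->refcnt++; }
static void sock_put(struct sock *sk)  { assert(sk->refcnt > 0); if (--sk->refcnt == 0) sk->freed = true; }
static int  sock_queue_rcv_skb(struct sock *sk) { if (sk->freed) return -1; sk->queued++; return 0; }

/* Models close(): detach the socket under the lock, then drop the owner's reference. */
static void sco_sock_close(struct sco_conn *conn)
{
    struct sock *sk;
    sco_conn_lock(conn);
    sk = conn->sk;
    conn->sk = NULL;
    sco_conn_unlock(conn);
    if (sk) {
        sk->sk_state = BT_CLOSED;
        sock_put(sk);           /* last reference unless someone else holds one */
    }
}

typedef void (*preempt_fn)(struct sco_conn *);

/* Vulnerable pattern: read conn->sk under the lock, drop the lock, then use sk
 * without a reference of our own; 'preempt' stands for another CPU running
 * close() in that window. Returns 1 = queued, 0 = dropped, -1 = used after free. */
static int sco_recv_frame_vulnerable(struct sco_conn *conn, preempt_fn preempt)
{
    struct sock *sk;
    sco_conn_lock(conn);
    sk = conn->sk;
    sco_conn_unlock(conn);
    if (!sk) return 0;
    if (preempt) preempt(conn);                 /* close() lands here and frees sk */
    if (sk->freed) return -1;                   /* the sk->sk_state read would be the UAF */
    if (sk->sk_state != BT_CONNECTED) return 0;
    return sock_queue_rcv_skb(sk) == 0 ? 1 : 0;
}

/* Hardened pattern (illustrative, not a copy of the upstream patch): take our own
 * reference while still holding the lock, so close() can only drop its reference. */
static int sco_recv_frame_fixed(struct sco_conn *conn, preempt_fn preempt)
{
    struct sock *sk;
    int ret = 0;
    sco_conn_lock(conn);
    sk = conn->sk;
    if (sk) sock_hold(sk);
    sco_conn_unlock(conn);
    if (!sk) return 0;
    if (preempt) preempt(conn);                 /* close() runs, but cannot free sk now */
    if (sk->freed) ret = -1;                    /* unreachable: we hold a reference */
    else if (sk->sk_state == BT_CONNECTED && sock_queue_rcv_skb(sk) == 0) ret = 1;
    sock_put(sk);                               /* may be the last reference: freed here, safely */
    return ret;
}

/* Delivers one frame to a fresh connected socket; 'race' injects close() into the
 * window, 'freed_after' (may be NULL) reports whether the socket got released. */
static int run_scenario(bool fixed, bool race, bool *freed_after)
{
    struct sock sk = { .refcnt = 1, .sk_state = BT_CONNECTED };
    struct sco_conn conn = { .sk = &sk };
    preempt_fn preempt = race ? sco_sock_close : NULL;
    int ret = fixed ? sco_recv_frame_fixed(&conn, preempt)
                    : sco_recv_frame_vulnerable(&conn, preempt);
    if (!race) sco_sock_close(&conn);           /* orderly close after delivery */
    if (freed_after) *freed_after = sk.freed;
    return ret;
}
static bool socket_freed_after(bool fixed, bool race) { bool f = false; run_scenario(fixed, race, &f); return f; }

int main(void)
{
    printf("vulnerable: no race %d, race %d\n", run_scenario(false, false, NULL), run_scenario(false, true, NULL));
    printf("fixed: no race %d, race %d, released after race %d\n", run_scenario(true, false, NULL),
           run_scenario(true, true, NULL), socket_freed_after(true, true));
    return 0;
}
```

The 'freed' flag stands in for memory returned to the slab. With the race injected, the vulnerable variant returns -1 because the socket is already gone when its state is read; the hardened variant instead observes the socket as closed, drops the frame, and its own 'sock_put()' then releases the socket, so the fix neither touches freed memory nor leaks the socket.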

Remediation

The vulnerability has been fixed in the Linux kernel: the fix keeps a reference to the socket while 'sco_recv_frame()' uses it outside the connection lock, bringing it in line with the other functions in the file, so a concurrent 'close()' can no longer free the socket underneath the receive path. Users should upgrade to a stable kernel release that contains the fix (check the running version with 'uname -r' against the distribution's advisory). Where Bluetooth is not needed, blacklisting or unloading the 'bluetooth' module removes the attack surface until the kernel is updated.

Added: Apr 6, 2026, 8:25 AM
Updated: Apr 6, 2026, 8:25 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 5.0
exploitability: 3.9
remediation: 7.7
relevance: 5.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.