Linux Kernel Bluetooth btintel Hardware Error Handling Race Condition Vulnerability

Vulnerability

A race condition has been identified in the Bluetooth btintel driver of the Linux kernel. The function btintel_hw_error() issues two synchronous HCI commands without taking the required lock, so it can run concurrently with the Bluetooth device close path. When the close path frees a command response buffer that the error handler is still using, the result is a use-after-free.

Impact

Triggering this race causes a use-after-free, in which the error handler accesses a buffer that has already been freed; this can lead to memory corruption and potentially to arbitrary code execution.

Reproduction

The condition is reached when btintel_hw_error() runs while the Bluetooth device is being closed. A hardware error reported by the btintel device causes btintel_hw_error() to execute without the necessary synchronization lock; if a device close is in progress at the same time, the response buffer of the HCI command can be freed before the error handler has finished processing it, which is the use-after-free.

Remediation

The fix modifies btintel_hw_error() to take the necessary synchronization lock, so that it can no longer interleave with the Bluetooth device close path. Users should update to a Linux kernel version that includes this fix.
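As an added illustration (constructed for this page, not kernel code), the following C model steps a two-command error handler against a device close under a fixed schedule, once without and once with the lock the fix introduces. The device structure, the request lock, the step functions and the schedule strings are all assumptions of the model; a freed response is tracked by nulling the pointer so the race is counted rather than dereferenced.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model: one device with the request lock the fix takes around
 * the synchronous commands, an open flag, and the reply buffer of the last
 * command. A freed reply is marked by resp == NULL instead of being read. */
struct dev {
    bool req_lock, open;  /* lock held while a synchronous request is in flight */
    char *resp;           /* reply buffer the error handler still reads */
    int err_step, uaf;    /* handler progress 0..3; reads of a freed reply */
};

static void cmd_sync(struct dev *d) {
    free(d->resp); d->resp = calloc(1, 16);  /* constructed stand-in reply */
}

/* Error handler, one step per call: step 0 sends command 1, step 1 reads its
 * reply and sends command 2, step 2 reads that reply and finishes. With
 * `locked` the handler holds req_lock across all three steps (the fix). */
static void hw_error_step(struct dev *d, bool locked) {
    if (d->err_step > 2) return;
    if (d->err_step == 0) {
        if (!d->open) { d->err_step = 3; return; }  /* device already closed */
        if (locked) d->req_lock = true;
        cmd_sync(d);
    } else {
        if (d->resp == NULL) d->uaf++;              /* close freed it under us */
        else if (d->err_step == 1) cmd_sync(d);
        if (d->err_step == 2 && locked) d->req_lock = false;
    }
    d->err_step++;
}

/* Device close: waits for the request lock, then frees the reply buffer. */
static bool close_step(struct dev *d) {
    if (d->req_lock) return false;  /* blocked behind the error handler */
    d->open = false; free(d->resp); d->resp = NULL;
    return true;
}

/* Run a schedule of 'E' (one error-handler step) and 'C' (device close);
 * return how often the handler read the freed reply, 0 meaning no UAF. */
int run_schedule(const char *sched, bool locked) {
    struct dev d = { .open = true };
    bool close_pending = false;
    for (; *sched; sched++) {
        if (*sched == 'E') hw_error_step(&d, locked);
        else if (*sched == 'C') close_pending = !close_step(&d);
    }
    if (close_pending) close_step(&d);  /* close resumes once the lock drops */
    free(d.resp);
    return d.uaf;
}
```

With the schedule "ECEE" (close lands between the two commands) the unlocked handler reads the freed reply, while the locked handler forces the close to wait until both commands have completed.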

Added: Apr 22, 2026, 2:59 PM
Updated: Apr 22, 2026, 2:59 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these 8 category scores, which are then combined into the overall risk score.