Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A race condition vulnerability has been identified in the Bluetooth SCO (Synchronous Connection-Oriented) implementation of the Linux kernel. The issue arises in the `sco_sock_connect()` function, where the socket state and type are checked without holding the socket lock. Because the checks are not atomic with the connection setup that follows, two concurrent `connect()` system calls on the same socket can both pass the initial checks and proceed into `sco_connect()`. The result is a use-after-free condition, where one connection attempt can interfere with another and lead to memory corruption.
Exploitation of this vulnerability causes a use-after-free condition, where a socket that has been closed is accessed again, leading to memory corruption. This type of vulnerability can often be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.
The vulnerability can be reproduced by initiating two concurrent Bluetooth SCO connection requests on the same socket. This can be done by using multiple threads or processes that send `connect()` syscalls to the same SCO socket simultaneously. The first connection request can be blocked, allowing the second one to proceed and complete the connection process, which will then trigger the use-after-free condition when the first request is finally processed.
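The check-then-act pattern behind this bug, and the shape of the fix (performing the state check under the same lock hold as the connection setup), can be shown in user space. The following is an added example, not code from the advisory or from the Linux kernel: `struct sco_sock_model`, `model_sco_connect()`, `racy_connect_check()`, `racy_connect_commit()` and `locked_connect()` are simplified stand-ins for the kernel's socket, `sco_connect()` and the two versions of `sco_sock_connect()`, and `pthread_mutex_t` stands in for `lock_sock()`/`release_sock()`. The two halves of the racy path are split into separate functions so that the losing interleaving (both callers check before either commits) can be reproduced deterministically instead of depending on thread scheduling.

```c
/* Added example (not from the advisory or the kernel): a user-space model of
 * the unlocked check in sco_sock_connect() and of the locked version that
 * closes the race.  Names below are illustrative, not kernel identifiers. */
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

enum sock_state { BT_OPEN, BT_BOUND, BT_CONNECT, BT_CONNECTED };

struct sco_sock_model {
    pthread_mutex_t lock;   /* stands in for the kernel socket lock */
    enum sock_state state;
    int sco_connect_calls;  /* how many times the connect path was entered */
};

static void init_sock(struct sco_sock_model *sk)
{
    pthread_mutex_init(&sk->lock, NULL);
    sk->state = BT_OPEN;
    sk->sco_connect_calls = 0;
}

/* The pre-connect state test: only an open or bound socket may connect. */
static int state_allows_connect(const struct sco_sock_model *sk)
{
    return sk->state == BT_OPEN || sk->state == BT_BOUND;
}

/* Stand-in for sco_connect(): sets up a connection and advances the state.
 * Entering it twice for one socket is the condition the fix must rule out. */
static void model_sco_connect(struct sco_sock_model *sk)
{
    sk->sco_connect_calls++;
    sk->state = BT_CONNECT;
}

/* Vulnerable shape, part 1: the state check runs without the lock. */
static int racy_connect_check(struct sco_sock_model *sk)
{
    if (!state_allows_connect(sk))
        return -EBADFD;
    return 0;
}

/* Vulnerable shape, part 2: the lock is only taken for the work that follows,
 * so it cannot protect the decision that was already made in part 1. */
static void racy_connect_commit(struct sco_sock_model *sk)
{
    pthread_mutex_lock(&sk->lock);
    model_sco_connect(sk);
    pthread_mutex_unlock(&sk->lock);
}

/* Fixed shape: check and connect happen in one critical section, so the
 * second caller sees the state the first caller left behind. */
static int locked_connect(struct sco_sock_model *sk)
{
    int err = 0;

    pthread_mutex_lock(&sk->lock);
    if (!state_allows_connect(sk))
        err = -EBADFD;
    else
        model_sco_connect(sk);
    pthread_mutex_unlock(&sk->lock);
    return err;
}

/* Interleaving two callers on the racy path: both checks pass before either
 * commit, so the connect path is entered twice.  Returns the entry count. */
int racy_connect_path_entries(void)
{
    struct sco_sock_model sk;
    int a, b;

    init_sock(&sk);
    a = racy_connect_check(&sk);   /* caller 1 checks: BT_OPEN, passes */
    b = racy_connect_check(&sk);   /* caller 2 checks: still BT_OPEN, passes */
    if (a == 0)
        racy_connect_commit(&sk);  /* caller 1 connects */
    if (b == 0)
        racy_connect_commit(&sk);  /* caller 2 connects again on the same socket */
    return sk.sco_connect_calls;
}

/* Same two callers on the locked path.  Returns the entry count and stores
 * the second caller's error, which is now -EBADFD. */
int locked_connect_path_entries(int *second_err)
{
    struct sco_sock_model sk;

    init_sock(&sk);
    (void)locked_connect(&sk);
    *second_err = locked_connect(&sk);
    return sk.sco_connect_calls;
}

int main(void)
{
    int err;

    printf("racy path: connect entered %d times\n", racy_connect_path_entries());
    printf("locked path: connect entered %d times, second caller err=%d\n",
           locked_connect_path_entries(&err), err);
    return 0;
}
```

The racy model reports two entries into the connect path for a single socket, which is the situation the advisory describes; the locked model reports one entry and rejects the second caller. The useful review habit this illustrates is to ask, for every precondition check, whether the lock that protects the state being checked is held from the check through to the action that depends on it.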
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version can be found in the Linux kernel documentation.