Linux Kernel Bluetooth Subsystem Use-After-Free Vulnerability in Passkey Notification Handling

Vulnerability

A use-after-free vulnerability has been addressed in the Linux kernel's Bluetooth subsystem, specifically in the handling of passkey notifications for Secure Simple Pairing (SSP). The issue arose because the connection lookup and the subsequent access to the connection's fields were not performed under the device lock, so a connection object could be freed by another context between the lookup and the use. This vulnerability affected the Linux kernel stable releases prior to the patching commit. It could be exploited by manipulating Bluetooth passkey notifications, causing connection resources to be released while they are still in use and producing a use-after-free condition.
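As an added illustration, not code from the kernel or from this advisory, the following single-threaded C model shows the locking defect the advisory describes beside the corrected pattern. Every name in it (conn, dev_lock, conn_teardown_try, passkey_notify_unlocked, passkey_notify_locked) is invented for the model; a flag stands in for the kernel's device lock, and a poisoned magic value stands in for freed memory so that the "use after free" is detectable without undefined behaviour. The racing teardown is invoked at the exact point where another CPU could run, which is what the hook argument models.

```c
#include <stdint.h>
#include <stdio.h>

/* Single-threaded model of the locking defect. All names are invented for
 * the model, not taken from the kernel. A flag stands in for the device
 * lock and a poisoned magic value stands in for freed memory, so the
 * "use after free" can be detected without undefined behaviour. */

#define MAX_HANDLES  4
#define MAGIC_LIVE   0x4c495645u
#define MAGIC_FREED  0xdeadbeefu

struct conn {
    unsigned handle;
    uint32_t passkey;
    uint32_t magic;     /* MAGIC_LIVE while valid, MAGIC_FREED after teardown */
};

static struct conn  pool[MAX_HANDLES];        /* static storage: no real free() */
static struct conn *conn_table[MAX_HANDLES];  /* lookup table guarded by the lock */
static int          dev_locked;               /* model of the device lock */

static void dev_lock(void)    { dev_locked = 1; }
static void dev_unlock(void)  { dev_locked = 0; }
static int  dev_trylock(void) { if (dev_locked) return 0; dev_locked = 1; return 1; }

/* Registers a constructed connection with the given passkey. */
struct conn *conn_add(unsigned handle, uint32_t passkey)
{
    if (handle >= MAX_HANDLES) return NULL;
    pool[handle].handle  = handle;
    pool[handle].passkey = passkey;
    pool[handle].magic   = MAGIC_LIVE;
    conn_table[handle]   = &pool[handle];
    return conn_table[handle];
}

/* Caller must hold the lock: the returned pointer is only valid while it is held. */
static struct conn *conn_lookup(unsigned handle)
{
    return handle < MAX_HANDLES ? conn_table[handle] : NULL;
}

/* Models a teardown running on another CPU: it may only free the object if it
 * can take the device lock; otherwise it is deferred and reports 0. */
int conn_teardown_try(unsigned handle)
{
    if (!dev_trylock()) return 0;
    struct conn *c = conn_lookup(handle);
    if (c) {
        c->magic = MAGIC_FREED;      /* stands in for freeing the object */
        conn_table[handle] = NULL;
    }
    dev_unlock();
    return c != NULL;
}

typedef void (*race_hook)(unsigned handle);

/* Defective pattern: lookup under the lock, but the lock is dropped before the
 * connection's fields are read. Returns 0 on success, -1 if there is no such
 * connection, -2 if the object was freed in between (a real UAF on hardware). */
int passkey_notify_unlocked(unsigned handle, race_hook hook, uint32_t *out)
{
    dev_lock();
    struct conn *c = conn_lookup(handle);
    dev_unlock();
    if (!c) return -1;
    hook(handle);                    /* point where a concurrent free can run */
    if (c->magic != MAGIC_LIVE) return -2;
    *out = c->passkey;
    return 0;
}

/* Corrected pattern: lookup and field access happen under one hold of the lock,
 * so a racing teardown cannot free the object until the handler is finished. */
int passkey_notify_locked(unsigned handle, race_hook hook, uint32_t *out)
{
    int rc;
    dev_lock();
    struct conn *c = conn_lookup(handle);
    if (!c) { rc = -1; goto out; }
    hook(handle);                    /* teardown cannot take the lock: deferred */
    if (c->magic != MAGIC_LIVE) { rc = -2; goto out; }
    *out = c->passkey;
    rc = 0;
out:
    dev_unlock();
    return rc;
}

/* Hook that plays the role of the concurrent teardown. */
static void racing_teardown(unsigned handle) { (void)conn_teardown_try(handle); }

int main(void)
{
    uint32_t pk = 0;
    int rc;
    conn_add(1, 123456);             /* constructed sample connection and passkey */
    rc = passkey_notify_unlocked(1, racing_teardown, &pk);
    printf("unlocked handler: rc=%d (expect -2: object freed under our feet)\n", rc);
    conn_add(2, 654321);
    rc = passkey_notify_locked(2, racing_teardown, &pk);
    printf("locked handler:   rc=%d passkey=%u (teardown was deferred)\n", rc, pk);
    return 0;
}
```

The point the model makes is the one in the advisory: a pointer obtained from a lookup under the device lock is only trustworthy for as long as that lock is held, so the fields the handler needs must be read before the lock is released, or the object must be reference-counted across the unlock.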

Impact

Exploitation of this vulnerability could lead to a use-after-free condition, where a connection object is accessed after it has been freed, potentially causing memory corruption or allowing for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by sending Bluetooth passkey notifications while the connection handling is not properly locked, allowing the connection to be freed concurrently. This can be done by manipulating the Bluetooth pairing process to trigger keypress or passkey notification events before the connection is fully established or while it is being torn down.

Remediation

Users can upgrade to the latest version of the Linux kernel stable release, where this vulnerability has been fixed.

Added: May 27, 2026, 9:32 PM
Updated: May 27, 2026, 9:32 PM

Vulnerability Rating

Custom Algorithm
  spread          9.0
  impact          1.3
  exploitability  5.3
  remediation     7.7
  relevance       9.7
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.