Linux Kernel Bluetooth hci_uart Use-After-Free Vulnerability and Race Condition

Vulnerability

A vulnerability in the Bluetooth hci_uart component of the Linux kernel has been addressed. It involved a Use-After-Free (UAF) issue and race conditions during the initialization and closing processes. The vulnerability arose because workqueues were not properly managed, so freed structures could be accessed incorrectly. This was particularly problematic if a hangup occurred before setup was complete, because work that had already been scheduled could then disrupt the lifecycle management of the component.

Impact

Exploitation of this vulnerability could lead to a Use-After-Free condition, allowing for memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by triggering a hangup in the Bluetooth hci_uart component before the initialization process is complete. This will cause the hci_uart_tty_close() function to skip necessary cleanup steps, such as canceling workqueues, and instead free the 'hu' structure. When the workqueues are processed later, they will attempt to access the freed structure, creating a Use-After-Free condition. Additionally, race conditions can be introduced by manipulating the timing of function calls and workqueue processing, further exacerbating the issue.
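The lifecycle described above can be modeled in userspace. This is an added example, not code from the kernel or from the fix: the struct, its fields and the function names are hypothetical, "freed" is only a tracked state (no memory is released or reused), and the unconditional-cancel close path is an assumed hardening shown for contrast.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only. Field and function names are hypothetical, not the
 * kernel's, and nothing is really freed: "freed" is just a tracked state. */
struct hu_model {
    bool setup_done;   /* initialization finished before the hangup */
    bool work_pending; /* a queued work item still references hu */
    bool freed;        /* close() has released hu */
};

/* Close path as the advisory describes the bug: cleanup such as cancelling
 * queued work is skipped when setup never completed, yet hu is freed anyway. */
static void close_gated(struct hu_model *hu)
{
    if (hu->setup_done)
        hu->work_pending = false; /* work cancelled */
    hu->freed = true;
}

/* Assumed hardened ordering: cancel unconditionally, then free. */
static void close_always_cancel(struct hu_model *hu)
{
    hu->work_pending = false;
    hu->freed = true;
}

/* Returns true if work scheduled during init would later run against freed hu. */
bool hangup_causes_uaf(bool setup_done, void (*close_fn)(struct hu_model *))
{
    struct hu_model hu = { setup_done, true, false };
    close_fn(&hu);
    return hu.work_pending && hu.freed;
}

int main(void)
{
    printf("gated close, hangup before setup: uaf=%d\n", hangup_causes_uaf(false, close_gated));
    printf("gated close, hangup after setup:  uaf=%d\n", hangup_causes_uaf(true, close_gated));
    printf("always-cancel close, before setup: uaf=%d\n", hangup_causes_uaf(false, close_always_cancel));
    printf("always-cancel close, after setup:  uaf=%d\n", hangup_causes_uaf(true, close_always_cancel));
    return 0;
}
```

Only the gated close combined with a hangup before setup completes leaves pending work pointing at a released structure, which is the condition a reviewer should look for in teardown paths that gate cleanup on a "ready" state.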

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version can be found in the Linux kernel documentation.

Added: Jun 8, 2026, 5:01 PM
Updated: Jun 8, 2026, 5:01 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 3.1
exploitability: 3.9
remediation: 7.7
relevance: 9.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.