Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth SCO (Synchronous Connection-Oriented) code, specifically in the function sco_recv_frame(). The function reads a socket pointer (conn->sk) while holding a lock (sco_conn_lock()), but it releases the lock without properly holding a reference to the socket. This allows a race condition where a concurrent close() operation can free the socket after the lock is released but before the socket is accessed again, leading to a use-after-free error.

The issue arises because sco_recv_frame() does not use sco_sock_hold() to safely hold a reference to the socket while the lock is released, unlike other functions in the same file. The fix involves using sco_sock_hold() to take a reference before releasing the lock and ensuring sock_put() is called on all exit paths to properly manage the socket's lifecycle.

Useful 0 Not Useful 0

Impact Analysis

This use-after-free vulnerability can lead to undefined behavior in the Linux kernel's Bluetooth stack. Potential impacts include system crashes, kernel panics, or exploitation by attackers to execute arbitrary code with kernel privileges. Such exploitation could compromise system stability and security.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed by updating the Linux kernel to a version where the Bluetooth SCO use-after-free issue in sco_recv_frame() is resolved.

Specifically, the fix involves using sco_sock_hold() to take a reference before releasing the sco_conn_lock(), and adding sock_put() on all exit paths to prevent use-after-free conditions.

Therefore, the immediate mitigation step is to apply the kernel update or patch that includes this fix.

Useful 0 Not Useful 0