CVE-2021-3573: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2021-3573) was discovered in the Linux kernel's HCI subsystem, specifically in the hcisockboundioctl() function. The vulnerability was found in the way user calls ioct HCIUNBLOCKADDR or triggers a race condition between hciunregisterdev() and calls to hcisockblacklistadd(), hcisockblacklistdel(), hcigetconninfo(), or hcigetauth_info(). This vulnerability affects Linux kernel versions prior to 5.13-rc5 (NVD, Debian Tracker).

The vulnerability occurs due to a race condition in the HCI subsystem where the hcisockdevevent() function can clean up the hdev object for sockets while it's still in use within the hcisockboundioctl() function. The issue specifically involves four different types of functions that can be called from the vulnerable hcisockboundioctl(): hcigetconninfo(), hcigetauthinfo(), hcisockblacklistadd(), and hcisockblacklist_del(). The vulnerability has a CVSS v3.1 Base Score of 6.4 (Medium) with vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD, OSS Security).

A privileged local user could exploit this vulnerability to crash the system or escalate their privileges. For example, the hcisockblacklistadd() function could allow an attacker to write arbitrary 6 bytes to any location if the released hdev->blacklist can be sprayed. The vulnerability can easily crash the kernel and could be weaponized by skilled attackers with CAPNET_ADMIN privilege (OSS Security).

The vulnerability was patched in Linux kernel version 5.13-rc5. The fix involves replacing the lock to the correct one for serialization requirements. The patch was adopted into the Bluetooth tree on May 31, 2021. The fix can be found in the kernel Bluetooth tree commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 (Kernel Commit).