
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-3640 is a use-after-free vulnerability in the Linux kernel's Bluetooth subsystem, in the send path of SCO (Synchronous Connection-Oriented) sockets, sco_sock_sendmsg(). It is triggered when a user registers the buffer passed to sendmsg() with userfaultfd (the UFFDIO_REGISTER ioctl), or otherwise arranges for the kernel's copy of that buffer to fault on a page the user controls, and races the stalled copy against the connection teardown in sco_conn_del() (Ubuntu Security, NVD).
The flaw is a race between two code paths that both touch the same sco_conn object. sco_sock_sendmsg() holds the socket lock (lock_sock()/release_sock()) while sco_send_frame() reads sco_pi(sk)->conn, copies the user buffer with memcpy_from_msg(), and then dereferences conn to reach conn->hcon for hci_send_sco(). If the copy faults on a userfaultfd-registered page, the sending thread sleeps for as long as the attacker chooses to leave the fault unresolved. Meanwhile the connection can be torn down: sco_conn_del() takes only the bottom-half lock pair (bh_lock_sock()/bh_unlock_sock()), which spins on the socket's spinlock and does not wait for a lock_sock() owner, calls sco_chan_del() to detach the channel from the socket, and then frees the conn object with kfree(). Because lock_sock() in the send path never blocks sco_conn_del(), the attacker can wait for the kfree() and then resolve the fault, at which point sco_send_frame() resumes and uses the freed conn (OpenWall).
Exploitation requires a local user who can drive the Bluetooth stack, in practice CAP_NET_ADMIN for the HCI operations that set up and tear down the SCO connection, which is why NVD describes the attacker as a privileged local user. The result is a denial of service (memory corruption or a system crash) or potentially privilege escalation. The freed object is an attractive target: struct sco_conn is small, lives in the kmalloc-32 slab and consists mostly of two pointers, hcon (the hci_conn it is bound to) and sk (the socket). An attacker who sprays kmalloc-32 with fake sco_conn objects after the kfree() therefore controls the hci_conn pointer that hci_send_sco() dereferences when the stalled send resumes (Ubuntu Security, OpenWall).
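The race described in the two paragraphs above (a copy stalled under lock_sock(), teardown under bh_lock_sock(), and kmalloc-32 reuse making the freed conn attacker-controlled), as an added single-threaded model in C. This is not kernel code and not the reporter's proof of concept: the function and field names follow net/bluetooth/sco.c, but the locks, the allocator (which poisons freed memory so a stale use is visible instead of crashing), the HCI layer and the page fault are stand-ins, and the `pending_fault` hook plays the role of a userfaultfd handler that runs the attacker's code while the sending thread is stuck in memcpy_from_msg(). The connection handles, the fake-object handle 0x1337 and the user buffer are constructed for the example.

```c
/* Added model of the CVE-2021-3640 race; not kernel code. Names follow net/bluetooth/sco.c,
 * but the allocator, the locks, the HCI layer and the "page fault" are stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <string.h>

#define BT_CONNECTED 1
#define BT_CLOSED    9
#define SLAB_POISON  0x6b   /* byte a freed object is filled with, as with SLUB poisoning */
#define ERR_UAF      1000   /* model-only result: a freed sco_conn was dereferenced */
#define lock_sock(sk)      ((void)(sk))  /* sleeping owner lock, held across sendmsg */
#define release_sock(sk)   ((void)(sk))
#define bh_lock_sock(sk)   ((void)(sk))  /* spins on sk_lock.slock only: never waits for a lock_sock() owner */
#define bh_unlock_sock(sk) ((void)(sk))

struct sco_conn;
struct hci_conn { int handle; struct sco_conn *sco_data; };
struct sock     { int sk_state; struct sco_conn *conn; };
struct sco_conn { struct hci_conn *hcon; struct sock *sk; unsigned int mtu; }; /* kmalloc-32 sized */
struct attacker { struct hci_conn *hcon; struct sco_conn *conn; bool spray; struct hci_conn fake; };
static struct attacker *pending_fault;  /* non-NULL: the next user copy "faults" and the attacker runs */

/* Freed memory is poisoned rather than unmapped, so a stale dereference is detectable here. */
static void model_kfree(void *p, size_t n) { memset(p, SLAB_POISON, n); }
static bool is_poisoned(const struct sco_conn *c)
{ unsigned char ref[sizeof *c]; memset(ref, SLAB_POISON, sizeof ref); return !memcmp(c, ref, sizeof ref); }

/* Pre-fix teardown: sco_chan_del() unlinks socket and conn under bh_lock_sock(), then the conn
 * is kfree()d, regardless of who currently holds lock_sock(). */
static void sco_chan_del(struct sock *sk)
{
	if (sk->conn) { sk->conn->sk = NULL; sk->conn = NULL; }
	sk->sk_state = BT_CLOSED;
}
static void sco_conn_del(struct hci_conn *hcon)
{
	struct sco_conn *conn = hcon->sco_data;
	if (conn->sk) { bh_lock_sock(conn->sk); sco_chan_del(conn->sk); bh_unlock_sock(conn->sk); }
	hcon->sco_data = NULL;
	model_kfree(conn, sizeof *conn);
}

/* memcpy_from_msg() stand-in: a userfaultfd-registered source page parks the copying thread
 * until the attacker resolves the fault, and the attacker uses that window. */
static int memcpy_from_msg(void *dst, const void *src, size_t len)
{
	struct attacker *a = pending_fault;
	pending_fault = NULL;
	if (a) sco_conn_del(a->hcon);           /* teardown, e.g. driven by an HCI disconnect */
	if (a && a->spray)                      /* kmalloc-32 reuse: a fake sco_conn lands in the slot */
		*a->conn = (struct sco_conn){ .hcon = &a->fake, .mtu = 64 };
	memcpy(dst, src, len);
	return 0;
}

/* Vulnerable shape: read conn, copy user data under lock_sock(), then use conn.
 * hci_send_sco() is reduced to returning the connection handle the frame would go out on. */
static int sco_sock_sendmsg_vuln(struct sock *sk, const void *buf, size_t len)
{
	unsigned char skb[64];
	int err = -EINVAL;
	lock_sock(sk);
	struct sco_conn *conn = sk->conn;       /* read once, before the copy */
	if (sk->sk_state == BT_CONNECTED && len <= conn->mtu && len <= sizeof skb) {
		memcpy_from_msg(skb, buf, len); /* attacker runs sco_conn_del() in here */
		err = is_poisoned(conn) ? -ERR_UAF  /* the real kernel just dereferences it */
		                        : conn->hcon->handle; /* after a spray: attacker's hcon */
	}
	release_sock(sk);
	return err;
}

/* Fixed shape (as in the upstream change that moved the copy out of lock_sock()):
 * copy with no lock held, then re-check state and conn under the socket lock. */
static int sco_sock_sendmsg_fixed(struct sock *sk, const void *buf, size_t len)
{
	unsigned char skb[64];
	int err = -ENOTCONN;                    /* what a torn-down connection yields */
	if (len > sizeof skb) return -EINVAL;
	memcpy_from_msg(skb, buf, len);
	lock_sock(sk);
	if (sk->sk_state == BT_CONNECTED && sk->conn && len <= sk->conn->mtu)
		err = sk->conn->hcon->handle;
	release_sock(sk);
	return err;
}

/* One run: a connected SCO socket, a send whose copy faults, and teardown (plus an optional
 * kmalloc-32 spray) during the fault. Returns what sendmsg would return. */
static int run_scenario(bool fixed, bool spray)
{
	struct hci_conn hcon = { .handle = 0x42 };
	struct sco_conn conn = { .hcon = &hcon, .mtu = 64 };
	struct sock sk = { .sk_state = BT_CONNECTED, .conn = &conn };
	struct attacker atk = { .hcon = &hcon, .conn = &conn, .spray = spray, .fake = { .handle = 0x1337 } };
	static const unsigned char user_data[] = "constructed data";  /* constructed input */
	conn.sk = &sk; hcon.sco_data = &conn; pending_fault = &atk;
	return fixed ? sco_sock_sendmsg_fixed(&sk, user_data, sizeof user_data)
	             : sco_sock_sendmsg_vuln(&sk, user_data, sizeof user_data);
}
```

Called from any main(), run_scenario(false, false) returns -ERR_UAF (the send path used the poisoned conn), run_scenario(false, true) returns 0x1337 (the frame would go out on the attacker-supplied hci_conn, which is the privilege-escalation primitive the spray buys), and run_scenario(true, false) returns -ENOTCONN: because the fixed path copies before taking lock_sock() and re-reads the socket state afterwards, it never touches a conn that teardown has already freed.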
Upstream closed the race by moving the user copy out of the lock_sock() region: the data is copied into the skb first, with no socket lock held, and only then does sco_sock_sendmsg() take the lock, re-check that the socket is still BT_CONNECTED and hand the frame to the HCI layer, so a copy stalled on a user-controlled page can no longer be paired with a stale conn pointer. Distributions shipped the fix in their stable kernels: Ubuntu in 5.13.0-28.31 for 21.10, 5.4.0-97.110 for 20.04 LTS and 4.15.0-167.175 for 18.04 LTS; Debian in 4.19.232-1 for the oldstable distribution (buster) (Ubuntu Security, Debian Security). To check exposure, compare the running kernel (uname -r) with the fixed version for the distribution in use; on hosts that do not need Bluetooth, blacklisting the bluetooth kernel module removes the SCO socket family and with it this attack surface.
Source: This report was generated using AI