CVE-2023-1989: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free (UAF) vulnerability was discovered in the Linux Kernel's btsdioremove function in drivers\bluetooth\btsdio.c. The vulnerability, identified as CVE-2023-1989, was reported by Zheng Wang and involves a race condition that occurs when btsdioremove is called with an unfinished job, potentially leading to a use-after-free condition on hdev devices (Kernel Git, NVD).

The vulnerability stems from a race condition in the Bluetooth SDIO driver. In btsdioprobe, data->work was bound with btsdiowork, and in btsdiosendframe, it was started by schedulework. The issue occurs when btsdioremove is called while a job is still unfinished, potentially leading to a use-after-free condition. The vulnerability has been assigned a CVSS score of 7.0 (HIGH) with the vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NetApp Security).

Successful exploitation of this vulnerability could lead to multiple security impacts including disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). An attacker able to insert and remove SDIO devices can use this to cause a denial of service through crash or memory corruption, or potentially execute arbitrary code in the kernel (Debian Security, NetApp Security).

The vulnerability has been fixed in Linux kernel version 6.3-rc4 with the addition of cancelworksync(&data->work) before the removal process. Various distributions have released patches, including Debian which fixed it in version 6.1.52-1 for the stable distribution (bookworm), and version 5.10.178-3~deb10u1 for Debian 10 buster (Debian Security, Kernel Git).