[SRU][X][CVE-2020-12352][PATCH v2 0/1] Stack-Based Information Leak in A2MP (BleedingTooth)

William Breathitt Gray william.gray at canonical.com
Thu Oct 22 15:48:31 UTC 2020

SRU Justification


Andy Nguyen discovered that the Bluetooth A2MP implementation in the
Linux kernel did not properly initialize memory in some situations. A
physically proximate remote attacker could use this to expose sensitive
information (kernel memory).

A remote attacker within a short distance knowing the victim's bd address can
retrieve kernel stack information containing various pointers that can
be used to predict the memory layout and to defeat KASLR. The leak may
contain other valuable information such as the encryption keys.
Malicious Bluetooth chips can trigger the vulnerability as well.

[Test Case]

The BadChoice proof of concept is available as a test case. See the Google
GitHub page for more information:

[Regression Potential]

Regression potential is low. The changes in this patch simply initialize
stack structures to 0; no change in business logic occurs.


This is part of the BleedingTooth vulnerability fixes. Focal and Bionic
already have the upstream fix, but Xenial is currently lacking it.

Luiz Augusto von Dentz (1):
  Bluetooth: A2MP: Fix not initializing all members

 net/bluetooth/a2mp.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
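
The bug class and fix described in this message (a reply structure on the stack sent with only some members set, fixed by zeroing it first), as an added C example that is not part of the original message or of the kernel patch. The `info_rsp` layout, the function names and the 0xAA fill standing in for stale stack contents are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical reply layout, not the kernel's A2MP structures. */
struct info_rsp {
    uint8_t  id;
    uint8_t  status;
    uint32_t total_bw;
    uint32_t max_bw;
    uint16_t assoc_size;
} __attribute__((packed));

#define STALE 0xAA  /* constructed stand-in for leftover stack contents */

/* Error path before the fix: two members are assigned, yet the whole
 * structure is copied into the outgoing buffer. */
static void build_rsp_unfixed(struct info_rsp *rsp, uint8_t id, uint8_t *wire)
{
    rsp->id = id;
    rsp->status = 1;  /* constructed "invalid id" status value */
    memcpy(wire, rsp, sizeof(*rsp));
}

/* Same path with the structure zeroed before any member is set. */
static void build_rsp_fixed(struct info_rsp *rsp, uint8_t id, uint8_t *wire)
{
    memset(rsp, 0, sizeof(*rsp));
    rsp->id = id;
    rsp->status = 1;
    memcpy(wire, rsp, sizeof(*rsp));
}

/* Pre-fill the structure with STALE bytes, build a reply, and count
 * how many bytes of the reply still carry the stale contents. */
static size_t leaked_bytes(void (*build)(struct info_rsp *, uint8_t, uint8_t *))
{
    struct info_rsp frame;
    uint8_t wire[sizeof(frame)];
    size_t i, n = 0;

    memset(&frame, STALE, sizeof(frame));
    build(&frame, 0x42, wire);
    for (i = 0; i < sizeof(wire); i++)
        n += (wire[i] == STALE);
    return n;
}

int main(void) { return leaked_bytes(build_rsp_fixed) != 0; }
```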

