skip to content
Back to
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
April 21, 2020

GHSL-2020-006: Out-Of-Bounds write in Android Open Source Project - CVE-2020-0073

Man Yue Mo


Out-of-Bounds write in Android’s rw_t2t_handle_tlv_detect_rsp (NFC) could allow an attacker at NFC range to obtain remote code execution


Android Open Source Project



Tested Version

Pixel3a with build id: QQ1A.191205.011 (tag android-10.0.0_r16). (latest publicly available build as of the time of writing) Proxmark3 used is the RDV4.01


In the rw_t2t_handle_tlv_detect_rsp function, p_t2t->lockbyte is accessed with the index p_t2t->num_lockbytes 1, while p_t2t->num_lockbytes increases during the loop. Although there is a check 2 to ensure that p_t2t->num_lockbytes cannot be increased more than RW_T2T_MAX_LOCK_BYTES (length of p_t2t->lockbytes) number of times during the loop, this is not sufficient to prevent overflow as the loop can be triggered multiple times during the detection sequence by repeatedly sending the following response:

  {0x00, 0x00, 0x01, 0x03,
   0x00, 0xf6, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00,
   0x0a, 0x00, 0x00, 0x00}

This will lead to a stack OOB write, which, due to the layout of the object rw_cb (type tRW_CB) 3 and p_t2t (type tRW_T2T_CB, which is tcb in rw_cb) 4, will ended up overwriting the function pointer p_cback 5, that is executed in the end of the detection.


If succesfuly exploited, an attacker within NFC range could obtain remote code execution on android device’s NFC daemon.

Coordinated Disclosure Timeline


This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).


You can contact the GHSL team at, please include the GHSL-2020-006 in any communication regarding this issue.