Summary
An out-of-bounds write of lock_tlv in Android's rw_t2t_handle_tlv_detect_rsp (NFC) could lead to remote code execution.
Product
Android Open Source Project
CVE
CVE-2020-0072
Tested Version
Pixel 3a with build id QQ1A.191205.011 (tag android-10.0.0_r16), the latest publicly available build at the time of writing. The Proxmark3 used is the RDV4.01.
Details
In the rw_t2t_handle_tlv_detect_rsp function, p_t2t->lock_tlv is written to at index p_t2t->num_lock_tlvs. As p_t2t->num_lock_tlvs is then incremented without being compared against the array size, repeatedly triggering this branch makes it possible to increase p_t2t->num_lock_tlvs beyond the size of p_t2t->lock_tlv (RW_T2T_MAX_LOCK_TLVS), causing an OOB write.
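The defect and its bounds-checked counterpart, as an added C model written for this advisory rather than the AOSP code: only the names lock_tlv, num_lock_tlvs and RW_T2T_MAX_LOCK_TLVS come from the page, while the struct layout, the lock TLV fields and the value of RW_T2T_MAX_LOCK_TLVS are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed bound for this model; the real value lives in the NFC stack's headers. */
#define RW_T2T_MAX_LOCK_TLVS 4

/* Simplified lock TLV record (constructed fields, not the AOSP layout). */
typedef struct {
  uint16_t offset;               /* start of the dynamic lock area in tag memory */
  uint8_t num_bits;              /* number of lock bits in this area */
  uint8_t bytes_locked_per_bit;  /* granularity of each lock bit */
} lock_tlv_t;

/* Model of the per-tag control block referenced in the advisory. */
typedef struct {
  lock_tlv_t lock_tlv[RW_T2T_MAX_LOCK_TLVS];
  uint8_t num_lock_tlvs;         /* index of the next free slot */
} t2t_cb_t;

/* Vulnerable pattern described above, shown as a comment only: the slot index
 * is used and incremented with no comparison against RW_T2T_MAX_LOCK_TLVS, so
 * the (RW_T2T_MAX_LOCK_TLVS + 1)th lock TLV presented by a tag is written past
 * the end of lock_tlv.
 *   p_t2t->lock_tlv[p_t2t->num_lock_tlvs] = tlv;
 *   p_t2t->num_lock_tlvs++;
 */

/* Hardened form (one possible fix, not necessarily the upstream patch):
 * refuse further lock TLVs once the table is full. Returns false on drop. */
bool t2t_store_lock_tlv(t2t_cb_t *p_t2t, const lock_tlv_t *tlv) {
  if (p_t2t->num_lock_tlvs >= RW_T2T_MAX_LOCK_TLVS) return false;
  p_t2t->lock_tlv[p_t2t->num_lock_tlvs] = *tlv;
  p_t2t->num_lock_tlvs++;
  return true;
}

/* Feed n constructed lock TLVs, as a tag advertising repeated lock TLVs would,
 * and return how many were accepted into the table. */
unsigned t2t_feed_lock_tlvs(t2t_cb_t *p_t2t, unsigned n) {
  unsigned accepted = 0;
  for (unsigned i = 0; i < n; i++) {
    lock_tlv_t tlv = {(uint16_t)(0x40 + 8 * i), 8, 8};
    if (t2t_store_lock_tlv(p_t2t, &tlv)) accepted++;
  }
  return accepted;
}

/* Simulate a tag that presents n lock TLVs and report the final table count,
 * which must never exceed RW_T2T_MAX_LOCK_TLVS. */
unsigned t2t_simulate_tag(unsigned n) {
  t2t_cb_t cb;
  memset(&cb, 0, sizeof cb);
  t2t_feed_lock_tlvs(&cb, n);
  return cb.num_lock_tlvs;
}
```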
Impact
If successfully exploited, an attacker within NFC range could obtain remote code execution in the Android device's NFC daemon.
Coordinated Disclosure Timeline
- 07/01/2020 Reported as issue 147259760, Android ID 147310271.
- 06/04/2020 Fix published in 2020-04-01 Android Security patch
Credit
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-007 in any communication regarding this issue.