An out-of-bounds write to lock_tlv in Android's rw_t2t_handle_tlv_detect_rsp (NFC) could lead to remote code execution.
Android Open Source Project
Pixel 3a with build id QQ1A.191205.011 (tag android-10.0.0_r16), the latest publicly available build as of the time of writing. The Proxmark3 used is the RDV4.01.
p_t2t->lock_tlv is written to at index p_t2t->num_lock_tlvs [1]. As p_t2t->num_lock_tlvs is incremented right after that write [2] and never compared against the size of the array, repeatedly triggering this branch (once per lock TLV parsed from the tag) increases p_t2t->num_lock_tlvs beyond the size of lock_tlv (RW_T2T_MAX_LOCK_TLVS), causing an OOB write.
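The pattern described above, as an added model that is not the AOSP rw_t2t code: a Type 2 Tag TLV-area parser that stores each Lock Control TLV into a fixed array indexed by a running counter, with the bound check the vulnerable branch lacked. The struct and field names mirror the advisory, the value 3 for RW_T2T_MAX_LOCK_TLVS is an assumption, the Lock Control TLV value encoding follows the NFC Forum Type 2 Tag specification (one-byte TLV length form only), and the tag contents are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the lock_tlv array; the value is an assumption for this model. */
#define RW_T2T_MAX_LOCK_TLVS 3

/* TLV type bytes from the NFC Forum Type 2 Tag specification. */
#define T2T_TLV_NULL         0x00
#define T2T_TLV_LOCK_CONTROL 0x01
#define T2T_TLV_NDEF         0x03
#define T2T_TLV_TERMINATOR   0xFE

typedef struct {
    uint16_t offset;               /* byte offset of the dynamic lock bytes */
    uint16_t num_bits;             /* number of dynamic lock bits */
    uint16_t bytes_locked_per_bit; /* bytes each lock bit protects */
} lock_tlv_t;

typedef struct {
    lock_tlv_t lock_tlv[RW_T2T_MAX_LOCK_TLVS];
    uint8_t    num_lock_tlvs;
} t2t_state_t;

/* Decode the 3-byte value of a Lock Control TLV:
 *   v[0] = PagesAddr (high nibble) | ByteOffset (low nibble)
 *   v[1] = Size in bits (0 encodes 256)
 *   v[2] = BytesPerPage exponent (high nibble) | BytesLockedPerLockBit exponent (low nibble) */
static lock_tlv_t decode_lock_control(const uint8_t v[3]) {
    lock_tlv_t t;
    unsigned bytes_per_page = 1u << (v[2] >> 4);
    t.offset = (uint16_t)((v[0] >> 4) * bytes_per_page + (v[0] & 0x0F));
    t.num_bits = v[1] ? v[1] : 256;
    t.bytes_locked_per_bit = (uint16_t)(1u << (v[2] & 0x0F));
    return t;
}

/* Walk the TLV area read from the tag. Returns the number of Lock Control
 * TLVs stored, or -1 if the area is malformed or the tag presents more
 * Lock Control TLVs than lock_tlv can hold. */
static int parse_tlv_area(const uint8_t *area, size_t len, t2t_state_t *st) {
    size_t i = 0;
    st->num_lock_tlvs = 0;
    while (i < len) {
        uint8_t type = area[i++];
        if (type == T2T_TLV_NULL) continue;
        if (type == T2T_TLV_TERMINATOR) break;
        if (i >= len) return -1;                 /* length byte missing */
        uint8_t tlen = area[i++];
        if (tlen > len - i) return -1;           /* value runs past the area */
        if (type == T2T_TLV_LOCK_CONTROL) {
            if (tlen != 3) return -1;
            /* The unchecked pattern the advisory describes looks like this:
             *     st->lock_tlv[st->num_lock_tlvs] = decode_lock_control(&area[i]);
             *     st->num_lock_tlvs++;
             * Every Lock Control TLV on the tag bumps the index, so a tag carrying
             * RW_T2T_MAX_LOCK_TLVS + 1 of them writes one element past the array.
             * The bound check below is what that code lacked. */
            if (st->num_lock_tlvs >= RW_T2T_MAX_LOCK_TLVS) return -1;
            st->lock_tlv[st->num_lock_tlvs++] = decode_lock_control(&area[i]);
        }
        i += tlen;
    }
    return st->num_lock_tlvs;
}

/* Build a constructed TLV area with n Lock Control TLVs (8 lock bits at offset 0)
 * followed by a Terminator TLV, as a hostile tag could present.
 * Returns bytes written, or 0 if cap is too small. */
static size_t build_tag_area(uint8_t *out, size_t cap, unsigned n) {
    static const uint8_t lock_bytes[5] = { T2T_TLV_LOCK_CONTROL, 0x03, 0x00, 0x08, 0x00 };
    size_t need = (size_t)n * sizeof lock_bytes + 1;
    if (need > cap) return 0;
    for (unsigned k = 0; k < n; k++)
        memcpy(out + k * sizeof lock_bytes, lock_bytes, sizeof lock_bytes);
    out[need - 1] = T2T_TLV_TERMINATOR;
    return need;
}

/* Parse a constructed tag with n Lock Control TLVs; returns parse_tlv_area's result. */
static int parse_constructed_tag(unsigned n) {
    uint8_t area[64];
    t2t_state_t st;
    size_t len = build_tag_area(area, sizeof area, n);
    return len ? parse_tlv_area(area, len, &st) : -1;
}

/* Entries actually stored for a tag with n Lock Control TLVs; never exceeds the array. */
static int stored_after_parse(unsigned n) {
    uint8_t area[64];
    t2t_state_t st;
    size_t len = build_tag_area(area, sizeof area, n);
    if (!len) return -1;
    (void)parse_tlv_area(area, len, &st);
    return st.num_lock_tlvs;
}

/* Offset decoded from a constructed benign tag: PagesAddr 10, ByteOffset 0,
 * BytesPerPage 2^4 = 16, so the lock bytes start at 10 * 16 + 0 = 160. */
static int benign_first_offset(void) {
    static const uint8_t area[] = { 0x01, 0x03, 0xA0, 0x10, 0x44,   /* Lock Control TLV */
                                    0x03, 0x00,                     /* empty NDEF TLV */
                                    0xFE };                         /* Terminator TLV */
    t2t_state_t st;
    if (parse_tlv_area(area, sizeof area, &st) != 1) return -1;
    return st.lock_tlv[0].offset;
}

int main(void) {
    printf("benign tag: first lock area at offset %d\n", benign_first_offset());
    for (unsigned n = 1; n <= RW_T2T_MAX_LOCK_TLVS + 1; n++)
        printf("tag with %u lock TLVs: parse=%d stored=%d\n", n,
               parse_constructed_tag(n), stored_after_parse(n));
    return 0;
}
```

The number of Lock Control TLVs is entirely under the tag's control, which is why the counter used as an array index has to be compared against the array size before each store rather than trusted to stay small.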
If successfully exploited, an attacker within NFC range could obtain remote code execution in the Android device's NFC daemon.
Coordinated Disclosure Timeline
- 07/01/2020 Reported as issue 147259760, Android ID 147310271.
- 06/04/2020 Fix published in the 2020-04-01 Android Security patch
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
You can contact the GHSL team at firstname.lastname@example.org; please include GHSL-2020-007 in any communication regarding this issue.