An out-of-bounds write to lock_tlv in Android's rw_t2t_handle_tlv_detect_rsp (NFC) could lead to remote code execution.
Android Open Source Project
Pixel 3a with build id QQ1A.191205.011 (tag android-10.0.0_r16), the latest publicly available build as of the time of writing. The Proxmark3 used is the RDV4.01.
p_t2t->lock_tlv is written to with index p_t2t->num_lock_tlvs. As p_t2t->num_lock_tlvs is incremented on that same path, repeatedly triggering this branch makes it possible to increase the value of p_t2t->num_lock_tlvs beyond the size of p_t2t->lock_tlv (RW_T2T_MAX_LOCK_TLVS), causing an OOB write.
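The following is an added, constructed model of the bug class described above, not the AOSP code: it shows the unchecked "store at num_lock_tlvs, then increment" pattern next to a bound-checked version, with a field placed after the array so the overflow is observable. The names lock_tlv, num_lock_tlvs and RW_T2T_MAX_LOCK_TLVS come from the advisory; the struct layout, TLV fields, the constant's value and the helper functions are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug class, not AOSP code: lock_tlv, num_lock_tlvs and
 * RW_T2T_MAX_LOCK_TLVS are the advisory's names; layout, fields and sizes are assumed. */
#define RW_T2T_MAX_LOCK_TLVS 4
typedef struct { uint16_t offset; uint8_t num_bits; uint8_t bytes_per_bit; } lock_tlv_t;
typedef struct {
    lock_tlv_t lock_tlv[RW_T2T_MAX_LOCK_TLVS];
    uint8_t    num_lock_tlvs;
    uint16_t   canary;   /* sits after the array so an overflow is observable */
} rw_t2t_model_t;

/* Vulnerable shape: each Lock Control TLV in a tag response is stored at index
 * num_lock_tlvs and the counter is incremented with no upper bound. */
static void store_lock_tlv_unchecked(rw_t2t_model_t *p, lock_tlv_t tlv) {
    p->lock_tlv[p->num_lock_tlvs] = tlv;   /* out of bounds once the counter reaches MAX */
    p->num_lock_tlvs++;
}

/* Hardened shape: bound-check before the write so num_lock_tlvs never exceeds
 * RW_T2T_MAX_LOCK_TLVS; surplus TLVs are dropped and reported to the caller. */
static bool store_lock_tlv_checked(rw_t2t_model_t *p, lock_tlv_t tlv) {
    if (p->num_lock_tlvs >= RW_T2T_MAX_LOCK_TLVS) return false;
    p->lock_tlv[p->num_lock_tlvs++] = tlv;
    return true;
}

typedef struct { unsigned stored, dropped; bool canary_intact; } feed_result_t;

/* Feed `count` constructed lock TLVs through one handler; report how many were kept
 * and whether the field placed after the array survived. */
static feed_result_t feed_lock_tlvs(bool checked, unsigned count) {
    rw_t2t_model_t m; memset(&m, 0, sizeof m); m.canary = 0xA5A5;
    feed_result_t r = { 0, 0, true };
    for (unsigned i = 0; i < count; i++) {
        lock_tlv_t tlv = { (uint16_t)(0x0100 + 16 * i), 8, 4 };   /* constructed values */
        if (!checked) { store_lock_tlv_unchecked(&m, tlv); r.stored++; }
        else if (store_lock_tlv_checked(&m, tlv)) r.stored++; else r.dropped++;
    }
    r.canary_intact = (m.canary == 0xA5A5);
    return r;
}

int main(void) {
    feed_result_t u = feed_lock_tlvs(false, RW_T2T_MAX_LOCK_TLVS + 1);
    feed_result_t c = feed_lock_tlvs(true,  RW_T2T_MAX_LOCK_TLVS + 1);
    printf("unchecked: canary_intact=%d  checked: stored=%u dropped=%u\n", u.canary_intact, c.stored, c.dropped);
    return 0;
}
```

Running it shows the unchecked handler clobbering the field after the array on the fifth TLV, while the checked handler keeps exactly RW_T2T_MAX_LOCK_TLVS entries and drops the rest.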
If successfully exploited, an attacker within NFC range could obtain remote code execution in the Android device's NFC daemon.
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
You can contact the GHSL team at firstname.lastname@example.org; please include the GHSL-2020-007 in any communication regarding this issue.