An out-of-bounds write to lock_tlv in Android's rw_t2t_handle_tlv_detect_rsp (NFC) could lead to remote code execution.
Android Open Source Project
CVE-2020-0072
Pixel 3a with build id QQ1A.191205.011 (tag android-10.0.0_r16), the latest publicly available build at the time of writing. The Proxmark3 used is the RDV4.01.
In the rw_t2t_handle_tlv_detect_rsp function, p_t2t->lock_tlv is written to at index p_t2t->num_lock_tlvs, and p_t2t->num_lock_tlvs is then incremented in the same branch without ever being compared against the size of the array. A tag whose TLV area carries enough lock control TLVs therefore triggers this branch repeatedly and drives p_t2t->num_lock_tlvs beyond the size of p_t2t->lock_tlv (RW_T2T_MAX_LOCK_TLVS), causing an out-of-bounds write.
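The pattern described above, reduced to a self-contained C model. This is an added example, not the AOSP source and not the Security Lab's proof of concept: the control block layout, the value 3 for RW_T2T_MAX_LOCK_TLVS, the functions parse_tlv_area, sentinel_intact, run_unchecked and run_checked, the simplified Lock Control TLV decoding and the sample tag contents are all assumptions constructed for this demo. The same walk over the TLV area runs twice: once with the unchecked pattern, where a tag carrying five lock control TLVs pushes num_lock_tlvs to 5 and the fourth and fifth stores land on the bytes that follow the array, and once with the bound check that the original code lacks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type 2 Tag TLV block types (NFC Forum T2T layout). The limit of 3 lock
 * TLVs is an assumed value for this demo. */
#define RW_T2T_MAX_LOCK_TLVS 3
#define TAG_NULL_TLV         0x00
#define TAG_LOCK_CTRL_TLV    0x01
#define TAG_NDEF_TLV         0x03
#define TAG_TERMINATOR_TLV   0xFE
#define SENTINEL_BYTE        0xAA

typedef struct {
    uint16_t offset;               /* byte offset of the first dynamic lock bit */
    uint16_t bytes_locked_per_bit; /* tag bytes controlled by each lock bit */
    uint8_t  num_bits;             /* number of dynamic lock bits */
} lock_info_t;

/* Modelled slice of the reader/writer control block (assumed layout): a
 * bounded lock TLV table followed by other state, here a sentinel. */
typedef struct {
    uint8_t     num_lock_tlvs;
    lock_info_t lock_tlv[RW_T2T_MAX_LOCK_TLVS];
    uint8_t     sentinel[16];
} t2t_ctx_t;

void ctx_init(t2t_ctx_t *ctx) {
    memset(ctx, 0, sizeof *ctx);
    memset(ctx->sentinel, SENTINEL_BYTE, sizeof ctx->sentinel);
}

/* True while nothing has been written past the end of lock_tlv. */
bool sentinel_intact(const t2t_ctx_t *ctx) {
    for (size_t i = 0; i < sizeof ctx->sentinel; i++)
        if (ctx->sentinel[i] != SENTINEL_BYTE) return false;
    return true;
}

/* Decode the 3 value bytes of a Lock Control TLV (simplified): V[0] carries
 * the PagesAddr/ByteOffset nibbles, V[1] the bit count, V[2] the exponents
 * for bytes-locked-per-bit (high nibble) and bytes-per-page (low nibble). */
static lock_info_t decode_lock_ctrl(const uint8_t v[3]) {
    lock_info_t li = {0};
    unsigned bytes_per_page = 1u << (v[2] & 0x0F);
    li.offset = (uint16_t)((v[0] >> 4) * bytes_per_page + (v[0] & 0x0F));
    li.bytes_locked_per_bit = (uint16_t)(1u << (v[2] >> 4));
    li.num_bits = v[1];
    return li;
}

/* Walk the TLV area and record every Lock Control TLV. bounded == false is the
 * unchecked pattern from the advisory; bounded == true applies the missing
 * check. Returns 0 on success, -1 on malformed input, -2 when a lock TLV is
 * rejected because the table is already full. */
int parse_tlv_area(const uint8_t *mem, size_t len, t2t_ctx_t *ctx, bool bounded) {
    size_t pos = 0;
    while (pos < len) {
        uint8_t t = mem[pos++];
        if (t == TAG_NULL_TLV) continue;          /* 1-byte filler, no length */
        if (t == TAG_TERMINATOR_TLV) return 0;
        if (pos >= len) return -1;
        uint8_t l = mem[pos++];
        if (len - pos < l) return -1;
        const uint8_t *v = mem + pos;
        pos += l;
        if (t != TAG_LOCK_CTRL_TLV) continue;     /* NDEF and other TLVs skipped */
        if (l != 3) return -1;

        if (bounded && ctx->num_lock_tlvs >= RW_T2T_MAX_LOCK_TLVS)
            return -2;                            /* the check the original lacks */

        lock_info_t li = decode_lock_ctrl(v);
        /* The real code stores into p_t2t->lock_tlv[p_t2t->num_lock_tlvs]
         * directly. Here the store is byte arithmetic from the start of the
         * control block so an overrun lands on `sentinel` deterministically
         * instead of being undefined behaviour; the size guard only keeps the
         * demo inside the struct. */
        size_t off = offsetof(t2t_ctx_t, lock_tlv) + (size_t)ctx->num_lock_tlvs * sizeof li;
        if (off + sizeof li > sizeof *ctx) return -1;
        memcpy((uint8_t *)ctx + off, &li, sizeof li);
        ctx->num_lock_tlvs++;                     /* grows without limit when unbounded */
    }
    return 0;
}

/* Constructed TLV area: five Lock Control TLVs (a real tag carries one or
 * two), an NDEF TLV holding an empty record, and a terminator. */
static const uint8_t sample_tlv_area[] = {
    0x01, 0x03, 0xA0, 0x10, 0x44,   /* lock ctrl #1: offset 160, 16 bits */
    0x01, 0x03, 0xB0, 0x20, 0x44,   /* #2: offset 176 */
    0x01, 0x03, 0xC0, 0x30, 0x44,   /* #3: offset 192, table now full */
    0x01, 0x03, 0xD0, 0x40, 0x44,   /* #4: index 3, past the end of lock_tlv */
    0x01, 0x03, 0xE0, 0x50, 0x44,   /* #5: index 4 */
    0x03, 0x03, 0xD0, 0x00, 0x00,   /* empty NDEF message */
    0xFE,
};

int run_unchecked(t2t_ctx_t *ctx) {
    ctx_init(ctx);
    return parse_tlv_area(sample_tlv_area, sizeof sample_tlv_area, ctx, false);
}

int run_checked(t2t_ctx_t *ctx) {
    ctx_init(ctx);
    return parse_tlv_area(sample_tlv_area, sizeof sample_tlv_area, ctx, true);
}

int main(void) {
    t2t_ctx_t ctx;
    int rc = run_unchecked(&ctx);
    printf("unchecked: rc=%d num_lock_tlvs=%d sentinel intact=%d\n",
           rc, (int)ctx.num_lock_tlvs, (int)sentinel_intact(&ctx));
    rc = run_checked(&ctx);
    printf("checked:   rc=%d num_lock_tlvs=%d sentinel intact=%d\n",
           rc, (int)ctx.num_lock_tlvs, (int)sentinel_intact(&ctx));
    return 0;
}
```

The checked variant simply refuses any lock control TLV once the table holds RW_T2T_MAX_LOCK_TLVS entries; how AOSP's own fix reports that condition is not shown on this page. The point to carry over is the order of operations: the bound must be tested before the store, because by the time num_lock_tlvs is incremented the out-of-bounds write has already happened.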
If successfully exploited, an attacker within NFC range could obtain remote code execution in the NFC daemon of an Android device.
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-007 in any communication regarding this issue.