April 21, 2020

GHSL-2020-008: Out-Of-Bounds write in Android Open Source Project - CVE-2020-0071

Man Yue Mo


An Out-Of-Bounds write in Android’s rw_t2t_extract_default_locks_info could lead to remote code execution.


Android Open Source Project



Tested Version

Pixel 3a with build id QQ1A.191205.011 (tag android-10.0.0_r16), the latest publicly available build at the time of writing. The Proxmark3 used is the RDV4.01.


In rw_t2t_extract_default_locks_info, num_dynamic_lock_bytes is derived from p_t2t->tag_hdr[T2T_CC2_TMS_BYTE], which is the 14th entry in the first response of a detection sequence. num_dynamic_lock_bytes is then used as the upper bound when accessing p_t2t->lockbytes. By using a tag_hdr with a large enough T2T_CC2_TMS_BYTE, e.g. the following as the initial response:

 {0x04, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00,
  0xfa, 0xff, 0xff, 0xff,
  0xe1, 0x11, 0xff, 0x00, //<- 0xff in this row corresponds to |T2T_CC2_TMS_BYTE| in |tag_hdr|
  0x00, 0x00},

it is possible to cause num_dynamic_lock_bytes to exceed the size of p_t2t->lockbytes, causing an OOB write.
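As an added illustration, not code from the advisory or from AOSP, the following C model shows the flaw pattern: a count derived from the tag-supplied TMS byte becomes the loop bound for writes into a fixed-size lockbytes array, and the hardened version rejects any count that exceeds the array's capacity. The derivation formula, the 64-byte static area, the 8-bytes-per-lock-bit ratio and the array capacity are assumptions chosen for the model; only the TMS byte index and the two tag_hdr values come from the page.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
/* Index of the TMS byte inside tag_hdr, as stated in the advisory. */
#define T2T_CC2_TMS_BYTE 14
/* Assumed model constants (not AOSP's values): TMS in 8-byte units, 64-byte
 * static area, 8 bytes per lock bit, 8 lock bits per lock byte. */
#define TMS_UNIT           8u
#define STATIC_SIZE        64u
#define BYTES_PER_LOCK_BIT 8u
#define BITS_PER_BYTE      8u
#define MAX_LOCK_BYTES     8   /* assumed capacity of the lockbytes array */

typedef struct {
    uint8_t tag_hdr[18];
    uint8_t lockbytes[MAX_LOCK_BYTES];
    uint8_t num_lockbytes;
} t2t_cb_t;
/* Default dynamic lock-byte count implied by the tag's TMS byte (model only). */
unsigned derive_num_dynamic_lock_bytes(const uint8_t *tag_hdr)
{
    unsigned tag_bytes = tag_hdr[T2T_CC2_TMS_BYTE] * TMS_UNIT;
    unsigned dynamic = tag_bytes > STATIC_SIZE ? tag_bytes - STATIC_SIZE : 0u;
    return dynamic / BYTES_PER_LOCK_BIT / BITS_PER_BYTE;
}
/* Hardened version: the tag-controlled count is checked against the array
 * capacity before it becomes a loop bound; returns false if rejected. */
bool extract_default_locks_info_checked(t2t_cb_t *p_t2t)
{
    unsigned n = derive_num_dynamic_lock_bytes(p_t2t->tag_hdr);
    if (n > MAX_LOCK_BYTES)       /* the missing check: reject, never write */
        return false;
    for (unsigned xx = 0; xx < n; xx++)
        p_t2t->lockbytes[xx] = 0xFF;  /* default lock state in this model */
    p_t2t->num_lockbytes = (uint8_t)n;
    return true;
}

/* Constructed headers: the advisory's (TMS = 0xff) and a benign one (TMS = 0x12). */
static const uint8_t HDR_OVERSIZED[18] = {0x04,0,0,0, 0,0,0,0, 0xfa,0xff,0xff,0xff, 0xe1,0x11,0xff,0x00, 0,0};
static const uint8_t HDR_BENIGN[18]    = {0x04,0,0,0, 0,0,0,0, 0xfa,0xff,0xff,0xff, 0xe1,0x11,0x12,0x00, 0,0};

/* Runs the checked parser on a header; returns the lock-byte count or -1 if rejected. */
int checked_lock_count(const uint8_t *hdr)
{
    t2t_cb_t cb;
    memset(&cb, 0, sizeof cb);
    memcpy(cb.tag_hdr, hdr, sizeof cb.tag_hdr);
    return extract_default_locks_info_checked(&cb) ? (int)cb.num_lockbytes : -1;
}
```

With the model's constants the advisory's header yields a count of 30, far above the assumed capacity of 8, so the checked parser refuses it, while the benign header yields 1 and is accepted.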


If successfully exploited, an attacker within NFC range could obtain remote code execution in the Android device’s NFC daemon.

Coordinated Disclosure Timeline


This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).


You can contact the GHSL team at, please include the GHSL-2020-008 in any communication regarding this issue.