CVE: CVE-2021-0950
Tested Versions:
Product URL(s):
An Out-Of-Bounds Write bug was found in nfc_nci_nxp.so
. Specifically, in file "hardware/nxp/nfc/halimpl/hal/phNxpNciHal_ext.cc"
, function phNxpNciHal_write_ext
, due to lack of proper validation of the length of supplied command prior to increasing length of it, leading to 3 bytes overflow problem. This vulnerability can be turned into a read past the end of a global buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of NFC HIDL service.
The phNxpNciHal_write
function (defined in "hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc"
) is responsible for writing NCI command/data from Device Host to NFC controller. To invoke this function from client, the bellow code can be use in client:
hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc
#include <android/hardware/nfc/1.2/INfc.h>
using android::sp;
using INfcV1_2 = android::hardware::nfc::V1_2::INfc;
...
sp<INfcV1_2> mHal = INfcV1_2::getService();
...
mHal->write(...);
When the mHal->write()
function is invoked from the client side, the phNxpNciHal_write
in the service side is also invoked accordingly. From phNxpNciHal_write
function, phNxpNciHal_write_internal
function is invoked:
hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc
930 int phNxpNciHal_write_internal(uint16_t data_len, const uint8_t* p_data) {
/* ... */
936 if (data_len > NCI_MAX_DATA_LEN) {
937 NXPLOG_NCIHAL_E("cmd_len exceeds limit NCI_MAX_DATA_LEN");
938 android_errorWriteLog(0x534e4554, "121267042");
939 goto clean_and_return;
940 }
941 /* Create local copy of cmd_data */
942 memcpy(nxpncihal_ctrl.p_cmd_data, p_data, data_len);
943 nxpncihal_ctrl.cmd_len = data_len;
944 #ifdef P2P_PRIO_LOGIC_HAL_IMP
/* ... */
954 #endif
955
956 /* Check for NXP ext before sending write */
957 status =
958 phNxpNciHal_write_ext(&nxpncihal_ctrl.cmd_len, nxpncihal_ctrl.p_cmd_data,
959 &nxpncihal_ctrl.rsp_len, nxpncihal_ctrl.p_rsp_data);
/* ... */
988 }
p_data
is client-supplied command buffer and its length is data_len
. The maximum length of p_data
buffer is NCI_MAX_DATA_LEN
(300 bytes).
In phNxpNciHal_write_internal
function, p_data
is copied into a nxpncihal_ctrl.p_cmd_data
buffer.
nxpncihal_ctrl
is a phNxpNciHal_Control_t
global variables, p_cmd_data
and p_rsp_data
are 300 bytes buffer, are defined in "hardware/nxp/nfc/halimpl/hal/phNxpNciHal.h"
:
hardware/nxp/nfc/halimpl/hal/phNxpNciHal.h
89 typedef struct phNxpNciHal_Control {
/* ... */
120 uint16_t cmd_len;
121 uint8_t p_cmd_data[NCI_MAX_DATA_LEN];
122 uint16_t rsp_len;
123 uint8_t p_rsp_data[NCI_MAX_DATA_LEN];
/* ... */
132 } phNxpNciHal_Control_t;
Dig into phNxpNciHal_write_ext
function, which is defined in file "hardware/nxp/nfc/halimpl/hal/phNxpNciHal_ext.cc"
. There is 2 branchs:
hardware/nxp/nfc/halimpl/hal/phNxpNciHal_ext.cc
613 NFCSTATUS phNxpNciHal_write_ext(uint16_t* cmd_len, uint8_t* p_cmd_data,
614 uint16_t* rsp_len, uint8_t* p_rsp_data) {
/* ... */
679 if (bEnableMfcReader && p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
680 NXPLOG_NCIHAL_D("Going through extns - Adding Mifare in RF Discovery");
681 p_cmd_data[2] += 3;
682 p_cmd_data[3] += 1;
683 p_cmd_data[*cmd_len] = 0x80; // <-- Out-Of-Bounds Write
684 p_cmd_data[*cmd_len + 1] = 0x01; // <-- Out-Of-Bounds Write
685 p_cmd_data[*cmd_len + 2] = 0x80; // <-- Out-Of-Bounds Write
686 *cmd_len += 3;
687 status = NFCSTATUS_SUCCESS;
688 bEnableMfcExtns = false;
689 NXPLOG_NCIHAL_D(
690 "Going through extns - Adding Mifare in RF Discovery - END");
691 }
/* ... */
790 } else if (p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
791 NXPLOG_NCIHAL_D(
792 "> Going through workaround - Add Mifare Classic in Discovery Map");
793 p_cmd_data[*cmd_len] = 0x80; // <-- Out-Of-Bounds Write
794 p_cmd_data[*cmd_len + 1] = 0x01; // <-- Out-Of-Bounds Write
795 p_cmd_data[*cmd_len + 2] = 0x80; // <-- Out-Of-Bounds Write
796 p_cmd_data[5] = 0x01;
797 p_cmd_data[6] = 0x01;
798 p_cmd_data[2] += 3;
799 p_cmd_data[3] += 1;
800 *cmd_len += 3;
801 }
/* ... */
879 }
There is no bound check when increasing cmd_len
lead to 3 byte 0x80, 0x01, 0x80 can be written out of p_cmd_data
buffer. Look at the phNxpNciHal_Control_t
object definition, rsp_len
is defined following p_cmd_data
buffer. It leads to rsp_len
variable could be overwritten by 3 bytes in phNxpNciHal_write_ext
function.
$ getprop ro.build.fingerprint
google/sargo/sargo:11/RQ1A.210205.004/7038034:user/release-keys
To successful exploit the 3 bytes Out-Of-Bounds Write vulnerability and turn it into a Infomation Disclosure, we must combine this vulnerability with a race condition, details are as follow:
phNxpNciHal_client_thread
(defined in "hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc"
) is a thread handler which handles all TML and NCI messages. NCI is sent to this thread by invoking phTmlNfc_DeferredCall
function (defined in "hardware/nxp/nfc/halimpl/tml/phTmlNfc.cc"
).
In phNxpNciHal_write_ext
function, there are many branches which lead to set return value to NFCSTATUS_FAILED
, for example:
hardware/nxp/nfc/halimpl/hal/phNxpNciHal_ext.cc
613 NFCSTATUS phNxpNciHal_write_ext(uint16_t* cmd_len, uint8_t* p_cmd_data,
614 uint16_t* rsp_len, uint8_t* p_rsp_data) {
/* ... */
623 if (p_cmd_data[0] == PROPRIETARY_CMD_FELICA_READER_MODE &&
624 p_cmd_data[1] == PROPRIETARY_CMD_FELICA_READER_MODE &&
625 p_cmd_data[2] == PROPRIETARY_CMD_FELICA_READER_MODE) {
626 NXPLOG_NCIHAL_D("Received proprietary command to set Felica Reader mode:%d",
627 p_cmd_data[3]);
628 gFelicaReaderMode = p_cmd_data[3];
629 /* frame the dummy response */
630 *rsp_len = 4;
631 p_rsp_data[0] = 0x00;
632 p_rsp_data[1] = 0x00;
633 p_rsp_data[2] = 0x00;
634 p_rsp_data[3] = 0x00;
635 status = NFCSTATUS_FAILED;
636 }
/* ... */
878 return status;
879 }
If the phNxpNciHal_write_ext
function return NFCSTATUS_FAILED
, the phTmlNfc_DeferredCall
is invoked to send a message to phNxpNciHal_client_thread
thread: hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc
930 int phNxpNciHal_write_internal(uint16_t data_len, const uint8_t* p_data) {
/* ... */
957 status =
958 phNxpNciHal_write_ext(&nxpncihal_ctrl.cmd_len, nxpncihal_ctrl.p_cmd_data,
959 &nxpncihal_ctrl.rsp_len, nxpncihal_ctrl.p_rsp_data);
960 if (status != NFCSTATUS_SUCCESS) {
961 /* Do not send packet to PN54X, send response directly */
962 msg.eMsgType = NCI_HAL_RX_MSG;
963 msg.pMsgData = NULL;
964 msg.Size = 0;
965
966 phTmlNfc_DeferredCall(gpphTmlNfc_Context->dwCallbackThreadId,
967 (phLibNfc_Message_t*)&msg);
968 goto clean_and_return;
969 }
/* ... */
988 }
The NCI_HAL_RX_MSG
message is processed in phNxpNciHal_client_thread
function as following:
hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc
171 static void* phNxpNciHal_client_thread(void* arg) {
/* ... */
270 case NCI_HAL_RX_MSG: {
271 REENTRANCE_LOCK();
272 if (nxpncihal_ctrl.p_nfc_stack_data_cback != NULL) {
273 (*nxpncihal_ctrl.p_nfc_stack_data_cback)(nxpncihal_ctrl.rsp_len,
274 nxpncihal_ctrl.p_rsp_data);
275 }
276 REENTRANCE_UNLOCK();
277 break;
278 }
/* ... */
285 }
Although lock operation is performing here, with the primitive that overwriting the rsp_len
variable without lock operation by exploit 3 bytes out-of-bound write vulnerability above, we can trigger race condition.
The size of p_rsp_data
buffer is 300 bytes and with the out-of-bound write bug, we can overwrite the value of rsp_len
variable to 0x180 = 384
. Combining 2 vulnerabilities, we can leak the 84 bytes memory behind the p_rsp_data
buffer.
Look at declaration of nxpprofile_ctrl
variable in file "hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc"
: hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc
60 /* NCI HAL Control structure */
61 phNxpNciHal_Control_t nxpncihal_ctrl;
62
63 /* NXP Poll Profile structure */
64 phNxpNciProfile_Control_t nxpprofile_ctrl;
65
66 /* TML Context */
67 extern phTmlNfc_Context_t* gpphTmlNfc_Context;
68 extern void phTmlNfc_set_fragmentation_enabled(
69 phTmlNfc_i2cfragmentation_t result);
70 /* global variable to get FW version from NCI response*/
71 uint32_t wFwVerRsp;
72 EseAdaptation *gpEseAdapt = NULL;
gpEseAdapt
looks interesting, it is a pointer to a heap memory in HAL service. This variable is set in phNxpNciHal_MinOpen
function.
In file "hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc"
, phNxpNciHal_MinOpen
function:
550 int phNxpNciHal_MinOpen (){
...
605 gpEseAdapt = &EseAdaptation::GetInstance();
...
771 }
EseAdaptation::GetInstance
function is defined in file "hardware/nxp/nfc/halimpl/src/adaptation/EseAdaptation.cpp"
: hardware/nxp/nfc/halimpl/src/adaptation/EseAdaptation.cpp
98 EseAdaptation& EseAdaptation::GetInstance() {
99 AutoThreadMutex a(sLock);
100
101 if (!mpInstance) mpInstance = new EseAdaptation; <-- allocation memory in heap.
102 return *mpInstance;
103 }
Confirm this thing by look at library file "/vendor/lib64/nfc_nci_nxp.so"
which NFC HAL code is compiled into (this library is fetched from Pixel 3a phone, firmware version: RQ1A.210205.004
, md5sum: b8b1d55f451117d5b6c67de7bd662883). Open this binary in IDA:
.bss:0000000000030610 byte_30610 % 0x12C <-- the nxpncihal_ctrl.p_rsp_data buffer
.bss:000000000003073C word_3073C % 2 ; DATA XREF: phNxpNciHal_MinOpen(void)+51C↑r
.bss:000000000003073C ; phNxpNciHal_write_unlocked(ushort,uchar const*)+48↑w ...
.bss:000000000003073E byte_3073E % 1 ; DATA XREF: sub_1A2BC+38↑r
.bss:000000000003073E ; sub_1A2BC+44↑w
.bss:000000000003073F byte_3073F % 1 ; DATA XREF: phNxpNciHal_MinOpen(void)+358↑w
.bss:000000000003073F ; phNxpNciHal_MinOpen(void)+530↑r ...
.bss:0000000000030740 byte_30740 % 1 ; DATA XREF: sub_1A2BC+46C↑r
.bss:0000000000030740 ; sub_1A2BC+480↑w ...
.bss:0000000000030741 ALIGN 4
.bss:0000000000030744 dword_30744 % 4 ; DATA XREF: sub_1A2BC:loc_1A578↑r
.bss:0000000000030744 ; sub_1AD2C+118↑w ...
.bss:0000000000030748 word_30748 % 2 ; DATA XREF: sub_1A2BC+334↑w
.bss:0000000000030748 ; sub_1F4C8+98↑r ...
.bss:000000000003074A ALIGN 4
.bss:000000000003074C byte_3074C % 1 ; DATA XREF: phNxpNciHal_MinOpen(void)+4C↑w
.bss:000000000003074C ; phNxpNciHal_MinOpen(void)+6B0↑w ...
.bss:000000000003074D ALIGN 0x10
.bss:0000000000030750 nxpprofile_ctrl % 8 ; DATA XREF: LOAD:0000000000001E38↑o
.bss:0000000000030750 ; phNxpNciHal_MinOpen(void)+268↑w ...
.bss:0000000000030758 EXPORT wFwVerRsp
.bss:0000000000030758 wFwVerRsp % 4 ; DATA XREF: LOAD:0000000000001358↑o
.bss:0000000000030758 ; phNxpNciHal_MinOpen(void)+80C↑r ...
.bss:000000000003075C ALIGN 0x20
.bss:0000000000030760 EXPORT gpEseAdapt
.bss:0000000000030760 gpEseAdapt % 8
The offset between gpEseAdapt
variable and nxpncihal_ctrl.p_rsp_data
buffer is (0x30760 - 0x30610) = 336 bytes, so it is able to leak value of gpEseAdapt
variable.
Since gpEseAdapt
point to an allocation memory chunk in heap memory of NFC HAL service, it can be used to chain with another vulnerability to execute code in NFC HAL service context.