Advisories

Description of the vulnerability

An Out-Of-Bounds Write bug was found in nfc_nci_nxp.so. Specifically, in file "hardware/nxp/nfc/halimpl/hal/phNxpNciHal_ext.cc", function phNxpNciHal_write_ext, due to lack of proper validation of the length of supplied command prior to increasing length of it, leading to 3 bytes overflow problem. This vulnerability can be turned into a read past the end of a global buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of NFC HIDL service.

Technical Details

The phNxpNciHal_write function (defined in "hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc") is responsible for writing NCI command/data from Device Host to NFC controller. To invoke this function from client, the bellow code can be use in client: hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc

#include <android/hardware/nfc/1.2/INfc.h>

using android::sp;
using INfcV1_2 = android::hardware::nfc::V1_2::INfc;

...
sp<INfcV1_2> mHal = INfcV1_2::getService();
...
mHal->write(...);

When the mHal->write() function is invoked from the client side, the phNxpNciHal_write in the service side is also invoked accordingly. From phNxpNciHal_write function, phNxpNciHal_write_internal function is invoked: hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc

930 int phNxpNciHal_write_internal(uint16_t data_len, const uint8_t* p_data) {
  
      /* ... */
  
936   if (data_len > NCI_MAX_DATA_LEN) {
937     NXPLOG_NCIHAL_E("cmd_len exceeds limit NCI_MAX_DATA_LEN");
938     android_errorWriteLog(0x534e4554, "121267042");
939     goto clean_and_return;
940   }
941   /* Create local copy of cmd_data */
942   memcpy(nxpncihal_ctrl.p_cmd_data, p_data, data_len);
943   nxpncihal_ctrl.cmd_len = data_len;
944 #ifdef P2P_PRIO_LOGIC_HAL_IMP
      /* ... */
954 #endif
955
956   /* Check for NXP ext before sending write */
957   status =
958       phNxpNciHal_write_ext(&nxpncihal_ctrl.cmd_len, nxpncihal_ctrl.p_cmd_data,
959                             &nxpncihal_ctrl.rsp_len, nxpncihal_ctrl.p_rsp_data);
      /* ... */
988 }

p_data is client-supplied command buffer and its length is data_len. The maximum length of p_data buffer is NCI_MAX_DATA_LEN (300 bytes). In phNxpNciHal_write_internal function, p_data is copied into a nxpncihal_ctrl.p_cmd_data buffer. nxpncihal_ctrl is a phNxpNciHal_Control_t global variables, p_cmd_data and p_rsp_data are 300 bytes buffer, are defined in "hardware/nxp/nfc/halimpl/hal/phNxpNciHal.h": hardware/nxp/nfc/halimpl/hal/phNxpNciHal.h

89  typedef struct phNxpNciHal_Control {
      /* ... */
120   uint16_t cmd_len;
121   uint8_t p_cmd_data[NCI_MAX_DATA_LEN];
122   uint16_t rsp_len;
123   uint8_t p_rsp_data[NCI_MAX_DATA_LEN];
      /* ... */
132 } phNxpNciHal_Control_t;

Dig into phNxpNciHal_write_ext function, which is defined in file "hardware/nxp/nfc/halimpl/hal/phNxpNciHal_ext.cc". There is 2 branchs: hardware/nxp/nfc/halimpl/hal/phNxpNciHal_ext.cc

613 NFCSTATUS phNxpNciHal_write_ext(uint16_t* cmd_len, uint8_t* p_cmd_data,
614                             uint16_t* rsp_len, uint8_t* p_rsp_data) {
        /* ... */
679     if (bEnableMfcReader && p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
680       NXPLOG_NCIHAL_D("Going through extns - Adding Mifare in RF Discovery");
681       p_cmd_data[2] += 3;
682       p_cmd_data[3] += 1;
683       p_cmd_data[*cmd_len] = 0x80;              // <-- Out-Of-Bounds Write
684       p_cmd_data[*cmd_len + 1] = 0x01;          // <-- Out-Of-Bounds Write
685       p_cmd_data[*cmd_len + 2] = 0x80;          // <-- Out-Of-Bounds Write
686       *cmd_len += 3;
687       status = NFCSTATUS_SUCCESS;
688       bEnableMfcExtns = false;
689       NXPLOG_NCIHAL_D(
690           "Going through extns - Adding Mifare in RF Discovery - END");
691     }    
        /* ... */
790     } else if (p_cmd_data[0] == 0x21 && p_cmd_data[1] == 0x00) {
791         NXPLOG_NCIHAL_D(
792             "> Going through workaround - Add Mifare Classic in Discovery Map");
793         p_cmd_data[*cmd_len] = 0x80;            // <-- Out-Of-Bounds Write
794         p_cmd_data[*cmd_len + 1] = 0x01;        // <-- Out-Of-Bounds Write
795         p_cmd_data[*cmd_len + 2] = 0x80;        // <-- Out-Of-Bounds Write
796         p_cmd_data[5] = 0x01;
797         p_cmd_data[6] = 0x01;
798         p_cmd_data[2] += 3;
799         p_cmd_data[3] += 1;
800         *cmd_len += 3;
801     }
    /* ... */
879 }

There is no bound check when increasing cmd_len lead to 3 byte 0x80, 0x01, 0x80 can be written out of p_cmd_data buffer. Look at the phNxpNciHal_Control_t object definition, rsp_len is defined following p_cmd_data buffer. It leads to rsp_len variable could be overwritten by 3 bytes in phNxpNciHal_write_ext function.

Build fingerprint

$ getprop ro.build.fingerprint
google/sargo/sargo:11/RQ1A.210205.004/7038034:user/release-keys

Proof of Concept

Turning 3 bytes Out-Of-Bounds Write to Infomation Disclosure.

To successful exploit the 3 bytes Out-Of-Bounds Write vulnerability and turn it into a Infomation Disclosure, we must combine this vulnerability with a race condition, details are as follow:

  • phNxpNciHal_client_thread (defined in "hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc") is a thread handler which handles all TML and NCI messages. NCI is sent to this thread by invoking phTmlNfc_DeferredCall function (defined in "hardware/nxp/nfc/halimpl/tml/phTmlNfc.cc").

  • In phNxpNciHal_write_ext function, there are many branches which lead to set return value to NFCSTATUS_FAILED, for example: hardware/nxp/nfc/halimpl/hal/phNxpNciHal_ext.cc

    613 NFCSTATUS phNxpNciHal_write_ext(uint16_t* cmd_len, uint8_t* p_cmd_data,
    614                             uint16_t* rsp_len, uint8_t* p_rsp_data) {
            /* ... */
    623     if (p_cmd_data[0] == PROPRIETARY_CMD_FELICA_READER_MODE &&
    624         p_cmd_data[1] == PROPRIETARY_CMD_FELICA_READER_MODE &&
    625         p_cmd_data[2] == PROPRIETARY_CMD_FELICA_READER_MODE) {
    626         NXPLOG_NCIHAL_D("Received proprietary command to set Felica Reader mode:%d",
    627                         p_cmd_data[3]);
    628         gFelicaReaderMode = p_cmd_data[3];
    629         /* frame the dummy response */
    630         *rsp_len = 4;
    631         p_rsp_data[0] = 0x00;
    632         p_rsp_data[1] = 0x00;
    633         p_rsp_data[2] = 0x00;
    634         p_rsp_data[3] = 0x00;
    635         status = NFCSTATUS_FAILED;
    636     }
            /* ... */
    878     return status;
    879 }
    
  • If the phNxpNciHal_write_ext function return NFCSTATUS_FAILED, the phTmlNfc_DeferredCall is invoked to send a message to phNxpNciHal_client_thread thread: hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc

    930 int phNxpNciHal_write_internal(uint16_t data_len, const uint8_t* p_data) {
            /* ... */
    
    957     status =
    958         phNxpNciHal_write_ext(&nxpncihal_ctrl.cmd_len, nxpncihal_ctrl.p_cmd_data,
    959                                 &nxpncihal_ctrl.rsp_len, nxpncihal_ctrl.p_rsp_data);    
    960     if (status != NFCSTATUS_SUCCESS) {
    961         /* Do not send packet to PN54X, send response directly */
    962         msg.eMsgType = NCI_HAL_RX_MSG;
    963         msg.pMsgData = NULL;
    964         msg.Size = 0;
    965
    966         phTmlNfc_DeferredCall(gpphTmlNfc_Context->dwCallbackThreadId,
    967                           (phLibNfc_Message_t*)&msg);
    968         goto clean_and_return;
    969     }
    
            /* ... */
    988 }
    
  • The NCI_HAL_RX_MSG message is processed in phNxpNciHal_client_thread function as following: hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc

    171 static void* phNxpNciHal_client_thread(void* arg) {
            /* ... */
    
    270     case NCI_HAL_RX_MSG: {
    271         REENTRANCE_LOCK();
    272         if (nxpncihal_ctrl.p_nfc_stack_data_cback != NULL) {
    273           (*nxpncihal_ctrl.p_nfc_stack_data_cback)(nxpncihal_ctrl.rsp_len,
    274                                                    nxpncihal_ctrl.p_rsp_data);
    275         }
    276         REENTRANCE_UNLOCK();
    277         break;
    278     }
    
            /* ... */
    285 }
    

    Although lock operation is performing here, with the primitive that overwriting the rsp_len variable without lock operation by exploit 3 bytes out-of-bound write vulnerability above, we can trigger race condition. The size of p_rsp_data buffer is 300 bytes and with the out-of-bound write bug, we can overwrite the value of rsp_len variable to 0x180 = 384. Combining 2 vulnerabilities, we can leak the 84 bytes memory behind the p_rsp_data buffer.

  • Look at declaration of nxpprofile_ctrl variable in file "hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc": hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc

    60 /* NCI HAL Control structure */
    61 phNxpNciHal_Control_t nxpncihal_ctrl;
    62 
    63 /* NXP Poll Profile structure */
    64 phNxpNciProfile_Control_t nxpprofile_ctrl;
    65
    66 /* TML Context */
    67 extern phTmlNfc_Context_t* gpphTmlNfc_Context;
    68 extern void phTmlNfc_set_fragmentation_enabled(
    69     phTmlNfc_i2cfragmentation_t result);
    70 /* global variable to get FW version from NCI response*/
    71 uint32_t wFwVerRsp;
    72 EseAdaptation *gpEseAdapt = NULL;
    

    gpEseAdapt looks interesting, it is a pointer to a heap memory in HAL service. This variable is set in phNxpNciHal_MinOpen function. In file "hardware/nxp/nfc/halimpl/hal/phNxpNciHal.cc", phNxpNciHal_MinOpen function:

    550 int phNxpNciHal_MinOpen (){
            ...
    605     gpEseAdapt = &EseAdaptation::GetInstance();
            ...
    771 }
    

    EseAdaptation::GetInstance function is defined in file "hardware/nxp/nfc/halimpl/src/adaptation/EseAdaptation.cpp": hardware/nxp/nfc/halimpl/src/adaptation/EseAdaptation.cpp

    98  EseAdaptation& EseAdaptation::GetInstance() {
    99      AutoThreadMutex a(sLock);
    100 
    101     if (!mpInstance) mpInstance = new EseAdaptation;    <-- allocation memory in heap.
    102     return *mpInstance;
    103 }
    
  • Confirm this thing by look at library file "/vendor/lib64/nfc_nci_nxp.so" which NFC HAL code is compiled into (this library is fetched from Pixel 3a phone, firmware version: RQ1A.210205.004, md5sum: b8b1d55f451117d5b6c67de7bd662883). Open this binary in IDA:

    .bss:0000000000030610 byte_30610      % 0x12C      <-- the nxpncihal_ctrl.p_rsp_data buffer
    .bss:000000000003073C word_3073C      % 2                     ; DATA XREF: phNxpNciHal_MinOpen(void)+51C↑r
    .bss:000000000003073C                                         ; phNxpNciHal_write_unlocked(ushort,uchar const*)+48↑w ...
    .bss:000000000003073E byte_3073E      % 1                     ; DATA XREF: sub_1A2BC+38↑r
    .bss:000000000003073E                                         ; sub_1A2BC+44↑w
    .bss:000000000003073F byte_3073F      % 1                     ; DATA XREF: phNxpNciHal_MinOpen(void)+358↑w
    .bss:000000000003073F                                         ; phNxpNciHal_MinOpen(void)+530↑r ...
    .bss:0000000000030740 byte_30740      % 1                     ; DATA XREF: sub_1A2BC+46C↑r
    .bss:0000000000030740                                         ; sub_1A2BC+480↑w ...
    .bss:0000000000030741                 ALIGN 4
    .bss:0000000000030744 dword_30744     % 4                     ; DATA XREF: sub_1A2BC:loc_1A578↑r
    .bss:0000000000030744                                         ; sub_1AD2C+118↑w ...
    .bss:0000000000030748 word_30748      % 2                     ; DATA XREF: sub_1A2BC+334↑w
    .bss:0000000000030748                                         ; sub_1F4C8+98↑r ...
    .bss:000000000003074A                 ALIGN 4
    .bss:000000000003074C byte_3074C      % 1                     ; DATA XREF: phNxpNciHal_MinOpen(void)+4C↑w
    .bss:000000000003074C                                         ; phNxpNciHal_MinOpen(void)+6B0↑w ...
    .bss:000000000003074D                 ALIGN 0x10
    .bss:0000000000030750 nxpprofile_ctrl % 8                     ; DATA XREF: LOAD:0000000000001E38↑o
    .bss:0000000000030750                                         ; phNxpNciHal_MinOpen(void)+268↑w ...
    .bss:0000000000030758                 EXPORT wFwVerRsp
    .bss:0000000000030758 wFwVerRsp       % 4                     ; DATA XREF: LOAD:0000000000001358↑o
    .bss:0000000000030758                                         ; phNxpNciHal_MinOpen(void)+80C↑r ...
    .bss:000000000003075C                 ALIGN 0x20
    .bss:0000000000030760                 EXPORT gpEseAdapt
    .bss:0000000000030760 gpEseAdapt      % 8
    

    The offset between gpEseAdapt variable and nxpncihal_ctrl.p_rsp_data buffer is (0x30760 - 0x30610) = 336 bytes, so it is able to leak value of gpEseAdapt variable. Since gpEseAdapt point to an allocation memory chunk in heap memory of NFC HAL service, it can be used to chain with another vulnerability to execute code in NFC HAL service context.

Timeline

  • 2021-03-05 Reported to Vendor
  • 2021-12-02 Vendor assign CVE

Credit

Discovered by Nguyễn Hoàng Thạch