Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Type confusion due to race condition during tag type change in Android NFC
Ned Williamson - GooglePosted 4 Years Ago- Android's NFC stack uses TCB (Task Control Blocks). These are used in order to keep track of the incoming tasks from the NFC controller.
- Each TCB has an auxiliary buffer for the timer data. This appears to be setting a time limit on an action, with a resulting callback happening if the functionality times out.
- Asynchronous actions are notoriously hard to secure! While fuzzing this functionality, the author discovered that while cancelling one of the TCB tasks, the timer was never cancelled. As a result, the callback could use the information from a removed timer.
- The author demonstrates the vulnerability by transitioning between two different types. Using the race condition above, it is possible to swap in your own data for this information. This results in a type confusion.
- The attached proof of concept leads to a segfault, but no mention is to the exact reason. Considering the type confusion, this looks like a fairly exploitable bug! You may need a memory leak to do anything meaningful with this though.
