Android NFC条件竞争漏洞分析(CVE-2021-0870)技术文档<\/h1>

1. 漏洞概述<\/h2>
CVE-2021-0870是Android NFC子系统中的一个高危远程代码执行(RCE)漏洞，于2021年10月安全公告中被修复。该漏洞存在于NFC的Reader\/Write模式中，涉及Tag控制块(TCB)的状态切换机制。<\/p>
漏洞核心问题<\/strong>：当通过`RW_SetActivatedTagType<\/code>函数在不同tag类型之间切换时，会使用memset<\/code>将TCB置零表示上一状态已被禁用，但上一个状态的超时检测定时器仍然在工作并引用TCB中的数据指针。当新状态启动自己的定时器重写TCB中相应偏移的数据时，会产生条件竞争，最终可能导致内存破坏和代码执行。<\/p>`

2. NFC技术背景<\/h2> 2.1 NFC运行模式<\/h3> Reader\/Write模式(R\/W)<\/strong>：与NFC Tag\/NFC reader交互<\/li> Peer-to-Peer模式(P2P)<\/strong>：支持两个NFC设备间交互<\/li> Card Emulation模式(CE)<\/strong>：将NFC设备模拟为智能卡(如支付\/门禁)<\/li> <\/ol> 2.2 NFC数据结构<\/h3> NFC Forum定义了两种主要数据结构：<\/p> NDEF<\/strong>：NFC数据交换格式<\/li> NFC Record<\/strong>：数据记录单元<\/li> <\/ul> 在R\/W模式下使用NDEF通信时，数据交互被封装在NDEF Message中，一个Message包含多个Record。<\/p> 2.3 Tag类型<\/h3> Android支持多种Tag类型，通过android.nfc.tech<\/code>包中的类处理：<\/p> Ndef<\/code>：处理Type1-4 Tag<\/li> IsoDep<\/code>：处理ISO-DEP (ISO 14443-4)<\/li> MifareClassic<\/code>\/MifareUltralight<\/code>：处理MIFARE标签<\/li> NfcA<\/code>\/NfcB<\/code>\/NfcF<\/code>\/NfcV<\/code>：处理不同射频技术标准<\/li> <\/ul> 3. 漏洞详细分析<\/h2> 3.1 漏洞位置<\/h3> 漏洞位于RW_SetActivatedTagType<\/code>函数中，该函数负责在不同Tag类型间切换：<\/p> tNFC_STATUS RW_SetActivatedTagType<\/span>(tNFC_ACTIVATE_DEVT*<\/span> p_activate_params, tRW_CBACK*<\/span> p_cback) { <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> memset(&<\/span>rw_cb.tcb, 0<\/span>, sizeof<\/span>(tRW_TCB)); \/\/ 问题代码：直接清零TCB <\/span><\/span><\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>3.2 漏洞触发流程<\/h3> 系统处于i93模式(IsoDep)<\/li> 发起读数据请求(NFA_RwReadNDef<\/code>)，启动定时器<\/li> 立即从i93切换到t3t模式(FeliCa)<\/li> 新t3t模式启动自己的定时器<\/li> 两个定时器同时操作TCB导致条件竞争<\/li> <\/ol> 3.3 根本原因<\/h3> TCB复用<\/strong>：不同Tag状态复用同一块TCB内存区域<\/li> 不完整的状态切换<\/strong>：切换时仅清零TCB，未停止前一个状态的定时器<\/li> 定时器竞争<\/strong>：新旧状态的定时器同时操作TCB中的相同字段<\/li> <\/ul> 4. PoC分析<\/h2> 4.1 PoC关键步骤<\/h3> 初始化NFC环境<\/strong>：<\/p> NfcAdaptation&<\/span> theInstance =<\/span> NfcAdaptation::<\/span>GetInstance(); <\/span><\/span>theInstance.Initialize(); <\/span><\/span>NFA_Init(&<\/span>entry_funcs); <\/span><\/span>NFA_Enable(nfa_dm_callback, nfa_conn_callback); <\/span><\/span><\/code><\/pre><\/li> 模拟i93 Tag激活<\/strong>：<\/p> std::<\/span>vector<<\/span>uint8_t<\/span>><\/span> activate_rf =<\/span> {\/* disc_id *\/<\/span>0x0<\/span>, NFC_DISCOVERY_TYPE_POLL_V, <\/span><\/span> static_cast<\/span><<\/span>uint8_t<\/span>><\/span>(NFC_PROTOCOL_T5T)}; <\/span><\/span>g_callback_tracker-><\/span>SimulatePacketArrival(NCI_MT_NTF, 0<\/span>, NCI_GID_RF_MANAGE, <\/span><\/span> NCI_MSG_RF_INTF_ACTIVATED, <\/span><\/span> activate_rf.data(), activate_rf.size()); <\/span><\/span><\/code><\/pre><\/li> 发起读请求并触发定时器<\/strong>：<\/p> NFA_RwReadNDef(); <\/span><\/span><\/code><\/pre><\/li> 快速切换到t3t模式<\/strong>：<\/p> std::<\/span>vector<<\/span>uint8_t<\/span>><\/span> activate_another_rf =<\/span> {\/* disc_id *\/<\/span>0x0<\/span>, <\/span><\/span> NFC_DISCOVERY_TYPE_LISTEN_F, <\/span><\/span> NFC_PROTOCOL_T3T}; <\/span><\/span>g_callback_tracker-><\/span>SimulatePacketArrival(NCI_MT_NTF, 0<\/span>, NCI_GID_RF_MANAGE, <\/span><\/span> NCI_MSG_RF_INTF_ACTIVATED, <\/span><\/span> activate_another_rf.data(), <\/span><\/span> activate_another_rf.size()); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4.2 关键同步机制<\/h3> PoC使用条件变量实现精确时序控制：<\/p> { <\/span><\/span> std::<\/span>unique_lock<<\/span>std::<\/span>mutex><\/span> i93_detect_lock(cv_mutex); <\/span><\/span> i93_detect_cv.wait(i93_detect_lock); \/\/ 等待i93检测完成 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>5. 漏洞修复方案<\/h2> 修复方法是在切换Tag类型前停止所有相关定时器：<\/p> tNFC_STATUS RW_SetActivatedTagType<\/span>(tNFC_ACTIVATE_DEVT*<\/span> p_activate_params, tRW_CBACK*<\/span> p_cback) { <\/span><\/span> \/\/ 根据当前Tag类型停止相应定时器 <\/span><\/span><\/span><\/span> switch<\/span> (rw_cb.tcb_type) { <\/span><\/span> case<\/span> RW_CB_TYPE_T1T: nfc_stop_quick_timer(&<\/span>rw_cb.tcb.t1t.timer); break<\/span>; <\/span><\/span> case<\/span> RW_CB_TYPE_T2T: nfc_stop_quick_timer(&<\/span>rw_cb.tcb.t2t.t2_timer); break<\/span>; <\/span><\/span> case<\/span> RW_CB_TYPE_T3T: <\/span><\/span> nfc_stop_quick_timer(&<\/span>rw_cb.tcb.t3t.timer); <\/span><\/span> nfc_stop_quick_timer(&<\/span>rw_cb.tcb.t3t.poll_timer); <\/span><\/span> break<\/span>; <\/span><\/span> \/\/ ... 其他类型处理 <\/span><\/span><\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 然后再清零TCB <\/span><\/span><\/span><\/span> memset(&<\/span>rw_cb.tcb, 0<\/span>, sizeof<\/span>(tRW_TCB)); <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>6. 技术要点总结<\/h2> NFC子系统架构<\/strong>：理解NFC的任务模型和消息传递机制(GKI)<\/li> TCB管理<\/strong>：Tag控制块的内存管理和状态切换机制<\/li> 定时器机制<\/strong>：NFC中的定时器实现和使用场景<\/li> 条件竞争<\/strong>：多任务环境下共享资源的同步问题<\/li> 安全修复原则<\/strong>：状态切换时应完整清理所有相关资源<\/li> <\/ol> 7. 防御建议<\/h2> 及时更新Android安全补丁<\/li> 对NFC子系统进行模糊测试<\/li> 在状态切换时确保完整清理所有相关资源<\/li> 使用静态分析工具检测类似的条件竞争问题<\/li> <\/ol> 8. 参考资源<\/h2> Android 2021-10安全公告<\/a><\/li> NFC Forum技术规范<\/li> Android NFC子系统源代码<\/li> <\/ol>