CVE-2021-0870 NFC竟也存在高危漏洞?看他如何分析( 六 )

, p_data=http://www.kingceram.com/post/) at ../src/nfa/dm/nfa_dm_act.cc:1636#60x00000000006a397d in nfa_dm_disc_notify_activation (p_data=http://www.kingceram.com/post/) at ../src/nfa/dm/nfa_dm_discover.cc:1238#70x0000000000697105 in nfa_dm_disc_sm_discovery (event=, p_data=http://www.kingceram.com/post/0x7fff715200e0) at ../src/nfa/dm/nfa_dm_discover.cc:1918
崩溃现场
i93 定时器仍残留在定时器链表中；切换到 t3t 标签并激活后，该定时器所在的内存被 t3t 定时器的数据覆盖破坏。当 t3t 定时器随后也被插入到链表头部时，遍历链表就会触发段错误。
崩溃现场：
对应的源代码是下面带 =>> 标记的 while 这一行：
/* Find the entry that the new one needs to be inserted in front of */p_temp = p_timer_listq->p_first;=>>while (p_tle->ticks > p_temp->ticks) {/* Update the tick value if looking at an unexpired entry */if (p_temp->ticks > 0) p_tle->ticks -= p_temp->ticks;p_temp = p_temp->p_next;}
下面这个调用栈并非由 PoC 触发，而是漏洞最初被发现时记录的调用栈，放在这里仅供参考。
(rr) bt#00x000000000075b6fd in GKI_add_to_timer_list (p_timer_listq=, p_tle=0x1221dd8 , p_tle@entry=0x7fff71517140) at ../fuzzer/gki_fuzz_fakes.cc:153#10x000000000059d1ce in nfc_start_quick_timer (p_tle=, type=, timeout=) at ../src/nfc/nfc/nfc_task.cc:216#20x00000000005e3c68 in rw_t3t_start_poll_timer (p_cb=) at ../src/nfc/tags/rw_t3t.cc:333#3RW_T3tGetSystemCodes () at ../src/nfc/tags/rw_t3t.cc:2964#40x0000000000719a40 in nfa_rw_t3t_get_system_codes () at ../src/nfa/rw/nfa_rw_act.cc:2331#5nfa_rw_handle_op_req (p_data=http://www.kingceram.com/post/) at ../src/nfa/rw/nfa_rw_act.cc:2971#60x000000000071585d in nfa_rw_activate_ntf (p_data=http://www.kingceram.com/post/) at ../src/nfa/rw/nfa_rw_act.cc:2677#70x000000000070b144 in nfa_rw_handle_event (p_msg=) at ../src/nfa/rw/nfa_rw_main.cc:246#80x000000000070a710 in nfa_rw_proc_disc_evt (event=1 '\001', p_data=http://www.kingceram.com/post/, excl_rf_not_active=) at ../src/nfa/rw/nfa_rw_main.cc:184#90x00000000006b243d in nfa_dm_poll_disc_cback (event=, p_data=http://www.kingceram.com/post/) at ../src/nfa/dm/nfa_dm_act.cc:1636#10 0x00000000006a397d in nfa_dm_disc_notify_activation (p_data=http://www.kingceram.com/post/) at ../src/nfa/dm/nfa_dm_discover.cc:1238#11 0x0000000000697105 in nfa_dm_disc_sm_discovery (event=, p_data=http://www.kingceram.com/post/0x7fff715200e0) at ../src/nfa/dm/nfa_dm_discover.cc:1918#12 nfa_dm_disc_sm_execute (event=, p_data=http://www.kingceram.com/post/) at ../src/nfa/dm/nfa_dm_discover.cc:2533#13 0x000000000068f601 in nfa_dm_disc_discovery_cback (event=, p_data=http://www.kingceram.com/post/) at ../src/nfa/dm/nfa_dm_discover.cc:727#14 0x00000000005b0a92 in nfc_ncif_proc_activate (p=, len=60 '<') at ../src/nfc/nfc/nfc_ncif.cc:1372#15 0x00000000005c50c9 in nci_proc_rf_management_ntf (p_msg=0x617000003180) at ../src/nfc/nci/nci_hrcv.cc:276#16 0x00000000005a2e6b in nfc_ncif_process_event (p_msg=0x617000003180) at ../src/nfc/nfc/nfc_ncif.cc:485
漏洞缓解措施
只要在切换到下一个 tag 之前，先将上一个 tag 的定时器停止即可，这样旧定时器就不会残留在定时器链表中。
tNFC_STATUS RW_SetActivatedTagType(tNFC_ACTIVATE_DEVT* p_activate_params,tRW_CBACK* p_cback) {tNFC_STATUS status = NFC_STATUS_FAILED;/* check for null cback here / remove checks from rw_t?t */DLOG_IF(INFO, nfc_debug_enabled) << StringPrintf("RW_SetActivatedTagType protocol:%d, technology:%d, SAK:%d",p_activate_params->protocol, p_activate_params->rf_tech_param.mode,p_activate_params->rf_tech_param.param.pa.sel_rsp);if (p_cback == nullptr) {LOG(ERROR) << StringPrintf("RW_SetActivatedTagType called with NULL callback");return (NFC_STATUS_FAILED);}switch (rw_cb.tcb_type) {case RW_CB_TYPE_T1T: {nfc_stop_quick_timer(&rw_cb.tcb.t1t.timer);break;}case RW_CB_TYPE_T2T: {nfc_stop_quick_timer(&rw_cb.tcb.t2t.t2_timer);break;}case RW_CB_TYPE_T3T: {nfc_stop_quick_timer(&rw_cb.tcb.t3t.timer);nfc_stop_quick_timer(&rw_cb.tcb.t3t.poll_timer);break;}case RW_CB_TYPE_T4T: {nfc_stop_quick_timer(&rw_cb.tcb.t4t.timer);break;}case RW_CB_TYPE_T5T: {nfc_stop_quick_timer(&rw_cb.tcb.i93.timer);break;}case RW_CB_TYPE_MIFARE: {nfc_stop_quick_timer(&rw_cb.tcb.mfc.timer);nfc_stop_quick_timer(&rw_cb.tcb.mfc.mfc_timer);break;}case RW_CB_TYPE_UNKNOWN: {break;}}/* Reset tag-specific area of control block */memset(&rw_cb.tcb, 0, sizeof(tRW_TCB));```