am e6d74378: am fb36e884: am 43cb7695: Merge "Revert "Cleanup vroot test and fix false positive."" into jb-dev

* commit 'e6d74378e855ac868d89125a567e7cba203a4085':
  Revert "Cleanup vroot test and fix false positive."
diff --git a/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp b/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
index f858b11..162223c 100644
--- a/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
+++ b/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
@@ -28,7 +28,6 @@
 #include <fcntl.h>
 #include <cutils/log.h>
 #include <linux/perf_event.h>
-#include <linux/sysctl.h>
 
 /*
  * Returns true iff this device is vulnerable to CVE-2013-2094.
@@ -78,6 +77,67 @@
     return true;
 }
 
+#define SEARCH_SIZE 0x4000
+
+static int secret;
+
+static bool isValidChildAddress(pid_t child, uintptr_t addr) {
+    long word;
+    long ret = syscall(__NR_ptrace, PTRACE_PEEKDATA, child, addr, &word);
+    return (ret == 0);
+}
+
+/* A lazy, do nothing child. GET A JOB. */
+static void child() {
+    int res;
+    ALOGE("in child");
+    secret = 0xbaadadd4;
+    res = prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
+    if (res != 0) {
+        ALOGE("prctl failed");
+    }
+    res = ptrace(PTRACE_TRACEME, 0, 0, 0);
+    if (res != 0) {
+        ALOGE("child ptrace failed");
+    }
+    signal(SIGSTOP, SIG_IGN);
+    kill(getpid(), SIGSTOP);
+}
+
+static jboolean parent(pid_t child) {
+    int status;
+    // Wait for the child to suspend itself so we can trace it.
+    waitpid(child, &status, 0);
+    jboolean result = true;
+
+    uintptr_t addr;
+    for (addr = 0x00000000; addr < 0xFFFF1000; addr+=SEARCH_SIZE) {
+        if (isValidChildAddress(child, addr)) {
+            // Don't scribble on our memory.
+            // (which has the same mapping as our child)
+            // We don't want to corrupt ourself.
+            continue;
+        }
+
+        errno = 0;
+        syscall(__NR_ptrace, PTRACE_PEEKDATA, child, &secret, addr);
+        if (errno == 0) {
+            result = false;
+            // We found an address which isn't in our our, or our child's,
+            // address space, but yet which is still writable. Scribble
+            // all over it.
+            ALOGE("parent: found writable at %x", addr);
+            uintptr_t addr2;
+            for (addr2 = addr; addr2 < addr + SEARCH_SIZE; addr2++) {
+                syscall(__NR_ptrace, PTRACE_PEEKDATA, child, &secret, addr2);
+            }
+        }
+    }
+
+    ptrace(PTRACE_DETACH, child, 0, 0);
+    return result;
+}
+
 /*
  * Prior to https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/arm/include/asm/uaccess.h?id=8404663f81d212918ff85f493649a7991209fa04
  * there was a flaw in the kernel's handling of get_user and put_user
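Review bot: parent() reports result == true (device patched) whenever the child never reaches its SIGSTOP: the return value and status of the `waitpid(child, &status, 0);` line are not checked, so a child that died or exited early makes every later PTRACE_PEEKDATA fail with ESRCH, errno stays non-zero, and the scan silently finishes with result still true. Guard it with `if (waitpid(child, &status, 0) != child || !WIFSTOPPED(status)) { ALOGE("parent: child did not stop"); return false; }` so a broken setup is reported as a failed run, which is what the Java-side Javadoc describes. Two smaller points in the same hunk: `ALOGE("parent: found writable at %x", addr)` passes a uintptr_t to %x (use `%" PRIxPTR "` from <inttypes.h>), and `signal(SIGSTOP, SIG_IGN)` in child() has no effect because SIGSTOP cannot be ignored, so the call is dead and should be removed or its intent commented. The child is also never reaped after `ptrace(PTRACE_DETACH, child, 0, 0);`; a trailing waitpid() on it avoids leaving a zombie in the test process.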
@@ -85,32 +145,25 @@
  * that reads/writes outside the process's address space are not
  * allowed.
  *
- * In this test, we use sysctl to force a read from an address outside
- * of our address space (but in the kernel's address space). Without the
- * patch applied, this read succeeds, because sysctl uses the
- * vulnerable get_user call.
- *
- * This function returns true if the patch above is applied, or false
- * otherwise.
- *
- * Credit: https://twitter.com/grsecurity/status/401443359912239105
+ * In this test, we use prctl(PTRACE_PEEKDATA) to force a write to
+ * an address outside of our address space. Without the patch applied,
+ * this write succeeds, because prctl(PTRACE_PEEKDATA) uses the
+ * vulnerable put_user call.
  */
 static jboolean android_security_cts_NativeCodeTest_doVrootTest(JNIEnv*, jobject)
 {
     ALOGE("Starting doVrootTest");
+    pid_t pid = fork();
+    if (pid == -1) {
+        return false;
+    }
 
-    struct __sysctl_args args;
-    char osname[100];
-    int name[] = { CTL_KERN, KERN_OSTYPE };
+    if (pid == 0) {
+        child();
+        exit(0);
+    }
 
-    memset(&args, 0, sizeof(struct __sysctl_args));
-    args.name = name;
-    args.nlen = sizeof(name)/sizeof(name[0]);
-    args.oldval = osname;
-    args.oldlenp = (size_t *) 0xc0000000; // PAGE_OFFSET
-
-    int result = syscall(__NR__sysctl, &args);
-    return ((result == -1) && (errno == EFAULT));
+    return parent(pid);
 }
 
 static void* mmap_syscall(void* addr, size_t len, int prot, int flags, int fd, off_t offset)
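Review bot: The rewritten comment block above doVrootTest says the test uses `prctl(PTRACE_PEEKDATA)`, but parent() issues PTRACE_PEEKDATA through `syscall(__NR_ptrace, ...)`; prctl is only used for PR_SET_DUMPABLE in child(), so both comment lines should read `ptrace(PTRACE_PEEKDATA)`. In the `if (pid == 0)` branch, `exit(0)` runs the forked copy's atexit handlers and flushes stdio buffers inherited from the JNI-hosting parent; `_exit(0)` is the conventional call in a child that only calls child() and then terminates.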
diff --git a/tests/tests/security/src/android/security/cts/NativeCodeTest.java b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
index f6e6029..116272d 100644
--- a/tests/tests/security/src/android/security/cts/NativeCodeTest.java
+++ b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
@@ -25,10 +25,7 @@
     }
 
     public void testVroot() throws Exception {
-        assertTrue("Device is vulnerable to CVE-2013-6282. Please apply security patch at "
-                   + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/"
-                   + "commit/arch/arm/include/asm/uaccess.h?id="
-                   + "8404663f81d212918ff85f493649a7991209fa04", doVrootTest());
+        assertTrue(doVrootTest());
     }
 
     public void testPerfEvent() throws Exception {
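Review bot: The bare `assertTrue(doVrootTest());` line carries no message, so a failing run reports only the generic JUnit text and a tester must open the source to learn which bug and kernel patch are involved; the next hunk also drops the CVE-2013-6282 reference from the Javadoc, leaving the patch URL as the only pointer. Since doVrootTest() returns false both when the device is unpatched and when the test could not run, the message cannot tell those apart, but a short one naming the issue, e.g. `assertTrue("Device is vulnerable to the vroot bug (ANDROID-11234878); see doVrootTest() Javadoc", doVrootTest());`, keeps the failure actionable.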
@@ -73,9 +70,13 @@
     private static native boolean doPerfEventTest2();
 
     /**
-     * ANDROID-11234878 / CVE-2013-6282
+     * ANDROID-11234878
      *
-     * Returns true if the device is patched against the vroot vulnerability, false otherwise.
+     * Returns true if the device is patched against the vroot
+     * vulnerability. Returns false if there was some problem running
+     * the test (for example, out of memory), or the test fails but wasn't
+     * able to crash the device. Most of the time, however, the device will
+     * crash if the vulnerability is present.
      *
      * The following patch addresses this bug:
      * https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/arm/include/asm/uaccess.h?id=8404663f81d212918ff85f493649a7991209fa04