am 34796907: am ddd85c18: Merge "resolve merge conflicts of 950a898 to lollipop-mr1-cts-dev." into lollipop-mr1-cts-dev
* commit '3479690727062c7930138a2928838f98b4d4b067':
CTS test for PingPongRoot vulnerability
diff --git a/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp b/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
index 00765c6..716d66d 100644
--- a/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
+++ b/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
@@ -34,6 +34,7 @@
#include <errno.h>
#include <inttypes.h>
#include <linux/sysctl.h>
+#include <arpa/inet.h>
/*
* Returns true iff this device is vulnerable to CVE-2013-2094.
@@ -227,6 +228,28 @@
return !vulnerable;
}
+static jboolean android_security_cts_NativeCodeTest_doPingPongRootTest(JNIEnv*, jobject)
+{
+ int icmp_sock;
+ struct sockaddr sock_addr;
+
+ memset(&sock_addr, 0, sizeof(sock_addr));
+ icmp_sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
+ sock_addr.sa_family = AF_INET;
+
+ /* first connect */
+ connect(icmp_sock, &sock_addr, sizeof(sock_addr));
+
+ /* disconnect */
+ sock_addr.sa_family = AF_UNSPEC;
+ connect(icmp_sock, &sock_addr, sizeof(sock_addr));
+
+ /* second disconnect -> crash */
+ sock_addr.sa_family = AF_UNSPEC;
+ connect(icmp_sock, &sock_addr, sizeof(sock_addr));
+
+ return true;
+}
static JNINativeMethod gMethods[] = {
{ "doPerfEventTest", "()Z",
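Review bot: The result of `socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)` in `doPingPongRootTest` is never checked, so when the process cannot create a ping socket all three `connect()` calls fail on an invalid descriptor and the function still returns `true`, a pass without the double-disconnect sequence having run. Make that case explicit right after the `socket()` call, e.g. `if (icmp_sock < 0) return true; /* ping sockets unavailable to this process; path not reachable */`, or log it so a skipped check can be told apart from a patched kernel. The descriptor is also never released; add `close(icmp_sock);` before `return true;` (presumably `<unistd.h>` is already included, which the hunk does not show). The Javadoc added for `doPingPongRootTest()` in NativeCodeTest.java ("Returns true if the patch is applied") needs the same qualification.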
@@ -241,6 +264,8 @@
(void *) android_security_cts_NativeCodeTest_doFutexTest },
{ "doNvmapIocFromIdTest", "()Z",
(void *) android_security_cts_NativeCodeTest_doNvmapIocFromIdTest },
+ { "doPingPongRootTest", "()Z",
+ (void *) android_security_cts_NativeCodeTest_doPingPongRootTest },
};
int register_android_security_cts_NativeCodeTest(JNIEnv* env)
diff --git a/tests/tests/security/src/android/security/cts/NativeCodeTest.java b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
index a2f8c09..415ed86 100644
--- a/tests/tests/security/src/android/security/cts/NativeCodeTest.java
+++ b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
@@ -56,6 +56,12 @@
+ "For more information, see "
+ "https://nvidia.custhelp.com/app/answers/detail/a_id/3618",
doNvmapIocFromIdTest());
+
+ public void testPingPongRoot() throws Exception {
+ assertTrue("Device is vulnerable to CVE-2015-3636, a vulnerability in the ping "
+ + "socket implementation. Please apply the security patch at "
+ + "https://github.com/torvalds/linux/commit/a134f083e79f",
+ doPingPongRootTest());
}
/**
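Review bot: No closing `}` is added for the preceding test method: the new lines start directly after `doNvmapIocFromIdTest());`, and the only `}` in the hunk is the pre-existing context line, which now closes `testPingPongRoot()`. As shown, `testPingPongRoot()` is declared inside the body of the previous method and the file would not compile, which looks like a merge-resolution slip. Add a line containing only `}` immediately after `doNvmapIocFromIdTest());`, before the blank line that precedes the new method. The preceding method begins outside the hunk, so confirm this against the full file.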
@@ -120,4 +126,17 @@
* false if the device is vulnerable.
*/
private static native boolean doCVE20141710Test();
+
+ /**
+ * CVE-2015-3636
+ *
+ * Returns true if the patch is applied, crashes the system otherwise.
+ *
+ * Detects if the following patch is present.
+ * https://github.com/torvalds/linux/commit/a134f083e79f
+ *
+ * Credit: Wen Xu and wushi of KeenTeam.
+ * http://seclists.org/oss-sec/2015/q2/333
+ */
+ private static native boolean doPingPongRootTest();
}