author | TreeHugger Robot <treehugger-gerrit@google.com> | 2022-02-09 06:47:44 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2022-02-09 06:47:44 +0000 |
commit | 8ee805717b253c27cccf1f4fd496b71a303b7fbd (patch) | |
tree | 0fbe10d016e469db0a9ac7eb3889792cd5109c6b | |
parent | f451f5a2c732a43aa197ca0e164a23117d9d35a2 (diff) | |
parent | 0f6bba443bb95ab3de4a59c894f2890f88ea24c8 (diff) | |
download | cts-8ee805717b253c27cccf1f4fd496b71a303b7fbd.tar.gz |
Merge "[RESTRICT AUTOMERGE] Updated CTS test for Android Security b/178725766" into rvc-dev
3 files changed, 73 insertions, 41 deletions
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp index 5cad1e4e82c..49cf8a6a9d2 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp @@ -1,5 +1,5 @@ /* - * Copyright (C) 2021 The Android Open Source Project + * Copyright (C) 2022 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,6 +15,10 @@ * */ +package { + default_applicable_licenses: ["Android-Apache-2.0"], +} + cc_test { name: "CVE-2021-0430", defaults: ["cts_hostsidetests_securitybulletin_defaults"], diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp index 153075dbd2d..4cb93c89e89 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp @@ -1,5 +1,5 @@ /* - * Copyright (C) 2021 The Android Open Source Project + * Copyright (C) 2022 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,8 +21,12 @@ #define RW_MFC_STATE_READ_NDEF 0x03 #define RW_MFC_SUBSTATE_READ_BLOCK 0x03 +#define RW_MFC_DATA_LEN 0x10 +#define P_MFC_NDEF_LENGTH 1024 extern tRW_CB rw_cb; +tNFC_CONN *p_data = nullptr; +tRW_MFC_CB *p_mfc = nullptr; char enable_selective_overload = ENABLE_NONE; 
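Review bot: The new file-scope `tRW_MFC_CB *p_mfc = nullptr;` is not assigned in any visible hunk, so the cleanup that depends on it may never run. main() already used `p_mfc` before this commit and its declaration sits in unchanged lines between the hunks, which suggests a local `p_mfc` still shadows this global and leaves it null. If so, either drop the global or have main() assign it; and if it ends up pointing into `rw_cb` rather than at a malloc'd block, `exit_handler` must not call `free(p_mfc)` on it. Both new globals could also be `static`, since nothing in this diff uses them outside the file.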
@@ -36,24 +40,41 @@ void sigsegv_handler(int signum, siginfo_t *info, void *context) { exit(EXIT_FAILURE); } -void GKI_freebuf(void*) { -} +void GKI_freebuf(void *) {} -void GKI_start_timer(uint8_t, int32_t, bool) { -} +void GKI_start_timer(uint8_t, int32_t, bool) {} -void GKI_stop_timer(uint8_t) { -} +void GKI_stop_timer(uint8_t) {} -void cback(tRW_EVENT, tRW_DATA*) { -} +void cback(tRW_EVENT, tRW_DATA *) {} void poc_cback(tRW_EVENT event, tRW_DATA *p_rw_data) { (void)event; (void)p_rw_data; } +void exit_handler(void) { + if (p_data) { + if (p_data->data.p_data) { + free(p_data->data.p_data); + p_data->data.p_data = nullptr; + } + free(p_data); + p_data = nullptr; + } + + if (p_mfc) { + if (p_mfc->p_ndef_buffer) { + free(p_mfc->p_ndef_buffer); + p_mfc->p_ndef_buffer = nullptr; + } + free(p_mfc); + p_mfc = nullptr; + } +} + int main() { + atexit(exit_handler); sigemptyset(&new_action.sa_mask); new_action.sa_flags = SA_SIGINFO; new_action.sa_sigaction = sigsegv_handler; 
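Review bot: Registering `atexit(exit_handler)` means the `exit(EXIT_FAILURE)` at the end of `sigsegv_handler` now runs `free()` from inside a SIGSEGV handler, where neither `exit()` nor `free()` is async-signal-safe and the heap may already be damaged by the fault under test. A second fault or a hang there could change the exit status or signal that the host-side test observes. Ending the handler with `_exit(EXIT_FAILURE);` would skip the atexit cleanup on the crash path while keeping it for the normal return. Only the tail of `sigsegv_handler` is visible in this hunk, so this should be checked against the full handler.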
@@ -81,38 +102,28 @@ int main() { tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; - tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN)); + p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN)); FAIL_CHECK(p_data); p_data->data.p_data = (NFC_HDR *)malloc(sizeof(uint8_t) * 16); - if (!(p_data->data.p_data)) { - free(p_data); - FAIL_CHECK(p_data->data.p_data); - } + FAIL_CHECK(p_data->data.p_data); - p_data->data.status = NFC_STATUS_OK; - tNFC_CONN_EVT event = NFC_DATA_CEVT; - - NFC_HDR* mfc_data = (NFC_HDR*) p_data->data.p_data; - mfc_data->len = 0x10; - mfc_data->offset = 0; - p_mfc->ndef_length = 1024; - p_mfc->p_ndef_buffer = (uint8_t*) malloc(sizeof(uint8_t) * 16); - enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK; - if (!(p_mfc->p_ndef_buffer)) { - free(p_data->data.p_data); - free(p_data); - FAIL_CHECK(p_mfc->p_ndef_buffer); - } + p_data->data.status = NFC_STATUS_OK; + tNFC_CONN_EVT event = NFC_DATA_CEVT; - rw_cb.p_cback = cback; + NFC_HDR *mfc_data = (NFC_HDR *)p_data->data.p_data; + mfc_data->len = RW_MFC_DATA_LEN; + mfc_data->offset = 0; + p_mfc->ndef_length = P_MFC_NDEF_LENGTH; + p_mfc->p_ndef_buffer = (uint8_t *)malloc(sizeof(uint8_t) * 16); + enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK; + FAIL_CHECK(p_mfc->p_ndef_buffer); - isTestInProgress = true; - p_cb->p_cback(0, event, p_data); - isTestInProgress = false; + rw_cb.p_cback = cback; - free(p_mfc->p_ndef_buffer); - free(p_data->data.p_data); - free(p_data); - return EXIT_SUCCESS; + isTestInProgress = true; + p_cb->p_cback(0, event, p_data); + isTestInProgress = false; + + return EXIT_SUCCESS; } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java index e4878a048f0..585d19bfbd2 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java 
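Review bot: The buffers handed to the callback come from `malloc`, so apart from `len`, `offset` and `data.status` the `tNFC_CONN`, the `NFC_HDR` payload and `p_ndef_buffer` hold indeterminate bytes, and a run is not guaranteed to be reproducible. Zero-initialising them, e.g. `p_data->data.p_data = (NFC_HDR *)calloc(1, sizeof(uint8_t) * 16);`, would make the input deterministic, provided the overloaded allocator this PoC relies on treats `calloc` the same way, which is not visible here. The literal `16` also stays in both allocations while the other lengths became named constants; if the 16-byte buffers are meant to be smaller than `P_MFC_NDEF_LENGTH`, a one-line comment saying so would make the intent clear. main() starts outside this hunk.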
@@ -1,5 +1,5 @@ /** - * Copyright (C) 2021 The Android Open Source Project + * Copyright (C) 2022 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -17,16 +17,24 @@ package android.security.cts; import android.platform.test.annotations.AsbSecurityTest; -import org.junit.Test; -import org.junit.runner.RunWith; + +import com.android.compatibility.common.util.CrashUtils; +import com.android.compatibility.common.util.CrashUtils.Config.BacktraceFilterPattern; import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import java.util.regex.Pattern; + +import org.junit.runner.RunWith; +import org.junit.Test; + @RunWith(DeviceJUnit4ClassRunner.class) public class CVE_2021_0430 extends SecurityTestCase { /** * b/178725766 * Vulnerability Behaviour: SIGSEGV in self + * Vulnerable Library: libnfc-nci (As per AOSP code) + * Vulnerable Function: rw_mfc_handle_read_op (As per AOSP code) */ @Test @AsbSecurityTest(cveBugId = 178725766) @@ -34,6 +42,15 @@ public class CVE_2021_0430 extends SecurityTestCase { AdbUtils.assumeHasNfc(getDevice()); assumeIsSupportedNfcDevice(getDevice()); pocPusher.only64(); - AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2021-0430", null, getDevice()); + String signals[] = {CrashUtils.SIGSEGV}; + String binaryName = "CVE-2021-0430"; + AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice()); + testConfig.config = new CrashUtils.Config().setProcessPatterns(Pattern.compile(binaryName)) + .setBacktraceIncludes(new BacktraceFilterPattern("libnfc-nci", + "rw_mfc_handle_read_op")); + testConfig.config + .setBacktraceExcludes(new BacktraceFilterPattern("libdl", "__cfi_slowpath")); + testConfig.config.setSignals(signals); + AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig); } } |
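Review bot: The include filter in the test body ties crash detection to one symbol, `rw_mfc_handle_read_op` in `libnfc-nci`; on a build where that function is inlined or its symbol is unavailable, a SIGSEGV in the PoC would presumably no longer match, and the test would pass on a vulnerable device. A comment saying why that frame is required and why `libdl`/`__cfi_slowpath` is excluded would let a maintainer judge that trade-off. The array is declared C-style; `String[] signals = {CrashUtils.SIGSEGV};` is the usual Java form. The test method's signature is outside this hunk.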