authorTreeHugger Robot <treehugger-gerrit@google.com>2022-02-09 06:47:44 +0000
committerAndroid (Google) Code Review <android-gerrit@google.com>2022-02-09 06:47:44 +0000
commit8ee805717b253c27cccf1f4fd496b71a303b7fbd (patch)
tree0fbe10d016e469db0a9ac7eb3889792cd5109c6b
parentf451f5a2c732a43aa197ca0e164a23117d9d35a2 (diff)
parent0f6bba443bb95ab3de4a59c894f2890f88ea24c8 (diff)
Merge "[RESTRICT AUTOMERGE] Updated CTS test for Android Security b/178725766" into rvc-dev
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp6
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp83
-rw-r--r--hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java25
3 files changed, 73 insertions, 41 deletions
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp
index 5cad1e4e82c..49cf8a6a9d2 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2021 The Android Open Source Project
+ * Copyright (C) 2022 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -15,6 +15,10 @@
*
*/
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
cc_test {
name: "CVE-2021-0430",
defaults: ["cts_hostsidetests_securitybulletin_defaults"],
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp
index 153075dbd2d..4cb93c89e89 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2021 The Android Open Source Project
+ * Copyright (C) 2022 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -21,8 +21,12 @@
#define RW_MFC_STATE_READ_NDEF 0x03
#define RW_MFC_SUBSTATE_READ_BLOCK 0x03
+#define RW_MFC_DATA_LEN 0x10
+#define P_MFC_NDEF_LENGTH 1024
extern tRW_CB rw_cb;
+tNFC_CONN *p_data = nullptr;
+tRW_MFC_CB *p_mfc = nullptr;
char enable_selective_overload = ENABLE_NONE;
@@ -36,24 +40,41 @@ void sigsegv_handler(int signum, siginfo_t *info, void *context) {
exit(EXIT_FAILURE);
}
-void GKI_freebuf(void*) {
-}
+void GKI_freebuf(void *) {}
-void GKI_start_timer(uint8_t, int32_t, bool) {
-}
+void GKI_start_timer(uint8_t, int32_t, bool) {}
-void GKI_stop_timer(uint8_t) {
-}
+void GKI_stop_timer(uint8_t) {}
-void cback(tRW_EVENT, tRW_DATA*) {
-}
+void cback(tRW_EVENT, tRW_DATA *) {}
void poc_cback(tRW_EVENT event, tRW_DATA *p_rw_data) {
(void)event;
(void)p_rw_data;
}
+void exit_handler(void) {
+ if (p_data) {
+ if (p_data->data.p_data) {
+ free(p_data->data.p_data);
+ p_data->data.p_data = nullptr;
+ }
+ free(p_data);
+ p_data = nullptr;
+ }
+
+ if (p_mfc) {
+ if (p_mfc->p_ndef_buffer) {
+ free(p_mfc->p_ndef_buffer);
+ p_mfc->p_ndef_buffer = nullptr;
+ }
+ free(p_mfc);
+ p_mfc = nullptr;
+ }
+}
+
int main() {
+ atexit(exit_handler);
sigemptyset(&new_action.sa_mask);
new_action.sa_flags = SA_SIGINFO;
new_action.sa_sigaction = sigsegv_handler;
@@ -81,38 +102,28 @@ int main() {
tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
- tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+ p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
FAIL_CHECK(p_data);
p_data->data.p_data = (NFC_HDR *)malloc(sizeof(uint8_t) * 16);
- if (!(p_data->data.p_data)) {
- free(p_data);
- FAIL_CHECK(p_data->data.p_data);
- }
+ FAIL_CHECK(p_data->data.p_data);
- p_data->data.status = NFC_STATUS_OK;
- tNFC_CONN_EVT event = NFC_DATA_CEVT;
-
- NFC_HDR* mfc_data = (NFC_HDR*) p_data->data.p_data;
- mfc_data->len = 0x10;
- mfc_data->offset = 0;
- p_mfc->ndef_length = 1024;
- p_mfc->p_ndef_buffer = (uint8_t*) malloc(sizeof(uint8_t) * 16);
- enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;
- if (!(p_mfc->p_ndef_buffer)) {
- free(p_data->data.p_data);
- free(p_data);
- FAIL_CHECK(p_mfc->p_ndef_buffer);
- }
+ p_data->data.status = NFC_STATUS_OK;
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
- rw_cb.p_cback = cback;
+ NFC_HDR *mfc_data = (NFC_HDR *)p_data->data.p_data;
+ mfc_data->len = RW_MFC_DATA_LEN;
+ mfc_data->offset = 0;
+ p_mfc->ndef_length = P_MFC_NDEF_LENGTH;
+ p_mfc->p_ndef_buffer = (uint8_t *)malloc(sizeof(uint8_t) * 16);
+ enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;
+ FAIL_CHECK(p_mfc->p_ndef_buffer);
- isTestInProgress = true;
- p_cb->p_cback(0, event, p_data);
- isTestInProgress = false;
+ rw_cb.p_cback = cback;
- free(p_mfc->p_ndef_buffer);
- free(p_data->data.p_data);
- free(p_data);
- return EXIT_SUCCESS;
+ isTestInProgress = true;
+ p_cb->p_cback(0, event, p_data);
+ isTestInProgress = false;
+
+ return EXIT_SUCCESS;
}
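Review bot: exit_handler (new side of the second poc.cpp hunk) calls `free(p_mfc)`, yet `p_mfc` is only declared here as a nullptr global and the removed cleanup in main released `p_mfc->p_ndef_buffer` but never `p_mfc` itself, which suggests it points at a control block that was not heap-allocated; the assignment is outside the shown hunks so this needs confirming, but if so the new `free(p_mfc); p_mfc = nullptr;` pair is an invalid free that a hardened allocator aborts on and should be dropped, keeping only the buffer release. Because sigsegv_handler exits through exit() (its tail is at the top of that hunk), the atexit handler now also runs free() on the crash path while `enable_selective_overload` is still set; if the interposed free/realloc checks are meant only for the callback under test, move `enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;` after `FAIL_CHECK(p_mfc->p_ndef_buffer);` and reset it to ENABLE_NONE before `return EXIT_SUCCESS;`. The two `malloc(sizeof(uint8_t) * 16)` calls keep a bare 16 while the same value is now named `RW_MFC_DATA_LEN` for `mfc_data->len`; using the macro in both keeps the buffer size and the advertised length tied together. main's body begins in the earlier hunk and the lines between the two hunks are not shown.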
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java
index e4878a048f0..585d19bfbd2 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java
@@ -1,5 +1,5 @@
/**
- * Copyright (C) 2021 The Android Open Source Project
+ * Copyright (C) 2022 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,16 +17,24 @@
package android.security.cts;
import android.platform.test.annotations.AsbSecurityTest;
-import org.junit.Test;
-import org.junit.runner.RunWith;
+
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.compatibility.common.util.CrashUtils.Config.BacktraceFilterPattern;
import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import java.util.regex.Pattern;
+
+import org.junit.runner.RunWith;
+import org.junit.Test;
+
@RunWith(DeviceJUnit4ClassRunner.class)
public class CVE_2021_0430 extends SecurityTestCase {
/**
* b/178725766
* Vulnerability Behaviour: SIGSEGV in self
+ * Vulnerable Library: libnfc-nci (As per AOSP code)
+ * Vulnerable Function: rw_mfc_handle_read_op (As per AOSP code)
*/
@Test
@AsbSecurityTest(cveBugId = 178725766)
@@ -34,6 +42,15 @@ public class CVE_2021_0430 extends SecurityTestCase {
AdbUtils.assumeHasNfc(getDevice());
assumeIsSupportedNfcDevice(getDevice());
pocPusher.only64();
- AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2021-0430", null, getDevice());
+ String signals[] = {CrashUtils.SIGSEGV};
+ String binaryName = "CVE-2021-0430";
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(Pattern.compile(binaryName))
+ .setBacktraceIncludes(new BacktraceFilterPattern("libnfc-nci",
+ "rw_mfc_handle_read_op"));
+ testConfig.config
+ .setBacktraceExcludes(new BacktraceFilterPattern("libdl", "__cfi_slowpath"));
+ testConfig.config.setSignals(signals);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
}
}
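Review bot: `String signals[] = {CrashUtils.SIGSEGV};` uses the C-style array declarator; Java convention puts the brackets on the type, `String[] signals = {CrashUtils.SIGSEGV};`. The crash config is then built in three separate statements on `testConfig.config` even though the first two setters are already chained, so folding `setBacktraceExcludes` and `setSignals` into the same builder chain reads as one configuration — this assumes those two setters return `this` like the chained `setProcessPatterns`/`setBacktraceIncludes`, which the hunk does not show. In the import block `org.junit.runner.RunWith` is now placed before `org.junit.Test`, which is out of lexical order. The enclosing test method's signature lies above this hunk.
```java
String[] signals = {CrashUtils.SIGSEGV};
String binaryName = "CVE-2021-0430";
AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
testConfig.config = new CrashUtils.Config()
        .setProcessPatterns(Pattern.compile(binaryName))
        .setBacktraceIncludes(new BacktraceFilterPattern("libnfc-nci", "rw_mfc_handle_read_op"))
        .setBacktraceExcludes(new BacktraceFilterPattern("libdl", "__cfi_slowpath"))
        .setSignals(signals);
AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
```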