author | Varun Praveen Goyal <varun.goyal@ittiam.com> | 2021-03-03 13:18:08 +0530 |
---|---|---|
committer | Stacie Mashnitskaya <mashnitskaya@google.com> | 2021-10-07 19:27:35 -0700 |
commit | 0cb2be91fc0b432c32c9937c9053ccde79214a0a (patch) | |
tree | 089d2c5d76fb4251bb678eea52d392d2b18e071d | |
parent | 31ce0c22ab7ca16905d1c363adcaebb2bed686ad (diff) | |
download | cts-0cb2be91fc0b432c32c9937c9053ccde79214a0a.tar.gz |
CTS test for Android Security b/112160868
Bug: 112160868
Bug: 121267261
Test: Ran the new testcase on android-10.0.0_r39 to test with/without patch
Change-Id: I6364efd8851284fc3b7b7ed0c6f6eab6aaf10417
3 files changed, 124 insertions, 0 deletions
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9549/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9549/Android.bp
new file mode 100644
index 00000000000..5b9e6ddba7c
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9549/Android.bp
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name : "CVE-2018-9549",
+ defaults : ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs : [
+ "poc.cpp",
+ ],
+ shared_libs : [
+ "libbluetooth",
+ ],
+ include_dirs : [
+ "external/aac/libSBRdec/src",
+ "external/aac/libSBRdec/include",
+ "external/aac/libFDK/include",
+ "external/aac/libSYS/include",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9549/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9549/poc.cpp
new file mode 100644
index 00000000000..11165d29065
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9549/poc.cpp
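Review bot: The `shared_libs` entry pulls in `libbluetooth` while `include_dirs` reaches into `external/aac/libSBRdec/src`, and nothing in the file says why an AAC SBR test links a Bluetooth library or depends on a non-exported source directory. Presumably `libbluetooth` is the shared object that carries the AAC decoder code on the target build; if the author confirms that, a comment above the entry should record it, e.g. `// lppTransposer is reached through libbluetooth, which bundles the AAC decoder`. The `cc_test` properties are also written as `name : ...` with a space before the colon, whereas the `package` block in the same file uses `default_applicable_licenses: ...`; one form throughout would read better.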
@@ -0,0 +1,43 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "lpp_tran.h"
+
+constexpr uint8_t kDegreeAliasMaxSize = 64;
+
+int main() {
+ FIXP_DBL qmfBufferRealVal = {};
+ FIXP_DBL *qmfBufferReal = &qmfBufferRealVal;
+ FIXP_DBL qmfBufferImagVal = {};
+ FIXP_DBL *qmfBufferImag = &qmfBufferImagVal;
+ QMF_SCALE_FACTOR sbrScaleFactor = {};
+ FIXP_DBL degreeAlias[kDegreeAliasMaxSize] = {};
+
+ SBR_LPP_TRANS hLppTransVal = {};
+ HANDLE_SBR_LPP_TRANS hLppTrans = &hLppTransVal;
+ TRANSPOSER_SETTINGS settings = {};
+ for (int32_t i = 0; i < MAX_NUM_NOISE_VALUES; ++i) {
+ settings.bwBorders[i] = 64;
+ }
+ settings.nCols = 1;
+ hLppTrans->pSettings = &settings;
+
+ lppTransposer(hLppTrans, &sbrScaleFactor, &qmfBufferReal, degreeAlias, &qmfBufferImag, 1, 0, 0,
+ 0, 0, 0, 0, nullptr, nullptr);
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9549.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9549.java
new file mode 100644
index 00000000000..bf2b0d1d3f9
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9549.java
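Review bot: The value `64` written into every `settings.bwBorders[i]`, together with `settings.nCols = 1` and the single-element `qmfBufferRealVal`/`qmfBufferImagVal` objects, is unexplained, so a maintainer cannot tell which computation in `lppTransposer` the test is meant to reach or whether it still does after an AAC update. A short comment before the loop should name the arithmetic being exercised and the sanitizer report expected from an unpatched build. `main` returns `EXIT_SUCCESS` unconditionally, so the verdict comes only from crash detection on the host side; that is worth stating, e.g. `// Result is judged from the crash log by CVE_2018_9549.java, not from the exit status`. `uint8_t` and `int32_t` are used without a direct `#include <stdint.h>`; they presumably arrive through `lpp_tran.h`, and including the header explicitly would remove that reliance.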
@@ -0,0 +1,44 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AsbSecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.runner.RunWith;
+import org.junit.Test;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9549 extends SecurityTestCase {
+
+ /**
+ * b/112160868
+ * Vulnerability Behaviour: SIGABRT in self
+ */
+ @AsbSecurityTest(cveBugId = 112160868)
+ @Test
+ public void testPocCVE_2018_9549() throws Exception {
+ String binaryName = "CVE-2018-9549";
+ String signals[] = {CrashUtils.SIGABRT};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ testConfig.config
+ .setAbortMessageIncludes(AdbUtils.escapeRegexSpecialChars("ubsan: mul-overflow"));
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
 |
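Review bot: The crash filter in `testPocCVE_2018_9549` accepts only `SIGABRT` with an abort message containing `ubsan: mul-overflow`, so the test appears able to flag a device only when the code under test was built with the integer-overflow sanitizer. On a build without it the binary would likely either finish or fault with a different signal, and in both cases the test would pass. The Javadoc currently says only "SIGABRT in self"; it should record this dependency, for example `* Detection relies on the UBSan mul-overflow abort; a build without that sanitizer cannot fail this test.` once the author confirms the behaviour. As a smaller style point, `String signals[]` is more idiomatic as `String[] signals`.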