diff options
| author | TreeHugger Robot <treehugger-gerrit@google.com> | 2022-08-03 06:45:33 +0000 |
|---|---|---|
| committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-08-03 06:45:33 +0000 |
| commit | 50562df68d8ec701853a014522ca89e047f66ffd (patch) | |
| tree | 14ff6fe0ba8201cb95e2a3f730475fec6f57a9b1 | |
| parent | aea079a857cb96ef19ecaf90ee590288fff0eecb (diff) | |
| parent | 8a0a660b91a0de45a1f6a4536d06934db01d41a4 (diff) | |
| download | cts-50562df68d8ec701853a014522ca89e047f66ffd.tar.gz | |
Merge "CTS test for Android Security b/201667614" into rvc-dev am: 8a0a660b91
Original change: https://googleplex-android-review.googlesource.com/c/platform/cts/+/19194531
Change-Id: I210a1756b77af216e68b359c9604be9d392a5745
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
5 files changed, 262 insertions, 0 deletions
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_39795.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_39795.java new file mode 100644 index 00000000000..4755ddbb229 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_39795.java @@ -0,0 +1,73 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import static org.junit.Assume.assumeNoException; + +import android.platform.test.annotations.AsbSecurityTest; + +import com.android.sts.common.tradefed.testtype.StsExtraBusinessLogicHostTestBase; +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2021_39795 extends StsExtraBusinessLogicHostTestBase { + private static final String TEST_PKG = "android.security.cts.CVE_2021_39795"; + private static final String DIR_PATH = "/storage/emulated/0/Android/data/CVE-2021-39795-dir"; + + @AsbSecurityTest(cveBugId = 201667614) + @Test + public void testPocCVE_2021_39795() { + ITestDevice device = null; + try { + device = getDevice(); + + /* Wake up the screen */ + AdbUtils.runCommandLine("input keyevent KEYCODE_WAKEUP", device); + AdbUtils.runCommandLine("input keyevent KEYCODE_MENU", device); + AdbUtils.runCommandLine("input keyevent KEYCODE_HOME", device); + + installPackage("CVE-2021-39795.apk"); + + /* Make a directory inside "Android/data" folder */ + AdbUtils.runCommandLine("mkdir " + DIR_PATH, device); + + /* Allow Read and Write to external storage */ + AdbUtils.runCommandLine( + "pm grant " + TEST_PKG + " android.permission.READ_EXTERNAL_STORAGE", device); + AdbUtils.runCommandLine( + "pm grant " + TEST_PKG + " android.permission.WRITE_EXTERNAL_STORAGE", device); + + /* Allow the app to manage all files */ + AdbUtils.runCommandLine( + "appops set --uid " + TEST_PKG + " MANAGE_EXTERNAL_STORAGE allow", device); + + runDeviceTests(TEST_PKG, TEST_PKG + ".DeviceTest", "testFilePresence"); + } catch (Exception e) { + assumeNoException(e); + } finally { + try { + AdbUtils.runCommandLine("rm -rf " + DIR_PATH, device); + } catch (Exception e) { + // ignore the exceptions + } + } + } +} diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39795/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2021-39795/Android.bp new file mode 100644 index 00000000000..ade2215f2d7 --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39795/Android.bp @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package { + default_applicable_licenses: ["Android-Apache-2.0"], +} + +android_test_helper_app { + name: "CVE-2021-39795", + defaults: [ + "cts_support_defaults" + ], + srcs: [ + "src/**/*.java", + ], + test_suites: [ + "sts", + ], + static_libs: [ + "androidx.test.rules", + "androidx.test.core", + ], +} diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39795/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-39795/AndroidManifest.xml new file mode 100644 index 00000000000..cb42aedc255 --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39795/AndroidManifest.xml @@ -0,0 +1,27 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + Copyright 2022 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> + +<manifest xmlns:android="http://schemas.android.com/apk/res/android" + package="android.security.cts.CVE_2021_39795"> + <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/> + <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/> + <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/> + <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/> + <instrumentation + android:name="androidx.test.runner.AndroidJUnitRunner" + android:targetPackage="android.security.cts.CVE_2021_39795" /> +</manifest> diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39795/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-39795/res/values/strings.xml new file mode 100644 index 00000000000..19ea461d4cb --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39795/res/values/strings.xml @@ -0,0 +1,32 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + Copyright 2022 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> + +<resources> + <string name="filePath">Android/data/CVE-2021-39795-dir/</string> + <string name="fileContent">Bypassed by MediaProvider</string> + <string name="fileName">CVE-2021-39795-file</string> + <string name="external">external</string> + <string name="secondFixFailure">Second Fix Patch not applied. + Please Apply second Fix Patch!!</string> + <string name="fileUtilPkg">com.android.providers.media.util.FileUtils</string> + <string name="isDataOrObbPathMethod">isDataOrObbPath</string> + <string name="mediaProviderPkg">com.android.providers.media.module</string> + <string name="sampleFilePath">/storage/emulated/0/Android/data/foo</string> + <string name="failure">Device vulnerable to b/201667614! Any app with + MANAGE_EXTERNAL_STORAGE permission can write into other apps private + external directory.</string> +</resources> diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39795/src/android/security/cts/CVE_2021_39795/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-39795/src/android/security/cts/CVE_2021_39795/DeviceTest.java new file mode 100644 index 00000000000..8d3ff0a9602 --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39795/src/android/security/cts/CVE_2021_39795/DeviceTest.java @@ -0,0 +1,94 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts.CVE_2021_39795; + +import static androidx.test.core.app.ApplicationProvider.getApplicationContext; +import static org.junit.Assert.fail; +import static org.junit.Assume.assumeNoException; + +import android.content.Context; +import android.content.ContentResolver; +import android.content.ContentValues; +import android.content.res.Resources; +import android.provider.MediaStore; + +import androidx.test.runner.AndroidJUnit4; + +import org.junit.Test; +import org.junit.runner.RunWith; + +import java.io.OutputStream; +import java.lang.reflect.Method; + +@RunWith(AndroidJUnit4.class) +public class DeviceTest { + + @Test + public void testFilePresence() { + boolean isSecondPatchAbsent = false; + Resources resources = null; + OutputStream outputStream = null; + try { + // Accessing FileUtils.isDataOrObbPath() to detect the presence of second patch of fix. + Context context = getApplicationContext(); + resources = context.getResources(); + Context mediaProviderContext = + context.createPackageContext(resources.getString(R.string.mediaProviderPkg), + Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY); + ClassLoader fileUtilsClassLoader = mediaProviderContext.getClassLoader(); + Class<?> FileUtilsClass = + fileUtilsClassLoader.loadClass(resources.getString(R.string.fileUtilPkg)); + Method isDataOrObbPathMethod = FileUtilsClass.getDeclaredMethod( + resources.getString(R.string.isDataOrObbPathMethod), String.class); + isDataOrObbPathMethod.setAccessible(true); + isSecondPatchAbsent = (boolean) isDataOrObbPathMethod.invoke(this, + resources.getString(R.string.sampleFilePath)); + + // Checking write into external directory. + ContentValues values = new ContentValues(); + ContentResolver contentResolver = context.getContentResolver(); + values.put(MediaStore.MediaColumns.RELATIVE_PATH, + resources.getString(R.string.filePath)); + values.put(MediaStore.MediaColumns.DISPLAY_NAME, + resources.getString(R.string.fileName)); + outputStream = contentResolver.openOutputStream(contentResolver.insert( + MediaStore.Files.getContentUri(resources.getString(R.string.external)), + values)); + outputStream.write(resources.getString(R.string.fileContent).getBytes()); + + /* + * If control flow has reached till this point it means no exception anywhere and fix is + * not present and it is vulnerable to the bug. + */ + fail(resources.getString(R.string.failure)); + } catch (IllegalArgumentException e) { + // First fix patch is applied, ignore this exception. + if (isSecondPatchAbsent) { + // Fail the test as Latest Fix Patch is not applied + fail(resources.getString(R.string.secondFixFailure)); + } + } catch (Exception e) { + assumeNoException(e); + } finally { + try { + outputStream.close(); + } catch (Exception e) { + // ignore all exceptions + } + } + } +} |