[RESTRICT AUTOMERGE] CTS test for Android Security b/144767096

Bug: 144767096
Bug: 151667816
Test: Ran the new testcase on android-8.0.0_r11 with/without patch

Merged-In: I307f5cbfc0e05cbe0819dfbeffe6b7f599ae5c21
Change-Id: I307f5cbfc0e05cbe0819dfbeffe6b7f599ae5c21
(cherry picked from commit b649c2385b4baf32cd0413b79cb69de39aeec42a)
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index 5979023..9a1b59b 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -255,6 +255,10 @@
         <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
         <option name="push" value="CVE-2020-0007->/data/local/tmp/CVE-2020-0007" />
 
+        <!-- Bulletin 2020-05 -->
+        <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+        <option name="push" value="CVE-2020-0101->/data/local/tmp/CVE-2020-0101" />
+
         <!-- Bulletin 2020-10 -->
         <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
         <option name="push" value="CVE-2020-0408->/data/local/tmp/CVE-2020-0408" />
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0101/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0101/Android.mk
new file mode 100644
index 0000000..118e60d
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0101/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2020 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := CVE-2020-0101
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_SRC_FILES += ../includes/memutils_track.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_C_INCLUDES := frameworks/av/media/libmedia/include
+LOCAL_SHARED_LIBRARIES := libbinder
+LOCAL_SHARED_LIBRARIES += libutils
+LOCAL_SHARED_LIBRARIES += libmediadrm
+
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS := -Wall -Werror -Wno-unused-parameter
+LOCAL_CFLAGS += -DCHECK_UNINITIALIZED_MEMORY -DENABLE_SELECTIVE_OVERLOADING
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0101/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0101/poc.cpp
new file mode 100644
index 0000000..3f79838
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0101/poc.cpp
@@ -0,0 +1,106 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <binder/IServiceManager.h>
+#include <binder/IBinder.h>
+#include <binder/Parcel.h>
+#include <media/ICrypto.h>
+
+#include "../includes/memutils_track.h"
+#include "../includes/common.h"
+
+char enable_selective_overload = ENABLE_NONE;
+using namespace android;
+
+constexpr uint8_t kUint32Len = sizeof(uint32_t);
+constexpr uint8_t kUuidSize = 16;
+constexpr uint8_t kSizeToTrack = 10;
+constexpr uint8_t kCreatePluginEnumValue = 3;
+
+bool is_tracking_required(size_t size) {
+  return (size == kSizeToTrack);
+}
+
+struct MyCryptoHal : public BnCrypto {
+  MyCryptoHal() = default;
+  ~MyCryptoHal() = default;
+
+  status_t initCheck() const {
+    return OK;
+  }
+
+  bool isCryptoSchemeSupported(const uint8_t uuid[16]) {
+    return false;
+  }
+
+  status_t createPlugin(const uint8_t uuid[16], const void *data, size_t size) {
+    if (is_memory_uninitialized()) {
+      return EXIT_VULNERABLE;
+    }
+    return OK;
+  }
+
+  status_t destroyPlugin() {
+    return OK;
+  }
+
+  bool requiresSecureDecoderComponent(const char *mime) const {
+    return false;
+  }
+
+  void notifyResolution(uint32_t width, uint32_t height) {
+  }
+
+  status_t setMediaDrmSession(const Vector<uint8_t> &sessionId) {
+    return OK;
+  }
+
+  virtual ssize_t decrypt(const uint8_t key[16], const uint8_t iv[16],
+                          CryptoPlugin::Mode mode,
+                          const CryptoPlugin::Pattern &pattern,
+                          const ICrypto::SourceBuffer &source, size_t offset,
+                          const CryptoPlugin::SubSample *subSamples,
+                          size_t numSubSamples,
+                          const ICrypto::DestinationBuffer &destination,
+                          AString *errorDetailMsg) {
+    return 0;
+  }
+
+  virtual int32_t setHeap(const sp<IMemoryHeap> &heap) {
+    return 0;
+  }
+
+  void unsetHeap(int32_t seqNum) {
+  }
+
+ private:
+  DISALLOW_EVIL_CONSTRUCTORS (MyCryptoHal);
+};
+
+int main() {
+  Parcel data, reply;
+  sp < IBinder > crypto = new MyCryptoHal;
+  uint8_t parcelData[kUuidSize + kUint32Len] = { 0xcc };
+
+  memcpy(parcelData + kUuidSize, &kSizeToTrack, kUint32Len);
+  data.writeInterfaceToken(String16("android.hardware.ICrypto"));
+  data.write(parcelData, kUuidSize + kUint32Len);
+
+  enable_selective_overload = ENABLE_MALLOC_CHECK;
+  crypto->transact(kCreatePluginEnumValue, data, &reply);
+  enable_selective_overload = ENABLE_NONE;
+
+  return reply.readInt32();
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index f2dd1ed..062a6ec 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -54,6 +54,16 @@
      ******************************************************************************/
 
     /**
+     * b/144767096
+     * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+     */
+    @Test
+    @SecurityTest(minPatchLevel = "2020-05")
+    public void testPocCVE_2020_0101() throws Exception {
+        AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0101", null, getDevice());
+    }
+
+    /**
      * b/66969349
      * Vulnerability Behaviour: SIGSEGV in media.codec
      */