hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0481.java - platform/cts - Git at Google

 /*
  * Copyright (C) 2021 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package android.security.cts;

 import android.platform.test.annotations.AppModeInstant;
 import android.platform.test.annotations.AppModeFull;
 import android.util.Log;
 import android.platform.test.annotations.AsbSecurityTest;

 import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
 import com.android.sts.common.tradefed.testtype.StsExtraBusinessLogicHostTestBase;
 import com.android.tradefed.log.LogUtil.CLog;

 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;

 import static org.junit.Assert.*;
 import static org.hamcrest.CoreMatchers.*;

 /**
  * Test that collects test results from test package android.security.cts.CVE_2021_0481.
  *
  * When this test builds, it also builds a support APK containing
  * {@link android.sample.cts.CVE_2021_0481.SampleDeviceTest}, the results of which are
  * collected from the hostside and reported accordingly.
  */
 @RunWith(DeviceJUnit4ClassRunner.class)
 public class CVE_2021_0481 extends StsExtraBusinessLogicHostTestBase {
     private static final String TEST_PKG = "android.security.cts.CVE_2021_0481";
     private static final String TEST_CLASS = TEST_PKG + "." + "DeviceTest";
     private static final String TEST_APP = "CVE-2021-0481.apk";

     private static final String DEVICE_DIR1 = "/data/user_de/0/com.android.settings/shared_prefs/";
     private static final String DEVICE_DIR2 = "/data/user_de/0/com.android.settings/cache/";

     //defined originally as
     //private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg";
     //in com.android.settings.users.EditUserPhotoController class
     private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg";
     private static final String TEST_FILE_NAME = "cve_2021_0481.txt";

     @Before
     public void setUp() throws Exception {
         uninstallPackage(getDevice(), TEST_PKG);
     }

     @Test
     @AsbSecurityTest(cveBugId = 172939189)
     @AppModeFull
     public void testRunDeviceTest() throws Exception {

         String cmd;

         //delete a source file just in case AdbUtils.pushResource()
         //doesn't overwrite existing file
         cmd = "rm " + DEVICE_DIR1 + TEST_FILE_NAME;
         AdbUtils.runCommandLine(cmd, getDevice());

         //push the source file to a device
         AdbUtils.pushResource("/" + TEST_FILE_NAME, DEVICE_DIR1 + TEST_FILE_NAME, getDevice());

         //delete a destination file which is supposed to be created by a vulnerable device
         //by coping TEST_FILE_NAME -> TAKE_PICTURE_FILE_NAME
         cmd = "rm " + DEVICE_DIR2 + TAKE_PICTURE_FILE_NAME;
         AdbUtils.runCommandLine(cmd, getDevice());

         installPackage();

         //ensure the screen is woken up.
         //KEYCODE_WAKEUP wakes up the screen
         //KEYCODE_MENU called twice unlocks the screen (if locked)
         //Note: (applies to Android 12 only):
         //      KEYCODE_MENU called less than twice doesnot unlock the screen
         //      no matter how many times KEYCODE_HOME is called.
         //      This is likely a timing issue which has to be investigated further
         getDevice().executeShellCommand("input keyevent KEYCODE_WAKEUP");
         getDevice().executeShellCommand("input keyevent KEYCODE_MENU");
         getDevice().executeShellCommand("input keyevent KEYCODE_HOME");
         getDevice().executeShellCommand("input keyevent KEYCODE_MENU");

         //run the test
         Assert.assertTrue(runDeviceTests(TEST_PKG, TEST_CLASS, "testUserPhotoSetUp"));

         //go to home screen after test
         getDevice().executeShellCommand("input keyevent KEYCODE_HOME");

         //Check if TEST_FILE_NAME has been copied by "Evil activity"
         //If the file has been copied then it means the vulnerability is active so the test fails.
         cmd = "cmp -s " + DEVICE_DIR1 + TEST_FILE_NAME + " " +
             DEVICE_DIR2 + TAKE_PICTURE_FILE_NAME + "; echo $?";
         String result =  AdbUtils.runCommandLine(cmd, getDevice()).trim();
         CLog.i(cmd + " -->" + result);

         //Delete files created by this test
         cmd = "rm " + DEVICE_DIR2 + TAKE_PICTURE_FILE_NAME;
         AdbUtils.runCommandLine(cmd, getDevice());
         cmd = "rm " + DEVICE_DIR1 + TEST_FILE_NAME;
         AdbUtils.runCommandLine(cmd, getDevice());

         //final assert
         assertThat(result, not(is("0")));
     }

     private void installPackage() throws Exception {
         installPackage(TEST_APP, new String[0]);
     }
 }
	/*
	* Copyright (C) 2021 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package android.security.cts;

	import android.platform.test.annotations.AppModeInstant;
	import android.platform.test.annotations.AppModeFull;
	import android.util.Log;
	import android.platform.test.annotations.AsbSecurityTest;

	import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
	import com.android.sts.common.tradefed.testtype.StsExtraBusinessLogicHostTestBase;
	import com.android.tradefed.log.LogUtil.CLog;

	import org.junit.After;
	import org.junit.Assert;
	import org.junit.Before;
	import org.junit.Test;
	import org.junit.runner.RunWith;

	import static org.junit.Assert.*;
	import static org.hamcrest.CoreMatchers.*;

	/**
	* Test that collects test results from test package android.security.cts.CVE_2021_0481.
	*
	* When this test builds, it also builds a support APK containing
	* {@link android.sample.cts.CVE_2021_0481.SampleDeviceTest}, the results of which are
	* collected from the hostside and reported accordingly.
	*/
	@RunWith(DeviceJUnit4ClassRunner.class)
	public class CVE_2021_0481 extends StsExtraBusinessLogicHostTestBase {
	private static final String TEST_PKG = "android.security.cts.CVE_2021_0481";
	private static final String TEST_CLASS = TEST_PKG + "." + "DeviceTest";
	private static final String TEST_APP = "CVE-2021-0481.apk";

	private static final String DEVICE_DIR1 = "/data/user_de/0/com.android.settings/shared_prefs/";
	private static final String DEVICE_DIR2 = "/data/user_de/0/com.android.settings/cache/";

	//defined originally as
	//private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg";
	//in com.android.settings.users.EditUserPhotoController class
	private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg";
	private static final String TEST_FILE_NAME = "cve_2021_0481.txt";

	@Before
	public void setUp() throws Exception {
	uninstallPackage(getDevice(), TEST_PKG);
	}

	@Test
	@AsbSecurityTest(cveBugId = 172939189)
	@AppModeFull
	public void testRunDeviceTest() throws Exception {

	String cmd;

	//delete a source file just in case AdbUtils.pushResource()
	//doesn't overwrite existing file
	cmd = "rm " + DEVICE_DIR1 + TEST_FILE_NAME;
	AdbUtils.runCommandLine(cmd, getDevice());

	//push the source file to a device
	AdbUtils.pushResource("/" + TEST_FILE_NAME, DEVICE_DIR1 + TEST_FILE_NAME, getDevice());

	//delete a destination file which is supposed to be created by a vulnerable device
	//by coping TEST_FILE_NAME -> TAKE_PICTURE_FILE_NAME
	cmd = "rm " + DEVICE_DIR2 + TAKE_PICTURE_FILE_NAME;
	AdbUtils.runCommandLine(cmd, getDevice());

	installPackage();

	//ensure the screen is woken up.
	//KEYCODE_WAKEUP wakes up the screen
	//KEYCODE_MENU called twice unlocks the screen (if locked)
	//Note: (applies to Android 12 only):
	// KEYCODE_MENU called less than twice doesnot unlock the screen
	// no matter how many times KEYCODE_HOME is called.
	// This is likely a timing issue which has to be investigated further
	getDevice().executeShellCommand("input keyevent KEYCODE_WAKEUP");
	getDevice().executeShellCommand("input keyevent KEYCODE_MENU");
	getDevice().executeShellCommand("input keyevent KEYCODE_HOME");
	getDevice().executeShellCommand("input keyevent KEYCODE_MENU");

	//run the test
	Assert.assertTrue(runDeviceTests(TEST_PKG, TEST_CLASS, "testUserPhotoSetUp"));

	//go to home screen after test
	getDevice().executeShellCommand("input keyevent KEYCODE_HOME");

	//Check if TEST_FILE_NAME has been copied by "Evil activity"
	//If the file has been copied then it means the vulnerability is active so the test fails.
	cmd = "cmp -s " + DEVICE_DIR1 + TEST_FILE_NAME + " " +
	DEVICE_DIR2 + TAKE_PICTURE_FILE_NAME + "; echo $?";
	String result = AdbUtils.runCommandLine(cmd, getDevice()).trim();
	CLog.i(cmd + " -->" + result);

	//Delete files created by this test
	cmd = "rm " + DEVICE_DIR2 + TAKE_PICTURE_FILE_NAME;
	AdbUtils.runCommandLine(cmd, getDevice());
	cmd = "rm " + DEVICE_DIR1 + TEST_FILE_NAME;
	AdbUtils.runCommandLine(cmd, getDevice());

	//final assert
	assertThat(result, not(is("0")));
	}

	private void installPackage() throws Exception {
	installPackage(TEST_APP, new String[0]);
	}
	}