[RESTRICT AUTOMERGE]: CTS test fix for android security CVE-2017-0386
Bug: 72495142
Bug: 32255299
Test: cts-tradefed run cts -m CtsSecurityBulletinHostTestCases -t android.security.cts.Poc17_01#testPocCVE_2017_0386
Change-Id: I51fb7aa7be837694cb7a7f40b988fc8a3ae6fe24
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0386/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0386/Android.mk
index 4c7a1ae..258944f 100755
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0386/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0386/Android.mk
@@ -16,24 +16,23 @@
include $(CLEAR_VARS)
LOCAL_MODULE := CVE-2017-0386
-
-LOCAL_SHARED_LIBRARIES := libnl \
- libc \
- liblog
-
LOCAL_SRC_FILES := poc.c
-LOCAL_C_INCLUDES := external/libnl/include
-
LOCAL_MULTILIB := both
LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_C_INCLUDES := external/libnl/include
+
+LOCAL_SHARED_LIBRARIES := \
+ libnl \
+ libc \
+ liblog \
+
# Tag this module as a cts test artifact
LOCAL_COMPATIBILITY_SUITE := cts vts sts
LOCAL_CTS_TEST_PACKAGE := android.security.cts
LOCAL_ARM_MODE := arm
LOCAL_CFLAGS += -Wall -Werror
-LOCAL_LDFLAGS += -fPIE -pie
-LOCAL_LDFLAGS += -rdynamic
+
include $(BUILD_CTS_EXECUTABLE)
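Review bot: The last entry of the new LOCAL_SHARED_LIBRARIES list, `liblog \`, keeps a trailing backslash that continues the assignment onto the blank line below it; it only works because that line is empty, and anything someone later puts on that line (or the comment if the blank is dropped) would silently become part of the library list. Drop the continuation: `liblog`. The `-fPIE -pie` and `-rdynamic` LDFLAGS are also removed without explanation; if BUILD_CTS_EXECUTABLE does not already emit a PIE binary on every branch this test is run against, the PoC will no longer load on the device, so a sentence in the commit message on why those flags are redundant would help the next reader.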
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0386/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0386/poc.c
index dae2d79..90f3238 100755
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0386/poc.c
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0386/poc.c
@@ -1,5 +1,5 @@
-/*
- * Copyright (C) 2018 The Android Open Source Project
+/**
+ * Copyright (C) 2019 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,11 +14,13 @@
* limitations under the License.
*/
#define _GNU_SOURCE
+
+#define LOG_TAG "CVE-2017-0386"
+
#include <sys/wait.h>
#include <sys/types.h>
#include <stdio.h>
#include <log/log.h>
-
#include <netlink/msg.h>
#include <netlink/netlink.h>
#include <netlink-private/object-api.h>
@@ -26,57 +28,73 @@
#include <netlink/object.h>
#include <netlink/attr.h>
+#include "../includes/common.h"
+
int main(void) {
struct nl_msg *message = NULL;
- char *pad = NULL, *pad2 = NULL;
+ struct nlmsghdr *hdr;
+ char *data = NULL;
uint32_t result = 0;
+ int ret = EXIT_SUCCESS;
+ int pagesize = getpagesize();
+ size_t payloadlength = pagesize + 12 - 0x30;
+ size_t payload2length = pagesize;
message = nlmsg_alloc();
if (message == NULL) {
ALOGE("Alloc message memory failed");
- goto ret;
+ return EXIT_FAILURE;
}
ALOGI("nl_msg.nm_size : %zx\n", message->nm_size);
-
- struct nlmsghdr *hdr;
hdr = message->nm_nlh;
- int length = 0x1000 + 12 - 0x30;
- pad = malloc(length);
- if (pad == NULL) {
- ALOGE("Alloc pad memory failed");
- goto ret;
+ //allocate memory for data with payloadlength
+ data = malloc(payloadlength);
+ if (data == NULL) {
+ ALOGE("Alloc data memory failed");
+ nlmsg_free(message);
+ return EXIT_FAILURE;
}
- memset(pad, 0x41, length);
- pad2 = malloc(0x1000);
- if (pad2 == NULL) {
- ALOGE("Alloc pad2 memory failed");
- goto ret;
- }
- memset(pad2, 0x33, 0x1000);
-
- nla_put(message, 0x4444, length, pad);
- result = message->nm_nlh->nlmsg_len;
-
+ memset(data, 0x41, payloadlength);
+ nla_put(message, 0x4444, payloadlength, data);
+ result = hdr->nlmsg_len;
ALOGI("message address [%p, %p]", hdr, nlmsg_tail(hdr));
- ALOGI("message len = 0x%x", message->nm_nlh->nlmsg_len);
+ ALOGI("message len = 0x%x", result);
- nla_put(message, 0x8888, 0xFFFFF000, pad2);
+ free(data);
+ data = NULL;
+
+ //allocate memory for data with payload2length
+ data = malloc(payload2length);
+ if (data == NULL) {
+ ALOGE("Alloc data2 memory failed");
+ nlmsg_free(message);
+ return EXIT_FAILURE;
+ }
+ memset(data, 0x33, payload2length);
ALOGI("\n\n\nPutting down overflow.......\n\n\n");
+ nla_put(message, 0x8888, 0xFFFFF000, data);
ALOGI("message address [%p, %p]", hdr, nlmsg_tail(hdr));
- ALOGI("message len = 0x%x", message->nm_nlh->nlmsg_len);
+ ALOGI("message len = 0x%x", hdr->nlmsg_len);
- if(result == message->nm_nlh->nlmsg_len) {
- ALOGE("No Integer overflow");
- } else {
- ALOGE("Integer overflow happened");
+ /*
+ * return 113 error code if length is mismatch
+ */
+ if(result != hdr->nlmsg_len) {
+ ret = EXIT_VULNERABLE;
}
-ret:
- if(NULL != pad) free(pad);
- if(NULL != pad2) free(pad2);
- return 0;
+ if(!data) {
+ free(data);
+ data = NULL;
+ }
+
+ if(!message) {
+ nlmsg_free(message);
+ message = NULL;
+ }
+ return ret;
}
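Review bot: The cleanup at the end of main frees nothing, because both guards are inverted: `if(!data)` and `if(!message)` only enter their body when the pointer is already NULL, so the second data buffer and the nl_msg leak on every path that reaches them. Drop the guards and free unconditionally — `free(data);` followed by `nlmsg_free(message);` — both pointers are non-NULL at that point, and `free(NULL)` is a no-op anyway. Separately, the return value of the 0xFFFFF000-byte `nla_put` is discarded; on a fixed libnl it presumably fails with a negative NLE error, and logging it (`int rc = nla_put(message, 0x8888, 0xFFFFF000, data);` then `ALOGI("nla_put returned %d", rc);`) would make a not-vulnerable verdict visibly different from a silent no-op when triaging logcat. Note too that `getpagesize`, `malloc`/`free` and `EXIT_SUCCESS` are only in scope if `../includes/common.h` pulls in unistd.h and stdlib.h, which this hunk cannot confirm.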
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_01.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_01.java
index 3ddc7bf..107ac45 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_01.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_01.java
@@ -130,10 +130,6 @@
*/
@SecurityTest(minPatchLevel = "2017-01")
public void testPocCVE_2017_0386() throws Exception {
- AdbUtils.runCommandLine("logcat -c" , getDevice());
- AdbUtils.runPoc("CVE-2017-0386", getDevice(), 60);
-
- String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
- assertMatchesMultiLine("No Integer overflow", logcat);
+ AdbUtils.runPocAssertExitStatusNotVulnerable("CVE-2017-0386", getDevice(), 60);
}
}
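Review bot: The new assertion depends on the PoC returning its exit status, but on an unpatched device the 0xFFFFF000-byte nla_put in poc.c may well terminate the process with a signal rather than return, in which case the `ret = EXIT_VULNERABLE` path is never reached and no exit code 113 is produced. Worth confirming that runPocAssertExitStatusNotVulnerable also fails the test on abnormal termination (crash/signal) and on a timeout, not only on exit code 113; otherwise a vulnerable device that crashes could pass. That helper's implementation is outside this hunk, so this is an inference to verify rather than a confirmed gap.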