Merge changes I5107bcf4,Ibb1bbf18,I95db3ff5,Ia1b619bd,Ibaad31f7, ... into oc-dev
* changes:
[RESTRICT AUTOMERGE] CTS test for Android Security b/132082342
[RESTRICT AUTOMERGE] CTS test for Android Security b/132083376
[RESTRICT AUTOMERGE] CTS test for Android Security b/31470908
[RESTRICT AUTOMERGE] CTS test for Android Security b/27793367
[RESTRICT AUTOMERGE] CTS test for Android Security b/141890807
[RESTRICT AUTOMERGE] CTS test for Android Security b/118372692
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc20_01.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc20_01.java
new file mode 100644
index 0000000..3c6d4b3
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc20_01.java
@@ -0,0 +1,23 @@
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import static org.junit.Assert.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class Poc20_01 extends SecurityTestCase {
+ /**
+ * CVE-2019-14002
+ */
+ @Test
+ @SecurityTest(minPatchLevel = "2020-01")
+ public void testPocCVE_2019_14002() throws Exception {
+ String result =
+ AdbUtils.runCommandLine(
+ "dumpsys package com.qualcomm.qti.callenhancement", getDevice());
+ assertNotMatchesMultiLine("READ_EXTERNAL_STORAGE.*?WRITE_EXTERNAL_STORAGE", result);
+ }
+}
diff --git a/tests/tests/net/jni/NativeMultinetworkJni.c b/tests/tests/net/jni/NativeMultinetworkJni.c
index c2dff8d..8d721e0 100644
--- a/tests/tests/net/jni/NativeMultinetworkJni.c
+++ b/tests/tests/net/jni/NativeMultinetworkJni.c
@@ -179,20 +179,16 @@
setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &timeo, sizeof(timeo));
// For reference see:
- // https://tools.ietf.org/html/draft-tsvwg-quic-protocol#section-6.1
+ // https://datatracker.ietf.org/doc/html/draft-ietf-quic-invariants
uint8_t quic_packet[1200] = {
- 0x0d, // public flags:
- // - version present (0x01),
- // - 64bit connection ID (0x0c),
- // - 1 byte packet number (0x00)
+ 0xc0, // long header
+ 0xaa, 0xda, 0xca, 0xca, // reserved-space version number
+ 0x08, // destination connection ID length
0, 0, 0, 0, 0, 0, 0, 0, // 64bit connection ID
- 0xaa, 0xda, 0xca, 0xaa, // reserved-space version number
- 1, // 1 byte packet number
- 0x00, // private flags
- 0x07, // PING frame (cuz why not)
+ 0x00, // source connection ID length
};
- arc4random_buf(quic_packet + 1, 8); // random connection ID
+ arc4random_buf(quic_packet + 6, 8); // random connection ID
uint8_t response[1500];
ssize_t sent, rcvd;
@@ -217,7 +213,7 @@
i + 1, MAX_RETRIES, rcvd, errnum);
}
}
- if (rcvd < 9) {
+ if (rcvd < 15) {
ALOGD("QUIC UDP %s: sent=%zd but rcvd=%zd, errno=%d", kPort, sent, rcvd, errnum);
if (rcvd <= 0) {
ALOGD("Does this network block UDP port %s?", kPort);
@@ -226,7 +222,7 @@
return -EPROTO;
}
- int conn_id_cmp = memcmp(quic_packet + 1, response + 1, 8);
+ int conn_id_cmp = memcmp(quic_packet + 6, response + 7, 8);
if (conn_id_cmp != 0) {
ALOGD("sent and received connection IDs do not match");
close(fd);
diff --git a/tests/tests/security/res/raw/cve_2018_9474.mp4 b/tests/tests/security/res/raw/cve_2018_9474.mp4
new file mode 100644
index 0000000..3ff485a
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2018_9474.mp4
Binary files differ
diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java
index a6f5b67..ad2c7be 100644
--- a/tests/tests/security/src/android/security/cts/StagefrightTest.java
+++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java
@@ -38,6 +38,7 @@
import android.opengl.GLES11Ext;
import android.os.Looper;
import android.os.SystemClock;
+import android.os.Parcel;
import android.platform.test.annotations.SecurityTest;
import android.util.Log;
import android.view.Surface;
@@ -1241,6 +1242,42 @@
***********************************************************/
@Test
+ @SecurityTest(minPatchLevel = "2018-09")
+ public void testStagefright_cve_2018_9474() throws Exception {
+ MediaPlayer mp = new MediaPlayer();
+ Surface surface = getDummySurface();
+ mp.setSurface(surface);
+ AssetFileDescriptor fd = getInstrumentation().getContext().getResources()
+ .openRawResourceFd(R.raw.cve_2018_9474);
+
+ mp.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength());
+ mp.prepare();
+
+ MediaPlayer.TrackInfo[] trackInfos = mp.getTrackInfo();
+ if (trackInfos == null || trackInfos.length == 0) {
+ return;
+ }
+
+ MediaPlayer.TrackInfo trackInfo = trackInfos[0];
+
+ int trackType = trackInfo.getTrackType();
+ MediaFormat format = trackInfo.getFormat();
+
+ Parcel data = Parcel.obtain();
+ trackInfo.writeToParcel(data, 0);
+
+ data.setDataPosition(0);
+ int trackTypeFromParcel = data.readInt();
+ String mimeTypeFromParcel = data.readString();
+ data.recycle();
+
+ if (trackType == trackTypeFromParcel) {
+ assertFalse("Device *IS* vulnerable to CVE-2018-9474",
+ mimeTypeFromParcel.equals("und"));
+ }
+ }
+
+ @Test
@SecurityTest(minPatchLevel = "2019-09")
public void testStagefright_cve_2019_2108() throws Exception {
doStagefrightTestRawBlob(R.raw.cve_2019_2108_hevc, "video/hevc", 320, 240,