[RESTRICT AUTOMERGE] CTS test for Android Security b/157650336

Bug: 157650336
Bug: 168717856
Test: Ran the new testcase on android-9.0.0_r39 with/without patch

Change-Id: Ibf6bf1ac80ac9714880af065909ac496ce84a4c2
(cherry picked from commit 3a7d29d57bd1aa3efbef256b25e9f016aab2b006)
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index 0c1a623..82a58f5 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -263,6 +263,7 @@
         <!--__________________-->
         <!-- Bulletin 2020-11 -->
         <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+        <option name="push" value="CVE-2020-0450->/data/local/tmp/CVE-2020-0450" />
         <option name="push" value="CVE-2020-0409->/data/local/tmp/CVE-2020-0409" />
 
         <option name="append-bitness" value="true" />
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.mk
new file mode 100644
index 0000000..d373f93
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.mk
@@ -0,0 +1,37 @@
+# Copyright (C) 2020 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := CVE-2020-0450
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_SRC_FILES += ../includes/memutils.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_C_INCLUDES_64 := system/nfc/src/nfc/include/
+LOCAL_C_INCLUDES_64 += system/nfc/src/include/
+LOCAL_C_INCLUDES_64 += system/nfc/src/gki/common/
+LOCAL_C_INCLUDES_64 += system/nfc/src/gki/ulinux/
+LOCAL_C_INCLUDES_64 += system/nfc/src/nfa/include/
+LOCAL_SHARED_LIBRARIES_64 := libnfc-nci
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS := -Wall -Werror -DCHECK_OVERFLOW -DENABLE_SELECTIVE_OVERLOADING
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/poc.cpp
new file mode 100644
index 0000000..ab877aa
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/poc.cpp
@@ -0,0 +1,191 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+char enable_selective_overload = ENABLE_NONE;
+bool kIsVulnerable = false;
+
+// This PoC is only for 64-bit builds
+#if _64_BIT
+#include <dlfcn.h>
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <tags_defs.h>
+#define DEFAULT_VALUE 0xBE
+#define RW_I93_FORMAT_DATA_LEN 8
+
+// borrowed from rw_i93.cc
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t* p_uid);
+
+bool kIsInitialized = false;
+void* kVulnPtr = nullptr;
+uint16_t kVulnSize = 0;
+
+// borrowed from rw_i93.cc
+enum {
+  RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated            */
+  RW_I93_STATE_IDLE,          /* waiting for upper layer API          */
+  RW_I93_STATE_BUSY,          /* waiting for response from tag        */
+
+  RW_I93_STATE_DETECT_NDEF,   /* performing NDEF detection precedure  */
+  RW_I93_STATE_READ_NDEF,     /* performing read NDEF procedure       */
+  RW_I93_STATE_UPDATE_NDEF,   /* performing update NDEF procedure     */
+  RW_I93_STATE_FORMAT,        /* performing format procedure          */
+  RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure   */
+
+  RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag             */
+};
+
+// borrowed from rw_i93.cc
+enum {
+  RW_I93_SUBSTATE_WAIT_UID,          /* waiting for response of inventory    */
+  RW_I93_SUBSTATE_WAIT_SYS_INFO,     /* waiting for response of get sys info */
+  RW_I93_SUBSTATE_WAIT_CC,           /* waiting for reading CC               */
+  RW_I93_SUBSTATE_SEARCH_NDEF_TLV,   /* searching NDEF TLV                   */
+  RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked      */
+
+  RW_I93_SUBSTATE_RESET_LEN,  /* set length to 0 to update NDEF TLV   */
+  RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV      */
+  RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV             */
+
+  RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */
+  RW_I93_SUBSTATE_CHECK_READ_ONLY,      /* check if any block is locked         */
+  RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV,    /* write CC and empty NDEF/Terminator TLV
+                                         */
+
+  RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only             */
+  RW_I93_SUBSTATE_LOCK_NDEF_TLV,  /* lock blocks of NDEF TLV              */
+  RW_I93_SUBSTATE_WAIT_LOCK_CC    /* lock block of CC                     */
+};
+
+static tNFC_STATUS (*real_rw_i93_send_cmd_write_single_block)(uint16_t block_number,
+                                                              uint8_t* p_data) = nullptr;
+
+static void* (*real_GKI_getbuf)(uint16_t size) = nullptr;
+static void (*real_GKI_freebuf)(void* ptr) = nullptr;
+
+void init(void) {
+  real_rw_i93_send_cmd_write_single_block = (tNFC_STATUS(*)(uint16_t, uint8_t*))dlsym(
+      RTLD_NEXT, "_Z34rw_i93_send_cmd_write_single_blocktPh");
+  if (!real_rw_i93_send_cmd_write_single_block) {
+    return;
+  }
+
+  real_GKI_getbuf = (void* (*)(uint16_t))dlsym(RTLD_NEXT, "_Z10GKI_getbuft");
+  if (!real_GKI_getbuf) {
+    return;
+  }
+
+  real_GKI_freebuf = (void (*)(void*))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv");
+  if (!real_GKI_freebuf) {
+    return;
+  }
+
+  kIsInitialized = true;
+}
+
+void* GKI_getbuf(uint16_t size) {
+  if (!kIsInitialized) {
+    init();
+  }
+  void* ptr = nullptr;
+  if ((size == I93_MAX_BLOCK_LENGH) || (size == RW_I93_FORMAT_DATA_LEN)) {
+    ptr = malloc(size);
+    memset(ptr, DEFAULT_VALUE, size);
+    kVulnPtr = ptr;
+    kVulnSize = size;
+  } else {
+    ptr = real_GKI_getbuf(size);
+  }
+  return ptr;
+}
+
+void GKI_freebuf(void* ptr) {
+  if (!kIsInitialized) {
+    init();
+  }
+  if (ptr == kVulnPtr) {
+    free(ptr);
+  } else {
+    real_GKI_freebuf(ptr);
+  }
+}
+
+size_t rw_i93_send_cmd_write_single_block(uint16_t block_number, uint8_t* p_data) {
+  if (!kIsInitialized) {
+    init();
+  }
+  if (p_data == kVulnPtr) {
+    for (int n = 0; n < I93_MAX_BLOCK_LENGH; ++n) {
+      if (p_data[n] == DEFAULT_VALUE) {
+        kIsVulnerable = true;
+        break;
+      }
+    }
+  }
+  return real_rw_i93_send_cmd_write_single_block(block_number, p_data);
+}
+
+#endif /* _64_BIT */
+
+int main() {
+// This PoC is only for 64-bit builds
+#if _64_BIT
+  enable_selective_overload = ENABLE_ALL;
+  tRW_I93_CB* p_i93 = &rw_cb.tcb.i93;
+
+  GKI_init();
+  rw_init();
+
+  uint8_t p_uid = 1;
+  if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+    return EXIT_FAILURE;
+  }
+
+  tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+  tNFC_CONN_EVT event = NFC_DATA_CEVT;
+  p_i93->sub_state = RW_I93_SUBSTATE_CHECK_READ_ONLY;
+
+  tNFC_CONN* p_data = (tNFC_CONN*)malloc(sizeof(tNFC_CONN));
+  if (!p_data) {
+    return EXIT_FAILURE;
+  }
+
+  p_data->data.p_data = (NFC_HDR*)GKI_getbuf(sizeof(uint8_t) * 16);
+  if (!(p_data->data.p_data)) {
+    free(p_data);
+    return EXIT_FAILURE;
+  }
+
+  (p_data->data.p_data)->len = I93_MAX_BLOCK_LENGH;
+  p_i93->state = RW_I93_STATE_FORMAT;
+  p_i93->block_size = 7;
+  p_data->status = NFC_STATUS_OK;
+
+  p_cb->p_cback(0, event, p_data);
+
+  free(p_data);
+  enable_selective_overload = ENABLE_NONE;
+#endif /* _64_BIT */
+  return kIsVulnerable ? EXIT_VULNERABLE : EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index f2c9951..1aec628 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -45,6 +45,16 @@
      ******************************************************************************/
 
     /**
+     * b/157650336
+     * Vulnerability Behaviour: SIGSEGV in self / EXIT_VULNERABLE (113)
+     */
+    @SecurityTest(minPatchLevel = "2020-11")
+    @Test
+    public void testPocCVE_2020_0450() throws Exception {
+        AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0450", null, getDevice());
+    }
+
+    /**
      * b/156997193
      * Vulnerability Behaviour: SIGABRT in self
      */