RESTRICT AUTOMERGE: CTS: Verify DynamicRefTable::load security fix
This tests that corrupted apks fail to install on P and later as well as
adds a new test to verify that the DynamicRedTable::load security fix
prevents out-of-bounds reads from occurring.
Bug: 79488511
Test: run cts -m CtsAppSecurityHostTestCases \
-t android.appsecurity.cts.CorruptApkTests
Change-Id: I5b60758cb4979c6a593ff57e73acdd559b5d1be7
Merged-In: I5b60758cb4979c6a593ff57e73acdd559b5d1be7
diff --git a/hostsidetests/appsecurity/res/corruptapk/CtsCorruptApkTests_b71361168.apk b/hostsidetests/appsecurity/res/corruptapk/CtsCorruptApkTests_b71361168.apk
index ef1e2bf..dc00656 100644
--- a/hostsidetests/appsecurity/res/corruptapk/CtsCorruptApkTests_b71361168.apk
+++ b/hostsidetests/appsecurity/res/corruptapk/CtsCorruptApkTests_b71361168.apk
Binary files differ
diff --git a/hostsidetests/appsecurity/res/corruptapk/CtsCorruptApkTests_b79488511.apk b/hostsidetests/appsecurity/res/corruptapk/CtsCorruptApkTests_b79488511.apk
new file mode 100644
index 0000000..22af499
--- /dev/null
+++ b/hostsidetests/appsecurity/res/corruptapk/CtsCorruptApkTests_b79488511.apk
Binary files differ
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/CorruptApkTests.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/CorruptApkTests.java
index bf54cb3..bc0d759 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/CorruptApkTests.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/CorruptApkTests.java
@@ -39,7 +39,8 @@
*/
public class CorruptApkTests extends DeviceTestCase implements IBuildReceiver {
private final String B71360999_PKG = "com.android.appsecurity.b71360999";
- private final String B71361168_PKG = "com.example.helloworld";
+ private final String B71361168_PKG = "com.android.appsecurity.b71361168";
+ private final String B79488511_PKG = "com.android.appsecurity.b79488511";
private static final String TEST_APK_RESOURCE_PREFIX = "/corruptapk/";
private IBuildInfo mBuildInfo;
@@ -55,6 +56,7 @@
super.setUp();
uninstall(B71360999_PKG);
uninstall(B71361168_PKG);
+ uninstall(B79488511_PKG);
}
@After
@@ -63,6 +65,7 @@
super.tearDown();
uninstall(B71360999_PKG);
uninstall(B71361168_PKG);
+ uninstall(B79488511_PKG);
}
/** Uninstall the apk if the test failed previously. */
@@ -74,11 +77,11 @@
}
/**
- * Tests that apks described in b/71360999 do not install successfully nor cause
+ * Tests that apks described in b/71360999 do not install successfully.
*/
public void testFailToInstallCorruptStringPoolHeader_b71360999() throws Exception {
final String APK_PATH = "CtsCorruptApkTests_b71360999.apk";
- assertFailsToInstall(APK_PATH, B71360999_PKG);
+ assertInstallNoFatalError(APK_PATH, B71360999_PKG);
}
/**
@@ -86,29 +89,31 @@
*/
public void testFailToInstallCorruptStringPoolHeader_b71361168() throws Exception {
final String APK_PATH = "CtsCorruptApkTests_b71361168.apk";
- assertFailsToInstall(APK_PATH, B71361168_PKG);
+ assertInstallNoFatalError(APK_PATH, B71361168_PKG);
}
/**
- * Assert that the app fails to install and the reason for failing is not caused by a buffer
- * overflow nor a out of bounds read.
+ * Tests that apks described in b/79488511 do not install successfully.
+ */
+ public void testFailToInstallCorruptStringPoolHeader_b79488511() throws Exception {
+ final String APK_PATH = "CtsCorruptApkTests_b79488511.apk";
+ assertInstallNoFatalError(APK_PATH, B79488511_PKG);
+ }
+
+ /**
+ * Assert that installing the app does not cause a native error caused by a buffer overflow
+ * or an out-of-bounds read.
**/
- private void assertFailsToInstall(String filename, String pkg) throws Exception {
+ private void assertInstallNoFatalError(String filename, String pkg) throws Exception {
ITestDevice device = getDevice();
device.clearLogcat();
-
installPackageFromResource(filename);
- assertFalse(device.getInstalledPackageNames().contains(pkg));
-
// This catches if the device fails to install the app because a segmentation fault
// or out of bounds read created by the bug occurs
String logs = device.executeAdbCommand("logcat", "-d");
assertNotNull(logs);
- // Whether we hung or not, check for the log indicating the size is bad
- boolean fixWasHit = logs.contains("Bad string block: malformed block dimensions") ||
- logs.contains("Bad string block: data size");
- assertTrue(fixWasHit);
+
// Also check for the original indicators
assertFalse(logs.contains("SIGSEGV"));
assertFalse(logs.contains("==ERROR"));