CTS test for Android Security b/190286685
Bug: 190286685
Bug: 196879988
Test: Ran the new testcase on android-11.0.0_r34 to test with/without
patch
Change-Id: I50c7aab3cf56c2958e6f701c63421914cda062b8
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-6685/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-6685/Android.bp
new file mode 100644
index 0000000..a48d5b7
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-6685/Android.bp
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2021-6685",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.c",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ include_dirs: [
+ "external/sonivox/arm-wt-22k",
+ ],
+ cflags: [
+ "-Wall",
+ "-Werror",
+ "-DNUM_OUTPUT_CHANNELS=2",
+ "-DDLS_SYNTHESIZER",
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ "-D_FILTER_ENABLED",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-6685/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2021-6685/poc.c
new file mode 100644
index 0000000..cf1ba59
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-6685/poc.c
@@ -0,0 +1,70 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <dlfcn.h>
+#include <host_src/eas_types.h>
+#include <lib_src/eas_wtengine.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+#define MEM_ALIGNMENT 16
+#define PHASE_INCREMENT 555555
+
+typedef void (*fp_WT_Process_Voice)(S_WT_VOICE *, S_WT_INT_FRAME *);
+char enable_selective_overload = ENABLE_NONE;
+void *libHandle = NULL;
+void *phaseAccumPtr = NULL;
+
+void exit_Handler(void) {
+ if (phaseAccumPtr) {
+ free(phaseAccumPtr);
+ }
+ if (libHandle) {
+ dlclose(libHandle);
+ }
+}
+
+int main() {
+ atexit(exit_Handler);
+ libHandle = dlopen("libsonivox.so", RTLD_NOW | RTLD_LOCAL);
+ FAIL_CHECK(libHandle);
+ fp_WT_Process_Voice functionWTProcessVoice =
+ (fp_WT_Process_Voice)dlsym(libHandle, "WT_ProcessVoice");
+ FAIL_CHECK(functionWTProcessVoice);
+
+ S_WT_VOICE pWTVoice = {};
+ enable_selective_overload = ENABLE_MEMALIGN_CHECK;
+ pWTVoice.phaseAccum = (EAS_U32)memalign(MEM_ALIGNMENT, sizeof(EAS_I16));
+ FAIL_CHECK((void *)pWTVoice.phaseAccum);
+ phaseAccumPtr = ((void *)pWTVoice.phaseAccum);
+ enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;
+ pWTVoice.loopEnd = pWTVoice.phaseAccum;
+ pWTVoice.loopStart = pWTVoice.phaseAccum;
+
+ S_WT_INT_FRAME pWTIntFrame = {};
+ pWTIntFrame.frame.phaseIncrement = PHASE_INCREMENT;
+ EAS_PCM pAudioBuffer;
+ EAS_I32 pMixBuffer;
+ pWTIntFrame.pAudioBuffer = &pAudioBuffer;
+ pWTIntFrame.pMixBuffer = &pMixBuffer;
+ pWTIntFrame.numSamples = 1;
+
+ functionWTProcessVoice(&pWTVoice, &pWTIntFrame);
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_6685.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_6685.java
new file mode 100644
index 0000000..65d687e
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_6685.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package android.security.cts;
+
+import android.platform.test.annotations.AsbSecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.runner.RunWith;
+import org.junit.Test;
+import static org.junit.Assume.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_6685 extends SecurityTestCase {
+
+ /**
+ * b/190286685
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @AsbSecurityTest(cveBugId = 190286685)
+ @Test
+ public void testPocCVE_2021_6685() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.media"));
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2021-6685", null, getDevice());
+ }
+}
