Make zergrush test more reliable.
Don't use /proc/net/netlink to determine if vold is alive. It's possible
for a previous test to cause vold not to be listening on /proc/net/netlink.
Instead, scan /proc and determine the PID from there.
Get rid of the IllegalStateException fail(). This was confusing and
hid the actual warning message we want people to see.
Change-Id: I78791fd6e8a539d980351c6e1eb51cc9dab55fb5
diff --git a/tests/tests/security/src/android/security/cts/VoldExploitTest.java b/tests/tests/security/src/android/security/cts/VoldExploitTest.java
index 8fbf874..3957bbe 100644
--- a/tests/tests/security/src/android/security/cts/VoldExploitTest.java
+++ b/tests/tests/security/src/android/security/cts/VoldExploitTest.java
@@ -25,7 +25,9 @@
import android.os.storage.StorageManager;
import android.test.AndroidTestCase;
+import java.io.BufferedReader;
import java.io.File;
+import java.io.FileReader;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.InvocationTargetException;
@@ -50,8 +52,7 @@
* is the typical failure for this test.
*/
public void testZergRushCrash() throws Exception {
- Set<Integer> pids = getPids();
- assertTrue(pids.size() > 1); // at least vold and netd should exist
+ int pid = findVold();
StorageManager sm = (StorageManager) getContext().getSystemService(Context.STORAGE_SERVICE);
try {
@@ -63,19 +64,17 @@
+ "AAAA AAAA AAAA AAAA"
+ "AAAA AAAA AAAA AAAA"
+ "AAAA AAAA AAAA AAAA");
- fail("Should have gotten an IllegalStateException");
} catch (IllegalStateException e) {
// expected
}
- // Check to see if all the processes are still alive. If
- // any of them have died, we found an exploitable bug.
- for (int i : pids) {
- assertTrue(
- "PID=" + i + " crashed due to a malformed mount message."
- + " Detected unpatched ZergRush vulnerability (CVE-2011-3874).",
- new File("/proc/" + i + "/cmdline").exists());
- }
+ Thread.sleep(2000); // give vold some time to crash
+
+ // Check to see if vold is still alive.
+ assertTrue(
+ "PID=" + pid + " crashed due to a malformed mount message."
+ + " Detected unpatched ZergRush vulnerability (CVE-2011-3874).",
+ new File("/proc/" + pid + "/cmdline").exists());
}
/**
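Review bot: The liveness check after `Thread.sleep(2000)` looks at `/proc/<pid>/cmdline` exactly once, so on a slow device a vold that dies after the two-second window is reported as patched; the identical block is repeated in the hunk at `@@ -143,14 +141,13 @@`. Since both tests now share the same sleep, message and assertion, I would move them into one private helper such as `assertVoldAlive(pid)` so the window and the CVE-2011-3874 message are maintained in one place. A comment like `// heuristic window: a crash later than this is not detected` on the sleep would record the limitation for whoever triages a pass. The check also only proves that some process holds that PID; confirming that its cmdline still starts with `/system/bin/vold` would be tighter. Both test bodies begin outside their hunks.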
@@ -91,15 +90,14 @@
*
* This test accomplishes the same thing as {@link #testZergRushCrash()}
*/
- public void testZergRushUsingRelection() {
+ public void testZergRushUsingRelection() throws Exception {
// This test assumes we have the MOUNT_UNMOUNT_FILESYSTEMS permission
// Check it first so we know we're reaching the vulnerable code.
assertEquals(PackageManager.PERMISSION_GRANTED,
getContext().checkCallingOrSelfPermission(
android.Manifest.permission.MOUNT_UNMOUNT_FILESYSTEMS));
- Set<Integer> pids = getPids();
- assertTrue(pids.size() > 1); // at least vold and netd should exist
+ int pid = findVold();
try {
Object iBinderObj = Class.forName("android.os.ServiceManager")
@@ -143,14 +141,13 @@
// remote failure. Assume not exploitable.
}
- // Check to see if all the processes are still alive. If
- // any of them have died, we found an exploitable bug.
- for (int i : pids) {
- assertTrue(
- "PID=" + i + " crashed due to a malformed mount message."
- + " Detected unpatched ZergRush vulnerability (CVE-2011-3874).",
- new File("/proc/" + i + "/cmdline").exists());
- }
+ Thread.sleep(2000); // give vold some time to crash
+
+ // Check to see if vold is still alive.
+ assertTrue(
+ "PID=" + pid + " crashed due to a malformed mount message."
+ + " Detected unpatched ZergRush vulnerability (CVE-2011-3874).",
+ new File("/proc/" + pid + "/cmdline").exists());
}
/**
@@ -282,6 +279,29 @@
}
}
+ private static int findVold() throws IOException {
+ File f = new File("/proc");
+ for (File d : f.listFiles()) {
+ String cmdLineString = d.getAbsolutePath() + "/cmdline";
+ File cmdLine = new File(cmdLineString);
+ if (cmdLine.exists()) {
+ BufferedReader in = null;
+ try {
+ in = new BufferedReader(new FileReader(cmdLine));
+ String line = in.readLine();
+ if ((line != null) && line.startsWith("/system/bin/vold")) {
+ return Integer.decode(d.getName());
+ }
+ } finally {
+ if (in != null) {
+ in.close();
+ }
+ }
+ }
+ }
+ throw new RuntimeException("should never get here");
+ }
+
/**
* Extract all the PIDs listening for netlink messages.
*/
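Review bot: In `findVold()`, a process that exits between `cmdLine.exists()` and `new FileReader(cmdLine)` makes the scan throw an IOException and abort the test, which brings back the flakiness this commit is trying to remove. `f.listFiles()` can also return null, and the final `RuntimeException("should never get here")` is reachable whenever vold is not running (for example after an earlier test crashed it), where it hides the real reason from the person reading the report. I would skip entries that cannot be read, null-check the listing and throw with a message that says vold was not found, as sketched below. `Integer.parseInt` is also a better fit than `Integer.decode` for a decimal PID.

```java
private static int findVold() throws IOException {
    File[] entries = new File("/proc").listFiles();
    if (entries == null) {
        throw new IOException("unable to list /proc");
    }
    for (File d : entries) {
        // … unchanged: build cmdLine, check exists(), declare reader …
            try {
                in = new BufferedReader(new FileReader(cmdLine));
                String line = in.readLine();
                if ((line != null) && line.startsWith("/system/bin/vold")) {
                    return Integer.parseInt(d.getName());
                }
            } catch (IOException e) {
                // Entry vanished or is unreadable between exists() and open; keep scanning.
                continue;
            } finally {
                // … unchanged: close reader …
            }
    }
    throw new IllegalStateException(
            "vold not found in /proc; cannot check for CVE-2011-3874");
}
```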