commit 42f3896defd347c27510a41d297da6060d76a9c5
author Nick Kralevich <nnk@google.com> Mon Dec 12 11:12:38 2011 -0800
committer Nick Kralevich <nnk@google.com> Tue Dec 13 11:05:55 2011 -0800
tree 41b5d14d441529966d1515a25b11af39b3f4e5e8
parent 9b89b4bda07c6d2e3c791915d279cf6d871b6241

Make zergrush test more reliable.

Don't use /proc/net/netlink to determine if vold is alive. It's possible
for a previous test to cause vold not to be listening on /proc/net/netlink.
Instead, scan /proc and determine the PID from there.

Get rid of the IllegalStateException fail(). This was confusing and
hid the actual warning message we want people to see.

Change-Id: I78791fd6e8a539d980351c6e1eb51cc9dab55fb5

tests/tests/security/src/android/security/cts/VoldExploitTest.java

diff --git a/tests/tests/security/src/android/security/cts/VoldExploitTest.java b/tests/tests/security/src/android/security/cts/VoldExploitTest.java
index 8fbf874..3957bbe 100644
--- a/tests/tests/security/src/android/security/cts/VoldExploitTest.java
+++ b/tests/tests/security/src/android/security/cts/VoldExploitTest.java
@@ -25,7 +25,9 @@
 import android.os.storage.StorageManager;
 import android.test.AndroidTestCase;
 
+import java.io.BufferedReader;
 import java.io.File;
+import java.io.FileReader;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.lang.reflect.InvocationTargetException;
@@ -50,8 +52,7 @@
      * is the typical failure for this test.
      */
     public void testZergRushCrash() throws Exception {
-        Set<Integer> pids = getPids();
-        assertTrue(pids.size() > 1);  // at least vold and netd should exist
+        int pid = findVold();
 
         StorageManager sm = (StorageManager) getContext().getSystemService(Context.STORAGE_SERVICE);
         try {
@@ -63,19 +64,17 @@
                     + "AAAA AAAA AAAA AAAA"
                     + "AAAA AAAA AAAA AAAA"
                     + "AAAA AAAA AAAA AAAA");
-            fail("Should have gotten an IllegalStateException");
         } catch (IllegalStateException e) {
             // expected
         }
 
-        // Check to see if all the processes are still alive.  If
-        // any of them have died, we found an exploitable bug.
-        for (int i : pids) {
-            assertTrue(
-                    "PID=" + i + " crashed due to a malformed mount message."
-                    + " Detected unpatched ZergRush vulnerability (CVE-2011-3874).",
-                    new File("/proc/" + i + "/cmdline").exists());
-        }
+        Thread.sleep(2000);  // give vold some time to crash
+
+        // Check to see if vold is still alive.
+        assertTrue(
+                "PID=" + pid + " crashed due to a malformed mount message."
+                        + " Detected unpatched ZergRush vulnerability (CVE-2011-3874).",
+                new File("/proc/" + pid + "/cmdline").exists());
     }
 
     /**
@@ -91,15 +90,14 @@
      *
      * This test accomplishes the same thing as {@link #testZergRushCrash()}
      */
-    public void testZergRushUsingRelection() {
+    public void testZergRushUsingRelection() throws Exception {
         // This test assumes we have the MOUNT_UNMOUNT_FILESYSTEMS permission
         // Check it first so we know we're reaching the vulnerable code.
         assertEquals(PackageManager.PERMISSION_GRANTED,
                 getContext().checkCallingOrSelfPermission(
                         android.Manifest.permission.MOUNT_UNMOUNT_FILESYSTEMS));
 
-        Set<Integer> pids = getPids();
-        assertTrue(pids.size() > 1);  // at least vold and netd should exist
+        int pid = findVold();
 
         try {
             Object iBinderObj = Class.forName("android.os.ServiceManager")
@@ -143,14 +141,13 @@
             // remote failure. Assume not exploitable.
         }
 
-        // Check to see if all the processes are still alive.  If
-        // any of them have died, we found an exploitable bug.
-        for (int i : pids) {
-            assertTrue(
-                    "PID=" + i + " crashed due to a malformed mount message."
-                    + " Detected unpatched ZergRush vulnerability (CVE-2011-3874).",
-                    new File("/proc/" + i + "/cmdline").exists());
-        }
+        Thread.sleep(2000);  // give vold some time to crash
+
+        // Check to see if vold is still alive.
+        assertTrue(
+                "PID=" + pid + " crashed due to a malformed mount message."
+                        + " Detected unpatched ZergRush vulnerability (CVE-2011-3874).",
+                new File("/proc/" + pid + "/cmdline").exists());
     }
 
     /**
@@ -282,6 +279,29 @@
         }
     }
 
+    private static int findVold() throws IOException {
+        File f = new File("/proc");
+        for (File d : f.listFiles()) {
+            String cmdLineString = d.getAbsolutePath() + "/cmdline";
+            File cmdLine = new File(cmdLineString);
+            if (cmdLine.exists()) {
+                BufferedReader in = null;
+                try {
+                    in = new BufferedReader(new FileReader(cmdLine));
+                    String line = in.readLine();
+                    if ((line != null) && line.startsWith("/system/bin/vold")) {
+                        return Integer.decode(d.getName());
+                    }
+                } finally {
+                    if (in != null) {
+                        in.close();
+                    }
+                }
+            }
+        }
+        throw new RuntimeException("should never get here");
+    }
+
     /**
      * Extract all the PIDs listening for netlink messages.
      */