VoldExploitTest: Detect ZergRush (CVE-2011-3874)

Change-Id: I9a0e649f34d4b8f76069554ae0057834f3f91c60
diff --git a/tests/tests/security/src/android/security/cts/VoldExploitTest.java b/tests/tests/security/src/android/security/cts/VoldExploitTest.java
index 1f0929f..9ef0dac 100644
--- a/tests/tests/security/src/android/security/cts/VoldExploitTest.java
+++ b/tests/tests/security/src/android/security/cts/VoldExploitTest.java
@@ -16,8 +16,10 @@
 
 package android.security.cts;
 
+import android.content.Context;
 import android.net.cts.NetlinkSocket;
-import junit.framework.TestCase;
+import android.os.storage.StorageManager;
+import android.test.AndroidTestCase;
 
 import java.io.File;
 import java.io.IOException;
@@ -29,10 +31,50 @@
 import java.util.Scanner;
 import java.util.Set;
 
-public class VoldExploitTest extends TestCase {
+public class VoldExploitTest extends AndroidTestCase {
 
     /**
-     * Try to crash the vold program.
+     * Validate that this device isn't vulnerable to the "ZergRush"
+     * vold vulnerability (CVE-2011-3874).
+     *
+     * https://github.com/revolutionary/zergRush/blob/master/zergRush.c
+     *
+     * Note: If the ZergRush vulnerability is present, the call to
+     * {@link StorageManager#getMountedObbPath(String)} below hangs until CTS
+     * kills the testsuite (10 minutes). A timeout, while not desirable,
+     * is the typical failure for this test.
+     */
+    public void testZergRushCrash() throws Exception {
+        Set<Integer> pids = getPids();
+        assertTrue(pids.size() > 1);  // at least vold and netd should exist
+
+        StorageManager sm = (StorageManager) getContext().getSystemService(Context.STORAGE_SERVICE);
+        try {
+            sm.getMountedObbPath("AAAA AAAA AAAA AAAA "
+                    + "AAAA AAAA AAAA AAAA "
+                    + "AAAA AAAA AAAA AAAA "
+                    + "AAAA AAAA AAAA AAAA"
+                    + "AAAA AAAA AAAA AAAA"
+                    + "AAAA AAAA AAAA AAAA"
+                    + "AAAA AAAA AAAA AAAA"
+                    + "AAAA AAAA AAAA AAAA");
+            fail("Should have gotten an IllegalStateException");
+        } catch (IllegalStateException e) {
+            // expected
+        }
+
+        // Check to see if all the processes are still alive.  If
+        // any of them have died, we found an exploitable bug.
+        for (int i : pids) {
+            assertTrue(
+                    "PID=" + i + " crashed due to a malformed mount message."
+                    + " Detected unpatched ZergRush vulnerability (CVE-2011-3874).",
+                    new File("/proc/" + i + "/cmdline").exists());
+        }
+    }
+
+    /**
+     * Try to crash the vold program using CVE-2011-1823.
      *
      * This test attempts to send an invalid netlink messages to
      * any process which is listening for the messages.  If we detect
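Review bot: The string passed to `getMountedObbPath` in `testZergRushCrash` is assembled inconsistently: the first three fragments end with a space, but the fourth through seventh do not, so neighbouring groups fuse into eight-character tokens and the message carries fewer space-separated arguments than the layout suggests. If the check depends on the argument count (the hunk does not say), end every fragment except the last with a separator, as in `+ "AAAA AAAA AAAA AAAA "`, and add a comment stating how many arguments are intended and why. Separately, the `/proc/<pid>/cmdline` loop runs as soon as the call returns, so a daemon that dies slightly later could still be reported as alive. A short wait before the loop, or a comment explaining why none is needed, would make the verdict less timing-dependent. `getPids()` is defined outside this hunk, so how it selects processes cannot be checked from here.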