VoldExploitTest: Detect ZergRush (CVE-2011-3874)
Change-Id: I9a0e649f34d4b8f76069554ae0057834f3f91c60
diff --git a/tests/tests/security/src/android/security/cts/VoldExploitTest.java b/tests/tests/security/src/android/security/cts/VoldExploitTest.java
index 1f0929f..9ef0dac 100644
--- a/tests/tests/security/src/android/security/cts/VoldExploitTest.java
+++ b/tests/tests/security/src/android/security/cts/VoldExploitTest.java
@@ -16,8 +16,10 @@
package android.security.cts;
+import android.content.Context;
import android.net.cts.NetlinkSocket;
-import junit.framework.TestCase;
+import android.os.storage.StorageManager;
+import android.test.AndroidTestCase;
import java.io.File;
import java.io.IOException;
@@ -29,10 +31,50 @@
import java.util.Scanner;
import java.util.Set;
-public class VoldExploitTest extends TestCase {
+public class VoldExploitTest extends AndroidTestCase {
/**
- * Try to crash the vold program.
+ * Validate that this device isn't vulnerable to the "ZergRush"
+ * vold vulnerability (CVE-2011-3874).
+ *
+ * https://github.com/revolutionary/zergRush/blob/master/zergRush.c
+ *
+ * Note: If the ZergRush vulnerability is present, the call to
+ * {@link StorageManager#getMountedObbPath(String)} below hangs until CTS
+ * kills the testsuite (10 minutes). A timeout, while not desirable,
+ * is the typical failure for this test.
+ */
+ public void testZergRushCrash() throws Exception {
+ Set<Integer> pids = getPids();
+ assertTrue(pids.size() > 1); // at least vold and netd should exist
+
+ StorageManager sm = (StorageManager) getContext().getSystemService(Context.STORAGE_SERVICE);
+ try {
+ sm.getMountedObbPath("AAAA AAAA AAAA AAAA "
+ + "AAAA AAAA AAAA AAAA "
+ + "AAAA AAAA AAAA AAAA "
+ + "AAAA AAAA AAAA AAAA"
+ + "AAAA AAAA AAAA AAAA"
+ + "AAAA AAAA AAAA AAAA"
+ + "AAAA AAAA AAAA AAAA"
+ + "AAAA AAAA AAAA AAAA");
+ fail("Should have gotten an IllegalStateException");
+ } catch (IllegalStateException e) {
+ // expected
+ }
+
+ // Check to see if all the processes are still alive. If
+ // any of them have died, we found an exploitable bug.
+ for (int i : pids) {
+ assertTrue(
+ "PID=" + i + " crashed due to a malformed mount message."
+ + " Detected unpatched ZergRush vulnerability (CVE-2011-3874).",
+ new File("/proc/" + i + "/cmdline").exists());
+ }
+ }
+
+ /**
+ * Try to crash the vold program using CVE-2011-1823.
*
* This test attempts to send an invalid netlink messages to
* any process which is listening for the messages. If we detect