[RESTRICT AUTOMERGE] Updated CTS test for Android Security b/150159669
Bug: 150159669
Bug: 160693070
Bug: 185090843
Bug: 207035735
Test: Ran the new testcase on android-10.0.0_r2 to test with/without patch
Change-Id: I9d1f68004487bb138fa268a7776e35f517d9c370
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp
index a427420..06a5d5c 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp
@@ -15,6 +15,10 @@
*
*/
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
cc_test {
name: "CVE-2020-0381",
defaults: ["cts_hostsidetests_securitybulletin_defaults"],
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp
index f704984..be875f1 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp
@@ -16,9 +16,6 @@
#include <dlfcn.h>
#include <media/IMediaExtractor.h>
-#include <signal.h>
-#include <stdlib.h>
-
#include "../includes/common.h"
#include "../includes/memutils.h"
@@ -34,6 +31,22 @@
using namespace android;
+bool isTestInProgress = false;
+
+struct sigaction new_action, old_action;
+
+int fdData, fdInfo;
+
+void *libHandle = nullptr;
+
+void sigsegv_handler(int signum, siginfo_t *info, void *context) {
+ if (isTestInProgress && info->si_signo == SIGSEGV) {
+ (*old_action.sa_sigaction)(signum, info, context);
+ return;
+ }
+ _exit(EXIT_FAILURE);
+}
+
class XMFDataSource : public DataSource {
public:
int mFdData;
@@ -61,7 +74,7 @@
virtual status_t initCheck() const { return 0; }
};
-void close_resources(int fdData, int fdInfo, void *libHandle) {
+void close_resources() {
if (fdData >= 0) {
::close(fdData);
}
@@ -74,44 +87,37 @@
}
int main(int argc, char **argv) {
- if (argc < 3) {
- return EXIT_FAILURE;
- }
- enable_selective_overload = ENABLE_ALL;
- void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ atexit(close_resources);
+
+ sigemptyset(&new_action.sa_mask);
+ new_action.sa_flags = SA_SIGINFO;
+ new_action.sa_sigaction = sigsegv_handler;
+ sigaction(SIGSEGV, &new_action, &old_action);
+
+ FAIL_CHECK(argc == 3);
+ libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
if (!libHandle) {
libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
- if (!libHandle) {
- return EXIT_FAILURE;
- }
+ FAIL_CHECK(libHandle);
}
GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
- if (!getDef) {
- dlclose(libHandle);
- return EXIT_FAILURE;
- }
+ FAIL_CHECK(getDef);
- int fdData = open(argv[1], O_RDONLY);
- if (fdData < 0) {
- dlclose(libHandle);
- return EXIT_FAILURE;
- }
- int fdInfo = open(argv[2], O_RDONLY);
- if (fdInfo < 0) {
- close_resources(fdData, fdInfo, libHandle);
- return EXIT_FAILURE;
- }
+ fdData = open(argv[1], O_RDONLY);
+ FAIL_CHECK(fdData >= 0);
+
+ fdInfo = open(argv[2], O_RDONLY);
+ FAIL_CHECK(fdInfo >= 0);
sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo);
- if (!dataSource) {
- close_resources(fdData, fdInfo, libHandle);
- return EXIT_FAILURE;
- }
+ FAIL_CHECK(dataSource);
+
+ enable_selective_overload = ENABLE_ALL;
+ isTestInProgress = true;
void *meta = nullptr;
FreeMetaFunc freeMeta = nullptr;
-
float confidence = 0.0f;
if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
@@ -119,7 +125,7 @@
getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
}
- close_resources(fdData, fdInfo, libHandle);
- enable_selective_overload = ENABLE_NONE;
+ isTestInProgress = false;
+ enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;
return EXIT_SUCCESS;
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java
index 695d8dc..12edb1a 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java
@@ -16,13 +16,19 @@
package android.security.cts;
+import static org.junit.Assume.assumeFalse;
+
import android.platform.test.annotations.AsbSecurityTest;
+
import org.junit.Test;
import org.junit.runner.RunWith;
-import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
-import com.android.tradefed.device.ITestDevice;
-import static org.junit.Assume.*;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.compatibility.common.util.CrashUtils.Config.BacktraceFilterPattern;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import java.util.Arrays;
+import java.util.regex.Pattern;
@RunWith(DeviceJUnit4ClassRunner.class)
public class CVE_2020_0381 extends SecurityTestCase {
@@ -31,13 +37,21 @@
* b/150159669
* Vulnerability Behaviour: SIGSEGV in self
*/
- @Test
@AsbSecurityTest(cveBugId = 150159669)
+ @Test
public void testPocCVE_2020_0381() throws Exception {
assumeFalse(moduleIsPlayManaged("com.google.android.media"));
+ String binaryName = "CVE-2020-0381";
String inputFiles[] = {"cve_2020_0381.xmf", "cve_2020_0381.info"};
- AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0381",
- AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1],
- inputFiles, AdbUtils.TMP_PATH, getDevice());
+ String signals[] = {CrashUtils.SIGSEGV};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(Pattern.compile(binaryName))
+ .setBacktraceIncludes(new BacktraceFilterPattern("libmidiextractor", "Parse_ptbl"));
+ testConfig.config.setSignals(signals);
+ testConfig.arguments =
+ AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1];
+ testConfig.inputFiles = Arrays.asList(inputFiles);
+ testConfig.inputFilesDestination = AdbUtils.TMP_PATH;
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
}
}
