CVE-2013-4254: detect perf_event validate_event bug
Credit: https://github.com/deater/perf_event_tests/blob/master/exploits/arm_perf_exploit.c
More info: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4254
Bug: 11260636
Change-Id: Ie10c0d7869729b7b53e5a5c321103fa20ab11416
diff --git a/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp b/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
index b9948d2..acb3012 100644
--- a/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
+++ b/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
@@ -24,6 +24,7 @@
#include <signal.h>
#include <stdlib.h>
#include <cutils/log.h>
+#include <linux/perf_event.h>
/*
* Returns true iff this device is vulnerable to CVE-2013-2094.
@@ -44,6 +45,35 @@
return result;
}
+/*
+ * Detects if the following patch is present.
+ * http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c95eb3184ea1a3a2551df57190c81da695e2144b
+ *
+ * Returns true if the patch is applied, or crashes the system otherwise.
+ *
+ * While you're at it, you want to apply the following patch too.
+ * http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b88a2595b6d8aedbd275c07dfa784657b4f757eb
+ * This test doesn't cover the above patch. TODO write a new test.
+ *
+ * Credit: https://github.com/deater/perf_event_tests/blob/master/exploits/arm_perf_exploit.c
+ */
+static jboolean android_security_cts_NativeCodeTest_doPerfEventTest2(JNIEnv* env, jobject thiz)
+{
+ struct perf_event_attr pe[2];
+ int fd[2];
+ memset(pe, 0, sizeof(pe));
+ pe[0].type = 2;
+ pe[0].config = 72;
+ pe[0].size = 80;
+ pe[1].type = PERF_TYPE_RAW;
+ pe[1].size = 80;
+ fd[0]=syscall(__NR_perf_event_open, &pe[0], 0, 0, -1, 0);
+ fd[1]=syscall(__NR_perf_event_open, &pe[1], 0, 0, fd[0], 0);
+ close(fd[0]);
+ close(fd[1]);
+ return true;
+}
+
#define SEARCH_SIZE 0x4000
static int secret;
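Review bot: The check passes vacuously when the group leader cannot be opened: if the first `syscall(__NR_perf_event_open, &pe[0], 0, 0, -1, 0)` fails (tracepoint events commonly need elevated privileges), `fd[0]` is -1, the second call then creates an ordinary ungrouped event, and the function still returns true without ever reaching the validate_event path the patch fixes. Checking the leader and logging through the already-included cutils/log.h, e.g. `if (fd[0] < 0) { ALOGE("doPerfEventTest2: group leader open failed, check not exercised"); }`, would make such a run visible instead of silently green; whether it should also return false depends on whether CTS can assume perf_event_open is permitted for the test process. Separately, `pe[0].type = 2` and `pe[0].size = 80` are magic numbers where `<linux/perf_event.h>` (added in the first hunk) provides `PERF_TYPE_TRACEPOINT` and, as far as I can tell, `PERF_ATTR_SIZE_VER2` for the same values, and `config = 72` is a kernel-specific tracepoint id that deserves a comment saying so. The function also relies on `syscall`, `close` and `memset`, so <unistd.h>, <sys/syscall.h> and <string.h> are presumably included above this hunk alongside the existing doPerfEventTest.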
@@ -136,6 +166,8 @@
static JNINativeMethod gMethods[] = {
{ "doPerfEventTest", "()Z",
(void *) android_security_cts_NativeCodeTest_doPerfEventTest },
+ { "doPerfEventTest2", "()Z",
+ (void *) android_security_cts_NativeCodeTest_doPerfEventTest2 },
{ "doVrootTest", "()Z",
(void *) android_security_cts_NativeCodeTest_doVrootTest },
};
diff --git a/tests/tests/security/src/android/security/cts/NativeCodeTest.java b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
index da69a2c..4781da3 100644
--- a/tests/tests/security/src/android/security/cts/NativeCodeTest.java
+++ b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
@@ -35,6 +35,10 @@
doPerfEventTest());
}
+ public void testPerfEvent2() throws Exception {
+ assertTrue(doPerfEventTest2());
+ }
+
/**
* Returns true iff this device is vulnerable to CVE-2013-2094.
* A patch for CVE-2013-2094 can be found at
@@ -43,6 +47,21 @@
private static native boolean doPerfEventTest();
/**
+ * CVE-2013-4254
+ *
+ * Verifies that
+ * http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c95eb3184ea1a3a2551df57190c81da695e2144b
+ * is applied to the system. Returns true if the patch is applied,
+ * and crashes the system otherwise.
+ *
+ * While you're at it, please also apply the following patch:
+ * http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b88a2595b6d8aedbd275c07dfa784657b4f757eb
+ *
+ * Credit: https://github.com/deater/perf_event_tests/blob/master/exploits/arm_perf_exploit.c
+ */
+ private static native boolean doPerfEventTest2();
+
+ /**
* ANDROID-11234878
*
* Returns true if the device is patched against the vroot