[RESTRICT AUTOMERGE] CTS test for Android Security b/36554207
Bug: 36554207
Bug: 72388983
Test: Ran the new testcase on android-8.0.0_r11 with/without patch
Change-Id: I2334c020175bd391d75675114c2e045890e25620
Merged-In: I2334c020175bd391d75675114c2e045890e25620
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index ad7bf6d..93a6913 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -129,6 +129,7 @@
<!--__________________-->
<!-- Bulletin 2017-06 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2016-4658->/data/local/tmp/CVE-2016-4658" />
<option name="push" value="CVE-2016-5131->/data/local/tmp/CVE-2016-5131" />
<!--__________________-->
diff --git a/hostsidetests/securitybulletin/res/cve_2016_4658.xml b/hostsidetests/securitybulletin/res/cve_2016_4658.xml
new file mode 100644
index 0000000..37347d6
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2016_4658.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Copyright (C) 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<Test>
+<root xmlns:aaa="aaa.com" xmlns:bbb="bbb.com" xmlns:ccc="ccc.com">
+ <aaa:one>a</aaa:one>
+ <two bbb:c="d">e</two>
+ <three>ccc:f</three>
+</root>
+</Test>
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-4658/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-4658/Android.bp
new file mode 100644
index 0000000..6e9d63a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-4658/Android.bp
@@ -0,0 +1,32 @@
+// Copyright (C) 2020 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+cc_test {
+ name: "CVE-2016-4658",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.c",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ shared_libs: [
+ "libxml2",
+ ],
+ cflags: [
+ "-Wall",
+ "-Werror",
+ "-fPIC",
+ "-DCHECK_OVERFLOW",
+ "-DCHECK_USE_AFTER_FREE_WITH_WINDOW_SIZE=8192",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-4658/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-4658/poc.c
new file mode 100644
index 0000000..e6aa6eb
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-4658/poc.c
@@ -0,0 +1,52 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <stdlib.h>
+#include <libxml/parser.h>
+#include <libxml/xpath.h>
+#include <libxml/xpointer.h>
+#include <libxml/xpathInternals.h>
+
+int main(int argc, char **argv) {
+#if defined(LIBXML_XPATH_ENABLED) && defined(LIBXML_XPTR_ENABLED)
+ if(argc > 2) {
+ xmlDocPtr doc;
+ xmlXPathContextPtr xpathCtx;
+ xmlInitParser();
+ /* Load XML document */
+ doc = xmlReadFile(argv[1], NULL, 0);
+ if (doc) {
+ /* Create xpath evaluation context */
+ xpathCtx = (xmlXPathContextPtr)
+ xmlXPtrNewContext(doc, (xmlNode *)NULL, (xmlNode *)NULL);
+ if(xpathCtx) {
+ xmlXPathParserContextPtr pctxt =
+ xmlXPathNewParserContext((xmlChar *)argv[2],
+ xpathCtx);
+ if(pctxt) {
+ xmlXPathEvalExpr(pctxt);
+ xmlXPathFreeContext(xpathCtx);
+ }
+ xmlFreeDoc(doc);
+ }
+ xmlCleanupParser();
+ }
+ }
+#endif
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index 125f709..515aa4e 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -41,6 +41,19 @@
******************************************************************************/
/**
+ * b/36554207
+ * Vulnerability Behaviour: SIGSEGV in self
+ **/
+ @SecurityTest(minPatchLevel = "2017-06")
+ @Test
+ public void testPocCVE_2016_4658() throws Exception {
+ String inputFiles[] = {"cve_2016_4658.xml"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2016-4658",
+ AdbUtils.TMP_PATH + inputFiles[0] + " \"range(//namespace::*)\"", inputFiles,
+ AdbUtils.TMP_PATH, getDevice());
+ }
+
+ /**
* b/36554209
* Vulnerability Behaviour: SIGSEGV in self
**/