CTS test for Android Security b/212286849
Bug: 212286849
Bug: 215372606
Test: Ran the new testcase on android-12.0.0_r1 with/without patch
Change-Id: I6ae8799a5df07ce418afae6cf1e82491234541bf
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_39701.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_39701.java
new file mode 100644
index 0000000..f8d6fe6
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_39701.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.StsExtraBusinessLogicHostTestBase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_39701 extends StsExtraBusinessLogicHostTestBase {
+
+ @AsbSecurityTest(cveBugId = 212286849)
+ @Test
+ public void testPocCVE_2021_39701() throws Exception {
+ final String testPkg = "android.security.cts.CVE_2021_39701";
+ final String testClass = testPkg + "." + "DeviceTest";
+ final String testApp = "CVE-2021-39701.apk";
+
+ ITestDevice device = getDevice();
+ AdbUtils.runCommandLine("input keyevent KEYCODE_WAKEUP", device);
+ AdbUtils.runCommandLine("input keyevent KEYCODE_MENU", device);
+ AdbUtils.runCommandLine("input keyevent KEYCODE_HOME", device);
+
+ installPackage(testApp);
+ runDeviceTests(testPkg, testClass, "testService");
+ }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/Android.bp
new file mode 100644
index 0000000..edbdf24
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+ name: "CVE-2021-39701",
+ defaults: [
+ "cts_support_defaults",
+ ],
+ srcs: [
+ "src/**/*.java",
+ ],
+ test_suites: [
+ "sts",
+ ],
+ sdk_version: "current",
+ static_libs: [
+ "androidx.test.core",
+ "androidx.test.rules",
+ "androidx.test.uiautomator_uiautomator",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/AndroidManifest.xml
new file mode 100644
index 0000000..bbd4e12
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/AndroidManifest.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2022 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="android.security.cts.CVE_2021_39701"
+ android:versionCode="1"
+ android:versionName="1.0">
+ <application
+ android:supportsRtl="true">
+ <service
+ android:name=".PocService"
+ android:exported="true"
+ android:permission="android.permission.BIND_CONTROLS">
+ <intent-filter>
+ <action android:name="android.service.controls.ControlsProviderService" />
+ </intent-filter>
+ </service>
+ <activity
+ android:name=".PocActivity"
+ android:exported="true">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+ </application>
+
+ <instrumentation
+ android:name="androidx.test.runner.AndroidJUnitRunner"
+ android:targetPackage="android.security.cts.CVE_2021_39701" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/res/layout/activity_main.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/res/layout/activity_main.xml
new file mode 100644
index 0000000..fece757
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/res/layout/activity_main.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2022 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+<LinearLayout
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ xmlns:app="http://schemas.android.com/apk/res-auto"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent">
+ <View
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"/>
+</LinearLayout>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/res/values/integers.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/res/values/integers.xml
new file mode 100644
index 0000000..c21db24
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/res/values/integers.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2022 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+<resources>
+ <integer name="pass">0</integer>
+ <integer name="pocServNotStart">1</integer>
+ <integer name="fail">2</integer>
+</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/res/values/strings.xml
new file mode 100644
index 0000000..c1ca9dd
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/res/values/strings.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2022 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+<resources>
+ <string name="addBtnNotFound">Add Button Not Found</string>
+ <string name="addButton">android:id/button1</string>
+ <string name="controlButton">com.android.systemui:id/controls_button</string>
+ <string name="failMessage">Failed to open </string>
+ <string name="flag">flag</string>
+ <string name="iconNotFound">New Icon Not Found</string>
+ <string name="message">message</string>
+ <string name="passMessage">Passed</string>
+ <string name="pocSerNotStarted">Poc Service not started</string>
+ <string name="pocSharedPref">PocSharedPref</string>
+ <string name="systemUiPackage">com.android.systemui</string>
+ <string name="vulnerableMessage">Vulnerable to b/212286849</string>
+ <string name="wakeup">input keyevent KEYCODE_WAKEUP</string>
+</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/src/android/security/cts/CVE_2021_39701/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/src/android/security/cts/CVE_2021_39701/DeviceTest.java
new file mode 100644
index 0000000..4af4c24
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/src/android/security/cts/CVE_2021_39701/DeviceTest.java
@@ -0,0 +1,131 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_39701;
+
+import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeNotNull;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.UiAutomation;
+import android.content.ActivityNotFoundException;
+import android.content.Context;
+import android.content.Intent;
+import android.content.SharedPreferences;
+import android.content.pm.PackageManager;
+import android.content.res.Resources;
+import android.os.RemoteException;
+import android.view.KeyEvent;
+
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.BySelector;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.UiObject2;
+import androidx.test.uiautomator.Until;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.List;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+ @Test
+ public void testService() {
+ final int timeoutMs = 10000;
+ boolean buttonClicked = false;
+ UiAutomation uiAutomation = getInstrumentation().getUiAutomation();
+ UiDevice device = UiDevice.getInstance(getInstrumentation());
+ Context context = getApplicationContext();
+ Resources resources = context.getResources();
+ assumeNotNull(context);
+ PackageManager packageManager = context.getPackageManager();
+ assumeNotNull(packageManager);
+ Intent intent = packageManager.getLaunchIntentForPackage(context.getPackageName());
+ assumeNotNull(intent);
+ intent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK);
+ try {
+ context.startActivity(intent);
+ } catch (ActivityNotFoundException e) {
+ assumeNoException(e);
+ }
+ String applicationName = resources.getString(R.string.systemUiPackage);
+ assumeTrue(resources.getString(R.string.failMessage) + applicationName,
+ device.wait(Until.hasObject(By.pkg(applicationName).depth(0)), timeoutMs));
+
+ // Click on Add Button
+ buttonClicked = clickButton(resources.getString(R.string.addButton));
+ assumeTrue(resources.getString(R.string.addBtnNotFound), buttonClicked);
+ try {
+ if (packageManager.hasSystemFeature(PackageManager.FEATURE_WATCH)) {
+ device.pressKeyCode(KeyEvent.KEYCODE_SLEEP);
+ } else {
+ device.sleep();
+ }
+ } catch (RemoteException e) {
+ assumeNoException(e);
+ }
+ uiAutomation.executeShellCommand(resources.getString(R.string.wakeup));
+ assumeTrue(resources.getString(R.string.failMessage) + applicationName,
+ device.wait(Until.hasObject(By.pkg(applicationName).depth(0)), timeoutMs));
+
+ // Click on the icon on locked screen
+ buttonClicked = clickButton(resources.getString(R.string.controlButton));
+ assumeTrue(resources.getString(R.string.iconNotFound), buttonClicked);
+ assumeTrue(device.pressKeyCode(KeyEvent.KEYCODE_MENU));
+ assumeTrue(resources.getString(R.string.failMessage) + applicationName,
+ device.wait(Until.hasObject(By.pkg(applicationName).depth(0)), timeoutMs));
+
+ int result = resources.getInteger(R.integer.pocServNotStart);
+ String message = "";
+ long startTime = System.currentTimeMillis();
+ while ((System.currentTimeMillis() - startTime) < timeoutMs) {
+ SharedPreferences sharedpref = getApplicationContext().getSharedPreferences(
+ resources.getString(R.string.pocSharedPref), Context.MODE_APPEND);
+ result = sharedpref.getInt(resources.getString(R.string.flag),
+ resources.getInteger(R.integer.pocServNotStart));
+ message = sharedpref.getString(resources.getString(R.string.message), "");
+ if (result < resources.getInteger(R.integer.pocServNotStart)) {
+ break;
+ }
+ }
+ assumeTrue(device.pressHome());
+ assumeTrue(resources.getString(R.string.pocSerNotStarted),
+ result != resources.getInteger(R.integer.pocServNotStart));
+ assertEquals(message, resources.getInteger(R.integer.pass), result);
+ }
+
+ private boolean clickButton(String id) {
+ UiDevice device = UiDevice.getInstance(getInstrumentation());
+ boolean buttonClicked = false;
+ BySelector selector = By.clickable(true);
+ List<UiObject2> objects = device.findObjects(selector);
+ for (UiObject2 object : objects) {
+ String objectId = object.getResourceName();
+ if (objectId != null && objectId.equalsIgnoreCase(id)) {
+ object.click();
+ buttonClicked = true;
+ break;
+ }
+ }
+ return buttonClicked;
+ }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/src/android/security/cts/CVE_2021_39701/PocActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/src/android/security/cts/CVE_2021_39701/PocActivity.java
new file mode 100644
index 0000000..8b99a11
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/src/android/security/cts/CVE_2021_39701/PocActivity.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_39701;
+
+import android.app.Activity;
+import android.app.PendingIntent;
+import android.content.ComponentName;
+import android.content.Intent;
+import android.os.Bundle;
+import android.service.controls.Control;
+import android.service.controls.ControlsProviderService;
+import android.service.controls.DeviceTypes;
+
+public class PocActivity extends Activity {
+
+ private static final int REQUEST_CODE = 12;
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ setContentView(R.layout.activity_main);
+ checkPermissionAndStartHidden();
+ }
+
+ void checkPermissionAndStartHidden() {
+ ControlsProviderService.requestAddControl(this, new ComponentName(this, PocService.class),
+ new Control.StatefulBuilder("id",
+ PendingIntent.getActivity(this, REQUEST_CODE, new Intent(),
+ PendingIntent.FLAG_IMMUTABLE))
+ .setDeviceType(DeviceTypes.TYPE_UNKNOWN).build());
+ }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/src/android/security/cts/CVE_2021_39701/PocService.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/src/android/security/cts/CVE_2021_39701/PocService.java
new file mode 100644
index 0000000..0a3b039
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-39701/src/android/security/cts/CVE_2021_39701/PocService.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_39701;
+
+import android.app.Service;
+import android.content.Context;
+import android.content.Intent;
+import android.content.SharedPreferences;
+import android.os.IBinder;
+
+public class PocService extends Service {
+
+ @Override
+ public IBinder onBind(Intent intent) {
+ return null;
+ }
+
+ @Override
+ public void onCreate() {
+ super.onCreate();
+ setResult(getResources().getInteger(R.integer.fail),
+ getResources().getString(R.string.vulnerableMessage));
+ }
+
+ @Override
+ public void onDestroy() {
+ setResult(getResources().getInteger(R.integer.pass),
+ getResources().getString(R.string.passMessage));
+ super.onDestroy();
+ }
+
+ public void setResult(int flag, String message) {
+ SharedPreferences sharedPref = getSharedPreferences(
+ getResources().getString(R.string.pocSharedPref), Context.MODE_PRIVATE);
+ SharedPreferences.Editor editor = sharedPref.edit();
+ editor.putInt(getString(R.string.flag), flag);
+ editor.putString(getString(R.string.message), message);
+ editor.commit();
+ }
+}
