CTS test for Android Security b/119120561
Bug: 119120561
Bug: 128930448
Test: Ran the new testcase on android-10.0.0_r39 to test with/without patch
Change-Id: I0f0a1af7def55bbc964549238e6b01822d33c206
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2027/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2027/Android.bp
new file mode 100644
index 0000000..a080e08
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2027/Android.bp
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2019-2027",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ shared_libs: [
+ "libvorbisidec",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2027/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2027/poc.cpp
new file mode 100644
index 0000000..b1426ee
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2027/poc.cpp
@@ -0,0 +1,95 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "../includes/common.h"
+
+#define REF_COUNT 1
+
+extern "C" {
+#include <Tremolo/codebook.h>
+}
+
+bool testInProgress = false;
+struct sigaction new_action, old_action;
+void sigabrt_handler(int signum, siginfo_t *info, void* context) {
+ if (testInProgress && info->si_signo == SIGABRT) {
+ (*old_action.sa_sigaction)(signum, info, context);
+ return;
+ }
+ _exit(EXIT_FAILURE);
+}
+
+unsigned char data[] = {/* 24 bits to make sure the alignment is correct */
+ 0x42, 0x43, 0x56,
+ /* 16 bits for codebook.dim */
+ 0x40, 0x00,
+ /* 24 bits for codebook.entries */
+ 0x10, 0x00, 0x00,
+ /* 1 bit for ordering which is unset for unordered */
+ /* 1 bit set for specifying unused entries */
+ /* 1 bit for valid length */
+ /* 5 bits for length of entry */
+ 0x06,
+ /* 1 bit for valid length */
+ /* 5 bits for length of entry */
+ /* 2 bits for specifying invalid length for next 2 entries */
+ 0x01,
+ /* 8 bits for specifying invalid length for next 8 entries */
+ 0x00,
+ /* 4 bits for specifying invalid length for next 4 entries */
+ /* 4 bits for specifying the map type 1 */
+ 0x10,
+ /* 32 bits for codebook.q_min */
+ 0x00, 0x00, 0x00, 0x00,
+ /* 32 bits for codebook.q_del */
+ 0x00, 0x00, 0x00, 0x00,
+ /* 4 bits for codebook.q_bits */
+ /* 1 bit for codebook.q_seq */
+ /* 4 bits for quantized values of codebook.q_val for quantvals = 2 */
+ /* 7 bits remaining unused */
+ 0x01, 0x00};
+
+int main() {
+ sigemptyset(&new_action.sa_mask);
+ new_action.sa_flags = SA_SIGINFO;
+ new_action.sa_sigaction = sigabrt_handler;
+ sigaction(SIGABRT, &new_action, &old_action);
+
+ ogg_buffer buf;
+ ogg_reference ref;
+ oggpack_buffer bits;
+ codebook book = {};
+
+ memset(&buf, 0, sizeof(ogg_buffer));
+ memset(&ref, 0, sizeof(ogg_reference));
+ memset(&bits, 0, sizeof(oggpack_buffer));
+
+ buf.data = (uint8_t *)data;
+ buf.size = sizeof(data);
+ buf.refcount = REF_COUNT;
+
+ ref.buffer = &buf;
+ ref.length = sizeof(data);
+ oggpack_readinit(&bits, &ref);
+
+ testInProgress = true;
+ FAIL_CHECK(vorbis_book_unpack(&bits, &book) == 0);
+ testInProgress = false;
+ return EXIT_SUCCESS;
+}
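Review bot: `sigabrt_handler` calls `(*old_action.sa_sigaction)(signum, info, context)` without checking that a three-argument handler was actually registered before this one. If the `sigaction()` call in `main` fails (its return value is ignored), or the previous disposition was `SIG_DFL`/`SIG_IGN` or a handler installed without `SA_SIGINFO`, the call goes through a null or mismatched pointer and the process would likely die with a different signal than the SIGABRT the host-side test filters on, so a vulnerable build could be reported as clean. Guard the chain with `if (!(old_action.sa_flags & SA_SIGINFO) || !old_action.sa_sigaction) return;` so that `abort()` can finish with its own default-action re-raise, and check `sigaction(...) == 0` in `main`. `testInProgress` is also read from the handler and would be safer as `volatile sig_atomic_t` than as a plain `bool`.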
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2027.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2027.java
new file mode 100644
index 0000000..df6c6f4
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2027.java
@@ -0,0 +1,44 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AsbSecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.runner.RunWith;
+import org.junit.Test;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2027 extends SecurityTestCase {
+
+ /**
+ * b/119120561
+ * Vulnerability Behaviour: SIGABRT in self
+ */
+ @AsbSecurityTest(cveBugId = 119120561)
+ @Test
+ public void testPocCVE_2019_2027() throws Exception {
+ String binaryName = "CVE-2019-2027";
+ String signals[] = {CrashUtils.SIGABRT};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ testConfig.config
+ .setAbortMessageIncludes(AdbUtils.escapeRegexSpecialChars("ubsan: mul-overflow"));
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
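Review bot: The only oracle in `testPocCVE_2019_2027` is a SIGABRT whose abort message contains `ubsan: mul-overflow`, so the test detects the bug only when the device's `libvorbisidec` is built with the integer-overflow sanitizer. On a build without that instrumentation the multiplication would presumably wrap silently, and `runPocAssertNoCrashesNotVulnerable` would pass on vulnerable code. The Javadoc should state this dependency, e.g. `Vulnerability Behaviour: SIGABRT in self (requires libvorbisidec built with UBSan integer-overflow checks; otherwise the result is not conclusive)`. As a style point, `String signals[]` is more conventionally written `String[] signals`.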