[RESTRICT AUTOMERGE] CTS test for Android Security b/134420911
Bug: 134420911
Bug: 137880490
Test: Ran the new testcase on android-8.0.0_r2 with/without patch
Change-Id: I4bc34ee84dbcbb130bfda5ffa4c711bd23101cf7
(cherry picked from commit 2b07008f845cd5a65a51719e8181cc992b9ea00a)
diff --git a/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/presubmit/ValidateTestsAbi.java b/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/presubmit/ValidateTestsAbi.java
index d99f2b5..1bd1eaa 100644
--- a/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/presubmit/ValidateTestsAbi.java
+++ b/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/presubmit/ValidateTestsAbi.java
@@ -174,6 +174,11 @@
* This binary only exists in 32-bit.
*/
BINARY_EXCEPTIONS.add("CVE-2020-000232");
+
+ /**
+ * This binary only exists in 32-bit.
+ */
+ BINARY_EXCEPTIONS.add("CVE-2019-217632");
}
/**
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index 54df9ea..7f5bf2f 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -299,6 +299,7 @@
<option name="cleanup" value="true" />
<!-- Please add 32-bit binary tests below to avoid merge conflict -->
+ <option name="push" value="CVE-2019-217632->/data/local/tmp/CVE-2019-2176" />
<option name="push" value="CVE-2020-000232->/data/local/tmp/CVE-2020-0002" />
<option name="push" value="CVE-2017-1317932->/data/local/tmp/CVE-2017-13179" />
<option name="push" value="CVE-2017-083332->/data/local/tmp/CVE-2017-0833" />
diff --git a/hostsidetests/securitybulletin/res/cve_2019_2176.mp4 b/hostsidetests/securitybulletin/res/cve_2019_2176.mp4
new file mode 100644
index 0000000..3a23f8a
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2019_2176.mp4
Binary files differ
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2176/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2176/Android.mk
new file mode 100644
index 0000000..c6cbbf8
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2176/Android.mk
@@ -0,0 +1,33 @@
+# Copyright (C) 2020 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := CVE-2019-2176
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_MULTILIB := 32
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_C_INCLUDES := external/libhevc/decoder
+LOCAL_C_INCLUDES += external/libhevc/common
+LOCAL_SHARED_LIBRARIES := libstagefright_soft_hevcdec
+LOCAL_SHARED_LIBRARIES += liblog
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2176/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2176/poc.cpp
new file mode 100644
index 0000000..253ace8
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2176/poc.cpp
@@ -0,0 +1,342 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <iostream>
+#include <fstream>
+#include "ihevc_typedefs.h"
+#include "ihevcd_cxa.h"
+#include "ihevc_defs.h"
+#include "ihevcd_defs.h"
+#include "ihevcd_function_selector.h"
+#include "ihevc_structs.h"
+#include "ihevc_cabac_tables.h"
+#include "ihevcd_structs.h"
+#include "../includes/common.h"
+
+#define NUM_CORES 3
+#define COLOR_FORMAT IV_YUV_420SP_UV
+#define DEFAULT_WIDTH 1920
+#define DEFAULT_HEIGHT 1088
+#define NUM_OUTPUT_BUFFERS 2
+#define MEM_ALIGNMENT 16
+#define MAX_WIDTH 10240
+#define MAX_HEIGHT 10240
+#define SKIP_BYTES 4
+#define INITIAL_VAL (0xBE)
+#define INITIAL_VAL_32 (0xBEBEBEBE)
+
+void *iv_aligned_malloc(void *ctxt, WORD32 alignment, WORD32 size) {
+ void *buf = nullptr;
+ (void) ctxt;
+ if (0 != posix_memalign(&buf, alignment, size)) {
+ return nullptr;
+ }
+ return buf;
+}
+
+void iv_aligned_free(void *ctxt, void *buf) {
+ (void) ctxt;
+ free(buf);
+}
+
+class Codec {
+ public:
+ Codec(IV_COLOR_FORMAT_T colorFormat, size_t numCores);
+ ~Codec();
+
+ IV_API_CALL_STATUS_T createCodec();
+ void deleteCodec();
+ void resetCodec();
+ void setCores();
+ void allocFrame();
+ void freeFrame();
+ void decodeHeader(const uint8_t *data, size_t size);
+ void decodeFrame(const uint8_t *data, size_t size,
+ size_t *bytesConsumed, bool *isVulnerable);
+ void setParams(IVD_VIDEO_DECODE_MODE_T mode);
+
+ private:
+ IV_COLOR_FORMAT_T mColorFormat;
+ size_t mNumCores;
+ iv_obj_t *mCodec;
+ ivd_out_bufdesc_t mOutBufHandle;
+ uint32_t mWidth;
+ uint32_t mHeight;
+};
+
+Codec::Codec(IV_COLOR_FORMAT_T colorFormat, size_t numCores) {
+ mColorFormat = colorFormat;
+ mNumCores = numCores;
+ mCodec = nullptr;
+ mWidth = 0;
+ mHeight = 0;
+
+ memset(&mOutBufHandle, 0, sizeof(mOutBufHandle));
+}
+
+Codec::~Codec() {
+}
+
+IV_API_CALL_STATUS_T Codec::createCodec() {
+ IV_API_CALL_STATUS_T ret;
+ ihevcd_cxa_create_ip_t create_ip;
+ ihevcd_cxa_create_op_t create_op;
+ void *fxns = (void *) &ihevcd_cxa_api_function;
+
+ create_ip.s_ivd_create_ip_t.e_cmd = IVD_CMD_CREATE;
+ create_ip.s_ivd_create_ip_t.u4_share_disp_buf = 0;
+ create_ip.s_ivd_create_ip_t.e_output_format = mColorFormat;
+ create_ip.s_ivd_create_ip_t.pf_aligned_alloc = iv_aligned_malloc;
+ create_ip.s_ivd_create_ip_t.pf_aligned_free = iv_aligned_free;
+ create_ip.s_ivd_create_ip_t.pv_mem_ctxt = nullptr;
+ create_ip.s_ivd_create_ip_t.u4_size = sizeof(ihevcd_cxa_create_ip_t);
+ create_op.s_ivd_create_op_t.u4_size = sizeof(ihevcd_cxa_create_op_t);
+
+ ret = ihevcd_cxa_api_function(nullptr, (void *)&create_ip,
+ (void *)&create_op);
+ if (ret != IV_SUCCESS) {
+ return ret;
+ }
+ mCodec = (iv_obj_t *) create_op.s_ivd_create_op_t.pv_handle;
+ mCodec->pv_fxns = fxns;
+ mCodec->u4_size = sizeof(iv_obj_t);
+ return ret;
+}
+
+void Codec::deleteCodec() {
+ ivd_delete_ip_t delete_ip;
+ ivd_delete_op_t delete_op;
+
+ delete_ip.e_cmd = IVD_CMD_DELETE;
+ delete_ip.u4_size = sizeof(ivd_delete_ip_t);
+ delete_op.u4_size = sizeof(ivd_delete_op_t);
+
+ ihevcd_cxa_api_function(mCodec, (void *)&delete_ip, (void *)&delete_op);
+}
+
+void Codec::resetCodec() {
+ ivd_ctl_reset_ip_t s_ctl_ip;
+ ivd_ctl_reset_op_t s_ctl_op;
+
+ s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
+ s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_RESET;
+ s_ctl_ip.u4_size = sizeof(ivd_ctl_reset_ip_t);
+ s_ctl_op.u4_size = sizeof(ivd_ctl_reset_op_t);
+
+ ihevcd_cxa_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op);
+}
+
+void Codec::setCores() {
+ ihevcd_cxa_ctl_set_num_cores_ip_t s_ctl_ip;
+ ihevcd_cxa_ctl_set_num_cores_op_t s_ctl_op;
+
+ s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
+ s_ctl_ip.e_sub_cmd =
+ (IVD_CONTROL_API_COMMAND_TYPE_T) IHEVCD_CXA_CMD_CTL_SET_NUM_CORES;
+ s_ctl_ip.u4_num_cores = mNumCores;
+ s_ctl_ip.u4_size = sizeof(ihevcd_cxa_ctl_set_num_cores_ip_t);
+ s_ctl_op.u4_size = sizeof(ihevcd_cxa_ctl_set_num_cores_op_t);
+
+ ihevcd_cxa_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op);
+}
+
+void Codec::setParams(IVD_VIDEO_DECODE_MODE_T mode) {
+ ivd_ctl_set_config_ip_t s_ctl_ip;
+ ivd_ctl_set_config_op_t s_ctl_op;
+
+ s_ctl_ip.u4_disp_wd = 0;
+ s_ctl_ip.e_frm_skip_mode = IVD_SKIP_NONE;
+ s_ctl_ip.e_frm_out_mode = IVD_DISPLAY_FRAME_OUT;
+ s_ctl_ip.e_vid_dec_mode = mode;
+ s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
+ s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_SETPARAMS;
+ s_ctl_ip.u4_size = sizeof(ivd_ctl_set_config_ip_t);
+ s_ctl_op.u4_size = sizeof(ivd_ctl_set_config_op_t);
+
+ ihevcd_cxa_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op);
+}
+
+void Codec::freeFrame() {
+ for (size_t i = 0; i < mOutBufHandle.u4_num_bufs; i++) {
+ if (mOutBufHandle.pu1_bufs[i]) {
+ free(mOutBufHandle.pu1_bufs[i]);
+ mOutBufHandle.pu1_bufs[i] = nullptr;
+ }
+ }
+}
+
+void Codec::allocFrame() {
+ size_t sizes[2];
+ sizes[0] = mWidth * mHeight;
+ sizes[1] = mWidth * mHeight >> 1;
+ size_t num_bufs = NUM_OUTPUT_BUFFERS;
+ freeFrame();
+ memset(&mOutBufHandle, 0, sizeof(mOutBufHandle));
+ mOutBufHandle.u4_num_bufs = num_bufs;
+ for (size_t i = 0; i < num_bufs; i++) {
+ mOutBufHandle.u4_min_out_buf_size[i] = sizes[i];
+ mOutBufHandle.pu1_bufs[i] = (UWORD8 *) iv_aligned_malloc(nullptr,
+ MEM_ALIGNMENT,
+ sizes[i]);
+ }
+}
+
+void Codec::decodeHeader(const uint8_t *data, size_t size) {
+ setParams (IVD_DECODE_HEADER);
+
+ while (size > 0) {
+ ivd_video_decode_ip_t dec_ip;
+ ivd_video_decode_op_t dec_op;
+ size_t bytes_consumed;
+
+ memset(&dec_ip, 0, sizeof(dec_ip));
+ memset(&dec_op, 0, sizeof(dec_op));
+
+ dec_ip.e_cmd = IVD_CMD_VIDEO_DECODE;
+ dec_ip.u4_ts = 0;
+ dec_ip.pv_stream_buffer = (void *) data;
+ dec_ip.u4_num_Bytes = size;
+ dec_ip.u4_size = sizeof(ivd_video_decode_ip_t);
+ dec_op.u4_size = sizeof(ivd_video_decode_op_t);
+
+ ihevcd_cxa_api_function(mCodec, (void *)&dec_ip,
+ (void *)&dec_op);
+
+ bytes_consumed = dec_op.u4_num_bytes_consumed;
+ if (!bytes_consumed)
+ bytes_consumed = SKIP_BYTES;
+
+ bytes_consumed = std::min(size, bytes_consumed);
+
+ data += bytes_consumed;
+ size -= bytes_consumed;
+
+ mWidth = std::min(dec_op.u4_pic_wd, (UWORD32) MAX_WIDTH);
+ mHeight = std::min(dec_op.u4_pic_ht, (UWORD32) MAX_HEIGHT);
+
+ /* Break after successful header decode */
+ if (mWidth && mHeight) {
+ break;
+ }
+ }
+ /* if width / height are invalid, set them to defaults */
+ if (!mWidth)
+ mWidth = DEFAULT_WIDTH;
+ if (!mHeight)
+ mHeight = DEFAULT_HEIGHT;
+}
+
+void Codec::decodeFrame(const uint8_t *data, size_t size,
+ size_t *bytesConsumed,
+ bool* isVulnerable) {
+ ivd_video_decode_ip_t dec_ip;
+ ivd_video_decode_op_t dec_op;
+
+ memset(&dec_ip, 0, sizeof(dec_ip));
+ memset(&dec_op, 0, sizeof(dec_op));
+
+ dec_ip.e_cmd = IVD_CMD_VIDEO_DECODE;
+ dec_ip.u4_ts = 0;
+ dec_ip.pv_stream_buffer = (void *) data;
+ dec_ip.u4_num_Bytes = size;
+ dec_ip.u4_size = sizeof(ivd_video_decode_ip_t);
+ dec_ip.s_out_buffer = mOutBufHandle;
+
+ dec_op.u4_size = sizeof(ivd_video_decode_op_t);
+ *isVulnerable = false;
+ codec_t * ps_codec = (codec_t *) mCodec->pv_codec_handle;
+ parse_ctxt_t *ps_parse = &ps_codec->s_parse;
+ buf_period_sei_params_t *ps_buf_period_sei_params;
+ ps_buf_period_sei_params = &ps_parse->s_sei_params.s_buf_period_sei_params;
+ memset((void *) ps_buf_period_sei_params, INITIAL_VAL,
+ sizeof(buf_period_sei_params_t));
+ ihevcd_cxa_api_function(mCodec, (void *)&dec_ip, (void *)&dec_op);
+ UWORD32 len = ps_buf_period_sei_params->u4_initial_cpb_removal_delay_length;
+ if (len != INITIAL_VAL_32) {
+ *isVulnerable = true;
+ }
+ /* In case of change in resolution, reset codec and feed the same data again
+ */
+ if ((dec_op.u4_error_code & 0xFF) == IVD_RES_CHANGED) {
+ resetCodec();
+ ihevcd_cxa_api_function(mCodec, (void *)&dec_ip, (void *)&dec_op);
+ }
+ *bytesConsumed = dec_op.u4_num_bytes_consumed;
+
+ /* If no bytes are consumed, then consume 4 bytes to ensure fuzzer proceeds
+ * to feed next data */
+ if (!*bytesConsumed)
+ *bytesConsumed = SKIP_BYTES;
+
+ if (dec_op.u4_pic_wd && dec_op.u4_pic_ht
+ && (mWidth != dec_op.u4_pic_wd || mHeight != dec_op.u4_pic_ht)) {
+ mWidth = std::min(dec_op.u4_pic_wd, (UWORD32) MAX_WIDTH);
+ mHeight = std::min(dec_op.u4_pic_ht, (UWORD32) MAX_HEIGHT);
+ allocFrame();
+ }
+}
+
+int main(int argc, char **argv) {
+ if (argc != 2) {
+ return EXIT_FAILURE;
+ }
+ std::ifstream inFile(argv[1]);
+ if (!inFile) {
+ return EXIT_FAILURE;
+ }
+ inFile.seekg(0, inFile.end);
+ size_t size = inFile.tellg();
+ if (size < 1) {
+ inFile.close();
+ return EXIT_FAILURE;
+ }
+ inFile.seekg(0, inFile.beg);
+ uint8_t *data = new uint8_t[size];
+ inFile.read(reinterpret_cast<char *>(data), size);
+ IV_COLOR_FORMAT_T colorFormat = COLOR_FORMAT;
+ uint32_t numCores = NUM_CORES;
+ bool isVulnerable = false;
+
+ Codec *codec = new Codec(colorFormat, numCores);
+ IV_API_CALL_STATUS_T ret = codec->createCodec();
+ if(ret != IV_SUCCESS){
+ inFile.close();
+ delete codec;
+ delete[] data;
+ return EXIT_FAILURE;
+ }
+ codec->setCores();
+ codec->decodeHeader(data, size);
+ codec->setParams(IVD_DECODE_FRAME);
+ codec->allocFrame();
+
+ while (size > 0) {
+ size_t bytesConsumed;
+ codec->decodeFrame(data, size, &bytesConsumed, &isVulnerable);
+ bytesConsumed = std::min(size, bytesConsumed);
+ data += bytesConsumed;
+ size -= bytesConsumed;
+ }
+
+ codec->freeFrame();
+ codec->deleteCodec();
+ inFile.close();
+ delete codec;
+ delete[] data;
+ if (isVulnerable) {
+ return EXIT_VULNERABLE;
+ }
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index 97fc5c3..eb63ca2 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -51,6 +51,18 @@
******************************************************************************/
/**
+ * b/134420911
+ * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+ */
+ @Test
+ @SecurityTest(minPatchLevel = "2019-09")
+ public void testPocCVE_2019_2176() throws Exception {
+ String inputFiles[] = {"cve_2019_2176.mp4"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2176",
+ AdbUtils.TMP_PATH + inputFiles[0], inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+
+ /**
* b/142602711
* Vulnerability Behaviour: SIGSEGV in self
*/
