[RESTRICT AUTOMERGE] CTS test for Android security b/158762825
Bug: 158762825
Bug: 168717279
Test: Ran the new testcase on android-10.0.0_r1 with/without patch
Change-Id: I1440d17940e3cfe0f6558e3ef8d75c66cf24c3b6
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0451.aac b/hostsidetests/securitybulletin/res/cve_2020_0451.aac
new file mode 100644
index 0000000..7b04e05
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0451.aac
Binary files differ
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0451/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0451/Android.bp
new file mode 100644
index 0000000..066b530
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0451/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0451",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ include_dirs: [
+ "external/aac/libSYS/include",
+ "external/aac/libAACdec/include",
+ "external/aac/libSBRdec/include",
+ "external/aac/libFDK/include",
+ "external/aac/libAACdec/src",
+ "external/aac/libArithCoding/include",
+ "external/aac/libMpegTPDec/include",
+ "external/aac/libPCMutils/include",
+ "external/aac/libDRCdec/include",
+ "external/aac/libSBRdec/src",
+ ],
+ shared_libs: [
+ "libbluetooth",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0451/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0451/poc.cpp
new file mode 100644
index 0000000..30b2fb9
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0451/poc.cpp
@@ -0,0 +1,129 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <fstream>
+#include <iostream>
+#include <limits>
+#include "../includes/common.h"
+#include "aacdecoder_lib.h"
+#include "aacdecoder.h"
+#include "sbr_ram.h"
+
+constexpr uint8_t kNumberOfLayers = 1;
+constexpr uint8_t kMaxChannelCount = 8;
+bool kIsVulnerable = false;
+
+class Codec {
+ public:
+ Codec() = default;
+ ~Codec() { deInitDecoder(); }
+ bool initDecoder();
+ void decodeFrames(UCHAR *data, UINT size);
+ void deInitDecoder();
+ int validateQmfDomainBounds();
+
+ private:
+ HANDLE_AACDECODER mAacDecoderHandle = nullptr;
+ AAC_DECODER_ERROR mErrorCode = AAC_DEC_OK;
+};
+
+bool Codec::initDecoder() {
+ mAacDecoderHandle = aacDecoder_Open(TT_MP4_ADIF, kNumberOfLayers);
+ if (!mAacDecoderHandle) {
+ return false;
+ }
+ return true;
+}
+
+void Codec::deInitDecoder() {
+ aacDecoder_Close(mAacDecoderHandle);
+ mAacDecoderHandle = nullptr;
+}
+
+void Codec::decodeFrames(UCHAR *data, UINT size) {
+ while (size > 0) {
+ UINT inputSize = size;
+ UINT valid = size;
+ mErrorCode = aacDecoder_Fill(mAacDecoderHandle, &data, &inputSize, &valid);
+ if (mErrorCode != AAC_DEC_OK) {
+ ++data;
+ --size;
+ } else {
+ INT_PCM outputBuf[2048 * kMaxChannelCount];
+ aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf,
+ 2048 * kMaxChannelCount, 0);
+ if (valid >= inputSize) {
+ return;
+ }
+ UINT offset = inputSize - valid;
+ data += offset;
+ size = valid;
+ }
+ }
+}
+
+int Codec::validateQmfDomainBounds() {
+ //Check OOB for qmfDomain
+ void *qmfDomainBound = &(mAacDecoderHandle->qmfModeCurr);
+
+ HANDLE_SBRDECODER hSbrDecoder = mAacDecoderHandle->hSbrDecoder;
+ // Referring sbrDecoder_AssignQmfChannels2SbrChannels()
+ {
+ void *qmfDomainInChPtr = nullptr;
+ void *qmfDomainOutChPtr = nullptr;
+ int channel = 0;
+ int element = 0;
+ int absChOffset = 0;
+ for (element = 0; element < hSbrDecoder->numSbrElements; ++element) {
+ if (hSbrDecoder->pSbrElement[element] != NULL) {
+ for (channel = 0; channel < hSbrDecoder->pSbrElement[element]->nChannels; ++channel) {
+ qmfDomainInChPtr = &hSbrDecoder->pQmfDomain->QmfDomainIn[absChOffset + channel];
+ qmfDomainOutChPtr = &hSbrDecoder->pQmfDomain->QmfDomainOut[absChOffset + channel];
+ if (qmfDomainBound <= qmfDomainInChPtr || qmfDomainBound <= qmfDomainOutChPtr) {
+ kIsVulnerable = true;
+ }
+ }
+ absChOffset += hSbrDecoder->pSbrElement[element]->nChannels;
+ }
+ }
+ }
+ return kIsVulnerable ? EXIT_VULNERABLE : EXIT_SUCCESS;
+}
+
+int main(int argc, char *argv[]) {
+ if (argc != 2) {
+ return EXIT_FAILURE;
+ }
+
+ std::ifstream file;
+ file.open(argv[1], std::ios::in | std::ios::binary);
+ if (!file.is_open()) {
+ return EXIT_FAILURE;
+ }
+ file.ignore(std::numeric_limits<std::streamsize>::max());
+ std::streamsize length = file.gcount();
+ file.clear();
+ file.seekg(0, std::ios_base::beg);
+ UCHAR *data = new UCHAR[length];
+ file.read(reinterpret_cast<char *>(data), length);
+ file.close();
+
+ Codec codec = Codec();
+ if (codec.initDecoder()) {
+ codec.decodeFrames(data, length);
+ }
+ return codec.validateQmfDomainBounds();
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index b669f1d..0734f5f 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -498,6 +498,25 @@
******************************************************************************/
/**
+ * b/158762825
+ * Vulnerability Behaviour: SIGABRT / EXIT_VULNERABLE (113)
+ */
+ @SecurityTest(minPatchLevel = "2020-11")
+ @Test
+ public void testPocCVE_2020_0451() throws Exception {
+ String inputFiles[] = {"cve_2020_0451.aac"};
+ String binaryName = "CVE-2020-0451";
+ String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ testConfig.arguments = AdbUtils.TMP_PATH + inputFiles[0];
+ testConfig.inputFiles = Arrays.asList(inputFiles);
+ testConfig.inputFilesDestination = AdbUtils.TMP_PATH;
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+
+ /**
* b/112891564
* Vulnerability Behaviour: SIGSEGV in self (Android P),
* SIGABRT in self (Android Q onward)
