[RESTRICT AUTOMERGE] CTS test for Android Security b/150159669
Bug: 150159669
Bug: 160693070
Test: Ran the new testcase on android-9.0.0_r39 to test with/without patch
Change-Id: I4c48bae14c57b2a431a63b50122083e7c92004e8
(cherry picked from commit a0ba23f117d0b7af0419711983a5b2dc60c6fd7e)
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0381.info b/hostsidetests/securitybulletin/res/cve_2020_0381.info
new file mode 100644
index 0000000..510c136
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0381.info
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0381.xmf b/hostsidetests/securitybulletin/res/cve_2020_0381.xmf
new file mode 100644
index 0000000..cbe4bbc
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0381.xmf
Binary files differ
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.mk
new file mode 100644
index 0000000..d5939df
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.mk
@@ -0,0 +1,33 @@
+# Copyright (C) 2020 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := CVE-2020-0381
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_SRC_FILES += ../includes/memutils.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_SHARED_LIBRARIES := libutils
+LOCAL_SHARED_LIBRARIES += libmediandk
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS := -Wall -Werror -DCHECK_OVERFLOW -DENABLE_SELECTIVE_OVERLOADING
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp
new file mode 100644
index 0000000..23d73c3
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp
@@ -0,0 +1,116 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <dlfcn.h>
+#include <media/DataSource.h>
+#include <media/MediaExtractor.h>
+#include <signal.h>
+#include <stdlib.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmidiextractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmidiextractor.so"
+#endif
+
+char enable_selective_overload = ENABLE_NONE;
+
+using namespace android;
+
+class XMFDataSource : public DataSource {
+ public:
+ int mFdData;
+ int mFdInfo;
+ XMFDataSource(int fdData, int fdInfo) {
+ mFdData = fdData;
+ mFdInfo = fdInfo;
+ }
+
+ ~XMFDataSource() = default;
+
+ virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data, size_t size) {
+ uint32_t infoOffset, infoSize;
+ read(mFdInfo, &infoSize, sizeof(int32_t));
+ read(mFdInfo, &infoOffset, sizeof(int32_t));
+ lseek(mFdData, infoOffset, SEEK_SET);
+ read(mFdData, data, infoSize);
+ return size;
+ }
+
+ virtual status_t getSize(off64_t *size) {
+ *size = 0x10000;
+ return 0;
+ }
+ virtual status_t initCheck() const { return 0; }
+};
+
+void close_resources(int fdData, int fdInfo, void *libHandle) {
+ if (fdData >= 0) {
+ ::close(fdData);
+ }
+ if (fdInfo >= 0) {
+ ::close(fdInfo);
+ }
+ if (libHandle) {
+ dlclose(libHandle);
+ }
+}
+
+int main(int argc, char **argv) {
+ if (argc < 3) {
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_ALL;
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ return EXIT_FAILURE;
+ }
+
+ MediaExtractor::GetExtractorDef getDef =
+ (MediaExtractor::GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+ if (!getDef) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ int fdData = open(argv[1], O_RDONLY);
+ if (fdData < 0) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ int fdInfo = open(argv[2], O_RDONLY);
+ if (fdInfo < 0) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo);
+ if (!dataSource) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ void *meta = nullptr;
+ MediaExtractor::FreeMetaFunc freeMeta = nullptr;
+ float confidence = 0.0f;
+ getDef().sniff(dataSource.get(), &confidence, &meta, &freeMeta);
+ close_resources(fdData, fdInfo, libHandle);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java
new file mode 100644
index 0000000..07f82bb
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java
@@ -0,0 +1,40 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.device.ITestDevice;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0381 extends SecurityTestCase {
+
+ /**
+ * b/150159669
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-09")
+ @Test
+ public void testPocCVE_2020_0381() throws Exception {
+ String inputFiles[] = {"cve_2020_0381.xmf", "cve_2020_0381.info"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0381",
+ AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1],
+ inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+}
