[RESTRICT AUTOMERGE] CTS test for Android Security b/172655291
Bug: 172655291
Bug: 177454666
Test: Ran the new testcase on android-8.1.0_r1 with/without patch
Change-Id: I23d60bfa5ea46642176b80ed1a5f0dd0253d3a4c
(cherry picked from commit cd7ed80ffaba425d5bc9555579159a753d3b84b3)
diff --git a/tests/tests/security/jni/Android.mk b/tests/tests/security/jni/Android.mk
index 363ed47..ecbe43d 100644
--- a/tests/tests/security/jni/Android.mk
+++ b/tests/tests/security/jni/Android.mk
@@ -22,24 +22,25 @@
LOCAL_MODULE_TAGS := optional
LOCAL_SRC_FILES := \
- CtsSecurityJniOnLoad.cpp \
- android_security_cts_CharDeviceTest.cpp \
- android_security_cts_KernelSettingsTest.cpp \
- android_security_cts_LinuxRngTest.cpp \
- android_security_cts_NativeCodeTest.cpp \
- android_security_cts_SELinuxTest.cpp \
- android_security_cts_MMapExecutableTest.cpp \
- android_security_cts_EncryptionTest.cpp \
+ CtsSecurityJniOnLoad.cpp \
+ android_security_cts_CharDeviceTest.cpp \
+ android_security_cts_KernelSettingsTest.cpp \
+ android_security_cts_LinuxRngTest.cpp \
+ android_security_cts_NativeCodeTest.cpp \
+ android_security_cts_SELinuxTest.cpp \
+ android_security_cts_MMapExecutableTest.cpp \
+ android_security_cts_EncryptionTest.cpp \
+ android_security_cts_cve_2021_0394.cpp \
LOCAL_SHARED_LIBRARIES := \
- libnativehelper \
- liblog \
- libcutils \
- libcrypto \
- libselinux \
- libc++ \
- libpcre2 \
- libpackagelistparser
+ libnativehelper \
+ liblog \
+ libcutils \
+ libcrypto \
+ libselinux \
+ libc++ \
+ libpcre2 \
+ libpackagelistparser
LOCAL_C_INCLUDES += ndk/sources/cpufeatures
LOCAL_STATIC_LIBRARIES := cpufeatures
diff --git a/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp b/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp
index 2014591..92d8a4c 100644
--- a/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp
+++ b/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp
@@ -25,6 +25,7 @@
extern int register_android_security_cts_SeccompTest(JNIEnv*);
extern int register_android_security_cts_MMapExecutableTest(JNIEnv* env);
extern int register_android_security_cts_EncryptionTest(JNIEnv* env);
+extern int register_android_security_cts_cve_2021_0394(JNIEnv* env);
jint JNI_OnLoad(JavaVM *vm, void *reserved) {
JNIEnv *env = NULL;
@@ -61,5 +62,9 @@
return JNI_ERR;
}
+ if (register_android_security_cts_cve_2021_0394(env)) {
+ return JNI_ERR;
+ }
+
return JNI_VERSION_1_4;
}
diff --git a/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp b/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp
new file mode 100644
index 0000000..a858894
--- /dev/null
+++ b/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <jni.h>
+#include <string.h>
+
+static constexpr char kDefaultValue = 'x';
+static constexpr size_t kStringLength = 4096;
+
+jboolean android_security_cts_cve_2021_0394_poc(JNIEnv* env, jobject thiz) {
+ char array[kStringLength];
+ memset(array, kDefaultValue, kStringLength - 1);
+ array[kStringLength - 1] = 0;
+ jstring s = env->NewStringUTF(array);
+ jboolean isVulnerable = false;
+ char invalidChars[] = { '\xc0', '\xe0', '\xf0' };
+ for (int c = 0; c < sizeof(invalidChars) / sizeof(char); ++c) {
+ char invalid = invalidChars[c];
+ array[kStringLength - 2] = invalid;
+ s = env->NewStringUTF(array);
+ const char* UTFChars = env->GetStringUTFChars(s, nullptr);
+ if (UTFChars[kStringLength - 2] != '?') {
+ isVulnerable = true;
+ }
+ env->ReleaseStringUTFChars(s, UTFChars);
+ }
+ return isVulnerable;
+}
+
+static JNINativeMethod gMethods[] = { { "poc", "()Z",
+ (void*) android_security_cts_cve_2021_0394_poc }, };
+
+int register_android_security_cts_cve_2021_0394(JNIEnv* env) {
+ jclass clazz = env->FindClass("android/security/cts/CVE_2021_0394");
+ return env->RegisterNatives(clazz, gMethods,
+ sizeof(gMethods) / sizeof(JNINativeMethod));
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0394.java b/tests/tests/security/src/android/security/cts/CVE_2021_0394.java
new file mode 100644
index 0000000..325e7af
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0394.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import junit.framework.TestCase;
+
+public class CVE_2021_0394 extends TestCase {
+ static {
+ System.loadLibrary("ctssecurity_jni");
+ }
+
+ /**
+ * b/172655291
+ */
+ @SecurityTest(minPatchLevel = "2021-03")
+ @Test
+ public void testPocCVE_2021_0394() throws Exception {
+ assertFalse(poc());
+ }
+
+ public static native boolean poc();
+}