[RESTRICT AUTOMERGE] CTS test for Android Security b/142602711
Bug: 142602711
Bug: 144321628
Test: Ran the new testcase on android-8.0.0_r29 with/without patch
Change-Id: Ia29ad5d0a9f257603002f098d86d2324e7994b05
(cherry picked from commit 4c1982e48a7e86226be175aaf4e10b9e49292baa)
diff --git a/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/presubmit/ValidateTestsAbi.java b/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/presubmit/ValidateTestsAbi.java
index a464c4a..d99f2b5 100644
--- a/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/presubmit/ValidateTestsAbi.java
+++ b/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/presubmit/ValidateTestsAbi.java
@@ -169,6 +169,11 @@
* This binary only exists in 32-bit.
*/
BINARY_EXCEPTIONS.add("CVE-2017-1317932");
+
+ /**
+ * This binary only exists in 32-bit.
+ */
+ BINARY_EXCEPTIONS.add("CVE-2020-000232");
}
/**
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index 46e6d7c..54df9ea 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -299,6 +299,7 @@
<option name="cleanup" value="true" />
<!-- Please add 32-bit binary tests below to avoid merge conflict -->
+ <option name="push" value="CVE-2020-000232->/data/local/tmp/CVE-2020-0002" />
<option name="push" value="CVE-2017-1317932->/data/local/tmp/CVE-2017-13179" />
<option name="push" value="CVE-2017-083332->/data/local/tmp/CVE-2017-0833" />
<option name="push" value="CVE-2017-083232->/data/local/tmp/CVE-2017-0832" />
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0002.mp4 b/hostsidetests/securitybulletin/res/cve_2020_0002.mp4
new file mode 100644
index 0000000..673f660
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0002.mp4
Binary files differ
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0002/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0002/Android.mk
new file mode 100644
index 0000000..f30e082
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0002/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2020 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := CVE-2020-0002
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_SRC_FILES += ../includes/memutils.c
+LOCAL_MULTILIB := 32
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_C_INCLUDES := external/libavc/decoder
+LOCAL_C_INCLUDES += external/libavc/common
+LOCAL_SHARED_LIBRARIES := libstagefright_soft_avcdec
+LOCAL_SHARED_LIBRARIES += liblog
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -DCHECK_USE_AFTER_FREE_WITH_WINDOW_SIZE=2000000\
+ -DDISABLE_MALLOC_OVERLOADING -DCHECK_OVERFLOW
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0002/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0002/poc.cpp
new file mode 100644
index 0000000..63c10a8
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0002/poc.cpp
@@ -0,0 +1,317 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <iostream>
+#include <fstream>
+#include "ih264_typedefs.h"
+#include "ih264d.h"
+#include "../includes/common.h"
+#define NUM_CORES 3
+#define COLOR_FORMAT IV_YUV_422ILE
+#define DEFAULT_WIDTH 1920
+#define DEFAULT_HEIGHT 1088
+#define NUM_OUTPUT_BUFFERS 1
+#define MEM_ALIGNMENT 16
+using namespace std;
+void *iv_aligned_malloc(void *ctxt, WORD32 alignment, WORD32 size) {
+ (void) ctxt;
+ return memalign(alignment, size);
+}
+
+void iv_aligned_free(void *ctxt, void *buf) {
+ (void) ctxt;
+ free(buf);
+}
+
+class Codec {
+ public:
+ Codec(IV_COLOR_FORMAT_T colorFormat, size_t numCores);
+ ~Codec();
+
+ IV_API_CALL_STATUS_T createCodec();
+ void deleteCodec();
+ void resetCodec();
+ void setCores();
+ void allocFrame();
+ void freeFrame();
+ void decodeHeader(const uint8_t *data, size_t size);
+ void decodeFrame(const uint8_t *data, size_t size, size_t *bytesConsumed);
+ void setParams(IVD_VIDEO_DECODE_MODE_T mode);
+ void setArchitecture(IVD_ARCH_T arch);
+
+ private:
+ IV_COLOR_FORMAT_T mColorFormat;
+ size_t mNumCores;
+ iv_obj_t *mCodec;
+ ivd_out_bufdesc_t mOutBufHandle;
+ uint32_t mWidth;
+ uint32_t mHeight;
+};
+
+Codec::Codec(IV_COLOR_FORMAT_T colorFormat, size_t numCores) {
+ mColorFormat = colorFormat;
+ mNumCores = numCores;
+ mCodec = nullptr;
+ mWidth = 0;
+ mHeight = 0;
+ memset(&mOutBufHandle, 0, sizeof(mOutBufHandle));
+}
+
+Codec::~Codec() {
+}
+
+IV_API_CALL_STATUS_T Codec::createCodec() {
+ IV_API_CALL_STATUS_T ret;
+ ih264d_create_ip_t create_ip;
+ ih264d_create_op_t create_op;
+ void *fxns = (void *) &ih264d_api_function;
+
+ create_ip.s_ivd_create_ip_t.e_cmd = IVD_CMD_CREATE;
+ create_ip.s_ivd_create_ip_t.u4_share_disp_buf = 0;
+ create_ip.s_ivd_create_ip_t.e_output_format = mColorFormat;
+ create_ip.s_ivd_create_ip_t.pf_aligned_alloc = iv_aligned_malloc;
+ create_ip.s_ivd_create_ip_t.pf_aligned_free = iv_aligned_free;
+ create_ip.s_ivd_create_ip_t.pv_mem_ctxt = nullptr;
+ create_ip.s_ivd_create_ip_t.u4_size = sizeof(ih264d_create_ip_t);
+ create_op.s_ivd_create_op_t.u4_size = sizeof(ih264d_create_op_t);
+
+ ret = ih264d_api_function(nullptr, (void *)&create_ip, (void *)&create_op);
+ if (ret != IV_SUCCESS) {
+ return ret;
+ }
+ mCodec = (iv_obj_t *) create_op.s_ivd_create_op_t.pv_handle;
+ mCodec->pv_fxns = fxns;
+ mCodec->u4_size = sizeof(iv_obj_t);
+ return ret;
+}
+
+void Codec::deleteCodec() {
+ ivd_delete_ip_t delete_ip;
+ ivd_delete_op_t delete_op;
+
+ delete_ip.e_cmd = IVD_CMD_DELETE;
+ delete_ip.u4_size = sizeof(ivd_delete_ip_t);
+ delete_op.u4_size = sizeof(ivd_delete_op_t);
+
+ ih264d_api_function(mCodec, (void *)&delete_ip, (void *)&delete_op);
+}
+
+void Codec::resetCodec() {
+ ivd_ctl_reset_ip_t s_ctl_ip;
+ ivd_ctl_reset_op_t s_ctl_op;
+
+ s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
+ s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_RESET;
+ s_ctl_ip.u4_size = sizeof(ivd_ctl_reset_ip_t);
+ s_ctl_op.u4_size = sizeof(ivd_ctl_reset_op_t);
+
+ ih264d_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op);
+}
+
+void Codec::setCores() {
+ ih264d_ctl_set_num_cores_ip_t s_ctl_ip;
+ ih264d_ctl_set_num_cores_op_t s_ctl_op;
+
+ s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
+ s_ctl_ip.e_sub_cmd =
+ (IVD_CONTROL_API_COMMAND_TYPE_T) IH264D_CMD_CTL_SET_NUM_CORES;
+ s_ctl_ip.u4_num_cores = mNumCores;
+ s_ctl_ip.u4_size = sizeof(ih264d_ctl_set_num_cores_ip_t);
+ s_ctl_op.u4_size = sizeof(ih264d_ctl_set_num_cores_op_t);
+
+ ih264d_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op);
+}
+
+void Codec::setParams(IVD_VIDEO_DECODE_MODE_T mode) {
+ ivd_ctl_set_config_ip_t s_ctl_ip;
+ ivd_ctl_set_config_op_t s_ctl_op;
+
+ s_ctl_ip.u4_disp_wd = 0;
+ s_ctl_ip.e_frm_skip_mode = IVD_SKIP_NONE;
+ s_ctl_ip.e_frm_out_mode = IVD_DISPLAY_FRAME_OUT;
+ s_ctl_ip.e_vid_dec_mode = mode;
+ s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
+ s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_SETPARAMS;
+ s_ctl_ip.u4_size = sizeof(ivd_ctl_set_config_ip_t);
+ s_ctl_op.u4_size = sizeof(ivd_ctl_set_config_op_t);
+
+ ih264d_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op);
+}
+
+void Codec::setArchitecture(IVD_ARCH_T arch) {
+ ih264d_ctl_set_processor_ip_t s_ctl_ip;
+ ih264d_ctl_set_processor_op_t s_ctl_op;
+
+ s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
+ s_ctl_ip.e_sub_cmd =
+ (IVD_CONTROL_API_COMMAND_TYPE_T) IH264D_CMD_CTL_SET_PROCESSOR;
+ s_ctl_ip.u4_arch = arch;
+ s_ctl_ip.u4_soc = SOC_GENERIC;
+ s_ctl_ip.u4_size = sizeof(ih264d_ctl_set_processor_ip_t);
+ s_ctl_op.u4_size = sizeof(ih264d_ctl_set_processor_op_t);
+
+ ih264d_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op);
+}
+
+void Codec::freeFrame() {
+ if (mOutBufHandle.pu1_bufs[0]) {
+ free(mOutBufHandle.pu1_bufs[0]);
+ mOutBufHandle.pu1_bufs[0] = nullptr;
+ }
+}
+
+void Codec::allocFrame() {
+ size_t size = mWidth * mHeight * 2;
+ size_t num_bufs = NUM_OUTPUT_BUFFERS;
+ freeFrame();
+ memset(&mOutBufHandle, 0, sizeof(mOutBufHandle));
+ mOutBufHandle.u4_num_bufs = num_bufs;
+ mOutBufHandle.u4_min_out_buf_size[0] = size;
+ mOutBufHandle.pu1_bufs[0] = (UWORD8 *) iv_aligned_malloc(nullptr,
+ MEM_ALIGNMENT,
+ size);
+}
+
+void Codec::decodeHeader(const uint8_t *data, size_t size) {
+ setParams (IVD_DECODE_HEADER);
+
+ while (size > 0) {
+ ivd_video_decode_ip_t dec_ip;
+ ivd_video_decode_op_t dec_op;
+ size_t bytes_consumed;
+
+ memset(&dec_ip, 0, sizeof(dec_ip));
+ memset(&dec_op, 0, sizeof(dec_op));
+
+ dec_ip.e_cmd = IVD_CMD_VIDEO_DECODE;
+ dec_ip.u4_ts = 0;
+ dec_ip.pv_stream_buffer = (void *) data;
+ dec_ip.u4_num_Bytes = size;
+ dec_ip.u4_size = sizeof(ivd_video_decode_ip_t);
+ dec_op.u4_size = sizeof(ivd_video_decode_op_t);
+
+ ih264d_api_function(mCodec, (void *)&dec_ip, (void *)&dec_op);
+
+ bytes_consumed = dec_op.u4_num_bytes_consumed;
+ /* If no bytes are consumed, then consume 4 bytes to ensure fuzzer proceeds
+ * to feed next data */
+ if (!bytes_consumed)
+ bytes_consumed = 4;
+
+ bytes_consumed = std::min(size, bytes_consumed);
+
+ data += bytes_consumed;
+ size -= bytes_consumed;
+
+ mWidth = dec_op.u4_pic_wd;
+ mHeight = dec_op.u4_pic_ht;
+
+ /* Break after successful header decode */
+ if (mWidth && mHeight) {
+ break;
+ }
+ }
+ /* if width / height are invalid, set them to defaults */
+ if (!mWidth)
+ mWidth = DEFAULT_WIDTH;
+ if (!mHeight)
+ mHeight = DEFAULT_HEIGHT;
+}
+
+void Codec::decodeFrame(const uint8_t *data, size_t size,
+ size_t *bytesConsumed) {
+ ivd_video_decode_ip_t dec_ip;
+ ivd_video_decode_op_t dec_op;
+
+ memset(&dec_ip, 0, sizeof(dec_ip));
+ memset(&dec_op, 0, sizeof(dec_op));
+
+ dec_ip.e_cmd = IVD_CMD_VIDEO_DECODE;
+ dec_ip.u4_ts = 0;
+ dec_ip.pv_stream_buffer = (void *) data;
+ dec_ip.u4_num_Bytes = size;
+ dec_ip.u4_size = sizeof(ivd_video_decode_ip_t);
+ dec_ip.s_out_buffer = mOutBufHandle;
+
+ dec_op.u4_size = sizeof(ivd_video_decode_op_t);
+
+ ih264d_api_function(mCodec, (void *)&dec_ip, (void *)&dec_op);
+
+ /* In case of change in resolution, reset codec and feed the same data again
+ */
+ if ((dec_op.u4_error_code & 0xFF) == IVD_RES_CHANGED) {
+ resetCodec();
+ ih264d_api_function(mCodec, (void *)&dec_ip, (void *)&dec_op);
+ }
+ *bytesConsumed = dec_op.u4_num_bytes_consumed;
+
+ /* If no bytes are consumed, then consume 4 bytes to ensure fuzzer proceeds
+ * to feed next data */
+ if (!*bytesConsumed)
+ *bytesConsumed = 4;
+
+ if (dec_op.u4_pic_wd && dec_op.u4_pic_ht
+ && (mWidth != dec_op.u4_pic_wd || mHeight != dec_op.u4_pic_ht)) {
+ mWidth = dec_op.u4_pic_wd;
+ mHeight = dec_op.u4_pic_ht;
+ allocFrame();
+ }
+}
+
+int main(int argc, char **argv) {
+ if (argc != 2) {
+ return EXIT_FAILURE;
+ }
+ std::ifstream inFile(argv[1]);
+ if (!inFile) {
+ return EXIT_FAILURE;
+ }
+ inFile.seekg(0, inFile.end);
+ size_t size = inFile.tellg();
+ if (size < 1) {
+ inFile.close();
+ return EXIT_FAILURE;
+ }
+ inFile.seekg(0, inFile.beg);
+ uint8_t *data = new uint8_t[size];
+ inFile.read(reinterpret_cast<char *>(data), size);
+ IV_COLOR_FORMAT_T colorFormat = COLOR_FORMAT;
+ uint32_t numCores = NUM_CORES;
+ Codec *codec = new Codec(colorFormat, numCores);
+ IV_API_CALL_STATUS_T ret = codec->createCodec();
+ if (ret != IV_SUCCESS) {
+ inFile.close();
+ delete codec;
+ delete[] data;
+ return EXIT_FAILURE;
+ }
+ codec->setCores();
+ codec->decodeHeader(data, size);
+ codec->setParams(IVD_DECODE_FRAME);
+ codec->allocFrame();
+ while (size > 0) {
+ size_t bytesConsumed;
+ codec->decodeFrame(data, size, &bytesConsumed);
+ bytesConsumed = std::min(size, bytesConsumed);
+ data += bytesConsumed;
+ size -= bytesConsumed;
+ }
+ codec->freeFrame();
+ codec->deleteCodec();
+ inFile.close();
+ delete codec;
+ delete[] data;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index ea75997..97fc5c3 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -51,6 +51,18 @@
******************************************************************************/
/**
+ * b/142602711
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @Test
+ @SecurityTest(minPatchLevel = "2020-01")
+ public void testPocCVE_2020_0002() throws Exception {
+ String inputFiles[] = {"cve_2020_0002.mp4"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0002",
+ AdbUtils.TMP_PATH + inputFiles[0], inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+
+ /**
* b/134578122
* Vulnerability Behaviour: SIGSEGV in self
*/
