[RESTRICT AUTOMERGE] CTS test for Android Security b/65719872
Bug: 65719872
Bug: 72407117
Test: Ran the new testcase on android-8.0.0_r11 with/without patch
Change-Id: Ia6de1ecdeb0a1af8ff78b355d18f5b06ba78c3f5
diff --git a/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/presubmit/ValidateTestsAbi.java b/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/presubmit/ValidateTestsAbi.java
index ad1ca1e..eb4c9f0 100644
--- a/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/presubmit/ValidateTestsAbi.java
+++ b/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/presubmit/ValidateTestsAbi.java
@@ -184,6 +184,11 @@
* This binary only exists in 32-bit.
*/
BINARY_EXCEPTIONS.add("CVE-2015-6616-232");
+
+ /**
+ * This binary only exists in 32-bit.
+ */
+ BINARY_EXCEPTIONS.add("CVE-2017-1314932");
}
/**
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index b9b73b3..f701e50 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -321,6 +321,7 @@
<option name="push" value="CVE-2017-1324132->/data/local/tmp/CVE-2017-13241" />
<option name="push" value="CVE-2016-390932->/data/local/tmp/CVE-2016-3909" />
<option name="push" value="CVE-2017-1319032->/data/local/tmp/CVE-2017-13190" />
+ <option name="push" value="CVE-2017-1314932->/data/local/tmp/CVE-2017-13149" />
<!-- Please add 64-bit binary tests below to avoid merge conflict -->
diff --git a/hostsidetests/securitybulletin/res/cve_2017_13149.hevc b/hostsidetests/securitybulletin/res/cve_2017_13149.hevc
new file mode 100644
index 0000000..c9addc8
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2017_13149.hevc
Binary files differ
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13149/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13149/Android.mk
new file mode 100644
index 0000000..b0f6efd
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13149/Android.mk
@@ -0,0 +1,34 @@
+# Copyright (C) 2019 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := CVE-2017-13149
+LOCAL_SRC_FILES := poc.c
+LOCAL_SRC_FILES += ../includes/memutils.c
+LOCAL_MULTILIB := 32
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_C_INCLUDES := external/libhevc/common
+LOCAL_C_INCLUDES += external/libhevc/decoder
+LOCAL_SHARED_LIBRARIES := libstagefright_soft_hevcdec
+LOCAL_SHARED_LIBRARIES += liblog
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror -DCHECK_OVERFLOW
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13149/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13149/poc.c
new file mode 100644
index 0000000..4f1bd55
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13149/poc.c
@@ -0,0 +1,305 @@
+/**
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/time.h>
+#include <stdlib.h>
+#include "ihevc_typedefs.h"
+#include "ihevcd_cxa.h"
+
+#define TOTAL_BUF_LEN (1280 * 720 * 3 / 2)
+#define BUF_LEN_0 (1280 * 720)
+#define BUF_LEN_1 (1280 * 720 / 2)
+
+FILE *ps_ip_file = NULL;
+UWORD8 *pu1_bs_buf = NULL;
+ivd_out_bufdesc_t *ps_out_buf = NULL;
+
+#define EXIT_ON_ERROR(status) \
+{\
+ if (IV_SUCCESS != status) {\
+ if(ps_ip_file)\
+ fclose(ps_ip_file);\
+\
+ if(ps_out_buf) { \
+ if(ps_out_buf->pu1_bufs[0]) {\
+ free(ps_out_buf->pu1_bufs[0]);\
+ }\
+ free(ps_out_buf);\
+ }\
+\
+ if(pu1_bs_buf)\
+ free (pu1_bs_buf);\
+\
+ exit(EXIT_SUCCESS);\
+ }\
+}
+
+void * ihevca_aligned_malloc(void *pv_ctxt, WORD32 alignment, WORD32 i4_size) {
+ (void) pv_ctxt;
+ return memalign(alignment, i4_size);
+}
+
+void ihevca_aligned_free(void *pv_ctxt, void *pv_buf) {
+ (void) pv_ctxt;
+ free(pv_buf);
+ return;
+}
+
+void flush_output(iv_obj_t *codec_obj, ivd_out_bufdesc_t *ps_out_buf,
+ UWORD8 *pu1_bs_buf, UWORD32 *pu4_op_frm_ts,
+ UWORD32 u4_ip_frm_ts, UWORD32 u4_bytes_remaining) {
+ WORD32 ret;
+
+ do {
+ ivd_ctl_flush_ip_t s_ctl_ip;
+ ivd_ctl_flush_op_t s_ctl_op;
+
+ if (*pu4_op_frm_ts >= (10000))
+ break;
+
+ s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
+ s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_FLUSH;
+ s_ctl_ip.u4_size = sizeof(ivd_ctl_flush_ip_t);
+ s_ctl_op.u4_size = sizeof(ivd_ctl_flush_op_t);
+ ret = ihevcd_cxa_api_function((iv_obj_t *) codec_obj,
+ (void *) &s_ctl_ip, (void *) &s_ctl_op);
+
+ if (IV_SUCCESS == ret) {
+ ivd_video_decode_ip_t s_video_decode_ip;
+ ivd_video_decode_op_t s_video_decode_op;
+
+ s_video_decode_ip.e_cmd = IVD_CMD_VIDEO_DECODE;
+ s_video_decode_ip.u4_ts = u4_ip_frm_ts;
+ s_video_decode_ip.pv_stream_buffer = pu1_bs_buf;
+ s_video_decode_ip.u4_num_Bytes = u4_bytes_remaining;
+ s_video_decode_ip.u4_size = sizeof(ivd_video_decode_ip_t);
+ s_video_decode_ip.s_out_buffer.u4_min_out_buf_size[0] = BUF_LEN_0;
+ s_video_decode_ip.s_out_buffer.u4_min_out_buf_size[1] = BUF_LEN_1;
+ s_video_decode_ip.s_out_buffer.u4_min_out_buf_size[2] = 0;
+ s_video_decode_ip.s_out_buffer.pu1_bufs[0] =
+ ps_out_buf->pu1_bufs[0];
+ s_video_decode_ip.s_out_buffer.pu1_bufs[1] =
+ ps_out_buf->pu1_bufs[1];
+ s_video_decode_ip.s_out_buffer.pu1_bufs[2] = NULL;
+ s_video_decode_ip.s_out_buffer.u4_num_bufs = 2;
+ s_video_decode_op.u4_size = sizeof(ivd_video_decode_op_t);
+
+ ret = ihevcd_cxa_api_function((iv_obj_t *) codec_obj,
+ (void *) &s_video_decode_ip,
+ (void *) &s_video_decode_op);
+
+ if (1 == s_video_decode_op.u4_output_present) {
+ (*pu4_op_frm_ts)++;
+ }
+ }
+ } while (IV_SUCCESS == ret);
+}
+
+int main(WORD32 argc, CHAR *argv[]) {
+ WORD32 ret = 0;
+ UWORD32 file_pos = 0;
+ UWORD32 u4_ip_frm_ts = 0, u4_op_frm_ts = 0;
+ WORD32 u4_bytes_remaining = 0;
+ iv_obj_t *codec_obj = NULL;
+
+ if (argc < 2) {
+ return EXIT_SUCCESS;
+ }
+ ps_ip_file = fopen(argv[1], "rb");
+ if (NULL == ps_ip_file) {
+ return EXIT_SUCCESS;
+ }
+
+ /* Allocate input and output buffers for IV_YUV_420SP_UV */
+ {
+ pu1_bs_buf = (UWORD8 *) malloc(TOTAL_BUF_LEN);
+ ps_out_buf = (ivd_out_bufdesc_t *) malloc(sizeof(ivd_out_bufdesc_t));
+ if ((pu1_bs_buf == NULL) || (ps_out_buf == NULL)) {
+ EXIT_ON_ERROR(IV_FAIL)
+ }
+ ps_out_buf->pu1_bufs[0] = (UWORD8 *) malloc(TOTAL_BUF_LEN);
+ if (ps_out_buf->pu1_bufs[0] == NULL) {
+ EXIT_ON_ERROR(IV_FAIL)
+ }
+ memset(pu1_bs_buf, 0, TOTAL_BUF_LEN);
+
+ ps_out_buf->pu1_bufs[1] = ps_out_buf->pu1_bufs[0] + BUF_LEN_0;
+ }
+
+ /* Create decoder instance */
+ {
+ ihevcd_cxa_create_ip_t s_create_ip;
+ ihevcd_cxa_create_op_t s_create_op;
+ memset(&s_create_ip, 0, sizeof(ihevcd_cxa_create_ip_t));
+ memset(&s_create_op, 0, sizeof(ihevcd_cxa_create_op_t));
+
+ void *fxns = &ihevcd_cxa_api_function;
+ s_create_ip.s_ivd_create_ip_t.e_cmd = IVD_CMD_CREATE;
+ s_create_ip.s_ivd_create_ip_t.e_output_format = IV_YUV_420SP_UV;
+ s_create_ip.s_ivd_create_ip_t.pf_aligned_alloc = ihevca_aligned_malloc;
+ s_create_ip.s_ivd_create_ip_t.pf_aligned_free = ihevca_aligned_free;
+ s_create_ip.s_ivd_create_ip_t.u4_size = sizeof(ihevcd_cxa_create_ip_t);
+ s_create_op.s_ivd_create_op_t.u4_size = sizeof(ihevcd_cxa_create_op_t);
+
+ ret = ihevcd_cxa_api_function(NULL, (void *) &s_create_ip,
+ (void *) &s_create_op);
+ EXIT_ON_ERROR(ret);
+
+ codec_obj = (iv_obj_t*) s_create_op.s_ivd_create_op_t.pv_handle;
+ codec_obj->pv_fxns = fxns;
+ codec_obj->u4_size = sizeof(iv_obj_t);
+ }
+
+ /* set num of cores */
+ {
+ ihevcd_cxa_ctl_set_num_cores_ip_t s_ctl_set_cores_ip;
+ ihevcd_cxa_ctl_set_num_cores_op_t s_ctl_set_cores_op;
+
+ s_ctl_set_cores_ip.e_cmd = IVD_CMD_VIDEO_CTL;
+ s_ctl_set_cores_ip.e_sub_cmd =
+ (IVD_CONTROL_API_COMMAND_TYPE_T) IHEVCD_CXA_CMD_CTL_SET_NUM_CORES;
+ s_ctl_set_cores_ip.u4_num_cores = 1;
+ s_ctl_set_cores_ip.u4_size = sizeof(ihevcd_cxa_ctl_set_num_cores_ip_t);
+ s_ctl_set_cores_op.u4_size = sizeof(ihevcd_cxa_ctl_set_num_cores_op_t);
+
+ ret = ihevcd_cxa_api_function((iv_obj_t *) codec_obj,
+ (void *) &s_ctl_set_cores_ip,
+ (void *) &s_ctl_set_cores_op);
+ EXIT_ON_ERROR(ret);
+ }
+
+ /* Set the decoder in frame decode mode */
+ {
+ ivd_ctl_set_config_ip_t s_ctl_ip;
+ ivd_ctl_set_config_op_t s_ctl_op;
+
+ s_ctl_ip.u4_disp_wd = 0;
+ s_ctl_ip.e_frm_skip_mode = IVD_SKIP_NONE;
+ s_ctl_ip.e_frm_out_mode = IVD_DISPLAY_FRAME_OUT;
+ s_ctl_ip.e_vid_dec_mode = IVD_DECODE_FRAME;
+ s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
+ s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_SETPARAMS;
+ s_ctl_ip.u4_size = sizeof(ivd_ctl_set_config_ip_t);
+ s_ctl_op.u4_size = sizeof(ivd_ctl_set_config_op_t);
+
+ ret = ihevcd_cxa_api_function((iv_obj_t *) codec_obj,
+ (void *) &s_ctl_ip, (void *) &s_ctl_op);
+ EXIT_ON_ERROR(ret);
+ }
+
+ while ((u4_bytes_remaining = fread(pu1_bs_buf, sizeof(UWORD8),
+ TOTAL_BUF_LEN, ps_ip_file))) {
+ {
+ ivd_video_decode_ip_t s_video_decode_ip;
+ ivd_video_decode_op_t s_video_decode_op;
+
+ s_video_decode_ip.e_cmd = IVD_CMD_VIDEO_DECODE;
+ s_video_decode_ip.u4_ts = u4_ip_frm_ts;
+ s_video_decode_ip.pv_stream_buffer = pu1_bs_buf;
+ s_video_decode_ip.u4_num_Bytes = TOTAL_BUF_LEN;
+ s_video_decode_ip.u4_size = sizeof(ivd_video_decode_ip_t);
+ s_video_decode_ip.s_out_buffer.u4_min_out_buf_size[0] = BUF_LEN_0;
+ s_video_decode_ip.s_out_buffer.u4_min_out_buf_size[1] = BUF_LEN_1;
+ s_video_decode_ip.s_out_buffer.u4_min_out_buf_size[2] = 0;
+ s_video_decode_ip.s_out_buffer.pu1_bufs[0] =
+ ps_out_buf->pu1_bufs[0];
+ s_video_decode_ip.s_out_buffer.pu1_bufs[1] =
+ ps_out_buf->pu1_bufs[1];
+ s_video_decode_ip.s_out_buffer.pu1_bufs[2] = NULL;
+ s_video_decode_ip.s_out_buffer.u4_num_bufs = 2;
+ s_video_decode_op.u4_size = sizeof(ivd_video_decode_op_t);
+
+ /* API Call: Video Decode */
+ ret = ihevcd_cxa_api_function((iv_obj_t *) codec_obj,
+ (void *) &s_video_decode_ip,
+ (void *) &s_video_decode_op);
+
+ if ((IV_SUCCESS != ret)
+ && ((s_video_decode_op.u4_error_code & 0xFF)
+ == IVD_RES_CHANGED)) {
+ ivd_ctl_reset_ip_t s_ctl_ip;
+ ivd_ctl_reset_op_t s_ctl_op;
+
+ flush_output(codec_obj, ps_out_buf, pu1_bs_buf, &u4_op_frm_ts,
+ u4_ip_frm_ts, u4_bytes_remaining);
+
+ s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
+ s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_RESET;
+ s_ctl_ip.u4_size = sizeof(ivd_ctl_reset_ip_t);
+ s_ctl_op.u4_size = sizeof(ivd_ctl_reset_op_t);
+
+ ret = ihevcd_cxa_api_function((iv_obj_t *) codec_obj,
+ (void *) &s_ctl_ip,
+ (void *) &s_ctl_op);
+ EXIT_ON_ERROR(ret);
+
+ /* set num of cores */
+ {
+ ihevcd_cxa_ctl_set_num_cores_ip_t s_ctl_set_cores_ip;
+ ihevcd_cxa_ctl_set_num_cores_op_t s_ctl_set_cores_op;
+
+ s_ctl_set_cores_ip.e_cmd = IVD_CMD_VIDEO_CTL;
+ s_ctl_set_cores_ip.e_sub_cmd =
+ (IVD_CONTROL_API_COMMAND_TYPE_T) IHEVCD_CXA_CMD_CTL_SET_NUM_CORES;
+ s_ctl_set_cores_ip.u4_num_cores = 1;
+ s_ctl_set_cores_ip.u4_size =
+ sizeof(ihevcd_cxa_ctl_set_num_cores_ip_t);
+ s_ctl_set_cores_op.u4_size =
+ sizeof(ihevcd_cxa_ctl_set_num_cores_op_t);
+
+ ret = ihevcd_cxa_api_function((iv_obj_t *) codec_obj,
+ (void *) &s_ctl_set_cores_ip,
+ (void *) &s_ctl_set_cores_op);
+ EXIT_ON_ERROR(ret);
+ }
+ }
+ file_pos += s_video_decode_op.u4_num_bytes_consumed;
+ fseek(ps_ip_file, file_pos, SEEK_SET);
+ u4_ip_frm_ts++;
+
+ if (1 == s_video_decode_op.u4_output_present) {
+ u4_op_frm_ts++;
+ } else {
+ if ((s_video_decode_op.u4_error_code >> IVD_FATALERROR) & 1) {
+ break;
+ }
+ }
+ }
+ }
+
+ /* To get the last decoded frames, call process with NULL input */
+ flush_output(codec_obj, ps_out_buf, pu1_bs_buf, &u4_op_frm_ts, u4_ip_frm_ts,
+ u4_bytes_remaining);
+
+ /* Delete decoder and close all the files and free all the memory */
+ {
+ ivd_delete_ip_t s_delete_dec_ip;
+ ivd_delete_op_t s_delete_dec_op;
+
+ s_delete_dec_ip.e_cmd = IVD_CMD_DELETE;
+ s_delete_dec_ip.u4_size = sizeof(ivd_delete_ip_t);
+ s_delete_dec_op.u4_size = sizeof(ivd_delete_op_t);
+
+ ret = ihevcd_cxa_api_function((iv_obj_t *) codec_obj,
+ (void *) &s_delete_dec_ip,
+ (void *) &s_delete_dec_op);
+
+ EXIT_ON_ERROR(ret);
+ }
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMediaCodec.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMediaCodec.java
index 7e70071..ea17619 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMediaCodec.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMediaCodec.java
@@ -87,6 +87,17 @@
******************************************************************************/
/**
+ * b/65719872
+ * Vulnerability Behaviour: SIGSEGV in self
+ **/
+ @SecurityTest(minPatchLevel = "2017-04")
+ public void testPocCVE_2017_13149() throws Exception {
+ String inputFiles[] = {"cve_2017_13149.hevc"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-13149",
+ AdbUtils.TMP_PATH + inputFiles[0], inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+
+ /**
* b/68299873
**/
@Test
