diff options
author | TreeHugger Robot <treehugger-gerrit@google.com> | 2022-10-06 06:14:12 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-10-06 06:14:12 +0000 |
commit | 0c3fcf287f387c067a7b02e8aa4397e0a75237af (patch) | |
tree | 13a1e2c8138cff0b758655465ae4da2751653db5 | |
parent | 7bb2d078c6eb77fe8fc1b1301c1bdd6de47f3a08 (diff) | |
parent | 39567ff77e23cced8db2dac51e6496a05aa0e3fc (diff) | |
download | cts-0c3fcf287f387c067a7b02e8aa4397e0a75237af.tar.gz |
Merge "CTS test for Android Security b/203229608" into qt-dev am: 454d568f5a am: 39567ff77e
Original change: https://googleplex-android-review.googlesource.com/c/platform/cts/+/19847329
Change-Id: I7c2067c5f04a7241b4118c6270f9bc1808df071c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
5 files changed, 289 insertions, 0 deletions
diff --git a/tests/tests/security/AndroidManifest.xml b/tests/tests/security/AndroidManifest.xml index 7d1a496d337..afc284bbf3d 100644 --- a/tests/tests/security/AndroidManifest.xml +++ b/tests/tests/security/AndroidManifest.xml @@ -186,6 +186,21 @@ </intent-filter> </activity> + <provider android:name="android.security.cts.CVE_2022_20358.PocContentProvider" + android:authorities="android.security.cts.CVE_2022_20358.provider" + android:enabled="true" + android:exported="true" /> + + <service android:name="android.security.cts.CVE_2022_20358.PocSyncService" + android:enabled="true" + android:exported="true"> + <intent-filter> + <action android:name="android.content.SyncAdapter" /> + </intent-filter> + <meta-data android:name="android.content.SyncAdapter" + android:resource="@xml/syncadapter" /> + </service> + </application> <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner" diff --git a/tests/tests/security/res/xml/syncadapter.xml b/tests/tests/security/res/xml/syncadapter.xml new file mode 100644 index 00000000000..478fad5327f --- /dev/null +++ b/tests/tests/security/res/xml/syncadapter.xml @@ -0,0 +1,19 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + Copyright 2022 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> +<sync-adapter xmlns:android="http://schemas.android.com/apk/res/android" + android:accountType="CVE_2022_20358_acc" + android:isAlwaysSyncable="true" /> diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20358/CVE_2022_20358.java b/tests/tests/security/src/android/security/cts/CVE_2022_20358/CVE_2022_20358.java new file mode 100644 index 00000000000..b1ff1688ced --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2022_20358/CVE_2022_20358.java @@ -0,0 +1,120 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts.CVE_2022_20358; + +import static org.junit.Assert.fail; +import static org.junit.Assume.assumeNoException; +import static org.junit.Assume.assumeTrue; + +import android.accounts.Account; +import android.app.Instrumentation; +import android.content.ComponentName; +import android.content.Context; +import android.content.ISyncAdapter; +import android.content.Intent; +import android.content.ServiceConnection; +import android.os.Bundle; +import android.os.IBinder; +import android.os.RemoteCallback; +import android.platform.test.annotations.AsbSecurityTest; + +import androidx.test.InstrumentationRegistry; +import androidx.test.runner.AndroidJUnit4; + +import com.android.sts.common.util.StsExtraBusinessLogicTestCase; + +import org.junit.Test; +import org.junit.runner.RunWith; + +import java.util.concurrent.CompletableFuture; +import java.util.concurrent.Semaphore; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.TimeoutException; + +@RunWith(AndroidJUnit4.class) +public class CVE_2022_20358 extends StsExtraBusinessLogicTestCase implements ServiceConnection { + static final int TIMEOUT_SEC = 10; + Semaphore mWaitResultServiceConn; + boolean mIsAssumeFail = false; + String mAssumeFailMsg = ""; + + @AsbSecurityTest(cveBugId = 203229608) + @Test + public void testPocCVE_2022_20358() { + try { + // Bind to the PocSyncService + Instrumentation instrumentation = InstrumentationRegistry.getInstrumentation(); + Context context = instrumentation.getContext(); + Intent intent = new Intent(context, PocSyncService.class); + intent.setAction("android.content.SyncAdapter"); + CompletableFuture<String> callbackReturn = new CompletableFuture<>(); + RemoteCallback cb = new RemoteCallback((Bundle result) -> { + callbackReturn.complete(result.getString("fail")); + }); + intent.putExtra("callback", cb); + context.bindService(intent, this, Context.BIND_AUTO_CREATE); + + // Wait for some result from the PocSyncService + mWaitResultServiceConn = new Semaphore(0); + assumeTrue(mWaitResultServiceConn.tryAcquire(TIMEOUT_SEC, TimeUnit.SECONDS)); + assumeTrue(mAssumeFailMsg, !mIsAssumeFail); + + // Wait for a result to be set from onPerformSync() of PocSyncAdapter + callbackReturn.get(TIMEOUT_SEC, TimeUnit.SECONDS); + + // In presence of vulnerability, the above call succeeds and TimeoutException is not + // triggered so failing the test + fail("Vulnerable to b/203229608!!"); + } catch (Exception e) { + if (e instanceof TimeoutException) { + // The fix is present so returning from here + return; + } + assumeNoException(e); + } + } + + @Override + public void onServiceConnected(ComponentName name, IBinder service) { + try { + if (mWaitResultServiceConn == null) { + mWaitResultServiceConn = new Semaphore(0); + } + ISyncAdapter adapter = ISyncAdapter.Stub.asInterface(service); + Account account = new Account("CVE_2022_20358_user", "CVE_2022_20358_acc"); + adapter.startSync(null, "android.security.cts.CVE_2022_20358.provider", account, null); + mWaitResultServiceConn.release(); + } catch (Exception e) { + try { + mWaitResultServiceConn.release(); + mAssumeFailMsg = e.getMessage(); + mIsAssumeFail = true; + } catch (Exception ex) { + // ignore all exceptions + } + } + } + + @Override + public void onServiceDisconnected(ComponentName name) { + try { + mWaitResultServiceConn.release(); + } catch (Exception e) { + // ignore all exceptions + } + } +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20358/PocContentProvider.java b/tests/tests/security/src/android/security/cts/CVE_2022_20358/PocContentProvider.java new file mode 100644 index 00000000000..0bc8c2c5fed --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2022_20358/PocContentProvider.java @@ -0,0 +1,56 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts.CVE_2022_20358; + +import android.content.ContentProvider; +import android.content.ContentValues; +import android.database.Cursor; +import android.net.Uri; + +public class PocContentProvider extends ContentProvider { + + @Override + public int delete(Uri uri, String selection, String[] selectionArgs) { + return 0; + } + + @Override + public String getType(Uri uri) { + return null; + } + + @Override + public Uri insert(Uri uri, ContentValues values) { + return null; + } + + @Override + public boolean onCreate() { + return true; + } + + @Override + public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, + String sortOrder) { + return null; + } + + @Override + public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) { + return 0; + } +} diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20358/PocSyncService.java b/tests/tests/security/src/android/security/cts/CVE_2022_20358/PocSyncService.java new file mode 100644 index 00000000000..08fbf92d8e5 --- /dev/null +++ b/tests/tests/security/src/android/security/cts/CVE_2022_20358/PocSyncService.java @@ -0,0 +1,79 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security.cts.CVE_2022_20358; + +import android.accounts.Account; +import android.app.Service; +import android.content.AbstractThreadedSyncAdapter; +import android.content.ContentProviderClient; +import android.content.Context; +import android.content.Intent; +import android.content.SyncResult; +import android.os.Bundle; +import android.os.IBinder; +import android.os.RemoteCallback; + +public class PocSyncService extends Service { + private static PocSyncAdapter sSyncAdapter = null; + private static final Object sSyncAdapterLock = new Object(); + RemoteCallback mCb; + + @Override + public void onCreate() { + try { + synchronized (sSyncAdapterLock) { + if (sSyncAdapter == null) { + sSyncAdapter = new PocSyncAdapter(this); + } + } + } catch (Exception e) { + // ignore all exceptions + } + } + + @Override + public IBinder onBind(Intent intent) { + try { + mCb = (RemoteCallback) intent.getExtra("callback"); + } catch (Exception e) { + // ignore all exceptions + } + return sSyncAdapter.getSyncAdapterBinder(); + } + + public class PocSyncAdapter extends AbstractThreadedSyncAdapter { + + public PocSyncAdapter(Context context) { + super(context, false); + } + + @Override + public void onPerformSync(Account account, Bundle extras, String authority, + ContentProviderClient provider, SyncResult syncResult) { + try { + if (account.type.equals("CVE_2022_20358_acc") + && account.name.equals("CVE_2022_20358_user")) { + Bundle res = new Bundle(); + res.putString("fail", ""); + mCb.sendResult(res); + } + } catch (Exception e) { + // ignore all exceptions + } + } + } +} |