authorTreeHugger Robot <treehugger-gerrit@google.com>2022-10-06 06:14:12 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2022-10-06 06:14:12 +0000
commit0c3fcf287f387c067a7b02e8aa4397e0a75237af (patch)
tree13a1e2c8138cff0b758655465ae4da2751653db5
parent7bb2d078c6eb77fe8fc1b1301c1bdd6de47f3a08 (diff)
parent39567ff77e23cced8db2dac51e6496a05aa0e3fc (diff)
Merge "CTS test for Android Security b/203229608" into qt-dev am: 454d568f5a am: 39567ff77e
Original change: https://googleplex-android-review.googlesource.com/c/platform/cts/+/19847329 Change-Id: I7c2067c5f04a7241b4118c6270f9bc1808df071c Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--tests/tests/security/AndroidManifest.xml15
-rw-r--r--tests/tests/security/res/xml/syncadapter.xml19
-rw-r--r--tests/tests/security/src/android/security/cts/CVE_2022_20358/CVE_2022_20358.java120
-rw-r--r--tests/tests/security/src/android/security/cts/CVE_2022_20358/PocContentProvider.java56
-rw-r--r--tests/tests/security/src/android/security/cts/CVE_2022_20358/PocSyncService.java79
5 files changed, 289 insertions, 0 deletions
diff --git a/tests/tests/security/AndroidManifest.xml b/tests/tests/security/AndroidManifest.xml
index 7d1a496d337..afc284bbf3d 100644
--- a/tests/tests/security/AndroidManifest.xml
+++ b/tests/tests/security/AndroidManifest.xml
@@ -186,6 +186,21 @@
</intent-filter>
</activity>
+ <provider android:name="android.security.cts.CVE_2022_20358.PocContentProvider"
+ android:authorities="android.security.cts.CVE_2022_20358.provider"
+ android:enabled="true"
+ android:exported="true" />
+
+ <service android:name="android.security.cts.CVE_2022_20358.PocSyncService"
+ android:enabled="true"
+ android:exported="true">
+ <intent-filter>
+ <action android:name="android.content.SyncAdapter" />
+ </intent-filter>
+ <meta-data android:name="android.content.SyncAdapter"
+ android:resource="@xml/syncadapter" />
+ </service>
+
</application>
<instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
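Review bot: Both added components are declared `android:exported="true"` with no `android:permission`, so any app on a device where this test APK is installed can bind `PocSyncService` or address the provider. The test binds with an explicit `Intent(context, PocSyncService.class)`, which appears to be a same-package bind, so `android:exported="false"` on both entries would likely still let the test run. If export is required for the scenario under test, an XML comment above the `<provider>` entry saying why would keep a later reader from copying the pattern. The enclosing `<application>` element starts outside this hunk.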
diff --git a/tests/tests/security/res/xml/syncadapter.xml b/tests/tests/security/res/xml/syncadapter.xml
new file mode 100644
index 00000000000..478fad5327f
--- /dev/null
+++ b/tests/tests/security/res/xml/syncadapter.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2022 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+<sync-adapter xmlns:android="http://schemas.android.com/apk/res/android"
+ android:accountType="CVE_2022_20358_acc"
+ android:isAlwaysSyncable="true" />
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20358/CVE_2022_20358.java b/tests/tests/security/src/android/security/cts/CVE_2022_20358/CVE_2022_20358.java
new file mode 100644
index 00000000000..b1ff1688ced
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2022_20358/CVE_2022_20358.java
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2022_20358;
+
+import static org.junit.Assert.fail;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.accounts.Account;
+import android.app.Instrumentation;
+import android.content.ComponentName;
+import android.content.Context;
+import android.content.ISyncAdapter;
+import android.content.Intent;
+import android.content.ServiceConnection;
+import android.os.Bundle;
+import android.os.IBinder;
+import android.os.RemoteCallback;
+import android.platform.test.annotations.AsbSecurityTest;
+
+import androidx.test.InstrumentationRegistry;
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.Semaphore;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2022_20358 extends StsExtraBusinessLogicTestCase implements ServiceConnection {
+ static final int TIMEOUT_SEC = 10;
+ Semaphore mWaitResultServiceConn;
+ boolean mIsAssumeFail = false;
+ String mAssumeFailMsg = "";
+
+ @AsbSecurityTest(cveBugId = 203229608)
+ @Test
+ public void testPocCVE_2022_20358() {
+ try {
+ // Bind to the PocSyncService
+ Instrumentation instrumentation = InstrumentationRegistry.getInstrumentation();
+ Context context = instrumentation.getContext();
+ Intent intent = new Intent(context, PocSyncService.class);
+ intent.setAction("android.content.SyncAdapter");
+ CompletableFuture<String> callbackReturn = new CompletableFuture<>();
+ RemoteCallback cb = new RemoteCallback((Bundle result) -> {
+ callbackReturn.complete(result.getString("fail"));
+ });
+ intent.putExtra("callback", cb);
+ context.bindService(intent, this, Context.BIND_AUTO_CREATE);
+
+ // Wait for some result from the PocSyncService
+ mWaitResultServiceConn = new Semaphore(0);
+ assumeTrue(mWaitResultServiceConn.tryAcquire(TIMEOUT_SEC, TimeUnit.SECONDS));
+ assumeTrue(mAssumeFailMsg, !mIsAssumeFail);
+
+ // Wait for a result to be set from onPerformSync() of PocSyncAdapter
+ callbackReturn.get(TIMEOUT_SEC, TimeUnit.SECONDS);
+
+ // In presence of vulnerability, the above call succeeds and TimeoutException is not
+ // triggered so failing the test
+ fail("Vulnerable to b/203229608!!");
+ } catch (Exception e) {
+ if (e instanceof TimeoutException) {
+ // The fix is present so returning from here
+ return;
+ }
+ assumeNoException(e);
+ }
+ }
+
+ @Override
+ public void onServiceConnected(ComponentName name, IBinder service) {
+ try {
+ if (mWaitResultServiceConn == null) {
+ mWaitResultServiceConn = new Semaphore(0);
+ }
+ ISyncAdapter adapter = ISyncAdapter.Stub.asInterface(service);
+ Account account = new Account("CVE_2022_20358_user", "CVE_2022_20358_acc");
+ adapter.startSync(null, "android.security.cts.CVE_2022_20358.provider", account, null);
+ mWaitResultServiceConn.release();
+ } catch (Exception e) {
+ try {
+ mWaitResultServiceConn.release();
+ mAssumeFailMsg = e.getMessage();
+ mIsAssumeFail = true;
+ } catch (Exception ex) {
+ // ignore all exceptions
+ }
+ }
+ }
+
+ @Override
+ public void onServiceDisconnected(ComponentName name) {
+ try {
+ mWaitResultServiceConn.release();
+ } catch (Exception e) {
+ // ignore all exceptions
+ }
+ }
+}
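Review bot: `mWaitResultServiceConn` is assigned only after `context.bindService(...)`, so `onServiceConnected` can run first, create its own semaphore under the null check and release it. The test thread then overwrites the field with a fresh `Semaphore(0)` that nothing will release. The following `assumeTrue(tryAcquire(...))` turns that into a skipped test instead of a verdict on b/203229608. Moving `mWaitResultServiceConn = new Semaphore(0);` above the `bindService` call, or making the field `final` and initialised at its declaration, removes the race. In the catch path of `onServiceConnected`, `mAssumeFailMsg` and `mIsAssumeFail` should be set before `release()` so the waiting thread observes them, and the binding is never undone, so an `unbindService(this)` in a `finally` would avoid leaking the connection.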
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20358/PocContentProvider.java b/tests/tests/security/src/android/security/cts/CVE_2022_20358/PocContentProvider.java
new file mode 100644
index 00000000000..0bc8c2c5fed
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2022_20358/PocContentProvider.java
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2022_20358;
+
+import android.content.ContentProvider;
+import android.content.ContentValues;
+import android.database.Cursor;
+import android.net.Uri;
+
+public class PocContentProvider extends ContentProvider {
+
+ @Override
+ public int delete(Uri uri, String selection, String[] selectionArgs) {
+ return 0;
+ }
+
+ @Override
+ public String getType(Uri uri) {
+ return null;
+ }
+
+ @Override
+ public Uri insert(Uri uri, ContentValues values) {
+ return null;
+ }
+
+ @Override
+ public boolean onCreate() {
+ return true;
+ }
+
+ @Override
+ public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs,
+ String sortOrder) {
+ return null;
+ }
+
+ @Override
+ public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
+ return 0;
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20358/PocSyncService.java b/tests/tests/security/src/android/security/cts/CVE_2022_20358/PocSyncService.java
new file mode 100644
index 00000000000..08fbf92d8e5
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2022_20358/PocSyncService.java
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2022_20358;
+
+import android.accounts.Account;
+import android.app.Service;
+import android.content.AbstractThreadedSyncAdapter;
+import android.content.ContentProviderClient;
+import android.content.Context;
+import android.content.Intent;
+import android.content.SyncResult;
+import android.os.Bundle;
+import android.os.IBinder;
+import android.os.RemoteCallback;
+
+public class PocSyncService extends Service {
+ private static PocSyncAdapter sSyncAdapter = null;
+ private static final Object sSyncAdapterLock = new Object();
+ RemoteCallback mCb;
+
+ @Override
+ public void onCreate() {
+ try {
+ synchronized (sSyncAdapterLock) {
+ if (sSyncAdapter == null) {
+ sSyncAdapter = new PocSyncAdapter(this);
+ }
+ }
+ } catch (Exception e) {
+ // ignore all exceptions
+ }
+ }
+
+ @Override
+ public IBinder onBind(Intent intent) {
+ try {
+ mCb = (RemoteCallback) intent.getExtra("callback");
+ } catch (Exception e) {
+ // ignore all exceptions
+ }
+ return sSyncAdapter.getSyncAdapterBinder();
+ }
+
+ public class PocSyncAdapter extends AbstractThreadedSyncAdapter {
+
+ public PocSyncAdapter(Context context) {
+ super(context, false);
+ }
+
+ @Override
+ public void onPerformSync(Account account, Bundle extras, String authority,
+ ContentProviderClient provider, SyncResult syncResult) {
+ try {
+ if (account.type.equals("CVE_2022_20358_acc")
+ && account.name.equals("CVE_2022_20358_user")) {
+ Bundle res = new Bundle();
+ res.putString("fail", "");
+ mCb.sendResult(res);
+ }
+ } catch (Exception e) {
+ // ignore all exceptions
+ }
+ }
+ }
+}
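Review bot: `sSyncAdapter` is static, but `PocSyncAdapter` is a non-static inner class, so the adapter stays tied to the first `PocSyncService` instance and `onPerformSync` reads that instance's `mCb`. If the service is destroyed and recreated in the same process, `onBind` stores the callback on the new instance while the cached adapter still reads the old one. The empty `catch (Exception e)` in `onPerformSync` then hides the failure, and the test reads the resulting timeout as "fix present", which is a false pass on a vulnerable build. Making the adapter a per-instance field (`private PocSyncAdapter mSyncAdapter;` set in `onCreate`) keeps adapter and callback together. The catch blocks should at least log, e.g. `Log.e("PocSyncService", "sendResult failed", e);`, so a setup failure is distinguishable from a rejected `startSync`.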