1 /**
2  * Copyright (C) 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.security.cts;
18 
19 import com.android.tradefed.util.RunUtil;
20 import static org.junit.Assert.*;
21 
22 import android.platform.test.annotations.AsbSecurityTest;
23 
24 import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
25 import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
26 
27 import org.junit.Test;
28 import org.junit.runner.RunWith;
29 
30 import java.util.concurrent.Callable;
31 
32 @RunWith(DeviceJUnit4ClassRunner.class)
33 public class Poc17_03 extends NonRootSecurityTestCase {
34 
35     /**
36      *  b/31824853
37      */
38     @Test
39     @AsbSecurityTest(cveBugId = 31824853)
testPocCVE_2016_8479()40     public void testPocCVE_2016_8479() throws Exception {
41         if (containsDriver(getDevice(), "/dev/kgsl-3d0")) {
42              AdbUtils.runPocNoOutput("CVE-2016-8479", getDevice(), TIMEOUT_NONDETERMINISTIC);
43             // CTS begins the next test before device finishes rebooting,
44             // sleep to allow time for device to reboot.
45             RunUtil.getDefault().sleep(70000);
46         }
47     }
48 
49     /**
50      *  b/33940449
51      */
52     @Test
53     @AsbSecurityTest(cveBugId = 33940449)
testPocCVE_2017_0508()54     public void testPocCVE_2017_0508() throws Exception {
55         if (containsDriver(getDevice(), "/dev/ion") &&
56             containsDriver(getDevice(), "/dev/dri/renderD129")) {
57             AdbUtils.runPocNoOutput("CVE-2017-0508", getDevice(), 30);
58             // CTS begins the next test before device finishes rebooting,
59             // sleep to allow time for device to reboot.
60             RunUtil.getDefault().sleep(60000);
61         }
62     }
63 
64     /**
65      *  b/33899363
66      */
67     @Test
68     @AsbSecurityTest(cveBugId = 33899363)
testPocCVE_2017_0333()69     public void testPocCVE_2017_0333() throws Exception {
70         if (containsDriver(getDevice(), "/dev/dri/renderD128")) {
71             AdbUtils.runPocNoOutput("CVE-2017-0333", getDevice(), 30);
72             // Device takes up to 30 seconds to crash after ioctl call
73             RunUtil.getDefault().sleep(30000);
74         }
75     }
76 
77     /**
78      *  b/33245849
79      */
80     @Test
81     @AsbSecurityTest(cveBugId = 33245849)
testPocCVE_2017_0334()82     public void testPocCVE_2017_0334() throws Exception {
83         if (containsDriver(getDevice(), "/dev/dri/renderD129")) {
84             String out = AdbUtils.runPoc("CVE-2017-0334", getDevice());
85             // info leak sample
86             // "leaked ptr is 0xffffffc038ed1980"
87             String[] lines = out.split("\n");
88             String pattern = "Leaked ptr is 0x";
89             assertNotKernelPointer(new Callable<String>() {
90                 int index = 0;
91                 @Override
92                 public String call() {
93                     for (; index < lines.length; index++) {
94                         String line = lines[index];
95                         int index = line.indexOf(pattern);
96                         if (index == -1) {
97                             continue;
98                         }
99                         return line.substring(index + pattern.length());
100                     }
101                     return null;
102                 }
103             }, null);
104         }
105     }
106 
107     /**
108      * b/32707507
109      */
110     @Test
111     @AsbSecurityTest(cveBugId = 32707507)
testPocCVE_2017_0479()112     public void testPocCVE_2017_0479() throws Exception {
113         AdbUtils.runPocAssertNoCrashes("CVE-2017-0479", getDevice(), "audioserver");
114     }
115 
116     /*
117      *  b/33178389
118      */
119     @Test
120     @AsbSecurityTest(cveBugId = 33178389)
testPocCVE_2017_0490()121     public void testPocCVE_2017_0490() throws Exception {
122         String bootCountBefore =
123                 AdbUtils.runCommandLine("settings get global boot_count", getDevice());
124         AdbUtils.runCommandLine("service call wifi 43 s16 content://settings/global/boot_count s16 "
125                 + "\"application/x-wifi-config\"",
126                 getDevice());
127         String bootCountAfter =
128                 AdbUtils.runCommandLine("settings get global boot_count", getDevice());
129         // Poc nukes the boot_count setting, reboot to restore it to a sane value
130         getDevice().reboot();
131         updateKernelStartTime();
132         assertEquals(bootCountBefore, bootCountAfter);
133     }
134 
135 }
136