DO NOT MERGE: CTS test case for CVE-2015-1530

Verifies for Heap overflow in queryDefaultPreProcessing() method of IAudioPolicyService.cpp Bug: 18226810 Change-Id: Ibaea3d7d9a0523919e85bc7eefc618e5d1fa2a9b Signed-off-by: Utsav Singh <utsavs@google.com>

DO NOT MERGE: CTS test case for CVE-2015-1530
Verifies for Heap overflow in queryDefaultPreProcessing() method of IAudioPolicyService.cpp Bug: 18226810 Change-Id: Ibaea3d7d9a0523919e85bc7eefc618e5d1fa2a9b Signed-off-by: Utsav Singh <utsavs@google.com>
d47d81a1 · Utsav Singh · Upendra · dd8ee3dc · d47d81a1 · d47d81a1
Commit d47d81a1 authored 9 years ago by Utsav Singh Committed by Upendra 9 years ago
4 changed files
--- a/tests/tests/security/jni/Android.mk
+++ b/tests/tests/security/jni/Android.mk
@@ -32,10 +32,14 @@ LOCAL_SRC_FILES := \
 		android_security_cts_AudioFlingerBinderTest.cpp \
 		android_security_cts_MediaPlayerInfoLeakTest.cpp \
 		android_security_cts_AudioEffectBinderTest.cpp \
-		android_security_cts_StagefrightFoundationTest.cpp
+		android_security_cts_StagefrightFoundationTest.cpp \
+		android_security_cts_AudioPolicyServiceTest.cpp

-LOCAL_C_INCLUDES := $(JNI_H_INCLUDE)
+LOCAL_C_INCLUDES := $(JNI_H_INCLUDE) \
+		frameworks/av/media/libmedia

-LOCAL_SHARED_LIBRARIES := libnativehelper liblog libbinder libutils libmedia libselinux libdl libstagefright_foundation
+LOCAL_SHARED_LIBRARIES := libnativehelper liblog libbinder libutils libmedia libselinux libdl libstagefright_foundation libmediaplayerservice
+
+LOCAL_CFLAGS += -fpermissive

 include $(BUILD_SHARED_LIBRARY)
--- a/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp
+++ b/tests/tests/security/jni/CtsSecurityJniOnLoad.cpp
@@ -27,6 +27,7 @@ extern int register_android_security_cts_AudioFlingerBinderTest(JNIEnv* env);
 extern int register_android_security_cts_MediaPlayerInfoLeakTest(JNIEnv* env);
 extern int register_android_security_cts_AudioEffectBinderTest(JNIEnv* env);
 extern int register_android_security_cts_StagefrightFoundationTest(JNIEnv* env);
+extern int register_android_security_cts_AudioPolicyServiceTest(JNIEnv* env);

 jint JNI_OnLoad(JavaVM *vm, void *reserved) {
    JNIEnv *env = NULL;
@@ -75,5 +76,9 @@ jint JNI_OnLoad(JavaVM *vm, void *reserved) {
        return JNI_ERR;
    }

+    if (register_android_security_cts_AudioPolicyServiceTest(env)) {
+        return JNI_ERR;
+    }
+
    return JNI_VERSION_1_4;
 }
--- a/tests/tests/security/jni/android_security_cts_AudioPolicyServiceTest.cpp
+++ b/tests/tests/security/jni/android_security_cts_AudioPolicyServiceTest.cpp
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define protected public
+
+#include <jni.h>
+#include <binder/IServiceManager.h>
+#include <binder/Parcel.h>
+#include <binder/ProcessState.h>
+#include <media/AudioEffect.h>
+#include <media/IAudioPolicyService.h>
+#include <media/IMediaPlayerService.h>
+#include <media/mediaplayer.h>
+#include <system/audio.h>
+
+#define AUDIO_SESSION_ALLOCATE 0
+
+using namespace android;
+
+/**
+ * struct which can be used to check whether a binder is dead or not
+ */
+struct DeathRecipient : public IBinder::DeathRecipient {
+    DeathRecipient() : mDied(false) { }
+    virtual void binderDied(const wp<IBinder>& who __unused) {
+        mDied = true;
+    }
+    bool died() const {
+        return mDied;
+    }
+    bool mDied;
+};
+
+struct MyClient : public BnMediaPlayerClient {
+    MyClient()
+        : mEOS(false) {
+    }
+    virtual void notify(int msg, int ext1 __unused, int ext2 __unused, const Parcel *obj __unused) {
+        Mutex::Autolock autoLock(mLock);
+        if (msg == MEDIA_ERROR || msg == MEDIA_PLAYBACK_COMPLETE) {
+            mEOS = true;
+            mCondition.signal();
+        }
+    }
+
+    void waitForEOS() {
+        Mutex::Autolock autoLock(mLock);
+        while (!mEOS) {
+            mCondition.wait(mLock);
+        }
+    }
+
+protected:
+    virtual ~MyClient() {}
+
+private:
+    Mutex mLock;
+    Condition mCondition;
+    bool mEOS;
+    DISALLOW_EVIL_CONSTRUCTORS(MyClient);
+};
+
+static jboolean android_security_cts_AudioPolicyServiceTest_doHeapCorruptionTest(JNIEnv*, jobject) {
+    effect_descriptor_t descriptors;
+    uint32_t count = 0xfffffff;
+    sp<MyClient> client = new MyClient;
+    sp<IServiceManager> serviceManger = defaultServiceManager();
+    // binder to get media.audio_policy
+    sp<IBinder> binder = serviceManger->getService(String16("media.audio_policy"));
+    sp<IAudioPolicyService> iPolicy = IAudioPolicyService::asInterface(binder);
+    // binder to get media.player
+    sp<IBinder> mediaBinder = serviceManger->getService(String16("media.player"));
+    // For identifying media player died or not
+    sp<IMediaPlayerService> service = interface_cast<IMediaPlayerService>(mediaBinder);
+    sp<IMediaPlayer> player = service->create(client, AUDIO_SESSION_ALLOCATE);
+    sp<DeathRecipient> deathRecipient(new DeathRecipient());
+    player->onAsBinder()->linkToDeath(deathRecipient);
+    /*
+     Triggering queryDefaultPreProcessing() method which causes
+     media player to die on unpatched device
+    */
+    iPolicy->queryDefaultPreProcessing(1, &descriptors, &count); // 1 for audioSession
+    // wait to check media player died or not
+    sleep(1);
+    return(!deathRecipient->died());
+}
+
+static JNINativeMethod gMethods[] = {
+    {"doHeapCorruptionTest", "()Z",
+            (void *) android_security_cts_AudioPolicyServiceTest_doHeapCorruptionTest}
+};
+
+int register_android_security_cts_AudioPolicyServiceTest(JNIEnv* env) {
+    jclass clazz = env->FindClass("android/security/cts/AudioPolicyServiceTest");
+    return env->RegisterNatives(clazz, gMethods, sizeof(gMethods) / sizeof(JNINativeMethod));
+}
--- a/tests/tests/security/src/android/security/cts/AudioPolicyServiceTest.java
+++ b/tests/tests/security/src/android/security/cts/AudioPolicyServiceTest.java
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.security.cts;
+
+import junit.framework.TestCase;
+
+public class AudioPolicyServiceTest extends TestCase {
+    static {
+        System.loadLibrary("ctssecurity_jni");
+    }
+
+    /*
+    * Verifies Heap Corruption in Mediaserver @CVE-2015-1530
+    */
+    public void testHeapCorruption() {
+        assertTrue("Device is vulnerable to CVE-2015-1530", doHeapCorruptionTest());
+    }
+
+    /**
+     * ANDROID-18226810 / CVE-2015-1530
+     *
+     * Returns true in patched devices
+     *
+     * More information on this vulnreability is available at
+     *https://android.googlesource.com/platform/frameworks/av/+/74adca9%5E!/
+     */
+    private static native boolean doHeapCorruptionTest();
+ }