author | Nick Kralevich <nnk@google.com> | 2014-03-21 09:45:40 -0700 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2014-03-21 09:45:40 -0700 |
commit | 5cf642b767f2f05102a8e9f237164feab45e834d (patch) | |
tree | 66795fc78968d64828a5660101f101a70d1610a7 | |
parent | 9edcad0c88d4c3005eb4a08245160cf8a902ce8b (diff) | |
parent | ba28fe60c870922047ff468c862ecbdcd8ef1ccd (diff) | |
am ba28fe60: Add test for CVE-2014-1710
* commit 'ba28fe60c870922047ff468c862ecbdcd8ef1ccd':
Add test for CVE-2014-1710
-rw-r--r-- | tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp | 53 | ||||
-rw-r--r-- | tests/tests/security/src/android/security/cts/NativeCodeTest.java | 10 |
2 files changed, 63 insertions, 0 deletions
diff --git a/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp b/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
index acb30123629..698cd14861c 100644
--- a/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
+++ b/tests/tests/security/jni/android_security_cts_NativeCodeTest.cpp
@@ -23,6 +23,9 @@
 #include <sys/wait.h>
 #include <signal.h>
 #include <stdlib.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <fcntl.h>
 #include <cutils/log.h>
 #include <linux/perf_event.h>
@@ -163,6 +166,54 @@ static jboolean android_security_cts_NativeCodeTest_doVrootTest(JNIEnv*, jobject
 return parent(pid);
 }
+static void* mmap_syscall(void* addr, size_t len, int prot, int flags, int fd, off_t offset)
+{
+ return (void*) syscall(SYS_mmap2, addr, len, prot, flags, fd, offset);
+}
+
+#define KBASE_REG_COOKIE_TB 2
+#define KBASE_REG_COOKIE_MTP 3
+
+/*
+ * Returns true if the device is immune to CVE-2014-1710,
+ * false if the device is vulnerable.
+ */
+static jboolean android_security_cts_NativeCodeTest_doCVE20141710Test(JNIEnv*, jobject)
+{
+ jboolean result = false;
+ int fd = open("/dev/mali0", O_RDWR);
+ if (fd < 0) {
+ return true; /* not vulnerable */
+ }
+
+ void* a = mmap_syscall(NULL, 0x1000, PROT_READ, MAP_SHARED, fd, KBASE_REG_COOKIE_MTP);
+ void* b = mmap_syscall(NULL, 0x1000, PROT_READ, MAP_SHARED, fd, KBASE_REG_COOKIE_TB);
+
+ if (a == MAP_FAILED) {
+ result = true; /* assume not vulnerable */
+ goto done;
+ }
+
+ if (b == MAP_FAILED) {
+ result = true; /* assume not vulnerable */
+ goto done;
+ }
+
+ /* mprotect should return an error if not vulnerable */
+ result = (mprotect(b, 0x1000, PROT_READ | PROT_WRITE) == -1);
+
+ done:
+ if (a != MAP_FAILED) {
+ munmap(a, 0x1000);
+ }
+ if (b != MAP_FAILED) {
+ munmap(b, 0x1000);
+ }
+ close(fd);
+ return result;
+}
+
+
 static JNINativeMethod gMethods[] = {
 { "doPerfEventTest", "()Z",
 (void *) android_security_cts_NativeCodeTest_doPerfEventTest },
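Review bot: Every failure path in `doCVE20141710Test` reports the device as immune: a failed `open("/dev/mali0", O_RDWR)` and a `MAP_FAILED` from either `mmap_syscall` call all yield `true`, so a permission denial or resource error cannot be told apart from a patched driver and the test passes silently. Logging the cause before each early exit, for example `ALOGI("CVE-2014-1710: open(/dev/mali0) failed: %s", strerror(errno));`, would let someone reading a CTS run separate "not applicable" from "not exercised"; this needs `<errno.h>` and `<string.h>` if the file does not already include them, which the hunk does not show. Separately, `mmap_syscall` relies on `SYS_mmap2`, which only 32-bit ABIs define, and mmap2 counts its offset in 4096-byte units, so the cookies appear to be passed unscaled on purpose. A comment such as `/* mmap2 takes the offset in 4096-byte units; the cookie is passed unscaled */` plus an `#if defined(SYS_mmap2)` guard would make both assumptions explicit.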
@@ -170,6 +221,8 @@ static JNINativeMethod gMethods[] = {
 (void *) android_security_cts_NativeCodeTest_doPerfEventTest2 },
 { "doVrootTest", "()Z",
 (void *) android_security_cts_NativeCodeTest_doVrootTest },
+ { "doCVE20141710Test", "()Z",
+ (void *) android_security_cts_NativeCodeTest_doCVE20141710Test },
 };
 int register_android_security_cts_NativeCodeTest(JNIEnv* env)
diff --git a/tests/tests/security/src/android/security/cts/NativeCodeTest.java b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
index 4781da30ec3..a9fd82109e0 100644
--- a/tests/tests/security/src/android/security/cts/NativeCodeTest.java
+++ b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
@@ -74,4 +74,14 @@ public class NativeCodeTest extends TestCase {
 * https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/arm/include/asm/uaccess.h?id=8404663f81d212918ff85f493649a7991209fa04
 */
 private static native boolean doVrootTest();
+
+ public void testCVE20141710() throws Exception {
+ assertTrue("Device is vulnerable to CVE-2014-1710", doCVE20141710Test());
+ }
+
+ /**
+ * Returns true if the device is immune to CVE-2014-1710,
+ * false if the device is vulnerable.
+ */
+ private static native boolean doCVE20141710Test();
 } |
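Review bot: `testCVE20141710` has no comment saying what is being checked, whereas the comment above the neighbouring `doVrootTest` declaration links to its kernel fix. A short Javadoc on the test, for example `/** Verifies that a read-only mapping obtained from /dev/mali0 cannot be made writable with mprotect (CVE-2014-1710). */`, would tell someone triaging a failure what the native helper probes. The Javadoc on `doCVE20141710Test` should also state that `true` is returned when the device node cannot be opened or mapped, since the native code treats those cases as not vulnerable.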