From f6f09d5a4495f426c95e9292ab1133bbef55e750 Mon Sep 17 00:00:00 2001
From: Ryan Mitchell
Date: Wed, 6 Jun 2018 09:32:43 -0700
Subject: RESTRICT AUTOMERGE: CTS: Verify DynamicRefTable::load security fix

This tests that corrupted apks fail to install on P and later as well as adds a new test to verify that the DynamicRedTable::load security fix prevents out-of-bounds reads from occurring.

Bug: 79488511
Test: run cts -m CtsAppSecurityHostTestCases \
 -t android.appsecurity.cts.CorruptApkTests
Change-Id: I5b60758cb4979c6a593ff57e73acdd559b5d1be7
Merged-In: I5b60758cb4979c6a593ff57e73acdd559b5d1be7
---
 .../corruptapk/CtsCorruptApkTests_b71361168.apk | Bin 710089 -> 1891867 bytes
 .../corruptapk/CtsCorruptApkTests_b79488511.apk | Bin 0 -> 1891846 bytes
 .../android/cts/appsecurity/CorruptApkTests.java | 35 ++++++++++++---------
 3 files changed, 20 insertions(+), 15 deletions(-)
 create mode 100644 hostsidetests/appsecurity/res/corruptapk/CtsCorruptApkTests_b79488511.apk
diff --git a/hostsidetests/appsecurity/res/corruptapk/CtsCorruptApkTests_b71361168.apk b/hostsidetests/appsecurity/res/corruptapk/CtsCorruptApkTests_b71361168.apk
index ef1e2bf5d79..dc00656dc20 100644
Binary files a/hostsidetests/appsecurity/res/corruptapk/CtsCorruptApkTests_b71361168.apk and b/hostsidetests/appsecurity/res/corruptapk/CtsCorruptApkTests_b71361168.apk differ
diff --git a/hostsidetests/appsecurity/res/corruptapk/CtsCorruptApkTests_b79488511.apk b/hostsidetests/appsecurity/res/corruptapk/CtsCorruptApkTests_b79488511.apk
new file mode 100644
index 00000000000..22af499980f
Binary files /dev/null and b/hostsidetests/appsecurity/res/corruptapk/CtsCorruptApkTests_b79488511.apk differ
diff --git a/hostsidetests/appsecurity/src/com/android/cts/appsecurity/CorruptApkTests.java b/hostsidetests/appsecurity/src/com/android/cts/appsecurity/CorruptApkTests.java
index 8fc1ff929ca..b334b05a8a2 100644
--- a/hostsidetests/appsecurity/src/com/android/cts/appsecurity/CorruptApkTests.java
+++ b/hostsidetests/appsecurity/src/com/android/cts/appsecurity/CorruptApkTests.java
@@ -39,7 +39,8 @@ import java.io.OutputStream;
 */
 public class CorruptApkTests extends DeviceTestCase implements IBuildReceiver {
 private final String B71360999_PKG = "com.android.appsecurity.b71360999";
- private final String B71361168_PKG = "com.example.helloworld";
+ private final String B71361168_PKG = "com.android.appsecurity.b71361168";
+ private final String B79488511_PKG = "com.android.appsecurity.b79488511";
 private static final String TEST_APK_RESOURCE_PREFIX = "/corruptapk/";
 
 private IBuildInfo mBuildInfo;
@@ -55,6 +56,7 @@ public class CorruptApkTests extends DeviceTestCase implements IBuildReceiver {
 super.setUp();
 uninstall(B71360999_PKG);
 uninstall(B71361168_PKG);
+ uninstall(B79488511_PKG);
 }
 
 @After
@@ -63,6 +65,7 @@ public class CorruptApkTests extends DeviceTestCase implements IBuildReceiver {
 super.tearDown();
 uninstall(B71360999_PKG);
 uninstall(B71361168_PKG);
+ uninstall(B79488511_PKG);
 }
 
 /** Uninstall the apk if the test failed previously. */
@@ -74,11 +77,11 @@ public class CorruptApkTests extends DeviceTestCase implements IBuildReceiver {
 }
 
 /**
- * Tests that apks described in b/71360999 do not install successfully nor cause
+ * Tests that apks described in b/71360999 do not install successfully.
 */
 public void testFailToInstallCorruptStringPoolHeader_b71360999() throws Exception {
 final String APK_PATH = "CtsCorruptApkTests_b71360999.apk";
- assertFailsToInstall(APK_PATH, B71360999_PKG);
+ assertInstallNoFatalError(APK_PATH, B71360999_PKG);
 }
 
 /**
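Review bot: The new `B79488511_PKG` in the first hunk is declared as an instance field (`private final String`) although it is a constant, while the neighbouring `TEST_APK_RESOURCE_PREFIX` is `private static final`. The added line could read `private static final String B79488511_PKG = "com.android.appsecurity.b79488511";`. The value, like the changed `B71361168_PKG`, has to match the manifest package inside the binary apk, which this diff cannot show. A short comment saying so would help, because setUp and tearDown use these names to remove the corrupt apks from the device.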
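Review bot: The Javadoc kept on testFailToInstallCorruptStringPoolHeader_b71360999 still says the apk must "not install successfully", but the body now calls `assertInstallNoFatalError`, whose Javadoc in the next hunk only promises that no native error occurs. If failure to install is no longer asserted, the comment could read `Tests that installing the apk described in b/71360999 does not cause a native crash.`. The same wording issue applies to the b/71361168 and b/79488511 tests in the next hunk. The commit message says corrupted apks should fail to install on P and later, so the Javadoc should state which of the two outcomes the test actually enforces.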
@@ -86,29 +89,31 @@ public class CorruptApkTests extends DeviceTestCase implements IBuildReceiver { */ public void testFailToInstallCorruptStringPoolHeader_b71361168() throws Exception { final String APK_PATH = "CtsCorruptApkTests_b71361168.apk"; - assertFailsToInstall(APK_PATH, B71361168_PKG); + assertInstallNoFatalError(APK_PATH, B71361168_PKG); } /** - * Assert that the app fails to install and the reason for failing is not caused by a buffer - * overflow nor a out of bounds read. + * Tests that apks described in b/79488511 do not install successfully. + */ + public void testFailToInstallCorruptStringPoolHeader_b79488511() throws Exception { + final String APK_PATH = "CtsCorruptApkTests_b79488511.apk"; + assertInstallNoFatalError(APK_PATH, B79488511_PKG); + } + + /** + * Assert that installing the app does not cause a native error caused by a buffer overflow + * or an out-of-bounds read. **/ - private void assertFailsToInstall(String filename, String pkg) throws Exception { + private void assertInstallNoFatalError(String filename, String pkg) throws Exception { ITestDevice device = getDevice(); device.clearLogcat(); - installPackageFromResource(filename); - assertFalse(device.getInstalledPackageNames().contains(pkg)); - // This catches if the device fails to install the app because a segmentation fault // or out of bounds read created by the bug occurs String logs = device.executeAdbCommand("logcat", "-d"); assertNotNull(logs); - // Whether we hung or not, check for the log indicating the size is bad - boolean fixWasHit = logs.contains("Bad string block: malformed block dimensions") || - logs.contains("Bad string block: data size"); - assertTrue(fixWasHit); + // Also check for the original indicators assertFalse(logs.contains("SIGSEGV")); assertFalse(logs.contains("==ERROR")); 
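Review bot: With the `fixWasHit` check removed, assertInstallNoFatalError is left with only negative assertions on the `logcat -d` dump (`SIGSEGV` and `==ERROR` absent). It therefore also passes when the corrupt apk never reached the code under test, for instance if installation was rejected before the resource table was parsed or the crash had not been logged yet when the dump was taken. Consider keeping one positive signal that the install attempt was processed, or at least document the limitation with `// Absence of SIGSEGV/==ERROR only shows no crash was logged before this dump; it does not prove the apk was parsed.`. The `-` markers around `installPackageFromResource(filename)` and `assertFalse(device.getInstalledPackageNames().contains(pkg))` are ambiguous in this collapsed view; if the latter is indeed gone, the `pkg` parameter is unused and should be dropped or explained. The new test is also named `testFailToInstallCorruptStringPoolHeader_b79488511` although the commit message ties b/79488511 to DynamicRefTable::load, so a name reflecting that would be clearer.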
@@ -117,7 +122,7 @@ public class CorruptApkTests extends DeviceTestCase implements IBuildReceiver {
 /**
 * Attempt to install the package with the given name from resources
 **/
- private void installPackageFromResource(String apkFilenameInResources)
+ private void installPackageFromResource(String apkFilenameInResources)
 throws Exception {
 final ITestDevice device = getDevice();
 String fullResourceName = TEST_APK_RESOURCE_PREFIX + apkFilenameInResources;
-- cgit v1.2.3