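/*
 * Copyright (C) 2024 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.security.cts;

import static com.android.sts.common.CommandUtil.runAndCheck;
import static com.android.sts.common.SystemUtil.withSetting;

import static com.google.common.truth.Truth.assertWithMessage;

import static org.junit.Assume.assumeNoException;

import android.platform.test.annotations.AsbSecurityTest;

import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
import com.android.tradefed.device.ITestDevice;
import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;

import org.junit.Test;
import org.junit.runner.RunWith;

import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Host-side regression test for CVE-2023-40117 (b/253043065).
 *
 * <p>The test enables {@code secure_frp_mode} in the {@code global} and {@code secure} settings
 * namespaces, runs {@code settings reset} on both namespaces in every reset mode, and then checks
 * that the flag is still enabled. A device on which the flag is cleared by the reset is reported
 * as vulnerable.
 */
@RunWith(DeviceJUnit4ClassRunner.class)
public class CVE_2023_40117 extends NonRootSecurityTestCase {

    /**
     * Verifies that {@code secure_frp_mode} is excluded from {@code settings reset}.
     *
     * <p>Result semantics: an {@link AssertionError} from the final check is not an
     * {@link Exception}, so it escapes the {@code catch} below and fails the test. Any other
     * exception (device or setup trouble) is converted into an assumption failure, i.e. the test
     * is skipped. A skipped run therefore says nothing about whether the device is patched.
     */
    @AsbSecurityTest(cveBugId = 253043065)
    @Test
    public void testPocCVE_2023_40117() {
        try {
            ITestDevice device = getDevice();
            final String global = "global";
            final String secure = "secure";
            final String frpModeName = "secure_frp_mode";
            final String enableFRPMode = "1";

            // Settings namespaces to exercise and the reset modes to apply to each of them
            List<String> namespaces = Arrays.asList(global, secure);
            List<String> resetModes =
                    Arrays.asList("trusted_defaults", "untrusted_defaults", "untrusted_clear");

            // Resources are closed in reverse declaration order, so the full snapshot taken by
            // withPreservedSettings (before the flag is forced on) is written back last.
            // NOTE(review): withSetting is assumed to restore the previous value on close;
            // confirm against SystemUtil.
            try (AutoCloseable withPreservedSettings = withPreservedSettings(device, namespaces);
                    AutoCloseable withEnabledFRPGlobal =
                            withSetting(device, global, frpModeName, enableFRPMode);
                    AutoCloseable withEnabledFRPSecure =
                            withSetting(device, secure, frpModeName, enableFRPMode)) {

                // Reset every namespace in every reset mode
                for (String namespace : namespaces) {
                    for (String resetMode : resetModes) {
                        runAndCheck(
                                device,
                                String.format("settings reset %s %s", namespace, resetMode));
                    }
                }

                // Fetch the current states of 'secure_frp_mode' for both 'secure' and 'global'
                String secureFRPModeGlobal = device.getSetting(global, frpModeName);
                String secureFRPModeSecure = device.getSetting(secure, frpModeName);

                // Without fix 'SECURE_FRP_MODE' gets reset
                // With fix 'SECURE_FRP_MODE' stays enabled
                // Constant-first equals() also covers a null value read back from the device.
                boolean frpModeSurvivedReset =
                        enableFRPMode.equals(secureFRPModeGlobal)
                                && enableFRPMode.equals(secureFRPModeSecure);
                assertWithMessage(
                                "Device is vulnerable to b/253043065 !! secure_frp_mode should be "
                                        + "excluded from resets!")
                        .that(frpModeSurvivedReset)
                        .isTrue();
            }
        } catch (Exception e) {
            // Infrastructure failures skip the test instead of failing it
            assumeNoException(e);
        }
    }

    /**
     * Snapshots every setting of the given namespaces and returns a handle that writes the
     * snapshot back when closed.
     *
     * <p>Restoration only re-applies the key/value pairs captured in the snapshot; settings that
     * did not exist when the snapshot was taken are not deleted on close.
     *
     * @param device the device whose settings are saved and later restored
     * @param namespaces the settings namespaces to snapshot
     * @return an {@link AutoCloseable} that restores the saved settings
     * @throws Exception if reading the current settings from the device fails
     */
    private AutoCloseable withPreservedSettings(ITestDevice device, List<String> namespaces)
            throws Exception {
        // Save all settings, keyed by namespace
        Map<String, Map<String, String>> allSettingsOld = new HashMap<>();
        for (String namespace : namespaces) {
            allSettingsOld.put(namespace, device.getAllSettings(namespace));
        }

        // Returning AutoCloseable to restore all the settings
        return () -> {
            for (String namespace : namespaces) {
                Map<String, String> settingsWithValue = allSettingsOld.get(namespace);
                for (Map.Entry<String, String> entry : settingsWithValue.entrySet()) {
                    device.setSetting(namespace, entry.getKey(), entry.getValue());
                }
            }
        };
    }
}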