Merge "CTS test for Android Security b/244154558" into rvc-dev

Author: Treehugger Robot

hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_20944.java

@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_20944 extends NonRootSecurityTestCase {
+
+    // b/244154558
+    // Vulnerable module : services.jar
+    // Vulnerable module : Not applicable
+    // Is Play Managed   : No
+    @AsbSecurityTest(cveBugId = 244154558)
+    @Test
+    public void testPocCVE_2023_20944() {
+        try {
+            final String testPkg = "android.security.cts.CVE_2023_20944_test";
+
+            // Install the test and target apps
+            installPackage("CVE-2023-20944-test.apk");
+            installPackage("CVE-2023-20944-target.apk");
+
+            // Run the test "testCVE_2023_20944"
+            runDeviceTests(testPkg, testPkg + ".DeviceTest", "testCVE_2023_20944");
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}

hostsidetests/securitybulletin/test-apps/CVE-2023-20944/Android.bp

@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-20944-target",
+    defaults: [
+        "cts_support_defaults",
+    ],
+    srcs: [
+        "target-app/src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    manifest: "target-app/AndroidManifest.xml",
+    sdk_version: "current",
+}
+
+android_test_helper_app {
+    name: "CVE-2023-20944-test",
+    defaults: [
+        "cts_support_defaults",
+    ],
+    srcs: [
+        "test-app/src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+    ],
+    manifest: "test-app/AndroidManifest.xml",
+    resource_dirs: [
+        "res",
+        "test-app/res",
+    ],
+    platform_apis: true,
+}

hostsidetests/securitybulletin/test-apps/CVE-2023-20944/res/values/strings.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<resources>
+    <string name="accountType">android.security.cts.CVE_2023_20944_test.account</string>
+    <string name="actionTarget">actionTarget</string>
+    <string name="activityName">android.accounts.ChooseTypeAndAccountActivity</string>
+    <string name="activityTarget">android.security.cts.CVE_2023_20944_target.TargetActivity</string>
+    <string name="allowableAccountTypes">allowableAccountTypes</string>
+    <string name="bcastActionTarget">CVE_2023_20944_TargetActivity</string>
+    <string name="launchTaskId">android.activity.launchTaskId</string>
+    <string name="msgFail">Device is vulnerable to b/244154558 !!</string>
+    <string name="noExceptionMsg">no exception</string>
+    <string name="pkgName">android</string>
+    <string name="pkgTarget">android.security.cts.CVE_2023_20944_target</string>
+    <string name="pocCrashedMsg">PocActivity crashed with exception: %s</string>
+    <string name="pocFailedMsg">pocActivity failed</string>
+    <string name="spannableString">AAAAAAAAAAAA\n</string>
+    <string name="status">status</string>
+    <string name="targetFailMsg">TargetActivity did not launch successfully</string>
+    <string name="taskId">taskId</string>
+    <string name="taskOverlay">android.activity.taskOverlay</string>
+</resources>

hostsidetests/securitybulletin/test-apps/CVE-2023-20944/target-app/AndroidManifest.xml

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright (C) 2023 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_20944_target">
+    <application>
+        <activity android:name=".TargetActivity"
+            android:exported="true" />
+    </application>
+</manifest>

hostsidetests/securitybulletin/test-apps/CVE-2023-20944/target-app/src/android/security/cts/CVE_2023_20944_target/TargetActivity.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_20944_target;
+
+import android.app.Activity;
+import android.content.Intent;
+
+public class TargetActivity extends Activity {
+
+    @Override
+    protected void onResume() {
+        try {
+            super.onResume();
+            sendBroadcast(new Intent(getString(R.string.bcastActionTarget))
+                    .putExtra(getString(R.string.actionTarget), true)
+                    .putExtra(getString(R.string.taskId), getTaskId()));
+        } catch (Exception ignored) {
+            // ignoring exceptions here
+        }
+    }
+}

hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/AndroidManifest.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_20944_test">
+    <application>
+        <activity android:name=".PocActivity" />
+        <activity android:name=".HijackActivity" />
+        <service android:name=".PocAuthService"
+            android:exported="false">
+            <intent-filter>
+                <action android:name="android.accounts.AccountAuthenticator" />
+            </intent-filter>
+            <meta-data
+                android:name="android.accounts.AccountAuthenticator"
+                android:resource="@xml/authenticator" />
+        </service>
+    </application>
+    <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+        android:targetPackage="android.security.cts.CVE_2023_20944_test" />
+</manifest>

hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/res/xml/authenticator.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<account-authenticator xmlns:android="http://schemas.android.com/apk/res/android"
+    android:accountType="android.security.cts.CVE_2023_20944_test.account" />

hostsidetests/securitybulletin/test-apps/CVE-2023-20944/test-app/src/android/security/cts/CVE_2023_20944_test/DeviceTest.java

@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_20944_test;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.ActivityManager;
+import android.app.IActivityTaskManager;
+import android.app.UiAutomation;
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.os.ServiceManager;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.concurrent.Semaphore;
+import java.util.concurrent.TimeUnit;
+import java.util.List;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+    private String mPocActivityStatus;
+    private int mTaskId;
+
+    @Test
+    public void testCVE_2023_20944() {
+        try {
+            final int waitMs = 5000;
+            final int waitPerIter = 200;
+            Context context = getInstrumentation().getContext();
+            UiAutomation uiAutomation = getInstrumentation().getUiAutomation();
+            uiAutomation.adoptShellPermissionIdentity();
+
+            // Registering a receiver here to wait for a broadcast from TargetActivity
+            final Semaphore targetReturn = new Semaphore(0);
+            final Semaphore pocReturn = new Semaphore(0);
+            BroadcastReceiver broadcastReceiver = new BroadcastReceiver() {
+                @Override
+                public void onReceive(Context context, Intent intent) {
+                    try {
+                        if ((intent.getBooleanExtra(context.getString(R.string.actionTarget), false)
+                                && (mTaskId = intent.getIntExtra(context.getString(R.string.taskId),
+                                        -1)) != -1)) {
+                            targetReturn.release();
+                        }
+                        if ((mPocActivityStatus = intent
+                                .getStringExtra(context.getString(R.string.status))) != null) {
+                            pocReturn.release();
+                        }
+                    } catch (Exception ignored) {
+                        // ignore any exceptions
+                    }
+                }
+            };
+            IntentFilter filter = new IntentFilter(context.getString(R.string.bcastActionTarget));
+            context.registerReceiver(broadcastReceiver, filter);
+
+            // Start TargetActivity
+            Intent targetIntent = new Intent(Intent.ACTION_MAIN);
+            final String pkgTarget = context.getString(R.string.pkgTarget);
+            targetIntent.setClassName(pkgTarget, context.getString(R.string.activityTarget));
+            targetIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+            context.startActivity(targetIntent);
+            assumeTrue(context.getString(R.string.targetFailMsg),
+                    targetReturn.tryAcquire(waitMs, TimeUnit.MILLISECONDS));
+
+            // Start PocActivity which in turn starts the ChooseTypeAndAccountActivity
+            Intent intent = new Intent(context, PocActivity.class);
+            intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+            context.startActivity(intent);
+            assumeTrue(context.getString(R.string.pocFailedMsg),
+                    pocReturn.tryAcquire(waitMs, TimeUnit.MILLISECONDS));
+            assumeTrue(context.getString(R.string.pocCrashedMsg, mPocActivityStatus),
+                    mPocActivityStatus.equals(context.getString(R.string.noExceptionMsg)));
+
+            // Failing the test if the taskId received from the target activity matches with the
+            // list of running taskId and topActivity has HijackActivity in the same taskId.
+            IActivityTaskManager iActivityTaskManager = IActivityTaskManager.Stub
+                    .asInterface(ServiceManager.getService(Context.ACTIVITY_TASK_SERVICE));
+            long start = System.currentTimeMillis();
+            while (!(iActivityTaskManager.getAllStackInfos().toString()
+                    .contains(HijackActivity.class.getName()))
+                    && System.currentTimeMillis() - start < waitMs) {
+                Thread.sleep(waitPerIter);
+            }
+            boolean isDeviceVulnerable = false;
+            List<ActivityManager.StackInfo> runningTasks = iActivityTaskManager.getAllStackInfos();
+            for (ActivityManager.StackInfo runningTaskInfo : runningTasks) {
+                for (int i = 0; i < runningTaskInfo.taskIds.length; ++i) {
+                    if (mTaskId == runningTaskInfo.taskIds[i] && runningTaskInfo.topActivity
+                            .getClassName().equals(HijackActivity.class.getName())) {
+                        isDeviceVulnerable = true;
+                        break;
+                    }
+                }
+            }
+            assertFalse(context.getString(R.string.msgFail), isDeviceVulnerable);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}