1 /** 2 * Copyright (C) 2021 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.security.cts; 18 19 import android.platform.test.annotations.AsbSecurityTest; 20 import com.android.tradefed.device.ITestDevice; 21 import com.android.tradefed.testtype.DeviceJUnit4ClassRunner; 22 import java.util.regex.Pattern; 23 import java.util.regex.Matcher; 24 import org.junit.Test; 25 import org.junit.runner.RunWith; 26 27 import static org.hamcrest.core.Is.is; 28 import static org.junit.Assert.assertThat; 29 30 @RunWith(DeviceJUnit4ClassRunner.class) 31 public class CVE_2021_0523 extends SecurityTestCase { 32 extractInt(String str, int[] displaySize)33 private static void extractInt(String str, int[] displaySize) { 34 str = ((str.replaceAll("[^\\d]", " ")).trim()).replaceAll(" +", " "); 35 if (str.equals("")) { 36 return; 37 } 38 String s[] = str.split(" "); 39 for (int i = 0; i < s.length; ++i) { 40 displaySize[i] = Integer.parseInt(s[i]); 41 } 42 } 43 44 /** 45 * b/174047492 46 */ 47 @Test 48 @AsbSecurityTest(cveBugId = 174047492) testPocCVE_2021_0523()49 public void testPocCVE_2021_0523() throws Exception { 50 final int SLEEP_INTERVAL_MILLISEC = 30 * 1000; 51 String apkName = "CVE-2021-0523.apk"; 52 String appPath = AdbUtils.TMP_PATH + apkName; 53 String packageName = "android.security.cts.cve_2021_0523"; 54 String crashPattern = 55 "Device is vulnerable to b/174047492 hence any app with " + 56 "SYSTEM_ALERT_WINDOW can overlay the WifiScanModeActivity screen"; 57 ITestDevice device = getDevice(); 58 59 try { 60 /* Push the app to /data/local/tmp */ 61 pocPusher.appendBitness(false); 62 pocPusher.pushFile(apkName, appPath); 63 64 /* Wake up the screen */ 65 AdbUtils.runCommandLine("input keyevent KEYCODE_WAKEUP", device); 66 AdbUtils.runCommandLine("input keyevent KEYCODE_MENU", device); 67 AdbUtils.runCommandLine("input keyevent KEYCODE_HOME", device); 68 69 /* Install the application */ 70 AdbUtils.runCommandLine("pm install " + appPath, device); 71 72 /* Grant "Draw over other apps" permission */ 73 AdbUtils.runCommandLine( 74 "pm grant " + packageName + " android.permission.SYSTEM_ALERT_WINDOW", device); 75 76 /* Start the application */ 77 AdbUtils.runCommandLine("am start -n " + packageName + "/.PocActivity", getDevice()); 78 Thread.sleep(SLEEP_INTERVAL_MILLISEC); 79 80 /* Get screen width and height */ 81 int[] displaySize = new int[2]; 82 extractInt(AdbUtils.runCommandLine("wm size", device), displaySize); 83 int width = displaySize[0]; 84 int height = displaySize[1]; 85 86 /* Give a tap command for center of screen */ 87 AdbUtils.runCommandLine("input tap " + width / 2 + " " + height / 2, device); 88 } catch (Exception e) { 89 e.printStackTrace(); 90 } finally { 91 /* Un-install the app after the test */ 92 AdbUtils.runCommandLine("pm uninstall " + packageName, device); 93 94 /* Detection of crash pattern in the logs */ 95 String logcat = AdbUtils.runCommandLine("logcat -d *:S AndroidRuntime:E", device); 96 Pattern pattern = Pattern.compile(crashPattern, Pattern.MULTILINE); 97 assertThat(crashPattern, pattern.matcher(logcat).find(), is(false)); 98 } 99 } 100 } 101