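/*
 * Copyright (C) 2013 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.security.cts;

import android.platform.test.annotations.SecurityTest;

import junit.framework.TestCase;

/**
 * Kernel patch-level checks that delegate to native probes.
 *
 * <p>Each {@code test*} method asserts on the boolean returned by a matching native
 * {@code do*Test()} method. The polarity is not uniform: {@link #doPerfEventTest()} returns
 * {@code true} when the device is vulnerable, while the other probes return {@code true}
 * when the device is patched.
 *
 * <p>Three probes ({@link #doPerfEventTest2()}, {@link #doPingPongRootTest()} and
 * {@link #doPipeReadVTest()}) are documented as crashing the system when the patch is missing,
 * so an unpatched device may crash instead of reporting an assertion failure. When triaging a
 * run that ended without a result, check which of these tests was executing.
 */
@SecurityTest
public class NativeCodeTest extends TestCase {

    static {
        // Loads the JNI library expected to provide the native do*Test() methods declared below.
        System.loadLibrary("ctssecurity_jni");
    }

    /**
     * Fails if the device is vulnerable to CVE-2013-2094.
     *
     * <p>Uses {@code assertFalse} because {@link #doPerfEventTest()} returns {@code true} for
     * a vulnerable device, unlike the other probes in this class.
     */
    @SecurityTest
    public void testPerfEvent() throws Exception {
        assertFalse("Device is vulnerable to CVE-2013-2094. Please apply security patch "
                    + "at http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/"
                    + "commit/?id=8176cced706b5e5d15887584150764894e94e02f",
                    doPerfEventTest());
    }

    /**
     * Fails if the fix for CVE-2013-4254 is not applied.
     *
     * <p>{@link #doPerfEventTest2()} is documented to crash an unpatched system rather than
     * return {@code false}; the failure message names the CVE and patch in case the probe
     * does return {@code false}, matching the other tests in this class.
     */
    @SecurityTest
    public void testPerfEvent2() throws Exception {
        assertTrue("Device is vulnerable to CVE-2013-4254. Please apply security patch "
                   + "at http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/"
                   + "commit/?id=c95eb3184ea1a3a2551df57190c81da695e2144b",
                   doPerfEventTest2());
    }

    /** Fails if the device is not patched against CVE-2014-3153 (futex() system call). */
    @SecurityTest
    public void testFutex() throws Exception {
        assertTrue("Device is vulnerable to CVE-2014-3153, a vulnerability in the futex() system "
                   + "call. Please apply the security patch at "
                   + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/"
                   + "?id=e9c243a5a6de0be8e584c604d353412584b592f8",
                   doFutexTest());
    }

    /** Fails if the device is not patched against CVE-2014-5332 (NVMAP_IOC_FROM_ID ioctl). */
    @SecurityTest
    public void testNvmapIocFromId() throws Exception {
        assertTrue("Device is vulnerable to CVE-2014-5332. "
                   + "NVIDIA has released code fixes to upstream repositories and device vendors. "
                   + "For more information, see "
                   + "https://nvidia.custhelp.com/app/answers/detail/a_id/3618",
                   doNvmapIocFromIdTest());
    }

    /**
     * Fails if the fix for CVE-2015-3636 (ping socket implementation) is not applied.
     *
     * <p>{@link #doPingPongRootTest()} is documented to crash an unpatched system.
     */
    @SecurityTest
    public void testPingPongRoot() throws Exception {
        assertTrue("Device is vulnerable to CVE-2015-3636, a vulnerability in the ping "
                   + "socket implementation. Please apply the security patch at "
                   + "https://github.com/torvalds/linux/commit/a134f083e79f",
                   doPingPongRootTest());
    }

    /**
     * Fails if the fixes for CVE-2015-1805 and CVE-2016-0774 (pipe_read()) are not applied.
     *
     * <p>{@link #doPipeReadVTest()} is documented to crash an unpatched system.
     */
    @SecurityTest
    public void testPipeReadV() throws Exception {
        assertTrue("Device is vulnerable to CVE-2015-1805 and/or CVE-2016-0774,"
                   + " a vulnerability in the pipe_read() function."
                   + " Please apply the following patches:\n"
                   + "https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=75cf667b7fac08a7b21694adca7dff07361be68a\n"
                   + "https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=feae3ca2e5e1a8f44aa6290255d3d9709985d0b2\n",
                   doPipeReadVTest());
    }

    /** Fails if Sys V IPC is still present in the kernel (CONFIG_SYSVIPC enabled). */
    @SecurityTest
    public void testSysVipc() throws Exception {
        assertTrue("Android does not support Sys V IPC, it must "
                   + "be removed from the kernel. In the kernel config: "
                   + "Change \"CONFIG_SYSVIPC=y\" to \"# CONFIG_SYSVIPC is not set\" "
                   + "and rebuild.",
                   doSysVipcTest());
    }

    /**
     * Returns true iff this device is vulnerable to CVE-2013-2094.
     * A patch for CVE-2013-2094 can be found at
     * http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8176cced706b5e5d15887584150764894e94e02f
     */
    private static native boolean doPerfEventTest();

    /**
     * CVE-2013-4254
     *
     * Verifies that
     * http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c95eb3184ea1a3a2551df57190c81da695e2144b
     * is applied to the system. Returns true if the patch is applied,
     * and crashes the system otherwise.
     *
     * While you're at it, please also apply the following patch:
     * http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b88a2595b6d8aedbd275c07dfa784657b4f757eb
     *
     * Credit: https://github.com/deater/perf_event_tests/blob/master/exploits/arm_perf_exploit.c
     */
    private static native boolean doPerfEventTest2();

    /** Fails if the device is vulnerable to CVE-2014-1710. */
    @SecurityTest
    public void testCVE20141710() throws Exception {
        assertTrue("Device is vulnerable to CVE-2014-1710", doCVE20141710Test());
    }

    /**
     * ANDROID-15455425 / CVE-2014-3153
     *
     * Returns true if the device is patched against the futex() system call vulnerability.
     *
     * More information on this vulnerability is at http://seclists.org/oss-sec/2014/q2/467 and
     * the patch is at:
     * https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9c243a5a6de0be8e584c604d353412584b592f8
     */
    private static native boolean doFutexTest();

    /**
     * ANDROID-17453812 / CVE-2014-5332
     *
     * Returns true if the device is patched against the NVMAP_IOC_FROM_ID ioctl call.
     *
     * More information on this vulnerability is available at
     * https://nvidia.custhelp.com/app/answers/detail/a_id/3618
     */
    private static native boolean doNvmapIocFromIdTest();

    /**
     * Returns true if the device is immune to CVE-2014-1710,
     * false if the device is vulnerable.
     */
    private static native boolean doCVE20141710Test();

    /**
     * CVE-2015-3636
     *
     * Returns true if the patch is applied, crashes the system otherwise.
     *
     * Detects if the following patch is present.
     * https://github.com/torvalds/linux/commit/a134f083e79f
     *
     * Credit: Wen Xu and wushi of KeenTeam.
     * http://seclists.org/oss-sec/2015/q2/333
     */
    private static native boolean doPingPongRootTest();

    /**
     * CVE-2015-1805 and CVE-2016-0774
     *
     * Returns true if the patches are applied, crashes the system otherwise.
     *
     * Detects if the following patches are present.
     * https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=75cf667b7fac08a7b21694adca7dff07361be68a
     * https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=feae3ca2e5e1a8f44aa6290255d3d9709985d0b2
     *
     * b/27275324 and b/27721803
     */
    private static native boolean doPipeReadVTest();

    /**
     * Test that SysV IPC has been removed from the kernel.
     *
     * Returns true if SysV IPC has been removed.
     *
     * System V IPCs are not compliant with Android's application lifecycle because allocated
     * resources are not freed by the low memory killer. This leads to global kernel resource
     * leakage.
     *
     * For example, there is no way to automatically release a SysV semaphore
     * allocated in the kernel when:
     * - a buggy or malicious process exits
     * - a non-buggy and non-malicious process crashes or is explicitly killed.
     *
     * Killing processes automatically to make room for new ones is an
     * important part of Android's application lifecycle implementation. This means
     * that, even assuming only non-buggy and non-malicious code, it is very likely
     * that over time, the kernel global tables used to implement SysV IPCs will fill
     * up.
     */
    private static native boolean doSysVipcTest();

}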