1 /*
2  * Copyright (C) 2013 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.security.cts;
18 
19 import android.platform.test.annotations.SecurityTest;
20 
21 import junit.framework.TestCase;
22 
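/**
 * CTS security tests that call native probes to check whether the device is vulnerable to
 * specific, publicly documented CVEs, and that SysV IPC is absent from the kernel.
 *
 * <p>Operational caveat: the Javadoc on {@link #doPerfEventTest2()},
 * {@link #doPingPongRootTest()} and {@link #doPipeReadVTest()} states that the probe crashes
 * the system when the corresponding patch is missing. On such a device the result appears as a
 * device crash during the run rather than as an assertion failure, so an unexpected crash while
 * this class executes should be triaged as a potential "vulnerable" result. Run these tests
 * only on devices where a crash is acceptable.
 */
@SecurityTest
public class NativeCodeTest extends TestCase {

    static {
        // The only native library loaded by this class; it is expected to provide the
        // do*Test() native methods declared below. An UnsatisfiedLinkError here fails the class.
        System.loadLibrary("ctssecurity_jni");
    }

    /**
     * Fails if the device is vulnerable to CVE-2013-2094.
     *
     * <p>Polarity note: {@link #doPerfEventTest()} returns true when the device IS vulnerable,
     * the opposite of the other native probes in this class, hence {@code assertFalse}.
     */
    @SecurityTest
    public void testPerfEvent() throws Exception {
        assertFalse("Device is vulnerable to CVE-2013-2094. Please apply security patch "
                    + "at http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/"
                    + "commit/?id=8176cced706b5e5d15887584150764894e94e02f",
                    doPerfEventTest());
    }

    /**
     * Fails if the device is missing the fix for CVE-2013-4254.
     *
     * <p>The failure message mirrors the sibling tests so that a failing report names the CVE
     * and the patch to apply. Per {@link #doPerfEventTest2()}, an unpatched device is expected
     * to crash instead of returning false.
     */
    @SecurityTest
    public void testPerfEvent2() throws Exception {
        assertTrue("Device is vulnerable to CVE-2013-4254. Please apply security patch "
                   + "at http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/"
                   + "commit/?id=c95eb3184ea1a3a2551df57190c81da695e2144b",
                   doPerfEventTest2());
    }

    /** Fails if the device is vulnerable to CVE-2014-3153 (futex() system call). */
    @SecurityTest
    public void testFutex() throws Exception {
        assertTrue("Device is vulnerable to CVE-2014-3153, a vulnerability in the futex() system "
                   + "call. Please apply the security patch at "
                   + "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/"
                   + "?id=e9c243a5a6de0be8e584c604d353412584b592f8",
                   doFutexTest());
    }

    /** Fails if the device is vulnerable to CVE-2014-5332 (NVMAP_IOC_FROM_ID ioctl). */
    @SecurityTest
    public void testNvmapIocFromId() throws Exception {
        assertTrue("Device is vulnerable to CVE-2014-5332. "
                   + "NVIDIA has released code fixes to upstream repositories and device vendors. "
                   + "For more information, see "
                   + "https://nvidia.custhelp.com/app/answers/detail/a_id/3618",
                   doNvmapIocFromIdTest());
    }

    /**
     * Fails if the device is vulnerable to CVE-2015-3636 (ping socket implementation).
     *
     * <p>Per {@link #doPingPongRootTest()}, an unpatched device is expected to crash instead of
     * returning false.
     */
    @SecurityTest
    public void testPingPongRoot() throws Exception {
        assertTrue("Device is vulnerable to CVE-2015-3636, a vulnerability in the ping "
                   + "socket implementation. Please apply the security patch at "
                   + "https://github.com/torvalds/linux/commit/a134f083e79f",
                   doPingPongRootTest());
    }

    /**
     * Fails if the device is vulnerable to CVE-2015-1805 and/or CVE-2016-0774 (pipe_read()).
     *
     * <p>Per {@link #doPipeReadVTest()}, an unpatched device is expected to crash instead of
     * returning false.
     */
    @SecurityTest
    public void testPipeReadV() throws Exception {
        assertTrue("Device is vulnerable to CVE-2015-1805 and/or CVE-2016-0774,"
                   + " a vulnerability in the pipe_read() function."
                   + " Please apply the following patches:\n"
                   + "https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=75cf667b7fac08a7b21694adca7dff07361be68a\n"
                   + "https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=feae3ca2e5e1a8f44aa6290255d3d9709985d0b2\n",
                   doPipeReadVTest());
    }

    /** Fails if SysV IPC is still enabled in the kernel (CONFIG_SYSVIPC). */
    @SecurityTest
    public void testSysVipc() throws Exception {
        assertTrue("Android does not support Sys V IPC, it must "
                   + "be removed from the kernel. In the kernel config: "
                   + "Change \"CONFIG_SYSVIPC=y\" to \"# CONFIG_SYSVIPC is not set\" "
                   + "and rebuild.",
                   doSysVipcTest());
    }

    /**
     * Returns true iff this device is vulnerable to CVE-2013-2094.
     * A patch for CVE-2013-2094 can be found at
     * http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8176cced706b5e5d15887584150764894e94e02f
     *
     * <p>Note the polarity: true means vulnerable, unlike the other probes in this class.
     */
    private static native boolean doPerfEventTest();

    /**
     * CVE-2013-4254
     *
     * Verifies that
     * http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c95eb3184ea1a3a2551df57190c81da695e2144b
     * is applied to the system. Returns true if the patch is applied,
     * and crashes the system otherwise.
     *
     * While you're at it, please also apply the following patch:
     * http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b88a2595b6d8aedbd275c07dfa784657b4f757eb
     *
     * Credit: https://github.com/deater/perf_event_tests/blob/master/exploits/arm_perf_exploit.c
     */
    private static native boolean doPerfEventTest2();

    /** Fails if the device is vulnerable to CVE-2014-1710. */
    @SecurityTest
    public void testCVE20141710() throws Exception {
        assertTrue("Device is vulnerable to CVE-2014-1710", doCVE20141710Test());
    }

    /**
     * ANDROID-15455425 / CVE-2014-3153
     *
     * Returns true if the device is patched against the futex() system call vulnerability.
     *
     * More information on this vulnerability is at http://seclists.org/oss-sec/2014/q2/467 and
     * the patch is at:
     * https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9c243a5a6de0be8e584c604d353412584b592f8
     */
    private static native boolean doFutexTest();

    /**
     * ANDROID-17453812 / CVE-2014-5332
     *
     * Returns true if the device is patched against the NVMAP_IOC_FROM_ID ioctl call.
     *
     * More information on this vulnerability is available at
     * https://nvidia.custhelp.com/app/answers/detail/a_id/3618
     */
    private static native boolean doNvmapIocFromIdTest();

    /**
     * Returns true if the device is immune to CVE-2014-1710,
     * false if the device is vulnerable.
     */
    private static native boolean doCVE20141710Test();

    /**
     * CVE-2015-3636
     *
     * Returns true if the patch is applied, crashes the system otherwise.
     *
     * Detects if the following patch is present.
     * https://github.com/torvalds/linux/commit/a134f083e79f
     *
     * Credit: Wen Xu and wushi of KeenTeam.
     * http://seclists.org/oss-sec/2015/q2/333
     */
    private static native boolean doPingPongRootTest();

    /**
     * CVE-2015-1805 and CVE-2016-0774
     *
     * Returns true if the patches are applied, crashes the system otherwise.
     *
     * Detects if the following patches are present.
     * https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=75cf667b7fac08a7b21694adca7dff07361be68a
     * https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=feae3ca2e5e1a8f44aa6290255d3d9709985d0b2
     *
     * b/27275324 and b/27721803
     */
    private static native boolean doPipeReadVTest();

    /**
     * Test that SysV IPC has been removed from the kernel.
     *
     * Returns true if SysV IPC has been removed.
     *
     * System V IPCs are not compliant with Android's application lifecycle because allocated
     * resources are not freed by the low memory killer. This leads to global kernel resource
     * leakage.
     *
     * For example, there is no way to automatically release a SysV semaphore
     * allocated in the kernel when:
     * - a buggy or malicious process exits
     * - a non-buggy and non-malicious process crashes or is explicitly killed.
     *
     * Killing processes automatically to make room for new ones is an
     * important part of Android's application lifecycle implementation. This means
     * that, even assuming only non-buggy and non-malicious code, it is very likely
     * that over time, the kernel global tables used to implement SysV IPCs will fill
     * up.
     */
    private static native boolean doSysVipcTest();

}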