authorNick Kralevich <nnk@google.com>2011-12-12 13:42:53 -0800
committerNick Kralevich <nnk@google.com>2011-12-13 11:05:06 -0800
commitc0cf6bce5fbaf569b5d492a2f270c2425ab86311 (patch)
tree82a1d2e2d2cfde2e7dae607dbac228f7cd7e5b92
parent669e7bf7f60d0c674b54b32e667802967845e2ab (diff)
Backport VoldExploitTest from Gingerbreadfroyo
Resync with Gingerbread. Change-Id: Ieee0d8cd162dd69d1418454283b2cb67af856da3
-rw-r--r--tests/tests/security/src/android/security/cts/VoldExploitTest.java54
1 files changed, 40 insertions, 14 deletions
diff --git a/tests/tests/security/src/android/security/cts/VoldExploitTest.java b/tests/tests/security/src/android/security/cts/VoldExploitTest.java
index 7a986d21f8d..814103dcf6c 100644
--- a/tests/tests/security/src/android/security/cts/VoldExploitTest.java
+++ b/tests/tests/security/src/android/security/cts/VoldExploitTest.java
@@ -23,7 +23,9 @@ import android.os.Parcel;
import android.os.RemoteException;
import android.test.AndroidTestCase;
+import java.io.BufferedReader;
import java.io.File;
+import java.io.FileReader;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.InvocationTargetException;
@@ -47,15 +49,14 @@ public class VoldExploitTest extends AndroidTestCase {
* below hangs until CTS kills the testsuite (10 minutes). A timeout,
* while not desirable, is the typical failure for this test.
*/
- public void testZergRushUsingRelection() {
+ public void testZergRushUsingRelection() throws Exception {
// This test assumes we have the MOUNT_UNMOUNT_FILESYSTEMS permission
// Check it first so we know we're reaching the vulnerable code.
assertEquals(PackageManager.PERMISSION_GRANTED,
getContext().checkCallingOrSelfPermission(
android.Manifest.permission.MOUNT_UNMOUNT_FILESYSTEMS));
- Set<Integer> pids = getPids();
- assertTrue(pids.size() > 1); // at least vold and netd should exist
+ int pid = findVold();
try {
Object iBinderObj = Class.forName("android.os.ServiceManager")
@@ -99,18 +100,17 @@ public class VoldExploitTest extends AndroidTestCase {
// remote failure. Assume not exploitable.
}
- // Check to see if all the processes are still alive. If
- // any of them have died, we found an exploitable bug.
- for (int i : pids) {
- assertTrue(
- "PID=" + i + " crashed due to a malformed mount message."
- + " Detected unpatched ZergRush vulnerability (CVE-2011-3874).",
- new File("/proc/" + i + "/cmdline").exists());
- }
+ Thread.sleep(2000); // give vold some time to crash
+
+ // Check to see if vold is still alive.
+ assertTrue(
+ "PID=" + pid + " crashed due to a malformed mount message."
+ + " Detected unpatched ZergRush vulnerability (CVE-2011-3874).",
+ new File("/proc/" + pid + "/cmdline").exists());
}
/**
- * Try to crash the vold program.
+ * Try to crash the vold program using CVE-2011-1823.
*
* This test attempts to send an invalid netlink messages to
* any process which is listening for the messages. If we detect
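Review bot: The liveness check after `Thread.sleep(2000)` only tests that `/proc/<pid>/cmdline` exists, so it may report a pass when vold dies later than the fixed two-second wait or when the PID has already been reused by another process. Both cases are false negatives for a test whose purpose is to flag an unpatched device. Consider re-reading the cmdline and asserting it still starts with `/system/bin/vold`, and polling for a bounded period rather than relying on a single sleep. The test method starts above this hunk, so the binder call that precedes the check is not visible here.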
@@ -129,8 +129,8 @@ public class VoldExploitTest extends AndroidTestCase {
devices.addAll(getSysFsPath("/etc/vold.fstab"));
devices.addAll(getSysFsPath("/system/etc/vold.fstab"));
if (devices.isEmpty()) {
- // FIXME: We should be able to detect this security hole
- // even if there's no vold.fstab entry
+ // This vulnerability is not exploitable if there's
+ // no entry in vold.fstab
return;
}
@@ -187,6 +187,9 @@ public class VoldExploitTest extends AndroidTestCase {
private static Set<String> getSysFsPath(String file) throws IOException {
Set<String> retval = new HashSet<String>();
File netlink = new File(file);
+ if (!netlink.canRead()) {
+ return retval;
+ }
Scanner scanner = null;
try {
scanner = new Scanner(netlink);
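Review bot: `netlink.canRead()` is false both when the file is missing and when it exists but the test's uid cannot read it. In the second case `getSysFsPath` returns an empty set, and the caller's `devices.isEmpty()` branch (previous hunk) then returns without testing anything, so the test passes unexercised. If the intent is only to tolerate a missing `/etc/vold.fstab`, `if (!netlink.exists()) { return retval; }` would keep an unreadable file visible as an error. The method body continues past this hunk.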
@@ -235,6 +238,29 @@ public class VoldExploitTest extends AndroidTestCase {
}
}
+ private static int findVold() throws IOException {
+ File f = new File("/proc");
+ for (File d : f.listFiles()) {
+ String cmdLineString = d.getAbsolutePath() + "/cmdline";
+ File cmdLine = new File(cmdLineString);
+ if (cmdLine.exists()) {
+ BufferedReader in = null;
+ try {
+ in = new BufferedReader(new FileReader(cmdLine));
+ String line = in.readLine();
+ if ((line != null) && line.startsWith("/system/bin/vold")) {
+ return Integer.decode(d.getName());
+ }
+ } finally {
+ if (in != null) {
+ in.close();
+ }
+ }
+ }
+ }
+ throw new RuntimeException("should never get here");
+ }
+
/**
* Extract all the PIDs listening for netlink messages.
*/