author | Nick Kralevich <nnk@google.com> | 2011-12-12 13:42:53 -0800 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2011-12-13 11:05:06 -0800 |
commit | c0cf6bce5fbaf569b5d492a2f270c2425ab86311 (patch) | |
tree | 82a1d2e2d2cfde2e7dae607dbac228f7cd7e5b92 | |
parent | 669e7bf7f60d0c674b54b32e667802967845e2ab (diff) | |
download | cts-froyo.tar.gz |
Backport VoldExploitTest from Gingerbreadfroyo
Resync with Gingerbread.
Change-Id: Ieee0d8cd162dd69d1418454283b2cb67af856da3
-rw-r--r-- | tests/tests/security/src/android/security/cts/VoldExploitTest.java | 54 |
1 files changed, 40 insertions, 14 deletions
diff --git a/tests/tests/security/src/android/security/cts/VoldExploitTest.java b/tests/tests/security/src/android/security/cts/VoldExploitTest.java index 7a986d21f8d..814103dcf6c 100644 --- a/tests/tests/security/src/android/security/cts/VoldExploitTest.java +++ b/tests/tests/security/src/android/security/cts/VoldExploitTest.java @@ -23,7 +23,9 @@ import android.os.Parcel; import android.os.RemoteException; import android.test.AndroidTestCase; +import java.io.BufferedReader; import java.io.File; +import java.io.FileReader; import java.io.IOException; import java.io.UnsupportedEncodingException; import java.lang.reflect.InvocationTargetException; @@ -47,15 +49,14 @@ public class VoldExploitTest extends AndroidTestCase { * below hangs until CTS kills the testsuite (10 minutes). A timeout, * while not desirable, is the typical failure for this test. */ - public void testZergRushUsingRelection() { + public void testZergRushUsingRelection() throws Exception { // This test assumes we have the MOUNT_UNMOUNT_FILESYSTEMS permission // Check it first so we know we're reaching the vulnerable code. assertEquals(PackageManager.PERMISSION_GRANTED, getContext().checkCallingOrSelfPermission( android.Manifest.permission.MOUNT_UNMOUNT_FILESYSTEMS)); - Set<Integer> pids = getPids(); - assertTrue(pids.size() > 1); // at least vold and netd should exist + int pid = findVold(); try { Object iBinderObj = Class.forName("android.os.ServiceManager") 
@@ -99,18 +100,17 @@ public class VoldExploitTest extends AndroidTestCase { // remote failure. Assume not exploitable. } - // Check to see if all the processes are still alive. If - // any of them have died, we found an exploitable bug. - for (int i : pids) { - assertTrue( - "PID=" + i + " crashed due to a malformed mount message." - + " Detected unpatched ZergRush vulnerability (CVE-2011-3874).", - new File("/proc/" + i + "/cmdline").exists()); - } + Thread.sleep(2000); // give vold some time to crash + + // Check to see if vold is still alive. + assertTrue( + "PID=" + pid + " crashed due to a malformed mount message." + + " Detected unpatched ZergRush vulnerability (CVE-2011-3874).", + new File("/proc/" + pid + "/cmdline").exists()); } /** - * Try to crash the vold program. + * Try to crash the vold program using CVE-2011-1823. * * This test attempts to send an invalid netlink messages to * any process which is listening for the messages. If we detect @@ -129,8 +129,8 @@ public class VoldExploitTest extends AndroidTestCase { devices.addAll(getSysFsPath("/etc/vold.fstab")); devices.addAll(getSysFsPath("/system/etc/vold.fstab")); if (devices.isEmpty()) { - // FIXME: We should be able to detect this security hole - // even if there's no vold.fstab entry + // This vulnerability is not exploitable if there's + // no entry in vold.fstab return; } @@ -187,6 +187,9 @@ public class VoldExploitTest extends AndroidTestCase { private static Set<String> getSysFsPath(String file) throws IOException { Set<String> retval = new HashSet<String>(); File netlink = new File(file); + if (!netlink.canRead()) { + return retval; + } Scanner scanner = null; try { scanner = new Scanner(netlink); 
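Review bot: The new liveness check in testZergRushUsingRelection relies on a fixed `Thread.sleep(2000)` and on `/proc/<pid>/cmdline` merely existing, so a vold that dies later than two seconds, or a PID that has been reused by then, would let the test pass on an unpatched device. Since findVold() is now available, the check could also confirm the PID still belongs to vold, for example `assertEquals("vold was restarted after the malformed mount message", pid, findVold());` after the existing assertTrue. If the two-second budget is kept, a comment saying how it was chosen would help whoever tunes it on slower hardware. The method body starts before this hunk.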
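Review bot: The `!netlink.canRead()` guard added to getSysFsPath returns an empty set both when vold.fstab is absent and when it exists but the test process cannot read it, and the hunk at -129 then treats an empty set as "not exploitable" and returns, so an unreadable file makes the test pass without exercising anything. Distinguishing the two cases keeps the skip honest: `if (!netlink.exists()) { return retval; }` would, as far as the visible lines show, let the unreadable case surface as an IOException from the Scanner constructor. The rewritten comment at -129 could also say that its conclusion depends on the file having been readable. Both functions continue outside their hunks.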
@@ -235,6 +238,29 @@ public class VoldExploitTest extends AndroidTestCase { } } + private static int findVold() throws IOException { + File f = new File("/proc"); + for (File d : f.listFiles()) { + String cmdLineString = d.getAbsolutePath() + "/cmdline"; + File cmdLine = new File(cmdLineString); + if (cmdLine.exists()) { + BufferedReader in = null; + try { + in = new BufferedReader(new FileReader(cmdLine)); + String line = in.readLine(); + if ((line != null) && line.startsWith("/system/bin/vold")) { + return Integer.decode(d.getName()); + } + } finally { + if (in != null) { + in.close(); + } + } + } + } + throw new RuntimeException("should never get here"); + } + /** * Extract all the PIDs listening for netlink messages. */ |
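Review bot: findVold() can abort the test for reasons unrelated to vold: `f.listFiles()` returns null when /proc cannot be listed, which becomes a NullPointerException in the for loop, and a process that exits between `cmdLine.exists()` and `new FileReader(cmdLine)` raises FileNotFoundException out of the scan. The final `throw new RuntimeException("should never get here")` is also reachable whenever vold is not running or was started from a different path, so its message should say that vold was not found. The sketch below guards the listing, skips entries that vanish mid-scan and rewords the failure; it needs `java.io.FileNotFoundException` imported.

```java
private static int findVold() throws IOException {
    File[] entries = new File("/proc").listFiles();
    if (entries == null) {
        throw new IOException("unable to list /proc");
    }
    for (File d : entries) {
        // … unchanged: build cmdLine and test cmdLine.exists() …
            try {
                in = new BufferedReader(new FileReader(cmdLine));
                // … unchanged: readLine() and startsWith("/system/bin/vold") check …
            } catch (FileNotFoundException e) {
                // The process exited between the directory listing and the open;
                // it cannot be the vold we are looking for, so keep scanning.
            } finally {
                // … unchanged: close the reader …
            }
    }
    throw new RuntimeException("vold process not found under /proc");
```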