1 /*
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <android/binder_ibinder.h>
18 #include "ibinder_internal.h"
19
20 #include <android/binder_status.h>
21 #include "parcel_internal.h"
22 #include "status_internal.h"
23
24 #include <android-base/logging.h>
25 #include <binder/IPCThreadState.h>
26
27 using DeathRecipient = ::android::IBinder::DeathRecipient;
28
29 using ::android::IBinder;
30 using ::android::Parcel;
31 using ::android::sp;
32 using ::android::status_t;
33 using ::android::String16;
34 using ::android::String8;
35 using ::android::wp;
36
// Tag attached to an IBinder that is backed by an ABBinder, so that a plain
// IBinder can be recognised as one before it is downcast.
namespace ABBinderTag {

// Key the tag is stored under.
static const void* kId = "ABBinder";
// Tag value: the address of a heap bool that this file never frees, so every
// tagged binder shares the same sentinel pointer.
static void* kValue = static_cast<void*>(new bool{true});

// Cleanup callback passed to attachObject(). kValue is shared, so there is
// nothing to release per object.
void clean(const void* /*id*/, void* /*obj*/, void* /*cookie*/) {
    // intentionally empty
}

// Marks `binder` as being an ABBinder.
static void attach(const sp<IBinder>& binder) {
    binder->attachObject(kId, kValue, nullptr /*cookie*/, clean);
}

// Returns true only for a non-null binder that carries the ABBinder tag.
// ABpBinder::lookupOrCreateFromBinder static_casts the IBinder to ABBinder on
// the strength of this answer, so the tag must only ever be attached to real
// ABBinder instances (in this file: AIBinder_new).
static bool has(const sp<IBinder>& binder) {
    if (binder == nullptr) {
        return false;
    }
    return binder->findObject(kId) == kValue;
}

}  // namespace ABBinderTag
51
// Per-IBinder record used to find the ABpBinder that already represents a
// given binder in this process.
namespace ABpBinderTag {

// Guards lookup, creation and clearing of the attached Value records.
static std::mutex gLock;
// Key the Value record is stored under.
static const void* kId = "ABpBinder";
// Heap record attached to the IBinder. The reference is weak, so the record
// alone does not keep the ABpBinder alive.
struct Value {
    wp<ABpBinder> binder;
};
// Cleanup callback passed to attachObject(): frees the Value record.
// Aborts if it is invoked for a key other than kId.
void clean(const void* id, void* obj, void* cookie) {
    CHECK(id == kId) << id << " " << obj << " " << cookie;

    Value* record = static_cast<Value*>(obj);
    delete record;
}

}  // namespace ABpBinderTag
66
// Stores the class this binder belongs to. ABpBinder constructs its base with
// a null class, which associateClass() may fill in later.
AIBinder::AIBinder(const AIBinder_Class* clazz) : mClazz{clazz} {}
// Nothing to release here; mClazz is not owned by the binder.
AIBinder::~AIBinder() = default;
69
// Associates this binder with `clazz`.
//
// Returns true when the binder already has exactly this class object, or when
// it had no class and the descriptor reported by the underlying binder equals
// the descriptor of `clazz`. Returns false for a null class, for a binder that
// already has a different class object, and for a descriptor mismatch.
//
// NOTE(review): the check compares descriptor strings only. For a proxy the
// descriptor presumably comes from the remote side, so a match establishes the
// interface name, not the identity or trustworthiness of the peer.
bool AIBinder::associateClass(const AIBinder_Class* clazz) {
    if (clazz == nullptr) {
        return false;
    }
    if (clazz == mClazz) {
        return true;
    }

    String8 requested(clazz->getInterfaceDescriptor());

    if (mClazz != nullptr) {
        String8 existing(mClazz->getInterfaceDescriptor());
        if (requested != existing) {
            LOG(ERROR) << __func__
                       << ": Class cannot be associated on object which already has a class. "
                          "Trying to associate to '"
                       << requested.c_str() << "' but already set to '" << existing.c_str()
                       << "'.";
        } else {
            // Same name, different class object.
            LOG(ERROR) << __func__ << ": Class descriptors '" << existing
                       << "' match during associateClass, but they are different class objects. "
                          "Class descriptor collision?";
        }

        // Either way this fails: mClazz is set and is not `clazz`.
        return false;
    }

    // An ABBinder is always constructed with a class, so only a proxy can
    // reach this point.
    CHECK(asABpBinder() != nullptr);

    String8 reported(getBinder()->getInterfaceDescriptor());
    if (reported != requested) {
        LOG(ERROR) << __func__ << ": Expecting binder to have class '" << requested.c_str()
                   << "' but descriptor is actually '" << reported.c_str() << "'.";
        return false;
    }

    // if this is a local object, it's not one known to libbinder_ndk
    mClazz = clazz;
    return true;
}
108
// Local binder object. `userData` is kept as an opaque pointer and handed back
// to the class's onDestroy callback by the destructor. Aborts on a null class.
ABBinder::ABBinder(const AIBinder_Class* clazz, void* userData)
    : AIBinder(clazz), BBinder(), mUserData{userData} {
    CHECK(clazz != nullptr);
}
// Gives the user data back to the class so it can release it.
ABBinder::~ABBinder() {
    const auto* clazz = getClass();
    clazz->onDestroy(mUserData);
}
116
// The descriptor of a local binder is the descriptor of its class.
const String16& ABBinder::getInterfaceDescriptor() const {
    const auto* clazz = getClass();
    return clazz->getInterfaceDescriptor();
}
120
// Forwards a dump request to the class's onDump callback, converting the
// UTF-16 arguments to UTF-8 C strings.
//
// Returns STATUS_OK when the class has no onDump callback, STATUS_BAD_VALUE
// when there are more than INT32_MAX arguments, otherwise whatever the
// callback returns.
status_t ABBinder::dump(int fd, const ::android::Vector<String16>& args) {
    AIBinder_onDump callback = getClass()->onDump;
    if (callback == nullptr) {
        return STATUS_OK;
    }

    // technically UINT32_MAX would be okay here, but INT32_MAX is expected since this may be
    // null in Java
    if (args.size() > INT32_MAX) {
        LOG(ERROR) << "ABBinder::dump received too many arguments: " << args.size();
        return STATUS_BAD_VALUE;
    }

    // ownedArgs keeps the converted strings alive; rawArgs is the pointer
    // array the callback receives. Both are valid only for this call.
    std::vector<String8> ownedArgs;
    ownedArgs.reserve(args.size());
    std::vector<const char*> rawArgs;
    rawArgs.reserve(args.size());

    for (size_t idx = 0; idx < args.size(); ++idx) {
        ownedArgs.push_back(String8(args[idx]));
        rawArgs.push_back(ownedArgs.back().c_str());
    }

    return callback(this, fd, rawArgs.data(), rawArgs.size());
}
147
// Entry point for incoming transactions on a local binder.
//
// Codes outside the user range go to BBinder::onTransact. For user codes the
// interface token in `data` is checked first (STATUS_BAD_TYPE on mismatch) and
// only then is the class's onTransact callback invoked.
//
// Nothing here checks the caller's identity or permissions; a callback that
// needs such a check has to perform it itself.
status_t ABBinder::onTransact(transaction_code_t code, const Parcel& data, Parcel* reply,
                              binder_flags_t flags) {
    if (!isUserCommand(code)) {
        return BBinder::onTransact(code, data, reply, flags);
    }

    if (!data.checkInterface(this)) {
        return STATUS_BAD_TYPE;
    }

    // Wrappers around the framework parcels; `out` does not own `reply`.
    const AParcel in = AParcel::readOnly(this, &data);
    AParcel out(this, reply, false /*owns*/);

    const binder_status_t callbackStatus = getClass()->onTransact(this, code, &in, &out);
    return PruneStatusT(callbackStatus);
}
164
// Proxy wrapper around an existing IBinder. It starts without a class (see
// AIBinder::associateClass). Aborts on a null binder.
ABpBinder::ABpBinder(const ::android::sp<::android::IBinder>& binder)
    : AIBinder(nullptr /*clazz*/), BpRefBase(binder) {
    CHECK(binder != nullptr);
}
// No cleanup of its own; the bases release the wrapped binder.
ABpBinder::~ABpBinder() = default;
170
// Called when the last strong reference to this proxy goes away. Clears the
// weak back-reference stored on the remote binder, then lets BpRefBase do its
// own handling.
void ABpBinder::onLastStrongRef(const void* id) {
    {
        std::lock_guard<std::mutex> guard(ABpBinderTag::gLock);
        // Since ABpBinder is OBJECT_LIFETIME_WEAK, we must remove this weak reference in order for
        // the ABpBinder to be deleted. Since a strong reference to this ABpBinder object should no
        // longer be able to exist at the time of this method call, there is no longer a need to
        // recover it.

        auto* record =
                static_cast<ABpBinderTag::Value*>(remote()->findObject(ABpBinderTag::kId));
        if (record != nullptr) {
            record->binder = nullptr;
        }
    }  // gLock is released before calling into the base class

    BpRefBase::onLastStrongRef(id);
}
188
// Returns the AIBinder that represents `binder` in this process.
//
// - null in, null out;
// - a binder carrying the ABBinder tag is an ABBinder and is returned as such
//   (the static_cast is justified only by that tag);
// - anything else gets an ABpBinder, reusing a live one when it exists.
sp<AIBinder> ABpBinder::lookupOrCreateFromBinder(const ::android::sp<::android::IBinder>& binder) {
    if (binder == nullptr) {
        return nullptr;
    }
    if (ABBinderTag::has(binder)) {
        return static_cast<ABBinder*>(binder.get());
    }

    // The following code ensures that for a given binder object (remote or local), if it is not an
    // ABBinder then at most one ABpBinder object exists in a given process representing it.
    std::lock_guard<std::mutex> guard(ABpBinderTag::gLock);

    auto* record = static_cast<ABpBinderTag::Value*>(binder->findObject(ABpBinderTag::kId));
    if (record == nullptr) {
        // First lookup for this binder: attach a record that is freed by
        // ABpBinderTag::clean.
        record = new ABpBinderTag::Value;
        binder->attachObject(ABpBinderTag::kId, static_cast<void*>(record), nullptr /*cookie*/,
                             ABpBinderTag::clean);
    }

    sp<ABpBinder> proxy = record->binder.promote();
    if (proxy == nullptr) {
        // No live proxy (never created, or already released): make a new one
        // and remember it weakly.
        proxy = new ABpBinder(binder);
        record->binder = proxy;
    }

    return proxy;
}
217
// Opaque handle given out by AIBinder_Weak_new. It wraps a weak reference, so
// holding the handle does not keep the binder alive.
struct AIBinder_Weak {
    wp<AIBinder> binder;
};
// Creates a weak handle to `binder`, or returns null for a null binder.
// The handle is heap-allocated and is released with AIBinder_Weak_delete.
AIBinder_Weak* AIBinder_Weak_new(AIBinder* binder) {
    return binder == nullptr ? nullptr : new AIBinder_Weak{wp<AIBinder>(binder)};
}
// Frees a handle created by AIBinder_Weak_new. A null handle is a no-op.
// The handle must not be used, or deleted again, after this call.
void AIBinder_Weak_delete(AIBinder_Weak* weakBinder) {
    delete weakBinder;
}
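// Tries to turn a weak handle into a strong reference.
//
// Returns null when the handle is null or the binder no longer exists.
// Otherwise the returned pointer carries one strong reference that the caller
// releases with AIBinder_decStrong.
AIBinder* AIBinder_Weak_promote(AIBinder_Weak* weakBinder) {
    if (weakBinder == nullptr) {
        return nullptr;
    }

    sp<AIBinder> binder = weakBinder->binder.promote();
    if (binder == nullptr) {
        // A failed promotion is an expected outcome, not a caller error. Return
        // directly rather than going through AIBinder_incStrong, which logs an
        // error for a null binder.
        return nullptr;
    }

    // Take the reference that is handed to the caller before the local sp
    // drops its own.
    AIBinder_incStrong(binder.get());
    return binder.get();
}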
240
// Stores the three mandatory callbacks and the interface descriptor.
// No argument is validated here; AIBinder_Class_define does the null checks.
AIBinder_Class::AIBinder_Class(const char* interfaceDescriptor, AIBinder_Class_onCreate onCreate,
                               AIBinder_Class_onDestroy onDestroy,
                               AIBinder_Class_onTransact onTransact)
    : onCreate{onCreate},
      onDestroy{onDestroy},
      onTransact{onTransact},
      mInterfaceDescriptor(interfaceDescriptor) {}
248
// Creates a class object for the given descriptor and callbacks.
// Returns null if any of the four arguments is null. Because of this check the
// rest of the file can call onCreate/onDestroy/onTransact on a class made here
// without testing them again.
AIBinder_Class* AIBinder_Class_define(const char* interfaceDescriptor,
                                      AIBinder_Class_onCreate onCreate,
                                      AIBinder_Class_onDestroy onDestroy,
                                      AIBinder_Class_onTransact onTransact) {
    const bool allProvided = interfaceDescriptor != nullptr && onCreate != nullptr &&
                             onDestroy != nullptr && onTransact != nullptr;
    if (!allProvided) {
        return nullptr;
    }

    return new AIBinder_Class(interfaceDescriptor, onCreate, onDestroy, onTransact);
}
260
// Installs (or, with null, clears) the optional dump callback of a class.
// Aborts on a null class.
void AIBinder_Class_setOnDump(AIBinder_Class* clazz, AIBinder_onDump onDump) {
    CHECK(clazz != nullptr) << "setOnDump requires non-null clazz";

    // this is required to be called before instances are instantiated
    // (the store below is not synchronised with readers of onDump)
    clazz->onDump = onDump;
}
267
// Death notification for the binder this entry was linked to.
// Runs the user's callback with the registered cookie, then tries to remove
// this entry from the parent recipient. Aborts if `who` is not the binder the
// entry was created for.
void AIBinder_DeathRecipient::TransferDeathRecipient::binderDied(const wp<IBinder>& who) {
    CHECK(who == mWho);

    // The user callback runs first, before any bookkeeping.
    mOnDied(mCookie);

    sp<AIBinder_DeathRecipient> parent = mParentRecipient.promote();
    sp<IBinder> deadBinder = who.promote();

    // otherwise this will be cleaned up later with pruneDeadTransferEntriesLocked
    if (parent != nullptr && deadBinder != nullptr) {
        const status_t unlinkStatus = parent->unlinkToDeath(deadBinder, mCookie);
        // DEAD_OBJECT is the expected answer for a binder that just died.
        if (unlinkStatus != ::android::DEAD_OBJECT) {
            LOG(WARNING) << "Unlinking to dead binder resulted in: " << unlinkStatus;
        }
    }

    // Marks the entry as dead so that pruning can drop it.
    mWho = nullptr;
}
286
// Stores the callback that every linked binder's death is reported to.
// Aborts on a null callback.
AIBinder_DeathRecipient::AIBinder_DeathRecipient(AIBinder_DeathRecipient_onBinderDied onDied)
    : mOnDied{onDied} {
    CHECK(onDied != nullptr);
}
291
// Drops every entry whose binder reference has been cleared.
// The one caller in this file, linkToDeath, holds mDeathRecipientsMutex while
// calling this.
void AIBinder_DeathRecipient::pruneDeadTransferEntriesLocked() {
    const auto isDead = [](const sp<TransferDeathRecipient>& entry) {
        return entry->getWho() == nullptr;
    };
    const auto firstDead =
            std::remove_if(mDeathRecipients.begin(), mDeathRecipients.end(), isDead);
    mDeathRecipients.erase(firstDead, mDeathRecipients.end());
}
299
// Registers this recipient for the death of `binder` with the given cookie.
// Aborts on a null binder. On failure the pruned status of the underlying
// linkToDeath is returned and nothing is recorded.
binder_status_t AIBinder_DeathRecipient::linkToDeath(sp<IBinder> binder, void* cookie) {
    CHECK(binder != nullptr);

    std::lock_guard<std::mutex> guard(mDeathRecipientsMutex);

    // One transfer object per (binder, cookie) registration.
    sp<TransferDeathRecipient> entry = new TransferDeathRecipient(binder, cookie, this, mOnDied);

    const status_t linkStatus = binder->linkToDeath(entry, cookie, 0 /*flags*/);
    if (linkStatus != STATUS_OK) {
        return PruneStatusT(linkStatus);
    }

    mDeathRecipients.push_back(entry);

    // Take the opportunity to drop entries whose binder has already died.
    pruneDeadTransferEntriesLocked();
    return STATUS_OK;
}
318
// Removes the most recently added registration that matches (binder, cookie).
// Aborts on a null binder. Returns STATUS_NAME_NOT_FOUND when nothing matches,
// otherwise the pruned status of the underlying unlinkToDeath. The entry is
// removed from the list even when that unlink fails.
binder_status_t AIBinder_DeathRecipient::unlinkToDeath(sp<IBinder> binder, void* cookie) {
    CHECK(binder != nullptr);

    std::lock_guard<std::mutex> guard(mDeathRecipientsMutex);

    // Walk backwards so the newest matching registration is found first.
    for (auto rit = mDeathRecipients.rbegin(); rit != mDeathRecipients.rend(); ++rit) {
        // Strong copy: keeps the entry alive after it is erased from the list.
        sp<TransferDeathRecipient> entry = *rit;

        const bool matches = entry->getCookie() == cookie && entry->getWho() == binder;
        if (!matches) {
            continue;
        }

        // rit.base() points one past the element rit refers to.
        mDeathRecipients.erase(rit.base() - 1);

        const status_t unlinkStatus = binder->unlinkToDeath(entry, cookie, 0 /*flags*/);
        if (unlinkStatus != ::android::OK) {
            LOG(ERROR) << __func__
                       << ": removed reference to death recipient but unlink failed.";
        }
        return PruneStatusT(unlinkStatus);
    }

    return STATUS_NAME_NOT_FOUND;
}
341
342 // start of C-API methods
343
// Creates a local binder of class `clazz`.
// `args` is passed to the class's onCreate callback, and the value it returns
// becomes the binder's user data. Returns null for a null class. The returned
// pointer carries one strong reference owned by the caller.
AIBinder* AIBinder_new(const AIBinder_Class* clazz, void* args) {
    if (clazz == nullptr) {
        LOG(ERROR) << __func__ << ": Must provide class to construct local binder.";
        return nullptr;
    }

    void* userData = clazz->onCreate(args);

    sp<AIBinder> created = new ABBinder(clazz, userData);
    // Tag the object so it can later be recognised as an ABBinder
    // (see ABBinderTag::has).
    ABBinderTag::attach(created->getBinder());

    // The caller's reference is taken before the local sp releases its own.
    AIBinder* raw = created.get();
    AIBinder_incStrong(raw);
    return raw;
}
358
// True when `binder` is non-null and reports itself as remote.
bool AIBinder_isRemote(const AIBinder* binder) {
    return binder != nullptr && binder->isRemote();
}
366
// True when `binder` is non-null and the underlying binder reports itself
// alive. The const_cast is needed only because getBinder() is called on a
// non-const AIBinder here.
bool AIBinder_isAlive(const AIBinder* binder) {
    return binder != nullptr && const_cast<AIBinder*>(binder)->getBinder()->isBinderAlive();
}
374
// Pings the underlying binder and returns the pruned status.
// STATUS_UNEXPECTED_NULL for a null binder.
binder_status_t AIBinder_ping(AIBinder* binder) {
    if (binder == nullptr) {
        return STATUS_UNEXPECTED_NULL;
    }

    const status_t pingStatus = binder->getBinder()->pingBinder();
    return PruneStatusT(pingStatus);
}
382
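// Asks `binder` to dump its state to `fd`.
//
// For a local binder the class's onDump callback is called directly with the
// caller's arguments (STATUS_OK if the class has none). For any other binder
// the arguments are converted to UTF-16 and sent through IBinder::dump.
//
// Returns STATUS_UNEXPECTED_NULL for a null binder and, on the conversion
// path, for a null `args` with a non-zero count or a null element of `args`.
binder_status_t AIBinder_dump(AIBinder* binder, int fd, const char** args, uint32_t numArgs) {
    if (binder == nullptr) {
        return STATUS_UNEXPECTED_NULL;
    }

    ABBinder* bBinder = binder->asABBinder();
    if (bBinder != nullptr) {
        AIBinder_onDump onDump = binder->getClass()->onDump;
        if (onDump == nullptr) {
            return STATUS_OK;
        }
        // Arguments are passed through untouched; the callback sees exactly
        // what the caller supplied.
        return PruneStatusT(onDump(bBinder, fd, args, numArgs));
    }

    // The loop below indexes `args`, so a null array with a non-zero count
    // would be dereferenced. Reject it instead.
    if (args == nullptr && numArgs != 0) {
        LOG(ERROR) << __func__ << ": args is null but numArgs is " << numArgs;
        return STATUS_UNEXPECTED_NULL;
    }

    ::android::Vector<String16> utf16Args;
    utf16Args.setCapacity(numArgs);
    for (uint32_t i = 0; i < numArgs; i++) {
        // Each element is handed to the String8 constructor as a C string, so
        // it must not be null.
        if (args[i] == nullptr) {
            LOG(ERROR) << __func__ << ": argument " << i << " is null";
            return STATUS_UNEXPECTED_NULL;
        }
        utf16Args.push(String16(String8(args[i])));
    }

    status_t status = binder->getBinder()->dump(fd, utf16Args);
    return PruneStatusT(status);
}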
406
// C API wrapper: registers `recipient` for the death of `binder`.
// STATUS_UNEXPECTED_NULL if either pointer is null. `cookie` is opaque and is
// handed back to the death callback unchanged.
binder_status_t AIBinder_linkToDeath(AIBinder* binder, AIBinder_DeathRecipient* recipient,
                                     void* cookie) {
    const bool missingArgument = binder == nullptr || recipient == nullptr;
    if (missingArgument) {
        LOG(ERROR) << __func__ << ": Must provide binder and recipient.";
        return STATUS_UNEXPECTED_NULL;
    }

    // returns binder_status_t
    return recipient->linkToDeath(binder->getBinder(), cookie);
}
417
// C API wrapper: removes a registration made with AIBinder_linkToDeath for the
// same (binder, cookie) pair. STATUS_UNEXPECTED_NULL if either pointer is null.
binder_status_t AIBinder_unlinkToDeath(AIBinder* binder, AIBinder_DeathRecipient* recipient,
                                       void* cookie) {
    const bool missingArgument = binder == nullptr || recipient == nullptr;
    if (missingArgument) {
        LOG(ERROR) << __func__ << ": Must provide binder and recipient.";
        return STATUS_UNEXPECTED_NULL;
    }

    // returns binder_status_t
    return recipient->unlinkToDeath(binder->getBinder(), cookie);
}
428
// Returns the calling UID recorded in the current thread's IPCThreadState.
// NOTE(review): the value is per-thread state, so it presumably identifies the
// caller only while an incoming transaction is being handled on this thread.
// Confirm before relying on it for an access decision made elsewhere.
uid_t AIBinder_getCallingUid() {
    auto* threadState = ::android::IPCThreadState::self();
    return threadState->getCallingUid();
}
432
// Returns the calling PID recorded in the current thread's IPCThreadState.
// NOTE(review): a PID can be reused once its process has exited, so a PID is a
// weaker basis for an access decision than the UID. Prefer
// AIBinder_getCallingUid for permission checks.
pid_t AIBinder_getCallingPid() {
    auto* threadState = ::android::IPCThreadState::self();
    return threadState->getCallingPid();
}
436
// Adds one strong reference to `binder`. A null binder is logged and ignored.
// Each call needs a matching AIBinder_decStrong.
void AIBinder_incStrong(AIBinder* binder) {
    if (binder != nullptr) {
        binder->incStrong(nullptr);
        return;
    }

    LOG(ERROR) << __func__ << ": on null binder";
}
// Drops one strong reference from `binder`. A null binder is logged and
// ignored. The pointer may be dangling after this call if it was the last
// reference.
void AIBinder_decStrong(AIBinder* binder) {
    if (binder != nullptr) {
        binder->decStrong(nullptr);
        return;
    }

    LOG(ERROR) << __func__ << ": on null binder";
}
// Debug helper: returns the current strong reference count, or -1 (with an
// error log) for a null binder.
int32_t AIBinder_debugGetRefCount(AIBinder* binder) {
    if (binder != nullptr) {
        return binder->getStrongCount();
    }

    LOG(ERROR) << __func__ << ": on null binder";
    return -1;
}
461
// C API wrapper around AIBinder::associateClass. False for a null binder.
bool AIBinder_associateClass(AIBinder* binder, const AIBinder_Class* clazz) {
    return binder != nullptr && binder->associateClass(clazz);
}
469
// Returns the class associated with `binder`, or null for a null binder.
// The result can also be null for a proxy that has no class yet.
const AIBinder_Class* AIBinder_getClass(AIBinder* binder) {
    return binder == nullptr ? nullptr : binder->getClass();
}
477
// Returns the user data of a local binder. Null for a null binder and for a
// binder that is not an ABBinder (a proxy has no user data in this process).
void* AIBinder_getUserData(AIBinder* binder) {
    ABBinder* local = (binder == nullptr) ? nullptr : binder->asABBinder();
    if (local == nullptr) {
        return nullptr;
    }

    return local->getUserData();
}
490
// Allocates the input parcel for a transaction on `binder` and writes the
// class's interface token into it.
//
// STATUS_UNEXPECTED_NULL for null arguments, STATUS_INVALID_OPERATION when the
// binder has no class. On those two early returns *in is not written. When
// writing the token fails, the parcel is freed and *in is set to null.
binder_status_t AIBinder_prepareTransaction(AIBinder* binder, AParcel** in) {
    if (binder == nullptr || in == nullptr) {
        LOG(ERROR) << __func__ << ": requires non-null parameters.";
        return STATUS_UNEXPECTED_NULL;
    }

    const AIBinder_Class* clazz = binder->getClass();
    if (clazz == nullptr) {
        LOG(ERROR) << __func__
                   << ": Class must be defined for a remote binder transaction. See "
                      "AIBinder_associateClass.";
        return STATUS_INVALID_OPERATION;
    }

    if (!binder->isRemote()) {
        // Allowed, but worth flagging.
        LOG(WARNING) << "A binder object at " << binder
                     << " is being transacted on, however, this object is in the same process as "
                        "its proxy. Transacting with this binder is expensive compared to just "
                        "calling the corresponding functionality in the same process.";
    }

    AParcel* parcel = new AParcel(binder);
    // The token is what ABBinder::onTransact verifies with checkInterface on
    // the receiving side.
    const status_t writeStatus =
            parcel->get()->writeInterfaceToken(clazz->getInterfaceDescriptor());
    const binder_status_t ret = PruneStatusT(writeStatus);

    if (ret != STATUS_OK) {
        delete parcel;
        parcel = nullptr;
    }

    *in = parcel;
    return ret;
}
522
// Deleter used by AIBinder_transact: frees the parcel and nulls the caller's
// pointer so it cannot be used or freed again through that pointer.
static void DestroyParcel(AParcel** parcel) {
    AParcel* owned = *parcel;
    *parcel = nullptr;
    delete owned;
}
527
// Sends a user-defined transaction to `binder`.
//
// Ownership: once `in` itself is known to be non-null, *in is always consumed.
// It is deleted and set to null on every return path after that point,
// including the error paths, so the caller must not use or free it afterwards.
// *out receives a newly allocated reply parcel on success and null when the
// transaction fails. On the validation errors below *out is not written.
//
// Rejected up front: non-user transaction codes (STATUS_UNKNOWN_TRANSACTION),
// any flag other than FLAG_ONEWAY (STATUS_BAD_VALUE), null binder, *in or out
// (STATUS_UNEXPECTED_NULL), and an input parcel that was prepared for a
// different binder (STATUS_BAD_VALUE).
binder_status_t AIBinder_transact(AIBinder* binder, transaction_code_t code, AParcel** in,
                                  AParcel** out, binder_flags_t flags) {
    if (in == nullptr) {
        LOG(ERROR) << __func__ << ": requires non-null in parameter";
        return STATUS_UNEXPECTED_NULL;
    }

    using AutoParcelDestroyer = std::unique_ptr<AParcel*, void (*)(AParcel**)>;
    // This object is the input to the transaction. This function takes ownership of it and deletes
    // it.
    AutoParcelDestroyer inputOwner(in, DestroyParcel);

    if (!isUserCommand(code)) {
        LOG(ERROR) << __func__ << ": Only user-defined transactions can be made from the NDK.";
        return STATUS_UNKNOWN_TRANSACTION;
    }

    const bool hasUnknownFlags = (flags & ~FLAG_ONEWAY) != 0;
    if (hasUnknownFlags) {
        LOG(ERROR) << __func__ << ": Unrecognized flags sent: " << flags;
        return STATUS_BAD_VALUE;
    }

    if (binder == nullptr || *in == nullptr || out == nullptr) {
        LOG(ERROR) << __func__ << ": requires non-null parameters.";
        return STATUS_UNEXPECTED_NULL;
    }

    // The parcel carries the interface token of the binder it was prepared
    // for; refuse to send it anywhere else.
    if ((*in)->getBinder() != binder) {
        LOG(ERROR) << __func__ << ": parcel is associated with binder object " << binder
                   << " but called with " << (*in)->getBinder();
        return STATUS_BAD_VALUE;
    }

    *out = new AParcel(binder);

    const status_t transactStatus =
            binder->getBinder()->transact(code, *(*in)->get(), (*out)->get(), flags);
    const binder_status_t ret = PruneStatusT(transactStatus);

    if (ret != STATUS_OK) {
        // Do not hand a reply parcel to the caller for a failed transaction.
        delete *out;
        *out = nullptr;
    }

    return ret;
}
573
// Creates a death recipient that reports to `onBinderDied`.
// Returns null (with an error log) for a null callback. The returned object
// carries one strong reference that AIBinder_DeathRecipient_delete releases.
AIBinder_DeathRecipient* AIBinder_DeathRecipient_new(
        AIBinder_DeathRecipient_onBinderDied onBinderDied) {
    if (onBinderDied == nullptr) {
        LOG(ERROR) << __func__ << ": requires non-null onBinderDied parameter.";
        return nullptr;
    }

    AIBinder_DeathRecipient* recipient = new AIBinder_DeathRecipient(onBinderDied);
    recipient->incStrong(nullptr);
    return recipient;
}
584
// Releases the reference taken by AIBinder_DeathRecipient_new. Null is a
// no-op. The object is reference-counted, so it is destroyed only once no
// other strong reference remains. The caller must not use the pointer after
// this call.
void AIBinder_DeathRecipient_delete(AIBinder_DeathRecipient* recipient) {
    if (recipient != nullptr) {
        recipient->decStrong(nullptr);
    }
}
592