1 /*
2  * Copyright (C) 2018 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <android/binder_ibinder.h>
18 #include "ibinder_internal.h"
19 
20 #include <android/binder_status.h>
21 #include "parcel_internal.h"
22 #include "status_internal.h"
23 
24 #include <android-base/logging.h>
25 #include <binder/IPCThreadState.h>
26 
27 using DeathRecipient = ::android::IBinder::DeathRecipient;
28 
29 using ::android::IBinder;
30 using ::android::Parcel;
31 using ::android::sp;
32 using ::android::status_t;
33 using ::android::String16;
34 using ::android::String8;
35 using ::android::wp;
36 
37 namespace ABBinderTag {
38 
39 static const void* kId = "ABBinder";
40 static void* kValue = static_cast<void*>(new bool{true});
clean(const void *,void *,void *)41 void clean(const void* /*id*/, void* /*obj*/, void* /*cookie*/){/* do nothing */};
42 
attach(const sp<IBinder> & binder)43 static void attach(const sp<IBinder>& binder) {
44     binder->attachObject(kId, kValue, nullptr /*cookie*/, clean);
45 }
has(const sp<IBinder> & binder)46 static bool has(const sp<IBinder>& binder) {
47     return binder != nullptr && binder->findObject(kId) == kValue;
48 }
49 
50 }  // namespace ABBinderTag
51 
52 namespace ABpBinderTag {
53 
54 static std::mutex gLock;
55 static const void* kId = "ABpBinder";
56 struct Value {
57     wp<ABpBinder> binder;
58 };
clean(const void * id,void * obj,void * cookie)59 void clean(const void* id, void* obj, void* cookie) {
60     CHECK(id == kId) << id << " " << obj << " " << cookie;
61 
62     delete static_cast<Value*>(obj);
63 };
64 
65 }  // namespace ABpBinderTag
66 
AIBinder(const AIBinder_Class * clazz)67 AIBinder::AIBinder(const AIBinder_Class* clazz) : mClazz(clazz) {}
~AIBinder()68 AIBinder::~AIBinder() {}
69 
associateClass(const AIBinder_Class * clazz)70 bool AIBinder::associateClass(const AIBinder_Class* clazz) {
71     if (clazz == nullptr) return false;
72     if (mClazz == clazz) return true;
73 
74     String8 newDescriptor(clazz->getInterfaceDescriptor());
75 
76     if (mClazz != nullptr) {
77         String8 currentDescriptor(mClazz->getInterfaceDescriptor());
78         if (newDescriptor == currentDescriptor) {
79             LOG(ERROR) << __func__ << ": Class descriptors '" << currentDescriptor
80                        << "' match during associateClass, but they are different class objects. "
81                           "Class descriptor collision?";
82         } else {
83             LOG(ERROR) << __func__
84                        << ": Class cannot be associated on object which already has a class. "
85                           "Trying to associate to '"
86                        << newDescriptor.c_str() << "' but already set to '"
87                        << currentDescriptor.c_str() << "'.";
88         }
89 
90         // always a failure because we know mClazz != clazz
91         return false;
92     }
93 
94     CHECK(asABpBinder() != nullptr);  // ABBinder always has a descriptor
95 
96     String8 descriptor(getBinder()->getInterfaceDescriptor());
97     if (descriptor != newDescriptor) {
98         LOG(ERROR) << __func__ << ": Expecting binder to have class '" << newDescriptor.c_str()
99                    << "' but descriptor is actually '" << descriptor.c_str() << "'.";
100         return false;
101     }
102 
103     // if this is a local object, it's not one known to libbinder_ndk
104     mClazz = clazz;
105 
106     return true;
107 }
108 
ABBinder(const AIBinder_Class * clazz,void * userData)109 ABBinder::ABBinder(const AIBinder_Class* clazz, void* userData)
110     : AIBinder(clazz), BBinder(), mUserData(userData) {
111     CHECK(clazz != nullptr);
112 }
~ABBinder()113 ABBinder::~ABBinder() {
114     getClass()->onDestroy(mUserData);
115 }
116 
getInterfaceDescriptor() const117 const String16& ABBinder::getInterfaceDescriptor() const {
118     return getClass()->getInterfaceDescriptor();
119 }
120 
dump(int fd,const::android::Vector<String16> & args)121 status_t ABBinder::dump(int fd, const ::android::Vector<String16>& args) {
122     AIBinder_onDump onDump = getClass()->onDump;
123 
124     if (onDump == nullptr) {
125         return STATUS_OK;
126     }
127 
128     // technically UINT32_MAX would be okay here, but INT32_MAX is expected since this may be
129     // null in Java
130     if (args.size() > INT32_MAX) {
131         LOG(ERROR) << "ABBinder::dump received too many arguments: " << args.size();
132         return STATUS_BAD_VALUE;
133     }
134 
135     std::vector<String8> utf8Args;  // owns memory of utf8s
136     utf8Args.reserve(args.size());
137     std::vector<const char*> utf8Pointers;  // what can be passed over NDK API
138     utf8Pointers.reserve(args.size());
139 
140     for (size_t i = 0; i < args.size(); i++) {
141         utf8Args.push_back(String8(args[i]));
142         utf8Pointers.push_back(utf8Args[i].c_str());
143     }
144 
145     return onDump(this, fd, utf8Pointers.data(), utf8Pointers.size());
146 }
147 
onTransact(transaction_code_t code,const Parcel & data,Parcel * reply,binder_flags_t flags)148 status_t ABBinder::onTransact(transaction_code_t code, const Parcel& data, Parcel* reply,
149                               binder_flags_t flags) {
150     if (isUserCommand(code)) {
151         if (!data.checkInterface(this)) {
152             return STATUS_BAD_TYPE;
153         }
154 
155         const AParcel in = AParcel::readOnly(this, &data);
156         AParcel out = AParcel(this, reply, false /*owns*/);
157 
158         binder_status_t status = getClass()->onTransact(this, code, &in, &out);
159         return PruneStatusT(status);
160     } else {
161         return BBinder::onTransact(code, data, reply, flags);
162     }
163 }
164 
ABpBinder(const::android::sp<::android::IBinder> & binder)165 ABpBinder::ABpBinder(const ::android::sp<::android::IBinder>& binder)
166     : AIBinder(nullptr /*clazz*/), BpRefBase(binder) {
167     CHECK(binder != nullptr);
168 }
~ABpBinder()169 ABpBinder::~ABpBinder() {}
170 
onLastStrongRef(const void * id)171 void ABpBinder::onLastStrongRef(const void* id) {
172     {
173         std::lock_guard<std::mutex> lock(ABpBinderTag::gLock);
174         // Since ABpBinder is OBJECT_LIFETIME_WEAK, we must remove this weak reference in order for
175         // the ABpBinder to be deleted. Since a strong reference to this ABpBinder object should no
176         // longer be able to exist at the time of this method call, there is no longer a need to
177         // recover it.
178 
179         ABpBinderTag::Value* value =
180                 static_cast<ABpBinderTag::Value*>(remote()->findObject(ABpBinderTag::kId));
181         if (value != nullptr) {
182             value->binder = nullptr;
183         }
184     }
185 
186     BpRefBase::onLastStrongRef(id);
187 }
188 
lookupOrCreateFromBinder(const::android::sp<::android::IBinder> & binder)189 sp<AIBinder> ABpBinder::lookupOrCreateFromBinder(const ::android::sp<::android::IBinder>& binder) {
190     if (binder == nullptr) {
191         return nullptr;
192     }
193     if (ABBinderTag::has(binder)) {
194         return static_cast<ABBinder*>(binder.get());
195     }
196 
197     // The following code ensures that for a given binder object (remote or local), if it is not an
198     // ABBinder then at most one ABpBinder object exists in a given process representing it.
199     std::lock_guard<std::mutex> lock(ABpBinderTag::gLock);
200 
201     ABpBinderTag::Value* value =
202             static_cast<ABpBinderTag::Value*>(binder->findObject(ABpBinderTag::kId));
203     if (value == nullptr) {
204         value = new ABpBinderTag::Value;
205         binder->attachObject(ABpBinderTag::kId, static_cast<void*>(value), nullptr /*cookie*/,
206                              ABpBinderTag::clean);
207     }
208 
209     sp<ABpBinder> ret = value->binder.promote();
210     if (ret == nullptr) {
211         ret = new ABpBinder(binder);
212         value->binder = ret;
213     }
214 
215     return ret;
216 }
217 
218 struct AIBinder_Weak {
219     wp<AIBinder> binder;
220 };
AIBinder_Weak_new(AIBinder * binder)221 AIBinder_Weak* AIBinder_Weak_new(AIBinder* binder) {
222     if (binder == nullptr) {
223         return nullptr;
224     }
225 
226     return new AIBinder_Weak{wp<AIBinder>(binder)};
227 }
AIBinder_Weak_delete(AIBinder_Weak * weakBinder)228 void AIBinder_Weak_delete(AIBinder_Weak* weakBinder) {
229     delete weakBinder;
230 }
AIBinder_Weak_promote(AIBinder_Weak * weakBinder)231 AIBinder* AIBinder_Weak_promote(AIBinder_Weak* weakBinder) {
232     if (weakBinder == nullptr) {
233         return nullptr;
234     }
235 
236     sp<AIBinder> binder = weakBinder->binder.promote();
237     AIBinder_incStrong(binder.get());
238     return binder.get();
239 }
240 
AIBinder_Class(const char * interfaceDescriptor,AIBinder_Class_onCreate onCreate,AIBinder_Class_onDestroy onDestroy,AIBinder_Class_onTransact onTransact)241 AIBinder_Class::AIBinder_Class(const char* interfaceDescriptor, AIBinder_Class_onCreate onCreate,
242                                AIBinder_Class_onDestroy onDestroy,
243                                AIBinder_Class_onTransact onTransact)
244     : onCreate(onCreate),
245       onDestroy(onDestroy),
246       onTransact(onTransact),
247       mInterfaceDescriptor(interfaceDescriptor) {}
248 
AIBinder_Class_define(const char * interfaceDescriptor,AIBinder_Class_onCreate onCreate,AIBinder_Class_onDestroy onDestroy,AIBinder_Class_onTransact onTransact)249 AIBinder_Class* AIBinder_Class_define(const char* interfaceDescriptor,
250                                       AIBinder_Class_onCreate onCreate,
251                                       AIBinder_Class_onDestroy onDestroy,
252                                       AIBinder_Class_onTransact onTransact) {
253     if (interfaceDescriptor == nullptr || onCreate == nullptr || onDestroy == nullptr ||
254         onTransact == nullptr) {
255         return nullptr;
256     }
257 
258     return new AIBinder_Class(interfaceDescriptor, onCreate, onDestroy, onTransact);
259 }
260 
AIBinder_Class_setOnDump(AIBinder_Class * clazz,AIBinder_onDump onDump)261 void AIBinder_Class_setOnDump(AIBinder_Class* clazz, AIBinder_onDump onDump) {
262     CHECK(clazz != nullptr) << "setOnDump requires non-null clazz";
263 
264     // this is required to be called before instances are instantiated
265     clazz->onDump = onDump;
266 }
267 
binderDied(const wp<IBinder> & who)268 void AIBinder_DeathRecipient::TransferDeathRecipient::binderDied(const wp<IBinder>& who) {
269     CHECK(who == mWho);
270 
271     mOnDied(mCookie);
272 
273     sp<AIBinder_DeathRecipient> recipient = mParentRecipient.promote();
274     sp<IBinder> strongWho = who.promote();
275 
276     // otherwise this will be cleaned up later with pruneDeadTransferEntriesLocked
277     if (recipient != nullptr && strongWho != nullptr) {
278         status_t result = recipient->unlinkToDeath(strongWho, mCookie);
279         if (result != ::android::DEAD_OBJECT) {
280             LOG(WARNING) << "Unlinking to dead binder resulted in: " << result;
281         }
282     }
283 
284     mWho = nullptr;
285 }
286 
AIBinder_DeathRecipient(AIBinder_DeathRecipient_onBinderDied onDied)287 AIBinder_DeathRecipient::AIBinder_DeathRecipient(AIBinder_DeathRecipient_onBinderDied onDied)
288     : mOnDied(onDied) {
289     CHECK(onDied != nullptr);
290 }
291 
pruneDeadTransferEntriesLocked()292 void AIBinder_DeathRecipient::pruneDeadTransferEntriesLocked() {
293     mDeathRecipients.erase(std::remove_if(mDeathRecipients.begin(), mDeathRecipients.end(),
294                                           [](const sp<TransferDeathRecipient>& tdr) {
295                                               return tdr->getWho() == nullptr;
296                                           }),
297                            mDeathRecipients.end());
298 }
299 
linkToDeath(sp<IBinder> binder,void * cookie)300 binder_status_t AIBinder_DeathRecipient::linkToDeath(sp<IBinder> binder, void* cookie) {
301     CHECK(binder != nullptr);
302 
303     std::lock_guard<std::mutex> l(mDeathRecipientsMutex);
304 
305     sp<TransferDeathRecipient> recipient =
306             new TransferDeathRecipient(binder, cookie, this, mOnDied);
307 
308     status_t status = binder->linkToDeath(recipient, cookie, 0 /*flags*/);
309     if (status != STATUS_OK) {
310         return PruneStatusT(status);
311     }
312 
313     mDeathRecipients.push_back(recipient);
314 
315     pruneDeadTransferEntriesLocked();
316     return STATUS_OK;
317 }
318 
unlinkToDeath(sp<IBinder> binder,void * cookie)319 binder_status_t AIBinder_DeathRecipient::unlinkToDeath(sp<IBinder> binder, void* cookie) {
320     CHECK(binder != nullptr);
321 
322     std::lock_guard<std::mutex> l(mDeathRecipientsMutex);
323 
324     for (auto it = mDeathRecipients.rbegin(); it != mDeathRecipients.rend(); ++it) {
325         sp<TransferDeathRecipient> recipient = *it;
326 
327         if (recipient->getCookie() == cookie && recipient->getWho() == binder) {
328             mDeathRecipients.erase(it.base() - 1);
329 
330             status_t status = binder->unlinkToDeath(recipient, cookie, 0 /*flags*/);
331             if (status != ::android::OK) {
332                 LOG(ERROR) << __func__
333                            << ": removed reference to death recipient but unlink failed.";
334             }
335             return PruneStatusT(status);
336         }
337     }
338 
339     return STATUS_NAME_NOT_FOUND;
340 }
341 
342 // start of C-API methods
343 
AIBinder_new(const AIBinder_Class * clazz,void * args)344 AIBinder* AIBinder_new(const AIBinder_Class* clazz, void* args) {
345     if (clazz == nullptr) {
346         LOG(ERROR) << __func__ << ": Must provide class to construct local binder.";
347         return nullptr;
348     }
349 
350     void* userData = clazz->onCreate(args);
351 
352     sp<AIBinder> ret = new ABBinder(clazz, userData);
353     ABBinderTag::attach(ret->getBinder());
354 
355     AIBinder_incStrong(ret.get());
356     return ret.get();
357 }
358 
AIBinder_isRemote(const AIBinder * binder)359 bool AIBinder_isRemote(const AIBinder* binder) {
360     if (binder == nullptr) {
361         return false;
362     }
363 
364     return binder->isRemote();
365 }
366 
AIBinder_isAlive(const AIBinder * binder)367 bool AIBinder_isAlive(const AIBinder* binder) {
368     if (binder == nullptr) {
369         return false;
370     }
371 
372     return const_cast<AIBinder*>(binder)->getBinder()->isBinderAlive();
373 }
374 
AIBinder_ping(AIBinder * binder)375 binder_status_t AIBinder_ping(AIBinder* binder) {
376     if (binder == nullptr) {
377         return STATUS_UNEXPECTED_NULL;
378     }
379 
380     return PruneStatusT(binder->getBinder()->pingBinder());
381 }
382 
AIBinder_dump(AIBinder * binder,int fd,const char ** args,uint32_t numArgs)383 binder_status_t AIBinder_dump(AIBinder* binder, int fd, const char** args, uint32_t numArgs) {
384     if (binder == nullptr) {
385         return STATUS_UNEXPECTED_NULL;
386     }
387 
388     ABBinder* bBinder = binder->asABBinder();
389     if (bBinder != nullptr) {
390         AIBinder_onDump onDump = binder->getClass()->onDump;
391         if (onDump == nullptr) {
392             return STATUS_OK;
393         }
394         return PruneStatusT(onDump(bBinder, fd, args, numArgs));
395     }
396 
397     ::android::Vector<String16> utf16Args;
398     utf16Args.setCapacity(numArgs);
399     for (uint32_t i = 0; i < numArgs; i++) {
400         utf16Args.push(String16(String8(args[i])));
401     }
402 
403     status_t status = binder->getBinder()->dump(fd, utf16Args);
404     return PruneStatusT(status);
405 }
406 
AIBinder_linkToDeath(AIBinder * binder,AIBinder_DeathRecipient * recipient,void * cookie)407 binder_status_t AIBinder_linkToDeath(AIBinder* binder, AIBinder_DeathRecipient* recipient,
408                                      void* cookie) {
409     if (binder == nullptr || recipient == nullptr) {
410         LOG(ERROR) << __func__ << ": Must provide binder and recipient.";
411         return STATUS_UNEXPECTED_NULL;
412     }
413 
414     // returns binder_status_t
415     return recipient->linkToDeath(binder->getBinder(), cookie);
416 }
417 
AIBinder_unlinkToDeath(AIBinder * binder,AIBinder_DeathRecipient * recipient,void * cookie)418 binder_status_t AIBinder_unlinkToDeath(AIBinder* binder, AIBinder_DeathRecipient* recipient,
419                                        void* cookie) {
420     if (binder == nullptr || recipient == nullptr) {
421         LOG(ERROR) << __func__ << ": Must provide binder and recipient.";
422         return STATUS_UNEXPECTED_NULL;
423     }
424 
425     // returns binder_status_t
426     return recipient->unlinkToDeath(binder->getBinder(), cookie);
427 }
428 
AIBinder_getCallingUid()429 uid_t AIBinder_getCallingUid() {
430     return ::android::IPCThreadState::self()->getCallingUid();
431 }
432 
AIBinder_getCallingPid()433 pid_t AIBinder_getCallingPid() {
434     return ::android::IPCThreadState::self()->getCallingPid();
435 }
436 
AIBinder_incStrong(AIBinder * binder)437 void AIBinder_incStrong(AIBinder* binder) {
438     if (binder == nullptr) {
439         LOG(ERROR) << __func__ << ": on null binder";
440         return;
441     }
442 
443     binder->incStrong(nullptr);
444 }
AIBinder_decStrong(AIBinder * binder)445 void AIBinder_decStrong(AIBinder* binder) {
446     if (binder == nullptr) {
447         LOG(ERROR) << __func__ << ": on null binder";
448         return;
449     }
450 
451     binder->decStrong(nullptr);
452 }
AIBinder_debugGetRefCount(AIBinder * binder)453 int32_t AIBinder_debugGetRefCount(AIBinder* binder) {
454     if (binder == nullptr) {
455         LOG(ERROR) << __func__ << ": on null binder";
456         return -1;
457     }
458 
459     return binder->getStrongCount();
460 }
461 
AIBinder_associateClass(AIBinder * binder,const AIBinder_Class * clazz)462 bool AIBinder_associateClass(AIBinder* binder, const AIBinder_Class* clazz) {
463     if (binder == nullptr) {
464         return false;
465     }
466 
467     return binder->associateClass(clazz);
468 }
469 
AIBinder_getClass(AIBinder * binder)470 const AIBinder_Class* AIBinder_getClass(AIBinder* binder) {
471     if (binder == nullptr) {
472         return nullptr;
473     }
474 
475     return binder->getClass();
476 }
477 
AIBinder_getUserData(AIBinder * binder)478 void* AIBinder_getUserData(AIBinder* binder) {
479     if (binder == nullptr) {
480         return nullptr;
481     }
482 
483     ABBinder* bBinder = binder->asABBinder();
484     if (bBinder == nullptr) {
485         return nullptr;
486     }
487 
488     return bBinder->getUserData();
489 }
490 
AIBinder_prepareTransaction(AIBinder * binder,AParcel ** in)491 binder_status_t AIBinder_prepareTransaction(AIBinder* binder, AParcel** in) {
492     if (binder == nullptr || in == nullptr) {
493         LOG(ERROR) << __func__ << ": requires non-null parameters.";
494         return STATUS_UNEXPECTED_NULL;
495     }
496     const AIBinder_Class* clazz = binder->getClass();
497     if (clazz == nullptr) {
498         LOG(ERROR) << __func__
499                    << ": Class must be defined for a remote binder transaction. See "
500                       "AIBinder_associateClass.";
501         return STATUS_INVALID_OPERATION;
502     }
503 
504     if (!binder->isRemote()) {
505         LOG(WARNING) << "A binder object at " << binder
506                      << " is being transacted on, however, this object is in the same process as "
507                         "its proxy. Transacting with this binder is expensive compared to just "
508                         "calling the corresponding functionality in the same process.";
509     }
510 
511     *in = new AParcel(binder);
512     status_t status = (*in)->get()->writeInterfaceToken(clazz->getInterfaceDescriptor());
513     binder_status_t ret = PruneStatusT(status);
514 
515     if (ret != STATUS_OK) {
516         delete *in;
517         *in = nullptr;
518     }
519 
520     return ret;
521 }
522 
DestroyParcel(AParcel ** parcel)523 static void DestroyParcel(AParcel** parcel) {
524     delete *parcel;
525     *parcel = nullptr;
526 }
527 
AIBinder_transact(AIBinder * binder,transaction_code_t code,AParcel ** in,AParcel ** out,binder_flags_t flags)528 binder_status_t AIBinder_transact(AIBinder* binder, transaction_code_t code, AParcel** in,
529                                   AParcel** out, binder_flags_t flags) {
530     if (in == nullptr) {
531         LOG(ERROR) << __func__ << ": requires non-null in parameter";
532         return STATUS_UNEXPECTED_NULL;
533     }
534 
535     using AutoParcelDestroyer = std::unique_ptr<AParcel*, void (*)(AParcel**)>;
536     // This object is the input to the transaction. This function takes ownership of it and deletes
537     // it.
538     AutoParcelDestroyer forIn(in, DestroyParcel);
539 
540     if (!isUserCommand(code)) {
541         LOG(ERROR) << __func__ << ": Only user-defined transactions can be made from the NDK.";
542         return STATUS_UNKNOWN_TRANSACTION;
543     }
544 
545     if ((flags & ~FLAG_ONEWAY) != 0) {
546         LOG(ERROR) << __func__ << ": Unrecognized flags sent: " << flags;
547         return STATUS_BAD_VALUE;
548     }
549 
550     if (binder == nullptr || *in == nullptr || out == nullptr) {
551         LOG(ERROR) << __func__ << ": requires non-null parameters.";
552         return STATUS_UNEXPECTED_NULL;
553     }
554 
555     if ((*in)->getBinder() != binder) {
556         LOG(ERROR) << __func__ << ": parcel is associated with binder object " << binder
557                    << " but called with " << (*in)->getBinder();
558         return STATUS_BAD_VALUE;
559     }
560 
561     *out = new AParcel(binder);
562 
563     status_t status = binder->getBinder()->transact(code, *(*in)->get(), (*out)->get(), flags);
564     binder_status_t ret = PruneStatusT(status);
565 
566     if (ret != STATUS_OK) {
567         delete *out;
568         *out = nullptr;
569     }
570 
571     return ret;
572 }
573 
AIBinder_DeathRecipient_new(AIBinder_DeathRecipient_onBinderDied onBinderDied)574 AIBinder_DeathRecipient* AIBinder_DeathRecipient_new(
575         AIBinder_DeathRecipient_onBinderDied onBinderDied) {
576     if (onBinderDied == nullptr) {
577         LOG(ERROR) << __func__ << ": requires non-null onBinderDied parameter.";
578         return nullptr;
579     }
580     auto ret = new AIBinder_DeathRecipient(onBinderDied);
581     ret->incStrong(nullptr);
582     return ret;
583 }
584 
AIBinder_DeathRecipient_delete(AIBinder_DeathRecipient * recipient)585 void AIBinder_DeathRecipient_delete(AIBinder_DeathRecipient* recipient) {
586     if (recipient == nullptr) {
587         return;
588     }
589 
590     recipient->decStrong(nullptr);
591 }
592