1 /*
2  * Copyright (C) 2005 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #define LOG_TAG "BpBinder"
18 //#define LOG_NDEBUG 0
19 
20 #include <binder/BpBinder.h>
21 
22 #include <binder/IPCThreadState.h>
23 #include <binder/IResultReceiver.h>
24 #include <cutils/compiler.h>
25 #include <utils/Log.h>
26 
27 #include <stdio.h>
28 
29 //#undef ALOGV
30 //#define ALOGV(...) fprintf(stderr, __VA_ARGS__)
31 
32 namespace android {
33 
34 // ---------------------------------------------------------------------------
35 
36 Mutex BpBinder::sTrackingLock;
37 std::unordered_map<int32_t,uint32_t> BpBinder::sTrackingMap;
38 int BpBinder::sNumTrackedUids = 0;
39 std::atomic_bool BpBinder::sCountByUidEnabled(false);
40 binder_proxy_limit_callback BpBinder::sLimitCallback;
41 bool BpBinder::sBinderProxyThrottleCreate = false;
42 
43 // Arbitrarily high value that probably distinguishes a bad behaving app
44 uint32_t BpBinder::sBinderProxyCountHighWatermark = 2500;
45 // Another arbitrary value a binder count needs to drop below before another callback will be called
46 uint32_t BpBinder::sBinderProxyCountLowWatermark = 2000;
47 
48 enum {
49     LIMIT_REACHED_MASK = 0x80000000,        // A flag denoting that the limit has been reached
50     COUNTING_VALUE_MASK = 0x7FFFFFFF,       // A mask of the remaining bits for the count value
51 };
52 
ObjectManager()53 BpBinder::ObjectManager::ObjectManager()
54 {
55 }
56 
~ObjectManager()57 BpBinder::ObjectManager::~ObjectManager()
58 {
59     kill();
60 }
61 
attach(const void * objectID,void * object,void * cleanupCookie,IBinder::object_cleanup_func func)62 void BpBinder::ObjectManager::attach(
63     const void* objectID, void* object, void* cleanupCookie,
64     IBinder::object_cleanup_func func)
65 {
66     entry_t e;
67     e.object = object;
68     e.cleanupCookie = cleanupCookie;
69     e.func = func;
70 
71     if (mObjects.indexOfKey(objectID) >= 0) {
72         ALOGE("Trying to attach object ID %p to binder ObjectManager %p with object %p, but object ID already in use",
73                 objectID, this,  object);
74         return;
75     }
76 
77     mObjects.add(objectID, e);
78 }
79 
find(const void * objectID) const80 void* BpBinder::ObjectManager::find(const void* objectID) const
81 {
82     const ssize_t i = mObjects.indexOfKey(objectID);
83     if (i < 0) return nullptr;
84     return mObjects.valueAt(i).object;
85 }
86 
detach(const void * objectID)87 void BpBinder::ObjectManager::detach(const void* objectID)
88 {
89     mObjects.removeItem(objectID);
90 }
91 
kill()92 void BpBinder::ObjectManager::kill()
93 {
94     const size_t N = mObjects.size();
95     ALOGV("Killing %zu objects in manager %p", N, this);
96     for (size_t i=0; i<N; i++) {
97         const entry_t& e = mObjects.valueAt(i);
98         if (e.func != nullptr) {
99             e.func(mObjects.keyAt(i), e.object, e.cleanupCookie);
100         }
101     }
102 
103     mObjects.clear();
104 }
105 
106 // ---------------------------------------------------------------------------
107 
108 
create(int32_t handle)109 BpBinder* BpBinder::create(int32_t handle) {
110     int32_t trackedUid = -1;
111     if (sCountByUidEnabled) {
112         trackedUid = IPCThreadState::self()->getCallingUid();
113         AutoMutex _l(sTrackingLock);
114         uint32_t trackedValue = sTrackingMap[trackedUid];
115         if (CC_UNLIKELY(trackedValue & LIMIT_REACHED_MASK)) {
116             if (sBinderProxyThrottleCreate) {
117                 return nullptr;
118             }
119         } else {
120             if ((trackedValue & COUNTING_VALUE_MASK) >= sBinderProxyCountHighWatermark) {
121                 ALOGE("Too many binder proxy objects sent to uid %d from uid %d (%d proxies held)",
122                       getuid(), trackedUid, trackedValue);
123                 sTrackingMap[trackedUid] |= LIMIT_REACHED_MASK;
124                 if (sLimitCallback) sLimitCallback(trackedUid);
125                 if (sBinderProxyThrottleCreate) {
126                     ALOGI("Throttling binder proxy creates from uid %d in uid %d until binder proxy"
127                           " count drops below %d",
128                           trackedUid, getuid(), sBinderProxyCountLowWatermark);
129                     return nullptr;
130                 }
131             }
132         }
133         sTrackingMap[trackedUid]++;
134     }
135     return new BpBinder(handle, trackedUid);
136 }
137 
BpBinder(int32_t handle,int32_t trackedUid)138 BpBinder::BpBinder(int32_t handle, int32_t trackedUid)
139     : mHandle(handle)
140     , mAlive(1)
141     , mObitsSent(0)
142     , mObituaries(nullptr)
143     , mTrackedUid(trackedUid)
144 {
145     ALOGV("Creating BpBinder %p handle %d\n", this, mHandle);
146 
147     extendObjectLifetime(OBJECT_LIFETIME_WEAK);
148     IPCThreadState::self()->incWeakHandle(handle, this);
149 }
150 
isDescriptorCached() const151 bool BpBinder::isDescriptorCached() const {
152     Mutex::Autolock _l(mLock);
153     return mDescriptorCache.size() ? true : false;
154 }
155 
getInterfaceDescriptor() const156 const String16& BpBinder::getInterfaceDescriptor() const
157 {
158     if (isDescriptorCached() == false) {
159         Parcel send, reply;
160         // do the IPC without a lock held.
161         status_t err = const_cast<BpBinder*>(this)->transact(
162                 INTERFACE_TRANSACTION, send, &reply);
163         if (err == NO_ERROR) {
164             String16 res(reply.readString16());
165             Mutex::Autolock _l(mLock);
166             // mDescriptorCache could have been assigned while the lock was
167             // released.
168             if (mDescriptorCache.size() == 0)
169                 mDescriptorCache = res;
170         }
171     }
172 
173     // we're returning a reference to a non-static object here. Usually this
174     // is not something smart to do, however, with binder objects it is
175     // (usually) safe because they are reference-counted.
176 
177     return mDescriptorCache;
178 }
179 
isBinderAlive() const180 bool BpBinder::isBinderAlive() const
181 {
182     return mAlive != 0;
183 }
184 
pingBinder()185 status_t BpBinder::pingBinder()
186 {
187     Parcel send;
188     Parcel reply;
189     status_t err = transact(PING_TRANSACTION, send, &reply);
190     if (err != NO_ERROR) return err;
191     if (reply.dataSize() < sizeof(status_t)) return NOT_ENOUGH_DATA;
192     return (status_t)reply.readInt32();
193 }
194 
dump(int fd,const Vector<String16> & args)195 status_t BpBinder::dump(int fd, const Vector<String16>& args)
196 {
197     Parcel send;
198     Parcel reply;
199     send.writeFileDescriptor(fd);
200     const size_t numArgs = args.size();
201     send.writeInt32(numArgs);
202     for (size_t i = 0; i < numArgs; i++) {
203         send.writeString16(args[i]);
204     }
205     status_t err = transact(DUMP_TRANSACTION, send, &reply);
206     return err;
207 }
208 
209 // NOLINTNEXTLINE(google-default-arguments)
transact(uint32_t code,const Parcel & data,Parcel * reply,uint32_t flags)210 status_t BpBinder::transact(
211     uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
212 {
213     // Once a binder has died, it will never come back to life.
214     if (mAlive) {
215         status_t status = IPCThreadState::self()->transact(
216             mHandle, code, data, reply, flags);
217         if (status == DEAD_OBJECT) mAlive = 0;
218         return status;
219     }
220 
221     return DEAD_OBJECT;
222 }
223 
224 // NOLINTNEXTLINE(google-default-arguments)
linkToDeath(const sp<DeathRecipient> & recipient,void * cookie,uint32_t flags)225 status_t BpBinder::linkToDeath(
226     const sp<DeathRecipient>& recipient, void* cookie, uint32_t flags)
227 {
228     Obituary ob;
229     ob.recipient = recipient;
230     ob.cookie = cookie;
231     ob.flags = flags;
232 
233     LOG_ALWAYS_FATAL_IF(recipient == nullptr,
234                         "linkToDeath(): recipient must be non-NULL");
235 
236     {
237         AutoMutex _l(mLock);
238 
239         if (!mObitsSent) {
240             if (!mObituaries) {
241                 mObituaries = new Vector<Obituary>;
242                 if (!mObituaries) {
243                     return NO_MEMORY;
244                 }
245                 ALOGV("Requesting death notification: %p handle %d\n", this, mHandle);
246                 getWeakRefs()->incWeak(this);
247                 IPCThreadState* self = IPCThreadState::self();
248                 self->requestDeathNotification(mHandle, this);
249                 self->flushCommands();
250             }
251             ssize_t res = mObituaries->add(ob);
252             return res >= (ssize_t)NO_ERROR ? (status_t)NO_ERROR : res;
253         }
254     }
255 
256     return DEAD_OBJECT;
257 }
258 
259 // NOLINTNEXTLINE(google-default-arguments)
unlinkToDeath(const wp<DeathRecipient> & recipient,void * cookie,uint32_t flags,wp<DeathRecipient> * outRecipient)260 status_t BpBinder::unlinkToDeath(
261     const wp<DeathRecipient>& recipient, void* cookie, uint32_t flags,
262     wp<DeathRecipient>* outRecipient)
263 {
264     AutoMutex _l(mLock);
265 
266     if (mObitsSent) {
267         return DEAD_OBJECT;
268     }
269 
270     const size_t N = mObituaries ? mObituaries->size() : 0;
271     for (size_t i=0; i<N; i++) {
272         const Obituary& obit = mObituaries->itemAt(i);
273         if ((obit.recipient == recipient
274                     || (recipient == nullptr && obit.cookie == cookie))
275                 && obit.flags == flags) {
276             if (outRecipient != nullptr) {
277                 *outRecipient = mObituaries->itemAt(i).recipient;
278             }
279             mObituaries->removeAt(i);
280             if (mObituaries->size() == 0) {
281                 ALOGV("Clearing death notification: %p handle %d\n", this, mHandle);
282                 IPCThreadState* self = IPCThreadState::self();
283                 self->clearDeathNotification(mHandle, this);
284                 self->flushCommands();
285                 delete mObituaries;
286                 mObituaries = nullptr;
287             }
288             return NO_ERROR;
289         }
290     }
291 
292     return NAME_NOT_FOUND;
293 }
294 
sendObituary()295 void BpBinder::sendObituary()
296 {
297     ALOGV("Sending obituary for proxy %p handle %d, mObitsSent=%s\n",
298         this, mHandle, mObitsSent ? "true" : "false");
299 
300     mAlive = 0;
301     if (mObitsSent) return;
302 
303     mLock.lock();
304     Vector<Obituary>* obits = mObituaries;
305     if(obits != nullptr) {
306         ALOGV("Clearing sent death notification: %p handle %d\n", this, mHandle);
307         IPCThreadState* self = IPCThreadState::self();
308         self->clearDeathNotification(mHandle, this);
309         self->flushCommands();
310         mObituaries = nullptr;
311     }
312     mObitsSent = 1;
313     mLock.unlock();
314 
315     ALOGV("Reporting death of proxy %p for %zu recipients\n",
316         this, obits ? obits->size() : 0U);
317 
318     if (obits != nullptr) {
319         const size_t N = obits->size();
320         for (size_t i=0; i<N; i++) {
321             reportOneDeath(obits->itemAt(i));
322         }
323 
324         delete obits;
325     }
326 }
327 
reportOneDeath(const Obituary & obit)328 void BpBinder::reportOneDeath(const Obituary& obit)
329 {
330     sp<DeathRecipient> recipient = obit.recipient.promote();
331     ALOGV("Reporting death to recipient: %p\n", recipient.get());
332     if (recipient == nullptr) return;
333 
334     recipient->binderDied(this);
335 }
336 
337 
attachObject(const void * objectID,void * object,void * cleanupCookie,object_cleanup_func func)338 void BpBinder::attachObject(
339     const void* objectID, void* object, void* cleanupCookie,
340     object_cleanup_func func)
341 {
342     AutoMutex _l(mLock);
343     ALOGV("Attaching object %p to binder %p (manager=%p)", object, this, &mObjects);
344     mObjects.attach(objectID, object, cleanupCookie, func);
345 }
346 
findObject(const void * objectID) const347 void* BpBinder::findObject(const void* objectID) const
348 {
349     AutoMutex _l(mLock);
350     return mObjects.find(objectID);
351 }
352 
detachObject(const void * objectID)353 void BpBinder::detachObject(const void* objectID)
354 {
355     AutoMutex _l(mLock);
356     mObjects.detach(objectID);
357 }
358 
remoteBinder()359 BpBinder* BpBinder::remoteBinder()
360 {
361     return this;
362 }
363 
~BpBinder()364 BpBinder::~BpBinder()
365 {
366     ALOGV("Destroying BpBinder %p handle %d\n", this, mHandle);
367 
368     IPCThreadState* ipc = IPCThreadState::self();
369 
370     if (mTrackedUid >= 0) {
371         AutoMutex _l(sTrackingLock);
372         uint32_t trackedValue = sTrackingMap[mTrackedUid];
373         if (CC_UNLIKELY((trackedValue & COUNTING_VALUE_MASK) == 0)) {
374             ALOGE("Unexpected Binder Proxy tracking decrement in %p handle %d\n", this, mHandle);
375         } else {
376             if (CC_UNLIKELY(
377                 (trackedValue & LIMIT_REACHED_MASK) &&
378                 ((trackedValue & COUNTING_VALUE_MASK) <= sBinderProxyCountLowWatermark)
379                 )) {
380                 ALOGI("Limit reached bit reset for uid %d (fewer than %d proxies from uid %d held)",
381                                    getuid(), mTrackedUid, sBinderProxyCountLowWatermark);
382                 sTrackingMap[mTrackedUid] &= ~LIMIT_REACHED_MASK;
383             }
384             if (--sTrackingMap[mTrackedUid] == 0) {
385                 sTrackingMap.erase(mTrackedUid);
386             }
387         }
388     }
389 
390     mLock.lock();
391     Vector<Obituary>* obits = mObituaries;
392     if(obits != nullptr) {
393         if (ipc) ipc->clearDeathNotification(mHandle, this);
394         mObituaries = nullptr;
395     }
396     mLock.unlock();
397 
398     if (obits != nullptr) {
399         // XXX Should we tell any remaining DeathRecipient
400         // objects that the last strong ref has gone away, so they
401         // are no longer linked?
402         delete obits;
403     }
404 
405     if (ipc) {
406         ipc->expungeHandle(mHandle, this);
407         ipc->decWeakHandle(mHandle);
408     }
409 }
410 
onFirstRef()411 void BpBinder::onFirstRef()
412 {
413     ALOGV("onFirstRef BpBinder %p handle %d\n", this, mHandle);
414     IPCThreadState* ipc = IPCThreadState::self();
415     if (ipc) ipc->incStrongHandle(mHandle, this);
416 }
417 
onLastStrongRef(const void *)418 void BpBinder::onLastStrongRef(const void* /*id*/)
419 {
420     ALOGV("onLastStrongRef BpBinder %p handle %d\n", this, mHandle);
421     IF_ALOGV() {
422         printRefs();
423     }
424     IPCThreadState* ipc = IPCThreadState::self();
425     if (ipc) ipc->decStrongHandle(mHandle);
426 }
427 
onIncStrongAttempted(uint32_t,const void *)428 bool BpBinder::onIncStrongAttempted(uint32_t /*flags*/, const void* /*id*/)
429 {
430     ALOGV("onIncStrongAttempted BpBinder %p handle %d\n", this, mHandle);
431     IPCThreadState* ipc = IPCThreadState::self();
432     return ipc ? ipc->attemptIncStrongHandle(mHandle) == NO_ERROR : false;
433 }
434 
getBinderProxyCount(uint32_t uid)435 uint32_t BpBinder::getBinderProxyCount(uint32_t uid)
436 {
437     AutoMutex _l(sTrackingLock);
438     auto it = sTrackingMap.find(uid);
439     if (it != sTrackingMap.end()) {
440         return it->second & COUNTING_VALUE_MASK;
441     }
442     return 0;
443 }
444 
getCountByUid(Vector<uint32_t> & uids,Vector<uint32_t> & counts)445 void BpBinder::getCountByUid(Vector<uint32_t>& uids, Vector<uint32_t>& counts)
446 {
447     AutoMutex _l(sTrackingLock);
448     uids.setCapacity(sTrackingMap.size());
449     counts.setCapacity(sTrackingMap.size());
450     for (const auto& it : sTrackingMap) {
451         uids.push_back(it.first);
452         counts.push_back(it.second & COUNTING_VALUE_MASK);
453     }
454 }
455 
enableCountByUid()456 void BpBinder::enableCountByUid() { sCountByUidEnabled.store(true); }
disableCountByUid()457 void BpBinder::disableCountByUid() { sCountByUidEnabled.store(false); }
setCountByUidEnabled(bool enable)458 void BpBinder::setCountByUidEnabled(bool enable) { sCountByUidEnabled.store(enable); }
459 
setLimitCallback(binder_proxy_limit_callback cb)460 void BpBinder::setLimitCallback(binder_proxy_limit_callback cb) {
461     AutoMutex _l(sTrackingLock);
462     sLimitCallback = cb;
463 }
464 
setBinderProxyCountWatermarks(int high,int low)465 void BpBinder::setBinderProxyCountWatermarks(int high, int low) {
466     AutoMutex _l(sTrackingLock);
467     sBinderProxyCountHighWatermark = high;
468     sBinderProxyCountLowWatermark = low;
469 }
470 
471 // ---------------------------------------------------------------------------
472 
473 }; // namespace android
474