blob: c1770b35d13595606eda5b45b8c539b7b1a9a839 [file] [log] [blame]
/*
* Copyright (C) 2005 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define LOG_TAG "Parcel"
//#define LOG_NDEBUG 0
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <binder/Binder.h>
#include <binder/BpBinder.h>
#include <binder/Functional.h>
#include <binder/IPCThreadState.h>
#include <binder/Parcel.h>
#include <binder/ProcessState.h>
#include <binder/Stability.h>
#include <binder/Status.h>
#include <binder/TextOutput.h>
#ifndef BINDER_DISABLE_BLOB
#include <cutils/ashmem.h>
#endif
#include <utils/String16.h>
#include <utils/String8.h>
#include "OS.h"
#include "RpcState.h"
#include "Static.h"
#include "Utils.h"
// A lot of code in this file uses definitions from the
// Linux kernel header for Binder <linux/android/binder.h>
// which is included indirectly via "binder_module.h".
// Non-Linux OSes do not have that header, so libbinder should be
// built for those targets without kernel binder support, i.e.,
// without BINDER_WITH_KERNEL_IPC. For this reason, all code in this
// file that depends on kernel binder, including the header itself,
// is conditional on BINDER_WITH_KERNEL_IPC.
#ifdef BINDER_WITH_KERNEL_IPC
#include <linux/sched.h>
#include "binder_module.h"
#else // BINDER_WITH_KERNEL_IPC
// Needed by {read,write}Pointer
typedef uintptr_t binder_uintptr_t;
#endif // BINDER_WITH_KERNEL_IPC
#ifdef __BIONIC__
#include <android/fdsan.h>
#endif
#define LOG_REFS(...)
// #define LOG_REFS(...) ALOG(LOG_DEBUG, LOG_TAG, __VA_ARGS__)
#define LOG_ALLOC(...)
// #define LOG_ALLOC(...) ALOG(LOG_DEBUG, LOG_TAG, __VA_ARGS__)
// ---------------------------------------------------------------------------
// This macro should never be used at runtime, as a too large value
// of s could cause an integer overflow. Instead, you should always
// use the wrapper function pad_size()
#define PAD_SIZE_UNSAFE(s) (((s) + 3) & ~3UL)
static size_t pad_size(size_t s) {
if (s > (std::numeric_limits<size_t>::max() - 3)) {
LOG_ALWAYS_FATAL("pad size too big %zu", s);
}
return PAD_SIZE_UNSAFE(s);
}
// Note: must be kept in sync with android/os/StrictMode.java's PENALTY_GATHER
#define STRICT_MODE_PENALTY_GATHER (1 << 31)
namespace android {
using namespace android::binder::impl;
using binder::borrowed_fd;
using binder::unique_fd;
// many things compile this into prebuilts on the stack
#ifdef __LP64__
static_assert(sizeof(Parcel) == 120);
#else
static_assert(sizeof(Parcel) == 60);
#endif
static std::atomic<size_t> gParcelGlobalAllocCount;
static std::atomic<size_t> gParcelGlobalAllocSize;
// Maximum number of file descriptors per Parcel.
constexpr size_t kMaxFds = 1024;
// Maximum size of a blob to transfer in-place.
[[maybe_unused]] static const size_t BLOB_INPLACE_LIMIT = 16 * 1024;
#if defined(__BIONIC__)
static void FdTag(int fd, const void* old_addr, const void* new_addr) {
if (android_fdsan_exchange_owner_tag) {
uint64_t old_tag = android_fdsan_create_owner_tag(ANDROID_FDSAN_OWNER_TYPE_PARCEL,
reinterpret_cast<uint64_t>(old_addr));
uint64_t new_tag = android_fdsan_create_owner_tag(ANDROID_FDSAN_OWNER_TYPE_PARCEL,
reinterpret_cast<uint64_t>(new_addr));
android_fdsan_exchange_owner_tag(fd, old_tag, new_tag);
}
}
static void FdTagClose(int fd, const void* addr) {
if (android_fdsan_close_with_tag) {
uint64_t tag = android_fdsan_create_owner_tag(ANDROID_FDSAN_OWNER_TYPE_PARCEL,
reinterpret_cast<uint64_t>(addr));
android_fdsan_close_with_tag(fd, tag);
} else {
close(fd);
}
}
#else
static void FdTag(int fd, const void* old_addr, const void* new_addr) {
(void)fd;
(void)old_addr;
(void)new_addr;
}
static void FdTagClose(int fd, const void* addr) {
(void)addr;
close(fd);
}
#endif
enum {
BLOB_INPLACE = 0,
BLOB_ASHMEM_IMMUTABLE = 1,
BLOB_ASHMEM_MUTABLE = 2,
};
#ifdef BINDER_WITH_KERNEL_IPC
static void acquire_object(const sp<ProcessState>& proc, const flat_binder_object& obj,
const void* who) {
switch (obj.hdr.type) {
case BINDER_TYPE_BINDER:
if (obj.binder) {
LOG_REFS("Parcel %p acquiring reference on local %llu", who, obj.cookie);
reinterpret_cast<IBinder*>(obj.cookie)->incStrong(who);
}
return;
case BINDER_TYPE_HANDLE: {
const sp<IBinder> b = proc->getStrongProxyForHandle(obj.handle);
if (b != nullptr) {
LOG_REFS("Parcel %p acquiring reference on remote %p", who, b.get());
b->incStrong(who);
}
return;
}
case BINDER_TYPE_FD: {
if (obj.cookie != 0) { // owned
FdTag(obj.handle, nullptr, who);
}
return;
}
}
ALOGD("Invalid object type 0x%08x", obj.hdr.type);
}
static void release_object(const sp<ProcessState>& proc, const flat_binder_object& obj,
const void* who) {
switch (obj.hdr.type) {
case BINDER_TYPE_BINDER:
if (obj.binder) {
LOG_REFS("Parcel %p releasing reference on local %llu", who, obj.cookie);
reinterpret_cast<IBinder*>(obj.cookie)->decStrong(who);
}
return;
case BINDER_TYPE_HANDLE: {
const sp<IBinder> b = proc->getStrongProxyForHandle(obj.handle);
if (b != nullptr) {
LOG_REFS("Parcel %p releasing reference on remote %p", who, b.get());
b->decStrong(who);
}
return;
}
case BINDER_TYPE_FD: {
// note: this path is not used when mOwner, so the tag is also released
// in 'closeFileDescriptors'
if (obj.cookie != 0) { // owned
FdTagClose(obj.handle, who);
}
return;
}
}
ALOGE("Invalid object type 0x%08x", obj.hdr.type);
}
#endif // BINDER_WITH_KERNEL_IPC
static int toRawFd(const std::variant<unique_fd, borrowed_fd>& v) {
return std::visit([](const auto& fd) { return fd.get(); }, v);
}
Parcel::RpcFields::RpcFields(const sp<RpcSession>& session) : mSession(session) {
LOG_ALWAYS_FATAL_IF(mSession == nullptr);
}
status_t Parcel::finishFlattenBinder(const sp<IBinder>& binder)
{
internal::Stability::tryMarkCompilationUnit(binder.get());
int16_t rep = internal::Stability::getRepr(binder.get());
return writeInt32(rep);
}
status_t Parcel::finishUnflattenBinder(
const sp<IBinder>& binder, sp<IBinder>* out) const
{
int32_t stability;
status_t status = readInt32(&stability);
if (status != OK) return status;
status = internal::Stability::setRepr(binder.get(), static_cast<int16_t>(stability),
true /*log*/);
if (status != OK) return status;
*out = binder;
return OK;
}
#ifdef BINDER_WITH_KERNEL_IPC
static constexpr inline int schedPolicyMask(int policy, int priority) {
return (priority & FLAT_BINDER_FLAG_PRIORITY_MASK) | ((policy & 3) << FLAT_BINDER_FLAG_SCHED_POLICY_SHIFT);
}
#endif // BINDER_WITH_KERNEL_IPC
status_t Parcel::flattenBinder(const sp<IBinder>& binder) {
BBinder* local = nullptr;
if (binder) local = binder->localBinder();
if (local) local->setParceled();
if (const auto* rpcFields = maybeRpcFields()) {
if (binder) {
status_t status = writeInt32(1); // non-null
if (status != OK) return status;
uint64_t address;
// TODO(b/167966510): need to undo this if the Parcel is not sent
status = rpcFields->mSession->state()->onBinderLeaving(rpcFields->mSession, binder,
&address);
if (status != OK) return status;
status = writeUint64(address);
if (status != OK) return status;
} else {
status_t status = writeInt32(0); // null
if (status != OK) return status;
}
return finishFlattenBinder(binder);
}
#ifdef BINDER_WITH_KERNEL_IPC
flat_binder_object obj;
int schedBits = 0;
if (!IPCThreadState::self()->backgroundSchedulingDisabled()) {
schedBits = schedPolicyMask(SCHED_NORMAL, 19);
}
if (binder != nullptr) {
if (!local) {
BpBinder *proxy = binder->remoteBinder();
if (proxy == nullptr) {
ALOGE("null proxy");
} else {
if (proxy->isRpcBinder()) {
ALOGE("Sending a socket binder over kernel binder is prohibited");
return INVALID_OPERATION;
}
}
const int32_t handle = proxy ? proxy->getPrivateAccessor().binderHandle() : 0;
obj.hdr.type = BINDER_TYPE_HANDLE;
obj.binder = 0; /* Don't pass uninitialized stack data to a remote process */
obj.flags = 0;
obj.handle = handle;
obj.cookie = 0;
} else {
int policy = local->getMinSchedulerPolicy();
int priority = local->getMinSchedulerPriority();
if (policy != 0 || priority != 0) {
// override value, since it is set explicitly
schedBits = schedPolicyMask(policy, priority);
}
obj.flags = FLAT_BINDER_FLAG_ACCEPTS_FDS;
if (local->isRequestingSid()) {
obj.flags |= FLAT_BINDER_FLAG_TXN_SECURITY_CTX;
}
if (local->isInheritRt()) {
obj.flags |= FLAT_BINDER_FLAG_INHERIT_RT;
}
obj.hdr.type = BINDER_TYPE_BINDER;
obj.binder = reinterpret_cast<uintptr_t>(local->getWeakRefs());
obj.cookie = reinterpret_cast<uintptr_t>(local);
}
} else {
obj.hdr.type = BINDER_TYPE_BINDER;
obj.flags = 0;
obj.binder = 0;
obj.cookie = 0;
}
obj.flags |= schedBits;
status_t status = writeObject(obj, false);
if (status != OK) return status;
return finishFlattenBinder(binder);
#else // BINDER_WITH_KERNEL_IPC
LOG_ALWAYS_FATAL("Binder kernel driver disabled at build time");
return INVALID_OPERATION;
#endif // BINDER_WITH_KERNEL_IPC
}
status_t Parcel::unflattenBinder(sp<IBinder>* out) const
{
if (const auto* rpcFields = maybeRpcFields()) {
int32_t isPresent;
status_t status = readInt32(&isPresent);
if (status != OK) return status;
sp<IBinder> binder;
if (isPresent & 1) {
uint64_t addr;
if (status_t status = readUint64(&addr); status != OK) return status;
if (status_t status =
rpcFields->mSession->state()->onBinderEntering(rpcFields->mSession, addr,
&binder);
status != OK)
return status;
if (status_t status =
rpcFields->mSession->state()->flushExcessBinderRefs(rpcFields->mSession,
addr, binder);
status != OK)
return status;
}
return finishUnflattenBinder(binder, out);
}
#ifdef BINDER_WITH_KERNEL_IPC
const flat_binder_object* flat = readObject(false);
if (flat) {
switch (flat->hdr.type) {
case BINDER_TYPE_BINDER: {
sp<IBinder> binder =
sp<IBinder>::fromExisting(reinterpret_cast<IBinder*>(flat->cookie));
return finishUnflattenBinder(binder, out);
}
case BINDER_TYPE_HANDLE: {
sp<IBinder> binder =
ProcessState::self()->getStrongProxyForHandle(flat->handle);
return finishUnflattenBinder(binder, out);
}
}
}
return BAD_TYPE;
#else // BINDER_WITH_KERNEL_IPC
LOG_ALWAYS_FATAL("Binder kernel driver disabled at build time");
return INVALID_OPERATION;
#endif // BINDER_WITH_KERNEL_IPC
}
// ---------------------------------------------------------------------------
Parcel::Parcel()
{
LOG_ALLOC("Parcel %p: constructing", this);
initState();
}
Parcel::~Parcel()
{
freeDataNoInit();
LOG_ALLOC("Parcel %p: destroyed", this);
}
size_t Parcel::getGlobalAllocSize() {
return gParcelGlobalAllocSize.load();
}
size_t Parcel::getGlobalAllocCount() {
return gParcelGlobalAllocCount.load();
}
const uint8_t* Parcel::data() const
{
return mData;
}
size_t Parcel::dataSize() const
{
return (mDataSize > mDataPos ? mDataSize : mDataPos);
}
size_t Parcel::dataBufferSize() const {
return mDataSize;
}
size_t Parcel::dataAvail() const
{
size_t result = dataSize() - dataPosition();
if (result > INT32_MAX) {
LOG_ALWAYS_FATAL("result too big: %zu", result);
}
return result;
}
size_t Parcel::dataPosition() const
{
return mDataPos;
}
size_t Parcel::dataCapacity() const
{
return mDataCapacity;
}
status_t Parcel::setDataSize(size_t size)
{
if (size > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
status_t err;
err = continueWrite(size);
if (err == NO_ERROR) {
mDataSize = size;
ALOGV("setDataSize Setting data size of %p to %zu", this, mDataSize);
}
return err;
}
void Parcel::setDataPosition(size_t pos) const
{
if (pos > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
LOG_ALWAYS_FATAL("pos too big: %zu", pos);
}
mDataPos = pos;
if (const auto* kernelFields = maybeKernelFields()) {
kernelFields->mNextObjectHint = 0;
kernelFields->mObjectsSorted = false;
}
}
status_t Parcel::setDataCapacity(size_t size)
{
if (size > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
if (size > mDataCapacity) return continueWrite(size);
return NO_ERROR;
}
status_t Parcel::setData(const uint8_t* buffer, size_t len)
{
if (len > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
status_t err = restartWrite(len);
if (err == NO_ERROR) {
memcpy(const_cast<uint8_t*>(data()), buffer, len);
mDataSize = len;
if (auto* kernelFields = maybeKernelFields()) {
kernelFields->mFdsKnown = false;
}
}
return err;
}
status_t Parcel::appendFrom(const Parcel* parcel, size_t offset, size_t len) {
if (isForRpc() != parcel->isForRpc()) {
ALOGE("Cannot append Parcel from one context to another. They may be different formats, "
"and objects are specific to a context.");
return BAD_TYPE;
}
if (isForRpc() && maybeRpcFields()->mSession != parcel->maybeRpcFields()->mSession) {
ALOGE("Cannot append Parcels from different sessions");
return BAD_TYPE;
}
status_t err;
const uint8_t* data = parcel->mData;
int startPos = mDataPos;
if (len == 0) {
return NO_ERROR;
}
if (len > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
// range checks against the source parcel size
if ((offset > parcel->mDataSize)
|| (len > parcel->mDataSize)
|| (offset + len > parcel->mDataSize)) {
return BAD_VALUE;
}
if ((mDataSize+len) > mDataCapacity) {
// grow data
err = growData(len);
if (err != NO_ERROR) {
return err;
}
}
// append data
memcpy(mData + mDataPos, data + offset, len);
mDataPos += len;
mDataSize += len;
err = NO_ERROR;
if (auto* kernelFields = maybeKernelFields()) {
#ifdef BINDER_WITH_KERNEL_IPC
auto* otherKernelFields = parcel->maybeKernelFields();
LOG_ALWAYS_FATAL_IF(otherKernelFields == nullptr);
const binder_size_t* objects = otherKernelFields->mObjects;
size_t size = otherKernelFields->mObjectsSize;
// Count objects in range
int firstIndex = -1, lastIndex = -2;
for (int i = 0; i < (int)size; i++) {
size_t off = objects[i];
if ((off >= offset) && (off + sizeof(flat_binder_object) <= offset + len)) {
if (firstIndex == -1) {
firstIndex = i;
}
lastIndex = i;
}
}
int numObjects = lastIndex - firstIndex + 1;
if (numObjects > 0) {
const sp<ProcessState> proc(ProcessState::self());
// grow objects
if (kernelFields->mObjectsCapacity < kernelFields->mObjectsSize + numObjects) {
if ((size_t)numObjects > SIZE_MAX - kernelFields->mObjectsSize)
return NO_MEMORY; // overflow
if (kernelFields->mObjectsSize + numObjects > SIZE_MAX / 3)
return NO_MEMORY; // overflow
size_t newSize = ((kernelFields->mObjectsSize + numObjects) * 3) / 2;
if (newSize > SIZE_MAX / sizeof(binder_size_t)) return NO_MEMORY; // overflow
binder_size_t* objects = (binder_size_t*)realloc(kernelFields->mObjects,
newSize * sizeof(binder_size_t));
if (objects == (binder_size_t*)nullptr) {
return NO_MEMORY;
}
kernelFields->mObjects = objects;
kernelFields->mObjectsCapacity = newSize;
}
// append and acquire objects
int idx = kernelFields->mObjectsSize;
for (int i = firstIndex; i <= lastIndex; i++) {
size_t off = objects[i] - offset + startPos;
kernelFields->mObjects[idx++] = off;
kernelFields->mObjectsSize++;
flat_binder_object* flat = reinterpret_cast<flat_binder_object*>(mData + off);
if (flat->hdr.type == BINDER_TYPE_FD) {
// If this is a file descriptor, we need to dup it so the
// new Parcel now owns its own fd, and can declare that we
// officially know we have fds.
flat->handle = fcntl(flat->handle, F_DUPFD_CLOEXEC, 0);
flat->cookie = 1;
kernelFields->mHasFds = kernelFields->mFdsKnown = true;
if (!mAllowFds) {
err = FDS_NOT_ALLOWED;
}
}
acquire_object(proc, *flat, this);
}
}
#else
LOG_ALWAYS_FATAL("Binder kernel driver disabled at build time");
return INVALID_OPERATION;
#endif // BINDER_WITH_KERNEL_IPC
} else {
auto* rpcFields = maybeRpcFields();
LOG_ALWAYS_FATAL_IF(rpcFields == nullptr);
auto* otherRpcFields = parcel->maybeRpcFields();
if (otherRpcFields == nullptr) {
return BAD_TYPE;
}
if (rpcFields->mSession != otherRpcFields->mSession) {
return BAD_TYPE;
}
const size_t savedDataPos = mDataPos;
auto scopeGuard = make_scope_guard([&]() { mDataPos = savedDataPos; });
rpcFields->mObjectPositions.reserve(otherRpcFields->mObjectPositions.size());
if (otherRpcFields->mFds != nullptr) {
if (rpcFields->mFds == nullptr) {
rpcFields->mFds = std::make_unique<decltype(rpcFields->mFds)::element_type>();
}
rpcFields->mFds->reserve(otherRpcFields->mFds->size());
}
for (size_t i = 0; i < otherRpcFields->mObjectPositions.size(); i++) {
const binder_size_t objPos = otherRpcFields->mObjectPositions[i];
if (offset <= objPos && objPos < offset + len) {
size_t newDataPos = objPos - offset + startPos;
rpcFields->mObjectPositions.push_back(newDataPos);
mDataPos = newDataPos;
int32_t objectType;
if (status_t status = readInt32(&objectType); status != OK) {
return status;
}
if (objectType != RpcFields::TYPE_NATIVE_FILE_DESCRIPTOR) {
continue;
}
if (!mAllowFds) {
return FDS_NOT_ALLOWED;
}
// Read FD, duplicate, and add to list.
int32_t fdIndex;
if (status_t status = readInt32(&fdIndex); status != OK) {
return status;
}
int oldFd = toRawFd(otherRpcFields->mFds->at(fdIndex));
// To match kernel binder behavior, we always dup, even if the
// FD was unowned in the source parcel.
int newFd = -1;
if (status_t status = binder::os::dupFileDescriptor(oldFd, &newFd); status != OK) {
ALOGW("Failed to duplicate file descriptor %d: %s", oldFd, strerror(-status));
}
rpcFields->mFds->emplace_back(unique_fd(newFd));
// Fixup the index in the data.
mDataPos = newDataPos + 4;
if (status_t status = writeInt32(rpcFields->mFds->size() - 1); status != OK) {
return status;
}
}
}
}
return err;
}
int Parcel::compareData(const Parcel& other) {
size_t size = dataSize();
if (size != other.dataSize()) {
return size < other.dataSize() ? -1 : 1;
}
return memcmp(data(), other.data(), size);
}
status_t Parcel::compareDataInRange(size_t thisOffset, const Parcel& other, size_t otherOffset,
size_t len, int* result) const {
if (len > INT32_MAX || thisOffset > INT32_MAX || otherOffset > INT32_MAX) {
// Don't accept size_t values which may have come from an inadvertent conversion from a
// negative int.
return BAD_VALUE;
}
size_t thisLimit;
if (__builtin_add_overflow(thisOffset, len, &thisLimit) || thisLimit > mDataSize) {
return BAD_VALUE;
}
size_t otherLimit;
if (__builtin_add_overflow(otherOffset, len, &otherLimit) || otherLimit > other.mDataSize) {
return BAD_VALUE;
}
*result = memcmp(data() + thisOffset, other.data() + otherOffset, len);
return NO_ERROR;
}
bool Parcel::allowFds() const
{
return mAllowFds;
}
bool Parcel::pushAllowFds(bool allowFds)
{
const bool origValue = mAllowFds;
if (!allowFds) {
mAllowFds = false;
}
return origValue;
}
void Parcel::restoreAllowFds(bool lastValue)
{
mAllowFds = lastValue;
}
bool Parcel::hasFileDescriptors() const
{
if (const auto* rpcFields = maybeRpcFields()) {
return rpcFields->mFds != nullptr && !rpcFields->mFds->empty();
}
auto* kernelFields = maybeKernelFields();
if (!kernelFields->mFdsKnown) {
scanForFds();
}
return kernelFields->mHasFds;
}
std::vector<sp<IBinder>> Parcel::debugReadAllStrongBinders() const {
std::vector<sp<IBinder>> ret;
#ifdef BINDER_WITH_KERNEL_IPC
const auto* kernelFields = maybeKernelFields();
if (kernelFields == nullptr) {
return ret;
}
size_t initPosition = dataPosition();
for (size_t i = 0; i < kernelFields->mObjectsSize; i++) {
binder_size_t offset = kernelFields->mObjects[i];
const flat_binder_object* flat =
reinterpret_cast<const flat_binder_object*>(mData + offset);
if (flat->hdr.type != BINDER_TYPE_BINDER) continue;
setDataPosition(offset);
sp<IBinder> binder = readStrongBinder();
if (binder != nullptr) ret.push_back(binder);
}
setDataPosition(initPosition);
#endif // BINDER_WITH_KERNEL_IPC
return ret;
}
std::vector<int> Parcel::debugReadAllFileDescriptors() const {
std::vector<int> ret;
if (const auto* kernelFields = maybeKernelFields()) {
#ifdef BINDER_WITH_KERNEL_IPC
size_t initPosition = dataPosition();
for (size_t i = 0; i < kernelFields->mObjectsSize; i++) {
binder_size_t offset = kernelFields->mObjects[i];
const flat_binder_object* flat =
reinterpret_cast<const flat_binder_object*>(mData + offset);
if (flat->hdr.type != BINDER_TYPE_FD) continue;
setDataPosition(offset);
int fd = readFileDescriptor();
LOG_ALWAYS_FATAL_IF(fd == -1);
ret.push_back(fd);
}
setDataPosition(initPosition);
#else
LOG_ALWAYS_FATAL("Binder kernel driver disabled at build time");
#endif
} else if (const auto* rpcFields = maybeRpcFields(); rpcFields && rpcFields->mFds) {
for (const auto& fd : *rpcFields->mFds) {
ret.push_back(toRawFd(fd));
}
}
return ret;
}
status_t Parcel::hasFileDescriptorsInRange(size_t offset, size_t len, bool* result) const {
if (len > INT32_MAX || offset > INT32_MAX) {
// Don't accept size_t values which may have come from an inadvertent conversion from a
// negative int.
return BAD_VALUE;
}
size_t limit;
if (__builtin_add_overflow(offset, len, &limit) || limit > mDataSize) {
return BAD_VALUE;
}
*result = false;
if (const auto* kernelFields = maybeKernelFields()) {
#ifdef BINDER_WITH_KERNEL_IPC
for (size_t i = 0; i < kernelFields->mObjectsSize; i++) {
size_t pos = kernelFields->mObjects[i];
if (pos < offset) continue;
if (pos + sizeof(flat_binder_object) > offset + len) {
if (kernelFields->mObjectsSorted) {
break;
} else {
continue;
}
}
const flat_binder_object* flat =
reinterpret_cast<const flat_binder_object*>(mData + pos);
if (flat->hdr.type == BINDER_TYPE_FD) {
*result = true;
break;
}
}
#else
LOG_ALWAYS_FATAL("Binder kernel driver disabled at build time");
return INVALID_OPERATION;
#endif // BINDER_WITH_KERNEL_IPC
} else if (const auto* rpcFields = maybeRpcFields()) {
for (uint32_t pos : rpcFields->mObjectPositions) {
if (offset <= pos && pos < limit) {
const auto* type = reinterpret_cast<const RpcFields::ObjectType*>(mData + pos);
if (*type == RpcFields::TYPE_NATIVE_FILE_DESCRIPTOR) {
*result = true;
break;
}
}
}
}
return NO_ERROR;
}
void Parcel::markSensitive() const
{
mDeallocZero = true;
}
void Parcel::markForBinder(const sp<IBinder>& binder) {
LOG_ALWAYS_FATAL_IF(mData != nullptr, "format must be set before data is written");
if (binder && binder->remoteBinder() && binder->remoteBinder()->isRpcBinder()) {
markForRpc(binder->remoteBinder()->getPrivateAccessor().rpcSession());
}
}
void Parcel::markForRpc(const sp<RpcSession>& session) {
LOG_ALWAYS_FATAL_IF(mData != nullptr && mOwner == nullptr,
"format must be set before data is written OR on IPC data");
mVariantFields.emplace<RpcFields>(session);
}
bool Parcel::isForRpc() const {
return std::holds_alternative<RpcFields>(mVariantFields);
}
void Parcel::updateWorkSourceRequestHeaderPosition() const {
auto* kernelFields = maybeKernelFields();
if (kernelFields == nullptr) {
return;
}
// Only update the request headers once. We only want to point
// to the first headers read/written.
if (!kernelFields->mRequestHeaderPresent) {
kernelFields->mWorkSourceRequestHeaderPosition = dataPosition();
kernelFields->mRequestHeaderPresent = true;
}
}
#ifdef BINDER_WITH_KERNEL_IPC
#if defined(__ANDROID__)
#if defined(__ANDROID_VNDK__)
constexpr int32_t kHeader = B_PACK_CHARS('V', 'N', 'D', 'R');
#elif defined(__ANDROID_RECOVERY__)
constexpr int32_t kHeader = B_PACK_CHARS('R', 'E', 'C', 'O');
#else
constexpr int32_t kHeader = B_PACK_CHARS('S', 'Y', 'S', 'T');
#endif
#else // ANDROID not defined
// If kernel binder is used in new environments, we need to make sure it's separated
// out and has a separate header.
constexpr int32_t kHeader = B_PACK_CHARS('U', 'N', 'K', 'N');
#endif
#endif // BINDER_WITH_KERNEL_IPC
// Write RPC headers. (previously just the interface token)
status_t Parcel::writeInterfaceToken(const String16& interface)
{
return writeInterfaceToken(interface.c_str(), interface.size());
}
status_t Parcel::writeInterfaceToken(const char16_t* str, size_t len) {
if (auto* kernelFields = maybeKernelFields()) {
#ifdef BINDER_WITH_KERNEL_IPC
const IPCThreadState* threadState = IPCThreadState::self();
writeInt32(threadState->getStrictModePolicy() | STRICT_MODE_PENALTY_GATHER);
updateWorkSourceRequestHeaderPosition();
writeInt32(threadState->shouldPropagateWorkSource() ? threadState->getCallingWorkSourceUid()
: IPCThreadState::kUnsetWorkSource);
writeInt32(kHeader);
#else // BINDER_WITH_KERNEL_IPC
LOG_ALWAYS_FATAL("Binder kernel driver disabled at build time");
return INVALID_OPERATION;
#endif // BINDER_WITH_KERNEL_IPC
}
// currently the interface identification token is just its name as a string
return writeString16(str, len);
}
bool Parcel::replaceCallingWorkSourceUid(uid_t uid)
{
auto* kernelFields = maybeKernelFields();
if (kernelFields == nullptr) {
return false;
}
if (!kernelFields->mRequestHeaderPresent) {
return false;
}
const size_t initialPosition = dataPosition();
setDataPosition(kernelFields->mWorkSourceRequestHeaderPosition);
status_t err = writeInt32(uid);
setDataPosition(initialPosition);
return err == NO_ERROR;
}
uid_t Parcel::readCallingWorkSourceUid() const
{
auto* kernelFields = maybeKernelFields();
if (kernelFields == nullptr) {
return false;
}
if (!kernelFields->mRequestHeaderPresent) {
return IPCThreadState::kUnsetWorkSource;
}
const size_t initialPosition = dataPosition();
setDataPosition(kernelFields->mWorkSourceRequestHeaderPosition);
uid_t uid = readInt32();
setDataPosition(initialPosition);
return uid;
}
bool Parcel::checkInterface(IBinder* binder) const
{
return enforceInterface(binder->getInterfaceDescriptor());
}
bool Parcel::enforceInterface(const String16& interface,
IPCThreadState* threadState) const
{
return enforceInterface(interface.c_str(), interface.size(), threadState);
}
bool Parcel::enforceInterface(const char16_t* interface,
size_t len,
IPCThreadState* threadState) const
{
if (auto* kernelFields = maybeKernelFields()) {
#ifdef BINDER_WITH_KERNEL_IPC
// StrictModePolicy.
int32_t strictPolicy = readInt32();
if (threadState == nullptr) {
threadState = IPCThreadState::self();
}
if ((threadState->getLastTransactionBinderFlags() & IBinder::FLAG_ONEWAY) != 0) {
// For one-way calls, the callee is running entirely
// disconnected from the caller, so disable StrictMode entirely.
// Not only does disk/network usage not impact the caller, but
// there's no way to communicate back violations anyway.
threadState->setStrictModePolicy(0);
} else {
threadState->setStrictModePolicy(strictPolicy);
}
// WorkSource.
updateWorkSourceRequestHeaderPosition();
int32_t workSource = readInt32();
threadState->setCallingWorkSourceUidWithoutPropagation(workSource);
// vendor header
int32_t header = readInt32();
// fuzzers skip this check, because it is for protecting the underlying ABI, but
// we don't want it to reduce our coverage
if (header != kHeader && !mServiceFuzzing) {
ALOGE("Expecting header 0x%x but found 0x%x. Mixing copies of libbinder?", kHeader,
header);
return false;
}
#else // BINDER_WITH_KERNEL_IPC
LOG_ALWAYS_FATAL("Binder kernel driver disabled at build time");
(void)threadState;
return false;
#endif // BINDER_WITH_KERNEL_IPC
}
// Interface descriptor.
size_t parcel_interface_len;
const char16_t* parcel_interface = readString16Inplace(&parcel_interface_len);
if (len == parcel_interface_len &&
(!len || !memcmp(parcel_interface, interface, len * sizeof (char16_t)))) {
return true;
} else {
if (mServiceFuzzing) {
// ignore. Theoretically, this could cause a few false positives, because
// people could assume things about getInterfaceDescriptor if they pass
// this point, but it would be extremely fragile. It's more important that
// we fuzz with the above things read from the Parcel.
return true;
} else {
ALOGW("**** enforceInterface() expected '%s' but read '%s'",
String8(interface, len).c_str(),
String8(parcel_interface, parcel_interface_len).c_str());
return false;
}
}
}
void Parcel::setEnforceNoDataAvail(bool enforceNoDataAvail) {
mEnforceNoDataAvail = enforceNoDataAvail;
}
void Parcel::setServiceFuzzing() {
mServiceFuzzing = true;
}
bool Parcel::isServiceFuzzing() const {
return mServiceFuzzing;
}
binder::Status Parcel::enforceNoDataAvail() const {
if (!mEnforceNoDataAvail) {
return binder::Status::ok();
}
const auto n = dataAvail();
if (n == 0) {
return binder::Status::ok();
}
return binder::Status::
fromExceptionCode(binder::Status::Exception::EX_BAD_PARCELABLE,
String8::format("Parcel data not fully consumed, unread size: %zu",
n));
}
size_t Parcel::objectsCount() const
{
if (const auto* kernelFields = maybeKernelFields()) {
return kernelFields->mObjectsSize;
}
return 0;
}
status_t Parcel::errorCheck() const
{
return mError;
}
void Parcel::setError(status_t err)
{
mError = err;
}
status_t Parcel::finishWrite(size_t len)
{
if (len > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
//printf("Finish write of %d\n", len);
mDataPos += len;
ALOGV("finishWrite Setting data pos of %p to %zu", this, mDataPos);
if (mDataPos > mDataSize) {
mDataSize = mDataPos;
ALOGV("finishWrite Setting data size of %p to %zu", this, mDataSize);
}
//printf("New pos=%d, size=%d\n", mDataPos, mDataSize);
return NO_ERROR;
}
status_t Parcel::writeUnpadded(const void* data, size_t len)
{
if (len > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
size_t end = mDataPos + len;
if (end < mDataPos) {
// integer overflow
return BAD_VALUE;
}
if (end <= mDataCapacity) {
restart_write:
memcpy(mData+mDataPos, data, len);
return finishWrite(len);
}
status_t err = growData(len);
if (err == NO_ERROR) goto restart_write;
return err;
}
status_t Parcel::write(const void* data, size_t len)
{
if (len > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
void* const d = writeInplace(len);
if (d) {
memcpy(d, data, len);
return NO_ERROR;
}
return mError;
}
void* Parcel::writeInplace(size_t len)
{
if (len > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return nullptr;
}
const size_t padded = pad_size(len);
// check for integer overflow
if (mDataPos+padded < mDataPos) {
return nullptr;
}
if ((mDataPos+padded) <= mDataCapacity) {
restart_write:
//printf("Writing %ld bytes, padded to %ld\n", len, padded);
uint8_t* const data = mData+mDataPos;
// Need to pad at end?
if (padded != len) {
#if BYTE_ORDER == BIG_ENDIAN
static const uint32_t mask[4] = {
0x00000000, 0xffffff00, 0xffff0000, 0xff000000
};
#endif
#if BYTE_ORDER == LITTLE_ENDIAN
static const uint32_t mask[4] = {
0x00000000, 0x00ffffff, 0x0000ffff, 0x000000ff
};
#endif
//printf("Applying pad mask: %p to %p\n", (void*)mask[padded-len],
// *reinterpret_cast<void**>(data+padded-4));
*reinterpret_cast<uint32_t*>(data+padded-4) &= mask[padded-len];
}
finishWrite(padded);
return data;
}
status_t err = growData(padded);
if (err == NO_ERROR) goto restart_write;
return nullptr;
}
status_t Parcel::writeUtf8AsUtf16(const std::string& str) {
const uint8_t* strData = (uint8_t*)str.data();
const size_t strLen= str.length();
const ssize_t utf16Len = utf8_to_utf16_length(strData, strLen);
if (utf16Len < 0 || utf16Len > std::numeric_limits<int32_t>::max()) {
return BAD_VALUE;
}
status_t err = writeInt32(utf16Len);
if (err) {
return err;
}
// Allocate enough bytes to hold our converted string and its terminating NULL.
void* dst = writeInplace((utf16Len + 1) * sizeof(char16_t));
if (!dst) {
return NO_MEMORY;
}
utf8_to_utf16(strData, strLen, (char16_t*)dst, (size_t) utf16Len + 1);
return NO_ERROR;
}
status_t Parcel::writeUtf8AsUtf16(const std::optional<std::string>& str) { return writeData(str); }
status_t Parcel::writeUtf8AsUtf16(const std::unique_ptr<std::string>& str) { return writeData(str); }
status_t Parcel::writeString16(const std::optional<String16>& str) { return writeData(str); }
status_t Parcel::writeString16(const std::unique_ptr<String16>& str) { return writeData(str); }
status_t Parcel::writeByteVector(const std::vector<int8_t>& val) { return writeData(val); }
status_t Parcel::writeByteVector(const std::optional<std::vector<int8_t>>& val) { return writeData(val); }
status_t Parcel::writeByteVector(const std::unique_ptr<std::vector<int8_t>>& val) { return writeData(val); }
status_t Parcel::writeByteVector(const std::vector<uint8_t>& val) { return writeData(val); }
status_t Parcel::writeByteVector(const std::optional<std::vector<uint8_t>>& val) { return writeData(val); }
status_t Parcel::writeByteVector(const std::unique_ptr<std::vector<uint8_t>>& val){ return writeData(val); }
status_t Parcel::writeInt32Vector(const std::vector<int32_t>& val) { return writeData(val); }
status_t Parcel::writeInt32Vector(const std::optional<std::vector<int32_t>>& val) { return writeData(val); }
status_t Parcel::writeInt32Vector(const std::unique_ptr<std::vector<int32_t>>& val) { return writeData(val); }
status_t Parcel::writeInt64Vector(const std::vector<int64_t>& val) { return writeData(val); }
status_t Parcel::writeInt64Vector(const std::optional<std::vector<int64_t>>& val) { return writeData(val); }
status_t Parcel::writeInt64Vector(const std::unique_ptr<std::vector<int64_t>>& val) { return writeData(val); }
status_t Parcel::writeUint64Vector(const std::vector<uint64_t>& val) { return writeData(val); }
status_t Parcel::writeUint64Vector(const std::optional<std::vector<uint64_t>>& val) { return writeData(val); }
status_t Parcel::writeUint64Vector(const std::unique_ptr<std::vector<uint64_t>>& val) { return writeData(val); }
status_t Parcel::writeFloatVector(const std::vector<float>& val) { return writeData(val); }
status_t Parcel::writeFloatVector(const std::optional<std::vector<float>>& val) { return writeData(val); }
status_t Parcel::writeFloatVector(const std::unique_ptr<std::vector<float>>& val) { return writeData(val); }
status_t Parcel::writeDoubleVector(const std::vector<double>& val) { return writeData(val); }
status_t Parcel::writeDoubleVector(const std::optional<std::vector<double>>& val) { return writeData(val); }
status_t Parcel::writeDoubleVector(const std::unique_ptr<std::vector<double>>& val) { return writeData(val); }
status_t Parcel::writeBoolVector(const std::vector<bool>& val) { return writeData(val); }
status_t Parcel::writeBoolVector(const std::optional<std::vector<bool>>& val) { return writeData(val); }
status_t Parcel::writeBoolVector(const std::unique_ptr<std::vector<bool>>& val) { return writeData(val); }
status_t Parcel::writeCharVector(const std::vector<char16_t>& val) { return writeData(val); }
status_t Parcel::writeCharVector(const std::optional<std::vector<char16_t>>& val) { return writeData(val); }
status_t Parcel::writeCharVector(const std::unique_ptr<std::vector<char16_t>>& val) { return writeData(val); }
status_t Parcel::writeString16Vector(const std::vector<String16>& val) { return writeData(val); }
status_t Parcel::writeString16Vector(
const std::optional<std::vector<std::optional<String16>>>& val) { return writeData(val); }
status_t Parcel::writeString16Vector(
const std::unique_ptr<std::vector<std::unique_ptr<String16>>>& val) { return writeData(val); }
status_t Parcel::writeUtf8VectorAsUtf16Vector(
const std::optional<std::vector<std::optional<std::string>>>& val) { return writeData(val); }
status_t Parcel::writeUtf8VectorAsUtf16Vector(
const std::unique_ptr<std::vector<std::unique_ptr<std::string>>>& val) { return writeData(val); }
status_t Parcel::writeUtf8VectorAsUtf16Vector(const std::vector<std::string>& val) { return writeData(val); }
status_t Parcel::writeUniqueFileDescriptorVector(const std::vector<unique_fd>& val) {
return writeData(val);
}
status_t Parcel::writeUniqueFileDescriptorVector(const std::optional<std::vector<unique_fd>>& val) {
return writeData(val);
}
status_t Parcel::writeUniqueFileDescriptorVector(
const std::unique_ptr<std::vector<unique_fd>>& val) {
return writeData(val);
}
status_t Parcel::writeStrongBinderVector(const std::vector<sp<IBinder>>& val) { return writeData(val); }
status_t Parcel::writeStrongBinderVector(const std::optional<std::vector<sp<IBinder>>>& val) { return writeData(val); }
status_t Parcel::writeStrongBinderVector(const std::unique_ptr<std::vector<sp<IBinder>>>& val) { return writeData(val); }
status_t Parcel::writeParcelable(const Parcelable& parcelable) { return writeData(parcelable); }
status_t Parcel::readUtf8FromUtf16(std::optional<std::string>* str) const { return readData(str); }
status_t Parcel::readUtf8FromUtf16(std::unique_ptr<std::string>* str) const { return readData(str); }
status_t Parcel::readString16(std::optional<String16>* pArg) const { return readData(pArg); }
status_t Parcel::readString16(std::unique_ptr<String16>* pArg) const { return readData(pArg); }
status_t Parcel::readByteVector(std::vector<int8_t>* val) const { return readData(val); }
status_t Parcel::readByteVector(std::vector<uint8_t>* val) const { return readData(val); }
status_t Parcel::readByteVector(std::optional<std::vector<int8_t>>* val) const { return readData(val); }
status_t Parcel::readByteVector(std::unique_ptr<std::vector<int8_t>>* val) const { return readData(val); }
status_t Parcel::readByteVector(std::optional<std::vector<uint8_t>>* val) const { return readData(val); }
status_t Parcel::readByteVector(std::unique_ptr<std::vector<uint8_t>>* val) const { return readData(val); }
status_t Parcel::readInt32Vector(std::optional<std::vector<int32_t>>* val) const { return readData(val); }
status_t Parcel::readInt32Vector(std::unique_ptr<std::vector<int32_t>>* val) const { return readData(val); }
status_t Parcel::readInt32Vector(std::vector<int32_t>* val) const { return readData(val); }
status_t Parcel::readInt64Vector(std::optional<std::vector<int64_t>>* val) const { return readData(val); }
status_t Parcel::readInt64Vector(std::unique_ptr<std::vector<int64_t>>* val) const { return readData(val); }
status_t Parcel::readInt64Vector(std::vector<int64_t>* val) const { return readData(val); }
status_t Parcel::readUint64Vector(std::optional<std::vector<uint64_t>>* val) const { return readData(val); }
status_t Parcel::readUint64Vector(std::unique_ptr<std::vector<uint64_t>>* val) const { return readData(val); }
status_t Parcel::readUint64Vector(std::vector<uint64_t>* val) const { return readData(val); }
status_t Parcel::readFloatVector(std::optional<std::vector<float>>* val) const { return readData(val); }
status_t Parcel::readFloatVector(std::unique_ptr<std::vector<float>>* val) const { return readData(val); }
status_t Parcel::readFloatVector(std::vector<float>* val) const { return readData(val); }
status_t Parcel::readDoubleVector(std::optional<std::vector<double>>* val) const { return readData(val); }
status_t Parcel::readDoubleVector(std::unique_ptr<std::vector<double>>* val) const { return readData(val); }
status_t Parcel::readDoubleVector(std::vector<double>* val) const { return readData(val); }
status_t Parcel::readBoolVector(std::optional<std::vector<bool>>* val) const { return readData(val); }
status_t Parcel::readBoolVector(std::unique_ptr<std::vector<bool>>* val) const { return readData(val); }
status_t Parcel::readBoolVector(std::vector<bool>* val) const { return readData(val); }
status_t Parcel::readCharVector(std::optional<std::vector<char16_t>>* val) const { return readData(val); }
status_t Parcel::readCharVector(std::unique_ptr<std::vector<char16_t>>* val) const { return readData(val); }
status_t Parcel::readCharVector(std::vector<char16_t>* val) const { return readData(val); }
status_t Parcel::readString16Vector(
std::optional<std::vector<std::optional<String16>>>* val) const { return readData(val); }
status_t Parcel::readString16Vector(
std::unique_ptr<std::vector<std::unique_ptr<String16>>>* val) const { return readData(val); }
status_t Parcel::readString16Vector(std::vector<String16>* val) const { return readData(val); }
status_t Parcel::readUtf8VectorFromUtf16Vector(
std::optional<std::vector<std::optional<std::string>>>* val) const { return readData(val); }
status_t Parcel::readUtf8VectorFromUtf16Vector(
std::unique_ptr<std::vector<std::unique_ptr<std::string>>>* val) const { return readData(val); }
status_t Parcel::readUtf8VectorFromUtf16Vector(std::vector<std::string>* val) const { return readData(val); }
status_t Parcel::readUniqueFileDescriptorVector(std::optional<std::vector<unique_fd>>* val) const {
return readData(val);
}
status_t Parcel::readUniqueFileDescriptorVector(
std::unique_ptr<std::vector<unique_fd>>* val) const {
return readData(val);
}
status_t Parcel::readUniqueFileDescriptorVector(std::vector<unique_fd>* val) const {
return readData(val);
}
status_t Parcel::readStrongBinderVector(std::optional<std::vector<sp<IBinder>>>* val) const { return readData(val); }
status_t Parcel::readStrongBinderVector(std::unique_ptr<std::vector<sp<IBinder>>>* val) const { return readData(val); }
status_t Parcel::readStrongBinderVector(std::vector<sp<IBinder>>* val) const { return readData(val); }
status_t Parcel::readParcelable(Parcelable* parcelable) const { return readData(parcelable); }
status_t Parcel::writeInt32(int32_t val)
{
return writeAligned(val);
}
status_t Parcel::writeUint32(uint32_t val)
{
return writeAligned(val);
}
status_t Parcel::writeInt32Array(size_t len, const int32_t *val) {
if (len > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
if (!val) {
return writeInt32(-1);
}
status_t ret = writeInt32(static_cast<uint32_t>(len));
if (ret == NO_ERROR) {
ret = write(val, len * sizeof(*val));
}
return ret;
}
status_t Parcel::writeByteArray(size_t len, const uint8_t *val) {
if (len > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
if (!val) {
return writeInt32(-1);
}
status_t ret = writeInt32(static_cast<uint32_t>(len));
if (ret == NO_ERROR) {
ret = write(val, len * sizeof(*val));
}
return ret;
}
status_t Parcel::writeBool(bool val)
{
return writeInt32(int32_t(val));
}
status_t Parcel::writeChar(char16_t val)
{
return writeInt32(int32_t(val));
}
status_t Parcel::writeByte(int8_t val)
{
return writeInt32(int32_t(val));
}
status_t Parcel::writeInt64(int64_t val)
{
return writeAligned(val);
}
status_t Parcel::writeUint64(uint64_t val)
{
return writeAligned(val);
}
status_t Parcel::writePointer(uintptr_t val)
{
return writeAligned<binder_uintptr_t>(val);
}
status_t Parcel::writeFloat(float val)
{
return writeAligned(val);
}
#if defined(__mips__) && defined(__mips_hard_float)
status_t Parcel::writeDouble(double val)
{
union {
double d;
unsigned long long ll;
} u;
u.d = val;
return writeAligned(u.ll);
}
#else
status_t Parcel::writeDouble(double val)
{
return writeAligned(val);
}
#endif
status_t Parcel::writeCString(const char* str)
{
return write(str, strlen(str)+1);
}
status_t Parcel::writeString8(const String8& str)
{
return writeString8(str.c_str(), str.size());
}
status_t Parcel::writeString8(const char* str, size_t len)
{
if (str == nullptr) return writeInt32(-1);
// NOTE: Keep this logic in sync with android_os_Parcel.cpp
status_t err = writeInt32(len);
if (err == NO_ERROR) {
uint8_t* data = (uint8_t*)writeInplace(len+sizeof(char));
if (data) {
memcpy(data, str, len);
*reinterpret_cast<char*>(data+len) = 0;
return NO_ERROR;
}
err = mError;
}
return err;
}
status_t Parcel::writeString16(const String16& str)
{
return writeString16(str.c_str(), str.size());
}
status_t Parcel::writeString16(const char16_t* str, size_t len)
{
if (str == nullptr) return writeInt32(-1);
// NOTE: Keep this logic in sync with android_os_Parcel.cpp
status_t err = writeInt32(len);
if (err == NO_ERROR) {
len *= sizeof(char16_t);
uint8_t* data = (uint8_t*)writeInplace(len+sizeof(char16_t));
if (data) {
memcpy(data, str, len);
*reinterpret_cast<char16_t*>(data+len) = 0;
return NO_ERROR;
}
err = mError;
}
return err;
}
status_t Parcel::writeStrongBinder(const sp<IBinder>& val)
{
return flattenBinder(val);
}
status_t Parcel::writeRawNullableParcelable(const Parcelable* parcelable) {
if (!parcelable) {
return writeInt32(0);
}
return writeParcelable(*parcelable);
}
#ifndef BINDER_DISABLE_NATIVE_HANDLE
status_t Parcel::writeNativeHandle(const native_handle* handle)
{
if (!handle || handle->version != sizeof(native_handle))
return BAD_TYPE;
status_t err;
err = writeInt32(handle->numFds);
if (err != NO_ERROR) return err;
err = writeInt32(handle->numInts);
if (err != NO_ERROR) return err;
for (int i=0 ; err==NO_ERROR && i<handle->numFds ; i++)
err = writeDupFileDescriptor(handle->data[i]);
if (err != NO_ERROR) {
ALOGD("write native handle, write dup fd failed");
return err;
}
err = write(handle->data + handle->numFds, sizeof(int)*handle->numInts);
return err;
}
#endif
status_t Parcel::writeFileDescriptor(int fd, bool takeOwnership) {
if (auto* rpcFields = maybeRpcFields()) {
std::variant<unique_fd, borrowed_fd> fdVariant;
if (takeOwnership) {
fdVariant = unique_fd(fd);
} else {
fdVariant = borrowed_fd(fd);
}
if (!mAllowFds) {
return FDS_NOT_ALLOWED;
}
switch (rpcFields->mSession->getFileDescriptorTransportMode()) {
case RpcSession::FileDescriptorTransportMode::NONE: {
return FDS_NOT_ALLOWED;
}
case RpcSession::FileDescriptorTransportMode::UNIX:
case RpcSession::FileDescriptorTransportMode::TRUSTY: {
if (rpcFields->mFds == nullptr) {
rpcFields->mFds = std::make_unique<decltype(rpcFields->mFds)::element_type>();
}
size_t dataPos = mDataPos;
if (dataPos > UINT32_MAX) {
return NO_MEMORY;
}
if (status_t err = writeInt32(RpcFields::TYPE_NATIVE_FILE_DESCRIPTOR); err != OK) {
return err;
}
if (status_t err = writeInt32(rpcFields->mFds->size()); err != OK) {
return err;
}
rpcFields->mObjectPositions.push_back(dataPos);
rpcFields->mFds->push_back(std::move(fdVariant));
return OK;
}
}
}
#ifdef BINDER_WITH_KERNEL_IPC
flat_binder_object obj;
obj.hdr.type = BINDER_TYPE_FD;
obj.flags = 0;
obj.binder = 0; /* Don't pass uninitialized stack data to a remote process */
obj.handle = fd;
obj.cookie = takeOwnership ? 1 : 0;
return writeObject(obj, true);
#else // BINDER_WITH_KERNEL_IPC
LOG_ALWAYS_FATAL("Binder kernel driver disabled at build time");
(void)fd;
(void)takeOwnership;
return INVALID_OPERATION;
#endif // BINDER_WITH_KERNEL_IPC
}
status_t Parcel::writeDupFileDescriptor(int fd)
{
int dupFd;
if (status_t err = binder::os::dupFileDescriptor(fd, &dupFd); err != OK) {
return err;
}
status_t err = writeFileDescriptor(dupFd, true /*takeOwnership*/);
if (err != OK) {
close(dupFd);
}
return err;
}
status_t Parcel::writeParcelFileDescriptor(int fd, bool takeOwnership)
{
writeInt32(0);
return writeFileDescriptor(fd, takeOwnership);
}
status_t Parcel::writeDupParcelFileDescriptor(int fd)
{
int dupFd;
if (status_t err = binder::os::dupFileDescriptor(fd, &dupFd); err != OK) {
return err;
}
status_t err = writeParcelFileDescriptor(dupFd, true /*takeOwnership*/);
if (err != OK) {
close(dupFd);
}
return err;
}
status_t Parcel::writeUniqueFileDescriptor(const unique_fd& fd) {
return writeDupFileDescriptor(fd.get());
}
status_t Parcel::writeBlob(size_t len, bool mutableCopy, WritableBlob* outBlob)
{
#ifdef BINDER_DISABLE_BLOB
(void)len;
(void)mutableCopy;
(void)outBlob;
return INVALID_OPERATION;
#else
if (len > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
status_t status;
if (!mAllowFds || len <= BLOB_INPLACE_LIMIT) {
ALOGV("writeBlob: write in place");
status = writeInt32(BLOB_INPLACE);
if (status) return status;
void* ptr = writeInplace(len);
if (!ptr) return NO_MEMORY;
outBlob->init(-1, ptr, len, false);
return NO_ERROR;
}
ALOGV("writeBlob: write to ashmem");
int fd = ashmem_create_region("Parcel Blob", len);
if (fd < 0) return NO_MEMORY;
int result = ashmem_set_prot_region(fd, PROT_READ | PROT_WRITE);
if (result < 0) {
status = result;
} else {
void* ptr = ::mmap(nullptr, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
if (ptr == MAP_FAILED) {
status = -errno;
} else {
if (!mutableCopy) {
result = ashmem_set_prot_region(fd, PROT_READ);
}
if (result < 0) {
status = result;
} else {
status = writeInt32(mutableCopy ? BLOB_ASHMEM_MUTABLE : BLOB_ASHMEM_IMMUTABLE);
if (!status) {
status = writeFileDescriptor(fd, true /*takeOwnership*/);
if (!status) {
outBlob->init(fd, ptr, len, mutableCopy);
return NO_ERROR;
}
}
}
}
::munmap(ptr, len);
}
::close(fd);
return status;
#endif
}
status_t Parcel::writeDupImmutableBlobFileDescriptor(int fd)
{
// Must match up with what's done in writeBlob.
if (!mAllowFds) return FDS_NOT_ALLOWED;
status_t status = writeInt32(BLOB_ASHMEM_IMMUTABLE);
if (status) return status;
return writeDupFileDescriptor(fd);
}
status_t Parcel::write(const FlattenableHelperInterface& val)
{
status_t err;
// size if needed
const size_t len = val.getFlattenedSize();
const size_t fd_count = val.getFdCount();
if ((len > INT32_MAX) || (fd_count > kMaxFds)) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
err = this->writeInt32(len);
if (err) return err;
err = this->writeInt32(fd_count);
if (err) return err;
// payload
void* const buf = this->writeInplace(len);
if (buf == nullptr)
return BAD_VALUE;
int* fds = nullptr;
if (fd_count) {
fds = new (std::nothrow) int[fd_count];
if (fds == nullptr) {
ALOGE("write: failed to allocate requested %zu fds", fd_count);
return BAD_VALUE;
}
}
err = val.flatten(buf, len, fds, fd_count);
for (size_t i=0 ; i<fd_count && err==NO_ERROR ; i++) {
err = this->writeDupFileDescriptor( fds[i] );
}
if (fd_count) {
delete [] fds;
}
return err;
}
status_t Parcel::writeObject(const flat_binder_object& val, bool nullMetaData)
{
auto* kernelFields = maybeKernelFields();
LOG_ALWAYS_FATAL_IF(kernelFields == nullptr, "Can't write flat_binder_object to RPC Parcel");
#ifdef BINDER_WITH_KERNEL_IPC
const bool enoughData = (mDataPos+sizeof(val)) <= mDataCapacity;
const bool enoughObjects = kernelFields->mObjectsSize < kernelFields->mObjectsCapacity;
if (enoughData && enoughObjects) {
restart_write:
*reinterpret_cast<flat_binder_object*>(mData+mDataPos) = val;
// remember if it's a file descriptor
if (val.hdr.type == BINDER_TYPE_FD) {
if (!mAllowFds) {
// fail before modifying our object index
return FDS_NOT_ALLOWED;
}
kernelFields->mHasFds = kernelFields->mFdsKnown = true;
}
// Need to write meta-data?
if (nullMetaData || val.binder != 0) {
kernelFields->mObjects[kernelFields->mObjectsSize] = mDataPos;
acquire_object(ProcessState::self(), val, this);
kernelFields->mObjectsSize++;
}
return finishWrite(sizeof(flat_binder_object));
}
if (!enoughData) {
const status_t err = growData(sizeof(val));
if (err != NO_ERROR) return err;
}
if (!enoughObjects) {
if (kernelFields->mObjectsSize > SIZE_MAX - 2) return NO_MEMORY; // overflow
if ((kernelFields->mObjectsSize + 2) > SIZE_MAX / 3) return NO_MEMORY; // overflow
size_t newSize = ((kernelFields->mObjectsSize + 2) * 3) / 2;
if (newSize > SIZE_MAX / sizeof(binder_size_t)) return NO_MEMORY; // overflow
binder_size_t* objects =
(binder_size_t*)realloc(kernelFields->mObjects, newSize * sizeof(binder_size_t));
if (objects == nullptr) return NO_MEMORY;
kernelFields->mObjects = objects;
kernelFields->mObjectsCapacity = newSize;
}
goto restart_write;
#else // BINDER_WITH_KERNEL_IPC
LOG_ALWAYS_FATAL("Binder kernel driver disabled at build time");
(void)val;
(void)nullMetaData;
return INVALID_OPERATION;
#endif // BINDER_WITH_KERNEL_IPC
}
status_t Parcel::writeNoException()
{
binder::Status status;
return status.writeToParcel(this);
}
status_t Parcel::validateReadData(size_t upperBound) const
{
const auto* kernelFields = maybeKernelFields();
if (kernelFields == nullptr) {
// Can't validate RPC Parcel reads because the location of binder
// objects is unknown.
return OK;
}
#ifdef BINDER_WITH_KERNEL_IPC
// Don't allow non-object reads on object data
if (kernelFields->mObjectsSorted || kernelFields->mObjectsSize <= 1) {
data_sorted:
// Expect to check only against the next object
if (kernelFields->mNextObjectHint < kernelFields->mObjectsSize &&
upperBound > kernelFields->mObjects[kernelFields->mNextObjectHint]) {
// For some reason the current read position is greater than the next object
// hint. Iterate until we find the right object
size_t nextObject = kernelFields->mNextObjectHint;
do {
if (mDataPos < kernelFields->mObjects[nextObject] + sizeof(flat_binder_object)) {
// Requested info overlaps with an object
if (!mServiceFuzzing) {
ALOGE("Attempt to read from protected data in Parcel %p", this);
}
return PERMISSION_DENIED;
}
nextObject++;
} while (nextObject < kernelFields->mObjectsSize &&
upperBound > kernelFields->mObjects[nextObject]);
kernelFields->mNextObjectHint = nextObject;
}
return NO_ERROR;
}
// Quickly determine if mObjects is sorted.
binder_size_t* currObj = kernelFields->mObjects + kernelFields->mObjectsSize - 1;
binder_size_t* prevObj = currObj;
while (currObj > kernelFields->mObjects) {
prevObj--;
if(*prevObj > *currObj) {
goto data_unsorted;
}
currObj--;
}
kernelFields->mObjectsSorted = true;
goto data_sorted;
data_unsorted:
// Insertion Sort mObjects
// Great for mostly sorted lists. If randomly sorted or reverse ordered mObjects become common,
// switch to std::sort(mObjects, mObjects + mObjectsSize);
for (binder_size_t* iter0 = kernelFields->mObjects + 1;
iter0 < kernelFields->mObjects + kernelFields->mObjectsSize; iter0++) {
binder_size_t temp = *iter0;
binder_size_t* iter1 = iter0 - 1;
while (iter1 >= kernelFields->mObjects && *iter1 > temp) {
*(iter1 + 1) = *iter1;
iter1--;
}
*(iter1 + 1) = temp;
}
kernelFields->mNextObjectHint = 0;
kernelFields->mObjectsSorted = true;
goto data_sorted;
#else // BINDER_WITH_KERNEL_IPC
(void)upperBound;
return NO_ERROR;
#endif // BINDER_WITH_KERNEL_IPC
}
status_t Parcel::read(void* outData, size_t len) const
{
if (len > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
if ((mDataPos+pad_size(len)) >= mDataPos && (mDataPos+pad_size(len)) <= mDataSize
&& len <= pad_size(len)) {
const auto* kernelFields = maybeKernelFields();
if (kernelFields != nullptr && kernelFields->mObjectsSize > 0) {
status_t err = validateReadData(mDataPos + pad_size(len));
if(err != NO_ERROR) {
// Still increment the data position by the expected length
mDataPos += pad_size(len);
ALOGV("read Setting data pos of %p to %zu", this, mDataPos);
return err;
}
}
memcpy(outData, mData+mDataPos, len);
mDataPos += pad_size(len);
ALOGV("read Setting data pos of %p to %zu", this, mDataPos);
return NO_ERROR;
}
return NOT_ENOUGH_DATA;
}
const void* Parcel::readInplace(size_t len) const
{
if (len > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return nullptr;
}
if ((mDataPos+pad_size(len)) >= mDataPos && (mDataPos+pad_size(len)) <= mDataSize
&& len <= pad_size(len)) {
const auto* kernelFields = maybeKernelFields();
if (kernelFields != nullptr && kernelFields->mObjectsSize > 0) {
status_t err = validateReadData(mDataPos + pad_size(len));
if(err != NO_ERROR) {
// Still increment the data position by the expected length
mDataPos += pad_size(len);
ALOGV("readInplace Setting data pos of %p to %zu", this, mDataPos);
return nullptr;
}
}
const void* data = mData+mDataPos;
mDataPos += pad_size(len);
ALOGV("readInplace Setting data pos of %p to %zu", this, mDataPos);
return data;
}
return nullptr;
}
status_t Parcel::readOutVectorSizeWithCheck(size_t elmSize, int32_t* size) const {
if (status_t status = readInt32(size); status != OK) return status;
if (*size < 0) return OK; // may be null, client to handle
LOG_ALWAYS_FATAL_IF(elmSize > INT32_MAX, "Cannot have element as big as %zu", elmSize);
// approximation, can't know max element size (e.g. if it makes heap
// allocations)
static_assert(sizeof(int) == sizeof(int32_t), "Android is LP64");
int32_t allocationSize;
if (__builtin_smul_overflow(elmSize, *size, &allocationSize)) return NO_MEMORY;
// High limit of 1MB since something this big could never be returned. Could
// probably scope this down, but might impact very specific usecases.
constexpr int32_t kMaxAllocationSize = 1 * 1000 * 1000;
if (allocationSize >= kMaxAllocationSize) {
return NO_MEMORY;
}
return OK;
}
template<class T>
status_t Parcel::readAligned(T *pArg) const {
static_assert(PAD_SIZE_UNSAFE(sizeof(T)) == sizeof(T));
static_assert(std::is_trivially_copyable_v<T>);
if ((mDataPos+sizeof(T)) <= mDataSize) {
const auto* kernelFields = maybeKernelFields();
if (kernelFields != nullptr && kernelFields->mObjectsSize > 0) {
status_t err = validateReadData(mDataPos + sizeof(T));
if(err != NO_ERROR) {
// Still increment the data position by the expected length
mDataPos += sizeof(T);
return err;
}
}
memcpy(pArg, mData + mDataPos, sizeof(T));
mDataPos += sizeof(T);
return NO_ERROR;
} else {
return NOT_ENOUGH_DATA;
}
}
template<class T>
T Parcel::readAligned() const {
T result;
if (readAligned(&result) != NO_ERROR) {
result = 0;
}
return result;
}
template<class T>
status_t Parcel::writeAligned(T val) {
static_assert(PAD_SIZE_UNSAFE(sizeof(T)) == sizeof(T));
static_assert(std::is_trivially_copyable_v<T>);
if ((mDataPos+sizeof(val)) <= mDataCapacity) {
restart_write:
memcpy(mData + mDataPos, &val, sizeof(val));
return finishWrite(sizeof(val));
}
status_t err = growData(sizeof(val));
if (err == NO_ERROR) goto restart_write;
return err;
}
status_t Parcel::readInt32(int32_t *pArg) const
{
return readAligned(pArg);
}
int32_t Parcel::readInt32() const
{
return readAligned<int32_t>();
}
status_t Parcel::readUint32(uint32_t *pArg) const
{
return readAligned(pArg);
}
uint32_t Parcel::readUint32() const
{
return readAligned<uint32_t>();
}
status_t Parcel::readInt64(int64_t *pArg) const
{
return readAligned(pArg);
}
int64_t Parcel::readInt64() const
{
return readAligned<int64_t>();
}
status_t Parcel::readUint64(uint64_t *pArg) const
{
return readAligned(pArg);
}
uint64_t Parcel::readUint64() const
{
return readAligned<uint64_t>();
}
status_t Parcel::readPointer(uintptr_t *pArg) const
{
status_t ret;
binder_uintptr_t ptr;
ret = readAligned(&ptr);
if (!ret)
*pArg = ptr;
return ret;
}
uintptr_t Parcel::readPointer() const
{
return readAligned<binder_uintptr_t>();
}
status_t Parcel::readFloat(float *pArg) const
{
return readAligned(pArg);
}
float Parcel::readFloat() const
{
return readAligned<float>();
}
#if defined(__mips__) && defined(__mips_hard_float)
status_t Parcel::readDouble(double *pArg) const
{
union {
double d;
unsigned long long ll;
} u;
u.d = 0;
status_t status;
status = readAligned(&u.ll);
*pArg = u.d;
return status;
}
double Parcel::readDouble() const
{
union {
double d;
unsigned long long ll;
} u;
u.ll = readAligned<unsigned long long>();
return u.d;
}
#else
status_t Parcel::readDouble(double *pArg) const
{
return readAligned(pArg);
}
double Parcel::readDouble() const
{
return readAligned<double>();
}
#endif
status_t Parcel::readBool(bool *pArg) const
{
int32_t tmp = 0;
status_t ret = readInt32(&tmp);
*pArg = (tmp != 0);
return ret;
}
bool Parcel::readBool() const
{
return readInt32() != 0;
}
status_t Parcel::readChar(char16_t *pArg) const
{
int32_t tmp = 0;
status_t ret = readInt32(&tmp);
*pArg = char16_t(tmp);
return ret;
}
char16_t Parcel::readChar() const
{
return char16_t(readInt32());
}
status_t Parcel::readByte(int8_t *pArg) const
{
int32_t tmp = 0;
status_t ret = readInt32(&tmp);
*pArg = int8_t(tmp);
return ret;
}
int8_t Parcel::readByte() const
{
return int8_t(readInt32());
}
status_t Parcel::readUtf8FromUtf16(std::string* str) const {
size_t utf16Size = 0;
const char16_t* src = readString16Inplace(&utf16Size);
if (!src) {
return UNEXPECTED_NULL;
}
// Save ourselves the trouble, we're done.
if (utf16Size == 0u) {
str->clear();
return NO_ERROR;
}
// Allow for closing '\0'
ssize_t utf8Size = utf16_to_utf8_length(src, utf16Size) + 1;
if (utf8Size < 1) {
return BAD_VALUE;
}
// Note that while it is probably safe to assume string::resize keeps a
// spare byte around for the trailing null, we still pass the size including the trailing null
str->resize(utf8Size);
utf16_to_utf8(src, utf16Size, &((*str)[0]), utf8Size);
str->resize(utf8Size - 1);
return NO_ERROR;
}
const char* Parcel::readCString() const
{
if (mDataPos < mDataSize) {
const size_t avail = mDataSize-mDataPos;
const char* str = reinterpret_cast<const char*>(mData+mDataPos);
// is the string's trailing NUL within the parcel's valid bounds?
const char* eos = reinterpret_cast<const char*>(memchr(str, 0, avail));
if (eos) {
const size_t len = eos - str;
mDataPos += pad_size(len+1);
ALOGV("readCString Setting data pos of %p to %zu", this, mDataPos);
return str;
}
}
return nullptr;
}
String8 Parcel::readString8() const
{
size_t len;
const char* str = readString8Inplace(&len);
if (str) return String8(str, len);
if (!mServiceFuzzing) {
ALOGE("Reading a NULL string not supported here.");
}
return String8();
}
status_t Parcel::readString8(String8* pArg) const
{
size_t len;
const char* str = readString8Inplace(&len);
if (str) {
pArg->setTo(str, len);
return 0;
} else {
*pArg = String8();
return UNEXPECTED_NULL;
}
}
const char* Parcel::readString8Inplace(size_t* outLen) const
{
int32_t size = readInt32();
// watch for potential int overflow from size+1
if (size >= 0 && size < INT32_MAX) {
*outLen = size;
const char* str = (const char*)readInplace(size+1);
if (str != nullptr) {
if (str[size] == '\0') {
return str;
}
android_errorWriteLog(0x534e4554, "172655291");
}
}
*outLen = 0;
return nullptr;
}
String16 Parcel::readString16() const
{
size_t len;
const char16_t* str = readString16Inplace(&len);
if (str) return String16(str, len);
if (!mServiceFuzzing) {
ALOGE("Reading a NULL string not supported here.");
}
return String16();
}
status_t Parcel::readString16(String16* pArg) const
{
size_t len;
const char16_t* str = readString16Inplace(&len);
if (str) {
pArg->setTo(str, len);
return 0;
} else {
*pArg = String16();
return UNEXPECTED_NULL;
}
}
const char16_t* Parcel::readString16Inplace(size_t* outLen) const
{
int32_t size = readInt32();
// watch for potential int overflow from size+1
if (size >= 0 && size < INT32_MAX) {
*outLen = size;
const char16_t* str = (const char16_t*)readInplace((size+1)*sizeof(char16_t));
if (str != nullptr) {
if (str[size] == u'\0') {
return str;
}
android_errorWriteLog(0x534e4554, "172655291");
}
}
*outLen = 0;
return nullptr;
}
status_t Parcel::readStrongBinder(sp<IBinder>* val) const
{
status_t status = readNullableStrongBinder(val);
if (status == OK && !val->get()) {
if (!mServiceFuzzing) {
ALOGW("Expecting binder but got null!");
}
status = UNEXPECTED_NULL;
}
return status;
}
status_t Parcel::readNullableStrongBinder(sp<IBinder>* val) const
{
return unflattenBinder(val);
}
sp<IBinder> Parcel::readStrongBinder() const
{
sp<IBinder> val;
// Note that a lot of code in Android reads binders by hand with this
// method, and that code has historically been ok with getting nullptr
// back (while ignoring error codes).
readNullableStrongBinder(&val);
return val;
}
int32_t Parcel::readExceptionCode() const
{
binder::Status status;
status.readFromParcel(*this);
return status.exceptionCode();
}
#ifndef BINDER_DISABLE_NATIVE_HANDLE
native_handle* Parcel::readNativeHandle() const
{
int numFds, numInts;
status_t err;
err = readInt32(&numFds);
if (err != NO_ERROR) return nullptr;
err = readInt32(&numInts);
if (err != NO_ERROR) return nullptr;
native_handle* h = native_handle_create(numFds, numInts);
if (!h) {
return nullptr;
}
for (int i=0 ; err==NO_ERROR && i<numFds ; i++) {
h->data[i] = fcntl(readFileDescriptor(), F_DUPFD_CLOEXEC, 0);
if (h->data[i] < 0) {
for (int j = 0; j < i; j++) {
close(h->data[j]);
}
native_handle_delete(h);
return nullptr;
}
}
err = read(h->data + numFds, sizeof(int)*numInts);
if (err != NO_ERROR) {
native_handle_close(h);
native_handle_delete(h);
h = nullptr;
}
return h;
}
#endif
int Parcel::readFileDescriptor() const {
if (const auto* rpcFields = maybeRpcFields()) {
if (!std::binary_search(rpcFields->mObjectPositions.begin(),
rpcFields->mObjectPositions.end(), mDataPos)) {
if (!mServiceFuzzing) {
ALOGW("Attempt to read file descriptor from Parcel %p at offset %zu that is not in "
"the object list",
this, mDataPos);
}
return BAD_TYPE;
}
int32_t objectType = readInt32();
if (objectType != RpcFields::TYPE_NATIVE_FILE_DESCRIPTOR) {
return BAD_TYPE;
}
int32_t fdIndex = readInt32();
if (rpcFields->mFds == nullptr || fdIndex < 0 ||
static_cast<size_t>(fdIndex) >= rpcFields->mFds->size()) {
ALOGE("RPC Parcel contains invalid file descriptor index. index=%d fd_count=%zu",
fdIndex, rpcFields->mFds ? rpcFields->mFds->size() : 0);
return BAD_VALUE;
}
return toRawFd(rpcFields->mFds->at(fdIndex));
}
#ifdef BINDER_WITH_KERNEL_IPC
const flat_binder_object* flat = readObject(true);
if (flat && flat->hdr.type == BINDER_TYPE_FD) {
return flat->handle;
}
return BAD_TYPE;
#else // BINDER_WITH_KERNEL_IPC
LOG_ALWAYS_FATAL("Binder kernel driver disabled at build time");
return INVALID_OPERATION;
#endif // BINDER_WITH_KERNEL_IPC
}
int Parcel::readParcelFileDescriptor() const {
int32_t hasComm = readInt32();
int fd = readFileDescriptor();
if (hasComm != 0) {
// detach (owned by the binder driver)
int comm = readFileDescriptor();
// warning: this must be kept in sync with:
// frameworks/base/core/java/android/os/ParcelFileDescriptor.java
enum ParcelFileDescriptorStatus {
DETACHED = 2,
};
#if BYTE_ORDER == BIG_ENDIAN
const int32_t message = ParcelFileDescriptorStatus::DETACHED;
#endif
#if BYTE_ORDER == LITTLE_ENDIAN
const int32_t message = __builtin_bswap32(ParcelFileDescriptorStatus::DETACHED);
#endif
ssize_t written = TEMP_FAILURE_RETRY(
::write(comm, &message, sizeof(message)));
if (written != sizeof(message)) {
ALOGW("Failed to detach ParcelFileDescriptor written: %zd err: %s",
written, strerror(errno));
return BAD_TYPE;
}
}
return fd;
}
status_t Parcel::readUniqueFileDescriptor(unique_fd* val) const {
int got = readFileDescriptor();
if (got == BAD_TYPE) {
return BAD_TYPE;
}
int dupFd;
if (status_t err = binder::os::dupFileDescriptor(got, &dupFd); err != OK) {
return BAD_VALUE;
}
val->reset(dupFd);
if (val->get() < 0) {
return BAD_VALUE;
}
return OK;
}
status_t Parcel::readUniqueParcelFileDescriptor(unique_fd* val) const {
int got = readParcelFileDescriptor();
if (got == BAD_TYPE) {
return BAD_TYPE;
}
int dupFd;
if (status_t err = binder::os::dupFileDescriptor(got, &dupFd); err != OK) {
return BAD_VALUE;
}
val->reset(dupFd);
if (val->get() < 0) {
return BAD_VALUE;
}
return OK;
}
status_t Parcel::readBlob(size_t len, ReadableBlob* outBlob) const
{
#ifdef BINDER_DISABLE_BLOB
(void)len;
(void)outBlob;
return INVALID_OPERATION;
#else
int32_t blobType;
status_t status = readInt32(&blobType);
if (status) return status;
if (blobType == BLOB_INPLACE) {
ALOGV("readBlob: read in place");
const void* ptr = readInplace(len);
if (!ptr) return BAD_VALUE;
outBlob->init(-1, const_cast<void*>(ptr), len, false);
return NO_ERROR;
}
ALOGV("readBlob: read from ashmem");
bool isMutable = (blobType == BLOB_ASHMEM_MUTABLE);
int fd = readFileDescriptor();
if (fd == int(BAD_TYPE)) return BAD_VALUE;
if (!ashmem_valid(fd)) {
ALOGE("invalid fd");
return BAD_VALUE;
}
int size = ashmem_get_size_region(fd);
if (size < 0 || size_t(size) < len) {
ALOGE("request size %zu does not match fd size %d", len, size);
return BAD_VALUE;
}
void* ptr = ::mmap(nullptr, len, isMutable ? PROT_READ | PROT_WRITE : PROT_READ,
MAP_SHARED, fd, 0);
if (ptr == MAP_FAILED) return NO_MEMORY;
outBlob->init(fd, ptr, len, isMutable);
return NO_ERROR;
#endif
}
status_t Parcel::read(FlattenableHelperInterface& val) const
{
// size
const size_t len = this->readInt32();
const size_t fd_count = this->readInt32();
if ((len > INT32_MAX) || (fd_count > kMaxFds)) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
// payload
void const* const buf = this->readInplace(pad_size(len));
if (buf == nullptr)
return BAD_VALUE;
int* fds = nullptr;
if (fd_count) {
fds = new (std::nothrow) int[fd_count];
if (fds == nullptr) {
ALOGE("read: failed to allocate requested %zu fds", fd_count);
return BAD_VALUE;
}
}
status_t err = NO_ERROR;
for (size_t i=0 ; i<fd_count && err==NO_ERROR ; i++) {
int fd = this->readFileDescriptor();
if (fd < 0 || ((fds[i] = fcntl(fd, F_DUPFD_CLOEXEC, 0)) < 0)) {
err = BAD_VALUE;
ALOGE("fcntl(F_DUPFD_CLOEXEC) failed in Parcel::read, i is %zu, fds[i] is %d, fd_count is %zu, error: %s",
i, fds[i], fd_count, strerror(fd < 0 ? -fd : errno));
// Close all the file descriptors that were dup-ed.
for (size_t j=0; j<i ;j++) {
close(fds[j]);
}
}
}
if (err == NO_ERROR) {
err = val.unflatten(buf, len, fds, fd_count);
}
if (fd_count) {
delete [] fds;
}
return err;
}
#ifdef BINDER_WITH_KERNEL_IPC
const flat_binder_object* Parcel::readObject(bool nullMetaData) const
{
const auto* kernelFields = maybeKernelFields();
if (kernelFields == nullptr) {
return nullptr;
}
const size_t DPOS = mDataPos;
if ((DPOS+sizeof(flat_binder_object)) <= mDataSize) {
const flat_binder_object* obj
= reinterpret_cast<const flat_binder_object*>(mData+DPOS);
mDataPos = DPOS + sizeof(flat_binder_object);
if (!nullMetaData && (obj->cookie == 0 && obj->binder == 0)) {
// When transferring a NULL object, we don't write it into
// the object list, so we don't want to check for it when
// reading.
ALOGV("readObject Setting data pos of %p to %zu", this, mDataPos);
return obj;
}
// Ensure that this object is valid...
binder_size_t* const OBJS = kernelFields->mObjects;
const size_t N = kernelFields->mObjectsSize;
size_t opos = kernelFields->mNextObjectHint;
if (N > 0) {
ALOGV("Parcel %p looking for obj at %zu, hint=%zu",
this, DPOS, opos);
// Start at the current hint position, looking for an object at
// the current data position.
if (opos < N) {
while (opos < (N-1) && OBJS[opos] < DPOS) {
opos++;
}
} else {
opos = N-1;
}
if (OBJS[opos] == DPOS) {
// Found it!
ALOGV("Parcel %p found obj %zu at index %zu with forward search",
this, DPOS, opos);
kernelFields->mNextObjectHint = opos + 1;
ALOGV("readObject Setting data pos of %p to %zu", this, mDataPos);
return obj;
}
// Look backwards for it...
while (opos > 0 && OBJS[opos] > DPOS) {
opos--;
}
if (OBJS[opos] == DPOS) {
// Found it!
ALOGV("Parcel %p found obj %zu at index %zu with backward search",
this, DPOS, opos);
kernelFields->mNextObjectHint = opos + 1;
ALOGV("readObject Setting data pos of %p to %zu", this, mDataPos);
return obj;
}
}
if (!mServiceFuzzing) {
ALOGW("Attempt to read object from Parcel %p at offset %zu that is not in the object "
"list",
this, DPOS);
}
}
return nullptr;
}
#endif // BINDER_WITH_KERNEL_IPC
void Parcel::closeFileDescriptors() {
if (auto* kernelFields = maybeKernelFields()) {
#ifdef BINDER_WITH_KERNEL_IPC
size_t i = kernelFields->mObjectsSize;
if (i > 0) {
// ALOGI("Closing file descriptors for %zu objects...", i);
}
while (i > 0) {
i--;
const flat_binder_object* flat =
reinterpret_cast<flat_binder_object*>(mData + kernelFields->mObjects[i]);
if (flat->hdr.type == BINDER_TYPE_FD) {
// ALOGI("Closing fd: %ld", flat->handle);
// FDs from the kernel are always owned
FdTagClose(flat->handle, this);
}
}
#else // BINDER_WITH_KERNEL_IPC
LOG_ALWAYS_FATAL("Binder kernel driver disabled at build time");
#endif // BINDER_WITH_KERNEL_IPC
} else if (auto* rpcFields = maybeRpcFields()) {
rpcFields->mFds.reset();
}
}
uintptr_t Parcel::ipcData() const
{
return reinterpret_cast<uintptr_t>(mData);
}
size_t Parcel::ipcDataSize() const
{
return (mDataSize > mDataPos ? mDataSize : mDataPos);
}
uintptr_t Parcel::ipcObjects() const
{
if (const auto* kernelFields = maybeKernelFields()) {
return reinterpret_cast<uintptr_t>(kernelFields->mObjects);
}
return 0;
}
size_t Parcel::ipcObjectsCount() const
{
if (const auto* kernelFields = maybeKernelFields()) {
return kernelFields->mObjectsSize;
}
return 0;
}
void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize, const binder_size_t* objects,
size_t objectsCount, release_func relFunc) {
// this code uses 'mOwner == nullptr' to understand whether it owns memory
LOG_ALWAYS_FATAL_IF(relFunc == nullptr, "must provide cleanup function");
freeData();
auto* kernelFields = maybeKernelFields();
LOG_ALWAYS_FATAL_IF(kernelFields == nullptr); // guaranteed by freeData.
mData = const_cast<uint8_t*>(data);
mDataSize = mDataCapacity = dataSize;
kernelFields->mObjects = const_cast<binder_size_t*>(objects);
kernelFields->mObjectsSize = kernelFields->mObjectsCapacity = objectsCount;
mOwner = relFunc;
#ifdef BINDER_WITH_KERNEL_IPC
binder_size_t minOffset = 0;
for (size_t i = 0; i < kernelFields->mObjectsSize; i++) {
binder_size_t offset = kernelFields->mObjects[i];
if (offset < minOffset) {
ALOGE("%s: bad object offset %" PRIu64 " < %" PRIu64 "\n",
__func__, (uint64_t)offset, (uint64_t)minOffset);
kernelFields->mObjectsSize = 0;
break;
}
const flat_binder_object* flat
= reinterpret_cast<const flat_binder_object*>(mData + offset);
uint32_t type = flat->hdr.type;
if (!(type == BINDER_TYPE_BINDER || type == BINDER_TYPE_HANDLE ||
type == BINDER_TYPE_FD)) {
// We should never receive other types (eg BINDER_TYPE_FDA) as long as we don't support
// them in libbinder. If we do receive them, it probably means a kernel bug; try to
// recover gracefully by clearing out the objects.
android_errorWriteLog(0x534e4554, "135930648");
android_errorWriteLog(0x534e4554, "203847542");
ALOGE("%s: unsupported type object (%" PRIu32 ") at offset %" PRIu64 "\n",
__func__, type, (uint64_t)offset);
// WARNING: callers of ipcSetDataReference need to make sure they
// don't rely on mObjectsSize in their release_func.
kernelFields->mObjectsSize = 0;
break;
}
if (type == BINDER_TYPE_FD) {
// FDs from the kernel are always owned
FdTag(flat->handle, 0, this);
}
minOffset = offset + sizeof(flat_binder_object);
}
scanForFds();
#else // BINDER_WITH_KERNEL_IPC
LOG_ALWAYS_FATAL_IF(objectsCount != 0,
"Non-zero objects count passed to Parcel with kernel driver disabled");
#endif // BINDER_WITH_KERNEL_IPC
}
status_t Parcel::rpcSetDataReference(
const sp<RpcSession>& session, const uint8_t* data, size_t dataSize,
const uint32_t* objectTable, size_t objectTableSize,
std::vector<std::variant<unique_fd, borrowed_fd>>&& ancillaryFds, release_func relFunc) {
// this code uses 'mOwner == nullptr' to understand whether it owns memory
LOG_ALWAYS_FATAL_IF(relFunc == nullptr, "must provide cleanup function");
LOG_ALWAYS_FATAL_IF(session == nullptr);
if (objectTableSize != ancillaryFds.size()) {
ALOGE("objectTableSize=%zu ancillaryFds.size=%zu", objectTableSize, ancillaryFds.size());
relFunc(data, dataSize, nullptr, 0);
return BAD_VALUE;
}
for (size_t i = 0; i < objectTableSize; i++) {
uint32_t minObjectEnd;
if (__builtin_add_overflow(objectTable[i], sizeof(RpcFields::ObjectType), &minObjectEnd) ||
minObjectEnd >= dataSize) {
ALOGE("received out of range object position: %" PRIu32 " (parcel size is %zu)",
objectTable[i], dataSize);
relFunc(data, dataSize, nullptr, 0);
return BAD_VALUE;
}
}
freeData();
markForRpc(session);
auto* rpcFields = maybeRpcFields();
LOG_ALWAYS_FATAL_IF(rpcFields == nullptr); // guaranteed by markForRpc.
mData = const_cast<uint8_t*>(data);
mDataSize = mDataCapacity = dataSize;
mOwner = relFunc;
rpcFields->mObjectPositions.reserve(objectTableSize);
for (size_t i = 0; i < objectTableSize; i++) {
rpcFields->mObjectPositions.push_back(objectTable[i]);
}
if (!ancillaryFds.empty()) {
rpcFields->mFds = std::make_unique<decltype(rpcFields->mFds)::element_type>();
*rpcFields->mFds = std::move(ancillaryFds);
}
return OK;
}
void Parcel::print(std::ostream& to, uint32_t /*flags*/) const {
to << "Parcel(";
if (errorCheck() != NO_ERROR) {
const status_t err = errorCheck();
to << "Error: " << (void*)(intptr_t)err << " \"" << strerror(-err) << "\"";
} else if (dataSize() > 0) {
const uint8_t* DATA = data();
to << "\t" << HexDump(DATA, dataSize());
#ifdef BINDER_WITH_KERNEL_IPC
if (const auto* kernelFields = maybeKernelFields()) {
const binder_size_t* OBJS = kernelFields->mObjects;
const size_t N = objectsCount();
for (size_t i = 0; i < N; i++) {
const flat_binder_object* flat =
reinterpret_cast<const flat_binder_object*>(DATA + OBJS[i]);
to << "Object #" << i << " @ " << (void*)OBJS[i] << ": "
<< TypeCode(flat->hdr.type & 0x7f7f7f00) << " = " << flat->binder;
}
}
#endif // BINDER_WITH_KERNEL_IPC
} else {
to << "NULL";
}
to << ")";
}
void Parcel::releaseObjects()
{
auto* kernelFields = maybeKernelFields();
if (kernelFields == nullptr) {
return;
}
#ifdef BINDER_WITH_KERNEL_IPC
size_t i = kernelFields->mObjectsSize;
if (i == 0) {
return;
}
sp<ProcessState> proc(ProcessState::self());
uint8_t* const data = mData;
binder_size_t* const objects = kernelFields->mObjects;
while (i > 0) {
i--;
const flat_binder_object* flat = reinterpret_cast<flat_binder_object*>(data + objects[i]);
release_object(proc, *flat, this);
}
#endif // BINDER_WITH_KERNEL_IPC
}
void Parcel::acquireObjects()
{
auto* kernelFields = maybeKernelFields();
if (kernelFields == nullptr) {
return;
}
#ifdef BINDER_WITH_KERNEL_IPC
size_t i = kernelFields->mObjectsSize;
if (i == 0) {
return;
}
const sp<ProcessState> proc(ProcessState::self());
uint8_t* const data = mData;
binder_size_t* const objects = kernelFields->mObjects;
while (i > 0) {
i--;
const flat_binder_object* flat = reinterpret_cast<flat_binder_object*>(data + objects[i]);
acquire_object(proc, *flat, this);
}
#endif // BINDER_WITH_KERNEL_IPC
}
void Parcel::freeData()
{
freeDataNoInit();
initState();
}
void Parcel::freeDataNoInit()
{
if (mOwner) {
LOG_ALLOC("Parcel %p: freeing other owner data", this);
//ALOGI("Freeing data ref of %p (pid=%d)", this, getpid());
auto* kernelFields = maybeKernelFields();
// Close FDs before freeing, otherwise they will leak for kernel binder.
closeFileDescriptors();
mOwner(mData, mDataSize, kernelFields ? kernelFields->mObjects : nullptr,
kernelFields ? kernelFields->mObjectsSize : 0);
} else {
LOG_ALLOC("Parcel %p: freeing allocated data", this);
releaseObjects();
if (mData) {
LOG_ALLOC("Parcel %p: freeing with %zu capacity", this, mDataCapacity);
gParcelGlobalAllocSize -= mDataCapacity;
gParcelGlobalAllocCount--;
if (mDeallocZero) {
zeroMemory(mData, mDataSize);
}
free(mData);
}
auto* kernelFields = maybeKernelFields();
if (kernelFields && kernelFields->mObjects) free(kernelFields->mObjects);
}
}
status_t Parcel::growData(size_t len)
{
if (len > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
if (len > SIZE_MAX - mDataSize) return NO_MEMORY; // overflow
if (mDataSize + len > SIZE_MAX / 3) return NO_MEMORY; // overflow
size_t newSize = ((mDataSize+len)*3)/2;
return (newSize <= mDataSize)
? (status_t) NO_MEMORY
: continueWrite(std::max(newSize, (size_t) 128));
}
static uint8_t* reallocZeroFree(uint8_t* data, size_t oldCapacity, size_t newCapacity, bool zero) {
if (!zero) {
return (uint8_t*)realloc(data, newCapacity);
}
uint8_t* newData = (uint8_t*)malloc(newCapacity);
if (!newData) {
return nullptr;
}
memcpy(newData, data, std::min(oldCapacity, newCapacity));
zeroMemory(data, oldCapacity);
free(data);
return newData;
}
status_t Parcel::restartWrite(size_t desired)
{
if (desired > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
if (mOwner) {
freeData();
return continueWrite(desired);
}
uint8_t* data = reallocZeroFree(mData, mDataCapacity, desired, mDeallocZero);
if (!data && desired > mDataCapacity) {
mError = NO_MEMORY;
return NO_MEMORY;
}
releaseObjects();
if (data || desired == 0) {
LOG_ALLOC("Parcel %p: restart from %zu to %zu capacity", this, mDataCapacity, desired);
if (mDataCapacity > desired) {
gParcelGlobalAllocSize -= (mDataCapacity - desired);
} else {
gParcelGlobalAllocSize += (desired - mDataCapacity);
}
if (!mData) {
gParcelGlobalAllocCount++;
}
mData = data;
mDataCapacity = desired;
}
mDataSize = mDataPos = 0;
ALOGV("restartWrite Setting data size of %p to %zu", this, mDataSize);
ALOGV("restartWrite Setting data pos of %p to %zu", this, mDataPos);
if (auto* kernelFields = maybeKernelFields()) {
free(kernelFields->mObjects);
kernelFields->mObjects = nullptr;
kernelFields->mObjectsSize = kernelFields->mObjectsCapacity = 0;
kernelFields->mNextObjectHint = 0;
kernelFields->mObjectsSorted = false;
kernelFields->mHasFds = false;
kernelFields->mFdsKnown = true;
} else if (auto* rpcFields = maybeRpcFields()) {
rpcFields->mObjectPositions.clear();
rpcFields->mFds.reset();
}
mAllowFds = true;
return NO_ERROR;
}
status_t Parcel::continueWrite(size_t desired)
{
if (desired > INT32_MAX) {
// don't accept size_t values which may have come from an
// inadvertent conversion from a negative int.
return BAD_VALUE;
}
auto* kernelFields = maybeKernelFields();
auto* rpcFields = maybeRpcFields();
// If shrinking, first adjust for any objects that appear
// after the new data size.
size_t objectsSize =
kernelFields ? kernelFields->mObjectsSize : rpcFields->mObjectPositions.size();
if (desired < mDataSize) {
if (desired == 0) {
objectsSize = 0;
} else {
if (kernelFields) {
while (objectsSize > 0) {
if (kernelFields->mObjects[objectsSize - 1] < desired) break;
objectsSize--;
}
} else {
while (objectsSize > 0) {
if (rpcFields->mObjectPositions[objectsSize - 1] < desired) break;
objectsSize--;
}
}
}
}
if (mOwner) {
// If the size is going to zero, just release the owner's data.
if (desired == 0) {
freeData();
return NO_ERROR;
}
// If there is a different owner, we need to take
// posession.
uint8_t* data = (uint8_t*)malloc(desired);
if (!data) {
mError = NO_MEMORY;
return NO_MEMORY;
}
binder_size_t* objects = nullptr;
if (kernelFields && objectsSize) {
objects = (binder_size_t*)calloc(objectsSize, sizeof(binder_size_t));
if (!objects) {
free(data);
mError = NO_MEMORY;
return NO_MEMORY;
}
// Little hack to only acquire references on objects
// we will be keeping.
size_t oldObjectsSize = kernelFields->mObjectsSize;
kernelFields->mObjectsSize = objectsSize;
acquireObjects();
kernelFields->mObjectsSize = oldObjectsSize;
}
if (rpcFields) {
if (status_t status = truncateRpcObjects(objectsSize); status != OK) {
free(data);
return status;
}
}
if (mData) {
memcpy(data, mData, mDataSize < desired ? mDataSize : desired);
}
if (objects && kernelFields && kernelFields->mObjects) {
memcpy(objects, kernelFields->mObjects, objectsSize * sizeof(binder_size_t));
}
// ALOGI("Freeing data ref of %p (pid=%d)", this, getpid());
if (kernelFields) {
// TODO(b/239222407): This seems wrong. We should only free FDs when
// they are in a truncated section of the parcel.
closeFileDescriptors();
}
mOwner(mData, mDataSize, kernelFields ? kernelFields->mObjects : nullptr,
kernelFields ? kernelFields->mObjectsSize : 0);
mOwner = nullptr;
LOG_ALLOC("Parcel %p: taking ownership of %zu capacity", this, desired);
gParcelGlobalAllocSize += desired;
gParcelGlobalAllocCount++;
mData = data;
mDataSize = (mDataSize < desired) ? mDataSize : desired;
ALOGV("continueWrite Setting data size of %p to %zu", this, mDataSize);
mDataCapacity = desired;
if (kernelFields) {
kernelFields->mObjects = objects;
kernelFields->mObjectsSize = kernelFields->mObjectsCapacity = objectsSize;
kernelFields->mNextObjectHint = 0;
kernelFields->mObjectsSorted = false;
}
} else if (mData) {
if (kernelFields && objectsSize < kernelFields->mObjectsSize) {
#ifdef BINDER_WITH_KERNEL_IPC
// Need to release refs on any objects we are dropping.
const sp<ProcessState> proc(ProcessState::self());
for (size_t i = objectsSize; i < kernelFields->mObjectsSize; i++) {
const flat_binder_object* flat =
reinterpret_cast<flat_binder_object*>(mData + kernelFields->mObjects[i]);
if (flat->hdr.type == BINDER_TYPE_FD) {
// will need to rescan because we may have lopped off the only FDs
kernelFields->mFdsKnown = false;
}
release_object(proc, *flat, this);
}
if (objectsSize == 0) {
free(kernelFields->mObjects);
kernelFields->mObjects = nullptr;
kernelFields->mObjectsCapacity = 0;
} else {
binder_size_t* objects =
(binder_size_t*)realloc(kernelFields->mObjects,
objectsSize * sizeof(binder_size_t));
if (objects) {
kernelFields->mObjects = objects;
kernelFields->mObjectsCapacity = objectsSize;
}
}
kernelFields->mObjectsSize = objectsSize;
kernelFields->mNextObjectHint = 0;
kernelFields->mObjectsSorted = false;
#else // BINDER_WITH_KERNEL_IPC
LOG_ALWAYS_FATAL("Non-zero numObjects for RPC Parcel");
#endif // BINDER_WITH_KERNEL_IPC
}
if (rpcFields) {
if (status_t status = truncateRpcObjects(objectsSize); status != OK) {
return status;
}
}
// We own the data, so we can just do a realloc().
if (desired > mDataCapacity) {
uint8_t* data = reallocZeroFree(mData, mDataCapacity, desired, mDeallocZero);
if (data) {
LOG_ALLOC("Parcel %p: continue from %zu to %zu capacity", this, mDataCapacity,
desired);
gParcelGlobalAllocSize += desired;
gParcelGlobalAllocSize -= mDataCapacity;
mData = data;
mDataCapacity = desired;
} else {
mError = NO_MEMORY;
return NO_MEMORY;
}
} else {
if (mDataSize > desired) {
mDataSize = desired;
ALOGV("continueWrite Setting data size of %p to %zu", this, mDataSize);
}
if (mDataPos > desired) {
mDataPos = desired;
ALOGV("continueWrite Setting data pos of %p to %zu", this, mDataPos);
}
}
} else {
// This is the first data. Easy!
uint8_t* data = (uint8_t*)malloc(desired);
if (!data) {
mError = NO_MEMORY;
return NO_MEMORY;
}
if (!(mDataCapacity == 0 &&
(kernelFields == nullptr ||
(kernelFields->mObjects == nullptr && kernelFields->mObjectsCapacity == 0)))) {
ALOGE("continueWrite: %zu/%p/%zu/%zu", mDataCapacity,
kernelFields ? kernelFields->mObjects : nullptr,
kernelFields ? kernelFields->mObjectsCapacity : 0, desired);
}
LOG_ALLOC("Parcel %p: allocating with %zu capacity", this, desired);
gParcelGlobalAllocSize += desired;
gParcelGlobalAllocCount++;
mData = data;
mDataSize = mDataPos = 0;
ALOGV("continueWrite Setting data size of %p to %zu", this, mDataSize);
ALOGV("continueWrite Setting data pos of %p to %zu", this, mDataPos);
mDataCapacity = desired;
}
return NO_ERROR;
}
status_t Parcel::truncateRpcObjects(size_t newObjectsSize) {
auto* rpcFields = maybeRpcFields();
if (newObjectsSize == 0) {
rpcFields->mObjectPositions.clear();
if (rpcFields->mFds) {
rpcFields->mFds->clear();
}
return OK;
}
while (rpcFields->mObjectPositions.size() > newObjectsSize) {
uint32_t pos = rpcFields->mObjectPositions.back();
rpcFields->mObjectPositions.pop_back();
const auto type = *reinterpret_cast<const RpcFields::ObjectType*>(mData + pos);
if (type == RpcFields::TYPE_NATIVE_FILE_DESCRIPTOR) {
const auto fdIndex =
*reinterpret_cast<const int32_t*>(mData + pos + sizeof(RpcFields::ObjectType));
if (rpcFields->mFds == nullptr || fdIndex < 0 ||
static_cast<size_t>(fdIndex) >= rpcFields->mFds->size()) {
ALOGE("RPC Parcel contains invalid file descriptor index. index=%d fd_count=%zu",
fdIndex, rpcFields->mFds ? rpcFields->mFds->size() : 0);
return BAD_VALUE;
}
// In practice, this always removes the last element.
rpcFields->mFds->erase(rpcFields->mFds->begin() + fdIndex);
}
}
return OK;
}
void Parcel::initState()
{
LOG_ALLOC("Parcel %p: initState", this);
mError = NO_ERROR;
mData = nullptr;
mDataSize = 0;
mDataCapacity = 0;
mDataPos = 0;
ALOGV("initState Setting data size of %p to %zu", this, mDataSize);
ALOGV("initState Setting data pos of %p to %zu", this, mDataPos);
mVariantFields.emplace<KernelFields>();
mAllowFds = true;
mDeallocZero = false;
mOwner = nullptr;
mEnforceNoDataAvail = true;
mServiceFuzzing = false;
}
void Parcel::scanForFds() const {
auto* kernelFields = maybeKernelFields();
if (kernelFields == nullptr) {
return;
}
status_t status = hasFileDescriptorsInRange(0, dataSize(), &kernelFields->mHasFds);
ALOGE_IF(status != NO_ERROR, "Error %d calling hasFileDescriptorsInRange()", status);
kernelFields->mFdsKnown = true;
}
#ifdef BINDER_WITH_KERNEL_IPC
size_t Parcel::getBlobAshmemSize() const
{
// This used to return the size of all blobs that were written to ashmem, now we're returning
// the ashmem currently referenced by this Parcel, which should be equivalent.
// TODO(b/202029388): Remove method once ABI can be changed.
return getOpenAshmemSize();
}
size_t Parcel::getOpenAshmemSize() const
{
auto* kernelFields = maybeKernelFields();
if (kernelFields == nullptr) {
return 0;
}
size_t openAshmemSize = 0;
#ifndef BINDER_DISABLE_BLOB
for (size_t i = 0; i < kernelFields->mObjectsSize; i++) {
const flat_binder_object* flat =
reinterpret_cast<const flat_binder_object*>(mData + kernelFields->mObjects[i]);
// cookie is compared against zero for historical reasons
// > obj.cookie = takeOwnership ? 1 : 0;
if (flat->hdr.type == BINDER_TYPE_FD && flat->cookie != 0 && ashmem_valid(flat->handle)) {
int size = ashmem_get_size_region(flat->handle);
if (__builtin_add_overflow(openAshmemSize, size, &openAshmemSize)) {
ALOGE("Overflow when computing ashmem size.");
return SIZE_MAX;
}
}
}
#endif
return openAshmemSize;
}
#endif // BINDER_WITH_KERNEL_IPC
// --- Parcel::Blob ---
Parcel::Blob::Blob() :
mFd(-1), mData(nullptr), mSize(0), mMutable(false) {
}
Parcel::Blob::~Blob() {
release();
}
void Parcel::Blob::release() {
if (mFd != -1 && mData) {
::munmap(mData, mSize);
}
clear();
}
void Parcel::Blob::init(int fd, void* data, size_t size, bool isMutable) {
mFd = fd;
mData = data;
mSize = size;
mMutable = isMutable;
}
void Parcel::Blob::clear() {
mFd = -1;
mData = nullptr;
mSize = 0;
mMutable = false;
}
} // namespace android