1 /*
2 * Copyright (C) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "binder_invoker.h"
17
18 #include <chrono>
19 #include <securec.h>
20
21 #include "access_token_adapter.h"
22 #include "backtrace_local.h"
23 #include "binder_debug.h"
24 #include "hilog/log.h"
25 #include "hitrace_invoker.h"
26 #include "ipc_object_proxy.h"
27 #include "ipc_object_stub.h"
28 #include "ipc_process_skeleton.h"
29 #include "ipc_thread_skeleton.h"
30 #include "log_tags.h"
31 #include "string_ex.h"
32 #include "sys_binder.h"
33 #ifdef FFRT_IPC_ENABLE
34 #include "c/ffrt_ipc.h"
35 #endif
36
37 #if defined(__arm__) || defined(__aarch64__)
38 #define TLS_SLOT_MIGRATION_DISABLE_COUNT (-10)
39 class ThreadMigrationDisabler {
GetTls()40 unsigned long *GetTls()
41 {
42 unsigned long *tls = nullptr;
43 #ifdef __aarch64__
44 asm("mrs %0, tpidr_el0" : "=r"(tls));
45 #else
46 asm("mrc p15, 0, %0, c13, c0, 3" : "=r"(tls));
47 #endif
48 return tls;
49 }
50
51 public:
ThreadMigrationDisabler()52 ThreadMigrationDisabler()
53 {
54 GetTls()[TLS_SLOT_MIGRATION_DISABLE_COUNT]++;
55 }
~ThreadMigrationDisabler()56 ~ThreadMigrationDisabler()
57 {
58 GetTls()[TLS_SLOT_MIGRATION_DISABLE_COUNT]--;
59 }
60 };
61 #else
62 class ThreadMigrationDisabler {};
63 #endif
64
65 namespace OHOS {
66 #ifdef CONFIG_IPC_SINGLE
67 namespace IPC_SINGLE {
68 #endif
69
70 #define PIDUID_OFFSET 2
71 using namespace OHOS::HiviewDFX;
72 static constexpr HiviewDFX::HiLogLabel LABEL = { LOG_CORE, LOG_ID_IPC_BINDER_INVOKER, "BinderInvoker" };
73 #ifndef CONFIG_IPC_SINGLE
74 static constexpr pid_t INVALID_PID = -1;
75 static constexpr int32_t BINDER_ALIGN_BYTES = 8;
76 #endif
77
78 enum {
79 GET_SERVICE_TRANSACTION = 0x1,
80 CHECK_SERVICE_TRANSACTION,
81 ADD_SERVICE_TRANSACTION,
82 };
83
BinderInvoker()84 BinderInvoker::BinderInvoker()
85 : isMainWorkThread(false), stopWorkThread(false), callerPid_(getpid()),
86 callerRealPid_(getprocpid()), callerUid_(getuid()),
87 callerTokenID_(0), firstTokenID_(0), callerSid_(""), status_(0)
88 {
89 invokerInfo_ = { callerPid_, callerRealPid_, callerUid_, callerTokenID_, firstTokenID_, callerSid_,
90 reinterpret_cast<uintptr_t>(this) };
91 input_.SetDataCapacity(IPC_DEFAULT_PARCEL_SIZE);
92 binderConnector_ = BinderConnector::GetInstance();
93 ZLOGD(LABEL, ":%{public}u", ProcessSkeleton::ConvertAddr(this));
94 }
95
~BinderInvoker()96 BinderInvoker::~BinderInvoker()
97 {
98 ZLOGD(LABEL, ":%{public}u", ProcessSkeleton::ConvertAddr(this));
99 auto current = ProcessSkeleton::GetInstance();
100 if (current != nullptr) {
101 current->DetachInvokerProcInfo(true);
102 }
103 ProcDeferredDecRefs();
104 FlushCommands(nullptr);
105 }
106
AcquireHandle(int32_t handle)107 bool BinderInvoker::AcquireHandle(int32_t handle)
108 {
109 size_t rewindPos = output_.GetWritePosition();
110 if (!output_.WriteUint32(BC_ACQUIRE)) {
111 return false;
112 }
113
114 if (!output_.WriteInt32(handle)) {
115 if (!output_.RewindWrite(rewindPos)) {
116 output_.FlushBuffer();
117 }
118 return false;
119 }
120 /* invoke remote to receive acquire handle event, don't care ping result */
121 if (handle != 0) {
122 (void)FlushCommands(nullptr);
123 }
124 ZLOGD(LABEL, "handle:%{public}d", handle);
125 return true;
126 }
127
ReleaseHandle(int32_t handle)128 bool BinderInvoker::ReleaseHandle(int32_t handle)
129 {
130 size_t rewindPos = output_.GetWritePosition();
131 if (!output_.WriteUint32(BC_RELEASE)) {
132 return false;
133 }
134
135 if (!output_.WriteInt32(handle)) {
136 if (!output_.RewindWrite(rewindPos)) {
137 output_.FlushBuffer();
138 }
139 return false;
140 }
141 FlushCommands(nullptr);
142 ZLOGD(LABEL, "handle:%{public}d", handle);
143 return true;
144 }
145
SendRequest(int handle,uint32_t code,MessageParcel & data,MessageParcel & reply,MessageOption & option)146 int BinderInvoker::SendRequest(int handle, uint32_t code, MessageParcel &data, MessageParcel &reply,
147 MessageOption &option)
148 {
149 int error = ERR_NONE;
150 uint32_t flags = static_cast<uint32_t>(option.GetFlags());
151 [[maybe_unused]] ThreadMigrationDisabler _d;
152
153 if (!TranslateDBinderProxy(handle, data)) {
154 return IPC_INVOKER_WRITE_TRANS_ERR;
155 }
156
157 size_t totalDBinderBufSize = 0;
158 #ifndef CONFIG_IPC_SINGLE
159 if (!TranslateDBinderStub(handle, data, false, totalDBinderBufSize)) {
160 return IPC_TRANSLATE_DBINDER_STUB_ERR;
161 }
162 auto dataSize = data.GetDataSize();
163 if (totalDBinderBufSize > 0 && dataSize % BINDER_ALIGN_BYTES != 0) {
164 ZLOGI(LABEL, "not 8 bytes aligned(%{public}zu), padding it", dataSize);
165 data.WriteInt8(0);
166 }
167 #endif
168 MessageParcel &newData = const_cast<MessageParcel &>(data);
169 size_t oldWritePosition = newData.GetWritePosition();
170 HiTraceId traceId = HiTraceChain::GetId();
171 // set client send trace point if trace is enabled
172 HiTraceId childId = HitraceInvoker::TraceClientSend(handle, code, newData, flags, traceId);
173
174 int cmd = (totalDBinderBufSize > 0) ? BC_TRANSACTION_SG : BC_TRANSACTION;
175 if (!WriteTransaction(cmd, flags, handle, code, data, nullptr, totalDBinderBufSize)) {
176 ZLOGE(LABEL, "WriteTransaction ERROR");
177 newData.RewindWrite(oldWritePosition);
178 return IPC_INVOKER_WRITE_TRANS_ERR;
179 }
180
181 ++sendRequestCount_;
182 if ((flags & TF_ONE_WAY) != 0) {
183 error = WaitForCompletion(nullptr);
184 } else {
185 #ifdef FFRT_IPC_ENABLE
186 ffrt_this_task_set_legacy_mode(true);
187 #endif
188 error = WaitForCompletion(&reply);
189 #ifdef FFRT_IPC_ENABLE
190 ffrt_this_task_set_legacy_mode(false);
191 #endif
192 }
193 HitraceInvoker::TraceClientReceieve(handle, code, flags, traceId, childId);
194 // restore Parcel data
195 newData.RewindWrite(oldWritePosition);
196 --sendRequestCount_;
197 return error;
198 }
199
TranslateDBinderProxy(int handle,MessageParcel & parcel)200 bool BinderInvoker::TranslateDBinderProxy(int handle, MessageParcel &parcel)
201 {
202 uintptr_t dataOffset = parcel.GetData();
203 binder_size_t *objOffset = reinterpret_cast<binder_size_t *>(parcel.GetObjectOffsets());
204 for (size_t i = 0; i < parcel.GetOffsetsSize(); i++) {
205 auto flat = reinterpret_cast<flat_binder_object *>(dataOffset + *(objOffset + i));
206 #ifdef CONFIG_IPC_SINGLE
207 if (flat->hdr.type == BINDER_TYPE_HANDLE && flat->cookie != IRemoteObject::IF_PROT_BINDER) {
208 ZLOGE(LABEL, "sending a dbinder proxy in ipc_single.z.so is not allowed");
209 return false;
210 }
211 #else
212 if (flat->hdr.type == BINDER_TYPE_HANDLE && flat->cookie == IRemoteObject::IF_PROT_DATABUS
213 && flat->handle < IPCProcessSkeleton::DBINDER_HANDLE_BASE) {
214 if (!AddCommAuth(handle, flat)) {
215 return false;
216 }
217 }
218 #endif
219 }
220 return true;
221 }
222
AddDeathRecipient(int32_t handle,void * cookie)223 bool BinderInvoker::AddDeathRecipient(int32_t handle, void *cookie)
224 {
225 ZLOGD(LABEL, "for handle:%{public}d", handle);
226 size_t rewindPos = output_.GetWritePosition();
227 if (!output_.WriteInt32(BC_REQUEST_DEATH_NOTIFICATION)) {
228 ZLOGE(LABEL, "fail to write command field, handle:%{public}d", handle);
229 return false;
230 }
231
232 if (!output_.WriteInt32(handle)) {
233 if (!output_.RewindWrite(rewindPos)) {
234 output_.FlushBuffer();
235 }
236 return false;
237 }
238
239 if (!output_.WritePointer((uintptr_t)cookie)) {
240 /* rewind written size notification and handle. */
241 if (!output_.RewindWrite(rewindPos)) {
242 output_.FlushBuffer();
243 }
244 return false;
245 }
246
247 // pass in nullptr directly
248 int error = FlushCommands(nullptr);
249 if (error == ERR_NONE) {
250 auto *proxy = reinterpret_cast<IPCObjectProxy *>(cookie);
251 if (proxy != nullptr) {
252 proxy->IncStrongRef(this);
253 }
254 }
255 return error == ERR_NONE;
256 }
257
RemoveDeathRecipient(int32_t handle,void * cookie)258 bool BinderInvoker::RemoveDeathRecipient(int32_t handle, void *cookie)
259 {
260 size_t rewindPos = output_.GetWritePosition();
261 if (!output_.WriteInt32(BC_CLEAR_DEATH_NOTIFICATION)) {
262 return false;
263 }
264
265 if (!output_.WriteInt32(handle)) {
266 if (!output_.RewindWrite(rewindPos)) {
267 output_.FlushBuffer();
268 }
269 return false;
270 }
271
272 if (!output_.WritePointer((uintptr_t)cookie)) {
273 if (!output_.RewindWrite(rewindPos)) {
274 output_.FlushBuffer();
275 }
276 return false;
277 }
278
279 // pass in nullptr directly
280 int error = FlushCommands(nullptr);
281 if (error != ERR_NONE) {
282 ZLOGE(LABEL, "failed, handle:%{public}d error:%{public}d", handle, error);
283 return false;
284 }
285
286 return true;
287 }
288
289 #ifndef CONFIG_IPC_SINGLE
TranslateIRemoteObject(int32_t cmd,const sptr<IRemoteObject> & obj)290 int BinderInvoker::TranslateIRemoteObject(int32_t cmd, const sptr<IRemoteObject> &obj)
291 {
292 if ((binderConnector_ == nullptr) || (!binderConnector_->IsDriverAlive())) {
293 return -IPC_INVOKER_CONNECT_ERR;
294 }
295 size_t rewindPos = output_.GetWritePosition();
296 if (!output_.WriteInt32(cmd)) {
297 if (!output_.RewindWrite(rewindPos)) {
298 output_.FlushBuffer();
299 }
300 return -IPC_INVOKER_TRANSLATE_ERR;
301 }
302 if (!FlattenObject(output_, obj.GetRefPtr())) {
303 if (!output_.RewindWrite(rewindPos)) {
304 output_.FlushBuffer();
305 }
306 return -IPC_INVOKER_TRANSLATE_ERR;
307 }
308 MessageParcel reply;
309 int error = WaitForCompletion(&reply);
310 if (error == ERR_NONE) {
311 uint32_t handle = reply.ReadUint32();
312 if (handle > 0) {
313 return handle;
314 }
315 }
316 ZLOGE(LABEL, "failed to TranslateIRemoteObject");
317 return -IPC_INVOKER_TRANSLATE_ERR;
318 }
319
GetSAMgrObject()320 sptr<IRemoteObject> BinderInvoker::GetSAMgrObject()
321 {
322 ZLOGI(LABEL, "get samgr object!");
323 IPCProcessSkeleton *current = IPCProcessSkeleton::GetCurrent();
324 if (current != nullptr) {
325 return current->GetRegistryObject();
326 }
327 return nullptr;
328 }
329
AddCommAuth(int32_t handle,flat_binder_object * flat)330 bool BinderInvoker::AddCommAuth(int32_t handle, flat_binder_object *flat)
331 {
332 MessageParcel data;
333 MessageParcel reply;
334 MessageOption option;
335 if (SendRequest(handle, GET_PID_UID, data, reply, option) != ERR_NONE) {
336 ZLOGE(LABEL, "get pid and uid failed");
337 return false;
338 }
339 MessageParcel data2;
340 MessageParcel reply2;
341 MessageOption option2;
342 data2.WriteUint32(reply.ReadUint32()); // pid
343 data2.WriteUint32(reply.ReadUint32()); // uid
344 IPCProcessSkeleton *current = IPCProcessSkeleton::GetCurrent();
345 if (current == nullptr) {
346 ZLOGE(LABEL, "current is null");
347 return false;
348 }
349 data2.WriteString(current->GetLocalDeviceID()); // deviceId
350 std::shared_ptr<DBinderSessionObject> session = current->ProxyQueryDBinderSession(flat->handle);
351 if (session == nullptr) {
352 ZLOGE(LABEL, "no session found for handle:%{public}d", flat->handle);
353 return false;
354 }
355 data2.WriteUint64(session->GetStubIndex()); // stubIndex
356 data2.WriteUint32(session->GetTokenId()); // tokenId
357 IRemoteInvoker *invoker = IPCThreadSkeleton::GetRemoteInvoker(IRemoteObject::IF_PROT_DATABUS);
358 if (invoker == nullptr) {
359 ZLOGE(LABEL, "invoker is null");
360 return false;
361 }
362 if (invoker->SendRequest(flat->handle, DBINDER_ADD_COMMAUTH, data2, reply2, option2) != ERR_NONE) {
363 ZLOGE(LABEL, "dbinder add auth info failed");
364 return false;
365 }
366 return true;
367 }
368
GetDBinderCallingPidUid(int handle,bool isReply,pid_t & pid,uid_t & uid)369 bool BinderInvoker::GetDBinderCallingPidUid(int handle, bool isReply, pid_t &pid, uid_t &uid)
370 {
371 if (pid == INVALID_PID) {
372 if (!isReply) {
373 MessageParcel data;
374 MessageParcel reply;
375 MessageOption option;
376 auto ret = SendRequest(handle, GET_PID_UID, data, reply, option);
377 if (ret != ERR_NONE) {
378 ZLOGE(LABEL, "GET_PID_UID failed, error:%{public}d", ret);
379 return false;
380 }
381 uint32_t tempPid = reply.ReadUint32();
382 if (tempPid > static_cast<uint32_t>(std::numeric_limits<pid_t>::max())) {
383 ZLOGE(LABEL, "PID overflow: %{public}u", tempPid);
384 return false;
385 }
386 pid = static_cast<pid_t>(tempPid);
387 uid = reply.ReadUint32();
388 } else {
389 pid = GetCallerPid();
390 uid = GetCallerUid();
391 }
392 ZLOGI(LABEL, "pid:%{public}d uid:%{public}d", pid, uid);
393 }
394 return true;
395 }
396
TranslateDBinderStub(int handle,MessageParcel & parcel,bool isReply,size_t & totalDBinderBufSize)397 bool BinderInvoker::TranslateDBinderStub(int handle, MessageParcel &parcel, bool isReply, size_t &totalDBinderBufSize)
398 {
399 pid_t pid = INVALID_PID;
400 uid_t uid = INVALID_PID;
401 uintptr_t dataBuf = parcel.GetData();
402 size_t totalSize = parcel.GetDataSize();
403 size_t objCount = parcel.GetOffsetsSize();
404 binder_size_t *objOffset = reinterpret_cast<binder_size_t *>(parcel.GetObjectOffsets());
405 size_t alignSize = 0;
406
407 for (size_t i = 0; i < objCount; ++i) {
408 auto obj = reinterpret_cast<binder_buffer_object *>(dataBuf + objOffset[i]);
409 if ((obj->hdr.type == BINDER_TYPE_PTR) && (obj->length == sizeof(dbinder_negotiation_data))) {
410 alignSize = (obj->length + (sizeof(uint64_t) - 1)) & ~(sizeof(uint64_t) - 1);
411 if (alignSize != obj->length) {
412 ZLOGW(LABEL, "alignSize(%{public}zu) != obj.length(%{public}llu)", alignSize, obj->length);
413 }
414 totalDBinderBufSize += alignSize;
415 // skip to next object
416 ++i;
417 if ((i >= objCount) || (objOffset[i] + sizeof(flat_binder_object) > totalSize)) {
418 ZLOGW(LABEL, "over length, i:%{public}zu count:%{public}zu offset:%{public}llu totalSize:%{public}zu",
419 i, objCount, objOffset[i], totalSize);
420 break;
421 }
422 auto flat = reinterpret_cast<flat_binder_object *>(dataBuf + objOffset[i]);
423 if (flat->hdr.type != BINDER_TYPE_BINDER) {
424 ZLOGE(LABEL, "unexpected binder type:%{public}d", flat->hdr.type);
425 return false;
426 }
427 if (!GetDBinderCallingPidUid(handle, isReply, pid, uid)) {
428 ZLOGE(LABEL, "GetDBinderCallingPidUid fail, cookie:%{public}llu", flat->cookie);
429 return false;
430 }
431
432 auto stub = reinterpret_cast<IPCObjectStub *>(flat->cookie);
433 if (stub->GetAndSaveDBinderData(pid, uid) != ERR_NONE) {
434 ZLOGE(LABEL, "GetAndSaveDBinderData fail, cookie:%{public}llu", flat->cookie);
435 return false;
436 }
437 ZLOGI(LABEL, "succ, cookie:%{public}llu", flat->cookie);
438 }
439 }
440 return true;
441 }
442
UnFlattenDBinderObject(Parcel & parcel,dbinder_negotiation_data & dbinderData)443 bool BinderInvoker::UnFlattenDBinderObject(Parcel &parcel, dbinder_negotiation_data &dbinderData)
444 {
445 auto offset = parcel.GetReadPosition();
446 auto *buffer = parcel.ReadBuffer(sizeof(binder_object_header), false);
447 if (buffer == nullptr) {
448 ZLOGE(LABEL, "null object buffer");
449 return false;
450 }
451 auto *hdr = reinterpret_cast<const binder_object_header *>(buffer);
452 if (hdr->type != BINDER_TYPE_PTR) {
453 parcel.RewindRead(offset);
454 return false;
455 }
456 ZLOGI(LABEL, "PTR");
457 parcel.RewindRead(offset);
458 buffer = parcel.ReadBuffer(sizeof(binder_buffer_object), false);
459 if (buffer == nullptr) {
460 ZLOGE(LABEL, "null object buffer");
461 return false;
462 }
463 auto *obj = reinterpret_cast<const binder_buffer_object *>(buffer);
464 if (((obj->flags & BINDER_BUFFER_FLAG_HAS_DBINDER) == 0) || (obj->length != sizeof(dbinder_negotiation_data))) {
465 ZLOGW(LABEL, "no dbinder buffer flag");
466 parcel.RewindRead(offset);
467 return false;
468 }
469 dbinderData = *reinterpret_cast<dbinder_negotiation_data *>(obj->buffer);
470 return true;
471 }
472 #endif
473
SetMaxWorkThread(int maxThreadNum)474 bool BinderInvoker::SetMaxWorkThread(int maxThreadNum)
475 {
476 if ((binderConnector_ == nullptr) || (!binderConnector_->IsDriverAlive())) {
477 ZLOGE(LABEL, "driver died");
478 return false;
479 }
480
481 int error = binderConnector_->WriteBinder(BINDER_SET_MAX_THREADS, &maxThreadNum);
482 if (error != ERR_NONE) {
483 ZLOGE(LABEL, "SetMaxWorkThread error:%{public}d", error);
484 return false;
485 }
486
487 return true;
488 }
489
FlushCommands(IRemoteObject * object)490 int BinderInvoker::FlushCommands(IRemoteObject *object)
491 {
492 if ((binderConnector_ == nullptr) || (!binderConnector_->IsDriverAlive())) {
493 ZLOGE(LABEL, "driver is died");
494 return IPC_INVOKER_CONNECT_ERR;
495 }
496 int error = TransactWithDriver(false);
497 if (error != ERR_NONE) {
498 uint64_t curTime = static_cast<uint64_t>(std::chrono::duration_cast<std::chrono::nanoseconds>(
499 std::chrono::steady_clock::now().time_since_epoch()).count());
500 ZLOGE(LABEL, "failed, error:%{public}d time:%{public}" PRIu64, error, curTime);
501 }
502
503 if (output_.GetDataSize() > 0) {
504 error = TransactWithDriver(false);
505 }
506 if (error != ERR_NONE || output_.GetDataSize() > 0) {
507 ZLOGW(LABEL, "error:%{public}d, left data size:%{public}zu", error, output_.GetDataSize());
508 PrintParcelData(input_, "input_");
509 PrintParcelData(output_, "output_");
510 std::string backtrace;
511 if (!GetBacktrace(backtrace, false)) {
512 ZLOGE(LABEL, "GetBacktrace fail");
513 } else {
514 ZLOGW(LABEL, "backtrace info:\n%{public}s", backtrace.c_str());
515 }
516 }
517
518 return error;
519 }
520
ExitCurrentThread()521 void BinderInvoker::ExitCurrentThread()
522 {
523 if ((binderConnector_ == nullptr) || (!binderConnector_->IsDriverAlive())) {
524 ZLOGE(LABEL, "driver died when exit current thread");
525 return;
526 }
527 binderConnector_->ExitCurrentThread(BINDER_THREAD_EXIT);
528 }
529
StartWorkLoop()530 void BinderInvoker::StartWorkLoop()
531 {
532 if ((binderConnector_ == nullptr) || (!binderConnector_->IsDriverAlive())) {
533 ZLOGE(LABEL, "driver is died");
534 return;
535 }
536 int error;
537 do {
538 ProcessSkeleton *process = ProcessSkeleton::GetInstance();
539 if (process == nullptr || process->GetThreadStopFlag()) {
540 break;
541 }
542 error = TransactWithDriver();
543 if (error < ERR_NONE && error != -ECONNREFUSED && error != -EBADF) {
544 ZLOGE(LABEL, "returned unexpected error:%{public}d, aborting", error);
545 break;
546 }
547 if (input_.GetReadableBytes() == 0) {
548 continue;
549 }
550 uint32_t cmd = input_.ReadUint32();
551 IPCProcessSkeleton *current = IPCProcessSkeleton::GetCurrent();
552 if (current != nullptr) {
553 current->LockForNumExecuting();
554 }
555 int userError = HandleCommands(cmd);
556 if (current != nullptr) {
557 current->UnlockForNumExecuting();
558 }
559 if ((userError == -ERR_TIMED_OUT || userError == IPC_INVOKER_INVALID_DATA_ERR) && !isMainWorkThread) {
560 ZLOGW(LABEL, "exit, userError:%{public}d", userError);
561 break;
562 }
563 ProcDeferredDecRefs();
564 } while (error != -ECONNREFUSED && error != -EBADF && !stopWorkThread);
565 }
566
SendReply(MessageParcel & reply,uint32_t flags,int32_t result)567 int BinderInvoker::SendReply(MessageParcel &reply, uint32_t flags, int32_t result)
568 {
569 size_t totalDBinderBufSize = 0;
570 #ifndef CONFIG_IPC_SINGLE
571 if (!TranslateDBinderStub(-1, reply, true, totalDBinderBufSize)) {
572 return IPC_TRANSLATE_DBINDER_STUB_ERR;
573 }
574 auto replySize = reply.GetDataSize();
575 if (totalDBinderBufSize > 0 && replySize % BINDER_ALIGN_BYTES != 0) {
576 ZLOGI(LABEL, "not 8 bytes aligned(%{public}zu), padding it", replySize);
577 reply.WriteInt8(0);
578 }
579 #endif
580
581 int cmd = (totalDBinderBufSize > 0) ? BC_REPLY_SG : BC_REPLY;
582 int error = WriteTransaction(cmd, flags, -1, 0, reply, &result, totalDBinderBufSize);
583 if (error < ERR_NONE) {
584 return error;
585 }
586 return WaitForCompletion();
587 }
588
OnBinderDied()589 void BinderInvoker::OnBinderDied()
590 {
591 ZLOGD(LABEL, "enter");
592 uintptr_t cookie = input_.ReadPointer();
593 auto *proxy = reinterpret_cast<IPCObjectProxy *>(cookie);
594 if ((proxy == nullptr) || (proxy->GetSptrRefCount() <= 0)) {
595 ZLOGE(LABEL, "Invalid proxy object %{public}u.", ProcessSkeleton::ConvertAddr(proxy));
596 return;
597 }
598 ProcessSkeleton *current = ProcessSkeleton::GetInstance();
599 std::u16string desc;
600 if ((current != nullptr) && !current->IsValidObject(proxy, desc)) {
601 ZLOGE(LABEL, "%{public}u is invalid", ProcessSkeleton::ConvertAddr(proxy));
602 } else {
603 std::string descTemp = Str16ToStr8(desc);
604 CrashObjDumper dumper(descTemp.c_str());
605 if (proxy->AttemptIncStrongRef(this)) {
606 proxy->SendObituary();
607 proxy->DecStrongRef(this);
608 } else {
609 ZLOGW(LABEL, "failed to increment strong reference count");
610 }
611 }
612 size_t rewindPos = output_.GetWritePosition();
613 if (!output_.WriteInt32(BC_DEAD_BINDER_DONE)) {
614 return;
615 }
616
617 if (!output_.WritePointer((uintptr_t)cookie)) {
618 if (!output_.RewindWrite(rewindPos)) {
619 output_.FlushBuffer();
620 }
621 }
622 }
623
OnAcquireObject(uint32_t cmd)624 void BinderInvoker::OnAcquireObject(uint32_t cmd)
625 {
626 bool result = false;
627 uintptr_t refsPointer = input_.ReadPointer();
628 uintptr_t objectPointer = input_.ReadPointer();
629 RefCounter *refs = reinterpret_cast<RefCounter *>(refsPointer);
630 IRemoteObject *obj = reinterpret_cast<IRemoteObject *>(objectPointer);
631 if ((obj == nullptr) || (refs == nullptr)) {
632 ZLOGE(LABEL, "Invalid stub object %{public}u.", ProcessSkeleton::ConvertAddr(obj));
633 return;
634 }
635 ProcessSkeleton *current = ProcessSkeleton::GetInstance();
636 std::u16string desc;
637 if ((current != nullptr) && !current->IsValidObject(obj, desc)) {
638 ZLOGE(LABEL, "%{public}u is invalid", ProcessSkeleton::ConvertAddr(obj));
639 return;
640 }
641 std::string descTemp = Str16ToStr8(desc);
642 CrashObjDumper dumper(descTemp.c_str());
643 if (obj->GetSptrRefCount() <= 0) {
644 ZLOGE(LABEL, "Invalid stub object %{public}u.", ProcessSkeleton::ConvertAddr(obj));
645 return;
646 }
647 size_t rewindPos = output_.GetWritePosition();
648 if (cmd == BR_ACQUIRE) {
649 obj->IncStrongRef(this);
650 result = output_.WriteInt32(BC_ACQUIRE_DONE);
651 } else {
652 refs->IncWeakRefCount(this);
653 result = output_.WriteInt32(BC_INCREFS_DONE);
654 }
655
656 if (!result || !output_.WritePointer(refsPointer) || !output_.WritePointer(objectPointer)) {
657 if (!output_.RewindWrite(rewindPos)) {
658 output_.FlushBuffer();
659 }
660 return;
661 }
662 }
663
OnReleaseObject(uint32_t cmd)664 void BinderInvoker::OnReleaseObject(uint32_t cmd)
665 {
666 uintptr_t refsPointer = input_.ReadPointer();
667 uintptr_t objectPointer = input_.ReadPointer();
668 RefCounter *refs = reinterpret_cast<RefCounter *>(refsPointer);
669 IRemoteObject *obj = reinterpret_cast<IRemoteObject *>(objectPointer);
670 if ((refs == nullptr) || (obj == nullptr)) {
671 ZLOGE(LABEL, "Invalid stub object %{public}u.", ProcessSkeleton::ConvertAddr(obj));
672 return;
673 }
674
675 ZLOGD(LABEL, "refcount:%{public}d refs:%{public}u obj:%{public}u", refs->GetStrongRefCount(),
676 ProcessSkeleton::ConvertAddr(refs), ProcessSkeleton::ConvertAddr(obj));
677 if (cmd == BR_RELEASE) {
678 std::lock_guard<std::mutex> lock(strongRefMutex_);
679 decStrongRefs_.push_back(obj);
680 } else {
681 std::lock_guard<std::mutex> lock(weakRefMutex_);
682 decWeakRefs_.push_back(refs);
683 }
684 }
685
GetAccessToken(uint64_t & callerTokenID,uint64_t & firstTokenID)686 void BinderInvoker::GetAccessToken(uint64_t &callerTokenID, uint64_t &firstTokenID)
687 {
688 struct access_token token{};
689 int error = binderConnector_->WriteBinder(BINDER_GET_ACCESS_TOKEN, &token);
690 if (error != ERR_NONE) {
691 token.sender_tokenid = 0;
692 token.first_tokenid = 0;
693 }
694 callerTokenID = token.sender_tokenid;
695 firstTokenID = token.first_tokenid;
696 }
697
GetSenderInfo(uint64_t & callerTokenID,uint64_t & firstTokenID,pid_t & realPid)698 void BinderInvoker::GetSenderInfo(uint64_t &callerTokenID, uint64_t &firstTokenID, pid_t &realPid)
699 {
700 struct binder_sender_info sender{};
701 int error = binderConnector_->WriteBinder(BINDER_GET_SENDER_INFO, &sender);
702 if (error != ERR_NONE) {
703 sender.tokens.sender_tokenid = 0;
704 sender.tokens.first_tokenid = 0;
705 sender.sender_pid_nr = 0;
706 }
707 callerTokenID = sender.tokens.sender_tokenid;
708 firstTokenID = sender.tokens.first_tokenid;
709 realPid = static_cast<pid_t>(sender.sender_pid_nr);
710 }
711
RestoreInvokerProcInfo(const InvokerProcInfo & info)712 void BinderInvoker::RestoreInvokerProcInfo(const InvokerProcInfo &info)
713 {
714 callerPid_ = info.pid;
715 callerRealPid_ = info.realPid;
716 callerUid_ = info.uid;
717 callerTokenID_ = info.tokenId;
718 firstTokenID_ = info.firstTokenId;
719 callerSid_ = info.sid;
720 }
721
AttachInvokerProcInfoWrapper()722 void BinderInvoker::AttachInvokerProcInfoWrapper()
723 {
724 InvokerProcInfo invokerInfo = { callerPid_, callerRealPid_,
725 callerUid_, callerTokenID_, firstTokenID_, callerSid_, ProcessSkeleton::ConvertAddr(this) };
726 auto current = ProcessSkeleton::GetInstance();
727 if (current != nullptr) {
728 current->AttachInvokerProcInfo(true, invokerInfo);
729 }
730 }
731
SamgrServiceSendRequest(const binder_transaction_data & tr,MessageParcel & data,MessageParcel & reply,MessageOption & option)732 int32_t BinderInvoker::SamgrServiceSendRequest(
733 const binder_transaction_data &tr, MessageParcel &data, MessageParcel &reply, MessageOption &option)
734 {
735 int error = ERR_DEAD_OBJECT;
736
737 auto targetObject = IPCProcessSkeleton::GetCurrent()->GetRegistryObject();
738 if (targetObject == nullptr) {
739 ZLOGE(LABEL, "Invalid samgr stub object");
740 } else {
741 error = targetObject->SendRequest(tr.code, data, reply, option);
742 }
743 return error;
744 }
745
GeneralServiceSendRequest(const binder_transaction_data & tr,MessageParcel & data,MessageParcel & reply,MessageOption & option)746 int32_t BinderInvoker::GeneralServiceSendRequest(
747 const binder_transaction_data &tr, MessageParcel &data, MessageParcel &reply, MessageOption &option)
748 {
749 int32_t error = ERR_DEAD_OBJECT;
750 auto *refs = reinterpret_cast<RefCounter *>(tr.target.ptr);
751 int count = 0;
752 if ((refs != nullptr) && (tr.cookie) && (refs->AttemptIncStrongRef(this, count))) {
753 auto *targetObject = reinterpret_cast<IPCObjectStub *>(tr.cookie);
754 if (targetObject == nullptr) {
755 ZLOGE(LABEL, "Invalid stub object");
756 return error;
757 }
758 auto current = ProcessSkeleton::GetInstance();
759 std::u16string desc;
760 if ((current != nullptr) && !current->IsValidObject(targetObject, desc)) {
761 ZLOGE(LABEL, "%{public}u is invalid", ProcessSkeleton::ConvertAddr(targetObject));
762 } else {
763 std::string descTemp = Str16ToStr8(desc);
764 CrashObjDumper dumper(descTemp.c_str());
765 if (targetObject->GetSptrRefCount() > 0) {
766 error = targetObject->SendRequest(tr.code, data, reply, option);
767 targetObject->DecStrongRef(this);
768 }
769 }
770 }
771 return error;
772 }
773
TargetStubSendRequest(const binder_transaction_data & tr,MessageParcel & data,MessageParcel & reply,MessageOption & option,uint32_t & flagValue)774 int32_t BinderInvoker::TargetStubSendRequest(const binder_transaction_data &tr,
775 MessageParcel &data, MessageParcel &reply, MessageOption &option, uint32_t &flagValue)
776 {
777 #ifdef CONFIG_ACTV_BINDER
778 bool oldActvBinder = GetUseActvBinder();
779 SetUseActvBinder(false);
780 #endif
781
782 int32_t error = ERR_DEAD_OBJECT;
783 flagValue = static_cast<uint32_t>(tr.flags) & ~static_cast<uint32_t>(MessageOption::TF_ACCEPT_FDS);
784 option.SetFlags(static_cast<int>(flagValue));
785 if (tr.target.ptr != 0) {
786 error = GeneralServiceSendRequest(tr, data, reply, option);
787 } else {
788 error = SamgrServiceSendRequest(tr, data, reply, option);
789 }
790
791 #ifdef CONFIG_ACTV_BINDER
792 SetUseActvBinder(oldActvBinder);
793 #endif
794 return error;
795 }
796
Transaction(binder_transaction_data_secctx & trSecctx)797 void BinderInvoker::Transaction(binder_transaction_data_secctx& trSecctx)
798 {
799 binder_transaction_data& tr = trSecctx.transaction_data;
800 auto binderAllocator = new (std::nothrow) BinderAllocator();
801 if (binderAllocator == nullptr) {
802 ZLOGE(LABEL, "BinderAllocator Creation failed");
803 return;
804 }
805 auto data = std::make_unique<MessageParcel>(binderAllocator);
806 data->ParseFrom(tr.data.ptr.buffer, tr.data_size);
807 if (tr.offsets_size > 0) {
808 data->InjectOffsets(tr.data.ptr.offsets, tr.offsets_size / sizeof(binder_size_t));
809 }
810
811 uint32_t &newFlags = const_cast<uint32_t&>(tr.flags);
812 int isServerTraced = HitraceInvoker::TraceServerReceieve(static_cast<uint64_t>(tr.target.handle),
813 tr.code, *data, newFlags);
814
815 InvokerProcInfo oldInvokerProcInfo = {
816 callerPid_, callerRealPid_, callerUid_, callerTokenID_, firstTokenID_, callerSid_, 0 };
817 uint32_t oldStatus = status_;
818 callerSid_ = (trSecctx.secctx != 0) ? reinterpret_cast<char *>(trSecctx.secctx) : "";
819 callerPid_ = tr.sender_pid;
820 callerUid_ = tr.sender_euid;
821 callerRealPid_ = callerPid_;
822 if (binderConnector_ != nullptr && binderConnector_->IsRealPidSupported()) {
823 GetSenderInfo(callerTokenID_, firstTokenID_, callerRealPid_);
824 } else if (binderConnector_ != nullptr && binderConnector_->IsAccessTokenSupported()) {
825 GetAccessToken(callerTokenID_, firstTokenID_);
826 }
827 // sync caller information to another binderinvoker
828 AttachInvokerProcInfoWrapper();
829 MessageParcel reply;
830 MessageOption option;
831 uint32_t flagValue;
832
833 SetStatus(IRemoteInvoker::ACTIVE_INVOKER);
834 int32_t error = TargetStubSendRequest(tr, *data, reply, option, flagValue);
835 HitraceInvoker::TraceServerSend(static_cast<uint64_t>(tr.target.handle), tr.code, isServerTraced, newFlags);
836 if (!(flagValue & TF_ONE_WAY)) {
837 SendReply(reply, 0, error);
838 }
839
840 RestoreInvokerProcInfo(oldInvokerProcInfo);
841 // restore caller information to another binderinvoker
842 AttachInvokerProcInfoWrapper();
843 SetStatus(oldStatus);
844 }
845
OnAttemptAcquire()846 void BinderInvoker::OnAttemptAcquire()
847 {
848 bool success = false;
849 uintptr_t refsPtr = input_.ReadPointer();
850 uintptr_t objectPtr = input_.ReadPointer();
851 auto *refs = reinterpret_cast<RefCounter *>(refsPtr);
852
853 size_t rewindPos = output_.GetWritePosition();
854 if ((refs != nullptr) && (!objectPtr)) {
855 int count = 0;
856 success = refs->AttemptIncStrongRef(this, count);
857 }
858
859 if (!output_.WriteUint32(BC_ACQUIRE_RESULT)) {
860 return;
861 }
862
863 if (!output_.WriteUint32((uint32_t)success)) {
864 if (!output_.RewindWrite(rewindPos)) {
865 output_.FlushBuffer();
866 }
867 }
868 }
869
OnRemoveRecipientDone()870 void BinderInvoker::OnRemoveRecipientDone()
871 {
872 uintptr_t cookie = input_.ReadPointer();
873 auto *proxy = reinterpret_cast<IPCObjectProxy *>(cookie);
874 if (proxy != nullptr) {
875 proxy->DecStrongRef(this);
876 }
877 }
878
OnSpawnThread()879 void BinderInvoker::OnSpawnThread()
880 {
881 IPCProcessSkeleton *current = IPCProcessSkeleton::GetCurrent();
882 if (current != nullptr) {
883 #ifdef CONFIG_ACTV_BINDER
884 if (GetUseActvBinder()) {
885 current->SpawnThread(IPCWorkThread::ACTV_PASSIVE);
886 } else {
887 current->SpawnThread();
888 }
889 #else
890 current->SpawnThread();
891 #endif
892 }
893 }
894
OnTransaction(uint32_t cmd,int32_t & error)895 void BinderInvoker::OnTransaction(uint32_t cmd, int32_t &error)
896 {
897 binder_transaction_data_secctx trSecctx = {
898 .secctx = 0,
899 };
900 const uint8_t *buffer = nullptr;
901 bool isSecctx = (cmd == static_cast<uint32_t>(BR_TRANSACTION_SEC_CTX));
902 uint32_t bufferSize = isSecctx ? sizeof(binder_transaction_data_secctx) : sizeof(binder_transaction_data);
903
904 buffer = input_.ReadBuffer(bufferSize, false);
905 if (buffer == nullptr) {
906 error = IPC_INVOKER_INVALID_DATA_ERR;
907 return;
908 }
909
910 if (isSecctx) {
911 trSecctx = *(reinterpret_cast<const binder_transaction_data_secctx *>(buffer));
912 } else {
913 trSecctx.transaction_data = *(reinterpret_cast<const binder_transaction_data *>(buffer));
914 }
915
916 Transaction(trSecctx);
917 }
918
HandleReply(MessageParcel * reply,bool & isStubRet)919 int BinderInvoker::HandleReply(MessageParcel *reply, bool &isStubRet)
920 {
921 const size_t readSize = sizeof(binder_transaction_data);
922 const uint8_t *buffer = input_.ReadBuffer(readSize, false);
923 if (buffer == nullptr) {
924 ZLOGE(LABEL, "HandleReply read tr failed");
925 return IPC_INVOKER_INVALID_DATA_ERR;
926 }
927 const binder_transaction_data *tr = reinterpret_cast<const binder_transaction_data *>(buffer);
928
929 if (reply == nullptr) {
930 ZLOGD(LABEL, "no need reply, free the buffer");
931 FreeBuffer(reinterpret_cast<void *>(tr->data.ptr.buffer));
932 return IPC_INVOKER_INVALID_REPLY_ERR;
933 }
934
935 if (tr->flags & TF_STATUS_CODE) {
936 isStubRet = true;
937 int32_t status = *reinterpret_cast<const int32_t *>(tr->data.ptr.buffer);
938 ZLOGD(LABEL, "received status code:%{public}d, free the buffer", status);
939 FreeBuffer(reinterpret_cast<void *>(tr->data.ptr.buffer));
940 return status;
941 }
942
943 auto allocator = new (std::nothrow) BinderAllocator();
944 if (allocator == nullptr) {
945 ZLOGE(LABEL, "create BinderAllocator object failed");
946 return IPC_INVOKER_INVALID_DATA_ERR;
947 }
948 if (!reply->SetAllocator(allocator)) {
949 ZLOGD(LABEL, "SetAllocator failed");
950 delete allocator;
951 FreeBuffer(reinterpret_cast<void *>(tr->data.ptr.buffer));
952 return IPC_INVOKER_INVALID_DATA_ERR;
953 }
954 reply->ParseFrom(tr->data.ptr.buffer, tr->data_size);
955
956 if (tr->offsets_size > 0) {
957 reply->InjectOffsets(tr->data.ptr.offsets, tr->offsets_size / sizeof(binder_size_t));
958 reply->SetClearFdFlag();
959 }
960
961 return ERR_NONE;
962 }
963
HandleCommandsInner(uint32_t cmd)964 int BinderInvoker::HandleCommandsInner(uint32_t cmd)
965 {
966 int error = ERR_NONE;
967
968 switch (cmd) {
969 case BR_ERROR:
970 error = input_.ReadInt32();
971 break;
972 case BR_ACQUIRE:
973 case BR_INCREFS:
974 OnAcquireObject(cmd);
975 break;
976 case BR_RELEASE:
977 case BR_DECREFS:
978 OnReleaseObject(cmd);
979 break;
980 case BR_ATTEMPT_ACQUIRE:
981 OnAttemptAcquire();
982 break;
983 case BR_TRANSACTION_SEC_CTX:
984 case BR_TRANSACTION:
985 OnTransaction(cmd, error);
986 break;
987 case BR_SPAWN_LOOPER:
988 OnSpawnThread();
989 break;
990 case BR_FINISHED:
991 error = -ERR_TIMED_OUT;
992 break;
993 case BR_DEAD_BINDER:
994 OnBinderDied();
995 break;
996 case BR_OK:
997 case BR_NOOP:
998 break;
999 case BR_CLEAR_DEATH_NOTIFICATION_DONE:
1000 OnRemoveRecipientDone();
1001 break;
1002
1003 default:
1004 error = IPC_INVOKER_ON_TRANSACT_ERR;
1005 break;
1006 }
1007
1008 return error;
1009 }
1010
HandleCommands(uint32_t cmd)1011 int BinderInvoker::HandleCommands(uint32_t cmd)
1012 {
1013 auto start = std::chrono::steady_clock::now();
1014 int error = HandleCommandsInner(cmd);
1015 if (error != ERR_NONE && error != -ERR_TIMED_OUT) {
1016 if (ProcessSkeleton::IsPrint(error, lastErr_, lastErrCnt_)) {
1017 ZLOGE(LABEL, "HandleCommands cmd:%{public}u error:%{public}d", cmd, error);
1018 PrintParcelData(input_, "input_");
1019 PrintParcelData(output_, "output_");
1020 std::string backtrace;
1021 if (!GetBacktrace(backtrace, false)) {
1022 ZLOGE(LABEL, "GetBacktrace fail");
1023 } else {
1024 ZLOGW(LABEL, "backtrace info:\n%{public}s", backtrace.c_str());
1025 }
1026 }
1027 }
1028 if (cmd != BR_TRANSACTION) {
1029 auto finish = std::chrono::steady_clock::now();
1030 int duration = static_cast<int>(std::chrono::duration_cast<std::chrono::milliseconds>(
1031 finish - start).count());
1032 if (duration >= IPC_CMD_PROCESS_WARN_TIME) {
1033 ZLOGW(LABEL, "HandleCommands cmd:%{public}u cost time:%{public}dms", cmd, duration);
1034 }
1035 }
1036 return error;
1037 }
1038
JoinThread(bool initiative)1039 void BinderInvoker::JoinThread(bool initiative)
1040 {
1041 [[maybe_unused]] ThreadMigrationDisabler _d;
1042 isMainWorkThread = initiative;
1043 output_.WriteUint32(initiative ? BC_ENTER_LOOPER : BC_REGISTER_LOOPER);
1044 StartWorkLoop();
1045 output_.WriteUint32(BC_EXIT_LOOPER);
1046 // pass in nullptr directly
1047 FlushCommands(nullptr);
1048 ZLOGE(LABEL, "Current Thread:%{public}d is leaving", getpid());
1049 }
1050
JoinProcessThread(bool initiative)1051 void BinderInvoker::JoinProcessThread(bool initiative) {}
1052
UpdateConsumedData(const binder_write_read & bwr,const size_t outAvail)1053 void BinderInvoker::UpdateConsumedData(const binder_write_read &bwr, const size_t outAvail)
1054 {
1055 if (bwr.write_consumed > 0) {
1056 if (bwr.write_consumed < outAvail) {
1057 // we still have some bytes not been handled.
1058 PrintParcelData(input_, "input_");
1059 PrintParcelData(output_, "output_");
1060 ZLOGE(LABEL, "binder write_consumed:%{public}llu exception, "
1061 "outAvail:%{public}zu read_consumed:%{public}llu",
1062 bwr.write_consumed, outAvail, bwr.read_consumed);
1063 }
1064
1065 // Moves the data that is not consumed by the binder to the output_ buffer header.
1066 if (bwr.write_consumed < output_.GetDataSize()) {
1067 ZLOGI(LABEL, "moves the data that is not consumed by the binder, "
1068 "write_consumed:%{public}llu outAvail:%{public}zu GetDataSize:%{public}zu",
1069 bwr.write_consumed, outAvail, output_.GetDataSize());
1070 Parcel temp;
1071 temp.WriteBuffer(reinterpret_cast<void *>(output_.GetData() + bwr.write_consumed),
1072 output_.GetDataSize() - bwr.write_consumed);
1073 output_.FlushBuffer();
1074 output_.WriteBuffer(reinterpret_cast<void *>(temp.GetData()), temp.GetDataSize());
1075 } else {
1076 --sendNestCount_;
1077 if (sendNestCount_ > 0) {
1078 ZLOGW(LABEL, "unexpected sendNestCount:%{public}d", sendNestCount_.load());
1079 PrintParcelData(input_, "input_");
1080 PrintParcelData(output_, "output_");
1081 sendNestCount_ = 0;
1082 }
1083 output_.FlushBuffer();
1084 }
1085 }
1086 if (bwr.read_consumed > 0) {
1087 input_.SetDataSize(bwr.read_consumed);
1088 input_.RewindRead(0);
1089 }
1090 }
1091
TransactWithDriver(bool doRead)1092 int BinderInvoker::TransactWithDriver(bool doRead)
1093 {
1094 if ((binderConnector_ == nullptr) || (!binderConnector_->IsDriverAlive())) {
1095 return IPC_INVOKER_CONNECT_ERR;
1096 }
1097
1098 binder_write_read bwr;
1099 const bool needRead = input_.GetReadableBytes() == 0;
1100 const size_t outAvail = (!doRead || needRead) ? output_.GetDataSize() : 0;
1101
1102 bwr.write_size = (binder_size_t)outAvail;
1103 bwr.write_buffer = output_.GetData();
1104
1105 if (doRead && needRead) {
1106 bwr.read_size = input_.GetDataCapacity();
1107 bwr.read_buffer = input_.GetData();
1108 } else {
1109 bwr.read_size = 0;
1110 bwr.read_buffer = 0;
1111 }
1112 if ((bwr.write_size == 0) && (bwr.read_size == 0)) {
1113 return ERR_NONE;
1114 }
1115
1116 bwr.write_consumed = 0;
1117 bwr.read_consumed = 0;
1118 #ifdef CONFIG_ACTV_BINDER
1119 int error = binderConnector_->WriteBinder(GetBWRCommand(), &bwr);
1120 #else
1121 int error = binderConnector_->WriteBinder(BINDER_WRITE_READ, &bwr);
1122 #endif
1123 UpdateConsumedData(bwr, outAvail);
1124 if (error != ERR_NONE) {
1125 uint64_t curTime = static_cast<uint64_t>(std::chrono::duration_cast<std::chrono::nanoseconds>(
1126 std::chrono::steady_clock::now().time_since_epoch()).count());
1127 ZLOGE(LABEL, "fail, result:%{public}d time:%{public}" PRIu64, error, curTime);
1128 }
1129
1130 return error;
1131 }
1132
WriteTransaction(int cmd,uint32_t flags,int32_t handle,uint32_t code,const MessageParcel & data,const int32_t * status,size_t totalDBinderBufSize)1133 bool BinderInvoker::WriteTransaction(int cmd, uint32_t flags, int32_t handle, uint32_t code, const MessageParcel &data,
1134 const int32_t *status, size_t totalDBinderBufSize)
1135 {
1136 binder_transaction_data_sg tr_sg {};
1137 auto &tr = tr_sg.transaction_data;
1138 bool isContainPtrType = totalDBinderBufSize > 0;
1139
1140 tr.target.handle = (uint32_t)handle;
1141 tr.code = code;
1142 tr.flags = flags;
1143 tr.flags |= TF_ACCEPT_FDS;
1144 if (data.GetDataSize() > 0) {
1145 // Send this parcel's data through the binder.
1146 tr.data_size = data.GetDataSize();
1147 tr.data.ptr.buffer = (binder_uintptr_t)data.GetData();
1148 tr.offsets_size = data.GetOffsetsSize() * sizeof(binder_size_t);
1149 tr.data.ptr.offsets = data.GetObjectOffsets();
1150 tr_sg.buffers_size = isContainPtrType ? totalDBinderBufSize : 0;
1151 } else if (status != nullptr) {
1152 // Send this parcel's status through the binder.
1153 tr.flags |= TF_STATUS_CODE;
1154 tr.data_size = sizeof(int32_t);
1155 tr.data.ptr.buffer = reinterpret_cast<uintptr_t>(status);
1156 tr.offsets_size = 0;
1157 tr.data.ptr.offsets = 0;
1158 }
1159
1160 if (!output_.WriteInt32(cmd)) {
1161 ZLOGE(LABEL, "write cmd fail");
1162 return false;
1163 }
1164 const void *buf = isContainPtrType ? static_cast<const void *>(&tr_sg) : static_cast<const void *>(&tr);
1165 size_t bufSize = isContainPtrType ? sizeof(tr_sg) : sizeof(tr);
1166 bool ret = output_.WriteBuffer(buf, bufSize);
1167
1168 if (sendNestCount_ > 0) {
1169 ZLOGW(LABEL, "request nesting occurs, handle:%{public}d count:%{public}u", handle, sendNestCount_.load());
1170 PrintParcelData(input_, "input_");
1171 PrintParcelData(output_, "output_");
1172 std::string backtrace;
1173 if (!GetBacktrace(backtrace, false)) {
1174 ZLOGE(LABEL, "GetBacktrace fail");
1175 } else {
1176 ZLOGW(LABEL, "backtrace info:\n%{public}s", backtrace.c_str());
1177 }
1178 }
1179 ++sendNestCount_;
1180 return ret;
1181 }
1182
OnTransactionComplete(MessageParcel * reply,int32_t * acquireResult,bool & continueLoop,int32_t & error,uint32_t cmd)1183 void BinderInvoker::OnTransactionComplete(
1184 MessageParcel *reply, int32_t *acquireResult, bool &continueLoop, int32_t &error, uint32_t cmd)
1185 {
1186 (void)continueLoop;
1187 (void)error;
1188 (void)cmd;
1189
1190 if (reply == nullptr && acquireResult == nullptr) {
1191 continueLoop = false;
1192 }
1193 }
1194
OnDeadOrFailedReply(MessageParcel * reply,int32_t * acquireResult,bool & continueLoop,int32_t & error,uint32_t cmd)1195 void BinderInvoker::OnDeadOrFailedReply(
1196 MessageParcel *reply, int32_t *acquireResult, bool &continueLoop, int32_t &error, uint32_t cmd)
1197 {
1198 (void)reply;
1199
1200 error = static_cast<int32_t>(cmd);
1201 if (acquireResult != nullptr) {
1202 *acquireResult = cmd;
1203 }
1204 continueLoop = false;
1205 }
1206
OnAcquireResult(MessageParcel * reply,int32_t * acquireResult,bool & continueLoop,int32_t & error,uint32_t cmd)1207 void BinderInvoker::OnAcquireResult(
1208 MessageParcel *reply, int32_t *acquireResult, bool &continueLoop, int32_t &error, uint32_t cmd)
1209 {
1210 (void)reply;
1211 (void)error;
1212 (void)cmd;
1213
1214 int32_t result = input_.ReadInt32();
1215 if (acquireResult != nullptr) {
1216 *acquireResult = result ? ERR_NONE : ERR_INVALID_OPERATION;
1217 continueLoop = false;
1218 }
1219 }
1220
OnReply(MessageParcel * reply,int32_t * acquireResult,bool & continueLoop,int32_t & error,uint32_t cmd)1221 void BinderInvoker::OnReply(
1222 MessageParcel *reply, int32_t *acquireResult, bool &continueLoop, int32_t &error, uint32_t cmd)
1223 {
1224 (void)reply;
1225 (void)acquireResult;
1226 (void)cmd;
1227
1228 bool isStubRet = false;
1229 error = HandleReply(reply, isStubRet);
1230 if (isStubRet || error != IPC_INVOKER_INVALID_REPLY_ERR) {
1231 continueLoop = false;
1232 return;
1233 }
1234 error = ERR_NONE;
1235 }
1236
OnTranslationComplete(MessageParcel * reply,int32_t * acquireResult,bool & continueLoop,int32_t & error,uint32_t cmd)1237 void BinderInvoker::OnTranslationComplete(
1238 MessageParcel *reply, int32_t *acquireResult, bool &continueLoop, int32_t &error, uint32_t cmd)
1239 {
1240 (void)reply;
1241 (void)acquireResult;
1242 (void)error;
1243 (void)cmd;
1244
1245 uint32_t handle = input_.ReadUint32();
1246 if (reply != nullptr) {
1247 reply->WriteUint32(handle);
1248 }
1249 continueLoop = false;
1250 }
1251
DealWithCmd(MessageParcel * reply,int32_t * acquireResult,bool & continueLoop,int32_t & error,uint32_t cmd)1252 void BinderInvoker::DealWithCmd(
1253 MessageParcel *reply, int32_t *acquireResult, bool &continueLoop, int32_t &error, uint32_t cmd)
1254 {
1255 switch (cmd) {
1256 case BR_TRANSACTION_COMPLETE:
1257 OnTransactionComplete(reply, acquireResult, continueLoop, error, cmd);
1258 break;
1259 case BR_DEAD_REPLY:
1260 case BR_FAILED_REPLY:
1261 OnDeadOrFailedReply(reply, acquireResult, continueLoop, error, cmd);
1262 break;
1263 case BR_ACQUIRE_RESULT:
1264 OnAcquireResult(reply, acquireResult, continueLoop, error, cmd);
1265 break;
1266 case BR_REPLY:
1267 OnReply(reply, acquireResult, continueLoop, error, cmd);
1268 break;
1269 case BR_TRANSLATION_COMPLETE:
1270 OnTranslationComplete(reply, acquireResult, continueLoop, error, cmd);
1271 break;
1272 default:
1273 error = HandleCommands(cmd);
1274 if (error != ERR_NONE) {
1275 continueLoop = false;
1276 }
1277 break;
1278 }
1279 }
1280
WaitForCompletion(MessageParcel * reply,int32_t * acquireResult)1281 int BinderInvoker::WaitForCompletion(MessageParcel *reply, int32_t *acquireResult)
1282 {
1283 if ((binderConnector_ == nullptr) || (!binderConnector_->IsDriverAlive())) {
1284 ZLOGE(LABEL, "driver is died");
1285 return IPC_INVOKER_CONNECT_ERR;
1286 }
1287 uint32_t cmd;
1288 bool continueLoop = true;
1289 int error = ERR_NONE;
1290 while (continueLoop) {
1291 if ((error = TransactWithDriver()) < ERR_NONE) {
1292 break;
1293 }
1294 if (input_.GetReadableBytes() == 0) {
1295 continue;
1296 }
1297 cmd = input_.ReadUint32();
1298 DealWithCmd(reply, acquireResult, continueLoop, error, cmd);
1299 }
1300 return error;
1301 }
1302
StopWorkThread()1303 void BinderInvoker::StopWorkThread()
1304 {
1305 stopWorkThread = true;
1306 }
1307
PingService(int32_t handle)1308 bool BinderInvoker::PingService(int32_t handle)
1309 {
1310 MessageParcel data;
1311 MessageParcel reply;
1312 MessageOption option;
1313 int result = SendRequest(handle, PING_TRANSACTION, data, reply, option);
1314 return (result == ERR_NONE);
1315 }
1316
SetRegistryObject(sptr<IRemoteObject> & object)1317 bool BinderInvoker::SetRegistryObject(sptr<IRemoteObject> &object)
1318 {
1319 if ((binderConnector_ == nullptr) || (!binderConnector_->IsDriverAlive()) || (object == nullptr)) {
1320 return false;
1321 }
1322
1323 if (object->IsProxyObject()) {
1324 ZLOGE(LABEL, "set wrong object!");
1325 return false;
1326 }
1327
1328 #ifdef WITH_SELINUX
1329 flat_binder_object flat = {
1330 .flags = FLAT_BINDER_FLAG_TXN_SECURITY_CTX,
1331 };
1332
1333 int result = binderConnector_->WriteBinder(BINDER_SET_CONTEXT_MGR_EXT, &flat);
1334 if (result == ERR_NONE) {
1335 return true;
1336 }
1337 ZLOGI(LABEL, "fail, error:%{public}d", result);
1338 #endif
1339
1340 int dummy = 0;
1341 int res = binderConnector_->WriteBinder(BINDER_SET_CONTEXT_MGR, &dummy);
1342 if (res != ERR_NONE) {
1343 ZLOGE(LABEL, "fail, error:%{public}d", res);
1344 return false;
1345 }
1346
1347 return true;
1348 }
1349
FreeBuffer(void * data)1350 void BinderInvoker::FreeBuffer(void *data)
1351 {
1352 size_t rewindPos = output_.GetWritePosition();
1353 if (!output_.WriteUint32(BC_FREE_BUFFER)) {
1354 return;
1355 }
1356
1357 if (!output_.WritePointer((uintptr_t)data)) {
1358 if (!output_.RewindWrite(rewindPos)) {
1359 output_.FlushBuffer();
1360 }
1361 }
1362
1363 // Distribute data from output_ to the kernel for processing.
1364 int error = FlushCommands(nullptr);
1365 if (error != ERR_NONE) {
1366 ZLOGE(LABEL, "failed, error:%{public}d", error);
1367 }
1368 }
1369
Dealloc(void * data)1370 void BinderInvoker::BinderAllocator::Dealloc(void *data)
1371 {
1372 IRemoteInvoker *invoker = IPCThreadSkeleton::GetRemoteInvoker(IRemoteObject::IF_PROT_DEFAULT);
1373 if (invoker != nullptr) {
1374 invoker->FreeBuffer(data);
1375 }
1376 }
1377
GetCallerPid() const1378 pid_t BinderInvoker::GetCallerPid() const
1379 {
1380 // when the current caller information is self, obtain another binderinvoker
1381 auto pid = getpid();
1382 if (!status_ && pid != invokerInfo_.pid) {
1383 return invokerInfo_.pid;
1384 }
1385 return callerPid_;
1386 }
1387
GetCallerSid() const1388 std::string BinderInvoker::GetCallerSid() const
1389 {
1390 auto pid = getpid();
1391 if (!status_ && pid != invokerInfo_.pid) {
1392 return invokerInfo_.sid;
1393 }
1394 return callerSid_;
1395 }
1396
GetCallerRealPid() const1397 pid_t BinderInvoker::GetCallerRealPid() const
1398 {
1399 auto pid = getpid();
1400 if (!status_ && pid != invokerInfo_.pid) {
1401 return invokerInfo_.realPid;
1402 }
1403 return callerRealPid_;
1404 }
1405
GetCallerUid() const1406 uid_t BinderInvoker::GetCallerUid() const
1407 {
1408 auto pid = getpid();
1409 if (!status_ && pid != invokerInfo_.pid) {
1410 return invokerInfo_.uid;
1411 }
1412 return callerUid_;
1413 }
1414
GetCallerTokenID() const1415 uint64_t BinderInvoker::GetCallerTokenID() const
1416 {
1417 // If a process does NOT have a tokenid, the UID should be returned accordingly.
1418 auto pid = getpid();
1419 if (!status_ && pid != invokerInfo_.pid) {
1420 return (invokerInfo_.tokenId == 0) ? invokerInfo_.uid : invokerInfo_.tokenId;
1421 }
1422 return (callerTokenID_ == 0) ? callerUid_ : callerTokenID_;
1423 }
1424
GetFirstCallerTokenID() const1425 uint64_t BinderInvoker::GetFirstCallerTokenID() const
1426 {
1427 auto pid = getpid();
1428 if (!status_ && pid != invokerInfo_.pid) {
1429 return invokerInfo_.firstTokenId;
1430 }
1431 return firstTokenID_;
1432 }
1433
GetSelfTokenID() const1434 uint64_t BinderInvoker::GetSelfTokenID() const
1435 {
1436 if ((binderConnector_ == nullptr) || (!binderConnector_->IsDriverAlive())) {
1437 return 0;
1438 }
1439 uint64_t selfTokenId = binderConnector_->GetSelfTokenID();
1440 return (selfTokenId == 0) ? static_cast<uint64_t>(getuid()) : selfTokenId;
1441 }
1442
GetSelfFirstCallerTokenID() const1443 uint64_t BinderInvoker::GetSelfFirstCallerTokenID() const
1444 {
1445 if ((binderConnector_ == nullptr) || (!binderConnector_->IsDriverAlive())) {
1446 return 0;
1447 }
1448 uint64_t selfFirstCallerTokenId = binderConnector_->GetSelfFirstCallerTokenID();
1449 return (selfFirstCallerTokenId == 0) ? static_cast<uint32_t>(getuid()) : selfFirstCallerTokenId;
1450 }
1451
GetStatus()1452 uint32_t BinderInvoker::GetStatus()
1453 {
1454 if (status_ != BinderInvoker::ACTIVE_INVOKER) {
1455 auto current = ProcessSkeleton::GetInstance();
1456 if (current != nullptr) {
1457 bool flag = current->QueryInvokerProcInfo(true, invokerInfo_) && (getpid() != invokerInfo_.pid);
1458 return flag ? BinderInvoker::ACTIVE_INVOKER : BinderInvoker::IDLE_INVOKER;
1459 }
1460 }
1461 return status_;
1462 }
1463
SetStatus(uint32_t status)1464 void BinderInvoker::SetStatus(uint32_t status)
1465 {
1466 status_ = status;
1467 }
1468
GetLocalDeviceID()1469 std::string BinderInvoker::GetLocalDeviceID()
1470 {
1471 return "";
1472 }
1473
GetCallerDeviceID() const1474 std::string BinderInvoker::GetCallerDeviceID() const
1475 {
1476 return "";
1477 }
1478
IsLocalCalling()1479 bool BinderInvoker::IsLocalCalling()
1480 {
1481 return true;
1482 }
1483
FlattenObject(Parcel & parcel,const IRemoteObject * object) const1484 bool BinderInvoker::FlattenObject(Parcel &parcel, const IRemoteObject *object) const
1485 {
1486 if (object == nullptr) {
1487 return false;
1488 }
1489 flat_binder_object flat;
1490 flat.flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;
1491 if (object->IsProxyObject()) {
1492 const IPCObjectProxy *proxy = reinterpret_cast<const IPCObjectProxy *>(object);
1493 const int32_t handle = proxy ? static_cast<int32_t>(proxy->GetHandle()) : -1;
1494 flat.hdr.type = BINDER_TYPE_HANDLE;
1495 flat.binder = 0;
1496 flat.handle = (uint32_t)handle;
1497 flat.cookie = proxy ? static_cast<binder_uintptr_t>(proxy->GetProto()) : 0;
1498 } else {
1499 const IPCObjectStub *stub = reinterpret_cast<const IPCObjectStub *>(object);
1500 if (stub->GetRequestSidFlag()) {
1501 flat.flags |= FLAT_BINDER_FLAG_TXN_SECURITY_CTX;
1502 }
1503 flat.hdr.type = BINDER_TYPE_BINDER;
1504 flat.binder = reinterpret_cast<uintptr_t>(object->GetRefCounter());
1505 flat.cookie = reinterpret_cast<uintptr_t>(object);
1506 }
1507
1508 bool status = parcel.WriteBuffer(&flat, sizeof(flat_binder_object));
1509 if (!status) {
1510 ZLOGE(LABEL, "Fail to flatten object");
1511 }
1512 return status;
1513 }
1514
UnflattenObject(Parcel & parcel)1515 sptr<IRemoteObject> BinderInvoker::UnflattenObject(Parcel &parcel)
1516 {
1517 #ifndef CONFIG_IPC_SINGLE
1518 dbinder_negotiation_data dbinderData;
1519 bool isDBinderObj = UnFlattenDBinderObject(parcel, dbinderData);
1520 #endif
1521 if (!parcel.CheckOffsets()) {
1522 ZLOGE(LABEL, "Parcel CheckOffsets fail");
1523 return nullptr;
1524 }
1525 const uint8_t *buffer = parcel.ReadBuffer(sizeof(flat_binder_object), false);
1526 if (buffer == nullptr) {
1527 ZLOGE(LABEL, "null object buffer");
1528 return nullptr;
1529 }
1530 IPCProcessSkeleton *current = IPCProcessSkeleton::GetCurrent();
1531 if (current == nullptr) {
1532 return nullptr;
1533 }
1534
1535 sptr<IRemoteObject> remoteObject = nullptr;
1536 auto *flat = reinterpret_cast<const flat_binder_object *>(buffer);
1537 switch (flat->hdr.type) {
1538 case BINDER_TYPE_BINDER: {
1539 auto stubObject = reinterpret_cast<IRemoteObject *>(flat->cookie);
1540 if (!current->IsContainsObject(stubObject)) {
1541 ZLOGE(LABEL, "invalid binder cookie:%{public}llu", flat->cookie);
1542 return nullptr;
1543 }
1544 remoteObject = stubObject;
1545 break;
1546 }
1547 case BINDER_TYPE_HANDLE: {
1548 #ifndef CONFIG_IPC_SINGLE
1549 if (isDBinderObj) {
1550 ZLOGI(LABEL, "dbinder BINDER_TYPE_HANDLE");
1551 }
1552 remoteObject = current->FindOrNewObject(flat->handle, isDBinderObj ? &dbinderData : nullptr);
1553 #else
1554 remoteObject = current->FindOrNewObject(flat->handle);
1555 #endif
1556 break;
1557 }
1558 default:
1559 ZLOGE(LABEL, "unknown binder type:%{public}u", flat->hdr.type);
1560 break;
1561 }
1562 return remoteObject;
1563 }
1564
ReadFileDescriptor(Parcel & parcel)1565 int BinderInvoker::ReadFileDescriptor(Parcel &parcel)
1566 {
1567 int fd = -1;
1568 const uint8_t *buffer = parcel.ReadBuffer(sizeof(flat_binder_object), false);
1569 if (buffer == nullptr) {
1570 ZLOGE(LABEL, "UnflattenObject null object buffer");
1571 return fd;
1572 }
1573
1574 auto *flat = reinterpret_cast<const flat_binder_object *>(buffer);
1575 if (flat->hdr.type == BINDER_TYPE_FD || flat->hdr.type == BINDER_TYPE_FDR) {
1576 fd = flat->handle;
1577 ZLOGD(LABEL, "fd:%{public}d", fd);
1578 } else {
1579 ZLOGE(LABEL, "unknown binder type:%{public}u", flat->hdr.type);
1580 }
1581
1582 return fd;
1583 }
1584
WriteFileDescriptor(Parcel & parcel,int fd,bool takeOwnership)1585 bool BinderInvoker::WriteFileDescriptor(Parcel &parcel, int fd, bool takeOwnership)
1586 {
1587 flat_binder_object flat;
1588 flat.hdr.type = BINDER_TYPE_FD;
1589 flat.flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;
1590 flat.binder = 0; // Don't pass uninitialized stack data to a remote process
1591 flat.handle = static_cast<__u32>(fd);
1592 flat.cookie = takeOwnership ? 1 : 0;
1593
1594 return parcel.WriteBuffer(&flat, sizeof(flat_binder_object));
1595 }
1596
ResetCallingIdentity()1597 std::string BinderInvoker::ResetCallingIdentity()
1598 {
1599 pid_t tempPid = callerPid_;
1600 pid_t tempRealPid = callerRealPid_;
1601 pid_t tempUid = callerUid_;
1602 uint64_t tempTokenId = callerTokenID_;
1603 std::string tempSid = callerSid_;
1604
1605 auto pid = getpid();
1606 if (!status_ && pid != invokerInfo_.pid) {
1607 tempPid = invokerInfo_.pid;
1608 tempRealPid = invokerInfo_.realPid;
1609 tempUid = invokerInfo_.uid;
1610 tempTokenId = invokerInfo_.tokenId;
1611 tempSid = invokerInfo_.sid;
1612 }
1613
1614 char buf[ACCESS_TOKEN_MAX_LEN + 1] = {0};
1615 int ret = sprintf_s(buf, ACCESS_TOKEN_MAX_LEN + 1, "%010" PRIu64, tempTokenId);
1616 if (ret < 0) {
1617 ZLOGE(LABEL, "sprintf callerTokenID:%{public}" PRIu64 " failed", tempTokenId);
1618 return "";
1619 }
1620 std::string accessToken(buf);
1621 ret = sprintf_s(buf, ACCESS_TOKEN_MAX_LEN + 1, "%010d", tempRealPid);
1622 if (ret < 0) {
1623 ZLOGE(LABEL, "sprintf callerRealPid_:%{public}d failed", tempRealPid);
1624 return "";
1625 }
1626 std::string realPid(buf);
1627 std::string pidUid = std::to_string(((static_cast<uint64_t>(tempUid) << PID_LEN)
1628 | static_cast<uint64_t>(tempPid)));
1629 callerUid_ = static_cast<pid_t>(getuid());
1630 callerPid_ = getpid();
1631 callerRealPid_ = getprocpid();
1632 callerTokenID_ = GetSelfTokenID();
1633 callerSid_ = "";
1634 return tempSid + "<" + accessToken + realPid + pidUid; // '<' is the separator character
1635 }
1636
PrintIdentity(bool isPrint,bool isBefore)1637 void BinderInvoker::PrintIdentity(bool isPrint, bool isBefore)
1638 {
1639 if (!isPrint) {
1640 return;
1641 }
1642 ZLOGI(LABEL, "%{public}s callingIdentity, callerSid:%{public}s, callerTokenID:%{public}" PRIu64 ", \
1643 callerRealPid:%{public}u, callerUid:%{public}u, callerPid:%{public}u",
1644 isBefore ? "Before" : "After", callerSid_.c_str(), callerTokenID_, callerRealPid_, callerUid_, callerPid_);
1645 }
1646
SetCallingIdentity(std::string & identity,bool flag)1647 bool BinderInvoker::SetCallingIdentity(std::string &identity, bool flag)
1648 {
1649 if (identity.empty() || identity.length() <= ACCESS_TOKEN_MAX_LEN) {
1650 return false;
1651 }
1652 auto pos = identity.find('<');
1653 if (pos == std::string::npos) {
1654 return false;
1655 }
1656 PrintIdentity(flag, true);
1657 std::string callerSid;
1658 if (!ProcessSkeleton::GetSubStr(identity, callerSid, 0, pos)) {
1659 ZLOGE(LABEL, "Identity param callerSid is invalid");
1660 return false;
1661 }
1662 std::string tokenIdStr;
1663 if (!ProcessSkeleton::GetSubStr(identity, tokenIdStr, pos + 1, ACCESS_TOKEN_MAX_LEN) ||
1664 !ProcessSkeleton::IsNumStr(tokenIdStr)) {
1665 ZLOGE(LABEL, "Identity param tokenId is invalid");
1666 return false;
1667 }
1668 std::string realPidStr;
1669 if (!ProcessSkeleton::GetSubStr(identity, realPidStr, pos + 1 + ACCESS_TOKEN_MAX_LEN, ACCESS_TOKEN_MAX_LEN) ||
1670 !ProcessSkeleton::IsNumStr(realPidStr)) {
1671 ZLOGE(LABEL, "Identity param realPid is invalid");
1672 return false;
1673 }
1674 std::string pidUidStr;
1675 size_t offset = pos + 1 + ACCESS_TOKEN_MAX_LEN * PIDUID_OFFSET;
1676 if (identity.length() <= offset) {
1677 ZLOGE(LABEL, "Identity param no pidUid, len:%{public}zu, offset:%{public}zu", identity.length(), offset);
1678 return false;
1679 }
1680 size_t subLen = identity.length() - offset;
1681 if (!ProcessSkeleton::GetSubStr(identity, pidUidStr, offset, subLen) || !ProcessSkeleton::IsNumStr(pidUidStr)) {
1682 ZLOGE(LABEL, "Identity param pidUid is invalid");
1683 return false;
1684 }
1685 callerSid_ = callerSid;
1686 callerTokenID_ = std::stoull(tokenIdStr.c_str());
1687 callerRealPid_ = static_cast<int>(std::stoull(realPidStr.c_str()));
1688 uint64_t pidUid = std::stoull(pidUidStr.c_str());
1689 callerUid_ = static_cast<int>(pidUid >> PID_LEN);
1690 callerPid_ = static_cast<int>(pidUid);
1691 PrintIdentity(flag, false);
1692 return true;
1693 }
1694
GetStrongRefCountForStub(uint32_t handle)1695 uint32_t BinderInvoker::GetStrongRefCountForStub(uint32_t handle)
1696 {
1697 if ((binderConnector_ == nullptr) || (!binderConnector_->IsDriverAlive())) {
1698 return 0; // 0 means get failed
1699 }
1700 binder_node_info_for_ref info;
1701 memset_s(&info, sizeof(binder_node_info_for_ref), 0, sizeof(binder_node_info_for_ref));
1702
1703 info.handle = handle;
1704 int32_t result = binderConnector_->WriteBinder(BINDER_GET_NODE_INFO_FOR_REF, &info);
1705 if (result != ERR_NONE) {
1706 ZLOGE(LABEL, "WriteBinder failed, Error code %{public}d", result);
1707 return 0; // 0 means get failed
1708 }
1709
1710 return info.strong_count;
1711 }
1712
PrintParcelData(Parcel & parcel,const std::string & parcelName)1713 void BinderInvoker::PrintParcelData(Parcel &parcel, const std::string &parcelName)
1714 {
1715 std::string formatStr;
1716 size_t size = parcel.GetDataSize();
1717 auto data = reinterpret_cast<const uint8_t *>(parcel.GetData());
1718 size_t idex = 0;
1719 while (idex < size) {
1720 formatStr += std::to_string(data[idex]) + ',';
1721 ++idex;
1722 }
1723 ZLOGE(LABEL,
1724 "parcel name:%{public}s, size:%{public}zu, readpos:%{public}zu, writepos:%{public}zu, data:%{public}s",
1725 parcelName.c_str(), size, parcel.GetReadPosition(), parcel.GetWritePosition(), formatStr.c_str());
1726 }
1727
IsSendRequesting()1728 bool BinderInvoker::IsSendRequesting()
1729 {
1730 return sendRequestCount_ > 0;
1731 }
1732
ProcDeferredDecRefs()1733 void BinderInvoker::ProcDeferredDecRefs()
1734 {
1735 if (input_.GetReadableBytes() > 0) {
1736 return;
1737 }
1738 {
1739 std::lock_guard<std::mutex> lock(weakRefMutex_);
1740 for (size_t idx = 0; idx < decWeakRefs_.size(); ++idx) {
1741 auto &ref = decWeakRefs_[idx];
1742 ref->DecWeakRefCount(this);
1743 }
1744 decWeakRefs_.clear();
1745 }
1746 {
1747 ProcessSkeleton *current = ProcessSkeleton::GetInstance();
1748 if (current == nullptr) {
1749 ZLOGE(LABEL, "ProcessSkeleton is null");
1750 return;
1751 }
1752 std::lock_guard<std::mutex> lock(strongRefMutex_);
1753 for (size_t idx = 0; idx < decStrongRefs_.size(); ++idx) {
1754 auto &obj = decStrongRefs_[idx];
1755 std::u16string desc;
1756 if (!current->IsValidObject(obj, desc)) {
1757 ZLOGE(LABEL, "%{public}u is invalid", ProcessSkeleton::ConvertAddr(obj));
1758 continue;
1759 }
1760 std::string descTemp = Str16ToStr8(desc);
1761 CrashObjDumper dumper(descTemp.c_str());
1762 obj->DecStrongRef(this);
1763 }
1764 decStrongRefs_.clear();
1765 }
1766 }
1767
1768 #ifdef CONFIG_ACTV_BINDER
JoinActvThread(bool initiative)1769 void BinderInvoker::JoinActvThread(bool initiative)
1770 {
1771 IRemoteInvoker *remoteInvoker = IPCThreadSkeleton::GetRemoteInvoker(IRemoteObject::IF_PROT_BINDER);
1772 BinderInvoker *invoker = reinterpret_cast<BinderInvoker *>(remoteInvoker);
1773
1774 if (invoker != nullptr) {
1775 invoker->SetUseActvBinder(true);
1776 invoker->JoinThread(initiative);
1777 }
1778 }
1779
IsActvBinderService()1780 bool BinderInvoker::IsActvBinderService()
1781 {
1782 bool check = false;
1783 IRemoteInvoker *remoteInvoker = IPCThreadSkeleton::GetRemoteInvoker(IRemoteObject::IF_PROT_BINDER);
1784 BinderInvoker *invoker = reinterpret_cast<BinderInvoker *>(remoteInvoker);
1785
1786 if ((invoker != nullptr) && (invoker->binderConnector_ != nullptr)) {
1787 check = invoker->binderConnector_->IsActvBinderService();
1788 }
1789
1790 return check;
1791 }
1792 #endif // CONFIG_ACTV_BINDER
1793
1794 #ifdef CONFIG_IPC_SINGLE
1795 } // namespace IPC_SINGLE
1796 #endif
1797 } // namespace OHOS
1798