From 11cfdccfd3cfceb08732909a1489419ff0229694 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arve=20Hj=C3=B8nnev=C3=A5g?=
Date: Fri, 14 Feb 2014 20:14:02 -0800
Subject: [PATCH 1/3] Binder: Disable attemptIncStrongHandle

The driver does not support BC_ATTEMPT_ACQUIRE and will return an error. IPCThreadState does not handle driver errors, and will resend the failed command blocking all other commands.

Change-Id: I643986037341821b27b62dc82df933844f4842b8
---
 libs/binder/IPCThreadState.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libs/binder/IPCThreadState.cpp b/libs/binder/IPCThreadState.cpp
index cb42549aa..779630959 100644
--- a/libs/binder/IPCThreadState.cpp
+++ b/libs/binder/IPCThreadState.cpp
@@ -635,6 +635,7 @@ void IPCThreadState::decWeakHandle(int32_t handle)

 status_t IPCThreadState::attemptIncStrongHandle(int32_t handle)
 {
+#if HAS_BC_ATTEMPT_ACQUIRE
 LOG_REMOTEREFS("IPCThreadState::attemptIncStrongHandle(%d)\n", handle);
 mOut.writeInt32(BC_ATTEMPT_ACQUIRE);
 mOut.writeInt32(0); // xxx was thread priority
@@ -649,6 +650,11 @@ status_t IPCThreadState::attemptIncStrongHandle(int32_t handle)
 #endif

 return result;
+#else
+ (void)handle;
+ ALOGE("%s(%d): Not supported\n", __func__, handle);
+ return INVALID_OPERATION;
+#endif
 }

 void IPCThreadState::expungeHandle(int32_t handle, IBinder* binder)

From 87b30d0447829167b2d83f4f61f702638d937524 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arve=20Hj=C3=B8nnev=C3=A5g?=
Date: Tue, 18 Feb 2014 21:04:31 -0800
Subject: [PATCH 2/3] Binder: Don't cast directly from a pointer to binder_uintptr_t

When using the 64 bit binder interface from a 32 bit process the pointer may get sign extended and cause the kernel to fail to read from it.

Change-Id: I90fcf53880e2aa92e230a9723f9b3f7696170e32
---
 libs/binder/IPCThreadState.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libs/binder/IPCThreadState.cpp b/libs/binder/IPCThreadState.cpp
index 779630959..65329f5e9 100644
--- a/libs/binder/IPCThreadState.cpp
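Review bot: `#if HAS_BC_ATTEMPT_ACQUIRE` relies on an undefined macro silently evaluating to 0; nothing in this series defines it, so the original body becomes dead code by default and a build with -Wundef will warn on this line. If the intent is "off unless a platform opts in", `#if defined(HAS_BC_ATTEMPT_ACQUIRE) && HAS_BC_ATTEMPT_ACQUIRE` plus a one-line comment saying where it is expected to be defined makes that explicit; if the intent is to retire the path, deleting it is cleaner than preprocessor-guarding it. attemptIncStrongHandle's body continues into the second hunk, and the lines between the two hunks are not shown.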
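Review bot: `(void)handle;` on the `#else` path is redundant, because `handle` is used by the `ALOGE` call on the very next line; drop it unless some build configuration compiles ALOGE out. Worth a sentence in the commit message as well: per the description the underlying defect — IPCThreadState re-sending a command the driver rejected and thereby blocking all other commands on that thread — is not fixed here, only one known way of triggering it is removed, so a later caller that issues any other unsupported command will hit the same stall. The start of attemptIncStrongHandle is in the previous hunk.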
+++ b/libs/binder/IPCThreadState.cpp
@@ -921,7 +921,7 @@ status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags,
 tr.flags |= TF_STATUS_CODE;
 *statusBuffer = err;
 tr.data_size = sizeof(status_t);
- tr.data.ptr.buffer = reinterpret_cast(statusBuffer);
+ tr.data.ptr.buffer = reinterpret_cast(statusBuffer);
 tr.offsets_size = 0;
 tr.data.ptr.offsets = 0;
 } else {

From 07fd0f195db6d341cab4e54257f508d802c98832 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arve=20Hj=C3=B8nnev=C3=A5g?=
Date: Tue, 18 Feb 2014 21:10:29 -0800
Subject: [PATCH 3/3] Binder: Fix some valgrind errors.

When using 64 bit binder pointers, only initializing the 32 bit handle, in a stack allocated struct, will pass uninitialized stack data to the kernel and other processes.

Change-Id: I3432d9d36bb251d8ddb0a863661aeb80aabb3d92
---
 libs/binder/IPCThreadState.cpp | 1 +
 libs/binder/Parcel.cpp | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/libs/binder/IPCThreadState.cpp b/libs/binder/IPCThreadState.cpp
index 65329f5e9..35dba1221 100644
--- a/libs/binder/IPCThreadState.cpp
+++ b/libs/binder/IPCThreadState.cpp
@@ -904,6 +904,7 @@ status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags,
 {
 binder_transaction_data tr;
+ tr.target.ptr = 0; /* Don't pass uninitialized stack data to a remote process */
 tr.target.handle = handle;
 tr.code = code;
 tr.flags = binderFlags;
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 03bcf01e5..9f56def83 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -164,6 +164,7 @@ status_t flatten_binder(const sp& /*proc*/,
 }
 const int32_t handle = proxy ? proxy->handle() : 0;
 obj.type = BINDER_TYPE_HANDLE;
+ obj.binder = 0; /* Don't pass uninitialized stack data to a remote process */
 obj.handle = handle;
 obj.cookie = 0;
 } else {
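Review bot: The reason the `tr.data.ptr.buffer` line changes is invisible at the site — the `-` and `+` lines read identically here because the template argument of the reinterpret_cast was lost in extraction, and even in the original diff a two-step cast looks like a no-op to a later reader who may "simplify" it back. Put the commit message's rationale on the new line, e.g. `// Cast via a pointer-sized unsigned type first: a direct pointer -> binder_uintptr_t cast sign-extends a 32-bit address and the kernel then cannot read the buffer.` If the other assignments of pointers into `tr.data.ptr.*` elsewhere in writeTransactionData (outside this hunk, not shown) use the same direct cast, they presumably need the same treatment. The function begins and ends outside the hunk.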
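Review bot: Zeroing `tr.target.ptr` covers only the `target` union; `binder_transaction_data tr;` still leaves every other member (and any padding the ABI may add) uninitialized, so freedom from the same leak depends on each remaining field being assigned later in the function, outside this hunk and not shown. Because this struct is handed to the kernel and forwarded to the peer process, the robust form is to clear it where it is declared — `binder_transaction_data tr;` followed by `memset(&tr, 0, sizeof(tr));` (needs <string.h> if not already included) — which also survives a future widening of any union member. The same point applies to the three `flat_binder_object obj;` sites patched in Parcel.cpp (both handle branches of flatten_binder, where `obj` is declared outside the hunks, and writeFileDescriptor); the per-field `obj.binder = 0;` lines can then be dropped or kept as documentation of the hazard.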
@@ -197,6 +198,7 @@ status_t flatten_binder(const sp& /*proc*/,
 }
 const int32_t handle = proxy ? proxy->handle() : 0;
 obj.type = BINDER_TYPE_WEAK_HANDLE;
+ obj.binder = 0; /* Don't pass uninitialized stack data to a remote process */
 obj.handle = handle;
 obj.cookie = 0;
 } else {
@@ -748,6 +750,7 @@ status_t Parcel::writeFileDescriptor(int fd, bool takeOwnership)
 flat_binder_object obj;
 obj.type = BINDER_TYPE_FD;
 obj.flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;
+ obj.binder = 0; /* Don't pass uninitialized stack data to a remote process */
 obj.handle = fd;
 obj.cookie = takeOwnership ? 1 : 0;
 return writeObject(obj, true);