diff options
Diffstat (limited to 'libs/binder')
| -rw-r--r-- | libs/binder/IMemory.cpp | 18 | ||||
| -rw-r--r-- | libs/binder/IPCThreadState.cpp | 12 | ||||
| -rw-r--r-- | libs/binder/Parcel.cpp | 62 |
3 files changed, 77 insertions, 15 deletions
diff --git a/libs/binder/IMemory.cpp b/libs/binder/IMemory.cpp index 3f2198a..f59867a 100644 --- a/libs/binder/IMemory.cpp +++ b/libs/binder/IMemory.cpp @@ -26,6 +26,7 @@ #include <sys/mman.h> #include <binder/IMemory.h> +#include <cutils/log.h> #include <utils/KeyedVector.h> #include <utils/threads.h> #include <utils/Atomic.h> @@ -191,15 +192,26 @@ sp<IMemoryHeap> BpMemory::getMemory(ssize_t* offset, size_t* size) const if (heap != 0) { mHeap = interface_cast<IMemoryHeap>(heap); if (mHeap != 0) { - mOffset = o; - mSize = s; + size_t heapSize = mHeap->getSize(); + if (s <= heapSize + && o >= 0 + && (static_cast<size_t>(o) <= heapSize - s)) { + mOffset = o; + mSize = s; + } else { + // Hm. + android_errorWriteWithInfoLog(0x534e4554, + "26877992", -1, NULL, 0); + mOffset = 0; + mSize = 0; + } } } } } if (offset) *offset = mOffset; if (size) *size = mSize; - return mHeap; + return (mSize > 0) ? mHeap : 0; } // --------------------------------------------------------------------------- diff --git a/libs/binder/IPCThreadState.cpp b/libs/binder/IPCThreadState.cpp index ef88181..af18e11 100644 --- a/libs/binder/IPCThreadState.cpp +++ b/libs/binder/IPCThreadState.cpp @@ -1083,8 +1083,16 @@ status_t IPCThreadState::executeCommand(int32_t cmd) << reinterpret_cast<const size_t*>(tr.data.ptr.offsets) << endl; } if (tr.target.ptr) { - sp<BBinder> b((BBinder*)tr.cookie); - error = b->transact(tr.code, buffer, &reply, tr.flags); + // We only have a weak reference on the target object, so we must first try to + // safely acquire a strong reference before doing anything else with it. + if (reinterpret_cast<RefBase::weakref_type*>( + tr.target.ptr)->attemptIncStrong(this)) { + error = reinterpret_cast<BBinder*>(tr.cookie)->transact(tr.code, buffer, + &reply, tr.flags); + reinterpret_cast<BBinder*>(tr.cookie)->decStrong(this); + } else { + error = UNKNOWN_TRANSACTION; + } } else { error = the_context_object->transact(tr.code, buffer, &reply, tr.flags); diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index 4f539a8..65e67d6 100644 --- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp @@ -18,6 +18,8 @@ //#define LOG_NDEBUG 0 #include <binder/Parcel.h> +#include <fcntl.h> +#include <pthread.h> #include <binder/IPCThreadState.h> #include <binder/Binder.h> @@ -42,6 +44,9 @@ #include <stdlib.h> #include <stdint.h> #include <sys/mman.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <unistd.h> #ifndef INT32_MAX #define INT32_MAX ((int32_t)(2147483647)) @@ -95,6 +100,32 @@ enum { BLOB_ASHMEM_MUTABLE = 2, }; +static dev_t ashmem_rdev() +{ + static dev_t __ashmem_rdev; + static pthread_mutex_t __ashmem_rdev_lock = PTHREAD_MUTEX_INITIALIZER; + + pthread_mutex_lock(&__ashmem_rdev_lock); + + dev_t rdev = __ashmem_rdev; + if (!rdev) { + int fd = TEMP_FAILURE_RETRY(open("/dev/ashmem", O_RDONLY)); + if (fd >= 0) { + struct stat st; + + int ret = TEMP_FAILURE_RETRY(fstat(fd, &st)); + close(fd); + if ((ret >= 0) && S_ISCHR(st.st_mode)) { + rdev = __ashmem_rdev = st.st_rdev; + } + } + } + + pthread_mutex_unlock(&__ashmem_rdev_lock); + + return rdev; +} + void acquire_object(const sp<ProcessState>& proc, const flat_binder_object& obj, const void* who, size_t* outAshmemSize) { @@ -123,8 +154,10 @@ void acquire_object(const sp<ProcessState>& proc, return; } case BINDER_TYPE_FD: { - if (obj.cookie != 0) { - if (outAshmemSize != NULL) { + if ((obj.cookie != 0) && (outAshmemSize != NULL)) { + struct stat st; + int ret = fstat(obj.handle, &st); + if (!ret && S_ISCHR(st.st_mode) && (st.st_rdev == ashmem_rdev())) { // If we own an ashmem fd, keep track of how much memory it refers to. int size = ashmem_get_size_region(obj.handle); if (size > 0) { @@ -173,15 +206,18 @@ static void release_object(const sp<ProcessState>& proc, return; } case BINDER_TYPE_FD: { - if (outAshmemSize != NULL) { - if (obj.cookie != 0) { - int size = ashmem_get_size_region(obj.handle); - if (size > 0) { - *outAshmemSize -= size; + if (obj.cookie != 0) { // owned + if (outAshmemSize != NULL) { + struct stat st; + int ret = fstat(obj.handle, &st); + if (!ret && S_ISCHR(st.st_mode) && (st.st_rdev == ashmem_rdev())) { + int size = ashmem_get_size_region(obj.handle); + if (size > 0) { + *outAshmemSize -= size; + } } - - close(obj.handle); } + close(obj.handle); #ifdef DISABLE_ASHMEM_TRACKING } else if (obj.cookie != 0) { close(obj.handle); @@ -1389,7 +1425,13 @@ native_handle* Parcel::readNativeHandle() const for (int i=0 ; err==NO_ERROR && i<numFds ; i++) { h->data[i] = dup(readFileDescriptor()); - if (h->data[i] < 0) err = BAD_VALUE; + if (h->data[i] < 0) { + for (int j = 0; j < i; j++) { + close(h->data[j]); + } + native_handle_delete(h); + return 0; + } } err = read(h->data + numFds, sizeof(int)*numInts); if (err != NO_ERROR) { |