libgbinder icon indicating copy to clipboard operation
libgbinder copied to clipboard

Published 20 hours ago verified publisher icon mer-hybris

[gbinder] fix sending NULL binder object

Open peat-psuwit opened this issue 5 months ago • 2 comments

  • Use BINDER_TYPE_BINDER for NULL local object. 3 reasons:
    • This is what encode_remote_object() does. I see no reason a NULL local object should be encoded differently than a NULL remote object.
    • This is what Parcel.cpp does when flattening a NULL binder [1]. This is contrary to what is said in PR #99 [2]; I'm not sure why PR #99 said it uses BINDER_TYPE_HANDLE.
    • More importantly, BINDER_TYPE_HANDLE number 0 does NOT represent a NULL binder. According to the comment at [3], handle number 0 actually represent the context manager. So, by sending BINDER_TYPE_HANDLE number 0, we're sending context manager, not a NULL binder.

[1]: https://android.googlesource.com/platform/frameworks/native/+/refs/tags/android-14.0.0_r1/libs/binder/Parcel.cpp#277 [2]: https://github.com/mer-hybris/libgbinder/pull/99 [3]: https://android.googlesource.com/platform/frameworks/native/+/refs/tags/android-14.0.0_r1/libs/binder/ProcessState.cpp#336

  • Writer: don't write object offset for NULL binder object Writing offset will trigger the kernel-side code to transform the flat binder object into the handle form, which (in my understanding) is not a valid operation for a NULL binder object. Meanwhile, the receiving side will create a corresponding Binder object from such handle, tripping the stability check as it will no longer accept UNDECLARED.

    OTOH, if the offset is not written, then the receiving side will receive the flat binder object as-is, with type BINDER and pointer NULL, which will be interpreted as NULL binder. This is also what Android's Parcel.cpp does [4][5].

    IMO, this is sort of a hack. Binder kernel driver should handle the NULL binder internally, and not relying on the sender doing the correct thing. Meanwhile, the receiver should always reject a flat binder object of type BINDER. But that's how Android work, so... 🤷

[4]: https://github.com/LineageOS/android_frameworks_native/blob/lineage-19.1/libs/binder/Parcel.cpp#L1327-L1332 [5]: https://github.com/LineageOS/android_frameworks_native/blob/lineage-19.1/libs/binder/Parcel.cpp#L2023-L2029

peat-psuwit avatar Oct 02 '24 16:10 peat-psuwit