sys/linux: improve binder descriptions

Add few new ioctl's. Add some typedefs for clarity.
dvyukov · May 14, 2019 · 36c1564 · 36c1564
1 parent b2793a5
commit 36c1564
Show file tree

Hide file tree

Showing 13 changed files with 335 additions and 54 deletions.
diff --git a/executor/defs.h b/executor/defs.h
@@ -60,7 +60,7 @@
 
 #if GOARCH_386
 #define GOARCH "386"
-#define SYZ_REVISION "3d52a222b87f6036a84f338de14740f34a4a74d3"
+#define SYZ_REVISION "c481fc548f8495652321938cc664cda692bb3640"
 #define SYZ_EXECUTOR_USES_FORK_SERVER 1
 #define SYZ_EXECUTOR_USES_SHMEM 1
 #define SYZ_PAGE_SIZE 4096
@@ -70,7 +70,7 @@
 
 #if GOARCH_amd64
 #define GOARCH "amd64"
-#define SYZ_REVISION "1e8b2cbaae600fa5e394e2174cddf8ccf7041300"
+#define SYZ_REVISION "c3ca596ec5a418716e3ed1df1d9f03f6614fb8c9"
 #define SYZ_EXECUTOR_USES_FORK_SERVER 1
 #define SYZ_EXECUTOR_USES_SHMEM 1
 #define SYZ_PAGE_SIZE 4096
@@ -80,7 +80,7 @@
 
 #if GOARCH_arm
 #define GOARCH "arm"
-#define SYZ_REVISION "4a47ba2821cf130ddc502d985baaad7845663453"
+#define SYZ_REVISION "755e72f507bfba544c5361f262fc77fb932a5e2d"
 #define SYZ_EXECUTOR_USES_FORK_SERVER 1
 #define SYZ_EXECUTOR_USES_SHMEM 1
 #define SYZ_PAGE_SIZE 4096
@@ -90,7 +90,7 @@
 
 #if GOARCH_arm64
 #define GOARCH "arm64"
-#define SYZ_REVISION "dff930cd81891aa2da786dab8783efe0de057abb"
+#define SYZ_REVISION "ac163f5b11f81bf7691ef0b1f6e6be60c286f750"
 #define SYZ_EXECUTOR_USES_FORK_SERVER 1
 #define SYZ_EXECUTOR_USES_SHMEM 1
 #define SYZ_PAGE_SIZE 4096
@@ -100,7 +100,7 @@
 
 #if GOARCH_ppc64le
 #define GOARCH "ppc64le"
-#define SYZ_REVISION "0f540c7bfaa1f375f0b49062ef69700e13a1aa94"
+#define SYZ_REVISION "c9b32a0e01f79a400b0dde6e9094c8bde5adc209"
 #define SYZ_EXECUTOR_USES_FORK_SERVER 1
 #define SYZ_EXECUTOR_USES_SHMEM 1
 #define SYZ_PAGE_SIZE 4096

diff --git a/executor/syscalls.h b/executor/syscalls.h
@@ -2057,7 +2057,9 @@ const call_t syscalls[] = {
     {"ioctl$ASHMEM_SET_PROT_MASK", 54},
     {"ioctl$ASHMEM_SET_SIZE", 54},
     {"ioctl$BINDER_GET_NODE_DEBUG_INFO", 54},
+    {"ioctl$BINDER_GET_NODE_INFO_FOR_REF", 54},
     {"ioctl$BINDER_SET_CONTEXT_MGR", 54},
+    {"ioctl$BINDER_SET_CONTEXT_MGR_EXT", 54},
     {"ioctl$BINDER_SET_MAX_THREADS", 54},
     {"ioctl$BINDER_THREAD_EXIT", 54},
     {"ioctl$BINDER_WRITE_READ", 54},
@@ -4751,7 +4753,9 @@ const call_t syscalls[] = {
     {"ioctl$ASHMEM_SET_PROT_MASK", 16},
     {"ioctl$ASHMEM_SET_SIZE", 16},
     {"ioctl$BINDER_GET_NODE_DEBUG_INFO", 16},
+    {"ioctl$BINDER_GET_NODE_INFO_FOR_REF", 16},
     {"ioctl$BINDER_SET_CONTEXT_MGR", 16},
+    {"ioctl$BINDER_SET_CONTEXT_MGR_EXT", 16},
     {"ioctl$BINDER_SET_MAX_THREADS", 16},
     {"ioctl$BINDER_THREAD_EXIT", 16},
     {"ioctl$BINDER_WRITE_READ", 16},
@@ -7427,7 +7431,9 @@ const call_t syscalls[] = {
     {"ioctl$ASHMEM_SET_PROT_MASK", 54},
     {"ioctl$ASHMEM_SET_SIZE", 54},
     {"ioctl$BINDER_GET_NODE_DEBUG_INFO", 54},
+    {"ioctl$BINDER_GET_NODE_INFO_FOR_REF", 54},
     {"ioctl$BINDER_SET_CONTEXT_MGR", 54},
+    {"ioctl$BINDER_SET_CONTEXT_MGR_EXT", 54},
     {"ioctl$BINDER_SET_MAX_THREADS", 54},
     {"ioctl$BINDER_THREAD_EXIT", 54},
     {"ioctl$BINDER_WRITE_READ", 54},
@@ -10054,7 +10060,9 @@ const call_t syscalls[] = {
     {"ioctl$ASHMEM_SET_PROT_MASK", 29},
     {"ioctl$ASHMEM_SET_SIZE", 29},
     {"ioctl$BINDER_GET_NODE_DEBUG_INFO", 29},
+    {"ioctl$BINDER_GET_NODE_INFO_FOR_REF", 29},
     {"ioctl$BINDER_SET_CONTEXT_MGR", 29},
+    {"ioctl$BINDER_SET_CONTEXT_MGR_EXT", 29},
     {"ioctl$BINDER_SET_MAX_THREADS", 29},
     {"ioctl$BINDER_THREAD_EXIT", 29},
     {"ioctl$BINDER_WRITE_READ", 29},
@@ -12674,7 +12682,9 @@ const call_t syscalls[] = {
     {"ioctl$ASHMEM_SET_PROT_MASK", 54},
     {"ioctl$ASHMEM_SET_SIZE", 54},
     {"ioctl$BINDER_GET_NODE_DEBUG_INFO", 54},
+    {"ioctl$BINDER_GET_NODE_INFO_FOR_REF", 54},
     {"ioctl$BINDER_SET_CONTEXT_MGR", 54},
+    {"ioctl$BINDER_SET_CONTEXT_MGR_EXT", 54},
     {"ioctl$BINDER_SET_MAX_THREADS", 54},
     {"ioctl$BINDER_THREAD_EXIT", 54},
     {"ioctl$BINDER_WRITE_READ", 54},

diff --git a/sys/linux/dev_binder.txt b/sys/linux/dev_binder.txt
@@ -11,15 +11,20 @@ include <linux/fcntl.h>
 resource fd_binder[fd]
 resource binder_ptr[int64]: 0
 
+type binder_handle int32[0:4]
+type binder_cookie int64[0:4]
+
 syz_open_dev$binder(dev ptr[in, string["/dev/binder#"]], id proc[0, 1], flags flags[binder_open_flags]) fd_binder
 
 mmap$binder(addr vma, len len[addr], prot flags[mmap_prot], flags flags[mmap_flags], fd fd_binder, offset fileoff) binder_ptr
 
-ioctl$BINDER_SET_MAX_THREADS(fd fd_binder, cmd const[BINDER_SET_MAX_THREADS], nthreads int32)
+ioctl$BINDER_SET_MAX_THREADS(fd fd_binder, cmd const[BINDER_SET_MAX_THREADS], arg ptr[in, int32])
 ioctl$BINDER_SET_CONTEXT_MGR(fd fd_binder, cmd const[BINDER_SET_CONTEXT_MGR], arg const[0])
+ioctl$BINDER_SET_CONTEXT_MGR_EXT(fd fd_binder, cmd const[BINDER_SET_CONTEXT_MGR_EXT], arg ptr[in, flat_binder_object])
 ioctl$BINDER_THREAD_EXIT(fd fd_binder, cmd const[BINDER_THREAD_EXIT], arg const[0])
 ioctl$BINDER_GET_NODE_DEBUG_INFO(fd fd_binder, cmd const[BINDER_GET_NODE_DEBUG_INFO], arg ptr[inout, binder_node_debug_info])
 ioctl$BINDER_WRITE_READ(fd fd_binder, cmd const[BINDER_WRITE_READ], arg ptr[in, binder_write_read])
+ioctl$BINDER_GET_NODE_INFO_FOR_REF(fd fd_binder, cmd const[BINDER_GET_NODE_INFO_FOR_REF], arg ptr[in, binder_node_info_for_ref])
 
 binder_open_flags = O_RDWR, O_NONBLOCK
 _ = __NR_mmap2
@@ -31,6 +36,15 @@ binder_node_debug_info {
 	has_weak_ref	const[0, int32]
 }
 
+binder_node_info_for_ref {
+	handle		binder_handle
+	strong_count	const[0, int32]
+	weak_count	const[0, int32]
+	reserved1	const[0, int32]
+	reserved2	const[0, int32]
+	reserved3	const[0, int32]
+}
+
 binder_write_read {
 	write_size	bytesize[write_buffer, int64]
 	write_consumed	const[0, int64]
@@ -81,10 +95,10 @@ binder_cmd_reply_sg {
 } [packed]
 
 binder_transaction_data {
-	handle		int32[0:4]
+	handle		binder_handle
 # there is a union of handle with binder_uintptr_t
 	pad		const[0, int32]
-	cookie		int64[0:4]
+	cookie		binder_cookie
 	code		const[0, int32]
 	flags		flags[binder_transaction_flags, int32]
 	sender_pid	const[0, int32]
@@ -97,6 +111,7 @@ binder_transaction_data {
 
 binder_transaction_data_sg {
 	trx		binder_transaction_data
+# NEED: buffers_size should be multiple of 8.
 	buffers_size	int64
 } [packed]
 
@@ -113,22 +128,28 @@ binder_object [
 	ptr	binder_buffer_object
 ] [varlen]
 
-flat_binder_object {
-	type	flags[binder_flat_types, int32]
+flat_binder_object [
+	binder		flat_binder_object_t[BINDER_TYPE_BINDER, binder_ptr]
+	weak_binder	flat_binder_object_t[BINDER_TYPE_WEAK_BINDER, binder_ptr]
+	handle		flat_binder_object_t[BINDER_TYPE_HANDLE, binder_handle]
+	weak_handle	flat_binder_object_t[BINDER_TYPE_WEAK_HANDLE, binder_handle]
+]
+
+type flat_binder_object_t[TYP, DATA] {
+	type	const[TYP, int32]
 	flags	flags[binder_flat_flags, int32]
-	binder	binder_ptr
-	cookie	int64[0:4]
+	binder	DATA
+	cookie	binder_cookie
 }
 
-binder_flat_types = BINDER_TYPE_BINDER, BINDER_TYPE_WEAK_BINDER, BINDER_TYPE_HANDLE, BINDER_TYPE_WEAK_HANDLE
-binder_flat_flags = 1, 10, FLAT_BINDER_FLAG_ACCEPTS_FDS
+binder_flat_flags = 1, 10, FLAT_BINDER_FLAG_ACCEPTS_FDS, FLAT_BINDER_FLAG_TXN_SECURITY_CTX
 
 binder_fd_object {
 	type	const[BINDER_TYPE_FD, int32]
 	pad	const[0, int32]
 	fd	fd
 	pad2	const[0, int32]
-	cookie	int64[0:4]
+	cookie	binder_cookie
 }
 
 binder_fd_array_object {
@@ -140,8 +161,8 @@ binder_fd_array_object {
 
 binder_buffer_object {
 	type		const[BINDER_TYPE_PTR, int32]
-	flags		int32[0:1]
-	buffer		ptr64[in, const[0, int8]]
+	flags		bool32
+	buffer		ptr64[in, array[int8]]
 	length		bytesize[buffer, int64]
 	parnt		int64[0:4]
 	parent_offset	int64[0:64]
@@ -175,13 +196,13 @@ binder_cmd_decrefs {
 binder_cmd_increfs_done {
 	cmd	const[BC_INCREFS_DONE, int32]
 	ptr	binder_ptr
-	cookie	int64[0:4]
+	cookie	binder_cookie
 } [packed]
 
 binder_cmd_acquire_done {
 	cmd	const[BC_ACQUIRE_DONE, int32]
 	ptr	binder_ptr
-	cookie	int64[0:4]
+	cookie	binder_cookie
 } [packed]
 
 binder_cmd_register_looper {
@@ -198,17 +219,17 @@ binder_cmd_exit_looper {
 
 binder_cmd_request_death {
 	cmd	const[BC_REQUEST_DEATH_NOTIFICATION, int32]
-	handle	int32[0:4]
-	cookie	int64[0:4]
+	handle	binder_handle
+	cookie	binder_cookie
 } [packed]
 
 binder_cmd_clear_death {
 	cmd	const[BC_CLEAR_DEATH_NOTIFICATION, int32]
-	handle	int32[0:4]
-	cookie	int64[0:4]
+	handle	binder_handle
+	cookie	binder_cookie
 } [packed]
 
 binder_cmd_dead_binder_done {
 	cmd	const[BC_DEAD_BINDER_DONE, int32]
-	cookie	int64[0:4]
+	cookie	binder_cookie
 } [packed]
diff --git a/sys/linux/dev_binder_386.const b/sys/linux/dev_binder_386.const
@@ -17,7 +17,9 @@ BC_REQUEST_DEATH_NOTIFICATION = 1074553614
 BC_TRANSACTION = 1077961472
 BC_TRANSACTION_SG = 1078485777
 BINDER_GET_NODE_DEBUG_INFO = 3222823435
+BINDER_GET_NODE_INFO_FOR_REF = 3222823436
 BINDER_SET_CONTEXT_MGR = 1074029063
+BINDER_SET_CONTEXT_MGR_EXT = 1075339789
 BINDER_SET_MAX_THREADS = 1074029061
 BINDER_THREAD_EXIT = 1074029064
 BINDER_TYPE_BINDER = 1935813253
@@ -29,6 +31,7 @@ BINDER_TYPE_WEAK_BINDER = 2002922117
 BINDER_TYPE_WEAK_HANDLE = 2003315333
 BINDER_WRITE_READ = 3224396289
 FLAT_BINDER_FLAG_ACCEPTS_FDS = 256
+FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 4096
 O_NONBLOCK = 2048
 O_RDWR = 2
 TF_ACCEPT_FDS = 16

diff --git a/sys/linux/dev_binder_amd64.const b/sys/linux/dev_binder_amd64.const
@@ -17,7 +17,9 @@ BC_REQUEST_DEATH_NOTIFICATION = 1074553614
 BC_TRANSACTION = 1077961472
 BC_TRANSACTION_SG = 1078485777
 BINDER_GET_NODE_DEBUG_INFO = 3222823435
+BINDER_GET_NODE_INFO_FOR_REF = 3222823436
 BINDER_SET_CONTEXT_MGR = 1074029063
+BINDER_SET_CONTEXT_MGR_EXT = 1075339789
 BINDER_SET_MAX_THREADS = 1074029061
 BINDER_THREAD_EXIT = 1074029064
 BINDER_TYPE_BINDER = 1935813253
@@ -29,6 +31,7 @@ BINDER_TYPE_WEAK_BINDER = 2002922117
 BINDER_TYPE_WEAK_HANDLE = 2003315333
 BINDER_WRITE_READ = 3224396289
 FLAT_BINDER_FLAG_ACCEPTS_FDS = 256
+FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 4096
 O_NONBLOCK = 2048
 O_RDWR = 2
 TF_ACCEPT_FDS = 16

diff --git a/sys/linux/dev_binder_arm.const b/sys/linux/dev_binder_arm.const
@@ -17,7 +17,9 @@ BC_REQUEST_DEATH_NOTIFICATION = 1074553614
 BC_TRANSACTION = 1077961472
 BC_TRANSACTION_SG = 1078485777
 BINDER_GET_NODE_DEBUG_INFO = 3222823435
+BINDER_GET_NODE_INFO_FOR_REF = 3222823436
 BINDER_SET_CONTEXT_MGR = 1074029063
+BINDER_SET_CONTEXT_MGR_EXT = 1075339789
 BINDER_SET_MAX_THREADS = 1074029061
 BINDER_THREAD_EXIT = 1074029064
 BINDER_TYPE_BINDER = 1935813253
@@ -29,6 +31,7 @@ BINDER_TYPE_WEAK_BINDER = 2002922117
 BINDER_TYPE_WEAK_HANDLE = 2003315333
 BINDER_WRITE_READ = 3224396289
 FLAT_BINDER_FLAG_ACCEPTS_FDS = 256
+FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 4096
 O_NONBLOCK = 2048
 O_RDWR = 2
 TF_ACCEPT_FDS = 16

diff --git a/sys/linux/dev_binder_arm64.const b/sys/linux/dev_binder_arm64.const
@@ -17,7 +17,9 @@ BC_REQUEST_DEATH_NOTIFICATION = 1074553614
 BC_TRANSACTION = 1077961472
 BC_TRANSACTION_SG = 1078485777
 BINDER_GET_NODE_DEBUG_INFO = 3222823435
+BINDER_GET_NODE_INFO_FOR_REF = 3222823436
 BINDER_SET_CONTEXT_MGR = 1074029063
+BINDER_SET_CONTEXT_MGR_EXT = 1075339789
 BINDER_SET_MAX_THREADS = 1074029061
 BINDER_THREAD_EXIT = 1074029064
 BINDER_TYPE_BINDER = 1935813253
@@ -29,6 +31,7 @@ BINDER_TYPE_WEAK_BINDER = 2002922117
 BINDER_TYPE_WEAK_HANDLE = 2003315333
 BINDER_WRITE_READ = 3224396289
 FLAT_BINDER_FLAG_ACCEPTS_FDS = 256
+FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 4096
 O_NONBLOCK = 2048
 O_RDWR = 2
 TF_ACCEPT_FDS = 16

diff --git a/sys/linux/dev_binder_ppc64le.const b/sys/linux/dev_binder_ppc64le.const
@@ -17,7 +17,9 @@ BC_REQUEST_DEATH_NOTIFICATION = 2148295438
 BC_TRANSACTION = 2151703296
 BC_TRANSACTION_SG = 2152227601
 BINDER_GET_NODE_DEBUG_INFO = 3222823435
+BINDER_GET_NODE_INFO_FOR_REF = 3222823436
 BINDER_SET_CONTEXT_MGR = 2147770887
+BINDER_SET_CONTEXT_MGR_EXT = 2149081613
 BINDER_SET_MAX_THREADS = 2147770885
 BINDER_THREAD_EXIT = 2147770888
 BINDER_TYPE_BINDER = 1935813253
@@ -29,6 +31,7 @@ BINDER_TYPE_WEAK_BINDER = 2002922117
 BINDER_TYPE_WEAK_HANDLE = 2003315333
 BINDER_WRITE_READ = 3224396289
 FLAT_BINDER_FLAG_ACCEPTS_FDS = 256
+FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 4096
 O_NONBLOCK = 2048
 O_RDWR = 2
 TF_ACCEPT_FDS = 16