kfree.cocci 1.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122
  1. /// Find a use after free.
  2. //# Values of variables may imply that some
  3. //# execution paths are not possible, resulting in false positives.
  4. //# Another source of false positives are macros such as
  5. //# SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument
  6. ///
  7. // Confidence: Moderate
  8. // Copyright: (C) 2010-2012 Nicolas Palix. GPLv2.
  9. // Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6. GPLv2.
  10. // Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6. GPLv2.
  11. // URL: http://coccinelle.lip6.fr/
  12. // Comments:
  13. // Options: -no_includes -include_headers
  14. virtual org
  15. virtual report
  16. @free@
  17. expression E;
  18. position p1;
  19. @@
  20. kfree@p1(E)
  21. @print expression@
  22. constant char [] c;
  23. expression free.E,E2;
  24. type T;
  25. position p;
  26. identifier f;
  27. @@
  28. (
  29. f(...,c,...,(T)E@p,...)
  30. |
  31. E@p == E2
  32. |
  33. E@p != E2
  34. |
  35. E2 == E@p
  36. |
  37. E2 != E@p
  38. |
  39. !E@p
  40. |
  41. E@p || ...
  42. )
  43. @sz@
  44. expression free.E;
  45. position p;
  46. @@
  47. sizeof(<+...E@p...+>)
  48. @loop exists@
  49. expression E;
  50. identifier l;
  51. position ok;
  52. @@
  53. while (1) { ...
  54. kfree@ok(E)
  55. ... when != break;
  56. when != goto l;
  57. when forall
  58. }
  59. @r exists@
  60. expression free.E, subE<=free.E, E2;
  61. expression E1;
  62. iterator iter;
  63. statement S;
  64. position free.p1!=loop.ok,p2!={print.p,sz.p};
  65. @@
  66. kfree@p1(E,...)
  67. ...
  68. (
  69. iter(...,subE,...) S // no use
  70. |
  71. list_remove_head(E1,subE,...)
  72. |
  73. subE = E2
  74. |
  75. subE++
  76. |
  77. ++subE
  78. |
  79. --subE
  80. |
  81. subE--
  82. |
  83. &subE
  84. |
  85. BUG(...)
  86. |
  87. BUG_ON(...)
  88. |
  89. return_VALUE(...)
  90. |
  91. return_ACPI_STATUS(...)
  92. |
  93. E@p2 // bad use
  94. )
  95. @script:python depends on org@
  96. p1 << free.p1;
  97. p2 << r.p2;
  98. @@
  99. cocci.print_main("kfree",p1)
  100. cocci.print_secs("ref",p2)
  101. @script:python depends on report@
  102. p1 << free.p1;
  103. p2 << r.p2;
  104. @@
  105. msg = "ERROR: reference preceded by free on line %s" % (p1[0].line)
  106. coccilib.report.print_report(p2[0],msg)