Home Explore Help
Sign In
weimzh
/
amlogic-aml8726-mx-kernel
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
amlogic-aml8...
/
scripts
/
coccinelle
/
free
/
kfree.cocci

kfree.cocci 1.6 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118 
  1. /// Find a use after free.
    2. 

  2. //# Values of variables may imply that some
    3. 

  3. //# execution paths are not possible, resulting in false positives.
    4. 

  4. //# Another source of false positives are macros such as
    5. 

  5. //# SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument
    6. 

  6. ///
    7. 

  7. // Confidence: Moderate
    8. 

  8. // Copyright: (C) 2010 Nicolas Palix, DIKU.  GPLv2.
    9. 

  9. // Copyright: (C) 2010 Julia Lawall, DIKU.  GPLv2.
    10. 

  10. // Copyright: (C) 2010 Gilles Muller, INRIA/LiP6.  GPLv2.
    11. 

  11. // URL: http://coccinelle.lip6.fr/
    12. 

  12. // Comments:
    13. 

  13. // Options: -no_includes -include_headers
    14. 

  14. 

  15. virtual org
    16. 

  16. virtual report
    17. 

  17. 

  18. @free@
    19. 

  19. expression E;
    20. 

  20. position p1;
    21. 

  21. @@
    22. 

  22. 

  23. kfree@p1(E)
    24. 

  24. 

  25. @print expression@
    26. 

  26. constant char *c;
    27. 

  27. expression free.E,E2;
    28. 

  28. type T;
    29. 

  29. position p;
    30. 

  30. identifier f;
    31. 

  31. @@
    32. 

  32. 

  33. (
    34. 

  34.  f(...,c,...,(T)E@p,...)
    35. 

  35. |
    36. 

  36.  E@p == E2
    37. 

  37. |
    38. 

  38.  E@p != E2
    39. 

  39. |
    40. 

  40.  !E@p
    41. 

  41. |
    42. 

  42.  E@p || ...
    43. 

  43. )
    44. 

  44. 

  45. @sz@
    46. 

  46. expression free.E;
    47. 

  47. position p;
    48. 

  48. @@
    49. 

  49. 

  50.  sizeof(<+...E@p...+>)
    51. 

  51. 

  52. @loop exists@
    53. 

  53. expression E;
    54. 

  54. identifier l;
    55. 

  55. position ok;
    56. 

  56. @@
    57. 

  57. 

  58. while (1) { ...
    59. 

  59.   kfree@ok(E)
    60. 

  60.   ... when != break;
    61. 

  61.       when != goto l;
    62. 

  62.       when forall
    63. 

  63. }
    64. 

  64. 

  65. @r exists@
    66. 

  66. expression free.E, subE<=free.E, E2;
    67. 

  67. expression E1;
    68. 

  68. iterator iter;
    69. 

  69. statement S;
    70. 

  70. position free.p1!=loop.ok,p2!={print.p,sz.p};
    71. 

  71. @@
    72. 

  72. 

  73. kfree@p1(E,...)
    74. 

  74. ...
    75. 

  75. (
    76. 

  76.  iter(...,subE,...) S // no use
    77. 

  77. |
    78. 

  78.  list_remove_head(E1,subE,...)
    79. 

  79. |
    80. 

  80.  subE = E2
    81. 

  81. |
    82. 

  82.  subE++
    83. 

  83. |
    84. 

  84.  ++subE
    85. 

  85. |
    86. 

  86.  --subE
    87. 

  87. |
    88. 

  88.  subE--
    89. 

  89. |
    90. 

  90.  &subE
    91. 

  91. |
    92. 

  92.  BUG(...)
    93. 

  93. |
    94. 

  94.  BUG_ON(...)
    95. 

  95. |
    96. 

  96.  return_VALUE(...)
    97. 

  97. |
    98. 

  98.  return_ACPI_STATUS(...)
    99. 

  99. |
    100. 

  100.  E@p2 // bad use
    101. 

  101. )
    102. 

  102. 

  103. @script:python depends on org@
    104. 

  104. p1 << free.p1;
    105. 

  105. p2 << r.p2;
    106. 

  106. @@
    107. 

  107. 

  108. cocci.print_main("kfree",p1)
    109. 

  109. cocci.print_secs("ref",p2)
    110. 

  110. 

  111. @script:python depends on report@
    112. 

  112. p1 << free.p1;
    113. 

  113. p2 << r.p2;
    114. 

  114. @@
    115. 

  115. 

  116. msg = "reference preceded by free on line %s" % (p1[0].line)
    117. 

  117. coccilib.report.print_report(p2[0],msg)
    118. 

  118.