projects / mirror_ubuntu-jammy-kernel.git / blame
| Commit | Line | Data |
|---|---|---|
| 7f904d7e | 1 | // SPDX-License-Identifier: GPL-2.0-only |
| e90f6590 NP |
2 | /// Find a use after free. |
| 3 | //# Values of variables may imply that some | |
| 4 | //# execution paths are not possible, resulting in false positives. | |
| 5 | //# Another source of false positives are macros such as | |
| 6 | //# SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument | |
| 43ba21b5 NP |
7 | /// |
| 8 | // Confidence: Moderate | |
| 7f904d7e TG |
9 | // Copyright: (C) 2010-2012 Nicolas Palix. |
| 10 | // Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6. | |
| 11 | // Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6. | |
| 43ba21b5 NP |
12 | // URL: http://coccinelle.lip6.fr/ |
| 13 | // Comments: | |
| 93f14468 | 14 | // Options: --no-includes --include-headers |
| 43ba21b5 NP |
15 | |
| 16 | virtual org | |
| 17 | virtual report | |
| 18 | ||
| 19 | @free@ | |
| 20 | expression E; | |
| 21 | position p1; | |
| 22 | @@ | |
| 23 | ||
| 6dd9379e YD |
24 | ( |
| 25 | * kfree@p1(E) | |
| 26 | | | |
| 27 | * kzfree@p1(E) | |
| 28 | ) | |
| 43ba21b5 NP |
29 | |
| 30 | @print expression@ | |
| 29a36d4d | 31 | constant char [] c; |
| 43ba21b5 NP |
32 | expression free.E,E2; |
| 33 | type T; | |
| 34 | position p; | |
| 35 | identifier f; | |
| 36 | @@ | |
| 37 | ||
| 38 | ( | |
| 39 | f(...,c,...,(T)E@p,...) | |
| 40 | | | |
| 41 | E@p == E2 | |
| 42 | | | |
| 43 | E@p != E2 | |
| 29a36d4d JL |
44 | | |
| 45 | E2 == E@p | |
| 46 | | | |
| 47 | E2 != E@p | |
| 43ba21b5 NP |
48 | | |
| 49 | !E@p | |
| 50 | | | |
| 51 | E@p || ... | |
| 52 | ) | |
| 53 | ||
| 54 | @sz@ | |
| 55 | expression free.E; | |
| 56 | position p; | |
| 57 | @@ | |
| 58 | ||
| 59 | sizeof(<+...E@p...+>) | |
| 60 | ||
| 61 | @loop exists@ | |
| 62 | expression E; | |
| 63 | identifier l; | |
| 64 | position ok; | |
| 65 | @@ | |
| 66 | ||
| 67 | while (1) { ... | |
| 6dd9379e YD |
68 | ( |
| 69 | * kfree@ok(E) | |
| 70 | | | |
| 71 | * kzfree@ok(E) | |
| 72 | ) | |
| 43ba21b5 NP |
73 | ... when != break; |
| 74 | when != goto l; | |
| 75 | when forall | |
| 76 | } | |
| 77 | ||
| 78 | @r exists@ | |
| 79 | expression free.E, subE<=free.E, E2; | |
| 80 | expression E1; | |
| 81 | iterator iter; | |
| 82 | statement S; | |
| 83 | position free.p1!=loop.ok,p2!={print.p,sz.p}; | |
| 84 | @@ | |
| 85 | ||
| 6dd9379e YD |
86 | ( |
| 87 | * kfree@p1(E,...) | |
| 88 | | | |
| 89 | * kzfree@p1(E,...) | |
| 90 | ) | |
| 43ba21b5 NP |
91 | ... |
| 92 | ( | |
| 93 | iter(...,subE,...) S // no use | |
| 94 | | | |
| 95 | list_remove_head(E1,subE,...) | |
| 96 | | | |
| 97 | subE = E2 | |
| 98 | | | |
| 99 | subE++ | |
| 100 | | | |
| 101 | ++subE | |
| 102 | | | |
| 103 | --subE | |
| 104 | | | |
| 105 | subE-- | |
| 106 | | | |
| 107 | &subE | |
| 108 | | | |
| 109 | BUG(...) | |
| 110 | | | |
| 111 | BUG_ON(...) | |
| 112 | | | |
| 113 | return_VALUE(...) | |
| 114 | | | |
| 115 | return_ACPI_STATUS(...) | |
| 116 | | | |
| 117 | E@p2 // bad use | |
| 118 | ) | |
| 119 | ||
| 120 | @script:python depends on org@ | |
| 121 | p1 << free.p1; | |
| 122 | p2 << r.p2; | |
| 123 | @@ | |
| 124 | ||
| 125 | cocci.print_main("kfree",p1) | |
| 126 | cocci.print_secs("ref",p2) | |
| 127 | ||
| 128 | @script:python depends on report@ | |
| 129 | p1 << free.p1; | |
| 130 | p2 << r.p2; | |
| 131 | @@ | |
| 132 | ||
| 29a36d4d | 133 | msg = "ERROR: reference preceded by free on line %s" % (p1[0].line) |
| 43ba21b5 | 134 | coccilib.report.print_report(p2[0],msg) |