// SPDX-License-Identifier: GPL-2.0-only
/// Find a use after free.
//# Values of variables may imply that some
//# execution paths are not possible, resulting in false positives.
//# Another source of false positives are macros such as
//# SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument
///
// Confidence: Moderate
// Copyright: (C) 2010-2012 Nicolas Palix.
// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6.
// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6.
// URL: http://coccinelle.lip6.fr/
// Comments:
// Options: --no-includes --include-headers

// Reviewer notes on scope (read before trusting a clean run):
//  - Only calls to kfree() and kzfree() are treated as frees. Memory released
//    through any other function (for example kvfree() or kmem_cache_free())
//    is not seen, so "no reports" does not mean "no use after free".
//  - Matching is syntactic: the later use must be written as the same
//    expression E that was passed to the free. A use through an alias
//    (another variable holding the same pointer) is not matched.
//  - Each report is a candidate. Before acting on it, check that the path from
//    the free to the flagged line is feasible and that the flagged expression
//    really reads or dereferences the freed object.

// Output modes. The two script rules at the end of the file depend on these
// virtual rules, so output is produced only when one of them is enabled when
// the script is invoked.
virtual org
virtual report

// Rule "free": record every call kfree(E) or kzfree(E). E is the freed
// expression and p1 the position of the call; both are inherited by the rules
// below. The leading "*" marks the line for context-mode output.
@free@
expression E;
position p1;
@@

(
* kfree@p1(E)
|
* kzfree@p1(E)
)

// Rule "print": collect positions p where the freed expression E occurs in a
// form that rule "r" must not report (see the p2 constraint there):
//   - cast and passed to a function call that also takes a string constant
//   - compared with == or != against another expression, on either side
//   - negated with !
//   - as the left operand of ||
// NOTE(review): presumably these forms only inspect the pointer value and do
// not dereference it, which is why they are whitelisted -- confirm.
@print expression@
constant char [] c;
expression free.E,E2;
type T;
position p;
identifier f;
@@

(
 f(...,c,...,(T)E@p,...)
|
 E@p == E2
|
 E@p != E2
|
 E2 == E@p
|
 E2 != E@p
|
 !E@p
|
 E@p || ...
)

// Rule "sz": collect positions p where E occurs anywhere inside the operand
// of sizeof. These positions are also excluded from reporting by rule "r".
@sz@
expression free.E;
position p;
@@

sizeof(<+...E@p...+>)

// Rule "loop": collect positions "ok" of kfree()/kzfree() calls located in a
// "while (1)" body where, on all paths ("when forall"), the code following the
// free contains neither "break" nor "goto l". Rule "r" skips frees at these
// positions.
// NOTE(review): presumably this avoids flagging a use from the next loop
// iteration, where E may have been re-assigned -- confirm.
@loop exists@
expression E;
identifier l;
position ok;
@@

while (1) { ...
(
* kfree@ok(E)
|
* kzfree@ok(E)
)
  ... when != break;
      when != goto l;
      when forall
}

// Rule "r": the actual use-after-free search. "exists" means a single
// matching control-flow path is enough. Starting from a free of E (at a
// position p1 that is not one of loop.ok), follow the code that comes after
// it and look at the first place that matches one of the branches below.
// subE is E or a subexpression of E (subE<=free.E).
//
// The disjunction is ordered, so the branches listed first win. They stop the
// search without a report:
//   - subE passed to an iterator macro, or to list_remove_head()
//   - subE assigned, incremented or decremented (it no longer denotes the
//     freed pointer)
//   - the address of subE taken
//   - BUG(), BUG_ON(), return_VALUE() or return_ACPI_STATUS() reached
// Only when none of these applies does the last branch bind p2 to an
// occurrence of E after the free. p2 may not be one of the positions
// collected by rules "print" and "sz".
@r exists@
expression free.E, subE<=free.E, E2;
expression E1;
iterator iter;
statement S;
position free.p1!=loop.ok,p2!={print.p,sz.p};
@@

(
* kfree@p1(E,...)
|
* kzfree@p1(E,...)
)
...
(
 iter(...,subE,...) S // no use
|
 list_remove_head(E1,subE,...)
|
 subE = E2
|
 subE++
|
 ++subE
|
 --subE
|
 subE--
|
 &subE
|
 BUG(...)
|
 BUG_ON(...)
|
 return_VALUE(...)
|
 return_ACPI_STATUS(...)
|
 E@p2 // bad use
)

// Reporting. Both script rules below take the free position p1 from rule
// "free" and the use position p2 from rule "r", so they run once per
// (free, later use) pair found above. In org mode the free is printed as the
// main entry ("kfree") and the use as a secondary entry ("ref"). In report
// mode one message is attached to the use and names the line of the free.
@script:python depends on org@
p1 << free.p1;
p2 << r.p2;
@@

cocci.print_main("kfree",p1)
cocci.print_secs("ref",p2)

@script:python depends on report@
p1 << free.p1;
p2 << r.p2;
@@

msg = "ERROR: reference preceded by free on line %s" % (p1[0].line)
coccilib.report.print_report(p2[0],msg)