2019-06-04 15:11:38 +07:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2010-10-09 02:27:39 +07:00
|
|
|
/// Find a use after free.
|
|
|
|
|
//# Values of variables may imply that some
|
|
|
|
|
//# execution paths are not possible, resulting in false positives.
|
|
|
|
|
//# Another source of false positives are macros such as
|
|
|
|
|
//# SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument
|
2010-08-24 22:39:04 +07:00
|
|
|
///
|
|
|
|
|
// Confidence: Moderate
|
2019-06-04 15:11:38 +07:00
|
|
|
// Copyright: (C) 2010-2012 Nicolas Palix.
|
|
|
|
|
// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6.
|
|
|
|
|
// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6.
|
2010-08-24 22:39:04 +07:00
|
|
|
// URL: http://coccinelle.lip6.fr/
|
|
|
|
|
// Comments:
|
2013-06-20 18:10:56 +07:00
|
|
|
// Options: --no-includes --include-headers
|
2010-08-24 22:39:04 +07:00
|
|
|
|
|
|
|
|
virtual org
|
|
|
|
|
virtual report
|
|
|
|
|
|
|
|
|
|
@free@
|
|
|
|
|
expression E;
|
|
|
|
|
position p1;
|
|
|
|
|
@@
|
|
|
|
|
|
2016-05-23 22:07:19 +07:00
|
|
|
(
|
|
|
|
|
* kfree@p1(E)
|
|
|
|
|
|
|
2020-08-07 13:18:13 +07:00
|
|
|
* kfree_sensitive@p1(E)
|
2016-05-23 22:07:19 +07:00
|
|
|
)
|
2010-08-24 22:39:04 +07:00
|
|
|
|
|
|
|
|
@print expression@
|
2012-01-15 05:41:54 +07:00
|
|
|
constant char [] c;
|
2010-08-24 22:39:04 +07:00
|
|
|
expression free.E,E2;
|
|
|
|
|
type T;
|
|
|
|
|
position p;
|
|
|
|
|
identifier f;
|
|
|
|
|
@@
|
|
|
|
|
|
|
|
|
|
(
|
|
|
|
|
f(...,c,...,(T)E@p,...)
|
|
|
|
|
|
|
|
|
|
|
E@p == E2
|
|
|
|
|
|
|
|
|
|
|
E@p != E2
|
2012-01-15 05:41:54 +07:00
|
|
|
|
|
|
|
|
|
E2 == E@p
|
|
|
|
|
|
|
|
|
|
|
E2 != E@p
|
2010-08-24 22:39:04 +07:00
|
|
|
|
|
|
|
|
|
!E@p
|
|
|
|
|
|
|
|
|
|
|
E@p || ...
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
@sz@
|
|
|
|
|
expression free.E;
|
|
|
|
|
position p;
|
|
|
|
|
@@
|
|
|
|
|
|
|
|
|
|
sizeof(<+...E@p...+>)
|
|
|
|
|
|
|
|
|
|
@loop exists@
|
|
|
|
|
expression E;
|
|
|
|
|
identifier l;
|
|
|
|
|
position ok;
|
|
|
|
|
@@
|
|
|
|
|
|
|
|
|
|
while (1) { ...
|
2016-05-23 22:07:19 +07:00
|
|
|
(
|
|
|
|
|
* kfree@ok(E)
|
|
|
|
|
|
|
2020-08-07 13:18:13 +07:00
|
|
|
* kfree_sensitive@ok(E)
|
2016-05-23 22:07:19 +07:00
|
|
|
)
|
2010-08-24 22:39:04 +07:00
|
|
|
... when != break;
|
|
|
|
|
when != goto l;
|
|
|
|
|
when forall
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@r exists@
|
|
|
|
|
expression free.E, subE<=free.E, E2;
|
|
|
|
|
expression E1;
|
|
|
|
|
iterator iter;
|
|
|
|
|
statement S;
|
|
|
|
|
position free.p1!=loop.ok,p2!={print.p,sz.p};
|
|
|
|
|
@@
|
|
|
|
|
|
2016-05-23 22:07:19 +07:00
|
|
|
(
|
|
|
|
|
* kfree@p1(E,...)
|
|
|
|
|
|
|
2020-08-07 13:18:13 +07:00
|
|
|
* kfree_sensitive@p1(E,...)
|
2016-05-23 22:07:19 +07:00
|
|
|
)
|
2010-08-24 22:39:04 +07:00
|
|
|
...
|
|
|
|
|
(
|
|
|
|
|
iter(...,subE,...) S // no use
|
|
|
|
|
|
|
|
|
|
|
list_remove_head(E1,subE,...)
|
|
|
|
|
|
|
|
|
|
|
subE = E2
|
|
|
|
|
|
|
|
|
|
|
subE++
|
|
|
|
|
|
|
|
|
|
|
++subE
|
|
|
|
|
|
|
|
|
|
|
--subE
|
|
|
|
|
|
|
|
|
|
|
subE--
|
|
|
|
|
|
|
|
|
|
|
&subE
|
|
|
|
|
|
|
|
|
|
|
BUG(...)
|
|
|
|
|
|
|
|
|
|
|
BUG_ON(...)
|
|
|
|
|
|
|
|
|
|
|
return_VALUE(...)
|
|
|
|
|
|
|
|
|
|
|
return_ACPI_STATUS(...)
|
|
|
|
|
|
|
|
|
|
|
E@p2 // bad use
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
@script:python depends on org@
|
|
|
|
|
p1 << free.p1;
|
|
|
|
|
p2 << r.p2;
|
|
|
|
|
@@
|
|
|
|
|
|
|
|
|
|
cocci.print_main("kfree",p1)
|
|
|
|
|
cocci.print_secs("ref",p2)
|
|
|
|
|
|
|
|
|
|
@script:python depends on report@
|
|
|
|
|
p1 << free.p1;
|
|
|
|
|
p2 << r.p2;
|
|
|
|
|
@@
|
|
|
|
|
|
2012-01-15 05:41:54 +07:00
|
|
|
msg = "ERROR: reference preceded by free on line %s" % (p1[0].line)
|
2010-08-24 22:39:04 +07:00
|
|
|
coccilib.report.print_report(p2[0],msg)
|
