Blame - scripts/coccinelle/free/kfree.cocci - SHIFTPHONES/mainline/linux

blob: ac438da4fd7b183d9a6eeec255a6672856d1c1f6 [file] [log] [blame]

Nicolas Palix	e90f659	2010-10-08 21:27:39 +0200	[diff] [blame]	1	/// Find a use after free.
				2	//# Values of variables may imply that some
				3	//# execution paths are not possible, resulting in false positives.
				4	//# Another source of false positives are macros such as
				5	//# SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument
Nicolas Palix	43ba21b	2010-08-24 17:39:04 +0200	[diff] [blame]	6	///
				7	// Confidence: Moderate
Julia Lawall	29a36d4	2012-01-14 23:41:54 +0100	[diff] [blame]	8	// Copyright: (C) 2010-2012 Nicolas Palix. GPLv2.
				9	// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6. GPLv2.
				10	// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6. GPLv2.
Nicolas Palix	43ba21b	2010-08-24 17:39:04 +0200	[diff] [blame]	11	// URL: http://coccinelle.lip6.fr/
				12	// Comments:
Nicolas Palix	93f1446	2013-06-20 13:10:56 +0200	[diff] [blame]	13	// Options: --no-includes --include-headers
Nicolas Palix	43ba21b	2010-08-24 17:39:04 +0200	[diff] [blame]	14
				15	virtual org
				16	virtual report
				17
				18	@free@
				19	expression E;
				20	position p1;
				21	@@
				22
Yann Droneaud	6dd9379	2016-05-23 17:07:19 +0200	[diff] [blame]	23	(
				24	* kfree@p1(E)
				25	\|
				26	* kzfree@p1(E)
				27	)
Nicolas Palix	43ba21b	2010-08-24 17:39:04 +0200	[diff] [blame]	28
				29	@print expression@
Julia Lawall	29a36d4	2012-01-14 23:41:54 +0100	[diff] [blame]	30	constant char [] c;
Nicolas Palix	43ba21b	2010-08-24 17:39:04 +0200	[diff] [blame]	31	expression free.E,E2;
				32	type T;
				33	position p;
				34	identifier f;
				35	@@
				36
				37	(
				38	f(...,c,...,(T)E@p,...)
				39	\|
				40	E@p == E2
				41	\|
				42	E@p != E2
				43	\|
Julia Lawall	29a36d4	2012-01-14 23:41:54 +0100	[diff] [blame]	44	E2 == E@p
				45	\|
				46	E2 != E@p
				47	\|
Nicolas Palix	43ba21b	2010-08-24 17:39:04 +0200	[diff] [blame]	48	!E@p
				49	\|
				50	E@p \|\| ...
				51	)
				52
				53	@sz@
				54	expression free.E;
				55	position p;
				56	@@
				57
				58	sizeof(<+...E@p...+>)
				59
				60	@loop exists@
				61	expression E;
				62	identifier l;
				63	position ok;
				64	@@
				65
				66	while (1) { ...
Yann Droneaud	6dd9379	2016-05-23 17:07:19 +0200	[diff] [blame]	67	(
				68	* kfree@ok(E)
				69	\|
				70	* kzfree@ok(E)
				71	)
Nicolas Palix	43ba21b	2010-08-24 17:39:04 +0200	[diff] [blame]	72	... when != break;
				73	when != goto l;
				74	when forall
				75	}
				76
				77	@r exists@
				78	expression free.E, subE<=free.E, E2;
				79	expression E1;
				80	iterator iter;
				81	statement S;
				82	position free.p1!=loop.ok,p2!={print.p,sz.p};
				83	@@
				84
Yann Droneaud	6dd9379	2016-05-23 17:07:19 +0200	[diff] [blame]	85	(
				86	* kfree@p1(E,...)
				87	\|
				88	* kzfree@p1(E,...)
				89	)
Nicolas Palix	43ba21b	2010-08-24 17:39:04 +0200	[diff] [blame]	90	...
				91	(
				92	iter(...,subE,...) S // no use
				93	\|
				94	list_remove_head(E1,subE,...)
				95	\|
				96	subE = E2
				97	\|
				98	subE++
				99	\|
				100	++subE
				101	\|
				102	--subE
				103	\|
				104	subE--
				105	\|
				106	&subE
				107	\|
				108	BUG(...)
				109	\|
				110	BUG_ON(...)
				111	\|
				112	return_VALUE(...)
				113	\|
				114	return_ACPI_STATUS(...)
				115	\|
				116	E@p2 // bad use
				117	)
				118
				119	@script:python depends on org@
				120	p1 << free.p1;
				121	p2 << r.p2;
				122	@@
				123
				124	cocci.print_main("kfree",p1)
				125	cocci.print_secs("ref",p2)
				126
				127	@script:python depends on report@
				128	p1 << free.p1;
				129	p2 << r.p2;
				130	@@
				131
Julia Lawall	29a36d4	2012-01-14 23:41:54 +0100	[diff] [blame]	132	msg = "ERROR: reference preceded by free on line %s" % (p1[0].line)
Nicolas Palix	43ba21b	2010-08-24 17:39:04 +0200	[diff] [blame]	133	coccilib.report.print_report(p2[0],msg)