v6.8
  1// SPDX-License-Identifier: GPL-2.0-only
  2/// Find a use after free.
  3//# Values of variables may imply that some
  4//# execution paths are not possible, resulting in false positives.
  5//# Another source of false positives are macros such as
  6//# SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument
  7///
  8// Confidence: Moderate
  9// Copyright: (C) 2010-2012 Nicolas Palix.
 10// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6.
 11// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6.
 12// URL: https://coccinelle.gitlabpages.inria.fr/website
 13// Comments:
 14// Options: --no-includes --include-headers
 15
   // Output modes. Each of the two script:python rules at the end of this
   // file depends on one of these virtual rules, so findings are printed only
   // when the caller enables "org" or "report" (e.g. spatch -D report).
 16virtual org
 17virtual report
 18
   // Rule "free": match every call to kfree() or kfree_sensitive(), binding
   // the freed expression to E and the position of the call to p1. Later
   // rules inherit both as free.E and free.p1.
 19@free@
 20expression E;
 21position p1;
 22@@
 23
 24(
 25 kfree@p1(E)
 26|
 27 kfree_sensitive@p1(E)
 28)
 29
   // Rule "print": record positions p where the freed expression E is only
   // inspected as a value: passed as (T)E to a call that also takes a string
   // constant earlier in its argument list, compared with == or !=, negated
   // with !, or used as the left operand of ||. Rule "r" excludes these
   // positions from its "bad use" branch (p2!={print.p,sz.p}), so they are
   // never reported.
   // NOTE(review): the string-constant branch presumably targets printk-style
   // logging of the pointer value. Any call of that shape is exempted whether
   // or not the callee dereferences E, so it can hide a real use -- confirm.
 30@print expression@
 31constant char [] c;
 32expression free.E,E2;
 33type T;
 34position p;
 35identifier f;
 36@@
 37
 38(
 39 f(...,c,...,(T)E@p,...)
 40|
 41 E@p == E2
 42|
 43 E@p != E2
 44|
 45 E2 == E@p
 46|
 47 E2 != E@p
 48|
 49 !E@p
 50|
 51 E@p || ...
 52)
 53
   // Rule "sz": record positions p where E appears anywhere inside a sizeof
   // operand. sizeof normally does not evaluate its operand, so such a
   // reference does not touch the freed memory; rule "r" excludes these
   // positions as well (p2!={print.p,sz.p}).
 54@sz@
 55expression free.E;
 56position p;
 57@@
 58
 59 sizeof(<+...E@p...+>)
 60
   // Rule "loop": record the position "ok" of a kfree()/kfree_sensitive()
   // call inside a while (1) body when no break and no goto follows the free
   // before the end of the body, on every path ("when forall"). E is local to
   // this rule, not inherited from rule "free". Rule "r" skips frees at these
   // positions (free.p1!=loop.ok).
   // NOTE(review): presumably this avoids flagging references earlier in the
   // loop body that are reached again only through the back edge, after E
   // has been set up afresh -- confirm. The exemption is by position, so a
   // genuine use after such a free is not reported either.
 61@loop exists@
 62expression E;
 63identifier l;
 64position ok;
 65@@
 66
 67while (1) { ...
 68(
 69 kfree@ok(E)
 70|
 71 kfree_sensitive@ok(E)
 72)
 73  ... when != break;
 74      when != goto l;
 75      when forall
 76}
 77
   // Rule "r": the use-after-free check. Starting from a free at p1 (any free
   // not exempted through loop.ok), follow control flow ("..."; "exists" asks
   // for at least one such path) up to a statement matching one of the
   // branches of the second disjunction. subE ranges over E and its
   // subexpressions (subE<=free.E).
   // Every branch except the last ends the match without binding p2, so no
   // finding results: subE is passed to an iterator or to list_remove_head(),
   // assigned, incremented or decremented, or has its address taken, or the
   // path reaches BUG(), BUG_ON(), return_VALUE() or return_ACPI_STATUS().
   // Only the last branch binds p2: a reference to E at a position not
   // excluded by rules "print" and "sz". That p2 is what the script rules
   // report.
   // NOTE(review): this relies on "..." stopping at the first match of what
   // follows it, so a reassignment of subE hides later references -- confirm
   // against the SmPL documentation.
   // Limits visible in the patterns: only kfree/kfree_sensitive count as a
   // free, and only references spelled as E itself count as a use, so frees
   // through wrappers and uses through an alias are not detected.
 78@r exists@
 79expression free.E, subE<=free.E, E2;
 80expression E1;
 81iterator iter;
 82statement S;
 83position free.p1!=loop.ok,p2!={print.p,sz.p};
 84@@
 85
 86(
 87 kfree@p1(E,...)
 88|
 89 kfree_sensitive@p1(E,...)
 90)
 91...
 92(
 93 iter(...,subE,...) S // no use
 94|
 95 list_remove_head(E1,subE,...)
 96|
 97 subE = E2
 98|
 99 subE++
100|
101 ++subE
102|
103 --subE
104|
105 subE--
106|
107 &subE
108|
109 BUG(...)
110|
111 BUG_ON(...)
112|
113 return_VALUE(...)
114|
115 return_ACPI_STATUS(...)
116|
117 E@p2 // bad use
118)
119
120@script:python depends on org@
121p1 << free.p1;
122p2 << r.p2;
123@@
124
   # org mode: print the free at p1 as the main entry, labelled "kfree", and
   # the flagged reference at p2 as a secondary entry, labelled "ref".
125cocci.print_main("kfree",p1)
126cocci.print_secs("ref",p2)
127
128@script:python depends on report@
129p1 << free.p1;
130p2 << r.p2;
131@@
132
   # report mode: emit one message at the location of the flagged reference
   # (p2[0]) that names the line of the preceding free (p1[0].line).
133msg = "ERROR: reference preceded by free on line %s" % (p1[0].line)
134coccilib.report.print_report(p2[0],msg)
v5.14.15
  1// SPDX-License-Identifier: GPL-2.0-only
  2/// Find a use after free.
  3//# Values of variables may imply that some
  4//# execution paths are not possible, resulting in false positives.
  5//# Another source of false positives are macros such as
  6//# SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument
  7///
  8// Confidence: Moderate
  9// Copyright: (C) 2010-2012 Nicolas Palix.
 10// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6.
 11// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6.
 12// URL: http://coccinelle.lip6.fr/
 13// Comments:
 14// Options: --no-includes --include-headers
 15
   // Output modes. Each of the two script:python rules at the end of this
   // file depends on one of these virtual rules, so findings are printed only
   // when the caller enables "org" or "report" (e.g. spatch -D report).
 16virtual org
 17virtual report
 18
   // Rule "free": match every call to kfree() or kfree_sensitive(), binding
   // the freed expression to E and the position of the call to p1. Later
   // rules inherit both as free.E and free.p1.
 19@free@
 20expression E;
 21position p1;
 22@@
 23
 24(
 25 kfree@p1(E)
 26|
 27 kfree_sensitive@p1(E)
 28)
 29
   // Rule "print": record positions p where the freed expression E is only
   // inspected as a value: passed as (T)E to a call that also takes a string
   // constant earlier in its argument list, compared with == or !=, negated
   // with !, or used as the left operand of ||. Rule "r" excludes these
   // positions from its "bad use" branch (p2!={print.p,sz.p}), so they are
   // never reported.
   // NOTE(review): the string-constant branch presumably targets printk-style
   // logging of the pointer value. Any call of that shape is exempted whether
   // or not the callee dereferences E, so it can hide a real use -- confirm.
 30@print expression@
 31constant char [] c;
 32expression free.E,E2;
 33type T;
 34position p;
 35identifier f;
 36@@
 37
 38(
 39 f(...,c,...,(T)E@p,...)
 40|
 41 E@p == E2
 42|
 43 E@p != E2
 44|
 45 E2 == E@p
 46|
 47 E2 != E@p
 48|
 49 !E@p
 50|
 51 E@p || ...
 52)
 53
   // Rule "sz": record positions p where E appears anywhere inside a sizeof
   // operand. sizeof normally does not evaluate its operand, so such a
   // reference does not touch the freed memory; rule "r" excludes these
   // positions as well (p2!={print.p,sz.p}).
 54@sz@
 55expression free.E;
 56position p;
 57@@
 58
 59 sizeof(<+...E@p...+>)
 60
   // Rule "loop": record the position "ok" of a kfree()/kfree_sensitive()
   // call inside a while (1) body when no break and no goto follows the free
   // before the end of the body, on every path ("when forall"). E is local to
   // this rule, not inherited from rule "free". Rule "r" skips frees at these
   // positions (free.p1!=loop.ok).
   // NOTE(review): presumably this avoids flagging references earlier in the
   // loop body that are reached again only through the back edge, after E
   // has been set up afresh -- confirm. The exemption is by position, so a
   // genuine use after such a free is not reported either.
 61@loop exists@
 62expression E;
 63identifier l;
 64position ok;
 65@@
 66
 67while (1) { ...
 68(
 69 kfree@ok(E)
 70|
 71 kfree_sensitive@ok(E)
 72)
 73  ... when != break;
 74      when != goto l;
 75      when forall
 76}
 77
   // Rule "r": the use-after-free check. Starting from a free at p1 (any free
   // not exempted through loop.ok), follow control flow ("..."; "exists" asks
   // for at least one such path) up to a statement matching one of the
   // branches of the second disjunction. subE ranges over E and its
   // subexpressions (subE<=free.E).
   // Every branch except the last ends the match without binding p2, so no
   // finding results: subE is passed to an iterator or to list_remove_head(),
   // assigned, incremented or decremented, or has its address taken, or the
   // path reaches BUG(), BUG_ON(), return_VALUE() or return_ACPI_STATUS().
   // Only the last branch binds p2: a reference to E at a position not
   // excluded by rules "print" and "sz". That p2 is what the script rules
   // report.
   // NOTE(review): this relies on "..." stopping at the first match of what
   // follows it, so a reassignment of subE hides later references -- confirm
   // against the SmPL documentation.
   // Limits visible in the patterns: only kfree/kfree_sensitive count as a
   // free, and only references spelled as E itself count as a use, so frees
   // through wrappers and uses through an alias are not detected.
 78@r exists@
 79expression free.E, subE<=free.E, E2;
 80expression E1;
 81iterator iter;
 82statement S;
 83position free.p1!=loop.ok,p2!={print.p,sz.p};
 84@@
 85
 86(
 87 kfree@p1(E,...)
 88|
 89 kfree_sensitive@p1(E,...)
 90)
 91...
 92(
 93 iter(...,subE,...) S // no use
 94|
 95 list_remove_head(E1,subE,...)
 96|
 97 subE = E2
 98|
 99 subE++
100|
101 ++subE
102|
103 --subE
104|
105 subE--
106|
107 &subE
108|
109 BUG(...)
110|
111 BUG_ON(...)
112|
113 return_VALUE(...)
114|
115 return_ACPI_STATUS(...)
116|
117 E@p2 // bad use
118)
119
120@script:python depends on org@
121p1 << free.p1;
122p2 << r.p2;
123@@
124
   # org mode: print the free at p1 as the main entry, labelled "kfree", and
   # the flagged reference at p2 as a secondary entry, labelled "ref".
125cocci.print_main("kfree",p1)
126cocci.print_secs("ref",p2)
127
128@script:python depends on report@
129p1 << free.p1;
130p2 << r.p2;
131@@
132
   # report mode: emit one message at the location of the flagged reference
   # (p2[0]) that names the line of the preceding free (p1[0].line).
133msg = "ERROR: reference preceded by free on line %s" % (p1[0].line)
134coccilib.report.print_report(p2[0],msg)