// SPDX-License-Identifier: GPL-2.0-only
/// Find a use after free.
//# Values of variables may imply that some
//# execution paths are not possible, resulting in false positives.
//# Another source of false positives is macros such as
//# SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument.
///
// Confidence: Moderate
// Copyright: (C) 2010-2012 Nicolas Palix.
// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6.
// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6.
// URL: https://coccinelle.gitlabpages.inria.fr/website
// Comments:
// Options: --no-includes --include-headers

// Output modes, selected on the spatch command line with -D org or
// -D report; the two script rules at the end of the file depend on them.
virtual org
virtual report

// Record every freeing call: E is the freed expression and p1 the
// position of the call.  Later rules refer to them as free.E and free.p1.
@free@
expression E;
position p1;
@@

(
kfree@p1(E)
|
kfree_sensitive@p1(E)
)

// Occurrences of the freed expression that are deliberately not reported:
// passing it (possibly through a cast) to a call that also takes a
// constant string argument, presumably a printk-style call that only
// prints the pointer value, and pointer comparisons or null tests, which
// read the value without dereferencing it.  They still handle a dangling
// pointer, but the script treats them as false positives; the positions p
// collected here are excluded from the report in rule r.
@print expression@
constant char [] c;
expression free.E,E2;
type T;
position p;
identifier f;
@@

(
f(...,c,...,(T)E@p,...)
|
E@p == E2
|
E@p != E2
|
E2 == E@p
|
E2 != E@p
|
!E@p
|
E@p || ...
)

// The operand of sizeof is not evaluated, so an occurrence of the freed
// expression anywhere inside it is excluded from the report as well.
@sz@
expression free.E;
position p;
@@

sizeof(<+...E@p...+>)

// A free inside an endless loop that is never left afterwards (no break
// and no goto on any path from the free to the end of the loop body) is
// excluded: presumably the next iteration gives E a fresh value before it
// is used again, so reporting the use at the top of the loop would be a
// false positive.  The position ok marks such frees; rule r requires
// free.p1 != loop.ok.
@loop exists@
expression E;
identifier l;
position ok;
@@

while (1) { ...
(
kfree@ok(E)
|
kfree_sensitive@ok(E)
)
... when != break;
when != goto l;
when forall
}

// The detector proper.  Starting from a free that is not inside an endless
// loop (p1 != loop.ok), follow the control flow forward ("exists": one
// path on which the use is reachable is enough) until a subexpression
// subE of the freed expression (subE<=free.E, which includes E itself) is
// encountered.  The branch order matters: the "no use" patterns come
// before the catch-all, so a reassignment, increment/decrement,
// address-of, iterator argument, list_remove_head(), BUG()/BUG_ON() or
// the ACPI return macros end the search for that path without a report.
// Only a use of E that reaches the last branch, at a position not excluded
// by rules print and sz, is reported at p2.
@r exists@
expression free.E, subE<=free.E, E2;
expression E1;
iterator iter;
statement S;
position free.p1!=loop.ok,p2!={print.p,sz.p};
@@

(
kfree@p1(E,...)
|
kfree_sensitive@p1(E,...)
)
...
(
iter(...,subE,...) S // no use
|
list_remove_head(E1,subE,...)
|
subE = E2 // freed expression (or part of it) gets a new value
|
subE++
|
++subE
|
--subE
|
subE--
|
&subE
|
BUG(...)
|
BUG_ON(...)
|
return_VALUE(...)
|
return_ACPI_STATUS(...)
|
E@p2 // bad use: E read after it was freed at p1
)

@script:python depends on org@
p1 << free.p1;
p2 << r.p2;
@@

# org mode output: the freeing call (free.p1) is the main entry, each
# bad use found by rule r (r.p2) a secondary "ref" entry.
main_pos, ref_pos = p1, p2
cocci.print_main("kfree", main_pos)
cocci.print_secs("ref", ref_pos)

@script:python depends on report@
p1 << free.p1;
p2 << r.p2;
@@

# report mode: one diagnostic at the bad use (r.p2), naming the line of
# the freeing call (free.p1) it follows.
free_line = p1[0].line
msg = "ERROR: reference preceded by free on line %s" % (free_line,)
coccilib.report.print_report(p2[0], msg)