/// Find a use after free.
//# Values of variables may imply that some
//# execution paths are not possible, resulting in false positives.
//# Another source of false positives are macros such as
//# SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument
///
// Confidence: Moderate
// Copyright: (C) 2010-2012 Nicolas Palix. GPLv2.
// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6. GPLv2.
// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6. GPLv2.
// URL: http://coccinelle.lip6.fr/
// Comments:
// Options: -no_includes -include_headers

// Overview for reviewers triaging the output:
//  * Only calls spelled kfree(...) are treated as a free; no other release
//    function is matched by any rule in this file.
//  * A report is produced only when the freed expression E itself appears
//    again (E@p2 in rule r). Matching is on the expression as written, so a
//    use through a different expression that holds the same pointer is not
//    reported.
//  * Rules print, sz and loop exist only to suppress reports; they record
//    positions that rule r then excludes.
//  * Confidence is "Moderate" (see header): every hit needs manual review.

// Output modes. The two script rules at the end of the file each depend on
// one of these virtual rules, so nothing is printed unless one is enabled.
virtual org
virtual report

// Every kfree(E) call: binds the freed expression E and the call position p1.
@free@
expression E;
position p1;
@@

kfree@p1(E)

// Occurrences of the freed expression that only inspect its value and do
// not go through it: E (cast to some type T) passed to a function that also
// receives a string constant, E compared with == or !=, E negated, or E as
// the left operand of ||. Their positions p are excluded from p2 in rule r.
// NOTE(review): the string-constant branch presumably targets format-string
// style logging of the pointer value -- confirm against the callers hit.
@print expression@
constant char [] c;
expression free.E,E2;
type T;
position p;
identifier f;
@@

(
 f(...,c,...,(T)E@p,...)
|
 E@p == E2
|
 E@p != E2
|
 E2 == E@p
|
 E2 != E@p
|
 !E@p
|
 E@p || ...
)

// Occurrences of the freed expression anywhere inside a sizeof(...)
// argument. Their positions p are also excluded from p2 in rule r.
@sz@
expression free.E;
position p;
@@

 sizeof(<+...E@p...+>)

// A kfree inside a while (1) body where, on every path ("when forall") from
// the kfree to the end of the body, there is neither a break nor a goto.
// Rule r refuses to start from such a kfree (free.p1 != loop.ok).
// NOTE(review): presumably this avoids reports whose "use" is only reached
// by going around the loop into a later iteration -- confirm. It also means
// a genuine use after such a kfree is never reported by this script.
@loop exists@
expression E;
identifier l;
position ok;
@@

while (1) { ...
  kfree@ok(E)
  ... when != break;
      when != goto l;
      when forall
}

// Reporting rule. Starting from a kfree at p1 that is not a loop.ok
// position, follow some path ("exists") to the first construct listed in
// the disjunction. subE is E or any subexpression of E (subE<=free.E).
// Only the last branch binds p2, and both script rules require r.p2, so
// only that branch produces output; p2 may not be a position recorded by
// rule print or rule sz. The branches are tried in the order written, so
// the order is significant and must not be changed.
// Non-reporting branches: an iterator macro that takes subE, a
// list_remove_head() call that takes subE, an assignment to subE, an
// increment or decrement of subE, taking the address of subE, BUG(),
// BUG_ON(), return_VALUE() and return_ACPI_STATUS().
// NOTE(review): the apparent rationale is that these either give subE a new
// value or end the path -- confirm for each macro before relying on the
// suppression, since a wrong assumption here hides a real use after free.
@r exists@
expression free.E, subE<=free.E, E2;
expression E1;
iterator iter;
statement S;
position free.p1!=loop.ok,p2!={print.p,sz.p};
@@

kfree@p1(E,...)
...
(
 iter(...,subE,...) S // no use
|
 list_remove_head(E1,subE,...)
|
 subE = E2
|
 subE++
|
 ++subE
|
 --subE
|
 subE--
|
 &subE
|
 BUG(...)
|
 BUG_ON(...)
|
 return_VALUE(...)
|
 return_ACPI_STATUS(...)
|
 E@p2 // bad use
)

// org mode: print the kfree position as the main entry, labelled "kfree",
// and the later reference as a secondary entry, labelled "ref".
@script:python depends on org@
p1 << free.p1;
p2 << r.p2;
@@

cocci.print_main("kfree",p1)
cocci.print_secs("ref",p2)

// report mode: one message per hit, attached to the position of the later
// reference (p2) and naming the line of the preceding kfree (p1).
@script:python depends on report@
p1 << free.p1;
p2 << r.p2;
@@

msg = "ERROR: reference preceded by free on line %s" % (p1[0].line)
coccilib.report.print_report(p2[0],msg)