-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Find a use after free. Values of variables may imply that some execution paths are not possible, resulting in false positives. Another source of false positives are macros such as SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument Signed-off-by: Nicolas Palix <npalix@diku.dk> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: Michal Marek <mmarek@suse.cz>
- Loading branch information
Nicolas Palix
authored and
Michal Marek
committed
Aug 31, 2010
1 parent
5c34050
commit 43ba21b
Showing
1 changed file
with
116 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| /// Find a use after free. Values of variables may imply that some | ||
| /// execution paths are not possible, resulting in false positives. | ||
| /// Another source of false positives are macros such as | ||
| /// SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument | ||
| /// | ||
| // Confidence: Moderate | ||
| // Copyright: (C) 2010 Nicolas Palix, DIKU. GPLv2. | ||
| // Copyright: (C) 2010 Julia Lawall, DIKU. GPLv2. | ||
| // Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. GPLv2. | ||
| // URL: http://coccinelle.lip6.fr/ | ||
| // Comments: | ||
| // Options: -no_includes -include_headers | ||
|
|
||
| virtual org | ||
| virtual report | ||
|
|
||
| @free@ | ||
| expression E; | ||
| position p1; | ||
| @@ | ||
|
|
||
| kfree@p1(E) | ||
|
|
||
| @print expression@ | ||
| constant char *c; | ||
| expression free.E,E2; | ||
| type T; | ||
| position p; | ||
| identifier f; | ||
| @@ | ||
|
|
||
| ( | ||
| f(...,c,...,(T)E@p,...) | ||
| | | ||
| E@p == E2 | ||
| | | ||
| E@p != E2 | ||
| | | ||
| !E@p | ||
| | | ||
| E@p || ... | ||
| ) | ||
|
|
||
| @sz@ | ||
| expression free.E; | ||
| position p; | ||
| @@ | ||
|
|
||
| sizeof(<+...E@p...+>) | ||
|
|
||
| @loop exists@ | ||
| expression E; | ||
| identifier l; | ||
| position ok; | ||
| @@ | ||
|
|
||
| while (1) { ... | ||
| kfree@ok(E) | ||
| ... when != break; | ||
| when != goto l; | ||
| when forall | ||
| } | ||
|
|
||
| @r exists@ | ||
| expression free.E, subE<=free.E, E2; | ||
| expression E1; | ||
| iterator iter; | ||
| statement S; | ||
| position free.p1!=loop.ok,p2!={print.p,sz.p}; | ||
| @@ | ||
|
|
||
| kfree@p1(E,...) | ||
| ... | ||
| ( | ||
| iter(...,subE,...) S // no use | ||
| | | ||
| list_remove_head(E1,subE,...) | ||
| | | ||
| subE = E2 | ||
| | | ||
| subE++ | ||
| | | ||
| ++subE | ||
| | | ||
| --subE | ||
| | | ||
| subE-- | ||
| | | ||
| &subE | ||
| | | ||
| BUG(...) | ||
| | | ||
| BUG_ON(...) | ||
| | | ||
| return_VALUE(...) | ||
| | | ||
| return_ACPI_STATUS(...) | ||
| | | ||
| E@p2 // bad use | ||
| ) | ||
|
|
||
| @script:python depends on org@ | ||
| p1 << free.p1; | ||
| p2 << r.p2; | ||
| @@ | ||
| cocci.print_main("kfree",p1) | ||
| cocci.print_secs("ref",p2) | ||
| @script:python depends on report@ | ||
| p1 << free.p1; | ||
| p2 << r.p2; | ||
| @@ | ||
| msg = "reference preceded by free on line %s" % (p1[0].line) | ||
| coccilib.report.print_report(p2[0],msg) |