cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack

kfree.cocci (1849B)


// SPDX-License-Identifier: GPL-2.0-only
/// Find a use after free.
//# Values of variables may imply that some
//# execution paths are not possible, resulting in false positives.
//# Another source of false positives are macros such as
//# SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument
///
// Confidence: Moderate
// Copyright: (C) 2010-2012 Nicolas Palix.
// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6.
// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6.
// URL: http://coccinelle.lip6.fr/
// Comments:
// Options: --no-includes --include-headers

// Output modes. Each is a virtual rule that must be defined when spatch is
// run: "org" gates the script rule that calls cocci.print_main/print_secs,
// "report" gates the one that calls coccilib.report.print_report.
virtual org
virtual report

// Rule "free": match each call kfree(E) or kfree_sensitive(E) and record the
// freed expression E together with the call position p1. Later rules inherit
// them as free.E and free.p1.
// Only these two functions are matched, so memory released through any other
// routine is outside the scope of this check.
@free@
expression E;
position p1;
@@

(
 kfree@p1(E)
|
 kfree_sensitive@p1(E)
)

// Rule "print": record positions p where the freed expression (free.E) occurs
// in a form that reads only the pointer value, not the memory behind it:
//   - as a cast argument (T)E of a call that also takes a string constant
//     earlier in its argument list (presumably a printk-style message);
//   - compared with another expression using == or !=, on either side;
//   - negated with !, or as the left operand of ||.
// Rule "r" excludes these positions from its reports (p2 != print.p).
// NOTE(review): the "expression" keyword in the header presumably makes
// Coccinelle parse the body as an expression rather than a statement --
// confirm against the SmPL grammar.
@print expression@
constant char [] c;
expression free.E,E2;
type T;
position p;
identifier f;
@@

(
 f(...,c,...,(T)E@p,...)
|
 E@p == E2
|
 E@p != E2
|
 E2 == E@p
|
 E2 != E@p
|
 !E@p
|
 E@p || ...
)

// Rule "sz": record positions p where the freed expression occurs anywhere
// inside a sizeof(...) operand; <+... ...+> requires at least one occurrence.
// sizeof normally does not evaluate its operand, so such an occurrence is not
// a memory access. Rule "r" excludes these positions (p2 != sz.p).
@sz@
expression free.E;
position p;
@@

 sizeof(<+...E@p...+>)

// Rule "loop": record as "ok" each kfree/kfree_sensitive call inside a
// while (1) body where, on every path (when forall), neither "break;" nor
// "goto l;" occurs between the free and the end of the body.
// Rule "r" ignores frees at these positions (free.p1 != loop.ok).
// NOTE(review): presumably this suppresses reports that come only from the
// loop back-edge, where code earlier in the body is reachable after the free
// although the pointer is reloaded first -- confirm. A genuine reuse of the
// freed pointer on the next iteration is hidden by the same exclusion.
@loop exists@
expression E;
identifier l;
position ok;
@@

while (1) { ...
(
 kfree@ok(E)
|
 kfree_sensitive@ok(E)
)
  ... when != break;
      when != goto l;
      when forall
}

// Rule "r": the use-after-free match itself. Starting from a free recorded by
// rule "free" (the same position p1, and not one recorded by rule "loop"),
// follow some execution path ("exists") to the first code matching one of the
// branches of the second disjunction. Branches are tried in order and only
// the last one binds p2, so the earlier ones end the search with no report:
//   - an iterator over, list_remove_head() on, assignment to, ++/-- of, or
//     address-of subE, where subE is E or a subexpression of it
//     (subE<=free.E);
//   - BUG(), BUG_ON(), return_VALUE() or return_ACPI_STATUS().
// Any other occurrence of E, at a position not recorded by rule "print" or
// rule "sz", is bound to p2 and reported by the script rules.
//
// Limits to keep in mind when triaging:
//   - E is matched as an expression, so a second pointer to the same object
//     is not followed;
//   - Coccinelle matches control-flow paths inside one function, so a use in
//     a caller or callee after the free is not seen;
//   - the file header rates confidence as Moderate: a hit needs manual
//     confirmation, and the absence of hits does not show that the code has
//     no use after free.
@r exists@
expression free.E, subE<=free.E, E2;
expression E1;
iterator iter;
statement S;
position free.p1!=loop.ok,p2!={print.p,sz.p};
@@

(
 kfree@p1(E,...)
|
 kfree_sensitive@p1(E,...)
)
...
(
 iter(...,subE,...) S // no use
|
 list_remove_head(E1,subE,...)
|
 subE = E2
|
 subE++
|
 ++subE
|
 --subE
|
 subE--
|
 &subE
|
 BUG(...)
|
 BUG_ON(...)
|
 return_VALUE(...)
|
 return_ACPI_STATUS(...)
|
 E@p2 // bad use
)

// Org mode output, run once per (free.p1, r.p2) pair when "org" is defined:
// the free site is printed as the main entry labelled "kfree" and the later
// reference as a secondary entry labelled "ref".
@script:python depends on org@
p1 << free.p1;
p2 << r.p2;
@@

cocci.print_main("kfree",p1)
cocci.print_secs("ref",p2)

// Report mode output, run once per (free.p1, r.p2) pair when "report" is
// defined: a single message attached to the reference (p2[0]) that names the
// line of the preceding free (p1[0].line).
@script:python depends on report@
p1 << free.p1;
p2 << r.p2;
@@

msg = "ERROR: reference preceded by free on line %s" % (p1[0].line)
coccilib.report.print_report(p2[0],msg)