Initial commit: OpenHarmony-v4.0-ReleaseOpenHarmony-v4.0-Release

author: We-unite <3205135446@qq.com> 2025-03-08 22:04:20 +0800
committer: We-unite <3205135446@qq.com> 2025-03-08 22:04:20 +0800
commit: a07bb8fd1299070229f0e8f3dcb57ffd5ef9870a (patch)
tree: 84f21bd0bf7071bc5fc7dd989e77d7ceb5476682 /scripts/coccinelle/free/kfree.cocci
download: ohosKernel-a07bb8fd1299070229f0e8f3dcb57ffd5ef9870a.tar.gz
ohosKernel-a07bb8fd1299070229f0e8f3dcb57ffd5ef9870a.zip
1 files changed, 134 insertions, 0 deletions
diff --git a/scripts/coccinelle/free/kfree.cocci b/scripts/coccinelle/free/kfree.cocci
new file mode 100644
index 000000000..168568386
--- /dev/null
+++ b/scripts/coccinelle/free/kfree.cocci
@@ -0,0 +1,134 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/// Find a use after free.
+//# Values of variables may imply that some
+//# execution paths are not possible, resulting in false positives.
+//# Another source of false positives are macros such as
+//# SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument
+///
+// Confidence: Moderate
+// Copyright: (C) 2010-2012 Nicolas Palix.
+// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6.
+// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6.
+// URL: http://coccinelle.lip6.fr/
+// Comments:
+// Options: --no-includes --include-headers
+virtual org
+virtual report
+@free@
+expression E;
+position p1;
+@@
+(
+* kfree@p1(E)
+|
+* kfree_sensitive@p1(E)
+)
+@print expression@
+constant char [] c;
+expression free.E,E2;
+type T;
+position p;
+identifier f;
+@@
+(
+ f(...,c,...,(T)E@p,...)
+|
+ E@p == E2
+|
+ E@p != E2
+|
+ E2 == E@p
+|
+ E2 != E@p
+|
+ !E@p
+|
+ E@p || ...
+)
+@sz@
+expression free.E;
+position p;
+@@
+ sizeof(<+...E@p...+>)
+@loop exists@
+expression E;
+identifier l;
+position ok;
+@@
+while (1) { ...
+(
+* kfree@ok(E)
+|
+* kfree_sensitive@ok(E)
+)
+  ... when != break;
+      when != goto l;
+      when forall
+}
+@r exists@
+expression free.E, subE<=free.E, E2;
+expression E1;
+iterator iter;
+statement S;
+position free.p1!=loop.ok,p2!={print.p,sz.p};
+@@
+(
+* kfree@p1(E,...)
+|
+* kfree_sensitive@p1(E,...)
+)
+...
+(
+ iter(...,subE,...) S // no use
+|
+ list_remove_head(E1,subE,...)
+|
+ subE = E2
+|
+ subE++
+|
+ ++subE
+|
+ --subE
+|
+ subE--
+|
+ &subE
+|
+ BUG(...)
+|
+ BUG_ON(...)
+|
+ return_VALUE(...)
+|
+ return_ACPI_STATUS(...)
+|
+ E@p2 // bad use
+)
+@script:python depends on org@
+p1 << free.p1;
+p2 << r.p2;
+@@
+cocci.print_main("kfree",p1)
+cocci.print_secs("ref",p2)
+@script:python depends on report@
+p1 << free.p1;
+p2 << r.p2;
+@@
+msg = "ERROR: reference preceded by free on line %s" % (p1[0].line)
+coccilib.report.print_report(p2[0],msg)
author	We-unite <3205135446@qq.com>	2025-03-08 22:04:20 +0800
committer	We-unite <3205135446@qq.com>	2025-03-08 22:04:20 +0800
commit	a07bb8fd1299070229f0e8f3dcb57ffd5ef9870a (patch)
tree	84f21bd0bf7071bc5fc7dd989e77d7ceb5476682 /scripts/coccinelle/free/kfree.cocci
download	ohosKernel-a07bb8fd1299070229f0e8f3dcb57ffd5ef9870a.tar.gz ohosKernel-a07bb8fd1299070229f0e8f3dcb57ffd5ef9870a.zip

diff --git a/scripts/coccinelle/free/kfree.cocci b/scripts/coccinelle/free/kfree.cocci new file mode 100644 index 000000000..168568386 --- /dev/null +++ b/scripts/coccinelle/free/kfree.cocci
@@ -0,0 +1,134 @@
	1	// SPDX-License-Identifier: GPL-2.0-only
	2	/// Find a use after free.
	3	//# Values of variables may imply that some
	4	//# execution paths are not possible, resulting in false positives.
	5	//# Another source of false positives are macros such as
	6	//# SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument
	7	///
	8	// Confidence: Moderate
	9	// Copyright: (C) 2010-2012 Nicolas Palix.
	10	// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6.
	11	// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6.
	12	// URL: http://coccinelle.lip6.fr/
	13	// Comments:
	14	// Options: --no-includes --include-headers
	15
	16	virtual org
	17	virtual report
	18
	19	@free@
	20	expression E;
	21	position p1;
	22	@@
	23
	24	(
	25	* kfree@p1(E)
	26	\|
	27	* kfree_sensitive@p1(E)
	28	)
	29
	30	@print expression@
	31	constant char [] c;
	32	expression free.E,E2;
	33	type T;
	34	position p;
	35	identifier f;
	36	@@
	37
	38	(
	39	f(...,c,...,(T)E@p,...)
	40	\|
	41	E@p == E2
	42	\|
	43	E@p != E2
	44	\|
	45	E2 == E@p
	46	\|
	47	E2 != E@p
	48	\|
	49	!E@p
	50	\|
	51	E@p \|\| ...
	52	)
	53
	54	@sz@
	55	expression free.E;
	56	position p;
	57	@@
	58
	59	sizeof(<+...E@p...+>)
	60
	61	@loop exists@
	62	expression E;
	63	identifier l;
	64	position ok;
	65	@@
	66
	67	while (1) { ...
	68	(
	69	* kfree@ok(E)
	70	\|
	71	* kfree_sensitive@ok(E)
	72	)
	73	... when != break;
	74	when != goto l;
	75	when forall
	76	}
	77
	78	@r exists@
	79	expression free.E, subE<=free.E, E2;
	80	expression E1;
	81	iterator iter;
	82	statement S;
	83	position free.p1!=loop.ok,p2!={print.p,sz.p};
	84	@@
	85
	86	(
	87	* kfree@p1(E,...)
	88	\|
	89	* kfree_sensitive@p1(E,...)
	90	)
	91	...
	92	(
	93	iter(...,subE,...) S // no use
	94	\|
	95	list_remove_head(E1,subE,...)
	96	\|
	97	subE = E2
	98	\|
	99	subE++
	100	\|
	101	++subE
	102	\|
	103	--subE
	104	\|
	105	subE--
	106	\|
	107	&subE
	108	\|
	109	BUG(...)
	110	\|
	111	BUG_ON(...)
	112	\|
	113	return_VALUE(...)
	114	\|
	115	return_ACPI_STATUS(...)
	116	\|
	117	E@p2 // bad use
	118	)
	119
	120	@script:python depends on org@
	121	p1 << free.p1;
	122	p2 << r.p2;
	123	@@
	124
	125	cocci.print_main("kfree",p1)
	126	cocci.print_secs("ref",p2)
	127
	128	@script:python depends on report@
	129	p1 << free.p1;
	130	p2 << r.p2;
	131	@@
	132
	133	msg = "ERROR: reference preceded by free on line %s" % (p1[0].line)
	134	coccilib.report.print_report(p2[0],msg)