mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-01-29 22:11:18 +01:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: pools: fix bad freeing of aligned pools in UAF mode

Browse Source 
As reported by Christopher, in UAF mode memory release of aligned
objects as introduced in commit ef915e672a ("MEDIUM: pools: respect
pool alignment in allocations") does not work. The padding calculation
in the freeing code is no longer correct since it now depends on the
alignment, so munmap() fails on EINVAL. Fortunately we don't care much
about it since we know it's the low bits of the passed address, which
is much simpler to compute, since all mmaps are page-aligned.

There's no need to backport this, as this was introduced in 3.3.
This commit is contained in:
Willy Tarreau 2025-10-13 19:15:55 +02:00
parent fda6dc9597
commit 0e6a233217
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/haproxy/pool-os.h
View File

@ -86,7 +86,7 @@ static inline void *pool_alloc_area_uaf(size_t size, size_t align)
*/
static inline void pool_free_area_uaf(void *area, size_t size)
{
size_t pad = (4096 - size) & 0xFF0;
size_t pad = (uintptr_t)area & 4095;
/* This object will be released for real in order to detect a use after
* free. We also force a write to the area to ensure we crash on double