From 17930edeccf016832dcaa95659f87a0ab56a940e Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Mon, 13 Oct 2025 19:22:31 +0200
Subject: [PATCH] MEDIUM: pools: detect() when munmap() fails in UAF mode
Better check that munmap() always works, otherwise it means we might have miscalculated an address, and if it fails silently, it will eat all the memory extremely quickly. Let's add a BUG_ON() on munmap's return.
---
 include/haproxy/pool-os.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/haproxy/pool-os.h b/include/haproxy/pool-os.h
index 016070822..59bb41b94 100644
--- a/include/haproxy/pool-os.h
+++ b/include/haproxy/pool-os.h
@@ -97,7 +97,8 @@ static inline void pool_free_area_uaf(void *area, size_t size)
 if (pad >= sizeof(void *) && *(void **)(area - sizeof(void *)) != area)
 ABORT_NOW();
- munmap(area - pad, (size + 4095) & -4096);
+ /* better know immediately if an address calculation was wrong! */
+ BUG_ON(munmap(area - pad, (size + 4095) & -4096) == -1);
 }
 #endif /* _HAPROXY_POOL_OS_H */
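Review bot: The munmap() call is now the argument of BUG_ON(), so the area is only released in builds where the macro actually evaluates its condition. BUG_ON's definition is not visible in this hunk; if it can be reduced to a no-op or to a `sizeof` of its argument when strict debugging is disabled, as assertion macros often are, pool_free_area_uaf() would stop unmapping anything and every free in UAF mode would leak, which is the very memory exhaustion this commit is meant to catch. Keeping the side effect outside the check removes that dependency: `int ret = munmap(area - pad, (size + 4095) & -4096);` followed by `BUG_ON(ret == -1);`. The body of pool_free_area_uaf() starts above the hunk, so how `pad` is derived cannot be checked from here.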