From 67f89c527f877c1003848e61e9e8af1f7def3045 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Thu, 8 Dec 2022 09:29:42 +0100
Subject: [PATCH] CLEANUP: pools: move the write before free to the uaf-only function

In UAF mode, pool_put_to_os() performs a write to the about-to-be-freed memory area so as to make sure the page is properly mapped and catch a possible double-free. However there's no point keeping that in an ifdef in the generic function, because we now have a pool_free_area_uaf() that is the UAF-specific version of pool_free_area() and the one that is called immediately after this write. Let's move the code there, it will be cleaner.
---
 src/pool.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/src/pool.c b/src/pool.c
index 1c177cafd..48e51e665 100644
--- a/src/pool.c
+++ b/src/pool.c
@@ -352,14 +352,6 @@ void *pool_get_from_os(struct pool_head *pool)
 */
 void pool_put_to_os(struct pool_head *pool, void *ptr)
 {
-#ifdef DEBUG_UAF
- /* This object will be released for real in order to detect a use after
- * free. We also force a write to the area to ensure we crash on double
- * free or free of a const area.
- */
- *(uint32_t *)ptr = 0xDEADADD4;
-#endif /* DEBUG_UAF */
-
 pool_free_area(ptr, pool->alloc_sz);
 _HA_ATOMIC_DEC(&pool->allocated);
 }
@@ -837,6 +829,12 @@ void pool_free_area_uaf(void *area, size_t size)
 {
 size_t pad = (4096 - size) & 0xFF0;
 
+ /* This object will be released for real in order to detect a use after
+ * free. We also force a write to the area to ensure we crash on double
+ * free or free of a const area.
+ */
+ *(uint32_t *)area = 0xDEADADD4;
+
 if (pad >= sizeof(void *) && *(void **)(area - sizeof(void *)) != area)
 ABORT_NOW();
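Review bot: The header comment of pool_put_to_os(), whose closing `*/` is the first context line of the first hunk, lies outside the hunk and may still describe the DEBUG_UAF poison write that this hunk removes; if it does, it should now refer readers to pool_free_area_uaf(). After this change the body of pool_put_to_os() no longer distinguishes UAF mode at all, so the double-free and const-area crash now depends entirely on pool_free_area() routing to pool_free_area_uaf() when DEBUG_UAF is defined, which is not visible in this hunk and is worth confirming. A one-line comment above the call, such as `/* under DEBUG_UAF, pool_free_area() resolves to pool_free_area_uaf(), which poisons the area before unmapping it */`, would keep that dependency visible to the next maintainer. The second hunk's closing context line is cut off in this view, so it is not reviewed here.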