From: Willy Tarreau
Date: Thu, 8 Dec 2022 08:29:42 +0000 (+0100)
Subject: CLEANUP: pools: move the write before free to the uaf-only function
X-Git-Tag: v2.8-dev1~158
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=67f89c527f877c1003848e61e9e8af1f7def3045;p=thirdparty%2Fhaproxy.git

CLEANUP: pools: move the write before free to the uaf-only function

In UAF mode, pool_put_to_os() performs a write to the about-to-be-freed memory area so as to make sure the page is properly mapped and catch a possible double-free. However there's no point keeping that in an ifdef in the generic function, because we now have a pool_free_area_uaf() that is the UAF-specific version of pool_free_area() and the one that is called immediately after this write. Let's move the code there, it will be cleaner.
---
diff --git a/src/pool.c b/src/pool.c
index 1c177cafd2..48e51e665d 100644
--- a/src/pool.c
+++ b/src/pool.c
@@ -352,14 +352,6 @@ void *pool_get_from_os(struct pool_head *pool)
  */
 void pool_put_to_os(struct pool_head *pool, void *ptr)
 {
-#ifdef DEBUG_UAF
- /* This object will be released for real in order to detect a use after
- * free. We also force a write to the area to ensure we crash on double
- * free or free of a const area.
- */
- *(uint32_t *)ptr = 0xDEADADD4;
-#endif /* DEBUG_UAF */
-
 pool_free_area(ptr, pool->alloc_sz);
 _HA_ATOMIC_DEC(&pool->allocated);
 }
@@ -837,6 +829,12 @@ void pool_free_area_uaf(void *area, size_t size)
 {
 size_t pad = (4096 - size) & 0xFF0;
 
+ /* This object will be released for real in order to detect a use after
+ * free. We also force a write to the area to ensure we crash on double
+ * free or free of a const area.
+ */
+ *(uint32_t *)area = 0xDEADADD4;
+
 if (pad >= sizeof(void *) && *(void **)(area - sizeof(void *)) != area)
 ABORT_NOW();
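Review bot: pool_put_to_os() now calls pool_free_area() with nothing left at the call site to tell a reader that, in DEBUG_UAF builds, the area is poisoned and a double free is expected to crash rather than be tolerated; a one-line comment on `pool_free_area(ptr, pool->alloc_sz);` such as `/* in DEBUG_UAF builds this is pool_free_area_uaf(), which poisons the area before releasing it */` would keep that contract visible (the description says pool_free_area_uaf() is the UAF variant; the hunk itself does not show the mapping). The function's header comment closes at the top of the hunk (` */`) and is otherwise outside it; if that comment still describes the forced write, it should now point to pool_free_area_uaf() instead. In the second hunk the write is no longer under `#ifdef DEBUG_UAF`, so it becomes unconditional wherever pool_free_area_uaf() is reachable, and it precedes the pad/back-pointer check, so it relies on every caller passing a size of at least sizeof(uint32_t); that hunk runs past the end of this chunk, so its remaining lines are not reviewed here.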