From: Willy Tarreau Date: Mon, 13 Oct 2025 17:15:55 +0000 (+0200) Subject: BUG/MEDIUM: pools: fix bad freeing of aligned pools in UAF mode X-Git-Tag: v3.3-dev10~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0e6a2332178037612f4ec579bb2f2ce019fa6fd2;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: pools: fix bad freeing of aligned pools in UAF mode As reported by Christopher, in UAF mode memory release of aligned objects as introduced in commit ef915e672a ("MEDIUM: pools: respect pool alignment in allocations") does not work. The padding calculation in the freeing code is no longer correct since it now depends on the alignment, so munmap() fails on EINVAL. Fortunately we don't care much about it since we know it's the low bits of the passed address, which is much simpler to compute, since all mmaps are page-aligned. There's no need to backport this, as this was introduced in 3.3. --- diff --git a/include/haproxy/pool-os.h b/include/haproxy/pool-os.h index db938b069..016070822 100644 --- a/include/haproxy/pool-os.h +++ b/include/haproxy/pool-os.h @@ -86,7 +86,7 @@ static inline void *pool_alloc_area_uaf(size_t size, size_t align) */ static inline void pool_free_area_uaf(void *area, size_t size) { - size_t pad = (4096 - size) & 0xFF0; + size_t pad = (uintptr_t)area & 4095; /* This object will be released for real in order to detect a use after * free. We also force a write to the area to ensure we crash on double
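Review bot: in the `pool_free_area_uaf()` hunk the new line `size_t pad = (uintptr_t)area & 4095;` hardcodes a 4 KiB page (the old line hardcoded 4096 in the same way), so the correctness of the munmap() offset now rests on two unstated assumptions: that mmap() returns page-aligned memory and that the page is exactly 4096 bytes; it would be clearer to derive the mask from one named page-size constant shared with `pool_alloc_area_uaf()` (declared just above this hunk) rather than from a second magic number, and to state that invariant in the function's comment. Two smaller points: `uintptr_t` needs `<stdint.h>` to be visible in pool-os.h, which the hunk does not show, and since `size` no longer takes part in the padding computation, the remaining uses of `size` in this function (outside the visible context) should be rechecked so that the length passed to munmap() still covers both the padding and the object.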