BUG/MEDIUM: pools: fix bad freeing of aligned pools in UAF mode

As reported by Christopher, in UAF mode memory release of aligned
objects as introduced in commit ef915e672a ("MEDIUM: pools: respect
pool alignment in allocations") does not work. The padding calculation
in the freeing code is no longer correct since it now depends on the
alignment, so munmap() fails on EINVAL. Fortunately we don't care much
about it since we know it's the low bits of the passed address, which
is much simpler to compute, since all mmaps are page-aligned.

There's no need to backport this, as this was introduced in 3.3.

diff --git a/include/haproxy/pool-os.h b/include/haproxy/pool-os.h
index db938b06985b94f55651e3ef87d87885afb4e554..016070822c3245fbd9a59cbdab026b8cf3b2bdf3 100644 (file)
--- a/include/haproxy/pool-os.h
+++ b/include/haproxy/pool-os.h
@@ -86,7 +86,7 @@ static inline void *pool_alloc_area_uaf(size_t size, size_t align)
  */
 static inline void pool_free_area_uaf(void *area, size_t size)
 {
-       size_t pad = (4096 - size) & 0xFF0;
+       size_t pad = (uintptr_t)area & 4095;
 
        /* This object will be released for real in order to detect a use after
         * free. We also force a write to the area to ensure we crash on double