From: Willy Tarreau <w@1wt.eu>
Date: Mon, 13 Oct 2025 17:22:31 +0000 (+0200)
Subject: MEDIUM: pools: detect() when munmap() fails in UAF mode
X-Git-Tag: v3.3-dev10~18
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=17930edeccf016832dcaa95659f87a0ab56a940e;p=thirdparty%2Fhaproxy.git

MEDIUM: pools: detect() when munmap() fails in UAF mode

Better check that munmap() always works, otherwise it means we might
have miscalculated an address, and if it fails silently, it will eat
all the memory extremely quickly. Let's add a BUG_ON() on munmap's
return.
---

diff --git a/include/haproxy/pool-os.h b/include/haproxy/pool-os.h
index 016070822..59bb41b94 100644
--- a/include/haproxy/pool-os.h
+++ b/include/haproxy/pool-os.h
@@ -97,7 +97,8 @@ static inline void pool_free_area_uaf(void *area, size_t size)
 	if (pad >= sizeof(void *) && *(void **)(area - sizeof(void *)) != area)
 		ABORT_NOW();
 
-	munmap(area - pad, (size + 4095) & -4096);
+	/* better know immediately if an address calculation was wrong! */
+	BUG_ON(munmap(area - pad, (size + 4095) & -4096) == -1);
 }
 
 #endif /* _HAPROXY_POOL_OS_H */