CLEANUP: pools: move the write before free to the uaf-only function
In UAF mode, pool_put_to_os() performs a write to the about-to-be-freed
memory area so as to make sure the page is properly mapped and catch a
possible double-free. However there's no point keeping that in an ifdef
in the generic function, because we now have a pool_free_area_uaf()
that is the UAF-specific version of pool_free_area() and the one that
is called immediately after this write. Let's move the code there; it
will be cleaner.
diff --git a/src/pool.c b/src/pool.c
index 1c177ca..48e51e6 100644
--- a/src/pool.c
+++ b/src/pool.c
@@ -352,14 +352,6 @@
*/
void pool_put_to_os(struct pool_head *pool, void *ptr)
{
-#ifdef DEBUG_UAF
- /* This object will be released for real in order to detect a use after
- * free. We also force a write to the area to ensure we crash on double
- * free or free of a const area.
- */
- *(uint32_t *)ptr = 0xDEADADD4;
-#endif /* DEBUG_UAF */
-
pool_free_area(ptr, pool->alloc_sz);
_HA_ATOMIC_DEC(&pool->allocated);
}
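Review bot: removing the `#ifdef DEBUG_UAF` block here leaves pool_put_to_os() with no UAF-specific code at all, so the double-free and const-area detection now relies entirely on pool_free_area() resolving to pool_free_area_uaf() in DEBUG_UAF builds, as the commit message states; it is worth confirming that every DEBUG_UAF path into pool_put_to_os() goes through that mapping, because a direct call to the generic pool_free_area() would silently lose the check. The function's header comment, which ends at the `*/` shown above this hunk, should also be re-read in case it still describes the write that no longer lives in this function.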
@@ -837,6 +829,12 @@
{
size_t pad = (4096 - size) & 0xFF0;
+ /* This object will be released for real in order to detect a use after
+ * free. We also force a write to the area to ensure we crash on double
+ * free or free of a const area.
+ */
+ *(uint32_t *)area = 0xDEADADD4;
+
if (pad >= sizeof(void *) && *(void **)(area - sizeof(void *)) != area)
ABORT_NOW();
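Review bot: the new store `*(uint32_t *)area = 0xDEADADD4;` runs before the back-pointer sanity check `if (pad >= sizeof(void *) && *(void **)(area - sizeof(void *)) != area) ABORT_NOW();`, so an `area` that would fail that check is written through before the abort fires; consider placing the write after the check so that a corrupted pointer is reported without first being scribbled on. Since the write used to be guarded by `#ifdef DEBUG_UAF` inside pool_put_to_os() and now sits unconditionally in this function, it is also applied to any other caller of this function, which matches the stated intent but deserves a sentence in the comment; the 4-byte store additionally assumes every area passed here is at least sizeof(uint32_t) long, an assumption the original code already made.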