andralex / std_allocator

Phobos std.allocator candidate


Freelist allocation batching can cause use after free

Dante-Broggi opened this issue · comments

Just from observation of the freelist (and shared freelist) code (without compiling to test), I believe the following series of operations can result in a use after free:

```d
import std.allocator : Freelist, Mallocator; // module path assumed; the repo is the std.allocator candidate

void use(void[] b) { /* placeholder: any read of b here touches freed memory */ }

void main()
{
    Freelist!(Mallocator, 64) alloc; // Freelist!(...) is a type, so declare a variable of it
    auto a1 = alloc.allocate(64);
    auto a2 = alloc.allocate(64);
    assert(alloc.reallocate(a1, 8*64)); // the default batch size, assume it reallocs in place.
    // a1 now overlaps a2 because the reallocation was in place,
    // as from malloc's perspective it was a no-op reallocate.
    alloc.deallocate(a1);
    use(a2); // a2 was freed by the previous line, due to overlap.
}
```