Implement use-after-free detection using junk and stash.

On deallocation, sampled pointers (specially aligned) get junked and stashed into tcache (to prevent immediate reuse). The expected behavior is to have read-after-free corrupted and stopped by the junk-filling, while write-after-free is checked when flushing the stashed pointers.
2026-04-14 14:41:42 +03:00 · 2021-10-18 17:33:15 -07:00 · 2021-10-18 17:33:15 -07:00 · b75822bc6e
commit b75822bc6e
parent 06aac61c4b
22 changed files with 793 additions and 42 deletions
--- a/configure.ac
+++ b/configure.ac
@ -1564,6 +1564,23 @@ if test "x$enable_opt_size_checks" = "x1" ; then
 fi
 AC_SUBST([enable_opt_size_checks])

+dnl Do not check for use-after-free by default.
+AC_ARG_ENABLE([uaf-detection],
+  [AS_HELP_STRING([--enable-uaf-detection],
+  [Allow sampled junk-filling on deallocation to detect use-after-free])],
+[if test "x$enable_uaf_detection" = "xno" ; then
+  enable_uaf_detection="0"
+else
+  enable_uaf_detection="1"
+fi
+],
+[enable_uaf_detection="0"]
+)
+if test "x$enable_uaf_detection" = "x1" ; then
+  AC_DEFINE([JEMALLOC_UAF_DETECTION], [ ])
+fi
+AC_SUBST([enable_uaf_detection])
+
 JE_COMPILABLE([a program using __builtin_unreachable], [
 void foo (void) {
  __builtin_unreachable();