Actually free memory in free(); use-after-free issues will no longer …

…be discovered
Shnatsel · Aug 29, 2018 · 14ff5db · 14ff5db
1 parent f7bc9d3
commit 14ff5db
Showing 1 changed file with 2 additions and 8 deletions.
diff --git a/libdislocator.so.c b/libdislocator.so.c
@@ -196,7 +196,7 @@ void* malloc(size_t len) {
 }
 
 
-/* The wrapper for free(). This simply marks the entire region as PROT_NONE.
+/* The wrapper for free().
    If the region is already freed, the code will segfault during the attempt to
    read the canary. Not very graceful, but works, right? */
 
@@ -214,15 +214,9 @@ void free(void* ptr) {
 
   total_mem -= len;
 
-  /* Protect everything. Note that the extra page at the end is already
-     set as PROT_NONE, so we don't need to touch that. */
-
   ptr -= PAGE_SIZE * PG_COUNT(len + 8) - len - 8;
 
-  if (mprotect(ptr - 8, PG_COUNT(len + 8) * PAGE_SIZE, PROT_NONE))
-    FATAL("mprotect() failed when freeing memory");
-
-  /* Keep the mapping; this is wasteful, but prevents ptr reuse. */
+  munmap(ptr - 8, (1 + PG_COUNT(len + 8)) * PAGE_SIZE);
 
 }