os: Improve custom delete operator for raw_combined to ensure proper memory cleanup

Fix UB in raw_combined 'operator delete' to eliminate uninitialized memory access

Fixes: https://tracker.ceph.com/issues/72473
Signed-off-by: Edwin Rodriguez <edwin.rodriguez1@ibm.com>

diff --git a/src/common/buffer.cc b/src/common/buffer.cc
index 6a6a8cbe5ba7539a934d76bcac28895b42b4e3e5..f15060c703709778a15be128ed4eaf23907b9627 100644 (file)
--- a/src/common/buffer.cc
+++ b/src/common/buffer.cc
@@ -131,9 +131,16 @@ static ceph::spinlock debug_lock;
        new (ptr + datalen) raw_combined(ptr, len, mempool));
     }
 
-    static void operator delete(void *ptr) {
-      raw_combined *raw = (raw_combined *)ptr;
-      aligned_free((void *)raw->data);
+    // Custom delete operator that properly handles cleanup of a combined allocation
+    // where the object is placed after its data buffer. The operator must:
+    // 1. Save the data pointer before the object is destroyed
+    // 2. Explicitly call the destructor to clean up the object's members
+    // 3. Free the entire combined allocation through the data pointer
+    // Uses std::destroying_delete_t to prevent automatic destructor call after delete
+    static void operator delete(raw_combined *raw, std::destroying_delete_t) {
+      char * dataptr = raw->data;
+      raw->~raw_combined();
+      aligned_free(dataptr);
     }
   };