From: Edwin Rodriguez Date: Tue, 5 Aug 2025 12:53:22 +0000 (-0400) Subject: os: Improve custom delete operator for raw_combined to ensure proper memory cleanup X-Git-Tag: v21.0.0~209^2~5^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=058b0fb094068e6ba42b6b2febf8ce24ec0f244e;p=ceph.git os: Improve custom delete operator for raw_combined to ensure proper memory cleanup Fix UB in raw_combined 'operator delete' to eliminate uninitialized memory access Fixes: https://tracker.ceph.com/issues/72473 Signed-off-by: Edwin Rodriguez
---
diff --git a/src/common/buffer.cc b/src/common/buffer.cc
index 6a6a8cbe5ba7..f15060c70370 100644
--- a/src/common/buffer.cc
+++ b/src/common/buffer.cc
@@ -131,9 +131,16 @@ static ceph::spinlock debug_lock;
 new (ptr + datalen) raw_combined(ptr, len, mempool));
 }
- static void operator delete(void *ptr) {
- raw_combined *raw = (raw_combined *)ptr;
- aligned_free((void *)raw->data);
+ // Custom delete operator that properly handles cleanup of a combined allocation
+ // where the object is placed after its data buffer. The operator must:
+ // 1. Save the data pointer before the object is destroyed
+ // 2. Explicitly call the destructor to clean up the object's members
+ // 3. Free the entire combined allocation through the data pointer
+ // Uses std::destroying_delete_t to prevent automatic destructor call after delete
+ static void operator delete(raw_combined *raw, std::destroying_delete_t) {
+ char * dataptr = raw->data;
+ raw->~raw_combined();
+ aligned_free(dataptr);
 }
 };
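Review bot: The new `operator delete` frees through `raw->data`, so it is only correct while `data` still holds the base address of the block allocated in `create()`; the context line `new (ptr + datalen) raw_combined(ptr, len, mempool)` shows the object living inside that same block, and the added comment explains the ordering but not this invariant. I would add one line to the comment, `// Invariant: raw->data is the pointer returned by the aligned allocation in create() and is never reassigned.`, and confirm that nothing in the base class changes `data` after construction, which this hunk does not show. `std::destroying_delete_t` is declared in `<new>` and requires C++20, and no include is added here, so check that buffer.cc includes `<new>` directly rather than through another header. Because the commit message describes the old defect as an uninitialized memory access, a unit test that creates and destroys a combined buffer in a sanitizer build would keep it from regressing; the patch as shown carries none.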