From b101ff6972d7de3ea272273b97b588da8c7d872b Mon Sep 17 00:00:00 2001
From: Edwin Rodriguez
Date: Tue, 5 Aug 2025 08:53:22 -0400
Subject: [PATCH] os: Improve custom delete operator for raw_combined to ensure proper memory cleanup
Fix UB in raw_combined 'operator delete' to eliminate uninitialized memory access
Fixes: https://tracker.ceph.com/issues/72473
Signed-off-by: Edwin Rodriguez
---
 src/common/buffer.cc | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/common/buffer.cc b/src/common/buffer.cc
index 5f0038e8ce9..d5184036f85 100644
--- a/src/common/buffer.cc
+++ b/src/common/buffer.cc
@@ -132,9 +132,16 @@ static ceph::spinlock debug_lock;
 new (ptr + datalen) raw_combined(ptr, len, mempool));
 }
- static void operator delete(void *ptr) {
- raw_combined *raw = (raw_combined *)ptr;
- aligned_free((void *)raw->data);
+ // Custom delete operator that properly handles cleanup of a combined allocation
+ // where the object is placed after its data buffer. The operator must:
+ // 1. Save the data pointer before the object is destroyed
+ // 2. Explicitly call the destructor to clean up the object's members
+ // 3. Free the entire combined allocation through the data pointer
+ // Uses std::destroying_delete_t to prevent automatic destructor call after delete
+ static void operator delete(raw_combined *raw, std::destroying_delete_t) {
+ char * dataptr = raw->data;
+ raw->~raw_combined();
+ aligned_free(dataptr);
 }
 };
-- 
2.39.5
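Review bot: The last line of the new comment block misdescribes the mechanism — `std::destroying_delete_t` makes the compiler skip the implicit destructor call that would normally run *before* `operator delete` is entered (there is no "destructor call after delete"), and that is precisely why the explicit `raw->~raw_combined();` on the next lines is now mandatory; suggest replacing that line with `// Destroying delete (C++20): the compiler does NOT run ~raw_combined() before calling this, so` / `// read data from the still-live object, destroy it ourselves, then free the block holding both.` It would also help a future reader to state that once `aligned_free(dataptr)` runs the object's own storage is gone, so nothing may dereference `raw` afterwards — the body returns immediately, which is correct as written. `std::destroying_delete_t` is declared in `<new>`; whether buffer.cc already includes that header cannot be seen from this hunk. Minor style: `char * dataptr` would read `char *dataptr` to match the pointer spacing used on the removed lines. The enclosing class definition begins and its remaining members lie outside the hunk.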