Destroy global base allocator in the library destructor

ldorau · ldorau · commit 1e81caba60bc · 2024-02-14T20:26:28.000+01:00
The global base allocator should be destroyed in the library destructor
in order to avoid use-after-free.

Signed-off-by: Lukasz Dorau &lt;lukasz.dorau@intel.com&gt;
diff --git a/src/base_alloc/base_alloc_global.c b/src/base_alloc/base_alloc_global.c
@@ -9,6 +9,7 @@
 #include <stdlib.h>
 
 #include "base_alloc.h"
+#include "base_alloc_global.h"
 #include "utils_concurrency.h"
 
 #define SIZE_BA_POOL_CHUNK 128
@@ -17,17 +18,20 @@
 static umf_ba_pool_t *BA_pool = NULL;
 static UTIL_ONCE_FLAG ba_is_initialized = UTIL_ONCE_FLAG_INIT;
 
-static void umf_ba_destroy_global(void) {
-    assert(BA_pool);
-    umf_ba_destroy(BA_pool);
-    BA_pool = NULL;
-}
-
 static void umf_ba_create_global(void) {
     assert(BA_pool == NULL);
     BA_pool = umf_ba_create(SIZE_BA_POOL_CHUNK);
+    assert(BA_pool);
+#if defined(_WIN32) && !defined(UMF_SHARED_LIBRARY)
+    atexit(umf_ba_destroy_global);
+#endif
+}
+
+void umf_ba_destroy_global(void) {
     if (BA_pool) {
-        atexit(umf_ba_destroy_global);
+        umf_ba_pool_t *pool = BA_pool;
+        BA_pool = NULL;
+        umf_ba_destroy(pool);
     }
 }
 
diff --git a/src/base_alloc/base_alloc_global.h b/src/base_alloc/base_alloc_global.h
@@ -15,6 +15,7 @@ extern "C" {
 #endif
 
 umf_ba_pool_t *umf_ba_get_pool(size_t size);
+void umf_ba_destroy_global(void);
 
 #ifdef __cplusplus
 }
diff --git a/src/base_alloc/base_alloc_linux.c b/src/base_alloc/base_alloc_linux.c
@@ -12,6 +12,15 @@
 #include <unistd.h>
 
 #include "base_alloc.h"
+#include "base_alloc_global.h"
+
+// The highest possible priority (101) is used, because the constructor should be called
+// as the first one and the destructor as the last one in order to avoid use-after-free.
+void __attribute__((constructor(101))) umf_ba_constructor(void) {}
+
+void __attribute__((destructor(101))) umf_ba_destructor(void) {
+    umf_ba_destroy_global();
+}
 
 void *ba_os_alloc(size_t size) {
     return mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS,
diff --git a/src/libumf_windows.c b/src/libumf_windows.c
@@ -17,7 +17,10 @@ umf_memory_tracker_handle_t TRACKER = NULL;
 
 static void umfCreate(void) { TRACKER = umfMemoryTrackerCreate(); }
 
-static void umfDestroy(void) { umfMemoryTrackerDestroy(TRACKER); }
+static void umfDestroy(void) {
+    umfMemoryTrackerDestroy(TRACKER);
+    umf_ba_destroy_global();
+}
 
 #if defined(UMF_SHARED_LIBRARY)
 BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ extern "C" {`
`15`	`15`	`#endif`
`16`	`16`
`17`	`17`	`umf_ba_pool_t *umf_ba_get_pool(size_t size);`
	`18`	`+void umf_ba_destroy_global(void);`
`18`	`19`
`19`	`20`	`#ifdef __cplusplus`
`20`	`21`	`}`