Furi: Detect use-after-free

Next-Flip · Nov 9, 2024 · 996e62e · 996e62e
1 parent 68fba5b
commit 996e62e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/furi/core/memmgr_heap.c b/furi/core/memmgr_heap.c
@@ -527,7 +527,7 @@ void vPortFree(void* pv) {
                     /* Add this block to the list of free blocks. */
                     xFreeBytesRemaining += pxLink->xBlockSize;
                     traceFREE(pv, pxLink->xBlockSize);
-                    memset(pv, 0, pxLink->xBlockSize - xHeapStructSize);
+                    memset(pv, 0xDD, pxLink->xBlockSize - xHeapStructSize);
                     prvInsertBlockIntoFreeList((BlockLink_t*)pxLink);
                 }
                 (void)xTaskResumeAll();

diff --git a/targets/f7/furi_hal/furi_hal_interrupt.c b/targets/f7/furi_hal/furi_hal_interrupt.c
@@ -314,6 +314,8 @@ void MemManage_Handler(void) {
 }
 
 void BusFault_Handler(void) {
+    const char* crash_msg = "BusFault";
+
     furi_log_puts("\r\n" _FURI_LOG_CLR_E "Bus fault:\r\n");
     if(FURI_BIT(SCB->CFSR, SCB_CFSR_LSPERR_Pos)) {
         furi_log_puts(" - lazy stacking for exception entry\r\n");
@@ -351,11 +353,13 @@ void BusFault_Handler(void) {
 
         if(busfault_address == (uint32_t)NULL) {
             furi_log_puts(" -- NULL pointer dereference\r\n");
+        } else if(busfault_address >= 0xDDDDDDDD && busfault_address <= 0xDDDEDDDD) {
+            crash_msg = "Possible use-after-free";
         }
     }
     furi_log_puts(_FURI_LOG_CLR_RESET);
 
-    furi_crash("BusFault");
+    furi_crash(crash_msg);
 }
 
 void UsageFault_Handler(void) {