Scrub deallocations before reallocation.

Author: mjp41

CMakeLists.txt

@@ -490,7 +490,8 @@ if(NOT SNMALLOC_HEADER_ONLY_LIBRARY)
       random_larger_thresholds;
       random_initial;
       random_preserve;
-      random_extra_slab)
+      random_extra_slab;
+      scrub_free)
 
 
     foreach (MITIGATION ${MITIGATIONS})

src/snmalloc/ds_core/mitigations.h

@@ -209,12 +209,18 @@ namespace snmalloc
    * model.
    */
   static constexpr mitigation::type pal_enforce_access{1 << 13};
+  /**
+   * If this mitigation is enabled, then deallocations are
+   * scrubbed before reallocation. This prevents data leaks
+   * by looking into uninitialised memory.
+   */
+  static constexpr mitigation::type scrub_free{1 << 14};
 
   constexpr mitigation::type full_checks = random_pagemap +
     random_larger_thresholds + freelist_forward_edge + freelist_backward_edge +
     freelist_teardown_validate + random_initial + random_preserve +
     metadata_protection + random_extra_slab + reuse_LIFO + sanity_checks +
-    clear_meta + pal_enforce_access;
+    clear_meta + pal_enforce_access + scrub_free;
 
   constexpr mitigation::type no_checks{0};
 

src/snmalloc/mem/corealloc.h

@@ -688,6 +688,12 @@ namespace snmalloc
         is_start_of_object(entry.get_sizeclass(), address_cast(p)),
         "Not deallocating start of an object");
 
+      if (mitigations(scrub_free))
+      {
+        Config::Pal::zero(
+          p.unsafe_ptr(), sizeclass_full_to_size(entry.get_sizeclass()));
+      }
+
       auto cp = p.as_static<freelist::Object::T<>>();
 
       auto& key = entropy.get_free_list_key();