Skip to content

fixed wrong usage of VirtualFree (win32)#891

Open
frankmorgner wants to merge 2 commits into
softhsm:mainfrom
frankmorgner:SecureAllocator
Open

fixed wrong usage of VirtualFree (win32)#891
frankmorgner wants to merge 2 commits into
softhsm:mainfrom
frankmorgner:SecureAllocator

Conversation

@frankmorgner

@frankmorgner frankmorgner commented Jun 27, 2026

Copy link
Copy Markdown

SecureAlloc should have never even compiled on win32. First, the API usage is wrong - VirtualFree requires a size parameter (0 in case of MEM_RELEASE). Second, the deallocator used a non existing variable name as reference.

This change fixes the usage, but the change itself is untested.

Summary by CodeRabbit

  • Bug Fixes
    • Improved Windows memory cleanup for secure non-paged allocations, including correct handling of allocation-failure cleanup.
    • Updated secure memory deallocation on Windows to better match the expected VirtualFree call pattern, reducing the risk of cleanup issues.

SecureAlloc should have never even compiled on win32. First, the API
usage is wrong - VirtualFree requires a size parameter (0 in case of
MEM_RELEASE). Second, the deallocator used a non existing variable name
as reference.

This change fixes the usage, but the change itself is untested.
@frankmorgner frankmorgner requested a review from a team as a code owner June 27, 2026 15:37
@coderabbitai

coderabbitai Bot commented Jun 27, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Four Windows VirtualFree call sites in secure allocation and deallocation paths are updated to pass 0 as the size argument together with MEM_RELEASE.

VirtualFree signature fix

Layer / File(s) Summary
Fix VirtualFree calls in secure allocation paths
src/lib/data_mgr/SecureAllocator.h, src/lib/data_mgr/salloc.cpp
The Windows cleanup and free paths in both files now call VirtualFree(..., 0, MEM_RELEASE) instead of omitting the size argument.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A tiny zero hopped in with a grin,
And freed-up calls now fit right in.
🐇 Two paths were fixed, concise and neat,
Windows memory cleanup now lands on its feet.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main Windows-specific VirtualFree fix in this changeset.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/data_mgr/SecureAllocator.h`:
- Line 125: The two VirtualFree calls in SecureAllocator should stop casting the
pointer to const void because that still does not match the Win32 LPVOID
signature and causes Windows build issues. Update the release path in the
SecureAllocator logic so VirtualFree is called with a mutable void*/LPVOID
pointer instead, keeping the existing allocation/free flow intact.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a784059a-02a0-4e3c-bcc4-8207c09aef37

📥 Commits

Reviewing files that changed from the base of the PR and between 22b1487 and a73f4b9.

📒 Files selected for processing (1)
  • src/lib/data_mgr/SecureAllocator.h

free(r);
#else
VirtualFree((const void*) r, MEM_RELEASE);
VirtualFree((const void*) r, 0, MEM_RELEASE);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

sed -n '110,190p' src/lib/data_mgr/SecureAllocator.h

Repository: softhsm/SoftHSMv2

Length of output: 1853


Remove the const cast from both VirtualFree calls. VirtualFree takes LPVOID, so VirtualFree((const void*) ...) still mismatches the Win32 signature and breaks Windows builds; pass void*/LPVOID instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/data_mgr/SecureAllocator.h` at line 125, The two VirtualFree calls in
SecureAllocator should stop casting the pointer to const void because that still
does not match the Win32 LPVOID signature and causes Windows build issues.
Update the release path in the SecureAllocator logic so VirtualFree is called
with a mutable void*/LPVOID pointer instead, keeping the existing
allocation/free flow intact.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/data_mgr/salloc.cpp`:
- Line 74: The Windows release path in salloc/sfree is still using an undefined
pointer name (`pre`) and mixed pointer variables, so make the pointer handling
consistent across the Windows branch of salloc and the cleanup path in sfree.
Update the allocation/lock/cleanup/return flow to use the same existing variable
(`ptr` or equivalent) everywhere, including the VirtualFree call and any
registry or unlock logic, so both _WIN32 paths compile cleanly.
- Line 119: The secure-path cleanup in `salloc.cpp` is mixing allocation APIs:
the `VirtualAlloc`/`VirtualFree` branch should not fall through to `free(ptr)`.
Update the cleanup logic around the `pre`/`ptr` handling so the `VirtualFree`
path only releases memory allocated by `VirtualAlloc`, and keep `free()`
exclusively for the malloc/valloc path; use the existing `salloc` deallocation
flow to separate the two cases cleanly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7932b398-1dde-436e-b840-8410c2ad3533

📥 Commits

Reviewing files that changed from the base of the PR and between a73f4b9 and 951b77a.

📒 Files selected for processing (1)
  • src/lib/data_mgr/salloc.cpp

free(ptr);
#else
VirtualFree((const void*) pre, MEM_RELEASE);
VirtualFree((const void*) pre, 0, MEM_RELEASE);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

pre is still undefined on both Windows release paths.

These call sites still cannot compile on _WIN32: sfree only has ptr, and salloc's Windows branch currently mixes r, ptr, and now pre. The size fix is correct, but the pointer variable needs to be made consistent across allocation, locking, cleanup, registry, and return first.

Suggested fix
 `#ifndef` _WIN32
 	void* ptr = (void*) valloc(len);
 `#else`
-	pointer r = (pointer) VirtualAlloc(NULL, n * sizeof(T), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+	void* ptr = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
 `#endif`
@@
 `#ifndef` _WIN32
 	if (mlock((const void*) ptr, len) != 0)
 `#else`
-	if (VirtualLock((const void*) r, n * sizeof(T)) == 0)
+	if (VirtualLock((const void*) ptr, len) == 0)
 `#endif`
@@
 `#ifndef` _WIN32
 		free(ptr);
 `#else`
-		VirtualFree((const void*) pre, 0, MEM_RELEASE);
+		VirtualFree((const void*) ptr, 0, MEM_RELEASE);
 `#endif`
@@
 `#else`
-	VirtualFree((const void*) pre, 0, MEM_RELEASE);
+	VirtualFree((const void*) ptr, 0, MEM_RELEASE);
 `#endif`

Also applies to: 119-119

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/data_mgr/salloc.cpp` at line 74, The Windows release path in
salloc/sfree is still using an undefined pointer name (`pre`) and mixed pointer
variables, so make the pointer handling consistent across the Windows branch of
salloc and the cleanup path in sfree. Update the allocation/lock/cleanup/return
flow to use the same existing variable (`ptr` or equivalent) everywhere,
including the VirtualFree call and any registry or unlock logic, so both _WIN32
paths compile cleanly.

munlock((const void*) ptr, len);
#else
VirtualFree((const void*) pre, MEM_RELEASE);
VirtualFree((const void*) pre, 0, MEM_RELEASE);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '44,125p' src/lib/data_mgr/salloc.cpp
echo '---'
sed -n '160,180p' src/lib/data_mgr/SecureAllocator.h

Repository: softhsm/SoftHSMv2

Length of output: 2211


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '--- src/lib/data_mgr/salloc.cpp ---\n'
cat -n src/lib/data_mgr/salloc.cpp | sed -n '1,220p'

printf '\n--- src/lib/data_mgr/SecureAllocator.h ---\n'
cat -n src/lib/data_mgr/SecureAllocator.h | sed -n '1,260p'

Repository: softhsm/SoftHSMv2

Length of output: 246


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '--- src/lib/data_mgr/salloc.cpp ---'
cat -n src/lib/data_mgr/salloc.cpp | sed -n '1,220p'

echo
echo '--- src/lib/data_mgr/SecureAllocator.h ---'
cat -n src/lib/data_mgr/SecureAllocator.h | sed -n '1,260p'

Repository: softhsm/SoftHSMv2

Length of output: 11328


🏁 Script executed:

#!/bin/bash
set -euo pipefail

rg -n '\bpre\b|\bVirtualFree\b|\bfree\(ptr\)' src/lib/data_mgr/salloc.cpp src/lib/data_mgr/SecureAllocator.h

Repository: softhsm/SoftHSMv2

Length of output: 580


Fix the Windows secure-path cleanup in src/lib/data_mgr/salloc.cpp:115-124. The VirtualAlloc branch still calls VirtualFree(...) and then falls through to free(ptr), which mixes deallocation APIs for the same buffer; keep free() on the malloc/valloc path only.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/data_mgr/salloc.cpp` at line 119, The secure-path cleanup in
`salloc.cpp` is mixing allocation APIs: the `VirtualAlloc`/`VirtualFree` branch
should not fall through to `free(ptr)`. Update the cleanup logic around the
`pre`/`ptr` handling so the `VirtualFree` path only releases memory allocated by
`VirtualAlloc`, and keep `free()` exclusively for the malloc/valloc path; use
the existing `salloc` deallocation flow to separate the two cases cleanly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant