IIRC, the allocator would possess a capability with authority over the whole heap, and it can derive a new pointer using that capability and the address of the block that's being freed.
Obviously, it should make sure that the capability passed to free has full authority over the block first, or else it may end up vulnerable to confused deputy attacks.
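The check described in the comment above, as an added example that is not part of the original post: a plain-C software model in which `cap_t`, `cap_derive`, `model_alloc` and `model_free` are hypothetical names, and bounds, permissions and the validity tag are ordinary struct fields rather than hardware-enforced state. `model_free` rederives the block pointer from the allocator's heap-wide capability only after confirming that the caller's capability covers the entire block with full permissions, so a narrowed or read-only capability cannot be used to make the allocator release memory on the caller's behalf.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Software model of a capability (assumption: real ones are hardware-checked). */
typedef struct { uintptr_t base; size_t len; unsigned perms; bool tag; } cap_t;
enum { PERM_LOAD = 1, PERM_STORE = 2, PERM_ALL = PERM_LOAD | PERM_STORE };

#define HEAP_SIZE  256
#define BLOCK_SIZE 64                      /* fixed-size blocks keep the model short */
#define NBLOCKS    (HEAP_SIZE / BLOCK_SIZE)
static unsigned char heap[HEAP_SIZE];
static bool in_use[NBLOCKS];
static cap_t heap_cap;                     /* allocator's private, heap-wide capability */

void heap_init(void) {
    heap_cap = (cap_t){ (uintptr_t)heap, HEAP_SIZE, PERM_ALL, true };
    for (size_t i = 0; i < NBLOCKS; i++) in_use[i] = false;
}

/* Monotonic derivation: the result is valid only if it is a subset of parent. */
static cap_t cap_derive(cap_t parent, uintptr_t base, size_t len, unsigned perms) {
    cap_t c = { base, len, perms, false };
    c.tag = parent.tag && base >= parent.base && len <= parent.len &&
            base - parent.base <= parent.len - len &&
            (perms & ~parent.perms) == 0;
    return c;
}

cap_t model_alloc(void) {
    for (size_t i = 0; i < NBLOCKS; i++) {
        if (in_use[i]) continue;
        in_use[i] = true;
        return cap_derive(heap_cap, heap_cap.base + i * BLOCK_SIZE, BLOCK_SIZE, PERM_ALL);
    }
    return (cap_t){0};                     /* untagged: allocation failed */
}

/* Returns 0 on success, -1 if the caller's capability is rejected. */
int model_free(cap_t c) {
    if (!c.tag || c.base < heap_cap.base || c.base - heap_cap.base >= HEAP_SIZE) return -1;
    size_t i = (c.base - heap_cap.base) / BLOCK_SIZE;  /* block found from the address */
    uintptr_t block_base = heap_cap.base + i * BLOCK_SIZE;
    /* Confused-deputy guard: caller must hold full authority over the whole block. */
    if (c.base != block_base || c.len != BLOCK_SIZE || c.perms != PERM_ALL) return -1;
    if (!in_use[i]) return -1;             /* double free */
    /* Only now exercise the allocator's own authority to rederive the block. */
    cap_t block = cap_derive(heap_cap, block_base, BLOCK_SIZE, PERM_ALL);
    if (!block.tag) return -1;
    in_use[i] = false;
    return 0;
}
```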