authorGao Xiang <hsiangkao@linux.alibaba.com>2023-08-21 17:39:29 +0800
committerGao Xiang <hsiangkao@linux.alibaba.com>2023-08-21 23:14:59 +0800
commit88a43ec74514b311773c3a0824e0344c2687c593 (patch)
tree1a678b4fada89bee9e9142c881ff5b2c7046a2d2
parent0111d59cfcaeea694371d5489ce2a8f0ab942381 (diff)
downloaderofs-utils-88a43ec74514b311773c3a0824e0344c2687c593.tar.gz
erofs-utils: sbi->devs should be cleared after freed
Otherwise, it could cause a double-free if sbi is reused when fuzzing [1]. [1] https://github.com/erofs/erofsnightly/actions/runs/5921003885/job/16053013007 Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com> Link: https://lore.kernel.org/r/20230821093929.17146-1-hsiangkao@linux.alibaba.com
-rw-r--r--lib/super.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/super.c b/lib/super.c
index 21dc51f..373354a 100644
--- a/lib/super.c
+++ b/lib/super.c
@@ -57,6 +57,7 @@ static int erofs_init_devices(struct erofs_sb_info *sbi,
ret = dev_read(sbi, 0, &dis, pos, sizeof(dis));
if (ret < 0) {
free(sbi->devs);
+ sbi->devs = NULL;
return ret;
}
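Review bot: Only the pointer is reset on this dev_read() failure path, so any device count or mask that erofs_init_devices stored in sbi before the allocation would still describe a table that no longer exists. Those assignments are not visible here, because the function body starts outside the hunk. If such fields exist, a reused sbi could index a NULL `sbi->devs`, so they should be zeroed in the same branch. A short comment would also record why the reset matters, for example `/* sbi may be reused; leave no dangling devs for erofs_put_super() */`.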
@@ -126,14 +127,18 @@ int erofs_read_superblock(struct erofs_sb_info *sbi)
return ret;
ret = erofs_xattr_prefixes_init(sbi);
- if (ret)
+ if (ret && sbi->devs) {
free(sbi->devs);
+ sbi->devs = NULL;
+ }
return ret;
}
void erofs_put_super(struct erofs_sb_info *sbi)
{
- if (sbi->devs)
+ if (sbi->devs) {
free(sbi->devs);
+ sbi->devs = NULL;
+ }
erofs_xattr_prefixes_cleanup(sbi);
}
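Review bot: The free-and-reset sequence for `sbi->devs` now appears three times (twice in this hunk and once in erofs_init_devices), and the double free this commit fixes is exactly what a site missing the reset would cause. A small helper such as `static void erofs_free_devs(struct erofs_sb_info *sbi) { free(sbi->devs); sbi->devs = NULL; }` would keep the sites in step. The `sbi->devs` NULL tests in `if (ret && sbi->devs)` and `if (sbi->devs)` are redundant, because free(NULL) is a no-op. erofs_xattr_prefixes_cleanup() runs on the same possibly reused sbi, but its body is not shown, so it is worth confirming that it also clears every pointer it frees.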