erofs-utils: sbi->devs should be cleared after freed
authorGao Xiang <hsiangkao@linux.alibaba.com>
Mon, 21 Aug 2023 09:39:29 +0000 (17:39 +0800)
committerGao Xiang <hsiangkao@linux.alibaba.com>
Mon, 21 Aug 2023 15:14:59 +0000 (23:14 +0800)
Otherwise, it could cause a double-free if sbi is reused
when fuzzing [1].

[1] https://github.com/erofs/erofsnightly/actions/runs/5921003885/job/16053013007

Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Link: https://lore.kernel.org/r/20230821093929.17146-1-hsiangkao@linux.alibaba.com
lib/super.c

index 21dc51f73129f9b5a8c3178a18cc7a269bd772e6..373354ab997b31fb4583ce3284fa380f68230ca1 100644 (file)
@@ -57,6 +57,7 @@ static int erofs_init_devices(struct erofs_sb_info *sbi,
                ret = dev_read(sbi, 0, &dis, pos, sizeof(dis));
                if (ret < 0) {
                        free(sbi->devs);
+                       sbi->devs = NULL;
                        return ret;
                }
 
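Review bot: The free-and-reset pair introduced at `sbi->devs = NULL;` is now spelled out by hand in three places (here and twice in the erofs_read_superblock / erofs_put_super hunk), which is exactly how the missing reset fixed by this commit slipped in. A single helper, `static void erofs_free_devices(struct erofs_sb_info *sbi) { free(sbi->devs); sbi->devs = NULL; }`, called from every release path would keep the "freed implies NULL" invariant in one spot; since free(NULL) is a no-op the helper needs no guard. The enclosing erofs_init_devices begins before this hunk and continues past it, so any other error paths in it that release devs are not visible here and would want the same treatment.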
@@ -126,14 +127,18 @@ int erofs_read_superblock(struct erofs_sb_info *sbi)
                return ret;
 
        ret = erofs_xattr_prefixes_init(sbi);
-       if (ret)
+       if (ret && sbi->devs) {
                free(sbi->devs);
+               sbi->devs = NULL;
+       }
        return ret;
 }
 
 void erofs_put_super(struct erofs_sb_info *sbi)
 {
-       if (sbi->devs)
+       if (sbi->devs) {
                free(sbi->devs);
+               sbi->devs = NULL;
+       }
        erofs_xattr_prefixes_cleanup(sbi);
 }
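Review bot: The `sbi->devs` tests at `if (ret && sbi->devs) {` and at erofs_put_super's `if (sbi->devs) {` are redundant, because free(NULL) is defined as a no-op and re-assigning NULL is harmless; the unconditional `free(sbi->devs); sbi->devs = NULL;` is shorter and leaves no branch in which the pointer could be left dangling. In erofs_read_superblock the reset is applied only on the erofs_xattr_prefixes_init failure path; the function begins outside this hunk, so whether the earlier `return ret;` at the top of the hunk can also leave devs allocated cannot be judged from what is shown.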