erofs-utils: lib: fix use-after-free in xattr.c
author Hongzhen Luo <hongzhen@linux.alibaba.com>
Mon, 2 Dec 2024 02:40:19 +0000 (10:40 +0800)
committer Gao Xiang <hsiangkao@linux.alibaba.com>
Tue, 3 Dec 2024 02:18:07 +0000 (10:18 +0800)
Currently, put_xattritem() does not remove the `item`
from the hash table after freeing it, which may lead
to a use-after-free issue.

This patch fixes it.

Fixes: 47d6895a5ff9 ("erofs-utils: introduce inline xattr support")
Signed-off-by: Hongzhen Luo <hongzhen@linux.alibaba.com>
Reviewed-by: Sandeep Dhavale <dhavale@google.com>
Link: https://lore.kernel.org/r/20241202024019.85901-1-hongzhen@linux.alibaba.com
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
lib/xattr.c

index 7fbd24bbdd75fe6536cd69bc9d0afba9d94f4924..e4207758fa62151e4f1057896272e51a08f745f3 100644 (file)
@@ -169,6 +169,7 @@ static unsigned int put_xattritem(struct xattr_item *item)
 {
        if (item->count > 1)
                return --item->count;
+       hash_del(&item->node);
        free(item);
        return 0;
 }
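
Review bot: the new `hash_del(&item->node);` ahead of `free(item);` runs unconditionally for every item that fails the `item->count > 1` test, so it relies on each such item already being linked into the hash table, and the visible lines do not show that guarantee. If put_xattritem() can be reached with an item that was allocated but never hashed, unlinking its node would corrupt the table instead of protecting it, so it is worth stating the invariant in a short comment above the call or confirming in the commit message that all callers pass hashed items. The message would also be easier to assess for backporting if it named the later lookup or traversal that touches the freed entry.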