From: Hongzhen Luo <hongzhen@linux.alibaba.com>
Date: Mon, 2 Dec 2024 02:40:19 +0000 (+0800)
Subject: erofs-utils: lib: fix user-after-free in xattr.c
X-Git-Tag: accepted/tizen/unified/20250610.081809~87
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a4a24fda82386304ef65af8cb071403ac9181676;p=platform%2Fupstream%2Ferofs-utils.git

erofs-utils: lib: fix user-after-free in xattr.c

Currently, put_xattritem() does not remove the `item`
from the hash table after freeing it, which may lead
to a user-after-free issue.

This patch fixes it.

Fixes: 47d6895a5ff9 ("erofs-utils: introduce inline xattr support")
Signed-off-by: Hongzhen Luo <hongzhen@linux.alibaba.com>
Reviewed-by: Sandeep Dhavale <dhavale@google.com>
Link: https://lore.kernel.org/r/20241202024019.85901-1-hongzhen@linux.alibaba.com
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
---

diff --git a/lib/xattr.c b/lib/xattr.c
index 7fbd24b..e420775 100644
--- a/lib/xattr.c
+++ b/lib/xattr.c
@@ -169,6 +169,7 @@ static unsigned int put_xattritem(struct xattr_item *item)
 {
 	if (item->count > 1)
 		return --item->count;
+	hash_del(&item->node);
 	free(item);
 	return 0;
 }