It is possible to trigger a double free with an invalid verity partition. All it takes is an unknown hash algorithm, which makes it a bit more likely than a completely broken partition header. But all it takes is an error return value of VERITY_read_sb() or strdup().
If crypt_load fails before setting cd->type, crypt_free will handle the union as if it was of type "none", which means it will call free() for "active_name", a field which is only properly set up when the type was actually "none".
In all other cases, "active_name" contains the first 4 or 8 bytes of the actually used header structure. Fortunately it can be only a pointer or NULL, so an attacker has no direct control of the value. Nonetheless it can easily trigger a double free.
Signed-off-by: Tobias Stoeckmann firstname.lastname@example.org