Double free vulnerability in do_rename_gpt_parts
jordy at simplyhacker.com
Fri Jan 17 13:03:09 CET 2020
Hello U-Boot lists!
I think I found a double free bug in U-Boot, in /cmp/gpt.c in the function do_rename_gpt_parts().
On line 702 the partition_list is being free'd if ret is smaller than 0.
If the return value is not -ENOMEM it will go to the out: label and free the partition_list again.
Double freeing may result in a write-what-where condition, allowing an attacker to execute arbitrary code.
My advice would be to not free the parition_list on line 702 as nothing is being done with it there afterwards anyway and leave your clean_up in the out: label :)
More information about the U-Boot