In Das U-Boot through 2020.01, a double free has been found in the cmd/gpt.c do_rename_gpt_parts() function. Double freeing may result in a write-what-where condition, allowing an attacker to execute arbitrary code. NOTE: this vulnerablity was introduced when attempting to fix a memory leak identified by static analysis.
Weakness
The product calls free() twice on the same memory address.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| U-boot | Denx | * | 2020.01 (including) |
| U-boot | Ubuntu | bionic | * |
| U-boot | Ubuntu | eoan | * |
| U-boot | Ubuntu | esm-infra/bionic | * |
| U-boot | Ubuntu | esm-infra/focal | * |
| U-boot | Ubuntu | focal | * |
| U-boot | Ubuntu | trusty | * |
| U-boot | Ubuntu | upstream | * |
Potential Mitigations
References
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00030.html
- https://www.mail-archive.com/u-boot%40lists.denx.de/msg354060.html
- https://www.mail-archive.com/u-boot%40lists.denx.de/msg354114.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00030.html
- https://www.mail-archive.com/u-boot%40lists.denx.de/msg354060.html
- https://www.mail-archive.com/u-boot%40lists.denx.de/msg354114.html