From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jordy <jordy@simplyhacker.com>
Date: Fri, 17 Jan 2020 07:03:09 -0500 (EST)
Subject: Double free vulnerability in do_rename_gpt_parts
Message-ID: <1646688175.190878.1579262589951@privateemail.com>
List-Id: <u-boot.lists.denx.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Hello U-Boot lists!

I think I found a double free bug in U-Boot, in /cmp/gpt.c in the function do_rename_gpt_parts().

On line 702 the partition_list is being free'd if ret is smaller than 0.
If the return value is not -ENOMEM it will go to the out: label and free the partition_list again.

Double freeing may result in a write-what-where condition, allowing an attacker to execute arbitrary code.

My advice would be to not free the parition_list on line 702 as nothing is being done with it there afterwards anyway and leave your clean_up in the out: label :)

Kind Regards,

Jordy Zomer