VYPR
Unrated severity · NVD Advisory · Published Jan 29, 2020 · Updated Aug 4, 2024

CVE-2020-8432

Description

In Das U-Boot through 2020.01, a double free has been found in the cmd/gpt.c do_rename_gpt_parts() function. Double freeing may result in a write-what-where condition, allowing an attacker to execute arbitrary code. NOTE: this vulnerability was introduced when attempting to fix a memory leak identified by static analysis.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A double free in U-Boot's GPT command do_rename_gpt_parts() (up to 2020.01) can lead to arbitrary code execution via a write-what-where condition.

Vulnerability

A double-free vulnerability was discovered in Das U-Boot's cmd/gpt.c file, specifically in the do_rename_gpt_parts() function. The bug was introduced in commit 18030d04 ("GPT: fix memory leaks identified by Coverity") and affects U-Boot through version 2020.01. On line 702, partition_list is freed if ret is less than 0; however, if the return value is not -ENOMEM, execution proceeds to the out: label where partition_list is freed again, resulting in a double-free condition [1][2].

Exploitation

An attacker must be able to issue the gpt rename command within the U-Boot shell, which typically requires physical or serial console access or a compromised boot flow. The double-free occurs when the function fails with a return value other than -ENOMEM. This can be triggered by supplying malformed GPT partition data or inducing an error during the rename operation. The double-free may corrupt heap metadata, leading to a write-what-where primitive that can be leveraged for arbitrary code execution [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary code at the U-Boot privilege level, which often means full control over the boot process and system firmware. This could enable persistent compromise, bypass of secure boot, or loading of a malicious operating system. The impact is considered high due to the privileged context [1][2].

Mitigation

A fix was proposed in the referenced mailing list threads: remove the premature free() on line 702 and rely on the cleanup at the out: label. As of the 2020.01 release, no official patch had been merged, and users were advised to apply the suggested change manually. No CISA KEV listing is available. Users should update to a version containing the fix (e.g., a subsequent release after 2020.01) or apply the workaround [1][2].
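
The control flow described under Vulnerability and the single-cleanup fix described under Mitigation, as an added example that is not U-Boot's code. It is a reduced model: the function names, the step_result parameter, the counting allocator and the early return on -ENOMEM are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Model allocator: counts releases instead of touching the heap. */
static char pool[64];
static int release_count;
static char *model_alloc(void) { release_count = 0; return pool; }
static void model_free(char *p) { if (p) release_count++; }

/* Flow as the advisory describes it; step_result is a hypothetical input. */
int rename_vulnerable(int step_result)
{
    char *partition_list = model_alloc();
    int ret = step_result;
    if (ret < 0) {
        model_free(partition_list);  /* premature free */
        if (ret == -ENOMEM)
            return ret;              /* assumption: simplified exit */
        goto out;
    }
out:
    model_free(partition_list);      /* cleanup frees it again */
    return ret;
}

/* Suggested fix: no early free, release only at out:. */
int rename_fixed(int step_result)
{
    char *partition_list = model_alloc();
    int ret = step_result;
    if (ret < 0)
        goto out;
out:
    model_free(partition_list);
    return ret;
}

/* Releases seen on one call path. */
int releases(int (*fn)(int), int step_result)
{
    fn(step_result);
    return release_count;
}

int main(void)
{
    printf("-EINVAL: vulnerable=%d fixed=%d releases\n",
           releases(rename_vulnerable, -EINVAL), releases(rename_fixed, -EINVAL));
    return 0;
}
```

Any path that reports more than one release for the same buffer is the double free; a single owner of the cleanup at the out: label keeps every exit path at exactly one.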

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

20

References

3
