CVE-2019-15791 – Reference count underflow in shiftfs
https://notcve.org/view.php?id=CVE-2019-15791
In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() installs an fd referencing a file from the lower filesystem without taking an additional reference to that file. After the btrfs ioctl completes this fd is closed, which then puts a reference to that file, leading to a refcount underflow. En shiftfs, un parche no upstream para el Kernel de Linux incluido en las series kernel de Ubuntu versiones 5.0 y 5.3, shiftfs_btrfs_ioctl_fd_replace() instala un fd que hace referencia a un archivo del sistema de archivos inferior sin tomar una referencia adicional a ese archivo. Después de que el btrfs ioctl completa este fd se cierra, lo que entonces pone una referencia a ese archivo, lo que lleva a un subflujo de recuento. • https://www.exploit-db.com/exploits/47693 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=601a64857b3d7040ca15c39c929e6b9db3373ec1 https://usn.ubuntu.com/usn/usn-4183-1 https://usn.ubuntu.com/usn/usn-4184-1 • CWE-191: Integer Underflow (Wrap or Wraparound) CWE-672: Operation on a Resource after Expiration or Release •
CVE-2019-15792 – Type confusion in shiftfs
https://notcve.org/view.php?id=CVE-2019-15792
In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() calls fdget(oldfd), then without further checks passes the resulting file* into shiftfs_real_fdget(), which casts file->private_data, a void* that points to a filesystem-dependent type, to a "struct shiftfs_file_info *". As the private_data is not required to be a pointer, an attacker can use this to cause a denial of service or possibly execute arbitrary code. En shiftfs, un parche no upstream para el Kernel de Linux incluido en las series kernel de Ubuntu versiones 5.0 y 5.3, shiftfs_btrfs_ioctl_fd_replace() llama a fdget(oldfd), luego sin más comprobaciones pasa el archivo resultante* a shiftfs_real_fdget(), que lanza file->private_data, un vacío* que apunta a un tipo dependiente del sistema de archivos, a un "struct shiftfs_file_info *". Como no es necesario que el private_data sea un puntero, un atacante puede utilizarlo para provocar una denegación de servicio o posiblemente ejecutar un código arbitrario. • https://www.exploit-db.com/exploits/47693 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=5df147c8140efc71ac0879ae3b0057f577226d4c https://usn.ubuntu.com/usn/usn-4183-1 https://usn.ubuntu.com/usn/usn-4184-1 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVE-2019-15794 – Reference counting error in overlayfs/shiftfs error path when used in conjuction with aufs
https://notcve.org/view.php?id=CVE-2019-15794
Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. However, the aufs patchs change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow. Overlayfs en el kernel de Linux y shiftfs, un parche no upstream para el kernel de Linux incluido en las series de kernel Ubuntu versiones 5.0 y 5.3, ambos reemplazan vma->vm_file en sus manejadores de mmap. • https://www.exploit-db.com/exploits/47692 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=270d16ae48a4dbf1c7e25e94cc3e38b4bea37635 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=ef81780548d20a786cc77ed4203fca146fd81ce3 https://usn.ubuntu.com/usn/usn-4208-1 https://usn.ubuntu.com/usn/usn-4209-1 • CWE-672: Operation on a Resource after Expiration or Release •
CVE-2019-18806
https://notcve.org/view.php?id=CVE-2019-18806
A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f. Una pérdida de memoria en la función ql_alloc_large_buffers() en el archivo drivers/net/ethernet/qlogic/qla3xxx.c en el kernel de Linux versiones anteriores a 5.3.5, permite a usuarios locales causar una denegación de servicio (consumo de memoria) mediante la activación de fallos de la función pci_dma_mapping_error(), también se conoce como CID-1acb8f2a7a9f. • https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.5 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1acb8f2a7a9f10543868ddd737e37424d5c36cf4 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2019-18807
https://notcve.org/view.php?id=CVE-2019-18807
Two memory leaks in the sja1105_static_config_upload() function in drivers/net/dsa/sja1105/sja1105_spi.c in the Linux kernel before 5.3.5 allow attackers to cause a denial of service (memory consumption) by triggering static_config_buf_prepare_for_upload() or sja1105_inhibit_tx() failures, aka CID-68501df92d11. Dos fugas de memoria en la función sja1105_static_config_upload() en el archivo drivers/net/dsa/sja1105/sja1105_spi.c en el kernel de Linux versiones anteriores a 5.3.5, permiten a atacantes causar una denegación de servicio (consumo de memoria) mediante la activación de fallos de la función static_config_buf_prepare_for_upload() o sja1105_inhibit_tx(), también se conoce como CID-68501df92d11. • https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.5 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=68501df92d116b760777a2cfda314789f926476f https://security.netapp.com/advisory/ntap-20191205-0001 • CWE-401: Missing Release of Memory after Effective Lifetime •