CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 1CVE-2019-15792 – Type confusion in shiftfs
https://notcve.org/view.php?id=CVE-2019-15792
In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() calls fdget(oldfd), then without further checks passes the resulting file* into shiftfs_real_fdget(), which casts file->private_data, a void* that points to a filesystem-dependent type, to a "struct shiftfs_file_info *". As the private_data is not required to be a pointer, an attacker can use this to cause a denial of service or possibly execute arbitrary code. En shiftfs, un parche no upstream para el Kernel de Linux incluido en las series kernel de Ubuntu versiones 5.0 y 5.3, shiftfs_btrfs_ioctl_fd_replace() llama a fdget(oldfd), luego sin más comprobaciones pasa el archivo resultante* a shiftfs_real_fdget(), que lanza file->private_data, un vacío* que apunta a un tipo dependiente del sistema de archivos, a un "struct shiftfs_file_info *". Como no es necesario que el private_data sea un puntero, un atacante puede utilizarlo para provocar una denegación de servicio o posiblemente ejecutar un código arbitrario. • https://www.exploit-db.com/exploits/47693 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=5df147c8140efc71ac0879ae3b0057f577226d4c https://usn.ubuntu.com/usn/usn-4183-1 https://usn.ubuntu.com/usn/usn-4184-1 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 1CVE-2019-15793 – Mishandling of file-system uid/gid with namespaces in shiftfs
https://notcve.org/view.php?id=CVE-2019-15793
In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, several locations which shift ids translate user/group ids before performing operations in the lower filesystem were translating them into init_user_ns, whereas they should have been translated into the s_user_ns for the lower filesystem. This resulted in using ids other than the intended ones in the lower fs, which likely did not map into the shifts s_user_ns. A local attacker could use this to possibly bypass discretionary access control permissions. En shiftfs, un parche no upstream para el Kernel de Linux incluido en las series kernel de Ubuntu versiones 5.0 y 5.3, varias ubicaciones que desplazan los ids traducen los ids de usuario/grupo antes de realizar operaciones en el sistema de archivos inferior los estaban traduciendo a init_user_ns, mientras que deberían haber sido traducidos a s_user_ns para el sistema de archivos inferior. Esto dio lugar a que se utilizaran ids distintos de los previstos en los fs inferiores, que probablemente no se mapearon en los shifts s_user_ns. • https://www.exploit-db.com/exploits/47693 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=3644b9d5688da86f18e017c9c580b75cf52927bb https://usn.ubuntu.com/usn/usn-4183-1 https://usn.ubuntu.com/usn/usn-4184-1 • CWE-276: Incorrect Default Permissions CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 1CVE-2019-15791 – Reference count underflow in shiftfs
https://notcve.org/view.php?id=CVE-2019-15791
In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() installs an fd referencing a file from the lower filesystem without taking an additional reference to that file. After the btrfs ioctl completes this fd is closed, which then puts a reference to that file, leading to a refcount underflow. En shiftfs, un parche no upstream para el Kernel de Linux incluido en las series kernel de Ubuntu versiones 5.0 y 5.3, shiftfs_btrfs_ioctl_fd_replace() instala un fd que hace referencia a un archivo del sistema de archivos inferior sin tomar una referencia adicional a ese archivo. Después de que el btrfs ioctl completa este fd se cierra, lo que entonces pone una referencia a ese archivo, lo que lleva a un subflujo de recuento. • https://www.exploit-db.com/exploits/47693 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=601a64857b3d7040ca15c39c929e6b9db3373ec1 https://usn.ubuntu.com/usn/usn-4183-1 https://usn.ubuntu.com/usn/usn-4184-1 • CWE-191: Integer Underflow (Wrap or Wraparound) CWE-672: Operation on a Resource after Expiration or Release •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 1CVE-2019-15794 – Reference counting error in overlayfs/shiftfs error path when used in conjuction with aufs
https://notcve.org/view.php?id=CVE-2019-15794
Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. However, the aufs patchs change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow. Overlayfs en el kernel de Linux y shiftfs, un parche no upstream para el kernel de Linux incluido en las series de kernel Ubuntu versiones 5.0 y 5.3, ambos reemplazan vma->vm_file en sus manejadores de mmap. • https://www.exploit-db.com/exploits/47692 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=270d16ae48a4dbf1c7e25e94cc3e38b4bea37635 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=ef81780548d20a786cc77ed4203fca146fd81ce3 https://usn.ubuntu.com/usn/usn-4208-1 https://usn.ubuntu.com/usn/usn-4209-1 • CWE-672: Operation on a Resource after Expiration or Release •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-18806
https://notcve.org/view.php?id=CVE-2019-18806
A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f. Una pérdida de memoria en la función ql_alloc_large_buffers() en el archivo drivers/net/ethernet/qlogic/qla3xxx.c en el kernel de Linux versiones anteriores a 5.3.5, permite a usuarios locales causar una denegación de servicio (consumo de memoria) mediante la activación de fallos de la función pci_dma_mapping_error(), también se conoce como CID-1acb8f2a7a9f. • https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.5 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1acb8f2a7a9f10543868ddd737e37424d5c36cf4 • CWE-401: Missing Release of Memory after Effective Lifetime •