CVE-2019-15794

Reference counting error in overlayfs/shiftfs error path when used in conjuction with aufs

Severity Score

6.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. However, the aufs patchs change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow.

Overlayfs en el kernel de Linux y shiftfs, un parche no upstream para el kernel de Linux incluido en las series de kernel Ubuntu versiones 5.0 y 5.3, ambos reemplazan vma->vm_file en sus manejadores de mmap. En el error el valor original no se restaura, y se pone la referencia para el archivo al que apunta vm_file. En los núcleos ascendentes esto no es un problema, ya que ninguna de las llamadas que siguen a vm_file después de call_mmap() devuelve un error. Sin embargo, los parches de aufs cambian mmap_region() para reemplazar el fput() usando una variable local con vma_fput(), la cual fput() vm_file, lo que lleva a un subflujo de recuento.

A flaw was found in the Linux kernel. In Overlayfs, vma->vm_file was replaced in the mmap handlers and, on errors, the original value is not restored. A local attacker with special user privilege (or root) can cause a kernel internal information leak. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Jann Horn discovered that the OverlayFS and ShiftFS Drivers in the Linux kernel did not properly handle reference counting during memory mapping operations when used in conjunction with AUFS. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a buffer overflow existed in the 802.11 Wi-Fi configuration interface for the Linux kernel when handling beacon settings. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Various other issues were also addressed.

*Credits: Jann Horn of Google Project Zero

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-08-29 CVE Reserved
2019-11-12 CVE Published
2019-11-12 First Exploit
2024-09-16 CVE Updated
2025-03-29 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-672: Operation on a Resource after Expiration or Release

CAPEC

References (8)

URL	Tag	Source
https://usn.ubuntu.com/usn/usn-4208-1	Third Party Advisory
https://usn.ubuntu.com/usn/usn-4209-1	Third Party Advisory

URL	Date	SRC
https://packetstorm.news/files/id/155249	2019-11-12
https://www.exploit-db.com/exploits/47692	2019-11-20

URL	Date	SRC
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=270d16ae48a4dbf1c7e25e94cc3e38b4bea37635	2020-05-26
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=ef81780548d20a786cc77ed4203fca146fd81ce3	2020-05-26

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2019-15794	2021-11-09
https://bugzilla.redhat.com/show_bug.cgi?id=1831055	2021-11-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.0 Search vendor "Linux" for product "Linux Kernel" and version "5.0"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.3 Search vendor "Linux" for product "Linux Kernel" and version "5.3"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				19.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.10"		-		Affected