CVE-2019-15791
Published 2020-04-24
Priority: P3 · 42 · high · 7.8 CVSS 3.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.32% (67.2th percentile)
In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() installs an fd referencing a file from the lower filesystem without taking an additional reference to that file. After the btrfs ioctl completes this fd is closed, which then puts a reference to that file, leading to a refcount underflow.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | linux | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| ubuntu | shiftfs_in_the_linux_kernel | >= 5.0 kernel < 5.0.0-35.38 | 5.0.0-35.38 |
| ubuntu | shiftfs_in_the_linux_kernel | >= 5.3.0-11.12 < 5.3 kernel* | 5.3 kernel* |
CVSS provenance
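| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.1 | LOW | — |
| vendor_redhat | — | 7.1 | HIGH | — |
| vendor_ubuntu | — | 6.5 | MEDIUM | — |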
Ubuntu
Linux kernel vulnerability and regression
vendor_ubuntu·2019-11-13·CVSS 6.5
CVE-2019-0155 [MEDIUM] Linux kernel vulnerability and regression
Title: Linux kernel vulnerability and regression
Summary: Several issues were fixed in the Linux kernel.
USN-4184-1 fixed vulnerabilities in the Linux kernel. It was discovered
that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command
Streamer check) was incomplete on 64-bit Intel x86 systems. Also, the
update introduced a regression that broke KVM guests where extended
page tables (EPT) are disabled or not supported. This update addresses
both issues.
We apologize for the inconvenience.
Original advisory details:
Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo,
Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz
Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel
processors using Transactional Synchronizati
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2019-11-13·CVSS 6.5
CVE-2018-12207 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo,
Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz
Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel
processors using Transactional Synchronization Extensions (TSX) could
expose memory contents previously stored in microarchitectural buffers to a
malicious process that is executing on the same CPU core. A local attacker
could use this to expose sensitive information. (CVE-2019-11135)
It was discovered that the Intel i915 graphics chipsets allowed userspace
to modify page table entries via writes to MMIO from the Blitter Command
Streamer and expose kernel memory informat
Ubuntu
Linux kernel vulnerability
vendor_ubuntu·2019-11-13·CVSS 6.5
CVE-2019-0155 [MEDIUM] Linux kernel vulnerability
Title: Linux kernel vulnerability
Summary: Several security issues were fixed in the Linux kernel.
USN-4183-1 fixed vulnerabilities in the Linux kernel. It was
discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter
Command Streamer check) was incomplete on 64-bit Intel x86 systems.
This update addresses the issue.
We apologize for the inconvenience.
Original advisory details:
Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo,
Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz
Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel
processors using Transactional Synchronization Extensions (TSX) could
expose memory contents previously stored in microarchitectural buffers to a
malicious process that is executi
Red Hat
kernel: reference count underflow was discovered in shiftfs implementation causing dos
vendor_redhat·2019-11-01·CVSS 7.1
CVE-2019-15791 [HIGH] CWE-400 kernel: reference count underflow was discovered in shiftfs implementation causing dos
In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() installs an fd referencing a file from the lower filesystem without taking an additional reference to that file. After the btrfs ioctl completes this fd is closed, which then puts a reference to that file, leading to a refcount underflow.
A vulnerability was found in Linux kernel. A reference count underflow was discovered in the shiftfs implementation which could be used to cause a denial of service (system crash) or possibly execute arbitrary code. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Sta
Debian
CVE-2019-15791: linux - In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 ...
vendor_debian·2019·CVSS 7.1
CVE-2019-15791 [HIGH] CVE-2019-15791: linux - In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 ...
In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() installs an fd referencing a file from the lower filesystem without taking an additional reference to that file. After the btrfs ioctl completes this fd is closed, which then puts a reference to that file, leading to a refcount underflow.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-5fx5-7qgj-cmg7: In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5
ghsa_unreviewed·2022-05-24
CVE-2019-15791 [MEDIUM] GHSA-5fx5-7qgj-cmg7: In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5
In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() installs an fd referencing a file from the lower filesystem without taking an additional reference to that file. After the btrfs ioctl completes this fd is closed, which then puts a reference to that file, leading to a refcount underflow.
OSV
linux, linux-hwe, linux-oem-osp1 vulnerability and regression
osv·2019-11-13·CVSS 6.5
CVE-2019-0155 [MEDIUM] linux, linux-hwe, linux-oem-osp1 vulnerability and regression
USN-4184-1 fixed vulnerabilities in the Linux kernel. It was discovered
that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command
Streamer check) was incomplete on 64-bit Intel x86 systems. Also, the
update introduced a regression that broke KVM guests where extended
page tables (EPT) are disabled or not supported. This update addresses
both issues.
We apologize for the inconvenience.
Original advisory details:
Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo,
Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz
Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel
processors using Transactional Synchronization Extensions (TSX) could
expose memory cont
OSV
linux, linux-aws, linux-azure, linux-gcp, linux-gke-5.0, linux-hwe, linux-kvm, linux-oem-osp1, linux-oracle, linux-raspi2 vulnerabilities
osv·2019-11-13·CVSS 6.5
[MEDIUM] linux, linux-aws, linux-azure, linux-gcp, linux-gke-5.0, linux-hwe, linux-kvm, linux-oem-osp1, linux-oracle, linux-raspi2 vulnerabilities
Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo,
Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz
Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel
processors using Transactional Synchronization Extensions (TSX) could
expose memory contents previously stored in microarchitectural buffers to a
malicious process that is executing on the same CPU core. A local attacker
could use this to expose sensitive information. (CVE-2019-11135)
It was discovered that the Intel i915 graphics chipsets allowed userspace
to modify page table entries via writes to MMIO from the Blitter Command
Stream
OSV
CVE-2019-15791: In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5
osv·2019-11-12·CVSS 7.8
CVE-2019-15791 [HIGH] CVE-2019-15791: In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5
In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() installs an fd referencing a file from the lower filesystem without taking an additional reference to that file. After the btrfs ioctl completes this fd is closed, which then puts a reference to that file, leading to a refcount underflow.
No detection rules found.
Bugzilla
CVE-2019-15791 kernel: reference count underflow was discovered in shiftfs implementation causing dos
bugzilla·2020-02-11·CVSS 7.1
CVE-2019-15791 [HIGH] CVE-2019-15791 kernel: reference count underflow was discovered in shiftfs implementation causing dos
A vulnerability was found in Linux Kernel, where a reference count underflow was discovered in the shiftfs implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
Reference:
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15791.html
Discussion:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1801617]
---
Shiftfs is not upstream, and is currently an Ubuntu-specific patch set. This has never impacted any Fedora products.
---
The fs/shiftfs.c file affected by this flaw is also not present in RHEL.
---
Statement:
No current shipping products include the c
Bugzilla
CVE-2019-15791 kernel: reference count underflow was discovered in shiftfs implementation causing dos [fedora-all]
bugzilla·2020-02-11·CVSS 7.1
CVE-2019-15791 [HIGH] CVE-2019-15791 kernel: reference count underflow was discovered in shiftfs implementation causing dos [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issu
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=601a64857b3d7040ca15c39c929e6b9db3373ec1
https://usn.ubuntu.com/usn/usn-4183-1
https://usn.ubuntu.com/usn/usn-4184-1