CVE-2019-15794
published 2020-04-24CVE-2019-15794: Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file…
PriorityP431medium6.7CVSS 3.1
AVLACLPRHUINSUCHIHAH
EXPLOIT
EPSS
1.16%
63.1th percentile
Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. However, the aufs patchs change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | linux | < linux 5.16.7-1 (bookworm) | linux 5.16.7-1 (bookworm) |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.16.7-1 | 5.16.7-1 |
| linux | linux_kernel | >= 0 < 5.16.7-1 | 5.16.7-1 |
| linux | linux_kernel | >= 0 < 5.16.7-1 | 5.16.7-1 |
| ubuntu | linux_kernel | >= 5.0 kernel < 5.0.0-37.40 | 5.0.0-37.40 |
| ubuntu | linux_kernel | >= 5.3 kernel < 5.3.0-24.26 | 5.3.0-24.26 |
CVSS provenance
nvdv3.16.7MEDIUMCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.2HIGHAV:L/AC:L/Au:N/C:C/I:C/A:C
osv6.7MEDIUM
vendor_debian7.1HIGH
vendor_redhat7.1HIGH
vendor_ubuntu7.1HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-33f2-r445-jvq6: Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5
ghsa_unreviewed·2022-05-24
CVE-2019-15794 [HIGH] GHSA-33f2-r445-jvq6: Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5
Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. However, the aufs patchs change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow.
OSV
CVE-2019-15794: Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5
osv·2020-04-24·CVSS 6.7
CVE-2019-15794 [MEDIUM] CVE-2019-15794: Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5
Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. However, the aufs patchs change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow.
OSV
linux, linux-aws, linux-gcp, linux-gcp-5.3, linux-kvm, linux-oracle vulnerabilities
osv·2019-12-02·CVSS 6.7
CVE-2019-15794 [MEDIUM] linux, linux-aws, linux-gcp, linux-gcp-5.3, linux-kvm, linux-oracle vulnerabilities
linux, linux-aws, linux-gcp, linux-gcp-5.3, linux-kvm, linux-oracle vulnerabilities
Jann Horn discovered that the OverlayFS and ShiftFS Drivers in the Linux
kernel did not properly handle reference counting during memory mapping
operations when used in conjunction with AUFS. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2019-15794)
Nicolas Waisman discovered that the WiFi driver stack in the Linux kernel
did not properly validate SSID lengths. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2019-17133)
It was discovered that the ARM Komeda display driver for the Linux kernel
did not properly deallocate memory in certain error conditions. A local
attacker could use this
OSV
linux, linux-aws, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-hwe, linux-kvm, linux-oem-osp1, linux-oracle, linux-oracle-5.0, linux-raspi2 vulnerabilities
osv·2019-12-02·CVSS 6.7
CVE-2019-15794 [MEDIUM] linux, linux-aws, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-hwe, linux-kvm, linux-oem-osp1, linux-oracle, linux-oracle-5.0, linux-raspi2 vulnerabilities
linux, linux-aws, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-hwe, linux-kvm, linux-oem-osp1, linux-oracle, linux-oracle-5.0, linux-raspi2 vulnerabilities
Jann Horn discovered that the OverlayFS and ShiftFS Drivers in the Linux
kernel did not properly handle reference counting during memory mapping
operations when used in conjunction with AUFS. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2019-15794)
It was discovered that a buffer overflow existed in the 802.11 Wi-Fi
configuration interface for the Linux kernel when handling beacon settings.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2019-16746)
It was discovered that there was a memory le
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2019-12-02·CVSS 7.1
CVE-2019-15794 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Jann Horn discovered that the OverlayFS and ShiftFS Drivers in the Linux
kernel did not properly handle reference counting during memory mapping
operations when used in conjunction with AUFS. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2019-15794)
It was discovered that a buffer overflow existed in the 802.11 Wi-Fi
configuration interface for the Linux kernel when handling beacon settings.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2019-16746)
It was discovered that there was a memory leak in the Advanced Buffer
Management functionality of th
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2019-12-02·CVSS 7.1
CVE-2019-15794 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Jann Horn discovered that the OverlayFS and ShiftFS Drivers in the Linux
kernel did not properly handle reference counting during memory mapping
operations when used in conjunction with AUFS. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2019-15794)
Nicolas Waisman discovered that the WiFi driver stack in the Linux kernel
did not properly validate SSID lengths. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2019-17133)
It was discovered that the ARM Komeda display driver for the Linux kernel
did not properly deallocate memory in certain error conditions. A local
attac
Red Hat
kernel: Overlayfs in the Linux kernel and shiftfs not restoring original value on error leading to a refcount underflow
vendor_redhat·2019-11-12·CVSS 7.1
CVE-2019-15794 [HIGH] CWE-672 kernel: Overlayfs in the Linux kernel and shiftfs not restoring original value on error leading to a refcount underflow
kernel: Overlayfs in the Linux kernel and shiftfs not restoring original value on error leading to a refcount underflow
Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. However, the aufs patchs change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow.
A flaw was found in the Linux kernel. In Overlayfs, vma->vm_file was replaced in the mmap handle
Debian
CVE-2019-15794: linux - Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux ker...
vendor_debian·2019·CVSS 7.1
CVE-2019-15794 [HIGH] CVE-2019-15794: linux - Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux ker...
Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. However, the aufs patchs change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow.
Scope: local
bookworm: resolved (fixed in 5.16.7-1)
bullseye: open
forky: resolved (fixed in 5.16.7-1)
sid: resolved (fixed in 5.16.7-1)
trixie: resolved (fixed in 5.16.7-1)
No detection rules found.
Bugzilla
CVE-2019-15794 kernel: Overlayfs in the Linux kernel and shiftfs not restoring original value on error leading to a refcount underflow [fedora-all]
bugzilla·2020-05-06·CVSS 7.1
CVE-2019-15794 [HIGH] CVE-2019-15794 kernel: Overlayfs in the Linux kernel and shiftfs not restoring original value on error leading to a refcount underflow [fedora-all]
CVE-2019-15794 kernel: Overlayfs in the Linux kernel and shiftfs not restoring original value on error leading to a refcount underflow [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg
Bugzilla
CVE-2019-15794 kernel: Overlayfs in the Linux kernel and shiftfs not restoring original value on error leading to a refcount underflow
bugzilla·2020-05-04·CVSS 7.1
CVE-2019-15794 [HIGH] CVE-2019-15794 kernel: Overlayfs in the Linux kernel and shiftfs not restoring original value on error leading to a refcount underflow
CVE-2019-15794 kernel: Overlayfs in the Linux kernel and shiftfs not restoring original value on error leading to a refcount underflow
An issue was found in Overlayfs in the Linux kernel were it replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points.
On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. However, the aufs patchs change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow. This can lead to an invalid address access and a DoS problem.
Reference:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=2
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=270d16ae48a4dbf1c7e25e94cc3e38b4bea37635https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=ef81780548d20a786cc77ed4203fca146fd81ce3https://usn.ubuntu.com/usn/usn-4208-1https://usn.ubuntu.com/usn/usn-4209-1https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=270d16ae48a4dbf1c7e25e94cc3e38b4bea37635https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=ef81780548d20a786cc77ed4203fca146fd81ce3https://usn.ubuntu.com/usn/usn-4208-1https://usn.ubuntu.com/usn/usn-4209-1
2020-04-24
Published