CVE-2019-15792

24.04.2020, 00:15

In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() calls fdget(oldfd), then without further checks passes the resulting file* into shiftfs_real_fdget(), which casts file->private_data, a void* that points to a filesystem-dependent type, to a "struct shiftfs_file_info *". As the private_data is not required to be a pointer, an attacker can use this to cause a denial of service or possibly execute arbitrary code.

Type Confusion

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
canonical	CNA	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 49%

Vendor	Product	Version
linux	linux_kernel	5.0
linux	linux_kernel	5.3
canonical	ubuntu_linux	18.04
canonical	ubuntu_linux	19.04

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
trixie	6.11.5-1 fixed
sid	6.11.6-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

eoan	Fixed 5.3.0-22.24 released
disco	not-affected
bionic	not-affected
xenial	not-affected
trusty	ignored

linux-aws

eoan	Fixed 5.3.0-1007.8 released
disco	not-affected
bionic	not-affected
xenial	not-affected
trusty	ignored

linux-aws-5.0

eoan	dne
disco	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-aws-hwe

eoan	dne
disco	dne
bionic	dne
xenial	not-affected
trusty	dne

linux-azure

eoan	Fixed 5.3.0-1007.8 released
disco	not-affected
bionic	not-affected
xenial	not-affected
trusty	ignored

linux-azure-5.3

eoan	dne
disco	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-azure-edge

eoan	dne
disco	dne
bionic	ignored
xenial	ignored
trusty	dne

linux-gcp

eoan	Fixed 5.3.0-1008.9 released
disco	not-affected
bionic	not-affected
xenial	not-affected
trusty	dne

linux-gcp-5.3

eoan	dne
disco	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-gcp-edge

eoan	dne
disco	dne
bionic	ignored
xenial	dne
trusty	dne

linux-gke-4.15

eoan	dne
disco	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-gke-5.0

eoan	dne
disco	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-gke-5.3

eoan	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-hwe

eoan	dne
disco	dne
bionic	not-affected
xenial	not-affected
trusty	dne

linux-hwe-edge

eoan	dne
disco	dne
bionic	ignored
xenial	ignored
trusty	dne

linux-kvm

eoan	Fixed 5.3.0-1007.8 released
disco	not-affected
bionic	not-affected
xenial	not-affected
trusty	dne

linux-lts-trusty

eoan	dne
disco	dne
bionic	dne
xenial	dne
trusty	dne

linux-lts-xenial

eoan	dne
disco	dne
bionic	dne
xenial	dne
trusty	ignored

linux-oem

eoan	not-affected
disco	not-affected
bionic	not-affected
xenial	ignored
trusty	dne

linux-oem-5.4

eoan	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem-osp1

eoan	not-affected
disco	not-affected
bionic	not-affected
xenial	dne
trusty	dne

linux-oracle

eoan	Fixed 5.3.0-1006.7 released
disco	not-affected
bionic	not-affected
xenial	not-affected
trusty	dne

linux-oracle-5.0

eoan	dne
disco	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-raspi2

eoan	Fixed 5.3.0-1012.14 released
disco	not-affected
bionic	not-affected
xenial	not-affected
trusty	dne

linux-raspi2-5.3

eoan	dne
bionic	not-affected
xenial	dne
trusty	dne

linux-snapdragon

eoan	dne
disco	not-affected
bionic	not-affected
xenial	not-affected
trusty	dne

Common Weakness Enumeration

CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

References

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=5df147c8140efc71ac0879ae3b0057f577226d4c

https://usn.ubuntu.com/usn/usn-4183-1

https://usn.ubuntu.com/usn/usn-4184-1

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=5df147c8140efc71ac0879ae3b0057f577226d4c

https://usn.ubuntu.com/usn/usn-4183-1

https://usn.ubuntu.com/usn/usn-4184-1