{"containers": {"cna": {"affected": [{"product": "Linux kernel", "vendor": "Ubuntu", "versions": [{"lessThan": "5.3.0-24.26", "status": "affected", "version": "5.3 kernel", "versionType": "custom"}, {"lessThan": "5.0.0-37.40", "status": "affected", "version": "5.0 kernel", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Jann Horn of Google Project Zero"}], "datePublic": "2019-11-08T00:00:00", "descriptions": [{"lang": "en", "value": "Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. However, the aufs patchs change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-672", "description": "CWE-672 Operation on a Resource after Expiration or Release", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-04-23T23:55:24", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=270d16ae48a4dbf1c7e25e94cc3e38b4bea37635"}, {"tags": ["x_refsource_MISC"], "url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=ef81780548d20a786cc77ed4203fca146fd81ce3"}, {"tags": ["x_refsource_MISC"], "url": "https://usn.ubuntu.com/usn/usn-4208-1"}, {"tags": ["x_refsource_MISC"], "url": "https://usn.ubuntu.com/usn/usn-4209-1"}], "source": {"defect": ["https://bugs.launchpad.net/bugs/1850994"], "discovery": "EXTERNAL"}, "title": "Reference counting error in overlayfs/shiftfs error path when used in conjuction with aufs", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@ubuntu.com", "DATE_PUBLIC": "2019-11-08T00:00:00.000Z", "ID": "CVE-2019-15794", "STATE": "PUBLIC", "TITLE": "Reference counting error in overlayfs/shiftfs error path when used in conjuction with aufs"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Linux kernel", "version": {"version_data": [{"version_affected": "<", "version_name": "5.3 kernel", "version_value": "5.3.0-24.26"}, {"version_affected": "<", "version_name": "5.0 kernel", "version_value": "5.0.0-37.40"}]}}]}, "vendor_name": "Ubuntu"}]}}, "credit": [{"lang": "eng", "value": "Jann Horn of Google Project Zero"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. However, the aufs patchs change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-672 Operation on a Resource after Expiration or Release"}]}]}, "references": {"reference_data": [{"name": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=270d16ae48a4dbf1c7e25e94cc3e38b4bea37635", "refsource": "MISC", "url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=270d16ae48a4dbf1c7e25e94cc3e38b4bea37635"}, {"name": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=ef81780548d20a786cc77ed4203fca146fd81ce3", "refsource": "MISC", "url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=ef81780548d20a786cc77ed4203fca146fd81ce3"}, {"name": "https://usn.ubuntu.com/usn/usn-4208-1", "refsource": "MISC", "url": "https://usn.ubuntu.com/usn/usn-4208-1"}, {"name": "https://usn.ubuntu.com/usn/usn-4209-1", "refsource": "MISC", "url": "https://usn.ubuntu.com/usn/usn-4209-1"}]}, "source": {"defect": ["https://bugs.launchpad.net/bugs/1850994"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:56:22.473Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=270d16ae48a4dbf1c7e25e94cc3e38b4bea37635"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=ef81780548d20a786cc77ed4203fca146fd81ce3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://usn.ubuntu.com/usn/usn-4208-1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://usn.ubuntu.com/usn/usn-4209-1"}]}]}, "cveMetadata": {"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2019-15794", "datePublished": "2020-04-23T23:55:25.039982Z", "dateReserved": "2019-08-29T00:00:00", "dateUpdated": "2024-09-16T19:52:18.313Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "D4300F13-DCE3-40B5-9310-313405468D2F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.3:*:*:*:*:*:*:*", "matchCriteriaId": "CF8AA5A5-E882-4063-B2BB-C2268685060E", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. However, the aufs patchs change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow."}, {"lang": "es", "value": "Overlayfs en el kernel de Linux y shiftfs, un parche no upstream para el kernel de Linux incluido en las series de kernel Ubuntu versiones 5.0 y 5.3, ambos reemplazan vma-&gt;vm_file en sus manejadores de mmap. En el error el valor original no se restaura, y se pone la referencia para el archivo al que apunta vm_file. En los n\u00facleos ascendentes esto no es un problema, ya que ninguna de las llamadas que siguen a vm_file despu\u00e9s de call_mmap() devuelve un error. Sin embargo, los parches de aufs cambian mmap_region() para reemplazar el fput() usando una variable local con vma_fput(), la cual fput() vm_file, lo que lleva a un subflujo de recuento."}], "id": "CVE-2019-15794", "lastModified": "2020-05-26T15:18:52.653", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2020-04-24T00:15:11.933", "references": [{"source": "security@ubuntu.com", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=270d16ae48a4dbf1c7e25e94cc3e38b4bea37635"}, {"source": "security@ubuntu.com", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=ef81780548d20a786cc77ed4203fca146fd81ce3"}, {"source": "security@ubuntu.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/usn/usn-4208-1"}, {"source": "security@ubuntu.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/usn/usn-4209-1"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-672"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-672"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: Overlayfs in the Linux kernel and shiftfs not restoring original value on error leading to a refcount underflow", "id": "1831055", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831055"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-672", "details": ["Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. However, the aufs patchs change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow.", "A flaw was found in the Linux kernel. In Overlayfs, vma->vm_file was replaced in the mmap handlers and, on errors, the original value is not restored. A local attacker with special user privilege (or root) can cause a kernel internal information leak. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2019-15794", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-alt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:2", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise MRG 2"}], "public_date": "2019-11-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-15794\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-15794"], "threat_severity": "Moderate"}