### [CVE-2019-15792](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15792)
![](https://img.shields.io/static/v1?label=Product&message=Shiftfs%20in%20the%20Linux%20kernel&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=5.3%20kernel%3E%3D%205.3.0-11.12%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-843%20Access%20of%20Resource%20Using%20Incompatible%20Type%20('Type%20Confusion')&color=brighgreen)
### Description
In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, shiftfs_btrfs_ioctl_fd_replace() calls fdget(oldfd), then without further checks passes the resulting file* into shiftfs_real_fdget(), which casts file->private_data, a void* that points to a filesystem-dependent type, to a "struct shiftfs_file_info *". As the private_data is not required to be a pointer, an attacker can use this to cause a denial of service or possibly execute arbitrary code.
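The type confusion described above, shown as a userspace model next to a hardened accessor. This is an added example, not code from shiftfs or from the referenced Ubuntu commit: the simplified structs, `shiftfs_fops`, `other_fops`, `info_unchecked()` and `info_checked()` are hypothetical names. It assumes a file's owner can be identified by comparing its `f_op` pointer.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
/* Simplified userspace stand-ins for the kernel types (assumed, not kernel code). */
struct file_operations { const char *name; };
struct file {
    const struct file_operations *f_op; /* identifies the owning filesystem */
    void *private_data;                 /* meaning is defined by that owner */
};
struct shiftfs_file_info { struct file *realfile; };
static const struct file_operations shiftfs_fops = { "shiftfs" };
static const struct file_operations other_fops = { "other" };

/* Pattern from the description: cast with no check on who owns the file. */
static struct shiftfs_file_info *info_unchecked(struct file *f)
{
    return (struct shiftfs_file_info *)f->private_data;
}

/* Hardened form: interpret private_data only when f_op proves its type. */
static int info_checked(struct file *f, struct shiftfs_file_info **out)
{
    *out = NULL;
    if (f == NULL || f->f_op != &shiftfs_fops)
        return -EINVAL;
    *out = f->private_data;
    return 0;
}

/* Constructed input: a foreign file whose private_data is an integer cookie. */
static struct file foreign = { &other_fops, (void *)(uintptr_t)0x1234 };

int unchecked_yields_cookie(void)
{
    return (uintptr_t)info_unchecked(&foreign) == 0x1234; /* never dereferenced */
}
int checked_rejects_foreign(void)
{
    struct shiftfs_file_info *info;
    return info_checked(&foreign, &info) == -EINVAL && info == NULL;
}

int checked_accepts_shiftfs(void)
{
    struct file lower = { &other_fops, NULL };
    struct shiftfs_file_info priv = { &lower }, *info;
    struct file f = { &shiftfs_fops, &priv };
    return info_checked(&f, &info) == 0 && info->realfile == &lower;
}
```

The unchecked accessor hands back the foreign file's cookie as if it were a `struct shiftfs_file_info *`. The checked one refuses any file whose `f_op` is not the expected table.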
### POC
#### Reference
- https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=5df147c8140efc71ac0879ae3b0057f577226d4c
#### GitHub
No PoCs found on GitHub currently.