CVE-2019-19039

__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program. NOTE: The BTRFS development team disputes this issues as not being a vulnerability because “1) The kernel provide facilities to restrict access to dmesg - dmesg_restrict=1 sysctl option. So its really up to the system administrator to judge whether dmesg access shall be disallowed or not. 2) WARN/WARN_ON are widely used macros in the linux kernel. If this CVE is considered valid this would mean there are literally thousands CVE lurking in the kernel - something which clearly is not the case.

Weakness

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Affected Software

Name	Vendor	Start Version	End Version
Linux_kernel	Linux	*	5.3.12 (including)
Linux	Ubuntu	bionic	*
Linux	Ubuntu	disco	*
Linux	Ubuntu	eoan	*
Linux	Ubuntu	esm-infra-legacy/trusty	*
Linux	Ubuntu	esm-infra/xenial	*
Linux	Ubuntu	focal	*
Linux	Ubuntu	precise/esm	*
Linux	Ubuntu	trusty	*
Linux	Ubuntu	trusty/esm	*
Linux	Ubuntu	upstream	*
Linux	Ubuntu	xenial	*
Linux-aws	Ubuntu	bionic	*
Linux-aws	Ubuntu	disco	*
Linux-aws	Ubuntu	eoan	*
Linux-aws	Ubuntu	esm-infra-legacy/trusty	*
Linux-aws	Ubuntu	esm-infra/xenial	*
Linux-aws	Ubuntu	focal	*
Linux-aws	Ubuntu	trusty	*
Linux-aws	Ubuntu	trusty/esm	*
Linux-aws	Ubuntu	upstream	*
Linux-aws	Ubuntu	xenial	*
Linux-aws-5.0	Ubuntu	bionic	*
Linux-aws-5.0	Ubuntu	esm-infra/bionic	*
Linux-aws-5.0	Ubuntu	upstream	*
Linux-aws-5.15	Ubuntu	upstream	*
Linux-aws-5.3	Ubuntu	bionic	*
Linux-aws-5.3	Ubuntu	upstream	*
Linux-aws-5.4	Ubuntu	upstream	*
Linux-aws-6.8	Ubuntu	upstream	*
Linux-aws-fips	Ubuntu	fips-updates/bionic	*
Linux-aws-fips	Ubuntu	fips/bionic	*
Linux-aws-fips	Ubuntu	trusty	*
Linux-aws-fips	Ubuntu	upstream	*
Linux-aws-fips	Ubuntu	xenial	*
Linux-aws-hwe	Ubuntu	upstream	*
Linux-aws-hwe	Ubuntu	xenial	*
Linux-azure	Ubuntu	bionic	*
Linux-azure	Ubuntu	disco	*
Linux-azure	Ubuntu	eoan	*
Linux-azure	Ubuntu	esm-infra/bionic	*
Linux-azure	Ubuntu	focal	*
Linux-azure	Ubuntu	trusty	*
Linux-azure	Ubuntu	trusty/esm	*
Linux-azure	Ubuntu	upstream	*
Linux-azure	Ubuntu	xenial	*
Linux-azure-4.15	Ubuntu	bionic	*
Linux-azure-4.15	Ubuntu	upstream	*
Linux-azure-5.15	Ubuntu	upstream	*
Linux-azure-5.3	Ubuntu	bionic	*
Linux-azure-5.3	Ubuntu	upstream	*
Linux-azure-5.4	Ubuntu	upstream	*
Linux-azure-6.8	Ubuntu	upstream	*
Linux-azure-edge	Ubuntu	bionic	*
Linux-azure-edge	Ubuntu	esm-infra/bionic	*
Linux-azure-edge	Ubuntu	upstream	*
Linux-azure-fde	Ubuntu	focal	*
Linux-azure-fde	Ubuntu	upstream	*
Linux-azure-fde-5.15	Ubuntu	upstream	*
Linux-azure-fips	Ubuntu	fips-updates/bionic	*
Linux-azure-fips	Ubuntu	fips/bionic	*
Linux-azure-fips	Ubuntu	trusty	*
Linux-azure-fips	Ubuntu	upstream	*
Linux-azure-fips	Ubuntu	xenial	*
Linux-bluefield	Ubuntu	upstream	*
Linux-dell300x	Ubuntu	upstream	*
Linux-fips	Ubuntu	fips-updates/bionic	*
Linux-fips	Ubuntu	fips-updates/xenial	*
Linux-fips	Ubuntu	fips/bionic	*
Linux-fips	Ubuntu	fips/xenial	*
Linux-fips	Ubuntu	upstream	*
Linux-gcp	Ubuntu	bionic	*
Linux-gcp	Ubuntu	disco	*
Linux-gcp	Ubuntu	eoan	*
Linux-gcp	Ubuntu	esm-infra/bionic	*
Linux-gcp	Ubuntu	focal	*
Linux-gcp	Ubuntu	upstream	*
Linux-gcp	Ubuntu	xenial	*
Linux-gcp-4.15	Ubuntu	bionic	*
Linux-gcp-4.15	Ubuntu	upstream	*
Linux-gcp-5.15	Ubuntu	upstream	*
Linux-gcp-5.3	Ubuntu	bionic	*
Linux-gcp-5.3	Ubuntu	upstream	*
Linux-gcp-5.4	Ubuntu	upstream	*
Linux-gcp-6.8	Ubuntu	upstream	*
Linux-gcp-edge	Ubuntu	bionic	*
Linux-gcp-edge	Ubuntu	esm-infra/bionic	*
Linux-gcp-edge	Ubuntu	upstream	*
Linux-gcp-fips	Ubuntu	fips/bionic	*
Linux-gcp-fips	Ubuntu	trusty	*
Linux-gcp-fips	Ubuntu	upstream	*
Linux-gcp-fips	Ubuntu	xenial	*
Linux-gke	Ubuntu	focal	*
Linux-gke	Ubuntu	upstream	*
Linux-gke	Ubuntu	xenial	*
Linux-gke-4.15	Ubuntu	bionic	*
Linux-gke-4.15	Ubuntu	upstream	*
Linux-gke-5.0	Ubuntu	bionic	*
Linux-gke-5.0	Ubuntu	upstream	*
Linux-gke-5.3	Ubuntu	bionic	*
Linux-gke-5.3	Ubuntu	upstream	*
Linux-gke-5.4	Ubuntu	upstream	*
Linux-gkeop	Ubuntu	upstream	*
Linux-gkeop-5.15	Ubuntu	upstream	*
Linux-gkeop-5.4	Ubuntu	upstream	*
Linux-hwe	Ubuntu	bionic	*
Linux-hwe	Ubuntu	upstream	*
Linux-hwe	Ubuntu	xenial	*
Linux-hwe-5.15	Ubuntu	upstream	*
Linux-hwe-5.4	Ubuntu	upstream	*
Linux-hwe-5.8	Ubuntu	upstream	*
Linux-hwe-6.8	Ubuntu	upstream	*
Linux-hwe-edge	Ubuntu	bionic	*
Linux-hwe-edge	Ubuntu	esm-infra/bionic	*
Linux-hwe-edge	Ubuntu	esm-infra/xenial	*
Linux-hwe-edge	Ubuntu	upstream	*
Linux-hwe-edge	Ubuntu	xenial	*
Linux-ibm	Ubuntu	upstream	*
Linux-ibm-5.15	Ubuntu	upstream	*
Linux-ibm-5.4	Ubuntu	upstream	*
Linux-intel	Ubuntu	upstream	*
Linux-intel-iot-realtime	Ubuntu	upstream	*
Linux-intel-iotg	Ubuntu	upstream	*
Linux-intel-iotg-5.15	Ubuntu	upstream	*
Linux-iot	Ubuntu	upstream	*
Linux-kvm	Ubuntu	bionic	*
Linux-kvm	Ubuntu	disco	*
Linux-kvm	Ubuntu	eoan	*
Linux-kvm	Ubuntu	esm-infra/xenial	*
Linux-kvm	Ubuntu	focal	*
Linux-kvm	Ubuntu	upstream	*
Linux-kvm	Ubuntu	xenial	*
Linux-lowlatency	Ubuntu	upstream	*
Linux-lowlatency-hwe-5.15	Ubuntu	upstream	*
Linux-lowlatency-hwe-6.8	Ubuntu	upstream	*
Linux-lts-trusty	Ubuntu	precise/esm	*
Linux-lts-trusty	Ubuntu	upstream	*
Linux-lts-xenial	Ubuntu	esm-infra-legacy/trusty	*
Linux-lts-xenial	Ubuntu	trusty	*
Linux-lts-xenial	Ubuntu	trusty/esm	*
Linux-lts-xenial	Ubuntu	upstream	*
Linux-nvidia	Ubuntu	upstream	*
Linux-nvidia-6.5	Ubuntu	upstream	*
Linux-nvidia-6.8	Ubuntu	upstream	*
Linux-nvidia-lowlatency	Ubuntu	upstream	*
Linux-oem	Ubuntu	bionic	*
Linux-oem	Ubuntu	disco	*
Linux-oem	Ubuntu	eoan	*
Linux-oem	Ubuntu	upstream	*
Linux-oem	Ubuntu	xenial	*
Linux-oem-5.10	Ubuntu	upstream	*
Linux-oem-5.6	Ubuntu	focal	*
Linux-oem-5.6	Ubuntu	upstream	*
Linux-oem-6.11	Ubuntu	upstream	*
Linux-oem-6.8	Ubuntu	upstream	*
Linux-oem-osp1	Ubuntu	bionic	*
Linux-oem-osp1	Ubuntu	disco	*
Linux-oem-osp1	Ubuntu	eoan	*
Linux-oem-osp1	Ubuntu	upstream	*
Linux-oracle	Ubuntu	bionic	*
Linux-oracle	Ubuntu	disco	*
Linux-oracle	Ubuntu	eoan	*
Linux-oracle	Ubuntu	focal	*
Linux-oracle	Ubuntu	upstream	*
Linux-oracle	Ubuntu	xenial	*
Linux-oracle-5.0	Ubuntu	bionic	*
Linux-oracle-5.0	Ubuntu	esm-infra/bionic	*
Linux-oracle-5.0	Ubuntu	upstream	*
Linux-oracle-5.15	Ubuntu	upstream	*
Linux-oracle-5.3	Ubuntu	bionic	*
Linux-oracle-5.3	Ubuntu	upstream	*
Linux-oracle-5.4	Ubuntu	upstream	*
Linux-oracle-6.8	Ubuntu	upstream	*
Linux-raspi	Ubuntu	focal	*
Linux-raspi	Ubuntu	upstream	*
Linux-raspi-5.4	Ubuntu	upstream	*
Linux-raspi-realtime	Ubuntu	upstream	*
Linux-raspi2	Ubuntu	bionic	*
Linux-raspi2	Ubuntu	disco	*
Linux-raspi2	Ubuntu	eoan	*
Linux-raspi2	Ubuntu	focal	*
Linux-raspi2	Ubuntu	upstream	*
Linux-raspi2	Ubuntu	xenial	*
Linux-raspi2-5.3	Ubuntu	bionic	*
Linux-raspi2-5.3	Ubuntu	upstream	*
Linux-realtime	Ubuntu	jammy	*
Linux-realtime	Ubuntu	upstream	*
Linux-riscv	Ubuntu	focal	*
Linux-riscv	Ubuntu	jammy	*
Linux-riscv	Ubuntu	upstream	*
Linux-riscv-5.15	Ubuntu	upstream	*
Linux-riscv-6.8	Ubuntu	upstream	*
Linux-snapdragon	Ubuntu	bionic	*
Linux-snapdragon	Ubuntu	disco	*
Linux-snapdragon	Ubuntu	upstream	*
Linux-snapdragon	Ubuntu	xenial	*
Linux-xilinx-zynqmp	Ubuntu	upstream	*

Extended Description

While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Different log files may be produced and stored for:

Potential Mitigations

https://cwe.mitre.org/data/definitions/215.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2019-19039
CWE	https://cwe.mitre.org/data/definitions/532.html

Insertion of Sensitive Information into Log File

Weakness

Affected Software

Extended Description

Potential Mitigations

References

CVE-2019-19039

Insertion of Sensitive Information into Log File

Weakness

Affected Software

Extended Description

Potential Mitigations

Related Attack Patterns

References