Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()

In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Fix the race by pruning the bin while still holding xfrm_policy_lock, before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since the lock is already held. The wrapper xfrm_policy_inexact_prune_bin() becomes unused and is removed. Race: CPU0 (XFRM_MSG_DELPOLICY) CPU1 (XFRM_MSG_NEWSPDINFO) ========================== ========================== xfrm_policy_bysel_ctx(): spin_lock_bh(xfrm_policy_lock) bin = xfrm_policy_inexact_lookup() __xfrm_policy_unlink(pol) spin_unlock_bh(xfrm_policy_lock) xfrm_policy_kill(ret) // wide window, lock not held xfrm_hash_rebuild(): spin_lock_bh(xfrm_policy_lock) __xfrm_policy_inexact_flush(): kfree_rcu(bin) // bin freed spin_unlock_bh(xfrm_policy_lock) xfrm_policy_inexact_prune_bin(bin) // UAF: bin is freed

Affected products

Linux
  • =<6.18.*
  • =<*
  • <5.0
  • =<6.1.*
  • <b5316e2b8614a87d8736941972441cb47bfd4491
  • =<6.6.*
  • =<5.15.*
  • <88697cf980222d5906a37bf47662dac0732e2a0f
  • =<6.12.*
  • =<7.0.*
  • <c4c1ea36d83bf3c4569468ca5b8b614fda1bf821
  • <8fc536e9f6856230f19c7d13e71af064b6a77b22
  • <7f2d76c9c03257c0782afef9d95321fa04096f60
  • ==5.0
  • <ec82ea4eb220164d854f8734ca5a35e23e577b94
  • <42827d03f8009a6a218bacab153e21f39d6a121c
  • =<5.10.*
  • <25c8c7fb3b0b9668c7d05e209f58c158d2b020c7