Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
f2fs: avoid reading already updated pages during GC

In the Linux kernel, the following vulnerability has been resolved: f2fs: avoid reading already updated pages during GC We found the following issue during fuzz testing: page: refcount:3 mapcount:0 mapping:00000000b6e89c65 index:0x18b2dc pfn:0x161ba9 memcg:f8ffff800e269c00 aops:f2fs_meta_aops ino:2 flags: 0x52880000000080a9(locked|waiters|uptodate|lru|private|zone=1|kasantag=0x4a) raw: 52880000000080a9 fffffffec6e17588 fffffffec0ccc088 a7ffff8067063618 raw: 000000000018b2dc 0000000000000009 00000003ffffffff f8ffff800e269c00 page dumped because: VM_BUG_ON_FOLIO(folio_test_uptodate(folio)) page_owner tracks the page as allocated post_alloc_hook+0x58c/0x5ec prep_new_page+0x34/0x284 get_page_from_freelist+0x2dcc/0x2e8c __alloc_pages_noprof+0x280/0x76c __folio_alloc_noprof+0x18/0xac __filemap_get_folio+0x6bc/0xdc4 pagecache_get_page+0x3c/0x104 do_garbage_collect+0x5c78/0x77a4 f2fs_gc+0xd74/0x25f0 gc_thread_func+0xb28/0x2930 kthread+0x464/0x5d8 ret_from_fork+0x10/0x20 ------------[ cut here ]------------ kernel BUG at mm/filemap.c:1563! folio_end_read+0x140/0x168 f2fs_finish_read_bio+0x5c4/0xb80 f2fs_read_end_io+0x64c/0x708 bio_endio+0x85c/0x8c0 blk_update_request+0x690/0x127c scsi_end_request+0x9c/0xb8c scsi_io_completion+0xf0/0x250 scsi_finish_command+0x430/0x45c scsi_complete+0x178/0x6d4 blk_mq_complete_request+0xcc/0x104 scsi_done_internal+0x214/0x454 scsi_done+0x24/0x34 which is similar to the problem reported by syzbot: https://syzkaller.appspot.com/bug?extid=3686758660f980b402dc This case is consistent with the description in commit 9bf1a3f ("f2fs: avoid GC causing encrypted file corrupted"): Page 1 is moved from blkaddr A to blkaddr B by move_data_block, and after being written it is marked as uptodate. Then, Page 1 is moved from blkaddr B to blkaddr C, VM_BUG_ON_FOLIO was triggered in the endio initiated by ra_data_block. There is no need to read Page 1 again from blkaddr B, since it has already been updated. Therefore, avoid initiating I/O in this case.

Affected products

Linux
  • =<6.18.*
  • =<7.0.*
  • <4.19
  • =<*
  • <570e2ccc7cb35fe720106964e65060602d3d2ac4
  • ==4.19
  • <4623c251496b99c530ce225c05334f4eac8b933a
  • <b663ebb8a340eae5442e605b6acd2cff5677f016
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ksmbd: fix use-after-free in smb2_open during durable reconnect

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb2_open during durable reconnect In smb2_open, the call to ksmbd_put_durable_fd(fp) drops the reference to the durable file descriptor early during the durable reconnect process. If an error occurs subsequently (eg, ksmbd_iov_pin_rsp fails) or a scavenger accesses the file, it leads to a use-after-free when accessing fp properties (eg fp->create_time). Move the single put to the end of the function below err_out2 so fp stays valid until smb2_open returns.

Affected products

Linux
  • ==6.9
  • =<6.18.*
  • ==8df4bcdb0a4232192b2445256c39b787d58ef14d
  • =<7.0.*
  • <1baff47b81f94f9231c91236aa511420d0e266b9
  • <ce2e164c1c51c3f7813b80f8c926836e896bcbb3
  • =<*
  • <97a0cd55283b4e63fd92804da91c8d9896adcad9
  • <6.7
  • <6.9
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
vrf: Fix a potential NPD when removing a port from a VRF

In the Linux kernel, the following vulnerability has been resolved: vrf: Fix a potential NPD when removing a port from a VRF RCU readers that identified a net device as a VRF port using netif_is_l3_slave() assume that a subsequent call to netdev_master_upper_dev_get_rcu() will return a VRF device. They then continue to dereference its l3mdev operations. This assumption is not always correct and can result in a NPD [1]. There is no RCU synchronization when removing a port from a VRF, so it is possible for an RCU reader to see a new master device (e.g., a bridge) that does not have l3mdev operations. Fix by adding RCU synchronization after clearing the IFF_L3MDEV_SLAVE flag. Skip this synchronization when a net device is removed from a VRF as part of its deletion and when the VRF device itself is deleted. In the latter case an RCU grace period will pass by the time RTNL is released. [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] RIP: 0010:l3mdev_fib_table_rcu (net/l3mdev/l3mdev.c:181) [...] Call Trace: <TASK> l3mdev_fib_table_by_index (net/l3mdev/l3mdev.c:201 net/l3mdev/l3mdev.c:189) __inet_bind (net/ipv4/af_inet.c:499 (discriminator 3)) inet_bind_sk (net/ipv4/af_inet.c:469) __sys_bind (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:1951 (discriminator 1)) __x64_sys_bind (net/socket.c:1969 (discriminator 1) net/socket.c:1967 (discriminator 1) net/socket.c:1967 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Affected products

Linux
  • <2674d603a9e6970463b2b9ebcf8e31e90beae169
  • =<5.15.*
  • =<6.18.*
  • <2c022f582fd16a470df6ed9e7fb7e9fc48946d49
  • <a7a97f2303e63ede105c1d55ef53dc497364e11d
  • <4ab6fc60ed5a0344b60711b09bff1dc238d8d6a4
  • =<6.12.*
  • =<7.0.*
  • <d47204c127992da0c976ac9747070a575912e0fe
  • <8c2b792f04a3db97c9d8d2a45817e93f8884baf5
  • <468defa0b70902a22f4478c1207624bc1b31c124
  • <4.12
  • =<*
  • =<5.10.*
  • =<6.1.*
  • <3db8d078f7f652379ee394132b169d304f6eb4c1
  • ==4.12
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
sctp: diag: reject stale associations in dump_one path

In the Linux kernel, the following vulnerability has been resolved: sctp: diag: reject stale associations in dump_one path The SCTP exact sock_diag lookup can hold a transport reference, block on lock_sock(sk), and then resume after sctp_association_free() has marked the association dead and freed its bind address list. When that happens, inet_assoc_attr_size() and inet_diag_msg_sctpasoc_fill() can still dereference association state that is no longer valid for reporting. In particular, inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a real sctp_sockaddr_entry and trigger an out-of-bounds read from unrelated association memory. Reject the association after taking the socket lock if it has been reaped or detached from the endpoint, and report the lookup as stale. This keeps the exact dump-one path from formatting torn association state.

Affected products

Linux
  • <5425de8bd6e9fe5bd67d158e3348171ae7510117
  • =<5.15.*
  • =<6.18.*
  • <f5af203dec6e0e7a6090fcc2130e9f3901bfc84d
  • <5eba3e48d78edd7551b992cb7ba687019b3a78da
  • =<6.12.*
  • =<7.0.*
  • ==4.7
  • <4.7
  • <480f754580b5686b928977d16a59f20cef83ff01
  • =<*
  • <6657af827e21883ae90693e42e7f59a6aab690b5
  • <b2be72d401833194917e44fbd8d8144bb4f2db16
  • <e97c2a535e23ed0fdd2660993fb3f10d9535c9bc
  • =<6.1.*
  • =<5.10.*
  • <78c4f964b2f94e405721c093773f6250e1e676b2
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netfilter: nf_queue: hold bridge skb->dev while queued

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_queue: hold bridge skb->dev while queued br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge master before queueing bridge LOCAL_IN packets. NFQUEUE only holds references on state.in/out and bridge physdevs, so a queued bridge packet can retain a freed bridge master in skb->dev until reinjection. When the verdict is reinjected later, br_netif_receive_skb() re-enters the receive path with skb->dev still pointing at the freed bridge master, triggering a use-after-free. Store skb->dev in the queue entry, hold a reference on it for the queue lifetime, and use the saved device when dropping queued packets during NETDEV_DOWN handling.

Affected products

Linux
  • =<5.15.*
  • =<6.18.*
  • <1e5e20031c5eee8d2e490a90ff4d6a2feecfc3be
  • =<6.12.*
  • =<7.0.*
  • <15d464265120ab9818bd673af301deee09bedab2
  • <3823c27099cfe2482299065814adbaa771be9644
  • <3fb0f5c0f64162a8c3f25616a4f1e340b921737f
  • <950d809f154dca04e5fbe5d3c8b9c5e44769cd57
  • <a698ac8ab2561cf575d2d9f34095032651dd952e
  • <19924bdd8a45ebc72a7b84c57fd63057d1dc75ac
  • <4.7
  • =<*
  • <e196115ec330a18de415bdb9f5071aa9f08e53ce
  • =<6.1.*
  • =<5.10.*
  • ==4.7
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
crypto: ccp - copy IV using skcipher ivsize

In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - copy IV using skcipher ivsize AF_ALG rfc3686-ctr-aes-ccp requests pass an 8-byte IV to the driver. ccp_aes_complete() restores AES_BLOCK_SIZE bytes into the caller's IV buffer while RFC3686 skciphers expose an 8-byte IV, so the restore overruns the provided buffer. Use crypto_skcipher_ivsize() to copy only the algorithm's IV length.

Affected products

Linux
  • <eecee15e263ccb8cd77170a56ab6c969cb54dd6a
  • =<6.1.*
  • =<5.15.*
  • <a7a1f3cdd64d8a165d9b8c9e9ad7fb46ac19dfc4
  • ==3.14
  • <798d409a8949f3f495f238549b86de2886b129bd
  • =<6.18.*
  • =<6.12.*
  • <227c1e1d9e2aa4cfc65ba446d5690da1f546cda4
  • =<7.0.*
  • <3.14
  • =<*
  • <dfb2cf434829819268fe50f41542aad318ad62b2
  • =<6.6.*
  • <bb01d8f1f385bc9034ca114d3508c7fdea24fc9a
  • <939061b2d0f7f15114e34b4ce878ef50ff4089c3
  • =<5.10.*
  • <df9784bb5b637ac80f4a2768a58ca9a50bef28a9
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet

In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware. But it is never killed in rtl_pci_deinit(). When the rtlwifi card probe fails or is being detached, the ieee80211_hw is deallocated. However, irq_prepare_bcn_tasklet may still be running or pending, leading to use-after-free when the freed ieee80211_hw is accessed in _rtl_pci_prepare_bcn_tasklet(). Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to ensure that irq_prepare_bcn_tasklet is properly terminated before the ieee80211_hw is released. The issue was identified through static analysis.

Affected products

Linux
  • <7731b67bd59d1284d150cbe40a47e95a10613234
  • =<6.6.*
  • <039cd522dc70151da13329a5e3ae19b1736f468a
  • <008c456b76e9070979bc0e763897a5d3b0fdd4dc
  • =<5.15.*
  • =<6.18.*
  • =<6.12.*
  • <fac1079e0fdec6df6d7562c21941587236dc3def
  • =<7.0.*
  • <2.6.38
  • <ae10d4a1ab6bcaa1336abb171908a9a365761d3e
  • <3c0e8a3179e6325a7dc6ce221aef0e03d854ab4b
  • =<*
  • <e40873820c9d245ce482faa7ad514ebdb3b8d23d
  • <aa10a452e34810987fb9f4a047995b30003fb53f
  • =<6.1.*
  • =<5.10.*
  • ==2.6.38
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
drm/sun4i: backend: fix error pointer dereference

In the Linux kernel, the following vulnerability has been resolved: drm/sun4i: backend: fix error pointer dereference The function drm_atomic_get_plane_state() can return an error pointer and is not checked for it. Add error pointer check. Detected by Smatch: drivers/gpu/drm/sun4i/sun4i_backend.c:496 sun4i_backend_atomic_check() error: 'plane_state' dereferencing possible ERR_PTR()

Affected products

Linux
  • =<6.1.*
  • =<6.18.*
  • <e9bef62f1bb9fcb38223730657af20f4c6283c16
  • =<6.12.*
  • <ea51fd96aca01381e8f1ac0c671a57b7619193bb
  • <cf615b90a11a39a28e313be5e508e94bcde72016
  • <06277983eca4a31d3c2114fa33d99a6e82484b11
  • <47038159c559824f4dbfb5b0d87b9b3416663372
  • =<7.0.*
  • ==4.17
  • =<*
  • <4.17
  • <779c2f10743fc021f2f0ebe2b188cadfb973c5e4
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
libceph: Fix potential null-ptr-deref in decode_choose_args()

In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential null-ptr-deref in decode_choose_args() A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. When decoding this CRUSH map in crush_decode(), an array of max_buckets CRUSH buckets is decoded, where some indices may not refer to actual buckets and are therefore set to NULL. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). When decoding a crush_choose_arg_map, a series of choose_args for different buckets is decoded, with the bucket_index being read from the incoming message. It is only checked that the bucket index does not exceed max_buckets, but not that it doesn't point to an index with a NULL bucket. If a (potentially corrupted) message contains a crush_choose_arg_map including such a bucket_index, a null pointer dereference may occur in the subsequent processing when attempting to access the bucket with the given index. This patch fixes the issue by extending the affected check. Now, it is only attempted to access the bucket if it is not NULL.

Affected products

Linux
  • <a20e16ebfe2fa65348eb4b2dc7deac330ce03e9c
  • <d55ffad8d422b5d1cc44dad32bd3d25f4471cd9f
  • =<6.18.*
  • <d7a65a34d2453f8cd3e0cc0e1319740af7e24276
  • <5.15.209
  • =<7.0.*
  • <5.10.258
  • =<6.1.*
  • <6.18.33
  • <301286c0ccd37d66b0e40786fd35a4f19cdbd88a
  • <7169f326a23d0f547fcd90e68b72fd387622e126
  • <7.0.10
  • <6.1.175
  • <f2f95e6d4b97e70bb876139b0583fc8079983f85
  • <6.6.141
  • <28b0a2ab8c82d0bbdeb8013029c67c978ce6e4bf
  • <312ec973efac0efb9b9ed64214235910e9ecbaa8
  • =<5.15.*
  • =<*
  • <6.12.91
  • =<6.12.*
  • =<5.10.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
drm/msm/dpu: fix mismatch between power and frequency

In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: fix mismatch between power and frequency During DPU runtime suspend, calling dev_pm_opp_set_rate(dev, 0) drops the MMCX rail to MIN_SVS while the core clock frequency remains at its original (highest) rate. When runtime resume re-enables the clock, this may result in a mismatch between the rail voltage and the clock rate. For example, in the DPU bind path, the sequence could be: cpu0: dev_sync_state -> rpmhpd_sync_state cpu1: dpu_kms_hw_init timeline 0 ------------------------------------------------> t After rpmhpd_sync_state, the voltage performance is no longer guaranteed to stay at the highest level. During dpu_kms_hw_init, calling dev_pm_opp_set_rate(dev, 0) drops the voltage, causing the MMCX rail to fall to MIN_SVS while the core clock is still at its maximum frequency. When the power is re-enabled, only the clock is enabled, leading to a situation where the MMCX rail is at MIN_SVS but the core clock is at its highest rate. In this state, the rail cannot sustain the clock rate, which may cause instability or system crash. Remove the call to dev_pm_opp_set_rate(dev, 0) from dpu_runtime_suspend to ensure the correct vote is restored when DPU resumes. Patchwork: https://patchwork.freedesktop.org/patch/710077/

Affected products

Linux
  • <0ccf4f27b4652570b5de3de02a89a86435559de9
  • ==5.9
  • =<6.18.*
  • =<6.12.*
  • <0f7dd5839cfabaf9c007fb718ec66e907a473c93
  • =<7.0.*
  • <5.9
  • <9830999c9e065c1813ec5435bfe4eab98ee54a87
  • <1181a7028d37e0b1e720a36125a03f5db97e3d27
  • <bc1dccc518cc5ab5140fba06c27e7188e0ed342b
  • =<*
  • =<6.1.*
  • <c5735c7d0eef7a5240f9c1c66e44ba52a1be58d6
  • =<6.6.*