Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
bpf: fix mm lifecycle in open-coded task_vma iterator

In the Linux kernel, the following vulnerability has been resolved: bpf: fix mm lifecycle in open-coded task_vma iterator The open-coded task_vma iterator reads task->mm locklessly and acquires mmap_read_trylock() but never calls mmget(). If the task exits concurrently, the mm_struct can be freed as it is not SLAB_TYPESAFE_BY_RCU, resulting in a use-after-free. Safely read task->mm with a trylock on alloc_lock and acquire an mm reference. Drop the reference via bpf_iter_mmput_async() in _destroy() and error paths. bpf_iter_mmput_async() is a local wrapper around mmput_async() with a fallback to mmput() on !CONFIG_MMU. Reject irqs-disabled contexts (including NMI) up front. Operations used by _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async) take spinlocks with IRQs disabled (pool->lock, pi_lock). Running from NMI or from a tracepoint that fires with those locks held could deadlock. A trylock on alloc_lock is used instead of the blocking task_lock() (get_task_mm) to avoid a deadlock when a softirq BPF program iterates a task that already holds its alloc_lock on the same CPU.

Affected products

Linux
  • <6.7
  • =<6.18.*
  • <239cec25a22662dbd80f57d94b38178c8be95269
  • =<7.0.*
  • <d0862de7c866c5bd7c32531f66738c21197af888
  • ==6.7
  • <d8e27d2d22b6e2df3a0125b8c08e9aace38c954c
  • =<*
  • <43683bb280330f3d36f0f2a3932a4867b9603e9c
  • =<6.12.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
bpf: Validate node_id in arena_alloc_pages()

In the Linux kernel, the following vulnerability has been resolved: bpf: Validate node_id in arena_alloc_pages() arena_alloc_pages() accepts a plain int node_id and forwards it through the entire allocation chain without any bounds checking. Validate node_id before passing it down the allocation chain in arena_alloc_pages().

Affected products

Linux
  • ==6.9
  • =<6.18.*
  • <31d3b4b28e55835646d6829d60023f730dd34e85
  • =<7.0.*
  • <e15900888c09480a4c632bc598f1c5bd39bed6d6
  • =<*
  • <fb66e20130f95a93ffea1677252526a9e39170b2
  • <2845989f2ebaf7848e4eccf9a779daf3156ea0a5
  • <6.9
  • =<6.12.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
gfs2: prevent NULL pointer dereference during unmount

In the Linux kernel, the following vulnerability has been resolved: gfs2: prevent NULL pointer dereference during unmount When flushing out outstanding glock work during an unmount, gfs2_log_flush() can be called when sdp->sd_jdesc has already been deallocated and sdp->sd_jdesc is NULL. Commit 35264909e9d1 ("gfs2: Fix NULL pointer dereference in gfs2_log_flush") added a check for that to gfs2_log_flush() itself, but it missed the sdp->sd_jdesc dereference in gfs2_log_release(). Fix that.

Affected products

Linux
  • =<6.18.*
  • <5.15.209
  • =<7.0.*
  • =<6.1.*
  • <6.10
  • <74b4dbb946060a3233604d91859a9abd3708141d
  • <2fc4c868c9060f424fd4a7cacb0aec5082aba4de
  • <abd73229f0e886a91a16ea781ab656bd9b4d1ee8
  • <6.1.175
  • <d8ffae016c4a78693fe1283335d0b6833a9c1366
  • <6.6.141
  • ==f54f9d5368a4e92ede7dd078a62788dae3a7c6ef
  • =<5.15.*
  • ==6.10
  • <233a0945a4b1dbe3f38c30afb7d05b76c67f1193
  • =<*
  • <6.10
  • <e15f16761594e80b15776980b27c35477655a135
  • =<6.12.*
  • <cec55674354794eddb80b914f73a6bf9b7fc304a
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars

In the Linux kernel, the following vulnerability has been resolved: bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars When regsafe() compares two scalar registers that both carry BPF_ADD_CONST, check_scalar_ids() maps their full compound id (aka base | BPF_ADD_CONST flag) as one idmap entry. However, it never verifies that the underlying base ids, that is, with the flag stripped are consistent with existing idmap mappings. This allows construction of two verifier states where the old state has R3 = R2 + 10 (both sharing base id A) while the current state has R3 = R4 + 10 (base id C, unrelated to R2). The idmap creates two independent entries: A->B (for R2) and A|flag->C|flag (for R3), without catching that A->C conflicts with A->B. State pruning then incorrectly succeeds. Fix this by additionally verifying base ID mapping consistency whenever BPF_ADD_CONST is set: after mapping the compound ids, also invoke check_ids() on the base IDs (flag bits stripped). This ensures that if A was already mapped to B from comparing the source register, any ADD_CONST derivative must also derive from B, not an unrelated C.

Affected products

Linux
  • <6.11
  • =<6.18.*
  • <2f2ec8e7730e21fc9bd49e0de9cdd58213ea24d0
  • =<6.12.*
  • =<7.0.*
  • <13c02881e49aac4c82b261faa26db9edf2567231
  • =<*
  • ==6.11
  • <691adf738817275368ed56311b7d798d617823a3
  • <7d73c72cccac651acc891377a5e623e4021c6380
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netfilter: ipset: stop hash:* range iteration at end

In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: stop hash:* range iteration at end The following hash set variants: hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net iterate IPv4 ranges with a 32-bit iterator. The iterator must stop once the last address in the requested range has been processed. Advancing it once more can move the traversal state past the end of the request, so a later retry may continue from an unintended position. Handle the iterator increment explicitly at the end of the loop and stop once the upper bound has been processed. This keeps the existing retry behaviour intact for valid ranges while preventing traversal from continuing past the original boundary.

Affected products

Linux
  • <0d3a282ab5f165fc207ff49ea5b6ad8f54616bd6
  • =<5.15.*
  • =<6.18.*
  • =<6.12.*
  • <be75218fadea22e59c8673db212f29c681bf45bb
  • =<7.0.*
  • <4.14
  • <02f75f041a93ea045834da89cd3234f4c1d749b4
  • <0d7b33ace701fe397e6e4de145f32e098178d901
  • <0b530efb2cc9dbdddfd49d392e3a857f0d4ce8dc
  • <952e988163c2ab9939c3db9f0f8e77af6a1bb436
  • =<6.6.*
  • =<*
  • <383418c20e69f5761b6ec5238f599423f4fb77fb
  • ==4.14
  • =<6.1.*
  • =<5.10.*
  • <c281e018af98df91827d65bec00f4956c00a1b02
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ice: fix race condition in TX timestamp ring cleanup

In the Linux kernel, the following vulnerability has been resolved: ice: fix race condition in TX timestamp ring cleanup Fix a race condition between ice_free_tx_tstamp_ring() and ice_tx_map() that can cause a NULL pointer dereference. ice_free_tx_tstamp_ring currently clears the ICE_TX_FLAGS_TXTIME flag after NULLing the tstamp_ring. This could allow a concurrent ice_tx_map call on another CPU to dereference the tstamp_ring, which could lead to a NULL pointer dereference. CPU A:ice_free_tx_tstamp_ring() | CPU B:ice_tx_map() --------------------------------|--------------------------------- tx_ring->tstamp_ring = NULL | | ice_is_txtime_cfg() -> true | tstamp_ring = tx_ring->tstamp_ring | tstamp_ring->count // NULL deref! flags &= ~ICE_TX_FLAGS_TXTIME | Fix by: 1. Reordering ice_free_tx_tstamp_ring() to clear the flag before NULLing the pointer, with smp_wmb() to ensure proper ordering. 2. Adding smp_rmb() in ice_tx_map() after the flag check to order the flag read before the pointer read, using READ_ONCE() for the pointer, and adding a NULL check as a safety net. 3. Converting tx_ring->flags from u8 to DECLARE_BITMAP() and using atomic bitops (set_bit(), clear_bit(), test_bit()) for all flag operations throughout the driver: - ICE_TX_RING_FLAGS_XDP - ICE_TX_RING_FLAGS_VLAN_L2TAG1 - ICE_TX_RING_FLAGS_VLAN_L2TAG2 - ICE_TX_RING_FLAGS_TXTIME

Affected products

Linux
  • =<7.0.*
  • ==6.18
  • <7c72ec18c2a4111204c2e915f8e4f6d849ce9398
  • =<*
  • <6.18
  • <097409d20465723283632515df73038a4a853eda
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
iommu/amd: Fix clone_alias() to use the original device's devid

In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Fix clone_alias() to use the original device's devid Currently clone_alias() assumes first argument (pdev) is always the original device pointer. This function is called by pci_for_each_dma_alias() which based on topology decides to send original or alias device details in first argument. This meant that the source devid used to look up and copy the DTE may be incorrect, leading to wrong or stale DTE entries being propagated to alias device. Fix this by passing the original pdev as the opaque data argument to both the direct clone_alias() call and pci_for_each_dma_alias(). Inside clone_alias(), retrieve the original device from data and compute devid from it.

Affected products

Linux
  • =<6.18.*
  • <5.5
  • =<7.0.*
  • <20b3c566e2702e5d4d0545be8a97029a2eebcc0e
  • ==5.5
  • <dae251ff11d2d2208a029f98923756831cefec46
  • <5.5
  • =<*
  • <dbd76a537d8cb814e7f5b795ab21ecb7949c821d
  • =<6.12.*
  • ==1f03a258f20f1699ede29bb40804074db9398a0d
  • <faad224fe0f0857a04ff2eb3c90f0de57f47d0f3
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
virt: sev-guest: Do not use host-controlled page order in cleanup path

In the Linux kernel, the following vulnerability has been resolved: virt: sev-guest: Do not use host-controlled page order in cleanup path When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), get_ext_report() allocates a buffer to retrieve a certificate blob from the host, keeping track of its size in report_req->certs_len. However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating an invalid buffer size, as well as the expected length of such buffer. get_ext_report() subsequently updates report_req->certs_len with the host-controlled value, and cleans up the buffer by computing a page order from such value. This is incorrect, as the host-provided length may not match the page order of the original allocation, potentially resulting in corruption in the page allocator. Fix this by using alloc_pages_exact() instead, and reusing @npages to compute the size passed to free_pages_exact(). For consistency, also use @npages to compute the size when allocating the pages, even though this last change has no functional effect.

Affected products

Linux
  • <23e6a1ca04ae44806439a5a446e62e4d42e80bb4
  • =<6.18.*
  • =<7.0.*
  • <6.14
  • ==0b16521f95c875e79d657cb8d6911c15080dbb80
  • <9e48b4f813d2c3db75d522aa82ab705ce04b7e2d
  • <6.14
  • =<*
  • ==6.14
  • <3f6fb0211b39aaa1b841260681dd02ca6b693ed5
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
drm/amdgpu: avoid double drm_exec_fini() in userq validate

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: avoid double drm_exec_fini() in userq validate When new_addition is true, amdgpu_userq_vm_validate() calls drm_exec_fini(&exec) before iterating over the collected HMM ranges and calling amdgpu_ttm_tt_get_user_pages(). If amdgpu_ttm_tt_get_user_pages() fails in that path, the code jumps to unlock_all and calls drm_exec_fini(&exec) a second time on the same exec object. drm_exec_fini() is not idempotent: it frees exec->objects and may also drop exec->contended and finalize the ww acquire context. Route that error path directly to the range cleanup once exec has already been finalized. Issue found using a prototype static analysis tool and confirmed by code review. (cherry picked from commit 2802952e4a07306da6ebe813ff1acacc5691851a)

Affected products

Linux
  • <c7c3ae7c01e5a0742b93cb9b40800bdd7f811e38
  • <6.19
  • <508babf310365f1107a2e8831c267c292a286818
  • =<7.0.*
  • =<*
  • ==6.19
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net/sched: taprio: fix use-after-free in advance_sched() on schedule switch

In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: fix use-after-free in advance_sched() on schedule switch In advance_sched(), when should_change_schedules() returns true, switch_schedules() is called to promote the admin schedule to oper. switch_schedules() queues the old oper schedule for RCU freeing via call_rcu(), but 'next' still points into an entry of the old oper schedule. The subsequent 'next->end_time = end_time' and rcu_assign_pointer(q->current_entry, next) are use-after-free. Fix this by selecting 'next' from the new oper schedule immediately after switch_schedules(), and using its pre-calculated end_time. setup_first_end_time() sets the first entry's end_time to base_time + interval when the schedule is installed, so the value is already correct. The deleted 'end_time = sched_base_time(admin)' assignment was also harmful independently: it would overwrite the new first entry's pre-calculated end_time with just base_time.

Affected products

Linux
  • <105425b1969c5affe532713cfac1c0b320d7ac2b
  • ==5.2
  • =<5.15.*
  • =<6.18.*
  • =<6.12.*
  • <3471874578160a28c171a607fa069f24062634b8
  • =<7.0.*
  • <1bd286fa3e21200133478ed523cc6a2788baf38a
  • <b73235da5dde77ed1264f9767b62c28c9d71fd78
  • <a8fc396519ef4f081bc545e88f61241728bb78d7
  • <eee072fe16c646190d33ae69c9983d8de1562bf8
  • <7256996e1ef553716817f3bfd077c2f3b48b582f
  • =<*
  • <0e62171df8ed4804d00db088f17eed06468233fa
  • <5.2
  • =<6.1.*
  • =<5.10.*
  • =<6.6.*