Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
memcg: use round-robin victim selection in refill_stock

In the Linux kernel, the following vulnerability has been resolved: memcg: use round-robin victim selection in refill_stock Harry Yoo reported that get_random_u32_below() is not safe to call in the nmi context and memcg charge draining can happen in nmi context. More specifically get_random_u32_below() is neither reentrant- nor NMI-safe: it acquires a per-cpu local_lock via local_lock_irqsave() on the batched_entropy_u32 state. An NMI that lands on a CPU mid-update of the ChaCha batch state and recurses into the random subsystem would corrupt that state. The memcg_stock local_trylock prevents re-entry on the percpu stock itself, but cannot protect an unrelated subsystem's per-cpu lock. Replace the random pick with a per-cpu round-robin counter stored in memcg_stock_pcp and serialized by the same local_trylock that already guards cached[] and nr_pages[]. No atomics, no random calls, no extra locks needed.

Affected products

Linux
  • <89bd8215e25aa6999cc51696da418e0d422bc5e0
  • =<6.18.*
  • =<7.0.*
  • <c0cafe24d3f6534294c4b2bc2d47734ff7cbd313
  • <00731bd7e18f182a32ca54d6b176eaa470b51ed7
  • <6.16
  • ==6.16
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
6lowpan: fix off-by-one in multicast context address compression

In the Linux kernel, the following vulnerability has been resolved: 6lowpan: fix off-by-one in multicast context address compression The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses &data[1] as destination and &ipaddr->s6_addr[11] as source, but both should be offset by one: &data[2] and &ipaddr->s6_addr[12] respectively. This off-by-one has two consequences: 1. data[1] is overwritten with s6_addr[11], corrupting the RIID field in the compressed multicast address 2. data[5] is never written, so uninitialized kernel stack memory is transmitted over the network via lowpan_push_hc_data(), leaking kernel stack contents The correct inline data layout must match what the decompression function lowpan_uncompress_multicast_ctx_daddr() expects: data[0..1] = s6_addr[1..2] (flags/scope + RIID) data[2..5] = s6_addr[12..15] (group ID) Also zero-initialize the data array as a defensive measure against similar bugs in the future.

Affected products

Linux
  • <c32f30ef5e66adbfa102348e2e8a23776eb007cb
  • =<5.10.*
  • =<6.18.*
  • =<6.1.*
  • <da8808463882c3f3c357b072e25053c2121f1419
  • =<*
  • =<6.6.*
  • <f24a58c72a45f4c109f3557a760cc4b60b7a6037
  • <2a58899d11009bffc7b4b32a571858f381121837
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <da8cbb64b47e9066b40af0de170901caf17b768c
  • <06ce6fc106b16dec9b535950db626261be865e5b
  • ==4.6
  • <4.6
  • <4485d79617520d84ba5a14515e2b5136007d6deb
  • <dcb1bec1c32ee5c3878354e087cf5dbee2b7c7af
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

In the Linux kernel, the following vulnerability has been resolved: sctp: fix uninit-value in __sctp_rcv_asconf_lookup() __sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF chunk can hold the ADDIP header and a parameter header, then calls af->from_addr_param(), which reads the full address (16 bytes for IPv6) trusting the parameter's declared length. An unauthenticated peer can send a truncated trailing ASCONF chunk that declares an IPv6 address parameter but stops after the 4-byte parameter header; reached from the no-association lookup path, from_addr_param() then reads uninitialized bytes past the parameter. Impact: an unauthenticated SCTP peer makes the receive path read up to 16 bytes of uninitialized memory past a truncated ASCONF address parameter. The sibling __sctp_rcv_init_lookup() bounds parameters with sctp_walk_params(); this path open-codes the fetch and omits the bound. Verify the whole address parameter lies within the chunk before from_addr_param() reads it, the same class of fix as commit 51e5ad549c43 ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").

Affected products

Linux
  • =<6.18.*
  • <d6bd0bb7697ea8c0387b0d9d973453f479017b23
  • =<6.1.*
  • =<*
  • =<6.6.*
  • =<5.15.*
  • <d796cfd06074b579d265b28401306cadd30db945
  • <f76a8b323e28e0951f979dbef20a7496383c47df
  • =<6.12.*
  • <8ce96f1182644079249a24ac7e2ffc32e0301a46
  • =<7.0.*
  • <928dd94db23e8ba340f83d68f7f24d831b7a4426
  • ==2.6.25
  • <f8373d7090b745728de66308deeecc67e8d319ce
  • <2.6.25
  • <446e0ecd845abc394b24ae2030a883572bec9d16
  • =<5.10.*
  • <8e86817b8af4d552f3c6fe04ca52bb0c8c57411d
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: airoha: Fix use-after-free in metadata dst teardown

In the Linux kernel, the following vulnerability has been resolved: net: airoha: Fix use-after-free in metadata dst teardown airoha_metadata_dst_free() runs metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, an use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.

Affected products

Linux
  • =<6.18.*
  • =<7.0.*
  • <6.15
  • <b38cae85d1c45ff189d7ecb6ac36f41cdc3d84d0
  • <4b5a574e033e66d2131eff1c18feef8d8643c67e
  • ==6.15
  • <6f829e2c17a53a35321268339cd252aff6d6d723
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

In the Linux kernel, the following vulnerability has been resolved: ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() In vti6_tnl_lookup(), when an exact match for a tunnel fails, the code falls back to searching for wildcard tunnels: - Tunnels matching the packet's local address, with any remote address wildcard remote). - Tunnels matching the packet's remote address, with any local address (wildcard local). However, vti6 stores all these different types of tunnels in the same hash table (ip6n->tnls_r_l) prone to hash collisions. The bug is that the fallback search loops in vti6_tnl_lookup() were missing checks to ensure that the candidate tunnel actually has a wildcard address.

Affected products

Linux
  • ==3.19
  • =<6.18.*
  • <c327fa4fca31415431202e063767a7ae342e19c6
  • <2abfb19bbb81958714ad1d43ebeb65b30394184b
  • =<6.1.*
  • <3.19
  • =<6.6.*
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <fc657ac0767c49839b3ef0b08dc0953ca30883f8
  • <47fb3c2b4203556308e64354b3e78f2ce221d646
  • <2fc7bc087cc7085368263d9d37bfe9a0bddd6a2d
  • <90fd4513315ca07da99cfd8549d3e553a7160f0d
  • <f513f308cc4bdb4530d033431592ffbc29b7fca1
  • <a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9
  • =<5.10.*
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ipvs: clear the svc scheduler ptr early on edit

In the Linux kernel, the following vulnerability has been resolved: ipvs: clear the svc scheduler ptr early on edit ip_vs_edit_service() while unbinding the old scheduler clears the svc->scheduler ptr after the scheduler module initiates RCU callbacks. This can cause packets to use the old scheduler at the time when svc->sched_data is already freed after RCU grace period. Fix it by clearing the ptr early in ip_vs_unbind_scheduler(), before the done_service method schedules any RCU callbacks. Also, if the new scheduler fails to initialize when replacing the old scheduler, try to restore the old scheduler while still returning the error code.

Affected products

Linux
  • =<6.6.*
  • <25918720ba97f974a4f8d433b5a0132c5b43f6f3
  • ==4.2
  • <4.2
  • =<6.18.*
  • <d10730a1f2caf08088e0db1b19b242f3e6fa5f06
  • <4.2
  • <7d4f5004511757e3984901ffb412fcf858d80ed5
  • =<5.10.*
  • =<*
  • ==c803fddd2a95a70873c68dbff42d4c59fd2e674e
  • <c6376b9b1b4d2bad638256b1b3588e073344ae69
  • =<6.1.*
  • ==4ec8fb23158797affae7993c15beba080488482f
  • <e4feec3174036ba772006be74beee0efa09a9eb8
  • =<7.0.*
  • =<5.15.*
  • <193989cc6d80dd8e0460fb3992e69fa03bf0ff9b
  • <14e4689c113b4c06af1069364ade24fdd7055f33
  • <19a9493faa4bf3c7bd0a386f30b60b1bb4a3da03
  • =<6.12.*
  • <3.19
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing

In the Linux kernel, the following vulnerability has been resolved: sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing When a listening SCTP server processes a COOKIE_ECHO chunk, the cached peer INIT chunk embedded after the cookie is parsed and its parameters are later walked by sctp_process_init() using sctp_walk_params(). However, the chunk header length of this cached INIT chunk was not validated against the remaining buffer in the COOKIE_ECHO payload. If the length field is inflated, the parameter walk can run beyond the actual received data, leading to out-of-bounds reads and potential memory corruption during later parameter handling (e.g. STATE_COOKIE processing and kmemdup() copies). Add a bounds check in sctp_unpack_cookie() to ensure the cached INIT chunk length does not exceed the available data in the COOKIE_ECHO buffer before it is used.

Affected products

Linux
  • ==2.6.12
  • =<6.18.*
  • <edccbf3d63b0a3362bc916ea72edacc1e1ca456a
  • =<7.0.*
  • <0861615c28de668669d748ef4eb913ea9262d13b
  • <2.6.12
  • <cc272185c9a9a4b7febc2de52eeaa3d00f19091e
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait()

In the Linux kernel, the following vulnerability has been resolved: drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait() dma_fence_unwrap_for_each() internally calls dma_fence_unwrap_first() which does cursor->chain = dma_fence_get(head), taking an extra reference. On normal loop completion, dma_fence_unwrap_next() releases this via dma_fence_chain_walk() -> dma_fence_put(). When virtio_gpu_do_fence_wait() fails and the function returns early from inside the loop, the cursor->chain reference is never released. This is the only caller in the entire kernel that does an early return inside dma_fence_unwrap_for_each. Add dma_fence_put(itr.chain) before the early return.

Affected products

Linux
  • =<6.18.*
  • <6.5
  • ==6.5
  • =<6.6.*
  • =<7.0.*
  • =<6.12.*
  • <c0fffc874c264292e769f26194a2a5e66ce31810
  • <3f26bb732cc136ab20176697c92f32c9c84cb125
  • <73524e9f96a278b521f257a78a845c49eb522bc1
  • <8348567a6afb24e2c9cafe8a321162d0eebe1411
  • <898bd0ccfed71651b881660c5d20ad73b5203174
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netfilter: require Ethernet MAC header before using eth_hdr()

In the Linux kernel, the following vulnerability has been resolved: netfilter: require Ethernet MAC header before using eth_hdr() `ip6t_eui64`, `xt_mac`, the `bitmap:ip,mac`, `hash:ip,mac`, and `hash:mac` ipset types, and `nf_log_syslog` access `eth_hdr(skb)` after either assuming that the skb is associated with an Ethernet device or checking only that the `ETH_HLEN` bytes at `skb_mac_header(skb)` lie between `skb->head` and `skb->data`. Make these paths first verify that the skb is associated with an Ethernet device, that the MAC header was set, and that it spans at least a full Ethernet header before accessing `eth_hdr(skb)`.

Affected products

Linux
  • <726abf97566867f808fec9d8a408eb9698bd570a
  • <6.1.176
  • =<6.6.*
  • <5.15.210
  • =<6.18.*
  • <063f43361e884acd7300790e90194430275d0d0c
  • =<*
  • <6.12.94
  • =<6.1.*
  • <4435888e1bf139d2bfe5911643d4217382136743
  • <cea435ea7e868ea6fdf039bc4f2090c1d829b556
  • <6.6.143
  • <367abcacc13a8e2e7624408b7f593bd1e60e49d9
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <7.0.13
  • <6.18.36
  • <62443dc21114c0bbc476fa62973db89743f2f137
  • <5d634afb8b83b49de562792fd0d047416a43bd4d
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
zram: fix use-after-free in zram_bvec_write_partial()

In the Linux kernel, the following vulnerability has been resolved: zram: fix use-after-free in zram_bvec_write_partial() zram_read_page() picks the sync or async backing device read path based on whether the parent bio is NULL. zram_bvec_write_partial() passes its parent bio down, so for ZRAM_WB slots the read is dispatched asynchronously and zram_read_page() returns 0 while the bio is still in flight. The caller then runs memcpy_from_bvec(), zram_write_page() and __free_page() on the buffer, leaving the async read to write into a freed page. zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d ("zram: fix synchronous reads") for the same reason; the write_partial counterpart was missed.

Affected products

Linux
  • =<6.18.*
  • <0c2821665ff71be3f4b07ecece384669f2877f6a
  • <4.14
  • =<6.6.*
  • =<7.0.*
  • <732fd9f0b9c1cdc6dfd77162ded60df005182cc0
  • ==4.14
  • =<6.12.*
  • <198b5a14cca27263b9c14b20114c8092de15dfcb
  • <c96786d6ff1acc1d54d9241e97767554c1dfdd5b
  • <77a602b505ce4802915853cfc435a4722fab3e64
  • =<*