Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()

In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Fix the race by pruning the bin while still holding xfrm_policy_lock, before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since the lock is already held. The wrapper xfrm_policy_inexact_prune_bin() becomes unused and is removed. Race: CPU0 (XFRM_MSG_DELPOLICY) CPU1 (XFRM_MSG_NEWSPDINFO) ========================== ========================== xfrm_policy_bysel_ctx(): spin_lock_bh(xfrm_policy_lock) bin = xfrm_policy_inexact_lookup() __xfrm_policy_unlink(pol) spin_unlock_bh(xfrm_policy_lock) xfrm_policy_kill(ret) // wide window, lock not held xfrm_hash_rebuild(): spin_lock_bh(xfrm_policy_lock) __xfrm_policy_inexact_flush(): kfree_rcu(bin) // bin freed spin_unlock_bh(xfrm_policy_lock) xfrm_policy_inexact_prune_bin(bin) // UAF: bin is freed

Affected products

Linux
  • =<6.18.*
  • =<*
  • <5.0
  • =<6.1.*
  • <b5316e2b8614a87d8736941972441cb47bfd4491
  • =<6.6.*
  • =<5.15.*
  • <88697cf980222d5906a37bf47662dac0732e2a0f
  • =<6.12.*
  • =<7.0.*
  • <c4c1ea36d83bf3c4569468ca5b8b614fda1bf821
  • <8fc536e9f6856230f19c7d13e71af064b6a77b22
  • <7f2d76c9c03257c0782afef9d95321fa04096f60
  • ==5.0
  • <ec82ea4eb220164d854f8734ca5a35e23e577b94
  • <42827d03f8009a6a218bacab153e21f39d6a121c
  • =<5.10.*
  • <25c8c7fb3b0b9668c7d05e209f58c158d2b020c7
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ovl: keep err zero after successful ovl_cache_get()

In the Linux kernel, the following vulnerability has been resolved: ovl: keep err zero after successful ovl_cache_get() ovl_iterate_merged() stores PTR_ERR(cache) in err before checking IS_ERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error. The syzbot reproducer reaches this through overlay-on-overlay readdir: getdents64 iterate_dir(outer overlay file) ovl_iterate_merged() ovl_cache_get() ovl_dir_read_merged() ovl_dir_read() iterate_dir(inner overlay file) ovl_iterate_merged() Only compute PTR_ERR(cache) on the error path.

Affected products

Linux
  • =<7.0.*
  • <1711b6ed6953cee5940ca4c3a6e77f1b3798cee2
  • <6.19
  • ==6.19
  • <e7051909a01bfb883bfa78b27514854068ac4b85
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ipv6: anycast: insert aca into global hash under idev->lock

In the Linux kernel, the following vulnerability has been resolved: ipv6: anycast: insert aca into global hash under idev->lock syzbot reported a splat [1]: a slab-use-after-free in ipv6_chk_acast_addr(), which walks the global inet6_acaddr_lst[] hash under RCU and dereferences a struct ifacaddr6 that has already been freed while still linked in the hash, so a later reader walks into a dangling node. In __ipv6_dev_ac_inc() the aca is allocated with refcount 1, then aca_get() bumps it to 2 to keep it alive across the unlocked region. It is published to idev->ac_list under idev->lock, but ipv6_add_acaddr_hash() runs after write_unlock_bh(). A concurrent teardown (ipv6_ac_destroy_dev() from addrconf_ifdown(), under RTNL) can slip into that window: CPU0 __ipv6_dev_ac_inc CPU1 ipv6_ac_destroy_dev (RTNL) ------------------------------ ------------------------------------ aca_alloc() refcnt 1 aca_get() refcnt 2 write_lock_bh(idev->lock) add aca to ac_list write_unlock_bh(idev->lock) write_lock_bh(idev->lock) pull aca off ac_list write_unlock_bh(idev->lock) ipv6_del_acaddr_hash(aca) hlist_del_init_rcu() is a no-op, aca is not in the hash yet aca_put() refcnt 2->1 ipv6_add_acaddr_hash(aca) aca now inserted into the hash aca_put() refcnt 1->0 call_rcu(aca_free_rcu) -> kfree(aca) The hash removal becomes a no-op because the insertion has not happened yet, so once CPU0 inserts and drops the last reference, the aca is freed while still linked in inet6_acaddr_lst[], and readers dereference freed memory after the slab slot is reused. This window opened once RTNL stopped serializing the join path against device teardown. Move ipv6_add_acaddr_hash() inside the idev->lock section so the ac_list and hash insertions are atomic with respect to teardown: a racing remover now either misses the aca entirely or finds it in both lists. acaddr_hash_lock is now nested under idev->lock, which is acquired in softirq context, so switch all acaddr_hash_lock sites to spin_lock_bh() to avoid the irq lock inversion reported in [2]. [1] https://syzkaller.appspot.com/bug?extid=a01df04303c131efbf3a [2] https://lore.kernel.org/netdev/6a194ef7.ba3b1513.1890b4.0000.GAE@google.com/

Affected products

Linux
  • =<6.18.*
  • <6.17
  • =<7.0.*
  • <3a967c498baa976b11d4800dda224c507416e97c
  • ==6.17
  • <f723ccaff2fb72b71ae8a9fd283f0dee4d9ae7a3
  • <15be7e9fdbff831fb3e89b83cc337a4f85ad3310
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
KVM: arm64: nv: Fix handling of XN[0] when !FEAT_XNX

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: nv: Fix handling of XN[0] when !FEAT_XNX XN has already been extracted from its bitfield position so using FIELD_PREP() on the mask that clears XN[0] is completely broken, having the effect of unconditionally granting execute permissions... Fix the obvious mistake by manipulating the right bit.

Affected products

Linux
  • =<7.0.*
  • <6.19
  • ==6.19
  • <b95976c2ea446044553a5f469c0bae13553d75ab
  • <49b32ddb87a3a109afecea89e55d70f73956b8bc
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe

In the Linux kernel, the following vulnerability has been resolved: firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe rsu_send_msg() can return -ETIMEDOUT when wait_for_completion_interruptible_timeout() fires while the SMC call is still pending. In stratix10_rsu_probe(), the error paths for COMMAND_RSU_DCMF_VERSION, COMMAND_RSU_DCMF_STATUS, COMMAND_RSU_MAX_RETRY and COMMAND_RSU_GET_SPT_TABLE call stratix10_svc_free_channel() - which sets chan->scl to NULL - but then fall through and queue the next request on the same channel. The next svc kthread that runs will dereference pdata->chan->scl in its receive callback path, triggering a NULL pointer dereference identical to the one fixed by commit c45f7263100c ("firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled") for the COMMAND_RSU_STATUS path. Apply the same cleanup pattern to the remaining failure paths: remove the async client, free the channel, and return early so no further messages are queued on a channel whose scl has been cleared. While at it, clean up stratix10_rsu_probe() in two ways without changing behavior: - Drop redundant zero-initialization of fields already cleared by devm_kzalloc(): client.receive_cb, status.* and spt0/1_address (INVALID_SPT_ADDRESS is 0x0). - Replace five identical 3-line error-cleanup blocks (stratix10_svc_remove_async_client() + stratix10_svc_free_channel() + return ret) with goto labels (remove_async_client, free_channel), matching the standard kernel resource-unwinding pattern and making it easier to extend the probe sequence without forgetting matching cleanup. Also move init_completion() next to mutex_init() so sync-primitive initialization is grouped before anything that could trigger a callback. --- v2: Add a minor clean-up of the function stratix10_rsu_probe() to have a centralize exit for all the rsu_send_async_msg() and rsu_send_msg().

Affected products

Linux
  • <6bc249d324241c64118a3018124798c28e2950f7
  • =<7.0.*
  • <6.19
  • ==6.19
  • <bfd2eb9bba548a8f63c3339bb1fb9a2031a42d86
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
mm/huge_memory: update file PMD counter before folio_put()

In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: update file PMD counter before folio_put() __split_huge_pmd_locked() updates the file/shmem RSS counter after dropping the PMD mapping's folio reference. If folio_put() drops the last reference, mm_counter_file() can later read freed folio state via folio_test_swapbacked(). Move the counter update before folio_put().

Affected products

Linux
  • <5f5b604e1e6bde4e889199168ee80fe8306d06ad
  • =<6.18.*
  • <459771c9cf30f378bdbd30fc65d17f7eb931bb59
  • =<6.1.*
  • =<6.6.*
  • <108963978a681c0c468d279cac2b930c27672877
  • =<6.12.*
  • =<7.0.*
  • <4.19
  • <84b3212b166b446faea27ebebb7161405ffceef9
  • =<5.15.*
  • ==4.19
  • <6c29a8ba084e89499ca77b947e07ae817f9c16ce
  • <ae9d4caf6f133e884cf5fcda4982c493b35e5194
  • <ed5b030931292c94133437ac5e5ff580e498eabd
  • <8d878059924f12c1bc24556a92ec56add74de3c8
  • =<5.10.*
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams

In the Linux kernel, the following vulnerability has been resolved: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams snd_pcm_drain() uses init_waitqueue_entry which does not clear entry.prev/next, and add_wait_queue with a conditional remove_wait_queue that is skipped when to_check is no longer in the group after concurrent UNLINK. The orphaned wait entry remains on the unlinked substream sleep queue. On the next drain iteration, add_wait_queue adds the entry to a new queue while still linked on the old one, corrupting both lists. A subsequent wake_up dereferences NULL at the func pointer (mapped from the spinlock at offset 0 of the misinterpreted wait_queue_head_t), causing a kernel panic. Replace init_waitqueue_entry/add_wait_queue/conditional remove_wait_queue with init_wait_entry/prepare_to_wait/ finish_wait. init_wait_entry clears prev/next via INIT_LIST_HEAD on each iteration and sets autoremove_wake_function which auto-removes the entry on wake-up. finish_wait safely handles both the already-removed and still-queued cases.

Affected products

Linux
  • <6.1.176
  • =<6.6.*
  • <d68b621bb5a48051932f1017a6e1bc9b18f854d0
  • <5.10.259
  • <7c71a9522555ff137a9ca36b15d759ca04d84788
  • =<6.18.*
  • ==7.0
  • <cd98837db15f323463b8df07282ac723bd5c3fed
  • <88fe2e3658726cb21ff2dcf9770bf672f9b9d31b
  • =<5.10.*
  • =<*
  • <6.12.94
  • =<6.1.*
  • <b053fcd8912f06c30f932f5b8ec41c72de474695
  • ==c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694
  • <6.6.143
  • <6.20
  • =<7.0.*
  • =<6.12.*
  • <cac5bf3500ee6422cf64e0df0b5daeecfed42917
  • <7.0
  • <6.18.36
  • <d842f26a167e77a36f3ed333b9fa99d36ef99fe6
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ipv6: mcast: Fix use-after-free when processing MLD queries

In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Fix use-after-free when processing MLD queries When processing an MLD query, a pointer to the multicast group address is retrieved when initially parsing the packet. This pointer is later dereferenced without being reloaded despite the fact that the skb header might have been reallocated following the pskb_may_pull() calls, leading to a use-after-free [1]. Fix by copying the multicast group address when the packet is initially parsed. [1] BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512) Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118 Workqueue: mld mld_query_work Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120) print_address_description.constprop.0 (mm/kasan/report.c:378) print_report (mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:595) __mld_query_work (net/ipv6/mcast.c:1512) mld_query_work (net/ipv6/mcast.c:1563) process_one_work (kernel/workqueue.c:3314) worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478) kthread (kernel/kthread.c:436) ret_from_fork (arch/x86/kernel/process.c:158) ret_from_fork_asm (arch/x86/entry/entry_64.S:245) </TASK> [...] Freed by task 118: kasan_save_stack (mm/kasan/common.c:57) kasan_save_track (mm/kasan/common.c:78) kasan_save_free_info (mm/kasan/generic.c:584) __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285) kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566) pskb_expand_head (net/core/skbuff.c:2335) __pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4)) __mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1)) mld_query_work (net/ipv6/mcast.c:1563) process_one_work (kernel/workqueue.c:3314) worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478) kthread (kernel/kthread.c:436) ret_from_fork (arch/x86/kernel/process.c:158) ret_from_fork_asm (arch/x86/entry/entry_64.S:245)

Affected products

Linux
  • ==2.6.15
  • =<6.18.*
  • =<6.1.*
  • <791c91dc7a9dfb2457d5e29b8216a6484b9c4b40
  • <4203806f700bb44ea0b05d484d9d40044b47fb04
  • =<6.6.*
  • <53baa63a4183291574483f89583dbef13677a2c4
  • =<5.15.*
  • =<6.12.*
  • =<7.0.*
  • <2.6.15
  • <087dbacf897c020f438f780f0a4a8aa73b6d7c5a
  • <1354271c89d0e5fbf8b3d94097ff0216695209c7
  • <b2eb8886200b907fc71806869620609f0f4cacb0
  • <2a613bf497029d555a7428406aa8cdb84a503cea
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net: phy: clean the sfp upstream if phy probing fails

In the Linux kernel, the following vulnerability has been resolved: net: phy: clean the sfp upstream if phy probing fails Sashiko reported that we don't call sfp_bus_del_upstream() in the probe failure path, so let's add it, otherwise the sfp-bus is left with a dangling 'upstream' field, that may be used later on during SFP events. This issue existed before the generic phylib sfp support, back when drivers were calling phy_sfp_probe themselves.

Affected products

Linux
  • <48774e87bbaa0056819d4b52301e4692e50e3252
  • <5.5
  • ==5.5
  • =<*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netfilter: synproxy: add mutex to guard hook reference counting

In the Linux kernel, the following vulnerability has been resolved: netfilter: synproxy: add mutex to guard hook reference counting As the synproxy infrastructure register netfilter hooks on-demand when a user adds the first iptables target or nftables expression, if done concurrently they can race each other. Introduce a mutex to serialize the refcount control blocks access from both frontends. While a per namespace mutex might be more efficient, it is not needed for target/expression like SYNPROXY.

Affected products

Linux
  • =<6.18.*
  • =<6.1.*
  • <2fcba19caaeb2a33017459d3430f057967bb91b6
  • <5.3
  • =<6.6.*
  • <fbf0591275f50eae5733c3d7a8cd6c1e79933ffa
  • =<5.15.*
  • <aaf80701dc2f7a48fe543961e21f8ca3924d587c
  • =<6.12.*
  • =<7.0.*
  • <0ec9ddc1bda261a2c57636c74c8b4e53000102c9
  • <640441348258220e78daed40528b85b8afcedab6
  • ==5.3
  • <debc57b83d5b323df74bf010c8d50fe26ad2ed6b
  • <0f8ba5e4c53d2e4a536aa68140beda9fe59b2f88
  • <56ffbe3a08c01dcdb0d6adee9ce1e535bfb3b389
  • =<5.10.*
  • =<*