Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
fsnotify: fix inode reference leak in fsnotify_recalc_mask()

In the Linux kernel, the following vulnerability has been resolved: fsnotify: fix inode reference leak in fsnotify_recalc_mask() fsnotify_recalc_mask() fails to handle the return value of __fsnotify_recalc_mask(), which may return an inode pointer that needs to be released via fsnotify_drop_object() when the connector's HAS_IREF flag transitions from set to cleared. This manifests as a hung task with the following call trace: INFO: task umount:1234 blocked for more than 120 seconds. Call Trace: __schedule schedule fsnotify_sb_delete generic_shutdown_super kill_anon_super cleanup_mnt task_work_run do_exit do_group_exit The race window that triggers the iref leak: Thread A (adding mark) Thread B (removing mark) ────────────────────── ──────────────────────── fsnotify_add_mark_locked(): fsnotify_add_mark_list(): spin_lock(conn->lock) add mark_B(evictable) to list spin_unlock(conn->lock) return /* ---- gap: no lock held ---- */ fsnotify_detach_mark(mark_A): spin_lock(mark_A->lock) clear ATTACHED flag on mark_A spin_unlock(mark_A->lock) fsnotify_put_mark(mark_A) fsnotify_recalc_mask(): spin_lock(conn->lock) __fsnotify_recalc_mask(): /* mark_A skipped: ATTACHED cleared */ /* only mark_B(evictable) remains */ want_iref = false has_iref = true /* not yet cleared */ -> HAS_IREF transitions true -> false -> returns inode pointer spin_unlock(conn->lock) /* BUG: return value discarded! * iput() and fsnotify_put_sb_watched_objects() * are never called */ Fix this by deferring the transition true -> false of HAS_IREF flag from fsnotify_recalc_mask() (Thread A) to fsnotify_put_mark() (thread B).

Affected products

Linux
  • <5c80289503da3658e3df80280598c68d181eadbd
  • <b740cc86816bbc87902ae9db74cd21abde3c8d63
  • <4aca914ac152f5d055ddcb36704d1e539ac08977
  • =<6.18.*
  • <5.19
  • =<6.12.*
  • <5.11
  • =<7.0.*
  • <8c8afa6444e6bdc145d2bf2f3aeeca6da3e36b42
  • ==4f145b67c075324b13d6ae7d5abb6e7a1dbac26d
  • ==5.19
  • =<*
  • <5.16
  • ==ff34ebaa6f6dc1eebce6a8d6f12a1566f33d00fe
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
f2fs: avoid reading already updated pages during GC

In the Linux kernel, the following vulnerability has been resolved: f2fs: avoid reading already updated pages during GC We found the following issue during fuzz testing: page: refcount:3 mapcount:0 mapping:00000000b6e89c65 index:0x18b2dc pfn:0x161ba9 memcg:f8ffff800e269c00 aops:f2fs_meta_aops ino:2 flags: 0x52880000000080a9(locked|waiters|uptodate|lru|private|zone=1|kasantag=0x4a) raw: 52880000000080a9 fffffffec6e17588 fffffffec0ccc088 a7ffff8067063618 raw: 000000000018b2dc 0000000000000009 00000003ffffffff f8ffff800e269c00 page dumped because: VM_BUG_ON_FOLIO(folio_test_uptodate(folio)) page_owner tracks the page as allocated post_alloc_hook+0x58c/0x5ec prep_new_page+0x34/0x284 get_page_from_freelist+0x2dcc/0x2e8c __alloc_pages_noprof+0x280/0x76c __folio_alloc_noprof+0x18/0xac __filemap_get_folio+0x6bc/0xdc4 pagecache_get_page+0x3c/0x104 do_garbage_collect+0x5c78/0x77a4 f2fs_gc+0xd74/0x25f0 gc_thread_func+0xb28/0x2930 kthread+0x464/0x5d8 ret_from_fork+0x10/0x20 ------------[ cut here ]------------ kernel BUG at mm/filemap.c:1563! folio_end_read+0x140/0x168 f2fs_finish_read_bio+0x5c4/0xb80 f2fs_read_end_io+0x64c/0x708 bio_endio+0x85c/0x8c0 blk_update_request+0x690/0x127c scsi_end_request+0x9c/0xb8c scsi_io_completion+0xf0/0x250 scsi_finish_command+0x430/0x45c scsi_complete+0x178/0x6d4 blk_mq_complete_request+0xcc/0x104 scsi_done_internal+0x214/0x454 scsi_done+0x24/0x34 which is similar to the problem reported by syzbot: https://syzkaller.appspot.com/bug?extid=3686758660f980b402dc This case is consistent with the description in commit 9bf1a3f ("f2fs: avoid GC causing encrypted file corrupted"): Page 1 is moved from blkaddr A to blkaddr B by move_data_block, and after being written it is marked as uptodate. Then, Page 1 is moved from blkaddr B to blkaddr C, VM_BUG_ON_FOLIO was triggered in the endio initiated by ra_data_block. There is no need to read Page 1 again from blkaddr B, since it has already been updated. Therefore, avoid initiating I/O in this case.

Affected products

Linux
  • =<6.18.*
  • =<7.0.*
  • <4.19
  • =<*
  • <570e2ccc7cb35fe720106964e65060602d3d2ac4
  • ==4.19
  • <4623c251496b99c530ce225c05334f4eac8b933a
  • <b663ebb8a340eae5442e605b6acd2cff5677f016
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ksmbd: fix use-after-free in smb2_open during durable reconnect

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb2_open during durable reconnect In smb2_open, the call to ksmbd_put_durable_fd(fp) drops the reference to the durable file descriptor early during the durable reconnect process. If an error occurs subsequently (eg, ksmbd_iov_pin_rsp fails) or a scavenger accesses the file, it leads to a use-after-free when accessing fp properties (eg fp->create_time). Move the single put to the end of the function below err_out2 so fp stays valid until smb2_open returns.

Affected products

Linux
  • ==6.9
  • =<6.18.*
  • ==8df4bcdb0a4232192b2445256c39b787d58ef14d
  • =<7.0.*
  • <1baff47b81f94f9231c91236aa511420d0e266b9
  • <ce2e164c1c51c3f7813b80f8c926836e896bcbb3
  • =<*
  • <97a0cd55283b4e63fd92804da91c8d9896adcad9
  • <6.7
  • <6.9
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
vrf: Fix a potential NPD when removing a port from a VRF

In the Linux kernel, the following vulnerability has been resolved: vrf: Fix a potential NPD when removing a port from a VRF RCU readers that identified a net device as a VRF port using netif_is_l3_slave() assume that a subsequent call to netdev_master_upper_dev_get_rcu() will return a VRF device. They then continue to dereference its l3mdev operations. This assumption is not always correct and can result in a NPD [1]. There is no RCU synchronization when removing a port from a VRF, so it is possible for an RCU reader to see a new master device (e.g., a bridge) that does not have l3mdev operations. Fix by adding RCU synchronization after clearing the IFF_L3MDEV_SLAVE flag. Skip this synchronization when a net device is removed from a VRF as part of its deletion and when the VRF device itself is deleted. In the latter case an RCU grace period will pass by the time RTNL is released. [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] RIP: 0010:l3mdev_fib_table_rcu (net/l3mdev/l3mdev.c:181) [...] Call Trace: <TASK> l3mdev_fib_table_by_index (net/l3mdev/l3mdev.c:201 net/l3mdev/l3mdev.c:189) __inet_bind (net/ipv4/af_inet.c:499 (discriminator 3)) inet_bind_sk (net/ipv4/af_inet.c:469) __sys_bind (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:1951 (discriminator 1)) __x64_sys_bind (net/socket.c:1969 (discriminator 1) net/socket.c:1967 (discriminator 1) net/socket.c:1967 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Affected products

Linux
  • <2674d603a9e6970463b2b9ebcf8e31e90beae169
  • =<5.15.*
  • =<6.18.*
  • <2c022f582fd16a470df6ed9e7fb7e9fc48946d49
  • <a7a97f2303e63ede105c1d55ef53dc497364e11d
  • <4ab6fc60ed5a0344b60711b09bff1dc238d8d6a4
  • =<6.12.*
  • =<7.0.*
  • <d47204c127992da0c976ac9747070a575912e0fe
  • <8c2b792f04a3db97c9d8d2a45817e93f8884baf5
  • <468defa0b70902a22f4478c1207624bc1b31c124
  • <4.12
  • =<*
  • =<5.10.*
  • =<6.1.*
  • <3db8d078f7f652379ee394132b169d304f6eb4c1
  • ==4.12
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
sctp: diag: reject stale associations in dump_one path

In the Linux kernel, the following vulnerability has been resolved: sctp: diag: reject stale associations in dump_one path The SCTP exact sock_diag lookup can hold a transport reference, block on lock_sock(sk), and then resume after sctp_association_free() has marked the association dead and freed its bind address list. When that happens, inet_assoc_attr_size() and inet_diag_msg_sctpasoc_fill() can still dereference association state that is no longer valid for reporting. In particular, inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a real sctp_sockaddr_entry and trigger an out-of-bounds read from unrelated association memory. Reject the association after taking the socket lock if it has been reaped or detached from the endpoint, and report the lookup as stale. This keeps the exact dump-one path from formatting torn association state.

Affected products

Linux
  • <5425de8bd6e9fe5bd67d158e3348171ae7510117
  • =<5.15.*
  • =<6.18.*
  • <f5af203dec6e0e7a6090fcc2130e9f3901bfc84d
  • <5eba3e48d78edd7551b992cb7ba687019b3a78da
  • =<6.12.*
  • =<7.0.*
  • ==4.7
  • <4.7
  • <480f754580b5686b928977d16a59f20cef83ff01
  • =<*
  • <6657af827e21883ae90693e42e7f59a6aab690b5
  • <b2be72d401833194917e44fbd8d8144bb4f2db16
  • <e97c2a535e23ed0fdd2660993fb3f10d9535c9bc
  • =<6.1.*
  • =<5.10.*
  • <78c4f964b2f94e405721c093773f6250e1e676b2
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netfilter: nf_queue: hold bridge skb->dev while queued

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_queue: hold bridge skb->dev while queued br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge master before queueing bridge LOCAL_IN packets. NFQUEUE only holds references on state.in/out and bridge physdevs, so a queued bridge packet can retain a freed bridge master in skb->dev until reinjection. When the verdict is reinjected later, br_netif_receive_skb() re-enters the receive path with skb->dev still pointing at the freed bridge master, triggering a use-after-free. Store skb->dev in the queue entry, hold a reference on it for the queue lifetime, and use the saved device when dropping queued packets during NETDEV_DOWN handling.

Affected products

Linux
  • =<5.15.*
  • =<6.18.*
  • <1e5e20031c5eee8d2e490a90ff4d6a2feecfc3be
  • =<6.12.*
  • =<7.0.*
  • <15d464265120ab9818bd673af301deee09bedab2
  • <3823c27099cfe2482299065814adbaa771be9644
  • <3fb0f5c0f64162a8c3f25616a4f1e340b921737f
  • <950d809f154dca04e5fbe5d3c8b9c5e44769cd57
  • <a698ac8ab2561cf575d2d9f34095032651dd952e
  • <19924bdd8a45ebc72a7b84c57fd63057d1dc75ac
  • <4.7
  • =<*
  • <e196115ec330a18de415bdb9f5071aa9f08e53ce
  • =<6.1.*
  • =<5.10.*
  • ==4.7
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
crypto: ccp - copy IV using skcipher ivsize

In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - copy IV using skcipher ivsize AF_ALG rfc3686-ctr-aes-ccp requests pass an 8-byte IV to the driver. ccp_aes_complete() restores AES_BLOCK_SIZE bytes into the caller's IV buffer while RFC3686 skciphers expose an 8-byte IV, so the restore overruns the provided buffer. Use crypto_skcipher_ivsize() to copy only the algorithm's IV length.

Affected products

Linux
  • <eecee15e263ccb8cd77170a56ab6c969cb54dd6a
  • =<6.1.*
  • =<5.15.*
  • <a7a1f3cdd64d8a165d9b8c9e9ad7fb46ac19dfc4
  • ==3.14
  • <798d409a8949f3f495f238549b86de2886b129bd
  • =<6.18.*
  • =<6.12.*
  • <227c1e1d9e2aa4cfc65ba446d5690da1f546cda4
  • =<7.0.*
  • <3.14
  • =<*
  • <dfb2cf434829819268fe50f41542aad318ad62b2
  • =<6.6.*
  • <bb01d8f1f385bc9034ca114d3508c7fdea24fc9a
  • <939061b2d0f7f15114e34b4ce878ef50ff4089c3
  • =<5.10.*
  • <df9784bb5b637ac80f4a2768a58ca9a50bef28a9
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet

In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware. But it is never killed in rtl_pci_deinit(). When the rtlwifi card probe fails or is being detached, the ieee80211_hw is deallocated. However, irq_prepare_bcn_tasklet may still be running or pending, leading to use-after-free when the freed ieee80211_hw is accessed in _rtl_pci_prepare_bcn_tasklet(). Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to ensure that irq_prepare_bcn_tasklet is properly terminated before the ieee80211_hw is released. The issue was identified through static analysis.

Affected products

Linux
  • <7731b67bd59d1284d150cbe40a47e95a10613234
  • =<6.6.*
  • <039cd522dc70151da13329a5e3ae19b1736f468a
  • <008c456b76e9070979bc0e763897a5d3b0fdd4dc
  • =<5.15.*
  • =<6.18.*
  • =<6.12.*
  • <fac1079e0fdec6df6d7562c21941587236dc3def
  • =<7.0.*
  • <2.6.38
  • <ae10d4a1ab6bcaa1336abb171908a9a365761d3e
  • <3c0e8a3179e6325a7dc6ce221aef0e03d854ab4b
  • =<*
  • <e40873820c9d245ce482faa7ad514ebdb3b8d23d
  • <aa10a452e34810987fb9f4a047995b30003fb53f
  • =<6.1.*
  • =<5.10.*
  • ==2.6.38
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
drm/sun4i: backend: fix error pointer dereference

In the Linux kernel, the following vulnerability has been resolved: drm/sun4i: backend: fix error pointer dereference The function drm_atomic_get_plane_state() can return an error pointer and is not checked for it. Add error pointer check. Detected by Smatch: drivers/gpu/drm/sun4i/sun4i_backend.c:496 sun4i_backend_atomic_check() error: 'plane_state' dereferencing possible ERR_PTR()

Affected products

Linux
  • =<6.1.*
  • =<6.18.*
  • <e9bef62f1bb9fcb38223730657af20f4c6283c16
  • =<6.12.*
  • <ea51fd96aca01381e8f1ac0c671a57b7619193bb
  • <cf615b90a11a39a28e313be5e508e94bcde72016
  • <06277983eca4a31d3c2114fa33d99a6e82484b11
  • <47038159c559824f4dbfb5b0d87b9b3416663372
  • =<7.0.*
  • ==4.17
  • =<*
  • <4.17
  • <779c2f10743fc021f2f0ebe2b188cadfb973c5e4
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks, 1 day ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
libceph: Fix potential null-ptr-deref in decode_choose_args()

In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential null-ptr-deref in decode_choose_args() A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. When decoding this CRUSH map in crush_decode(), an array of max_buckets CRUSH buckets is decoded, where some indices may not refer to actual buckets and are therefore set to NULL. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). When decoding a crush_choose_arg_map, a series of choose_args for different buckets is decoded, with the bucket_index being read from the incoming message. It is only checked that the bucket index does not exceed max_buckets, but not that it doesn't point to an index with a NULL bucket. If a (potentially corrupted) message contains a crush_choose_arg_map including such a bucket_index, a null pointer dereference may occur in the subsequent processing when attempting to access the bucket with the given index. This patch fixes the issue by extending the affected check. Now, it is only attempted to access the bucket if it is not NULL.

Affected products

Linux
  • <a20e16ebfe2fa65348eb4b2dc7deac330ce03e9c
  • <d55ffad8d422b5d1cc44dad32bd3d25f4471cd9f
  • =<6.18.*
  • <d7a65a34d2453f8cd3e0cc0e1319740af7e24276
  • <5.15.209
  • =<7.0.*
  • <5.10.258
  • =<6.1.*
  • <6.18.33
  • <301286c0ccd37d66b0e40786fd35a4f19cdbd88a
  • <7169f326a23d0f547fcd90e68b72fd387622e126
  • <7.0.10
  • <6.1.175
  • <f2f95e6d4b97e70bb876139b0583fc8079983f85
  • <6.6.141
  • <28b0a2ab8c82d0bbdeb8013029c67c978ce6e4bf
  • <312ec973efac0efb9b9ed64214235910e9ecbaa8
  • =<5.15.*
  • =<*
  • <6.12.91
  • =<6.12.*
  • =<5.10.*
  • =<6.6.*