Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
net/sched: taprio: fix use-after-free in advance_sched() on schedule switch

In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: fix use-after-free in advance_sched() on schedule switch In advance_sched(), when should_change_schedules() returns true, switch_schedules() is called to promote the admin schedule to oper. switch_schedules() queues the old oper schedule for RCU freeing via call_rcu(), but 'next' still points into an entry of the old oper schedule. The subsequent 'next->end_time = end_time' and rcu_assign_pointer(q->current_entry, next) are use-after-free. Fix this by selecting 'next' from the new oper schedule immediately after switch_schedules(), and using its pre-calculated end_time. setup_first_end_time() sets the first entry's end_time to base_time + interval when the schedule is installed, so the value is already correct. The deleted 'end_time = sched_base_time(admin)' assignment was also harmful independently: it would overwrite the new first entry's pre-calculated end_time with just base_time.

Affected products

Linux
  • <105425b1969c5affe532713cfac1c0b320d7ac2b
  • ==5.2
  • =<5.15.*
  • =<6.18.*
  • =<6.12.*
  • <3471874578160a28c171a607fa069f24062634b8
  • =<7.0.*
  • <1bd286fa3e21200133478ed523cc6a2788baf38a
  • <b73235da5dde77ed1264f9767b62c28c9d71fd78
  • <a8fc396519ef4f081bc545e88f61241728bb78d7
  • <eee072fe16c646190d33ae69c9983d8de1562bf8
  • <7256996e1ef553716817f3bfd077c2f3b48b582f
  • =<*
  • <0e62171df8ed4804d00db088f17eed06468233fa
  • <5.2
  • =<6.1.*
  • =<5.10.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
efi/capsule-loader: fix incorrect sizeof in phys array reallocation

In the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect sizeof in phys array reallocation The krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses sizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be causing an undersized allocation. The allocation is also inconsistent with the initial array allocation in efi_capsule_open() that allocates one entry with sizeof(phys_addr_t), and the efi_capsule_write() function that stores phys_addr_t values (not pointers) via page_to_phys(). On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but pointers are 32-bit, this allocates half the required space, which might lead to a heap buffer overflow when storing physical addresses. This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader: fix incorrect allocation size") which fixed the same issue at the initial allocation site.

Affected products

Linux
  • =<6.18.*
  • =<7.0.*
  • =<6.1.*
  • <e0e6b14995fd6fa2c0df8c712d76ab32f0694c31
  • <ab3f7098a3a27175b91cfc947950f5c26855801b
  • <48a428215782321b56956974f23593e40ce84b7a
  • <67adde6bfdfd563a54b045d59aeb9a2d90c80697
  • <4.15
  • <5e185330d902b12fe8e6eb4b8514b5d736d8d66d
  • <608e1f7bc9d171ab26c1fba288c97fc76363c27d
  • <22022cd8851703a58f67615a17bc7e9e8682785b
  • <8be69e9245f805566bac68ffc8574b64735fd996
  • =<5.15.*
  • ==95a362c9a6892085f714eb6e31eea6a0e3aa93bf
  • <4.15
  • =<*
  • =<6.12.*
  • =<5.10.*
  • ==4.15
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
ocfs2: fix listxattr handling when the buffer is full

In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix listxattr handling when the buffer is full [BUG] If an OCFS2 inode has both inline and block-based xattrs, listxattr() can return a size larger than the caller's buffer when the inline names consume that buffer exactly. kernel BUG at mm/usercopy.c:102! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:usercopy_abort+0xb7/0xd0 mm/usercopy.c:102 Call Trace: __check_heap_object+0xe3/0x120 mm/slub.c:8243 check_heap_object mm/usercopy.c:196 [inline] __check_object_size mm/usercopy.c:250 [inline] __check_object_size+0x5c5/0x780 mm/usercopy.c:215 check_object_size include/linux/ucopysize.h:22 [inline] check_copy_size include/linux/ucopysize.h:59 [inline] copy_to_user include/linux/uaccess.h:219 [inline] listxattr+0xb0/0x170 fs/xattr.c:926 filename_listxattr fs/xattr.c:958 [inline] path_listxattrat+0x137/0x320 fs/xattr.c:988 __do_sys_listxattr fs/xattr.c:1001 [inline] __se_sys_listxattr fs/xattr.c:998 [inline] __x64_sys_listxattr+0x7f/0xd0 fs/xattr.c:998 ... [CAUSE] Commit 936b8834366e ("ocfs2: Refactor xattr list and remove ocfs2_xattr_handler().") replaced the old per-handler list accounting with ocfs2_xattr_list_entry(), but it kept using size == 0 to detect probe mode. That assumption stops being true once ocfs2_listxattr() finishes the inline-xattr pass. If the inline names fill the caller buffer exactly, the block-xattr pass runs with a non-NULL buffer and a remaining size of zero. ocfs2_xattr_list_entry() then skips the bounds check, keeps counting block names, and returns a positive size larger than the supplied buffer. [FIX] Detect probe mode by testing whether the destination buffer pointer is NULL instead of whether the remaining size is zero. That restores the pre-refactor behavior and matches the OCFS2 getxattr helpers. Once the remaining buffer reaches zero while more names are left, the block-xattr pass now returns -ERANGE instead of reporting a size larger than the allocated list buffer.

Affected products

Linux
  • <d919b905939eda93393e3572900ff70dbad2b47f
  • <46e66fefb83811958127bc9ad736983ec629d82b
  • =<5.15.*
  • <6f702b00b8124c5d3525f19172934544826a114d
  • ==2.6.28
  • =<6.18.*
  • =<6.12.*
  • <2323084c17370304f49c84b354fe7b3edbb264fe
  • =<7.0.*
  • <2685df8577a38d83b367c8cf52eda9dc286959ff
  • <2.6.28
  • <50033ec1350fe68abdc63b950ced7ae57364b77a
  • =<*
  • <a35a1c2b170b5b578b1b3fecb95694796552af9a
  • <d12f558e6200b3f47dbef9331ed6d115d2410e59
  • =<6.1.*
  • =<5.10.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
drm/xe/dma-buf: fix UAF with retry loop

In the Linux kernel, the following vulnerability has been resolved: drm/xe/dma-buf: fix UAF with retry loop Retry doesn't work here, since bo will be freed on error, leading to UAF. However, now that we do the alloc & init before the attach, we can now combine this as one unit and have the init do the alloc for us. This should make the retry safe. Reported by Sashiko. v2: Fix up the error unwind (CI) (cherry picked from commit 479669418253e0f27f8cf5db01a731352ea592e7)

Affected products

Linux
  • <827062952ed9bdf4220466c1f05ce452d04bdedf
  • =<6.18.*
  • <39fdac6be02eb7c3460518c1c4085f75f935c4ce
  • <155a372a1cc50fa93387c5d3cdfd614a61e1afd1
  • =<7.0.*
  • ==6.18
  • =<*
  • <6.18
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
neigh: let neigh_xmit take skb ownership

In the Linux kernel, the following vulnerability has been resolved: neigh: let neigh_xmit take skb ownership neigh_xmit always releases the skb, except when no neighbour table is found. But even the first added user of neigh_xmit (mpls) relied on neigh_xmit to release the skb (or queue it for tx). sashiko reported: If neigh_xmit() is called with an uninitialized neighbor table (for example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT and bypasses its internal out_kfree_skb error path. Because the return value of neigh_xmit() is ignored here, does this leak the SKB? Assume full ownership and remove the last code path that doesn't xmit or free skb.

Affected products

Linux
  • <0084712e0bee204b284510cdb63182fd5a30c2b7
  • =<6.18.*
  • ==4.1
  • <8a89054a1ec0767aec25ed2bbac933da6ba3cf5a
  • =<6.12.*
  • <4438113be604ee67a7bf4f81da6e1cca41332ce4
  • <63063ba60d2dc334e34f1e3f9271d7f3f6f30307
  • <4.1
  • =<7.0.*
  • <9247d59ca15bf60a57dca08103f055d8a4340877
  • =<*
  • <445e45a2c3a078316a62d2d331a570cf34ef5079
  • =<6.1.*
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
iommu/riscv: Add IOTINVAL after updating DDT/PDT entries

In the Linux kernel, the following vulnerability has been resolved: iommu/riscv: Add IOTINVAL after updating DDT/PDT entries Add riscv_iommu_iodir_iotinval() to perform required TLB and context cache invalidations after updating DDT or PDT entries, as mandated by the RISC-V IOMMU specification (Section 6.3.1 and 6.3.2).

Affected products

Linux
  • =<6.18.*
  • <3f917d9bff68600f77561900f3145bd4706dc840
  • =<7.0.*
  • <6.13
  • ==6.13
  • <f5c262b544975e067ea265fc7403aefbbea8563e
  • =<*
  • <d99d1c13faa793ff1abab0d20ab6473c838081b3
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
bpf, sockmap: Fix af_unix iter deadlock

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix af_unix iter deadlock bpf_iter_unix_seq_show() may deadlock when lock_sock_fast() takes the fast path and the iter prog attempts to update a sockmap. Which ends up spinning at sock_map_update_elem()'s bh_lock_sock(): WARNING: possible recursive locking detected test_progs/1393 is trying to acquire lock: ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: sock_map_update_elem+0xdb/0x1f0 but task is already holding lock: ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: __lock_sock_fast+0x37/0xe0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(slock-AF_UNIX); lock(slock-AF_UNIX); *** DEADLOCK *** May be due to missing lock nesting notation 4 locks held by test_progs/1393: #0: ffff88814b59c790 (&p->lock){+.+.}-{4:4}, at: bpf_seq_read+0x59/0x10d0 #1: ffff88811ec25fd8 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: bpf_seq_read+0x42c/0x10d0 #2: ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: __lock_sock_fast+0x37/0xe0 #3: ffffffff85a6a7c0 (rcu_read_lock){....}-{1:3}, at: bpf_iter_run_prog+0x51d/0xb00 Call Trace: dump_stack_lvl+0x5d/0x80 print_deadlock_bug.cold+0xc0/0xce __lock_acquire+0x130f/0x2590 lock_acquire+0x14e/0x2b0 _raw_spin_lock+0x30/0x40 sock_map_update_elem+0xdb/0x1f0 bpf_prog_2d0075e5d9b721cd_dump_unix+0x55/0x4f4 bpf_iter_run_prog+0x5b9/0xb00 bpf_iter_unix_seq_show+0x1f7/0x2e0 bpf_seq_read+0x42c/0x10d0 vfs_read+0x171/0xb20 ksys_read+0xff/0x200 do_syscall_64+0x6b/0x3a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Affected products

Linux
  • =<6.18.*
  • <66d9fab4565eafe1afe7ba0581f79b76073b60fa
  • =<6.12.*
  • =<7.0.*
  • <5.15
  • =<*
  • <527057ebe8076dfbcaef51195ff1b7508646be2c
  • <3cef33b9813b78f227942572fb317afcd5c9ac94
  • =<6.6.*
  • ==5.15
  • <4d328dd695383224aa750ddee6b4ad40c0f8d205
  • =<6.1.*
  • <bd3592129f24243713673a07225cf1f15a9bb835
  • <87828b380956d4986f59f2c086e0b09b3e6cdaae
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START

In the Linux kernel, the following vulnerability has been resolved: fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE), but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440). Later, omfs_make_empty() uses sbi->s_sys_blocksize - OMFS_DIR_START as the length argument to memset(). Since s_sys_blocksize is u32, a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes an unsigned underflow there, wrapping to a value near 2^32. That drives a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel memory far beyond the backing block buffer. Add the corresponding lower-bound check alongside the existing upper-bound check in omfs_fill_super(), so that malformed images are rejected during superblock validation before any filesystem data is processed.

Affected products

Linux
  • ==2.6.27
  • =<6.1.*
  • <131ea3e57fc22936ed0e2c8330f2e36106172f51
  • =<6.18.*
  • =<5.15.*
  • =<6.12.*
  • <817f16ed62bc58a168417bfb5e859c2a370bab03
  • <79f84af38c9fef9deb0e02c79eb969b5541c2644
  • =<7.0.*
  • <754ff1bea3819a90c6f33cccfc1a299ef7609f07
  • <5822a05a841a10794ad818620dd2af490b0705d3
  • =<*
  • <6561afc38398e3518a29c5eebb975c30468f98a6
  • <0621c385fda1376e967f37ccd534c26c3e511d14
  • <2.6.27
  • =<5.10.*
  • <fbc72f5c645155dc2ed3573243ed20f9913e3a54
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
batman-adv: v: stop OGMv2 on disabled interface

In the Linux kernel, the following vulnerability has been resolved: batman-adv: v: stop OGMv2 on disabled interface When a batadv_hard_iface is disabled, its mesh_iface pointer is set to NULL. However, batadv_v_ogm_send_meshif() may still dispatch OGMs via batadv_v_ogm_queue_on_if() for interfaces that have since lost their mesh_iface association. This results in a NULL pointer dereference when batadv_v_ogm_queue_on_if() unconditionally calls netdev_priv() on the now NULL hard_iface->mesh_iface to retrieve the batadv_priv. It is necessary to ensure that the batadv_v_ogm_queue_on_if() checks that it is using the same mesh_iface for which batadv_v_ogm_send_meshif() was called.

Affected products

Linux
  • <4ff461af943efb5e74d09942d5ffee7644d1e1fe
  • =<5.15.*
  • =<6.18.*
  • <aad70db50ea3d7dfe30e402b889ff075a293b287
  • =<6.12.*
  • <31dcb9711abd1dcd2080d9fac05c79dd9997d6bf
  • =<7.0.*
  • <f8ce8b8331a1bc44ad4905886a482214d428b253
  • <4.6
  • <70c9f6ab0d8f785087fb74fb85464a9a5288bfdb
  • <d7391a2b854a62235539c68e9cbf6fc7910a8e9a
  • =<*
  • <040fe8eb34624002071dd21de9824dfe668ce65d
  • <1be1e99cbd5b74a69d3f92200ca87cf1bce852db
  • =<6.1.*
  • =<5.10.*
  • ==4.6
  • =<6.6.*
Dismissed
(max. allowed matches exceeded)
created 3 weeks ago Activity log
  • Created & dismissed (max. allowed matches exceeded) suggestion
netfilter: conntrack: remove sprintf usage

In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: remove sprintf usage Replace it with scnprintf, the buffer sizes are expected to be large enough to hold the result, no need for snprintf+overflow check. Increase buffer size in mangle_content_len() while at it. BUG: KASAN: stack-out-of-bounds in vsnprintf+0xea5/0x1270 Write of size 1 at addr [..] vsnprintf+0xea5/0x1270 sprintf+0xb1/0xe0 mangle_content_len+0x1ac/0x280 nf_nat_sdp_session+0x1cc/0x240 process_sdp+0x8f8/0xb80 process_invite_request+0x108/0x2b0 process_sip_msg+0x5da/0xf50 sip_help_tcp+0x45e/0x780 nf_confirm+0x34d/0x990 [..]

Affected products

Linux
  • =<6.1.*
  • <c08ff52e44945e6ef4ce0790f49ea761b060c45b
  • =<5.15.*
  • <a8e0a32a23d3f34862af3b4da792ecb3a891a9a3
  • =<6.18.*
  • <2f793ba78470a99f40389b7dc60a81d9f5ad3956
  • <8e3be0d12615a173fe260cd42753ca7a001acbf2
  • =<6.12.*
  • <ab64e61c9323fa6de21bd20da1ddb29a0fb65d34
  • <6e7066bdb481a87fe88c4fa563e348c03b2d373d
  • ==2.6.20
  • <2.6.20
  • =<7.0.*
  • =<*
  • <6bbf829b4c1b44c941c47dd0d710f1393258f3d5
  • <1c9fb8aeed06790d42cdcd00f6c3ce0b9e926c1e
  • =<5.10.*
  • =<6.6.*