Lucene search
K

TencentOS Server 4: kernel (TSSA-2025:0216)

🗓️ 16 Jun 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 4 Views

TencentOS Server 4 is vulnerable due to outdated kernel; updates fix multiple vulnerabilities.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2025:0216.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(239284);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/20");

  script_cve_id(
    "CVE-2022-49035",
    "CVE-2024-36476",
    "CVE-2024-39282",
    "CVE-2024-41149",
    "CVE-2024-43098",
    "CVE-2024-46896"
  );

  script_name(english:"TencentOS Server 4: kernel (TSSA-2025:0216)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 4 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0216 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2022-49035:
    In the Linux kernel, the following vulnerability has been resolved:

    drm/amdgpu: don't access invalid sched

    Since 2320c9e6a768 (drm/sched: memset() 'job' in drm_sched_job_init())
    accessing job->base.sched can produce unexpected results as the initialisation
    of (*job)->base.sched done in amdgpu_job_alloc is overwritten by the
    memset.

    This commit fixes an issue when a CS would fail validation and would
    be rejected after job->num_ibs is incremented. In this case,
    amdgpu_ib_free(ring->adev, ...) will be called, which would crash the
    machine because the ring value is bogus.

    To fix this, pass a NULL pointer to amdgpu_ib_free(): we can do this
    because the device is actually not used in this function.

    The next commit will remove the ring argument completely.

    (cherry picked from commit 2ae520cb12831d264ceb97c61f72c59d33c0dbd7)

    CVE-2024-43098:
    In the Linux kernel, the following vulnerability has been resolved:

    i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock

    A deadlock may happen since the i3c_master_register() acquires
    &i3cbus->lock twice. See the log below.
    Use i3cdev->desc->info instead of calling i3c_device_info() to
    avoid acquiring the lock twice.

    v2:
    - Modified the title and commit message

    ============================================
    WARNING: possible recursive locking detected
    6.11.0-mainline
    --------------------------------------------
    init/1 is trying to acquire lock:
    f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_bus_normaluse_lock

    but task is already holding lock:
    f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_master_register

    other info that might help us debug this:
     Possible unsafe locking scenario:

         CPU0
         ----
    lock(&i3cbus->lock);
    lock(&i3cbus->lock);

     *** DEADLOCK ***

     May be due to missing lock nesting notation

    2 locks held by init/1:
     #0: fcffff809b6798f8 (&dev->mutex){....}-{3:3}, at: __driver_attach
     #1: f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_master_register

    stack backtrace:
    CPU: 6 UID: 0 PID: 1 Comm: init
    Call trace:
     dump_backtrace+0xfc/0x17c
     show_stack+0x18/0x28
     dump_stack_lvl+0x40/0xc0
     dump_stack+0x18/0x24
     print_deadlock_bug+0x388/0x390
     __lock_acquire+0x18bc/0x32ec
     lock_acquire+0x134/0x2b0
     down_read+0x50/0x19c
     i3c_bus_normaluse_lock+0x14/0x24
     i3c_device_get_info+0x24/0x58
     i3c_device_uevent+0x34/0xa4
     dev_uevent+0x310/0x384
     kobject_uevent_env+0x244/0x414
     kobject_uevent+0x14/0x20
     device_add+0x278/0x460
     device_register+0x20/0x34
     i3c_master_register_new_i3c_devs+0x78/0x154
     i3c_master_register+0x6a0/0x6d4
     mtk_i3c_master_probe+0x3b8/0x4d8
     platform_probe+0xa0/0xe0
     really_probe+0x114/0x454
     __driver_probe_device+0xa0/0x15c
     driver_probe_device+0x3c/0x1ac
     __driver_attach+0xc4/0x1f0
     bus_for_each_dev+0x104/0x160
     driver_attach+0x24/0x34
     bus_add_driver+0x14c/0x294
     driver_register+0x68/0x104
     __platform_driver_register+0x20/0x30
     init_module+0x20/0xfe4
     do_one_initcall+0x184/0x464
     do_init_module+0x58/0x1ec
     load_module+0xefc/0x10c8
     __arm64_sys_finit_module+0x238/0x33c
     invoke_syscall+0x58/0x10c
     el0_svc_common+0xa8/0xdc
     do_el0_svc+0x1c/0x28
     el0_svc+0x50/0xac
     el0t_64_sync_handler+0x70/0xbc
     el0t_64_sync+0x1a8/0x1ac

    CVE-2024-41149:
    In the Linux kernel, the following vulnerability has been resolved:

    block: avoid to reuse `hctx` not removed from cpuhp callback list

    If the 'hctx' isn't removed from cpuhp callback list, we can't reuse it,
    otherwise use-after-free may be triggered.

    CVE-2024-46896:
    In the Linux kernel, the following vulnerability has been resolved:

    net: wwan: t7xx: Fix FSM command timeout issue

    When driver processes the internal state change command, it use an
    asynchronous thread to process the command operation. If the main
    thread detects that the task has timed out, the asynchronous thread
    will panic when executing the completion notification because the
    main thread completion object has been released.

    BUG: unable to handle page fault for address: fffffffffffffff8
    PGD 1f283a067 P4D 1f283a067 PUD 1f283c067 PMD 0
    Oops: 0000 [#1] PREEMPT SMP NOPTI
    RIP: 0010:complete_all+0x3e/0xa0
    [...]
    Call Trace:
     <TASK>
     ? __die_body+0x68/0xb0
     ? page_fault_oops+0x379/0x3e0
     ? exc_page_fault+0x69/0xa0
     ? asm_exc_page_fault+0x22/0x30
     ? complete_all+0x3e/0xa0
     fsm_main_thread+0xa3/0x9c0 [mtk_t7xx (HASH:1400 5)]
     ? __pfx_autoremove_wake_function+0x10/0x10
     kthread+0xd8/0x110
     ? __pfx_fsm_main_thread+0x10/0x10 [mtk_t7xx (HASH:1400 5)]
     ? __pfx_kthread+0x10/0x10
     ret_from_fork+0x38/0x50
     ? __pfx_kthread+0x10/0x10
     ret_from_fork_asm+0x1b/0x30
     </TASK>
    [...]
    CR2: fffffffffffffff8
    ---[ end trace 0000000000000000 ]---

    Use the reference counter to ensure safe release as Sergey suggests:
    https://lore.kernel.org/all/[email protected]/

    CVE-2024-39282:
    In the Linux kernel, the following vulnerability has been resolved:

    RDMA/rtrs: Ensure 'ib_sge list' is accessible

    Move the declaration of the 'ib_sge list' variable outside the
    'always_invalidate' block to ensure it remains accessible for use
    throughout the function.

    Previously, 'ib_sge list' was declared within the 'always_invalidate'
    block, limiting its accessibility, then caused a
    'BUG: kernel NULL pointer dereference'[1].
     ? __die_body.cold+0x19/0x27
     ? page_fault_oops+0x15a/0x2d0
     ? search_module_extables+0x19/0x60
     ? search_bpf_extables+0x5f/0x80
     ? exc_page_fault+0x7e/0x180
     ? asm_exc_page_fault+0x26/0x30
     ? memcpy_orig+0xd5/0x140
     rxe_mr_copy+0x1c3/0x200 [rdma_rxe]
     ? rxe_pool_get_index+0x4b/0x80 [rdma_rxe]
     copy_data+0xa5/0x230 [rdma_rxe]
     rxe_requester+0xd9b/0xf70 [rdma_rxe]
     ? finish_task_switch.isra.0+0x99/0x2e0
     rxe_sender+0x13/0x40 [rdma_rxe]
     do_task+0x68/0x1e0 [rdma_rxe]
     process_one_work+0x177/0x330
     worker_thread+0x252/0x390
     ? __pfx_worker_thread+0x10/0x10

    This change ensures the variable is available for subsequent operations
    that require it.

    [1] https://lore.kernel.org/linux-rdma/[email protected]/

    CVE-2024-36476:
    In the Linux kernel, the following vulnerability has been resolved:

    media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE

    I expect that the hardware will have limited this to 16, but just in
    case it hasn't, check for this corner case.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20250216.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-46896");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/03/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/03/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:kernel");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 4.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '4',
    'pkgs': [
      {'reference':'bpftool-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'bpftool-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'bpftool-debuginfo-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'bpftool-debuginfo-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-core-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-core-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-debuginfo-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-debuginfo-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-debuginfo-common-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-debuginfo-common-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-devel-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-devel-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-headers-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-headers-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-modules-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-modules-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-signing-keys-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-signing-keys-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-tools-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-tools-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-tools-debuginfo-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-tools-debuginfo-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-tools-libs-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-tools-libs-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-tools-libs-devel-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-tools-libs-devel-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'mlnx-ofed-dist-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'perf-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'perf-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'perf-debuginfo-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'perf-debuginfo-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'python3-perf-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'python3-perf-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'python3-perf-debuginfo-6.6.70-24.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'python3-perf-debuginfo-6.6.70-24.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / bpftool-debuginfo / kernel / etc');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

20 Nov 2025 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 3.15.5 - 7.8
EPSS0.00224
SSVC
4