Lucene search
K

Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-399368)

🗓️ 07 Oct 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Kernel ext4 out-of-bounds read during dotdot directory check; fix extends __ext4_check_dir_entry.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(266934);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/15");

  script_cve_id("CVE-2025-37785");

  script_name(english:"Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-399368)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-399368 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    ext4: fix OOB read when checking dotdot dir

    Mounting a corrupted filesystem with directory which contains '.' dir
    entry with rec_len == block size results in out-of-bounds read (later
    on, when the corrupted directory is removed).

    ext4_empty_dir() assumes every ext4 directory contains at least '.'
    and '..' as directory entries in the first data block. It first loads
    the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry()
    and then uses its rec_len member to compute the location of '..' dir
    entry (in ext4_next_entry). It assumes the '..' dir entry fits into the
    same data block.

    If the rec_len of '.' is precisely one block (4KB), it slips through the
    sanity checks (it is considered the last directory entry in the data
    block) and leaves struct ext4_dir_entry_2 *de point exactly past the
    memory slot allocated to the data block. The following call to
    ext4_check_dir_entry() on new value of de then dereferences this pointer
    which results in out-of-bounds mem access.

    Fix this by extending __ext4_check_dir_entry() to check for '.' dir
    entries that reach the end of data block. Make sure to ignore the phony
    dir entries for checksum (by checking name_len for non-zero).

    Note: This is reported by KASAN as use-after-free in case another
    structure was recently freed from the slot past the bound, but it is
    really an OOB read.

    This issue was found by syzkaller tool.

    Call Trace:
    [   38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710
    [   38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375
    [   38.595158]
    [   38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1
    [   38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
    rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
    [   38.595304] Call Trace:
    [   38.595308]  <TASK>
    [   38.595311]  dump_stack_lvl+0xa7/0xd0
    [   38.595325]  print_address_description.constprop.0+0x2c/0x3f0
    [   38.595339]  ? __ext4_check_dir_entry+0x67e/0x710
    [   38.595349]  print_report+0xaa/0x250
    [   38.595359]  ? __ext4_check_dir_entry+0x67e/0x710
    [   38.595368]  ? kasan_addr_to_slab+0x9/0x90
    [   38.595378]  kasan_report+0xab/0xe0
    [   38.595389]  ? __ext4_check_dir_entry+0x67e/0x710
    [   38.595400]  __ext4_check_dir_entry+0x67e/0x710
    [   38.595410]  ext4_empty_dir+0x465/0x990
    [   38.595421]  ? __pfx_ext4_empty_dir+0x10/0x10
    [   38.595432]  ext4_rmdir.part.0+0x29a/0xd10
    [   38.595441]  ? __dquot_initialize+0x2a7/0xbf0
    [   38.595455]  ? __pfx_ext4_rmdir.part.0+0x10/0x10
    [   38.595464]  ? __pfx___dquot_initialize+0x10/0x10
    [   38.595478]  ? down_write+0xdb/0x140
    [   38.595487]  ? __pfx_down_write+0x10/0x10
    [   38.595497]  ext4_rmdir+0xee/0x140
    [   38.595506]  vfs_rmdir+0x209/0x670
    [   38.595517]  ? lookup_one_qstr_excl+0x3b/0x190
    [   38.595529]  do_rmdir+0x363/0x3c0
    [   38.595537]  ? __pfx_do_rmdir+0x10/0x10
    [   38.595544]  ? strncpy_from_user+0x1ff/0x2e0
    [   38.595561]  __x64_sys_unlinkat+0xf0/0x130
    [   38.595570]  do_syscall_64+0x5b/0x180
    [   38.595583]  entry_SYSCALL_64_after_hwframe+0x76/0x7e

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-399368
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f94ba488");
  # https://lore.kernel.org/linux-cve-announce/2025041813-CVE-2025-37785-e13d@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b231687c");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2025-37785");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-37785");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/04/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/07/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1050a|20.1060a|20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1050a / 20.1060a / 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1050a',
    'pkgs': [
      {'reference':'kernel-5.10.0-27.2', 'sp':'1050a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-27.2', 'sp':'1050a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-27.2', 'sp':'1050a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1060a',
    'pkgs': [
      {'reference':'kernel-5.10.0-46.34', 'sp':'1060a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.34', 'sp':'1060a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.34', 'sp':'1060a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Oct 2025 00:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.17.1
EPSS0.00226
2