Lucene search
K

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-415326)

🗓️ 07 Oct 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Unity Linux 20.1070a fixes ubifs authentication use-after-free in ubifs_tnc_end_commit.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(266821);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/15");

  script_cve_id("CVE-2024-53171");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2025-415326)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-415326 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit

    After an insertion in TNC, the tree might split and cause a node to
    change its `znode->parent`. A further deletion of other nodes in the
    tree (which also could free the nodes), the aforementioned node's
    `znode->cparent` could still point to a freed node. This
    `znode->cparent` may not be updated when getting nodes to commit in
    `ubifs_tnc_start_commit()`. This could then trigger a use-after-free
    when accessing the `znode->cparent` in `write_index()` in
    `ubifs_tnc_end_commit()`.

    This can be triggered by running

      rm -f /etc/test-file.bin
      dd if=/dev/urandom of=/etc/test-file.bin bs=1M count=60 conv=fsync

    in a loop, and with `CONFIG_UBIFS_FS_AUTHENTICATION`. KASAN then
    reports:

      BUG: KASAN: use-after-free in ubifs_tnc_end_commit+0xa5c/0x1950
      Write of size 32 at addr ffffff800a3af86c by task ubifs_bgt0_20/153

      Call trace:
       dump_backtrace+0x0/0x340
       show_stack+0x18/0x24
       dump_stack_lvl+0x9c/0xbc
       print_address_description.constprop.0+0x74/0x2b0
       kasan_report+0x1d8/0x1f0
       kasan_check_range+0xf8/0x1a0
       memcpy+0x84/0xf4
       ubifs_tnc_end_commit+0xa5c/0x1950
       do_commit+0x4e0/0x1340
       ubifs_bg_thread+0x234/0x2e0
       kthread+0x36c/0x410
       ret_from_fork+0x10/0x20

      Allocated by task 401:
       kasan_save_stack+0x38/0x70
       __kasan_kmalloc+0x8c/0xd0
       __kmalloc+0x34c/0x5bc
       tnc_insert+0x140/0x16a4
       ubifs_tnc_add+0x370/0x52c
       ubifs_jnl_write_data+0x5d8/0x870
       do_writepage+0x36c/0x510
       ubifs_writepage+0x190/0x4dc
       __writepage+0x58/0x154
       write_cache_pages+0x394/0x830
       do_writepages+0x1f0/0x5b0
       filemap_fdatawrite_wbc+0x170/0x25c
       file_write_and_wait_range+0x140/0x190
       ubifs_fsync+0xe8/0x290
       vfs_fsync_range+0xc0/0x1e4
       do_fsync+0x40/0x90
       __arm64_sys_fsync+0x34/0x50
       invoke_syscall.constprop.0+0xa8/0x260
       do_el0_svc+0xc8/0x1f0
       el0_svc+0x34/0x70
       el0t_64_sync_handler+0x108/0x114
       el0t_64_sync+0x1a4/0x1a8

      Freed by task 403:
       kasan_save_stack+0x38/0x70
       kasan_set_track+0x28/0x40
       kasan_set_free_info+0x28/0x4c
       __kasan_slab_free+0xd4/0x13c
       kfree+0xc4/0x3a0
       tnc_delete+0x3f4/0xe40
       ubifs_tnc_remove_range+0x368/0x73c
       ubifs_tnc_remove_ino+0x29c/0x2e0
       ubifs_jnl_delete_inode+0x150/0x260
       ubifs_evict_inode+0x1d4/0x2e4
       evict+0x1c8/0x450
       iput+0x2a0/0x3c4
       do_unlinkat+0x2cc/0x490
       __arm64_sys_unlinkat+0x90/0x100
       invoke_syscall.constprop.0+0xa8/0x260
       do_el0_svc+0xc8/0x1f0
       el0_svc+0x34/0x70
       el0t_64_sync_handler+0x108/0x114
       el0t_64_sync+0x1a4/0x1a8

    The offending `memcpy()` in `ubifs_copy_hash()` has a use-after-free
    when a node becomes root in TNC but still has a `cparent` to an already
    freed node. More specifically, consider the following TNC:

             zroot
             /
            /
          zp1
          /
         /
        zn

    Inserting a new node `zn_new` with a key smaller then `zn` will trigger
    a split in `tnc_insert()` if `zp1` is full:

             zroot
             /   \
            /     \
          zp1     zp2
          /         \
         /           \
      zn_new          zn

    `zn->parent` has now been moved to `zp2`, *but* `zn->cparent` still
    points to `zp1`.

    Now, consider a removal of all the nodes _except_ `zn`. Just when
    `tnc_delete()` is about to delete `zroot` and `zp2`:

             zroot
                 \
                  \
                  zp2
                    \
                     \
                     zn

    `zroot` and `zp2` get freed and the tree collapses:

               zn

    `zn` now becomes the new `zroot`.

    `get_znodes_to_commit()` will now only find `zn`, the new `zroot`, and
    `write_index()` will check its `znode->cparent` that wrongly points to
    the already freed `zp1`. `ubifs_copy_hash()` thus gets wrongly called
    with `znode->cparent->zbranch[znode->iip].hash` that triggers the
    use-after-free!

    Fix this by explicitly setting `znode->cparent` to `NULL` in
    `get_znodes_to_commit()` for the root node. The search for the dirty
    nodes
    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-415326
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?75ab73ea");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-53171");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-53171");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/12/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/07/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Oct 2025 00:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.17.8
EPSS0.00285
SSVC
2