Lucene search
K

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-449275)

🗓️ 07 Oct 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Kernel fix for NULL pointer dereference in hugetlbfs when configuring pagesize via fsconfig.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(267856);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/15");

  script_cve_id("CVE-2024-26688");

  script_name(english:"Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-449275)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-449275 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super

    When configuring a hugetlb filesystem via the fsconfig() syscall, there is
    a possible NULL dereference in hugetlbfs_fill_super() caused by assigning
    NULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize
    is non valid.

    E.g: Taking the following steps:

         fd = fsopen(hugetlbfs, FSOPEN_CLOEXEC);
         fsconfig(fd, FSCONFIG_SET_STRING, pagesize, 1024, 0);
         fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);

    Given that the requested pagesize is invalid, ctxt->hstate will be replaced
    with NULL, losing its previous value, and we will print an error:

     ...
     ...
     case Opt_pagesize:
     ps = memparse(param->string, &rest);
     ctx->hstate = h;
     if (!ctx->hstate) {
             pr_err(Unsupported page size %lu MB\n, ps / SZ_1M);
             return -EINVAL;
     }
     return 0;
     ...
     ...

    This is a problem because later on, we will dereference ctxt->hstate in
    hugetlbfs_fill_super()

     ...
     ...
     sb->s_blocksize = huge_page_size(ctx->hstate);
     ...
     ...

    Causing below Oops.

    Fix this by replacing cxt->hstate value only when then pagesize is known
    to be valid.

     kernel: hugetlbfs: Unsupported page size 0 MB
     kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028
     kernel: #PF: supervisor read access in kernel mode
     kernel: #PF: error_code(0x0000) - not-present page
     kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0
     kernel: Oops: 0000 [#1] PREEMPT SMP PTI
     kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G            E      6.8.0-rc2-default+ #22
    5a47c3fef76212addcc6eb71344aabc35190ae8f
     kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017
     kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0
     kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff
    7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28
     kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246
     kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004
     kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000
     kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004
     kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000
     kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400
     kernel: FS:  00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000
     kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0
     kernel: Call Trace:
     kernel:  <TASK>
     kernel:  ? __die_body+0x1a/0x60
     kernel:  ? page_fault_oops+0x16f/0x4a0
     kernel:  ? search_bpf_extables+0x65/0x70
     kernel:  ? fixup_exception+0x22/0x310
     kernel:  ? exc_page_fault+0x69/0x150
     kernel:  ? asm_exc_page_fault+0x22/0x30
     kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10
     kernel:  ? hugetlbfs_fill_super+0xb4/0x1a0
     kernel:  ? hugetlbfs_fill_super+0x28/0x1a0
     kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10
     kernel:  vfs_get_super+0x40/0xa0
     kernel:  ? __pfx_bpf_lsm_capable+0x10/0x10
     kernel:  vfs_get_tree+0x25/0xd0
     kernel:  vfs_cmd_create+0x64/0xe0
     kernel:  __x64_sys_fsconfig+0x395/0x410
     kernel:  do_syscall_64+0x80/0x160
     kernel:  ? syscall_exit_to_user_mode+0x82/0x240
     kernel:  ? do_syscall_64+0x8d/0x160
     kernel:  ? syscall_exit_to_user_mode+0x82/0x240
     kernel:  ? do_syscall_64+0x8d/0x160
     kernel:  ? exc_page_fault+0x69/0x150
     kernel:  entry_SYSCALL_64_after_hwframe+0x6e/0x76
     kernel: RIP: 0033:0x7ffbc0cb87c9
     kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d
    89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48
     kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af
     kernel: RAX: fffffffffff
    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-449275
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c9187782");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-26688");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-26688");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/07/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1060a|20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1060a / 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1060a',
    'pkgs': [
      {'reference':'kernel-5.10.0-46.34', 'sp':'1060a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.34', 'sp':'1060a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.34', 'sp':'1060a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Oct 2025 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.15.5
EPSS0.00245
SSVC
2