Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-986476)

🗓️ 07 Oct 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Unity Linux 20 security update fixes nilfs2 NULL pointer dereference in nilfs_palloc_commit_free_entry.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(268271);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/15");

  script_cve_id("CVE-2022-49007");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-986476)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-986476 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()

    Syzbot reported a null-ptr-deref bug:

     NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP
     frequency < 30 seconds
     general protection fault, probably for non-canonical address
     0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
     KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
     CPU: 1 PID: 3603 Comm: segctord Not tainted
     6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
     Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google
     10/11/2022
     RIP: 0010:nilfs_palloc_commit_free_entry+0xe5/0x6b0
     fs/nilfs2/alloc.c:608
     Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00
     00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 <80> 3c 02
     00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7
     RSP: 0018:ffffc90003dff830 EFLAGS: 00010212
     RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d
     RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010
     RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f
     R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158
     R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004
     FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000)
     knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0
     Call Trace:
      <TASK>
      nilfs_dat_commit_free fs/nilfs2/dat.c:114 [inline]
      nilfs_dat_commit_end+0x464/0x5f0 fs/nilfs2/dat.c:193
      nilfs_dat_commit_update+0x26/0x40 fs/nilfs2/dat.c:236
      nilfs_btree_commit_update_v+0x87/0x4a0 fs/nilfs2/btree.c:1940
      nilfs_btree_commit_propagate_v fs/nilfs2/btree.c:2016 [inline]
      nilfs_btree_propagate_v fs/nilfs2/btree.c:2046 [inline]
      nilfs_btree_propagate+0xa00/0xd60 fs/nilfs2/btree.c:2088
      nilfs_bmap_propagate+0x73/0x170 fs/nilfs2/bmap.c:337
      nilfs_collect_file_data+0x45/0xd0 fs/nilfs2/segment.c:568
      nilfs_segctor_apply_buffers+0x14a/0x470 fs/nilfs2/segment.c:1018
      nilfs_segctor_scan_file+0x3f4/0x6f0 fs/nilfs2/segment.c:1067
      nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline]
      nilfs_segctor_collect fs/nilfs2/segment.c:1503 [inline]
      nilfs_segctor_do_construct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045
      nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2379
      nilfs_segctor_thread_construct fs/nilfs2/segment.c:2487 [inline]
      nilfs_segctor_thread+0x3c3/0xf30 fs/nilfs2/segment.c:2570
      kthread+0x2e4/0x3a0 kernel/kthread.c:376
      ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
      </TASK>
     ...

    If DAT metadata file is corrupted on disk, there is a case where
    req->pr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during
    a b-tree operation that cascadingly updates ancestor nodes of the b-tree,
    because nilfs_dat_commit_alloc() for a lower level block can initialize
    the blocknr on the same DAT entry between nilfs_dat_prepare_end() and
    nilfs_dat_commit_end().

    If this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free()
    without valid buffer heads in req->pr_desc_bh and req->pr_bitmap_bh, and
    causes the NULL pointer dereference above in
    nilfs_palloc_commit_free_entry() function, which leads to a crash.

    Fix this by adding a NULL check on req->pr_desc_bh and req->pr_bitmap_bh
    before nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free().

    This also calls nilfs_error() in that case to notify that there is a fatal
    flaw in the filesystem metadata and prevent further operations.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-986476
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5c2f2ad2");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-49007");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-49007");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/12/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/09/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-4.19.90-2403.3.0.0270.103.002', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2403.3.0.0270.103.002', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2403.3.0.0270.103.002', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Oct 2025 00:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.15.5
EPSS0.00247
SSVC
2