Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-986676)

🗓️ 07 Oct 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Linux kernel taprio offload may crash if never enabled; fix under security advisory.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(268219);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/15");

  script_cve_id("CVE-2022-48644");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-986676)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-986676 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    net/sched: taprio: avoid disabling offload when it was never enabled

    In an incredibly strange API design decision, qdisc->destroy() gets
    called even if qdisc->init() never succeeded, not exclusively since
    commit 87b60cfacf9f (net_sched: fix error recovery at qdisc creation),
    but apparently also earlier (in the case of qdisc_create_dflt()).

    The taprio qdisc does not fully acknowledge this when it attempts full
    offload, because it starts off with q->flags = TAPRIO_FLAGS_INVALID in
    taprio_init(), then it replaces q->flags with TCA_TAPRIO_ATTR_FLAGS
    parsed from netlink (in taprio_change(), tail called from taprio_init()).

    But in taprio_destroy(), we call taprio_disable_offload(), and this
    determines what to do based on FULL_OFFLOAD_IS_ENABLED(q->flags).

    But looking at the implementation of FULL_OFFLOAD_IS_ENABLED()
    (a bitwise check of bit 1 in q->flags), it is invalid to call this macro
    on q->flags when it contains TAPRIO_FLAGS_INVALID, because that is set
    to U32_MAX, and therefore FULL_OFFLOAD_IS_ENABLED() will return true on
    an invalid set of flags.

    As a result, it is possible to crash the kernel if user space forces an
    error between setting q->flags = TAPRIO_FLAGS_INVALID, and the calling
    of taprio_enable_offload(). This is because drivers do not expect the
    offload to be disabled when it was never enabled.

    The error that we force here is to attach taprio as a non-root qdisc,
    but instead as child of an mqprio root qdisc:

    $ tc qdisc add dev swp0 root handle 1: \
            mqprio num_tc 8 map 0 1 2 3 4 5 6 7 \
            queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0
    $ tc qdisc replace dev swp0 parent 1:1 \
            taprio num_tc 8 map 0 1 2 3 4 5 6 7 \
            queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \
            sched-entry S 0x7f 990000 sched-entry S 0x80 100000 \
            flags 0x0 clockid CLOCK_TAI
    Unable to handle kernel paging request at virtual address fffffffffffffff8
    [fffffffffffffff8] pgd=0000000000000000, p4d=0000000000000000
    Internal error: Oops: 96000004 [#1] PREEMPT SMP
    Call trace:
     taprio_dump+0x27c/0x310
     vsc9959_port_setup_tc+0x1f4/0x460
     felix_port_setup_tc+0x24/0x3c
     dsa_slave_setup_tc+0x54/0x27c
     taprio_disable_offload.isra.0+0x58/0xe0
     taprio_destroy+0x80/0x104
     qdisc_create+0x240/0x470
     tc_modify_qdisc+0x1fc/0x6b0
     rtnetlink_rcv_msg+0x12c/0x390
     netlink_rcv_skb+0x5c/0x130
     rtnetlink_rcv+0x1c/0x2c

    Fix this by keeping track of the operations we made, and undo the
    offload only if we actually did it.

    I've added bool offloaded inside a 4 byte hole between int clockid
    and atomic64_t picos_per_byte. Now the first cache line looks like
    below:

    $ pahole -C taprio_sched net/sched/sch_taprio.o
    struct taprio_sched {
            struct Qdisc * *           qdiscs;               /*     0     8 */
            struct Qdisc *             root;                 /*     8     8 */
            u32                        flags;                /*    16     4 */
            enum tk_offsets            tk_offset;            /*    20     4 */
            int                        clockid;              /*    24     4 */
            bool                       offloaded;            /*    28     1 */

            /* XXX 3 bytes hole, try to pack */

            atomic64_t                 picos_per_byte;       /*    32     0 */

            /* XXX 8 bytes hole, try to pack */

            spinlock_t                 current_entry_lock;   /*    40     0 */

            /* XXX 8 bytes hole, try to pack */

            struct sched_entry *       current_entry;        /*    48     8 */
            struct sched_gate_list *   oper_sched;           /*    56     8 */
            /* --- cacheline 1 boundary (64 bytes) --- */

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-986676
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2924c965");
  # https://lore.kernel.org/linux-cve-announce/2024042856-CVE-2022-48644-757e@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?586f1fe8");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-48644");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-48644");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/09/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-74.16', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.16', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.16', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Oct 2025 00:00Current
6Medium risk
Vulners AI Score6
CVSS 3.15.5
EPSS0.00232
SSVC
2