Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987329)

🗓️ 07 Oct 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 3 Views

Security update fixes kernel scsi core bad pointer dereference when ehandler kthread is invalid.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(268444);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/15");

  script_cve_id("CVE-2021-47337");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987329)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-987329 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    scsi: core: Fix bad pointer dereference when ehandler kthread is invalid

    Commit 66a834d09293 (scsi: core: Fix error handling of scsi_host_alloc())
    changed the allocation logic to call put_device() to perform host cleanup
    with the assumption that IDA removal and stopping the kthread would
    properly be performed in scsi_host_dev_release(). However, in the unlikely
    case that the error handler thread fails to spawn, shost->ehandler is set
    to ERR_PTR(-ENOMEM).

    The error handler cleanup code in scsi_host_dev_release() will call
    kthread_stop() if shost->ehandler != NULL which will always be the case
    whether the kthread was successfully spawned or not. In the case that it
    failed to spawn this has the nasty side effect of trying to dereference an
    invalid pointer when kthread_stop() is called. The following splat provides
    an example of this behavior in the wild:

    scsi host11: error handler thread failed to spawn, error = -4
    Kernel attempted to read user page (10c) - exploit attempt? (uid: 0)
    BUG: Kernel NULL pointer dereference on read at 0x0000010c
    Faulting instruction address: 0xc00000000818e9a8
    Oops: Kernel access of bad area, sig: 11 [#1]
    LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
    Modules linked in: ibmvscsi(+) scsi_transport_srp dm_multipath dm_mirror dm_region
     hash dm_log dm_mod fuse overlay squashfs loop
    CPU: 12 PID: 274 Comm: systemd-udevd Not tainted 5.13.0-rc7 #1
    NIP:  c00000000818e9a8 LR: c0000000089846e8 CTR: 0000000000007ee8
    REGS: c000000037d12ea0 TRAP: 0300   Not tainted  (5.13.0-rc7)
    MSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 28228228
    XER: 20040001
    CFAR: c0000000089846e4 DAR: 000000000000010c DSISR: 40000000 IRQMASK: 0
    GPR00: c0000000089846e8 c000000037d13140 c000000009cc1100 fffffffffffffffc
    GPR04: 0000000000000001 0000000000000000 0000000000000000 c000000037dc0000
    GPR08: 0000000000000000 c000000037dc0000 0000000000000001 00000000fffff7ff
    GPR12: 0000000000008000 c00000000a049000 c000000037d13d00 000000011134d5a0
    GPR16: 0000000000001740 c0080000190d0000 c0080000190d1740 c000000009129288
    GPR20: c000000037d13bc0 0000000000000001 c000000037d13bc0 c0080000190b7898
    GPR24: c0080000190b7708 0000000000000000 c000000033bb2c48 0000000000000000
    GPR28: c000000046b28280 0000000000000000 000000000000010c fffffffffffffffc
    NIP [c00000000818e9a8] kthread_stop+0x38/0x230
    LR [c0000000089846e8] scsi_host_dev_release+0x98/0x160
    Call Trace:
    [c000000033bb2c48] 0xc000000033bb2c48 (unreliable)
    [c0000000089846e8] scsi_host_dev_release+0x98/0x160
    [c00000000891e960] device_release+0x60/0x100
    [c0000000087e55c4] kobject_release+0x84/0x210
    [c00000000891ec78] put_device+0x28/0x40
    [c000000008984ea4] scsi_host_alloc+0x314/0x430
    [c0080000190b38bc] ibmvscsi_probe+0x54/0xad0 [ibmvscsi]
    [c000000008110104] vio_bus_probe+0xa4/0x4b0
    [c00000000892a860] really_probe+0x140/0x680
    [c00000000892aefc] driver_probe_device+0x15c/0x200
    [c00000000892b63c] device_driver_attach+0xcc/0xe0
    [c00000000892b740] __driver_attach+0xf0/0x200
    [c000000008926f28] bus_for_each_dev+0xa8/0x130
    [c000000008929ce4] driver_attach+0x34/0x50
    [c000000008928fc0] bus_add_driver+0x1b0/0x300
    [c00000000892c798] driver_register+0x98/0x1a0
    [c00000000810eb60] __vio_register_driver+0x80/0xe0
    [c0080000190b4a30] ibmvscsi_module_init+0x9c/0xdc [ibmvscsi]
    [c0000000080121d0] do_one_initcall+0x60/0x2d0
    [c000000008261abc] do_init_module+0x7c/0x320
    [c000000008265700] load_module+0x2350/0x25b0
    [c000000008265cb4] __do_sys_finit_module+0xd4/0x160
    [c000000008031110] system_call_exception+0x150/0x2d0
    [c00000000800d35c] system_call_common+0xec/0x278

    Fix this be nulling shost->ehandler when the kthread fails to spawn.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-987329
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1f36bfc9");
  # https://lore.kernel.org/linux-cve-announce/2024052136-CVE-2021-47337-4863@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8078b78d");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2021-47337");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-47337");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/08/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/09/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-74.16', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.16', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.16', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Oct 2025 00:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.15.5
EPSS0.0024
SSVC
3