Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987398)

🗓️ 07 Oct 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com

Unity Linux 20.1070e kernel fix for jffs2 use after free in clear xattr subsystem.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(268432);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/15");

  script_cve_id("CVE-2021-47656");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987398)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-987398 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    jffs2: fix use-after-free in jffs2_clear_xattr_subsystem

    When we mount a jffs2 image, assume that the first few blocks of
    the image are normal and contain at least one xattr-related inode,
    but the next block is abnormal. As a result, an error is returned
    in jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then
    called in jffs2_build_filesystem() and then again in
    jffs2_do_fill_super().

    Finally we can observe the following report:
     ==================================================================
     BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac
     Read of size 8 at addr ffff8881243384e0 by task mount/719

     Call Trace:
      dump_stack+0x115/0x16b
      jffs2_clear_xattr_subsystem+0x95/0x6ac
      jffs2_do_fill_super+0x84f/0xc30
      jffs2_fill_super+0x2ea/0x4c0
      mtd_get_sb+0x254/0x400
      mtd_get_sb_by_nr+0x4f/0xd0
      get_tree_mtd+0x498/0x840
      jffs2_get_tree+0x25/0x30
      vfs_get_tree+0x8d/0x2e0
      path_mount+0x50f/0x1e50
      do_mount+0x107/0x130
      __se_sys_mount+0x1c5/0x2f0
      __x64_sys_mount+0xc7/0x160
      do_syscall_64+0x45/0x70
      entry_SYSCALL_64_after_hwframe+0x44/0xa9

     Allocated by task 719:
      kasan_save_stack+0x23/0x60
      __kasan_kmalloc.constprop.0+0x10b/0x120
      kasan_slab_alloc+0x12/0x20
      kmem_cache_alloc+0x1c0/0x870
      jffs2_alloc_xattr_ref+0x2f/0xa0
      jffs2_scan_medium.cold+0x3713/0x4794
      jffs2_do_mount_fs.cold+0xa7/0x2253
      jffs2_do_fill_super+0x383/0xc30
      jffs2_fill_super+0x2ea/0x4c0
     [...]

     Freed by task 719:
      kmem_cache_free+0xcc/0x7b0
      jffs2_free_xattr_ref+0x78/0x98
      jffs2_clear_xattr_subsystem+0xa1/0x6ac
      jffs2_do_mount_fs.cold+0x5e6/0x2253
      jffs2_do_fill_super+0x383/0xc30
      jffs2_fill_super+0x2ea/0x4c0
     [...]

     The buggy address belongs to the object at ffff8881243384b8
      which belongs to the cache jffs2_xattr_ref of size 48
     The buggy address is located 40 bytes inside of
      48-byte region [ffff8881243384b8, ffff8881243384e8)
     [...]
     ==================================================================

    The triggering of the BUG is shown in the following stack:
    -----------------------------------------------------------
    jffs2_fill_super
      jffs2_do_fill_super
        jffs2_do_mount_fs
          jffs2_build_filesystem
            jffs2_scan_medium
              jffs2_scan_eraseblock        <--- ERROR
            jffs2_clear_xattr_subsystem    <--- free
        jffs2_clear_xattr_subsystem        <--- free again
    -----------------------------------------------------------

    An error is returned in jffs2_do_mount_fs(). If the error is returned
    by jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to
    be executed. If the error is returned by jffs2_build_filesystem(), the
    jffs2_clear_xattr_subsystem() also does not need to be executed again.
    So move jffs2_clear_xattr_subsystem() from 'out_inohash' to 'out_root'
    to fix this UAF problem.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-987398
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?26b90f9a");
  # https://lore.kernel.org/linux-cve-announce/2025022650-CVE-2021-47656-0abd@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d5477e4e");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2021-47656");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:M/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-47656");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/02/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/09/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-74.16', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.16', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.16', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Oct 2025 00:00Current
5.7Medium risk
Vulners AI Score5.7
CVSS 3.17.8
EPSS0.00242
SSVC
0