Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987656)

🗓️ 21 Oct 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Unity Linux kernel security update fixes ubifs refcount on private pages to prevent a page migration bug.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(270920);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/21");

  script_cve_id("CVE-2021-47635");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987656)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-987656 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    ubifs: Fix to add refcount once page is set private

    MM defined the rule [1] very clearly that once page was set with PG_private
    flag, we should increment the refcount in that page, also main flows like
    pageout(), migrate_page() will assume there is one additional page
    reference count if page_has_private() returns true. Otherwise, we may
    get a BUG in page migration:

      page:0000000080d05b9d refcount:-1 mapcount:0 mapping:000000005f4d82a8
      index:0xe2 pfn:0x14c12
      aops:ubifs_file_address_operations [ubifs] ino:8f1 dentry name:f30e
      flags: 0x1fffff80002405(locked|uptodate|owner_priv_1|private|node=0|
      zone=1|lastcpupid=0x1fffff)
      page dumped because: VM_BUG_ON_PAGE(page_count(page) != 0)
      ------------[ cut here ]------------
      kernel BUG at include/linux/page_ref.h:184!
      invalid opcode: 0000 [#1] SMP
      CPU: 3 PID: 38 Comm: kcompactd0 Not tainted 5.15.0-rc5
      RIP: 0010:migrate_page_move_mapping+0xac3/0xe70
      Call Trace:
        ubifs_migrate_page+0x22/0xc0 [ubifs]
        move_to_new_page+0xb4/0x600
        migrate_pages+0x1523/0x1cc0
        compact_zone+0x8c5/0x14b0
        kcompactd+0x2bc/0x560
        kthread+0x18c/0x1e0
        ret_from_fork+0x1f/0x30

    Before the time, we should make clean a concept, what does refcount means
    in page gotten from grab_cache_page_write_begin(). There are 2 situations:
    Situation 1: refcount is 3, page is created by __page_cache_alloc.
      TYPE_A - the write process is using this page
      TYPE_B - page is assigned to one certain mapping by calling
               __add_to_page_cache_locked()
      TYPE_C - page is added into pagevec list corresponding current cpu by
               calling lru_cache_add()
    Situation 2: refcount is 2, page is gotten from the mapping's tree
      TYPE_B - page has been assigned to one certain mapping
      TYPE_A - the write process is using this page (by calling
               page_cache_get_speculative())
    Filesystem releases one refcount by calling put_page() in xxx_write_end(),
    the released refcount corresponds to TYPE_A (write task is using it). If
    there are any processes using a page, page migration process will skip the
    page by judging whether expected_page_refs() equals to page refcount.

    The BUG is caused by following process:
        PA(cpu 0)                           kcompactd(cpu 1)
                                    compact_zone
    ubifs_write_begin
      page_a = grab_cache_page_write_begin
        add_to_page_cache_lru
          lru_cache_add
            pagevec_add // put page into cpu 0's pagevec
      (refcnf = 3, for page creation process)
    ubifs_write_end
      SetPagePrivate(page_a) // doesn't increase page count !
      unlock_page(page_a)
      put_page(page_a)  // refcnt = 2
                                    [...]

        PB(cpu 0)
    filemap_read
      filemap_get_pages
        add_to_page_cache_lru
          lru_cache_add
            __pagevec_lru_add // traverse all pages in cpu 0's pagevec
              __pagevec_lru_add_fn
                SetPageLRU(page_a)
                                    isolate_migratepages
                                      isolate_migratepages_block
                                        get_page_unless_zero(page_a)
                                        // refcnt = 3
                                          list_add(page_a, from_list)
                                    migrate_pages(from_list)
                                      __unmap_and_move
                                        move_to_new_page
                                          ubifs_migrate_page(page_a)
                                            migrate_page_move_mapping
                                              expected_page_refs get 3
                                      (migration[1] + mapping[1] + private[1])
             release_pages
               put_page_testzero(page_a) // refcnt = 3
                                              page_ref_freeze  // refcnt = 0
                 page_ref_dec_and_test(0 - 1 = -1)
                                              page_ref_unfreeze
                                                VM_BUG_ON_PAGE(-1 != 0, page)

    UBIFS doesn't increase the page refcount after setting private flag, which
    leads to page migration task believes the page is not used by any other
    processes, so the page is migrated. This causes concurrent accessing on
    page refcount between put_page() called by other process(eg. read process
    calls lru_cache_add) and page_ref_unfreeze() called by mi
    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-987656
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4a7176d6");
  # https://lore.kernel.org/linux-cve-announce/2025022646-CVE-2021-47635-8c4f@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e6473998");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2021-47635");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-47635");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/02/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/10/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-74.15', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.15', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.15', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

21 Oct 2025 00:00Current
5.6Medium risk
Vulners AI Score5.6
CVSS 3.15.5
EPSS0.00231
2