
Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987663)

21 Oct 2025 00:00:00 · Reported by Tenable · Type: nessus · Source: www.tenable.com

Kernel fix for virt_addr_valid on 64-bit PowerPC Book3E to prevent vmalloc address misuse.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

# Description mode: register the plugin's metadata (ID, CVE, advisory text,
# references, CVSS vectors, dates, dependencies) and exit without running
# the package check that follows this block.
if (description)
{
  script_id(270895);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/21");

  script_cve_id("CVE-2022-49067");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987663)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  # Advisory text. The quoted kernel changelog concerns virt_addr_valid() on
  # powerpc (64-bit Book3E and 32-bit); the closing note states that detection
  # relies only on the self-reported version, not on testing for the issue.
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-987663 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit

    mpe: On 64-bit Book3E vmalloc space starts at 0x8000000000000000.

    Because of the way __pa() works we have:
      __pa(0x8000000000000000) == 0, and therefore
      virt_to_pfn(0x8000000000000000) == 0, and therefore
      virt_addr_valid(0x8000000000000000) == true

    Which is wrong, virt_addr_valid() should be false for vmalloc space.
    In fact all vmalloc addresses that alias with a valid PFN will return
    true from virt_addr_valid(). That can cause bugs with hardened usercopy
    as described below by Kefeng Wang:

      When running ethtool eth0 on 64-bit Book3E, a BUG occurred:

        usercopy: Kernel memory exposure attempt detected from SLUB object not in SLUB page?! (offset 0, size
    1048)!
        kernel BUG at mm/usercopy.c:99
        ...
        usercopy_abort+0x64/0xa0 (unreliable)
        __check_heap_object+0x168/0x190
        __check_object_size+0x1a0/0x200
        dev_ethtool+0x2494/0x2b20
        dev_ioctl+0x5d0/0x770
        sock_do_ioctl+0xf0/0x1d0
        sock_ioctl+0x3ec/0x5a0
        __se_sys_ioctl+0xf0/0x160
        system_call_exception+0xfc/0x1f0
        system_call_common+0xf8/0x200

      The code shows below,

        data = vzalloc(array_size(gstrings.len, ETH_GSTRING_LEN));
        copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN))

      The data is alloced by vmalloc(), virt_addr_valid(ptr) will return true
      on 64-bit Book3E, which leads to the panic.

      As commit 4dd7554a6456 (powerpc/64: Add VIRTUAL_BUG_ON checks for __va
      and __pa addresses) does, make sure the virt addr above PAGE_OFFSET in
      the virt_addr_valid() for 64-bit, also add upper limit check to make
      sure the virt is below high_memory.

      Meanwhile, for 32-bit PAGE_OFFSET is the virtual address of the start
      of lowmem, high_memory is the upper low virtual address, the check is
      suitable for 32-bit, this will fix the issue mentioned in commit
      602946ec2f90 (powerpc: Set max_mapnr correctly) too.

    On 32-bit there is a similar problem with high memory, that was fixed in
    commit 602946ec2f90 (powerpc: Set max_mapnr correctly), but that
    commit breaks highmem and needs to be reverted.

    We can't easily fix __pa(), we have code that relies on its current
    behaviour. So for now add extra checks to virt_addr_valid().

    For 64-bit Book3S the extra checks are not necessary, the combination of
    virt_to_pfn() and pfn_valid() should yield the correct result, but they
    are harmless.

    [mpe: Add additional change log detail]

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # References: the vendor advisory and the kernel CVE announcement (each
  # behind a nessus.org short link, original URL in the comment above it),
  # plus the NVD entry.
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-987663
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d71b19bc");
  # https://lore.kernel.org/linux-cve-announce/2025022654-CVE-2022-49067-94d7@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6cf21d78");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-49067");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  # CVSS vectors as recorded for the CVE: local access, low privileges
  # (single authentication in v2), no confidentiality or integrity impact,
  # complete (v2) / high (v3) availability impact.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-49067");

  # Exploit metadata as recorded by the plugin: no known exploit available.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Timeline: vulnerability publication, vendor patch and plugin release dates.
  script_set_attribute(attribute:"vuln_publication_date", value:"2025/02/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/10/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/21");

  # Declared as a local check; the KB keys it needs are listed in
  # script_require_keys() further down in this block.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Depends on ssh_get_info2.nasl and requires these KB keys to be set:
  # local checks enabled, the UOS Server release and rpm list, and the host CPU.
  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  # End of description mode: the script stops here.
  exit(0);
}
include('rpm2.inc');

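# Pre-flight checks: every failed precondition ends in an audit() call with
# the matching audit code, so the package comparison further down is only
# reached for a UOS Server 20.1070e host with a collected rpm list and a
# supported CPU architecture.
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# The product and version come from the OS data stored in the KB for the SSH
# local-detection entry.
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
# The dot is escaped so that only the literal version prefix "20.1070e" is
# accepted; unescaped, '.' matches any single character in that position.
# The trailing group rejects longer numeric versions such as "20.1070e1".
if (! preg(pattern:"^20\.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only aarch64 / amd64 / x86_64 hosts are evaluated.
# NOTE(review): the advisory text quoted in this plugin's description concerns
# powerpc (64-bit Book3E and 32-bit) code. On the architectures accepted here
# a finding reflects the installed kernel package version, not a confirmed
# reachable code path - confirm applicability during triage.
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);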


# Affected-package table: one entry per release / service pack, each listing
# the package references handed to rpm_check() for every supported CPU.
# NOTE(review): 'kernel-5.10.0-74.15' is presumably the fixed package version
# that installed kernels are compared against - confirm against the advisory.
var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-74.15', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.15', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.15', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

# Release and minor release (service pack) of the scanned host, read from the KB.
var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

# flag counts the package entries for which rpm_check() returned true.
var flag = 0;
# Per-package working variables, reset at the start of every inner iteration.
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  # Same for the service pack: skip constraints for a different minor release.
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    # Clear every field first so a value set by the previous package entry
    # cannot leak into this one when the key is absent.
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    # Copy over only the keys this package entry actually defines.
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    # Count the entry when it has a reference, any exists_check package is
    # installed, and rpm_check() returns true for the reference.
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


# Final verdict. With no flagged package, audit with either "not affected"
# (some package was tested) or "not installed" (nothing was tested).
# Otherwise report the finding at warning severity, attaching the rpm report
# text as the plugin output.
if (!flag)
{
  var tested = pkg_tests_get();
  if (tested)
    audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else
    audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}
else
{
  security_report_v4(port:0, severity:SECURITY_WARNING, extra:rpm_report_get());
  exit(0);
}


21 Oct 2025 00:00 (Current)
5.3 (Medium risk)
Vulners AI Score: 5.3
CVSS 3.1: 5.5
EPSS: 0.00247
3