Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987709)

🗓️ 21 Oct 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Unity Linux 20.1070e security update fixes an ext4 race condition between write and convert_inline_data in the kernel.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(270905);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/21");

  script_cve_id("CVE-2022-49414");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987709)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-987709 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    ext4: fix race condition between ext4_write and ext4_convert_inline_data

    Hulk Robot reported a BUG_ON:
     ==================================================================
     EXT4-fs error (device loop3): ext4_mb_generate_buddy:805: group 0,
     block bitmap and bg descriptor inconsistent: 25 vs 31513 free clusters
     kernel BUG at fs/ext4/ext4_jbd2.c:53!
     invalid opcode: 0000 [#1] SMP KASAN PTI
     CPU: 0 PID: 25371 Comm: syz-executor.3 Not tainted 5.10.0+ #1
     RIP: 0010:ext4_put_nojournal fs/ext4/ext4_jbd2.c:53 [inline]
     RIP: 0010:__ext4_journal_stop+0x10e/0x110 fs/ext4/ext4_jbd2.c:116
     [...]
     Call Trace:
      ext4_write_inline_data_end+0x59a/0x730 fs/ext4/inline.c:795
      generic_perform_write+0x279/0x3c0 mm/filemap.c:3344
      ext4_buffered_write_iter+0x2e3/0x3d0 fs/ext4/file.c:270
      ext4_file_write_iter+0x30a/0x11c0 fs/ext4/file.c:520
      do_iter_readv_writev+0x339/0x3c0 fs/read_write.c:732
      do_iter_write+0x107/0x430 fs/read_write.c:861
      vfs_writev fs/read_write.c:934 [inline]
      do_pwritev+0x1e5/0x380 fs/read_write.c:1031
     [...]
     ==================================================================

    Above issue may happen as follows:
               cpu1                     cpu2
    __________________________|__________________________
    do_pwritev
     vfs_writev
      do_iter_write
       ext4_file_write_iter
        ext4_buffered_write_iter
         generic_perform_write
          ext4_da_write_begin
                               vfs_fallocate
                                ext4_fallocate
                                 ext4_convert_inline_data
                                  ext4_convert_inline_data_nolock
                                   ext4_destroy_inline_data_nolock
                                    clear EXT4_STATE_MAY_INLINE_DATA
                                   ext4_map_blocks
                                    ext4_ext_map_blocks
                                     ext4_mb_new_blocks
                                      ext4_mb_regular_allocator
                                       ext4_mb_good_group_nolock
                                        ext4_mb_init_group
                                         ext4_mb_init_cache
                                          ext4_mb_generate_buddy  --> error
           ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)
                                    ext4_restore_inline_data
                                     set EXT4_STATE_MAY_INLINE_DATA
           ext4_block_write_begin
          ext4_da_write_end
           ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)
           ext4_write_inline_data_end
            handle=NULL
            ext4_journal_stop(handle)
             __ext4_journal_stop
              ext4_put_nojournal(handle)
               ref_cnt = (unsigned long)handle
               BUG_ON(ref_cnt == 0)  ---> BUG_ON

    The lock held by ext4_convert_inline_data is xattr_sem, but the lock
    held by generic_perform_write is i_rwsem. Therefore, the two locks can
    be concurrent.

    To solve above issue, we add inode_lock() for ext4_convert_inline_data().
    At the same time, move ext4_convert_inline_data() in front of
    ext4_punch_hole(), remove similar handling from ext4_punch_hole().

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-987709
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?89efdd3d");
  # https://lore.kernel.org/linux-cve-announce/2025022653-CVE-2022-49414-5693@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c08e92e8");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-49414");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-49414");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/02/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/10/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-74.15', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.15', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.15', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

21 Oct 2025 00:00Current
5.7Medium risk
Vulners AI Score5.7
CVSS 3.14.7
EPSS0.00184
SSVC
2