Lucene search
K

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-989182)

🗓️ 05 Nov 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 3 Views

Unity Linux 20.1070a kernel fix UTSA-2025-989182 prevents reading mapcount for migration entry.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(272883);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/05");

  script_cve_id("CVE-2022-48802");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2025-989182)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-989182 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    fs/proc: task_mmu.c: don't read mapcount for migration entry

    The syzbot reported the below BUG:

      kernel BUG at include/linux/page-flags.h:785!
      invalid opcode: 0000 [#1] PREEMPT SMP KASAN
      CPU: 1 PID: 4392 Comm: syz-executor560 Not tainted 5.16.0-rc6-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:PageDoubleMap include/linux/page-flags.h:785 [inline]
      RIP: 0010:__page_mapcount+0x2d2/0x350 mm/util.c:744
      Call Trace:
        page_mapcount include/linux/mm.h:837 [inline]
        smaps_account+0x470/0xb10 fs/proc/task_mmu.c:466
        smaps_pte_entry fs/proc/task_mmu.c:538 [inline]
        smaps_pte_range+0x611/0x1250 fs/proc/task_mmu.c:601
        walk_pmd_range mm/pagewalk.c:128 [inline]
        walk_pud_range mm/pagewalk.c:205 [inline]
        walk_p4d_range mm/pagewalk.c:240 [inline]
        walk_pgd_range mm/pagewalk.c:277 [inline]
        __walk_page_range+0xe23/0x1ea0 mm/pagewalk.c:379
        walk_page_vma+0x277/0x350 mm/pagewalk.c:530
        smap_gather_stats.part.0+0x148/0x260 fs/proc/task_mmu.c:768
        smap_gather_stats fs/proc/task_mmu.c:741 [inline]
        show_smap+0xc6/0x440 fs/proc/task_mmu.c:822
        seq_read_iter+0xbb0/0x1240 fs/seq_file.c:272
        seq_read+0x3e0/0x5b0 fs/seq_file.c:162
        vfs_read+0x1b5/0x600 fs/read_write.c:479
        ksys_read+0x12d/0x250 fs/read_write.c:619
        do_syscall_x64 arch/x86/entry/common.c:50 [inline]
        do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
        entry_SYSCALL_64_after_hwframe+0x44/0xae

    The reproducer was trying to read /proc/$PID/smaps when calling
    MADV_FREE at the mean time.  MADV_FREE may split THPs if it is called
    for partial THP.  It may trigger the below race:

               CPU A                         CPU B
               -----                         -----
      smaps walk:                      MADV_FREE:
      page_mapcount()
        PageCompound()
                                       split_huge_page()
        page = compound_head(page)
        PageDoubleMap(page)

    When calling PageDoubleMap() this page is not a tail page of THP anymore
    so the BUG is triggered.

    This could be fixed by elevated refcount of the page before calling
    mapcount, but that would prevent it from counting migration entries, and
    it seems overkilling because the race just could happen when PMD is
    split so all PTE entries of tail pages are actually migration entries,
    and smaps_account() does treat migration entries as mapcount == 1 as
    Kirill pointed out.

    Add a new parameter for smaps_account() to tell this entry is migration
    entry then skip calling page_mapcount().  Don't skip getting mapcount
    for device private entries since they do track references with mapcount.

    Pagemap also has the similar issue although it was not reported.  Fixed
    it as well.

    [[email protected]: v4]
    [[email protected]: avoid unused variable warning in pagemap_pmd_range()]

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-989182
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b47af423");
  # https://lore.kernel.org/linux-cve-announce/2024071644-CVE-2022-48802-a19f@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9d2baec7");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-48802");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-48802");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/03/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

05 Nov 2025 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.15.5
EPSS0.00289
SSVC
3