Lucene search
K

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-989237)

🗓️ 05 Nov 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 8 Views

Kernel update fixes use-after-free in dynamic ftrace operations.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(274002);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/05");

  script_cve_id("CVE-2022-49892");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2025-989237)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-989237 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    ftrace: Fix use-after-free for dynamic ftrace_ops

    KASAN reported a use-after-free with ftrace ops [1]. It was found from
    vmcore that perf had registered two ops with the same content
    successively, both dynamic. After unregistering the second ops, a
    use-after-free occurred.

    In ftrace_shutdown(), when the second ops is unregistered, the
    FTRACE_UPDATE_CALLS command is not set because there is another enabled
    ops with the same content.  Also, both ops are dynamic and the ftrace
    callback function is ftrace_ops_list_func, so the
    FTRACE_UPDATE_TRACE_FUNC command will not be set. Eventually the value
    of 'command' will be 0 and ftrace_shutdown() will skip the rcu
    synchronization.

    However, ftrace may be activated. When the ops is released, another CPU
    may be accessing the ops.  Add the missing synchronization to fix this
    problem.

    [1]
    BUG: KASAN: use-after-free in __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]
    BUG: KASAN: use-after-free in ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049
    Read of size 8 at addr ffff56551965bbc8 by task syz-executor.2/14468

    CPU: 1 PID: 14468 Comm: syz-executor.2 Not tainted 5.10.0 #7
    Hardware name: linux,dummy-virt (DT)
    Call trace:
     dump_backtrace+0x0/0x40c arch/arm64/kernel/stacktrace.c:132
     show_stack+0x30/0x40 arch/arm64/kernel/stacktrace.c:196
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x1b4/0x248 lib/dump_stack.c:118
     print_address_description.constprop.0+0x28/0x48c mm/kasan/report.c:387
     __kasan_report mm/kasan/report.c:547 [inline]
     kasan_report+0x118/0x210 mm/kasan/report.c:564
     check_memory_region_inline mm/kasan/generic.c:187 [inline]
     __asan_load8+0x98/0xc0 mm/kasan/generic.c:253
     __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]
     ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049
     ftrace_graph_call+0x0/0x4
     __might_sleep+0x8/0x100 include/linux/perf_event.h:1170
     __might_fault mm/memory.c:5183 [inline]
     __might_fault+0x58/0x70 mm/memory.c:5171
     do_strncpy_from_user lib/strncpy_from_user.c:41 [inline]
     strncpy_from_user+0x1f4/0x4b0 lib/strncpy_from_user.c:139
     getname_flags+0xb0/0x31c fs/namei.c:149
     getname+0x2c/0x40 fs/namei.c:209
     [...]

    Allocated by task 14445:
     kasan_save_stack+0x24/0x50 mm/kasan/common.c:48
     kasan_set_track mm/kasan/common.c:56 [inline]
     __kasan_kmalloc mm/kasan/common.c:479 [inline]
     __kasan_kmalloc.constprop.0+0x110/0x13c mm/kasan/common.c:449
     kasan_kmalloc+0xc/0x14 mm/kasan/common.c:493
     kmem_cache_alloc_trace+0x440/0x924 mm/slub.c:2950
     kmalloc include/linux/slab.h:563 [inline]
     kzalloc include/linux/slab.h:675 [inline]
     perf_event_alloc.part.0+0xb4/0x1350 kernel/events/core.c:11230
     perf_event_alloc kernel/events/core.c:11733 [inline]
     __do_sys_perf_event_open kernel/events/core.c:11831 [inline]
     __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723
     __arm64_sys_perf_event_open+0x6c/0x80 kernel/events/core.c:11723
     [...]

    Freed by task 14445:
     kasan_save_stack+0x24/0x50 mm/kasan/common.c:48
     kasan_set_track+0x24/0x34 mm/kasan/common.c:56
     kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:358
     __kasan_slab_free.part.0+0x11c/0x1b0 mm/kasan/common.c:437
     __kasan_slab_free mm/kasan/common.c:445 [inline]
     kasan_slab_free+0x2c/0x40 mm/kasan/common.c:446
     slab_free_hook mm/slub.c:1569 [inline]
     slab_free_freelist_hook mm/slub.c:1608 [inline]
     slab_free mm/slub.c:3179 [inline]
     kfree+0x12c/0xc10 mm/slub.c:4176
     perf_event_alloc.part.0+0xa0c/0x1350 kernel/events/core.c:11434
     perf_event_alloc kernel/events/core.c:11733 [inline]
     __do_sys_perf_event_open kernel/events/core.c:11831 [inline]
     __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723
     [...]

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-989237
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fa5e5c09");
  # https://lore.kernel.org/linux-cve-announce/2025050158-CVE-2022-49892-2393@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7fe8a5c7");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-49892");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-49892");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/12/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

05 Nov 2025 00:00Current
6Medium risk
Vulners AI Score6
CVSS 3.17.8
EPSS0.00188
8