Unity Linux 20.1070a Security Update: kernel (UTSA-2025-989239)

🗓️ 05 Nov 2025 00:00:00Reported by TenableType

Kernel fix for global out-of-bounds in tmc_update_etf_buffer due to barrier_pkt size check.

Reporter	Title	Published	Views	Family All 16
AstraLinux	Astra Linux – Vulnerability in Linux, Linux 5.10	3 May 202623:59	–	astralinux
Circl	CVE-2021-47346	8 Mar 202504:34	–	circl
CNNVD	Linux kernel 安全漏洞	21 May 202400:00	–	cnnvd
CVE	CVE-2021-47346	21 May 202414:35	–	cve
Cvelist	CVE-2021-47346 coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()	21 May 202414:35	–	cvelist
Debian CVE	CVE-2021-47346	21 May 202414:35	–	debiancve
NVD	CVE-2021-47346	21 May 202415:15	–	nvd
OSV	DEBIAN-CVE-2021-47346	21 May 202415:15	–	osv
OSV	OESA-2024-1767 kernel security update	28 Jun 202411:08	–	osv
OSV	UBUNTU-CVE-2021-47346	21 May 202415:15	–	osv

Source	Link
nessus	www.nessus.org/u
nessus	www.nessus.org/u
nvd	www.nvd.nist.gov/vuln/detail/CVE-2021-47346
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(273820);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/05");

  script_cve_id("CVE-2021-47346");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2025-989239)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-989239 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()

    commit 6f755e85c332 (coresight: Add helper for inserting synchronization
    packets) removed trailing '\0' from barrier_pkt array and updated the
    call sites like etb_update_buffer() to have proper checks for barrier_pkt
    size before read but missed updating tmc_update_etf_buffer() which still
    reads barrier_pkt past the array size resulting in KASAN out-of-bounds
    bug. Fix this by adding a check for barrier_pkt size before accessing
    like it is done in etb_update_buffer().

     BUG: KASAN: global-out-of-bounds in tmc_update_etf_buffer+0x4b8/0x698
     Read of size 4 at addr ffffffd05b7d1030 by task perf/2629

     Call trace:
      dump_backtrace+0x0/0x27c
      show_stack+0x20/0x2c
      dump_stack+0x11c/0x188
      print_address_description+0x3c/0x4a4
      __kasan_report+0x140/0x164
      kasan_report+0x10/0x18
      __asan_report_load4_noabort+0x1c/0x24
      tmc_update_etf_buffer+0x4b8/0x698
      etm_event_stop+0x248/0x2d8
      etm_event_del+0x20/0x2c
      event_sched_out+0x214/0x6f0
      group_sched_out+0xd0/0x270
      ctx_sched_out+0x2ec/0x518
      __perf_event_task_sched_out+0x4fc/0xe6c
      __schedule+0x1094/0x16a0
      preempt_schedule_irq+0x88/0x170
      arm64_preempt_schedule_irq+0xf0/0x18c
      el1_irq+0xe8/0x180
      perf_event_exec+0x4d8/0x56c
      setup_new_exec+0x204/0x400
      load_elf_binary+0x72c/0x18c0
      search_binary_handler+0x13c/0x420
      load_script+0x500/0x6c4
      search_binary_handler+0x13c/0x420
      exec_binprm+0x118/0x654
      __do_execve_file+0x77c/0xba4
      __arm64_compat_sys_execve+0x98/0xac
      el0_svc_common+0x1f8/0x5e0
      el0_svc_compat_handler+0x84/0xb0
      el0_svc_compat+0x10/0x50

     The buggy address belongs to the variable:
      barrier_pkt+0x10/0x40

     Memory state around the buggy address:
      ffffffd05b7d0f00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
      ffffffd05b7d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     >ffffffd05b7d1000: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 03
                                          ^
      ffffffd05b7d1080: fa fa fa fa 00 02 fa fa fa fa fa fa 03 fa fa fa
      ffffffd05b7d1100: fa fa fa fa 00 00 00 00 05 fa fa fa fa fa fa fa
     ==================================================================

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-989239
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4e92c6d4");
  # https://lore.kernel.org/linux-cve-announce/2024052139-CVE-2021-47346-dcfa@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?57a6c62e");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2021-47346");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-47346");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/05/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

05 Nov 2025 00:00Current

6.2Medium risk

Vulners AI Score6.2

CVSS 3.17.1

EPSS0.00249

SSVC