Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-989339)

🗓️ 05 Nov 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 5 Views

Unity Linux kernel fix for arm architecture ftrace PLT handling to prevent internal errors and possible kernel panic.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(273481);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/05");

  script_cve_id("CVE-2022-49721");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-989339)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-989339 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    arm64: ftrace: consistently handle PLTs.

    Sometimes it is necessary to use a PLT entry to call an ftrace
    trampoline. This is handled by ftrace_make_call() and ftrace_make_nop(),
    with each having *almost* identical logic, but this is not handled by
    ftrace_modify_call() since its introduction in commit:

      3b23e4991fb66f6d (arm64: implement ftrace with regs)

    Due to this, if we ever were to call ftrace_modify_call() for a callsite
    which requires a PLT entry for a trampoline, then either:

    a) If the old addr requires a trampoline, ftrace_modify_call() will use
       an out-of-range address to generate the 'old' branch instruction.
       This will result in warnings from aarch64_insn_gen_branch_imm() and
       ftrace_modify_code(), and no instructions will be modified. As
       ftrace_modify_call() will return an error, this will result in
       subsequent internal ftrace errors.

    b) If the old addr does not require a trampoline, but the new addr does,
       ftrace_modify_call() will use an out-of-range address to generate the
       'new' branch instruction. This will result in warnings from
       aarch64_insn_gen_branch_imm(), and ftrace_modify_code() will replace
       the 'old' branch with a BRK. This will result in a kernel panic when
       this BRK is later executed.

    Practically speaking, case (a) is vastly more likely than case (b), and
    typically this will result in internal ftrace errors that don't
    necessarily affect the rest of the system. This can be demonstrated with
    an out-of-tree test module which triggers ftrace_modify_call(), e.g.

    | # insmod test_ftrace.ko
    | test_ftrace: Function test_function raw=0xffffb3749399201c, callsite=0xffffb37493992024
    | branch_imm_common: offset out of range
    | branch_imm_common: offset out of range
    | ------------[ ftrace bug ]------------
    | ftrace failed to modify
    | [<ffffb37493992024>] test_function+0x8/0x38 [test_ftrace]
    |  actual:   1d:00:00:94
    | Updating ftrace call site to call a different ftrace function
    | ftrace record flags: e0000002
    |  (2) R
    |  expected tramp: ffffb374ae42ed54
    | ------------[ cut here ]------------
    | WARNING: CPU: 0 PID: 165 at kernel/trace/ftrace.c:2085 ftrace_bug+0x280/0x2b0
    | Modules linked in: test_ftrace(+)
    | CPU: 0 PID: 165 Comm: insmod Not tainted 5.19.0-rc2-00002-g4d9ead8b45ce #13
    | Hardware name: linux,dummy-virt (DT)
    | pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    | pc : ftrace_bug+0x280/0x2b0
    | lr : ftrace_bug+0x280/0x2b0
    | sp : ffff80000839ba00
    | x29: ffff80000839ba00 x28: 0000000000000000 x27: ffff80000839bcf0
    | x26: ffffb37493994180 x25: ffffb374b0991c28 x24: ffffb374b0d70000
    | x23: 00000000ffffffea x22: ffffb374afcc33b0 x21: ffffb374b08f9cc8
    | x20: ffff572b8462c000 x19: ffffb374b08f9000 x18: ffffffffffffffff
    | x17: 6c6c6163202c6331 x16: ffffb374ae5ad110 x15: ffffb374b0d51ee4
    | x14: 0000000000000000 x13: 3435646532346561 x12: 3437336266666666
    | x11: 203a706d61727420 x10: 6465746365707865 x9 : ffffb374ae5149e8
    | x8 : 336266666666203a x7 : 706d617274206465 x6 : 00000000fffff167
    | x5 : ffff572bffbc4a08 x4 : 00000000fffff167 x3 : 0000000000000000
    | x2 : 0000000000000000 x1 : ffff572b84461e00 x0 : 0000000000000022
    | Call trace:
    |  ftrace_bug+0x280/0x2b0
    |  ftrace_replace_code+0x98/0xa0
    |  ftrace_modify_all_code+0xe0/0x144
    |  arch_ftrace_update_code+0x14/0x20
    |  ftrace_startup+0xf8/0x1b0
    |  register_ftrace_function+0x38/0x90
    |  test_ftrace_init+0xd0/0x1000 [test_ftrace]
    |  do_one_initcall+0x50/0x2b0
    |  do_init_module+0x50/0x1f0
    |  load_module+0x17c8/0x1d64
    |  __do_sys_finit_module+0xa8/0x100
    |  __arm64_sys_finit_module+0x2c/0x3c
    |  invoke_syscall+0x50/0x120
    |  el0_svc_common.constprop.0+0xdc/0x100
    |  do_el0_svc+0x3c/0xd0
    |  el0_svc+0x34/0xb0
    |  el0t_64_sync_handler+0xbc/0x140
    |  el0t_64_sync+0x18c/0x190
    | ---[ end trace 0000000000000000 ]---

    We can solve this by consistently determining whether to use a PLT entry
    for an address.

    Note that since (the earlier) commit:

      f1a54ae9
    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-989339
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?222f30d8");
  # https://lore.kernel.org/linux-cve-announce/2025022632-CVE-2022-49721-b74f@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?538555c7");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-49721");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-49721");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/07/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

05 Nov 2025 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.15.5
EPSS0.00252
5