Unity Linux 20.1070a Security Update: kernel (UTSA-2025-989751)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(272768);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/05");

  script_cve_id("CVE-2021-47634");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2025-989751)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-989751 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl

    Hulk Robot reported a KASAN report about use-after-free:
     ==================================================================
     BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160
     Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385
     [...]
     Call Trace:
      klist_dec_and_del+0xa7/0x4a0
      klist_put+0xc7/0x1a0
      device_del+0x4d4/0xed0
      cdev_device_del+0x1a/0x80
      ubi_attach_mtd_dev+0x2951/0x34b0 [ubi]
      ctrl_cdev_ioctl+0x286/0x2f0 [ubi]

     Allocated by task 1414:
      device_add+0x60a/0x18b0
      cdev_device_add+0x103/0x170
      ubi_create_volume+0x1118/0x1a10 [ubi]
      ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi]

     Freed by task 1385:
      cdev_device_del+0x1a/0x80
      ubi_remove_volume+0x438/0x6c0 [ubi]
      ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi]
     [...]
     ==================================================================

    The lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held
    by ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be
    concurrent.

    ctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach.
    ubi_detach is bug-free because it uses reference counting to prevent
    concurrency. However, uif_init and uif_close in ubi_attach may race with
    ubi_cdev_ioctl.

    uif_init will race with ubi_cdev_ioctl as in the following stack.
               cpu1                   cpu2                  cpu3
    _______________________|________________________|______________________
    ctrl_cdev_ioctl
     ubi_attach_mtd_dev
      uif_init
                               ubi_cdev_ioctl
                                ubi_create_volume
                                 cdev_device_add
       ubi_add_volume
       // sysfs exist
       kill_volumes
                                                        ubi_cdev_ioctl
                                                         ubi_remove_volume
                                                          cdev_device_del
                                                           // first free
        ubi_free_volume
         cdev_del
         // double free
       cdev_device_del

    And uif_close will race with ubi_cdev_ioctl as in the following stack.
               cpu1                   cpu2                  cpu3
    _______________________|________________________|______________________
    ctrl_cdev_ioctl
     ubi_attach_mtd_dev
      uif_init
                               ubi_cdev_ioctl
                                ubi_create_volume
                                 cdev_device_add
      ubi_debugfs_init_dev
      //error goto out_uif;
      uif_close
       kill_volumes
                                                        ubi_cdev_ioctl
                                                         ubi_remove_volume
                                                          cdev_device_del
                                                           // first free
        ubi_free_volume
        // double free

    The cause of this problem is that commit 714fb87e8bc0 make device
    available before it becomes accessible via sysfs. Therefore, we
    roll back the modification. We will fix the race condition between
    ubi device creation and udev by removing ubi_get_device in
    vol_attribute_show and dev_attribute_show.This avoids accessing
    uninitialized ubi_devices[ubi_num].

    ubi_get_device is used to prevent devices from being deleted during
    sysfs execution. However, now kernfs ensures that devices will not
    be deleted before all reference counting are released.
    The key process is shown in the following stack.

    device_del
      device_remove_attrs
        device_remove_groups
          sysfs_remove_groups
            sysfs_remove_group
              remove_files
                kernfs_remove_by_name
                  kernfs_remove_by_name_ns
                    __kernfs_remove
                      kernfs_drain

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-989751
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9a6ab737");
  # https://lore.kernel.org/linux-cve-announce/2025022646-CVE-2021-47634-f73e@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f2d5061d");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2021-47634");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:M/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-47634");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}