Lucene search
K

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-990509)

🗓️ 06 Nov 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Kernel fix for sata_dwc crash from OOB write; update ATA_TAG_INTERNAL to 32 and adjust QCMD_MAX.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(274226);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/06");

  script_cve_id("CVE-2022-49073");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2025-990509)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-990509 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    ata: sata_dwc_460ex: Fix crash due to OOB write

    the driver uses libata's tag values from in various arrays.
    Since the mentioned patch bumped the ATA_TAG_INTERNAL to 32,
    the value of the SATA_DWC_QCMD_MAX needs to account for that.

    Otherwise ATA_TAG_INTERNAL usage cause similar crashes like
    this as reported by Tice Rex on the OpenWrt Forum and
    reproduced (with symbols) here:

    | BUG: Kernel NULL pointer dereference at 0x00000000
    | Faulting instruction address: 0xc03ed4b8
    | Oops: Kernel access of bad area, sig: 11 [#1]
    | BE PAGE_SIZE=4K PowerPC 44x Platform
    | CPU: 0 PID: 362 Comm: scsi_eh_1 Not tainted 5.4.163 #0
    | NIP:  c03ed4b8 LR: c03d27e8 CTR: c03ed36c
    | REGS: cfa59950 TRAP: 0300   Not tainted  (5.4.163)
    | MSR:  00021000 <CE,ME>  CR: 42000222  XER: 00000000
    | DEAR: 00000000 ESR: 00000000
    | GPR00: c03d27e8 cfa59a08 cfa55fe0 00000000 0fa46bc0 [...]
    | [..]
    | NIP [c03ed4b8] sata_dwc_qc_issue+0x14c/0x254
    | LR [c03d27e8] ata_qc_issue+0x1c8/0x2dc
    | Call Trace:
    | [cfa59a08] [c003f4e0] __cancel_work_timer+0x124/0x194 (unreliable)
    | [cfa59a78] [c03d27e8] ata_qc_issue+0x1c8/0x2dc
    | [cfa59a98] [c03d2b3c] ata_exec_internal_sg+0x240/0x524
    | [cfa59b08] [c03d2e98] ata_exec_internal+0x78/0xe0
    | [cfa59b58] [c03d30fc] ata_read_log_page.part.38+0x1dc/0x204
    | [cfa59bc8] [c03d324c] ata_identify_page_supported+0x68/0x130
    | [...]

    This is because sata_dwc_dma_xfer_complete() NULLs the
    dma_pending's next neighbour chan (a *dma_chan struct) in
    this '32' case right here (line ~735):
    > hsdevp->dma_pending[tag] = SATA_DWC_DMA_PENDING_NONE;

    Then the next time, a dma gets issued; dma_dwc_xfer_setup() passes
    the NULL'd hsdevp->chan to the dmaengine_slave_config() which then
    causes the crash.

    With this patch, SATA_DWC_QCMD_MAX is now set to ATA_MAX_QUEUE + 1.
    This avoids the OOB. But please note, there was a worthwhile discussion
    on what ATA_TAG_INTERNAL and ATA_MAX_QUEUE is. And why there should not
    be a fake 33 command-long queue size.

    Ideally, the dw driver should account for the ATA_TAG_INTERNAL.
    In Damien Le Moal's words: ... having looked at the driver, it
    is a bigger change than just faking a 33rd tag that is in fact
    not a command tag at all.

    BugLink: https://github.com/openwrt/openwrt/issues/9505

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-990509
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3f22b1c1");
  # https://lore.kernel.org/linux-cve-announce/2025022655-CVE-2022-49073-0a26@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f8526c61");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-49073");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-49073");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/06");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-4.19.0-91.82.190.003', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.0-91.82.190.003', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.0-91.82.190.003', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.0-91.82.190.003', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

06 Nov 2025 00:00Current
5.7Medium risk
Vulners AI Score5.7
CVSS 3.17.8
EPSS0.0026
2