Lucene search
K

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-990637)

🗓️ 06 Nov 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 1 Views

Kernel vulnerability in jffs2 could cause illegal access; fixed in Unity Linux 20.1070a.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(274150);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/06");

  script_cve_id("CVE-2024-42115");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2025-990637)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-990637 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    jffs2: Fix potential illegal address access in jffs2_free_inode

    During the stress testing of the jffs2 file system,the following
    abnormal printouts were found:
    [ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948
    [ 2430.649622] Mem abort info:
    [ 2430.649829]   ESR = 0x96000004
    [ 2430.650115]   EC = 0x25: DABT (current EL), IL = 32 bits
    [ 2430.650564]   SET = 0, FnV = 0
    [ 2430.650795]   EA = 0, S1PTW = 0
    [ 2430.651032]   FSC = 0x04: level 0 translation fault
    [ 2430.651446] Data abort info:
    [ 2430.651683]   ISV = 0, ISS = 0x00000004
    [ 2430.652001]   CM = 0, WnR = 0
    [ 2430.652558] [0069696969696948] address between user and kernel address ranges
    [ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP
    [ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33
    [ 2430.655008] Hardware name: linux,dummy-virt (DT)
    [ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    [ 2430.656142] pc : kfree+0x78/0x348
    [ 2430.656630] lr : jffs2_free_inode+0x24/0x48
    [ 2430.657051] sp : ffff800009eebd10
    [ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000
    [ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000
    [ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14
    [ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000
    [ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000
    [ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19
    [ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14
    [ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302
    [ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342
    [ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000
    [ 2430.664217] Call trace:
    [ 2430.664528]  kfree+0x78/0x348
    [ 2430.664855]  jffs2_free_inode+0x24/0x48
    [ 2430.665233]  i_callback+0x24/0x50
    [ 2430.665528]  rcu_do_batch+0x1ac/0x448
    [ 2430.665892]  rcu_core+0x28c/0x3c8
    [ 2430.666151]  rcu_core_si+0x18/0x28
    [ 2430.666473]  __do_softirq+0x138/0x3cc
    [ 2430.666781]  irq_exit+0xf0/0x110
    [ 2430.667065]  handle_domain_irq+0x6c/0x98
    [ 2430.667447]  gic_handle_irq+0xac/0xe8
    [ 2430.667739]  call_on_irq_stack+0x28/0x54
    The parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of
    the jffs_inode_info structure. It was found that all variables in the jffs_inode_info
    structure were 5a5a5a5a, except for the first member sem. It is suspected that these
    variables are not initialized because they were set to 5a5a5a5a during memory testing,
    which is meant to detect uninitialized memory.The sem variable is initialized in the
    function jffs2_i_init_once, while other members are initialized in
    the function jffs2_init_inode_info.

    The function jffs2_init_inode_info is called after iget_locked,
    but in the iget_locked function, the destroy_inode process is triggered,
    which releases the inode and consequently, the target member of the inode
    is not initialized.In concurrent high pressure scenarios, iget_locked
    may enter the destroy_inode branch as described in the code.

    Since the destroy_inode functionality of jffs2 only releases the target,
    the fix method is to set target to NULL in jffs2_i_init_once.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-990637
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b1a12da8");
  # https://lore.kernel.org/linux-cve-announce/2024073023-CVE-2024-42115-d99a@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b9c4a4d6");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-42115");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-42115");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/07/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/06");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-4.19.0-91.82.190.003', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.0-91.82.190.003', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.0-91.82.190.003', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.0-91.82.190.003', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

06 Nov 2025 00:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.15.5
EPSS0.0025
SSVC
1