Lucene search
K

Unity Linux 20.1050e Security Update: kernel (UTSA-2025-991283)

🗓️ 18 Dec 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Kernel uprobes fix for big-endian arm64 endianness handling to correct instruction analysis.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(279247);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/18");

  script_cve_id("CVE-2024-50194");

  script_name(english:"Unity Linux 20.1050e Security Update: kernel (UTSA-2025-991283)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-991283 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    arm64: probes: Fix uprobes for big-endian kernels

    The arm64 uprobes code is broken for big-endian kernels as it doesn't
    convert the in-memory instruction encoding (which is always
    little-endian) into the kernel's native endianness before analyzing and
    simulating instructions. This may result in a few distinct problems:

    * The kernel may may erroneously reject probing an instruction which can
      safely be probed.

    * The kernel may erroneously erroneously permit stepping an
      instruction out-of-line when that instruction cannot be stepped
      out-of-line safely.

    * The kernel may erroneously simulate instruction incorrectly dur to
      interpretting the byte-swapped encoding.

    The endianness mismatch isn't caught by the compiler or sparse because:

    * The arch_uprobe::{insn,ixol} fields are encoded as arrays of u8, so
      the compiler and sparse have no idea these contain a little-endian
      32-bit value. The core uprobes code populates these with a memcpy()
      which similarly does not handle endianness.

    * While the uprobe_opcode_t type is an alias for __le32, both
      arch_uprobe_analyze_insn() and arch_uprobe_skip_sstep() cast from u8[]
      to the similarly-named probe_opcode_t, which is an alias for u32.
      Hence there is no endianness conversion warning.

    Fix this by changing the arch_uprobe::{insn,ixol} fields to __le32 and
    adding the appropriate __le32_to_cpu() conversions prior to consuming
    the instruction encoding. The core uprobes copies these fields as opaque
    ranges of bytes, and so is unaffected by this change.

    At the same time, remove MAX_UINSN_BYTES and consistently use
    AARCH64_INSN_SIZE for clarity.

    Tested with the following:

    | #include <stdio.h>
    | #include <stdbool.h>
    |
    | #define noinline __attribute__((noinline))
    |
    | static noinline void *adrp_self(void)
    | {
    |         void *addr;
    |
    |         asm volatile(
    |                adrp    %x0, adrp_self\n
    |                add     %x0, %x0, :lo12:adrp_self\n
    |         : =r (addr));
    | }
    |
    |
    | int main(int argc, char *argv)
    | {
    |         void *ptr = adrp_self();
    |         bool equal = (ptr == adrp_self);
    |
    |         printf(adrp_self   => %p\n
    |                adrp_self() => %p\n
    |                %s\n,
    |                adrp_self, ptr, equal ? EQUAL : NOT EQUAL);
    |
    |         return 0;
    | }

    .... where the adrp_self() function was compiled to:

    | 00000000004007e0 <adrp_self>:
    |   4007e0:       90000000        adrp    x0, 400000 <__ehdr_start>
    |   4007e4:       911f8000        add     x0, x0, #0x7e0
    |   4007e8:       d65f03c0        ret

    Before this patch, the ADRP is not recognized, and is assumed to be
    steppable, resulting in corruption of the result:

    | # ./adrp-self
    | adrp_self   => 0x4007e0
    | adrp_self() => 0x4007e0
    | EQUAL
    | # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events
    | # echo 1 > /sys/kernel/tracing/events/uprobes/enable
    | # ./adrp-self
    | adrp_self   => 0x4007e0
    | adrp_self() => 0xffffffffff7e0
    | NOT EQUAL

    After this patch, the ADRP is correctly recognized and simulated:

    | # ./adrp-self
    | adrp_self   => 0x4007e0
    | adrp_self() => 0x4007e0
    | EQUAL
    | #
    | # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events
    | # echo 1 > /sys/kernel/tracing/events/uprobes/enable
    | # ./adrp-self
    | adrp_self   => 0x4007e0
    | adrp_self() => 0x4007e0
    | EQUAL

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-991283
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ad5510e4");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-50194");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-50194");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/11/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1050e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1050e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1050e',
    'pkgs': [
      {'reference':'kernel-4.19.90-2211.5.0.0178.45', 'sp':'1050e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2211.5.0.0178.45', 'sp':'1050e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2211.5.0.0178.45', 'sp':'1050e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

18 Dec 2025 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 3.15.5
EPSS0.00229
SSVC
2