Lucene search
K

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2025-992227)

🗓️ 30 Dec 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 3 Views

Linux kernel fix for PCI slot use-after-free on hot removal affecting USB4 docks on Lenovo laptops.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(280609);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/30");

  script_cve_id("CVE-2024-53194");

  script_name(english:"Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2025-992227)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-992227 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    PCI: Fix use-after-free of slot->bus on hot remove

    Dennis reports a boot crash on recent Lenovo laptops with a USB4 dock.

    Since commit 0fc70886569c (thunderbolt: Reset USB4 v2 host router) and
    commit 59a54c5f3dbd (thunderbolt: Reset topology created by the boot
    firmware), USB4 v2 and v1 Host Routers are reset on probe of the
    thunderbolt driver.

    The reset clears the Presence Detect State and Data Link Layer Link Active
    bits at the USB4 Host Router's Root Port and thus causes hot removal of the
    dock.

    The crash occurs when pciehp is unbound from one of the dock's Downstream
    Ports:  pciehp creates a pci_slot on bind and destroys it on unbind.  The
    pci_slot contains a pointer to the pci_bus below the Downstream Port, but
    a reference on that pci_bus is never acquired.  The pci_bus is destroyed
    before the pci_slot, so a use-after-free ensues when pci_slot_release()
    accesses slot->bus.

    In principle this should not happen because pci_stop_bus_device() unbinds
    pciehp (and therefore destroys the pci_slot) before the pci_bus is
    destroyed by pci_remove_bus_device().

    However the stacktrace provided by Dennis shows that pciehp is unbound from
    pci_remove_bus_device() instead of pci_stop_bus_device().  To understand
    the significance of this, one needs to know that the PCI core uses a two
    step process to remove a portion of the hierarchy:  It first unbinds all
    drivers in the sub-hierarchy in pci_stop_bus_device() and then actually
    removes the devices in pci_remove_bus_device().  There is no precaution to
    prevent driver binding in-between pci_stop_bus_device() and
    pci_remove_bus_device().

    In Dennis' case, it seems removal of the hierarchy by pciehp races with
    driver binding by pci_bus_add_devices().  pciehp is bound to the
    Downstream Port after pci_stop_bus_device() has run, so it is unbound by
    pci_remove_bus_device() instead of pci_stop_bus_device().  Because the
    pci_bus has already been destroyed at that point, accesses to it result in
    a use-after-free.

    One might conclude that driver binding needs to be prevented after
    pci_stop_bus_device() has run.  However it seems risky that pci_slot points
    to pci_bus without holding a reference.  Solely relying on correct ordering
    of driver unbind versus pci_bus destruction is certainly not defensive
    programming.

    If pci_slot has a need to access data in pci_bus, it ought to acquire a
    reference.  Amend pci_create_slot() accordingly.  Dennis reports that the
    crash is not reproducible with this change.

    Abridged stacktrace:

      pcieport 0000:00:07.0: PME: Signaling with IRQ 156
      pcieport 0000:00:07.0: pciehp: Slot #12 AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug+ Surprise+
    Interlock- NoCompl+ IbPresDis- LLActRep+
      pci_bus 0000:20: dev 00, created physical slot 12
      pcieport 0000:00:07.0: pciehp: Slot(12): Card not present
      ...
      pcieport 0000:21:02.0: pciehp: pcie_disable_notification: SLOTCTRL d8 write cmd 0
      Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT
    SMP NOPTI
      CPU: 13 UID: 0 PID: 134 Comm: irq/156-pciehp Not tainted 6.11.0-devel+ #1
      RIP: 0010:dev_driver_string+0x12/0x40
      pci_destroy_slot
      pciehp_remove
      pcie_port_remove_service
      device_release_driver_internal
      bus_remove_device
      device_del
      device_unregister
      remove_iter
      device_for_each_child
      pcie_portdrv_remove
      pci_device_remove
      device_release_driver_internal
      bus_remove_device
      device_del
      pci_remove_bus_device (recursive invocation)
      pci_remove_bus_device
      pciehp_unconfigure_device
      pciehp_disable_slot
      pciehp_handle_presence_or_link_change
      pciehp_ist

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-992227
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?794f4239");
  # https://lore.kernel.org/linux-cve-announce/2024122724-CVE-2024-53194-9edf@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?24027cb4");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-53194");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-53194");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/12/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/30");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1060e|20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1060e / 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1060e',
    'pkgs': [
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 Dec 2025 00:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.17.8
EPSS0.0023
SSVC
3