Lucene search
K

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-993026)

🗓️ 31 Dec 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Unity Linux security update fixes kernel refcount bug in sk_psock_get during SMC fallback in connect.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(281087);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/31");

  script_cve_id("CVE-2022-49979");

  script_name(english:"Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-993026)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-993026 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    net: fix refcount bug in sk_psock_get (2)

    Syzkaller reports refcount bug as follows:
    ------------[ cut here ]------------
    refcount_t: saturated; leaking memory.
    WARNING: CPU: 1 PID: 3605 at lib/refcount.c:19 refcount_warn_saturate+0xf4/0x1e0 lib/refcount.c:19
    Modules linked in:
    CPU: 1 PID: 3605 Comm: syz-executor208 Not tainted 5.18.0-syzkaller-03023-g7e062cda7d90 #0
     <TASK>
     __refcount_add_not_zero include/linux/refcount.h:163 [inline]
     __refcount_inc_not_zero include/linux/refcount.h:227 [inline]
     refcount_inc_not_zero include/linux/refcount.h:245 [inline]
     sk_psock_get+0x3bc/0x410 include/linux/skmsg.h:439
     tls_data_ready+0x6d/0x1b0 net/tls/tls_sw.c:2091
     tcp_data_ready+0x106/0x520 net/ipv4/tcp_input.c:4983
     tcp_data_queue+0x25f2/0x4c90 net/ipv4/tcp_input.c:5057
     tcp_rcv_state_process+0x1774/0x4e80 net/ipv4/tcp_input.c:6659
     tcp_v4_do_rcv+0x339/0x980 net/ipv4/tcp_ipv4.c:1682
     sk_backlog_rcv include/net/sock.h:1061 [inline]
     __release_sock+0x134/0x3b0 net/core/sock.c:2849
     release_sock+0x54/0x1b0 net/core/sock.c:3404
     inet_shutdown+0x1e0/0x430 net/ipv4/af_inet.c:909
     __sys_shutdown_sock net/socket.c:2331 [inline]
     __sys_shutdown_sock net/socket.c:2325 [inline]
     __sys_shutdown+0xf1/0x1b0 net/socket.c:2343
     __do_sys_shutdown net/socket.c:2351 [inline]
     __se_sys_shutdown net/socket.c:2349 [inline]
     __x64_sys_shutdown+0x50/0x70 net/socket.c:2349
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x46/0xb0
     </TASK>

    During SMC fallback process in connect syscall, kernel will
    replaces TCP with SMC. In order to forward wakeup
    smc socket waitqueue after fallback, kernel will sets
    clcsk->sk_user_data to origin smc socket in
    smc_fback_replace_callbacks().

    Later, in shutdown syscall, kernel will calls
    sk_psock_get(), which treats the clcsk->sk_user_data
    as psock type, triggering the refcnt warning.

    So, the root cause is that smc and psock, both will use
    sk_user_data field. So they will mismatch this field
    easily.

    This patch solves it by using another bit(defined as
    SK_USER_DATA_PSOCK) in PTRMASK, to mark whether
    sk_user_data points to a psock object or not.
    This patch depends on a PTRMASK introduced in commit f1ff5ce2cd5e
    (net, sk_msg: Clear sk_user_data pointer on clone if tagged).

    For there will possibly be more flags in the sk_user_data field,
    this patch also refactor sk_user_data flags code to be more generic
    to improve its maintainability.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-993026
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?51220783");
  # https://lore.kernel.org/linux-cve-announce/2025061820-CVE-2022-49979-f695@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7d845753");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-49979");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-49979");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/10/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/31");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1060a|20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1060a / 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1060a',
    'pkgs': [
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

31 Dec 2025 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 3.15.5
EPSS0.00205
2