Unity Linux 20.1070e Security Update: kernel (UTSA-2025-986650)

high Nessus Plugin ID 268801

Synopsis

The Unity Linux host is missing one or more security updates.

Description

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-986650 advisory.

In the Linux kernel, the following vulnerability has been resolved:

sched/scs: Reset task stack state in bringup_cpu()

To hot unplug a CPU, the idle task on that CPU calls a few layers of C code before finally leaving the kernel. When KASAN is in use, poisoned shadow is left around for each of the active stack frames. When shadow call stacks (SCS) are in use, the task's saved SCS SP is left pointing at an arbitrary point within the task's shadow call stack.

When a CPU is offlined then onlined back into the kernel, this stale state can adversely affect execution. Stale KASAN shadow can alias new stackframes and result in bogus KASAN warnings. A stale SCS SP is effectively a memory leak, and prevents a portion of the shadow call stack being used. Across a number of hotplug cycles the idle task's entire shadow call stack can become unusable.

We previously fixed the KASAN issue in commit:

e1b77c92981a5222 (sched/kasan: remove stale KASAN poison after hotplug)

... by removing any stale KASAN stack poison immediately prior to onlining a CPU.

Subsequently in commit:

f1a0a376ca0c4ef1 (sched/core: Initialize the idle task with preemption disabled)

... the refactoring left the KASAN and SCS cleanup in one-time idle thread initialization code rather than something invoked prior to each CPU being onlined, breaking both as above.

We fixed SCS (but not KASAN) in commit:

63acd42c0d4942f7 (sched/scs: Reset the shadow stack when idle_task_exit)

... but as this runs in the context of the idle task being offlined it's potentially fragile.

To fix these consistently and more robustly, reset the SCS SP and KASAN shadow of a CPU's idle task immediately before we online that CPU in bringup_cpu(). This ensures the idle task always has a consistent state when it is running, and removes the need to do so when exiting an idle task.

Whenever any thread is created, dup_task_struct() will give the task a stack which is free of KASAN shadow, and initialize the task's SCS SP, so there's no need to specially initialize either for idle thread within init_idle(), as this was only necessary to handle hotplug cycles.

I've tested this on arm64 with:

* gcc 11.1.0, defconfig +KASAN_INLINE, KASAN_STACK
* clang 12.0.0, defconfig +KASAN_INLINE, KASAN_STACK, SHADOW_CALL_STACK

... offlining and onlining CPUS with:

| while true; do
|   for C in /sys/devices/system/cpu/cpu*/online; do
|     echo 0 > $C;
|     echo 1 > $C;
|   done
| done

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel package.

See Also

http://www.nessus.org/u?e442b116

http://www.nessus.org/u?cc24797a

https://nvd.nist.gov/vuln/detail/CVE-2021-47553

Plugin Details

Severity: High

ID: 268801

File Name: unity_linux_UTSA-2025-986650.nasl

Version: 1.2

Type: local

Published: 10/7/2025

Updated: 10/15/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2021-47553

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/UOS-Server/release, Host/UOS-Server/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 9/23/2025

Vulnerability Publication Date: 7/21/2021

Reference Information

CVE: CVE-2021-47553