Unity Linux 20.1070e Security Update: kernel (UTSA-2025-990770)

medium Nessus Plugin ID 275062

Synopsis

The Unity Linux host is missing one or more security updates.

Description

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-990770 advisory.

In the Linux kernel, the following vulnerability has been resolved:

dm ioctl: fix misbehavior if list_versions races with module loading

__list_versions will first estimate the required space using the dm_target_iterate(list_version_get_needed, &needed) call and then will fill the space using the dm_target_iterate(list_version_get_info, &iter_info) call. Each of these calls locks the targets using the down_read(&_lock) and up_read(&_lock) calls, however between the first and second dm_target_iterate there is no lock held and the target modules can be loaded at this point, so the second dm_target_iterate call may need more space than what the first dm_target_iterate returned.

The code tries to handle this overflow (see the beginning of list_version_get_info), however this handling is incorrect.

The code sets "param->data_size = param->data_start + needed" and "iter_info.end = (char *)vers+len" - "needed" is the size returned by the first dm_target_iterate call; "len" is the size of the buffer allocated by userspace.

len may be greater than needed; in this case, the code will write up to len bytes into the buffer, however param->data_size is set to needed, so it may write data past the param->data_size value. The ioctl interface copies only up to param->data_size into userspace, thus part of the result will be truncated.

Fix this bug by setting "iter_info.end = (char *)vers + needed;" - this guarantees that the second dm_target_iterate call will write only up to the needed buffer and it will exit with DM_BUFFER_FULL_FLAG if it overflows the needed space - in this case, userspace will allocate a larger buffer and retry.

Note that there is also a bug in list_version_get_needed - we need to add strlen(tt->name) + 1 to the needed size, not strlen(tt->name).

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
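The two-pass sizing race described above can be modelled in userspace. The following is an added example, not code from the advisory or the kernel: it reduces each target entry to its NUL-terminated name, omits the data_start offset, and uses constructed target names and a hypothetical BUFFER_FULL constant in place of DM_BUFFER_FULL_FLAG.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFFER_FULL 1 /* hypothetical stand-in for DM_BUFFER_FULL_FLAG */

/* Pass 1: space for n names, each including its NUL terminator (the "+ 1"). */
static size_t bytes_needed(const char **names, size_t n) {
    size_t needed = 0;
    for (size_t i = 0; i < n; i++)
        needed += strlen(names[i]) + 1;
    return needed;
}

/* Pass 2: copy names until the next one would cross `end`; returns bytes written. */
static size_t fill(const char **names, size_t n, char *buf, char *end, int *flags) {
    char *p = buf;
    for (size_t i = 0; i < n; i++) {
        size_t sz = strlen(names[i]) + 1;
        if (sz > (size_t)(end - p)) { *flags |= BUFFER_FULL; break; }
        memcpy(p, names[i], sz);
        p += sz;
    }
    return (size_t)(p - buf);
}

/* Returns how many bytes were written past data_size, i.e. never reach userspace. */
static size_t list_versions_model(int fixed, int *flags) {
    const char *names[] = { "linear", "striped", "crypt" }; /* constructed sample */
    char buf[64];                            /* userspace buffer, len = 64 */
    size_t needed = bytes_needed(names, 2);  /* pass 1 sees two targets */
    /* race window: no lock is held, a third target module loads here */
    char *end = fixed ? buf + needed : buf + sizeof buf;
    *flags = 0;
    size_t written = fill(names, 3, buf, end, flags);
    size_t data_size = needed;               /* data_start offset omitted */
    return written > data_size ? written - data_size : 0;
}

int main(void) {
    int f0, f1;
    size_t l0 = list_versions_model(0, &f0), l1 = list_versions_model(1, &f1);
    printf("end=vers+len: lost=%zu flags=%d\n", l0, f0);
    printf("end=vers+needed: lost=%zu flags=%d\n", l1, f1);
    return 0;
}
```

With the end pointer at vers+len the third entry is written but silently dropped from the copied-out result; with vers+needed the fill stops and raises the flag so the caller retries with a larger buffer.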

Solution

Update the affected kernel package.

See Also

http://www.nessus.org/u?b6a11bd0

http://www.nessus.org/u?4eb75bda

https://nvd.nist.gov/vuln/detail/CVE-2022-49771

Plugin Details

Severity: Medium

ID: 275062

File Name: unity_linux_UTSA-2025-990770.nasl

Version: 1.1

Type: local

Published: 11/12/2025

Updated: 11/12/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.1

CVSS v2

Risk Factor: Low

Base Score: 3.8

Temporal Score: 2.8

Vector: CVSS2#AV:L/AC:H/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2022-49771

CVSS v3

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 4.1

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/UOS-Server/release, Host/UOS-Server/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/12/2025

Vulnerability Publication Date: 1/23/2023

Reference Information

CVE: CVE-2022-49771