StackRot Vulnerability in Linux Kernel Enables Privilege Escalation
A new vulnerability, called StackRot, was discovered by a security researcher, Ruihan Li, in the Linux kernel’s memory management subsystem. The incorrect lock handling for accessing and updating virtual memory areas (VMAs) resulted in a use-after-free flaw. An attacker can use this flaw to enable the execution of arbitrary kernel code, escalate containers, and acquire root privileges.
StackRot Vulnerability (CVE-2023-3269)
According to BleepingComputer, StackRot is a result of how the Linux kernel manages stack expansion within its memory management subsystem, particularly in relation to virtual memory areas (VMAs).
The vulnerability occurs in the maple tree, a newly introduced data structure system to manage virtual memory areas (VMAs). This system replaces the previous “red-black trees” and relies on the read-copy-update (RCU) mechanism. The issue arises when the maple tree replaces a node without obtaining the necessary memory management (MM) write lock.
As the Linux kernel eliminates the gap between VMAs during the stack expansion process, a new node is created in the maple tree. At the same time, the old one is marked for deletion once ongoing reads are completed, following the RCU safety principles of the maple tree.
However, a critical concern arises during the RCU grace period, where a use-after-free problem may occur if a process accesses the old node. As a result, an attacker can overwrite memory and elevate privileges.
Linus Torvalds Improves Linux’s User-Mode Stack Expansion
Linus Torvalds, the creator of Linux, no longer writes as much kernel code as he used to. These days, he is more focused on overseeing the upstream kernel development community, reviewing code, managing releases, and participating in mailing list discussions. However, he still gets down and dirty with some low-level kernel hacking occasionally, as he did recently with the user-mode stack expansion code for Linux 6.5.
Linux Torvalds said that the user-mode stack expansion code had been modified to ensure that the mmap_lock is always acquired for writing before making any changes to the VM layout. The process remained relatively straightforward by simply adjusting the vm_start (or vm_end in the case of grow-up stacks) and implementing specialized ad-hoc locking using the
anon_vma lock and the
However, Ruihan Li brought to their attention the fact that with the introduction of the maple tree code in the vma layout, modifying only the vm_start and vm_end is no longer sufficient, and the existing locking mechanism is flawed.
According to Ruihan Li, exploiting StackRot poses a considerable challenge, and CVE-2023-3269 may serve as the first documented example of a potentially exploitable use-after-free-by-RCU (UAFBR) vulnerability. The researcher has announced intentions to disclose the comprehensive technical details of StackRot, along with a proof-of-concept (PoC) exploit, by the end of July.
Although Linux kernel 6.1 is the long-term support (LTS) version, not all major Linux distributions have implemented it. For example, Ubuntu 22.04.2 LTS (Jammy Jellyfish), which is supported until April 2027, is shipped with Linux kernel 5.19. While the latest Debian release, Debian 12 (Bookworm), includes Linux kernel 6.1. Moreover, the StackRot vulnerability does not apply to kernel versions shipped with Red Hat Enterprise Linux, as the affected code was not introduced into those platforms.
The sources for this article include a story from BleepingComputer.