Researchers have uncovered a new security vulnerability in the Linux kernel, which they have named 'StackRot' (CVE-2023-3269). The flaw could allow a local user to gain higher privileges on a targeted host. The affected Linux versions are 6.1 through 6.4. To date, there is no indication that this vulnerability has been exploited in the wild.
Ruihan Li, a security researcher at Peking University, explained that 'StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger.' Exploiting the vulnerability is nonetheless considered challenging, because maple nodes are freed through RCU callbacks, which defers the actual memory deallocation until after the RCU grace period.
The flaw was responsibly disclosed on June 15, 2023, and was addressed in stable versions 6.1.37, 6.3.11, and 6.4.1 as of July 1, 2023, following a two-week effort led by Linus Torvalds. A proof-of-concept (PoC) exploit and more technical details about the bug are expected to be released to the public by the end of the month.
The root of the flaw lies in a data structure known as the maple tree, which was introduced in Linux kernel 6.1 to replace the red-black tree (rbtree) for managing and storing virtual memory areas (VMAs). A VMA is a contiguous range of virtual addresses that may map the contents of a file on disk or the memory a program uses during execution.
Specifically, StackRot is described as a use-after-free bug that could be exploited by a local user to compromise the kernel and escalate their privileges. This can be achieved by taking advantage of the fact that the maple tree 'can undergo node replacement without properly acquiring the MM write lock.' Linus Torvalds has suggested moving all the stack expansion code to a new file, but for now, the patches have been kept minimal for backporting purposes.
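A quick way to check whether a host is in the affected range is to compare its upstream kernel version against the affected series (6.1 through 6.4) and the fixed stable releases named above (6.1.37, 6.3.11, 6.4.1). The following checker is an added example, not code from the researchers or the kernel project; it assumes a `uname -r` style version string and, since the article lists no fixed 6.2 release, treats every 6.2.x kernel as affected.

```python
import re

# Fixed stable releases named in the article. No 6.2 fix is listed,
# so every 6.2.x kernel is treated as affected.
FIXED_RELEASES = {
    (6, 1): (6, 1, 37),
    (6, 3): (6, 3, 11),
    (6, 4): (6, 4, 1),
}
AFFECTED_MINORS = range(1, 5)  # 6.1 through 6.4


def parse_kernel_release(release: str) -> tuple[int, int, int]:
    """Turn a `uname -r` string such as '6.3.8-200.fc38.x86_64' into
    (major, minor, patch). Release candidates ('6.4.0-rc7') and two-part
    versions ('6.4') get patch 0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_vulnerable_to_stackrot(release: str) -> bool:
    """True if the upstream version lies inside the affected 6.1-6.4 range
    and below the fixed stable release for its series.

    Only upstream numbering is checked: a distribution kernel that
    backported the fix without changing its version string will still
    report True here, so confirm against the vendor's advisory as well."""
    major, minor, patch = parse_kernel_release(release)
    if major != 6 or minor not in AFFECTED_MINORS:
        return False
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return True  # no fixed release listed for this series (6.2.x)
    return (major, minor, patch) < fixed


if __name__ == "__main__":
    import platform

    current = platform.release()  # same string as `uname -r` on Linux
    verdict = "affected" if is_vulnerable_to_stackrot(current) else "not affected"
    print(f"{current}: {verdict} (by upstream version number only)")
```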