Bug 909829 (CVE-2023-3269) - StackRot vulnerability: Linux kernel privilege escalation via VMA
Summary: StackRot vulnerability: Linux kernel privilege escalation via VMA
Status: CONFIRMED
Alias: CVE-2023-3269
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Depends on: 909777 909831
Reported: 2023-07-07 10:43 UTC by Sam James
Modified: 2024-03-03 22:35 UTC (History)
Description Sam James 2023-07-07 10:43:13 UTC
Links:
- https://www.openwall.com/lists/oss-security/2023/07/05/1
- https://github.com/lrh2000/StackRot

"""
[...]
A flaw was found in the handling of stack expansion in the Linux kernel 6.1
through 6.4, aka "Stack Rot". The maple tree, responsible for managing virtual
memory areas, can undergo node replacement without properly acquiring the MM
write lock, leading to use-after-free issues. An unprivileged local user could
use this flaw to compromise the kernel and escalate their privileges.

As StackRot is a Linux kernel vulnerability found in the memory management
subsystem, it affects almost all kernel configurations and requires minimal
capabilities to trigger. However, it should be noted that maple nodes are freed
using RCU callbacks, delaying the actual memory deallocation until after the
RCU grace period. Consequently, exploiting this vulnerability is considered
challenging.

To the best of my knowledge, there are currently no publicly available exploits
targeting use-after-free-by-RCU (UAFBR) bugs. This marks the first instance
where UAFBR bugs have been proven to be exploitable, even without the presence
of CONFIG_PREEMPT or CONFIG_SLAB_MERGE_DEFAULT settings. Notably, this exploit
has been successfully demonstrated in the environment provided by [Google kCTF
VRP][ctf] ([bzImage_upstream_6.1.25][img], [config][cfg]).

 [ctf]: https://google.github.io/kctf/vrp.html
 [img]: https://storage.googleapis.com/kctf-vrp-public-files/bzImage_upstream_6.1.25
 [cfg]: https://storage.googleapis.com/kctf-vrp-public-files/bzImage_upstream_6.1.25_config

The StackRot vulnerability has been present in the Linux kernel since version
6.1 when the VMA tree structure was [changed][ch] from red-black trees to maple
trees.

 [ch]: https://lore.kernel.org/lkml/20220906194824.2110408-1-Liam.Howlett@oracle.com/
[...]
"""
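A first triage step for this bug is to tell whether a host is running a kernel in the series the advisory names. The following is an added example written for this page, not code from the bug, the oss-security post or the StackRot repository: it parses a `uname -r` style release string and reports whether its major.minor falls in the 6.1 through 6.4 range quoted above. The bug does not name the patched point releases, so the check only flags the series; it assumes (as the advisory states) that 6.0 and earlier are unaffected.

```python
"""Flag kernel releases in the StackRot (CVE-2023-3269) affected series.

Added example for this bug page, not code from the bug, the advisory or the
StackRot repository. It tests only the major.minor range the advisory names
(6.1 through 6.4); the page does not list patched point releases, so a kernel
inside the range may already carry the fix via a later stable release.
"""
import platform
import re

AFFECTED_MIN = (6, 1)  # first series with the maple-tree VMA code (per the page)
AFFECTED_MAX = (6, 4)  # last series the advisory names as affected


def parse_release(release: str) -> tuple[int, int, int]:
    """Reduce a string like '6.1.25-gentoo-x86_64' to (major, minor, patch).

    Raises ValueError when the string does not start with a dotted version.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def in_affected_range(release: str) -> bool:
    """True when the release's major.minor lies in 6.1..6.4 inclusive."""
    major, minor, _ = parse_release(release)
    return AFFECTED_MIN <= (major, minor) <= AFFECTED_MAX


def classify(release: str) -> str:
    """Human-readable verdict for the command-line entry point."""
    if in_affected_range(release):
        return (f"{release}: in the affected 6.1-6.4 series; confirm the "
                "running point release carries the CVE-2023-3269 fix")
    return f"{release}: outside the affected series"


if __name__ == "__main__":
    # platform.release() returns the same string as `uname -r` on Linux.
    print(classify(platform.release()))
```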
Comment 1 Sam James 2023-07-07 10:43:31 UTC
Note that we should stable the latest round of kernels, not the previous ones, as there were fixes for some other arches.
Comment 2 Sam James 2023-07-07 10:44:04 UTC
Only >= 6.1 is vulnerable, fwiw, but may want to stable the other latest ones just for consistency.
Comment 3 Larry the Git Cow 2023-07-18 16:32:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c035a24288407abc36840e708d7877c0556d2bf

commit 5c035a24288407abc36840e708d7877c0556d2bf
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-07-18 15:56:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-07-18 15:56:42 +0000

    profiles: mask bad dist-kernels too
    
    Bug: https://bugs.gentoo.org/909829
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)