Bug 909829 (CVE-2023-3269)

Summary: StackRot vulnerability: Linux kernel privilege escalation via VMA
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Kernel
Assignee: Gentoo Security <security>
Status: CONFIRMED ---
Severity: normal
CC: dist-kernel, kernel
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 909777, 909831
Bug Blocks:

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-07-07 10:43:13 UTC
Links:
- https://www.openwall.com/lists/oss-security/2023/07/05/1
- https://github.com/lrh2000/StackRot

"""
[...]
A flaw was found in the handling of stack expansion in the Linux kernel 6.1
through 6.4, aka "Stack Rot". The maple tree, responsible for managing virtual
memory areas, can undergo node replacement without properly acquiring the MM
write lock, leading to use-after-free issues. An unprivileged local user could
use this flaw to compromise the kernel and escalate their privileges.

As StackRot is a Linux kernel vulnerability found in the memory management
subsystem, it affects almost all kernel configurations and requires minimal
capabilities to trigger. However, it should be noted that maple nodes are freed
using RCU callbacks, delaying the actual memory deallocation until after the
RCU grace period. Consequently, exploiting this vulnerability is considered
challenging.

To the best of my knowledge, there are currently no publicly available exploits
targeting use-after-free-by-RCU (UAFBR) bugs. This marks the first instance
where UAFBR bugs have been proven to be exploitable, even without the presence
of CONFIG_PREEMPT or CONFIG_SLAB_MERGE_DEFAULT settings. Notably, this exploit
has been successfully demonstrated in the environment provided by [Google kCTF
VRP][ctf] ([bzImage_upstream_6.1.25][img], [config][cfg]).

 [ctf]: https://google.github.io/kctf/vrp.html
 [img]: https://storage.googleapis.com/kctf-vrp-public-files/bzImage_upstream_6.1.25
 [cfg]: https://storage.googleapis.com/kctf-vrp-public-files/bzImage_upstream_6.1.25_config

The StackRot vulnerability has been present in the Linux kernel since version
6.1 when the VMA tree structure was [changed][ch] from red-black trees to maple
trees.

 [ch]: https://lore.kernel.org/lkml/20220906194824.2110408-1-Liam.Howlett@oracle.com/
[...]
"""
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-07-07 10:43:31 UTC
Note that we should stable the latest round of kernels, not the previous ones, as there were fixes for some other arches.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-07-07 10:44:04 UTC
Only >= 6.1 is vulnerable, fwiw, but may want to stable the other latest ones just for consistency.
Comment 3 Larry the Git Cow gentoo-dev 2023-07-18 16:32:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c035a24288407abc36840e708d7877c0556d2bf

commit 5c035a24288407abc36840e708d7877c0556d2bf
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-07-18 15:56:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-07-18 15:56:42 +0000

    profiles: mask bad dist-kernels too
    
    Bug: https://bugs.gentoo.org/909829
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)