Links:
- https://www.openwall.com/lists/oss-security/2023/07/05/1
- https://github.com/lrh2000/StackRot

"""
[...]

A flaw was found in the handling of stack expansion in the Linux kernel 6.1 through 6.4, aka "Stack Rot". The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues. An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges.

As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger. However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging.

To the best of my knowledge, there are currently no publicly available exploits targeting use-after-free-by-RCU (UAFBR) bugs. This marks the first instance where UAFBR bugs have been proven to be exploitable, even without the presence of CONFIG_PREEMPT or CONFIG_SLAB_MERGE_DEFAULT settings. Notably, this exploit has been successfully demonstrated in the environment provided by [Google kCTF VRP][ctf] ([bzImage_upstream_6.1.25][img], [config][cfg]).

[ctf]: https://google.github.io/kctf/vrp.html
[img]: https://storage.googleapis.com/kctf-vrp-public-files/bzImage_upstream_6.1.25
[cfg]: https://storage.googleapis.com/kctf-vrp-public-files/bzImage_upstream_6.1.25_config

The StackRot vulnerability has been present in the Linux kernel since version 6.1 when the VMA tree structure was [changed][ch] from red-black trees to maple trees.

[ch]: https://lore.kernel.org/lkml/20220906194824.2110408-1-Liam.Howlett@oracle.com/

[...]
"""
Note that we should stable the latest round of kernels, not the previous ones, as there were fixes for some other arches.
Only >= 6.1 is vulnerable, fwiw, but may want to stable the other latest ones just for consistency.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c035a24288407abc36840e708d7877c0556d2bf

commit 5c035a24288407abc36840e708d7877c0556d2bf
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-07-18 15:56:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-07-18 15:56:42 +0000

    profiles: mask bad dist-kernels too

    Bug: https://bugs.gentoo.org/909829
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)