Links: - https://www.openwall.com/lists/oss-security/2023/07/05/1 - https://github.com/lrh2000/StackRot """ [...] A flaw was found in the handling of stack expansion in the Linux kernel 6.1 through 6.4, aka "Stack Rot". The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues. An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges. As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger. However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging. To the best of my knowledge, there are currently no publicly available exploits targeting use-after-free-by-RCU (UAFBR) bugs. This marks the first instance where UAFBR bugs have been proven to be exploitable, even without the presence of CONFIG_PREEMPT or CONFIG_SLAB_MERGE_DEFAULT settings. Notably, this exploit has been successfully demonstrated in the environment provided by [Google kCTF VRP][ctf] ([bzImage_upstream_6.1.25][img], [config][cfg]). [ctf]: https://google.github.io/kctf/vrp.html [img]: https://storage.googleapis.com/kctf-vrp-public-files/bzImage_upstream_6.1.25 [cfg]: https://storage.googleapis.com/kctf-vrp-public-files/bzImage_upstream_6.1.25_config The StackRot vulnerability has been present in the Linux kernel since version 6.1 when the VMA tree structure was [changed][ch] from red-black trees to maple trees. [ch]: https://lore.kernel.org/lkml/20220906194824.2110408-1-Liam.Howlett@oracle.com/ [...] """
Note that we should stable the latest round of kernels, not the previous ones, as there were fixes for some other arches.
Only >= 6.1 is vulnerable, fwiw, but may want to stable the other latest ones just for consistency.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c035a24288407abc36840e708d7877c0556d2bf commit 5c035a24288407abc36840e708d7877c0556d2bf Author: Sam James <sam@gentoo.org> AuthorDate: 2023-07-18 15:56:42 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-07-18 15:56:42 +0000 profiles: mask bad dist-kernels too Bug: https://bugs.gentoo.org/909829 Signed-off-by: Sam James <sam@gentoo.org> profiles/package.mask | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-)
