Exploit code for a critical vulnerability in the Linux kernel, known as StackRot (CVE-2023-3269), is expected to be publicly available by the end of July. The vulnerability was discovered by Ruihan Li, a security researcher at Peking University in China, who reported it to the Linux kernel security team in mid-June.
StackRot affects Linux kernel versions 6.1 through 6.4 and gives a local attacker a way to escalate privileges on an affected system. Li described the vulnerability as affecting almost all Linux kernel configurations and requiring minimal capabilities to trigger: an unprivileged local user is enough.
In response to the report, a team led by Linux creator Linus Torvalds spent about two weeks developing a set of patches. These were merged into Linus’ tree on June 28th, during the merge window for Linux kernel 6.5, and were backported to the stable kernels 6.1.37, 6.3.11 and 6.4.1 on July 1st, closing the hole for those series. The 6.2 series, which had already reached end-of-life, received no fixed release.
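A quick way to triage a fleet against the version ranges above is to compare the running kernel's release string against the fixed stable releases. The following script is an added example, not code from the article or from the kernel project; it assumes the upstream fixed releases 6.1.37, 6.3.11 and 6.4.1, treats the 6.2 series as never fixed, and treats anything before 6.1 or from 6.5 onward as outside the affected range. It only tells you about upstream version numbers: distribution kernels (RHEL, Ubuntu, Debian and others) backport fixes without changing the upstream version, so a "vulnerable" verdict on a vendor kernel must be confirmed against the vendor's advisory.

```python
import platform
import re

# Upstream stable releases that carry the StackRot (CVE-2023-3269) fix.
# Assumption for this example: anything below these within the same
# series is unpatched upstream. 6.2 is absent because no fixed 6.2.y
# release was ever published.
FIXED_STABLE = {
    (6, 1): 37,
    (6, 3): 11,
    (6, 4): 1,
}

# Matches the leading "major.minor[.patch]" of a `uname -r` string such as
# "6.3.9-arch1-1", "6.1.0-10-amd64" or "6.4.0-rc7"; the suffix is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release):
    """Return (major, minor, patch) for a kernel release string.

    A missing patch level (e.g. "6.1") is read as 0.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def stackrot_upstream_status(release):
    """Classify a kernel release against CVE-2023-3269 by upstream version.

    Returns one of:
      "not-affected"     : before 6.1 or 6.5 and later (fix merged in 6.5)
      "vulnerable"       : 6.1, 6.3 or 6.4 below the fixed stable release
      "fixed"            : 6.1, 6.3 or 6.4 at or above the fixed release
      "unpatched-series" : any 6.2.y kernel, which never received a fix
    Distribution kernels that backport fixes without bumping the version
    will be misreported as "vulnerable"; check the vendor advisory for those.
    """
    major, minor, patch = parse_kernel_version(release)
    series = (major, minor)
    if series < (6, 1) or series >= (6, 5):
        return "not-affected"
    fixed_patch = FIXED_STABLE.get(series)
    if fixed_patch is None:
        return "unpatched-series"
    return "fixed" if patch >= fixed_patch else "vulnerable"


if __name__ == "__main__":
    # platform.release() is the kernel release on Linux (same as `uname -r`).
    running = platform.release()
    print(f"{running}: {stackrot_upstream_status(running)}")
```

Run it directly on a host to classify the running kernel, or feed it release strings gathered from inventory. Release candidates such as "6.4.0-rc7" are parsed as 6.4.0 and reported vulnerable, which is correct for this bug since the fix landed after 6.4.0 was released.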
StackRot lies in the Linux kernel’s handling of user-mode stack expansion, the mechanism that automatically grows a running process’s stack when it faults just below the current stack mapping. The bug is in the management of virtual memory areas: the stack could be expanded, and the tree of memory areas modified, without the mmap write lock being held, so a tree node could be replaced and freed while another code path was still using it. Li calls the resulting class of bug use-after-free-by-RCU (UAFBR): a use-after-free in which the freed object is released through the kernel’s Read-Copy-Update (RCU) mechanism, which synchronizes access to shared data by deferring frees until all readers that started before the update have finished.
A use-after-free occurs when software keeps using a reference to memory after that memory has been freed. An attacker who can get the freed memory reallocated with contents they control can then influence what the stale reference reads or writes, and in the kernel that is typically enough to corrupt kernel data and take over control flow. In StackRot’s case, an unprivileged local user can trigger the stale use of a freed memory-area node, compromise the kernel and escalate privileges. The RCU twist is that the node is not freed immediately but only after an RCU grace period has passed.
UAFBR bugs are dangerous but not easy to exploit, precisely because of that deferred free: memory released through an RCU callback is only reclaimed after the grace period, so the attacker must keep the stale reference in play across that window. Li says the StackRot exploit is likely the first to successfully exploit a UAFBR bug; no exploits targeting use-after-free-by-RCU bugs are publicly available at present, which makes its planned release a significant development.
To fix the vulnerability, the kernel team led by Torvalds changed the user-mode stack expansion code so that the stack is only ever expanded with the mmap write lock held, preventing the use-after-free condition from arising. Torvalds commented that this fix was something they should have done earlier but had been lazy about implementing because it wasn’t strictly necessary.
In conclusion, the StackRot vulnerability in the Linux kernel has been addressed: the fix is in mainline for 6.5 and in the stable releases published on July 1st, while the public exploit code is expected by the end of July. The bug posed a significant threat because it allowed an unprivileged local user to escalate privileges on affected systems; administrators running a 6.1 to 6.4 kernel should confirm they are on a fixed release, or on a distribution kernel that has backported the patches, before that exploit lands.

