StackRot: Linux Kernel Vulnerability

Posted Under: Article, Linux on Jul 6, 2023
A critical security vulnerability has recently surfaced, affecting various versions of the Linux kernel. This vulnerability, known as StackRot (CVE-2023-3269), can be exploited with minimal capabilities to compromise the kernel and gain elevated privileges. Security researcher Ruihan Li discovered and reported this flaw, which impacts the memory management subsystem responsible for virtual memory, demand paging, memory allocation, and file mapping. In this article, we'll delve into the details of StackRot, the patching process, and the steps users can take to protect their systems.

StackRot revolves around how the Linux kernel manages stack expansion within its memory management subsystem. The vulnerability is specifically related to the "maple tree" data structure, introduced in Linux kernel version 6.1 as a replacement for "red-black trees." The issue arises from the read-copy-update (RCU) mechanism employed by the maple tree. Due to improper handling of stack expansion, the maple tree can replace a node without acquiring the necessary memory management (MM) write lock. Consequently, during the process of stack expansion and VMA merging, a use-after-free (UAF) vulnerability can be exploited, providing an opportunity for privilege escalation.

Upon discovering StackRot, Ruihan Li promptly reported the vulnerability on June 15th. However, addressing the complexity of the issue required nearly two weeks of dedicated effort led by Linux creator Linus Torvalds. On June 28th, during the merge window for Linux kernel 5.5, the fix was successfully merged into Linus' tree. Subsequently, the patches were backported to stable kernels, including versions 6.1.37, 6.3.11, and 6.4.1. This comprehensive resolution effectively eliminated the StackRot vulnerability on July 1st.

StackRot affects all kernel configurations in Linux versions 6.1 through 6.4. It's worth noting that Linux kernel 6.1 has been approved as the long-term support (LTS) version since February. However, not all major Linux distributions have adopted it. For example, Ubuntu 22.04.2 LTS (Jammy Jellyfish), which receives standard support until April 2027, ships with Linux kernel version 5.19. Conversely, Debian 12 (Bookworm) is bundled with Linux kernel 6.1. To determine if your Linux distribution is running an affected version, consult DistroWatch for a comprehensive list of distributions utilizing kernel version 6.1 or higher.

While StackRot exploitation is challenging, Ruihan Li intends to disclose complete technical details and share a proof-of-concept (PoC) exploit by the end of July. To safeguard your system, it is crucial to identify the kernel version running on your Linux distribution and choose an unaffected version or an updated release containing the necessary fixes. Keeping your system up-to-date with the latest security patches is vital to mitigate potential risks.
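The version check recommended above can be scripted. The following POSIX shell script is an added example written for this article, not code from the researcher or the kernel project. It classifies a kernel version string (for instance the output of `uname -r`) against the boundaries the article gives: the 6.1 through 6.4 series are affected, and the stable releases 6.1.37, 6.3.11 and 6.4.1 carry the fix. One assumption is mine: because the article names no fixed 6.2 release, every 6.2.x version is reported as affected.

```shell
#!/bin/sh
# Added example: classify a kernel version against the StackRot
# (CVE-2023-3269) version boundaries stated in the article.
#   affected   -> 6.1.x below 6.1.37, any 6.2.x, 6.3.x below 6.3.11, 6.4.0
#   fixed      -> 6.1.37+, 6.3.11+, 6.4.1+ (the stable backports)
#   unaffected -> anything outside the 6.1 .. 6.4 series
#   unknown    -> input that does not start with a dotted version number
# Assumption (not from the article): 6.2.x is always reported as affected,
# since no fixed 6.2 release is listed.

# Print one of the four status words for the version string in $1.
stackrot_status() {
    # Keep only the leading digits-and-dots part, dropping distro suffixes
    # such as "-generic", "-1-amd64" or "-rc7".
    base=${1%%[!0-9.]*}
    case $base in
        [0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac

    # Pad so that "6.1" parses as 6.1.0 and every field is present.
    norm="$base.0.0"
    major=$(printf '%s' "$norm" | cut -d. -f1)
    minor=$(printf '%s' "$norm" | cut -d. -f2)
    patch=$(printf '%s' "$norm" | cut -d. -f3)
    minor=${minor:-0}
    patch=${patch:-0}

    if [ "$major" -ne 6 ]; then
        echo unaffected
        return 0
    fi

    # First patch level of each affected series that contains the fix.
    case $minor in
        1) fixed_at=37 ;;
        2) fixed_at="" ;;   # assumption: no fixed 6.2.x release listed
        3) fixed_at=11 ;;
        4) fixed_at=1 ;;
        *) echo unaffected; return 0 ;;
    esac

    if [ -n "$fixed_at" ] && [ "$patch" -ge "$fixed_at" ]; then
        echo fixed
    else
        echo affected
    fi
}

# Exit status 0 when the version is in the affected range, 1 otherwise,
# so the check can be used directly in an if statement.
stackrot_affected() {
    [ "$(stackrot_status "$1")" = affected ]
}

# With no arguments, check the running kernel; otherwise check each argument.
if [ $# -eq 0 ]; then
    set -- "$(uname -r)"
fi
for v in "$@"; do
    printf '%-24s %s\n' "$v" "$(stackrot_status "$v")"
done
```

Running it with no arguments checks the kernel you are booted into; passing several version strings (for example those reported by a fleet inventory) classifies each one. A result of `fixed` means the version string is at or above the backport the article names for that series; it does not verify that a distribution kernel with its own version suffix actually carries the patch, so distribution advisories remain the authoritative source for those builds.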