Peking University security researcher Ruihan Li reported a high-severity vulnerability to the Linux kernel security team on June 15th. The vulnerability dubbed ‘StackRot’ is a vulnerability that lies in the memory management subsystem of the Linux kernel. The vulnerability has been tracked under the CVE ID CVE-2023-3269, with a CVSS score of 7.8 which could allow an attacker to compromise the kernel and escalate their privileges on affected systems. According to the researcher, the flaw affects almost all kernel configurations and requires minimal capabilities to trigger. Since attackers can abuse this overwrite flaw to escalate privileges and inject code from unprivileged processes to privileged processes, It is highly recommended for all Linux users to quickly address this vulnerability. We published this post to help Linux users, who want to know how to fix CVE-2023-3269, StackRot Vulnerability in Linux Kernel.
Understanding CVE-2023-3269- StackRot Vulnerability
Before we jump into the technical details of the CVE-2023-3269- StackRot Vulnerability, let’s understand the Memory Management system, Virtual Memory Areas (VMA), Red-Black tree (rbtree), and Maple Tree in Linux Kernel.
Linux, as a virtual-memory system, uses a structure called Virtual Memory Areas (VMAs) to handle the address space for each process. VMAs represent contiguous blocks of address space and each represents a range of memory of a certain type. While VMAs appear contiguous to the process, the underlying physical memory may not be.
The operations on VMAs, such as lookups and modifications, need to be fast as they’re essential to system functionality. Currently, these VMAs are stored in a modified red-black tree (rbtree) with an added doubly-linked list to aid kernel traversal. However, this structure has several shortcomings: rbtrees aren’t effective at supporting ranges, handling them in a lockless manner is difficult, and rbtree traversal is inefficient.
To protect operations on VMAs, a lock is used, specifically a reader/writer semaphore, located within the struct mm_struct. This lock, known as mmap_lock, often leads to contention, especially with threaded applications on large systems. This issue has been discussed extensively among kernel developers.
To address these issues, developers have proposed a new data structure called a “maple tree”. This tree differs from rbtrees significantly as it belongs to the B-tree family, allowing its nodes to contain multiple elements. This structure requires less creation of new nodes, allows cache-aligned sizes leading to fewer cache misses, and enhances search support. Furthermore, maple trees are designed to operate in a lockless manner using read-copy-update (RCU). Initially, the maple tree will be used to replace the rbtrees and linked lists that currently manage VMAs.
We recommend visiting the below pages to learn more about the Memory Management system, Virtual Memory Areas (VMA), Red-Black tree (rbtree), and Maple Tree in Linux Kernel.
Summary of StackRot Vulnerability- CVE-2023-3269
|Associated CVE ID||CVE-2023-3269|
|Description||CVE-2023-3269, also known as StackRot, is a use-after-free vulnerability in the Linux kernel versions 6.1 to 6.4. This vulnerability occurs when the elimination of a gap triggers node replacement in the maple tree. The asynchronous freeing of the old node through an RCU callback, while pointers to the old node are still accessible, leads to a use-after-free vulnerability.|
|Associated ZDI ID||–|
|CVSS Score||7.8 High|
|Attack Vector (AV)||Local|
|Attack Complexity (AC)||High|
|Privilege Required (PR)||Low|
|User Interaction (UI)||None|
Since the data structure Maple Tree replaced Red-Black Tree from the version 6.1, this StackRot Vulnerability affects all the kernel versions starting from 6.1 through 6.4.
The vulnerability has been tracked under the CVE ID CVE-2023-3269, with a CVSS score of 7.8 out of 10 on the CVSS scale lies in the management of the virtual memory areas (VMAs), which is handled by a data structure called a “maple tree”. It appears that during stack expansion, node replacement in the maple tree can occur without properly acquiring the MM write lock. This flawed handling can lead to “use-after-free” (UAF) issues which eventually give way for an unprivileged local user to exploit this vulnerability to compromise the kernel, thereby escalating their privileges.
Kernel Versions Vulnerable to StackRot Vulnerability
The StackRot vulnerability (CVE-2023-3269) affects multiple versions of the Linux kernel. According to the researcher Ruihan Li, who discovered the vulnerability, StackRot affects Linux kernel versions from v6.1 all the way up to v6.4.We recommend all Linux admins and users check the version of the kernel your machine is currently running on. You can use this simple command to check the version of the kernel. Run the following command in the terminal:
$ uname -rs
If the output shows a kernel version between 6.1 to 6.4, then your system is potentially vulnerable to the StackRot vulnerability.
How to Fix CVE-2023-3269- StackRot Vulnerability in Linux Kernel?
Upon the researcher, Ruihan Li reported this vulnerability to the Linux kernel security team on June 15th, it took approximately two weeks for Linus Torvalds in addressing the vulnerability. On June 28th, during the merge window for Linux kernel 6.5, the fix was incorporated into Linus’ tree. Please read the detailed merge message explaining the patch series from a technical standpoint.
At the time of publishing this post, patches were applied to versions 6.1.37, 6.3.11, and 6.4.1. Follow this How-To procedure to update your kernel to the desired version.
Time needed: 10 minutes.
Note: Before you download and install it on your production server, we recommend testing this on a test machine. Don’t forget to take the full VM snapshot if are upgrading the kernel on a Virtual Image. Or, take the filesystem backup if you have a physical server.
- Check the kernel version
Before we start upgrading the kernel, it is a good practice to determine the version of the kernel running on the system. To check the kernel version, open the terminal and type the following command:
$ uname -rs
The output of the command will show the current kernel version installed on the system.
- Download kernel packages v6.4
Download the kernel packages directly from the kernel.ubuntu.com website. Download the latest version available (At the bottom) from the website to a dedicated directory. Change the permission of the files to execute.
Create a directory in your path:
$ mkdir /home/arunkl/kernel-6.4.1
Change the directory:
$ cd /home/arunkl/kernel-6.4.1/
Download these two files (where X.Y.Z is the patched version):
Commands to download the kernel v6.4.1
Run this command to set the file’s permission to execution mode:
$ chmod +x *.deb
- Install kernel Packages v6.4
Install the downloaded packages using the default dpkg utility then reboot the server.
$ sudo dpkg –-install *.deb
- Check the kernel version after the reboot
Use the same command used in the first step. You will see an upgraded kernel version if everything goes well.