How to Fix CVE-2023-3269- StackRot Vulnerability in Linux Kernel?

Peking University security researcher Ruihan Li reported a high-severity vulnerability to the Linux kernel security team on June 15th. The vulnerability dubbed ‘StackRot’ is a vulnerability that lies in the memory management subsystem of the Linux kernel. The vulnerability has been tracked under the CVE ID CVE-2023-3269, with a CVSS score of 7.8 which could allow an attacker to compromise the kernel and escalate their privileges on affected systems. According to the researcher, the flaw affects almost all kernel configurations and requires minimal capabilities to trigger. Since attackers can abuse this overwrite flaw to escalate privileges and inject code from unprivileged processes to privileged processes, It is highly recommended for all Linux users to quickly address this vulnerability. We published this post to help Linux users, who want to know how to fix CVE-2023-3269, StackRot Vulnerability in Linux Kernel.

Understanding CVE-2023-3269- StackRot Vulnerability

Before we jump into the technical details of the CVE-2023-3269- StackRot Vulnerability, let’s understand the Memory Management system, Virtual Memory Areas (VMA), Red-Black tree (rbtree), and Maple Tree in Linux Kernel.

Linux, as a virtual-memory system, uses a structure called Virtual Memory Areas (VMAs) to handle the address space for each process. VMAs represent contiguous blocks of address space and each represents a range of memory of a certain type. While VMAs appear contiguous to the process, the underlying physical memory may not be.

The operations on VMAs, such as lookups and modifications, need to be fast as they’re essential to system functionality. Currently, these VMAs are stored in a modified red-black tree (rbtree) with an added doubly-linked list to aid kernel traversal. However, this structure has several shortcomings: rbtrees aren’t effective at supporting ranges, handling them in a lockless manner is difficult, and rbtree traversal is inefficient.

See also  10 Most Prevalent Cyber Attacks And How You Should Protect Your Website From These Cyberattacks?

To protect operations on VMAs, a lock is used, specifically a reader/writer semaphore, located within the struct mm_struct. This lock, known as mmap_lock, often leads to contention, especially with threaded applications on large systems. This issue has been discussed extensively among kernel developers.

To address these issues, developers have proposed a new data structure called a “maple tree”. This tree differs from rbtrees significantly as it belongs to the B-tree family, allowing its nodes to contain multiple elements. This structure requires less creation of new nodes, allows cache-aligned sizes leading to fewer cache misses, and enhances search support. Furthermore, maple trees are designed to operate in a lockless manner using read-copy-update (RCU). Initially, the maple tree will be used to replace the rbtrees and linked lists that currently manage VMAs.

We recommend visiting the below pages to learn more about the Memory Management system, Virtual Memory Areas (VMA), Red-Black tree (rbtree), and Maple Tree in Linux Kernel.

Summary of StackRot Vulnerability- CVE-2023-3269

Associated CVE ID CVE-2023-3269
Description CVE-2023-3269, also known as StackRot, is a use-after-free vulnerability in the Linux kernel versions 6.1 to 6.4. This vulnerability occurs when the elimination of a gap triggers node replacement in the maple tree. The asynchronous freeing of the old node through an RCU callback, while pointers to the old node are still accessible, leads to a use-after-free vulnerability.
Associated ZDI ID
CVSS Score 7.8 High
Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV) Local
Attack Complexity (AC) High
Privilege Required (PR) Low
User Interaction (UI) None
Scope Changed
Confidentiality (C) High
Integrity (I) High
availability (a) High

Since the data structure Maple Tree replaced Red-Black Tree from the version 6.1, this StackRot Vulnerability affects all the kernel versions starting from 6.1 through 6.4.

See Also  How to Patch Four New Vulnerabilities in VMWare Workstation and Fusion?

The vulnerability has been tracked under the CVE ID CVE-2023-3269, with a CVSS score of 7.8 out of 10 on the CVSS scale lies in the management of the virtual memory areas (VMAs), which is handled by a data structure called a “maple tree”. It appears that during stack expansion, node replacement in the maple tree can occur without properly acquiring the MM write lock. This flawed handling can lead to “use-after-free” (UAF) issues which eventually give way for an unprivileged local user to exploit this vulnerability to compromise the kernel, thereby escalating their privileges.

See also  Top 6 Programming Languages for Hackers and Pentesters!

Kernel Versions Vulnerable to StackRot Vulnerability

The StackRot vulnerability (CVE-2023-3269) affects multiple versions of the Linux kernel. According to the researcher Ruihan Li, who discovered the vulnerability, StackRot affects Linux kernel versions from v6.1 all the way up to v6.4.We recommend all Linux admins and users check the version of the kernel your machine is currently running on. You can use this simple command to check the version of the kernel. Run the following command in the terminal:

$ uname -rs

If the output shows a kernel version between 6.1 to 6.4, then your system is potentially vulnerable to the StackRot vulnerability.

How to Fix CVE-2023-3269- StackRot Vulnerability in Linux Kernel?

Upon the researcher, Ruihan Li reported this vulnerability to the Linux kernel security team on June 15th, it took approximately two weeks for Linus Torvalds in addressing the vulnerability. On June 28th, during the merge window for Linux kernel 6.5, the fix was incorporated into Linus’ tree. Please read the detailed merge message explaining the patch series from a technical standpoint.

At the time of publishing this post, patches were applied to versions 6.1.37, 6.3.11, and 6.4.1. Follow this How-To procedure to update your kernel to the desired version.

Time needed: 10 minutes.

Note: Before you download and install it on your production server, we recommend testing this on a test machine. Don’t forget to take the full VM snapshot if are upgrading the kernel on a Virtual Image. Or, take the filesystem backup if you have a physical server.

  1. Check the kernel version

    Before we start upgrading the kernel, it is a good practice to determine the version of the kernel running on the system. To check the kernel version, open the terminal and type the following command:

    $ uname -rs

    The output of the command will show the current kernel version installed on the system.

    Check the kernel version

  2. Download kernel packages v6.4

    Download the kernel packages directly from the website. Download the latest version available (At the bottom) from the website to a dedicated directory. Change the permission of the files to execute.

    Create a directory in your path:

    $ mkdir /home/arunkl/kernel-6.4.1

    Change the directory:

    $ cd /home/arunkl/kernel-6.4.1/

    Download these two files (where X.Y.Z is the patched version):

    1. linux-image-*X.Y.Z*-generic-*.deb
    2. linux-modules-X.Y.Z*-generic-*.deb

    Commands to download the kernel v6.4.1

    $ wget

    $ wget

    Run this command to set the file’s permission to execution mode:

    $ chmod +x *.deb

    Download kernel packages v6.4

  3. Install kernel Packages v6.4

    Install the downloaded packages using the default dpkg utility then reboot the server.

    $ sudo dpkg –-install *.deb

    $ reboot

    Install kernel Packages v6.4

  4. Check the kernel version after the reboot

    Use the same command used in the first step. You will see an upgraded kernel version if everything goes well.

    heck the kernel version after reboot

Leave a Reply

Your email address will not be published. Required fields are marked *