StackRot Linux Kernel Bug Has Exploit Code on the Way

Linus Torvalds led a Linux kernel team in developing a set of patches for the privilege escalation flaw.

Exploit code will soon become available for a critical vulnerability in the Linux kernel that a security researcher discovered and reported to Linux administrators in mid-June.

The bug, which the researcher labeled StackRot (CVE-2023-3269), affects Linux kernel 6.1 through 6.4 and gives attackers a way to escalate privileges on affected systems.

Affects All Linux Configurations

Security researcher Ruihan Li of Peking University in China discovered the vulnerability and described it this week as affecting almost all Linux kernel configurations and requiring minimal capabilities to trigger.

A response team, led by Linux creator Linus Torvalds, worked about two weeks on developing a set of patches to address the vulnerability. 

"On June 28th, during the merge window for Linux kernel 6.5, the fix was merged into Linus' tree," Li said in a GitHub post announcing his discovery. "Linus provided a comprehensive merge message to elucidate the patch series from a technical perspective," Li noted.

The patches have since been backported to kernels 6.1.37, 6.2.11, and 6.4.1, "effectively resolving the 'StackRot' bug on July 1," Li wrote. "The complete exploit code and a comprehensive write-up will be made publicly available no later than the end of July."

StackRot pertains to the Linux kernel's handling of stack expansion, a mechanism for automatically growing or expanding the stack memory of a running process.

The data structure for managing virtual memory spaces in the Linux kernel handles a particular memory management function in a manner that results in use-after-free-by-RCU (UAFBR) issues, Li said. UAFBR flaws combine the use-after-free vulnerability with what is known as the Read-Copy-Update (RCU) mechanism in the Linux kernel for synchronizing the use of shared data.

Use-after-free is a type of vulnerability where a software program continues to use a memory reference after it has been deallocated or freed. This gives attackers a way to insert arbitrary code into the freed but still used memory space. "An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges," Li said. The Linux kernel uses the RCU mechanism to free or deallocate used memory space.

While UAFBR vulnerabilities can be dangerous, they are not easy to exploit because of a certain delay that happens with memory deallocation when memory spaces are freed using RCU callbacks, Li explained.

First-of-Its-Kind Exploit

The researcher described the exploit for StackRot as likely the first to successfully exploit a UAFBR bug. "To the best of my knowledge, there are currently no publicly available exploits targeting use-after-free-by-RCU bugs," Li said. "This marks the first instance where UAFBR bugs have been proven to be exploitable."

The Linux kernel team's fix for the flaw, an effort led by Torvalds, basically modifies the kernel's user-mode stack expansion code to prevent the use-after-free condition from happening.

"It's actually something we always technically should have done," Torvalds said in a GitHub post. "But because we didn't strictly need [it], we were being lazy ('opportunistic' sounds so much better, doesn't it?) about things."

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
