StackRot Linux Kernel Bug Has Exploit Code on the Way

Linus Torvalds led a Linux kernel team in developing a set of patches for the privilege escalation flaw.

3 Min Read
LINUX word on cubes on a blue background
Source: Zhanna Hapanovich via Shutterstock

Exploit code will soon become available for a critical vulnerability in the Linux kernel that a security researcher discovered and reported to Linux administrators in mid-June.

The bug, which the researcher labeled StackRot (CVE-2023-3269), affects Linux kernel 6.1 through 6.4 and gives attackers a way to escalate privileges on affected systems.

Affects All Linux Configurations

Security researcher Ruihan Li of Peking University in China discovered the vulnerability and described it this week as affecting almost all Linux kernel configurations and requiring minimal capabilities to trigger.

A response team, led by Linux creator Linus Torvalds, worked about two weeks on developing a set of patches to address the vulnerability. 

"On June 28th, during the merge window for Linux kernel 6.5, the fix was merged into Linus' tree," Li said in a GitHub post announcing his discovery. "Linus provided a comprehensive merge message to elucidate the patch series from a technical perspective," Li noted.

The patches have since been backported to kernels 6.1.37, 6.2.11, and 6.4.1, "effectively resolving the 'StackRot' bug on July 1," Li wrote. "The complete exploit code and a comprehensive write-up will be made publicly available no later than the end of July."

StackRot pertains to the Linux kernel's handing of stack expansion, a mechanism for automatically growing or expanding the stack memory of a running process.

The data structure for managing virtual memory spaces in the Linux kernel handles a particular memory management function in a manner that results in use-after-free-by-RCU (UAFBR) issues, Li said. UAFBR flaws combine the use-after-free vulnerability with what is known as the Read-Copy-Update (RCU) mechanism in the Linux kernel for synchronizing the use of shared data.

Use-after-free is a type of vulnerability where a software program continues to use a memory reference after it has been deallocated or freed. This gives attackers a way to insert arbitrary code into the freed but still used memory space. "An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges," Li said. The Linux kernel uses the RCU mechanism to free or deallocate used memory space.

While UAFBR vulnerabilities can be dangerous, they are not easy to exploit because of a certain delay that happens with memory deallocation when memory spaces are freed using RCU callbacks, Li explained.

First-of-Its-Kind Exploit

The researcher described the exploit for StackRot as likely the first to successfully exploit a UAFBR bug. "To the best of my knowledge, there are currently no publicly available exploits targeting use-after-free-by-RCU bugs," Li said. "This marks the first instance where UAFBR bugs have been proven to be exploitable."

The Linux kernel teams fix for the flaw — led by Torvalds — basically modifies the kernel's user mode stack expansion code to prevent the use-after-free condition from happening.

"It's actually something we always technically should have done," Torvalds said in a GitHub post. "But because we didn't strictly need [it], we were being lazy ('opportunistic' sounds so much better, doesn't it?) about things."

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights