If you are a Linux user, you may have heard about a new vulnerability that affects the Linux kernel versions 6.1 to 6.4. The vulnerability, dubbed StackRot (CVE-2023-3269), is a use-after-free bug that can be exploited by an unprivileged local user to compromise the kernel and escalate their privileges. This can lead to serious security issues, such as data breaches, ransomware infections, or identity theft. In this article, we will explain what StackRot is, how it works, how to exploit it, and how to patch it.
What is StackRot and how does it work?
StackRot is a vulnerability that stems from a flaw in the maple tree data structure that manages virtual memory areas (VMAs) in the Linux kernel. VMAs are structures that store information about memory mappings, such as flags, properties, and permissions. The maple tree is responsible for fast lookup of VMAs based on the address.
The flaw occurs when the maple tree undergoes node replacement without properly acquiring the memory management (MM) write lock. This can lead to a scenario known as use-after-free, where the system tries to use memory space that has already been freed up for use elsewhere. This can cause unpredictable behavior and potential security issues.
An attacker can exploit this flaw by triggering a page fault or a memory-related system call that causes the maple tree to replace a node. Then, the attacker can wait for the node to be freed by a technique called RCU (Read Copy Update) callbacks, which delays the actual memory deallocation until after a period called the RCU grace period. Finally, the attacker can use another system call to allocate memory in the same space as the freed node and overwrite its contents with malicious code.
How to exploit StackRot?
Exploiting StackRot is not easy, as it requires precise timing and knowledge of the kernel internals. The attacker needs to know when the RCU grace period ends and when the node is freed. The attacker also needs to know how to craft malicious code that can execute in kernel mode and bypass security mechanisms.
To demonstrate the exploitability of StackRot, security researcher Ruihan Li has developed a proof-of-concept exploit code that works on Linux kernel 6.1.25 with CONFIG_PREEMPT and CONFIG_SLAB_MERGE_DEFAULT settings enabled. The exploit code has been successfully tested in the environment provided by Google kCTF VRP (Virtual Reward Program).
The exploit code consists of three parts:
- A user-space program that triggers the page fault and allocates memory in user space.
- A kernel module that triggers the memory-related system call and allocates memory in kernel space.
- A shellcode that runs in kernel mode and elevates privileges.
The exploit code works as follows:
- The user-space program triggers a page fault by accessing an unmapped address. This causes the maple tree to replace a node with a new one.
- The user-space program allocates memory in user space using mmap() and fills it with NOP instructions and shellcode.
- The kernel module triggers a memory-related system call by calling mprotect.
- The kernel module allocates memory in kernel space using kmalloc() and fills it with a pointer to the user-space memory.
- The kernel module waits for the RCU grace period to end and the node to be freed.
- The kernel module calls another system call to allocate memory in the same space as the freed node and overwrite its contents with the pointer to the user-space memory.
- The kernel module triggers another page fault by accessing the same unmapped address as before. This causes the maple tree to look up the VMA using the overwritten node.
- The kernel executes the NOP instructions and shellcode in user space, which elevates privileges and spawns a root shell.
How to patch StackRot?
The good news is that StackRot has been patched by the Linux kernel developers since July 1st. The patch involves removing the LSA protection UI from the Device security settings, as it is not needed for most users. The patch has been backported to stable kernels (6.1.37, 6.3.11, and 6.4.1).
To apply the patch, you need to update your Linux kernel to the latest version available for your distribution. You can use your package manager or download the kernel source code and compile it yourself. You can also check if your distribution has released a security update that includes the patch.
To verify if your kernel is patched, you can use the following command:
This will show you the kernel version that you are running. If it is higher than or equal to 6.1.37, 6.3.11, or 6.4.1, then you are safe from StackRot.
StackRot is a new vulnerability that affects the Linux kernel versions 6.1 to 6.4. It is a use-after-free bug in the maple tree data structure that manages virtual memory areas. It can be exploited by an unprivileged local user to compromise the kernel and escalate their privileges.
Exploiting StackRot is challenging, as it requires precise timing and knowledge of the kernel internals. However, a proof-of-concept exploit code has been developed and tested by a security researcher, proving that StackRot is indeed exploitable.
StackRot has been patched by the Linux kernel developers since July 1st. The patch involves removing the LSA protection UI from the Device security settings, as it is not needed for most users. To apply the patch, you need to update your Linux kernel to the latest version available for your distribution.
We hope this article helped you understand what StackRot is and how to protect your Linux system from it. If you have any questions or feedback, please let us know in the comments below. And don’t forget to share this article with your friends and family who use Linux devices 🙌