A newly identified vulnerability in the Linux kernel can allow an unprivileged user to gain elevated privileges on a target machine. The bug has been present since version 6.1, and fixes for it have been merged into the affected Linux trees.
The vulnerability (CVE-2023-3269) is complex and the researcher who discovered it said that exploiting the bug is not a simple feat. The bug is a specific kind of use-after-free flaw known as a use-after-free-by-RCU, and Ruihan Li, who discovered the vulnerability, said this is the first known instance of this type of vulnerability being shown to be exploitable in certain circumstances.
“A flaw was found in the handling of stack expansion in the Linux kernel 6.1 through 6.4, aka ‘Stack Rot’. The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues. An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges,” Li said in the advisory.
“As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger. However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging.”
Li reported the StackRot bug to the Linux kernel security team in June and a patch for it was merged to the affected kernel versions on July 1.
“The RCU callback is invoked only after all pre-existing RCU critical sections have concluded. However, the issue arises when accessing VMAs, as only the MM read lock is held, and it does not enter the RCU critical section. Consequently, in theory, the callback could be invoked at any time, resulting in the freeing of the old maple node. However, pointers to the old node may have already been fetched, leading to a use-after-free bug when attempting subsequent access to it,” the advisory says.
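The ordering problem the advisory describes can be shown with a small userspace model. This is an added example, not code from the advisory, from Li, or from the kernel: it is single-threaded, every `model_*` name is hypothetical, and a `freed` flag stands in for the real deallocation so nothing is actually dereferenced after being freed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy single-threaded model, constructed for illustration; not kernel code. */
struct node { int value; bool freed; };
/* readers_in_cs: readers inside an RCU read-side critical section.
 * pending: old node queued for freeing by an RCU callback. */
struct rcu_model { int readers_in_cs; struct node *pending; };

static void model_rcu_read_lock(struct rcu_model *r)   { r->readers_in_cs++; }
static void model_rcu_read_unlock(struct rcu_model *r) { r->readers_in_cs--; }

/* Writer replaces the node and queues the old one, as in maple node replacement. */
static void model_replace(struct rcu_model *r, struct node **slot, struct node *new_node)
{
    r->pending = *slot;
    *slot = new_node;
}

/* The callback runs only once no pre-existing critical section remains. */
static bool model_try_grace_period(struct rcu_model *r)
{
    if (r->readers_in_cs > 0 || !r->pending) return false;
    r->pending->freed = true;   /* stands in for the real deallocation */
    r->pending = NULL;
    return true;
}

/* Returns true if the reader's later access lands on an already-freed node. */
bool reader_hits_freed_node(bool reader_enters_rcu)
{
    struct node old_node = { 1, false }, new_node = { 2, false };
    struct node *slot = &old_node;
    struct rcu_model rcu = { 0, NULL };
    if (reader_enters_rcu) model_rcu_read_lock(&rcu);
    struct node *fetched = slot;            /* reader fetches the pointer */
    model_replace(&rcu, &slot, &new_node);  /* writer swaps in a new node */
    model_try_grace_period(&rcu);           /* callback may be invoked now */
    bool stale = fetched->freed;            /* reader's subsequent access */
    if (reader_enters_rcu) {
        model_rcu_read_unlock(&rcu);
        model_try_grace_period(&rcu);       /* freeing was deferred to here */
    }
    return stale;
}

int main(void)
{
    printf("read lock only:     stale=%d\n", reader_hits_freed_node(false));
    printf("inside RCU section: stale=%d\n", reader_hits_freed_node(true));
}
```

A reader that holds only a lock the grace-period logic does not track gets no protection from the deferred free, which is the gap the advisory describes for VMA access under the MM read lock.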
Li did not publish an exploit for the vulnerability but plans to do so by the end of July.