StackRot: Linux Bug so bad Linus Dives Into Code to Fix It

Torvalds feels the pressure, fixes lazy locks.

A critical vulnerability in the Linux kernel caused Linus Torvalds (pictured) to get his hands dirty. Late last month, a flurry of patches appeared with said honcho’s name attached. Let’s just say: Eyebrows were raised.

Only now do we know why. In today’s SB Blogwatch, we race to condition that hair.


Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: A song made of artists singing “Hey.”

Maple Tree Side Effects

What’s the craic? Bill Toulas reports—“New StackRot Linux kernel flaw allows privilege escalation”:

Linux versions 6.1 through 6.4
A serious vulnerability affecting multiple Linux kernel versions … could be triggered with “minimal capabilities.” [It] is being referred to as StackRot … and can be used to compromise the kernel and elevate privileges.

Creating a fix took almost two weeks due to its complexity, and Linus Torvalds led the effort. [StackRot] affects the kernel’s memory management subsystem—a component in charge of implementing the virtual memory and demand paging, memory allocation for the kernel’s needs and the user space programs, as well as mapping files into the processes’ address space.

StackRot impacts all kernel configurations on Linux versions 6.1 through 6.4. … 6.1 has been approved as the long-term support (LTS) version since February. However, not all major Linux distributions have adopted it. For instance, Ubuntu 22.04.2 LTS … ships with Linux kernel version 5.19. On the other hand, Debian 12 … comes with Linux kernel 6.1.

Good that it was caught before it was exploited. Jai Vijayan urges no breath-holding—“Exploit Code on the Way”:

Exploit code will soon become available for a critical vulnerability in the Linux kernel. … A response team, led by Linux creator Linus Torvalds, worked about two weeks on developing a set of patches [which] have since been backported to kernels 6.1.37, 6.2.11, and 6.4.1.

StackRot pertains to the Linux kernel’s handling of stack expansion, a mechanism for automatically growing or expanding the stack memory of a running process. [The] fix for the flaw … modifies the kernel’s user mode stack expansion code to prevent the use-after-free condition from happening.

Horse’s mouth? Ruihan Li—“CVE-2023-3269”:

Essential vulnerability details
The StackRot vulnerability has been present in the Linux kernel since version 6.1 when the VMA tree structure was changed from red-black trees to maple trees. … Maple trees are RCU-safe [but] their intricate nature adds complexity to the codebase and introduces the … vulnerability.

The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues. An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges.

In compliance with the policy of the linux-distros list … all the essential vulnerability details have been provided here. The complete exploit code … will be made publicly available no later than the end of July.

What did our favorite Finnish kernel captain do? Linus Torvalds avoids swearing—“Merge branch ‘expand-stack’”:

It’s a bit painful
This modifies our user mode stack expansion code to always take the mmap_lock for writing. … It’s actually something we always technically should have done, but because we didn’t strictly need it, we were being lazy … until Ruihan Li pointed out that now that the vma layout uses the maple tree code … the locking really is broken. Oops.

It’s a bit painful. … I want to actually move all the stack expansion code to a whole new file of its own … but since this will have to be backported to the initial maple tree vma introduction anyway, I tried to keep the patches fairly minimal.

This explains the unexplained pile of patches two weeks ago. stormcrow can see clearly from atop Linus’s shoulders:

You know it’s important when the King (I use the term platonic-affectionately as a benevolent dictator) takes a hand at fixing the problem rather than leaving it to others.

Crisis averted? u/IAmAnAudity agrees:

So glad to have Ruihan and Linus on this so quickly.

Wait. Pause. How big of a deal is this, really? redback contextualizes thuswise:

A serious bug in a major component in a common operating system. It’s certainly … newsworthy.

Well, OK then—check your kernel patch levels. But heed this warning from Aissen:

FYI, there are already follow-up patches in 6.1.38, 6.3.12 and 6.4.2. This is often the case when bugfixes happen in a rush and with limited testing. So if you haven’t started integrating, just make the jump to the latest version.
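A quick way to act on that advice is to compare the running kernel against the release levels the quoted sources name. The script below is an added example (not code from the article, from Aissen, or from the kernel project): it strips a `uname -r` string down to its numeric prefix and checks the 6.1 to 6.4 series against the follow-up releases Aissen lists (6.1.38, 6.3.12, 6.4.2) and, for 6.2, the only fixed version the page mentions (6.2.11). Treating every series outside 6.1 to 6.4 as unaffected, and using those particular versions as the recommended minimum, are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): classify a kernel version string against
# the StackRot (CVE-2023-3269) fix levels quoted above.
# Assumption: minimum recommended patch level per 6.x series, taken from the
# quotes: 6.1.38, 6.3.12 and 6.4.2 (follow-up releases), 6.2.11 (only 6.2 fix named).

min_patch_for_minor() {
    case "$1" in
        1) echo 38 ;;
        2) echo 11 ;;
        3) echo 12 ;;
        4) echo 2 ;;
        *) echo "" ;;   # not an affected series (assumption: only 6.1-6.4 affected)
    esac
}

# kernel_status VERSION -> prints "unaffected", "update" or "ok"
kernel_status() {
    # keep only the leading dotted numeric part: "6.4.2-arch1" -> "6.4.2"
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # "6.4" has no patch component, so rest == minor and patch must be 0
    [ "$patch" = "$rest" ] && patch=0
    # "6.4.2.1" style strings: keep only the third component
    patch=${patch%%.*}
    case "$major" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$minor" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$major" -ne 6 ]; then echo unaffected; return 0; fi
    need=$(min_patch_for_minor "$minor")
    if [ -z "$need" ]; then echo unaffected; return 0; fi
    if [ "$patch" -ge "$need" ]; then echo ok; else echo update; fi
}

# Usage: ./stackrot-check.sh --self   (checks the kernel this shell runs on)
if [ "${1:-}" = "--self" ]; then
    printf '%s: %s\n' "$(uname -r)" "$(kernel_status "$(uname -r)")"
fi
```

The output `update` means the kernel is in an affected series but below the follow-up release Aissen recommends jumping to; it deliberately does not try to distinguish an unpatched kernel from one carrying only the initial fix, since the page does not name the first fixed release for every series. Distribution kernels that backport fixes without bumping the upstream version string will still show as `update`, so treat the result as a prompt to check your vendor's advisory rather than a verdict.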

Meanwhile, Radtraveller wonders who watches the watchers:

So … who vets and approves Linus’s changes?

And Finally:

Albert and friends

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Paul Fenwick (cc:by-sa; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
