Linux Kernel version 6.3 has officially reached its end of life. But before you panic, let’s talk about what this means for you and your Linux system. It’s time for an upgrade!
The Linux community faces a critical moment: Linux Kernel 6.3 has reached its end of life just as a significant vulnerability has been discovered. Thanks to the prompt action of the Linux kernel team, patches have been developed and backported to the supported kernel series. Users should heed the call to upgrade to Linux 6.4 to safeguard their systems from potential attacks.
The announcement comes amidst the discovery of a critical vulnerability, dubbed StackRot (CVE-2023-3269), that affects Linux kernel versions 6.1 through 6.4. Attackers can exploit this vulnerability to escalate privileges on compromised systems.
Security researcher Ruihan Li of Peking University in China uncovered the vulnerability, describing it as a pervasive issue that affects almost all Linux kernel configurations. Li emphasized that triggering the vulnerability requires minimal capabilities, making it a concerning threat to Linux users.
In response to the discovery, a dedicated team, led by Linux creator Linus Torvalds, worked tirelessly for two weeks to develop a set of patches addressing the vulnerability. The fix was merged into Linus’ tree during the merge window for Linux kernel 6.5 on June 28th. Li stated about the fix, “The complete exploit code and a comprehensive write-up will be made publicly available no later than the end of July.”
StackRot revolves around the Linux kernel’s handling of stack expansion—the mechanism that automatically grows the stack memory of a running process on demand. According to Li, the flaw arises in a memory management function operating on the kernel data structure that tracks a process’s virtual memory areas. The result is a use-after-free-by-RCU (UAFBR) issue: a classic use-after-free whose timing is governed by Read-Copy-Update (RCU), the kernel’s mechanism for synchronizing access to shared data.
Use-after-free vulnerabilities are serious because they let an attacker place controlled data into memory that has been freed but is still referenced by the kernel. Exploiting a UAFBR variant is harder than an ordinary use-after-free, because RCU callbacks delay the actual deallocation until a grace period has elapsed. StackRot is notable as a first-of-its-kind successful exploitation of such a bug: according to Li, no exploits targeting use-after-free-by-RCU bugs had previously been made public.
To address the vulnerability, the Linux kernel team, spearheaded by Torvalds, modified the kernel’s user mode stack expansion code to prevent the occurrence of the use-after-free condition. Torvalds admitted, “It’s actually something we always technically should have done, but because we didn’t strictly need [it], we were being lazy (‘opportunistic’ sounds so much better, doesn’t it?) about things.”
As a result of these efforts, the patches were backported to kernels 6.1.37, 6.2.11, and 6.4.1, resolving the StackRot bug in those series on July 1st. Linux Kernel 6.3, however, has reached its end of life and will receive no fix, so users still running it are strongly encouraged to upgrade to Linux 6.4, which includes the necessary patches.
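For administrators checking a fleet, the practical question is whether a given `uname -r` string falls inside the affected window the article describes (6.1 through 6.4) and below the first fixed point release (6.1.37, 6.2.11, 6.4.1; no fix for the end-of-life 6.3 series). The following script is an added example written for this page, not code from the article or the kernel project; it uses only the version numbers quoted above and a few constructed sample release strings. It compares mainline version numbers only, which is an assumption worth noting: distribution kernels often carry the backported fix under a lower-looking version string (for example Debian's `6.1.0-*` naming), so a "vulnerable" result is a prompt to consult the distribution's own advisory rather than a final verdict.

```python
import platform
import re

# Figures taken from the article: StackRot (CVE-2023-3269) affects mainline
# 6.1 through 6.4; fixes were backported to 6.1.37, 6.2.11 and 6.4.1.
# The 6.3 series is end-of-life and receives no fix.
AFFECTED_MINORS = {1, 2, 3, 4}
FIRST_FIXED_PATCH = {1: 37, 2: 11, 4: 1}  # minor -> first patch release with the fix

# Leading major.minor[.patch]; the rest of a `uname -r` string (e.g. "-1-amd64") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a kernel release string such as '6.1.38-1-amd64'."""
    match = _VERSION_RE.match(release.strip())
    if not match:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def stackrot_status(release: str) -> str:
    """Classify a mainline kernel version against the StackRot fix timeline.

    Returns one of:
      'not-in-affected-range'  - outside 6.1..6.4 (e.g. 5.15, 6.0, 6.5)
      'patched'                - at or above the first fixed point release
      'vulnerable'             - affected series, before the fixed point release
      'vulnerable-eol'         - 6.3 series: affected and no fix will be issued
    Assumption: the string is a mainline/stable version, not a distro-backported kernel.
    """
    major, minor, patch = parse_kernel_version(release)
    if major != 6 or minor not in AFFECTED_MINORS:
        return "not-in-affected-range"
    if minor == 3:
        return "vulnerable-eol"
    if patch >= FIRST_FIXED_PATCH[minor]:
        return "patched"
    return "vulnerable"


def is_affected(release: str) -> bool:
    """True when the version needs an upgrade according to the article's figures."""
    return stackrot_status(release).startswith("vulnerable")


def summarise(releases: list[str]) -> dict[str, str]:
    """Map each release string to its status; handy for a fleet inventory."""
    return {r: stackrot_status(r) for r in releases}


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts) covering every branch of the check.
    sample_inventory = [
        "5.15.100", "6.0.19", "6.1.36", "6.1.37-1-amd64",
        "6.2.10", "6.2.11", "6.3.13-generic", "6.4.0", "6.4.1", "6.5.0-rc1",
    ]
    for release, status in summarise(sample_inventory).items():
        print(f"{release:<20} {status}")
    # Check the machine this script runs on; platform.release() returns `uname -r` on Linux.
    local = platform.release()
    print(f"local kernel {local}: {stackrot_status(local)}")
```

Run it on each host (or feed it the output of a `uname -r` inventory) and treat any `vulnerable` or `vulnerable-eol` entry as a candidate for the upgrade to 6.4.1 or later that the article recommends, after confirming against the distribution's advisory for backported kernels.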