Bug 2215268 (CVE-2023-3269)

Summary: CVE-2023-3269 kernel: distros-[DirtyVMA] Privilege escalation via non-RCU-protected VMA traversal
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, allarkin, aquini, bhu, chwhite, crwood, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, kpatch-maint, ldoskova, lgoncalv, lleshchi, lzampier, nmurray, ptalbert, qzhao, rhandlin, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, security-response-team, tglozar, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote, ymankad
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability exists in the memory management subsystem of the Linux kernel. The lock handling for accessing and updating virtual memory areas (VMAs) is incorrect, leading to use-after-free problems. This issue can be successfully exploited to execute arbitrary kernel code, escalate containers, and gain root privileges.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-07-05 23:01:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2219916, 2221550, 2221551, 2221552, 2221553, 2221554, 2221555, 2221556, 2221557, 2221558    
Bug Blocks: 2215253    

Description Rohit Keshri 2023-06-15 09:04:00 UTC 
A vulnerability exists in the memory management subsystem of the Linux kernel. The lock handling for accessing and updating virtual memory areas (VMAs) is incorrect, leading to use-after-free problems. This issue can be successfully exploited to execute arbitrary kernel code, escalate containers, and gain root privileges. 

The BUG is introduced in conjunction with the introduction of the maple tree in kernel v6.1.

The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues.

Upstream fix:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9471f1f2f50282b9e8f59198ec6bb738b4ccc009
Comment 1 Guilherme de Almeida Suckevicz 2023-07-05 18:35:25 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2219916]
Comment 2 Product Security DevOps Team 2023-07-05 23:01:14 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-3269
Comment 3 Rohit Keshri 2023-07-07 15:30:52 UTC 
There was no shipped RHEL kernel seen affected with this problem.

The StackRot vulnerability has been present in the Linux kernel since version 6.1 when the VMA tree structure was changed from red-black trees to maple trees.