CVE-2021-36084 Overview
CVE-2021-36084 is a use-after-free vulnerability in the CIL (Common Intermediate Language) compiler component of SELinux 3.2. The flaw exists within the __cil_verify_classperms function, which is called from __cil_verify_classpermission and __cil_pre_verify_helper. This memory corruption vulnerability could allow an attacker with local access to cause a denial of service condition by providing specially crafted CIL policy files that trigger the use-after-free condition during policy compilation.
Critical Impact
Local attackers can exploit this use-after-free vulnerability in SELinux's CIL compiler to cause application crashes and potential denial of service when processing malicious CIL policy files.
Affected Products
- SELinux Project SELinux version 3.2
- Fedora Project Fedora 35
- Systems utilizing SELinux CIL compiler for policy compilation
Discovery Timeline
- 2021-07-01 - CVE-2021-36084 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2021-36084
Vulnerability Analysis
This vulnerability is classified as CWE-416 (Use After Free), a memory corruption issue where memory is accessed after it has been freed. In the context of SELinux's CIL compiler, the vulnerable code path involves the __cil_verify_classperms function which improperly handles memory associated with class permissions lists during policy verification. When processing certain CIL policy constructs, the compiler may attempt to access memory that has already been deallocated, leading to undefined behavior.
The vulnerability was discovered through automated fuzzing by OSS-Fuzz (Issue #31065), which identified the problematic memory access pattern in the CIL policy verification routines. The attack requires local access and user interaction (processing a malicious CIL file), limiting its immediate exploitability but still presenting a risk in environments where CIL policies are compiled from untrusted sources.
Root Cause
The root cause lies in improper memory management within the cil_reset_classpermission function in libsepol/cil/src/cil_reset_ast.c. When resetting a class permission structure, the original code called cil_reset_classperms_list() which would reset the list contents but leave the list structure intact. This created a situation where the classperms list could be used after its contents had been effectively invalidated, causing the use-after-free condition when the verification functions attempted to traverse the list.
Attack Vector
The attack vector is local, requiring an attacker to supply a maliciously crafted CIL policy file to the SELinux CIL compiler. The exploitation scenario involves:
- Crafting a CIL policy file that triggers the vulnerable code path in __cil_verify_classperms
- Having the target system process this file through the CIL compiler (secilc or integrated policy compilation)
- The use-after-free condition is triggered during policy verification, causing memory corruption
The following patch demonstrates how the SELinux project addressed this vulnerability:
return;
}
- cil_reset_classperms_list(cp->classperms);
+ cil_list_destroy(&cp->classperms, CIL_FALSE);
}
static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
Source: GitHub SELinux Commit
The fix replaces the cil_reset_classperms_list() call with cil_list_destroy(), which properly destroys the classperms list and its associated memory, preventing the use-after-free condition from occurring.
Detection Methods for CVE-2021-36084
Indicators of Compromise
- Unexpected crashes or segmentation faults in the secilc CIL compiler process
- Core dumps containing stack traces referencing __cil_verify_classperms, __cil_verify_classpermission, or __cil_pre_verify_helper
- Anomalous CIL policy files with unusual classpermission constructs in compilation directories
Detection Strategies
- Monitor for crashes in SELinux policy compilation processes, particularly secilc and related tools
- Implement file integrity monitoring on CIL policy source directories to detect introduction of suspicious policy files
- Use AddressSanitizer (ASan) builds of SELinux tools in development and testing environments to catch use-after-free conditions
Monitoring Recommendations
- Enable core dump collection and analysis for SELinux compilation processes
- Monitor system logs for repeated policy compilation failures
- Implement alerting on unexpected terminations of secilc or policy compilation workflows
How to Mitigate CVE-2021-36084
Immediate Actions Required
- Update SELinux to a patched version that includes commit f34d3d30c8325e4847a6b696fe7a3936a8a361f3
- Review and restrict access to CIL policy compilation tools to trusted users only
- Avoid processing CIL policy files from untrusted or unknown sources
- Apply vendor-specific patches from Fedora, Debian, or NetApp as applicable to your environment
Patch Information
The vulnerability has been addressed in the official SELinux repository through commit f34d3d30c8325e4847a6b696fe7a3936a8a361f3. Distribution-specific patches are available through:
- Fedora Package Announcement for Fedora 35
- Debian LTS Security Announcement for Debian systems
- NetApp Security Advisory for affected NetApp products
Workarounds
- Restrict execution permissions for CIL compilation tools to administrative users only
- Implement mandatory code review for all CIL policy files before compilation
- Use containerized or sandboxed environments when compiling CIL policies from untrusted sources
# Restrict secilc to root/admin users only
chmod 750 /usr/bin/secilc
chown root:wheel /usr/bin/secilc
# Verify SELinux version includes the fix
rpm -q libsepol | grep -E "[0-9]+\.[0-9]+"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
