CVE-2021-36087 Overview
CVE-2021-36087 is an Out-of-Bounds Read vulnerability affecting the CIL (Common Intermediate Language) compiler in SELinux 3.2. The vulnerability exists in the ebitmap_match_any function, which is called indirectly from cil_check_neverallow. This flaw occurs due to insufficient validation of statements within optional blocks during policy compilation, leading to a heap-based buffer over-read condition.
Critical Impact
An attacker with local access could exploit this vulnerability to cause a denial of service condition by triggering the buffer over-read, potentially crashing the CIL compiler during policy compilation.
Affected Products
- SELinux Project SELinux 3.2
- Fedora Project Fedora 35
- Systems utilizing SELinux CIL compiler for policy compilation
Discovery Timeline
- 2021-07-01 - CVE-2021-36087 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2021-36087
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-bounds Read), a memory safety issue that occurs when the CIL compiler processes malformed or crafted SELinux policy files. The root cause lies in the ebitmap_match_any function's failure to properly validate the boundaries of bitmap data structures when processing statements within optional blocks.
The vulnerability was discovered through fuzz testing as part of the OSS-Fuzz project (Issue #32675). During normal operation, the CIL compiler parses and validates SELinux policy rules, including neverallow statements that define forbidden access patterns. When an invalid statement exists within an optional block, the cil_check_neverallow function invokes ebitmap_match_any without adequate bounds checking, causing the compiler to read beyond the allocated heap buffer.
The local attack vector requires an attacker to provide a maliciously crafted CIL policy file to the compiler. While exploitation does not allow arbitrary code execution or data exfiltration, it can disrupt security policy compilation processes, potentially affecting system administration workflows on SELinux-enabled systems.
Root Cause
The vulnerability stems from insufficient input validation within the CIL compiler's optional block processing logic. When the compiler encounters statements in an optional block, it should validate that all referenced elements exist and have proper bounds. The missing checks allow the ebitmap_match_any function to iterate beyond valid memory boundaries when processing bitmap operations related to neverallow rule verification.
Attack Vector
The attack requires local access to provide a crafted CIL policy file to the SELinux compiler. The attacker must be able to invoke the secilc compiler (the standalone CIL compiler) or trigger policy compilation through system administration tools.
The exploitation flow involves:
- Crafting a malicious CIL policy file containing invalid statements within optional blocks
- Submitting the file for compilation via secilc or policy build processes
- The compiler processes the optional block and invokes cil_check_neverallow
- The ebitmap_match_any function reads beyond allocated heap memory
- The compiler crashes, causing denial of service
For technical details on the vulnerability mechanism and the specific code paths involved, refer to the OSS-Fuzz vulnerability report and the SELinux security commit.
Detection Methods for CVE-2021-36087
Indicators of Compromise
- Unexpected crashes or segmentation faults in the secilc process during policy compilation
- Core dumps from SELinux policy compilation tools referencing ebitmap_match_any or cil_check_neverallow
- Anomalous CIL policy files with unusual optional block structures in policy directories
Detection Strategies
- Monitor for crashes in SELinux compilation processes using system logging and crash reporting tools
- Implement file integrity monitoring on CIL policy directories to detect unauthorized modifications
- Review audit logs for repeated policy compilation failures from the same source
- Deploy memory sanitizers (AddressSanitizer) in development environments to catch out-of-bounds read attempts
Monitoring Recommendations
- Enable crash reporting and analysis for secilc and related SELinux tools
- Monitor system logs for segmentation fault signals from policy compilation processes
- Set up alerting for multiple consecutive policy compilation failures
- Review policy source files for structural anomalies before compilation
How to Mitigate CVE-2021-36087
Immediate Actions Required
- Update SELinux to a patched version containing commit 340f0eb7f3673e8aacaf0a96cbfcd4d12a405521
- Restrict access to policy compilation tools to trusted administrators only
- Validate the source and integrity of CIL policy files before compilation
- Monitor for and investigate any unexpected policy compilation failures
Patch Information
The SELinux Project has addressed this vulnerability in commit 340f0eb7f3673e8aacaf0a96cbfcd4d12a405521. This fix adds proper validation checks for statements within optional blocks before processing them in ebitmap_match_any.
Distribution-specific patches are available:
Workarounds
- Restrict access to SELinux policy compilation tools using file permissions
- Implement policy file review processes to validate CIL files before compilation
- Use containerization or sandboxing when compiling untrusted policy files
- Consider pre-validation of policy files using static analysis tools
# Restrict secilc access to root only
chmod 750 /usr/bin/secilc
chown root:root /usr/bin/secilc
# Verify SELinux version for patch status
rpm -q selinux-policy-devel 2>/dev/null || dpkg -l selinux-policy-dev 2>/dev/null
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
