Summary: The Linux kernel vulnerability (CVE-2021-46971) related to an unconditional security_locked_down() call in perf/core has been resolved. This article discusses the issue and provides a code snippet and relevant links for understanding and implementing the fix.

Vulnerability Background

In the Linux kernel, the issue tracked as CVE-2021-46971 caused unnecessary lockdown permission checks and audit records when SELinux's lockdown hook implementation was in use together with the perf subsystem. The perf_event_open() path queried the lockdown state unconditionally, even though the result of that query is only used when the PERF_SAMPLE_REGS_INTR bit is set in attr.sample_type.

Issue Details

The problem is a spurious security check rather than a bypass. SELinux implements the locked_down hook by checking whether the current process's type has the corresponding permission in the lockdown class ("integrity" or "confidentiality") allowed in the loaded policy; a denial produces an audit record like any other AVC check. Because perf called security_locked_down() on every perf_event_open() call, the permission check ran and the audit record was generated even when the access control decision was discarded, that is, whenever the caller did not request PERF_SAMPLE_REGS_INTR sampling. The visible effect on an SELinux system is lockdown-class denials and audit noise for ordinary perf usage that the policy was never meant to restrict.
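The following is an added user-space model of the two orderings described above; it is not kernel code and not part of the original article or the upstream patch. mock_security_locked_down(), run_trial(), struct trial, and the "policy denies perf" switch are stand-ins (assumptions) for the LSM hook, the SELinux policy lookup, and the audit record the hook emits; the PERF_SAMPLE_REGS_INTR bit value is the one from uapi/linux/perf_event.h. It runs both orderings over a constructed set of sample_type values and reports how many audit records each produces while confirming the access decisions are identical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Value of PERF_SAMPLE_REGS_INTR in uapi/linux/perf_event.h. */
#define PERF_SAMPLE_REGS_INTR (1ULL << 18)

/* Stand-ins (assumptions, not kernel code): a global "lockdown denies perf"
 * switch in place of the SELinux policy lookup, and a counter in place of
 * the audit record the hook emits on every evaluation. */
static bool lockdown_denies_perf;
static unsigned audit_records;

/* Mock of security_locked_down(LOCKDOWN_PERF): one audit record per call,
 * -EPERM when the policy denies the permission. */
static int mock_security_locked_down(void)
{
    audit_records++;
    return lockdown_denies_perf ? -EPERM : 0;
}

/* Pre-fix ordering as the text describes it: the hook is queried on every
 * call, but its result only matters when REGS_INTR sampling is requested. */
static int perf_open_unconditional(uint64_t sample_type)
{
    int err = mock_security_locked_down();
    if (err && (sample_type & PERF_SAMPLE_REGS_INTR))
        return err;          /* REGS_INTR can leak data; lockdown forbids it */
    return 0;
}

/* Post-fix ordering: test the mask first, so the hook (and its audit
 * record) only fires when the decision will actually be used. */
static int perf_open_gated(uint64_t sample_type)
{
    if (sample_type & PERF_SAMPLE_REGS_INTR) {
        int err = mock_security_locked_down();
        if (err)
            return err;
    }
    return 0;
}

struct trial {
    unsigned audit_before;   /* records emitted by the pre-fix ordering */
    unsigned audit_after;    /* records emitted by the post-fix ordering */
    bool same_decisions;     /* both orderings returned identical errnos */
};

/* Run both orderings over a constructed set of sample_type values and
 * compare audit volume and access decisions. */
struct trial run_trial(bool deny_perf)
{
    /* Constructed inputs: a plain counter, a counter asking for interrupt
     * registers, and one with unrelated sample bits (IP|TID) set. */
    const uint64_t attrs[] = { 0, PERF_SAMPLE_REGS_INTR, (1ULL << 0) | (1ULL << 1) };
    const int n = (int)(sizeof attrs / sizeof attrs[0]);
    int before[3], after[3];
    struct trial t = { 0, 0, true };

    lockdown_denies_perf = deny_perf;

    audit_records = 0;
    for (int i = 0; i < n; i++)
        before[i] = perf_open_unconditional(attrs[i]);
    t.audit_before = audit_records;

    audit_records = 0;
    for (int i = 0; i < n; i++)
        after[i] = perf_open_gated(attrs[i]);
    t.audit_after = audit_records;

    for (int i = 0; i < n; i++)
        if (before[i] != after[i])
            t.same_decisions = false;
    return t;
}

int main(void)
{
    struct trial deny = run_trial(true);
    struct trial allow = run_trial(false);
    printf("policy denies : %u audit records before fix, %u after, decisions %s\n",
           deny.audit_before, deny.audit_after, deny.same_decisions ? "identical" : "DIFFER");
    printf("policy allows : %u audit records before fix, %u after, decisions %s\n",
           allow.audit_before, allow.audit_after, allow.same_decisions ? "identical" : "DIFFER");
    return 0;
}
```

The point the model makes is that the reordering is purely about side effects: for the same inputs both orderings return the same errno, but the gated version touches the hook only once (for the attr that actually asks for interrupt registers), so a confined perf user stops generating a lockdown audit record for every ordinary counter it opens.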

Code Snippet: Fixing the vulnerability

To fix this issue, the code tests attr.sample_type first and calls security_locked_down() only when its result would be honored, so the LSM hook and any audit record it emits are skipped for callers that do not request PERF_SAMPLE_REGS_INTR. Here is a code snippet demonstrating the change:

-       if (security_locked_down(LOCKDOWN_PERF)) {
+       if ((attr.sample_type & PERF_SAMPLE_REGS_INTR) &&
+           security_locked_down(LOCKDOWN_PERF)) {
                ret = -EPERM;
                goto out_put;
        }
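Review bot: ret is hard-coded to -EPERM in the `+` branch instead of carrying the errno that security_locked_down() returned; the hook returns an error code, so `ret = security_locked_down(LOCKDOWN_PERF); if (ret) goto out_put;` inside the sample_type branch would preserve the LSM's own value. The reordering itself is right: the cheap `attr.sample_type & PERF_SAMPLE_REGS_INTR` mask test is evaluated first, so the hook, and the audit record SELinux emits from it, only run when the verdict is honored.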

References

The original git commit detailing the patch for this vulnerability ("perf/core: Fix unconditional security_locked_down() call") can be found here.

The CVE-2021-46971 advisory can be found here.

Additional information related to Linux kernel lockdown mode, its implications, and operations can be found in the following references:

1. Linux kernel lockdown and UEFI Secure Boot
2. SELinux and mandatory access control enforcement

Conclusion

With the fix for CVE-2021-46971 in place, perf_event_open() consults the lockdown LSM hook only when PERF_SAMPLE_REGS_INTR sampling is requested. By checking sample_type first and calling security_locked_down() only when its result is needed, the kernel no longer produces spurious lockdown permission checks and audit records for ordinary perf usage on SELinux-enabled systems, while the actual lockdown decision for interrupt-register sampling is unchanged. Administrators running SELinux with a policy that confines perf users should apply a kernel carrying this patch; its most visible effect is the disappearance of unexplained lockdown-class AVC records for perf.

Timeline

Published on: 02/27/2024 19:04:07 UTC
Last modified on: 02/28/2024 14:06:45 UTC