gsd-2021-46971
Vulnerability from gsd
Modified
2024-02-28 06:03
Details
In the Linux kernel, the following vulnerability has been resolved:
perf/core: Fix unconditional security_locked_down() call
Currently, the lockdown state is queried unconditionally, even though
its result is used only if the PERF_SAMPLE_REGS_INTR bit is set in
attr.sample_type. While that doesn't matter in case of the Lockdown LSM,
it causes trouble with the SELinux's lockdown hook implementation.
SELinux implements the locked_down hook with a check whether the current
task's type has the corresponding "lockdown" class permission
("integrity" or "confidentiality") allowed in the policy. This means
that calling the hook when the access control decision would be ignored
generates a bogus permission check and audit record.
Fix this by checking sample_type first and only calling the hook when
its result would be honored.
Aliases
{
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-46971"
],
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix unconditional security_locked_down() call\n\nCurrently, the lockdown state is queried unconditionally, even though\nits result is used only if the PERF_SAMPLE_REGS_INTR bit is set in\nattr.sample_type. While that doesn\u0027t matter in case of the Lockdown LSM,\nit causes trouble with the SELinux\u0027s lockdown hook implementation.\n\nSELinux implements the locked_down hook with a check whether the current\ntask\u0027s type has the corresponding \"lockdown\" class permission\n(\"integrity\" or \"confidentiality\") allowed in the policy. This means\nthat calling the hook when the access control decision would be ignored\ngenerates a bogus permission check and audit record.\n\nFix this by checking sample_type first and only calling the hook when\nits result would be honored.",
"id": "GSD-2021-46971",
"modified": "2024-02-28T06:03:57.357203Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@kernel.org",
"ID": "CVE-2021-46971",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "b0c8fdc7fdb7",
"version_value": "b246759284d6"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"defaultStatus": "affected",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.117",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.35",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.11.*",
"status": "unaffected",
"version": "5.11.19",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"version": "5.12.2",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.13",
"versionType": "original_commit_for_fix"
}
]
}
}
]
}
}
]
},
"vendor_name": "Linux"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix unconditional security_locked_down() call\n\nCurrently, the lockdown state is queried unconditionally, even though\nits result is used only if the PERF_SAMPLE_REGS_INTR bit is set in\nattr.sample_type. While that doesn\u0027t matter in case of the Lockdown LSM,\nit causes trouble with the SELinux\u0027s lockdown hook implementation.\n\nSELinux implements the locked_down hook with a check whether the current\ntask\u0027s type has the corresponding \"lockdown\" class permission\n(\"integrity\" or \"confidentiality\") allowed in the policy. This means\nthat calling the hook when the access control decision would be ignored\ngenerates a bogus permission check and audit record.\n\nFix this by checking sample_type first and only calling the hook when\nits result would be honored."
}
]
},
"generator": {
"engine": "bippy-b01c2a820106"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://git.kernel.org/stable/c/b246759284d6a2bc5b6f1009caeeb3abce2ec9ff",
"refsource": "MISC",
"url": "https://git.kernel.org/stable/c/b246759284d6a2bc5b6f1009caeeb3abce2ec9ff"
},
{
"name": "https://git.kernel.org/stable/c/4348d3b5027bc3ff6336368b6c60605d4ef8e1ce",
"refsource": "MISC",
"url": "https://git.kernel.org/stable/c/4348d3b5027bc3ff6336368b6c60605d4ef8e1ce"
},
{
"name": "https://git.kernel.org/stable/c/f5809ca4c311b71bfaba6d13f4e39eab0557895e",
"refsource": "MISC",
"url": "https://git.kernel.org/stable/c/f5809ca4c311b71bfaba6d13f4e39eab0557895e"
},
{
"name": "https://git.kernel.org/stable/c/c7b0208ee370b89d20486fae71cd9abb759819c1",
"refsource": "MISC",
"url": "https://git.kernel.org/stable/c/c7b0208ee370b89d20486fae71cd9abb759819c1"
},
{
"name": "https://git.kernel.org/stable/c/08ef1af4de5fe7de9c6d69f1e22e51b66e385d9b",
"refsource": "MISC",
"url": "https://git.kernel.org/stable/c/08ef1af4de5fe7de9c6d69f1e22e51b66e385d9b"
}
]
}
},
"nvd.nist.gov": {
"cve": {
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix unconditional security_locked_down() call\n\nCurrently, the lockdown state is queried unconditionally, even though\nits result is used only if the PERF_SAMPLE_REGS_INTR bit is set in\nattr.sample_type. While that doesn\u0027t matter in case of the Lockdown LSM,\nit causes trouble with the SELinux\u0027s lockdown hook implementation.\n\nSELinux implements the locked_down hook with a check whether the current\ntask\u0027s type has the corresponding \"lockdown\" class permission\n(\"integrity\" or \"confidentiality\") allowed in the policy. This means\nthat calling the hook when the access control decision would be ignored\ngenerates a bogus permission check and audit record.\n\nFix this by checking sample_type first and only calling the hook when\nits result would be honored."
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: perf/core: corrige la llamada incondicional a security_locked_down() Actualmente, el estado de bloqueo se consulta incondicionalmente, aunque su resultado se usa solo si el bit PERF_SAMPLE_REGS_INTR est\u00e1 establecido en attr.sample_type. Si bien eso no importa en el caso del Lockdown LSM, causa problemas con la implementaci\u00f3n del gancho de bloqueo de SELinux. SELinux implementa el gancho lock_down comprobando si el tipo de tarea actual tiene el correspondiente permiso de clase de \"bloqueo\" (\"integridad\" o \"confidencialidad\") permitido en la pol\u00edtica. Esto significa que llamar al enlace cuando se ignorar\u00eda la decisi\u00f3n de control de acceso genera una verificaci\u00f3n de permisos y un registro de auditor\u00eda falsos. Solucione este problema verificando sample_type primero y solo llamando al gancho cuando se respete su resultado."
}
],
"id": "CVE-2021-46971",
"lastModified": "2024-02-28T14:06:45.783",
"metrics": {},
"published": "2024-02-27T19:04:07.343",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/08ef1af4de5fe7de9c6d69f1e22e51b66e385d9b"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/4348d3b5027bc3ff6336368b6c60605d4ef8e1ce"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/b246759284d6a2bc5b6f1009caeeb3abce2ec9ff"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/c7b0208ee370b89d20486fae71cd9abb759819c1"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/f5809ca4c311b71bfaba6d13f4e39eab0557895e"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Awaiting Analysis"
}
}
}
}
Loading...