CVE-2021-46971: perf/core: Fix unconditional security_locked_down() call
First published: Tue Feb 27 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix unconditional security_locked_down() call Currently, the lockdown state is queried unconditionally, even though its result is used only if the PERF_SAMPLE_REGS_INTR bit is set in attr.sample_type. While that doesn't matter in case of the Lockdown LSM, it causes trouble with the SELinux's lockdown hook implementation. SELinux implements the locked_down hook with a check whether the current task's type has the corresponding "lockdown" class permission ("integrity" or "confidentiality") allowed in the policy. This means that calling the hook when the access control decision would be ignored generates a bogus permission check and audit record. Fix this by checking sample_type first and only calling the hook when its result would be honored.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux kernel | >=5.4<5.4.117 | |
| Linux kernel | >=5.5<5.10.35 | |
| Linux kernel | >=5.11<5.11.19 | |
| Linux kernel | >=5.12<5.12.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/b246759284d6a2bc5b6f1009caeeb3abce2ec9ff
- https://git.kernel.org/stable/c/4348d3b5027bc3ff6336368b6c60605d4ef8e1ce
- https://git.kernel.org/stable/c/f5809ca4c311b71bfaba6d13f4e39eab0557895e
- https://git.kernel.org/stable/c/c7b0208ee370b89d20486fae71cd9abb759819c1
- https://git.kernel.org/stable/c/08ef1af4de5fe7de9c6d69f1e22e51b66e385d9b
Frequently Asked Questions
What is the severity of CVE-2021-46971?
CVE-2021-46971 has been classified as a moderate severity vulnerability in the Linux kernel.
How do I fix CVE-2021-46971?
To fix CVE-2021-46971, update your Linux kernel to a version that is patched, specifically above 5.4.117, 5.10.35, 5.11.19, or 5.12.2.
What systems are affected by CVE-2021-46971?
CVE-2021-46971 affects specific versions of the Linux kernel between certain versions including versions 5.4 through 5.4.117, 5.5 through 5.10.35, 5.11 through 5.11.19, and 5.12 through 5.12.2.
What impact does CVE-2021-46971 have on my system?
CVE-2021-46971 can potentially allow unauthorized access or modification under certain conditions due to improper handling of the lockdown state.
Is there any known exploit for CVE-2021-46971?
As of now, there are no known active exploits for CVE-2021-46971 reported in the wild.
- agent/title
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/linux
- canonical/linux kernel
- version/linux kernel/5.4
- version/linux kernel/5.5
- version/linux kernel/5.11
- version/linux kernel/5.12