CVE-2021-47128: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks Commit 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") added an implementation of the locked_down LSM hook to SELinux, with the aim to restrict which domains are allowed to perform operations that would breach lockdown. This is indirectly also getting audit subsystem involved to report events. The latter is problematic, as reported by Ondrej and Serhei, since it can bring down the whole system via audit: 1) The audit events that are triggered due to calls to security_locked_down() can OOM kill a machine, see below details [0]. 2) It also seems to be causing a deadlock via avc_has_perm()/slow_avc_audit() when trying to wake up kauditd, for example, when using trace_sched_switch() tracepoint, see details in [1]. Triggering this was not via some hypothetical corner case, but with existing tools like runqlat & runqslower from bcc, for example, which make use of this tracepoint. Rough call sequence goes like: rq_lock(rq) -> -------------------------+ trace_sched_switch() -> | bpf_prog_xyz() -> +-> deadlock selinux_lockdown() -> | audit_log_end() -> | wake_up_interruptible() -> | try_to_wake_up() -> | rq_lock(rq) --------------+ What's worse is that the intention of 59438b46471a to further restrict lockdown settings for specific applications in respect to the global lockdown policy is completely broken for BPF. The SELinux policy rule for the current lockdown check looks something like this: allow <who> <who> : lockdown { <reason> }; However, this doesn't match with the 'current' task where the security_locked_down() is executed, example: httpd does a syscall. There is a tracing program attached to the syscall which triggers a BPF program to run, which ends up doing a bpf_probe_read_kernel{,_str}() helper call. The selinux_lockdown() hook does the permission check against 'current', that is, httpd in this example. httpd has literally zero relation to this tracing program, and it would be nonsensical having to write an SELinux policy rule against httpd to let the tracing helper pass. The policy in this case needs to be against the entity that is installing the BPF program. For example, if bpftrace would generate a histogram of syscall counts by user space application: bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }' bpftrace would then go and generate a BPF program from this internally. One way of doing it [for the sake of the example] could be to call bpf_get_current_task() helper and then access current->comm via one of bpf_probe_read_kernel{,_str}() helpers. So the program itself has nothing to do with httpd or any other random app doing a syscall here. The BPF program _explicitly initiated_ the lockdown check. The allow/deny policy belongs in the context of bpftrace: meaning, you want to grant bpftrace access to use these helpers, but other tracers on the system like my_random_tracer _not_. Therefore fix all three issues at the same time by taking a completely different approach for the security_locked_down() hook, that is, move the check into the program verification phase where we actually retrieve the BPF func proto. This also reliably gets the task (current) that is trying to install the BPF tracing program, e.g. bpftrace/bcc/perf/systemtap/etc, and it also fixes the OOM since we're moving this out of the BPF helper's fast-path which can be called several millions of times per second. The check is then also in line with other security_locked_down() hooks in the system where the enforcement is performed at open/load time, for example, open_kcore() for /proc/kcore access or module_sig_check() for module signatures just to pick f ---truncated---
AI Analysis
Technical Summary
CVE-2021-47128 is a vulnerability in the Linux kernel related to the implementation of SELinux lockdown permission checks, specifically affecting the Berkeley Packet Filter (BPF) subsystem. The vulnerability stems from a flawed implementation of the locked_down Linux Security Module (LSM) hook within SELinux, introduced by commit 59438b46471a. This hook was designed to restrict operations that could breach lockdown policies, including those triggered by audit subsystem events. However, the interaction between SELinux lockdown checks and the audit subsystem can cause severe system stability issues, including out-of-memory (OOM) kills and deadlocks. The deadlock arises from a circular locking dependency involving the run queue lock (rq_lock), the audit daemon (kauditd), and SELinux permission checks during BPF program execution triggered by tracepoints such as trace_sched_switch(). Additionally, the SELinux policy enforcement is broken for BPF programs because the lockdown permission check is performed against the 'current' task context (e.g., an unrelated application like httpd making a syscall) rather than the actual entity installing the BPF program (e.g., bpftrace). This misalignment means that legitimate BPF tracing programs may be incorrectly denied permissions unless the policy is impractically written against unrelated processes. The fix involves moving the lockdown permission check from the BPF helper fast-path (called millions of times per second) to the BPF program verification phase, where the actual task installing the BPF program can be accurately identified. This approach prevents the OOM and deadlock issues and aligns enforcement with other lockdown checks performed at open/load time. This vulnerability affects Linux kernel versions containing the problematic commit and impacts systems using SELinux lockdown with BPF tracing tools such as bpftrace, BCC, perf, and systemtap. While no known exploits are reported in the wild, the vulnerability can cause denial-of-service conditions and potentially disrupt critical monitoring and tracing operations.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running Linux kernels with SELinux lockdown enabled and utilizing BPF-based tracing or monitoring tools. The impact includes potential system instability due to OOM kills and deadlocks, leading to denial of service on critical infrastructure, servers, or endpoints. Organizations relying on BPF for performance monitoring, security auditing, or troubleshooting may experience disruptions or loss of visibility, impairing incident response and operational continuity. Given the widespread use of Linux in enterprise servers, cloud environments, and embedded systems across Europe, the vulnerability could affect sectors such as finance, telecommunications, government, and critical infrastructure. The deadlock and OOM conditions could also be exploited to cause targeted disruptions or as part of a broader attack chain. However, exploitation requires the ability to trigger BPF programs and audit events, which may be restricted by existing access controls. The absence of known exploits suggests limited immediate threat but underscores the need for timely patching to prevent potential denial-of-service attacks and maintain system reliability.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2021-47128 as soon as they become available from trusted sources or Linux distribution vendors. This patch moves the SELinux lockdown check to the BPF program verification phase, resolving the OOM and deadlock issues. 2. Temporarily disable SELinux lockdown mode if feasible and if the risk of disabling lockdown is acceptable, to avoid triggering the buggy lockdown permission checks. 3. Limit the use of BPF tracing tools (bpftrace, BCC, perf, systemtap) to trusted administrators and restrict their execution to prevent unprivileged users from installing BPF programs. 4. Monitor audit logs and system metrics for signs of excessive memory usage or deadlocks related to audit subsystem or BPF tracing activities. 5. Implement strict SELinux policies that explicitly allow only authorized tracing tools to load BPF programs, minimizing the attack surface. 6. In environments where patching is delayed, consider disabling or restricting the audit subsystem's interaction with SELinux lockdown to reduce the risk of OOM or deadlock. 7. Regularly update Linux kernel and security modules to incorporate fixes and improvements related to lockdown and BPF subsystems. 8. Conduct thorough testing of BPF-based monitoring tools in controlled environments after patching to ensure compatibility and stability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Italy, Spain, Poland
CVE-2021-47128: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks Commit 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") added an implementation of the locked_down LSM hook to SELinux, with the aim to restrict which domains are allowed to perform operations that would breach lockdown. This is indirectly also getting audit subsystem involved to report events. The latter is problematic, as reported by Ondrej and Serhei, since it can bring down the whole system via audit: 1) The audit events that are triggered due to calls to security_locked_down() can OOM kill a machine, see below details [0]. 2) It also seems to be causing a deadlock via avc_has_perm()/slow_avc_audit() when trying to wake up kauditd, for example, when using trace_sched_switch() tracepoint, see details in [1]. Triggering this was not via some hypothetical corner case, but with existing tools like runqlat & runqslower from bcc, for example, which make use of this tracepoint. Rough call sequence goes like: rq_lock(rq) -> -------------------------+ trace_sched_switch() -> | bpf_prog_xyz() -> +-> deadlock selinux_lockdown() -> | audit_log_end() -> | wake_up_interruptible() -> | try_to_wake_up() -> | rq_lock(rq) --------------+ What's worse is that the intention of 59438b46471a to further restrict lockdown settings for specific applications in respect to the global lockdown policy is completely broken for BPF. The SELinux policy rule for the current lockdown check looks something like this: allow <who> <who> : lockdown { <reason> }; However, this doesn't match with the 'current' task where the security_locked_down() is executed, example: httpd does a syscall. There is a tracing program attached to the syscall which triggers a BPF program to run, which ends up doing a bpf_probe_read_kernel{,_str}() helper call. The selinux_lockdown() hook does the permission check against 'current', that is, httpd in this example. httpd has literally zero relation to this tracing program, and it would be nonsensical having to write an SELinux policy rule against httpd to let the tracing helper pass. The policy in this case needs to be against the entity that is installing the BPF program. For example, if bpftrace would generate a histogram of syscall counts by user space application: bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }' bpftrace would then go and generate a BPF program from this internally. One way of doing it [for the sake of the example] could be to call bpf_get_current_task() helper and then access current->comm via one of bpf_probe_read_kernel{,_str}() helpers. So the program itself has nothing to do with httpd or any other random app doing a syscall here. The BPF program _explicitly initiated_ the lockdown check. The allow/deny policy belongs in the context of bpftrace: meaning, you want to grant bpftrace access to use these helpers, but other tracers on the system like my_random_tracer _not_. Therefore fix all three issues at the same time by taking a completely different approach for the security_locked_down() hook, that is, move the check into the program verification phase where we actually retrieve the BPF func proto. This also reliably gets the task (current) that is trying to install the BPF tracing program, e.g. bpftrace/bcc/perf/systemtap/etc, and it also fixes the OOM since we're moving this out of the BPF helper's fast-path which can be called several millions of times per second. The check is then also in line with other security_locked_down() hooks in the system where the enforcement is performed at open/load time, for example, open_kcore() for /proc/kcore access or module_sig_check() for module signatures just to pick f ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2021-47128 is a vulnerability in the Linux kernel related to the implementation of SELinux lockdown permission checks, specifically affecting the Berkeley Packet Filter (BPF) subsystem. The vulnerability stems from a flawed implementation of the locked_down Linux Security Module (LSM) hook within SELinux, introduced by commit 59438b46471a. This hook was designed to restrict operations that could breach lockdown policies, including those triggered by audit subsystem events. However, the interaction between SELinux lockdown checks and the audit subsystem can cause severe system stability issues, including out-of-memory (OOM) kills and deadlocks. The deadlock arises from a circular locking dependency involving the run queue lock (rq_lock), the audit daemon (kauditd), and SELinux permission checks during BPF program execution triggered by tracepoints such as trace_sched_switch(). Additionally, the SELinux policy enforcement is broken for BPF programs because the lockdown permission check is performed against the 'current' task context (e.g., an unrelated application like httpd making a syscall) rather than the actual entity installing the BPF program (e.g., bpftrace). This misalignment means that legitimate BPF tracing programs may be incorrectly denied permissions unless the policy is impractically written against unrelated processes. The fix involves moving the lockdown permission check from the BPF helper fast-path (called millions of times per second) to the BPF program verification phase, where the actual task installing the BPF program can be accurately identified. This approach prevents the OOM and deadlock issues and aligns enforcement with other lockdown checks performed at open/load time. This vulnerability affects Linux kernel versions containing the problematic commit and impacts systems using SELinux lockdown with BPF tracing tools such as bpftrace, BCC, perf, and systemtap. While no known exploits are reported in the wild, the vulnerability can cause denial-of-service conditions and potentially disrupt critical monitoring and tracing operations.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running Linux kernels with SELinux lockdown enabled and utilizing BPF-based tracing or monitoring tools. The impact includes potential system instability due to OOM kills and deadlocks, leading to denial of service on critical infrastructure, servers, or endpoints. Organizations relying on BPF for performance monitoring, security auditing, or troubleshooting may experience disruptions or loss of visibility, impairing incident response and operational continuity. Given the widespread use of Linux in enterprise servers, cloud environments, and embedded systems across Europe, the vulnerability could affect sectors such as finance, telecommunications, government, and critical infrastructure. The deadlock and OOM conditions could also be exploited to cause targeted disruptions or as part of a broader attack chain. However, exploitation requires the ability to trigger BPF programs and audit events, which may be restricted by existing access controls. The absence of known exploits suggests limited immediate threat but underscores the need for timely patching to prevent potential denial-of-service attacks and maintain system reliability.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2021-47128 as soon as they become available from trusted sources or Linux distribution vendors. This patch moves the SELinux lockdown check to the BPF program verification phase, resolving the OOM and deadlock issues. 2. Temporarily disable SELinux lockdown mode if feasible and if the risk of disabling lockdown is acceptable, to avoid triggering the buggy lockdown permission checks. 3. Limit the use of BPF tracing tools (bpftrace, BCC, perf, systemtap) to trusted administrators and restrict their execution to prevent unprivileged users from installing BPF programs. 4. Monitor audit logs and system metrics for signs of excessive memory usage or deadlocks related to audit subsystem or BPF tracing activities. 5. Implement strict SELinux policies that explicitly allow only authorized tracing tools to load BPF programs, minimizing the attack surface. 6. In environments where patching is delayed, consider disabling or restricting the audit subsystem's interaction with SELinux lockdown to reduce the risk of OOM or deadlock. 7. Regularly update Linux kernel and security modules to incorporate fixes and improvements related to lockdown and BPF subsystems. 8. Conduct thorough testing of BPF-based monitoring tools in controlled environments after patching to ensure compatibility and stability.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-03-04T18:12:48.839Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9834c4522896dcbe9dfa
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/27/2025, 1:03:08 PM
Last updated: 8/11/2025, 1:18:12 AM
Views: 18
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.