CVE-2021-36087: The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called...
3.3
Miggo AI
Root Cause Analysis
The analysis covers commit 340f0eb7f3673e8aacaf0a96cbfcd4d12a405521, which fixes the CIL compiler in libsepol. CVE-2021-36087 describes a heap-based buffer over-read in ebitmap_match_any(), reached indirectly from cil_check_neverallow(). Its root cause is missing validation of the statements that may appear inside an 'optional' block, which lets a crafted CIL policy produce a malformed Abstract Syntax Tree (AST).
The two functions touched by the patch are __cil_build_ast_node_helper() (the AST building pass) and __cil_resolve_ast_node_helper() (the AST resolution pass). The patch adds checks in both so that statements that are not allowed inside an optional block (such as tunable declarations, in statements, block, blockabstract and macro definitions) are rejected with an error instead of being built into the tree.
Before the patch these checks were absent, so a policy that placed such a statement inside an optional block was accepted and produced an AST that the later passes do not expect. Depending on the input, that malformed AST is then dereferenced by code such as cil_tree_get_next_path() (the null dereference cited in the commit message) or walked by cil_check_neverallow(), which reaches ebitmap_match_any() and performs the out-of-bounds read the CVE describes.
__cil_build_ast_node_helper() and __cil_resolve_ast_node_helper() are therefore the vulnerable functions: unpatched, they accepted CIL policy that violated the optional-block rules and created the state that the later memory-unsafe access depends on. The added checks are the corrective action. Note that the attacker-controlled input is the CIL policy itself, so the exposure is limited to anything that compiles policy from untrusted sources with secilc or another tool linking libsepol. The second commit, bad0a746e9f4cf260dedba5828d9645d50176aac, changes documentation only and neither introduces nor fixes vulnerable code.
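The rule the fix enforces is simple to state, and a pre-flight lint for it is easy to write outside the compiler. The following is an added example (Python, not code from the SELinux userspace tree, and not the C of libsepol): a minimal CIL s-expression parser plus a tree walk that rejects the statements listed above whenever they sit under an (optional ...) form. Two things are assumptions of mine rather than facts from this page: the keyword set also includes blockinherit, a block-level statement of the same kind, and the walk treats any enclosing optional as the trigger, not only the direct parent. The sample policies are constructed, not the commit's test case.

```python
# Added example (not code from the SELinux userspace tree): a small CIL
# s-expression walker that applies the rule the fix commit enforces when
# building the AST, i.e. reject statements that must not appear inside an
# (optional ...) block. Keyword list follows the page; "blockinherit" is my
# assumption, added because it is a block-level statement of the same kind.
import re

DISALLOWED_IN_OPTIONAL = frozenset({
    "tunable", "in", "block", "blockabstract", "macro",
    "blockinherit",  # assumption, not in the page's list
})

# Tokens: quoted strings, parens, bare symbols, and ';' comments to drop.
_TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()";]+|;[^\n]*')


def tokenize(text):
    """Split CIL text into tokens, discarding ';' comments."""
    return [t for t in _TOKEN.findall(text) if not t.startswith(";")]


def parse(text):
    """Parse CIL s-expressions into nested lists; returns the top-level forms."""
    stack = [[]]
    for tok in tokenize(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise SyntaxError("unbalanced ')'")
            form = stack.pop()
            stack[-1].append(form)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise SyntaxError("unclosed '('")
    return stack[0]


def check_optionals(forms, in_optional=False, path=()):
    """Return [(path, keyword), ...] for every statement that sits inside an
    optional block but is not allowed there. The pre-fix compiler had no such
    check in the build pass and went on to build a malformed tree; here the
    offending subtree is reported and not descended into."""
    violations = []
    for form in forms:
        # Skip atoms (names, quoted strings) and lists whose head is not a keyword.
        if not isinstance(form, list) or not form or not isinstance(form[0], str):
            continue
        keyword = form[0]
        here = path + (keyword,)
        if in_optional and keyword in DISALLOWED_IN_OPTIONAL:
            violations.append((here, keyword))
            continue
        # Assumption: any enclosing optional counts, not only the direct parent.
        violations.extend(check_optionals(form[1:], in_optional or keyword == "optional", here))
    return violations


# Constructed sample policies (not from the CVE or the commit's test case).
BAD_POLICY = """
; block and tunable declarations are not permitted under optional
(optional o
  (type t)
  (block b
    (type t2))
  (tunable tun true))
"""

GOOD_POLICY = """
(block b
  (type t)
  (blockabstract b))
(optional o
  (type t2)
  (allow t2 t2 (file (read))))
"""


def policy_is_valid(text):
    """Convenience wrapper: True when no optional-block rule is violated."""
    return not check_optionals(parse(text))


if __name__ == "__main__":
    for name, policy in (("bad", BAD_POLICY), ("good", GOOD_POLICY)):
        for where, kw in check_optionals(parse(policy)):
            print(f"{name}: '{kw}' not allowed in optional at {'/'.join(where)}")
        print(f"{name}: valid={policy_is_valid(policy)}")
```

Point check_optionals(parse(open(path).read())) at a policy file to lint it before handing it to secilc. This is only a lint: the authoritative check is the one the patch adds inside libsepol, and an unpatched compiler will still mis-build the tree for any input that slips past a pre-filter.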