CVE-2021-36084: 
NixOS vulnerability analysis and mitigation

CVE-2021-36084 is a security vulnerability discovered in SELinux 3.2's CIL (Common Intermediate Language) compiler. The vulnerability involves a use-after-free issue in the cilverifyclassperms function, which is called from cilverifyclasspermission and _cilpreverifyhelper. The issue was initially discovered and reported through OSS-Fuzz on February 19, 2021, and was publicly disclosed on June 30, 2021 (CVE-MITRE, OSS-FUZZ).

The vulnerability is classified as a heap-use-after-free issue that occurs during the verification of class permissions in the SELinux CIL compiler. The bug manifests when the classperms list of a classpermission rule is processed, where the list is created and filled during classpermissionset rules processing. The technical issue stems from the fact that the list doesn't own any part of the data and shouldn't retain it when reset. The vulnerability has been assigned a CVSS 3.1 base score of 3.3 (Low), with attack vector being Local, attack complexity Low, and requiring user interaction (UBUNTU).

The vulnerability has a Low severity impact, primarily affecting the availability of the system. According to the CVSS scoring, there are no direct impacts on confidentiality or integrity. The issue only affects the compilation of SELinux policy, and systems using AppArmor as their default Linux Security Module (LSM) are not affected (UBUNTU).

A fix was implemented through a commit that modifies the handling of the classperms list in the CIL compiler. The solution involves destroying the classperms list (without destroying the data in it) when resetting a classpermission rule. The fix is available in updated versions of the libsepol package across various distributions (SELINUX-COMMIT).