Skip to content

[F] Add modprobe config to mitigate dirtyfrag & copyfail#1

Open
Misaka13514 wants to merge 1 commit into
mainfrom
patch
Open

[F] Add modprobe config to mitigate dirtyfrag & copyfail#1
Misaka13514 wants to merge 1 commit into
mainfrom
patch

Conversation

@Misaka13514

@Misaka13514 Misaka13514 commented May 8, 2026

Copy link
Copy Markdown
Member

Mitigate CVE-2026-43284 CVE-2026-43500 https://dirtyfrag.io
https://github.com/V4bel/dirtyfrag

Mitigate CVE-2026-31431 https://copy.fail
https://github.com/theori-io/copy-fail-CVE-2026-31431

nixos-rebuild switch后,无需重启系统,运行以下命令来卸载可能已经加载内核模块:

sudo rmmod esp4 esp6 rxrpc algif_aead

检查模块是否正确无法加载

$ cat /etc/modprobe.d/nixos.conf
# Mitigate https://dirtyfrag.io
# https://github.com/V4bel/dirtyfrag
install esp4 /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false
install esp6 /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false
install rxrpc /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false

# Mitigate CVE-2026-31431 https://copy.fail
# https://github.com/theori-io/copy-fail-CVE-2026-31431
install algif_aead /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false

$ sudo modprobe esp4
modprobe: ERROR: Error running install command '/nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false' for module esp4: retcode 1
modprobe: ERROR: could not insert 'esp4': Invalid argument

boot.blacklistedKernelModules是不够用的,因为它的效果是这样的

cat /etc/modprobe.d/nixos.conf
blacklist algif_aead
blacklist esp4
blacklist esp6
blacklist rxrpc

模块仍然可以被加载

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds host-level kernel module load restrictions via modprobe config on ctvp to reduce exposure to the referenced DirtyFrag and CopyFail vulnerabilities.

Changes:

  • Introduces boot.extraModprobeConfig entries that prevent loading esp4, esp6, rxrpc, and algif_aead.
  • Documents the mitigations with links to the related advisories/repos.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread hosts/ctvp.nix Outdated
Comment thread hosts/ctvp.nix Outdated

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

Comment thread hosts/ctvp.nix Outdated
Comment thread hosts/ctvp.nix

@sauricat sauricat left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that we don't have auto ci/cd, even it be merged to main branch you still have to manually update the server config via nixos-rebuild boot.

Have you tested on the server?

@sauricat

sauricat commented May 8, 2026

Copy link
Copy Markdown
Member

不对不对,为什么不用 boot.blacklistedKernelModules
之前用了后来改了的意思是?

@Misaka13514

Copy link
Copy Markdown
Member Author

Have you tested on the server?

Tested the patch on my NixOS server

Also tested this config can be built

$ nix run nixpkgs#nix-diff -- $(nix build --no-link --print-out-paths github:one-among-us/appservers/main#nixosConfigurations.ctvp.config.system.build.toplevel) $(nix build --no-link --print-out-paths github:one-among-us/appservers/patch#nixosConfigurations.ctvp.config.system.build.toplevel)
- /nix/store/97bb0r78ycl65jgy0g97ywdvqx4ndsx8-nixos-system-ctvp-26.05.20260427.1c3fe55:{out}
+ /nix/store/p4pksh13q910biqicnxqjjm1x6s5y74k-nixos-system-ctvp-26.05.20260427.1c3fe55:{out}
• The input derivation named `activate` differs
  - /nix/store/y58fw0slgq67bqvyr4j6p5r2jx3mhv62-activate.drv:{out}
  + /nix/store/bwwgwfdlhrhb9qaqd0k9r54i3vk2glpw-activate.drv:{out}
  • The input derivation named `etc` differs
    - /nix/store/9swh57yjf358lafbcwcv0n0h3l0xkl4b-etc.drv:{out}
    + /nix/store/4q6jaqdyrxkmwjzbylq57al5hlh14yk0-etc.drv:{out}
    • The input derivation named `etc-modprobe.d-nixos.conf` differs
      - /nix/store/wvfbhf3m9spbbi7drd3iahsv8nl3qhn0-etc-modprobe.d-nixos.conf.drv:{out}
      + /nix/store/6fhrwl0463d0gr5bp5ynwgs3xdnmr4f3-etc-modprobe.d-nixos.conf.drv:{out}
      • The set of input derivation names do not match:
          + coreutils-9.10
      • The environments do not match:
          text=''

          # Mitigate https://dirtyfrag.io
          # https://github.com/V4bel/dirtyfrag
          install esp4 /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false
          install esp6 /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false
          install rxrpc /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false

          # Mitigate CVE-2026-31431 https://copy.fail
          # https://github.com/theori-io/copy-fail-CVE-2026-31431
          install algif_aead /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false


      ''
    • Skipping environment comparison
  • Skipping environment comparison
• The input derivation named `boot.json` differs
  - /nix/store/5dfn8bpypy56hyx1cbaxfa4yhfgs1239-boot.json.drv:{out}
  + /nix/store/3s3lzk31wwq5yfbr1ir5y8191dlyz357-boot.json.drv:{out}
  • The input derivation named `initrd-linux-6.18.24` differs
    - /nix/store/fk75p9h9pa5dlsvfx398lp1cwmi7w3k5-initrd-linux-6.18.24.drv:{out}
    + /nix/store/sp16f34zy2p9faan0zrpqvp3gj0nzvia-initrd-linux-6.18.24.drv:{out}
    • Input derivations differ but have already been compared
        etc-modprobe.d-nixos.conf
    • Skipping environment comparison
  • Skipping environment comparison
• Input derivations differ but have already been compared
    etc
    initrd-linux-6.18.24
• Skipping environment comparison

I have updated my PR description. Ready to merge.

@Misaka13514

Copy link
Copy Markdown
Member Author

不对不对,为什么不用 boot.blacklistedKernelModules 之前用了后来改了的意思是?

使用blacklist后,https://github.com/V4bel/dirtyfrag 失效,但是我怀疑修改exp后可能可以通过其它方法加载内核模块,因为sudo modprobe还可以成功加载

@sauricat

sauricat commented May 8, 2026 via email

Copy link
Copy Markdown
Member

@Misaka13514

Misaka13514 commented May 8, 2026

Copy link
Copy Markdown
Member Author

怀疑修改exp后可能可以通过其它方法加载内核模块

演示如下

atri@homura ~/flake (main)> cat nixosModules/common/security.nix
{ pkgs, ... }:
{
  boot.extraModprobeConfig = ''
    # Mitigate https://dirtyfrag.io
    # https://github.com/V4bel/dirtyfrag
    install esp4 ${pkgs.coreutils}/bin/false
    install esp6 ${pkgs.coreutils}/bin/false
    install rxrpc ${pkgs.coreutils}/bin/false

    # Mitigate CVE-2026-31431 https://copy.fail
    # https://github.com/theori-io/copy-fail-CVE-2026-31431
    # install algif_aead ${pkgs.coreutils}/bin/false
  '';

  boot.blacklistedKernelModules = [ "algif_aead" ];
}
atri@homura ~/flake (main)> cat /etc/modprobe.d/nixos.conf
blacklist algif_aead
blacklist ip_tables

# Mitigate https://dirtyfrag.io
# https://github.com/V4bel/dirtyfrag
install esp4 /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false
install esp6 /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false
install rxrpc /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false

# Mitigate CVE-2026-31431 https://copy.fail
# https://github.com/theori-io/copy-fail-CVE-2026-31431
# install algif_aead /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false



atri@homura ~/flake (main)> sudo rmmod algif_aead
rmmod: ERROR: Module algif_aead is not currently loaded
atri@homura ~/flake (main) [1]> lsmod | grep algif_aead
atri@homura ~/flake (main) [0|1]> modprobe algif_aead
modprobe: ERROR: could not insert 'algif_aead': Operation not permitted
atri@homura ~/flake (main) [1]> sudo -u nobody python3 -c "
                                import socket
                                s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
                                s.bind(('aead', 'gcm(aes)'))
                                "
atri@homura ~/flake (main)> lsmod | grep algif_aead
algif_aead             12288  0
af_alg                 32768  1 algif_aead

而使用当前的方法是可以阻止加载的

atri@homura ~/flake (main)> cat /etc/modprobe.d/nixos.conf
blacklist ip_tables

# Mitigate https://dirtyfrag.io
# https://github.com/V4bel/dirtyfrag
install esp4 /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false
install esp6 /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false
install rxrpc /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false

# Mitigate CVE-2026-31431 https://copy.fail
# https://github.com/theori-io/copy-fail-CVE-2026-31431
install algif_aead /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false



atri@homura ~/flake (main)> sudo rmmod algif_aead
atri@homura ~/flake (main)> sudo -u nobody python3 -c "
                            import socket
                            s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
                            s.bind(('aead', 'gcm(aes)'))
                            "
Traceback (most recent call last):
  File "<string>", line 4, in <module>
    s.bind(('aead', 'gcm(aes)'))
    ~~~~~~^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory
atri@homura ~/flake (main) [1]> lsmod | grep algif_aead

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants