[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-81766":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":8,"htmlUrl":8,"language":9,"languages":8,"totalLinesOfCode":8,"stars":10,"forks":11,"watchers":10,"openIssues":12,"contributorsCount":13,"subscribersCount":13,"size":13,"stars1d":13,"stars7d":13,"stars30d":13,"stars90d":13,"forks30d":13,"starsTrendScore":13,"compositeScore":14,"rankGlobal":8,"rankLanguage":8,"license":15,"archived":16,"fork":16,"defaultBranch":17,"hasWiki":16,"hasPages":16,"topics":18,"createdAt":8,"pushedAt":8,"updatedAt":19,"readmeContent":20,"aiSummary":21,"trendingCount":13,"starSnapshotCount":13,"syncStatus":12,"lastSyncTime":22,"discoverSource":23},81766,"copy-fail-destroyer","NorskHelsenett\u002Fcopy-fail-destroyer","NorskHelsenett",null,"Go",23,6,2,0,39.54,"Apache License 2.0",false,"main",[],"2026-06-12 04:01:35","# copy-fail-destroyer\n\nA Kubernetes DaemonSet agent that detects and remediates [CVE-2026-31431](https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-31431) (\"Copy Fail\") and [Dirty Frag](https:\u002F\u002Fgithub.com\u002FV4bel\u002Fdirtyfrag) — Linux kernel page-cache write vulnerabilities allowing unprivileged root escalation.\n\n### Copy Fail (CVE-2026-31431)\n\nAn `algif_aead` in-place logic flaw allowing unprivileged page-cache writes via the `AF_ALG` socket interface.\n\n### Dirty Frag\n\nTwo chained page-cache write vulnerabilities:\n\n- **xfrm-ESP Page-Cache Write**: `esp_input()` bypasses `skb_cow_data()` for non-linear skbs, allowing in-place crypto on attacker-pinned page-cache pages. Requires `esp4`\u002F`esp6` modules + user namespace privileges. Introduced in kernel 4.10 (2017).\n- **RxRPC Page-Cache Write**: `rxkad_verify_packet_1()` performs in-place `pcbc(fcrypt)` decrypt on page-cache frags. Requires `rxrpc` module but **no namespace privileges**. 
Introduced in kernel 6.4 (2023).\n\nThe exploit chains both variants — if one is blocked, the other fills the gap. A system is vulnerable if **either** module is reachable.\n\n## What it does\n\nOn each node the agent runs a loop every 5 minutes that:\n\n1. **Checks the kernel version** against all known patched stable branches.\n2. **Probes attack-surface modules**:\n   - **Copy Fail**: attempts to create and bind an `AF_ALG` socket to `aead` \u002F `authenc(hmac(sha256),cbc(aes))` — the exact algorithm the exploit targets. Safe and non-destructive.\n   - **Dirty Frag**: checks whether `esp4`, `esp6`, or `rxrpc` modules are loaded or available on disk. Does **not** create sockets that would trigger module autoloading.\n3. **Remediates** based on the configured `REMEDIATION_MODE` (see below).\n4. **Exposes Prometheus metrics** so you can alert and track status across the fleet.\n\n## Remediation modes\n\nSet via the `REMEDIATION_MODE` environment variable (or `remediationMode` in the Helm chart):\n\n| Mode | Behaviour |\n|---|---|\n| `unload` (default) | Unloads the `algif_aead`, `esp4`, `esp6`, and `rxrpc` kernel modules via `delete_module` |\n| `blacklist` | Unloads the modules **and** writes modprobe blacklist rules to prevent auto-reload |\n| `disabled` | Detect and report only — no remediation is performed |\n\n## Prometheus metrics\n\nAll metrics are exposed on `:9100\u002Fmetrics`.\n\n| Metric | Description |\n|---|---|\n| `cve_2026_31431_kernel_needs_patching` | `1` if the kernel version is not patched for CVE-2026-31431 |\n| `cve_2026_31431_vulnerable` | `1` if the kernel is vulnerable to CVE-2026-31431 **and** the module is reachable |\n| `cve_2026_31431_module_reachable` | `1` if the `AF_ALG` aead algorithm can be bound |\n| `cve_2026_31431_remediation_applied` | `1` if the `algif_aead` module was successfully unloaded |\n| `dirty_frag_vulnerable` | `1` if the kernel is vulnerable to Dirty Frag (ESP or RxRPC) **and** modules are reachable |\n| 
`dirty_frag_kernel_needs_patching` | `1` if the kernel version is not patched for Dirty Frag (either variant) |\n| `dirty_frag_esp_module_reachable` | `1` if `esp4` or `esp6` is loaded or available on disk |\n| `dirty_frag_rxrpc_module_reachable` | `1` if `rxrpc` is loaded or available on disk |\n| `dirty_frag_remediation_applied` | `1` if Dirty Frag module mitigations have been applied |\n\n## Patched kernel versions\n\n### CVE-2026-31431 (Copy Fail)\n\n- `7.0+` (mainline)\n- `6.19.12+`, `6.18.22+`\n- Kernels before `4.14` are not affected (bug introduced in 4.14)\n\n### Dirty Frag\n\n- **ESP variant**: introduced in kernel `4.10` (`cac2661c53f3`, 2017). Patch merged into netdev tree 2026-05-07 (`f4c50a4034e6`). No stable release contains the fix yet.\n- **RxRPC variant**: introduced in kernel `6.4` (`2dc334f1a63a`, 2023). Patch submitted but **not merged upstream** as of 2026-05-08.\n- No CVE assigned. Version checks will be updated when distros backport patches.\n\n## Project structure\n\n```\ncmd\u002Fdestroyer\u002Fmain.go          # Entry point — metrics server, check loop, remediation\npkg\u002Fdetector\u002F\n  cve202631431.go              # CVE-2026-31431 (Copy Fail) detection\n  dirtyfrag.go                 # Dirty Frag detection (ESP + RxRPC variants)\n  probe_linux.go               # AF_ALG module probe (Linux)\n  probe_other.go               # Probe stub (non-Linux)\n  probe_dirtyfrag_linux.go     # ESP, RxRPC, user namespace probes (Linux)\n  probe_dirtyfrag_other.go     # Probe stubs (non-Linux)\n  remediate_linux.go           # algif_aead unload via delete_module (Linux)\n  remediate_other.go           # Remediation stub (non-Linux)\n  remediate_dirtyfrag_linux.go # esp4\u002Fesp6\u002Frxrpc unload + blacklist (Linux)\n  remediate_dirtyfrag_other.go # Remediation stubs (non-Linux)\ndeploy\u002Fnamespace.yaml          # Namespace with Pod Security Admission policy\ndeploy\u002Fdaemonset.yaml          # Kubernetes DaemonSet manifest\nDockerfile        
             # Multi-stage build (scratch final image)\n```\n\n## Building\n\n```bash\n# Native\ngo build .\u002Fcmd\u002Fdestroyer\n\n# Linux cross-compile (for container image)\nCGO_ENABLED=0 GOOS=linux go build -o destroyer .\u002Fcmd\u002Fdestroyer\n```\n\n## Container image\n\n```bash\ndocker build -t copy-fail-destroyer .\n```\n\n## Deployment\n\nThe agent requires a privileged security context to unload kernel modules and probe `AF_ALG` sockets. The root filesystem is read-only.\n\n### Raw manifests\n\n```bash\nkubectl apply -f deploy\u002Fnamespace.yaml\nkubectl apply -f deploy\u002Fdaemonset.yaml\n```\n\n### Helm\n\n```bash\nhelm install copy-fail-destroyer oci:\u002F\u002Fghcr.io\u002Fnorskhelsenett\u002Fhelm\u002Fcopy-fail-destroyer \\\n  --namespace copy-fail-destroyer --create-namespace\n```\n\nOverride the remediation mode:\n\n```bash\nhelm install copy-fail-destroyer oci:\u002F\u002Fghcr.io\u002Fnorskhelsenett\u002Fhelm\u002Fcopy-fail-destroyer \\\n  --namespace copy-fail-destroyer --create-namespace \\\n  --set remediationMode=disabled\n```\n\n### ArgoCD\n\nAn Application manifest is provided at `deploy\u002Fargocd-application.yaml`. 
Edit `targetRevision` to pin a chart version:\n\n```bash\nkubectl apply -f deploy\u002Fargocd-application.yaml\n```\n\nThe DaemonSet includes Prometheus scrape annotations (`prometheus.io\u002Fscrape: \"true\"`, port `9100`).\n\n### Prometheus Operator\n\nIf you use the Prometheus Operator, deploy the `PodMonitor` to have metrics scraped automatically:\n\n```bash\n# Raw manifest\nkubectl apply -f deploy\u002Fpodmonitor.yaml\n\n# Or via Helm\nhelm install copy-fail-destroyer oci:\u002F\u002Fghcr.io\u002Fnorskhelsenett\u002Fhelm\u002Fcopy-fail-destroyer \\\n  --namespace copy-fail-destroyer --create-namespace \\\n  --set metrics.podMonitor.enabled=true\n```\n\nAlert rules (`PrometheusRule`) for Alertmanager are also available:\n\n```bash\n# Raw manifest\nkubectl apply -f deploy\u002Fprometheusrule.yaml\n\n# Or via Helm with extra alert labels\nhelm install copy-fail-destroyer oci:\u002F\u002Fghcr.io\u002Fnorskhelsenett\u002Fhelm\u002Fcopy-fail-destroyer \\\n  --namespace copy-fail-destroyer --create-namespace \\\n  --set metrics.prometheusRule.enabled=true \\\n  --set metrics.prometheusRule.extraAlertLabels.team=platform\n```\n\nThree alerts are defined:\n\n| Alert | Severity | Description |\n|---|---|---|\n| `CopyFailVulnerable` | critical | Kernel is vulnerable **and** AF_ALG module is reachable |\n| `CopyFailKernelNeedsPatching` | warning | Kernel version is unpatched (module may be mitigated) |\n| `CopyFailRemediationFailed` | warning | Module still reachable after remediation attempt |\n| `DirtyFragVulnerable` | critical | Kernel is vulnerable **and** ESP or RxRPC modules are reachable |\n| `DirtyFragKernelNeedsPatching` | warning | Kernel version is unpatched for Dirty Frag |\n| `DirtyFragRemediationFailed` | warning | Dirty Frag modules still reachable after remediation attempt |\n\n## CI\u002FCD\n\nA GitHub Actions workflow (`.github\u002Fworkflows\u002Fbuild.yaml`) triggers on versioned tags (`v*`). It:\n\n1. Runs `go test .\u002F...`\n2. 
Builds the Linux binary\n3. Builds and pushes a container image to `ghcr.io\u002Fnorskhelsenett\u002Fcopy-fail-destroyer`\n4. Packages and pushes the Helm chart to `oci:\u002F\u002Fghcr.io\u002Fnorskhelsenett\u002Fhelm\u002Fcopy-fail-destroyer`\n\nTags are derived from the Git tag — e.g. pushing `v1.2.3` produces image tags `1.2.3` and `1.2`.\n\n```bash\ngit tag v1.0.0\ngit push origin v1.0.0\n```","copy-fail-destroyer is a Kubernetes DaemonSet agent for detecting and remediating the CVE-2026-31431 and Dirty Frag vulnerabilities in the Linux kernel, which allow unprivileged users to escalate to root. The project protects nodes by periodically checking the kernel version, probing attack-surface modules (such as AF_ALG, esp4\u002Fesp6 and rxrpc) and, according to the configured remediation mode, automatically unloading or blacklisting them. It also exposes Prometheus metrics to help monitor cluster status. It is suited to Kubernetes environments that need stronger container security, especially those concerned with preventing kernel-level exploitation.","2026-06-11 04:06:19","CREATED_QUERY"]