The current mess in the Linux world is dirtyfrag: a new LPE bug involving kernel modules, with the twist that someone broke the normal embargo that lets distributions prepare patches, so there are currently no published packages with fixed versions.
If you’re like me and adopt the Cattle Not Pets philosophy, you’re running some kind of configuration management system, and that makes it easy to roll out the fixes listed. I made this quick class that I applied to my machines:
    # Patches for dirty frag
    # https://github.com/V4bel/dirtyfrag
    class base::dirtyfrag {
      # "install <module> /bin/false" makes modprobe refuse to load the module,
      # including when the kernel requests it on demand.
      file { '/etc/modprobe.d/dirtyfrag.conf':
        owner   => 'root',
        group   => 'root',
        content => @(EOF),
          install esp4 /bin/false
          install esp6 /bin/false
          install rxrpc /bin/false
          | EOF
        mode    => '0644',
        notify  => [
          Exec['dirtyfrag rmmod']
        ]
      }
      exec { 'dirtyfrag rmmod':
        command     => '/usr/sbin/rmmod esp4 esp6 rxrpc',
        refreshonly => true,
        notify      => [
          Exec['dirtyfrag clear']
        ],
        # If the module is not loaded, this will return 1.
        # Note: rmmod also returns 1 when a module is in use, so a failed
        # unload is not reported here; confirm with lsmod afterwards.
        returns     => [
          0,
          1
        ]
      }
      exec { 'dirtyfrag clear':
        command     => '/bin/sh -c "echo 3 > /proc/sys/vm/drop_caches"',
        refreshonly => true,
      }
    }
Apply this class to a machine to create the modprobe config, unload the modules, and clear contaminated memory to patch the system without rebooting. Once fixed packages are available and installed, change the file resource to `ensure => absent` and the class will clean up after itself.
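A verification script for the mitigation above, added here as an example rather than taken from the original post: it parses /proc/modules-style output and a modprobe.d file to confirm that none of the three modules is resident and that each has the install override, then offers a live check against the paths the class writes (standard /proc/modules and modprobe locations are assumed). The parsing helpers run offline on constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Module names come from the
# page's modprobe.d snippet; the conf path is the one the Puppet class writes.
RISKY_MODULES="esp4 esp6 rxrpc"

# Read /proc/modules-format text on stdin; print the risky modules that are
# still loaded, one per line. Empty output means none of them are resident.
loaded_risky_modules() {
  awk -v list="$RISKY_MODULES" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    ($1 in want) { print $1 }'
}

# Read a modprobe.d file on stdin; succeed only if every risky module has an
# "install <module> /bin/false" line. A plain "blacklist" line is not enough:
# it only ignores the module's aliases and still allows loading by name.
config_covers_all() {
  cfg=$(cat)
  for m in $RISKY_MODULES; do
    printf '%s\n' "$cfg" |
      grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/false([[:space:]]|$)" ||
      return 1
  done
}

# Constructed sample inputs (not captured from a real host) for offline use.
SAMPLE_MODULES='esp4 40960 0 - Live 0x0000000000000000
xfrm_algo 16384 1 esp4, Live 0x0000000000000000
ext4 884736 2 - Live 0x0000000000000000'
SAMPLE_GOOD_CONF='install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false'
SAMPLE_BAD_CONF='blacklist esp4
install esp6 /bin/false
install rxrpc /bin/false'

# Live check for a real host. The Puppet class accepts rmmod exit status 1,
# which also hides a "module in use" failure, so confirm nothing is resident
# and that modprobe's dry run reports the /bin/false override per module.
check_live() {
  status=0
  still=$(loaded_risky_modules < /proc/modules)
  [ -z "$still" ] || { echo "still loaded: $still"; status=1; }
  config_covers_all < /etc/modprobe.d/dirtyfrag.conf || { echo "config incomplete"; status=1; }
  for m in $RISKY_MODULES; do
    modprobe -n -v "$m" 2>/dev/null | grep -q '/bin/false' || { echo "$m would still load"; status=1; }
  done
  return $status
}
```

Run `check_live` as root after a Puppet run; a zero exit status means all three checks passed.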
Disclaimer
Obviously test this in your environment. On my machines, this worked to prevent the PoC published on GitHub from working, but that’s not a certain thing on every machine.