FFS again??
-
FFS again?? https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo
If you have a modular kernel, blocking loading of modules esp4 and esp6 (IPsec) in modprobe.d config should mitigate.
Given that this is the second time, a system-global seccomp filter blocking all splice-type syscalls/syscall-flags would probably be safer.
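An added example, not part of the original post: a shell function that checks whether the modprobe.d mitigation described above is actually in effect for esp4 and esp6. It assumes the rules live in /etc/modprobe.d and use the `install <module> /bin/false` form; the function name and status strings are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the modprobe.d block for a module.
# Usage: module_status MODULE CONF_DIR PROC_MODULES_FILE
# Prints one of: loaded | blocked | blacklist-only | loadable
module_status() {
    mod=$1 dir=$2 procmods=$3

    # A module that is already loaded is unaffected by modprobe.d rules;
    # it has to be unloaded (or the host rebooted) for the block to matter.
    if [ -r "$procmods" ] &&
       awk -v m="$mod" '$1 == m { hit = 1 } END { exit !hit }' "$procmods"; then
        echo loaded
        return 0
    fi

    status=loadable
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Drop comments, then look for rules naming this module.
        # "install MOD /bin/false" makes modprobe run /bin/false instead of
        # loading. "blacklist MOD" only suppresses alias-based autoloading;
        # an explicit modprobe by name still succeeds, so report it apart.
        r=$(sed 's/#.*//' "$f" | awk -v m="$mod" '
            $1 == "install" && $2 == m && $3 ~ /\/(false|true)$/ { s = "blocked" }
            $1 == "blacklist" && $2 == m && s == "" { s = "blacklist-only" }
            END { print s }')
        case $r in
            blocked) status=blocked; break ;;
            blacklist-only) status=blacklist-only ;;
        esac
    done
    echo "$status"
}

# Assumption: only /etc/modprobe.d is inspected; distributions may also ship
# rules in other modprobe.d directories.
for m in esp4 esp6; do
    printf '%s: %s\n' "$m" "$(module_status "$m" /etc/modprobe.d /proc/modules)"
done
```

Anything other than `blocked` for either module means the mitigation is not fully applied on that host.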
-
@dalias okay, I'm not a kernel person, should we be applying the mitigation described here, or something similar? https://github.com/V4bel/dirtyfrag Or do I go back to MacOS until there's a fix?
-
@emma Looking. I think this is the same vuln.
-
@emma Yes, it's the same, and the mitigation is exactly what I was recommending.
-
@dalias Is splice even useful nowadays?
-
@alwayscurious Yes, if you're trying to run a business with millions of concurrent users efficiently rather than just paying AWS obscene amounts of money and passing on the cost to your customers.
For any ordinary desktop or server applications though? No, it's useless premature optimization, and now known to be extremely unsafe in how it's implemented.
-
@dalias @alwayscurious splice is the only zero-copy mechanism available to normal users. I would hate to disable it. I'd rather disable the kernel modules one by one (for now, only relatively obscure stuff has been revealed to be broken; this may change in the future).
-
@dalias @alwayscurious (by "normal users" I mean "people who haven't yet studied the arcane magicks of io_uring")