fix: blacklist rxrpc/esp4/esp6 modules to mitigate DirtyFrag LPE (#8475)

djsly · Copilot · Copilot · djsly · commit 55356758db3f · 2026-05-08T12:06:03.000-04:00
Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
Co-authored-by: Copilot Autofix powered by AI &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/e2e/validation.go b/e2e/validation.go
@@ -88,7 +88,7 @@ func ValidateCommonLinux(ctx context.Context, s *Scenario) {
 	_ = execScriptOnVMForScenarioValidateExitCode(ctx, s, "sudo curl http://168.63.129.16:32526/vmSettings", 0, "curl to wireserver failed")
 
 	validateWireServerBlocked(ctx, s)
-	ValidateAlgifAeadMitigation(ctx, s)
+	ValidateVulnerableKernelModulesDisabled(ctx, s)
 
 	// base NBC templates define a mock service principal profile that we can still use to test
 	// the correct bootstrapping logic: https://github.com/Azure/AgentBaker/blob/master/e2e/node_config.go#L438-L441
diff --git a/e2e/validators.go b/e2e/validators.go
@@ -2254,42 +2254,44 @@ func ValidateCollectWindowsLogsScript(ctx context.Context, s *Scenario) {
 		"collect-windows-logs.ps1 failed or did not produce a zip file")
 }
 
-// ValidateAlgifAeadMitigation verifies CVE-2026-31431 mitigation is active:
-// the algif_aead kernel module must be blocked via modprobe config, not loaded,
-// and modprobe must refuse to load it.
-func ValidateAlgifAeadMitigation(ctx context.Context, s *Scenario) {
+// ValidateVulnerableKernelModulesDisabled verifies that kernel modules with known
+// LPE vulnerabilities are blocked via modprobe config, not loaded, and cannot be loaded.
+// Covers: CVE-2026-31431 (algif_aead), DirtyFrag (esp4, esp6, rxrpc).
+// To add a new CVE mitigation, append the module name to the list below.
+func ValidateVulnerableKernelModulesDisabled(ctx context.Context, s *Scenario) {
 	s.T.Helper()
 
-	// Flatcar uses a different kernel module setup
 	if s.VHD.Flatcar {
-		s.T.Log("Skipping algif_aead validation: not applicable for Flatcar")
+		s.T.Log("Skipping vulnerable kernel module validation: not applicable for Flatcar")
 		return
 	}
 
 	script := strings.Join([]string{
-		`# Check modprobe config blocks the module`,
-		`if ! grep -qs 'install algif_aead /bin/false' /etc/modprobe.d/*.conf 2>/dev/null; then`,
-		`  echo "FAIL: algif_aead disable rule not found in /etc/modprobe.d/*.conf"`,
-		`  exit 1`,
-		`fi`,
-		`echo "PASS: modprobe config blocks algif_aead"`,
-		``,
-		`# Check module is not loaded`,
-		`if grep -qE '^algif_aead ' /proc/modules 2>/dev/null; then`,
-		`  echo "FAIL: algif_aead module is loaded"`,
-		`  exit 1`,
-		`fi`,
-		`echo "PASS: algif_aead module is not loaded"`,
-		``,
-		`# Check modprobe refuses to load it`,
-		`if sudo modprobe algif_aead 2>/dev/null; then`,
-		`  echo "FAIL: modprobe algif_aead succeeded, should be blocked"`,
-		`  sudo rmmod algif_aead 2>/dev/null || true`,
-		`  exit 1`,
-		`fi`,
-		`echo "PASS: modprobe algif_aead correctly refused"`,
+		`failed=0`,
+		`for mod in algif_aead esp4 esp6 rxrpc; do`,
+		`  if ! grep -qsE "^install ${mod} /bin/false" /etc/modprobe.d/*.conf 2>/dev/null; then`,
+		`    echo "FAIL: ${mod} disable rule not found in /etc/modprobe.d/*.conf"`,
+		`    failed=1`,
+		`  else`,
+		`    echo "PASS: modprobe config blocks ${mod}"`,
+		`  fi`,
+		`  if grep -qE "^${mod} " /proc/modules 2>/dev/null; then`,
+		`    echo "FAIL: ${mod} module is loaded"`,
+		`    failed=1`,
+		`  else`,
+		`    echo "PASS: ${mod} module is not loaded"`,
+		`  fi`,
+		`  if sudo modprobe "${mod}" 2>/dev/null; then`,
+		`    echo "FAIL: modprobe ${mod} succeeded, should be blocked"`,
+		`    sudo modprobe -r "${mod}" 2>/dev/null || true`,
+		`    failed=1`,
+		`  else`,
+		`    echo "PASS: modprobe ${mod} correctly refused"`,
+		`  fi`,
+		`done`,
+		`exit $failed`,
 	}, "\n")
 
 	execScriptOnVMForScenarioValidateExitCode(ctx, s, script, 0,
-		"CVE-2026-31431 (algif_aead) mitigation validation failed")
+		"Vulnerable kernel module mitigation validation failed (algif_aead/esp4/esp6/rxrpc)")
 }
diff --git a/parts/linux/cloud-init/artifacts/cse_main.sh b/parts/linux/cloud-init/artifacts/cse_main.sh
@@ -50,6 +50,28 @@ get_ubuntu_release() {
     lsb_release -r -s 2>/dev/null || echo ""
 }
 
+# Disable a single kernel module with a known LPE vulnerability.
+# Writes a modprobe blacklist rule and unloads the module if loaded.
+# Applies to existing VHDs that don't yet have the fix baked into modprobe-CIS.conf.
+# Safe to run unconditionally — idempotent (overwrites with same content if already present).
+# Defined in cse_main.sh (not sourced) to support scriptless provisioning.
+#
+# Usage: disableVulnerableKernelModule <module_name> <description>
+disableVulnerableKernelModule() {
+    local mod="$1"
+    local desc="$2"
+
+    printf '# %s\ninstall %s /bin/false\nblacklist %s\n' "$desc" "$mod" "$mod" > "/etc/modprobe.d/disable-${mod}.conf"
+
+    if grep -q "^${mod} " /proc/modules 2>/dev/null; then
+        if modprobe -r "$mod" 2>/dev/null; then
+            echo "${desc}: successfully unloaded ${mod}"
+        else
+            echo "${desc}: failed to unload ${mod} (in use), reboot required for full mitigation"
+        fi
+    fi
+}
+
 # ====== BASE PREP: BASE IMAGE PREPARATION ======
 # This stage prepares the base VHD image with all necessary components and configurations.
 # IMPORTANT: This stage must NOT join the node to the cluster.
@@ -284,21 +306,14 @@ EOF
 
     logs_to_events "AKS.CSE.ensureSysctl" ensureSysctl || exit $ERR_SYSCTL_RELOAD
 
-    # CVE-2026-31431 (Copy Fail): Mitigate algif_aead LPE vulnerability.
-    # Affects Ubuntu 20.04/22.04/24.04 and AzureLinux 3.0 (kernel >=4.15).
+    # Disable kernel modules with known LPE vulnerabilities (CVE-2026-31431, DirtyFrag).
     # Applies to existing VHDs that don't yet have the modprobe-CIS.conf fix baked in.
-    # Safe to run unconditionally — idempotent if already mitigated.
-    if [ "$OS" = "$UBUNTU_OS_NAME" ] || isMarinerOrAzureLinux "$OS"; then
-        if ! grep -qs "algif_aead" /etc/modprobe.d/*.conf 2>/dev/null; then
-            printf "install algif_aead /bin/false\nblacklist algif_aead\n" > /etc/modprobe.d/disable-algif_aead.conf
-        fi
-        if grep -q '^algif_aead ' /proc/modules 2>/dev/null; then
-            if rmmod algif_aead 2>/dev/null; then
-                echo "CVE-2026-31431: successfully unloaded algif_aead module"
-            else
-                echo "CVE-2026-31431: failed to unload algif_aead (in use), reboot required for full mitigation"
-            fi
-        fi
+    # To add a new CVE mitigation, add a disableVulnerableKernelModule call below.
+    if isUbuntu "$OS" || isMarinerOrAzureLinux "$OS"; then
+        disableVulnerableKernelModule "algif_aead" "CVE-2026-31431 (Copy Fail)"
+        disableVulnerableKernelModule "esp4" "DirtyFrag (xfrm-ESP page-cache write)"
+        disableVulnerableKernelModule "esp6" "DirtyFrag (xfrm-ESP6 page-cache write)"
+        disableVulnerableKernelModule "rxrpc" "DirtyFrag (RxRPC page-cache write, bypasses AppArmor userns)"
     fi
 
     if ! isAzureLinuxOSGuard "$OS" "$OS_VARIANT"; then
diff --git a/parts/linux/cloud-init/artifacts/modprobe-CIS.conf b/parts/linux/cloud-init/artifacts/modprobe-CIS.conf
@@ -29,3 +29,14 @@ blacklist usb-storage
 # until kernel fix is available. See https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
 install algif_aead /bin/false
 blacklist algif_aead
+# DirtyFrag / CopyFail2: Disable xfrm ESP and RxRPC modules to mitigate page-cache
+# write LPE vulnerabilities. rxrpc path bypasses AppArmor userns restrictions.
+# AKS platform components do not require kernel IPsec ESP/XFRM or AFS/RxRPC.
+# Disabling these modules prevents workloads that rely on those protocols from working
+# on the node. See https://github.com/V4bel/dirtyfrag
+install esp4 /bin/false
+blacklist esp4
+install esp6 /bin/false
+blacklist esp6
+install rxrpc /bin/false
+blacklist rxrpc
diff --git a/spec/parts/linux/cloud-init/artifacts/cse_main_disable_modules_spec.sh b/spec/parts/linux/cloud-init/artifacts/cse_main_disable_modules_spec.sh
@@ -0,0 +1,73 @@
+#!/usr/bin/env shellspec
+
+# Unit tests for disableVulnerableKernelModule() in cse_main.sh
+
+Describe 'disableVulnerableKernelModule()'
+    MODPROBE_DIR=""
+    PROC_MODULES=""
+
+    setup() {
+        MODPROBE_DIR="$(mktemp -d)"
+        PROC_MODULES="$(mktemp)"
+        # Source only the function by extracting it
+        eval "$(sed -n '/^disableVulnerableKernelModule()/,/^}/p' parts/linux/cloud-init/artifacts/cse_main.sh | \
+            sed "s|/etc/modprobe.d|${MODPROBE_DIR}|g; s|/proc/modules|${PROC_MODULES}|g")"
+    }
+
+    cleanup() {
+        rm -rf "$MODPROBE_DIR"
+        rm -f "$PROC_MODULES"
+    }
+
+    BeforeEach 'setup'
+    AfterEach 'cleanup'
+
+    # Mock modprobe -r
+    modprobe() { return 0; }
+
+    It 'creates a config file for a single module'
+        When call disableVulnerableKernelModule "algif_aead" "CVE-2026-31431 (Copy Fail)"
+        The file "${MODPROBE_DIR}/disable-algif_aead.conf" should be exist
+        The contents of file "${MODPROBE_DIR}/disable-algif_aead.conf" should include "install algif_aead /bin/false"
+        The contents of file "${MODPROBE_DIR}/disable-algif_aead.conf" should include "blacklist algif_aead"
+        The contents of file "${MODPROBE_DIR}/disable-algif_aead.conf" should include "CVE-2026-31431"
+    End
+
+    It 'creates separate config files per module'
+        When call disableVulnerableKernelModule "esp4" "DirtyFrag ESP4"
+        The file "${MODPROBE_DIR}/disable-esp4.conf" should be exist
+        The contents of file "${MODPROBE_DIR}/disable-esp4.conf" should include "install esp4 /bin/false"
+        The contents of file "${MODPROBE_DIR}/disable-esp4.conf" should include "blacklist esp4"
+    End
+
+    It 'is idempotent — running twice produces same content'
+        first_run() {
+            disableVulnerableKernelModule "rxrpc" "DirtyFrag RxRPC"
+            cat "${MODPROBE_DIR}/disable-rxrpc.conf"
+        }
+        second_run() {
+            disableVulnerableKernelModule "rxrpc" "DirtyFrag RxRPC"
+            cat "${MODPROBE_DIR}/disable-rxrpc.conf"
+        }
+        When call first_run
+        The output should eq "$(second_run)"
+    End
+
+    It 'attempts to unload a loaded module'
+        loaded_test() {
+            echo "rxrpc 425984 0" > "$PROC_MODULES"
+            disableVulnerableKernelModule "rxrpc" "DirtyFrag RxRPC"
+        }
+        When call loaded_test
+        The output should include "successfully unloaded rxrpc"
+    End
+
+    It 'does not attempt unload when module is not loaded'
+        not_loaded_test() {
+            : > "$PROC_MODULES"
+            disableVulnerableKernelModule "rxrpc" "DirtyFrag RxRPC"
+        }
+        When call not_loaded_test
+        The output should not include "unloaded"
+    End
+End
diff --git a/vhdbuilder/packer/test/linux-vhd-content-test.sh b/vhdbuilder/packer/test/linux-vhd-content-test.sh
@@ -1262,35 +1262,41 @@ testNfsServerService() {
   echo "$test:Finish"
 }
 
-# CVE-2026-31431 (Copy Fail): Verify algif_aead kernel module is disabled.
-# The modprobe-CIS.conf should contain "install algif_aead /bin/false" which
-# prevents the module from loading. Verify the config is present, the module
-# is not loaded, and that attempting to load it fails.
-testAlgifAeadDisabled() {
-  local test="testAlgifAeadDisabled"
+# Verify all kernel modules with known LPE vulnerabilities are disabled.
+# Covers: CVE-2026-31431 (algif_aead), DirtyFrag (esp4, esp6, rxrpc).
+# To add a new CVE mitigation, append the module to the loop below.
+testVulnerableKernelModulesDisabled() {
+  local test="testVulnerableKernelModulesDisabled"
   echo "$test:Start"
 
-  # Verify modprobe config blocks the module
-  if ! grep -qs "install algif_aead /bin/false" /etc/modprobe.d/*.conf 2>/dev/null; then
-    err "$test" "algif_aead disable rule not found in /etc/modprobe.d/*.conf"
-    return 1
-  fi
-  echo "$test: modprobe config correctly blocks algif_aead"
+  local failed=0
+  for mod in algif_aead esp4 esp6 rxrpc; do
+    if ! grep -qsE "^install ${mod} /bin/false" /etc/modprobe.d/*.conf 2>/dev/null; then
+      err "$test" "${mod} disable rule not found in /etc/modprobe.d/*.conf"
+      failed=1
+    else
+      echo "$test: modprobe config correctly blocks ${mod}"
+    fi
 
-  # Verify the module is not currently loaded
-  if grep -qE '^algif_aead ' /proc/modules 2>/dev/null; then
-    err "$test" "algif_aead kernel module is loaded despite being disabled"
-    return 1
-  fi
-  echo "$test: algif_aead module is not loaded"
+    if grep -qE "^${mod} " /proc/modules 2>/dev/null; then
+      err "$test" "${mod} kernel module is loaded despite being disabled"
+      failed=1
+    else
+      echo "$test: ${mod} module is not loaded"
+    fi
+
+    if modprobe "${mod}" 2>/dev/null; then
+      err "$test" "modprobe ${mod} succeeded — module should be blocked"
+      modprobe -r "${mod}" 2>/dev/null || true
+      failed=1
+    else
+      echo "$test: modprobe ${mod} correctly refused to load"
+    fi
+  done
 
-  # Verify that attempting to load the module fails
-  if modprobe algif_aead 2>/dev/null; then
-    err "$test" "modprobe algif_aead succeeded — module should be blocked"
-    rmmod algif_aead 2>/dev/null || true
+  if [ "$failed" -ne 0 ]; then
     return 1
   fi
-  echo "$test: modprobe algif_aead correctly refused to load"
 
   echo "$test:Finish"
 }
@@ -2377,4 +2383,4 @@ testInspektorGadgetAssets
 testPackageDownloadURLFallbackLogic
 testFileOwnership $OS_SKU
 testDiskQueueServiceIsActive
-testAlgifAeadDisabled
+testVulnerableKernelModulesDisabled
