Dirty Frag vs. Copy Fail mitigation - need to understand the difference
https://askubuntu.com/questions/1566732/dirty-frag-vs-copy-fail-mitigation-need-to-understand-the-difference
I have been lurking on StackExchange for years and finally made an account a year ago, so this is my first post. I understand that there are standards to be upheld when posting questions, so I hope I will rise to those standards with mine.
Server scope: Azure-deployed VMs
Server versions:
Ubuntu Server 22.04.5 LTS (kernel 6.8.0-1052-azure)
Ubuntu Server 20.04.6 LTS (kernel 5.15.0-1089-azure)
Did I search for and read relevant articles? Yes, every single relevant one from vetted sources.
When Copy Fail came out, I was tasked with manual mitigation. According to the Ubuntu blog article for Copy Fail, the mitigation was:
# Drop this into /etc/modprobe.d/disable-algif_aead.conf
install algif_aead /bin/false
After that, I was to check whether the modules were loaded and, if so, remove them; then I performed a preventative reboot, because I was authorized to do so.
Somehow, with Dirty Frag, this is no longer enough. According to the Ubuntu blog article for Dirty Frag, I am to do this:
# Drop this into /etc/modprobe.d/dirty-frag.conf
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
And then, additionally, I have to run:
update-initramfs -u -k all
After that, same steps as for Copy Fail.
So my first question: I would like to understand why an initramfs update is suddenly required. Are ESP4/ESP6/RXRPC so deep in the kernel that I have to alter the image from which the server boots? I understand that if the initramfs update fails, I will be in a world of hurt. While backups will be in place, I would rather not kill the server.
Furthermore, according to the Mitigation section of the GitHub post for Dirty Frag, simply dropping in the same config, removing the modules if active, and then dropping the cache is enough. I.e., the same thing that I did for Copy Fail, except for the additional cache-drop step.
Second question: the official article on GitHub from the person who found Dirty Frag is different from the official Ubuntu recommendation. Why?
I am the Linux admin here, so I should know this stuff, but in this case I simply don't know or understand what the difference is, and whom to trust here: do I trust the person who discovered the vulnerability and produced the steps for it, or do I trust the OS distribution vendor with the directions from their blog post?
Thank you.
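The following is an added example, not code from the question, the Ubuntu blog posts, or the Dirty Frag write-up. It automates the three steps the question describes (write the "install <module> /bin/false" fragment, unload the modules if they are currently loaded, rebuild the initramfs) and adds the check that explains the update-initramfs step: initramfs-tools copies /etc/modprobe.d/*.conf into the boot image when the image is built, so a fragment written after the last build is not inside the image until it is rebuilt. The check lists each image and confirms the fragment is in it. Assumptions: Ubuntu with initramfs-tools (update-initramfs, lsinitramfs), the fragment name dirty-frag.conf, and module names passed as arguments.

```sh
#!/bin/sh
# Added example: "install <mod> /bin/false" mitigation helper with an initramfs check.
# Assumes Ubuntu with initramfs-tools; CONF_NAME and the module list are assumptions.
set -eu

CONF_NAME="${CONF_NAME:-dirty-frag.conf}"
CONF_PATH="/etc/modprobe.d/$CONF_NAME"

# Render the modprobe.d fragment for the named modules to stdout.
render_install_false_conf() {
    for m in "$@"; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Read lsmod output on stdin; print the subset of the named modules that are loaded.
# Only column 1 (the module name) is matched, so a module that merely appears in
# another module's "Used by" column is not reported.
loaded_among() {
    awk -v want="$*" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1 }
        NR > 1 && ($1 in w) { print $1 }'
}

# Read lsinitramfs output on stdin; succeed only if the named fragment is inside the image.
conf_in_initramfs_listing() {
    grep -q "modprobe\.d/$1\$"
}

# Full procedure: write the fragment, unload live modules, rebuild every initramfs,
# then verify each image actually carries the fragment. Must run as root.
apply_mitigation() {
    render_install_false_conf "$@" > "$CONF_PATH"
    for m in $(lsmod | loaded_among "$@"); do
        modprobe -r "$m"            # fails (and aborts) if the module is still in use
    done
    update-initramfs -u -k all
    for img in /boot/initrd.img-*; do
        if lsinitramfs "$img" | conf_in_initramfs_listing "$CONF_NAME"; then
            echo "ok: $CONF_NAME present in $img"
        else
            echo "missing: $CONF_NAME not in $img" >&2
            return 1
        fi
    done
}

# Usage: sh mitigate.sh apply esp4 esp6 rxrpc
case "${1:-}" in
    apply) shift; apply_mitigation "$@" ;;
esac
```

The same script covers the Copy Fail case with CONF_NAME=disable-algif_aead.conf and algif_aead as the single module argument. Because `set -e` is on, a `modprobe -r` that fails because the module is in use stops the script before the initramfs is touched, which is the point at which you would want to investigate rather than proceed. The lsinitramfs check is the part to run before the reboot: a fragment that is only in /etc/modprobe.d on the live filesystem protects the running system after the modules are unloaded, but an initramfs built before the fragment existed does not contain it.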