Conversation

Notices

1. Embed this notice
   Rich Felker (dalias@hachyderm.io)'s status on Thursday, 30-Apr-2026 06:26:43 JST Rich Felker

   socket(AF_ALG, SOCK_SEQPACKET, 0) = -1 EAFNOSUPPORT (Address family not supported by protocol)

   😎

   • Embed this notice
     William D. Jones (cr1901@mastodon.social)'s status on Thursday, 30-Apr-2026 06:48:45 JST William D. Jones

     in reply to

     @dalias Ahhh, someone here (that's not you :P) mentioned that musl is unaffected...

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Thursday, 30-Apr-2026 06:48:45 JST Rich Felker

     in reply to

     • William D. Jones

     @cr1901 I think that's false; it's a kernel vuln. What's unaffected is a self-compiled kernel with all the garbage attack surface options turned off at compile-time. 😁

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Thursday, 30-Apr-2026 06:51:48 JST Rich Felker

     in reply to

     Contrary to the implications of the (poor) vuln announcement and PoC, systems without suid binaries are NOT immune to https://copy.fail/

     The vuln allows modifying anything in page cache, so an attacker can just modify the .text of any existing program running with privileges they shouldn't have.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Thursday, 30-Apr-2026 06:53:04 JST Rich Felker

     in reply to

     The recommended mitigation of blocking load of the affected module (or better yet, the whole af_alg subsystem) does work and does not require any updating/rebooting/risk of breakage from update.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Thursday, 30-Apr-2026 07:06:12 JST Rich Felker

     in reply to

     Speaking of blocking the whole af_alg subsystem... I should really do an audit of the scope of niche, non-essential features like AF_ALG that give userspace large attack surface for the kernel, and put together a recommended set of recommended Kconfig, modprobe.d rules, seccomp rules, etc. that cut off access to them entirely.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Thursday, 30-Apr-2026 07:07:38 JST Rich Felker

     in reply to

     • Haelwenn /элвэн/ :triskell:

     @lanodan That looks right. I don't have it set on my self-built kernels.

   • Embed this notice
     Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 30-Apr-2026 07:07:40 JST Haelwenn /элвэн/ :triskell:

     in reply to

     @dalias And if I'm reading kernel source right, this is controlled by CONFIG_CRYPTO_USER_API

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Thursday, 30-Apr-2026 07:14:33 JST Rich Felker

     in reply to

     For what I mean by niche, AF_ALG (offering crypto acceleration and kernelspace software implementations of crypto algorithms) absolutely makes sense for low-cpu-power embedded devices with crypto accelerators, and for some high-cryptographic-load servers.

     It makes absolutely no sense for desktop or ordinary server usage, where even without vulns like copy.fail, all it's doing is giving your key material far more exposure by marking it as key material and passing it around different execution domains.

   • Embed this notice
     Royce Williams (tychotithonus@infosec.exchange)'s status on Thursday, 30-Apr-2026 13:23:55 JST Royce Williams

     in reply to

     @dalias generally true, except as written it may silently fail:

     https://infosec.exchange/@tychotithonus/116490466168316767