#!/bin/sh

# Linux Vulnerability Mitigation
# Copyright (C) 2026 Daniel Baumann <daniel@debian.org>
#
# SPDX-License-Identifier: PD
#
# This program is free software: you have unlimited permission
# to copy, distribute and modify it.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

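set -e

# Usage: <script> check|status|install|remove
#
#   check    exit 0 if the modprobe.d rule file is installed, 1 if it is not
#   status   exit 0 if the running kernel is fixed, 1 if mitigated, 2 if vulnerable
#   install  write the modprobe.d rule file and try to unload the module
#   remove   delete the modprobe.d rule file
#
# NOTE(review): there is no default arm, so an unknown or missing action
# falls through and exits 0, the same code 'check' and 'status' use for
# "installed"/"fixed". Callers should pass one of the four actions only.

CVE="CVE-2026-31431"
DATE="2026-04-29"
NAME="Copy Fail"
URL="https://copy.fail"

# Kernel module disabled by this mitigation, and the rule file that disables it.
MODULE="algif_aead"
CONF="/etc/modprobe.d/${CVE}.conf"

# Kernel version that 'status' treats as fixed.
LINUX_FIXED="7.0.5"

# Succeeds when version $1 is greater than or equal to version $2,
# using the ordering of 'sort -V'. An empty $1 is never "at least" $2.
version_at_least ()
{
	if [ -z "${1}" ]
	then
		return 1
	fi

	[ "$(printf '%s\n%s\n' "${1}" "${2}" | sort -V | head -n1)" = "${2}" ]
}

# Succeeds when ${MODULE} is currently loaded.
# /sys/module is checked first so the result does not depend on lsmod
# being installed; the lsmod match is anchored to the module name column
# so that other modules containing the same substring do not match.
module_loaded ()
{
	if [ -d "/sys/module/${MODULE}" ]
	then
		return 0
	fi

	lsmod 2> /dev/null | grep -q "^${MODULE} "
}

case "${1}" in
	check)
		if [ -e "${CONF}" ]
		then
			# installed
			exit 0
		else
			# removed
			exit 1
		fi
		;;

	status)
		# Only the leading numeric part of the release string is compared.
		# '|| true' keeps set -e from aborting with exit code 1 (which
		# would read as "mitigated") when the release string has no
		# numeric prefix; an empty version is treated as not fixed.
		# NOTE(review): a distribution kernel that carries a backported
		# fix under a lower version number is still reported as unfixed.
		LINUX_CURRENT="$(uname -r | grep -Eo '^[0-9.]+' || true)"

		if version_at_least "${LINUX_CURRENT}" "${LINUX_FIXED}"
		then
			# fixed
			exit 0
		fi

		if module_loaded
		then
			# vulnerable
			exit 2
		fi

		if [ -e "${CONF}" ]
		then
			# mitigated: module is not loaded and the rule file blocks loading it
			exit 1
		fi

		# vulnerable: the module is not loaded right now, but without the
		# rule file nothing stops it from being loaded on demand later, so
		# "not loaded" alone is not a mitigation.
		# NOTE(review): a kernel with this code built in rather than as a
		# module is not covered by a modprobe.d rule - confirm kernel config.
		exit 2
		;;

	install)
		mkdir -p /etc/modprobe.d

cat > "${CONF}" << EOF
# /etc/modprobe.d/${CVE}.conf

# Name: ${NAME}
# Date: ${DATE}
# URL:  ${URL}

blacklist ${MODULE}
install ${MODULE} /bin/false
EOF

		# Fix the mode explicitly so the rule file is root-writable only,
		# whatever umask the caller runs with.
		chmod 0644 "${CONF}"

		# Best effort: rmmod also fails when the module is simply not loaded.
		rmmod "${MODULE}" > /dev/null 2>&1 || true

		# The rule file only affects future loads. If the module is still
		# loaded (for example because it is in use), say so instead of
		# silently reporting success; the exit status is left unchanged.
		if module_loaded
		then
			echo "W: ${MODULE} is still loaded; ${CVE} is not mitigated until it is unloaded or the system is rebooted" >&2
		fi

		# Writing 3 asks the kernel to drop the page cache as well as
		# dentries and inodes.
		# NOTE(review): presumably done so cached file contents are read
		# from disk again after the module is gone - confirm against the
		# advisory. Under set -e a read-only /proc makes install exit
		# non-zero here even though the rule file is already written.
		echo 3 > /proc/sys/vm/drop_caches
		;;

	remove)
		rm -f "${CONF}"
		# Best effort: only succeeds when the directory is left empty.
		rmdir /etc/modprobe.d > /dev/null 2>&1 || true
		;;
esac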
