[OpenAFS] dirtyflag vulnerability and OpenAFS

[Michael Meffie]

Hello,

This message aims to clarify the impact of the recently disclosed "Dirty Frag"
vulnerability on systems using OpenAFS.

Here is our current understanding of the situation:

1. The OpenAFS kernel module itself is not affected by this specific class of
vulnerability. This is because OpenAFS does not currently use the Linux
kernel's socket buffer management system (`struct sk_buff`), which is the
component affected by disclosed issues.

2. The recommended mitigation steps involve disabling the `esp4`, `esp6`, and
`rxrpc` kernel modules. These actions will not negatively impact the
functionality of the OpenAFS kernel module. However, they will affect the Linux
native kAFS filesystem and any other applications that rely on the `AF_RXRPC`
socket type.

3. It is important to understand that using OpenAFS does not prevent a system
from being vulnerable to this issue. The vulnerabilities lies within the Linux
kernel's ipsec and rxrpc encryption code paths. We strongly recommend that all
users apply the necessary kernel updates and mitigations as they become
available.

Best regards,
Michael

-- 
Michael Meffie <mmeffie@sinenomine.net>