#!/bin/sh

# Linux Vulnerability Mitigation
# Copyright (C) 2026 Daniel Baumann <daniel@debian.org>
#
# SPDX-License-Identifier: PD
#
# This program is free software: you have unlimited permission
# to copy, distribute and modify it.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

set -e

CVE="pintheft"
DATE="2026-05-19"
NAME="pintheft"
URL="https://github.com/v12-security/pocs/tree/main/pintheft"

case "${1}" in
	check)
		if [ -e "/etc/modprobe.d/${CVE}.conf" ]
		then
			# installed
			exit 0
		else
			# removed
			exit 1
		fi
		;;

	status)
		LINUX_CURRENT="$(uname -r | grep -Eo '^[0-9.]+')"
		LINUX_FIXED=""

		if [ "$(printf '%s\n%s' "${LINUX_CURRENT}" "${LINUX_FIXED}" | sort -V | head -n1)" = "${LINUX_FIXED}" ]
		then
			# fixed
			exit 0
		fi

		if lsmod | grep -qs rds_tcp || lsmod | grep -qs rds
		then
			# vulnerable
			exit 2
		else
			# mitigated
			exit 1
		fi
		;;

	install)
		mkdir -p /etc/modprobe.d

cat > "/etc/modprobe.d/${CVE}.conf" << EOF
# /etc/modprobe.d/${CVE}.conf

# Name: ${NAME}
# Date: ${DATE}
# URL:  ${URL}

blacklist rds
install rds /bin/false

blacklist rds_tcp
install rds_tcp /bin/false

EOF

		rmmod rds_tcp > /dev/null 2>&1 || true
		rmmod rds > /dev/null 2>&1 || true

		echo 3 > /proc/sys/vm/drop_caches
		;;

	remove)
		rm -f "/etc/modprobe.d/${CVE}.conf"
		rmdir /etc/modprobe.d > /dev/null 2>&1 || true
		;;
esac
