A flaw has been discovered in the Linux kernel memory deduplication mechanism.

Previous research has shown that memory deduplication can be attacked by exploiting the Copy-on-Write (COW) mechanism.

However, the max page sharing[1] of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create another side channel.

When the attacker and the victim share the same host and the default setting of KSM is "max page sharing=256", the attacker maps 256 memory of the same pages it wants to learn and waits.
He can then time the unmap to see if it merges with the victim's page.

The reason the unmapping time depends on whether it merges with the victim's page is that additional physical pages are created beyond the KSM's "max page share".

Through these operations, the attacker leaks the victim's page.

We have confirmed that the target Linux kernel versions are 4.4.0-96.119 through 5.15.0-58-generic, and we expect later versions to be possible.

The research, titled "Exploiting Memory Page Management in KSM for Remote Memory Deduplication Attack," was presented at The 24th World Conference on Information Security Applications (WISA), 2023 [2] and will be published by Springer this year [3].


- Reference -
[1] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680513
[2] https://wisa.or.kr/accepted
[3] https://link.springer.com/conference/wisa

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0564
https://bugzilla.redhat.com/show_bug.cgi?id=2258514