Bugzilla – Bug 1202680
VUL-0: CVE-2021-3714: kernel-source,kernel-source-rt,kernel-source-azure: Remote Page Deduplication Attacks
Last modified: 2023-03-02 15:31:56 UTC
rh#1931327 A flaw was found in the Linux kernel's memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged. This attack can leak targeted information if an attacker is willing to write an exploit for the services running.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1931327
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3714
https://www.cve.org/CVERecord?id=CVE-2021-3714
https://arxiv.org/pdf/2111.08553.pdf
https://access.redhat.com/security/cve/CVE-2021-3714
https://arxiv.org/abs/2111.08553
Honestly, I find this threat rather contrived, but looking at the paper they seem to have achieved rather interesting results with this. I'm not sure we can be doing anything about this in the kernel though. It is more about policies sysadmins decide to follow. Anyway, not my call to decide. Let me add Michal here. Michal, feel free to reassign to virtualization guys if they are a better fit. Thanks!
Well, KSM has been known to be unsafe for these reasons for quite some time. In general it is discouraged to enable it for any security sensitive applications. Although we enable CONFIG_KSM, no pages are merged unless there is an explicit MADV_SHAREABLE. As Jack pointed out, there is not much actionable from the kernel itself. We could disable CONFIG_KSM, but that would also cut off sensible use cases.
Ping Claudio?
Hello, just disabling CONFIG_KSM is not currently possible; we have major customers actively using it (BMW), despite our feedback on its drawbacks. We should probably better inform customers about the security implications of using same page merging, due to these possible timing attacks, but otherwise we should probably keep the feature, or start an activity with all our major customers collecting information on KSM usage with the goal of retiring it in the long term. It is not something that can be done without customer feedback. Thanks, Claudio
Adding Dario into Cc who actively works on the qemu-ksm package. Dario, do you know if we enable KSM on any product by default, please?
(In reply to Petr Mladek from comment #10)
> Adding Dario into Cc who actively works on the qemu-ksm package.
>
> Dario, do you know if we enable KSM on any product by default, please?

As far as I know, it's not. In fact, we have a systemd service for that, and it's not being enabled in the various presets. And the kernel default should be "0", which means "stop ksmd from running but keep merged pages, must be changed to 1 to activate KSM".
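The comment above describes the sysfs knob that decides whether ksmd runs, and the earlier comments agree that the only real mitigation is a deployment policy (do not run KSM next to security sensitive workloads). The script below is an added example written for this page, not code from the bug report or from the kernel; it audits a host's KSM state by reading /sys/kernel/mm/ksm/run and pages_shared, and distinguishes the "run = 0 but merged pages remain" case, which is exactly what the default setting leaves behind after KSM has been turned off. The directory is a parameter so the check can be pointed at a constructed copy of the sysfs tree (the assumed layout is the standard one: a file `run` and a file `pages_shared` under that directory).

```shell
#!/bin/sh
# Added example (not part of the bug report): audit KSM state on a host.
# Reads the sysfs knobs referenced in the thread.  The ksm directory is a
# parameter so the check can run against a constructed test tree.

ksm_value() {
    # Print the trimmed contents of knob $2 under directory $1,
    # or "-" if the file is missing (CONFIG_KSM off, sysfs not mounted, ...).
    if [ -r "$1/$2" ]; then
        tr -d '[:space:]' < "$1/$2"
    else
        printf '%s' '-'
    fi
}

ksm_status() {
    # Classify the KSM state of the tree at $1 (default: the live sysfs path).
    #   absent                    - no ksm directory / knobs at all
    #   active                    - run=1, ksmd scans and merges pages
    #   stopped-with-merged-pages - run=0 (the kernel default once KSM was
    #                               ever enabled) but pages are still merged,
    #                               so the timing side channel still exists
    #   inactive                  - ksmd stopped and nothing is merged
    dir="${1:-/sys/kernel/mm/ksm}"
    run=$(ksm_value "$dir" run)
    shared=$(ksm_value "$dir" pages_shared)
    case "$run" in
        -)   echo "absent" ;;
        1)   echo "active" ;;
        0|2)
            # run=2 unmerges everything, so pages_shared drops to 0 there;
            # run=0 keeps existing merges, which is the case to flag.
            if [ "$shared" != "-" ] && [ "$shared" -gt 0 ] 2>/dev/null; then
                echo "stopped-with-merged-pages"
            else
                echo "inactive"
            fi ;;
        *)   echo "unknown" ;;
    esac
}

ksm_report() {
    # Human-readable one-liner for an inventory script or a compliance check.
    dir="${1:-/sys/kernel/mm/ksm}"
    printf 'ksm: status=%s run=%s pages_shared=%s\n' \
        "$(ksm_status "$dir")" "$(ksm_value "$dir" run)" "$(ksm_value "$dir" pages_shared)"
}
```

Source the file and call `ksm_report` on a host; anything other than `absent` or `inactive` on a machine that also serves untrusted network input is what the report and the linked paper are warning about. Writing 2 to `run` (rather than 0) is what clears the already-merged pages, which the "stopped-with-merged-pages" state is meant to surface.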
Thanks a lot, Dario. I think that makes it INVALID/WONTFIX then. As stated in comment 3, KSM should be used with care. Disabling KSM would break legit use cases as well, and we do not enable this by default in our usual virtualization solutions, so there is nothing actionable. I will leave open whether INVALID or WONTFIX is a better match in this context.