4837 Total CVEs
26 Years
GitHub
Home / 2024 / CVE-2024-49882
README.md
Rendering markdown...
POC / ksm_key_agreement
⬇ Raw GitHub ✕ Close 
ELF>�@@8
@'&@@@��00ee000���L�\�\d��L�\�\��88800hhhDDS�td88800P�td�<�<�<$$Q�tdR�td�L�\�\PP/lib64/ld-linux-x86-64.so.2 GNU���GNU(]ߔ��'���~ �{���U!GNU'�'����e�m9N�o >
�������� |V,]�
cb���� hv�u� `�"putsperrorclock_gettime__stack_chk_fail__printf_chkfree__isoc23_fscanfputcharmunmappollfopenpthread_joinusleep__isoc23_strtolpthread_creategetpidoptarg__fprintf_chk__libc_start_mainpreadgetoptsrand__cxa_finalizecallocfclosememsetioctlsignalmadvisesyscallmmaplibc.so.6GLIBC_2.3.4GLIBC_2.4GLIBC_2.17GLIBC_2.38GLIBC_2.34GLIBC_2.2.5_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTable"ti	,ii
8���B���M���Xui	c�\��\p``�_�_�_�_"�_( `'�^�^�^�^�^�^�^	_
___
 _(_0_8_@_H_P_X_`_h_p_x_�_�_�_�_�_�_ �_!�_#�_$�_%�_&��H��H��OH��t��H����5�N�%�N@��h���f���h����f���h����f���h���f���h���f���h���f���h���f���h�r���f���h�b���f���h	�R���f���h
�B���f���h�2���f���h�"���f���h
����f���h����f���h��f���h���f���h����f���h����f���h���f���h���f���h���f���h���f���h�r���f���h�b���f���h�R���f���h�B���f���h�2���f���h�"���f���h����f���h����f���h��f���h ���f���h!����f����%�MfD���%^LfD���%VLfD���%NLfD���%FLfD���%>LfD���%6LfD���%.LfD���%&LfD���%LfD���%LfD���%LfD���%LfD���%�KfD���%�KfD���%�KfD���%�KfD���%�KfD���%�KfD���%�KfD���%�KfD���%�KfD���%�KfD���%�KfD���%�KfD���%�KfD���%�KfD���%�KfD���%�KfD���%~KfD���%vKfD���%nKfD���%fKfD���%^KfD���%VKfDH�=��t�������H�=/�`�����H�=��R���H�{H�������;�O����H�=���H�=q�(����;�1�������H�=J�
�����H�=S����;������H�=b���H�}H���n����H�=!�����H�D$(dH+%(uH��8H�=�[]A\A]A^A_����i���f���AWE1�AVE1�AUL�-�ATL�%�&U��SH��H���D$L��H�މ��`����������b��wIc�L�>��DH�;�(H��1�[]A\A]A^A_��A���A���H�=	J�
1��]����D$�w���A��l���A��a���H�=�#�B���H�={$�6���H�=�$�*���H�=�$����H�5G�����A��t!A��t,A���7����|$D���[�.����|$D�������D���]�������1�I��^H��H���PTE1�1�H�=������H�f.�H�=IH�
IH9�tH��HH��t	�����H�=�HH�5�HH)�H��H��?H��H�H�tH��HH��t��fD�����=�Hu+UH�=rHH��tH�=vH����d�����H]������w�������BH��AUATUSH��hdH�%(H�D$X�H��t\H��H�l$L�d$D��d�H���D$�D$�����~�;� L�����H�� u�|$t0��G��u�H�D$XdH+%(��H��h1�[]A\A]�D�C L�l$0�L���C �
���f��HiD$0ʚ;HD$8D$HH�C(H�D$ H%�H�D$0�s����;L���(�H�D$81�H�D$@����H�|$8�j����M���������SH�5�H��dH�%(H�D$1�����H��tHH��H��1�H�T$H�5��=�����t�D$����H���h����D$H�T$dH+%(uH��[Ã����T���@��U��H�5{SH���X���H��t,H��H�É�H�f1��x���H������1�H��[]Ã���f���ATH�=.L�%%US���L��H�=3���H���}���H�ù�H��H�-�1�H������H�����L��H�=����H��H��t2�H��H��1�����H���^���H�=�"���1�[]A\�����fD��SH�5}H�=��X���H��t'H��H��1ɾH�f1��x���H������1�[Ã�[����AUL�-'ATI��L��UH��H�=�SH��dH�%(H�D$1����H����H��H��1�H�T$H�5��T�����t�D$����H�������D$�EL��H�=v���H��H��t^H��H�T$H�5�1�������t�D$����H���6����D$A�$E��H�T$dH+%(uH��[]A\A]Ã������A�$��������fD��UH���SH���CH��XdH�%(H�D$H1��a����������foo ��H��1�H�D$�?��)$�����������H�kE1�A�����H��"�1����H�CH���������;H�D$ H�T$ 1��� �H�l$(H�D$8H�D$0�k������&����C 1�H�{H��H�C(H�������������H�T$HdH+%(uH��X[]����ff.���SH��H�1��C�3���H�{H�s�v����;[���ff.���AUE1�A������"AT�A��UH��S��Hc�H��H�_H��1�H���m���H�EH��������H�ǺH���?������q���L�m�L�����H�EH��t&D��L��H�501������1�H��[]A\A]�H�}H���������fD��USH��H��H�?H��t H�k�
H��H�����H�;H���k���H�{H��[]�,�ff.����@��H��H�H�H��H�G�H���H��H)������H��@����Hc�H�f���1������1H�� ��H�� H	�H	�1�H)�H������f���U1�SH��H�=�H��dH�%(H�D$1�����x^H����H��H����������H��u4���H�$H��H��?H��>��!�H�T$dH+%(uH��[]�D���������g�����G f�H��(�G�G����ff.���USH��H��H�(H��t!H�k0�
H��H����H�{(H����H�{8H��[]�z�f.����2@S��t�\�[����1��Y�H����1؉�����?�)�[���@�����I�����4��)Ɖ����Hc��L��@��H�I�H(H�H��H�yH�H��H���H)������H�L9�ủ��f.�����I��E1�Hc�L��@M�Y(I�1��A��у�A���1H�� H�� ��H	�H	�H)�H���A��H��L9�u�1�A�����f���ATI��I��U��SH��������A��+��H���a���A�$��t��E��IŃ���H��C []A\�@��AU��1�ATI���US��H�5��kH����؃�I���~*1�L�-�DA�L��1�H����9��H���
[]A\A]�x����SH��H�5�H��1����H�=�f�H�=�Z�H�=��N�H�=7�B�H�=S�6�H�=o�*�H�5�1���"�H�=D��H�=U��H�=f���H�=���H�=����H�=����H�=E��H�=C��H�ڿ1�H�5F��H�=���H��H�59[�1���f���AWAVAUATUH�-�SH��8�<$H�=�dH�%(H�D$(1��8�H��H�=���H��t9H��H��1�H�T$$H�5�����t�D$$����H���&��|$$��H��
H�5�
�1����H�=�
�����������H��H�=��	�H��H����H��H�T$$H�51��w���t�D$$����H�����D$$�D$H��H�=���H��H����H��H�T$$H�5�1��)���t�D$$����H���T��D$$�D$�L$�T$�1�H�5���E1�A�����1��"����2�E1�A�����1��"���I����H�D$I����Y�H����O���BL����H�\$���BL�t$$L�-�
H��������L����H�ߺ1۾���H�=5�@��D$L�d$���D$��H��H�=6
�y�I��H���GH��L��1�L�������t�D$$����L����D�d$$H��H�=
�4�I��H���
H��L��1�L������t�D$$����L�����D�|$$�$��u
i�����=3333w5H��D��E��ڋL$E���H�5�)�D��P�D$A)�1��g�XZD9|$�:�������t��9������L�d$H�=~��1A�$�щ���1H�� ��H�� 1�H	�H	�E1�A�����H)ʾ�"H�պ�$�I��H���������I�}L��I�EH��I���H)������H�1A�E�щ���1H�� ��H�� �H	�H	�H�51�H��H��H)��v�1�H�ڿH�5�`�H����f��H*�H����f���H*��^�H�56
�H۸��H9�rjH�=s��H�=������L�����H�|$�����H�D$(dH+%(�H��8L��[]A\A]A^A_���H�=���H�=����fDH��H��f��H���H	��H*��X��3����H��H��f�H���H	��H*��X�����H�!	H�5��1��&��Y����H�=		L�d$������f.�H�D$(dH+%(u0H��8H�=e[]A\A]A^A_���A���������A�������������D$��������D$�����'������AWAVAUATU��S��H�=_H��xdH�%(H�D$h1��^���H�5m1���Y������f�H�|$H��D$@)D$ )D$0�����A�L�l$ L�|$H�=@���H�=\����D$��<�fD��tfL���L$D��H�5_1����E��A��A9�}�6E�f���tqH�T$L��D��L�������D$��t��D$L����u�D��E��Шu�D�D$D��ٿH�51�D�t$A���D�D�L$A9�|�f.�H�=���T$�ٿH�5o1�����L�����H�\$HH��t$H�l$PH�ߺ
H��H����H��H�����H�D$hdH+%(udH�|$XH��x[]A\A]A^A_�k�H�D$hdH+%(u9H�=�H��x[]A\A]A^A_�n�fDH�D$hdH+%(u	H�=�����f.���AWAVAUATU��S��H�=O
H��xdH�%(H�D$h1���H�5_
1��ڿ�	�f�H�|$H��D$@)D$ )D$0�t���dA�L�l$ L�|$H�=]
���D$��=����tfL���L$D��H�5O
1����E��A��A9�}w��3E�f���tiH�T$L��D��L�����D$��t��D$L�\��u�D��E��Шu�D�D$D��ٿH�5
1�D�t$A����D�L$A9�|�f�H�=
����T$�ٿH�5*
1������L����H�\$HH��t$H�l$PH�ߺ
H��H�����H��H����H�D$hdH+%(uEH�|$XH��x[]A\A]A^A_�;�H�D$hdH+%(uH��xH�=�[]A\A]A^A_�>��y���H��H���r%dw[KSM] Enabling KSM.../sys/kernel/mm/ksm/runuserfaultfdUFFDIO_APImmapUFFDIO_REGISTERpthread_createMADV_MERGEABLE/proc/self/pagemapKey (%d bits): %02xUsage: %s [options]

Options:  -v          Verbose output  -h          Show this help
Requirements:
Example:  # Party A (run first):  sudo %s -s
  sudo %s -r
disabled[Test] KSM status: %s
[Test] Enabling KSM...enabled[Test] Pages merged![Test] Ratio: %.2fx
YESNO[Sender] Failed to enable KSM[Sender] Failed to initialize[Sender] Merged pages: %d/%d
srtb:vh/sys/kernel/mm/ksm/sleep_millisecsFailed to set KSM sleep interval[KSM] KSM enabled with 20ms scan interval/sys/kernel/mm/ksm/pages_shared/sys/kernel/mm/ksm/pages_sharing[KSM Channel] Initialized %zu pages for %d-bit key

KSM Timing Side-Channel Key AgreementExploits CVE-2025-40040 for covert key exchange  -s          Sender mode (Party A)  -r          Receiver mode (Party B)  -t          Test KSM timing locally  -b BITS     Number of key bits (default: %d)
  - Root access (for KSM control)  - Kernel with CVE-2025-40040 (VM_MERGEABLE as 0x80000000)  - KSM enabled in kernel config  # Party B (run on same host or co-located VM):[Test] Testing KSM page merging timing...
[Test] Failed to enable KSM. Run as root.[Test] KSM stats - Shared: %d, Sharing: %d

[Test] Waiting for KSM to merge identical pages...[Test] Scan %d: Shared=%d (+%d), Sharing=%d (+%d)

[Test] Measuring write timing (merged vs unmerged)...[Test] Write to merged page:   %lu cycles
[Test] Write to unmerged page: %lu cycles

[Test] SUCCESS: KSM timing side-channel is detectable![Test] Merged pages have significantly higher write latency.
[Test] WARNING: Timing difference may be too small.[Test] Try adjusting threshold or wait longer for merging.[Sender] Starting key agreement (Party A)...[Sender] Will derive %d-bit shared key

[Sender] Starting key derivation...[Sender] (Run receiver on same host simultaneously)
[Sender] Bit %d: pattern=%d, merged=%s
[Sender] Progress: %d/%d bits (%d merged)

[Sender] Key derivation complete![Receiver] Starting key agreement (Party B)...[Receiver] Will derive %d-bit shared key

[Receiver] Failed to initialize[Receiver] Starting key derivation...[Receiver] Bit %d: pattern=%d, merged=%s
[Receiver] Progress: %d/%d bits (%d merged)

[Receiver] Key derivation complete![Receiver] Merged pages: %d/%d
╔════════════════════════════════════════════════════════════════╗║  KSM Timing Side-Channel Key Agreement                         ║║  Exploits CVE-2025-40040 (VM_MERGEABLE flag bug)               ║╚════════════════════════════════════════════════════════════════╝
��������������������������������������������������������������;$#���X��������������$z�����������@��@0���@���p�����$@��P����@���@���`�<��X`���������@���@�T`�|��� ��������p�(��Dp����XzRx����&D$40��0FJw�?9*3$"\8��t0�� �x��8�t��0F�B�A �A(�D��
(C ABBF �h��|E�K `
AA(���NE�J�D s
AAA,,����F�O�A ��
ABA\h��" ���xL��IE�~
AD8�|���F�I�G �K(�D@�
(A ABBA(�@��E�I�Lp�
AAA���hp����2E�h84@���F�P�I �D(�N0q
(A ABBAp���.0����$����DE�A�G pAA����<��������7(�$���E�C�N0j
AAF���%$0���FE�A�G rAAX���LK�J
Khx��f�h��g(����\F�G�C �HAB4����xF�F�I �A(�P0B(F ABB@�E�p D��F�B�B �B(�A0�H8�Dp�xa�OxAp�
8I0A(B BBBL�
8H0A(B BBBE4����/p������T
8H0A(B BBBEd�x�FF�B�B �B(�A0�C8�M��
8A0A(B BBBH[
8A0A(B BBBKd4`�F�B�B �B(�A0�C8�M��
8A0A(B BBBHT
8H0A(B BBBEH���XF�E�E �I(�H0�C8�GPA
8C0A(B BBBH�p"
X-�\�\���o���
��^0(
�	���o���o�	���o�od	���o�\0@P`p�������� 0@P`p�������� 0@`GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0L����pXYPM
�!�6tyN!D�	'	&K�Oint8s��	-6�	�3	�A	�s�	��	�=Z	�s	�:	�!
�0�0�'��
1��
3s�
6	�n
7	��
8	�x
9	� 	
:	�(�
;	�0n
<	�8v
=	�@�
@	�H�
A	�P:
B	�X
D�`
F�h�
Hsp�
Ist�
J�x
MR��
NY�
O���
Q���
Y
��1
[���
\��
]���
^	D��
_
*��
`s��
b���P�
+9�
�
1��26
�9.
�9�
�1��26
!� N�
�!�\
��
�'OPZ	���o�6QJ88��:�+;1��267J>c0�)`0�8���8�
�!�R�$� H�
�SsfKGR=�,
*P"�Awb�x"t��u
3�v
3�yM"|�ufd}
"��L�
3to�
3len�
3"��	�
3end�
3"�/B�
3/�
39�
3Ast�zb�~����������'� l�YmBo/p9qarg�/'���api�3��3o�3:M	3(len3:1 VT��
3o3:(�(dst3(src3(len3�3%' h!6'�$�fd&	s'l(lB�9z	`"0�	U��	s��D��*�W��z w��(h��C��D�*Y
�
sD� aC@��(key�
�	�	s ���(1��26D-�������s�X�1s��[sQsQ�
�I�=m=H�s��EL=s;K?�=Ee���L��
O'��sD*�*�5O�#	sD*�*�-��L	sD*��csl	�sa	s�	�sF�%F�#j	^s�	D*sa�s�	W�	
D��s�	�	

F
W!�	
�!


TD 
DLs;
D*�9Dj
D*sss�$fs�
s{C�
,	!s�
�

)��
sD**� �sD**��,sD*dsQQ�s6
��dsQ�s6��s�Q�s;���D�*s�s6*�D�**4s	s�;�n��1s<s�#�sRUZ�Qss�b���)��spX�T��s���>6��	sb`�	stp��	s��opt�	s��=A�l
<OA#�T0Q:]ABB�
lA��N�HU	:]ANN
lA��Z�HU	�:]AZZYlA��f�HU	;]Aff	�lA�r�HU	`;�1�UvTsQ}�G'��U2T	��,U���T�T?U���T��U#w�P+�,�s��%sVLGka����~k�	s��*+�bit�s��?$n�
s��~$^�s��~]A,,�
WlA��,�U2T	`9Q|
]A�,X�
�lA
�,�U2T	�9Q��~�RsX��~�J,�.U}T|Q��~R
]A}+��#lA%#�+�HU	�8]A�+�+�}lA97�+�U2T	�8Qs,3�+�+%�	>3QO
	A�+��0Aca$AtrA���+�5U��T

]A�+�RlA���+�HU	89]A�,�,��lA���,�HU	�9]A�,�,�lA���,�U2T	�9Q��~�Rs
3�,k�� 3��~5�,k��5��3�5�,$�	�5�,�	�UsTvQ=�, 
UsTv%%-�W-�J
]A(-��	lA+R-�HU	9�,k-U}Ts#=�)F���s2$��#s�sGka����~k�	s��*��bit�s��$n�
s��~$^�s��~]A�)�)�
/lA1/�)�U2T	88Q|
]AS*��
�lAIG\*�U2T	`8Q��~�RsX��~�*�.U}T|Q��~R
]A-)f��lAa_2)�HU	x7]A2)2)�UlAusG)�U2T	�7Qs,3T)T)%�	�>3��
	AT)v��0A��$A��A��y)�5U��T

]A�)��*lA���)�HU	�7]A�)�)�ylA���)�HU	8]Ap*p*��lA��|*�HU	�8]A|*|*�+lA�*�U2T	�1Q��~�Rs
3�*��� 3($~5�*���5A?3�5�*$�	�5SQ�*�	�UsTvQ=�* 
UsTv%�*�F+�J]A�*�*�	)lAb`
]A(+��	^lAvt%"+�HL)�<�*k-U}TsV�2��G'�2s���7	s���B	s��BsQO�H*h^#ID��+KDt1t�]Ut2w���,x�3{D6.*��]Y*6�i^ssT;_
s��C_s��
�;h%t`	@�;���;		�?h%����?4	0	�	�?d	\	�?��w%siU	�2Tv�%R�U|T}Q~�%<U|4�?�%���?�	�	�	�?�	�	�?���%sU	�2Tv�%R)UT}Q~�%<U
]A&�c
�lA�	�	9&�U2T	�5QsR|X|���Y
]A�(�i
�lA�	�	�(�HU	�1S&VU1
�?X#�7��?

�	�? 

�?��g#seU	!0Tv�#R�UsT	0Q���#<Us
]AS#�4�lA6
4
X#�HU	�4
]A�#�8plAL
H
�#�BU2T	Z1Q	Q1z(�U2T	Z1Q	�1]A�#�#;	�lAv
t
�#�HU	q1
�;�#�C@ �;�
�
�;�
�
�?�#����?�
�
�	�?�
�?���#sYU	�2Tv	$R�UsT	0Q��$<Us4�?&$��?#	�?QK�?��5$s�U	�2TvW$R) UsT	0Q��l$<Us]At$t$D� lAnl�$�U2T	P5Q���R���	A�$�$T!0A��$A��A���$&LU|TBQ
�
	A�$&Uz!0A��$A��A��%&LU��TBQ
�]AD%D%[�!lA��P%�HU	�5]Ak&k&q"lA�w&�HU	�5
@w&�tS"�	#@	-@#!
@�&�w�"�	#@20	-@A?	A�&�&/}�"0APN$Ab`Auq
@�&
#	#@��	-@��
@�&�
R#	#@��	-@��
]A%'*��#lA��*'�U2T	(6Qv]A*'*'��#lA��@'�U2T	X6Qs
]A@'@�B$lA���'�U2T	�1]A�'�'�	�$lA#
!
�'�HU	7]A�'�'�	�$lA7
5
�'�HU	87]A�'�'�	/%lAK
I
�'�HU	�6]A�'�'�	~%lA_
]
(�HU	�6
]A�(S=
�%lAs
q
+�(�HU	 5�#�<�$;
&U0T
�Q3R"X	�Y0�$;
6&U0T
�Q3R"X	�Y00%�	Z&U|T
�Q<D%�	�&U��T
�Q<�&;
�&U0T
Q3R"X	�Y0�' 
�&U|T
��' 
�&U��T
�H�' 

'T
�(�JHb	9'U	O0g�J#�"�k-���
�

]A"p�'lA�
�
"�U2T	�0Qs]A""(lA�
�
*"�HU	(3]A*"*"d(lA�
�
6"�HU	P3]A6"6"�(lA�
�
B"�HU	�0]AB"B" )lAN"�HU	�3]AN"N"!Q)lA$"Z"�HU	�3]AZ"Z""�)lA86f"�HU	�3]Af"f"#�)lALJ~"�U2T	�3Q
]A~"~"$J*lAdb�"�HU	�0]A�"�"%�*lAxv�"�HU	�0]A�"�"&�*lA���"�HU	1]A�"�"'7+lA���"�HU	(4]A�"�"(�+lA���"�HU	P4]A�"�")�+lA���"�HU	�4]A�"�"*$,lA���"�HU	1]A�"�"+s,lA���"�HU	1]A�"�",�,lA�"�U2T	51Qs]A�"�"--lA#�HU	�4]A#�.,lA
C1�+#�U2T	C1Q�U#^�!x��.&key�.4.(sZP*:	.is��]A�!J	lA���!�U2T}
]A�!!W.lA���!�U2T	�0Qs]A�!],lA�P+�!	PU:
�#N� !\�{/&ka�+{/����3s��n�C�^�Q�@:	s`\�	s�}8!71E/UsTvE!m`/U�O!�/UsTv
�)��s� g�71&ka�1{/����9s��k�	s���i�s��W� :-	�
s��D(5� � �]0<E5:5X�4� � (�
�4$"	�451	5sq	5��	5��
@� �e
�0�	#@��	-@��@� h
	#@��	-@
)	�s@ f��2&ka�0{/��8s5/��	sSQ��
�d`�i�s��	�
s����D
X5o ��	^2p5+)c5@<	Ao 	�O0A\Z$AnlA��(5o ��E5��:5��)��s�L�3$b�s	,` � ��2U0 �( �7 �=��,35ka�-{/6��sJ35ka�){/)�us����4�u%D��fdw	s�-�z�-�{�$I|��P�	s%��	sTN
l@�Iw64�@��{@���L	U	�0T0
�@\~	�4<�@�@���@���@��#	UvT�PQ8Rs3$)j
�4Uv]j
i�J6Q_s#5.�_D>t1a�>t2a�>pb#5-3j�
�6:	SDS55chSS5.	S's
�=�M~5.�MD.�M$�=�B�55chB)S5Y-{E*�	�5TvQ=% 
TvZI	#s��^7&ch#%S5��#-s3){&*oe]A��=�6lA����U2T	�2Q}R|s;
�6U0TsQ3R"X	�Y0��	�6TsQ<���6U}T4� 
7Ts	*7U	s0" 
B7Ts3	U	O0#=�2��7&ctx#�7��
�	�7T0 
%"j

UI��s���9Jctx� �7��[��,*3)7api����7reg�����
A8U
CT/�c8T?��Q��X;
�8U0TvQ3R"X	�Y0���8T� �Q����	�8UsT0Q	�Rs��J�	� 
9Tv�j
�	F9U	D0�j
�	r9U	80	�9U	O0j
K��D�0��;Jarg�Doectx��77msg�t��*�;7pfd����~\ret�
s��]x��:B� V���?�@�$:@
@����
U1T}���:U1T
���:T�(�Q}���@,�
';�@���@���@��;T|Q 48@-�_@��S@��G@�(UvT1Qd�J?��s�;;��C�%�KX�s�I��<4p?����?~? �	�?<6/zA��g�<�AWU�Aqm�UsT2Q	2R0�s�<U	!0T		0�<UsIlrsc�p?]A�yt=lA����HU	0p?��w	>�?��~?���	�?/zAg�=�A86�ARN$UsT2QvRD�s�=U	(2T|,<Usp?,�}	�>�?jf~?���	�?��/zACCg�>�A���A��ZUsT2QvR1;s�>U	!0T|b<Us/]Abb�5?lA��n�HU	x2�	T?U	P2�	U	�1?vbs�?3b!�^valb+sfd?�Vs�?3V �fXval[	s__O���?`sigOsUL�H�@tsJ)L	A�8@loC=hiC= �%sl@�%Q�%$�%0s c)s�@1)��)s �$��@�$s�$D$&*�$8� �	A�s�D%* �9D=A�9D�9sC	9*68�s]A.[�� �TszA(T � �Ms�AM(M<��?|�WB�?
	�?.(�?�d%sBU�UT	0CR1BUsT	0Q�dX<IBUs|�Jp?�N�4C~?KG�?jb	�?��zA�Sg�B�A���A���UsT2Q	2Rv�sCU�UT		0�<Us�;����D�;���;�?��D�?:6�	�?hb�?�D
s�CU	�2T},R�CUsT	0Q�DA<Us/�?HHF��D�?��	�?���?�DWs{DU	�2T}uR�DUsT	0Q�D�<Us��J~5�D�&E�5��3�5 E	�5��%4�X5@<��Ec5��,p5T	ADO0A$AA2,(5���E,:5UE5RN�4�7��F,�4U	�4mi	5��	5��	5��
@� e
UF 	#@	-@$"@�6h
6	#@31	-@B@,3p%�G>3UO
	Atl��F0Aus$A��A��+��5U�U#(T
3�F��G 3��~5���5��3�5�!�G	�5����	�GTvQ=� 
Tv%�����╔════════════════════════════════════════════════════════════════╗
@(J�H║  KSM Timing Side-Channel Key Agreement                         ║
J�H║  Exploits CVE-2025-40040 (VM_MERGEABLE flag bug)               ║
���╚════════════════════════════════════════════════════════════════╝

2�0[Receiver] Starting key agreement (Party B)...
)�'[Receiver] Starting key derivation...
(�&
[Receiver] Key derivation complete!
a==#�![Receiver] Failed to initialize
0�.[Sender] Starting key agreement (Party A)...
'�%[Sender] Starting key derivation...
8�6[Sender] (Run receiver on same host simultaneously)

&�$
[Sender] Key derivation complete!
!�[Sender] Failed to enable KSM
!�[Sender] Failed to initialize
�[Test] Pages merged!
.�,[Test] Testing KSM page merging timing...

�[Test] Enabling KSM...
@��6�4[Test] Waiting for KSM to merge identical pages...
:�8
[Test] Measuring write timing (merged vs unmerged)...
8�6
[Test] WARNING: Timing difference may be too small.
>�<[Test] Try adjusting threshold or wait longer for merging.
;�9
[Test] SUCCESS: KSM timing side-channel is detectable!
@�>[Test] Merged pages have significantly higher write latency.
-�+[Test] Failed to enable KSM. Run as root.
*�(
KSM Timing Side-Channel Key Agreement
3�1Exploits CVE-2025-40040 for covert key exchange

�
Options:
'�%  -s          Sender mode (Party A)
)�'  -r          Receiver mode (Party B)
)�'  -t          Test KSM timing locally
 �  -v          Verbose output
 �  -h          Show this help
�
Requirements:
%�#  - Root access (for KSM control)
?�=  - Kernel with CVE-2025-40040 (VM_MERGEABLE as 0x80000000)
$�"  - KSM enabled in kernel config

�
Example:
�  # Party A (run first):
4�2  # Party B (run on same host or co-located VM):
�
@VL�[KSM] Enabling KSM...
-�+[KSM] KSM enabled with 20ms scan interval
I~1�BH}IH}
:;9I81R�BX!YW6	41�B
1R�BUX!YW:;9I4:!;9I�B
!IUH}:;9I.?:;9'I<:!;9I�B$>
:;9I81R�BUX!YW4:!;9I�B1R�BUX!YW41.1@z
:;9I.?:;9n'I<
:;9I8.?:;9'I<4:!;9I .?:;9!'I !4!7I":;9#.?:!;9!'@z$4:!;9I%H}�&:!;9I�B':;9!(
:;9I8).?:!;9!'I@z*U+H}�,1-4:!;9I.:;9I/1R�BX!YW0&I1I2!I/3141R�BUX!YW5:!;9I6.?:;9'I 74:!;9I85I9<::!;9!;.?:;9!
'<<1=.?:!;9!' !>4:!;9I?.?:!;9!'I !@.?<n:!;!A:!;9B4:!;9IC:!;9!	D:!;9!IE.?:;9'I<F.?:!;9!'<G4:!;9!IHH}�I.?:!;9!'IU@zJ:!;9I�BK.?:!;9'I@zL.:!;9!'I !M%UNO$>P:;9Q:;9R4:;9I?<S'T'IU.?:;9n'I<V.?:;9'U@zWX1R�BXYWYZ.?:;9'IU@z[:;9I�B\4:;9I�B]^:;9I_.?:;9'@z`:;9Ia.?<n��
Hkx����!)2ENW�`gnv����������� .	��K
��.�
�~��	�
�~.��	��~�
�~JX	�	L�~
��	jst�
o&�<��
g�Y �'L��&� �X"U
M2 �'Z
] y�
_ y.
�Y��XYsJ�Y�	X%X)��KzX<4�K=sYY
jXff
�X�/f<JK`
c.tt
c.X!k��f
X��e!Zf
 X�R
�-/XX	�KZ#] /�f
.X� . \ <$�Lf4tLX<4LJt4X�IY�	X%X)��J
/=H!Z	X%X)��J0K0<=X.I<<.7V�0���VLVJ�X/��	S	�SO	X�K�L�	x.	`x�n	X�u	��	��J  �K >J
-�Y�/.K3�3S��KKM.<XL�	��K]�~
��/X .	y<�s�K�<	Y	KW	K��KXK�}
�J
�}<J���\K-<!<=
<K�}�J�}</�</=�}/��}!J.J! �f* @���}X�.�}Jt�J��}X�M
�}J����}
X	�-k\!K>HL./	t�Yxt�K�}�
�}t�JJ
�}X��X	�K����J	Y	KW	K���JX� ��Kd"NY=	~�X	JY�Y=
X	O)]	fY

X
�|�X	��	��~�}!�t�
�|tJ�-�^�t=
	��~!t	��~�}�J�}J/�<==�}/��}JJ!���<�-
t
X8�
�L�>[U?[
�P	H![	q!?	U?ZK  .	XK�|�
�|.�J
�|XX�
�|Jt$�:
�|JX�
$�f	��|	�
�|X��
�|JX*�J�|�
�|J�XJ
�|.��K�|�
�| ��
�|<tX��|
���|
���|
���|
���|
���|
���|
t��|
���|
���|
���|
���|
���|
���|
���|
���|
X��|
���|
��
�| �	 #��|��tX
�|<t���|
X��|��	X%X)����|�
��	�|
�	�
X��|I!�	X%X)���0H!�	X%X)���1��|
����>X[B�{
 ��{
	!�
_���!�)��{
��
&
	wt�|I!�	��%X)��X0H!�	��%X)��X1	��
u�{

�J
�{<
�X
�{J
��
�{. .	�	�)qX	<X)qX�X�{
���{&�.�{XK�=�{/��{!J.J�!�{.�f�?�?X��{
�����{&�.�{XK�=�{/��{!J.J
!oX
f��
�{<�<>�{
X��{
X��{%� 
�{X)��
�{<��	\�{
�	��{
����=I�.JI	v��{
�	��{
���%(�{(
��
�|f�
��{
X
��S�|
��
�{J�t
�{�X����{X��	)�
�{ t�J��{
X��{
J�	X��~�}
�J�
�}���X���{&�	�
�{X���{
��
&	&�	�
K�{t
�
�<5v&��	K0�	!
[sM
=;
�{f
���{&�
�{J�5�&��{
���{
����}�X	Y	Y�	K���J��}J�	��{
f�X 
�{��	��{
����
�{ t�J��{
X��{
J��}�}
�J�
�}���X���{&�	�
�{X��
&	&�	�
K�zt
�
�<5v&��	K0�	!
[sM
=;
�zf
���z&�
�{J�5�&t�z
���z
����}�X	Y	Y�	K���J��|J�	��{
��
�zJ�t  
�z�X�	��	t�	��	�.��u	r.g��ut	��	.�u	�.��yX��X��.	�J�tJ	�fX	p�Kz	19	/;	�yt	�2�2�	�<)<�t 
`�
gs�
	��}
.J
�	tX���z
���z
���z
���z
��	Z�Z�Z�__streamstartmunmaprevents__ssize_t__fmt_IO_codecvt_IO_save_end__u16uffdio_range__clockid_t__u8merged_count_IO_write_baserunning_lockksm_channel_trandom_bitpthread_create_IO_save_basevaddr__poll_chk_warn__read_aliasuffd_msgbit_index_chain__u32_cur_column__printf_chk__uint8_t__pathatoirun_senderusleep__pread_chk__nptrinitializedour_bitwrite_sysfs_int__builtin_memset__fprintf_chk_IO_markermainfeatioctlget_ns_IO_FILEbit_posremove_IO_wide_dataksm_channel_cleanup__u64unsigned char_freeres_listfcloseunmerged_cycles__syscall_slong_tfrommeasure_page_mergedgetpidksm_enablerun_receivercheck_page_shared_pagemap__read_chk_warn_IO_lock_tsignalkey_agreement_cleanupprog_IO_read_ptrnum_pagesmmapfeatures_markerskey_agreement_propose_bitregion1region2region3sharedreserved1__builtin_putcharprint_keyuffd_context_tlast_fault_timepread__uint64_tpthread_t_flags2address_IO_read_baseuffd_unused2__open_aliasremapchannel__size__isoc23_strtol__timeoutGNU C17 13.3.0 -mtune=generic -march=x86-64 -g -O2 -fasynchronous-unwind-tables -fstack-protector-strong -fstack-clash-protection -fcf-protectionargc_old_offsetpollfdargv__bufgetoptverboseswapped__chlong long intptid__useconds_t_IO_write_endpage_idxuffdio_copy__builtin_putskey_agreement_tuffd_cleanuppthread_attr_teventsignal_handler_IO_buf_basetotal_size__open_too_many_argsperroruffd_setup__pad5pattern_bit__int128 unsignedtest_ksm_timing__fd_flagspoll__nfdsuffdio_apibyte_idxnum_bitspresent__read_chkcallocuffdio_register__pid_tentrytimespecksm_disable__poll_chklong long unsigned int__off_t__offsetpagefault__poll_alias_freeres_bufshared_before__fds__time_t__open_missing_modeksm_get_statsfork_IO_backup_base_shortbuf__nbytes__int128__align__off64_t__stack_chk_failkey_agreement_roundfopennfds_tioctls_IO_buf_endksm_runsharing_beforeprint_usagefprintf__s64short inttv_nsecfault_countread_sysfs_int_vtable_offset__destkey_agreement_check_mergedhandler_thread__sighandler_treserved2reserved3sharingsrand__isoc23_fscanfpthread_join_IO_read_endsyscallfill_page__pread_alias_filenooptargreservedpatternuffd_handler__oflagfreeshort unsigned int__pread_chk_warnkey_agreement_initbits_agreedrdtsc_IO_write_ptrclock_gettimeget_page__lenksm_channel_inittv_sec__open_2madviseksm_key_agreement.c/home/vlad/Desktop/convert_channel_bug_exploitation/usr/include/x86_64-linux-gnu/bits/usr/include/usr/lib/gcc/x86_64-linux-gnu/13/include/usr/include/x86_64-linux-gnu/bits/types/usr/include/asm-generic/usr/include/linux/usr/include/x86_64-linux-gnu/sysunistd.hpoll2.hstdio2.hstring_fortified.hfcntl2.hstdlib.hstddef.hstruct_FILE.hstdio.hclockid_t.htime_t.hstruct_timespec.hpthreadtypes.hstdint-uintn.hsignal.hint-ll64.huserfaultfd.hpoll.hgetopt_core.htime.hunistd-decl.hmman.hpthread.hioctl.hstdio2-decl.h<built-in>p3U3pVpy�U�y�Vp3T3oSoy�T�y�St/0�t/
���Pt/0�u�1��P��PB��GN��HZ��Hf�7IP+U�S���U���S���U�P+1T1�V���T���V���T��+0�#��~@I��~Sw��~����~�+0�@\@I|�S�\��|�,
`9��,
�9�}+�J�+
�8��+%��~��+  ��+ 0��+ ��~��+�:J�,�eJ�,
�9��,M]MV��~��,V����,V%--��J)U�S���U���S���U���S���U�)1T1�V���T���V���T���V���T��)0�"��~?H��~Rv��~����~�)0�?\?H|�R�\��|��)
88�S*
`8�-)��J2)
�7�T)%��~�T)  �T) 0�T) ��~��)��J�)�Kf*�RK|*
�1��*M]MV��~��*V����*V�*�zK"+��K ##U#�����
�U��
������U�����8/���#���	�	��&$��������	�	���	�	���	�	��8/��t$P�$�
����
����
����
��8/
���$P�\��������������\8\*/\�$%P%�������������P8P/���&q���� $t����!�r���� $t����!�w|q���� $t����!�|�r���� $t����!��&q���� $p����!�w{q���� $p����!��&Q�V��V�&
P
�]��U��]%'RS��SP%0��S��s���S��S��S�%�\��\��\�%_e%�������e%�������e%H
�2���
�2�z%PU3\��P�%E
�2���
�2��%PU3_��P&3
�5��(��KX#B
!0�g#
P
3SS#��K�#
Z1��	�	
Z1��#�
L�#����
�
���#����
�
���#N
�2��
�

�2��#P<S�
�
P&$N
�2��	�	
�2�8$P<S�	�	Pt$
P5��$
���$B��$\�$#
���$#B��$#��D%�/Lk&�gL�&T�&Q�&P�&Q�&/
��&/���&
P
/]�&T�&Q�&P�&Q%'
(6�*'
X6�@'A
�1���
�1��'��L�'��L�'�M�'�ZM�(4��M"UQ�S��Q���U�"
�0�"��M*"��M6"�,NB"�;NN"�dNZ"��Nf"
�3�~"��N�"��N�"��N�"�O�"�9O�"�zO�"��O�"��O�"
51��"��O�!Uq\qx�U��!T*Q*<S<Cpy�Cx�T��!0�0S05s��!
�0��!'
�0� !UXSX\�U� !TYVY\�T� !Q$Z$\�Q� !R[\[\�R�S!&v8�&)�T8�S!&	v8�&)
�T8�� UgY� Tg�T�� 
0�
]X� 
0�� I[� y(�� [� q���� $u����!�r���� $u����!�� q���� $p����!�� I[� *q���� $p����!r���� $u����!�� U� Q� P� Q@ /U/fX@ TQf�T�V PTV q�P�T�V 0�'q�T>$ $ &<%�'Hq�T>$ $ &
<%�o �T2$q�T>$ $ &<%"�7�T2$q�T>$ $ &
<%"�o x(q"�#Ro /�T�o x(q"�#R	o /
�	o /�T��	o x(q"�#Ro �T2$q�T>$ $ &<%"�o x(��U3S3��U�� P AVXaUabV-p?%�q?%��P?%�-p>%1�q>%1�	�P>%1��0��
�0�8�T�P�PV0;U;�V���U���V
.V0>T>�\���T���\
.\ijSjm
|2$ $ &<$�mp�T2$ $ &<$�p�S
.S�
�2��U-S-2�U��U�S���U���S�hS�
T
�V���T���V�hV�3U3�S���U���S���U�(P, �,\,s	d�	1�	V�C0��C
!0��P+S,/P�
2��PS��P�AD���D��D��A
(2���
(2��
(2��"P"2S��P�P
2�PS,61�IN1�,6
!0�IN
!0�>P$S7<PC
2�CPSb�-P$U$|�U�%
P
7SMPP�UN�U��THVHI�T�INV�P*S14P�
2��PS� U �V���U���V�T�\���T���\@
�2���
�2�
P;S��PHF
�2�ZP4S�U>S>D�U�V@U/R/<�U�D7
�D7t��DU+R+7�U��T�T��
q���� $t����!�
r���� $t����!��q���� $p����!��3U�*q���� $p����!r���� $t����!��T�Q�P�QpU$uX�$%�U�t �t0�tUuX��U@S@F�U��
u(�
<s(�<B�U#(��V��Jz��
.=

{
&4����"�	�O,6IN��>@C�/o�����h0�
.D7�	 #��
!&
t�	7=BV Mj 4j 4j 4o � 
S� 
"%� 
�!"'�!E�!�!	"#
 #�8/-#+m<#�#�	�	�#��
�
8�#N�
�
8&$N�	�	�$#
%.0F�����
%F�������
%^���
%^����%E��&!5�(w&�&�&"%�&'"@'(47A�(%*) T) �)�)((0��)4\s���6*!+�*CQY��+$b+ �+ �+�+$��+)Qh���n,!+�,CQY��(-%*��+��p��	� �'`/�"?�hO
.e,`s8/����0�p�(`��\����\���C�*�\3�<F�^\��j{�� r `���
�2-`4G|V@<`X-f�� !\���0����I��� g5�L)F"@ f<�SK]p`}P+�� `�p%�� �`�0��-H�S�Dg0`v�&l�0y `��pX�������%�!x/B�NRd�Fz`��"� � #���7�"�LScrt1.o__abi_tagksm_key_agreement.crunningksm_enable.colduffd_setup.coldksm_channel_init.coldinitialized.0test_ksm_timing.coldcrtstuff.cderegister_tm_clones__do_global_dtors_auxcompleted.0__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_entry__FRAME_END___DYNAMIC__GNU_EH_FRAME_HDR_GLOBAL_OFFSET_TABLE_ksm_get_statsfree@GLIBC_2.2.5putchar@GLIBC_2.2.5__libc_start_main@GLIBC_2.34_ITM_deregisterTMCloneTable__isoc23_fscanf@GLIBC_2.38puts@GLIBC_2.2.5clock_gettime@GLIBC_2.17uffd_cleanupgetpid@GLIBC_2.2.5_edatafclose@GLIBC_2.2.5read_sysfs_intfill_page_fini__stack_chk_fail@GLIBC_2.4mmap@GLIBC_2.2.5key_agreement_roundget_pageksm_channel_initmemset@GLIBC_2.2.5ksm_disableioctl@GLIBC_2.2.5key_agreement_check_mergedrandom_bitrun_senderkey_agreement_propose_bitsignal_handlersrand@GLIBC_2.2.5calloc@GLIBC_2.2.5__data_startrun_receiversignal@GLIBC_2.2.5optarg@GLIBC_2.2.5key_agreement_initsyscall@GLIBC_2.2.5__gmon_start____dso_handle_IO_stdin_usedcheck_page_shared_pagemaptime@GLIBC_2.2.5__isoc23_strtol@GLIBC_2.38uffd_setupksm_channel_cleanup_enduffd_handler__bss_startmunmap@GLIBC_2.2.5main__printf_chk@GLIBC_2.3.4poll@GLIBC_2.2.5pthread_create@GLIBC_2.34madvise@GLIBC_2.2.5ksm_enablefopen@GLIBC_2.2.5perror@GLIBC_2.2.5print_keygetopt@GLIBC_2.2.5write_sysfs_intpread@GLIBC_2.2.5key_agreement_cleanup__TMC_END____fprintf_chk@GLIBC_2.3.4print_usage_ITM_registerTMCloneTabletest_ksm_timingmeasure_page_mergedpthread_join@GLIBC_2.34__cxa_finalize@GLIBC_2.2.5usleep@GLIBC_2.2.5.symtab.strtab.shstrtab.interp.note.gnu.property.note.gnu.build-id.note.ABI-tag.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rela.dyn.rela.plt.init.plt.got.plt.sec.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.dynamic.data.bss.comment.debug_aranges.debug_info.debug_abbrev.debug_line.debug_str.debug_line_str.debug_loclists.debug_rnglists#8806hh$I�� W���o��(a���i���q���od	d	R~���o�	�	p�(
(
��B0��  0�PP�`` �����X-X-
�00���<�<$��=�=���\�L��\�L��\�L���^�NP`P `P 0P+?PP)�P]P5�IC5�O0H�r	Z0��9j��z������	%	@�0p�