CVE-2023-46835

Name
CVE-2023-46835
Description
The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU. On systems without RAM above the 512GB boundary amd_iommu_quarantine_init() will setup page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only, resulting in the last page table directory (PDE) effectively becoming a page table entry (PTE), and hence a device in quarantine mode gaining write access to the page destined to be a PDE. Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignment, possibly leading to data leaks.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security@xen.org https://xenbits.xenproject.org/xsa/advisory-445.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:* xen == None == None

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
xen 3.19-main 4.18.2-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
xen 3.18-main 4.17.4-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
xen 3.17-main 4.16.6-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
xen 3.16-main 4.16.6-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
xen 3.20-main 4.18.2-r1 Natanael Copa <ncopa@alpinelinux.org> fixed
xen edge-main 4.18.2-r2 Natanael Copa <ncopa@alpinelinux.org> fixed