{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46835", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "state": "PUBLISHED", "assignerShortName": "XEN", "dateReserved": "2023-10-27T07:55:35.331Z", "datePublished": "2024-01-05T16:34:49.531Z", "dateUpdated": "2024-09-04T19:39:59.020Z"}, "containers": {"cna": {"title": "x86/AMD: mismatch in IOMMU quarantine page table levels", "datePublic": "2023-11-14T12:00:00Z", "descriptions": [{"lang": "en", "value": "The current setup of the quarantine page tables assumes that the\nquarantine domain (dom_io) has been initialized with an address width\nof DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels.\n\nHowever dom_io being a PV domain gets the AMD-Vi IOMMU page tables\nlevels based on the maximum (hot pluggable) RAM address, and hence on\nsystems with no RAM above the 512GB mark only 3 page-table levels are\nconfigured in the IOMMU.\n\nOn systems without RAM above the 512GB boundary\namd_iommu_quarantine_init() will setup page tables for the scratch\npage with 4 levels, while the IOMMU will be configured to use 3 levels\nonly, resulting in the last page table directory (PDE) effectively\nbecoming a page table entry (PTE), and hence a device in quarantine\nmode gaining write access to the page destined to be a PDE.\n\nDue to this page table level mismatch, the sink page the device gets\nread/write access to is no longer cleared between device assignment,\npossibly leading to data leaks.\n"}], "impacts": [{"descriptions": [{"lang": "en", "value": "A device in quarantine mode can access data from previous quarantine\npage table usages, possibly leaking data used by previous domains that\nalso had the device assigned.\n"}]}], "affected": [{"defaultStatus": "unknown", "product": "Xen", "vendor": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-445"}]}], "configurations": [{"lang": "en", "value": "All Xen versions supporting PCI passthrough are affected.\n\nOnly x86 AMD systems with IOMMU hardware are vulnerable.\n\nOnly x86 guests which have physical devices passed through to them can\nleverage the vulnerability.\n"}], "workarounds": [{"lang": "en", "value": "Not passing through physical devices to guests will avoid the\nvulnerability.\n\nNot using quarantine scratch-page mode will avoid the vulnerability,\nbut could result in other issues.\n"}], "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer.\n"}], "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-445.html"}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2024-01-05T16:34:49.531Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:53:21.879Z"}, "title": "CVE Program Container", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-445.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-12T04:00:28.791183Z", "id": "CVE-2023-46835", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T19:39:59.020Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-445.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:53:21.879Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-46835", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-12T04:00:28.791183Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T19:39:54.875Z"}}], "cna": {"title": "x86/AMD: mismatch in IOMMU quarantine page table levels", "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer.\n"}], "impacts": [{"descriptions": [{"lang": "en", "value": "A device in quarantine mode can access data from previous quarantine\npage table usages, possibly leaking data used by previous domains that\nalso had the device assigned.\n"}]}], "affected": [{"vendor": "Xen", "product": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-445"}], "defaultStatus": "unknown"}], "datePublic": "2023-11-14T12:00:00Z", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-445.html"}], "workarounds": [{"lang": "en", "value": "Not passing through physical devices to guests will avoid the\nvulnerability.\n\nNot using quarantine scratch-page mode will avoid the vulnerability,\nbut could result in other issues.\n"}], "descriptions": [{"lang": "en", "value": "The current setup of the quarantine page tables assumes that the\nquarantine domain (dom_io) has been initialized with an address width\nof DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels.\n\nHowever dom_io being a PV domain gets the AMD-Vi IOMMU page tables\nlevels based on the maximum (hot pluggable) RAM address, and hence on\nsystems with no RAM above the 512GB mark only 3 page-table levels are\nconfigured in the IOMMU.\n\nOn systems without RAM above the 512GB boundary\namd_iommu_quarantine_init() will setup page tables for the scratch\npage with 4 levels, while the IOMMU will be configured to use 3 levels\nonly, resulting in the last page table directory (PDE) effectively\nbecoming a page table entry (PTE), and hence a device in quarantine\nmode gaining write access to the page destined to be a PDE.\n\nDue to this page table level mismatch, the sink page the device gets\nread/write access to is no longer cleared between device assignment,\npossibly leading to data leaks.\n"}], "configurations": [{"lang": "en", "value": "All Xen versions supporting PCI passthrough are affected.\n\nOnly x86 AMD systems with IOMMU hardware are vulnerable.\n\nOnly x86 guests which have physical devices passed through to them can\nleverage the vulnerability.\n"}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2024-01-05T16:34:49.531Z"}}}, "cveMetadata": {"cveId": "CVE-2023-46835", "state": "PUBLISHED", "dateUpdated": "2024-09-04T19:39:59.020Z", "dateReserved": "2023-10-27T07:55:35.331Z", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "datePublished": "2024-01-05T16:34:49.531Z", "assignerShortName": "XEN"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*", "matchCriteriaId": "C2B9CCC2-BAC5-4A65-B8D4-4B71EBBA0C2F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The current setup of the quarantine page tables assumes that the\nquarantine domain (dom_io) has been initialized with an address width\nof DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels.\n\nHowever dom_io being a PV domain gets the AMD-Vi IOMMU page tables\nlevels based on the maximum (hot pluggable) RAM address, and hence on\nsystems with no RAM above the 512GB mark only 3 page-table levels are\nconfigured in the IOMMU.\n\nOn systems without RAM above the 512GB boundary\namd_iommu_quarantine_init() will setup page tables for the scratch\npage with 4 levels, while the IOMMU will be configured to use 3 levels\nonly, resulting in the last page table directory (PDE) effectively\nbecoming a page table entry (PTE), and hence a device in quarantine\nmode gaining write access to the page destined to be a PDE.\n\nDue to this page table level mismatch, the sink page the device gets\nread/write access to is no longer cleared between device assignment,\npossibly leading to data leaks.\n"}, {"lang": "es", "value": "La configuraci\u00f3n actual de las tablas de p\u00e1ginas de cuarentena supone que el dominio de cuarentena (dom_io) se ha inicializado con un ancho de direcci\u00f3n de DEFAULT_DOMAIN_ADDRESS_WIDTH (48) y, por lo tanto, 4 niveles de tabla de p\u00e1ginas. Sin embargo, al ser dom_io un dominio PV, los niveles de tablas de p\u00e1ginas IOMMU AMD-Vi se basan en la direcci\u00f3n RAM m\u00e1xima (conectable en caliente) y, por lo tanto, en sistemas sin RAM por encima de la marca de 512 GB, solo se configuran 3 niveles de tablas de p\u00e1ginas en IOMMU. En sistemas sin RAM por encima del l\u00edmite de 512 GB, amd_iommu_quarantine_init() configurar\u00e1 tablas de p\u00e1ginas para la p\u00e1gina temporal con 4 niveles, mientras que IOMMU se configurar\u00e1 para usar solo 3 niveles, lo que dar\u00e1 como resultado que el \u00faltimo directorio de la tabla de p\u00e1ginas (PDE) se convierta efectivamente en una entrada de la tabla de p\u00e1ginas (PTE) y, por lo tanto, un dispositivo en modo de cuarentena obtiene acceso de escritura a la p\u00e1gina destinada a ser una PDE. Debido a esta discrepancia en el nivel de la tabla de p\u00e1ginas, la p\u00e1gina receptora a la que el dispositivo tiene acceso de lectura/escritura ya no se borra entre las asignaciones de dispositivos, lo que posiblemente provoque fugas de datos."}], "id": "CVE-2023-46835", "lastModified": "2024-11-21T08:29:23.593", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-05T17:15:11.147", "references": [{"source": "security@xen.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://xenbits.xenproject.org/xsa/advisory-445.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://xenbits.xenproject.org/xsa/advisory-445.html"}], "sourceIdentifier": "security@xen.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}