CVE-2023-46835 Affecting xen package, versions <4.17.2-r4
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-ALPINE320-XEN-7012725
- published 23 May 2024
- disclosed 5 Jan 2024
Introduced: 5 Jan 2024
CVE-2023-46835 Open this link in a new tabHow to fix?
Upgrade Alpine:3.20 xen to version 4.17.2-r4 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream xen package and not the xen package as distributed by Alpine.
See How to fix? for Alpine:3.20 relevant fixed versions and status.
The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels.
However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU.
On systems without RAM above the 512GB boundary amd_iommu_quarantine_init() will setup page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only, resulting in the last page table directory (PDE) effectively becoming a page table entry (PTE), and hence a device in quarantine mode gaining write access to the page destined to be a PDE.
Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignment, possibly leading to data leaks.