CVE-2023-46835 Affecting xen-tools-xendomains-wait-disk package, versions <4.17.2_08-150500.3.15.1


Severity

Recommended
0.0
medium
0
10

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

EPSS
0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-SLES155-XENTOOLSXENDOMAINSWAITDISK-6069776
  • published18 Nov 2023
  • disclosed17 Nov 2023

Introduced: 17 Nov 2023

CVE-2023-46835  (opens in a new tab)

How to fix?

Upgrade SLES:15.5 xen-tools-xendomains-wait-disk to version 4.17.2_08-150500.3.15.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream xen-tools-xendomains-wait-disk package and not the xen-tools-xendomains-wait-disk package as distributed by SLES. See How to fix? for SLES:15.5 relevant fixed versions and status.

The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels.

However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU.

On systems without RAM above the 512GB boundary amd_iommu_quarantine_init() will setup page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only, resulting in the last page table directory (PDE) effectively becoming a page table entry (PTE), and hence a device in quarantine mode gaining write access to the page destined to be a PDE.

Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignment, possibly leading to data leaks.

CVSS Scores

version 3.1