CVE-2023-46835

x86/AMD: mismatch in IOMMU quarantine page table levels

Description

The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU. On systems without RAM above the 512GB boundary amd_iommu_quarantine_init() will setup page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only, resulting in the last page table directory (PDE) effectively becoming a page table entry (PTE), and hence a device in quarantine mode gaining write access to the page destined to be a PDE. Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignment, possibly leading to data leaks.

Remediation

Workaround:

  • Not passing through physical devices to guests will avoid the vulnerability. Not using quarantine scratch-page mode will avoid the vulnerability, but could result in other issues.
5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.06%
Vendor Advisory xenproject.org
Affected: Xen Xen
Published at:
Updated at:

References

Link Tags
https://xenbits.xenproject.org/xsa/advisory-445.html patch vendor advisory

Frequently Asked Questions

What is the severity of CVE-2023-46835?
CVE-2023-46835 has been scored as a medium severity vulnerability.
How to fix CVE-2023-46835?
As a workaround for remediating CVE-2023-46835: Not passing through physical devices to guests will avoid the vulnerability. Not using quarantine scratch-page mode will avoid the vulnerability, but could result in other issues.
Is CVE-2023-46835 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-46835 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-46835?
CVE-2023-46835 affects Xen Xen.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.