CVE-2021-28696

IOMMU page mapping issues on x86 T[his CNA information record relates to
multiple CVEs; the text explains which aspects/vulnerabilities correspond
to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of
memory which should be left untranslated, which typically means these
addresses should pass the translation phase unaltered. While these are
typically device specific ACPI properties, they can also be specified to
apply to a range of devices, or even all devices. On all systems with such
regions Xen failed to prevent guests from undoing/replacing such mappings
(CVE-2021-28694). On AMD systems, where a discontinuous range is specified
by firmware, the supposedly-excluded middle range will also be
identity-mapped (CVE-2021-28695). Further, on AMD systems, upon
de-assigment of a physical device from a guest, the identity mappings would
be left in place, allowing a guest continued access to ranges of memory
which it shouldn’t have access to anymore (CVE-2021-28696).

Notes