Xen Project XSA-347
Oct 20, 2020 - 11:49 a.m.

unsafe AMD IOMMU page table updates

Source: xenbits.xen.org
EPSS: 0.0004 (Low)
Percentile: 13.8%

ISSUE DESCRIPTION

AMD IOMMU page table entries are updated in a step-by-step manner, without regard to them being potentially in use by the IOMMU. Therefore it was possible that the IOMMU would read and then use a half-updated entry. Furthermore, updates to Device Table entries lacked suitable ordering enforcement for certain steps involved in these updates.
In both cases the specific outcome heavily depends on how exactly the compiler translated the affected pieces of code.
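
The half-updated entry described above can be modelled in a few lines. This is an added illustration, not Xen's code: the entry layout, the function names and the `walker_read` stand-in for a hardware fetch are all assumptions made for the example. It contrasts editing a live entry field by field with building the value privately and publishing it in one 64-bit store.

```c
#include <stdatomic.h>
#include <stdint.h>

/* Simplified, constructed entry layout (assumption, not the exact hardware format). */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL
#define PTE_READ      (1ULL << 61)
#define PTE_WRITE     (1ULL << 62)
#define PTE_PERMS     (PTE_READ | PTE_WRITE)

struct walker { uint64_t old_pte, new_pte; int torn; };

/* Hypothetical stand-in for the IOMMU fetching the entry at an arbitrary moment. */
static void walker_read(struct walker *w, uint64_t seen)
{
    if ((seen & PTE_PRESENT) && seen != w->old_pte && seen != w->new_pte)
        w->torn++;  /* valid-looking mapping that software never intended */
}

static uint64_t make_pte(uint64_t maddr, int rd, int wr)
{
    return (maddr & PTE_ADDR_MASK) | (rd ? PTE_READ : 0) |
           (wr ? PTE_WRITE : 0) | PTE_PRESENT;
}

/* Unsafe pattern: the live entry is edited one field at a time. */
static int update_stepwise(uint64_t old_pte, uint64_t new_pte)
{
    struct walker w = { old_pte, new_pte, 0 };
    volatile uint64_t pte = old_pte;
    pte = (pte & ~PTE_ADDR_MASK) | (new_pte & PTE_ADDR_MASK);
    walker_read(&w, pte);           /* new address, still old permissions */
    pte = (pte & ~PTE_PERMS) | (new_pte & PTE_PERMS);
    walker_read(&w, pte);
    return w.torn;
}

/* Safer pattern: one 64-bit store with release ordering publishes the whole
 * entry. Real code must also invalidate IOMMU caches; that is not modelled. */
static int update_atomic(uint64_t old_pte, uint64_t new_pte)
{
    struct walker w = { old_pte, new_pte, 0 };
    _Atomic uint64_t pte = old_pte;
    atomic_store_explicit(&pte, new_pte, memory_order_release);
    walker_read(&w, atomic_load(&pte));
    return w.torn;
}

int main(void)
{
    uint64_t o = make_pte(0x1000, 1, 1), n = make_pte(0x2000, 1, 0);
    return !(update_stepwise(o, n) == 1 && update_atomic(o, n) == 0);
}
```

In the stepwise case the intermediate value maps the new address with the old write permission still set, which is the kind of state neither the old nor the new mapping was meant to allow.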

IMPACT

A malicious guest might be able to cause data corruption and data leaks. Host or guest Denial of Service (DoS), and privilege escalation, cannot be ruled out.

VULNERABLE SYSTEMS

All Xen versions are potentially vulnerable.
Only x86 systems with AMD, Hygon, or compatible IOMMU hardware are vulnerable. Arm systems as well as x86 systems with VT-d hardware or without any IOMMUs in use are not vulnerable.
Only x86 guests which have physical devices passed through to them can leverage the vulnerability.