IOMMU page mapping issues on x86

ISSUE DESCRIPTION

Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices.
On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694).
On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695).
Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn’t have access to anymore (CVE-2021-28696).

IMPACT

The precise impact is system specific, but can - on affected systems - be any or all of privilege escalation, denial of service, or information leaks.

VULNERABLE SYSTEMS

The vulnerability is only exploitable by guests granted access to physical devices (ie, via PCI passthrough).
All versions of Xen are affected.
Only x86 systems with IOMMUs and with firmware specifying memory regions to be identity mapped are affected. Other x86 systems are not affected.
Whether a particular system whose ACPI tables declare such memory region(s) is actually affected cannot be known without knowing when and/or how these regions are used. For example, if these regions were used only during system boot, there would not be any vulnerability. The necessary knowledge can only be obtained from, collectively, the hardware and firmware manufacturers.
On Arm hardware IOMMU use is not security supported. Accordingly, we have not undertaken an analysis of these issues for Arm systems.