{"id":"CVE-2023-46835","details":"The current setup of the quarantine page tables assumes that the\nquarantine domain (dom_io) has been initialized with an address width\nof DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels.\n\nHowever dom_io being a PV domain gets the AMD-Vi IOMMU page tables\nlevels based on the maximum (hot pluggable) RAM address, and hence on\nsystems with no RAM above the 512GB mark only 3 page-table levels are\nconfigured in the IOMMU.\n\nOn systems without RAM above the 512GB boundary\namd_iommu_quarantine_init() will setup page tables for the scratch\npage with 4 levels, while the IOMMU will be configured to use 3 levels\nonly, resulting in the last page table directory (PDE) effectively\nbecoming a page table entry (PTE), and hence a device in quarantine\nmode gaining write access to the page destined to be a PDE.\n\nDue to this page table level mismatch, the sink page the device gets\nread/write access to is no longer cleared between device assignment,\npossibly leading to data leaks.\n","modified":"2026-01-27T04:19:25.501691Z","published":"2024-01-05T17:15:11Z","withdrawn":"2026-01-27T04:19:25.501691Z","related":["SUSE-SU-2023:4466-1","SUSE-SU-2023:4475-1","SUSE-SU-2023:4476-1","SUSE-SU-2023:4484-1","SUSE-SU-2023:4485-1","SUSE-SU-2023:4486-1","SUSE-SU-2023:4945-1","openSUSE-SU-2024:13442-1"],"references":[{"type":"FIX","url":"https://xenbits.xenproject.org/xsa/advisory-445.html"}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}