CVE-2021-47035 in Linux
Summary
by MITRE • 02/28/2024
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Remove WO permissions on second-level paging entries
When the first level page table is used for IOVA translation, it only supports Read-Only and Read-Write permissions. The Write-Only permission is not supported as the PRESENT bit (implying Read permission) should always be set. When using second level, we still give separate permissions that allows Write-Only which seems inconsistent and awkward. We want to have consistent behavior. After moving to 1st level, we don't want things to work sometimes, and break if we use 2nd level for the same mappings. Hence remove this configuration.
Analysis
by VulDB Data Team • 06/20/2025
The vulnerability identified as CVE-2021-47035 resides within the Linux kernel's IOMMU (Input-Output Memory Management Unit) implementation, specifically affecting the VT-d (Virtualization Technology for Directed I/O) subsystem. This issue stems from an inconsistency in how page table permissions are handled between first-level and second-level paging mechanisms within the IOMMU translation process. The vulnerability impacts systems utilizing Intel VT-d technology for device virtualization and I/O memory management, potentially affecting cloud environments, virtualized servers, and any platform relying on hardware-assisted IOMMU functionality for security isolation between virtual machines and physical hardware resources.
The technical flaw manifests in the kernel's handling of page table entries where the second-level paging mechanism incorrectly allows Write-Only (WO) permissions on page table entries. In the first-level page table translation, the kernel correctly enforces that only Read-Only and Read-Write permissions are supported, with Write-Only permissions explicitly excluded because the PRESENT bit must always be set to imply Read permission. However, the second-level paging implementation maintained separate permission configurations that permitted Write-Only access patterns, creating an inconsistent behavior model. This inconsistency could lead to unexpected operational states where certain memory mappings would function correctly under first-level translation but fail or behave unpredictably when the same mappings are processed through second-level translation mechanisms.
The operational impact of this vulnerability extends beyond simple permission inconsistencies, potentially creating security implications within virtualized environments where IOMMU isolation is critical. When systems transition between first-level and second-level paging mechanisms for IOVA (I/O Virtual Address) translation, the inconsistent permission handling could result in memory access violations, privilege escalation opportunities, or unexpected device behavior in virtualized deployments. This vulnerability particularly affects cloud infrastructure providers and enterprise environments that rely heavily on VT-d for hardware isolation between tenant VMs, as it undermines the expected consistency of IOMMU memory protection policies. The inconsistency could also complicate debugging and system stability, as applications and drivers may experience intermittent failures when IOMMU translation pathways switch between different paging mechanisms.
The resolution implemented addresses this inconsistency by removing Write-Only permissions from second-level paging entries, thereby establishing uniform behavior across both first-level and second-level translation mechanisms. This change aligns the second-level paging implementation with the established first-level behavior, ensuring that the same memory mappings will function consistently regardless of which paging mechanism is employed. The fix directly addresses the root cause by eliminating the contradictory permission model that allowed Write-Only access patterns in second-level entries, thus maintaining the fundamental principle that PRESENT bits should always imply Read permission. This remediation follows security best practices by reducing the attack surface through consistent permission enforcement and aligns with CWE-691 (Insufficient Control Flow Management) and ATT&CK technique T1068 (Local Privilege Escalation) by preventing potential exploitation vectors that could arise from inconsistent memory access controls. Organizations should apply this kernel update to ensure consistent IOMMU behavior and maintain the expected security boundaries in virtualized environments.
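The permission inconsistency described above, modelled as an added example: this is not code from the Linux kernel or from the fix, and the flag and bit names (PROT_READ, PROT_WRITE, PTE_READ_PRESENT, PTE_WRITE) are constructed for illustration. It assumes the documented VT-d layout in which bit 0 of a second-level entry means Read and bit 0 of a first-level entry means Present, so a present first-level entry is always readable.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the IOMMU API request flags (same meaning as the
 * kernel's IOMMU_READ / IOMMU_WRITE, but these names are ours). */
#define PROT_READ  (1u << 0)
#define PROT_WRITE (1u << 1)

/* VT-d paging entry bits: bit 0 is Read in a second-level entry and Present
 * in a first-level entry; bit 1 is Write in both. Names are constructed. */
#define PTE_READ_PRESENT (1ull << 0)
#define PTE_WRITE        (1ull << 1)
#define PTE_ADDR_MASK    (~0xfffull)

/* Model of the pre-fix second-level encoder: request bits are copied as-is,
 * so a PROT_WRITE-only request yields a Write-Only entry (bit 0 clear). */
static uint64_t sl_pte_before_fix(unsigned int prot, uint64_t paddr)
{
    uint64_t pte = paddr & PTE_ADDR_MASK;
    if (prot & PROT_READ)  pte |= PTE_READ_PRESENT;
    if (prot & PROT_WRITE) pte |= PTE_WRITE;
    return pte;
}

/* Model of the post-fix behaviour: every mapped second-level entry carries
 * bit 0, matching first-level semantics, so Write-Only becomes Read-Write.
 * A request with neither permission maps nothing and returns 0. */
static uint64_t sl_pte_after_fix(unsigned int prot, uint64_t paddr)
{
    if (!(prot & (PROT_READ | PROT_WRITE)))
        return 0;
    uint64_t pte = (paddr & PTE_ADDR_MASK) | PTE_READ_PRESENT;
    if (prot & PROT_WRITE) pte |= PTE_WRITE;
    return pte;
}

/* Audit check for the entry shape the patch removes: Write set, Read clear. */
static bool pte_is_write_only(uint64_t pte)
{
    return (pte & PTE_WRITE) && !(pte & PTE_READ_PRESENT);
}

int main(void)
{
    uint64_t pa = 0x12345000ull; /* constructed sample physical address */
    printf("before fix, WRITE-only request: %s\n",
           pte_is_write_only(sl_pte_before_fix(PROT_WRITE, pa)) ? "write-only entry" : "readable entry");
    printf("after fix,  WRITE-only request: %s\n",
           pte_is_write_only(sl_pte_after_fix(PROT_WRITE, pa)) ? "write-only entry" : "readable entry");
    return 0;
}
```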