CVE-2021-28704: 
NixOS vulnerability analysis and mitigation

CVE-2021-28704 affects Xen versions 4.7 onwards and involves populate-on-demand (PoD) operations on misaligned Guest Frame Numbers (GFNs). The vulnerability was discovered by Jan Beulich of SUSE and disclosed in November 2021. It specifically affects x86 HVM and PVH guests started in PoD mode, which occurs when a guest's configuration specifies a 'maxmem' value larger than the 'memory' value (Xen Advisory).

The vulnerability stems from the implementation of hypercalls for PoD not enforcing proper alignment of base page frame numbers when specified with certain page orders. Specifically, the XENMEM_decrease_reservation operation allows guests to control P2M aspects of individual pages via hypercalls that can act on ranges of pages specified via page orders, resulting in a power-of-2 number of pages. The implementation fails to enforce proper alignment requirements, while some PoD handling code assumes such alignment (Xen Advisory). The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 HIGH with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD).

The vulnerability can allow malicious or buggy guest kernels to mount a Denial of Service (DoS) attack affecting the entire system. Additionally, privilege escalation and information leaks cannot be ruled out as potential impacts (Xen Advisory).

As a workaround, systems can avoid starting x86 HVM or PVH guests in populate-on-demand mode. For permanent remediation, patches were released for affected versions, including specific patches for Xen 4.15.x and 4.14.x through 4.12.x (Xen Advisory). Multiple distributions have released security updates, including Debian with version 4.14.3+32-g9de3671772-1~deb11u1 (Debian Advisory).