From fbc146f31e226237f12b7451a4dfdab7aa908a4d Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Tue, 9 Sep 2025 22:45:20 +1000 Subject: [PATCH 1/2] xen: patch with XSA-472 Mutiple vulnerabilities in the Viridian interface There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143. Signed-off-by: Fernando Rodrigues (cherry picked from commit 2648215258ade8d8d7ec33229395f596becae3c3) Signed-off-by: Fernando Rodrigues --- pkgs/by-name/xe/xen/package.nix | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/pkgs/by-name/xe/xen/package.nix b/pkgs/by-name/xe/xen/package.nix index d09f0fc9fbd3..b565f186902a 100644 --- a/pkgs/by-name/xe/xen/package.nix +++ b/pkgs/by-name/xe/xen/package.nix @@ -1,5 +1,6 @@ { buildXenPackage, + fetchpatch, python3Packages, }: @@ -8,4 +9,20 @@ buildXenPackage.override { inherit python3Packages; } { version = "4.19.3"; rev = "077419f04a3125c58dcf9724c954f98d1e927392"; hash = "sha256-e9aPLgzNVxUn7WnLbBHwFIN02DAObfA24VjiqdiP+jA="; + + patches = [ + # XSA 472 + (fetchpatch { + url = "https://xenbits.xen.org/xsa/xsa472-1.patch"; + hash = "sha256-6k/X7KFno9uBG0mUtJxl7TMavaRs2Xlj9JlW9ai6p0k="; + }) + (fetchpatch { + url = "https://xenbits.xen.org/xsa/xsa472-2.patch"; + hash = "sha256-BisdztU9Wa5nIGmHo4IikqYPHdEhBehHaNqj1IuBe6I="; + }) + (fetchpatch { + url = "https://xenbits.xen.org/xsa/xsa472-3.patch"; + hash = "sha256-rikOofQeuLNMBkdQS3xzmwh7BlgMOTMSsQcAOEzNOso="; + }) + ]; } From f6fd7105b5abe86345a2cdb7fede22e1c55dbc5f Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Tue, 9 Sep 2025 22:50:34 +1000 Subject: [PATCH 2/2] xen: patch with XSA-473 This patch only affects ARM, but it's better than setting ARM as knownVulnerabilities. Arm issues with page refcounting There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. This is CVE-2025-58144. And then the P2M lock isn't held until a page reference was actually obtained (or the attempt to do so has failed). Otherwise the page can not only change type, but even ownership in between, thus allowing domain boundaries to be violated. This is CVE-2025-58145. Signed-off-by: Fernando Rodrigues (cherry picked from commit 15968113a2e0eeb0e75e39000080ada3475c0cb2) --- pkgs/by-name/xe/xen/package.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pkgs/by-name/xe/xen/package.nix b/pkgs/by-name/xe/xen/package.nix index b565f186902a..f8478b497a28 100644 --- a/pkgs/by-name/xe/xen/package.nix +++ b/pkgs/by-name/xe/xen/package.nix @@ -24,5 +24,15 @@ buildXenPackage.override { inherit python3Packages; } { url = "https://xenbits.xen.org/xsa/xsa472-3.patch"; hash = "sha256-rikOofQeuLNMBkdQS3xzmwh7BlgMOTMSsQcAOEzNOso="; }) + + # XSA 473 + (fetchpatch { + url = "https://xenbits.xen.org/xsa/xsa473-1.patch"; + hash = "sha256-594tTalWcGJSLj3++4QB/ADkHH1qJNrdvg7FG6kOuB8="; + }) + (fetchpatch { + url = "https://xenbits.xen.org/xsa/xsa473-2.patch"; + hash = "sha256-tGuIGxJFBXbckIruSUeTyrM6GabdIj6Pr3cVxeDvNNY="; + }) ]; }