
xen: patch with XSA-467 #385642

Merged
LeSuisse merged 1 commit into NixOS:master from SigmaSquadron:push-woywqztxsrxs on Mar 1, 2025

Conversation

@SigmaSquadron
Contributor

When setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock.

The passing through of certain kinds of devices to an unprivileged guest can result in a Denial of Service (DoS) affecting the entire host.

Note: Normal usage of such devices by a privileged domain can also
trigger the issue. In such a scenario, the deadlock is not
considered a security issue, but just a plain bug.

Systems with Intel IOMMU hardware (VT-d) are affected. Systems using AMD or non-x86 hardware are not affected.

Only systems where certain kinds of devices are passed through to an unprivileged guest are vulnerable.

https://xenbits.xenproject.org/xsa/advisory-467.html

Things done

  • Built on platform(s)
    • x86_64-linux
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

When setting up interrupt remapping for legacy PCI(-X) devices,
including PCI(-X) bridges, a lookup of the upstream bridge is required.
This lookup, itself involving acquiring of a lock, is done in a context
where acquiring that lock is unsafe. This can lead to a deadlock.

The passing through of certain kinds of devices to an unprivileged guest
can result in a Denial of Service (DoS) affecting the entire host.

Note: Normal usage of such devices by a privileged domain can also
      trigger the issue.  In such a scenario, the deadlock is not
      considered a security issue, but just a plain bug.

Systems with Intel IOMMU hardware (VT-d) are affected.  Systems using
AMD or non-x86 hardware are not affected.

Only systems where certain kinds of devices are passed through to an
unprivileged guest are vulnerable.

Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
@SigmaSquadron SigmaSquadron added 1.severity: security Issues which raise a security issue, or PRs that fix one 6.topic: xen-project Issues and PRs related to the Xen Project Hypervisor. labels Feb 27, 2025
@SigmaSquadron SigmaSquadron requested review from a team, CertainLach and hehongbo February 27, 2025 20:54
@github-actions github-actions bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 11-100 This PR causes between 11 and 100 packages to rebuild on Linux. labels Feb 27, 2025
@SigmaSquadron
Contributor Author

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 385642


x86_64-linux

⏩ 1 package marked as broken and skipped:
  • qubes-core-vchan-xen
❌ 3 packages failed to build:
  • htcondor
  • python313Packages.guestfs
  • python313Packages.guestfs.dist
✅ 60 packages built:
  • appvm
  • collectd
  • diffoscope
  • diffoscope.dist
  • diffoscope.man
  • docker-machine-kvm2
  • fdroidserver
  • fdroidserver.dist
  • gnome-boxes
  • libguestfs
  • libguestfs.guestfsd
  • librenms
  • libvirt
  • libvirt-glib
  • libvirt-glib.dev
  • libvirt-glib.devdoc
  • libvmi
  • libvmi.dev
  • libvmi.lib
  • mgmt
  • minikube
  • multipass
  • perl538Packages.SysVirt
  • perl538Packages.SysVirt.devdoc
  • perl540Packages.SysVirt
  • perl540Packages.SysVirt.devdoc
  • prometheus-libvirt-exporter
  • python312Packages.guestfs
  • python312Packages.guestfs.dist
  • python312Packages.libvirt
  • python312Packages.libvirt.dist
  • xen (python312Packages.xen)
  • xen.boot (python312Packages.xen.boot)
  • xen.dev (python312Packages.xen.dev)
  • xen.doc (python312Packages.xen.doc)
  • xen.man (python312Packages.xen.man)
  • python313Packages.libvirt
  • python313Packages.libvirt.dist
  • python313Packages.xen
  • python313Packages.xen.boot
  • python313Packages.xen.dev
  • python313Packages.xen.doc
  • python313Packages.xen.man
  • qemu_xen
  • qemu_xen.debug
  • qemu_xen.doc
  • qemu_xen.ga
  • rubyPackages.ruby-libvirt (rubyPackages_3_3.ruby-libvirt)
  • rubyPackages_3_1.ruby-libvirt
  • rubyPackages_3_2.ruby-libvirt
  • rubyPackages_3_4.ruby-libvirt
  • vagrant
  • virt-manager
  • virt-manager-qt
  • virt-top
  • virt-v2v
  • virt-viewer
  • virtnbdbackup
  • virtnbdbackup.dist
  • xen-guest-agent

@wegank wegank added the 12.approvals: 2 This PR was reviewed and approved by two persons. label Feb 28, 2025
Member

@LeSuisse LeSuisse left a comment


Minimal security patch, nixpkgs-review looks good.

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 385642


x86_64-linux

⏩ 1 package marked as broken and skipped:
  • qubes-core-vchan-xen
❌ 3 packages failed to build:
  • htcondor
  • python313Packages.guestfs
  • python313Packages.guestfs.dist
✅ 60 packages built:
  • appvm
  • collectd
  • diffoscope
  • diffoscope.dist
  • diffoscope.man
  • docker-machine-kvm2
  • fdroidserver
  • fdroidserver.dist
  • gnome-boxes
  • libguestfs
  • libguestfs.guestfsd
  • librenms
  • libvirt
  • libvirt-glib
  • libvirt-glib.dev
  • libvirt-glib.devdoc
  • libvmi
  • libvmi.dev
  • libvmi.lib
  • mgmt
  • minikube
  • multipass
  • perl538Packages.SysVirt
  • perl538Packages.SysVirt.devdoc
  • perl540Packages.SysVirt
  • perl540Packages.SysVirt.devdoc
  • prometheus-libvirt-exporter
  • python312Packages.guestfs
  • python312Packages.guestfs.dist
  • python312Packages.libvirt
  • python312Packages.libvirt.dist
  • xen (python312Packages.xen)
  • xen.boot (python312Packages.xen.boot)
  • xen.dev (python312Packages.xen.dev)
  • xen.doc (python312Packages.xen.doc)
  • xen.man (python312Packages.xen.man)
  • python313Packages.libvirt
  • python313Packages.libvirt.dist
  • python313Packages.xen
  • python313Packages.xen.boot
  • python313Packages.xen.dev
  • python313Packages.xen.doc
  • python313Packages.xen.man
  • qemu_xen
  • qemu_xen.debug
  • qemu_xen.doc
  • qemu_xen.ga
  • rubyPackages.ruby-libvirt (rubyPackages_3_3.ruby-libvirt)
  • rubyPackages_3_1.ruby-libvirt
  • rubyPackages_3_2.ruby-libvirt
  • rubyPackages_3_4.ruby-libvirt
  • vagrant
  • virt-manager
  • virt-manager-qt
  • virt-top
  • virt-v2v
  • virt-viewer
  • virtnbdbackup
  • virtnbdbackup.dist
  • xen-guest-agent

@LeSuisse LeSuisse merged commit e318dab into NixOS:master Mar 1, 2025
30 checks passed
@SigmaSquadron SigmaSquadron deleted the push-woywqztxsrxs branch March 2, 2025 01:36