
[release-24.11] xen: manual backport of XSAs #467 & #469 #407311

Merged
LeSuisse merged 2 commits into NixOS:release-24.11 from SigmaSquadron:push-ytqpnlszkusn
May 16, 2025

Conversation

@SigmaSquadron (Contributor) commented May 15, 2025

Manual backport of #385642 and #406506.

Things done

  • Built on platform(s)
    • x86_64-linux
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.


When setting up interrupt remapping for legacy PCI(-X) devices,
including PCI(-X) bridges, a lookup of the upstream bridge is required.
This lookup, itself involving acquiring of a lock, is done in a context
where acquiring that lock is unsafe. This can lead to a deadlock.

The passing through of certain kinds of devices to an unprivileged guest
can result in a Denial of Service (DoS) affecting the entire host.

Note: Normal usage of such devices by a privileged domain can also
      trigger the issue.  In such a scenario, the deadlock is not
      considered a security issue, but just a plain bug.

Systems with Intel IOMMU hardware (VT-d) are affected.  Systems using
AMD or non-x86 hardware are not affected.

Only systems where certain kinds of devices are passed through to an
unprivileged guest are vulnerable.

Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>

(cherry picked from commit 5af1d19)

Researchers at VU Amsterdam have released Training Solo, detailing
several speculative attacks which bypass current protections.

One issue, which Intel has named Indirect Target Selection, is a bug in
the hardware support for prediction-domain isolation.  The mitigation
for this involves both microcode and software changes in Xen.

For more details, see:
1.  https://vusec.net/projects/training-solo
2.  https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/indirect-target-selection.html

Another issue discussed in the Training Solo paper pertains to
classic-BPF.  Xen does not have any capability similar to BPF filters,
so is not believed to be affected by this issue.

Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>

(cherry picked from commit c29710d)
@github-actions github-actions bot added 6.topic: xen-project Issues and PRs related to the Xen Project Hypervisor. 4.workflow: backport This targets a stable branch labels May 15, 2025
@SigmaSquadron SigmaSquadron mentioned this pull request May 15, 2025
@LeSuisse LeSuisse added the 1.severity: security Issues which raise a security issue, or PRs that fix one label May 15, 2025
@github-actions github-actions bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 11-100 This PR causes between 11 and 100 packages to rebuild on Linux. labels May 15, 2025
@SigmaSquadron SigmaSquadron requested review from a team, CertainLach, digitalrane and hehongbo May 15, 2025 11:03
@SigmaSquadron (Contributor, Author)

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 407311

x86_64-linux

⏩ 1 package marked as broken and skipped:
  • qubes-core-vchan-xen
✅ 60 packages built:
  • appvm
  • collectd
  • diffoscope
  • diffoscope.dist
  • diffoscope.man
  • docker-machine-kvm2
  • fdroidserver
  • fdroidserver.dist
  • garble
  • gnome-boxes
  • htcondor
  • libguestfs
  • libguestfs.guestfsd
  • librenms
  • libvirt
  • libvirt-glib
  • libvirt-glib.dev
  • libvirt-glib.devdoc
  • libvmi
  • libvmi.dev
  • libvmi.lib
  • mgmt
  • minikube
  • multipass
  • perl538Packages.SysVirt
  • perl538Packages.SysVirt.devdoc
  • perl540Packages.SysVirt
  • perl540Packages.SysVirt.devdoc
  • python311Packages.guestfs
  • python311Packages.guestfs.dist
  • python311Packages.libvirt
  • python311Packages.libvirt.dist
  • python311Packages.xen
  • python311Packages.xen.boot
  • python311Packages.xen.dev
  • python311Packages.xen.doc
  • python311Packages.xen.man
  • python312Packages.guestfs
  • python312Packages.guestfs.dist
  • python312Packages.libvirt
  • python312Packages.libvirt.dist
  • xen (python312Packages.xen)
  • xen.boot (python312Packages.xen.boot)
  • xen.dev (python312Packages.xen.dev)
  • xen.doc (python312Packages.xen.doc)
  • xen.man (python312Packages.xen.man)
  • qemu_xen
  • qemu_xen.debug
  • qemu_xen.ga
  • rubyPackages.ruby-libvirt (rubyPackages_3_3.ruby-libvirt)
  • rubyPackages_3_1.ruby-libvirt
  • rubyPackages_3_2.ruby-libvirt
  • rubyPackages_3_4.ruby-libvirt
  • vagrant
  • virt-manager
  • virt-manager-qt
  • virt-top
  • virt-v2v
  • virt-viewer
  • xen-guest-agent

@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one person. label May 15, 2025
@LeSuisse (Member)

Confirmed nixpkgs-review builds, let's merge.

@LeSuisse LeSuisse merged commit d6c9326 into NixOS:release-24.11 May 16, 2025
40 of 41 checks passed
@SigmaSquadron SigmaSquadron deleted the push-ytqpnlszkusn branch May 16, 2025 17:58