From 4d0161235249ce2ebc16f51a7fb8878d749c2866 Mon Sep 17 00:00:00 2001
From: Fernando Rodrigues
Date: Thu, 27 Feb 2025 17:45:48 -0300
Subject: [PATCH 1/2] xen: patch with XSA-467 When setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock. The passing through of certain kinds of devices to an unprivileged guest can result in a Denial of Service (DoS) affecting the entire host. Note: Normal usage of such devices by a privileged domain can also trigger the issue. In such a scenario, the deadlock is not considered a security issue, but just a plain bug. Systems with Intel IOMMU hardware (VT-d) are affected. Systems using AMD or non-x86 hardware are not affected. Only systems where certain kinds of devices are passed through to an unprivileged guest are vulnerable. Signed-off-by: Fernando Rodrigues (cherry picked from commit 5af1d19112213970bfec2319514b17aa3ac868c2)
---
 pkgs/by-name/xe/xen/package.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/pkgs/by-name/xe/xen/package.nix b/pkgs/by-name/xe/xen/package.nix
index b77a181c3c136..8383d175ad1ac 100644
--- a/pkgs/by-name/xe/xen/package.nix
+++ b/pkgs/by-name/xe/xen/package.nix
@@ -12,6 +12,10 @@ buildXenPackage.override { inherit python3Packages; } {
 url = "https://lore.kernel.org/xen-devel/e2caa6648a0b6c429349a9826d8fbc4338222482.1733766758.git.andrii.sultanov@cloud.com/raw";
 hash = "sha256-JC1ueXuC1Jdi2gtUsjOHmTeEx56zjotMMLde5vBonxc=";
 })
+ (fetchpatch {
+ url = "https://xenbits.xenproject.org/xsa/xsa467.patch";
+ hash = "sha256-O2IwfRo6BnXAO04xjKmOyrV6J6Q1mAVLHWNCxqIEQGU=";
+ })
 ];
 rev = "ccf400846780289ae779c62ef0c94757ff43bb60";
 hash = "sha256-s0eCBCd6ybl+kLtXCC6E1sk++w7txXn/B/Cg5acQFfY=";
From 4afab2e126ae55991a893c03f2fa7ecc89621c19 Mon Sep 17 00:00:00 2001
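Review bot: The new `fetchpatch` entry for xsa467.patch has no comment saying which advisory it carries or when it can be dropped, and the same holds for the seven XSA-469 entries added in the second patch. The patch is applied on top of a pinned `rev`, so a later bump to a revision that already contains the fix needs the entry removed, and the reason for the entry currently lives only in the commit message. I would add above it `# XSA-467: VT-d interrupt-remapping deadlock (host DoS with PCI passthrough); drop once rev contains the upstream fix`. The enclosing patches list opens above the hunk, so I cannot see whether the existing entries follow a comment convention.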
From: Fernando Rodrigues
Date: Mon, 12 May 2025 14:09:17 -0300
Subject: [PATCH 2/2] xen: patch with XSA-469 Researchers at VU Amsterdam have released Training Solo, detailing several speculative attacks which bypass current protections. One issue, which Intel has named Indirect Target Selection, is a bug in the hardware support for prediction-domain isolation. The mitigation for this involves both microcode and software changes in Xen. For more details, see: 1. https://vusec.net/projects/training-solo 2. https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/indirect-target-selection.html Another issue discussed in the Training Solo paper pertains to classic-BPF. Xen does not have any capability similar to BPF filters, so is not believed to be affected by this issue. Signed-off-by: Fernando Rodrigues (cherry picked from commit c29710d4ad60296481c0702da4790a2250f2a7ed)
---
 pkgs/by-name/xe/xen/package.nix | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/pkgs/by-name/xe/xen/package.nix b/pkgs/by-name/xe/xen/package.nix
index 8383d175ad1ac..e5fffebe293b4 100644
--- a/pkgs/by-name/xe/xen/package.nix
+++ b/pkgs/by-name/xe/xen/package.nix
@@ -16,6 +16,34 @@ buildXenPackage.override { inherit python3Packages; } {
 url = "https://xenbits.xenproject.org/xsa/xsa467.patch";
 hash = "sha256-O2IwfRo6BnXAO04xjKmOyrV6J6Q1mAVLHWNCxqIEQGU=";
 })
+ (fetchpatch {
+ url = "https://xenbits.xenproject.org/xsa/xsa469/xsa469-4.19-01.patch";
+ hash = "sha256-YUcp9QI49RM/7WCxYzpzppv+vKtyl/NvLy6rIX5hVMw=";
+ })
+ (fetchpatch {
+ url = "https://xenbits.xenproject.org/xsa/xsa469/xsa469-4.19-02.patch";
+ hash = "sha256-FTtEGAPFYxsun38hLhVMKJ1TFJOsTMK3WWPkO0R/OHg=";
+ })
+ (fetchpatch {
+ url = "https://xenbits.xenproject.org/xsa/xsa469/xsa469-4.19-03.patch";
+ hash = "sha256-UkYMSpUgFvr4GJPXLgQsCyppGkNbeiFMyCZORK5tfmA=";
+ })
+ (fetchpatch {
+ url = "https://xenbits.xenproject.org/xsa/xsa469/xsa469-4.19-04.patch";
+ hash = "sha256-lpiDPSHi+v2VfaWE9kp4+hveZKTzojD1F+RHsOtKE3A=";
+ })
+ (fetchpatch {
+ url = "https://xenbits.xenproject.org/xsa/xsa469/xsa469-4.19-05.patch";
+ hash = "sha256-EKo9a5STX0mTRopoThe3+6gCWat+3XbguLr9QgMheZs=";
+ })
+ (fetchpatch {
+ url = "https://xenbits.xenproject.org/xsa/xsa469/xsa469-4.19-06.patch";
+ hash = "sha256-HU+4apyTZNIFZ9cySOEtNh0JBJDG3LjDLwMvQYq0src=";
+ })
+ (fetchpatch {
+ url = "https://xenbits.xenproject.org/xsa/xsa469/xsa469-4.19-07.patch";
+ hash = "sha256-9S85nkQ9Nn0cMzyRe4KGrFUaLggVxXBeKhoFF4R0y78=";
+ })
 ];
 rev = "ccf400846780289ae779c62ef0c94757ff43bb60";
 hash = "sha256-s0eCBCd6ybl+kLtXCC6E1sk++w7txXn/B/Cg5acQFfY=";
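Review bot: Nothing in the added XSA-469 entries records that the Xen patches are only part of the mitigation; the commit message says Indirect Target Selection needs both microcode and software changes in Xen. A reader of package.nix could assume the host is covered once these seven patches build, so I would put `# XSA-469 (Indirect Target Selection): Xen side only; the mitigation also needs updated CPU microcode` above the first entry. The file names are specific to the 4.19 branch and numbered 01 to 07, so the comment could also say that the series stays in that order and has to be re-checked when `rev` moves to another branch. The patches list itself begins outside the hunk.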