[Backport release-25.05] xen: patch with XSA-475 #454207
SigmaSquadron merged 1 commit into NixOS:release-25.05 from
This report is automatically generated by the PR / Check / cherry-pick CI workflow.
Some of the commits in this PR require the author's and reviewer's attention.
Sometimes it is not possible to cherry-pick exactly the same patch.
This most frequently happens when resolving merge conflicts.
The range-diff will help to review the resolution of conflicts.
If you need to merge this PR despite the warnings, please dismiss this review shortly before merging.
Warning
Difference between 5740f71 and original 901ddad may warrant inspection.
@@ Commit message
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
+ (cherry picked from commit 901ddad0838f69134e863579d140b2d0d28db46e)
+
## pkgs/by-name/xe/xen/package.nix ##
-@@ pkgs/by-name/xe/xen/package.nix: stdenv.mkDerivation (finalAttrs: {
+@@ pkgs/by-name/xe/xen/package.nix: buildXenPackage.override { inherit python3Packages; } {
url = "https://xenbits.xen.org/xsa/xsa473-2.patch";
hash = "sha256-tGuIGxJFBXbckIruSUeTyrM6GabdIj6Pr3cVxeDvNNY=";
})
+
+ # XSA 475
+ (fetchpatch {
-+ url = "https://xenbits.xen.org/xsa/xsa475-1.patch";
++ url = "https://xenbits.xen.org/xsa/xsa475-4.19-1.patch";
+ hash = "sha256-Bzvtr12g+7+M9jY9Nt2jd41CwYTL+h2fuwzJFsxroio=";
+ })
+ (fetchpatch {
-+ url = "https://xenbits.xen.org/xsa/xsa475-2.patch";
-+ hash = "sha256-7MKtDAJpihpfcBK+hyBFGCP6gHWs2cdgTks8B439b2s=";
++ url = "https://xenbits.xen.org/xsa/xsa475-4.19-2.patch";
++ hash = "sha256-257GucAOUoK0gNSDglU7F+qvaT47FebFPW8hYzMp9XE=";
+ })
];
-
- outputs = [
+ }
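Review bot: In the first XSA 475 fetchpatch the url moves from xsa475-1.patch to xsa475-4.19-1.patch, but the hash line (sha256-Bzvtr12g+7+M9jY9Nt2jd41CwYTL+h2fuwzJFsxroio=) is carried over unchanged, whereas the second patch gets a new hash along with its new url. fetchpatch is a fixed-output derivation, so if an output with that hash is already in the local store or a binary cache from the original commit, the 4.19 URL is never downloaded and a wrong or different file would go unnoticed. Please confirm that the 4.19 variant of patch 1 really produces this hash, for example by temporarily replacing the hash with a dummy value and rebuilding, and note in the PR whether the two upstream files are identical.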
Hint: The full diffs are also available in the runner logs with slightly better highlighting.
ugh the commit hash is 901ddad on i'll fix it in a few hours.
5d2a7c8 to fda0934
Xen Security Advisory NixOS#475

x86: Incorrect input sanitisation in Viridian hypercalls

Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs.

* CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format.
* CVE-2025-58148. Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer.

Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
(cherry picked from commit 901ddad)
fda0934 to 5740f71
Xen 4.19 (on NixOS stable) has a different set of patches from 4.20 (on NixOS unstable). The builder is also different, given that the Xen builder on stable is on build-support, and the unstable builder is in by-name.
d75546c
Xen Security Advisory 475
x86: Incorrect input sanitisation in Viridian hypercalls
Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs.
CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format.
CVE-2025-58148. Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer.