From 5740f717d1c69229b2f23b21c302a34839dbbdaf Mon Sep 17 00:00:00 2001
From: Fernando Rodrigues
Date: Tue, 21 Oct 2025 22:57:19 +1100
Subject: [PATCH] xen: patch with XSA-475 Xen Security Advisory #475 x86: Incorrect input sanitisation in Viridian hypercalls Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs.
* CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format.
* CVE-2025-58148. Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer.
Signed-off-by: Fernando Rodrigues
(cherry picked from commit 901ddad0838f69134e863579d140b2d0d28db46e)
---
 pkgs/by-name/xe/xen/package.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/pkgs/by-name/xe/xen/package.nix b/pkgs/by-name/xe/xen/package.nix
index f8478b497a28c..911203c94f70d 100644
--- a/pkgs/by-name/xe/xen/package.nix
+++ b/pkgs/by-name/xe/xen/package.nix
@@ -34,5 +34,15 @@ buildXenPackage.override { inherit python3Packages; } {
 url = "https://xenbits.xen.org/xsa/xsa473-2.patch";
 hash = "sha256-tGuIGxJFBXbckIruSUeTyrM6GabdIj6Pr3cVxeDvNNY=";
 })
+
+ # XSA 475
+ (fetchpatch {
+ url = "https://xenbits.xen.org/xsa/xsa475-4.19-1.patch";
+ hash = "sha256-Bzvtr12g+7+M9jY9Nt2jd41CwYTL+h2fuwzJFsxroio=";
+ })
+ (fetchpatch {
+ url = "https://xenbits.xen.org/xsa/xsa475-4.19-2.patch";
+ hash = "sha256-257GucAOUoK0gNSDglU7F+qvaT47FebFPW8hYzMp9XE=";
+ })
 ];
 }
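Review bot: The `# XSA 475` comment above the two new `fetchpatch` entries records only the advisory number, so someone auditing package.nix cannot tell which CVEs the patches cover or when they can be removed. Consider `# XSA-475: CVE-2025-58147, CVE-2025-58148 (Viridian hypercall bounds checks); drop once the packaged Xen release contains the fix`. Both URLs name the 4.19 patch series (`xsa475-4.19-1.patch`, `xsa475-4.19-2.patch`), and the Xen version this derivation builds is not visible in the hunk, so it is worth confirming that it is a 4.19 release. A series mismatch would presumably surface as a patch-apply failure at build time, but only if the package is actually rebuilt. The enclosing patch list starts outside the hunk.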