xen: patch with XSA-467

When setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock. The passing through of certain kinds of devices to an unprivileged guest can result in a Denial of Service (DoS) affecting the entire host. Note: Normal usage of such devices by a privileged domain can also trigger the issue. In such a scenario, the deadlock is not considered a security issue, but just a plain bug. Systems with Intel IOMMU hardware (VT-d) are affected. Systems using AMD or non-x86 hardware are not affected. Only systems where certain kinds of devices are passed through to an unprivileged guest are vulnerable. Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
rstats-on-nix · Feb 27, 2025 · 5af1d19 · 5af1d19
1 parent dade3cb
commit 5af1d19
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/pkgs/by-name/xe/xen/package.nix b/pkgs/by-name/xe/xen/package.nix
@@ -12,6 +12,10 @@ buildXenPackage.override { inherit python3Packages; } {
       url = "https://lore.kernel.org/xen-devel/e2caa6648a0b6c429349a9826d8fbc4338222482.1733766758.git.andrii.sultanov@cloud.com/raw";
       hash = "sha256-JC1ueXuC1Jdi2gtUsjOHmTeEx56zjotMMLde5vBonxc=";
     })
+    (fetchpatch {
+      url = "https://xenbits.xenproject.org/xsa/xsa467.patch";
+      hash = "sha256-O2IwfRo6BnXAO04xjKmOyrV6J6Q1mAVLHWNCxqIEQGU=";
+    })
   ];
   rev = "ccf400846780289ae779c62ef0c94757ff43bb60";
   hash = "sha256-s0eCBCd6ybl+kLtXCC6E1sk++w7txXn/B/Cg5acQFfY=";