From 5af1d19112213970bfec2319514b17aa3ac868c2 Mon Sep 17 00:00:00 2001
From: Fernando Rodrigues
Date: Thu, 27 Feb 2025 17:45:48 -0300
Subject: [PATCH] xen: patch with XSA-467

When setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock. The passing through of certain kinds of devices to an unprivileged guest can result in a Denial of Service (DoS) affecting the entire host. Note: Normal usage of such devices by a privileged domain can also trigger the issue. In such a scenario, the deadlock is not considered a security issue, but just a plain bug. Systems with Intel IOMMU hardware (VT-d) are affected. Systems using AMD or non-x86 hardware are not affected. Only systems where certain kinds of devices are passed through to an unprivileged guest are vulnerable.

Signed-off-by: Fernando Rodrigues
---
 pkgs/by-name/xe/xen/package.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkgs/by-name/xe/xen/package.nix b/pkgs/by-name/xe/xen/package.nix
index b77a181c3c1361..8383d175ad1ace 100644
--- a/pkgs/by-name/xe/xen/package.nix
+++ b/pkgs/by-name/xe/xen/package.nix
@@ -12,6 +12,10 @@ buildXenPackage.override { inherit python3Packages; } {
 url = "https://lore.kernel.org/xen-devel/e2caa6648a0b6c429349a9826d8fbc4338222482.1733766758.git.andrii.sultanov@cloud.com/raw";
 hash = "sha256-JC1ueXuC1Jdi2gtUsjOHmTeEx56zjotMMLde5vBonxc=";
 })
+ (fetchpatch {
+ url = "https://xenbits.xenproject.org/xsa/xsa467.patch";
+ hash = "sha256-O2IwfRo6BnXAO04xjKmOyrV6J6Q1mAVLHWNCxqIEQGU=";
+ })
 ];
 rev = "ccf400846780289ae779c62ef0c94757ff43bb60";
 hash = "sha256-s0eCBCd6ybl+kLtXCC6E1sk++w7txXn/B/Cg5acQFfY=";
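Review bot: The added `fetchpatch` entry has no comment tying it to XSA-467 or saying when it can be dropped, so a later bump of `rev` gives the maintainer no cue that the patch may already be included upstream. I would put `# XSA-467: VT-d interrupt-remapping deadlock (host DoS with PCI passthrough); remove once rev contains the upstream fix` directly above `(fetchpatch {`. If the advisory publishes branch-specific variants of the patch, it is also worth confirming that `xsa467.patch` is the one intended for the pinned `rev`, since a patch that applies with fuzz does not fail the build. The enclosing patches list begins outside the hunk, so I cannot tell whether the neighbouring entry follows a commenting convention.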