head 1.2; access; symbols pkgsrc-2025Q4:1.1.0.4 pkgsrc-2025Q4-base:1.1 pkgsrc-2025Q3:1.1.0.2; locks; strict; comment @# @; 1.2 date 2026.03.17.20.43.02; author bouyer; state dead; branches; next 1.1; commitid m6e2Bm7Yvv7LZmyG; 1.1 date 2025.10.21.13.14.33; author bouyer; state Exp; branches 1.1.2.1; next ; commitid cdEGcSGvbrWZerfG; 1.1.2.1 date 2025.10.21.13.14.33; author maya; state dead; branches; next 1.1.2.2; commitid nqPCtcg2DNrKOrfG; 1.1.2.2 date 2025.10.21.14.57.54; author maya; state Exp; branches; next ; commitid nqPCtcg2DNrKOrfG; desc @@ 1.2 log @Update xenkernel418 and xentools418 to 20260317 Changes since 20250701: mostly bug fixes and small improvements on some hardware, including security fixes up to XSA481 @ text @$NetBSD: patch-xsa475-1,v 1.1 2025/10/21 13:14:33 bouyer Exp $ From: Teddy Astie Subject: x86/viridian: Enforce bounds check in vpmask_set() Callers can pass vp/mask values which exceed the size of vpmask->mask. Ensure we only set bits which are within bounds. This is XSA-475 / CVE-2025-58147. Fixes: b4124682db6e ("viridian: add ExProcessorMasks variants of the flush hypercalls") Signed-off-by: Teddy Astie Reviewed-by: Andrew Cooper diff --git a/xen/arch/x86/hvm/viridian/viridian.c b/xen/arch/x86/hvm/viridian/viridian.c index a41a70e37a29..41e93ef20fb2 100644 --- xen/arch/x86/hvm/viridian/viridian.c.orig +++ xen/arch/x86/hvm/viridian/viridian.c @@@@ -562,7 +562,8 @@@@ static void vpmask_set(struct hypercall_vpmask *vpmask, unsigned int vp, if ( mask & 1 ) { - ASSERT(vp < HVM_MAX_VCPUS); + if ( vp >= HVM_MAX_VCPUS ) + break; __set_bit(vp, vpmask->mask); } @ 1.1 log @xenkernel418, xenkernel420: add upstream patches fixing xsa475. Bump PKGREVISION @ text @d1 1 a1 1 $NetBSD: $ @ 1.1.2.1 log @file patch-xsa475-1 was added on branch pkgsrc-2025Q3 on 2025-10-21 14:57:54 +0000 @ text @d1 28 @ 1.1.2.2 log @Pullup ticket #7016 - requested by bouyer sysutils/xenkernel418: Security fix sysutils/xenkernel420: Security fix Revisions pulled up: - sysutils/xenkernel418/Makefile 1.6 - sysutils/xenkernel418/distinfo 1.9 - sysutils/xenkernel418/patches/patch-xsa475-1 1.1 - sysutils/xenkernel418/patches/patch-xsa475-2 1.1 - sysutils/xenkernel420/Makefile 1.2 - sysutils/xenkernel420/distinfo 1.2 - sysutils/xenkernel420/patches/patch-xsa475-1 1.1 - sysutils/xenkernel420/patches/patch-xsa475-2 1.1 --- Module Name: pkgsrc Committed By: bouyer Date: Tue Oct 21 13:14:33 UTC 2025 Modified Files: pkgsrc/sysutils/xenkernel418: Makefile distinfo pkgsrc/sysutils/xenkernel420: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel418/patches: patch-xsa475-1 patch-xsa475-2 pkgsrc/sysutils/xenkernel420/patches: patch-xsa475-1 patch-xsa475-2 Log Message: xenkernel418, xenkernel420: add upstream patches fixing xsa475. Bump PKGREVISION @ text @a0 28 $NetBSD: patch-xsa475-1,v 1.1 2025/10/21 13:14:33 bouyer Exp $ From: Teddy Astie Subject: x86/viridian: Enforce bounds check in vpmask_set() Callers can pass vp/mask values which exceed the size of vpmask->mask. Ensure we only set bits which are within bounds. This is XSA-475 / CVE-2025-58147. Fixes: b4124682db6e ("viridian: add ExProcessorMasks variants of the flush hypercalls") Signed-off-by: Teddy Astie Reviewed-by: Andrew Cooper diff --git a/xen/arch/x86/hvm/viridian/viridian.c b/xen/arch/x86/hvm/viridian/viridian.c index a41a70e37a29..41e93ef20fb2 100644 --- xen/arch/x86/hvm/viridian/viridian.c.orig +++ xen/arch/x86/hvm/viridian/viridian.c @@@@ -562,7 +562,8 @@@@ static void vpmask_set(struct hypercall_vpmask *vpmask, unsigned int vp, if ( mask & 1 ) { - ASSERT(vp < HVM_MAX_VCPUS); + if ( vp >= HVM_MAX_VCPUS ) + break; __set_bit(vp, vpmask->mask); } @