head 1.2; access; symbols pkgsrc-2025Q4:1.1.0.4 pkgsrc-2025Q4-base:1.1 pkgsrc-2025Q3:1.1.0.2; locks; strict; comment @# @; 1.2 date 2026.03.17.20.43.02; author bouyer; state dead; branches; next 1.1; commitid m6e2Bm7Yvv7LZmyG; 1.1 date 2025.10.21.13.14.33; author bouyer; state Exp; branches 1.1.2.1; next ; commitid cdEGcSGvbrWZerfG; 1.1.2.1 date 2025.10.21.13.14.33; author maya; state dead; branches; next 1.1.2.2; commitid nqPCtcg2DNrKOrfG; 1.1.2.2 date 2025.10.21.14.57.54; author maya; state Exp; branches; next ; commitid nqPCtcg2DNrKOrfG; desc @@ 1.2 log @Update xenkernel418 and xentools418 to 20260317 Changes since 20250701: mostly bug fixes and small improvements on some hardware, including security fixes up to XSA481 @ text @$NetBSD: patch-xsa475-2,v 1.1 2025/10/21 13:14:33 bouyer Exp $ From: Teddy Astie Subject: x86/viridian: Enforce bounds check in send_ipi() Callers can pass in a vpmask which exceeds d->max_vcpus. Prevent out-of-bound reads of d->vcpu[]. This is XSA-475 / CVE-2025-58148. Fixes: 728acba1ba4a ("viridian: use hypercall_vpmask in hvcall_ipi()") Signed-off-by: Teddy Astie Reviewed-by: Andrew Cooper 
diff --git a/xen/arch/x86/hvm/viridian/viridian.c b/xen/arch/x86/hvm/viridian/viridian.c
index 41e93ef20fb2..d45751365fde 100644
--- xen/arch/x86/hvm/viridian/viridian.c.orig
+++ xen/arch/x86/hvm/viridian/viridian.c
@@@@ -577,26 +577,6 @@@@ static void vpmask_fill(struct hypercall_vpmask *vpmask)
 bitmap_fill(vpmask->mask, HVM_MAX_VCPUS);
 }
-static unsigned int vpmask_first(const struct hypercall_vpmask *vpmask)
-{
- return find_first_bit(vpmask->mask, HVM_MAX_VCPUS);
-}
-
-static unsigned int vpmask_next(const struct hypercall_vpmask *vpmask,
- unsigned int vp)
-{
- /*
- * If vp + 1 > HVM_MAX_VCPUS then find_next_bit() will return
- * HVM_MAX_VCPUS, ensuring the for_each_vp ( ... ) loop terminates.
- */
- return find_next_bit(vpmask->mask, HVM_MAX_VCPUS, vp + 1);
-}
-
-#define for_each_vp(vpmask, vp) \
- for ( (vp) = vpmask_first(vpmask); \
- (vp) < HVM_MAX_VCPUS; \
- (vp) = vpmask_next(vpmask, vp) )
-
 static unsigned int vpmask_nr(const struct hypercall_vpmask *vpmask)
 {
 return bitmap_weight(vpmask->mask, HVM_MAX_VCPUS);
@@@@ -813,7 +793,7 @@@@ static void send_ipi(struct hypercall_vpmask *vpmask, uint8_t vector)
 if ( nr > 1 )
 cpu_raise_softirq_batch_begin();
- for_each_vp ( vpmask, vp )
+ for_each_set_bit ( vp, vpmask->mask, currd->max_vcpus )
 {
 struct vlapic *vlapic = vcpu_vlapic(currd->vcpu[vp]);
@ 1.1 log @xenkernel418, xenkernel420: add upstream patches fixing xsa475.
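Review bot: In send_ipi() the new loop stops at `currd->max_vcpus`, but the `nr` tested in `if ( nr > 1 )` just above it presumably still comes from vpmask_nr(), which the first hunk's context shows counting bits up to HVM_MAX_VCPUS, so the batching decision and the iteration can now disagree when the mask has bits at or above max_vcpus. That looks harmless, but the narrower bound is the whole fix and deserves a comment at the loop so a later cleanup does not restore the full-width walk: `/* d->vcpu[] has only max_vcpus entries; never index it from mask bits beyond that (XSA-475). */`. The body still indexes `currd->vcpu[vp]` directly; whether a NULL slot below max_vcpus can occur on this path is not visible here, and `struct vcpu *v = domain_vcpu(currd, vp);` followed by a NULL check would make the lookup self-defending. send_ipi() begins and ends outside the hunk, and the same hunk appears again in the 1.1.2.2 revision text further down the page.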
Bump PKGREVISION @ text @d1 1 a1 1 $NetBSD: $ @ 1.1.2.1 log @file patch-xsa475-2 was added on branch pkgsrc-2025Q3 on 2025-10-21 14:57:54 +0000 @ text @d1 54 @ 1.1.2.2 log @Pullup ticket #7016 - requested by bouyer sysutils/xenkernel418: Security fix sysutils/xenkernel420: Security fix Revisions pulled up: - sysutils/xenkernel418/Makefile 1.6 - sysutils/xenkernel418/distinfo 1.9 - sysutils/xenkernel418/patches/patch-xsa475-1 1.1 - sysutils/xenkernel418/patches/patch-xsa475-2 1.1 - sysutils/xenkernel420/Makefile 1.2 - sysutils/xenkernel420/distinfo 1.2 - sysutils/xenkernel420/patches/patch-xsa475-1 1.1 - sysutils/xenkernel420/patches/patch-xsa475-2 1.1 --- Module Name: pkgsrc Committed By: bouyer Date: Tue Oct 21 13:14:33 UTC 2025 Modified Files: pkgsrc/sysutils/xenkernel418: Makefile distinfo pkgsrc/sysutils/xenkernel420: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel418/patches: patch-xsa475-1 patch-xsa475-2 pkgsrc/sysutils/xenkernel420/patches: patch-xsa475-1 patch-xsa475-2 Log Message: xenkernel418, xenkernel420: add upstream patches fixing xsa475. Bump PKGREVISION @ text @a0 54 $NetBSD: patch-xsa475-2,v 1.1 2025/10/21 13:14:33 bouyer Exp $ From: Teddy Astie Subject: x86/viridian: Enforce bounds check in send_ipi() Callers can pass in a vpmask which exceeds d->max_vcpus. Prevent out-of-bound reads of d->vcpu[]. This is XSA-475 / CVE-2025-58148. Fixes: 728acba1ba4a ("viridian: use hypercall_vpmask in hvcall_ipi()") Signed-off-by: Teddy Astie Reviewed-by: Andrew Cooper 
diff --git a/xen/arch/x86/hvm/viridian/viridian.c b/xen/arch/x86/hvm/viridian/viridian.c
index 41e93ef20fb2..d45751365fde 100644
--- xen/arch/x86/hvm/viridian/viridian.c.orig
+++ xen/arch/x86/hvm/viridian/viridian.c
@@@@ -577,26 +577,6 @@@@ static void vpmask_fill(struct hypercall_vpmask *vpmask)
 bitmap_fill(vpmask->mask, HVM_MAX_VCPUS);
 }
-static unsigned int vpmask_first(const struct hypercall_vpmask *vpmask)
-{
- return find_first_bit(vpmask->mask, HVM_MAX_VCPUS);
-}
-
-static unsigned int vpmask_next(const struct hypercall_vpmask *vpmask,
- unsigned int vp)
-{
- /*
- * If vp + 1 > HVM_MAX_VCPUS then find_next_bit() will return
- * HVM_MAX_VCPUS, ensuring the for_each_vp ( ... ) loop terminates.
- */
- return find_next_bit(vpmask->mask, HVM_MAX_VCPUS, vp + 1);
-}
-
-#define for_each_vp(vpmask, vp) \
- for ( (vp) = vpmask_first(vpmask); \
- (vp) < HVM_MAX_VCPUS; \
- (vp) = vpmask_next(vpmask, vp) )
-
 static unsigned int vpmask_nr(const struct hypercall_vpmask *vpmask)
 {
 return bitmap_weight(vpmask->mask, HVM_MAX_VCPUS);
@@@@ -813,7 +793,7 @@@@ static void send_ipi(struct hypercall_vpmask *vpmask, uint8_t vector)
 if ( nr > 1 )
 cpu_raise_softirq_batch_begin();
- for_each_vp ( vpmask, vp )
+ for_each_set_bit ( vp, vpmask->mask, currd->max_vcpus )
 {
 struct vlapic *vlapic = vcpu_vlapic(currd->vcpu[vp]);
@