main/xen: add mitigations for XSA-467

2026-05-04 12:01:41 +02:00 · 2025-03-02 23:21:18 +00:00 · 2025-03-02 23:21:18 +00:00 · 12cee7e4ea
commit 12cee7e4ea
parent 161757bd23
2 changed files with 104 additions and 1 deletions
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=xen
 pkgver=4.19.1
-pkgrel=0
+pkgrel=1
 pkgdesc="Xen hypervisor"
 url="https://www.xenproject.org/"
 arch="x86_64 armv7 aarch64"
@ -379,6 +379,8 @@ options="!strip"
 #   4.19.0-r1:
 #     - CVE-2024-45818 XSA-463
 #     - CVE-2024-45819 XSA-464
+#   4.19.1-r1:
+#     - CVE-2025-1713 XSA-467

 case "$CARCH" in
 x86*)
@ -405,6 +407,8 @@ _IPXE_GIT_TAG=1d1cf74a5e58811822bee4b3da3cff7282fcdfca

 source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz

+	xsa467.patch
+
 	qemu-xen_paths.patch

 	hotplug-vif-vtrill.patch
@ -647,6 +651,7 @@ qemu_openrc() {

 sha512sums="
 6971d07d4eafd40186f35cf6de235badbdf0e1640974693b8fbd415876c46634094178a6157e6dfdc16af885c70ff3b7a72be35a88dcc63daf36e6eb08f9b17b  xen-4.19.1.tar.gz
+42500cc604091d86311505836eabfa906bf583bba85caf8e1207b1048d7fd037f5a6691355958d7f7538e4a2aaab8060ed2dee6c76456d8e4d10d7969543edbf  xsa467.patch
 fe3c253d03e1962ca4dd6bccd2e51817075450f51aa66e8ab9673bdd5a530dc08f1ed7817a1271ada028b0c34162f37cd6b24d84334403767caacd8206284cbb  qemu-xen_paths.patch
 1c9cb24bf67a2e84466572198315d5501627addf1ccd55d8d83df8d77d269a6696cd45e4a55601495168284e3bff58fb39853f56c46aaddd14f6191821678cf6  hotplug-vif-vtrill.patch
 8c9cfc6afca325df1d8026e21ed03fa8cd2c7e1a21a56cc1968301c5ab634bfe849951899e75d328951d7a41273d1e49a2448edbadec0029ed410c43c0549812  hotplug-Linux-iscsi-block-handle-lun-1.patch
--- a/main/xen/xsa467.patch
+++ b/main/xen/xsa467.patch
@ -0,0 +1,98 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: IOMMU/x86: the bus-to-bridge lock needs to be acquired IRQ-safe
+
+The function's use from set_msi_source_id() is guaranteed to be in an
+IRQs-off region. While the invocation of that function could be moved
+ahead in msi_msg_to_remap_entry() (doesn't need to be in the IOMMU-
+intremap-locked region), the call tree from map_domain_pirq() holds an
+IRQ descriptor lock. Hence all use sites of the lock need become IRQ-
+safe ones.
+
+In find_upstream_bridge() do a tiny bit of tidying in adjacent code:
+Change a variable's type to unsigned and merge a redundant assignment
+into another variable's initializer.
+
+This is XSA-467 / CVE-2025-1713.
+
+Fixes: 476bbccc811c ("VT-d: fix MSI source-id of interrupt remapping")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+
+--- a/xen/drivers/passthrough/pci.c
+++ b/xen/drivers/passthrough/pci.c
+@@ -354,20 +354,21 @@ static struct pci_dev *alloc_pdev(struct
+     switch ( pdev->type = pdev_type(pseg->nr, bus, devfn) )
+     {
+         unsigned int cap, sec_bus, sub_bus;
+        unsigned long flags;
+ 
+         case DEV_TYPE_PCIe2PCI_BRIDGE:
+         case DEV_TYPE_LEGACY_PCI_BRIDGE:
+             sec_bus = pci_conf_read8(pdev->sbdf, PCI_SECONDARY_BUS);
+             sub_bus = pci_conf_read8(pdev->sbdf, PCI_SUBORDINATE_BUS);
+ 
+-            spin_lock(&pseg->bus2bridge_lock);
+            spin_lock_irqsave(&pseg->bus2bridge_lock, flags);
+             for ( ; sec_bus <= sub_bus; sec_bus++ )
+             {
+                 pseg->bus2bridge[sec_bus].map = 1;
+                 pseg->bus2bridge[sec_bus].bus = bus;
+                 pseg->bus2bridge[sec_bus].devfn = devfn;
+             }
+-            spin_unlock(&pseg->bus2bridge_lock);
+            spin_unlock_irqrestore(&pseg->bus2bridge_lock, flags);
+             break;
+ 
+         case DEV_TYPE_PCIe_ENDPOINT:
+@@ -437,16 +438,17 @@ static void free_pdev(struct pci_seg *ps
+     switch ( pdev->type )
+     {
+         unsigned int sec_bus, sub_bus;
+        unsigned long flags;
+ 
+         case DEV_TYPE_PCIe2PCI_BRIDGE:
+         case DEV_TYPE_LEGACY_PCI_BRIDGE:
+             sec_bus = pci_conf_read8(pdev->sbdf, PCI_SECONDARY_BUS);
+             sub_bus = pci_conf_read8(pdev->sbdf, PCI_SUBORDINATE_BUS);
+ 
+-            spin_lock(&pseg->bus2bridge_lock);
+            spin_lock_irqsave(&pseg->bus2bridge_lock, flags);
+             for ( ; sec_bus <= sub_bus; sec_bus++ )
+                 pseg->bus2bridge[sec_bus] = pseg->bus2bridge[pdev->bus];
+-            spin_unlock(&pseg->bus2bridge_lock);
+            spin_unlock_irqrestore(&pseg->bus2bridge_lock, flags);
+             break;
+ 
+         default:
+@@ -1053,8 +1055,9 @@ enum pdev_type pdev_type(u16 seg, u8 bus
+ int find_upstream_bridge(u16 seg, u8 *bus, u8 *devfn, u8 *secbus)
+ {
+     struct pci_seg *pseg = get_pseg(seg);
+-    int ret = 0;
+-    int cnt = 0;
+    int ret = 1;
+    unsigned long flags;
+    unsigned int cnt = 0;
+ 
+     if ( *bus == 0 )
+         return 0;
+@@ -1065,8 +1068,7 @@ int find_upstream_bridge(u16 seg, u8 *bu
+     if ( !pseg->bus2bridge[*bus].map )
+         return 0;
+ 
+-    ret = 1;
+-    spin_lock(&pseg->bus2bridge_lock);
+    spin_lock_irqsave(&pseg->bus2bridge_lock, flags);
+     while ( pseg->bus2bridge[*bus].map )
+     {
+         *secbus = *bus;
+@@ -1080,7 +1082,7 @@ int find_upstream_bridge(u16 seg, u8 *bu
+     }
+ 
+ out:
+-    spin_unlock(&pseg->bus2bridge_lock);
+    spin_unlock_irqrestore(&pseg->bus2bridge_lock, flags);
+     return ret;
+ }
+