main/xen: add mitigations for XSA-475 & XSA-476

main/xen/APKBUILD

@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=xen
 pkgver=4.18.5
-pkgrel=2
+pkgrel=3
 pkgdesc="Xen hypervisor"
 url="https://www.xenproject.org/"
 arch="x86_64 armv7 aarch64"
@@ -393,6 +393,10 @@ options="!strip"
 #     - CVE-2025-58143 XSA-472
 #     - CVE-2025-58144 XSA-473
 #     - CVE-2025-58145 XSA-473
+#   4.18.5-r3:
+#     - CVE-2025-58147 XSA-475
+#     - CVE-2025-58148 XSA-475
+#     - CVE-2025-58149 XSA-476
 
 case "$CARCH" in
 x86*)
@@ -471,6 +475,9 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
 	xsa472-3.patch
 	xsa473-4.18-1.patch
 	xsa473-4.18-2.patch
+	xsa475-4.19-1.patch
+	xsa475-4.19-2.patch
+	xsa476-4.20.patch
 
 	xenstored.initd
 	xenstored.confd
@@ -788,6 +795,9 @@ ea3ccb9b512da0949675dc5bddbb71b93c9c7bfde6613b8771d36f5ced317a11df17e5ac22f7fad6
 ed5102a81725f066f3533c72ff3f109334d451b394a258889644537b1eddec6978252bbc2a5304e3c6e3660c2ba4f9a4bdc8512c8317df41f52803c1bba42456  xsa472-3.patch
 7466ae0d94361701f5b38438e84d7ba6ff711eda71a51658018cc34a76c2d1f661d25aae588bfe599e761a98a1a86371976800e8485df4c76a6cbf1aad0fdc41  xsa473-4.18-1.patch
 8b8f33d7cf470257d34a0b83e03a0694d0460df55400841573a61a9e1769cc1593bdb553c28dba5b88347c521537cb065bf1c509816a5bf9c8d958ee1933f9b0  xsa473-4.18-2.patch
+0b17e2cbaf4250c07707e6ab553db904519912a15970808bbda2839e574ee3e1f5bec07be26d8780eed38e3176516ee3de13e5daeeb81793e94b2228b161036b  xsa475-4.19-1.patch
+6b96a64dc6173fef198c9b3ae794877c4f314dd4ebe6b16065a1a8f568d64d39b43d895ecb12b984b189e3686236a3c6f0ccbecdaa9161098f16e57c4e28f21e  xsa475-4.19-2.patch
+8bfafa10128bd2742250819b3e74991af556e17886fca18021ad8338ed1d3b37d06c39c9b5bedc2f26d82887d1aa1650371658378958e55db4bedae8b5171dbb  xsa476-4.20.patch
 9430940692d6bfb58b1438e0f5f84cb703fbca9ce9cc157a1313ab1ceff63222a1ae31c991543b20c8fc84300df2b22f4614b27bbff32f82e17f27fcd953143c  xenstored.initd
 093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0  xenstored.confd
 1dd04f4bf1890771aa7eef0b6e46f7139487da0907d28dcdbef9fbe335dcf731ca391cfcb175dd82924f637a308de00a69ae981f67348c34f04489ec5e5dc3b7  xenconsoled.initd

main/xen/xsa475-4.19-1.patch

@@ -0,0 +1,26 @@
+From: Teddy Astie <teddy.astie@vates.tech>
+Subject: x86/viridian: Enforce bounds check in vpmask_set()
+
+Callers can pass vp/mask values which exceed the size of vpmask->mask.  Ensure
+we only set bits which are within bounds.
+
+This is XSA-475 / CVE-2025-58147.
+
+Fixes: b4124682db6e ("viridian: add ExProcessorMasks variants of the flush hypercalls")
+Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+diff --git a/xen/arch/x86/hvm/viridian/viridian.c b/xen/arch/x86/hvm/viridian/viridian.c
+index a41a70e37a29..41e93ef20fb2 100644
+--- a/xen/arch/x86/hvm/viridian/viridian.c
++++ b/xen/arch/x86/hvm/viridian/viridian.c
+@@ -562,7 +562,8 @@ static void vpmask_set(struct hypercall_vpmask *vpmask, unsigned int vp,
+ 
+         if ( mask & 1 )
+         {
+-            ASSERT(vp < HVM_MAX_VCPUS);
++            if ( vp >= HVM_MAX_VCPUS )
++                break;
+             __set_bit(vp, vpmask->mask);
+         }
+ 

main/xen/xsa475-4.19-2.patch

@@ -0,0 +1,52 @@
+From: Teddy Astie <teddy.astie@vates.tech>
+Subject: x86/viridian: Enforce bounds check in send_ipi()
+
+Callers can pass in a vpmask which exceeds d->max_vcpus.  Prevent out-of-bound
+reads of d->vcpu[].
+
+This is XSA-475 / CVE-2025-58148.
+
+Fixes: 728acba1ba4a ("viridian: use hypercall_vpmask in hvcall_ipi()")
+Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+diff --git a/xen/arch/x86/hvm/viridian/viridian.c b/xen/arch/x86/hvm/viridian/viridian.c
+index 41e93ef20fb2..d45751365fde 100644
+--- a/xen/arch/x86/hvm/viridian/viridian.c
++++ b/xen/arch/x86/hvm/viridian/viridian.c
+@@ -577,26 +577,6 @@ static void vpmask_fill(struct hypercall_vpmask *vpmask)
+     bitmap_fill(vpmask->mask, HVM_MAX_VCPUS);
+ }
+ 
+-static unsigned int vpmask_first(const struct hypercall_vpmask *vpmask)
+-{
+-    return find_first_bit(vpmask->mask, HVM_MAX_VCPUS);
+-}
+-
+-static unsigned int vpmask_next(const struct hypercall_vpmask *vpmask,
+-                                unsigned int vp)
+-{
+-    /*
+-     * If vp + 1 > HVM_MAX_VCPUS then find_next_bit() will return
+-     * HVM_MAX_VCPUS, ensuring the for_each_vp ( ... ) loop terminates.
+-     */
+-    return find_next_bit(vpmask->mask, HVM_MAX_VCPUS, vp + 1);
+-}
+-
+-#define for_each_vp(vpmask, vp) \
+-	for ( (vp) = vpmask_first(vpmask); \
+-	      (vp) < HVM_MAX_VCPUS; \
+-	      (vp) = vpmask_next(vpmask, vp) )
+-
+ static unsigned int vpmask_nr(const struct hypercall_vpmask *vpmask)
+ {
+     return bitmap_weight(vpmask->mask, HVM_MAX_VCPUS);
+@@ -813,7 +793,7 @@ static void send_ipi(struct hypercall_vpmask *vpmask, uint8_t vector)
+     if ( nr > 1 )
+         cpu_raise_softirq_batch_begin();
+ 
+-    for_each_vp ( vpmask, vp )
++    for_each_set_bit ( vp, vpmask->mask, currd->max_vcpus )
+     {
+         struct vlapic *vlapic = vcpu_vlapic(currd->vcpu[vp]);
+ 

main/xen/xsa476-4.20.patch

@@ -0,0 +1,57 @@
+From: Jiqian Chen <Jiqian.Chen@amd.com>
+Subject: tools/libs/light: fix BAR memory address truncation
+
+64-bit BAR memory address is truncated when removing a passthrough
+pci device from guest since it uses "unsigned int".
+
+So, change to use 64-bit type to fix this problem.
+
+This is XSA-476 / CVE-2025-58149.
+
+Fixes: b0a1af61678b ("libxenlight: implement pci passthrough")
+Signed-off-by: Jiqian Chen <Jiqian.Chen@amd.com>
+Release-Acked-by: Oleksii Kurochko <oleksii.kurochko@gmail.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Acked-by: Anthony PERARD <anthony.perard@vates.tech>
+
+diff --git a/tools/libs/light/libxl_pci.c b/tools/libs/light/libxl_pci.c
+index 1647fd6f4756..7af602224aba 100644
+--- a/tools/libs/light/libxl_pci.c
++++ b/tools/libs/light/libxl_pci.c
+@@ -2179,7 +2179,7 @@ static void pci_remove_detached(libxl__egc *egc,
+ {
+     STATE_AO_GC(prs->aodev->ao);
+     libxl_ctx *ctx = libxl__gc_owner(gc);
+-    unsigned int start = 0, end = 0, flags = 0, size = 0;
++    uint64_t start = 0, end = 0, flags = 0, size = 0;
+     int  irq = 0, i, stubdomid = 0;
+     const char *sysfs_path;
+     FILE *f;
+@@ -2209,7 +2209,8 @@ static void pci_remove_detached(libxl__egc *egc,
+     }
+ 
+     for (i = 0; i < PROC_PCI_NUM_RESOURCES; i++) {
+-        if (fscanf(f, "0x%x 0x%x 0x%x\n", &start, &end, &flags) != 3)
++        if (fscanf(f, "0x%"SCNx64" 0x%"SCNx64" 0x%"SCNx64"\n",
++                   &start, &end, &flags) != 3)
+             continue;
+         size = end - start + 1;
+         if (start) {
+@@ -2218,7 +2219,7 @@ static void pci_remove_detached(libxl__egc *egc,
+                                                  size, 0);
+                 if (rc < 0)
+                     LOGED(ERROR, domid,
+-                          "xc_domain_ioport_permission error 0x%x/0x%x",
++                          "xc_domain_ioport_permission error %#"PRIx64"/%#"PRIx64,
+                           start,
+                           size);
+             } else {
+@@ -2228,7 +2229,7 @@ static void pci_remove_detached(libxl__egc *egc,
+                                                 0);
+                 if (rc < 0)
+                     LOGED(ERROR, domid,
+-                          "xc_domain_iomem_permission error 0x%x/0x%x",
++                          "xc_domain_iomem_permission error %#"PRIx64"/%#"PRIx64,
+                           start,
+                           size);
+             }