pkgsrc-Changes archive
CVS commit: pkgsrc/sysutils
Module Name: pkgsrc
Committed By: bouyer
Date: Tue Oct 21 13:14:33 UTC 2025
Modified Files:
pkgsrc/sysutils/xenkernel418: Makefile distinfo
pkgsrc/sysutils/xenkernel420: Makefile distinfo
Added Files:
pkgsrc/sysutils/xenkernel418/patches: patch-xsa475-1 patch-xsa475-2
pkgsrc/sysutils/xenkernel420/patches: patch-xsa475-1 patch-xsa475-2
Log Message:
xenkernel418, xenkernel420: add upstream patches fixing xsa475.
Bump PKGREVISION
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 pkgsrc/sysutils/xenkernel418/Makefile
cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/xenkernel418/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel418/patches/patch-xsa475-1 \
pkgsrc/sysutils/xenkernel418/patches/patch-xsa475-2
cvs rdiff -u -r1.1 -r1.2 pkgsrc/sysutils/xenkernel420/Makefile \
pkgsrc/sysutils/xenkernel420/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel420/patches/patch-xsa475-1 \
pkgsrc/sysutils/xenkernel420/patches/patch-xsa475-2
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/sysutils/xenkernel418/Makefile
diff -u pkgsrc/sysutils/xenkernel418/Makefile:1.5 pkgsrc/sysutils/xenkernel418/Makefile:1.6
--- pkgsrc/sysutils/xenkernel418/Makefile:1.5 Tue Jul 1 16:55:06 2025
+++ pkgsrc/sysutils/xenkernel418/Makefile Tue Oct 21 13:14:33 2025
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.5 2025/07/01 16:55:06 bouyer Exp $
+# $NetBSD: Makefile,v 1.6 2025/10/21 13:14:33 bouyer Exp $
# VERSION is set in version.mk as it is shared with other packages
-#PKGREVISION= 1
+
+PKGREVISION= 1
XENKERNEL:=
.include "../../sysutils/xentools418/version.mk"
Index: pkgsrc/sysutils/xenkernel418/distinfo
diff -u pkgsrc/sysutils/xenkernel418/distinfo:1.8 pkgsrc/sysutils/xenkernel418/distinfo:1.9
--- pkgsrc/sysutils/xenkernel418/distinfo:1.8 Tue Jul 1 16:55:06 2025
+++ pkgsrc/sysutils/xenkernel418/distinfo Tue Oct 21 13:14:33 2025
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2025/07/01 16:55:06 bouyer Exp $
+$NetBSD: distinfo,v 1.9 2025/10/21 13:14:33 bouyer Exp $
BLAKE2s (xen418/xen-438bb1285f470e2f385c0ea917ac9787d56aa8d3.tar.gz) = 8855fa3b76ab86c24949a2862231fba25c9c6877ef6f9628ee6dff96be8c7094
SHA512 (xen418/xen-438bb1285f470e2f385c0ea917ac9787d56aa8d3.tar.gz) = 3147bec66da25757885b8561f578d1267801c04c5b0d85493c2856aa17f01b4bd29d924e611b3aabd39a5b3c51f6374474d5768c13d54f0fb3e98f6b053f9aeb
@@ -12,3 +12,5 @@ SHA1 (patch-xen_arch_x86_extable.c) = f6
SHA1 (patch-xen_arch_x86_mm_p2m.c) = 6e9b84dc8448eca9677f184e720bbfcb3c6d314e
SHA1 (patch-xen_arch_x86_traps.c) = 9548d6476e2fb5898d2958c10eaf2fd1e424d9c5
SHA1 (patch-xen_tools_check-endbr.sh) = a7268ee5ff11f21fdc5b0bc213498a1923b693be
+SHA1 (patch-xsa475-1) = 7211ad0099e1c1554aed49169ef0949d0304073e
+SHA1 (patch-xsa475-2) = 9d0bd2fbf9ff446df229bc47d54951098278577c
Index: pkgsrc/sysutils/xenkernel420/Makefile
diff -u pkgsrc/sysutils/xenkernel420/Makefile:1.1 pkgsrc/sysutils/xenkernel420/Makefile:1.2
--- pkgsrc/sysutils/xenkernel420/Makefile:1.1 Fri Aug 22 09:00:11 2025
+++ pkgsrc/sysutils/xenkernel420/Makefile Tue Oct 21 13:14:33 2025
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.1 2025/08/22 09:00:11 bouyer Exp $
+# $NetBSD: Makefile,v 1.2 2025/10/21 13:14:33 bouyer Exp $
# VERSION is set in version.mk as it is shared with other packages
-#PKGREVISION= 1
+
+PKGREVISION= 1
XENKERNEL:=
.include "../../sysutils/xentools420/version.mk"
Index: pkgsrc/sysutils/xenkernel420/distinfo
diff -u pkgsrc/sysutils/xenkernel420/distinfo:1.1 pkgsrc/sysutils/xenkernel420/distinfo:1.2
--- pkgsrc/sysutils/xenkernel420/distinfo:1.1 Fri Aug 22 09:00:11 2025
+++ pkgsrc/sysutils/xenkernel420/distinfo Tue Oct 21 13:14:33 2025
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.1 2025/08/22 09:00:11 bouyer Exp $
+$NetBSD: distinfo,v 1.2 2025/10/21 13:14:33 bouyer Exp $
BLAKE2s (xen420/xen-ea5025554e982bd377f85b899b6d151e5ef33d1e.tar.gz) = 6732d2e90841860347e6b7a86b0ebd6cc6073aa8140ce0f61a8fbe6c7d7f4ad0
SHA512 (xen420/xen-ea5025554e982bd377f85b899b6d151e5ef33d1e.tar.gz) = b02e57832885b45f7795ef47b5f518d2da2f649fa5f019da73b2846dd1546fedbe61c5c4c91404fe851449ad9b4e8df0336b26a9a2363620648e13658d07afa3
@@ -11,3 +11,5 @@ SHA1 (patch-xen_arch_x86_boot_build32.ld
SHA1 (patch-xen_arch_x86_extable.c) = f64b956be1167901a60bf9be1abd98dbfaffb100
SHA1 (patch-xen_arch_x86_mm_p2m.c) = 6e9b84dc8448eca9677f184e720bbfcb3c6d314e
SHA1 (patch-xen_tools_check-endbr.sh) = a7268ee5ff11f21fdc5b0bc213498a1923b693be
+SHA1 (patch-xsa475-1) = db692de22f07d86de8b4a692f45a646927af3fdf
+SHA1 (patch-xsa475-2) = 38adcfb0f0ea809dab99b919788a45a0b5a5c779
Added files:
Index: pkgsrc/sysutils/xenkernel418/patches/patch-xsa475-1
diff -u /dev/null pkgsrc/sysutils/xenkernel418/patches/patch-xsa475-1:1.1
--- /dev/null Tue Oct 21 13:14:33 2025
+++ pkgsrc/sysutils/xenkernel418/patches/patch-xsa475-1 Tue Oct 21 13:14:33 2025
@@ -0,0 +1,28 @@
+$NetBSD: patch-xsa475-1,v 1.1 2025/10/21 13:14:33 bouyer Exp $
+
+From: Teddy Astie <teddy.astie%vates.tech@localhost>
+Subject: x86/viridian: Enforce bounds check in vpmask_set()
+
+Callers can pass vp/mask values which exceed the size of vpmask->mask. Ensure
+we only set bits which are within bounds.
+
+This is XSA-475 / CVE-2025-58147.
+
+Fixes: b4124682db6e ("viridian: add ExProcessorMasks variants of the flush hypercalls")
+Signed-off-by: Teddy Astie <teddy.astie%vates.tech@localhost>
+Reviewed-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+
+diff --git a/xen/arch/x86/hvm/viridian/viridian.c b/xen/arch/x86/hvm/viridian/viridian.c
+index a41a70e37a29..41e93ef20fb2 100644
+--- xen/arch/x86/hvm/viridian/viridian.c.orig
++++ xen/arch/x86/hvm/viridian/viridian.c
+@@ -562,7 +562,8 @@ static void vpmask_set(struct hypercall_vpmask *vpmask, unsigned int vp,
+
+ if ( mask & 1 )
+ {
+- ASSERT(vp < HVM_MAX_VCPUS);
++ if ( vp >= HVM_MAX_VCPUS )
++ break;
+ __set_bit(vp, vpmask->mask);
+ }
+
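Review bot: The new `if ( vp >= HVM_MAX_VCPUS ) break;` in vpmask_set() drops out-of-range bits silently, and because the function returns void the caller cannot tell that the supplied mask was truncated; a short comment should record that this is intentional. Something like `/* vp/mask derive from hypercall arguments: ignore out-of-range bits at runtime, ASSERT() is compiled out of release builds */` above the check would explain why the assertion became a real test. The loop that the `break` leaves starts outside this hunk, so it is only presumed that every remaining bit would also be out of range; worth confirming against the full function. The same applies to the identical xenkernel420 copy of this patch.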
Index: pkgsrc/sysutils/xenkernel418/patches/patch-xsa475-2
diff -u /dev/null pkgsrc/sysutils/xenkernel418/patches/patch-xsa475-2:1.1
--- /dev/null Tue Oct 21 13:14:33 2025
+++ pkgsrc/sysutils/xenkernel418/patches/patch-xsa475-2 Tue Oct 21 13:14:33 2025
@@ -0,0 +1,54 @@
+$NetBSD: patch-xsa475-2,v 1.1 2025/10/21 13:14:33 bouyer Exp $
+
+From: Teddy Astie <teddy.astie%vates.tech@localhost>
+Subject: x86/viridian: Enforce bounds check in send_ipi()
+
+Callers can pass in a vpmask which exceeds d->max_vcpus. Prevent out-of-bound
+reads of d->vcpu[].
+
+This is XSA-475 / CVE-2025-58148.
+
+Fixes: 728acba1ba4a ("viridian: use hypercall_vpmask in hvcall_ipi()")
+Signed-off-by: Teddy Astie <teddy.astie%vates.tech@localhost>
+Reviewed-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+
+diff --git a/xen/arch/x86/hvm/viridian/viridian.c b/xen/arch/x86/hvm/viridian/viridian.c
+index 41e93ef20fb2..d45751365fde 100644
+--- xen/arch/x86/hvm/viridian/viridian.c.orig
++++ xen/arch/x86/hvm/viridian/viridian.c
+@@ -577,26 +577,6 @@ static void vpmask_fill(struct hypercall_vpmask *vpmask)
+ bitmap_fill(vpmask->mask, HVM_MAX_VCPUS);
+ }
+
+-static unsigned int vpmask_first(const struct hypercall_vpmask *vpmask)
+-{
+- return find_first_bit(vpmask->mask, HVM_MAX_VCPUS);
+-}
+-
+-static unsigned int vpmask_next(const struct hypercall_vpmask *vpmask,
+- unsigned int vp)
+-{
+- /*
+- * If vp + 1 > HVM_MAX_VCPUS then find_next_bit() will return
+- * HVM_MAX_VCPUS, ensuring the for_each_vp ( ... ) loop terminates.
+- */
+- return find_next_bit(vpmask->mask, HVM_MAX_VCPUS, vp + 1);
+-}
+-
+-#define for_each_vp(vpmask, vp) \
+- for ( (vp) = vpmask_first(vpmask); \
+- (vp) < HVM_MAX_VCPUS; \
+- (vp) = vpmask_next(vpmask, vp) )
+-
+ static unsigned int vpmask_nr(const struct hypercall_vpmask *vpmask)
+ {
+ return bitmap_weight(vpmask->mask, HVM_MAX_VCPUS);
+@@ -813,7 +793,7 @@ static void send_ipi(struct hypercall_vpmask *vpmask, uint8_t vector)
+ if ( nr > 1 )
+ cpu_raise_softirq_batch_begin();
+
+- for_each_vp ( vpmask, vp )
++ for_each_set_bit ( vp, vpmask->mask, currd->max_vcpus )
+ {
+ struct vlapic *vlapic = vcpu_vlapic(currd->vcpu[vp]);
+
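Review bot: The loop in send_ipi() is now bounded by `currd->max_vcpus`, but `nr` appears to still come from vpmask_nr(), which the context lines show counting bits up to HVM_MAX_VCPUS, so the `nr > 1` batching decision can rest on bits the loop never visits. That looks harmless, but a comment at the loop such as `/* mask is HVM_MAX_VCPUS bits wide; d->vcpu[] has only max_vcpus entries */` would make the two different bounds explicit for the next reader. Separately, `currd->vcpu[vp]` is passed to vcpu_vlapic() without a NULL check; whether every slot below max_vcpus is populated at this point cannot be confirmed from the hunk, since the function body starts and ends outside it. The xenkernel420 copy differs only in using `bitmap_for_each`, and the same remarks apply there.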
Index: pkgsrc/sysutils/xenkernel420/patches/patch-xsa475-1
diff -u /dev/null pkgsrc/sysutils/xenkernel420/patches/patch-xsa475-1:1.1
--- /dev/null Tue Oct 21 13:14:33 2025
+++ pkgsrc/sysutils/xenkernel420/patches/patch-xsa475-1 Tue Oct 21 13:14:33 2025
@@ -0,0 +1,28 @@
+$NetBSD: patch-xsa475-1,v 1.1 2025/10/21 13:14:33 bouyer Exp $
+
+From: Teddy Astie <teddy.astie%vates.tech@localhost>
+Subject: x86/viridian: Enforce bounds check in vpmask_set()
+
+Callers can pass vp/mask values which exceed the size of vpmask->mask. Ensure
+we only set bits which are within bounds.
+
+This is XSA-475 / CVE-2025-58147.
+
+Fixes: b4124682db6e ("viridian: add ExProcessorMasks variants of the flush hypercalls")
+Signed-off-by: Teddy Astie <teddy.astie%vates.tech@localhost>
+Reviewed-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+
+diff --git a/xen/arch/x86/hvm/viridian/viridian.c b/xen/arch/x86/hvm/viridian/viridian.c
+index c0be24bd2210..703f9ac8bcc1 100644
+--- xen/arch/x86/hvm/viridian/viridian.c.orig
++++ xen/arch/x86/hvm/viridian/viridian.c
+@@ -562,7 +562,8 @@ static void vpmask_set(struct hypercall_vpmask *vpmask, unsigned int vp,
+
+ if ( mask & 1 )
+ {
+- ASSERT(vp < HVM_MAX_VCPUS);
++ if ( vp >= HVM_MAX_VCPUS )
++ break;
+ __set_bit(vp, vpmask->mask);
+ }
+
Index: pkgsrc/sysutils/xenkernel420/patches/patch-xsa475-2
diff -u /dev/null pkgsrc/sysutils/xenkernel420/patches/patch-xsa475-2:1.1
--- /dev/null Tue Oct 21 13:14:33 2025
+++ pkgsrc/sysutils/xenkernel420/patches/patch-xsa475-2 Tue Oct 21 13:14:33 2025
@@ -0,0 +1,54 @@
+$NetBSD: patch-xsa475-2,v 1.1 2025/10/21 13:14:33 bouyer Exp $
+
+From: Teddy Astie <teddy.astie%vates.tech@localhost>
+Subject: x86/viridian: Enforce bounds check in send_ipi()
+
+Callers can pass in a vpmask which exceeds d->max_vcpus. Prevent out-of-bound
+reads of d->vcpu[].
+
+This is XSA-475 / CVE-2025-58148.
+
+Fixes: 728acba1ba4a ("viridian: use hypercall_vpmask in hvcall_ipi()")
+Signed-off-by: Teddy Astie <teddy.astie%vates.tech@localhost>
+Reviewed-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+
+diff --git a/xen/arch/x86/hvm/viridian/viridian.c b/xen/arch/x86/hvm/viridian/viridian.c
+index 703f9ac8bcc1..f79cffcb3767 100644
+--- xen/arch/x86/hvm/viridian/viridian.c.orig
++++ xen/arch/x86/hvm/viridian/viridian.c
+@@ -577,26 +577,6 @@ static void vpmask_fill(struct hypercall_vpmask *vpmask)
+ bitmap_fill(vpmask->mask, HVM_MAX_VCPUS);
+ }
+
+-static unsigned int vpmask_first(const struct hypercall_vpmask *vpmask)
+-{
+- return find_first_bit(vpmask->mask, HVM_MAX_VCPUS);
+-}
+-
+-static unsigned int vpmask_next(const struct hypercall_vpmask *vpmask,
+- unsigned int vp)
+-{
+- /*
+- * If vp + 1 > HVM_MAX_VCPUS then find_next_bit() will return
+- * HVM_MAX_VCPUS, ensuring the for_each_vp ( ... ) loop terminates.
+- */
+- return find_next_bit(vpmask->mask, HVM_MAX_VCPUS, vp + 1);
+-}
+-
+-#define for_each_vp(vpmask, vp) \
+- for ( (vp) = vpmask_first(vpmask); \
+- (vp) < HVM_MAX_VCPUS; \
+- (vp) = vpmask_next(vpmask, vp) )
+-
+ static unsigned int vpmask_nr(const struct hypercall_vpmask *vpmask)
+ {
+ return bitmap_weight(vpmask->mask, HVM_MAX_VCPUS);
+@@ -813,7 +793,7 @@ static void send_ipi(struct hypercall_vpmask *vpmask, uint8_t vector)
+ if ( nr > 1 )
+ cpu_raise_softirq_batch_begin();
+
+- for_each_vp ( vpmask, vp )
++ bitmap_for_each ( vp, vpmask->mask, currd->max_vcpus )
+ {
+ struct vlapic *vlapic = vcpu_vlapic(currd->vcpu[vp]);
+