Unverified commit 26482152 authored by Fernando Rodrigues

xen: patch with XSA-472



Multiple vulnerabilities in the Viridian interface

There are multiple issues related to the handling and accessing of guest
memory pages in the viridian code:

 1. A NULL pointer dereference in the updating of the reference TSC area.
    This is CVE-2025-27466.

 2. A NULL pointer dereference by assuming the SIM page is mapped when
    a synthetic timer message has to be delivered.  This is
    CVE-2025-58142.

 3. A race in the mapping of the reference TSC page, where a guest can
    get Xen to free a page while still present in the guest physical to
    machine (p2m) page tables.  This is CVE-2025-58143.

Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
parent 97d71870
+15 −0
@@ -3,6 +3,7 @@
  stdenv,
  testers,
  fetchgit,
  fetchpatch,
  replaceVars,

  # Xen
@@ -184,6 +185,20 @@ stdenv.mkDerivation (finalAttrs: {
    ./0001-makefile-efi-output-directory.patch

    (replaceVars ./0002-scripts-external-executable-calls.patch scriptDeps)

    # XSA 472
    (fetchpatch {
      url = "https://xenbits.xen.org/xsa/xsa472-1.patch";
      hash = "sha256-6k/X7KFno9uBG0mUtJxl7TMavaRs2Xlj9JlW9ai6p0k=";
    })
    (fetchpatch {
      url = "https://xenbits.xen.org/xsa/xsa472-2.patch";
      hash = "sha256-BisdztU9Wa5nIGmHo4IikqYPHdEhBehHaNqj1IuBe6I=";
    })
    (fetchpatch {
      url = "https://xenbits.xen.org/xsa/xsa472-3.patch";
      hash = "sha256-rikOofQeuLNMBkdQS3xzmwh7BlgMOTMSsQcAOEzNOso=";
    })
  ];

  outputs = [
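Review bot: the `# XSA 472` comment above the three `fetchpatch` entries gives no CVE list and no removal condition, so a later maintainer cannot tell from the derivation what these patches fix or when they become redundant. Suggest extending the comment to name CVE-2025-27466, CVE-2025-58142 and CVE-2025-58143 from the commit message, and to state that the entries should be dropped once the packaged Xen release already contains the fixes, since patches that are already applied upstream will make the patch phase fail on the next version bump. The pinned `sha256-` hashes on each entry are the right approach for patches fetched by URL and should stay.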