Unverified Commit d8ad1e5a authored by Fernando Rodrigues

xen: patch with XSA-481



            Xen Security Advisory CVE-2026-23555 / XSA-481
                               version 2

                 Xenstored DoS by unprivileged domain

Any guest issuing a Xenstore command accessing a node using the
(illegal) node path "/local/domain/" will crash xenstored due to a
clobbered error indicator in xenstored when verifying the node path.

Note that the crash is forced via a failing assert() statement in
xenstored. In case xenstored is being built with NDEBUG #defined,
an unprivileged guest trying to access the node path "/local/domain/"
will result in it no longer being serviced by xenstored; other guests
(including dom0) will still be serviced, but xenstored will use up
all CPU time it can get.

Any unprivileged domain can cause xenstored to crash, causing a
DoS (denial of service) for any Xenstore action. This will result
in an inability to perform further domain administration on the host.

In case xenstored has been built with NDEBUG defined, an unprivileged
domain can force xenstored to be 100% busy, but without harming
xenstored functionality for other guests otherwise.

Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
parent a8cdacff
+6 −0
@@ -204,6 +204,12 @@ stdenv.mkDerivation (finalAttrs: {
      hash = "sha256-mHoY+Y8klwLYOo4LZCwYcNsB1BcBbSa1nQOn3NueDdI=";
    })

    # XSA #481
    (fetchpatch {
      url = "https://xenbits.xenproject.org/xsa/xsa481.patch";
      hash = "sha256-QpRXS4rFuML2TawH7yhUmg8U4C1ATt4xiLLs91duuO8=";
    })

    # patch `libxl` to search for `qemu-system-i386` properly. (Before 4.21)
    (fetchpatch {
      url = "https://github.com/xen-project/xen/commit/f6281291704aa356489f4bd927cc7348a920bd01.diff?full_index=1";
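Review bot: The new entry's comment `# XSA #481` gives less context than the neighbouring libxl entry, which says what its patch does and bounds it with "(Before 4.21)". Consider naming the CVE and the affected component there, for example `# XSA-481 / CVE-2026-23555: xenstored DoS by unprivileged domain`, and noting the condition under which the patch can be dropped, so a later version bump does not leave a stale or double-applied fix. The `url` points at `xsa481.patch` with no version in the name while the advisory quoted in the commit message is "version 2"; the pinned `hash` means a later revision of that file will fail the fetch rather than change silently, which is the right behaviour, but it is worth recording in the comment which advisory version the hash was taken from.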