xen: patch with XSA-490

Released a while ago. We had difficulties adding it to Nixpkgs at the time as
our Xen needed to be updated to the .3 release.

            Xen Security Advisory CVE-2025-54518 / XSA-490

                   x86: CPU Opcode Cache corruption

AMD have disclosed a potential vulnerability in certain CPUs which can
cause instructions to execute at a higher privilege.

For more information, see:
  https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html

Code of any privilege could escalate to a higher privilege, including
userspace to kernel, and guest to host.

https://xenbits.xen.org/xsa/advisory-490.html

Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
(cherry picked from commit a343770e93)
This commit is contained in:
Fernando Rodrigues 2026-06-04 14:29:42 +10:00 committed by github-actions[bot]
commit c5efc36baa

View file

@ -210,6 +210,12 @@ stdenv.mkDerivation (finalAttrs: {
hash = "sha256-QttKWdmWC6Zn5k2hd6RIMCpLWv71HB/A9mCbDP+i8to=";
})
# XSA #490
(fetchpatch {
url = "https://xenbits.xenproject.org/xsa/xsa490-4.21.patch";
hash = "sha256-PF4zNeaS8aXHBNKLcgjVBUqmREg+nvdyHyLlhX2YBiw=";
})
# patch `libxl` to search for `qemu-system-i386` properly. (Before 4.21)
(fetchpatch {
url = "https://github.com/xen-project/xen/commit/f6281291704aa356489f4bd927cc7348a920bd01.diff?full_index=1";