WSL and other container-brained-but-not-really systems may not want a kernel,
and now that bootspec is no longer optional, this pulls one in anyway.
(cherry picked from commit 1fdf8fd586)
as is, plover has a desktop entry in the source tree but it is not
actually shipped in nixpkgs. we place it in the standard
$out/share/applications directory so it can be found by e.g. launchers.
(cherry picked from commit 7097b20ea1)
Xen Security Advisory CVE-2026-42488 / XSA-494
version 3
x86: mismatched mapcache metadata
Some shadow paging errors paths will switch the page-tables without
updating the currently running vCPU reference. This causes a mismatch
between the loaded page-tables and the mapcache metadata which can lead
to corruption of the mapcache.
Privilege escalation, Denial of Service (DoS) affecting the entire host,
and information leaks.
https://xenbits.xen.org/xsa/advisory-494.html
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
(cherry picked from commit c8ec62ac39)
ARM-only issue. Despite us not supporting Aarch64 Xen on NixOS, it costs us
nothing to add the patches.
Xen Security Advisory CVE-2025-10263 / XSA-493
version 2
Arm: Completion of memory accesses not guaranteed by completion of a TLBI
A hardware issue has been identified in certain Arm CPU designs. A
broadcast TLBI on one PE may complete before affected memory accesses
on another PE are globally observed. This may permit bypass of Stage 1
translation, Stage 2 translation, or GPT protection.
The erratum occurs when all of the following conditions are met:
- A PE (PEx) executes a store.
- Another PE (PEy) executes a TLBI instruction which applies to
Stage 1 only information, Stage 1 and 2 information, or GPT
information (but not Stage 2 only information), applies to the
Inner Shareable or Outer Shareable domain containing PEx, and
affects at least one of the bytes accessed by PEx's store.
- PEy executes a DSB instruction which is sufficient to complete the
TLBI instruction.
- Complex micro-architectural conditions occur.
When all conditions are met, PEy's DSB may complete before the global
observation of a portion of PEx's store which was affected by the TLB
invalidation. This store may complete at a later time, after memory
accesses which are ordered after the DSB.
The relevant TLB entries are invalidated correctly before the
completion of the DSB. This erratum does not affect reads.
For more details, please refer to the Arm Security Center:
https://developer.arm.com/Arm%20Security%20Center
A malicious guest may be able to write to memory it no longer has
permission to write to, after Xen has modified Stage 2 translation to
forbid writes to that location. This could allow a guest to escalate
its privileges to that of the hypervisor.
https://xenbits.xen.org/xsa/advisory-493.html
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
(cherry picked from commit 542f4fed39)
Xen Security Advisory CVE-2026-42489,CVE-2026-42490 / XSA-492
version 3
domctl lock open to abuse
To create and manage guests, domctl operations are used by the control
domain, a possible Xenstore domain, or by a domain controlling a
particular guest. Some of these operations may not be executed in
parallel, so a system-wide lock is used. The way that lock is acquired
is, however, not providing any fairness. This is CVE-2026-42489.
Furthermore, with XSM/Flask in use, the lock acquire will, for some
operations, occur ahead of any permission checking. This is
CVE-2026-42490.
A less privileged entity may stall an equally or more privileged entity,
potentially leading to a Denial od Service (DoS) of up to the entire
host.
https://xenbits.xen.org/xsa/advisory-492.html
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
(cherry picked from commit 3d1d9bee16)
Xen Security Advisory CVE-2026-42487 / XSA-491
version 2
x86 HVM I/O port list traversal
HVM guest I/O port accesses are subject to either emulation or at least
translation. Translations are managed by the device model (via
XEN_DOMCTL_ioport_mapping), and hence the linked list used may changed
at any time. Traversal of those lists (while handling guest I/O port
accesses) therefore needs synchronizing with updates, which was missing
so far.
A device model of a HVM guest can cause a hypervisor crash, causing a
Denial of Service (DoS) of the entire host. Privilege escalation and
information leaks cannot be ruled out.
https://xenbits.xen.org/xsa/advisory-491.html
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
(cherry picked from commit 1629ccf012)
Released a while ago. We had difficulties adding it to Nixpkgs at the time as
our Xen needed to be updated to the .3 release.
Xen Security Advisory CVE-2025-54518 / XSA-490
x86: CPU Opcode Cache corruption
AMD have disclosed a potential vulnerability in certain CPUs which can
cause instructions to execute at a higher privilege.
For more information, see:
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html
Code of any privilege could escalate to a higher privilege, including
userspace to kernel, and guest to host.
https://xenbits.xen.org/xsa/advisory-490.html
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
(cherry picked from commit a343770e93)