Overview

File 68f77801-Viridian-bounds-check-in-vpmask_set.patch of Package xen.41885

# Commit 36e90c4ef1f2667dc8159c634fb00d393fc2d857
# Date 2025-10-21 14:09:37 +0200
# Author Teddy Astie <teddy.astie@vates.tech>
# Committer Jan Beulich <jbeulich@suse.com>
x86/viridian: Enforce bounds check in vpmask_set()

Callers can pass vp/mask values which exceed the size of vpmask->mask.  Ensure
we only set bits which are within bounds.

This is XSA-475 / CVE-2025-58147.

Fixes: b4124682db6e ("viridian: add ExProcessorMasks variants of the flush hypercalls")
Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

--- a/xen/arch/x86/hvm/viridian/viridian.c
+++ b/xen/arch/x86/hvm/viridian/viridian.c
@@ -562,7 +562,8 @@ static void vpmask_set(struct hypercall_
 
         if ( mask & 1 )
         {
-            ASSERT(vp < HVM_MAX_VCPUS);
+            if ( vp >= HVM_MAX_VCPUS )
+                break;
             __set_bit(vp, vpmask->mask);
         }
openSUSE Build Service is sponsored by
Places