Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package xen for openSUSE:Factory checked in at 2026-01-29 17:44:17

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xen (Old)
 and      /work/SRC/openSUSE:Factory/.xen.new.1995 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xen" Thu Jan 29 17:44:17 2026 rev:371 rq:1329731 version:4.21.0_04 Changes: -------- --- /work/SRC/openSUSE:Factory/xen/xen.changes 2025-11-21 16:54:45.745516146 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.1995/xen.changes 2026-01-29 17:45:00.913511262 +0100 @@ -1,0 +2,22 @@ +Wed Jan 28 14:20:05 MST 2026 - [email protected] + +- bsc#1257399 - Package xen doesn't build with glibc 2.43 + glibc2.43-fixes.patch + +------------------------------------------------------------------- +Thu Jan 15 10:40:05 MST 2026 - [email protected] + +- bsc#1256745 - VUL-0: CVE-2025-58150: xen: x86: buffer overrun + with shadow paging + tracing (XSA-477) + xsa477.patch +- bsc#1256747 - VUL-0: CVE-2026-23553: xen: x86: incomplete IBPB + for vCPU isolation (XSA-479) + xsa479.patch + +------------------------------------------------------------------- +Thu Nov 20 09:16:24 MST 2025 - [email protected] + +- Drop x86-ioapic-ack-default.patch + Upstream changes make this patch unnecessary. + +------------------------------------------------------------------- Old: ---- x86-ioapic-ack-default.patch New: ---- glibc2.43-fixes.patch xsa477.patch xsa479.patch ----------(Old B)---------- Old: - Drop x86-ioapic-ack-default.patch Upstream changes make this patch unnecessary. ----------(Old E)---------- ----------(New B)---------- New:- bsc#1257399 - Package xen doesn't build with glibc 2.43 glibc2.43-fixes.patch New: with shadow paging + tracing (XSA-477) xsa477.patch - bsc#1256747 - VUL-0: CVE-2026-23553: xen: x86: incomplete IBPB New: for vCPU isolation (XSA-479) xsa479.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xen.spec ++++++ --- /var/tmp/diff_new_pack.ZfR6Hi/_old 2026-01-29 17:45:05.369699437 +0100 +++ /var/tmp/diff_new_pack.ZfR6Hi/_new 2026-01-29 17:45:05.377699775 +0100 
@@ -1,7 +1,7 @@ # # spec file for package xen # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -125,7 +125,7 @@ BuildRequires: python-rpm-macros Provides: installhint(reboot-needed) -Version: 4.21.0_02 +Version: 4.21.0_04 Release: 0 Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License: GPL-2.0-only @@ -160,6 +160,8 @@ # For xen-libs Source99: baselibs.conf # Upstream patches +Patch1: xsa477.patch +Patch2: xsa479.patch # EMBARGOED security fixes # Our platform specific patches Patch400: xen-destdir.patch @@ -188,10 +190,10 @@ Patch467: libxl.LIBXL_HOTPLUG_TIMEOUT.patch # Hypervisor and PV driver Patches Patch600: xen.bug1026236.suse_vtsc_tolerance.patch -Patch601: x86-ioapic-ack-default.patch Patch602: xenwatchdogd-restart.patch Patch621: xen.build-compare.doc_html.patch # Build patches +Patch800: glibc2.43-fixes.patch URL: http://www.cl.cam.ac.uk/Research/SRG/netos/xen/ BuildRoot: %{_tmppath}/%{name}-%{version}-build %define pyver %(python3 -c "import sys; print(sys.version.rpartition('.')[0])") ++++++ glibc2.43-fixes.patch ++++++ References: bsc#1257399 - Package xen doesn't build with glibc 2.43 Ignore instances of, error: assignment discards "const" qualifier from pointer target type [-Werror=discarded-qualifiers] There are three instances in libxl_cpuid.c and one in libxl_internal.c Index: xen-4.21.0-testing/tools/libs/light/libxl_cpuid.c =================================================================== --- xen-4.21.0-testing.orig/tools/libs/light/libxl_cpuid.c +++ xen-4.21.0-testing/tools/libs/light/libxl_cpuid.c 
@@ -407,6 +407,8 @@ int libxl_cpuid_parse_config(libxl_cpuid return 2; } +#pragma GCC diagnostic ignored "-Wdiscarded-qualifiers" + /* parse a single list item from the legacy Python xend syntax, where * the strings for each register were directly exposed to the user. * Used for maintaining compatibility with older config files Index: xen-4.21.0-testing/tools/libs/light/libxl_internal.c =================================================================== --- xen-4.21.0-testing.orig/tools/libs/light/libxl_internal.c +++ xen-4.21.0-testing/tools/libs/light/libxl_internal.c @@ -293,6 +293,8 @@ char *libxl__strndup(libxl__gc *gc, cons return s; } +#pragma GCC diagnostic ignored "-Wdiscarded-qualifiers" + char *libxl__dirname(libxl__gc *gc, const char *s) { char *c = strrchr(s, '/'); ++++++ xsa477.patch ++++++ From: Jan Beulich <[email protected]> Subject: x86/shadow: don't overrun trace_emul_write_val Guests can do wider-than-PTE-size writes on page tables. The tracing helper variable, however, only offers space for a single PTE (and it is being switched to the more correct type right here). Therefore bound incoming write sizes to the amount of space available. To not leave dead code (which is a Misra concern), drop the now unused guest_pa_t as well. Also move and adjust GUEST_PTE_SIZE: Derive it rather than using hard- coded numbers, and put it in the sole source file where it's actually needed. This then also addresses a Misra rule 20.9 ("All identifiers used in the controlling expression of #if or #elif preprocessing directives shall be #define'd before evaluation") violation: GUEST_PAGING_LEVELS is #define'd only in multi.c. This is XSA-477 / CVE-2025-58150. Fixes: 9a86ac1aa3d2 ("xentrace 5/7: Additional tracing for the shadow code") Signed-off-by: Jan Beulich <[email protected]> Reviewed-by: Andrew Cooper <[email protected]> --- a/xen/arch/x86/mm/shadow/multi.c +++ b/xen/arch/x86/mm/shadow/multi.c 
@@ -1970,15 +1970,15 @@ static void sh_prefetch(struct vcpu *v, #if GUEST_PAGING_LEVELS == 4 typedef u64 guest_va_t; -typedef u64 guest_pa_t; #elif GUEST_PAGING_LEVELS == 3 typedef u32 guest_va_t; -typedef u64 guest_pa_t; #else typedef u32 guest_va_t; -typedef u32 guest_pa_t; #endif +/* Size (in bytes) of a guest PTE */ +#define GUEST_PTE_SIZE sizeof(guest_l1e_t) + /* Shadow trace event with GUEST_PAGING_LEVELS folded into the event field. */ static void sh_trace(uint32_t event, unsigned int extra, const void *extra_data) { @@ -2048,11 +2048,14 @@ static void __maybe_unused sh_trace_gfn_ static DEFINE_PER_CPU(guest_va_t,trace_emulate_initial_va); static DEFINE_PER_CPU(int,trace_extra_emulation_count); #endif -static DEFINE_PER_CPU(guest_pa_t,trace_emulate_write_val); +static DEFINE_PER_CPU(guest_l1e_t, trace_emulate_write_val); static void cf_check trace_emulate_write_val( const void *ptr, unsigned long vaddr, const void *src, unsigned int bytes) { + if ( bytes > sizeof(this_cpu(trace_emulate_write_val)) ) + bytes = sizeof(this_cpu(trace_emulate_write_val)); + #if GUEST_PAGING_LEVELS == 3 if ( vaddr == this_cpu(trace_emulate_initial_va) ) memcpy(&this_cpu(trace_emulate_write_val), src, bytes); @@ -2077,13 +2080,16 @@ static inline void sh_trace_emulate(gues /* * For GUEST_PAGING_LEVELS=3 (PAE paging), guest_l1e is 64 while * guest_va is 32. Put it first to avoid padding. + * + * Note: .write_val is an arbitrary set of written bytes, possibly + * misaligned and possibly spanning the next gl1e. */ guest_l1e_t gl1e, write_val; guest_va_t va; uint32_t flags:29, emulation_count:3; } d = { .gl1e = gl1e, - .write_val.l1 = this_cpu(trace_emulate_write_val), + .write_val = this_cpu(trace_emulate_write_val), .va = va, #if GUEST_PAGING_LEVELS == 3 .emulation_count = this_cpu(trace_extra_emulation_count), 
@@ -2672,7 +2677,7 @@ static int cf_check sh_page_fault( paging_unlock(d); put_gfn(d, gfn_x(gfn)); - this_cpu(trace_emulate_write_val) = 0; + this_cpu(trace_emulate_write_val) = (guest_l1e_t){}; #if SHADOW_OPTIMIZATIONS & SHOPT_FAST_EMULATION early_emulation: --- a/xen/arch/x86/mm/shadow/private.h +++ b/xen/arch/x86/mm/shadow/private.h @@ -120,14 +120,6 @@ enum { TRCE_SFLAG_OOS_FIXUP_EVICT, }; - -/* Size (in bytes) of a guest PTE */ -#if GUEST_PAGING_LEVELS >= 3 -# define GUEST_PTE_SIZE 8 -#else -# define GUEST_PTE_SIZE 4 -#endif - /****************************************************************************** * Auditing routines */ ++++++ xsa479.patch ++++++ From: Roger Pau Monné <[email protected]> Subject: x86/spec-ctrl: Fix incomplete IBPB flushing during context switch The previous logic attempted to skip an IBPB in the case of vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolation between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB. Do the flush unconditionally when switching to a vCPU different than the idle one. Note there's no need to explicitly gate the IBPB to next domain != idle, as the context where the IBPB is issued is subject to that condition already unless the pCPU is going offline, at which point we don't really care to issue an extra IBPB. Also add a comment with the reasoning why the IBPB needs to be in context_switch() rather than __context_switch(). This is XSA-479 / CVE-2026-23553. Fixes: a2ed643ed783 ("x86/ctxt: Issue a speculation barrier between vcpu contexts") Reported-by: David Kaplan <[email protected]> 
Signed-off-by: Roger Pau Monné <[email protected]> Reviewed-by: Jan Beulich <[email protected]> --- xen/arch/x86/domain.c | 36 +++++++++--------------------------- 1 file changed, 9 insertions(+), 27 deletions(-) --- a/xen/arch/x86/domain.c +++ b/xen/arch/x86/domain.c @@ -2204,33 +2204,15 @@ void context_switch(struct vcpu *prev, s ctxt_switch_levelling(next); - if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) ) - { - static DEFINE_PER_CPU(unsigned int, last); - unsigned int *last_id = &this_cpu(last); - - /* - * Squash the domid and vcpu id together for comparison - * efficiency. We could in principle stash and compare the struct - * vcpu pointer, but this risks a false alias if a domain has died - * and the same 4k page gets reused for a new vcpu. - */ - unsigned int next_id = (((unsigned int)nextd->domain_id << 16) | - (uint16_t)next->vcpu_id); - BUILD_BUG_ON(MAX_VIRT_CPUS > 0xffff); - - /* - * When scheduling from a vcpu, to idle, and back to the same vcpu - * (which might be common in a lightly loaded system, or when - * using vcpu pinning), there is no need to issue IBPB, as we are - * returning to the same security context. - */ - if ( *last_id != next_id ) - { - spec_ctrl_new_guest_context(); - *last_id = next_id; - } - } + /* + * Issue an IBPB when scheduling a different vCPU if required. + * + * IBPB clears the RSB/RAS/RAP, but that's fine as we leave this + * function via reset_stack_and_call_ind() rather than via a RET + * instruction. + */ + if ( opt_ibpb_ctxt_switch ) + spec_ctrl_new_guest_context(); /* Update the top-of-stack block with the new speculation settings. */ info->scf =
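Review bot: in the libxl_cpuid.c hunk of glibc2.43-fixes.patch, a bare `#pragma GCC diagnostic ignored "-Wdiscarded-qualifiers"` turns the diagnostic off for the remainder of the translation unit, not just for the three legacy-parser assignments the description names, so any new const-discarding assignment added later in that file will also go unflagged. Wrapping the affected region in `#pragma GCC diagnostic push` / `#pragma GCC diagnostic pop` keeps the suppression to the code that actually needs it; the patch description should also say which three assignments are being waived.

Review bot: in the libxl_internal.c hunk of glibc2.43-fixes.patch, the pragma is placed ahead of `libxl__dirname()` to cover `char *c = strrchr(s, '/');`, where `s` is `const char *`; if `c` is only compared and used for pointer arithmetic (the rest of the function is outside the hunk), declaring it `const char *c` resolves the glibc 2.43 diagnostic without suppressing the warning class for everything below it in the file, and the pragma can be dropped entirely.

Review bot: in the trace_emulate_write_val() hunk of xsa477.patch, the clamp `if ( bytes > sizeof(this_cpu(trace_emulate_write_val)) ) bytes = ...;` correctly bounds both the PAE and non-PAE memcpy paths that follow, but it silently truncates wider-than-PTE writes; a one-line comment at the clamp stating that only the leading sizeof(guest_l1e_t) bytes are recorded (matching the new ".write_val is an arbitrary set of written bytes ... possibly spanning the next gl1e" note in sh_trace_emulate()) would make the truncation explicit for anyone reading the trace record. Since the same hunk introduces `#define GUEST_PTE_SIZE sizeof(guest_l1e_t)` in this file, consider using one spelling for the PTE size throughout the file.

Review bot: in the context_switch() hunk of xsa479.patch, the new comment says "Issue an IBPB when scheduling a different vCPU if required", but the visible code now issues it on every `opt_ibpb_ctxt_switch` path with no `is_idle_domain(nextd)` test and no vCPU identity comparison; the justification for that (the caller already excludes idle except on pCPU offline, and the dropped last_id short-circuit broke guest-kernel task isolation across CPU A -> B -> A migration) lives only in the commit message. Moving that reasoning into the comment would stop a future reader from reintroducing the per-CPU last_id optimisation, and the removal of `BUILD_BUG_ON(MAX_VIRT_CPUS > 0xffff)` should be mentioned as intentional since it only existed to support the now-deleted id packing.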
