xen: patch with XSA-467

When setting up interrupt remapping for legacy PCI(-X) devices,
including PCI(-X) bridges, a lookup of the upstream bridge is required.
This lookup, itself involving acquiring of a lock, is done in a context
where acquiring that lock is unsafe. This can lead to a deadlock.

The passing through of certain kinds of devices to an unprivileged guest
can result in a Denial of Service (DoS) affecting the entire host.

Note: Normal usage of such devices by a privileged domain can also
      trigger the issue.  In such a scenario, the deadlock is not
      considered a security issue, but just a plain bug.

Systems with Intel IOMMU hardware (VT-d) are affected.  Systems using
AMD or non-x86 hardware are not affected.

Only systems where certain kinds of devices are passed through to an
unprivileged guest are vulnerable.

Signed-off-by: Fernando Rodrigues <[email protected]>

Author: SigmaSquadron

pkgs/by-name/xe/xen/package.nix

@@ -12,6 +12,10 @@ buildXenPackage.override { inherit python3Packages; } {
       url = "https://lore.kernel.org/xen-devel/e2caa6648a0b6c429349a9826d8fbc4338222482.1733766758.git.andrii.sultanov@cloud.com/raw";
       hash = "sha256-JC1ueXuC1Jdi2gtUsjOHmTeEx56zjotMMLde5vBonxc=";
     })
+    (fetchpatch {
+      url = "https://xenbits.xenproject.org/xsa/xsa467.patch";
+      hash = "sha256-O2IwfRo6BnXAO04xjKmOyrV6J6Q1mAVLHWNCxqIEQGU=";
+    })
   ];
   rev = "ccf400846780289ae779c62ef0c94757ff43bb60";
   hash = "sha256-s0eCBCd6ybl+kLtXCC6E1sk++w7txXn/B/Cg5acQFfY=";