From: Teddy Astie <teddy.astie@vates.tech>
Subject: x86/viridian: Enforce bounds check in vpmask_set()

Callers can pass vp/mask values which exceed the size of vpmask->mask.  Ensure
we only set bits which are within bounds.

This is XSA-475 / CVE-2025-58147.

Fixes: b4124682db6e ("viridian: add ExProcessorMasks variants of the flush hypercalls")
Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff --git a/xen/arch/x86/hvm/viridian/viridian.c b/xen/arch/x86/hvm/viridian/viridian.c
index a41a70e37a29..41e93ef20fb2 100644
--- a/xen/arch/x86/hvm/viridian/viridian.c
+++ b/xen/arch/x86/hvm/viridian/viridian.c
@@ -562,7 +562,8 @@ static void vpmask_set(struct hypercall_vpmask *vpmask, unsigned int vp,
 
         if ( mask & 1 )
         {
-            ASSERT(vp < HVM_MAX_VCPUS);
+            if ( vp >= HVM_MAX_VCPUS )
+                break;
             __set_bit(vp, vpmask->mask);
         }
 
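Review bot: The new `if ( vp >= HVM_MAX_VCPUS ) break;` ahead of `__set_bit(vp, vpmask->mask)` carries no comment explaining why out-of-range bits are dropped silently instead of asserted on. The commit message says callers can pass vp/mask values beyond the size of vpmask->mask, so a one-line comment at the check saying that these values are caller-supplied would keep a later cleanup from turning it back into an ASSERT(), which is compiled out of release builds and would leave the `__set_bit()` unguarded again. It is also worth confirming that `break` rather than `continue` is intended: the enclosing loop is not visible in this hunk, and `break` is only correct if vp cannot come back into range on a later iteration.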
