[CVE-2011-4347] kvm device assignment permissions checks (part 2)

Andy Whitcroft apw at canonical.com
Mon Mar 12 14:06:34 UTC 2012

	It was found that kvm_vm_ioctl_assign_device function did not check
	if the user requesting assignment was privileged or not. Together
	with /dev/kvm being 666, unprivileged user could assign unused
	pci devices, or even devices that were in use and whose resources
	were not properly claimed by the respective drivers.  Please note
	that privileged access was still needed to re-program the device
	to for example issue DMA requests. This is typically achieved by
	touching files on sysfs filesystem. These files are usually not
	accessible to unprivileged users.  As a result, local user could
	use this flaw to crash the system.

It seems that there are actually two patches required to completely
close this flaw, this update carries the second patch.  This issue only
applied to lucid and later, and fixes for this have hit precise already
via mainline.  ARM is unaffected as KVM does not apply there.  Following
this email are three patches.  The first (for lucid) is a trivial backport
tracking code location changes.  The second (for maverick and natty) is
a trivial backport tracking the introduction of the KVM documentation.
The third (for oneiric) is a simple cherry-pick.  In all cases the code
change applied without reject.

Proposing for lucid, maverick, natty, and oneiric.


More information about the kernel-team mailing list