Ack: Re: [CVE-2011-4347] kvm device assignment permissions checks (part 2)
Herton Ronaldo Krzesinski
herton.krzesinski at canonical.com
Mon Mar 12 14:43:43 UTC 2012
On Mon, Mar 12, 2012 at 02:06:34PM +0000, Andy Whitcroft wrote:
> It was found that kvm_vm_ioctl_assign_device function did not check
> if the user requesting assignment was privileged or not. Together
> with /dev/kvm being 666, unprivileged user could assign unused
> pci devices, or even devices that were in use and whose resources
> were not properly claimed by the respective drivers. Please note
> that privileged access was still needed to re-program the device
> to for example issue DMA requests. This is typically achieved by
> touching files on sysfs filesystem. These files are usually not
> accessible to unprivileged users. As a result, local user could
> use this flaw to crash the system.
> It seems that there are actually two patches required to completely
> close this flaw, this update carries the second patch. This issue only
> applied to lucid and later, and fixes for this have hit precise already
> via mainline. ARM is unaffected as KVM does not apply there. Following
> this email are three patches. The first (for lucid) is a trivial backport
> tracking code location changes. The second (for maverick and natty) is
> a trivial backport tracking the introduction of the KVM documentation.
> The third (for oneiric) is a simple cherry-pick. In all cases the code
> change applied without reject.
> Proposing for lucid, maverick, natty, and oneiric.
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
More information about the kernel-team