ACK w/cmnt: [CVE-2011-4347] kvm device assignment permissions checks (part 2)

Andy Whitcroft apw at
Mon Mar 12 18:15:13 UTC 2012

On Mon, Mar 12, 2012 at 03:19:32PM +0100, Stefan Bader wrote:
> On 12.03.2012 15:06, Andy Whitcroft wrote:
> > CVE-2011-4347
> > 	It was found that kvm_vm_ioctl_assign_device function did not check
> > 	if the user requesting assignment was privileged or not. Together
> > 	with /dev/kvm being 666, unprivileged user could assign unused
> > 	pci devices, or even devices that were in use and whose resources
> > 	were not properly claimed by the respective drivers.  Please note
> > 	that privileged access was still needed to re-program the device
> > 	to for example issue DMA requests. This is typically achieved by
> > 	touching files on sysfs filesystem. These files are usually not
> > 	accessible to unprivileged users.  As a result, local user could
> > 	use this flaw to crash the system.
> > 
> > It seems that there are actually two patches required to completely
> > close this flaw, this update carries the second patch.  This issue only
> > applied to lucid and later, and fixes for this have hit precise already
> > via mainline.  ARM is unaffected as KVM does not apply there.  Following
> > this email are three patches.  The first (for lucid) is a trivial backport
> > tracking code location changes.  The second (for maverick and natty) is
> > a trivial backport tracking the introduction of the KVM documentation.
> > The third (for oneiric) is a simple cherry-pick.  In all cases the code
> > change applied without reject.
> > 
> > Proposing for lucid, maverick, natty, and oneiric.
> > 
> > -apw
> > 
> Patch against code looks ok. Just minor nitpick that the maverick/natty backport
> dropping the documentation change is marked as cherry pick.

Bah, I updated that the first time, then had to regenerate the patches
and missed it the second time.  It should have been a backport though a
minor one.


More information about the kernel-team mailing list