ACK w/cmnt: [CVE-2011-4347] kvm device assignment permissions checks (part 2)
Andy Whitcroft
apw at canonical.com
Mon Mar 12 18:15:13 UTC 2012
On Mon, Mar 12, 2012 at 03:19:32PM +0100, Stefan Bader wrote:
> On 12.03.2012 15:06, Andy Whitcroft wrote:
> > CVE-2011-4347
> > It was found that kvm_vm_ioctl_assign_device function did not check
> > if the user requesting assignment was privileged or not. Together
> > with /dev/kvm being 666, unprivileged user could assign unused
> > pci devices, or even devices that were in use and whose resources
> > were not properly claimed by the respective drivers. Please note
> > that privileged access was still needed to re-program the device
> > to for example issue DMA requests. This is typically achieved by
> > touching files on sysfs filesystem. These files are usually not
> > accessible to unprivileged users. As a result, local user could
> > use this flaw to crash the system.
> >
> > It seems that there are actually two patches required to completely
> > close this flaw, this update carries the second patch. This issue only
> > applied to lucid and later, and fixes for this have hit precise already
> > via mainline. ARM is unaffected as KVM does not apply there. Following
> > this email are three patches. The first (for lucid) is a trivial backport
> > tracking code location changes. The second (for maverick and natty) is
> > a trivial backport tracking the introduction of the KVM documentation.
> > The third (for oneiric) is a simple cherry-pick. In all cases the code
> > change applied without reject.
> >
> > Proposing for lucid, maverick, natty, and oneiric.
> >
> > -apw
> >
> Patch against code looks ok. Just minor nitpick that the maverick/natty backport
> dropping the documentation change is marked as cherry pick.
Bah, I updated that the first time, then had to regenerate the patches
and missed it the second time. It should have been a backport though a
minor one.
-apw
More information about the kernel-team
mailing list