It was found that kvm_vm_ioctl_assign_device function did not check
if the user requesting assignment was privileged or not. Together
with /dev/kvm being 666, unprivileged user could assign unused
pci devices, or even devices that were in use and whose resources
were not properly claimed by the respective drivers. Please note
that privileged access was still needed to re-program the device
to for example issue DMA requests. This is typically achieved by
touching files on sysfs filesystem. These files are usually not
accessible to unprivileged users. As a result, local user could
use this flaw to crash the system.
Following this email are two patches. The first is for lucid and is a
backport from the upstream commit following the code back to an older
filename. The second is for maverick, natty, and oneiric and is also a
minor backport from the upstream commit, dropping the documentation
updates for the older releases.
Proposing for lucid, maverick, natty and oneiric.
kernel-team mailing list