It was found that kvm_vm_ioctl_assign_device function did not check
if the user requesting assignment was privileged or not. Together
with /dev/kvm being 666, unprivileged user could assign unused
pci devices, or even devices that were in use and whose resources
were not properly claimed by the respective drivers. Please note
that privileged access was still needed to re-program the device
to for example issue DMA requests. This is typically achieved by
touching files on sysfs filesystem. These files are usually not
accessible to unprivileged users. As a result, local user could
use this flaw to crash the system.
It seems that there are actually two patches required to completely
close this flaw, this update carries the second patch. This issue only
applied to lucid and later, and fixes for this have hit precise already
via mainline. ARM is unaffected as KVM does not apply there. Following
this email are three patches. The first (for lucid) is a trivial backport
tracking code location changes. The second (for maverick and natty) is
a trivial backport tracking the introduction of the KVM documentation.
The third (for oneiric) is a simple cherry-pick. In all cases the code
change applied without reject.
Proposing for lucid, maverick, natty, and oneiric.
kernel-team mailing list