CVE-2011-4347

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 3.1.10

Description The issue is related to the kvm vm ioctl assign device function in the KVM subsystem, which does not verify permission to access PCI configuration space and BAR resources. This allows host OS users to assign PCI devices and cause a denial of service (host OS crash) via a KVM ASSIGN PCI DEVICE operation. It is noted that privileged access is still needed to re-program the device, typically achieved by accessing files on the sysfs filesystem, which are usually not accessible to unprivileged users. As a result, a local user could use this flaw to crash the system.

Recommendations To resolve the issue, update the Linux kernel to version 3.1.10 or later. As a temporary workaround, consider restricting access to the kvm vm ioctl assign device function to prevent unauthorized assignment of PCI devices. Additionally, limit access to the sysfs filesystem to prevent re-programming of devices.