CVE-2014-3690: KVM DoS triggerable by malicious host userspace

[Andy Lutomirski <luto () amacapital net>]

[sorry for somewhat late notice -- I didn't notice that the patch was
public until just now]

KVM has a bug that allows malicious host user code that can open the
/dev/kvm device on a VMX (Intel) machine to DoS the system.  (In my
proof of concept, the DoS is a rather spectacular failure of the whole
system, although I haven't checked whether the kernel panics.  A more
refined exploit *might* be able to kill targetted user processes, but
it would be tricky and is subject to possibly unavoidable races that
are likely to take down the whole system.)

This is *not* triggerable by a guest, although a guest that can
compromise its host QEMU could use this bug to take down everything
else running on the host.

I would guess that all kernels that support VMX are vulnerable, but I
haven't tested old kernels.

The fix is here:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d974baa398f34393db76be45f7d4d04fbdbb4a0a

PoC available upon request, and I'll post it publicly in a few days,
because it's kind of fun to watch the fireworks.

--Andy