A flaw was found in the way IOMMU mapping failures were handled in the kvm_iommu_map_pages() function in the Linux kernel. A privileged user in the guest could use this flaw to crash the host if the guest has access to a passed-in device.
Acknowledgements: Red Hat would like to thank Jack Morgenstein of Mellanox for reporting this issue; the security impact of this issue was discovered by Michael Tsirkin of Red Hat.
Upstream fix: http://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7
Statement: This issue did not affect the Linux kernel versions as shipped with Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2. Future kvm updates for Red Hat Enterprise Linux 5 and Linux kernel updates for Red Hat Enterprise Linux 6 may address this issue.
IssueDescription: A flaw was found in the way the Linux kernel's kvm_iommu_map_pages() function handled IOMMU mapping failures. A privileged user in a guest with an assigned host device could use this flaw to crash the host.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2014:1392 https://rhn.redhat.com/errata/RHSA-2014-1392.html