A flaw was found in the way the KVM hypervisor handled guest pv_eoi (paravirtualized end-of-interrupt) updates before entering the guest. When synchronizing the LAPIC state to the guest's VAPIC, kvm_write_guest_cached() (and through it copy_to_user()) could be called with interrupts disabled; that copy can take a page fault and sleep, which is not permitted in that context. A local, unprivileged user in a guest could potentially use this flaw to crash the host.
Statement: This issue does not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2, nor the versions of the KVM package as shipped with Red Hat Enterprise Linux 5.
Acknowledgements: Red Hat would like to thank IBM for reporting this issue.
This issue has been addressed in the following products: RHEV-H and Agents for RHEL-6 via RHSA-2013:0907 https://rhn.redhat.com/errata/RHSA-2013-0907.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 via RHSA-2013:0911 https://rhn.redhat.com/errata/RHSA-2013-0911.html