| From the Red Hat bugzilla [1], [2], [3]:
[1] Reported by Steve Grubb, if a process increases permissions using fcaps all of the dangerous personality flags which are cleared for suid apps should also be cleared. Thus programs given privilege with fcaps will continue to have address space randomization enabled even if the parent tried to disable it to make it easier to attack. (CVE-2012-2123)
[2] Currently we do not validate the vector length before calling get_user_pages_fast(), so the host stack could be easily overflowed by a malicious guest driver who gives us descriptors with length greater than MAX_SKB_FRAGS.
A privileged guest user could use this flaw to induce stack overflow on the host with attacker non-controlled data (some bits can be guessed, as it will be pointers to kernel memory) but with attacker controlled length. (CVE-2012-2119)
[3] KVM uses memory slots to track and map guest regions of memory. When device assignment is used, the pages backing these slots are pinned in memory using get_user_pages and mapped into the iommu. The problem is that when a memory slot is destroyed the pages for the associated memory slot are neither unpinned nor unmapped from the iommu.
The problem is that those pages are now never unpinned and continue to have an increased reference count. This is therefore a potential page leak from the kvm kernel module. (CVE-2012-2121) |
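As an added illustration of the missing check described in [2] (this is constructed example code, not vhost's own; the MAX_SKB_FRAGS value, the descriptor layout and both helper functions are stand-ins), a bounded walk over a guest-supplied descriptor chain that refuses the chain before it can overrun a fixed-size host array:

```c
#include <errno.h>
#include <stdint.h>

/* Constructed stand-in for the host-side cap on descriptors per packet.
 * The real kernel constant has the same name; this value is illustrative. */
#define MAX_SKB_FRAGS 17

/* Simplified virtio-style descriptor as supplied by the guest (constructed). */
struct vring_desc_model {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;   /* DESC_F_NEXT: another descriptor follows at 'next' */
    uint16_t next;
};
#define DESC_F_NEXT 1

struct frag { uint64_t addr; uint32_t len; };

/* Walk the chain starting at 'head' into a caller-owned array of exactly
 * MAX_SKB_FRAGS entries. The count check runs BEFORE each write, so a chain
 * longer than the array (or one that loops back on itself) is rejected
 * instead of overrunning the buffer. Returns the number of descriptors
 * gathered, or -EINVAL for an out-of-ring index or an over-long chain. */
int gather_chain(const struct vring_desc_model *ring, unsigned ring_size,
                 unsigned head, struct frag frags[MAX_SKB_FRAGS])
{
    unsigned i = head, n = 0;
    for (;;) {
        if (i >= ring_size)
            return -EINVAL;          /* guest index points outside the ring */
        if (n >= MAX_SKB_FRAGS)
            return -EINVAL;          /* guest chain longer than host buffer */
        frags[n].addr = ring[i].addr;
        frags[n].len = ring[i].len;
        n++;
        if (!(ring[i].flags & DESC_F_NEXT))
            return (int)n;
        i = ring[i].next;
    }
}

/* Build a constructed chain of 'len' descriptors starting at index 0. */
void build_chain(struct vring_desc_model *ring, unsigned ring_size, unsigned len)
{
    unsigned i;
    for (i = 0; i < ring_size; i++) {
        ring[i].addr = 0x1000 * (uint64_t)(i + 1);
        ring[i].len = 64;
        ring[i].flags = (i + 1 < len) ? DESC_F_NEXT : 0;
        ring[i].next = (uint16_t)(i + 1);
    }
}
```

Without the `n >= MAX_SKB_FRAGS` test the guest alone would decide how many entries are written into the host's fixed-size array, which is the condition the advisory describes.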