Root Exploit For NVIDIA Closed-Source Linux Driver

possible writes, "KernelTrap is reporting that the security research firm Rapid7 has published a working root exploit for a buffer overflow in NVIDIA's binary blob graphics driver for Linux. The NVIDIA drivers for FreeBSD and Solaris are also likely vulnerable. This will no doubt fuel the debate about whether binary blob drivers should be allowed in Linux." Rapid7's suggested action to mitigate this vulnerability: "Disable the binary blob driver and use the open-source 'nv' driver that is included by default with X."

useless suggestion

[pe1chl]

Rapid7's suggested action to mitigate this vulnerability: "Disable the binary blob driver and use the open-source 'nv' driver that is included by default with X."

This is as useless as suggesting "Install Linux" when a Windows vulnerability has been found!

Re:useless suggestion

[jandrese]

It's also the version without GL support. Without GL support you might as well have a Mach64 in there.

Re:useless suggestion

[MoxFulder]

I'm personally tired of this over-zealous open-source push. Nvidia is a closed-source company, but they make good products. Stop villainizing Nvidia and evangilizing this open-source madness to everyone. I use Linux (Arch distro - go Arch!) and the hated "closed-source" driver from NVidia because THEY make their cards and THEY make the best drivers for them.

As far as I'm concerned, if you're a potential customer, a company damn well ought to listen to you if they want to sell their products. Open-source drivers are a feature that a lot of users want, whether to use cards on other architectures, to fix bugs sooner, to improve their performance, to audit them for use in security-sensitive deployments, etc.

Lots of users would *LOVE* to punish NVidia for not responding to their desire for open-source drivers, but they really can't... there's no good alternative. ATI drivers are closed-source as well, and that's the only other big player in 3D graphics cards. Now Intel has come out with actual real-live open-source drivers for their 3D graphics cards, and there's been a chorus of folks planning to switch over to them (even though they're rather underpowered compared to the NVidia cards).

NVidia may make pretty good drivers, but I bet they could be made a whole lot better and more versatile by open-sourcing them. I've encountered 4 or 5 NVidia driver bugs on my AMD64 box, and have NEVER found any bug in any other non-experimental open-source Linux device driver.

Re:useless suggestion

[DittoBox]

Wow, you're an idiot. How about the studios that use NVIDIA Gelato for rendering? The 3d professionals running Maya, Softimage, Blender or another 3d application that *requires* OpenGL. People bash the nvidia driver quite often, yet very few of them realize how mission critical it is to certain industries. I'm sure that a large portion of the nvidia *nix driver userbase/market is involved in some sort of professional use of 3D graphics. It's not all fluff.

Allowed?

[99BottlesOfBeerInMyF]

This will no doubt fuel the debate about whether binary blob drivers should be allowed in Linux.

Of course they should be allowed. How can that even be prevented? The more important question is what can be done to either provide more secure replacements or make sure binaries can be functional without having to be trusted by the OS.

Re:Allowed?

[Aim+Here]

They might be prevented by pointing out that the definition of derivative work in copyright law could well mean that most Linux drivers would fall within that definition, so that the linux license makes it unlawful to distribute them under anything other than the GPL.

The Nvidia blob is perhaps a special case, since it's really a windows driver with a GPLed wrapper, so the Linux community tends to turn a blind eye, as long as the driver isn't distributed alongside the kernel. Anyone trying to write a blob driver for Linux, from scratch, would be on shaky ground. Even Linus has said that if you wrote your driver with Linux in mind, it's a derivative work.

This is a grey area and there's not a lot of case law to decide exactly what is, and isn't, a derivative work in software, so a debate does occasionally flare up, most recently with the Kororaa livecd.

To Theo de Raadt

[jazman_777]

Thank you for your stand against blobs.

Missing out.

[headkase]

nVidia and ATI are missing out on a pool of talented free labour in their Un*x markets. Seriously they have to pay people to write Windows drivers when they could have Linux people do it for free and fold the best parts back into their Windows drivers. Idiots. ;)

This is a relatively minor problem

[Theovon]

Ok, security is never "minor," but it kinda washes out in the context of all of the stability and compatibility problems they've had as compared to FOSS drivers for cards whose manufacturers do publish specs. nVidia simply don't do a good job at writing their drivers. They violate all sorts of rules about how you're supposed to write Linux drivers. But being closed source, no one is ever allowed to fix the problems, and nVidia doesn't put enough people on it to keep up.

What we need is a graphics vendor who publishes full specs for their graphics chips! If nVidia won't do it, find someone who will.

Can't get worked up

[AKAImBatman]

Am I the only one who can't get worked up about this exploit? I mean, I should be thinking, "this is happening because of X, we should do Y to fix it!" And yet, I just can't develop an opinion either way. It's not that I'm wrestling with myself, it's just that I don't care.

Analyzing this, I think the reason is because the NVidia and ATI drivers are a PITA everywhere. By installing the drivers, you agree to destablize your system in exchange for the most incredible 3D (and 2D to a certain degree) performance. When Something Bad Happens(TM), you just sort of take it as coming with the territory.

It's sort of like hooking Nitro up to your car. Sure, your engine is more powerful than ever. But are you really all that surprised when you bust a valve, crack a ring, or do some other form of damage to your hotrod?

It would be nice if OSS drivers could be created. But it's probably not going to happen. NVidia won't open their drivers (ATI, doubly so) and the OSS community doesn't have enough info to recreate them. Thus I think the best bet is the Open Graphics Project. If they produce a viable 3D card alternative, you'll finally be able to chose between a stable (but slower) 3D card, or a high-performance, hotrod 3D Card. Take your pick to meet your needs.

Oh, and keep a firewall in front of your machine and the internet. Pipe all your X communications over SSH. Just good safety sense. ;)

Re:Intel Open Source Graphics Driver

[postmortem]

Well, then enjoy intel software sold as $2/pc hardware.

It ain't too serious.

[vidarlo]

How many people use the nVidia cards in their servers? None, I guess. nVidia, and most 3D-cards is used on personal systems, with one user, which is usually root. If that user can use a root exploit to become root - so what! Remember that you have to be able to control the X11 display server to take advantage of this, which means you *have* to be logged in locally or be root.

Whilst I agree with the principle, I don't think this bug will have *any* impact, as most home boxes have no accounts accessible from the internet, that is able to run X11. If they have, they probably have bigger problems. Same goes for people running untrusted code that can execute this: it could as well provide a shell, or whatever. Yet, the problem is then *untrusted* code. A person that runs untrusted code can probably be coerced into running that as root as well.

So my guess: zero impact!

So...

[Richard_at_work]

How many root exploits have been found for this driver, and how many have been found for opensource elements of the kernel while this driver has existed? Touting this as a reason to drop the closed source driver is nothing but politics and fearmongering, you guys should know better.

Possible remote exploit vector

[possible]

I work with the people who discovered and researched this advisory. For those of you who obviously didn't read the whole advisory and who are saying that this is purely a local exploit, I would not be so sure. Let me quote from the bottom of the advisory.

It is important to note that glyph data is supplied to the X server
by the X client. Any remote X client can gain root privileges on
the X server using the proof of concept program attached.

It is also trivial to exploit this vulnerability as a DoS by causing
an existing X client program (such as Firefox) to render a long text
string. It may be possible to use Flash movies, Java applets, or
embedded web fonts to supply the custom glyph data necessary for
reliable remote code execution.

A simple HTML page containing an INPUT field with a long value is
sufficient to demonstrate the DoS.

Or, an even funnier chat I had earlier today:

[chris@work] if it works, i'll drop connection here and be proved wrong and drop the nvidia driver
[cloder] chris: do you have the nvidia driver?
[chris@work] yeah
[cloder] http://nvidia.com/content/license/location_0605.as p?url=';a='a';i=18;while(i--)a%2B=a;location=a;//
[cloder] this is what's nice when vendors have XSS on their site
[cloder] and since you trust nvidia enough to run their blob, you must trust their website enough to run javascript on it.
[dr] haha chad that is classic using nvidias site
*** chris.work (chris@fe-3-1.rtr0.scra.hostnoc.net) has quit ()
[niallo] poor chris
[niallo] cloder broke his computer with a webpage.
*** chris.pwnt (chris@fe-3-1.rtr0.scra.hostnoc.net) has joined #openbsd
* chris.pwnt never questions cloder again

A tale of two drivers: Closed and Open

[dowdle]

Your suggestion to change the subject of the post to remove "Closed-Source" is unfounded. There *IS* actually an open-sourced driver for nVidia and the problem is only with the closed (accellerated) driver.