Slashdot Mirror


Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole

An anonymous reader writes "The Nvidia binary driver has been exploited by an anonymous hacker, who reported it to Nvidia months ago, and it was never fixed. Now the exploit has been made public." The one releasing the exploit (relayed to him anonymously) is David Airlie, a well-known X hacker. The bug lets the attacker write to any part of memory on the system by shifting the VGA window; the attached exploit uses this to attain superuser privileges. It appears that this has been known to Nvidia for at least a month.

7 of 180 comments

  1. A view to a kill. by Anonymous Coward · · Score: 2, Interesting

    Shouldn't the VGA window be a window into the video memory, or at least configuration registers?

    1. Re:A view to a kill. by MightyMartian · · Score: 3, Interesting

      So how does Windows deal with restricting where this window can be remapped?

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  2. Hoooo boy... by Tarlus · · Score: 4, Interesting

    With all the recent controversy and Linus and other members of the FOSS community flipping Nvidia the bird over the issue of keeping their driver closed, they're certainly going to take this news and run with it.

    --
    /* No Comment */
  3. Re:Who did he send it to at Nvidia? by ZeroSumHappiness · · Score: 4, Interesting

    If you're not surprised then I hope it's because you expect Nvidia to be shite. Microsoft, as policy (though possibly not practice), fully evaluates any possible security exploits submitted because they assume that among the cranks who've already broken through the airlock there might be a real security exploit. This is expensive but necessary. If Nvidia can't do the same then I'll have to seriously consider my choices next time I'm buying a card.

  4. meh by ThorGod · · Score: 4, Interesting

    Not too long ago Intel had a firmware exploit in their processors.

    I still appreciate the effort Nvidia's made to support their cards on OSes such as Linux and BSD over the years. I'll still only EVER buy Nvidia cards because of their driver support.

    Here's hoping they keep trucking along at it, even with what Linus said and now this.

    --
    PS: I don't reply to ACs.
  5. Re:works here by Ken_g6 · · Score: 3, Interesting

    Doesn't work for me on Linux Mint Debian Edition with Xfce, nVidia driver version x86_64-290.10:

    uname -a | sed -e 's/^[^0-9]*//'
    3.2.0-2-amd64 #1 SMP Sun Mar 4 22:48:17 UTC 2012 x86_64 GNU/Linux

    lsb_release -a
    LSB Version: core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch
    Distributor ID: LinuxMint
    Description: Linux Mint Xfce Edition
    Release: 1
    Codename: debian

    ./nvid-root
    [*] IDT offset at 0xffffffff8172a000
    [*] Abusing nVidia...
    [*] CVE-2012-YYYY
    [*] 64-bits Kernel found at ofs 0
    [*] Using IDT entry: 220 (0xffffffff8172adc0)
    [*] Enhancing gate entry...
    [*] Triggering payload...
    Killed

    Message from syslogd@qcomp at Aug 1 12:30:52 ...
      kernel:[148805.500504] Oops: 0000 [#1] SMP

    Message from syslogd@qcomp at Aug 1 12:30:52 ...
      kernel:[148805.500641] Stack:

    Message from syslogd@qcomp at Aug 1 12:30:52 ...
      kernel:[148805.500658] Call Trace:

    Message from syslogd@qcomp at Aug 1 12:30:52 ...
      kernel:[148805.500675] Code: Bad RIP value.

    Message from syslogd@qcomp at Aug 1 12:30:52 ...
      kernel:[148805.500684] CR2: ffffffff81a00000

    --
    (T>t && O(n)--) == sqrt(666)
  6. Put the whole driver on the video card! by FranTaylor · · Score: 3, Interesting

    There's plenty of horsepower on the card

    Platform-agnostic API, super-duper-thin wrapper libraries

    It also solves all the whinging about binary blobs