Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole

Posted by Unknown Lamer
from the rms-gazes-upon-you-smugly dept.
An anonymous reader writes "The Nvidia binary driver has been exploited by an anonymous hacker, who reported it to Nvidia months ago and it was never fixed. Now the exploit was made public." The one releasing the exploit (relayed to him anonymously) is David Airlie, a well-known X hacker. The bug lets the attacker write to any part of memory on the system by shifting the VGA window; the attached exploit uses this to attain superuser privileges. It appears that this has been known to Nvidia for at least a month.
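As an added illustration (not part of the story, the exploit, or Nvidia's driver), the bug class the summary describes: a fixed-size window into device memory whose base offset a caller can move. The unchecked setter sits beside a tempting but overflow-prone check and the correct one. Every name and size here (sysmem, VRAM_SIZE, WINDOW_SIZE, window_set_base_*) is hypothetical and says nothing about how the real driver is laid out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: VRAM occupies the first VRAM_SIZE bytes of sysmem;
 * everything after it stands in for system memory the window must never reach. */
#define VRAM_SIZE    4096u
#define WINDOW_SIZE   256u
#define SYSMEM_SIZE  (VRAM_SIZE + 1024u)

static uint8_t sysmem[SYSMEM_SIZE];

struct window {
    uint32_t base;   /* offset of the aperture within device memory, caller-controlled */
};

/* Vulnerable setter: stores whatever base the caller supplies. */
static void window_set_base_unchecked(struct window *w, uint32_t base)
{
    w->base = base;
}

/* Tempting but wrong: base + WINDOW_SIZE is computed in 32 bits, so a base
 * near UINT32_MAX wraps to a small value and passes the comparison. */
static bool window_set_base_naive(struct window *w, uint32_t base)
{
    if (base + WINDOW_SIZE > VRAM_SIZE)
        return false;
    w->base = base;
    return true;
}

/* Correct check: the entire aperture must fit inside VRAM. Rearranged as a
 * comparison against a constant so nothing in the check can overflow. */
static bool window_set_base_checked(struct window *w, uint32_t base)
{
    if (base > VRAM_SIZE - WINDOW_SIZE)
        return false;
    w->base = base;
    return true;
}

/* Write one byte through the window. The offset check alone is what a driver
 * might believe is enough; it is not, because base is untrusted. */
static bool window_write(const struct window *w, uint32_t off, uint8_t val)
{
    if (off >= WINDOW_SIZE)
        return false;
    uint64_t addr = (uint64_t)w->base + off;   /* 64-bit so the sum itself cannot wrap */
    if (addr >= SYSMEM_SIZE)                   /* keeps the demo inside its array; not a security check */
        return false;
    sysmem[addr] = val;
    return true;
}

/* Attacker shifts the window to start exactly at the end of VRAM, then writes
 * offset 0: the byte lands in memory the window should never reach. */
bool demo_unchecked_write_escapes_vram(void)
{
    struct window w = { 0 };
    memset(sysmem, 0, sizeof sysmem);
    window_set_base_unchecked(&w, VRAM_SIZE);
    bool wrote = window_write(&w, 0, 0x41);
    return wrote && sysmem[VRAM_SIZE] == 0x41;
}

/* The naive check accepts a base that the correct check rejects. */
bool demo_naive_check_wraps(void)
{
    struct window a = { 0 }, b = { 0 };
    uint32_t base = 0xFFFFFFF0u;
    bool naive_accepts   = window_set_base_naive(&a, base);
    bool checked_accepts = window_set_base_checked(&b, base);
    return naive_accepts && !checked_accepts;
}

/* The correct check permits the last in-bounds base, rejects one past it, and
 * a write at the far end of that window still stays inside VRAM. */
bool demo_checked_confines_window(void)
{
    struct window w = { 0 };
    memset(sysmem, 0, sizeof sysmem);
    bool last_ok = window_set_base_checked(&w, VRAM_SIZE - WINDOW_SIZE);
    bool past_ok = window_set_base_checked(&w, VRAM_SIZE - WINDOW_SIZE + 1);
    bool wrote   = window_write(&w, WINDOW_SIZE - 1, 0x42);
    return last_ok && !past_ok && wrote
        && sysmem[VRAM_SIZE - 1] == 0x42 && sysmem[VRAM_SIZE] == 0;
}

int main(void)
{
    printf("unchecked base escapes VRAM: %s\n", demo_unchecked_write_escapes_vram() ? "yes" : "no");
    printf("naive check wraps:           %s\n", demo_naive_check_wraps() ? "yes" : "no");
    printf("checked setter confines:     %s\n", demo_checked_confines_window() ? "yes" : "no");
    return 0;
}
```

The point for anyone reviewing a driver's aperture or window-remap path: validating the offset within the window is meaningless unless the window's base is also confined, and the confinement check has to be written so that base plus size cannot wrap in the integer width the hardware register uses.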

  • A view to a kill. (Score:2, Interesting)

    by Anonymous Coward on Wednesday August 01, 2012 @01:34PM (#40844961)

    Shouldn't the VGA window be a window into the video memory, or at least configuration registers?

  • Hoooo boy... (Score:5, Interesting)

    by Tarlus (1000874) on Wednesday August 01, 2012 @01:37PM (#40845025)

    With all the recent controversy and Linus and other members of the FOSS community flipping Nvidia the bird over the issue of keeping their driver closed, they're certainly going to take this news and run with it.

  • by ZeroSumHappiness (1710320) on Wednesday August 01, 2012 @02:02PM (#40845467)

    If you're not surprised then I hope it's because you expect Nvidia to be shite. Microsoft, as policy (though possibly not practice), fully evaluates any possible security exploits submitted because they assume that among the cranks who've already broken through the airlock there might be a real security exploit. This is expensive but necessary. If Nvidia can't do the same then I'll have to seriously consider my choices next time I'm buying a card.

  • meh (Score:5, Interesting)

    by ThorGod (456163) on Wednesday August 01, 2012 @02:11PM (#40845659) Journal

    Not too long ago Intel had a firmware exploit in their processors.

    I still appreciate the effort Nvidia's made to support their cards on OSes such as Linux and BSD over the years. I'll still only EVER buy Nvidia cards because of their driver support.

    Here's hoping they keep trucking along at it, even with what Linus said and now this.

  • Re:works here (Score:4, Interesting)

    by Ken_g6 (775014) on Wednesday August 01, 2012 @02:40PM (#40846123) Homepage

    Doesn't work for me on Linux Mint Debian Edition with Xfce, nVidia driver version x86_64-290.10:

    uname -a | sed -e 's/^[^0-9]*//'
    3.2.0-2-amd64 #1 SMP Sun Mar 4 22:48:17 UTC 2012 x86_64 GNU/Linux

    lsb_release -a
    LSB Version: core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch
    Distributor ID: LinuxMint
    Description: Linux Mint Xfce Edition
    Release: 1
    Codename: debian

    ./nvid-root
    [*] IDT offset at 0xffffffff8172a000
    [*] Abusing nVidia...
    [*] CVE-2012-YYYY
    [*] 64-bits Kernel found at ofs 0
    [*] Using IDT entry: 220 (0xffffffff8172adc0)
    [*] Enhancing gate entry...
    [*] Triggering payload...
    Killed

    Message from syslogd@qcomp at Aug 1 12:30:52 ...
      kernel:[148805.500504] Oops: 0000 [#1] SMP

    Message from syslogd@qcomp at Aug 1 12:30:52 ...
      kernel:[148805.500641] Stack:

    Message from syslogd@qcomp at Aug 1 12:30:52 ...
      kernel:[148805.500658] Call Trace:

    Message from syslogd@qcomp at Aug 1 12:30:52 ...
      kernel:[148805.500675] Code: Bad RIP value.

    Message from syslogd@qcomp at Aug 1 12:30:52 ...
      kernel:[148805.500684] CR2: ffffffff81a00000

  • Re:A view to a kill. (Score:4, Interesting)

    by MightyMartian (840721) on Wednesday August 01, 2012 @02:51PM (#40846311) Journal

    So how does Windows deal with restricting where this window can be remapped?

  • by FranTaylor (164577) on Wednesday August 01, 2012 @04:12PM (#40847521)

    There's plenty of horsepower on the card

    Platform-agnostic API, super-duper-thin wrapper libraries

    It also solves all the whinging about binary blobs

