Proprietary Nvidia Linux Driver Contains Privilege Escalation Hole
An anonymous reader writes "The Nvidia binary driver has been exploited by an anonymous hacker, who reported it to Nvidia months ago and it was never fixed. Now the exploit was made public."
The person releasing the exploit (which was relayed to him anonymously) is David Airlie, a well-known X hacker. The bug lets the attacker write to any part of memory on the system by shifting the VGA window; the attached exploit uses this to attain superuser privileges. It appears that this has been known to Nvidia for at least a month.
A view to a kill. (Score:2, Interesting)
Shouldn't the VGA window be a window into the video memory, or at least configuration registers?
Hoooo boy... (Score:5, Interesting)
With all the recent controversy and Linus and other members of the FOSS community flipping Nvidia the bird over the issue of keeping their driver closed, they're certainly going to take this news and run with it.
Re:Who did he send it to at Nvidia? (Score:5, Interesting)
If you're not surprised then I hope it's because you expect Nvidia to be shite. Microsoft, as policy (though possibly not practice), fully evaluates any possible security exploits submitted because they assume that among the cranks who've already broken through the airlock there might be a real security exploit. This is expensive but necessary. If Nvidia can't do the same then I'll have to seriously consider my choices next time I'm buying a card.
meh (Score:5, Interesting)
Not too long ago Intel had a firmware exploit in their processors.
I still appreciate the effort Nvidia's made to support their cards on OSes such as Linux and BSD over the years. I'll still only EVER buy Nvidia cards because of their driver support.
Here's hoping they keep trucking along at it, even with what Linus said and now this.
Re:works here (Score:4, Interesting)
Doesn't work for me on Linux Mint Debian Edition with Xfce, nVidia driver version x86_64-290.10:
uname -a | sed -e 's/^[^0-9]*//'
3.2.0-2-amd64 #1 SMP Sun Mar 4 22:48:17 UTC 2012 x86_64 GNU/Linux
lsb_release -a
LSB Version: core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch
Distributor ID: LinuxMint
Description: Linux Mint Xfce Edition
Release: 1
Codename: debian
./nvid-root
[*] IDT offset at 0xffffffff8172a000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 64-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xffffffff8172adc0)
[*] Enhancing gate entry...
[*] Triggering payload...
Killed
Message from syslogd@qcomp at Aug 1 12:30:52 ...
kernel:[148805.500504] Oops: 0000 [#1] SMP
Message from syslogd@qcomp at Aug 1 12:30:52 ...
kernel:[148805.500641] Stack:
Message from syslogd@qcomp at Aug 1 12:30:52 ...
kernel:[148805.500658] Call Trace:
Message from syslogd@qcomp at Aug 1 12:30:52 ...
kernel:[148805.500675] Code: Bad RIP value.
Message from syslogd@qcomp at Aug 1 12:30:52 ...
kernel:[148805.500684] CR2: ffffffff81a00000
Re:A view to a kill. (Score:4, Interesting)
So how does Windows deal with restricting where this window can be remapped?
Put the whole driver on the video card! (Score:4, Interesting)
There's plenty of horsepower on the card
Platform-agnostic API, super-duper-thin wrapper libraries
It also solves all the whinging about binary blobs