Root Exploit For NVIDIA Closed-Source Linux Driver

possible writes, "KernelTrap is reporting that the security research firm Rapid7 has published a working root exploit for a buffer overflow in NVIDIA's binary blob graphics driver for Linux. The NVIDIA drivers for FreeBSD and Solaris are also likely vulnerable. This will no doubt fuel the debate about whether binary blob drivers should be allowed in Linux." Rapid7's suggested action to mitigate this vulnerability: "Disable the binary blob driver and use the open-source 'nv' driver that is included by default with X."

useless suggestion

[pe1chl]

Rapid7's suggested action to mitigate this vulnerability: "Disable the binary blob driver and use the open-source 'nv' driver that is included by default with X."

This is as useless as suggesting "Install Linux" when a Windows vulnerability has been found!

Re:useless suggestion

[Anonymous Coward]

stfu. Say first post next time like normal people.

Re:

[Azarael]

At least there is a way to avoid the problem. Half the time I can't be even bothered to install the driver and get x reconfigured properly. It is concerning to see that it can be exploited through a remote website though(according to Rapid7).

Re:

[renoX]

I fully agree since the open source nv driver didn't work for my GeForce6600 (Kubuntu 6.06TS).

As an aside, I wonder why there isn't some kind of 'backup X' configuration with the vesa driver for those who have a problem with their driver?
At first I made a mistake and used fbdriver instead of the vesa driver trying to have X running to be able to use a web browser to get the closed source driver, this was frustrating, especially as Kubuntu starts with some kind of image during the boot, so I knew that it was

Re:

[drinkypoo]

As an aside, I wonder why there isn't some kind of 'backup X' configuration with the vesa driver for those who have a problem with their driver?

There is. It's called creating a simple config with the vesa driver. All servers look in the same place for their config file by default so there's not any good way to do this beyond providing you with a config file that will give you a failsafe. The X server can't be counted on to detect if its output is what it ought to be, so there's no automated way it could

Re:

[cortana]

Wait for Xorg 7.2. Input and Output hotplugging may just eliminate the X server's config file forever!

Re:

[Caligari]

Seeing as there is no source code, and NVidia do not appear to have released a fix, using the Open Source X driver appears to be the only viable solution. Do you have a better suggestion? You are at the mercy of your proprietary vendor.

Re:better suggestion

[Psykechan]

Do you have a better suggestion?

Well duh! Our only course of action is to bitch about it on /.

Of course this now gives me some ammo against the Linux+nVidia fans I personally know. As Nelson Muntz would say: "Ha ha".

Re:

[Vellmont]

This is as useless as suggesting "Install Linux" when a Windows vulnerability has been found!

Not really. You assume that this is somehow incredibly difficult. In actuallity the difficult part has already been done. That happened when the end user installed the binary only nVidia driver. Going back to the driver
supplied by the distribution should be easy by comparison.

Sure you're not going to get the 3-D performance benefits, but you'll at least not get your machine rooted.

Re:useless suggestion

[JensenDied]

FTFA

NVIDIA released the 1.0-9625
Comment posted by Anonymous (not verified) on Monday, October 16, 2006 - 13:22

NVIDIA released the 1.0-9625 driver which fixes this bug last month: http://www.nzone.com/object/nzone_downloads_rel70b etadriver.html [nzone.com]

Its a bit ironic how these Rapid7 guys are foaming at the mouth about NVIDIA's awareness of the issue when Rapid7 wasn't even aware that its been fixed for weeks now.

Re:useless suggestion

[cortana]

The drivers on that page are "BETA". Not released.

It is interesting that when someone holds back the disclosure of a vulnerability in Microsoft software they are praised for practicing "responsible disclosure", but when these Rapid7 people do the same they are accused of foaming at the mouth needlessly since a fixed driver is allegedly already released.

Re:

[diegocgteleline.es]

Actually, this is a good idea. The kernel-side binary blob that nvidia uses is used mostly for 3d operations: You don't really use it in your day-to-day desktop experience

The one "acceleration" that the X.org 2d desktops use is mostly render (for doing font AA, etc). But the X.org 2d drivers can provide that without using kernel drivers.

The propietary module provides you a alternative and propietary 2d driver, but's its possible to use the nv one, which was written also by nvidia i think. I don't know if it

Re:useless suggestion

[jandrese]

It's also the version without GL support. Without GL support you might as well have a Mach64 in there.

Re:

[Anonymous Coward]

Ironically, the mach64 driver is not built by default because it also has security issues

One more reason to use OpenGraphics.org card

[billybob2]

The OpenGraphics.org [opengraphics.org] project will release a 3D OpenGL enabled graphics card [duskglow.com] with full specifications and schematics so that FOSS developers can write open source drivers for Linux and BSDs. The consumer graphics card [duskglow.com] (code-named OGA) will be release after a development board [duskglow.com] (code-named OGD1) is produced. The key step is to make enough revenue (around $2 million) from selling the multi-function development board to fund the mass production of the consumer card.

Unless there is a wealthy individual / corporation out there who is willing to invest in order to manufacture this card earlier. The FOSS-friendly card will surely have a big appeal in Linux circles.

Re:

[kelnos]

Personally, I don't care so much about the HW-accelerated GL support the nvidia binary driver supplies. I only use it for the 2D acceleration (which, ironically, I usually don't use as it renders my system somewhat unstable). So for some of us, switching to the open source 'nv' driver is quite feasible.

Re:

[Rei]

Good for you. Back in the real world, a large number of people, probably in the millions, use the NVidia driver because of GL. As a consequence, saying Disable the binary blob driver and use the open-source 'nv' driver that is included by default with X." is useless.

It's only sort of a remote exploit

[spun]

FTFA: This bug can be exploited both locally or remotely (via a remote X client or an X client which visits a malicious web page).

So we have three possible routes to privilege escalation. One, the person already has shell access. This is rather rare these days. In any case, you can restrict access to X to only those people you trust or can hold accountable. Two, a remote X client. Who allows remote X connections these days? Require shell access with X connection tunneling through SSH and see #1, above.

Three

Re:

[ebyrob]

...the best that an attacker can accomplish is a DoS for as long as you are visiting that site...

Then perhaps you can explain why this isn't a working javascript exploit proof of concept:
(Taken from a post further down this very page)

http://nvidia.com/content/license/location_0605.as p?url=';a='a';i=18;while(i--)a%2B=a;location=a;// [nvidia.com]

I mean... if the overflow is that easy, wouldn't someone adept at hitting the right targets in memory be able to do a lot worse with nothing more than javascript?

Re:

[Trogre]

Unfortunately you will also have no multi-monitor support and no VBLANK synching. This means no HTPC and no dual-screen setups.

Re:

[golgotha007]

Yes, but he'll also have a system that won't crash its X server every hour or so.

I don't think you understand how this exploit works:

This exploit cannot be remotely executed. It requires a user to be logged into their account on the machine they want to infect. In other words, for those of us with linux workstations (only one user account), this exploit doesn't affect us at all.

The only type of machine this exploit targets are machines with multiple untrusted user accounts. I can't imagine why someone wo

Matrox source driver (mga) for G550 does 3D

[Anonymous Coward]

>> It's also the version without GL support. Without GL support you might as well have a Mach64 in there.

Well since you mention Matrox, get their G550 which has both GL support *and* open drivers. :-)

The Matrox G550 PCIe card works perfectly with the pure open-source mga driver that comes as standard with all recent kernels. I've been using it in my Dell 2800 server, and its record of reliability is 100%.

Matrox even boldly proclaim their Linux source driver support on the box. That's quite unusual!

The

Re:

[mibus]

It's also the version without GL support. Without GL support you might as well have a Mach64 in there.

And dual-head.

Quite useless.

[Anonymous Coward]

Also the ones without openGL performance. Remind me why I bought a high-performance 3D card again.

Re:useless suggestion

[MoxFulder]

I'm personally tired of this over-zealous open-source push. Nvidia is a closed-source company, but they make good products. Stop villainizing Nvidia and evangilizing this open-source madness to everyone. I use Linux (Arch distro - go Arch!) and the hated "closed-source" driver from NVidia because THEY make their cards and THEY make the best drivers for them.

As far as I'm concerned, if you're a potential customer, a company damn well ought to listen to you if they want to sell their products. Open-source drivers are a feature that a lot of users want, whether to use cards on other architectures, to fix bugs sooner, to improve their performance, to audit them for use in security-sensitive deployments, etc.

Lots of users would *LOVE* to punish NVidia for not responding to their desire for open-source drivers, but they really can't... there's no good alternative. ATI drivers are closed-source as well, and that's the only other big player in 3D graphics cards. Now Intel has come out with actual real-live open-source drivers for their 3D graphics cards, and there's been a chorus of folks planning to switch over to them (even though they're rather underpowered compared to the NVidia cards).

NVidia may make pretty good drivers, but I bet they could be made a whole lot better and more versatile by open-sourcing them. I've encountered 4 or 5 NVidia driver bugs on my AMD64 box, and have NEVER found any bug in any other non-experimental open-source Linux device driver.

Re:

[10Ghz]

Of course NVIDIA has the every right to license their drivers however they please. It's their driver and their product after all. That said, we also have the right to complain about their choice of licenses, and we have the right to buy something else. So why are you (and others like you) complaining? How does it harm you if some people complain about NVIDIA's drivers? It doesn't. People have the right to complain, and the reason they are complaining about is a valid one, even though it might not matter to

Re:

[cortana]

Good companies do not hide the existence of a vulnerability in their products that allows a remote attacker to execute arbitrary code on a machine as root for two years.

Re:

[LordSnooty]

Trade secrets are money makers, and you can't definitively say that opening their source wouldn't give away some trade secrets or algorithms that keep NVidia at the cutting edge of video card production.

If only the money made from trade secrets could be outweighed by the money lost through a class action suit against Nvidia for r00ting a phalanx of machines...

A tale of two drivers: Closed and Open

[dowdle]

Your suggestion to change the subject of the post to remove "Closed-Source" is unfounded. There *IS* actually an open-sourced driver for nVidia and the problem is only with the closed (accellerated) driver.

I've always doubted the 'trade secrets' argument

[Weaselmancer]

I mean, it's not like anyone out there actually has a disassembler or anything. If there was anything worth digging for in their binary drivers, someone would have disassembled that bit and posted it as code already.

Re:

[NitsujTPU]

They might want to play video games.

Re:

[Rei]

Exactly. Why is it that people assume that Linux users aren't gamers? Some play mainstream games under emulation. My partner is a gaming nut who loves all of the free games you can get with apt or yum. And despite the common perception, there are a lot of fun Linux games out there.

Re:

[DittoBox]

Wow, you're an idiot. How about the studios that use NVIDIA Gelato for rendering? The 3d professionals running Maya, Softimage, Blender or another 3d application that *requires* OpenGL. People bash the nvidia driver quite often, yet very few of them realize how mission critical it is to certain industries. I'm sure that a large portion of the nvidia *nix driver userbase/market is involved in some sort of professional use of 3D graphics. It's not all fluff.

Allowed?

[99BottlesOfBeerInMyF]

This will no doubt fuel the debate about whether binary blob drivers should be allowed in Linux.

Of course they should be allowed. How can that even be prevented? The more important question is what can be done to either provide more secure replacements or make sure binaries can be functional without having to be trusted by the OS.

Re:Allowed?

[Aim Here]

They might be prevented by pointing out that the definition of derivative work in copyright law could well mean that most Linux drivers would fall within that definition, so that the linux license makes it unlawful to distribute them under anything other than the GPL.

The Nvidia blob is perhaps a special case, since it's really a windows driver with a GPLed wrapper, so the Linux community tends to turn a blind eye, as long as the driver isn't distributed alongside the kernel. Anyone trying to write a blob driver for Linux, from scratch, would be on shaky ground. Even Linus has said that if you wrote your driver with Linux in mind, it's a derivative work.

This is a grey area and there's not a lot of case law to decide exactly what is, and isn't, a derivative work in software, so a debate does occasionally flare up, most recently with the Kororaa livecd.

Re:Allowed?

[JesseMcDonald]

If I distribute something (closed source) that is dynamically linked against a certain GPL library, but I never distributed any GPL code, the GPL doesn't apply to me for that work, I need no authorization to distribute something that merely can potentially utilize a GPL program in a closely tied way.

The argument goes that a driver developed specifically for Linux is a derived work of the Linux kernel, and thus is subject to the conditions of the GPL. IANAL, but it seems to be a fairly sound argument. There is an explicit waiver for the standard user-space interfaces (so applications are not automatically considered derivative works), but no such waiver exists for the Linux-specific kernel interfaces. nVidia gets around this by (a) using an open-source wrapper, so their real driver doesn't use any of the Linux kernel interfaces directly, and (b) using the same driver code on Linux and Windows (so the driver isn't entirely dependent on Linux).

This has nothing to do with whether there is aggregation or dynamic linking, and everything to with whether the module is dependent on the GPL'd kernel API.

Re:

[Aim Here]

"I don't think they can be considered a "derivative work" because really they add functionality to the kernel, not take functionality from it"

Adding functionality has nothing to do with copyright law. If you don't believe me, add some binary-only functionality to gcc or emacs and see how long it takes for Eben Moglen to get on your phone.

"besides there's too many other backdoor ways of getting round it"

Well you can shift your blob down into firmware or up into userspace. I think the kernel devs would be hap

Re:

[drinkypoo]

The more important question is what can be done to either provide more secure replacements or make sure binaries can be functional without having to be trusted by the OS.

We're talking about a graphics driver here. It pretty much has to execute in kernel mode. you know, where you can do anything you want on the system? Sure, we could have a userspace graphics driver, but it would still need a kernel mode driver stub and it would be substantially slower, which is not really an option for most people.

Re:

[99BottlesOfBeerInMyF]

We're talking about a graphics driver here. It pretty much has to execute in kernel mode. you know, where you can do anything you want on the system? Sure, we could have a userspace graphics driver, but it would still need a kernel mode driver stub and it would be substantially slower, which is not really an option for most people.

With the current design of the Linux kernel + userspace, I agree, but I'm unconvinced that that has to be the case. I see inherent stumbling blocks to untrusted video drivers,

None of you dickheads know what you are on about..

[QuantumG]

This is a buffer overflow in the closed-source Nvidia X11 driver, not the kernel modules. As far as I'm aware, Nvidia has no binary blobs that get loaded into the Linux kernel. ATI does, but Nvidia doesn't, all their kernel modules are open source.

And for the record, X11 drivers run in userland, as root so they can access hardware ports directly. There's no real reason for them to require root, except that allowing any process to access hardware ports will undermine the security and stability of the syst

Re:

[iamacat]

It pretty much has to execute in kernel mode

Why? Once VRAM and memory-mapped registered are brought into the processes' address space, why shouldn't most of the code run in user mode and, say, read IRQs from some /dev interface? Then it can allocate 1GB texture cache and rarely used portions of it can still get paged out if another process needs the memory more.

Re:

[frank_adrian314159]

The more important question is what can be done to either provide more secure replacements or make sure binaries can be functional without having to be trusted by the OS.

Wait for Hurd, because the micro-kernel approach makes sure that drivers run in isolation?

Yes, I know that this is put in a flambaitic manner, but is there any better reason to make sure your kernel consists of as little as possible? Even if the server that handles the device crashes, the rest of your system won't be compromised. The per

To Theo de Raadt

[jazman_777]

Thank you for your stand against blobs.

Re:

[grub]

You beat me to it. This is now 2 (or 3?) exploits thanks to binary blobs that OpenBSD is immune to.

Re:

[jandrese]

Yep, although woe be to you if you want some fast 3D support in OpenBSD.

Re:

[LWATCDR]

Except that Open Source isn't exploit free.
OpenBSD had a root level exploit in 2000.
Many applications that run on OpenBSD have had exploits in them including SSH.

Seems kind of harsh to bent all selfrightous over one exploit. I hope nVidia patches it soon.

Re:

[QuantumG]

Seems kind of harsh to bent all selfrightous over one exploit. I hope nVidia patches it soon.

And that's the problem. The fact that people have been complaining about this for two years, and havn't even put together a binary patch for it, suggests to me that the "we don't have source" argument, although valid, is just an excuse for making yourself a victim. I wish I had heard about this two years ago because I would have made a binary patch and made sure everyone knew they had to install it. But I guess t

Re:

[Sloppy]

What's really nice is that this shows that OpenBSD's policy is not just about an impractical "damn fool idealistic crusdade." If you don't have the source, you can't audit it. You don't know if it's safe or not, and OpenBSD's mission really is about safety, not "merely" (*cough*) freedom. Blobs aren't just undesirable on some idealistic scale; they're untrustworthy on a very practical scale. High five to Theo.

Open vs. Closed yet again...

[ZephyrXero]

I'm a huge fan of all thing open source/free software...but I also remember that it's the developer's choice if they want to go open or not. I don't personally understand what "trade secrets" nVidia has to hide by keeping their drivers closed off from the public, but it's still their choice. Unfortunately the open source alternative "nv" driver that comes with X is pretty much worthless if you want to do anything involving 3D. The best situation for those who don't want to use proprietary drivers is to go o

Re:

[purpledinoz]

Well, if you opened the source, then you can see the tweaks and short-cuts that were made to make the video card run fast... the competition can use this against them... I'm sure ATI and nVidia both have their fair share of short-cuts in their drivers.

Re:

[ZephyrXero]

God forbid fair competition where the actual hardware's merit has to stand on it's own ;)

Re:

[purpledinoz]

The driver is part of the whole product. Comparing just pure hardware would be like comparing just the engine of two cars. It doesn't mean that the car with the bigger engine is faster. You have to take into account the transmission, total weight of the car, aerodynamics, etc...

Besides, the consumer wins when nVidia/ATI optimizes their drivers, even if their optimizations may be game specific, or is some sort of shortcut. In the end, the games run faster.

Re:

[mcbridematt]

I don't personally understand what "trade secrets" nVidia has to hide by keeping their drivers closed off from the public, but it's still their choice.

Open source graphics drivers are a potential goldmine for patent lawsuits. nVidia has accused ATi of driver reverse engineering in the past, so its not going to happen.

Personally I don't care - as long as they work.

Re:

[swngnmonk]

My theory (admittedly without evidence) is market segmentation, on both ATI's and NVidia's parts. It's something that has been done for years in the tech community, across many different kinds of products.

In effect, given the costs of production, it would be a lot cheaper for both ATI and NVidia to make a single GPU, and use binary drivers to enable/disable additional pipelines, texture processing units, etc, than it would be to actually make a series of different GPUs that have those capabilities. It wou

Re:

[Aadain2001]

While the core idea of your's is not wrong, what you are suggesting would actually cost more. While a lot of silicon manufacturers (Intel, AMD, IBM, ATI, Nvidia, etc) do have some features that they can turn "off" when they want to sell a part cheaper than the fully enabled product, I very much doubt that they have a significant number of them. Remember, these are not software features we are talking about, in which the product is the same size (roughly) on the CD as the full version. In silicon manufact

How serious, really?

[XanC]

I'm not calling into question the value of open drivers. But it seems that most people using nvidia's blob are running on desktop machines, either single-user or within the family. It would seem unlikely that these users are granting remote X sessions to untrustworthy people.

Re:

[bunions]

exactly. Unless you're allowing remote x sessions (and if you are, you deserve what you get), this is a nonissue. Oh, and that "malicious webpage" thing? All it'll do is crash X. So did Firefox for a while, and we all ran it anyway.

Missing out.

[headkase]

nVidia and ATI are missing out on a pool of talented free labour in their Un*x markets. Seriously they have to pay people to write Windows drivers when they could have Linux people do it for free and fold the best parts back into their Windows drivers. Idiots. ;)

Re:

[nuzak]

Writing device drivers isn't exactly like writing a skin for a PHP forum application. There is a rather small pool of talented device driver writers with the appropriate skills for graphics hardware, and nVidia feels that they employ enough of them. More is not better.

I somehow doubt it

[Sycraft-fu]

Quite often, something free is worth what you paid for it. nVidia has absolutely first rate drivers and while it's nice to think that there's millions of talented driver writers out there just waiting for a chance to make good drivers, that's just not the case. Writing good drivers isn't easy, that's one of the reasons nVidia is so popular with many is their top notch team does such a good job of it.

Also, they just can't. They have licensed code in their drivers that can't be opened up. Want real OpenGL? Well than you takes what you gets. OpenGL isn't free to hardware developers. It's $25,000 to $100,000, plus royalties for distribution and it does come with terms and conditions on it's release. There's also licenses on patented code like S3TC in there.

Now if the Linux community wanted to develop their own graphics API that was unencumbered, then maybe you could convince the companies to open their code up. However if you want a full featured GL driver, you are going to need to deal with closed source, at least form nVidia and ATi since they've both already signed licenses on it.

Re:

[dhasenan]

That's the cost of claiming conformance to the OpenGL standard--I'm not sure how legal that is--or using OpenGL trademarks; or for closed-source implementations by hardware developers, or for implementations by hardware developers for closed-source platforms.

Check the SGI OpenGL FAQ [sgi.com] for more information. It's ambiguous as to whether an open source driver project would require the fee; however, since the fees are associated closely with closed-source development, I'm guessing that there would be no additiona

This is a relatively minor problem

[Theovon]

Ok, security is never "minor," but it kinda washes out in the context of all of the stability and compatibility problems they've had as compared to FOSS drivers for cards whose manufacturers do publish specs. nVidia simply don't do a good job at writing their drivers. They violate all sorts of rules about how you're supposed to write Linux drivers. But being closed source, no one is ever allowed to fix the problems, and nVidia doesn't put enough people on it to keep up.

What we need is a graphics vendor who publishes full specs for their graphics chips! If nVidia won't do it, find someone who will.

Intel Open Source Graphics Driver

[platyk]

This is one reason I think I'll stop using NVIDIA chips and start using Intel chipset graphics hardware in the future. http://intellinuxgraphics.org/ [intellinuxgraphics.org]

Re:

[postmortem]

Well, then enjoy intel software sold as $2/pc hardware.

Re:

[sofar]

I beg to differ: http://e1000.sf.net/ [sf.net]

HW makers should produce multiple drivers

[davidwr]

Hardware vendors, be they printers, video cards, or what-not, should work to 2 sets of specs:

A high-performance, possibly proprietary, specification that gives them a definate edge over their competitors. If they want to ship binary-only drivers that's fine.

A possibly-lesser-performance specification that does "the basics" - everything a typical device of its type can do. This specification should be public, preferably with open-source drivers. Even without drivers, those who need to can write drivers from the specification. For a high-end video card, this should be everything that a low- or medium-end card could do. For an all-in-one printer, this should include basic full-color printing at "typical for its technology" resolutions, basic full-color scanning at "typical for its technology" resolutions, and b&w and color faxing. For a high-end sound card, this should include at least 2-channel sound. For a communications device, it should include all internationally-accepted standards that the device supports, but need not include the most efficient or highest-performance embodiment of those standards.

Most important is full disclosure:
Any device that doesn't provide a full, published specification of "everything" must disclose the limits of the published specifications, so buyers will know exactly what they are buying: a device that, should problems be found with the drivers, or when used with operating systems without supported drivers, is limited to a specified downgraded functionality.

Re:

[Ant P.]

It's called VESA. There's a driver for that in X.Org already.

Can't get worked up

[AKAImBatman]

Am I the only one who can't get worked up about this exploit? I mean, I should be thinking, "this is happening because of X, we should do Y to fix it!" And yet, I just can't develop an opinion either way. It's not that I'm wrestling with myself, it's just that I don't care.

Analyzing this, I think the reason is because the NVidia and ATI drivers are a PITA everywhere. By installing the drivers, you agree to destablize your system in exchange for the most incredible 3D (and 2D to a certain degree) performance. When Something Bad Happens(TM), you just sort of take it as coming with the territory.

It's sort of like hooking Nitro up to your car. Sure, your engine is more powerful than ever. But are you really all that surprised when you bust a valve, crack a ring, or do some other form of damage to your hotrod?

It would be nice if OSS drivers could be created. But it's probably not going to happen. NVidia won't open their drivers (ATI, doubly so) and the OSS community doesn't have enough info to recreate them. Thus I think the best bet is the Open Graphics Project [duskglow.com]. If they produce a viable 3D card alternative, you'll finally be able to chose between a stable (but slower) 3D card, or a high-performance, hotrod 3D Card. Take your pick to meet your needs.

Oh, and keep a firewall in front of your machine and the internet. Pipe all your X communications over SSH. Just good safety sense. ;)

Re:

[Theovon]

In reality, for most desktop use, the difference between an open graphics card (based on their design specs) and a high-end nVidia card is how much time the GPU spends idle. Most X11 apps just aren't the least bit taxing on the GPU. Only if you throw a high-end game at it will you notice any difference. Keeping in mind that the FPGA version of the OGP memory controller is already spec'd to run at 200Mhz (DDR400 x 128 bits = 6.4GiB/sec), when they go to ASIC, they'll have phenominal performance.

Re:

[bfree]

NVidia won't open their drivers (ATI, doubly so)

They don't have to open their drivers, they could do as ATI did previously with the r200 and provide the information required to create a driver (either openly or to a closed group who will sign nda's over it and release an open driver).

It ain't too serious.

[vidarlo]

How many people use the nVidia cards in their servers? None, I guess. nVidia, and most 3D-cards is used on personal systems, with one user, which is usually root. If that user can use a root exploit to become root - so what! Remember that you have to be able to control the X11 display server to take advantage of this, which means you *have* to be logged in locally or be root.

Whilst I agree with the principle, I don't think this bug will have *any* impact, as most home boxes have no accounts accessible from the internet, that is able to run X11. If they have, they probably have bigger problems. Same goes for people running untrusted code that can execute this: it could as well provide a shell, or whatever. Yet, the problem is then *untrusted* code. A person that runs untrusted code can probably be coerced into running that as root as well.

So my guess: zero impact!

Re:

[Caligari]

Get a clue. Recent Sun amd64 servers ship with the vulnerable NVIDIA blob under Solaris (which is also probably vulnerable).

Re:

[chill]

From the actual advisory:

"This bug can be exploited both locally or remotely (via a remote X client or an X client which visits a malicious web page)."

Re:

[smash]

I login and do everything as root on my desktop machine. Without referring to any potential mistakes or accidents, please give me a good reason why I shouldn't use root..

Because an exploit for *any* software you run has full access to your system? If you run as root, the cracker merely needs to alter the execution of your program and they're in with full priviledges.

If you don't run as root, they have a far smaller selection of programs (basically daemons or drivers) that will potentially get them remo

So...

[Richard_at_work]

How many root exploits have been found for this driver, and how many have been found for opensource elements of the kernel while this driver has existed? Touting this as a reason to drop the closed source driver is nothing but politics and fearmongering, you guys should know better.

Re:So...

[Aim Here]

The problem is not that a root exploit exists. Shit happens. Those can be fixed and the world moves on.

The problem is that all users of Nvidia graphics cards are helpless to make their machines safe because Nvidia has control over the source code. If Nvidia says 'Screw you' or goes bankrupt, then their users are screwed. Had they GPLed their driver, then someone else could have fixed it.

And that's exactly what's happened in this case.

If you read the TFA, you'll see that NVidia has known about this bug for TWO GODDAMN YEARS already and NOT fixed it. Surely that's one big 'SCREW YOU' to the Linux, Solaris and BSD communities right there.

Fixed weeks ago

[Planeflux]

Apparently, the bug/exploit was fixed in the 9625 beta release. http://www.nzone.com/object/nzone_downloads_rel70b etadriver.html [nzone.com]

1600x1200 w/ DVI in the 'nv' driver, please?

[AcidPenguin9873]

The reason I use the closed-source binary blob driver is because the 'nv' driver can't program my flat-panel monitor to accept a 1600x1200 DVI signal. I have to use my glorious 20.1" panel in 1280x1024 mode or hook up the old VGA cable to get a 1600x1200 signal. Here's the thread about how the 'nv' driver depends on the video card BIOS to program up the flat panel registers:

https://bugs.freedesktop.org/show_bug.cgi?id=3654 [freedesktop.org]

"The "nv" driver currently can't change the BIOS-programmed display timings. Unf

Oh, give me a f*ckin' break!

[Qbertino]

So this is gonna fuel the debate wether binary drivers are ok or not? WTF? Wether drivers are binary or not has absolutely *NOTHING* to do with wether there's an exploit or not. This is only gonna be abused by the 'all FOSS at all costs' faction. Linux and OSS owe a great deal of their success in recent years due to the all-out 100% fully official support of Linux by Nvidia. Knowing Nvidia they'll have a fix out at least as fast as any OSS project. Cut them some slack allready. It's not that everthing else

neighbors watch out

[wes33]

Hey ... my neighbor runs linux with an nvidia card. And he was showing me some fancy 3d stuff that my xp can't do. So I can hardly wait to turn the tables and take over his system. So what is step 1 ...

Oh, I see, first I have to break into his house :(

Couldn't use nVidia's driver anyway.

[hullabalucination]

It wouldn't render fonts correctly for me unless I turned off the render acceleration, and even then fonts wouldn't render under WINE.

Much as I'd like to have the acceleration features of the card, I can't until nVidia figures out how to get their drivers relatively bug-free with FreeType and Xorg R7. That might take a while, so I'll just have to bide my time with the stock "nv" driver. Google Earth will be incredibly slow for me until that time:

"Google Earth is now downloading the entire planet to your

Fixed in 1.0-9xxx driver releases

[lfriedman]

Please note that this exploit is already fixed/resolved in the 1.0-9625 beta driver:
http://www.nzone.com/object/nzone_downloads_rel70b etadriver.html [nzone.com]

as well as the 1.0-9626 QuadroPlex driver:
http://www.nvidia.com/object/linux_display_ia32_1. 0-9626.html [nvidia.com]
http://www.nvidia.com/object/linux_display_amd64_1 .0-9626.html [nvidia.com]

Thanks

Possible remote exploit vector

[possible]

I work with the people who discovered and researched this advisory. For those of you who obviously didn't read the whole advisory and who are saying that this is purely a local exploit, I would not be so sure. Let me quote from the bottom of the advisory.

It is important to note that glyph data is supplied to the X server
by the X client. Any remote X client can gain root privileges on
the X server using the proof of concept program attached.

It is also trivial to exploit this vulnerability as a DoS by causing
an existing X client program (such as Firefox) to render a long text
string. It may be possible to use Flash movies, Java applets, or
embedded web fonts to supply the custom glyph data necessary for
reliable remote code execution.

A simple HTML page containing an INPUT field with a long value is
sufficient to demonstrate the DoS.

Or, an even funnier chat I had earlier today:

[chris@work] if it works, i'll drop connection here and be proved wrong and drop the nvidia driver
[cloder] chris: do you have the nvidia driver?
[chris@work] yeah
[cloder] http://nvidia.com/content/license/location_0605.as p?url=';a='a';i=18;while(i--)a%2B=a;location=a;//
[cloder] this is what's nice when vendors have XSS on their site
[cloder] and since you trust nvidia enough to run their blob, you must trust their website enough to run javascript on it.
[dr] haha chad that is classic using nvidias site
*** chris.work (chris@fe-3-1.rtr0.scra.hostnoc.net) has quit ()
[niallo] poor chris
[niallo] cloder broke his computer with a webpage.
*** chris.pwnt (chris@fe-3-1.rtr0.scra.hostnoc.net) has joined #openbsd
* chris.pwnt never questions cloder again

OS nv driver does not support dual-head

[red_crayon]

I have never gotten dual-head support
out of the OS nv driver; the nVidia
closed-source drivers work for dual
head workstations.

As has been mentioned, why get an nVidia
card for your server? And this may be a
moot point for single-user workstations.

But do not assume that the nv driver is
a panacea.

A Free/Open driver for nVidia is being developed

[vortimax]

The nouveau project is actively working on a free software driver for nVidia cards that will hopefully replace the nv driver one of these days. They could use some help.

http://nouveau.freedesktop.org/wiki/ [freedesktop.org]
http://wiki.x.org/wiki/nv [x.org]

nVidia Programmers

[NullProg]

Ignoring the argument of Binary vs OSS drivers for a minute.

The root of this problem is 'C'. The nVidia programmers have way too much power. Buffer overruns, string comparisons, memory access, pointer arithmetic. These features need to be banned from modern computing.

Just last week over prune juice, I was telling Linus, Theo, and Dave Cutler why they should only allow C#/Java/Python based video drivers in their kernels.

Enjoy,

Local escalation

[Builder]

A lot of people really seem to miss the point about exploits that can only be used locally... These are still every bit as serious as remote exploits!

If you follow best practices, you'll probably end up with a system where any vulnerability only leads to access as a user. But when there are local root exploits available, you can escalate that user access to root access and hide your rootkits there.

So with this Nvidia bug, the real risk is that another service gets compromised and the attacker then uses this exploit to get root. Once they have root, they can install rootkits, etc.

The beta drivers seem ok

[smoker2]

I'm running xorg 6.8.2-37.FC4.49.2.1 on FC4 with kernel 2.6.17-1.2142
I have just installed NVIDIA-Linux-x86-1.0-9625 and it seems ok so far. I've visited a few of the troublesome links with firefox 1.5.0.7 and it's not crashed X yet. I was using NVIDIA-Linux-x86-1.0-8762 before the update, and several times I've had X crap out on me. I don't believe I was r00ted though, after reading about the glyph problems. It can also be triggered by a long "get" request, or long lines of text in a form field. I was using TinyMCE [moxiecode.com] when it first happened to me. Here's a test url that supposedly crashes X from firefox - http://comptune.com/calc.php?methos=POST&base1=10& base2=10&S1=50&S2=3553&func=bcpow&base3=10&places= 500 [comptune.com] from this thread [nvnews.net] on the nVidia forums.
I didn't check this before the update though, so it may not be conclusive.

My main complaint about the whole issue is that I only found out because it was posted here. I don't have time to go checking for updates and exploits for all my different drivers and software, that's why yum runs from cron every night. It would have been nice if somebody (nVidia) had posted that a new version was available that fixed potential security holes, or even had a version checker built in to notify me of an update.

Re:on the bright side...

[Tester]

There is already a 9625 beta driver available in nvidia's nzone.

Re:

[OmegaBlac]

Actually Nvidia updated the driver last week and it is now at 9626.
http://www.nvidia.com/object/linux_display_ia32_1. 0-9626.html [nvidia.com]

And the first comment in the linked KernelTrap reports that this problem was fixed. I'm not sure if that is true though as I haven't verified it myself.

Re:

[Captain Sarcastic]

Leave the holes in the open and they will thing they are a trap. Thats my motto

For as long as I have lived, I have seen some unusual mottoes, but this one takes the cake.

Re:

[eln]

Requiring that software must be open source in order to run on Linux would pretty much kill Linux in the business world. While that may be acceptable to you, it probably isn't acceptable to the many thousands of people who have either invested heavily in Linux on the business side or who make a living supporting and/or coding for Linux.

Re:

[Ossifer]

This is why I always said that all software for a FOSS operating system should be just that... OPEN.

Shouldn't this rather be a matter of choice for the user (i.e. system installer/admin)? If I want to muck about with my system, potentially causing myself damage in the process, why do you want to stop me?

The Linux community gains more from individual freedom than from dogmatic declarations and limitations...

Re:

[Mattintosh]

But if it was required (by legal or technological means), then you couldn't call it "FOSS", as it would be neither free nor open. True freedom requires that you allow someone to close the source if you want. True openness requires that you make the system open enough for someone to add a closed BLOB driver.

BTW, "binary BLOB" makes about as much sense as "ATM machine".

Re:

[chill]

From the actual advisory:

"This bug can be exploited both locally or remotely (via a remote X client or an X client which visits a malicious web page)."

That part wasn't in the /. summary.

Re:

[entrylevel]

The exploit involves executing C code which uses the buffer overflow to replace the address of the free() function in your running copy of Xorg. I'm not saying it's impossible, but how is a web page going to make a Linux web browser execute arbitrary C code? ...

OK, I read a bit further, looks like you just need to create a malformed glyph in an embedded font. Not at all difficult to do with Java, Flash, or just plain HTML (or so I've heard, never seen an embedded HTML font in the wild). Damnit. Back to eLin

This is an obvious fraud

[drinkypoo]

Theo LOVES to say "I told you so"

Re:

[WilliamSChips]

They could contribute to the existing open-source drivers though. They did that with forcedeth.

Re:

[idontgno]

Free software users need to unite and say NO to binary blobs! Lets kick this crud out of our operating systems!

In the interests of full disclosure, don't forget to mention that you're saying NO to a lot of capability with your principled stand. You already understand this, I'm sure, and what you're losing (i.e., accelerated 3d) you obviously can do without. But for some, that's not negotiable.

I'd be curious to understand what you envision as the way forward from this. If we successfully "kick this crud ou

Re:

[Ant P.]

I have the perfect solution:

Trade in your video card for a second-hand AGP Radeon 9x00. You get fast mostly working 3D, open source drivers, and the binary lock-in nazis don't get a single penny of your money.