Root Exploit For NVIDIA Closed-Source Linux Driver 548
possible writes, "KernelTrap is reporting that the security research firm Rapid7 has published a working root exploit for a buffer overflow in NVIDIA's binary blob graphics driver for Linux. The NVIDIA drivers for FreeBSD and Solaris are also likely vulnerable. This will no doubt fuel the debate about whether binary blob drivers should be allowed in Linux." Rapid7's suggested action to mitigate this vulnerability: "Disable the binary blob driver and use the open-source 'nv' driver that is included by default with X."
Re:To Theo de Raadt (Score:2, Informative)
You beat me to it. This is now 2 (or 3?) exploits thanks to binary blobs that OpenBSD is immune to.
Re:on the bright side... (Score:5, Informative)
Re:So? Who cares? (Score:3, Informative)
"This bug can be exploited both locally or remotely (via a remote X client or an X client which visits a malicious web page)."
That part wasn't in the
Fixed weeks ago (Score:5, Informative)
Re:useless suggestion (Score:5, Informative)
1600x1200 w/ DVI in the 'nv' driver, please? (Score:2, Informative)
https://bugs.freedesktop.org/show_bug.cgi?id=3654 [freedesktop.org]
"The 'nv' driver currently can't change the BIOS-programmed display timings. Unfortunately, this is not something that we can fix right now."
This just sucks, IMHO.
Re:So... (Score:5, Informative)
The problem is that all users of Nvidia graphics cards are helpless to make their machines safe because Nvidia has control over the source code. If Nvidia says 'Screw you' or goes bankrupt, then their users are screwed. Had they GPLed their driver, then someone else could have fixed it.
And that's exactly what's happened in this case.
If you read the TFA, you'll see that NVidia has known about this bug for TWO GODDAMN YEARS already and NOT fixed it. Surely that's one big 'SCREW YOU' to the Linux, Solaris and BSD communities right there.
Fixed in 1.0-9xxx driver releases (Score:2, Informative)
http://www.nzone.com/object/nzone_downloads_rel70
as well as the 1.0-9626 QuadroPlex driver:
http://www.nvidia.com/object/linux_display_ia32_1
http://www.nvidia.com/object/linux_display_amd64_
Thanks
Re:useless suggestion (Score:3, Informative)
Re:useless suggestion (Score:5, Informative)
It is interesting that when someone holds back the disclosure of a vulnerability in Microsoft software they are praised for practicing "responsible disclosure", but when these Rapid7 people do the same they are accused of foaming at the mouth needlessly since a fixed driver is allegedly already released.
Re:So? Who cares? (Score:3, Informative)
OK, I read a bit further, looks like you just need to create a malformed glyph in an embedded font. Not at all difficult to do with Java, Flash, or just plain HTML (or so I've heard, never seen an embedded HTML font in the wild). Damnit. Back to eLinks for me!
Re:Allowed? (Score:4, Informative)
The argument goes that a driver developed specifically for Linux is a derived work of the Linux kernel, and thus is subject to the conditions of the GPL. IANAL, but it seems to be a fairly sound argument. There is an explicit waiver for the standard user-space interfaces (so applications are not automatically considered derivative works), but no such waiver exists for the Linux-specific kernel interfaces. nVidia gets around this by (a) using an open-source wrapper, so their real driver doesn't use any of the Linux kernel interfaces directly, and (b) using the same driver code on Linux and Windows (so the driver isn't entirely dependent on Linux).
This has nothing to do with whether there is aggregation or dynamic linking, and everything to do with whether the module is dependent on the GPL'd kernel API.
OS nv driver does not support dual-head (Score:3, Informative)
out of the OS nv driver; the nVidia closed-source drivers work for dual head workstations. As has been mentioned, why get an nVidia card for your server? And this may be a moot point for single-user workstations. But do not assume that the nv driver is a panacea.
Re:useless suggestion (Score:3, Informative)
A Free/Open driver for nVidia is being developed (Score:3, Informative)
http://nouveau.freedesktop.org/wiki/ [freedesktop.org]
http://wiki.x.org/wiki/nv [x.org]
I somehow doubt it (Score:5, Informative)
Also, they just can't. They have licensed code in their drivers that can't be opened up. Want real OpenGL? Well then you takes what you gets. OpenGL isn't free to hardware developers. It's $25,000 to $100,000, plus royalties for distribution, and it does come with terms and conditions on its release. There are also licenses on patented code like S3TC in there.
Now if the Linux community wanted to develop their own graphics API that was unencumbered, then maybe you could convince the companies to open their code up. However, if you want a full-featured GL driver, you are going to need to deal with closed source, at least from nVidia and ATi, since they've both already signed licenses on it.
Matrox source driver (mga) for G550 does 3D (Score:3, Informative)
Well since you mention Matrox, get their G550 which has both GL support *and* open drivers.
The Matrox G550 PCIe card works perfectly with the pure open-source mga driver that comes as standard with all recent kernels. I've been using it in my Dell 2800 server, and its record of reliability is 100%.
Matrox even boldly proclaim their Linux source driver support on the box. That's quite unusual!
The card also has the distinction of being the only graphics card in existence that can run in a PCIe slot of 8 lanes or fewer, as it's a 1-lane card (all other PCIe graphics cards use 16 lanes), which means that it will work in traditional "server" chassis that tend to have 1/2/4/8-lane PCIe only.
And it's cheap and fanless too! I'm pretty impressed with it.
Re:useless suggestion (Score:3, Informative)
Re:I somehow doubt it (Score:3, Informative)
Check the SGI OpenGL FAQ [sgi.com] for more information. It's ambiguous as to whether an open source driver project would require the fee; however, since the fees are associated closely with closed-source development, I'm guessing that there would be no additional charge.
One more reason to use OpenGraphics.org card (Score:5, Informative)
Unless there is a wealthy individual / corporation out there who is willing to invest in order to manufacture this card earlier. The FOSS-friendly card will surely have a big appeal in Linux circles.
Re:oh joy, THIS discussion again. (Score:2, Informative)
Re:useless suggestion (Score:2, Informative)
http://www.nvnews.net/vbulletin/showthread.php?t=
http://www.nvidia.com/object/linux_display_ia32_1
Re:useless suggestion (Score:3, Informative)
And dual-head.
The beta drivers seem ok (Score:5, Informative)
I have just installed NVIDIA-Linux-x86-1.0-9625 and it seems ok so far. I've visited a few of the troublesome links with firefox 1.5.0.7 and it's not crashed X yet. I was using NVIDIA-Linux-x86-1.0-8762 before the update, and several times I've had X crap out on me. I don't believe I was r00ted though, after reading about the glyph problems. It can also be triggered by a long "get" request, or long lines of text in a form field. I was using TinyMCE [moxiecode.com] when it first happened to me. Here's a test url that supposedly crashes X from firefox - http://comptune.com/calc.php?methos=POST&base1=10
I didn't check this before the update though, so it may not be conclusive.
My main complaint about the whole issue is that I only found out because it was posted here. I don't have time to go checking for updates and exploits for all my different drivers and software, that's why yum runs from cron every night. It would have been nice if somebody (nVidia) had posted that a new version was available that fixed potential security holes, or even had a version checker built in to notify me of an update.
9xxx drivers (Score:1, Informative)
Well, the "nv" drivers not only aren't beta, they are pre-alpha and prehistoric, as they don't have any kind of hardware acceleration. Still, the beta 9xxx drivers are a better workaround (and they're already in use in all the bleeding-edge systems because of glx_texture_from_pixmap support: compiz/beryl without need of XGL).
Re:It's only sort of a remote exploit (Score:3, Informative)
Then perhaps you can explain why this isn't a working javascript exploit proof of concept:
(Taken from a post further down this very page)
http://nvidia.com/content/license/location_0605.a
I mean... if the overflow is that easy, wouldn't someone adept at hitting the right targets in memory be able to do a lot worse with nothing more than javascript?