Bug 7086

Summary: Update request: nvidia-current-295.71-1.mga2, CVE-2012-4225
Product: Mageia Reporter: Thomas Backlund <tmb>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: stormi-mageia, sysadmin-bugs
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: has_procedure mga2-64-OK mga2-32-OK
Source RPM: nvidia-current-295.71-1.mga2 CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 6914    

Description Thomas Backlund 2012-08-16 22:27:58 CEST 
There is now a new nvidia-current to validate
(this affects mga1 too, but I will make a separate request for that due to different packages and changes)


Advisory:
NVIDIA received notification of a security exploit that uses NVIDIA UNIX device files to map and program registers to redirect the VGA window. Through the VGA window, the exploit can access any region of physical system memory. This arbitrary memory access can be further exploited, for example, to escalate user privileges. (CVE-2012-4225)

Because any user with read and write access to the NVIDIA device files (which is needed to execute applications that use the GPU) could potentially exploit this vulnerability to gain access to arbitrary system memory, this vulnerability is classified as high risk by NVIDIA.

NVIDIA is resolving this problem by blocking user-space access to registers that control redirection of the VGA window. Further, NVIDIA is also blocking user-space access to registers that control GPU-internal microcontrollers, which could be used to achieve a similar exploit.

This updates nvidia-current to 295.71 wich is not vulnerable.

The updated packages also moves libnvidia-ml.so.1 from nvidia-current-cuda-opencl to x11-driver-video-nvidia-current as it is needed by 
/usr/bin/nvidia-smi

An updated ldetect-lst is also provided for the added nvidia hw pci ids support



RPMS:
core:
ldetect-lst-0.1.303.1-1.mga2
ldetect-lst-devel-0.1.303.1-1.mga2
nonfree:
dkms-nvidia-current-295.71-1.mga2.nonfree
nvidia-current-cuda-opencl-295.71-1.mga2.nonfree
nvidia-current-devel-295.71-1.mga2.nonfree
nvidia-current-doc-html-295.71-1.mga2.nonfree
nvidia-current-kernel-3.3.8-desktop-2.mga2-295.71-1.mga2.nonfree
nvidia-current-kernel-3.3.8-desktop586-2.mga2-295.71-1.mga2.nonfree
nvidia-current-kernel-3.3.8-netbook-2.mga2-295.71-1.mga2.nonfree
nvidia-current-kernel-3.3.8-server-2.mga2-295.71-1.mga2.nonfree
nvidia-current-kernel-desktop586-latest-295.71-1.mga2.nonfree
nvidia-current-kernel-desktop-latest-295.71-1.mga2.nonfree
nvidia-current-kernel-netbook-latest-295.71-1.mga2.nonfree
nvidia-current-kernel-server-latest-295.71-1.mga2.nonfree
x11-driver-video-nvidia-current-295.71-1.mga2.nonfree


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4225
http://nvidia.custhelp.com/app/answers/detail/a_id/3140


from SRPMS:
nonfree/updates_testing nvidia-current-295.71-1.mga2.nonfree
nonfree/updates_testing kmod-nvidia-current-295.71-1.mga2.nonfree
core/updates_testing ldetect-lst-0.1.303.1-1.mga2
Thomas Backlund 2012-08-16 22:29:30 CEST

Status: NEW => ASSIGNED
Blocks: (none) => 6914

Thomas Backlund 2012-08-16 23:34:43 CEST

Blocks: (none) => 7087

Thomas Backlund 2012-08-16 23:35:34 CEST

Blocks: 7087 => (none)

Samuel Verschelde 2012-08-16 23:46:26 CEST

CC: (none) => stormi
Severity: normal => major

Comment 1 claire robinson 2012-08-20 15:49:33 CEST 
Seems to be a PoC here: http://www.securityfocus.com/bid/54772/exploit

Not tested yet.
Comment 2 claire robinson 2012-08-20 16:11:09 CEST 
Testing x86_64

Kernel is from testing

$ rpm -qa "kernel-desktop*"
kernel-desktop-latest-3.3.8-2.mga2
kernel-desktop-3.3.8-2.mga2-1-1.mga2
kernel-desktop-devel-latest-3.3.8-2.mga2
kernel-desktop-devel-3.3.8-2.mga2-1-1.mga2

$ rpm -qa "nvidia*"
nvidia-current-kernel-desktop-latest-295.49-6.mga2.nonfree
nvidia-current-kernel-3.3.8-desktop-2.mga2-295.49-6.mga2.nonfree
nvidia-current-doc-html-295.49-2.mga2.nonfree

Card: Nvidia 8500GT

Confirmed vulnerable with PoC 

$ mkdir test
$ cd test
$ wget http://www.securityfocus.com/data/vulnerabilities/exploits/54772.c
$ gcc 54772.c 
$ ls
54772.c  a.out*

$ ./a.out 
[*] IDT offset at 0xffffffff81b65000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 64-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xffffffff81b65dc0)
[*] Enhancing gate entry...
[*] Triggering payload...
[*] Hiding evidence...
[*] Have root, will travel..
sh-4.2# touch /root/test
sh-4.2# ls -l /root/test
-rw-r--r-- 1 root root 0 Aug 20 14:51 /root/test
sh-4.2# exit
exit

Confirmed the current package for libnvidia-ml.so.1

$ urpmf nvidia-current-cuda-opencl | grep libnvidia-ml.so.1 
nvidia-current-cuda-opencl:/usr/lib/nvidia-current/libnvidia-ml.so.1
nvidia-current-cuda-opencl:/usr/lib64/nvidia-current/libnvidia-ml.so.1

$ urpmf x11-driver-video-nvidia-current | grep libnvidia-ml.so.1
$ 

I'll check again when updated.

Whiteboard: (none) => has_procedure

Comment 3 Samuel Verschelde 2012-08-20 16:15:35 CEST 
Works well on Mageia 2 x86_64 with following hardware:

01:00.0 VGA compatible controller: nVidia Corporation GT218 [GeForce 310] (rev a2) (prog-if 00 [VGA controller])
        Kernel driver in use: nvidia
 
Confirming not vulnerable to POC.
Comment 4 claire robinson 2012-08-20 17:10:25 CEST 
After update. Confirmed CVE closed and lib moved.

$ ./a.out 
[*] IDT offset at 0xffffffff81b65000
[*] Abusing nVidia...
$ 


# urpmf --media "Nonfree Updates Testing" nvidia-current-cuda-opencl | grep libnvidia-ml.so.1
# urpmf --media "Nonfree Updates Testing" x11-driver-video-nvidia-current | grep libnvidia-ml.so.1
x11-driver-video-nvidia-current:/usr/lib/nvidia-current/libnvidia-ml.so.1
x11-driver-video-nvidia-current:/usr/lib64/nvidia-current/libnvidia-ml.so.1

$ nvidia-smi -L
GPU 0: GeForce 8500 GT (UUID: N/A)
$ nvidia-smi
Mon Aug 20 15:51:09 2012       
+------------------------------------------------------+                       
| NVIDIA-SMI 3.295.71   Driver Version: 295.71         |                       
|-------------------------------+----------------------+----------------------+
| Nb.  Name                     | Bus Id        Disp.  | Volatile ECC SB / DB |
| Fan   Temp   Power Usage /Cap | Memory Usage         | GPU Util. Compute M. |
|===============================+======================+======================|
| 0.  GeForce 8500 GT           | 0000:01:00.0  N/A    |       N/A        N/A |
|  30%   70 C  N/A   N/A /  N/A |   7%   74MB / 1023MB |  N/A      Default    |
|-------------------------------+----------------------+----------------------|
| Compute processes:                                               GPU Memory |
|  GPU  PID     Process name                                       Usage      |
|=============================================================================|
|  0.           Not Supported                                                 |
+-----------------------------------------------------------------------------+

$ nvidia-smi --dtd

shows alot of info lines but many are just (#PCDATA), unsure if that is correct or not.

Flash works OK with hardware acceleration enabled. Followed flightgear tutorial as far as starting the engine.

Testing complete x86_64

Whiteboard: has_procedure => has_procedure mga2-64-OK

Comment 5 claire robinson 2012-08-23 12:51:24 CEST 
Testing complete mga2 i586

Validating

Advisory and srpms in comment 0

Could sysadmin please push from core and nonfree updates testing to updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK mga2-32-OK

Comment 6 Thomas Backlund 2012-08-23 15:20:52 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0238

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED