There is now a new nvidia-current to validate (this affects mga1 too, but I will make a separate request for that due to different packages and changes) Advisory: NVIDIA received notification of a security exploit that uses NVIDIA UNIX device files to map and program registers to redirect the VGA window. Through the VGA window, the exploit can access any region of physical system memory. This arbitrary memory access can be further exploited, for example, to escalate user privileges. (CVE-2012-4225) Because any user with read and write access to the NVIDIA device files (which is needed to execute applications that use the GPU) could potentially exploit this vulnerability to gain access to arbitrary system memory, this vulnerability is classified as high risk by NVIDIA. NVIDIA is resolving this problem by blocking user-space access to registers that control redirection of the VGA window. Further, NVIDIA is also blocking user-space access to registers that control GPU-internal microcontrollers, which could be used to achieve a similar exploit. This updates nvidia-current to 295.71 wich is not vulnerable. The updated packages also moves libnvidia-ml.so.1 from nvidia-current-cuda-opencl to x11-driver-video-nvidia-current as it is needed by /usr/bin/nvidia-smi An updated ldetect-lst is also provided for the added nvidia hw pci ids support RPMS: core: ldetect-lst-0.1.303.1-1.mga2 ldetect-lst-devel-0.1.303.1-1.mga2 nonfree: dkms-nvidia-current-295.71-1.mga2.nonfree nvidia-current-cuda-opencl-295.71-1.mga2.nonfree nvidia-current-devel-295.71-1.mga2.nonfree nvidia-current-doc-html-295.71-1.mga2.nonfree nvidia-current-kernel-3.3.8-desktop-2.mga2-295.71-1.mga2.nonfree nvidia-current-kernel-3.3.8-desktop586-2.mga2-295.71-1.mga2.nonfree nvidia-current-kernel-3.3.8-netbook-2.mga2-295.71-1.mga2.nonfree nvidia-current-kernel-3.3.8-server-2.mga2-295.71-1.mga2.nonfree nvidia-current-kernel-desktop586-latest-295.71-1.mga2.nonfree nvidia-current-kernel-desktop-latest-295.71-1.mga2.nonfree nvidia-current-kernel-netbook-latest-295.71-1.mga2.nonfree nvidia-current-kernel-server-latest-295.71-1.mga2.nonfree x11-driver-video-nvidia-current-295.71-1.mga2.nonfree References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4225 http://nvidia.custhelp.com/app/answers/detail/a_id/3140 from SRPMS: nonfree/updates_testing nvidia-current-295.71-1.mga2.nonfree nonfree/updates_testing kmod-nvidia-current-295.71-1.mga2.nonfree core/updates_testing ldetect-lst-0.1.303.1-1.mga2
Status: NEW => ASSIGNEDBlocks: (none) => 6914
Blocks: (none) => 7087
Blocks: 7087 => (none)
CC: (none) => stormiSeverity: normal => major
Seems to be a PoC here: http://www.securityfocus.com/bid/54772/exploit Not tested yet.
Testing x86_64 Kernel is from testing $ rpm -qa "kernel-desktop*" kernel-desktop-latest-3.3.8-2.mga2 kernel-desktop-3.3.8-2.mga2-1-1.mga2 kernel-desktop-devel-latest-3.3.8-2.mga2 kernel-desktop-devel-3.3.8-2.mga2-1-1.mga2 $ rpm -qa "nvidia*" nvidia-current-kernel-desktop-latest-295.49-6.mga2.nonfree nvidia-current-kernel-3.3.8-desktop-2.mga2-295.49-6.mga2.nonfree nvidia-current-doc-html-295.49-2.mga2.nonfree Card: Nvidia 8500GT Confirmed vulnerable with PoC $ mkdir test $ cd test $ wget http://www.securityfocus.com/data/vulnerabilities/exploits/54772.c $ gcc 54772.c $ ls 54772.c a.out* $ ./a.out [*] IDT offset at 0xffffffff81b65000 [*] Abusing nVidia... [*] CVE-2012-YYYY [*] 64-bits Kernel found at ofs 0 [*] Using IDT entry: 220 (0xffffffff81b65dc0) [*] Enhancing gate entry... [*] Triggering payload... [*] Hiding evidence... [*] Have root, will travel.. sh-4.2# touch /root/test sh-4.2# ls -l /root/test -rw-r--r-- 1 root root 0 Aug 20 14:51 /root/test sh-4.2# exit exit Confirmed the current package for libnvidia-ml.so.1 $ urpmf nvidia-current-cuda-opencl | grep libnvidia-ml.so.1 nvidia-current-cuda-opencl:/usr/lib/nvidia-current/libnvidia-ml.so.1 nvidia-current-cuda-opencl:/usr/lib64/nvidia-current/libnvidia-ml.so.1 $ urpmf x11-driver-video-nvidia-current | grep libnvidia-ml.so.1 $ I'll check again when updated.
Whiteboard: (none) => has_procedure
Works well on Mageia 2 x86_64 with following hardware: 01:00.0 VGA compatible controller: nVidia Corporation GT218 [GeForce 310] (rev a2) (prog-if 00 [VGA controller]) Kernel driver in use: nvidia Confirming not vulnerable to POC.
After update. Confirmed CVE closed and lib moved. $ ./a.out [*] IDT offset at 0xffffffff81b65000 [*] Abusing nVidia... $ # urpmf --media "Nonfree Updates Testing" nvidia-current-cuda-opencl | grep libnvidia-ml.so.1 # urpmf --media "Nonfree Updates Testing" x11-driver-video-nvidia-current | grep libnvidia-ml.so.1 x11-driver-video-nvidia-current:/usr/lib/nvidia-current/libnvidia-ml.so.1 x11-driver-video-nvidia-current:/usr/lib64/nvidia-current/libnvidia-ml.so.1 $ nvidia-smi -L GPU 0: GeForce 8500 GT (UUID: N/A) $ nvidia-smi Mon Aug 20 15:51:09 2012 +------------------------------------------------------+ | NVIDIA-SMI 3.295.71 Driver Version: 295.71 | |-------------------------------+----------------------+----------------------+ | Nb. Name | Bus Id Disp. | Volatile ECC SB / DB | | Fan Temp Power Usage /Cap | Memory Usage | GPU Util. Compute M. | |===============================+======================+======================| | 0. GeForce 8500 GT | 0000:01:00.0 N/A | N/A N/A | | 30% 70 C N/A N/A / N/A | 7% 74MB / 1023MB | N/A Default | |-------------------------------+----------------------+----------------------| | Compute processes: GPU Memory | | GPU PID Process name Usage | |=============================================================================| | 0. Not Supported | +-----------------------------------------------------------------------------+ $ nvidia-smi --dtd shows alot of info lines but many are just (#PCDATA), unsure if that is correct or not. Flash works OK with hardware acceleration enabled. Followed flightgear tutorial as far as starting the engine. Testing complete x86_64
Whiteboard: has_procedure => has_procedure mga2-64-OK
Testing complete mga2 i586 Validating Advisory and srpms in comment 0 Could sysadmin please push from core and nonfree updates testing to updates.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK mga2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0238
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED