Security issue in NVIDIA UNIX device files to map and program registers to redirect the VGA window

Bug #1033452 reported by Alberto Milone
This bug affects 9 people
Affects                                    Status        Importance  Assigned to       Milestone
nvidia-graphics-drivers (Ubuntu)           Fix Released  Critical    Alberto Milone
  Lucid                                    Fix Released  Undecided   Marc Deslauriers
  Natty                                    Fix Released  Undecided   Marc Deslauriers
  Oneiric                                  Fix Released  Undecided   Marc Deslauriers
  Precise                                  Fix Released  Critical    Marc Deslauriers
  Quantal                                  Fix Released  Critical    Alberto Milone
nvidia-graphics-drivers-updates (Ubuntu)   Fix Released  Critical    Alberto Milone
  Lucid                                    Fix Released  Undecided   Marc Deslauriers
  Natty                                    Fix Released  Undecided   Marc Deslauriers
  Oneiric                                  Fix Released  Undecided   Marc Deslauriers
  Precise                                  Fix Released  Critical    Marc Deslauriers
  Quantal                                  Fix Released  Critical    Alberto Milone

Bug Description

NVIDIA received notification of a security exploit that uses NVIDIA UNIX device files to map and program registers to redirect the VGA window. Through the VGA window, the exploit can access any region of physical system memory. This arbitrary memory access can be further exploited, for example, to escalate user privileges.

Here is the email by Dave Airlie on the issue:
http://permalink.gmane.org/gmane.comp.security.full-disclosure/86747

Nvidia's announcement:
http://nvidia.custhelp.com/app/answers/detail/a_id/3140

Changed in nvidia-graphics-drivers (Ubuntu Precise):
status: New → In Progress
Changed in nvidia-graphics-drivers-updates (Ubuntu):
status: New → In Progress
Changed in nvidia-graphics-drivers-updates (Ubuntu Precise):
status: New → In Progress
Changed in nvidia-graphics-drivers (Ubuntu Precise):
importance: Undecided → Critical
Changed in nvidia-graphics-drivers-updates (Ubuntu):
importance: Undecided → Critical
Changed in nvidia-graphics-drivers-updates (Ubuntu Precise):
importance: Undecided → Critical
Changed in nvidia-graphics-drivers (Ubuntu Precise):
assignee: nobody → Alberto Milone (albertomilone)
Changed in nvidia-graphics-drivers-updates (Ubuntu):
assignee: nobody → Alberto Milone (albertomilone)
Changed in nvidia-graphics-drivers-updates (Ubuntu Precise):
assignee: nobody → Alberto Milone (albertomilone)
Changed in nvidia-graphics-drivers (Ubuntu Lucid):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nvidia-graphics-drivers (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in nvidia-graphics-drivers (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in nvidia-graphics-drivers (Ubuntu Precise):
assignee: Alberto Milone (albertomilone) → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-updates - 304.32-0ubuntu1

---------------
nvidia-graphics-drivers-updates (304.32-0ubuntu1) quantal; urgency=low

  * debian/control.in, debian/rules:
    - Switch from cdbs to debhelper.
  * New upstream release:
    - Fixed security issue that allowed an exploit to
      use NVIDIA UNIX device files to map and program
      registers to redirect the VGA window. Through the
      VGA window, the exploit could access any region of
      physical system memory. This arbitrary memory
      access could then be further exploited, for
      example, to escalate user privileges (LP: #1033452).
    - Added support for xserver ABI 13 (xorg-server 1.13).
    - Fixed a bug that caused RRSetOutputPrimary requests
      to incorrectly generate BadValue errors when
      setting the primary output to None. This caused
      gnome-settings-daemon to crash after changing the
      screen configuration in response to a display
      hotplug or the display change hot-key being pressed.
    - Fixed a problem where RENDER Glyphs operations
      would exhibit severe performance issues in certain
      cases, such as when used with gradients by Cairo
      and Chromium.
    - Fixed a bug that caused X to hang when resuming
      certain DisplayPort display devices (such as Apple
      brand mini-DisplayPort to dual-link DVI adapters)
      from power-saving mode.
    - Added support for the following GPU: Tesla K10
    - Fixed a bug that caused an X screen to be extended
      to Quadro SDI Output devices by default. An X
      screen will still use an SDI Output device if it
      is the only display device available. To use a SDI
      Output device on an X screen with other display
      devices available, include the SDI Output device
      with either the "UseDisplayDevice" or "MetaMode"
      X configuration options.
    - Updated X11 modeline validation such that modes
      not defined in a display device's EDID are
      discarded if the EDID 1.3 "GTF Supported" flag is
      unset or if the EDID 1.4 "Continuous Frequency"
      flag is unset. The new "AllowNonEdidModes" token
      for the ModeValidation X configuration option can
      be used to disable this new check.
    - Fixed a bug, introduced in the 295.xx release
      series, with EDID detection on some laptop
      internal panels. This bug caused the laptop
      internal panel to show six small copies of the
      desktop.
    - Added support for FXAA, Fast Approximate
      Anti-Aliasing.
 -- Alberto Milone <email address hidden> Mon, 06 Aug 2012 12:04:20 +0200

Changed in nvidia-graphics-drivers-updates (Ubuntu Quantal):
status: In Progress → Fix Released
Changed in nvidia-graphics-drivers-updates (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in nvidia-graphics-drivers-updates (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in nvidia-graphics-drivers-updates (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in nvidia-graphics-drivers-updates (Ubuntu Precise):
assignee: Alberto Milone (albertomilone) → Marc Deslauriers (mdeslaur)
security vulnerability: no → yes
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers - 302.32-0ubuntu1

---------------
nvidia-graphics-drivers (302.32-0ubuntu1) quantal; urgency=low

  * debian/control.in, debian/rules:
    - Switch from cdbs to debhelper.
  * New upstream release:
    - Fixed security issue that allowed an exploit to
      use NVIDIA UNIX device files to map and program
      registers to redirect the VGA window. Through the
      VGA window, the exploit could access any region of
      physical system memory. This arbitrary memory
      access could then be further exploited, for
      example, to escalate user privileges (LP: #1033452).
    - Added support for xserver ABI 13 (xorg-server 1.13).
    - Fixed a bug that caused RRSetOutputPrimary requests
      to incorrectly generate BadValue errors when
      setting the primary output to None. This caused
      gnome-settings-daemon to crash after changing the
      screen configuration in response to a display
      hotplug or the display change hot-key being pressed.
    - Fixed a problem where RENDER Glyphs operations
      would exhibit severe performance issues in certain
      cases, such as when used with gradients by Cairo
      and Chromium.
    - Fixed a bug that caused X to hang when resuming
      certain DisplayPort display devices (such as Apple
      brand mini-DisplayPort to dual-link DVI adapters)
      from power-saving mode.
    - Added support for the following GPU: Tesla K10
    - Fixed a bug that caused an X screen to be extended
      to Quadro SDI Output devices by default. An X
      screen will still use an SDI Output device if it
      is the only display device available. To use a SDI
      Output device on an X screen with other display
      devices available, include the SDI Output device
      with either the "UseDisplayDevice" or "MetaMode"
      X configuration options.
    - Updated X11 modeline validation such that modes
      not defined in a display device's EDID are
      discarded if the EDID 1.3 "GTF Supported" flag is
      unset or if the EDID 1.4 "Continuous Frequency"
      flag is unset. The new "AllowNonEdidModes" token
      for the ModeValidation X configuration option can
      be used to disable this new check.
    - Fixed a bug, introduced in the 295.xx release
      series, with EDID detection on some laptop
      internal panels. This bug caused the laptop
      internal panel to show six small copies of the
      desktop.
    - Added support for FXAA, Fast Approximate
      Anti-Aliasing.
 -- Alberto Milone <email address hidden> Mon, 06 Aug 2012 12:56:47 +0200

Changed in nvidia-graphics-drivers (Ubuntu Quantal):
status: In Progress → Fix Released
Changed in nvidia-graphics-drivers (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in nvidia-graphics-drivers (Ubuntu Natty):
status: In Progress → Fix Released
Changed in nvidia-graphics-drivers (Ubuntu Oneiric):
status: In Progress → Fix Released
Changed in nvidia-graphics-drivers (Ubuntu Precise):
status: In Progress → Fix Released
Changed in nvidia-graphics-drivers-updates (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in nvidia-graphics-drivers-updates (Ubuntu Natty):
status: In Progress → Fix Released
Changed in nvidia-graphics-drivers-updates (Ubuntu Oneiric):
status: In Progress → Fix Released
Changed in nvidia-graphics-drivers-updates (Ubuntu Precise):
status: In Progress → Fix Released
Marc Deslauriers (mdeslaur) wrote :
This report contains Public Security information  
Everyone can see this security related information.
