heap overflows in nvidia driver
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nvidia-graphics-drivers (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
Hello,
While I haven't had time to prove these out, they seem to be problems.
1) Race, available only to uid 0 (but uid 0 should not mean ring-0 access): /proc/driver/
nv_procfs_
writer 1: bytes_left = (NV_PROC_
writer 1: ...
writer 1: copy_from_
writer 2: bytes_left = (NV_PROC_
writer 1: nvfp->off += count;
writer 2: ...
writer 2: proc_buffer = &((char *)nvfp-
writer 2: copy_from_
writer 2's count was checked against nvfp->off before it was moved, and writer 2's proc_buffer is now offset by nvfp->off, allowing a write past the end of the heap buffer, by at most NV_PROC_
2) Heap overflow in control device ioctl: minimum size of the ioctl buffer is not checked for NV_ESC_CARD_INFO, which will write 50 bytes per device to the allocated kernel buffer (which was sized to the input buffer), before attempting to then write it back to the user buffer. With a minimum 1 byte buffer, this is a 49 byte overflow, since the rm_api->magic check doesn't actually abort the ioctl.
I expect there are additional heap overflows in the rm_ioctl function since it is not passed arg_size as a parameter, but I didn't have time to examine the binary module. Seems like enforcing a minimum allocation size when calling rm_ioctl would be the simplest fix.
3) Kernel heap contents leak race in ioctl handler: the ioctl will copy the contents of kernel heap back to the user buffer even on failure. By racing the ioctl with a change in VMA protections, it should be possible to extract uncleared kernel heap memory:
thread 1: set VMA for arg_ptr to PROT_NONE
thread 1: NV_KMALLOC(
thread 1: copy_from_
thread 2: set VMA for arg_ptr to PROT_WRITE
thread 1: if (arg_copy != NULL) ... copy_to_
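The following is an added illustration of issues 2 and 3 from the description above; it is not NVIDIA's driver code or anything from the Ubuntu package. It is a user-space C model: `model_ioctl`-style helpers, the `CARD_INFO_SIZE` name, the guard-byte bookkeeping and the simulated failed `copy_from_user()` are all assumptions made for the example. What it keeps from the report is the shape of the bug: the kernel copy is sized to the caller's `arg_size`, `rm_ioctl` is never told that size and writes 50 bytes per device anyway, and the handler copies the kernel buffer back out even when the copy-in failed. The overrun is written into a guard region appended to the allocation so the example can measure it instead of corrupting its own heap.

```c
/*
 * Added illustration, not NVIDIA's or Ubuntu's code: a user-space model of
 * the two ioctl-handler defects in the report. Names (overflow_bytes,
 * model_rm_ioctl, CARD_INFO_SIZE) and the record layout are assumptions;
 * the 50-byte-per-device figure and the "buffer sized to arg_size" shape
 * come from the report itself.
 */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define CARD_INFO_SIZE 50   /* bytes rm_ioctl writes per device (per the report) */
#define GUARD_BYTE     0xA5 /* pattern placed after the buffer to detect overruns */
#define STALE_BYTE     0xCC /* stands in for uncleared kernel heap contents */

/* Stand-in for the binary rm_ioctl(): it never learns arg_size, so it
 * writes CARD_INFO_SIZE bytes for every device unconditionally. */
static void model_rm_ioctl(unsigned char *kbuf, int ndev)
{
    for (int i = 0; i < ndev; i++)
        memset(kbuf + (size_t)i * CARD_INFO_SIZE, 0x41 + i, CARD_INFO_SIZE);
}

/*
 * Issue 2: the control-device ioctl allocates a kernel copy sized to the
 * caller's arg_size and hands it to rm_ioctl. Returns the number of bytes
 * written past the end of that buffer, or a negative errno if the request
 * was rejected. enforce_min applies the minimum-size check the report
 * suggests as the fix.
 */
long overflow_bytes(size_t arg_size, int ndev, int enforce_min)
{
    size_t needed = (size_t)ndev * CARD_INFO_SIZE;

    if (arg_size == 0 || ndev <= 0)
        return -EINVAL;
    if (enforce_min && arg_size < needed)   /* the fix: reject before allocating */
        return -EINVAL;

    /* NV_KMALLOC(arg_copy, arg_size) stand-in. The model appends `needed`
     * guard bytes so the overrun lands in observable memory, not the heap. */
    unsigned char *arg_copy = malloc(arg_size + needed);
    unsigned char *user_buf = calloc(arg_size, 1);
    if (!arg_copy || !user_buf) {
        free(arg_copy);
        free(user_buf);
        return -ENOMEM;
    }
    memset(arg_copy + arg_size, GUARD_BYTE, needed);
    memcpy(arg_copy, user_buf, arg_size);   /* copy_from_user() */

    model_rm_ioctl(arg_copy, ndev);          /* may write beyond arg_size */

    long overrun = 0;
    for (size_t i = 0; i < needed; i++)
        if (arg_copy[arg_size + i] != GUARD_BYTE)
            overrun++;

    memcpy(user_buf, arg_copy, arg_size);   /* copy_to_user() */
    free(arg_copy);
    free(user_buf);
    return overrun;
}

/*
 * Issue 3: copy_from_user() fails (in the report, because a second thread
 * flipped the user page to PROT_NONE), yet the handler still copies the
 * never-initialised kernel buffer back to user space. The race itself is
 * not reproduced; the failed copy-in is simulated directly. Returns how
 * many stale bytes reached the user buffer.
 */
size_t stale_bytes_returned(size_t n, int fixed)
{
    unsigned char *user_buf = calloc(n, 1);
    unsigned char *arg_copy = malloc(n);
    int copy_failed = 1;                    /* copy_from_user() lost the race */
    size_t leaked = 0;

    if (user_buf && arg_copy) {
        memset(arg_copy, STALE_BYTE, n);    /* simulated uncleared heap */

        /* Vulnerable shape: "if (arg_copy != NULL) copy_to_user(...)" on
         * every exit path. Fixed shape: copy back only after a successful
         * copy-in. */
        if (!fixed || !copy_failed)
            memcpy(user_buf, arg_copy, n);  /* copy_to_user() */

        for (size_t i = 0; i < n; i++)
            leaked += (user_buf[i] == STALE_BYTE);
    }
    free(user_buf);
    free(arg_copy);
    return leaked;
}
```

With one device and a one-byte request, `overflow_bytes(1, 1, 0)` reports 49 bytes past the end, which is the figure the report gives; `overflow_bytes(1, 1, 1)` rejects the request with `-EINVAL` before any allocation happens, which is the "enforce a minimum allocation size before calling rm_ioctl" fix. `stale_bytes_returned(16, 0)` shows every byte of the untouched kernel buffer reaching the caller when the copy-in fails, and the fixed variant returns none.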
Changed in nvidia-graphics-drivers (Ubuntu):
importance: Undecided → High
status: New → Triaged
visibility: private → public
@Alberto, please escalate with NVIDIA as soon as possible.