[SecurityRoadmap] parts of desktop visible when screen is locked (nvidia, intel)

Bug #394691 reported by LimCore
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
gnome-screensaver (Ubuntu) | Invalid | Medium | Unassigned |

Bug Description

When the screen saver is running, an attacker with physical access to the LOCKED computer can see what was on the screen that we locked (e.g. an important document, an email with passwords, etc.).

1. run screensaver
2. move the mouse

This bug brings back so many memories!
I remember reporting it around 2008, and also in 2007 (in debian probably).

* Drivers: seen it on Intel GFX (i945 and GM960), and on nvidia

* X software: back in 2007 I definitely didn't use any compiz/beryl/etc. (it was on Debian then). Now on Ubuntu I have seen it with the default settings, on the nvidia binary driver.

Triggering: this occurred very often if I had 2 monitors (laptop + external VGA) at a different resolution.
Now, on PC, I have seen it 1 time so far during 3 days, will test more.

Ubuntu 9.04 amd64, nvidia driver, gnome default.

Probably running fullscreen programs or otherwise switching the resolution is a factor in reproducing this problem.

LimCore (limcore) wrote :
LimCore (limcore)
visibility: private → public
LimCore (limcore)
description: updated
tags: added: screensaver security
removed: dnf fail snail
summary: - [9.04 amd64 + nvidia = FAIL] security hole in screensaver
+ Security hole in screensaver! Exposes screen/desktop image even if
+ screen is LOCKED. nvidia, intel gfx; Old bug.
Changed in ubuntu:
importance: Undecided → Medium
status: New → Confirmed
Isaac Dupree (idupree) wrote : Re: Security hole in screensaver! Exposes screen/desktop image even if screen is LOCKED. nvidia, intel gfx; Old bug.

Is this a dup of / related to bug #220226?

LimCore (limcore) wrote :

That bug #220226 seems to be a combination of
1. this bug (not clearing the entire screen)
2. and the nvidia (mostly) showing-uninitialized-memory bug (which I also reported)

LimCore (limcore) wrote :

This still happens.

One way to trigger it is to first play some fullscreen game that switches resolution.

Also, I use VT7, -8, -9 (several X sessions).

In such a use case, the bug appears around 1 in 10 times.

LimCore (limcore) wrote :

Guys, an easy (trivial!) solution would be to just make the screensaver always clear some huge area, not just the area which it /thinks/ is visible.

I guess something like...
- rectfill(screen, 0, 0, screen_w, screen_h, 0);
+ rectfill(screen, 0, 0, 99999, 99999, 0);
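Review bot: On the added line, the literal 99999 replaces screen_w and screen_h with no named constant or comment, and nothing visible here says whether rectfill clips coordinates that fall outside the drawable. Give the bound a name, state the clipping assumption next to the call, and keep the measured size in the expression (the follow-up comments settle on max(screen_w, 99999)) so that a screen larger than the constant is still cleared.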

or better: min(screen_w,99999) so we are year 2020 compatible here ;)

LimCore (limcore) wrote :

max(...)

LimCore (limcore) wrote :

This happens still.

An exploit in the damn screensaver has been known for at least 3 months (I have also seen, and probably reported, as did others, such problems a year+ ago).

Is there some contest for longest-unpatched-exploit?

While it is fun to be able to access co-workers' / students' / family members' / etc. LOCKED desktops to see what was on the screen, I guess this should be fixed. Or not?

Marc Deslauriers (mdeslaur) wrote :

It would help if we could reproduce the issue.

Could you please give detailed steps, including which game and graphics modes that are needed to reproduce this?

Changed in ubuntu:
status: Confirmed → Incomplete
LimCore (limcore) wrote :

It happens on nvidias (tested, afair, something like 5200fx, 7200? and gts 220?); it also happens on intels (various i945-like).

To trigger it:
1. Wait until screen saver starts (the default black one)
2. Move mouse, you will see that the black rectangle covers only PART of the screen (from 0,0 top-left, to some other point)

This happens sometimes; it seems that it helps if:
1. you are using a few VTs, like VT-7, VT-9 - log in as a second desktop user at the same time (switch user)
2. you are changing video resolutions (start some fullscreen program, best a 3D game, and switch resolutions a bit)
3. it also helps a lot if you use 2 outputs like LVDS + VGA on linux (then, on intel, it happens very often).

If it doesn't happen then try again later.
It happens around once per few days of use (switching desktops/resolutions a few times a day)
It happens more often, afair, on the dual-headed laptops (2 displays, different resolutions)

Either way, there should be some naive code like I wrote previously, with rectangle drawing or something, right?
So just change it to always draw a HUGE rectangle, because the problem apparently is that the screen saver has the wrong (old, smaller) dimensions of the screen remembered!

Just make it draw huge rect and done.

Or better, why is such a naive implementation used? There should be something dedicated in the X server, like stopping rendering of all other windows or something (for example, the clock keeps running / refreshing if it "sticks out" from the too-small black rectangle of the screensaver. Why does it refresh at all?!)
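
The stale-dimensions explanation given in the comment above can be checked with plain rectangle geometry: compare the lock window against every output's current geometry and count what is left uncovered. The following C program is an added example, not code from gnome-screensaver or from this thread; the output layout (laptop panel plus external VGA) and the cached window size are constructed values.

```c
#include <stdio.h>

/* Rectangle in X screen coordinates: origin top-left, size in pixels. */
struct rect { int x, y, w, h; };
static int imin(int a, int b) { return a < b ? a : b; }
static int imax(int a, int b) { return a > b ? a : b; }

/* Pixels of `out` that `cover` does not hide (0 means fully covered). */
long exposed_pixels(struct rect out, struct rect cover)
{
    int iw = imin(out.x + out.w, cover.x + cover.w) - imax(out.x, cover.x);
    int ih = imin(out.y + out.h, cover.y + cover.h) - imax(out.y, cover.y);
    long hidden = (iw > 0 && ih > 0) ? (long)iw * ih : 0;
    return (long)out.w * out.h - hidden;
}

/* Smallest rectangle containing every output: the size a lock window needs. */
struct rect bounding_box(const struct rect *outs, int n)
{
    int x0 = outs[0].x, y0 = outs[0].y;
    int x1 = outs[0].x + outs[0].w, y1 = outs[0].y + outs[0].h;
    for (int i = 1; i < n; i++) {
        x0 = imin(x0, outs[i].x);  y0 = imin(y0, outs[i].y);
        x1 = imax(x1, outs[i].x + outs[i].w);
        y1 = imax(y1, outs[i].y + outs[i].h);
    }
    return (struct rect){ x0, y0, x1 - x0, y1 - y0 };
}

/* Total exposed pixels across all outputs for a given cover window. */
long total_exposed(const struct rect *outs, int n, struct rect cover)
{
    long sum = 0;
    for (int i = 0; i < n; i++)
        sum += exposed_pixels(outs[i], cover);
    return sum;
}

/* Constructed layout: laptop panel with an external VGA to its right. */
static const struct rect OUTPUTS[2] = { {0, 0, 1280, 800}, {1280, 0, 1600, 1200} };
/* Constructed stale geometry: size cached before the VGA was attached. */
static const struct rect STALE = { 0, 0, 1280, 800 };

int main(void)
{
    printf("stale: %ld px exposed, re-queried: %ld px exposed\n",
           total_exposed(OUTPUTS, 2, STALE),
           total_exposed(OUTPUTS, 2, bounding_box(OUTPUTS, 2)));
    return 0;
}
```

A non-zero result for the cached geometry and zero for the re-queried bounding box is the signature of the behaviour described in this report: the cover is sized from dimensions that no longer match the screen.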

LimCore (limcore) wrote :

Confirmed on 2 laptops and 3 PCs. All laptops were using LVDS+VGA and switching resolutions;
or PCs were using 2 desktop users (VT7, VT9), starting full-screen programs, switching between the desktops and resolutions.

Changed in ubuntu:
status: Incomplete → Confirmed
LimCore (limcore) wrote :

So... can we just put there code to always at each occasion clear entire background with a big rectangle?

Or is there some reason to keep this security bug around?

Local access = silent access to see part of content of screen before lock.

LimCore (limcore) wrote :

Ok, I will try to resolve this problem (but feel free to apply a fix if you have it ready)

Changed in ubuntu:
assignee: nobody → LimCore (limcore)
Sense Egbert Hofstede (sense) wrote :

Thank you for helping with making Ubuntu better by reporting this bug. The reason this bug didn't get a lot of attention is probably because it was reported without a package. It is most likely an issue in GNOME Screensaver, so I'm assigning it to that package to make sure the right people can find the bug.

I can't confirm this myself, my graphics card is an nVidia as well.
Is there anything specific to your installation that could cause this? I would also like to know if you could provide any other information regarding the cause of the bug and the method for reproducing this bug on other systems.

It doesn't seem likely to me, but could it in any way be related to the following bug reported against GNOME: <https://bugzilla.gnome.org/show_bug.cgi?id=593616>?

I'm unassigning you because it has been more than a month since you've assigned yourself to this bug. Please don't let this prevent you from contributing solutions.

affects: ubuntu → gnome-screensaver (Ubuntu)
Changed in gnome-screensaver (Ubuntu):
assignee: LimCore (limcore) → nobody
status: Confirmed → Incomplete
summary: - Security hole in screensaver! Exposes screen/desktop image even if
- screen is LOCKED. nvidia, intel gfx; Old bug.
+ parts of desktop visible when screen is locked (nvidia, intel)
Pedro Villavicencio (pedro) wrote : parts of desktop visible when screen is locked (nvidia, intel)

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to New. Thanks again!

Changed in gnome-screensaver (Ubuntu):
status: Incomplete → Invalid
summary: - parts of desktop visible when screen is locked (nvidia, intel)
+ [SecurityRoadmap] parts of desktop visible when screen is locked
+ (nvidia, intel)
This report contains Public Security information  
Everyone can see this security related information.
