nvidia driver has buffer overflows

Bug #46034 reported by Philipp Kern
Affects                                    Status        Importance  Assigned to
linux-restricted-modules-2.6.15 (Ubuntu)   Fix Released  High        Kees Cook
linux-restricted-modules-2.6.17 (Ubuntu)   Fix Released  High        Kees Cook

Bug Description

Accessing http://ftp-master.debian.org/rene-daily.txt on current Ubuntu Dapper in Firefox leads to an X crash. In Epiphany it led to a system freeze instead (most probably also due to X).

At least one other random person on IRC, also on Dapper and Gnome, was able to reproduce the crash. Please tell me how I could feed you more information and how I could help you trace the X crash. (But then this is most probably a bug in the X server, please reassign it properly after reproducing. It should not crash due to any input from applications.)

CVE References

CVE-2006-5379 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-5379)

sam tygier (samtygier) wrote :

I can't reproduce on up-to-date Dapper.

what firefox extension and plugins do you have?
what graphics card and driver do you have?
are you using xgl?

can you post your /etc/X11/xorg.conf and /var/log/Xorg.0.log

Changed in firefox:
status: Unconfirmed → Needs Info
Philipp Kern (pkern) wrote :

Well, it was not reproducible e.g. with fluxbox, but with Gnome.

Firefox version: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060513 Ubuntu/dapper Firefox/1.5.0.3

Firefox extensions shouldn't be too important as the crash also happens in Epiphany (Gecko-based): EditCSS, English (GB) language pack, Leo Search

Graphics card: 0000:01:00.0 VGA compatible controller: nVidia Corporation NV28 [GeForce4 Ti 4800 SE] (rev a1)

Driver: nvidia non-free drivers 1.0.8756+2.6.15.10-2

No Xgl usage, plain X started by gdm.

Philipp Kern (pkern) wrote : xorg.conf

My xorg.conf; I don't think that it helps, though

Philipp Kern (pkern) wrote : Re: Page crashes X

Xorg.0.log does not contain any data about the crash, sadly enough. The log just stops.

sam tygier (samtygier) wrote :

does it happen when using the 'nv' driver?

Philipp Kern (pkern) wrote :

Heh. Good observation, no it does not. Only with the nvidia driver.

Philipp Kern (pkern) wrote :

X should not crash due to any faulty input.

MirjamWaeckerlin (waeckerlin) wrote :

Using another page (https://launchpad.net/people/waeckerlin/+codesofconduct) on Kubuntu Dapper up-to-date, I can reproduce the error - X crashes completely and instantly:
firefox 2&> log.txt
X Error: BadDevice, invalid or uninitialized input device 169
  Major opcode: 147
  Minor opcode: 3
  Resource id: 0x0
Failed to open device
X Error: BadDevice, invalid or uninitialized input device 169
  Major opcode: 147
  Minor opcode: 3
  Resource id: 0x0
Failed to open device
The application 'Gecko' lost its connection to the display :0.0;
most likely the X server was shut down or you killed/destroyed
the application.

When I use nv instead of nvidia everything works fine, so it must be the same problem, though with another page.

Changed in nvidia-glx:
status: Needs Info → Confirmed
sam tygier (samtygier) wrote :

could you test with the new versions at http://people.ubuntu.com/~adconrad/new_video/

MirjamWaeckerlin (waeckerlin) wrote :

I installed linux-restricted-modules-2.6.15-23-386_2.6.15.11-1_i386.deb and nvidia-glx_1.0.8762+2.6.15.11-1_i386.deb from the page you mentioned: yes, it still crashes.
Contrary to my comment above, the site http://ftp-master.debian.org/rene-daily.txt makes X crash too - I just have to wait 2 seconds.

It only happens with firefox, but not with konqueror btw.

Shawn McMahon (smcmahon) wrote :

Happens to me when I try to sign the newer Code of Conduct!

I run Firefox, and go to Launchpad. I click my name, and then "Codes of Conduct".

If I then click "See or sign new code of conduct releases", blammo; X is gone, the NVIDIA logo comes up, and GDM reloads the login screen.

Shawn McMahon (smcmahon) wrote :

Possibly useful information discovered. After crashing mine tonight in the same way as in my last comment, I used ctrl-alt-f1 to log in textually and see what processes were lying around. Then I attempted to go back to X via ctrl-alt-f7, and discovered that X had restarted on VT 8 instead of 7, and 7 was showing this:

*** glibc detected *** free(): invalid next size (normal): 0x0000000000997c0 ***

Shawn McMahon (smcmahon) wrote :

Typo in that; should be:

*** glibc detected *** free(): invalid next size (normal): 0x00000000009976c0 ***

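The glibc line Shawn found on VT7 is the allocator's own integrity check tripping, not something the X server printed on purpose: ptmalloc stores each chunk's size word immediately before that chunk's user data, so a copy that runs past one allocation overwrites the header of the next one, and a later free() of the first chunk reads that clobbered header and aborts with "free(): invalid next size". The following is an added example written for this page, not code from the bug report, the X server or the NVIDIA driver, showing that mechanism on a constructed over-long line. It assumes glibc's heap layout on Linux (consecutive small allocations are adjacent); the names next_header_clobbered, copy_line_unbounded and copy_line_bounded are made up for the illustration. Nothing is freed, because freeing the overflowed chunk is exactly what would trigger the abort.

```c
/*
 * Added example, not from the bug report or the NVIDIA driver: how an
 * unbounded copy clobbers the next heap chunk's header, which is what glibc
 * reports as "free(): invalid next size (normal)" once that chunk is freed.
 * Assumes glibc ptmalloc layout (size word just before user data).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size word ptmalloc keeps immediately before a chunk's user data. */
static size_t chunk_size_word(const void *user_ptr)
{
    size_t w;
    memcpy(&w, (const char *)user_ptr - sizeof(size_t), sizeof w);
    return w;
}

/* Unbounded copy of a NUL-terminated line: the bug class. A byte loop
 * through a volatile pointer keeps the compiler from rewriting this into a
 * fortified strcpy that would abort before the point being demonstrated. */
static void copy_line_unbounded(char *dst, const char *line)
{
    volatile char *out = dst;
    size_t i;
    for (i = 0; line[i] != '\0'; i++)
        out[i] = line[i];
    out[i] = '\0';
}

/* Bounded copy: at most cap-1 bytes plus the terminator, never past dst. */
static void copy_line_bounded(char *dst, size_t cap, const char *line)
{
    size_t n = 0;
    while (n + 1 < cap && line[n] != '\0')
        n++;
    memcpy(dst, line, n);
    dst[n] = '\0';
}

/*
 * Allocate small chunks until two are adjacent, copy a constructed line that
 * is longer than the first chunk into it, and report whether the second
 * chunk's size word changed.  Returns 1 if clobbered, 0 if intact, -1 if no
 * adjacent pair was found (different allocator; nothing can be concluded).
 */
static int next_header_clobbered(int bounded)
{
    enum { REQ = 24, TRIES = 8 };
    char *chunks[TRIES];
    char *a = NULL, *b = NULL;
    for (int i = 0; i < TRIES; i++) {
        chunks[i] = malloc(REQ);
        if (!chunks[i]) abort();
        if (i > 0 && !a) {
            size_t d = (uintptr_t)chunks[i] - (uintptr_t)chunks[i - 1];
            if (d >= 16 && d <= 64) { a = chunks[i - 1]; b = chunks[i]; }
        }
    }
    if (!a) return -1;

    size_t dist = (uintptr_t)b - (uintptr_t)a;
    size_t before = chunk_size_word(b);

    /* Constructed input: a "line" 8 bytes longer than the gap to b's data. */
    size_t len = dist + 8;
    char *line = malloc(len + 1);
    if (!line) abort();
    memset(line, 'A', len);
    line[len] = '\0';

    if (bounded)
        copy_line_bounded(a, REQ, line);
    else
        copy_line_unbounded(a, line);

    /* Intentionally no free(): freeing a now would abort as on VT7. */
    return chunk_size_word(b) != before;
}

int main(void)
{
    printf("unbounded copy clobbered next chunk header: %d\n",
           next_header_clobbered(0));
    printf("bounded copy clobbered next chunk header:   %d\n",
           next_header_clobbered(1));
    return 0;
}
```

The unbounded call reports 1 and the bounded call 0 on a glibc system; the difference between the two copies is the only thing separating a harmless long line from a heap overflow of the kind this bug turned out to be.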
Marc Wiriadisastra (strikeforce) wrote :

I can confirm with Mirjam on the exact same link. X will reset or reboot the X portion and not the whole computer when accessing the code of conduct.

mb (mike-netagi) wrote :

I can confirm as well. it's not just firefox - I use the web developer toolbar and have it open up source code in Gedit (which I assume then becomes a separate process?). Gedit also crashes the system in the exact same way. I resorted to gedit as View-Source was causing this issue every time.

Only occurs with Nvidia drivers installed.

Nothing new, or helpful I guess, I'm only adding this comment so I can stay informed with changes to this bug report.

Miguel Diago (mdm) wrote :

I can also confirm it. For me, it happens at http://www.croczilla.com/svg/samples/butterfly/text_view?obj=butterfly.svg when scrolling right.

Philipp Kern (pkern) wrote :

It also happens for me from within update-manager when selecting an update to vim-doc (could be in relation to the changes part of the window, but I am not sure). I am running Dapper, but the update for vim-doc comes from Edgy.

kermit (krazkerm) wrote :

i've also had this occur in both the code of conduct page @ launchpad and in update-manager (i believe it was when browsing changelogs from within the gnome applet).

GerhardGaußling (ggrubbish-web) wrote :

What about this one? It crashes the X server, too:
http://madwifi.org/report/1?format=tab&USER=anonymous

Code:
gerhard@ubuntu:~$ cat 1|wc -c
506526
gerhard@ubuntu:~$ cat 1|wc -m
506526
gerhard@ubuntu:~$ cat 1|wc -l
284
gerhard@ubuntu:~$ cat 1|wc -w
69157
gerhard@ubuntu:~$ ls -lh 1
-rw-r--r-- 1 gerhard gerhard 495K Jul 31 22:19 1
~$ file 1
1: UTF-8 Unicode English text, with very long lines, with CRLF line terminators

content (first line, some chars):
__color__ ticket summary component version milestone type owner created _changetime _description _reporter
1 710 Can't find card --- HAL status 13 madwifi: other v0.9.0 defect 1150949741 1150949741 I have a Thinkpad R40 and I still do not get the WiFi worked. Seems to be an IBM dual band 11ab WiFi wireless mini pci adapter: {{{ lingen:/usr/src # lspci -n | grep "Class 0200" 02:02.0 Class 0200: 168c:0012 (rev 01) 02:08.0 Class 0200: 8086:103d (rev 81) (IBM dual band 11ab WiFi wireless mini pci adapter) }}} I use SuSE Linux 10.0 (Kernel 2.6.13-15.8-default) The problem: After installing the madwifi-modules (with some problems due to the kernel configuration of SuSE Sad ), I get the modules compiled and loaded, but then nothing happens: No WiFi-LED [...]

epiphany and mozilla did not crash the xserver. I use nvidia too. I'm on dapper.

Find more information (German) here:
http://www.firefox-browser.de/forum/viewtopic.php?p=285579#285579

GerhardGaußling (ggrubbish-web) wrote :

BTW: konqueror didn't crash either.

GerhardGaußling (ggrubbish-web) wrote :

Are the upstream developers taking notice of this?
Is this bug also reported in ff bugzilla and the nvidia BTS?

GerhardGaußling (ggrubbish-web) wrote :

Nvidia mentioned that this is a known issue and that they will resolve it in the first 1.0-9xxx series driver release:
http://www.nvnews.net/vbulletin/showthread.php?t=74379

Is there any chance, to fix (work around) this issue in firefox? Because it doesn't appear in mozilla and epiphany so far as I see.

GerhardGaußling (ggrubbish-web) wrote :

It's nvidia bug 239065, and it's also reproducible on Fedora Core 5.

http://www.nvnews.net/vbulletin/showthread.php?t=73033&highlight=ubuntu+gedit

It will be resolved in the next nvidia release.

Cameron Braid (cameron-braid) wrote :

I just upgraded to 1.0-8774 using http://www.albertomilone.eu/europeo/nvidia_scripts1.html and this bug seems to have been fixed.

I can view http://ftp-master.debian.org/rene-daily.txt and http://www.croczilla.com/svg/samples/butterfly/text_view?obj=butterfly.svg and scroll to the right, and X doesn't crash.

GerhardGaußling (ggrubbish-web) wrote :

Then, I think, it's time for a new updated nvidia-kernel-source!

gerhard@ubuntu:~$ apt-cache policy nvidia-kernel-source
nvidia-kernel-source:
  Installed: 1.0.8762+2.6.15.11-3
  Candidate: 1.0.8762+2.6.15.11-3
  Version table:
 *** 1.0.8762+2.6.15.11-3 0
        500 http://security.ubuntu.com dapper-security/multiverse Packages
        100 /var/lib/dpkg/status
     1.0.8762+2.6.15.11-1 0
        500 http://archive.ubuntu.com dapper/multiverse Packages
gerhard@ubuntu:~$ dpkg -l *nvidia*|grep `uname -r`
ii nvidia-kernel-2.6.17.8-rt8 1.0.8762-0ubuntu3+1 NVIDIA binary kernel module for Linux 2.6.17

Because 1.0.8762 got still the same problem! And I don't want to delete the restricted kernel modules by a script: http://www.albertomilone.eu/europeo/nvidia_scripts1.html

agklein1 (andyklein) wrote :

I was browsing a page at ubuntuforums.org today, and the whole OS crashed. I was just about to file a bug report, but this looks similar. The attached html file will do the trick. Can anyone re-produce this? Does it look like the same bug?

Shawn McMahon (smcmahon) wrote :

Yep; crash city, Ubuntu 6.06 LTS with all patches current as of five minutes before I tested your page.

Cameron Braid (cameron-braid) wrote :

I upgraded to the newest nvidia drivers (see post above https://launchpad.net/distros/ubuntu/+bug/46034/comments/24)

It would be nice if there was a deb package for the new nvidia driver, so that other people could easily test it to see if it fixes this bug.

I'd suggest that you give this new driver a try. I am very relieved to be able to work on my pc again. It doesn't crash daily like it used to.

GerhardGaußling (ggrubbish-web) wrote :

My Xserver crashed also with from debian.org:
http://madwifi.org/report/1?format=tab&USER=anonymous

But that was the debian package and on a 2.6.17.8-rt8 kernel with Ingo Molnar's RT patch (which is for 2.6.17, not 2.6.17.8; I patched it 'by hand', not very secure though).

I might find some time to test with the standard kernel, I don't know.
A deb for testing would be nice, though. Nevertheless I doubt that it's fixed in 1.0-8774.
The nvidia staff said, that they'll fix it in the first 1.0-9xxx series driver release (see link above, in my earlier post).

GerhardGaußling (ggrubbish-web) wrote :

Err - It should be:
My Xserver crashed also with 1.0-8774 from debian.org:

sorry

ravenwritingdesk (debiant) wrote : complete system freeze

Does not occur from dapper stable cd, but if I update I get system freeze.

Radomir Dopieralski (ubuntu-sheep) wrote : Re: Page crashes X

I reported this (couldn't find this bug before, sorry) as bug #62492 and posted some details I managed to collect there.

How do you mark duplicate bugs in this thing, by the way?

GerhardGaußling (ggrubbish-web) wrote :

I hope that the 1.0-9xxx series nvidia drivers will become stable before the edgy release. I want to see the 1.0-9xxx nvidia drivers in edgy...

Andrew Mitchell (ajmitch) wrote :

According to the info in http://download2.rapid7.com/r7-0025/ this bug is a bit more serious & is exploitable. I don't know of any fixed nvidia binary driver at this time.

VF (vfiend) wrote :

The 9xxx series, currently in beta, are said to be fixed.

Roshan Shariff (roshan.shariff) wrote :

It might be a good idea to upload nvidia-glx 87.76 [1]. The 96.25 drivers are still in beta. The only change between 87.76 and the version now in edgy is the fix for the exploitable buffer overflow.

As this bug was highly publicised, and a fix is available, it could damage PR if edgy were to release with the vulnerability (even though the proprietary drivers are not installed by default).

[1] http://www.nvidia.com/object/linux_display_amd64_1.0-8776.html

Kees Cook (kees) wrote :

Hi! Thanks for the note. Yes, a new linux-restricted-modules will be built shortly with the 8776 version.

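Working out whether a given machine has the fixed build is harder than it looks, because this thread spells the same driver four ways: Ubuntu lrm versions such as 1.0.8762+2.6.15.11-3 and 1.0.8762-0ubuntu3+1, NVIDIA tarball names such as 1.0-8774, and NVIDIA's later NN.NN naming, under which 87.76 is the same build as 8776. The script below is an added example written for this page, not from the bug report or from Ubuntu's packaging; it normalises those spellings to the bare NVIDIA build number and compares it against 8776, the build Kees says the updated linux-restricted-modules will carry. The helper names nvidia_build, nvidia_fixed and installed_nvidia_glx_version are made up for the illustration, the sample versions are constructed from this thread, and the dpkg-query lookup only runs where dpkg is present.

```shell
#!/bin/sh
# Added example, not from the bug report or Ubuntu's packaging: decide whether
# an NVIDIA driver build is at or past 8776, the build this thread identifies
# as carrying the fix.  Handles the version spellings seen in the thread.

FIXED_BUILD=8776

# Print the bare NVIDIA build number for one version string, or nothing if
# the string matches none of the known forms.
nvidia_build() {
    v=$1
    v=${v%%+*}            # drop "+<kernel version>" from Ubuntu lrm versions
    v=${v%%-0ubuntu*}     # drop an Ubuntu revision suffix
    case "$v" in
        1.0.*) v=${v#1.0.} ;;                                  # 1.0.8762 -> 8762
        1.0-*) v=${v#1.0-} ;;                                  # 1.0-8774 -> 8774
        [0-9][0-9].[0-9][0-9]*) v=$(printf '%s' "$v" | sed 's/\.//') ;;  # 87.76 -> 8776
    esac
    v=$(printf '%s' "$v" | sed 's/[^0-9].*$//')               # keep leading digits
    printf '%s\n' "$v"
}

# Exit 0 if VERSION carries the fix, 1 if it is older, 2 if unparseable.
nvidia_fixed() {
    b=$(nvidia_build "$1")
    [ -n "$b" ] || return 2
    [ "$b" -ge "$FIXED_BUILD" ]
}

# Version of the installed nvidia-glx package, only where dpkg exists and the
# package is installed; fails silently otherwise.
installed_nvidia_glx_version() {
    command -v dpkg-query >/dev/null 2>&1 || return 1
    dpkg-query -W -f '${Version}' nvidia-glx 2>/dev/null
}

# Constructed sample versions taken from this thread, not read from a system.
for v in 1.0.8756+2.6.15.10-2 1.0.8762+2.6.15.11-3 1.0.8762-0ubuntu3+1 \
         1.0-8774 1.0.8776+2.6.17.6-1 87.76 96.25 not-a-version; do
    nvidia_fixed "$v"
    case $? in
        0) echo "$v: build $(nvidia_build "$v") >= $FIXED_BUILD, has the fix" ;;
        1) echo "$v: build $(nvidia_build "$v") < $FIXED_BUILD, still vulnerable" ;;
        *) echo "$v: cannot parse" ;;
    esac
done

# Live check, if this happens to run on a Debian-style system with nvidia-glx.
if iv=$(installed_nvidia_glx_version); then
    if nvidia_fixed "$iv"; then
        echo "installed nvidia-glx $iv: has the fix"
    else
        echo "installed nvidia-glx $iv: NOT fixed or unparseable"
    fi
fi
```

Note that 1.0-8774 compares as older than 8776, which matches Gerhard's report above that 8774 still crashed for him, and that the 9xxx series compares as fixed, which matches NVIDIA's own statement; the comparison is only as good as the package version string, so a hand-installed driver from the NVIDIA tarball with an old nvidia-glx package still recorded in dpkg will be misjudged.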
John.Michael.Kane (j.m.k) wrote :

What is the stance on this issue?

Also, what does this do in regard to Dapper users?

Kees Cook (kees) wrote :

After edgy is released, we will issue security updates for edgy and dapper. No updates are needed for hoary and breezy, which are not affected by this problem.

towsonu2003 (towsonu2003) wrote : Re: [Bug 46034] Re: nvidia driver has buffer overflows

Kees Cook wrote:
> After edgy is released, we will issue security updates for edgy and
> dapper. No updates are needed for hoary and breezy, which are not
> affected by this problem.
>
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2006-5379
>
> ** Also affects: linux-restricted-modules-2.6.15 (Ubuntu)
> Importance: Undecided
> Status: Unconfirmed
>
I think it would be nice for PR if this was fixed before the release.

Otherwise, I can hear comparisons of ubuntu & windows about issuing
updates right after a release.

Matt Zimmerman (mdz) wrote :

It is too late to fix this for the release, which is already in progress. An update will be available via the normal security update channels as with any other vulnerability.

Kees Cook (kees)
Changed in linux-restricted-modules-2.6.15:
assignee: nobody → keescook
importance: Undecided → High
status: Unconfirmed → Confirmed
Changed in linux-restricted-modules-2.6.17:
assignee: nobody → keescook
status: Confirmed → Fix Committed
Changed in linux-restricted-modules-2.6.15:
status: Confirmed → Fix Committed
Kees Cook (kees) wrote :

For any brave people interested in beta testing the updated nvidia driver, please see:

https://lists.ubuntu.com/archives/ubuntu-devel/2006-November/022177.html

Barring any problems, the new driver should be released shortly.

Martin Pitt (pitti) wrote :

I tested the exploit with the old and new packages, general reboot/X server start, and a 3D game (neverball) with the new drivers. No regressions.

Platform: amd64/edgy

Alberto Milone (albertomilone) wrote :

Many users of the forums have tested my packages (which include driver 8776) for both Ubuntu Edgy and Dapper and no problems have been reported.

you can have a look at my thread here:
http://ubuntuforums.org/showthread.php?t=255929

x (xk2c-deactivatedaccount) wrote :

I have added:
deb http://people.ubuntu.com/~kees/testing/ ./

to my sources.list to test the packages.
With aptitude dist-upgrade i get:

--------------------------------------------------------------------------------------
The following packages are BROKEN:
  nvidia-glx [1.0.8762+2.6.15.11-5 -> 1.0.8776+2.6.17.6-1]
The following packages will be upgraded:
  linux-restricted-modules-2.6.15-27-k7 [2.6.15.11-5 -> 2.6.15.12-1]
  linux-restricted-modules-common [2.6.15.11-5 -> 2.6.17.6-1]
3 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 12.0MB of archives. After unpacking 81.9kB will be used.
The following packages have unmet dependencies:
  nvidia-glx: Depends: libatk1.0-0 (>= 1.12.1) but 1.11.4-0ubuntu1 is installed.
              Depends: libc6 (>= 2.4-1) but 2.3.6-0ubuntu20 is installed.
              Depends: libglib2.0-0 (>= 2.12.0) but 2.10.3-0ubuntu1 is installed.
              Depends: libgtk2.0-0 (>= 2.10.3) but 2.8.20-0ubuntu1 is installed.
              Depends: libpango1.0-0 (>= 1.14.5) but 1.12.3-0ubuntu3 is installed.
Resolving dependencies...
The following actions will resolve these dependencies:

Upgrade the following packages:
nvidia-glx [1.0.8762+2.6.15.11-5 (dapper-security, dapper-security, now) -> 1.0.8776+2.6.15.12-1 (<NULL>)]

Score is -40

Accept this solution? [Y/n/q/?]
--------------------------------------------------------------------------------------

Here I have Dapper with linux-k7

$ aptitude show linux-k7
Package: linux-k7
New: yes
State: installed
Automatically installed: no
Version: 2.6.15.25

Wingnut (michael-crist) wrote :

On 11/1/06, Kees Cook <email address hidden> wrote:
> For any brave people interested in beta testing the updated nvidia
> driver, please see:
>
> https://lists.ubuntu.com/archives/ubuntu-devel/2006-November/022177.html
>
> Barring any problems, the new driver should be released shortly.
>

Unmet dependencies on Dapper / AMD64 with package nvidia-glx:

The following packages have unmet dependencies:
  nvidia-glx: Depends: libatk1.0-0 (>= 1.12.1) but 1.11.4-0ubuntu1 is
to be installed
              Depends: libc6 (>= 2.4-1) but 2.3.6-0ubuntu20 is to be installed
              Depends: libglib2.0-0 (>= 2.12.0) but 2.10.3-0ubuntu1 is
to be installed
              Depends: libgtk2.0-0 (>= 2.10.3) but 2.8.20-0ubuntu1 is
to be installed
              Depends: libpango1.0-0 (>= 1.14.5) but 1.12.3-0ubuntu3
is to be installed
E: Broken packages

Kees Cook (kees) wrote :

Ah, I think the problem here is that the Edgy .debs are being seen by the Dapper folks. I will modify the deb paths...

For Dapper, use:

  deb http://people.ubuntu.com/~kees/test-lrm-2.6.15.12-1/ ./

For Edgy, use:

  deb http://people.ubuntu.com/~kees/test-lrm-2.6.17.6-1/ ./

Apologies for the confusion!

x (xk2c-deactivatedaccount) wrote :

> Apologies for the confusion!

No problem. I like to have fun ;)

Today I tested this "new" repo and everything is working here.
Good work.

x (xk2c-deactivatedaccount) wrote :

PS.
Platform: linux-k7/dapper

x (xk2c-deactivatedaccount) wrote :

USN-377-1
man, did you read this post through some kind of a temporal abnormity?

this is faaast ;)

Kees Cook (kees) wrote :

USN-377-1 published.

Changed in linux-restricted-modules-2.6.15:
status: Fix Committed → Fix Released
Changed in linux-restricted-modules-2.6.17:
status: Fix Committed → Fix Released
Wingnut (michael-crist) wrote :

On 11/2/06, Kees Cook <email address hidden> wrote:
> Ah, I think the problem here is that the Edgy .debs are being seen by
> the Dapper folks. I will modify the deb paths...
>
> For Dapper, use:
>
> deb http://people.ubuntu.com/~kees/test-lrm-2.6.15.12-1/ ./
>

Installation successful. None of the test cases listed for this bug
cause any problems.

Dapper / AMD64

towsonu2003 (towsonu2003) wrote :

Is bug #70195 related to this?
