Comment 11 for bug 1039916

TJ (tj) wrote :

The blacklisted entry was introduced by the latest security patch to the nvidia drivers.

nvidia-graphics-drivers-updates (295.49-0ubuntu0.2) precise-security; urgency=low

  * SECURITY UPDATE: privilege escalation via kernel memory access
    - debian/dkms/patches/blacklist-vga-pmu-registers.patch: blacklist
      more offsets in nv.{c,h}.
    - debian/dkms.conf{.in}: added new patch.
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Sun, 05 Aug 2012 09:49:25 -0400

The code:

diff -ur kernel/nv.h kernel/nv.h
--- kernel/nv.h 2012-08-02 18:19:37.000000000 -0700
+++ kernel/nv.h 2012-08-02 18:19:37.000000000 -0700
@@ -448,7 +448,20 @@

 #define IS_BLACKLISTED_REG_OFFSET(nv, offset, length) \
              ((IS_REG_RANGE_WITHIN_MAPPING(nv, 0x1000, 0x1000, offset, length)) ||\
- (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x700000, 0x100000, offset, length)))
+ (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x84000, 0x1000, offset, length)) ||\
+ (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x85000, 0x1000, offset, length)) ||\
+ (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x86000, 0x1000, offset, length)) ||\
+ (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x87000, 0x1000, offset, length)) ||\
+ (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x89000, 0x1000, offset, length)) ||\
+ (IS_REG_RANGE_WITHIN_MAPPING(nv, 0xa0000, 0x20000, offset, length)) ||\
+ (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x104000, 0x1000, offset, length)) ||\
+ (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x105000, 0x1000, offset, length)) ||\
+ (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x10a000, 0x1000, offset, length)) ||\
+ (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x1c2000, 0x1000, offset, length)) ||\
+ (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x1c3000, 0x1000, offset, length)) ||\
+ (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x618000, 0x2000, offset, length)) ||\
+ (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x627000, 0x1000, offset, length)) ||\
+ (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x700000, 0x100000, offset, length)))

 /* duplicated from nvos.h for external builds */
 #ifndef NVOS_AGP_CONFIG_DISABLE_AGP
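Review bot: The fifteen-term `IS_BLACKLISTED_REG_OFFSET` macro evaluates its `offset` and `length` arguments once per term, so a caller passing an expression with side effects would have it evaluated up to fifteen times, and a list this long is hard to audit by eye (the windows at 0x84000–0x87000, 0x104000–0x105000 and 0x1c2000–0x1c3000 are adjacent and could each be one entry). A `static const` table of `{base, size}` pairs walked by a `static inline` function, with the macro kept as a one-line wrapper so callers are unchanged, keeps the deny-list reviewable and single-evaluation; the fence below keeps the entries one-for-one so behaviour is identical whatever the helper does. Whether a request that starts below a listed window and extends into it is rejected depends on `IS_REG_RANGE_WITHIN_MAPPING`, which is defined outside this hunk; if it tests containment rather than overlap, a straddling request would pass and the table walk should use an explicit overlap test instead. Because this is a deny-list, any privileged register not enumerated here stays reachable, so each table entry deserves a comment naming the block it covers and where that information came from.
```c
/* Register windows user space may not map. Kept as data so the list can be
 * audited line by line and each entry is checked with a single evaluation
 * of the caller's arguments. Entries mirror the macro one-for-one. */
static const struct { NvU32 base; NvU32 size; } nv_blacklisted_reg_ranges[] = {
    { 0x1000,   0x1000   },
    { 0x84000,  0x1000   },
    { 0x85000,  0x1000   },
    { 0x86000,  0x1000   },
    { 0x87000,  0x1000   },
    { 0x89000,  0x1000   },
    { 0xa0000,  0x20000  },
    { 0x104000, 0x1000   },
    { 0x105000, 0x1000   },
    { 0x10a000, 0x1000   },
    { 0x1c2000, 0x1000   },
    { 0x1c3000, 0x1000   },
    { 0x618000, 0x2000   },
    { 0x627000, 0x1000   },
    { 0x700000, 0x100000 },
};

/* Returns non-zero when [offset, offset+length) touches a blacklisted window,
 * as judged by IS_REG_RANGE_WITHIN_MAPPING (defined elsewhere in nv.h). */
static inline int nv_is_blacklisted_reg_offset(nv_state_t *nv, NvU32 offset, NvU32 length)
{
    size_t i;
    for (i = 0; i < sizeof nv_blacklisted_reg_ranges / sizeof nv_blacklisted_reg_ranges[0]; i++) {
        if (IS_REG_RANGE_WITHIN_MAPPING(nv, nv_blacklisted_reg_ranges[i].base,
                                        nv_blacklisted_reg_ranges[i].size, offset, length)) {
            return 1;
        }
    }
    return 0;
}

/* Wrapper keeps existing call sites unchanged. */
#define IS_BLACKLISTED_REG_OFFSET(nv, offset, length) \
    nv_is_blacklisted_reg_offset((nv), (offset), (length))
```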