root escalation via /dev/nvidia0
Bug #959842 reported by Bryce Harrington
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
nvidia-graphics-drivers (Ubuntu) | Fix Released | Critical | Alberto Milone | |
Lucid | Fix Released | Undecided | Unassigned | |
Natty | Fix Released | Undecided | Unassigned | |
Oneiric | Fix Released | Undecided | Unassigned | |
Precise | Fix Released | Critical | Alberto Milone | |
nvidia-graphics-drivers-173 (Ubuntu) | Fix Released | Undecided | Alberto Milone | |
Lucid | Fix Released | Undecided | Unassigned | |
Natty | Fix Released | Undecided | Unassigned | |
Oneiric | Fix Released | Undecided | Unassigned | |
Precise | Fix Released | Undecided | Alberto Milone | |
nvidia-graphics-drivers-173-updates (Ubuntu) | Fix Released | Undecided | Alberto Milone | |
Lucid | Fix Released | Undecided | Unassigned | |
Natty | Fix Released | Undecided | Unassigned | |
Oneiric | Fix Released | Undecided | Unassigned | |
Precise | Fix Released | Undecided | Alberto Milone | |
nvidia-graphics-drivers-updates (Ubuntu) | Fix Released | Undecided | Alberto Milone | |
Lucid | Fix Released | Undecided | Unassigned | |
Natty | Fix Released | Undecided | Unassigned | |
Oneiric | Fix Released | Undecided | Unassigned | |
Precise | Fix Released | Undecided | Alberto Milone | |
Bug Description
It was raised to me just now that there is a security issue with /dev/nvidia0 where an unprivileged account can access kernel memory and gain root access. An example exploit is attached.
Related branches
lp:ubuntu/oneiric-security/nvidia-graphics-drivers-updates
- Bob Bib (community): Approve
- Ubuntu Development Team: Pending requested
Diff: 102 lines (+50/-2), 6 files modified
debian/changelog (+12/-0)
debian/control (+1/-1)
debian/control.in (+1/-1)
debian/dkms.conf (+1/-0)
debian/dkms.conf.in (+1/-0)
debian/dkms/patches/blacklist-register-mapping.patch (+34/-0)
CVE References
Changed in nvidia-graphics-drivers (Ubuntu):
milestone: none → ubuntu-12.04
Changed in nvidia-graphics-drivers-updates (Ubuntu Precise):
assignee: nobody → Alberto Milone (albertomilone)
status: New → Fix Released
Changed in nvidia-graphics-drivers-updates (Ubuntu Lucid):
status: New → Fix Released
Changed in nvidia-graphics-drivers-updates (Ubuntu Natty):
status: New → Fix Released
Changed in nvidia-graphics-drivers-updates (Ubuntu Oneiric):
status: New → Fix Released
Changed in nvidia-graphics-drivers-173 (Ubuntu Lucid):
status: New → Fix Released
Changed in nvidia-graphics-drivers-173 (Ubuntu Natty):
status: New → Fix Released
Changed in nvidia-graphics-drivers-173 (Ubuntu Oneiric):
status: New → Fix Released
Changed in nvidia-graphics-drivers-173-updates (Ubuntu Lucid):
status: New → Fix Released
Changed in nvidia-graphics-drivers-173-updates (Ubuntu Natty):
status: New → Fix Released
Changed in nvidia-graphics-drivers-173-updates (Ubuntu Oneiric):
status: New → Fix Released
Changed in nvidia-graphics-drivers-173 (Ubuntu Precise):
assignee: nobody → Alberto Milone (albertomilone)
status: New → Confirmed
Changed in nvidia-graphics-drivers-173-updates (Ubuntu Precise):
assignee: nobody → Alberto Milone (albertomilone)
status: New → Confirmed
The previous code apparently is written for 64-bit.
Attached is my (probably wrong) attempt at making it work on 32-bit.
Output:
bryce@porlock:~$ gcc ./nvidia_exploit.c -o nvidia_exploit ; ./nvidia_exploit
Card type: 0x92200a2, chip 92
627
c34500b4 488
Linux kernel found at 70000
bryce@porlock:~$ gcc ./nvidia_exploit.c -o nvidia_exploit ; ./nvidia_exploit
Card type: 0x92200a2, chip 92
627
c34500b4 488
Linux kernel found at 70000
I've no idea whether the c34500b4 488 numbers correspond to something pertaining to the kernel, but those were the only numbers that got printed out.