All supported releases have been bumped to the 304.x drivers, so this is fixed now. Closing.
** Changed in: nvidia-graphics-drivers (Ubuntu)
   Status: Triaged => Fix Released

https://bugs.launchpad.net/bugs/979373

Title: heap overflows in nvidia driver

Status in "nvidia-graphics-drivers" package in Ubuntu: Fix Released

Bug description:

Hello,

While I haven't had time to prove these out, they seem to be problems.

1) Race, available only to uid 0 (but uid 0 should not mean ring-0 access): /proc/driver/nvidia/registry is vulnerable to a write race that can result in a limited heap overflow. nv_procfs_write_registry does not perform locking on nvfp->off, so two writers (of the same fd) could race to confuse the bytes_left and proc_buffer locations, leading to heap overflow:

    writer 1: bytes_left = (NV_PROC_WRITE_BUFFER_SIZE - nvfp->off - 1);
    writer 1: ...
    writer 1: copy_from_user(proc_buffer, buffer, count)
    writer 2: bytes_left = (NV_PROC_WRITE_BUFFER_SIZE - nvfp->off - 1);
    writer 1: nvfp->off += count;
    writer 2: ...
    writer 2: proc_buffer = &((char *)nvfp->data)[nvfp->off];
    writer 2: copy_from_user(proc_buffer, buffer, count)

Writer 2's count was checked against nvfp->off before it was moved, and writer 2's proc_buffer is now offset by nvfp->off, allowing a write past the end of the heap buffer, by at most NV_PROC_WRITE_BUFFER_SIZE (64k) - 2 bytes.

2) Heap overflow in control device ioctl: the minimum size of the ioctl buffer is not checked for NV_ESC_CARD_INFO, which will write 50 bytes per device to the allocated kernel buffer (which was sized to the input buffer), before attempting to then write it back to the user buffer. With a minimum 1 byte buffer, this is a 49 byte overflow, since the rm_api->magic check doesn't actually abort the ioctl. I expect there are additional heap overflows in the rm_ioctl function since it is not passed arg_size as a parameter, but I didn't have time to examine the binary module.
Seems like enforcing a minimum allocation size when calling rm_ioctl would be the simplest fix.

3) Kernel heap contents leak race in ioctl handler: the ioctl will copy the contents of kernel heap back to the user buffer even on failure. By racing the ioctl with a change in VMA protections, it should be possible to extract uncleared kernel heap memory:

    thread 1: set VMA for arg_ptr to PROT_NONE
    thread 1: NV_KMALLOC(arg_copy, arg_size);
    thread 1: copy_from_user(arg_copy, arg_ptr, arg_size)   <- fails and jumps to "done"
    thread 2: set VMA for arg_ptr to PROT_WRITE
    thread 1: if (arg_copy != NULL) ... copy_to_user(arg_ptr, arg_copy, arg_size)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers/+bug/979373/+subscriptions
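A user-space model of the hardened write path for bug 1, added here as an illustration and not the driver's code: the remaining-space check, the copy and the offset update all happen under one lock, and the caller's count is clamped to what actually fits, so two writers on the same fd can no longer interleave between the check and the copy. Buffer size and names are constructed stand-ins for NV_PROC_WRITE_BUFFER_SIZE and nvfp.

```c
#include <pthread.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the procfs write state; the real driver keeps
 * data/off in its per-fd nvfp structure with a 64k buffer. */
#define WRITE_BUFFER_SIZE 64

struct write_state {
    char data[WRITE_BUFFER_SIZE];
    size_t off;              /* bytes accepted so far */
    pthread_mutex_t lock;    /* serialises check, copy and offset update */
};

void write_state_init(struct write_state *st) {
    memset(st->data, 0, sizeof st->data);
    st->off = 0;
    pthread_mutex_init(&st->lock, NULL);
}

/* Append up to count bytes; returns the number accepted (0 when full).
 * bytes_left keeps one byte free for a terminator, as in the report. */
size_t write_registry(struct write_state *st, const char *buf, size_t count) {
    pthread_mutex_lock(&st->lock);
    size_t bytes_left = WRITE_BUFFER_SIZE - st->off - 1;
    if (count > bytes_left)
        count = bytes_left;                 /* clamp instead of trusting the caller */
    memcpy(&st->data[st->off], buf, count); /* off is still the value just checked */
    st->off += count;
    st->data[st->off] = '\0';
    pthread_mutex_unlock(&st->lock);
    return count;
}

/* Drive the model: three 40-byte writes, the second and third of which
 * would run past the end without the clamp. Returns the final offset. */
size_t fill_and_overrun(void) {
    struct write_state st;
    char big[40];
    write_state_init(&st);
    memset(big, 'A', sizeof big);
    write_registry(&st, big, sizeof big);   /* accepted in full: 40 */
    write_registry(&st, big, sizeof big);   /* only 23 bytes fit */
    write_registry(&st, big, sizeof big);   /* buffer full: 0 accepted */
    pthread_mutex_destroy(&st.lock);
    return st.off;                          /* 63, never WRITE_BUFFER_SIZE or beyond */
}
```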