All supported releases have been bumped to the 304.x drivers, so this is
fixed now. Closing.

** Changed in: nvidia-graphics-drivers (Ubuntu)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to nvidia-graphics-drivers in Ubuntu.
https://bugs.launchpad.net/bugs/979373

Title:
  heap overflows in nvidia driver

Status in “nvidia-graphics-drivers” package in Ubuntu:
  Fix Released

Bug description:
  Hello,

  While I haven't had time to prove these out, they seem to be problems.

  1) Race, available only to uid 0 (but uid 0 should not mean ring-0 access):
  /proc/driver/nvidia/registry is vulnerable to a write race that can result in a
  limited heap overflow.
  nv_procfs_write_registry does not perform locking on nvfp->off, so two
  writers (of the same fd) could race to confuse the bytes_left and proc_buffer
  locations, leading to heap overflow:

  writer 1: bytes_left = (NV_PROC_WRITE_BUFFER_SIZE - nvfp->off - 1);
  writer 1: ...
  writer 1: copy_from_user(proc_buffer, buffer, count))
  writer 2: bytes_left = (NV_PROC_WRITE_BUFFER_SIZE - nvfp->off - 1);
  writer 1: nvfp->off += count;
  writer 2: ...
  writer 2: proc_buffer = &((char *)nvfp->data)[nvfp->off];
  writer 2: copy_from_user(proc_buffer, buffer, count)

  writer 2's count was checked against nvfp->off before it was moved,
  and writer 2's proc_buffer is now offset by nvfp->off, allowing a
  write past the end of the heap buffer, by at most
  NV_PROC_WRITE_BUFFER_SIZE (64k) - 2 bytes.


  2) Heap overflow in control device ioctl: minimum size of the ioctl buffer is
  not checked for NV_ESC_CARD_INFO, which will write 50 bytes per device to the
  allocated kernel buffer (which was sized to the input buffer), before
  attempting to then write it back to the user buffer. With a minimum 1 byte
  buffer, this is a 49 byte overflow, since the rm_api->magic check doesn't
  actually abort the ioctl.

  I expect there are additional heap overflows in the rm_ioctl function
  since it is not passed arg_size as a parameter, but I didn't have time
  to examine the binary module. Seems like enforcing a minimum
  allocation size when calling rm_ioctl would be the simplest fix.


  3) Kernel heap contents leak race in ioctl handler: the ioctl will copy the
  contents of kernel heap back to the user buffer even on failure. By racing the
  ioctl with a change in VMA protections, it should be possible to extract
  uncleared kernel heap memory:

  thread 1: set VMA for arg_ptr to PROT_NONE
  thread 1: NV_KMALLOC(arg_copy, arg_size);
  thread 1: copy_from_user(arg_copy, arg_ptr, arg_size) <- fails and jumps to "done"
  thread 2: set VMA for arg_ptr to PROT_WRITE
  thread 1: if (arg_copy != NULL) ... copy_to_user(arg_ptr, arg_copy, arg_size)
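
The interleaving in item 1, as an added user-space model (editor's example, not the reporter's or NVIDIA's code). The handler is split into the two phases the report interleaves, replayed under a chosen schedule so the result is deterministic; nothing is actually overwritten, the model only computes where each copy_from_user would land. The clamp of count to bytes_left, and the struct and function names, are assumptions about the real handler.

```c
/* Added example, not the driver's code: a user-space model of the
 * check-then-use race on nvfp->off from item 1. The handler is split into
 * the two phases the report interleaves, replayed under a chosen schedule so
 * the result is deterministic, and nothing is actually overwritten: the model
 * only computes where each copy_from_user would land. The clamp of count to
 * bytes_left is an assumption about the real handler. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NV_PROC_WRITE_BUFFER_SIZE (64 * 1024)   /* 64k, as in the report */

/* Stand-in for the per-fd private data the real handler keeps. */
struct nv_file_private {
    size_t off;    /* write offset into nvfp->data, shared by every writer on the fd */
};

struct writer {
    size_t count;       /* bytes the caller asked to write (clamped in phase 1) */
    size_t bytes_left;  /* snapshot taken at the top of the handler */
    size_t dst_off;     /* offset proc_buffer points at when the copy happens */
};

/* Phase 1: bytes_left = NV_PROC_WRITE_BUFFER_SIZE - nvfp->off - 1; clamp count to it. */
static void write_begin(const struct nv_file_private *nvfp, struct writer *w)
{
    w->bytes_left = NV_PROC_WRITE_BUFFER_SIZE - nvfp->off - 1;
    if (w->count > w->bytes_left)
        w->count = w->bytes_left;
}

/* Phase 2: proc_buffer = &nvfp->data[nvfp->off]; copy_from_user(); nvfp->off += count. */
static void write_commit(struct nv_file_private *nvfp, struct writer *w)
{
    w->dst_off = nvfp->off;
    nvfp->off += w->count;
}

/* Bytes the copy would place past the end of nvfp->data (0 when it fits). */
static size_t overflow_bytes(const struct writer *w)
{
    size_t end = w->dst_off + w->count;
    return end > NV_PROC_WRITE_BUFFER_SIZE ? end - NV_PROC_WRITE_BUFFER_SIZE : 0;
}

/* The schedule from the report, with no lock: both writers snapshot the
 * offset before either advances it, so writer 2's clamp is stale. */
size_t race_unlocked(size_t count1, size_t count2)
{
    struct nv_file_private nvfp = { .off = 0 };
    struct writer w1 = { .count = count1 }, w2 = { .count = count2 };

    write_begin(&nvfp, &w1);    /* writer 1: bytes_left = SIZE - 0 - 1 */
    write_begin(&nvfp, &w2);    /* writer 2: same value, now stale */
    write_commit(&nvfp, &w1);   /* writer 1: off += count1 */
    write_commit(&nvfp, &w2);   /* writer 2: proc_buffer at the moved off */
    return overflow_bytes(&w2);
}

/* Same requests with begin+commit made atomic, as a mutex around the handler
 * would: writer 2 recomputes bytes_left after writer 1 moved the offset. */
size_t race_locked(size_t count1, size_t count2)
{
    struct nv_file_private nvfp = { .off = 0 };
    struct writer w1 = { .count = count1 }, w2 = { .count = count2 };

    write_begin(&nvfp, &w1);  write_commit(&nvfp, &w1);
    write_begin(&nvfp, &w2);  write_commit(&nvfp, &w2);
    return overflow_bytes(&w2);
}

int main(void)
{
    size_t n = NV_PROC_WRITE_BUFFER_SIZE - 1;   /* largest count one writer may pass */
    printf("unlocked: writer 2 overflows by %zu bytes\n", race_unlocked(n, n));
    printf("locked:   writer 2 overflows by %zu bytes\n", race_locked(n, n));
    return 0;
}
```

With both writers asking for NV_PROC_WRITE_BUFFER_SIZE - 1 bytes, the unlocked schedule puts writer 2's copy 64k - 2 bytes past the buffer, the bound the report gives; under the lock writer 2's count is clamped to 0 and nothing overflows.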

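Items 2 and 3 share the same ioctl path, so one added user-space model covers both (editor's example, not the reporter's or NVIDIA's code). "Kernel" and "user" memory are plain buffers, copy_from_user/copy_to_user are stand-ins that fail when the modelled page permissions forbid the access, rm_ioctl_card_info is a hypothetical NV_ESC_CARD_INFO body writing 50 bytes per device, and the hardened branch applies the minimum-size check the report suggests plus a zeroed allocation and success-only write-back, which are this example's own additions.

```c
/* Added example, not the driver's code: a user-space model of the control-device
 * ioctl path from items 2 and 3. "Kernel" and "user" memory are plain buffers,
 * copy_from_user/copy_to_user are stand-ins that fail when the modelled page
 * permissions forbid the access, and rm_ioctl_card_info is a hypothetical
 * NV_ESC_CARD_INFO body writing NV_CARD_INFO_SIZE bytes per device. Writes past
 * the kernel allocation are counted instead of performed. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define NV_CARD_INFO_SIZE 50      /* bytes written per device, per the report */
#define STALE_BYTE        0xAA    /* stands in for uncleared kernel heap contents */
#define USER_MAX          256

struct user_page {                /* the mapping behind arg_ptr */
    unsigned char data[USER_MAX];
    size_t len;                   /* arg_size */
    bool readable, writable;      /* flipped by the racing thread in item 3 */
};

struct kbuf {                     /* arg_copy */
    unsigned char *mem;
    size_t cap;
    size_t overflow;              /* bytes that would have landed past cap */
};

static struct kbuf nv_kmalloc(size_t n, bool zeroed)
{
    struct kbuf k = { .mem = malloc(n ? n : 1), .cap = n, .overflow = 0 };
    if (!k.mem) abort();
    memset(k.mem, zeroed ? 0 : STALE_BYTE, n);   /* NV_KMALLOC leaves old heap data behind */
    return k;
}

static void kbuf_put(struct kbuf *k, size_t off, const unsigned char *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (off + i < k->cap) k->mem[off + i] = src[i];
        else                  k->overflow++;
}

static int copy_from_user(struct kbuf *k, const struct user_page *u)
{
    if (!u->readable) return -1;      /* PROT_NONE at the time of the read */
    memcpy(k->mem, u->data, k->cap);
    return 0;
}

static int copy_to_user(struct user_page *u, const struct kbuf *k)
{
    if (!u->writable) return -1;      /* PROT_WRITE restored before the write-back */
    memcpy(u->data, k->mem, k->cap);
    return 0;
}

/* Hypothetical NV_ESC_CARD_INFO body: one record per device, sized by ndev, not arg_size. */
static void rm_ioctl_card_info(struct kbuf *arg_copy, int ndev)
{
    unsigned char rec[NV_CARD_INFO_SIZE];
    for (int d = 0; d < ndev; d++) {
        memset(rec, 0x40 + d, sizeof rec);
        kbuf_put(arg_copy, (size_t)d * NV_CARD_INFO_SIZE, rec, sizeof rec);
    }
}

struct ioctl_result { size_t overflow; size_t leaked; };

/* Models the ioctl handler. hardened=false follows the report: size the copy
 * from arg_size alone and copy back on every path. hardened=true rejects an
 * arg_size below what the request needs, zeroes the allocation and copies
 * back only after a successful copy_from_user (fixes assumed here). */
struct ioctl_result nvidia_ioctl_model(struct user_page *u, int ndev, bool hardened)
{
    struct ioctl_result r = { 0, 0 };
    if (hardened && u->len < (size_t)ndev * NV_CARD_INFO_SIZE)
        return r;                                   /* -EINVAL before touching the heap */

    struct kbuf arg_copy = nv_kmalloc(u->len, hardened);
    bool ok = copy_from_user(&arg_copy, u) == 0;
    if (ok)
        rm_ioctl_card_info(&arg_copy, ndev);
    if (!hardened || ok)                            /* the "done:" path in the report */
        copy_to_user(u, &arg_copy);

    r.overflow = arg_copy.overflow;
    for (size_t i = 0; i < u->len; i++)             /* stale bytes now visible to user space */
        if (u->data[i] == STALE_BYTE) r.leaked++;
    free(arg_copy.mem);
    return r;
}

/* Item 2: a small arg_size with ndev devices. Returns bytes written past arg_copy. */
size_t card_info_overflow(size_t arg_size, int ndev, bool hardened)
{
    if (arg_size > USER_MAX) arg_size = USER_MAX;
    struct user_page u = { .len = arg_size, .readable = true, .writable = true };
    return nvidia_ioctl_model(&u, ndev, hardened).overflow;
}

/* Item 3: thread 2 has the page PROT_NONE for the read and PROT_WRITE for the
 * write-back. Returns bytes of uncleared heap copied to user space. */
size_t heap_leak(size_t arg_size, bool hardened)
{
    if (arg_size > USER_MAX) arg_size = USER_MAX;
    struct user_page u = { .len = arg_size, .readable = false, .writable = true };
    return nvidia_ioctl_model(&u, 1, hardened).leaked;
}
```

card_info_overflow(1, 1, false) reproduces the 49-byte case from item 2, and heap_leak(64, false) returns the full 64 bytes of stale allocation because the write-back runs even though copy_from_user failed; the hardened variants return 0 for both.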
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers/+bug/979373/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
