Apparent root hole in nVidia drivers, what to do?

[Robster]

Hi,

As is being widely publicised (slashdot, kerneltrap), there is a buffer overflow vulnerability in nVidia drivers prior to the 9000 series.

The Rapid7 advisory and the comment threads to the above articles are a bit full of "binary drivers are evil" crud, and not very informative about what people should be doing about it.

Running the 962(5|6) drivers is not an option, as they are beta, buggy, and not ready for everyday use. So, what does that leave? Is disabling the Render extension enough? Or should we really be running the nv driver until this is fixed?

I would also really like some better communication. Is this remotely exploitable to run code (it seems that local access is needed, and the best you can do remotely is a DOS)? Does this make another 8000-series stable driver release worthwhile, and if so, how soon could that be done? Has nVidia really known about it for 2 years without fixing it?

A frank and open discussion of this issue from nVidia would be very welcome, and would go a long way to shutting up the "open source your drivers / publish your specs" trolls. So come on nVidia, get to it!

[netllama]

Disabling RenderAccel:
Option "RenderAccel" "False"
will serve as a workaround for those who are not comfortable with running a 1.0-962x driver.

As noted above, both 1.0-9625 & 1.0-9626 already have this vulnerability fixed.

Thanks,
Lonni

[ricercar]

Kudos the the fast NVIDIA response.

[evilghost]

Lonni is this bug the same thing we were seeing with Firefox crashing when visiting certain sites as referenced by the below thread?:

http://www.nvnews.net/vbulletin/show...hlight=firefox

http://www.nvnews.net/vbulletin/show...ghlight=239065 is the original thread when Lonni evidently logged the bug.

[cdrw]

actually response was not that fast: this bug was known to nvidia since 2004, however as most distros have X remote session disabled by default, then unless you are using it, you are safe.

[gsgatlin]

Thanks a lot for the quick response. Pushing out changes to all my
xorg.conf files that use NVidia with that "RenderAccel" "False" option. Great work.

[pe1chl]

Quote:

Originally Posted by gsgatlin

Thanks a lot for the quick response. Pushing out changes to all my
xorg.conf files that use NVidia with that "RenderAccel" "False" option. Great work.

This is meant sarcastic, isn't it?

[Gumboot]

Quote:

Originally Posted by pe1chl

This is meant sarcastic, isn't it?

Life isn't so hard without Render accelation. Unless you're using a lot of GTK stuff, but if you do that you obviously want to suffer.

[gsgatlin]

Quote:

Originally Posted by pe1chl

This is meant sarcastic, isn't it?

Actually no.

I am not a nazi on this stuff about open source. While I think Open Source generally produces better code I also understand the patent issues, etc. that NVidia's lawyers have to deal with. I tried the program "glxgears" with the Quadro FX cards in our DELL precision 380s with Option "RenderAccel" "False" in xorg.conf and its still pretty damn fast. Doing that was easier on 300 boxes than downgrading to "nv." I am glad NVidia at least supports Linux and hopefully they will continue to do so. I didn't see a way on a red hat EL4 box how to even get the parameters the sample exploit needed without being root but I didn't spend a whole lot of time on it either...

[Robster]

Aha!

http://www.nvnews.net/vbulletin/showthread.php?t=78521 is exactly what I was hoping to see from nVidia.

Thanks a lot guys, the speed and completeness of the response are indeed admirable.

[zifnab]

Good. The latest stable driver has been updated.
I have a Geforce-2 card at home for which I need the legacy driver. Will this driver be updated as well?

[Gumboot]

Quote:

Originally Posted by Robster

http://www.nvnews.net/vbulletin/showthread.php?t=78521 is exactly what I was hoping to see from nVidia.

Brilliant. They've "released" a statement, but the page they point to requires some kind of login.