| |||||||||||||
|
| |||||||||||||
Write to NVIDIAWrite to NVIDIAPosted Oct 17, 2006 1:37 UTC (Tue) by einstein (subscriber, #2052)In reply to: Write to NVIDIA by cortana Parent article: Local root exploit in NVidia driver
> I ask that anyone who wants to see an end to NVIDIA's proprietary video drivers also let them know that you care about this issue.
I would hate to see an end to nvidia's drivers, as they are currently the best video drivers available for linux at any price. I'd love it if there was any OSS driver that could match the nvidia performance, but it's just not the case at present. Let's at least admit that these nvidia people do know a thing or two about graphics programming.
And let's not kid ourselves, we've seen vulnerability reports every week for various open source programs, libraries and drivers. It's a bit ironic that the one time it's the nvidia driver, we hear all the comments about the evils of closed drivers - the fact that it's already fixed makes no odds to these folks, I suppose.
* See the release notes for the 1.0-9626 driver - which I'm running at present
(Log in to post comments)
Write to NVIDIA Posted Oct 17, 2006 3:03 UTC (Tue) by drag (subscriber, #31333) [Link] There is no way to know it's fixed.
Nothing in the Nvidia changelog mentioned anything about the offending bug.
The only thing we know is that the exploit code in it's current form probably will not work. The nvidia devs didn't mention anything until after this stuff has been made public and we don't know if they closed the hole or not.
It looks a lot more the statement like damage control then actually a company concerned about fixing a security problem.
The shoker is the length of time it's taken for this problem to be realy made public. The issue has been around since 2004 and it wasn't until July 2006 until a nvidia developer in their forums acknowledged it was a problem and gave it a bug report number.
As for the quality of OSS drivers...
The OSS developers haven't realy been given a chance to show what they can or cannot due. With the Intel stuff they have to sign NDAs so only a small number of developers are working on it, but the results are actually pretty nice so far.
I would expect that developers working from within Nvidia with direct access to any and all documentation and having the developer's ear have a bit of a unfair advantage compared to developers that have Nvidia and ATI actively working AGAINST them making drivers and forcing them to reverse engineer the drivers.
I think that the fact that R300 DRI drivers work nearly as well as they do is a testiment to the fact that F/OSS developers CAN write good 3d drivers. Sure they are slow and have limited features, but non-the-less they work and are stable. I think that this a quite of a acheivement considuring that they are made from reverse engineering stuff.
Some perspective for the timeline.. Posted Oct 17, 2006 7:15 UTC (Tue) by nhippi (subscriber, #34640) [Link] > The shoker is the length of time it's taken for this problem to be realy made public. The issue has been around since 2004 and it wasn't until July 2006 until a nvidia developer in their forums acknowledged it was a problem and gave it a bug report number.
I hate binary drivers as much as the next guy, but you are not being fair here.
The 2004 report was on xorg bugzilla, but it wasn't reported against nvidia drivers, instead against org/Server/General. A nvidia (propertiary) section was added later to xorg bugzilla, but nobody took the time to dig through bugzilla to search what to reassign to that category.
Nobody reported or tagged it as security issue until recently.
When it was reported to nvnews forums nvidia started promptly working on it.
It was rather a fault of bug reporting process than evidence of evilness of propiertary application development. People who report bugs are lost - they don't know where to report, how to give all information developers need and so-on. Developers hate administrative tasks such as digging and reassiging bugs in bugzilla..
Some perspective for the timeline.. Posted Oct 17, 2006 8:12 UTC (Tue) by nim-nim (subscriber, #34454) [Link] >> The shoker is the length of time it's taken for this problem to be realy>> made public. The issue has been around since 2004 and it wasn't until July >> 2006 until a nvidia developer in their forums acknowledged it was a problem >> and gave it a bug report number.
> I hate binary drivers as much as the next guy, but you are not being fair
> The 2004 report was on xorg bugzilla, but it wasn't reported against nvidia
And remind us again why nvidia was not reading xorg bugzilla in 2004?
... right, out-of-tree binary drivers and development team dissociated from the FOSS community
Some perspective for the timeline.. Posted Oct 26, 2006 13:46 UTC (Thu) by jond (subscriber, #37669) [Link] The distributions only switched to X.org from XFree86 in mid-2004 (Debian's first release with X.org instead of XFree86 is due /this/ december). It is hardly suprising that Nvidia wasn't reading every bug in the X.org bugzilla before the dust had settled.
Write to NVIDIA Posted Oct 17, 2006 3:52 UTC (Tue) by dang (subscriber, #310) [Link] No irony about it. It isn't the *fact* that there is a bug. Every bit of sofware has bugs. It isn't even that it is a bug of high severity. Rather it is that apparently the bug of the highest severity was known and neither acknowledged nor fixed for so very long. Whatever one thinks about binary drivers, one can't well like this sort of lapse is responsibility.
Write to NVIDIA Posted Oct 17, 2006 3:53 UTC (Tue) by rqosa (guest, #24136) [Link] > And let's not kid ourselves, we've seen vulnerability reports every week for various open source programs, libraries and drivers. But those vulnerabilities usually get fixed faster.
Write to NVIDIA Posted Oct 17, 2006 4:22 UTC (Tue) by bignose (subscriber, #40) [Link] > I would hate to see an end to nvidia's drivers, as they are currently the> best video drivers available for linux at any price.
I hate to see all that good knowledge locked up inside a proprietary driver, and want an end to their proprietary nature.
> I'd love it if there was any OSS driver that could match the nvidia
I'd love it if any proprietary driver was independently auditable and openly documented like *all* free software drivers. But that's just not the case.
> Let's at least admit that these nvidia people do know a thing or two
I freely admit that nvidia people know a thing or two about graphics programming. I don't see any necessary connection with "knowing a thing or two about graphics programming" and "unable to release information needed for free software dirvers".
> And let's not kid ourselves, we've seen vulnerability reports every week
That's a good thing, because those vulnerabilities are revealed very soon after they're discovered. Security vulnerabilities in non-free software are treated as a PR problem, and are covered up for as long as the holder can get away with it.
> the fact that it's already fixed
How can we know it's fixed at all? The only people who can say anything about that have a direct interest in not letting anyone know of any problems.
A free-software driver can be independently verified when it gets fixed, by people who have a direct interest in finding remaining problems. Not so for non-free drivers.
Write to NVIDIA Posted Oct 17, 2006 5:12 UTC (Tue) by elanthis (subscriber, #6227) [Link] "I'd love it if any proprietary driver was independently auditable and openly documented like *all* free software drivers. But that's just not the case."
By "just not the case" I assume you must be refering to all free software drivers being openly documented and independently auditable. A great many drivers, graphics/X drivers and otherwise, are either filled with black voodoo that nobody but the author understands (and who is under NDA) or functions as little more than a loading mechanism to push a binary blob of firmware to the hardware.
Write to NVIDIA Posted Oct 17, 2006 5:59 UTC (Tue) by bignose (subscriber, #40) [Link] > A great many drivers, graphics/X drivers and otherwise, are either filled> with black voodoo that nobody but the author understands (and who is under > NDA) or functions as little more than a loading mechanism to push a binary > blob of firmware to the hardware.
Then those drivers are also non-free.
Yes, many such drivers are mistakenly distributed under the GPL or other free software licenses. While a free software license is necessary to make the software free, it's not sufficient. Software for which the source code is not freely distributable is non-free.
What drivers are truely Libre? Posted Oct 17, 2006 16:15 UTC (Tue) by smoogen (subscriber, #97) [Link]
I wonder what drivers are truely free in the sense that is wanted by people. My experience that a lot of the voodoo with hardware starts with the manufacturer who found what values worked for them and have no idea what happens if you change bit 37 to 1 beyond it blew up Jo in testings monitor.
Write to NVIDIA Posted Oct 17, 2006 5:53 UTC (Tue) by AJWM (guest, #15888) [Link] > nvidia's drivers, as they are currently the best video drivers available for linux at any price.
What part of "root exploit" did you miss? That automatically disqualifies them from even running for "best video driver".
> Let's at least admit that these nvidia people do know a thing or two about graphics programming.
Okay, these Nvidia people know a thing or two about graphics programming. (Of course, it helps that they have access to the specs and nobody else does). Apparently they don't know much about secure programming or preventing buffer overflows.
> it's already fixed
How do you know it's fixed? Do the release notes specifically mention a fix for a root exploit? Did you review the source code? Oh, wait...
Write to NVIDIA Posted Oct 17, 2006 6:22 UTC (Tue) by cate (subscriber, #1359) [Link] The open source programs have more security advisory because people check the sources and send bug report. It is rare to found an exploit before upstream fix bugs. In closed source you will have only the later category.
Performance is not a valid reason to qualify "best driver". Is is simpler to ignore some races and some cases to gain a lot of performance, but at the end is not correct on some cases, then you will have some crash or lock every day/week/month/year? I prefer "safe" over "preformance"
Write to NVIDIA Posted Oct 17, 2006 9:47 UTC (Tue) by NAR (subscriber, #1313) [Link] The open source programs have more security advisory because people check the sources and send bug report. It is rare to found an exploit before upstream fix bugs.I seem to recall that even Debian servers were compromised by a previously unknown local root exploit based on a kernel bug - and probably the kernel gets the most peer review, so the situation could be only worse for other projects. Anyway, I believe that the number of critical bugs does not depend directly on the methodology of development, it depends on the skill of the developers and their deadlines.
Write to NVIDIA Posted Oct 17, 2006 10:04 UTC (Tue) by cate (subscriber, #1359) [Link] The exploits of Debian server, IIRC, was two kernel bugs. IIRC one was discovered with forensic of the debian exploit. So I agree, also open sources have zero-day exploits.But IIRC there was some studies about drivers, and the majority of binary drivers was coded in a very very bad manner (and not only Linux drivers).
Linux have specialized people with good kernel skills in design, features and common problems. Unfortunately the hardware designers lack of people with in-deep known. (Maybe "our" editor books helps to fill the gap)
Anyway there are a lot of security problem in a lot of open source programs. And I think for a cultural reason.
Write to NVIDIA Posted Oct 17, 2006 14:39 UTC (Tue) by ajross (subscriber, #4563) [Link]
"nvidia's drivers, as they are currently the best video drivers available for linux at any price."... This is an apples-to-oranges argument. The NVIDIA drivers are "best" to some folks because they are fast, stable, and very featureful. They are they only drivers available under linux that have the features (OpenGL extensions & 2.0 shaders) you get with the windows drivers, period. To people doing 3D development under linux (most of us at www.flightgear.org, for example), they are honestly the only reasonable choice. Bugs in the ATI and x.org drivers appear regularly. There's a very common one right now (we see it routinely on IRC, not sure which distros are affected) where trying to run an indirect GL client when an improper xorg.conf setup causes a client crash. People not doing 3D development don't likely care about the output of glxinfo and just want their 2D desktop and the occasional (pre-compiled and tested by someone else) 3D program to be stable and work. These folks can get acceptable use out of the existing free drivers. But to pretend that that makes them "just as good" as the NVIDIA drivers is a little delusional. They aren't. Now, does that make it "OK" that NVIDIA's drivers are non-free, or excuse the root hole? Of course not. But please don't confuse the issue by arguing two things at the same time. NVIDIA's drivers have features that some of us need, and that are simply not yet available from free software.
Write to NVIDIA Posted Oct 17, 2006 16:00 UTC (Tue) by AJWM (guest, #15888) [Link] > To people doing 3D development under linux (most of us at www.flightgear.org, for example), they are honestly the only reasonable choice.
Horsepucky. The open source ati drivers are just fine for running flightgear, and as far as development goes, it doesn't matter what graphics you have for compiling. Might make a slight difference if you're building models, but I doubt it.
I will freely admit that you do need a decent 3D card and drivers to run FlightGear -- I replaced my ancient generic PCI video card (1 frame per second) with an ATI 9250-based, 256MB AGP card (typically about 40 fps, higher at night ;-), with everything else the same) for that very reason.
> NVIDIA's drivers have features that some of us need,
Need? Really? Want, perhaps. Especially if you're doing development rather than running applications -- fast compilers aside, developers (of mass audience apps) shouldn't be targeting bleeding edge hardware, it skews their perspective. Come up with creative solutions to make the app fast/dazzling/whatever on mediocre hardware and you'll make more people happy. (Personally as far as FlightGear goes, I'd just as soon see less effort spent on making clouds look more real, and more done on making the scenery look more like the places I've actually flown, or at least make the documentation better so that I can figure out how to incorporate photos into the scenery myself. Although to be honest I haven't spent a lot of time on that yet.)
|
|
||||||||||||