Write to NVIDIA

Posted Oct 17, 2006 3:03 UTC (Tue) by drag (subscriber, #31333)
In reply to: Write to NVIDIA by einstein
Parent article: Local root exploit in NVidia driver

There is no way to know it's fixed.

Nothing in the Nvidia changelog mentioned anything about the offending bug.

The only thing we know is that the exploit code in its current form probably will not work. The nvidia devs didn't mention anything until after this stuff had been made public and we don't know if they closed the hole or not.

The statement looks a lot more like damage control than a company actually concerned about fixing a security problem.

The shocker is the length of time it's taken for this problem to be really made public. The issue has been around since 2004 and it wasn't until July 2006 that an nvidia developer in their forums acknowledged it was a problem and gave it a bug report number.

As for the quality of OSS drivers...

The OSS developers haven't really been given a chance to show what they can or cannot do. With the Intel stuff they have to sign NDAs so only a small number of developers are working on it, but the results are actually pretty nice so far.

I would expect that developers working from within Nvidia with direct access to any and all documentation and having the developer's ear have a bit of an unfair advantage compared to developers that have Nvidia and ATI actively working AGAINST them making drivers and forcing them to reverse engineer the drivers.

I think that the fact that R300 DRI drivers work nearly as well as they do is a testament to the fact that F/OSS developers CAN write good 3d drivers. Sure they are slow and have limited features, but nonetheless they work and are stable. I think that this is quite an achievement considering that they are made from reverse engineering stuff.


Some perspective for the timeline..

Posted Oct 17, 2006 7:15 UTC (Tue) by nhippi (subscriber, #34640)

> The shocker is the length of time it's taken for this problem to be really made public. The issue has been around since 2004 and it wasn't until July 2006 that an nvidia developer in their forums acknowledged it was a problem and gave it a bug report number.

I hate binary drivers as much as the next guy, but you are not being fair here.

The 2004 report was on xorg bugzilla, but it wasn't reported against nvidia drivers, instead against org/Server/General. An nvidia (proprietary) section was added later to xorg bugzilla, but nobody took the time to dig through bugzilla to search what to reassign to that category.

Nobody reported or tagged it as a security issue until recently.

When it was reported to nvnews forums nvidia started promptly working on it.

It was rather a fault of the bug reporting process than evidence of evilness of proprietary application development. People who report bugs are lost - they don't know where to report, how to give all the information developers need, and so on. Developers hate administrative tasks such as digging and reassigning bugs in bugzilla.

Some perspective for the timeline..

Posted Oct 17, 2006 8:12 UTC (Tue) by nim-nim (subscriber, #34454)

>> The shocker is the length of time it's taken for this problem to be really
>> made public. The issue has been around since 2004 and it wasn't until July
>> 2006 that an nvidia developer in their forums acknowledged it was a problem
>> and gave it a bug report number.

> I hate binary drivers as much as the next guy, but you are not being fair
> here.

> The 2004 report was on xorg bugzilla, but it wasn't reported against nvidia
> drivers, instead against org/Server/General.

And remind us again why nvidia was not reading xorg bugzilla in 2004?

... right, out-of-tree binary drivers and development team dissociated from the FOSS community

Some perspective for the timeline..

Posted Oct 26, 2006 13:46 UTC (Thu) by jond (subscriber, #37669)

The distributions only switched to X.org from XFree86 in mid-2004 (Debian's first release with X.org instead of XFree86 is due /this/ December). It is hardly surprising that Nvidia wasn't reading every bug in the X.org bugzilla before the dust had settled.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds