LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for June 20, 2013

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Privilege escalation vulnerability in the NVidia binary driver

Privilege escalation vulnerability in the NVidia binary driver

Posted Aug 1, 2012 23:01 UTC (Wed) by THe_ZiPMaN (subscriber, #27460)
In reply to: Privilege escalation vulnerability in the NVidia binary driver by corbet
Parent article: Privilege escalation vulnerability in the NVidia binary driver

On Debian Unstable/Experimental, with kernel from siduction version 3.5-0.towo-siduction-amd64 and nvidia drivers from experimental version 304.30-1 it doesn't work...

$ ./a.out
[*] IDT offset at 0xffffffff8172a000
[*] Abusing nVidia...
[*] CVE-2012-YYYY
[*] 64-bits Kernel found at ofs 0
[*] Using IDT entry: 220 (0xffffffff8172adc0)
[*] Enhancing gate entry...
[*] Triggering payload...
Killed

On dmesg I can see...

[59253.807679] BUG: unable to handle kernel paging request at ffffffff81a00000
[59253.807690] IP: [<00000000004016a7>] 0x4016a6
[59253.807704] PGD 160d067 PUD 1611063 PMD 0
[59253.807711] Oops: 0000 [#1] PREEMPT SMP
[59253.807717] CPU 3
[59253.807720] Modules linked in:<4>[59253.807826] xt_NFQUEUE<4>[59253.807943] battery ac button processor ext4 crc16 jbd2 mbcache btrfs libcrc32c zlib_deflate dm_mod sg sd_mod crc_t10dif mmc_block crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 aes_generic cryptd ahci libahci firewire_ohci libata sdhci_pci firewire_core crc_itu_t scsi_mod e1000e sdhci mmc_core ehci_hcd usbcore usb_common [last unloaded: scsi_wait_scan]
[59253.807989]
[59253.807993] Pid: 15945, comm: a.out Tainted: P O 3.5-0.towo-siduction-amd64 #1 Dell Inc. Latitude E6510
[59253.808000] RIP: 0010:[<00000000004016a7>] [<00000000004016a7>] 0x4016a6
[59253.808011] RSP: 0000:ffff8801d1161d08 EFLAGS: 00010006
[59253.808015] RAX: ffffffff81a00000 RBX: 00000000000003e8 RCX: 00007f6f600b4767
[59253.808018] RDX: 00007f6f6038ce10 RSI: 00000000000003e8 RDI: 00000000000003e8
[59253.808021] RBP: ffff8801d1161fc8 R08: 2e2e2e64616f6c79 R09: 00007f6f6058d700
[59253.808024] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400ca0
[59253.808027] R13: 00007fffc1be7cb0 R14: 0000000000000000 R15: 0000000000000000
[59253.808031] FS: 00007f6f6058d700(0000) GS:ffff88022fcc0000(0000) knlGS:0000000000000000
[59253.808035] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[59253.808038] CR2: ffffffff81a00000 CR3: 0000000123308000 CR4: 00000000000007e0
[59253.808042] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[59253.808045] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[59253.808049] Process a.out (pid: 15945, threadinfo ffff8801d1160000, task ffff880220cfcf10)
[59253.808051] Stack:
[59253.808054] 00000000000003e8 00000000000003e8 0000000220484025 00007f6f600b4780
[59253.808061] ffff880222733f00 ffffea00064c0ef0 0000000000000000 ffff88019303b5a0
[59253.808068] 0000000000000028 00000000000000aa 00007f6f600b4000 ffffea0008812100
[59253.808074] Call Trace:
[59253.808087] [<ffffffff810bb2c3>] ? handle_pte_fault+0x2b8/0x7bc
[59253.808095] [<ffffffff812043b7>] ? pty_write+0x48/0x53
[59253.808101] [<ffffffff810b87c8>] ? pte_offset_kernel+0xc/0x38
[59253.808109] [<ffffffff8102b04e>] ? do_page_fault+0x274/0x2f2
[59253.808116] [<ffffffff8110ef90>] ? fsnotify+0x257/0x2a9
[59253.808122] [<ffffffff81051027>] ? __wake_up+0x35/0x46
[59253.808130] [<ffffffff810e5531>] ? vfs_write+0xaf/0xf8
[59253.808138] [<ffffffff8132ec39>] ? system_call_fastpath+0x16/0x1b
[59253.808140] Code: Bad RIP value.
[59253.808145] RIP [<00000000004016a7>] 0x4016a6
[59253.808155] RSP <ffff8801d1161d08>
[59253.808158] CR2: ffffffff81a00000
[59253.808162] ---[ end trace a7ace442feb7e225 ]---

It seems to me that it's fixed at least with my combination of kernel/drivers.

(Log in to post comments)

Privilege escalation vulnerability in the NVidia binary driver

Posted Aug 1, 2012 23:15 UTC (Wed) by corbet (editor, #1) [Link]

That is an oops listing. That doesn't say "fixed" to me at all; it says "the exploit doesn't quite work with this particular version of the kernel and the driver".

Privilege escalation vulnerability in the NVidia binary driver

Posted Aug 2, 2012 7:51 UTC (Thu) by THe_ZiPMaN (subscriber, #27460) [Link]

Yes, that was what I meant :)

Privilege escalation vulnerability in the NVidia binary driver

Posted Aug 10, 2012 8:48 UTC (Fri) by aigarius (subscriber, #7329) [Link]

The particular exploit code is not working anymore, but because there is an actual oops this means that the actual bug is not fixed and competent hackers can write a new exploit on the same bug. Or at least try to.

Privilege escalation vulnerability in the NVidia binary driver

Posted Aug 2, 2012 6:37 UTC (Thu) by Ricky123321 (guest, #86057) [Link]

Got the exact same behavior here on Squeeze but with kernel 3.2.0 amd64 and nvidia 295.59, both from the backports.

:(

Privilege escalation vulnerability in the NVidia binary driver

Posted Aug 2, 2012 10:42 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]

note the faulting insn: RIP: 0010:[<00000000004016a7>]

it's code in the *kernel's* code segment with a *userland* address (PaX/KERNEXEC and CR4.SMEP stop exactly this kind of exploit method, but this looks like a powerful bug, it could be exploited other ways). that is, the kernel is executing userland provided code, that's already proof for privilege escalation and the oops is due to the exploit's kernel payload not being bullet proof (something that's not hard to fix up, if that's your game).

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds