Nvidia is no longer in the console business, but for some reason the company decided to make a point about low…
Graphics chip maker Nvidia released a new version of its Unix driver on Friday in order to address a high-risk vulnerability that can be exploited by local users to gain root privileges on Linux systems.
The privilege escalation vulnerability fixed in the new 304.32 version of the Nvidia Unix driver 304.32 was publicly disclosed last Wednesday by Dave Airlie, a principal engineer in the graphics team at Linux vendor Red Hat.
The public disclosure was done at the request of an anonymous researcher who originally discovered the flaw and after Nvidia failed to respond to a private report about the vulnerability, Airlie said in an email sent to the Full Disclosure mailing list.
Airlie’s message also included proof-of-concept exploit code created by the anonymous researcher to demonstrate the vulnerability.
“We contacted Nvidia via their advertised security alias in June,” Airlie said Friday via email. “It appears there were some process issues on their end that may have meant our email didn’t get noticed.”
The vulnerability is present in the Nvidia Unix driver 295.59 and earlier versions, but the proof-of-concept exploit was designed for 64-bit Linux systems.
On Friday, Nvidia confirmed the existence of the vulnerability and released version 304.32 of the Nvidia Unix driver for Linux, FreeBSD and Solaris operating systems in order to address it. The new version also includes other changes that the company believes will prevent similar exploits in the future.
“Because any user with read and write access to the NVIDIA device files (which is needed to execute applications that use the GPU) could potentially exploit this vulnerability to gain access to arbitrary system memory, this vulnerability is classified as high risk by NVIDIA,” the company said in a technical support article.
However, despite the new release, the company still offers version 295.59 as primary download on its Unix drivers page.
In order to address the problem for users who can’t or don’t want to upgrade to the new driver version, the company also released a patch that can be applied manually to older drivers. Deploying it requires installing an older patch for a different vulnerability first.
However, unlike the new 304.32 version of the driver, the manual patch will break compatibility with the Linux CUDA debugger, a tool used by developers to debug code written for Nvidia’s CUDA hardware acceleration technology.
Linux vendors might release patched versions of older NVIDIA drivers that have been tested with different versions of their Linux distributions as well. These can be obtained through their respective update channels.
NVIDIA has fixed the vulnerability in its proprietary graphics driver for Unix systems that was publicly disclosed by Linux kernel and X.org developer Dave Airlie a few days ago; apparently, NVIDIA had already known about the hole for a month. To close it, the company has, along with other drivers, released driver version 304.32, which is being deployed via Nvidia’s knowledge base.
The new driver version is available for Linux as well as FreeBSD and Solaris, because earlier versions of the drivers for these systems are also affected. NVIDIA explained that the new version prevents attackers from using the same trickery to obtain root privileges that was used by the exploit Airlie released a few days ago; the new drivers also block user-space access to certain GPU registers which could be compromised in a similar way.
On its main driver page, NVIDIA continues to offer drivers that still contain the vulnerability; the company plans to close the hole in driver series 295, which is to be released this week. A source code patch for driver series 195, and 256 to 304, is available for those who are unable or unwilling to update to the new version. The patch fixes the hole by applying changes to the open source kernel module code; together with a proprietary driver component, this module is then compiled to create a kernel module that is suitable for the user’s Linux kernel.
Apple may have kicked the personal computer habit, but it can’t seem to get rid of the PC guys it used to hang out with.
We’ll find out how big a taste Monday. While Apple knows how to keep a secret, the Cupertino, Calif., company’s Macintosh computers are locked into Intel’s upgrade cycle.
To keep up, Apple will have to adopt the Intel ‘Ivy Bridge’ processors being snapped up by its competitors for Macs that will almost certainly be unveiled Monday at its annual developer conference in San Francisco.
A bigger mystery: how big a bite will Apple take of graphics chip specialist Nvidia’s latest offering?
Nvidia’s new ‘Kepler’ architecture can do more work, with less power, than competitor AMD’s offerings, says independent analyst Patrick Moorhead, and Nvidia is targeting a version of the new chip at thin and light notebooks such as Apple’s MacBook.
The challenge: Nvidia is also struggling with a shortage of manufacturing capacity at the contract manufacturer it relies on to crank out its processors, and Intel is building more graphics capabilities into the processors it sells for notebook computers.
How much of Apple’s Macintosh lineup will AMD, which plays a leading role in Apple’s Mac lineup now, retain?
We’ll know Monday who got the better of this technical tug-of-war.
Longer term, of course, Apple may not need to keep paying Intel or Nvidia forever.
Apple designs its iPhone and iPad processors are based on designs licensed from UK design house ARM. ARM-based chips can’t keep up with Intel in personal computers, yet; but they’re getting better.
Both Intel and Nvidia, plan on sticking around, however. Both companies are looking to longtime Apple rival Microsoft to break into the tablet business, with both companies pushing mobile processors capable of running the next version of Microsoft’s Windows software.