Bug#894338: nvidia-graphics-drivers: CVE-2018-6249, CVE-2018-6253: null pointer dereference and infinite recursion due to malformed shader

Luca Boccassi bluca at debian.org
Fri Mar 30 14:20:37 UTC 2018


On Fri, 2018-03-30 at 15:12 +0100, Luca Boccassi wrote:
> On Fri, 2018-03-30 at 13:10 +0100, Luca Boccassi wrote:
> > On Thu, 2018-03-29 at 12:54 +0100, Luca Boccassi wrote:
> > > Control: found -1 384.111-4
> > > Control: found -1 390.42-1
> > > Control: notfound -1 384.111
> > > 
> > > On Thu, 2018-03-29 at 11:11 +0100, Luca Boccassi wrote:
> > > > Source: nvidia-graphics-drivers
> > > > Version: 384.111
> > > > Severity: serious
> > > > Tags: security upstream
> > > > 
> > > > http://nvidia.custhelp.com/app/answers/detail/a_id/4649
> > > > 
> > > > CVE-2018-6249
> > > > 
> > > > NVIDIA GPU Display Driver contains a vulnerability in kernel mode
> > > > layer handler where a NULL pointer dereference may lead to denial
> > > > of service or potential escalation of privileges.
> > > > 
> > > > CVE-2018-6253
> > > > 
> > > > NVIDIA GPU Display Driver contains a vulnerability in the DirectX
> > > > and OpenGL Usermode drivers where a specially crafted pixel shader
> > > > can cause infinite recursion leading to denial of service.
> > > > 
> > > > Fixed versions:
> > > > 
> > > > R390	390.46
> > > > R384	384.125
> > > 
> > > Andreas,
> > > 
> > > I've tested 384.130 on Stretch and it seems to be working fine
> > > (I've only build-tested 390.48).
> > > 
> > > Is it worth going through backports or shall we just go directly
> > > to stretch-p-u given the CVE?
> > 
> > Sounds like I spoke too soon - I only tested the non-glvnd
> > installation. The glvnd one is borken (even with the symlink fix):
> > 
> > Mar 30 12:57:41 luca-desktop gnome-session[1152]: /usr/lib/gnome-session/gnome-session-check-accelerated-gl-helper: error while loading shared libraries: libGL.so.1: cannot open shared object file: No such file or directory
> > Mar 30 12:57:41 luca-desktop gnome-session[1152]: gnome-session-check-accelerated: GL Helper exited with code 32512
> > Mar 30 12:57:41 luca-desktop gnome-shell[1173]: Unable to initialize Clutter: Unable to initialize the Clutter backend: no available drivers found.
> > Mar 30 12:57:41 luca-desktop gnome-shell[1173]: Unable to initialize Clutter.
> > Mar 30 12:57:41 luca-desktop gnome-session[1152]: gnome-session-binary[1152]: WARNING: App 'org.gnome.Shell.desktop' exited with code 1
> > Mar 30 12:57:41 luca-desktop gnome-session-binary[1152]: WARNING: App 'org.gnome.Shell.desktop' exited with code 1
> > Mar 30 12:57:41 luca-desktop gnome-shell[1176]: Unable to initialize Clutter: Unable to initialize the Clutter backend: no available drivers found.
> > Mar 30 12:57:41 luca-desktop gnome-shell[1176]: Unable to initialize Clutter.
> > Mar 30 12:57:41 luca-desktop gnome-session[1152]: gnome-session-binary[1152]: WARNING: App 'org.gnome.Shell.desktop' exited with code 1
> > Mar 30 12:57:41 luca-desktop gnome-session[1152]: gnome-session-binary[1152]: WARNING: App 'org.gnome.Shell.desktop' respawning too quickly
> > Mar 30 12:57:41 luca-desktop gnome-session-binary[1152]: WARNING: App 'org.gnome.Shell.desktop' exited with code 1
> > Mar 30 12:57:41 luca-desktop gnome-session-binary[1152]: Unrecoverable failure in required component org.gnome.Shell.desktop
> > Mar 30 12:57:41 luca-desktop gnome-session-binary[1152]: WARNING: App 'org.gnome.Shell.desktop' respawning too quickly
> > Mar 30 12:57:41 luca-desktop gnome-session[1152]: Unable to init server: Could not connect: Connection refused
> > Mar 30 12:57:41 luca-desktop kernel: gnome-session-f[1178]: segfault at 0 ip 00007fa9db697e19 sp 00007ffebc6e5cb0 error 4 in libgtk-3.so.0.2200.11[7fa9db3b5000+700000]
> > 
> > Did I forget to update some path? In glx-alternatives perhaps?
> 
> I had forgotten to update glx-alt to the version in backports, d'oh. But
> after doing so Gnome still fails to start, with a different error:
> 
> Mar 30 15:10:49 luca-desktop org.gnome.Shell.desktop[1209]: libGL error: No matching fbConfigs or visuals found
> Mar 30 15:10:49 luca-desktop org.gnome.Shell.desktop[1209]: libGL error: failed to load driver: swrast
> Mar 30 15:10:49 luca-desktop org.gnome.Shell.desktop[1209]: X Error of failed request:  GLXBadContext
> Mar 30 15:10:49 luca-desktop org.gnome.Shell.desktop[1209]:   Major opcode of failed request:  154 (GLX)
> Mar 30 15:10:49 luca-desktop org.gnome.Shell.desktop[1209]:   Minor opcode of failed request:  6 (X_GLXIsDirect)
> Mar 30 15:10:49 luca-desktop org.gnome.Shell.desktop[1209]:   Serial number of failed request:  95
> Mar 30 15:10:49 luca-desktop org.gnome.Shell.desktop[1209]:   Current serial number in output stream:  94

It's because the updated glx-alternative-foo sets the libGL.so.1 symlink
to Mesa, even when update-glx --glx nvidia is used:

lrwxrwxrwx 1 root root 48 Mar 30 15:02 /etc/alternatives/glx--libGL.so.1-i386-linux-gnu -> /usr/lib/mesa-diverted/i386-linux-gnu/libGL.so.1
lrwxrwxrwx 1 root root 50 Mar 30 15:02 /etc/alternatives/glx--libGL.so.1-x86_64-linux-gnu -> /usr/lib/mesa-diverted/x86_64-linux-gnu/libGL.so.1

I guess that was done for glvnd? But this happens with the stretch-
backports version too, is that right?
Changing those symlinks manually to the nvidia version fixes the
problem.

Andreas, what should we do here for Stretch? If we update stretch to
384.130 we'll need the new glx-alternative too as they updated the
SONAMEs (a bit strange for an LTS branch), but as-is it will be borken,
unless I'm missing something.

-- 
Kind regards,
Luca Boccassi
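A small check for the state described above, added here as an example and not part of the bug report or of the glx-alternatives package: it resolves the glx--libGL.so.1-<triplet> alternatives links and reports any that point at a provider other than the one selected with update-glx. The Mesa path /usr/lib/mesa-diverted/<triplet>/ is the one quoted in the mail; the NVIDIA path pattern /usr/lib/<triplet>/nvidia/ and the demo tree are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: verify that the libGL.so.1
# alternatives links point at the provider selected with update-glx.
# Assumed layout: Mesa copies under /usr/lib/mesa-diverted/<triplet>/ (as
# quoted in the mail) and NVIDIA copies under /usr/lib/<triplet>/nvidia/.

# Classify a resolved link target as "mesa", "nvidia" or "unknown".
glx_provider_of() {
    case "$1" in
        */mesa-diverted/*) echo mesa ;;
        */nvidia/*)        echo nvidia ;;
        *)                 echo unknown ;;
    esac
}

# check_glx_links <alternatives-dir> <expected-provider>
# Prints one line per link; returns 1 if any link points elsewhere.
check_glx_links() {
    altdir=$1; want=$2; rc=0
    for link in "$altdir"/glx--libGL.so.1-*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        got=$(glx_provider_of "$target")
        if [ "$got" = "$want" ]; then
            echo "OK       $(basename "$link") -> $target"
        else
            echo "MISMATCH $(basename "$link") -> $target (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed alternatives tree reproducing the broken state in the mail:
# both links resolve to Mesa although "update-glx --glx nvidia" was run.
make_demo_tree() {
    d=$(mktemp -d)
    for triplet in i386-linux-gnu x86_64-linux-gnu; do
        ln -s "/usr/lib/mesa-diverted/$triplet/libGL.so.1" \
              "$d/glx--libGL.so.1-$triplet"
    done
    echo "$d"
}

case "${1:-}" in
    --demo) demo=$(make_demo_tree)
            check_glx_links "$demo" nvidia   # reports MISMATCH for both
            rm -rf "$demo" ;;
    "")     echo "usage: $0 --demo | <alternatives-dir> [mesa|nvidia]" ;;
    *)      check_glx_links "$1" "${2:-nvidia}" ;;
esac
```

On a real system run it as `sh check-glx.sh /etc/alternatives nvidia`; a non-zero exit means the links were reset to Mesa, which is the state that produced the GLXBadContext errors above.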