Bug#913467: nvidia-graphics-drivers: CVE‑2018‑6260: access to application data processed on the GPU through a side channel exposed by the GPU performance counters
Samuel Thibault
sthibault at debian.org
Sat Feb 23 10:48:07 GMT 2019
Control: severity -1 important
Hello,
Andreas Beckmann, le mer. 20 févr. 2019 12:41:10 +0100, a ecrit:
> On 2019-02-19 17:42, Moritz Muehlenhoff wrote:
> >> Unfortunately we have no idea - NVIDIA's security tracker was never
> >> updated after the initial mention of the CVE:
> >>
> >> https://nvidia.custhelp.com/app/answers/detail/a_id/4738
> >
> > Ack, we can revisit once more information is available.
>
> There was an upstream changelog entries that appeared for the 340.xx
> series in the 410.93 release:
>
> - Added a new kernel module parameter,
> NVreg_RestrictProfilingToAdminUsers,
> to allow restricting the use of GPU performance counters to system
> administrators only.
>
> but that was not announced afaik. That change should be in sid (410.xx)
> and experimental (415.xx) (but there haven't been 340/390 releases
> since). But the entry is again missing from the 418.xx beta upstream
> changelog, which could either indicate a missing upstream merge or a
> revert ...
At least in the meanwhile users have a way to avoid the issue, so
downgrading the bug severity.
(personally, I believe users shouldn't ever trust these GPUs for
security, and it's not a question of software)
Samuel
More information about the pkg-nvidia-devel
mailing list