NVIDIA today put out an official Security Bulletin, noting multiple flaws found in their Windows and Linux drivers. The good news is that drivers are already out that fix the problems, which I’ll detail below.
Here are all the ones that affect Linux. Brace yourself, there are quite a few of them:
CVE‑2022‑34670 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause truncation errors when casting a primitive to a primitive of smaller size causes data to be lost in the conversion, which may lead to denial of service or information disclosure.
CVE‑2022‑42263 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an integer overflow may lead to denial of service or information disclosure.
CVE‑2022‑34676 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds read may lead to denial of service, information disclosure, or data tampering.
CVE‑2022‑42264 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause the use of an out-of-range pointer offset, which may lead to data tampering, data loss, information disclosure, or denial of service.
CVE‑2022‑34674 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where a helper function maps more physical pages than were requested, which may lead to undefined behavior or an information leak.
CVE‑2022‑34678 – NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged user can cause a null-pointer dereference, which may lead to denial of service.
CVE‑2022‑34679 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unhandled return value can lead to a null-pointer dereference, which may lead to denial of service.
CVE‑2022‑34680 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an integer truncation can lead to an out-of-bounds read, which may lead to denial of service.
CVE‑2022‑34677 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause an integer to be truncated, which may lead to denial of service or data tampering.
CVE‑2022‑34682 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause a null-pointer dereference, which may lead to denial of service.
CVE‑2022‑42257 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure, data tampering or denial of service.
CVE‑2022‑42265 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure or data tampering.
CVE‑2022‑34684 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an off-by-one error may lead to data tampering or information disclosure.
CVE‑2022‑42254 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, data tampering, or information disclosure.
CVE‑2022‑42258 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service, data tampering, or information disclosure.
CVE‑2022‑42255 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering.
CVE‑2022‑42256 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow in index validation may lead to denial of service, information disclosure, or data tampering.
CVE‑2022‑34673 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering.
CVE‑2022‑42259 – NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service.
There are also a few for NVIDIA vGPU, and they affect Tesla too. Some only affect Windows, so this isn’t a Linux-specific thing, but a lot of them are just in their Linux drivers.
As mentioned, the good news is that drivers are already out that solve them. For GeForce users you want minimum driver versions 525.60.11, 515.86.01, 510.108.03, 470.161.03 or 390.157. For RTX, Quadro or NVS you want a minimum driver version of 525.60.11, 515.86.01, 510.108.03, 470.161.03 or 390.157. To put it very simply, if you’re not using the very latest NVIDIA drivers in whatever series, update now: all versions prior to the drivers released on November 22nd are vulnerable.
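To check a machine against the minimum versions above, here is a small shell helper, added as an example and not taken from NVIDIA's bulletin. The function names are hypothetical, `sort -V` from GNU coreutils is assumed, and treating branches newer than 525 as fixed is an assumption.

```shell
#!/bin/sh
# Minimum fixed release per driver branch, as listed in the article.
FIXED_VERSIONS="525.60.11 515.86.01 510.108.03 470.161.03 390.157"

# version_ge A B: succeeds when A >= B in version order (GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_nvidia_driver VERSION (hypothetical helper name)
# Compares within the same branch only: a higher number from an unlisted
# branch (for example 520.x) is not evidence of a fix.
# Returns 0 = fixed, 1 = vulnerable, 2 = branch has no listed fixed release.
check_nvidia_driver() {
    installed=$1
    branch=${installed%%.*}
    for fixed in $FIXED_VERSIONS; do
        if [ "$branch" = "${fixed%%.*}" ]; then
            if version_ge "$installed" "$fixed"; then
                echo "$installed: fixed (>= $fixed)"
                return 0
            fi
            echo "$installed: VULNERABLE, update to $fixed or later"
            return 1
        fi
    done
    # Assumption: branches newer than 525 postdate the listed fixes.
    if [ "$branch" -gt 525 ] 2>/dev/null; then
        echo "$installed: newer branch than any listed, treated as fixed"
        return 0
    fi
    echo "$installed: branch '$branch' has no fixed release listed"
    return 2
}

# Stand-alone use: check the running driver when nvidia-smi is present.
if command -v nvidia-smi >/dev/null 2>&1; then
    running=$(nvidia-smi --query-gpu=driver_version --format=csv,noheader | head -n 1)
    check_nvidia_driver "$running" || true
fi
```

On hosts without `nvidia-smi`, pass the version string from your package manager or from `/proc/driver/nvidia/version` to `check_nvidia_driver` directly.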
Going by the bulletin page, the issues were public on November 28, but they’ve seemingly only just put out the security bulletin email.