Vigil@nce - NVIDIA UNIX GPU Driver: buffer overflow of NoScanout
April 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can generate a buffer overflow in the NoScanout mode of
the NVIDIA UNIX GPU Driver, in order to trigger a denial of service,
and possibly to execute code.
– Impacted products: Unix (platform)
– Severity: 2/4
– Creation date: 04/04/2013
DESCRIPTION OF THE VULNERABILITY
The NoScanout mode of the NVIDIA driver for X Window can be enabled,
for example, with the following configuration directive:
Option "UseDisplayDevice" "none"
Users who are connected to the X server can change the mouse
cursor. The cursor is defined by an array containing ARGB (Alpha,
Red, Green, Blue) values for each pixel. This array has a size of,
for example, 64x64 or 256x256 pixels.
However, in NoScanout mode, if the array is too large, an overflow
occurs in the NVIDIA driver.
An attacker can therefore generate a buffer overflow in the NoScanout
mode of the NVIDIA UNIX GPU Driver, in order to trigger a denial of
service, and possibly to execute code with root (X Window)
privileges.
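To find out whether a host runs the driver in the mode described above, the X configuration can be audited for the directive. The script below is an added example, not part of the Vigil@nce bulletin or of NVIDIA's tooling; the default file locations and the sample configuration are assumptions of this example.

```python
import glob, re, sys

# Active `Option "name" ["value"]` entry; lines that start with '#' never match.
OPTION_RE = re.compile(r'^\s*Option\s+"([^"]*)"(?:\s+"([^"]*)")?', re.IGNORECASE)
SECTION_RE = re.compile(r'^\s*Section\s+"([^"]*)"', re.IGNORECASE)
END_RE = re.compile(r'^\s*EndSection\b', re.IGNORECASE)

def _norm(s):
    # xorg.conf(5): option names are case-insensitive, whitespace and '_' ignored.
    # Applying the same rule to the value is a conservative choice of this example.
    return re.sub(r'[\s_]', '', s).lower()

def find_noscanout(conf_text):
    """Return (line_no, section, line) for each active UseDisplayDevice "none"."""
    hits, section = [], None
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif END_RE.match(line):
            section = None
        else:
            m = OPTION_RE.match(line)
            if (m and _norm(m.group(1)) == "usedisplaydevice"
                    and _norm(m.group(2) or "") == "none"):
                hits.append((no, section, line.strip()))
    return hits

# Constructed sample, not taken from a real host.
SAMPLE_CONF = '''\
Section "Screen"
    Identifier "Screen0"
    # Option "UseDisplayDevice" "none"
    Option     "use_display_device" "None"   # headless compute node
EndSection
'''

if __name__ == "__main__":
    # Assumed default locations; pass other paths as arguments.
    paths = sys.argv[1:] or ["/etc/X11/xorg.conf", *glob.glob("/etc/X11/xorg.conf.d/*.conf")]
    for path in paths:
        try:
            with open(path, errors="replace") as fh:
                for no, section, line in find_noscanout(fh.read()):
                    print(f"{path}:{no}: [{section}] {line}")
        except OSError as exc:
            print(f"{path}: {exc}", file=sys.stderr)
```

A hit means NoScanout mode is configured on that host, so the driver should be checked against the vendor's fixed versions first.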
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/NVIDIA-UNIX-GPU-Driver-buffer-overflow-of-NoScanout-12603