CUDA drivers/Linux security hole

2011.01.25

Credit: gran classic chem

Risk: Low

Local: Yes

Remote: No

CVE: CVE-2011-0636

CWE: CWE-200

CVSS Base Score: 2.1/10

Impact Subscore: 2.9/10

Exploitability Subscore: 3.9/10

Exploit range: Local

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: None

Availability impact: None

Hello,
We have recently found serious security breach in CUDA Linux drivers:
http://classic.chem.msu.su/cgi-bin/ceilidh.exe/gran/gamess/forum/?C35e9e
a936bHW-7675-1380-00.htm
http://classic.chem.msu.su/cgi-bin/ceilidh.exe/gran/gamess/forum/?C35e9e
a936bHW-7676-1022+00.htm
In brief, driver maps pinned memory to user space but does not initialize it to zero. As an example, our simplest "proof of concept" program was able to read large fragments of files being written or read by other users.
Kind regards,
Alex Granovsky
Firefly Project
http://classic.chem.msu.su/gran/firefly/

References:

http://xforce.iss.net/xforce/xfdb/64710

http://www.securitytracker.com/id?1024962

http://www.securityfocus.com/bid/45717

http://www.securityfocus.com/archive/1/archive/1/515591/100/0/threaded

http://secunia.com/advisories/42859

http://osvdb.org/70420

http://classic.chem.msu.su/cgi-bin/ceilidh.exe/gran/gamess/forum/?C35e9ea936bHW-7676-1022+00.htm184d

http://classic.chem.msu.su/cgi-bin/ceilidh.exe/gran/gamess/forum/?C35e9ea936bHW-7675-1380-00.htm

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

CUDA drivers/Linux security hole

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.