Re: Security hole: unsecure and strange behaviour of xorg
On Thu, Aug 13, 2009 at 10:41:20PM +0200, Hans-J. Ullrich wrote:
> Dear security team,
> for some time I have been watching a strange behaviour: contents of the last desktop are
> still somewhere in the RAM or video RAM and are strangely not deleted when I
> change to another window manager or reboot.
> Just before I start kdm or a new window manager, I see puzzled content from
> the desktop before.
> An example: when I ran XFCE, then rebooted, and wanted to start KDE, I saw kdm,
> then the splash screen of KDE, then the contents of the XFCE desktop, then KDE.
> The only way to get rid of this is to completely remove all power sources
> (including taking out the battery of the notebook) and start again.
> IMO this is strange, as these fragments of the old desktops might somehow block
> something, and they are of course a security hole.
> Reason? When that desktop data is still in memory after a reboot, it
> can of course be read by attackers. That data may leave behind unwanted
> information; for example you can see whom I follow on Twitter, who I am
> myself, and many other things which can be recognized from a desktop.
> As I said: shutting down a notebook does not delete it!!!
> A stolen notebook might show lots of unwanted information. And besides, I do
> not know how easy it is to get access to this data, as it is still there
> BEFORE X starts, and BEFORE a NEW window manager overwrites it.
> IMO this is a great security hole! A patch would be to make sure all data
> in video RAM is deleted when no X server is running any more.
> It would be nice if someone could give some background information on this.
> Thanks for reading this.
The nvidia binary driver at least does this. I don't know if any
others do. I think only certain versions do it and probably only on
certain video cards. I guess some systems don't reset video RAM on
reboots and such.
Now if turning off the machine (not suspend or hibernate) doesn't clear
it, then I am confused because I have no idea where this data is being
Don't forget, however, that RAM can hold its data for many minutes without
power, just not reliably. So it is quite possible to turn off the
machine for 5 minutes and still have the majority of the video ram
It seems Intel is affected too from what I can find on Google.
Some indications seem to point to 107_fedora_dont_backfill_bg_none.patch
being the problem (it was intended to speed things up by avoiding a
framebuffer access that would soon be overwritten with new data anyhow,
but caused ugly visual artifacts). I don't see that patch in Debian's
xorg though, so that doesn't seem to explain it.