
Bug#668780: pu: package nvidia-graphics-drivers/195.36.31-6squeeze1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release managers,

we would like to update the nvidia-graphics-drivers [non-free] package
in squeeze. There are two security patches from NVIDIA to be applied,
but since there is no security support for non-free, we target s-p-u.
Furthermore I updated bug-script and bug-control to collect more useful
information in bug reports.

  * Security fix (backported from 195.36.31-7).  (Closes: #609338)
    Apply upstream patch NVIDIA_kernel-260.19.34-778465.diff to fix
    information leak in the kernel module: kernel memory was returned
    uninitialized to user space.

  * CVE-2012-0946 (backported from 295.40-1):
    Add upstream patch nvidia-blacklist-register-mapping-195.diff:
    Closed a security vulnerability which made it possible for attackers to
    reconfigure GPUs to gain access to arbitrary system memory. For further
    details, see: http://nvidia.custhelp.com/app/answers/detail/a_id/3109

  * Let the bug-script collect detailed information about OpenGL and NVIDIA
    libraries and their symlinks, diversions and alternatives currently found
    on the system.  Also list files remaining from using the nvidia-installer.
    Report status of more related packages.

As a followup to this update the nvidia-graphics-modules package
(prebuilt binary kernel modules) needs to be updated, too.


Andreas
Index: debian/bug-script
===================================================================
--- debian/bug-script	(.../tags/195.36.31-6)	(revision 2917)
+++ debian/bug-script	(.../branches/195.36.31-squeeze)	(revision 2917)
@@ -2,25 +2,80 @@
 
 PATH=/sbin:$PATH
 
-cat << EOF >&3
-uname -a:
-`uname -a`
+export LC_ALL=C
 
-/proc/version:
-`cat /proc/version`
+exec >&3
 
-EOF
+echo "uname -a:"
+uname -a
+echo
 
-test ! -e /proc/driver/nvidia/version || cat << EOF >&3
-/proc/driver/nvidia/version: 
-`cat /proc/driver/nvidia/version`
+echo "/proc/version:"
+cat /proc/version
+echo
 
-EOF
+if [ -e /proc/driver/nvidia/version ]; then
+	echo "/proc/driver/nvidia/version:"
+	cat /proc/driver/nvidia/version
+	echo
+fi
 
 if (lspci --version) > /dev/null 2>&1; then
-  	echo "lspci 'VGA compatible controller [0300]':" >&3
+  	echo "lspci 'VGA compatible controller [0300]':"
 	for device in `lspci -mn | awk '{ if ($2 == "\"0300\"") { print $1 } }'`; do
-		LC_ALL=C lspci -vvnn -s $device >&3
+		LC_ALL=C lspci -vvnn -s $device
 	done
 fi
 
+if [ -x /bin/dmesg ]; then
+	echo "dmesg:"
+	dmesg | grep -iE 'nvidia|nvrm|agp|vga'
+	echo
+fi
+
+echo "OpenGL and NVIDIA library files installed:"
+ls -l	/etc/alternatives/glx* \
+	/etc/alternatives/nvidia* \
+	/etc/alternatives/*libGL* \
+	/usr/lib/libGL.* \
+	/usr/lib/libGLcore* \
+	/usr/lib/libnvidia* \
+	/usr/lib/*-linux-gnu/libGL.* \
+	/usr/lib/*-linux-gnu/libGLcore* \
+	/usr/lib/*-linux-gnu/libnvidia* \
+	/usr/lib32/libGL.* \
+	/usr/lib32/libGLcore* \
+	/usr/lib32/libnvidia* \
+	2>/dev/null
+
+ls -la	/usr/lib/nvidia/ \
+	/usr/lib/nvidia/*/ \
+	/usr/lib/*-linux-gnu/nvidia/ \
+	/usr/lib/*-linux-gnu/nvidia/*/ \
+	/usr/lib/mesa-diverted/ \
+	/usr/lib/mesa-diverted/*-linux-gnu/ \
+	/usr/lib32/nvidia/ \
+	/usr/lib32/nvidia/diversions/ \
+	/etc/X11/{xorg,nvidia}.conf \
+	/etc/X11/xorg.conf.d \
+	/var/log/Xorg.*.log* \
+	2>/dev/null
+echo
+
+echo "Files from nvidia-installer:"
+ls -la /usr/bin/nvidia-installer /usr/bin/nvidia-uninstall /var/lib/nvidia 2>/dev/null
+echo
+
+echo "Config and logfiles:"
+echo
+for file in /etc/X11/xorg.conf /etc/X11/xorg.conf.d/*.conf $(ls -dt /var/log/Xorg.*.log* 2>/dev/null | head -n 1)
+do
+	if [ -f "$file" ] && [ -r "$file" ]; then
+		echo "<<<<<<<<<< $file >>>>>>>>>>"
+		cat "$file"
+		echo "^^^^^^^^^^ $file ^^^^^^^^^^"
+		echo
+	fi
+done
+
+exit 0
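Review bot: `/etc/X11/{xorg,nvidia}.conf` in the second `ls -la` list relies on brace expansion, which POSIX sh does not perform. The interpreter line is outside this hunk, so if it is `#!/bin/sh` the argument is passed literally and both files silently drop out of the listing because of the trailing `2>/dev/null`; spell the two paths out. Two smaller points: the retained `LC_ALL=C` prefix on `lspci -vvnn -s $device` is redundant after `export LC_ALL=C`, and the script now attaches a `dmesg` excerpt, `xorg.conf`, the `xorg.conf.d` snippets and the newest Xorg log to what becomes a public bug report, so a short line telling the reporter what is being included would be worth adding.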
Index: debian/bug-control.in
===================================================================
--- debian/bug-control.in	(.../tags/195.36.31-6)	(revision 2917)
+++ debian/bug-control.in	(.../branches/195.36.31-squeeze)	(revision 2917)
@@ -1,3 +1,3 @@
-report-with: nvidia-glx#LEGACY# nvidia-kernel#LEGACY#-dkms nvidia-kernel#LEGACY#-source
+report-with: nvidia-glx#LEGACY# libgl1-nvidia#LEGACY#-glx xserver-xorg-video-nvidia#LEGACY# nvidia-alternative#LEGACY# nvidia-kernel#LEGACY#-dkms nvidia-kernel#LEGACY#-source glx-alternative-nvidia
 
-package-status: nvidia-glx#LEGACY# nvidia-kernel#LEGACY#-dkms nvidia-kernel#LEGACY#-source nvidia-kernel-common xserver-xorg xserver-xorg-core binutils binutils-gold linux-headers-2.6
+package-status: nvidia-glx#LEGACY# nvidia-kernel#LEGACY#-dkms nvidia-kernel#LEGACY#-source nvidia-glx-any libgl1-nvidia-glx-any libgl1-nvidia-glx-ia32-any xserver-xorg-video-nvidia-any nvidia-settings nvidia-xconfig nvidia-support nvidia-kernel-common xserver-xorg xserver-xorg-core linux-headers linux-headers-2.6 libdrm-nouveau1 libdrm-nouveau1a xserver-xorg-video-nouveau
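Review bot: the new `package-status:` line drops `binutils` and `binutils-gold`, which the old line reported, while the changelog only says "Report status of more related packages". If the removal is intentional, say so in the changelog; if not, keep both, since the linker in use is relevant when a kernel module fails to build.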
Index: debian/copyright
===================================================================
--- debian/copyright	(.../tags/195.36.31-6)	(revision 2917)
+++ debian/copyright	(.../branches/195.36.31-squeeze)	(revision 2917)
@@ -17,7 +17,7 @@
 
 Files: debian/*
 Copyright: 2001-2010 Randall Donald <rdonald@debian.org>
-           2009-2010 Andreas Beckmann <debian@abeckmann.de>
+           2009-2012 Andreas Beckmann <debian@abeckmann.de>
            2010 Russ Allbery <rra@debian.org>
            Based on packages by Christopher Cheney.
 License: GPL-2+
Index: debian/module/debian/patches/NVIDIA_kernel-260.19.34-778465.diff
===================================================================
--- debian/module/debian/patches/NVIDIA_kernel-260.19.34-778465.diff	(.../tags/195.36.31-6)	(revision 0)
+++ debian/module/debian/patches/NVIDIA_kernel-260.19.34-778465.diff	(.../branches/195.36.31-squeeze)	(revision 2917)
@@ -0,0 +1,66 @@
+Origin: upstream, http://developer.download.nvidia.com/misc/patches/sysmem_clear_on_allocation/sysmem_clear_on_allocation.zip
+Description: system memory clear on allocation
+ [From 260.19.36 upstream release notes:]
+ Updated the NVIDIA kernel module to ensure that all system memory allocated
+ by it for use with GPUs or within user-space components of the NVIDIA driver
+ stack is initialized to zero.
+Bug-Securityfocus: http://www.securityfocus.com/archive/1/515591/30/0
+Bug-Debian: http://bugs.debian.org/609338
+Applied-Upstream: 260.19.34
+Last-Updated: 2011-02-13
+
+README for system memory clear on allocation patch
+
+This feature is turned on by default in NVIDIA drivers v260.19.34 and later.  
+
+
+This patch has not been exhaustively tested again previous driver releases, but is expected to work for all v260.19.xx drivers and may work with older R260 and R195 drivers as well.
+
+
+To apply the patch to driver versions older than v260.19.34, follow the instructions below:
+
+
+ # sh /path/to/NVIDIA-Linux-x86-260.19.34.run \
+     --apply-patch /path/to/NVIDIA_kernel-260.19.34-778465.diff
+ ...
+ # sh ./NVIDIA-Linux-x86-260.19.34-custom.run
+
+
+The `--apply-patch` command line option extracts the .run file, applies the patch, and then rebuilds the .run file, appending `-custom' to the file name.
+
+
+The example shown above is for x86, but the process is the same for x86-64.
+
+diff -ru kernel/nv-vm.c kernel.778465/nv-vm.c
+--- kernel/nv-vm.c	2011-01-10 00:00:09.000000000 -0800
++++ kernel.778465/nv-vm.c	2011-01-12 15:20:32.512362735 -0800
+@@ -431,6 +431,9 @@
+     nvl = NV_GET_NVL_FROM_NV_STATE(nv);
+     dev = nvl->dev;
+     gfp_mask = (dev->dma_mask > 0xffffffff) ? NV_GFP_KERNEL : NV_GFP_DMA32;
++#if defined(__GFP_ZERO)
++    gfp_mask |= __GFP_ZERO;
++#endif
+ 
+     // allocate and prep contiguous pages up front if necessary
+     if (NV_ALLOC_MAPPING_CONTIG(at->flags))
+@@ -455,6 +458,9 @@
+                 "memory\n");
+             return -1;
+         }
++#if !defined(__GFP_ZERO)
++        memset(virt_addr, 0, (at->num_pages * PAGE_SIZE));
++#endif
+ 
+ #if defined(NV_SG_MAP_BUFFERS)
+         // for amd 64-bit platforms, remap pages to make them 32-bit addressable
+@@ -485,6 +491,9 @@
+                     "NVRM: VM: nv_vm_malloc_pages: failed to allocate a page\n");
+                 goto failed;
+             }
++#if !defined(__GFP_ZERO)
++            memset(virt_addr, 0, PAGE_SIZE);
++#endif
+         }
+ 
+         phys_addr = nv_get_kern_phys_address(virt_addr);
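Review bot: the README carried in the patch header says the change "has not been exhaustively tested" against previous releases and only "may work" with R195, and the inner hunks use line offsets from the 260.19.34 `nv-vm.c` (431, 455, 485), while this package is 195.36.31. Record in the DEP-3 header that the patch was checked against the 195.36.31 source, and confirm it applies without fuzz so that `gfp_mask |= __GFP_ZERO;` and the two fallback `memset` calls end up in the contiguous and per-page allocation paths they were written for. The upstream install instructions (`--apply-patch` on the .run file) do not apply to the Debian build and could be trimmed from the header.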
Index: debian/module/debian/patches/series
===================================================================
--- debian/module/debian/patches/series	(.../tags/195.36.31-6)	(revision 2917)
+++ debian/module/debian/patches/series	(.../branches/195.36.31-squeeze)	(revision 2917)
@@ -1,3 +1,5 @@
+NVIDIA_kernel-260.19.34-778465.diff
+nvidia-blacklist-register-mapping-195.diff -p3
 use-nv-kernel.o.ARCH.patch
 conditionally-include-linux_version.h.patch
 2.6.36-ioctl.patch
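Review bot: `nvidia-blacklist-register-mapping-195.diff -p3` is the only entry with a non-default strip level, needed because that patch uses `usr/src/nv/` paths. Either add a comment line in the series file explaining it or refresh the patch to the same path depth as the others, so a later quilt refresh does not quietly change how it applies.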
Index: debian/module/debian/patches/nvidia-blacklist-register-mapping-195.diff
===================================================================
--- debian/module/debian/patches/nvidia-blacklist-register-mapping-195.diff	(.../tags/195.36.31-6)	(revision 0)
+++ debian/module/debian/patches/nvidia-blacklist-register-mapping-195.diff	(.../branches/195.36.31-squeeze)	(revision 2917)
@@ -0,0 +1,34 @@
+diff -ur usr/src/nv/nv.c usr/src/nv/nv.c
+--- usr/src/nv/nv.c	2012-04-05 14:45:07.000000000 -0500
++++ usr/src/nv/nv.c	2012-04-05 14:45:07.000000000 -0500
+@@ -2548,6 +2548,12 @@
+     /* NV reg space */
+     if (IS_REG_OFFSET(nv, NV_VMA_OFFSET(vma), NV_VMA_SIZE(vma)))
+     {
++        if (IS_BLACKLISTED_REG_OFFSET(nv, NV_VMA_OFFSET(vma), NV_VMA_SIZE(vma)))
++        {
++            status = -EINVAL;
++            goto done;
++        }
++
+         if (nv_encode_caching(&vma->vm_page_prot,
+                               NV_MEMORY_UNCACHED,
+                               NV_MEMORY_TYPE_REGISTERS))
+diff -ur kernel/nv.h kernel/nv.h
+--- usr/src/nv/nv.h	2012-04-05 14:45:07.000000000 -0500
++++ usr/src/nv/nv.h	2012-04-05 14:45:07.000000000 -0500
+@@ -430,6 +430,14 @@
+              ((offset) >= (nv)->agp.address) &&                                \
+              (((offset) + ((length)-1)) <= (nv)->agp.address + ((nv)->agp.size-1)))
+ 
++#define IS_REG_RANGE_WITHIN_MAPPING(nv, roffset, rlength, moffset, mlength)    \
++             (((moffset) <= ((nv)->regs->address + ((roffset) + (rlength)-1))) &&\
++             (((moffset) + (mlength)-1) >= ((nv)->regs->address + (roffset))))
++
++#define IS_BLACKLISTED_REG_OFFSET(nv, offset, length)                          \
++             ((IS_REG_RANGE_WITHIN_MAPPING(nv, 0x1000, 0x1000, offset, length)) ||\
++             (IS_REG_RANGE_WITHIN_MAPPING(nv, 0x700000, 0x100000, offset, length)))
++
+ /* duplicated from nvos.h for external builds */
+ #ifndef NVOS_AGP_CONFIG_DISABLE_AGP
+ #  define NVOS_AGP_CONFIG_DISABLE_AGP (0x00000000)
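Review bot: this patch has no DEP-3 header, unlike NVIDIA_kernel-260.19.34-778465.diff, so CVE-2012-0946 and the NVIDIA advisory URL appear only in the changelog; add Origin, Description and the CVE reference at the top of the file. In `nv.h`, the ranges `0x1000, 0x1000` and `0x700000, 0x100000` in `IS_BLACKLISTED_REG_OFFSET` are unexplained magic numbers, and `IS_REG_RANGE_WITHIN_MAPPING` is really an overlap test (it is true when the mapping touches any part of the register range), which is the right behaviour for a blacklist but not what the name says; a one-line comment on both would help the next backporter. The second file header reads `diff -ur kernel/nv.h kernel/nv.h` while its `---`/`+++` lines use `usr/src/nv/nv.h`; harmless to patch, but worth making consistent.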
Index: debian/changelog
===================================================================
--- debian/changelog	(.../tags/195.36.31-6)	(revision 2917)
+++ debian/changelog	(.../branches/195.36.31-squeeze)	(revision 2917)
@@ -1,3 +1,21 @@
+nvidia-graphics-drivers (195.36.31-6squeeze1) stable-proposed-updates; urgency=medium
+
+  * Security fix (backported from 195.36.31-7).  (Closes: #609338)
+    Apply upstream patch NVIDIA_kernel-260.19.34-778465.diff to fix
+    information leak in the kernel module: kernel memory was returned
+    uninitialized to user space.
+  * CVE-2012-0946 (backported from 295.40-1):
+    Add upstream patch nvidia-blacklist-register-mapping-195.diff:
+    Closed a security vulnerability which made it possible for attackers to
+    reconfigure GPUs to gain access to arbitrary system memory. For further
+    details, see: http://nvidia.custhelp.com/app/answers/detail/a_id/3109
+  * Let the bug-script collect detailed information about OpenGL and NVIDIA
+    libraries and their symlinks, diversions and alternatives currently found
+    on the system.  Also list files remaining from using the nvidia-installer.
+    Report status of more related packages.
+
+ -- Andreas Beckmann <debian@abeckmann.de>  Fri, 13 Apr 2012 22:15:27 +0200
+
 nvidia-graphics-drivers (195.36.31-6) unstable; urgency=low
 
   * If both original and diverted file exist when removing obsolete
