Bug 942031 (CVE-2024-0126) - <x11-drivers/nvidia-drivers-{535.216.01:0/535,550.127.05:0/550} + nvidia-drivers:{0/525,0/560}: one vulnerability (CVE-2024-0126)
Status: RESOLVED FIXED
Alias: CVE-2024-0126
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: https://nvidia.custhelp.com/app/answe...
Whiteboard: A1 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2024-10-23 20:02 UTC by Ionen Wolkens
Modified: 2024-12-14 11:03 UTC

See Also:
Package list:
Runtime testing required: ---


Description Ionen Wolkens gentoo-dev 2024-10-23 20:02:43 UTC
CVE-2024-0126:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability which could allow a privileged attacker to escalate permissions. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Typically I describe the vulnerability in the summary when there is only one, but NVIDIA's description doesn't say much about it other than it could be bad.

To clarify status of the various branches:

0/525 and 0/560 are not mentioned by NVIDIA, but as far as I'm aware both are now unsupported branches and so are ignored by these pages. Should be safe to assume they are vulnerable and both branches will be dropped and users will have to switch to another.

0/470 is not mentioned, but is still supported. In theory *should* mean that it is not affected, being a legacy driver it's also quite different so it may be lacking what introduced this.. not that we have details to know for sure.

0/390 and 0/vulkan are permanently masked with a security notice and are not considered here.

The never affected 0/565 branch is due to replace 0/560 but given it is a beta it will not be keyworded at the moment (see bug #941991 comment #1), so ~arch users will be made to go back to the 0/550 production branch. They can otherwise opt-in 0/565 if they wish through package.accept_keywords which is likely to work better than buggy 0/560 if anything.

TODO summary:
  To drop:
  - nvidia-drivers-525.147.05-r1 (will be done soon)
  - nvidia-drivers-535.183.01-r1 (needs new stable)
  - nvidia-drivers-550.120 (needs new stable)
  - nvidia-drivers-560.35.03-r1 (will be done soon)
  To stabilize:
  - nvidia-drivers-535.216.01
  - nvidia-drivers-550.127.05
  (likely give it a week or so)
Comment 1 Larry the Git Cow gentoo-dev 2024-10-23 20:25:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a48d3dd0e2bd00466e892e3cd68125cc52d182d

commit 7a48d3dd0e2bd00466e892e3cd68125cc52d182d
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-10-23 20:10:59 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-10-23 20:24:44 +0000

    x11-drivers/nvidia-drivers: drop vuln 525.147.05-r1, 560.35.03-r1
    
    Both branches are unsupported and so did not get security updates.
    560 had short support due to being a New Feature Branch (NFB).
    
    Users of ~testing 560.35.03-r1 are expected to downgrade to the
    (newer) 550.127.05 version which is the next stable candidate if
    no problems.
    
    If for one reason or another the 550 branch was problematic for a user,
    they may optionally want to opt-in the ~565.57.01 beta instead which is
    not vulnerable (we do not keyword betas, see bug #941991 comment #1 --
    but it can be manually accepted).
    
    Users of 525.x are on their own, if *really* need that version and
    cannot upgrade due to regressions then will have to keep it in a local
    overlay. Alternatively the still supported 470.x may still be usable.
    
    (there are still other vulnerable versions to drop but these are
    awaiting stabilizations)
    
    Bug: https://bugs.gentoo.org/942031
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 x11-drivers/nvidia-drivers/Manifest                |  16 -
 .../nvidia-drivers-470.223.02-gpl-pfn_valid.patch  |  62 ---
 ...ia-drivers-525.116.04-clang-unused-option.patch |  17 -
 .../files/nvidia-drivers-525.147.05-gcc14.patch    |  32 --
 .../nvidia-drivers-525.147.05-r1.ebuild            | 585 --------------------
 .../nvidia-drivers-560.35.03-r1.ebuild             | 592 ---------------------
 6 files changed, 1304 deletions(-)
Comment 2 anna 2024-10-24 22:35:11 UTC
I was blindsided by being downgraded to 550 all of a sudden (sure, pebkac for not realizing what was going on while updating my system but I don't think it's reasonable to expect anyone to remember all the ridiculous numbers and tracks of the version numbers nvidia drivers are on), I have no idea why these drivers would be considered acceptable never mind a sane stable option. After the "update" to 550, logging in to plasma wayland would completely kill the video, and I had to use my steam deck to look up the problem and ssh in to my computer to troubleshoot this and make these changes. After getting it to work, explicit sync support is gone and playing games with it is a headache-inducing nightmare. I just figured out how to get 565 working and it is the experience I expect.

I know things are done a certain way or whatever but suddenly rugpulling working drivers with the pile of garbage that is the 550 drivers was a very hostile experience and it would be appreciated if a much less obnoxious way forward was found for dealing with this issue.
Comment 3 anna 2024-10-24 22:38:36 UTC
My apologies, I left out what the fix was to be able to even use my system at all with the drivers. If anyone else is having this problem, I had to add the following to the kernel boot parameters to be able to log in to plasma wayland:

nvidia_drm.modeset=1 nvidia_drm.fbdev=1
Comment 4 Paul Zander 2024-10-24 23:01:14 UTC
(In reply to anna from comment #2)
> I just figured out how to get 565 working and it is the experience I expect.
All on your own. No outside help.

And as I said before. They are stable under X.

The required kernel parameters are part of the pkg_postinst messages.
> "With USE=wayland, this version of nvidia-drivers sets nvidia-drm.modeset=1"
> "in '/etc/modprobe.d/nvidia.conf'. This feature is considered"
> "experimental but is required for wayland."
> 
> "If you experience issues, either disable wayland or edit nvidia.conf."
> "Of note, may possibly cause issues with SLI and Reverse PRIME."

And also clearly documented in /etc/modprobe.d/nvidia.conf. And only requires reading dispatch-conf output.

> # Kernel Mode Setting (notably needed for fbdev and wayland).
> # Enabling may possibly cause issues with SLI and Reverse PRIME.
> #options nvidia-drm modeset=1

So calling this rugpulling seems a bit dishonest when you ignore all the available information.
Comment 5 anna 2024-10-25 00:32:23 UTC
Yes, simply avoid all the landmines in a minefield you don't know you're in and no problems! Don't ask why the minefield is there in the first place.

I would MAYBE feel chastised if there was a news item I had failed to read or something, as is common for much less breaking changes than this. 

I don't want to get things too heated, that's what nvidia wants to deflect blame for their own garbage drivers. I really don't think it's too much to ask to make something that is such a breaking change just a little bit more obvious. I'm not trying to say I did everything right, obviously I missed a few things, but that's my entire point here. The consequences of the decisions made here were felt acutely by me and rather than just taking it and saying nothing, I wanted to note that this was an awful experience and I would have appreciated a bit more signposting, and the assumption that the 550 drivers were newer and therefore a saner choice is just flat out incorrect. I don't believe I'm the only one who has been on this driver series because pre-explicit sync, the nvidia drivers have been anywhere from a borderline to an outright unusable nightmare. Suddenly your graphical session doesn't work because in a flood of updates you didn't realize it was telling you to go back to using an unsupported, "idunno i guess you have to do this ? dont 5get to remove it later ha ha" workaround in your kernel commandline because I was shunted to a so-called "stable" version was an EXTREMELY bad experience on top of what was already a nightmare about bad times past suddenly becoming real again.

It sounds like I had missed that there were some security updates and a new driver track to switch to, which is also what I'm pointing out. Should there not be a way to inform those on these beta tracks when a new one is started? Isn't the eselect news there for informing us of these kinds of things? The whole point of the news articles is to inform you there is a new choice that needs to be made, of which this is. I REALLY don't think it's too much to ask to use the "there is a new choice to be made" announcement facility in the here-are-all-your-choices distro.
Comment 6 Larry the Git Cow gentoo-dev 2024-10-30 07:29:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b00539aae584ddae6e8f27509c05b83ae42e0eaf

commit b00539aae584ddae6e8f27509c05b83ae42e0eaf
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-10-30 07:12:48 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-10-30 07:28:25 +0000

    x11-drivers/nvidia-drivers: drop vulnerable 535.183.01-r1, 550.120
    
    All done wrt bug #942031.
    
    Bug: https://bugs.gentoo.org/942031
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 x11-drivers/nvidia-drivers/Manifest                |  16 -
 .../nvidia-drivers-535.183.01-r1.ebuild            | 585 ---------------------
 .../nvidia-drivers/nvidia-drivers-550.120.ebuild   | 576 --------------------
 3 files changed, 1177 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2722d77aed0b35704f9191ba3e30c3df3d280d47

commit 2722d77aed0b35704f9191ba3e30c3df3d280d47
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-10-30 07:11:22 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-10-30 07:11:22 +0000

    x11-drivers/nvidia-drivers: stabilize 550.127.05 for amd64
    
    Bug: https://bugs.gentoo.org/942031
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 x11-drivers/nvidia-drivers/nvidia-drivers-550.127.05.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35945d80d1992dbb008035e4004ed0face09c11d

commit 35945d80d1992dbb008035e4004ed0face09c11d
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-10-30 07:11:09 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-10-30 07:11:09 +0000

    x11-drivers/nvidia-drivers: stabilize 535.216.01 for amd64
    
    Bug: https://bugs.gentoo.org/942031
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 x11-drivers/nvidia-drivers/nvidia-drivers-535.216.01.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 7 Ionen Wolkens gentoo-dev 2024-11-19 19:50:08 UTC
(In reply to Ionen Wolkens from comment #0)
> 0/470 is not mentioned, but is still supported. In theory *should* mean that
> it is not affected, being a legacy driver it's also quite different so it
> may be lacking what introduced this.. not that we have details to know for
> sure.
Actually, I was wrong here.. I was pretty sure this still had a few years of support but seems support ended in September 2024... I guess it's time to have it go the way of 390.x and mask it. It is *likely* affected after all with no replacement for people with older hardware besides switching to nouveau.
Comment 8 Larry the Git Cow gentoo-dev 2024-11-19 20:34:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2d304ef99938e7d27b96cf8dfec07b2facd0de50

commit 2d304ef99938e7d27b96cf8dfec07b2facd0de50
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-11-19 20:22:24 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-11-19 20:33:31 +0000

    profiles: mask nvidia-drivers:0/470 EOL branch
    
    Much like we already for (still-in-tree) 0/390, mask message
    is mostly an updated copy/paste. I was under the impression
    EOL wasn't already reached but no... and there are already
    known security issues wrt bug #942031.
    
    As noted in the mask message, users are free to unmask for
    the time being but should be aware that it could be removed
    anytime (late 2026, or early 2027 are only tentative dates).
    
    So, before then should either switch to nouveau, try to get
    new hardware, or be prepared to be on your own to keep using
    these drivers (much like formerly removed 340.x), some overlays
    may possibly support these but well.
    
    Bug: https://bugs.gentoo.org/942031
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 profiles/package.mask | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
Comment 9 Larry the Git Cow gentoo-dev 2024-12-14 11:02:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=75999cf3645e45cf60bdeaf1621c235c071cf08b

commit 75999cf3645e45cf60bdeaf1621c235c071cf08b
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-12-14 11:01:53 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-12-14 11:02:33 +0000

    [ GLSA 202412-20 ] NVIDIA Drivers: Privilege Escalation
    
    Bug: https://bugs.gentoo.org/942031
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202412-20.xml | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
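
The branch status worked out in the description and in comment 7 can be turned into a local check. The script below is an added example, not part of the bug report or of Gentoo's tooling: it classifies a nvidia-drivers version against the fixed versions named in this bug. The function names and status labels are hypothetical; it assumes GNU `sort -V` and infers the branch from the major version, so the masked 0/vulkan slot is outside its scope.

```shell
#!/bin/sh
# Added example: classify x11-drivers/nvidia-drivers versions against the
# per-branch status recorded in this bug (CVE-2024-0126).
# Assumptions: GNU `sort -V`; branch inferred from the major version, so the
# masked 0/vulkan slot is not handled here.

# ver_lt A B: succeeds when version A sorts strictly before version B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print a status label (labels are this example's own) for one version.
cve_2024_0126_status() {
    ver=${1%-r[0-9]*}            # drop a Gentoo revision suffix such as -r1
    case ${ver%%.*} in
        535) fixed=535.216.01 ;;
        550) fixed=550.127.05 ;;
        525|560) echo vulnerable-eol; return 0 ;;     # unsupported, dropped
        470) echo likely-affected-eol; return 0 ;;    # masked, see comment 7
        390) echo masked-not-assessed; return 0 ;;    # not considered here
        565) echo not-affected; return 0 ;;
        *)   echo unknown; return 0 ;;
    esac
    if ver_lt "$ver" "$fixed"; then echo vulnerable; else echo fixed; fi
}

# Report every installed version found in the Portage VDB (default path).
installed_nvidia_report() {
    vdb=${1:-/var/db/pkg}
    for d in "$vdb"/x11-drivers/nvidia-drivers-[0-9]*; do
        [ -d "$d" ] || continue
        pv=${d##*/nvidia-drivers-}
        printf '%s %s\n' "$pv" "$(cve_2024_0126_status "$pv")"
    done
}

# Versions named in this bug, then whatever is installed on this machine.
for v in 525.147.05-r1 535.183.01-r1 535.216.01 550.120 550.127.05 560.35.03-r1; do
    printf '%s %s\n' "$v" "$(cve_2024_0126_status "$v")"
done
installed_nvidia_report
```
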