An exploit has been found in the NVIDIA binary Linux X driver that allows an attacker to execute arbitrary code as root. The bug can be exploited remotely simply by visiting a malicious web page in a vulnerable X client. A proof-of-concept exploit is available. The open source “nv” driver is not affected by this exploit.
The overflow stems from the way the driver handles the XRender extension's glyph rendering. Any local or remote X client can gain root access using the exploit available above: with a short sequence of user-supplied glyphs (for example in Firefox via Flash, Java applets or embedded web fonts), the NVIDIA binary driver can be tricked into writing to an arbitrary location in memory, allowing execution of code with root privileges. Even a simple HTML input field with a long value can trigger the bug and cause a denial of service.
There are reports that the problem is fixed in the latest Beta drivers, and the open source “nv” driver is not affected. You should be able to revert to the “nv” driver by changing “nvidia” to “nv” in the Driver line of your X config.
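The workaround above, as an added example that is not part of the original post: a small POSIX shell script that checks an X config file for the proprietary driver and rewrites the Driver line inside the Device section to “nv”, keeping a backup. The config fragment is constructed for illustration; the file name and function names are my own assumptions, and the change only takes effect once the X server is restarted.

```shell
#!/bin/sh
# Constructed xorg.conf fragment (not from any real system): the Device
# section selects the proprietary "nvidia" driver.
SAMPLE_CONF="${TMPDIR:-/tmp}/xorg.conf.example"
cat > "$SAMPLE_CONF" <<'EOF'
Section "Device"
    Identifier  "Card0"
    Driver      "nvidia"
    BusID       "PCI:1:0:0"
EndSection

Section "Screen"
    Identifier  "Screen0"
    Device      "Card0"
EndSection
EOF

# uses_nvidia_driver FILE: succeeds if any line selects Driver "nvidia".
# Assumes the keyword is spelled "Driver" as in the usual config files.
uses_nvidia_driver() {
    grep -Eq '^[[:space:]]*Driver[[:space:]]+"nvidia"' "$1"
}

# switch_to_nv FILE: copy FILE to FILE.bak, then rewrite Driver "nvidia"
# to Driver "nv", but only inside Section "Device" ... EndSection blocks
# so that unrelated sections are left untouched. Writes via a temp file
# instead of sed -i, which is not portable across sed implementations.
switch_to_nv() {
    conf="$1"
    cp "$conf" "$conf.bak" || return 1
    sed '/^[[:space:]]*Section[[:space:]]*"Device"/,/^[[:space:]]*EndSection/ s/\(Driver[[:space:]]*\)"nvidia"/\1"nv"/' \
        "$conf" > "$conf.tmp" || return 1
    mv "$conf.tmp" "$conf"
}

# Stand-alone run: switch the sample config if it still names "nvidia".
if uses_nvidia_driver "$SAMPLE_CONF"; then
    echo "nvidia driver configured in $SAMPLE_CONF; switching to nv"
    switch_to_nv "$SAMPLE_CONF"
fi
```

Point the script at the real X config (for example /etc/X11/xorg.conf) and restart X to use the “nv” driver; the .bak copy lets you switch back once a fixed NVIDIA driver is installed.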
This exploit once again raises the issue of having proprietary, closed-source code, unaudited by peer review, present in the kernel. Had this problem been found in an open source piece of code, a patch would have been available within hours, if not minutes, and the risk would have been negated. There have been many calls for NVIDIA, going back to 2000, to open up the kernel module in question, and this will only add to those calls, but to be honest, I can’t see it happening anytime soon; they just wail on about trade secrets and the advantage their competitors (or competitor) would gain from this. I’m hoping that NVIDIA would like to prove me wrong!