NVIDIA has fixed the vulnerability in its proprietary graphics driver for Unix systems that was publicly disclosed by Linux kernel and X.org developer Dave Airlie a few days ago; apparently, NVIDIA had already known about the hole for a month. To close it, the company has, along with other drivers, released driver version 304.32, which is being deployed via NVIDIA’s knowledge base.
The new driver version is available for Linux as well as FreeBSD and Solaris, because earlier versions of the drivers for these systems are also affected. NVIDIA explained that the new version prevents attackers from using the same trickery to obtain root privileges that was used by the exploit Airlie released a few days ago; the new drivers also block user-space access to certain GPU registers which could be compromised in a similar way.
On its main driver page, NVIDIA continues to offer drivers that still contain the vulnerability; the company plans to close the hole in driver series 295, which is to be released this week. A source code patch for driver series 195, and 256 to 304, is available for those who are unable or unwilling to update to the new version. The patch fixes the hole by applying changes to the open source kernel module code; together with a proprietary driver component, this module is then compiled to create a kernel module that is suitable for the user’s Linux kernel.