NVIDIA UNIX driver -- ARGB cursor buffer overflow in "NoScanout" mode

2013-03-27T00:00:00
ID 1431F2D6-A06E-11E2-B9E0-001636D274F3
Type freebsd
Reporter FreeBSD
Modified 2013-03-27T00:00:00

Description

NVIDIA Unix security team reports:

When the NVIDIA driver for the X Window System is operated in "NoScanout" mode, and an X client installs an ARGB cursor that is larger than the expected size (64x64 or 256x256, depending on the driver version), the driver will overflow a buffer. This can cause a denial of service (e.g., an X server segmentation fault), or could be exploited to achieve arbitrary code execution. Because the X server runs as setuid root in many configurations, an attacker could potentially use this vulnerability in those configurations to gain root privileges.