CVE-2014-5332: TEGRA LINUX KERNEL NVMAP VULNERABILITY
This technical bulletin provides information about a security vulnerability in Linux implementations, including those provided with NVIDIA® Vibrante™ Linux releases. A momentary use-after-free bug in NVMap can allow unprivileged user-mode software to gain root access.
Vulnerability Description:
A momentary use-after-free vulnerability in the NVMap component allows a single fixed bit to be cleared in a recycled memory structure. To take advantage of this vulnerability, an attacker needs to win the race condition that exists between the conversion of the FD to a handle structure pointer (one point in time) and the reference count increment on that handle structure (a later point in time), and force the handle structure's memory to be recycled by a kernel allocation in which the cleared bit can be leveraged for exploitation.
NVIDIA is not aware of any exploits that attempt to leverage this vulnerability.
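The two-step ordering the description above refers to, modelled as an added illustration (this is not NVMap source; the slab, fd table, lock and every function name are assumptions chosen to make the window visible). The vulnerable shape converts the fd to a pointer and leaves the reference count increment to a later step, so a concurrent close can free and recycle the object in between; the hardened shape takes the reference under the same lock that protects the fd-to-pointer mapping, and only while the object is still live:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the lookup-then-ref race pattern described in the
 * bulletin. Added illustration, not NVMap code: slab, fd table, lock and
 * names are all assumptions. */

#define NSLOTS 4

struct handle {
    int refcount;       /* 0 == freed; the slot may be handed out again */
    int generation;     /* incremented every time the slot is recycled */
};

static struct handle slab[NSLOTS];          /* recycled, never returned to the OS */
static struct handle *fd_table[NSLOTS];     /* fd -> handle, NULL when closed */
static int table_lock_held;                 /* stand-in for the fd-table lock */

static void table_lock(void)   { table_lock_held = 1; }
static void table_unlock(void) { table_lock_held = 0; }

static void reset_state(void) {
    for (int i = 0; i < NSLOTS; i++) {
        slab[i].refcount = 0;
        slab[i].generation = 0;
        fd_table[i] = NULL;
    }
}

/* The first free slab slot is reused: exactly the behaviour that lets a
 * stale pointer end up aimed at a different, live object. */
static struct handle *handle_alloc(void) {
    for (int i = 0; i < NSLOTS; i++) {
        if (slab[i].refcount == 0) {
            slab[i].refcount = 1;
            slab[i].generation++;
            return &slab[i];
        }
    }
    return NULL;
}

static void handle_put(struct handle *h) {
    if (--h->refcount < 0) h->refcount = 0;   /* keep the model well-defined */
}

static int fd_open(void) {
    struct handle *h = handle_alloc();
    if (!h) return -1;
    for (int fd = 0; fd < NSLOTS; fd++) {
        if (!fd_table[fd]) { fd_table[fd] = h; return fd; }
    }
    handle_put(h);
    return -1;
}

static void fd_close(int fd) {
    table_lock();
    struct handle *h = fd_table[fd];
    fd_table[fd] = NULL;
    table_unlock();
    if (h) handle_put(h);    /* dropping the last reference frees the object */
}

/* Vulnerable shape: fd -> pointer now, reference taken by the caller later.
 * Nothing pins the object across the gap. */
static struct handle *lookup_unsafe(int fd) {
    table_lock();
    struct handle *h = fd_table[fd];
    table_unlock();
    return h;
}

/* Hardened shape: the reference is taken under the lock that protects the
 * fd -> pointer mapping, and only while the object is still live (the
 * kref_get_unless_zero idiom), so a concurrent close cannot free it. */
static struct handle *lookup_safe(int fd) {
    table_lock();
    struct handle *h = fd_table[fd];
    if (h && h->refcount > 0) h->refcount++; else h = NULL;
    table_unlock();
    return h;
}

/* Replay the interleaving single-threaded: lookup, then the other thread's
 * close plus a fresh allocation that recycles the slot, then the deferred
 * refcount increment. Returns true when that deferred write landed on a
 * recycled object, i.e. the use-after-free window the bulletin describes. */
static bool replay_race(bool hardened) {
    reset_state();
    int fd = fd_open();
    struct handle *h = hardened ? lookup_safe(fd) : lookup_unsafe(fd);
    int seen_generation = h->generation;

    fd_close(fd);            /* racing thread wins: table reference dropped */
    int fd2 = fd_open();     /* an unrelated allocation reuses the slot */

    if (!hardened) h->refcount++;   /* the deferred step of the vulnerable path */
    bool stale = (h->generation != seen_generation);

    if (hardened) handle_put(h);    /* release the reference the safe lookup took */
    fd_close(fd2);
    return stale;
}

int main(void) {
    printf("vulnerable ordering wrote to a recycled object: %s\n", replay_race(false) ? "yes" : "no");
    printf("hardened ordering wrote to a recycled object:   %s\n", replay_race(true) ? "yes" : "no");
    return 0;
}
```

The generation counter is the detection aid here: in the vulnerable replay the deferred increment lands on an object whose generation has moved on, which is the condition a kernel sanitizer or a debug slab would flag, while the hardened lookup keeps the original object alive so the later allocation is forced into a different slot.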
Exploit Scope and Risk:
With sufficient effort and by winning the race condition, a single-bit modification in the appropriate kernel structure can be leveraged into a kernel privilege escalation, allowing for full kernel compromise.
Overall CVSS Score                      | 6.0
Impact Subscore                         | 10.0
  Confidentiality: Complete             | (C:C)
  Integrity: Complete                   | (I:C)
  Availability: Complete                | (A:C)
Exploitability Subscore                 | 1.5
  Access Vector: Local                  | (AV:L)
  Access Complexity: High               | (AC:H)
  Authentication: Single                | (Au:S)
Temporal Subscore                       | 4.7
  Exploitability: Proof of Concept Code | (E:POC)
  Remediation Level: Official fix       | (RL:OF)
  Report Confidence: Confirmed          | (RC:C)
NVIDIA is not aware of any public exploits that attempt to leverage this vulnerability.
Vulnerable Configurations:
The following releases have this vulnerability and are based on the Tegra Linux Kernel version 3.10.
Android:
  2014-01-23  Tegra BSP Release (19r11)
  2014-02-06  Tegra BSP Release (19r12)
  2014-02-20  Tegra BSP Release (19r13)
  2014-03-06  Tegra BSP Release (19r14)
  2014-03-20  Tegra BSP Release (19r15)
  2014-04-07  Tegra BSP Release (19r15.1)
  2014-05-02  Tegra BSP Release (19r16)
  2014-10-28  Tegra BSP Release (19r17)
  2014-02-20  Tegra BSP Release (20r1)
  2014-03-06  Tegra BSP Release (20r2)
  2014-03-20  Tegra BSP Release (20r3)
  2014-04-03  Tegra BSP Release (20r4)
  2014-04-17  Tegra BSP Release (20r5)
  2014-05-01  Tegra BSP Release (20r6)
  2014-05-15  Tegra BSP Release (20r7)
  2014-05-29  Tegra BSP Release (20r8)
  2014-09-03  Tegra BSP Release (21r7)
ChromeOS:
  Chrome OS R36
  Chrome OS R37
Vulnerability Discovery:
NVIDIA was alerted to this issue by Lee Campbell, Chrome Security, Google.
Resolution:
NVIDIA has released code fixes to upstream repositories and device vendors. NVIDIA recommends contacting the vendor of your device about any appropriate software updates.