NVIDIA distributions of Linux contain a vulnerability in nvdla_emu_task_submit, where unvalidated input may allow a local attacker to cause stack-based buffer overflow in kernel code, which may lead to escalation of privileges, compromised integrity and confidentiality, and denial of service.
In practical terms: the NVDLA (NVIDIA Deep Learning Accelerator) kernel driver shipped in NVIDIA's Linux distributions does not validate input handed to nvdla_emu_task_submit before it is processed on the kernel stack. A local attacker who can reach the driver's submission interface can overflow a fixed-size stack buffer in kernel context. Depending on what the overflow overwrites, the result ranges from a kernel crash (denial of service) to corruption of kernel control or data structures, which is the route to privilege escalation and loss of integrity and confidentiality. Because the overflowed buffer lives in kernel code, a successful exploit runs with full kernel privileges; the attacker does not need anything beyond local access that lets them open the NVDLA device.
Step 1: Trigger Preparation: The attacker obtains local access to a system running an unpatched NVDLA driver and confirms that their user can open the device node through which tasks are submitted. Without that access the bug is unreachable.
Step 2: Input Crafting: The attacker builds a task submission whose attacker-controlled fields (for example a count or length that the driver uses to size a copy) exceed what the on-stack buffer in nvdla_emu_task_submit can hold. Bytes beyond the buffer's capacity are laid out to land on whatever adjacent stack data the attacker wants to overwrite, such as saved registers or the saved return address.
Step 3: Payload Delivery: The crafted submission is passed to the driver through its normal user-facing interface (the ioctl or equivalent entry point that leads to nvdla_emu_task_submit). No special privilege is required beyond the ability to talk to the device.
Step 4: Buffer Overflow: nvdla_emu_task_submit copies or processes the input without checking it against the buffer's size, so the excess data spills past the buffer into adjacent kernel stack memory.
Step 5: Control of Execution: If the overwrite reaches the saved return address and the function returns without detecting the corruption, execution continues at an attacker-chosen kernel address. Note that on a kernel built with a stack protector the canary check fires first and the kernel panics, which still yields a denial of service; and with SMEP/SMAP enabled the kernel cannot simply jump into attacker-supplied userspace code, so an attacker needs a return-oriented chain built from existing kernel code or a data-only corruption, both of which are harder with KASLR in place.
Step 6: Privilege Escalation: Any code or data corruption the attacker achieves runs in kernel context, which is enough to grant the attacker's process root privileges, read or modify arbitrary kernel and user memory (integrity and confidentiality), or crash the system (availability).
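The pattern described in these steps, shown as an added C example that is not the NVDLA driver's code and does not reproduce its real structures: a task-submit handler receives a user-controlled count, and the unchecked version uses that count to size a copy into a fixed array on the kernel stack. The hardened version checks the count against the array's capacity before copying. The structure layout, the capacity of 8 entries, the `copy_from_user_model` stand-in for `copy_from_user()`, and the sample submissions are all assumptions constructed for the demonstration so it runs in user space.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity of the on-stack address array; the real driver's value is not reproduced here. */
#define MAX_TASK_ADDRS 8

/* Hypothetical submission structure a userspace caller hands to the driver. */
struct user_task_desc {
    uint32_t num_addrs;        /* attacker-controlled count */
    uint64_t addrs[64];        /* deliberately larger than MAX_TASK_ADDRS */
};

/* Stand-in for copy_from_user(): in this user-space model it is a plain memcpy that never faults. */
static int copy_from_user_model(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* How many bytes the unchecked pattern (len = num_addrs * sizeof(u64), no bounds check)
   would write past the end of a MAX_TASK_ADDRS-entry stack array. A non-zero result is
   exactly the overflow the steps above describe; we compute it rather than perform it. */
size_t unchecked_overflow_bytes(uint32_t num_addrs)
{
    size_t want = (size_t)num_addrs * sizeof(uint64_t);
    size_t have = (size_t)MAX_TASK_ADDRS * sizeof(uint64_t);
    return want > have ? want - have : 0;
}

/* Hardened handler: validate the user-supplied count before any copy into the stack array.
   On success, stores the sum of the submitted addresses in *out_sum (a stand-in for real work). */
int submit_task_checked(const struct user_task_desc *udesc, uint64_t *out_sum)
{
    uint64_t addrs[MAX_TASK_ADDRS];   /* the fixed-size kernel stack buffer being protected */
    uint32_t n;
    size_t len;
    uint64_t sum = 0;

    if (copy_from_user_model(&n, &udesc->num_addrs, sizeof(n)))
        return -EFAULT;

    /* The check the vulnerable pattern lacks: bound the count by the array capacity. */
    if (n == 0 || n > MAX_TASK_ADDRS)
        return -EINVAL;

    /* n <= MAX_TASK_ADDRS, so len <= sizeof(addrs) and the copy cannot overflow. */
    len = (size_t)n * sizeof(uint64_t);
    if (copy_from_user_model(addrs, udesc->addrs, len))
        return -EFAULT;

    for (uint32_t i = 0; i < n; i++)
        sum += addrs[i];
    *out_sum = sum;
    return 0;
}

/* Constructed sample inputs (not captured from a real system). */
const struct user_task_desc benign_desc  = { .num_addrs = 3,  .addrs = { 0x1000, 0x2000, 0x3000 } };
const struct user_task_desc crafted_desc = { .num_addrs = 64, .addrs = { 0 } };   /* oversized count */

int main(void)
{
    uint64_t sum = 0;

    printf("unchecked copy for num_addrs=64 would spill %zu bytes past the stack array\n",
           unchecked_overflow_bytes(crafted_desc.num_addrs));
    printf("checked handler, benign input: rc=%d sum=0x%llx\n",
           submit_task_checked(&benign_desc, &sum), (unsigned long long)sum);
    printf("checked handler, crafted input: rc=%d (expected -EINVAL=%d)\n",
           submit_task_checked(&crafted_desc, &sum), -EINVAL);
    return 0;
}
```

The fix is the single comparison of the count against the array capacity; everything after it is safe because the copy length is derived from a value already known to fit. In a real driver the same check must also cover any length field the hardware descriptor carries, not only the top-level count.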
The vulnerability lies in nvdla_emu_task_submit, the function in NVIDIA's Linux kernel driver that handles task submissions for the NVIDIA Deep Learning Accelerator (NVDLA). The root cause is missing bounds checking on user-supplied input: the function does not verify that the size (or the count that determines the size) of the data it processes fits the fixed-size buffer it allocates on the kernel stack, so a caller can write past the end of that buffer. The overwritten stack memory can include saved registers and the function's return address, which is what turns an overflow into control of kernel execution flow. Because the write happens in kernel context, a successful exploit yields kernel-level privileges and therefore complete compromise of the system; an unsuccessful one, for example one stopped by a stack canary, still crashes the kernel. The fix is to validate every attacker-influenced length and count against the destination buffer before any copy takes place.