SECURITY PATCHES FOR CVE-2012-0946 IN THE NVIDIA LINUX DRIVER Q: What do the nvidia-blacklist-register-mapping-*.diff files do? A: The files that accompany this README can be used to patch the NVIDIA Linux driver to protect against vulnerability CVE-2012-0946. The vulnerability is described at: http://nvidia.custhelp.com/app/answers/detail/a_id/3109 Q: Do I need to apply this patch? A: Updated driver versions that close the vulnerability are available for download at http://www.nvidia.com/object/unix.html. If you already installed driver version 295.40, then no further action is necessary. The vulnerability is also fixed in newer drivers from releases 295 and later. If you are using an older driver, and are not able to upgrade to a driver version which contains the security fix, then the provided patches can be used to apply the security fix to your existing driver. Note that driver versions 295.40 and later contain additional changes beyond this patch, which allow the CUDA debugger to work correctly after fixing the security vulnerability, i.e., applying the patch closes the security vulnerability, but the patched driver will be incompatible with the CUDA debugger. Q: Where do I get the patch? A: The patch files should have accompanied this README file. If you received a copy of this README without the patch files, you can download them from: ftp://download.nvidia.com/XFree86/patches/security/CVE-2012-0946 Q: How do I apply the patch? A: Applying the patch is simple: just follow these easy steps: 1) Select and download the correct version of the patch for your driver. There are three separate versions of the patch: a) nvidia-blacklist-register-mapping-290-295.diff: for drivers from releases 290 and 295 MD5 aff18975d955e0a6f929a3b72d2c2202 SHA1 7c30a3147df02ab6018c593aac3ca70bcaf04ac5 b) nvidia-blacklist-register-mapping-256-285.diff: for drivers from releases 256 through 285 (inclusive) MD5 4ff4f7eccf32db9f2a08c50ded8903af SHA1 a97726f01a348550480ea9891f6c140ab8091b91 c) nvidia-blacklist-register-mapping-195.diff: for drivers from release 195 and earlier (There were no releases between 195 and 256.) MD5 458c680cced29bf63c3c1e61bd714eb9 SHA1 87d1e5aae1254b6146b2ad201e68bd12a0b73936 2) Locate your original .run installer file, or download a new copy. If you no longer have the installer file for your driver version, obtain a new copy from one of the following locations: http://www.nvidia.com/object/unix.html (archives section) ftp://download.nvidia.com/XFree86/ 3) Apply the patch to the driver installer. This is done using the "--apply-patch" commandline option, which takes the path to the patch file as an argument. As an example, to apply the patch to the installer for driver version 256.35 (32 bit), run: $ sh /path/to/NVIDIA-Linux-x86-256.35.run --apply-patch \ /path/to/nvidia-blacklist-register-mapping-256-285.diff This package will create a new installer package file with a name ending in "-custom.run". This file can be used to install the patched driver. 4) Run the patched installer. Run the custom installer that was created in step 3. Continuing from the example above: # sh /path/to/NVIDIA-Linux-x86-256.35-custom.run The custom installer will work just like the normal installer, and can take the same commandline options. As usual when installing the NVIDIA driver, this installer will need to be run as root, and while the GPU is not in use by X or any other application.