`nvidia-dbus.conf` leads to high security concerns

I’m using Nvidia Linux driver 510.73.05 and found that nvidia-dbus.conf contains the following configuration:

```xml
<allow send_requested_reply="true"/>
<allow receive_requested_reply="true"/>
```

This will lead to all the dbus services on the OS being callable without explicit permissions.

BTW, dbus itself has had the same security issue before, see 18229 – send_requested_reply="true" allows all non-reply messages for details.


I have NVIDIA drivers 510.73.05 installed and I don’t have this file. Could it come from your distro/packager?

The absolute path is /usr/share/dbus-1/system.d/nvidia-dbus.conf.

I’m using the package from the Arch community repo.

But you can find the nvidia-dbus.conf if you extract the driver downloaded from
https://www.nvidia.com/Download/driverResults.aspx/188994/en-us

I have a full installation, the file is not here.

The absolute path on my system is /usr/share/dbus-1/system.d/nvidia-dbus.conf. I posted the wrong path in my previous reply.

And I downloaded NVIDIA-Linux-x86_64-510.73.05.run from the official download site and extracted it with the command `sh ./NVIDIA-Linux-x86_64-510.73.05.run --extract-only`; then I can find the nvidia-dbus.conf inside the extracted folder.

```
~/Downloads/NVIDIA-Linux-x86_64-510.73.05
❯ ls -lh nvidia-dbus.conf
-rw-r--r-- 1 kevin kevin 254  5月 7日 13:17 nvidia-dbus.conf

~/Downloads/NVIDIA-Linux-x86_64-510.73.05
❯ cat nvidia-dbus.conf
<busconfig>
  <type>system</type>
  <policy context="default">
    <allow own="nvidia.powerd.client"/>
    <allow own="nvidia.powerd.server"/>
    <allow send_requested_reply="true"/>
    <allow receive_requested_reply="true"/>
  </policy>
</busconfig>
```

I will try to install it in a VM to see whether the official driver would install the nvidia-dbus.conf or not.

```
find /  -xdev -type f | grep dbus | grep nvidia
./usr/share/doc/NVIDIA_GLX-1.0/nvidia-dbus.conf
```

Only in docs and it’s not used. Also this file does not match what you’ve got installed. Blame your packager.

The packager installed the nvidia-dbus.conf in the dbus config folder.

https://github.com/archlinux/svntogit-packages/blob/c3c4a88ae527da814f20aa4aafc247227ee7b77d/trunk/PKGBUILD#L225

Will report it to the packager manager.

It’s part of the Dynamic Boost feature,

https://download.nvidia.com/XFree86/Linux-x86_64/510.73.05/README/dynamicboost.html

Even if it’s not present by default it still needs to be implemented in a secure way.

Issue logged to the packager as well. FS#74894 : package nvidia-utils contains high security concerns.

As others have already mentioned, it’s part of the Dynamic Boost feature as stated in the docs, so no matter if a packager installs the file or the official docs advise people to do so (to my understanding the docs are also the main source for packagers), the outcome would be the same, and the issue has to be fixed on the nvidia side to ship a sane nvidia-dbus.conf with their installer which does not implicate any security issues. Note: On Exherbo Linux our nvidia-drivers package also installed this file (due to this issue temporarily disabled …)

FYI, this should be addressed by the latest round of NVIDIA driver security releases: Security Bulletin: NVIDIA GPU Display Driver - August 2022 | NVIDIA
This issue was assigned CVE-2022-31608.

I think the proper content for nvidia-dbus.conf is:

```xml
<busconfig>
  <type>system</type>
  <policy context="default">
    <allow own="nvidia.powerd.client"/>
    <allow own="nvidia.powerd.server"/>
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="error"/>
    <allow receive_requested_reply="true" receive_type="method_return"/>
    <allow receive_requested_reply="true" receive_type="error"/>
    <allow send_destination="nvidia.powerd.server"/>
    <allow receive_sender="nvidia.powerd.client"/>
  </policy>
</busconfig>
```
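An added example, not written by any poster in this thread and not NVIDIA's or a packager's code: a Python check for the pattern discussed above, an `<allow>` rule whose only criterion is `send_requested_reply` or `receive_requested_reply`, an attribute dbus-daemon ignores for non-reply messages. The function name is hypothetical, and the two sample inputs are the policies quoted in the thread.

```python
import xml.etree.ElementTree as ET

def unscoped_reply_rules(policy_xml):
    """Return (policy scope, direction, attributes) for every <allow> rule
    whose only match criterion is send/receive_requested_reply."""
    findings = []
    for policy in ET.fromstring(policy_xml).iter("policy"):
        # A <policy> is selected by context=, user=, group= or at_console=.
        scope = " ".join(f"{k}={v}" for k, v in policy.attrib.items())
        for rule in policy.findall("allow"):
            for direction in ("send", "receive"):
                flag = f"{direction}_requested_reply"
                if flag not in rule.attrib:
                    continue
                # Any other send_*/receive_* attribute narrows the rule.
                narrowed = any(k.startswith(direction + "_") and k != flag
                               for k in rule.attrib)
                if not narrowed:
                    findings.append((scope, direction, dict(rule.attrib)))
    return findings

# Sample input 1: the policy from driver 510.73.05, as quoted in the thread.
SHIPPED = """<busconfig>
  <type>system</type>
  <policy context="default">
    <allow own="nvidia.powerd.client"/>
    <allow own="nvidia.powerd.server"/>
    <allow send_requested_reply="true"/>
    <allow receive_requested_reply="true"/>
  </policy>
</busconfig>"""

# Sample input 2: the policy proposed in the last post of the thread.
PROPOSED = """<busconfig>
  <type>system</type>
  <policy context="default">
    <allow own="nvidia.powerd.client"/>
    <allow own="nvidia.powerd.server"/>
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="error"/>
    <allow receive_requested_reply="true" receive_type="method_return"/>
    <allow receive_requested_reply="true" receive_type="error"/>
    <allow send_destination="nvidia.powerd.server"/>
    <allow receive_sender="nvidia.powerd.client"/>
  </policy>
</busconfig>"""
if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("proposed", PROPOSED)):
        print(name, unscoped_reply_rules(text))
```

The same function can be run over the contents of each file under `/usr/share/dbus-1/system.d/` to find other packages that install this kind of rule.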