07-06-2017, 01:36 PM   #1
LenHoff
Member
 
Registered: Mar 2017
Posts: 92

Rep: Reputation: Disabled
Does Nvidia driver update apply only to specific Linux kernel versions


Information is a little sparse & for future reference I'm trying to understand info listed in Mint updater (or how Nvidia's security info is presented).

Mint's updater - nvidia-graphics-drivers-340 (340.102-0ubuntu0.16.04.1) xenial, cites CVE-2017-0318 (LP: #1659586). Which I read https://nvd.nist.gov/vuln/detail/CVE...scriptionTitle.

Mint's updater also indicates 340.102 applied patches to kernel 4.9 & 4.10, but it doesn't indicate if CVE-2017-0318 applies to earlier kernel versions. (Again, trying to understand how this data is presented).

Find Nvidia's page for CVE-2017-0318 (LP: #1659586) - here: http://www.nvidia.com/object/product-security.html, and the link that includes info on CVE-2017-0318 (http://nvidia.custhelp.com/app/answers/detail/a_id/4398)...

...it also mentions *CVE-2017-0309,* further down the page (http://nvidia.custhelp.com/app/answers/detail/a_id/4398) under "Affected Products" - appears to affect Linux + (in my case) GeForce.

But CVE-0309 isn't mentioned anywhere else for the 340.102 driver (that I see), but the table on Nvidia's site seems to indicate CVE-0309 also affected GeForce running the 340.x driver branch.
Really can't make sense of it.
Maybe -0309 applies to an earlier driver series - before 340.x? - but how to decipher this data?

I can't tell if CVE-2017-0309 applies to GeForce *and* kernel 4.40.x. Did Mint updater just leave out info on CVE-0309 and / or which kernels are affected, or are kernel versions irrelevant here?

The Nvidia table farther down on http://nvidia.custhelp.com/app/answers/detail/a_id/4398, for "Fixes > Linux", lists Products (specifically GeForce), the OS and "1st Version Including the Fix."
I don't know which driver branches listed apply to GeForce. It appears possibly all? IF SO, why isn't CVE-2017-0309 mentioned in the 340.102 update?

Do ALL the CVEs at top of that page (incl. 2017-0309) apply to ALL GeForce, using any of the 5 listed driver branches: R378, R375, R340, R304?

Thanks.
 
07-07-2017, 08:09 PM   #2
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Rep: Reputation: 1015
Because it's an upstream fix. Nvidia uses a unified driver architecture. So, if it fixes the driver all the drivers are fixed. But you might want to just copy and paste your post to the nVidia forum on nVidia.com.
 
07-18-2017, 01:47 PM   #3
LenHoff
Member
 
Registered: Mar 2017
Posts: 92

Original Poster
Rep: Reputation: Disabled
AwesomeMachine,
You may be right, but "if it fixes the driver all the drivers are fixed," seems cloudy whether all newer unified drivers would affect all older devices, making it pointless to update, in some cases.

I'll try Nvidia forum or support.
Lots of new drivers state the changes & fixes only apply to certain features - not just for Nvidia.

All "GFX" models may technically use the same 340.xx driver series, but some driver changes may only affect later or higher end models. Mfg's explanations are often confusing.
 
07-18-2017, 04:25 PM   #4
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Rep: Reputation: 1015
The idea is to fix the vulnerability for all currently supported and affected devices. Nvidia is not going to fix the problem for only some of its supported products. If the fix is still needed in driver updates--which it may or may not be--nvidia must include it for all the affected devices.

Otherwise they'd get a horrible reputation! Newer driver versions don't support the oldest devices of older driver versions. If the driver is fixed, it's fixed for all the devices it supports. Anything else would be sheer chaos!

The same version of the driver receives numerous updates. So, it's not only later versions that are updated. And, unless you are at risk for the type of attack in CVE-2017-0318, then I wouldn't worry about it, because you must be specifically targeted for it to happen.
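
Added example (not part of any post in this thread, and not NVIDIA's or Mint's tooling): the question in this thread comes down to whether an installed driver release is at or past the first fixed release of its own branch. The sketch treats 340.102 as that release for the 340 branch because the Mint changelog quoted in the first post attaches CVE-2017-0318 to it; the function names are made up here and all other version strings are constructed inputs.

```shell
#!/bin/sh
# Added example. Only "340.102" and "340.102-0ubuntu0.16.04.1" come from the
# thread; every other version string used with this script is constructed.

# Strip distro packaging: "340.102-0ubuntu0.16.04.1" -> "340.102"
upstream_version() {
    v=${1#*:}                      # drop an epoch prefix such as "1:"
    printf '%s\n' "${v%%-*}"       # drop the "-0ubuntu..." revision
}

# Driver branch is the leading number: "340.102" -> "340"
driver_branch() {
    printf '%s\n' "${1%%.*}"
}

# version_ge A B: succeed if A >= B, comparing dot-separated fields as
# integers. A plain string comparison would rank 340.98 above 340.102.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        [ "$a" = "$fa" ] && a= || a=${a#*.}
        [ "$b" = "$fb" ] && b= || b=${b#*.}
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
    done
    return 0
}

# fix_status INSTALLED_PKG_VERSION FIRST_FIXED
# Prints "fixed", "not-fixed", or "other-branch". A first-fixed release only
# says something about its own branch; for another branch, look up that
# branch's row in the vendor bulletin instead.
fix_status() {
    inst=$(upstream_version "$1")
    if [ "$(driver_branch "$inst")" != "$(driver_branch "$2")" ]; then
        echo "other-branch"
    elif version_ge "$inst" "$2"; then
        echo "fixed"
    else
        echo "not-fixed"
    fi
}

# Stand-alone use: ./check.sh 340.102-0ubuntu0.16.04.1 340.102
if [ "$#" -eq 2 ]; then fix_status "$1" "$2"; fi
```

On a Debian-family system the installed package version can be read with `dpkg-query -W -f='${Version}' <package>`; the first argument is that string and the second is the first-fixed release for the same branch.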
 
  

