CVE-2022-21816 NVIDIA vGPU software vulnerability details (7th Feb, 2022)

Preface: Beyond the traditional CVE risk-level criteria, how critical a vulnerability is also depends on the processing technique involved.

Background: NVIDIA vGPU software is a graphics virtualization platform that provides virtual machines (VMs) with access to NVIDIA GPU technology. To fulfill this design objective, it is necessary to enable a GPUDirect RDMA connection to NVIDIA GPUs on Linux. GPUDirect RDMA is a technology introduced in Kepler-class GPUs and CUDA 5.0 that enables a direct path for data exchange between the GPU and a third-party peer device using standard features of PCI Express. Examples of third-party devices are network interfaces, video acquisition devices and storage adapters.

To add GPUDirect RDMA support to a device driver, a small amount of address mapping code within the kernel driver must be modified. This code typically resides near existing calls to get_user_pages().

Vulnerability details: NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia[.]ko), where a user in the guest OS can cause a GPU interrupt storm on the hypervisor host, leading to a denial of service.

In computing, remote direct memory access (RDMA) is direct memory access from the memory of one computer into that of another without involving either one’s operating system. It is assumed that the software does not restrict, or incorrectly restricts, access to resources by unauthorized actors. As a result, it allows vulnerabilities to occur. For more details, please refer to the attached diagram.

Impact: Affected Vendor/Software: NVIDIA – NVIDIA Virtual GPU Software and NVIDIA Cloud Gaming, vGPU version 13.x (prior to 13.2), version 11.x (prior to 11.7) and version 8.x (prior to 8.10).
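
The affected ranges above can be checked against a host inventory. The following is an added example, not code from NVIDIA or from the original post; the host names and inventory are constructed, and it assumes the vGPU software release of each host is already known as a "major.minor" string. Versions are compared as integer tuples so that 8.10 is correctly treated as newer than 8.9.

```python
import re

# First fixed release per affected branch, taken from the version list above.
FIXED = {13: (13, 2), 11: (11, 7), 8: (8, 10)}


def parse_version(text):
    """Parse 'major.minor' into a tuple of ints so that 8.10 sorts after 8.9."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised vGPU release: {text!r}")
    return int(m.group(1)), int(m.group(2))


def status(release):
    """Return 'affected', 'fixed' or 'not-listed' for a vGPU release string."""
    version = parse_version(release)
    fixed = FIXED.get(version[0])
    if fixed is None:
        # Branch is not named on this page; consult the vendor bulletin.
        return "not-listed"
    return "affected" if version < fixed else "fixed"


def triage(inventory):
    """Map host name -> status for a {host: release} inventory."""
    return {host: status(release) for host, release in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration; host names are hypothetical.
    sample = {
        "hv-01": "13.1",
        "hv-02": "13.2",
        "hv-03": "8.9",
        "hv-04": "8.10",
        "hv-05": "12.4",
    }
    for host, result in triage(sample).items():
        print(f"{host}: vGPU {sample[host]} -> {result}")
```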
