diff options
author | Olivier Fourdan <ofourdan@redhat.com> | 2023-03-13 11:08:47 +0100 |
---|---|---|
committer | Olivier Fourdan <ofourdan@redhat.com> | 2023-03-29 13:34:11 +0200 |
commit | 26ef545b3502f61ca722a7a3373507e88ef64110 (patch) | |
tree | 6fa51c493cb58ed90287dd6fe5f012335414524e | |
parent | 6153c71cfb4698f1a416266564ecc748e4a25f2c (diff) |
ZDI-CAN-19866/CVE-2023-1393
If a client explicitly destroys the compositor overlay window (aka COW),
we would leave a dangling pointer to that window in the CompScreen
structure, which will trigger a use-after-free later.
Make sure to clear the CompScreen pointer to the COW when the latter gets
destroyed explicitly by the client.
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
-rw-r--r-- | composite/compwindow.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/composite/compwindow.c b/composite/compwindow.c index 4e2494b86..b30da589e 100644 --- a/composite/compwindow.c +++ b/composite/compwindow.c @@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin) ret = (*pScreen->DestroyWindow) (pWin); cs->DestroyWindow = pScreen->DestroyWindow; pScreen->DestroyWindow = compDestroyWindow; + + /* Did we just destroy the overlay window? */ + if (pWin == cs->pOverlayWin) + cs->pOverlayWin = NULL; + /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/ return ret; } |