composite: Fix use-after-free of the COWHEAD master

ZDI-CAN-19866/CVE-2023-1393 If a client explicitly destroys the compositor overlay window (aka COW), we would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later. Make sure to clear the CompScreen pointer to the COW when the latter gets destroyed explicitly by the client. This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Adam Jackson <ajax@redhat.com>
author: Olivier Fourdan <ofourdan@redhat.com> 2023-03-13 11:08:47 +0100
committer: Olivier Fourdan <ofourdan@redhat.com> 2023-03-29 13:34:11 +0200
commit: 26ef545b3502f61ca722a7a3373507e88ef64110 (patch)
tree: 6fa51c493cb58ed90287dd6fe5f012335414524e
parent: 6153c71cfb4698f1a416266564ecc748e4a25f2c (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/composite/compwindow.c b/composite/compwindow.c
index 4e2494b86..b30da589e 100644
--- a/composite/compwindow.c
+++ b/composite/compwindow.c
@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
     ret = (*pScreen->DestroyWindow) (pWin);
     cs->DestroyWindow = pScreen->DestroyWindow;
     pScreen->DestroyWindow = compDestroyWindow;
+
+    /* Did we just destroy the overlay window? */
+    if (pWin == cs->pOverlayWin)
+        cs->pOverlayWin = NULL;
+
 /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
     return ret;
 }
author	Olivier Fourdan <ofourdan@redhat.com>	2023-03-13 11:08:47 +0100
committer	Olivier Fourdan <ofourdan@redhat.com>	2023-03-29 13:34:11 +0200
commit	26ef545b3502f61ca722a7a3373507e88ef64110 (patch)
tree	6fa51c493cb58ed90287dd6fe5f012335414524e
parent	6153c71cfb4698f1a416266564ecc748e4a25f2c (diff)