composite: Fix use-after-free of the COW

ZDI-CAN-19866/CVE-2023-1393 If a client explicitly destroys the compositor overlay window (aka COW), we would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later. Make sure to clear the CompScreen pointer to the COW when the latter gets destroyed explicitly by the client. This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Adam Jackson <ajax@redhat.com> (cherry picked from commit 26ef545b3502f61ca722a7a3373507e88ef64110)
author: Olivier Fourdan <ofourdan@redhat.com> 2023-03-13 11:08:47 +0100
committer: Olivier Fourdan <ofourdan@redhat.com> 2023-03-29 14:20:26 +0200
commit: fb51d5dd53b02422ea3b6f36bd017488d41f472d (patch)
tree: 662f723a1d5f917fa9edecd9bf5bb0a58f7a9c77
parent: 6bed5cfd515b9634ecf73fb884e4ec3388e8b7eb (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/composite/compwindow.c b/composite/compwindow.c
index 73a1871a0..9a651636e 100644
--- a/composite/compwindow.c
+++ b/composite/compwindow.c
@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
     ret = (*pScreen->DestroyWindow) (pWin);
     cs->DestroyWindow = pScreen->DestroyWindow;
     pScreen->DestroyWindow = compDestroyWindow;
+
+    /* Did we just destroy the overlay window? */
+    if (pWin == cs->pOverlayWin)
+        cs->pOverlayWin = NULL;
+
 /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
     return ret;
 }
author	Olivier Fourdan <ofourdan@redhat.com>	2023-03-13 11:08:47 +0100
committer	Olivier Fourdan <ofourdan@redhat.com>	2023-03-29 14:20:26 +0200
commit	fb51d5dd53b02422ea3b6f36bd017488d41f472d (patch)
tree	662f723a1d5f917fa9edecd9bf5bb0a58f7a9c77
parent	6bed5cfd515b9634ecf73fb884e4ec3388e8b7eb (diff)