| From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001 |
| From: Olivier Fourdan <ofourdan@redhat.com> |
| Date: Mon, 13 Mar 2023 11:08:47 +0100 |
| Subject: [PATCH] composite: Fix use-after-free of the COW |
| |
| ZDI-CAN-19866/CVE-2023-1393 |
| |
| If a client explicitly destroys the compositor overlay window (aka COW), |
| we would leave a dangling pointer to that window in the CompScreen |
| structure, which will trigger a use-after-free later. |
| |
| Make sure to clear the CompScreen pointer to the COW when the latter gets |
| destroyed explicitly by the client. |
| |
| This vulnerability was discovered by: |
| Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |
| |
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |
| Reviewed-by: Adam Jackson <ajax@redhat.com> |
| |
| Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26ef545b3502f61ca722a7a3373507e88ef64110] |
| CVE: CVE-2023-1393 |
| Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> |
| --- |
| composite/compwindow.c | 5 +++++ |
| 1 file changed, 5 insertions(+) |
| |
| diff --git a/composite/compwindow.c b/composite/compwindow.c |
| index 4e2494b86b..b30da589e9 100644 |
| --- a/composite/compwindow.c |
| +++ b/composite/compwindow.c |
| @@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin) |
| ret = (*pScreen->DestroyWindow) (pWin); |
| cs->DestroyWindow = pScreen->DestroyWindow; |
| pScreen->DestroyWindow = compDestroyWindow; |
| + |
| + /* Did we just destroy the overlay window? */ |
| + if (pWin == cs->pOverlayWin) |
| + cs->pOverlayWin = NULL; |
| + |
| /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/ |
| return ret; |
| } |
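Review bot: The new `if (pWin == cs->pOverlayWin)` check resets only the pointer, and nothing in this hunk shows that later readers of `cs->pOverlayWin` tolerate NULL. It is worth confirming that every path which dereferences that field checks it first, otherwise the use-after-free turns into a NULL dereference. Placing the check after `(*pScreen->DestroyWindow) (pWin)` is fine, because `pWin` is only compared here and never dereferenced. Consider expanding the comment to say that a client can destroy the overlay window explicitly, as the commit message explains, since "Did we just destroy the overlay window?" does not tell a future reader why the pointer has to be cleared.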
| -- |
| GitLab |
| |