|
1
|
+From 947bd1b3f4a23565bf10879ec41ba06ebe1e1c76 Mon Sep 17 00:00:00 2001
|
|
2
|
+From: Olivier Fourdan <ofourdan@redhat.com>
|
|
3
|
+Date: Mon, 13 Mar 2023 11:08:47 +0100
|
|
4
|
+Subject: [PATCH xserver] composite: Fix use-after-free of the COW
|
|
5
|
+
|
|
6
|
+ZDI-CAN-19866/CVE-2023-1393
|
|
7
|
+
|
|
8
|
+If a client explicitly destroys the compositor overlay window (aka COW),
|
|
9
|
+we would leave a dangling pointer to that window in the CompScreen
|
|
10
|
+structure, which will trigger a use-after-free later.
|
|
11
|
+
|
|
12
|
+Make sure to clear the CompScreen pointer to the COW when the latter gets
|
|
13
|
+destroyed explicitly by the client.
|
|
14
|
+
|
|
15
|
+This vulnerability was discovered by:
|
|
16
|
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
17
|
+
|
|
18
|
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
19
|
+Reviewed-by: Adam Jackson <ajax@redhat.com>
|
|
20
|
+---
|
|
21
|
+ composite/compwindow.c | 5 +++++
|
|
22
|
+ 1 file changed, 5 insertions(+)
|
|
23
|
+
|
|
24
|
+--- a/composite/compwindow.c
|
|
25
|
++++ b/composite/compwindow.c
|
|
26
|
+@@ -613,6 +613,11 @@ compDestroyWindow(WindowPtr pWin)
|
|
27
|
+ ret = (*pScreen->DestroyWindow) (pWin);
|
|
28
|
+ cs->DestroyWindow = pScreen->DestroyWindow;
|
|
29
|
+ pScreen->DestroyWindow = compDestroyWindow;
|
|
30
|
++
|
|
31
|
++ /* Did we just destroy the overlay window? */
|
|
32
|
++ if (pWin == cs->pOverlayWin)
|
|
33
|
++ cs->pOverlayWin = NULL;
|
|
34
|
++
|
|
35
|
+ /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
|
|
36
|
+ return ret;
|
|
37
|
+ } |
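Review bot: Resetting `cs->pOverlayWin` in compDestroyWindow replaces a dangling pointer with a NULL one, so the fix is only complete if every later reader of `cs->pOverlayWin` tolerates NULL. None of those readers are visible in this hunk, so that should be confirmed across the composite code before relying on this patch alone. The added comment asks a question instead of giving the reason for the reset; something like `/* Client destroyed the COW itself: drop the cached pointer so it cannot be used after the window is freed (CVE-2023-1393) */` would keep the rationale next to the code. The check runs after the wrapped `DestroyWindow` call and compares only the pointer value without dereferencing `pWin`, which is worth preserving if this block is ever extended. compDestroyWindow's body begins outside the hunk.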