Skip to content
Snippets Groups Projects
Commit 26ef545b authored by Olivier Fourdan's avatar Olivier Fourdan :tools:
Browse files

composite: Fix use-after-free of the COW 


ZDI-CAN-19866/CVE-2023-1393

If a client explicitly destroys the compositor overlay window (aka COW),
we would leave a dangling pointer to that window in the CompScreen
structure, which will trigger a use-after-free later.

Make sure to clear the CompScreen pointer to the COW when the latter gets
destroyed explicitly by the client.

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: default avatarOlivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Adam Jackson's avatarAdam Jackson <ajax@redhat.com>
parent 6153c71c
No related branches found
No related tags found
1 merge request!1103composite: Fix use-after-free of the COW
Hide whitespace changes
Inline Side-by-side
Showing
with 5 additions and 0 deletions
composite/compwindow.c
+ 5
0
View file @ 26ef545b
...@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin) ...@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
ret = (*pScreen->DestroyWindow) (pWin); ret = (*pScreen->DestroyWindow) (pWin);
cs->DestroyWindow = pScreen->DestroyWindow; cs->DestroyWindow = pScreen->DestroyWindow;
pScreen->DestroyWindow = compDestroyWindow; pScreen->DestroyWindow = compDestroyWindow;
/* Did we just destroy the overlay window? */
if (pWin == cs->pOverlayWin)
cs->pOverlayWin = NULL;
/* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/ /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
return ret; return ret;
} }
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment