Skip to content

Commit

Permalink
composite: Fix use-after-free of the COW
Browse files Browse the repository at this point in the history 
ZDI-CAN-19866/CVE-2023-1393

If a client explicitly destroys the compositor overlay window (aka COW),
we would leave a dangling pointer to that window in the CompScreen
structure, which will trigger a use-after-free later.

Make sure to clear the CompScreen pointer to the COW when the latter gets
destroyed explicitly by the client.

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
  • Loading branch information
@ofourdan @dcommander
ofourdan authored and dcommander committed Sep 14, 2023
1 parent 5af580c commit 8f2101c
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions unix/Xvnc/programs/Xserver/composite/compwindow.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -613,6 +613,11 @@ compDestroyWindow(WindowPtr pWin)
ret = (*pScreen->DestroyWindow) (pWin);
cs->DestroyWindow = pScreen->DestroyWindow;
pScreen->DestroyWindow = compDestroyWindow;

/* Did we just destroy the overlay window? */
if (pWin == cs->pOverlayWin)
cs->pOverlayWin = NULL;

/* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
return ret;
}
Expand Down

0 comments on commit 8f2101c

Please sign in to comment.