From 8f2101c788484b352e398d6afaf2d1a80fe31f59 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan
Date: Mon, 13 Mar 2023 11:08:47 +0100
Subject: [PATCH] composite: Fix use-after-free of the COW

ZDI-CAN-19866/CVE-2023-1393

If a client explicitly destroys the compositor overlay window (aka COW), we would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later.

Make sure to clear the CompScreen pointer to the COW when the latter gets destroyed explicitly by the client.

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Olivier Fourdan
Reviewed-by: Adam Jackson
---
 unix/Xvnc/programs/Xserver/composite/compwindow.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/unix/Xvnc/programs/Xserver/composite/compwindow.c b/unix/Xvnc/programs/Xserver/composite/compwindow.c
index 54b4e6ac4..8db9d033b 100644
--- a/unix/Xvnc/programs/Xserver/composite/compwindow.c
+++ b/unix/Xvnc/programs/Xserver/composite/compwindow.c
@@ -613,6 +613,11 @@ compDestroyWindow(WindowPtr pWin)
     ret = (*pScreen->DestroyWindow) (pWin);
     cs->DestroyWindow = pScreen->DestroyWindow;
     pScreen->DestroyWindow = compDestroyWindow;
+
+    /* Did we just destroy the overlay window? */
+    if (pWin == cs->pOverlayWin)
+        cs->pOverlayWin = NULL;
+
     /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
     return ret;
 }
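Review bot: The added comment `/* Did we just destroy the overlay window? */` restates the condition below it but not why the pointer must be dropped here, which is the whole reason for the change; a later reader will not know that this covers a client destroying the COW directly rather than the compositor's own overlay teardown. I would make it `/* A client may destroy the COW directly (not via the compositor's own teardown); drop the cached pointer so later code cannot reach the freed window (CVE-2023-1393). */`. The guard itself is correct as written: pWin is non-NULL at this point, so the comparison is also safe when cs->pOverlayWin is already NULL. The head of compDestroyWindow, where `cs` and `pScreen` are obtained, lies outside the hunk, so whether `cs` can be NULL on this path cannot be checked from here; the hunk's placement after the chained DestroyWindow call looks fine, since the clearing does not depend on the lower layer's result.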