wok-current view xorg-server/stuff/CVE-2023-1393.patch @ rev 25634

Mass update, new toolchain gcc 8.3.0, glibc 2.28.0
author Stanislas Leduc <shann@slitaz.org>
date Sun Jan 14 08:12:37 2024 +0000 (20 months ago)
parents
children
line source
1 From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
2 From: Olivier Fourdan <ofourdan@redhat.com>
3 Date: Mon, 13 Mar 2023 11:08:47 +0100
4 Subject: [PATCH] composite: Fix use-after-free of the COW
5
6 ZDI-CAN-19866/CVE-2023-1393
7
8 If a client explicitly destroys the compositor overlay window (aka COW),
9 we would leave a dangling pointer to that window in the CompScreen
10 structure, which will trigger a use-after-free later.
11
12 Make sure to clear the CompScreen pointer to the COW when the latter gets
13 destroyed explicitly by the client.
14
15 This vulnerability was discovered by:
16 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
17
18 Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
19 Reviewed-by: Adam Jackson <ajax@redhat.com>
20 ---
21 composite/compwindow.c | 5 +++++
22 1 file changed, 5 insertions(+)
23
24 diff --git a/composite/compwindow.c b/composite/compwindow.c
25 index 4e2494b86b..b30da589e9 100644
26 --- a/composite/compwindow.c
27 +++ b/composite/compwindow.c
28 @@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
29 ret = (*pScreen->DestroyWindow) (pWin);
30 cs->DestroyWindow = pScreen->DestroyWindow;
31 pScreen->DestroyWindow = compDestroyWindow;
32 +
33 + /* Did we just destroy the overlay window? */
34 + if (pWin == cs->pOverlayWin)
35 + cs->pOverlayWin = NULL;
36 +
37 /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
38 return ret;
39 }
40 --
41 GitLab
42