Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP4
xorg-x11-server.32147
U_xserver-composite-Fix-use-after-free-of-the-C...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File U_xserver-composite-Fix-use-after-free-of-the-COW.patch of Package xorg-x11-server.32147
From 947bd1b3f4a23565bf10879ec41ba06ebe1e1c76 Mon Sep 17 00:00:00 2001 From: Olivier Fourdan <ofourdan@redhat.com> Date: Mon, 13 Mar 2023 11:08:47 +0100 Subject: [PATCH xserver] composite: Fix use-after-free of the COW ZDI-CAN-19866/CVE-2023-1393 If a client explicitly destroys the compositor overlay window (aka COW), we would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later. Make sure to clear the CompScreen pointer to the COW when the latter gets destroyed explicitly by the client. This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Adam Jackson <ajax@redhat.com> --- composite/compwindow.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/composite/compwindow.c b/composite/compwindow.c index 4e2494b86..b30da589e 100644 --- a/composite/compwindow.c +++ b/composite/compwindow.c @@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin) ret = (*pScreen->DestroyWindow) (pWin); cs->DestroyWindow = pScreen->DestroyWindow; pScreen->DestroyWindow = compDestroyWindow; + + /* Did we just destroy the overlay window? */ + if (pWin == cs->pOverlayWin) + cs->pOverlayWin = NULL; + /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/ return ret; } -- 2.40.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor