mirror of
https://github.com/X11Libre/xserver.git
synced 2026-03-26 21:14:36 +00:00
564ccf2ce9
PointerWindows[] keeps a reference to the last window our sprite entered - changes are usually handled by CheckMotion(). If we switch between screens via XWarpPointer our dev->spriteInfo->sprite->win is set to the new screen's root window. If there's another window at the cursor location CheckMotion() will trigger the right enter/leave events later. If there is not, it skips that process and we never trigger LeaveWindow() - PointerWindows[] for the device still refers to the previous window. If that window is destroyed we have a dangling reference that will eventually cause a use-after-free bug when checking the window hierarchy later. To trigger this, we require: - two protocol screens - XWarpPointer to the other screen's root window - XDestroyWindow before entering any other window This is a niche bug so we hack around it by making sure we reset the PointerWindows[] entry so we cannot have a dangling pointer. This doesn't handle Enter/Leave events correctly but the previous code didn't either. CVE-2023-5380, ZDI-CAN-21608 This vulnerability was discovered by: Sri working with Trend Micro Zero Day Initiative Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Adam Jackson <ajax@redhat.com>