mirror of
https://gitlab.freedesktop.org/xorg/xserver.git
synced 2025-12-20 17:30:02 +01:00
3e290b3c7c
PointerWindows[] keeps a reference to the last window our sprite
entered - changes are usually handled by CheckMotion().
If we switch between screens via XWarpPointer our
dev->spriteInfo->sprite->win is set to the new screen's root window.
If there's another window at the cursor location CheckMotion() will
trigger the right enter/leave events later. If there is not, it skips
that process and we never trigger LeaveWindow() - PointerWindows[] for
the device still refers to the previous window.
If that window is destroyed we have a dangling reference that will
eventually cause a use-after-free bug when checking the window hierarchy
later.
To trigger this, we require:
- two protocol screens
- XWarpPointer to the other screen's root window
- XDestroyWindow before entering any other window
This is a niche bug so we hack around it by making sure we reset the
PointerWindows[] entry so we cannot have a dangling pointer. This
doesn't handle Enter/Leave events correctly but the previous code didn't
either.
CVE-2023-5380, ZDI-CAN-21608
This vulnerability was discovered by:
Sri working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 564ccf2ce9)
67 lines
2.6 KiB
C
67 lines
2.6 KiB
C
/*
|
|
* Copyright © 2008 Red Hat, Inc.
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining a
|
|
* copy of this software and associated documentation files (the "Software"),
|
|
* to deal in the Software without restriction, including without limitation
|
|
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
|
* and/or sell copies of the Software, and to permit persons to whom the
|
|
* Software is furnished to do so, subject to the following conditions:
|
|
*
|
|
* The above copyright notice and this permission notice (including the next
|
|
* paragraph) shall be included in all copies or substantial portions of the
|
|
* Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
|
|
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
|
|
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
|
|
* DEALINGS IN THE SOFTWARE.
|
|
*
|
|
* Authors: Peter Hutterer
|
|
*
|
|
*/
|
|
|
|
#ifdef HAVE_DIX_CONFIG_H
|
|
#include <dix-config.h>
|
|
#endif
|
|
|
|
#ifndef ENTERLEAVE_H
|
|
#define ENTERLEAVE_H
|
|
|
|
#include <dix.h> /* DoFocusEvents() */
|
|
|
|
extern void DoEnterLeaveEvents(DeviceIntPtr pDev,
|
|
int sourceid,
|
|
WindowPtr fromWin, WindowPtr toWin, int mode);
|
|
|
|
extern void EnterLeaveEvent(DeviceIntPtr mouse,
|
|
int type,
|
|
int mode, int detail, WindowPtr pWin, Window child);
|
|
|
|
extern void CoreEnterLeaveEvent(DeviceIntPtr mouse,
|
|
int type,
|
|
int mode,
|
|
int detail, WindowPtr pWin, Window child);
|
|
extern void DeviceEnterLeaveEvent(DeviceIntPtr mouse,
|
|
int sourceid,
|
|
int type,
|
|
int mode,
|
|
int detail, WindowPtr pWin, Window child);
|
|
extern void DeviceFocusEvent(DeviceIntPtr dev,
|
|
int type,
|
|
int mode,
|
|
int detail ,
|
|
WindowPtr pWin);
|
|
|
|
extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
|
|
|
|
extern void CoreFocusEvent(DeviceIntPtr kbd,
|
|
int type, int mode, int detail, WindowPtr pWin);
|
|
|
|
extern void SetFocusIn(DeviceIntPtr kbd, WindowPtr win);
|
|
|
|
extern void SetFocusOut(DeviceIntPtr dev);
|
|
#endif /* _ENTERLEAVE_H_ */
|