From c726ceacc1a39c56d2b054ac5f35798d0c3640d7 Mon Sep 17 00:00:00 2001
From: Martin Weber
Date: Tue, 21 Jul 2020 18:24:41 +0200
Subject: [PATCH] hw/xfree86: Avoid cursor use after free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

During a VT-Switch a raw pointer to the shared cursor object is saved which is then freed (in case of low refcount) by a call to xf86CursorSetCursor with argument pCurs = NullCursor. This leads to a dangling pointer which can follow in a use after free. This fix ensures that there is a shared handle saved for the VT-Switch cycle.
Reviewed-by: Michel Dänzer
(cherry picked from commit 7ae221ad5774756766dc78a73d71f4163ac7b1c6)
---
 hw/xfree86/ramdac/xf86CursorRD.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/xfree86/ramdac/xf86CursorRD.c b/hw/xfree86/ramdac/xf86CursorRD.c
index afcce5353..ee1d98916 100644
--- a/hw/xfree86/ramdac/xf86CursorRD.c
+++ b/hw/xfree86/ramdac/xf86CursorRD.c
@@ -212,7 +212,7 @@ xf86CursorEnableDisableFBAccess(ScrnInfoPtr pScrn, Bool enable)
 xf86CursorScreenKey);
 if (!enable && ScreenPriv->CurrentCursor != NullCursor) {
- CursorPtr currentCursor = ScreenPriv->CurrentCursor;
+ CursorPtr currentCursor = RefCursor(ScreenPriv->CurrentCursor);
 xf86CursorSetCursor(pDev, pScreen, NullCursor, ScreenPriv->x, ScreenPriv->y);
@@ -231,6 +231,7 @@ xf86CursorEnableDisableFBAccess(ScrnInfoPtr pScrn, Bool enable)
 */
 xf86CursorSetCursor(pDev, pScreen, ScreenPriv->SavedCursor, ScreenPriv->x, ScreenPriv->y);
+ UnrefCursor(ScreenPriv->SavedCursor);
 ScreenPriv->SavedCursor = NULL;
 }
 }
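Review bot: The reference taken by `RefCursor(ScreenPriv->CurrentCursor)` in the first hunk is released only by the `UnrefCursor(ScreenPriv->SavedCursor)` added in the second hunk, and the line that presumably stores `currentCursor` into `ScreenPriv->SavedCursor` lies between the hunks, outside the view, so neither site shows the pairing on its own. A comment on the RefCursor line would make the ownership explicit, e.g. `/* Take our own reference: xf86CursorSetCursor(NullCursor) below drops the screen's, and SavedCursor must outlive the VT switch; released again when FB access is re-enabled. */`. If the disable branch can run twice without the enable branch in between (not verifiable from these hunks), the earlier SavedCursor reference would be overwritten and leaked; a guard such as `if (ScreenPriv->SavedCursor) UnrefCursor(ScreenPriv->SavedCursor);` before the store would close that, should callers allow it. The enclosing function xf86CursorEnableDisableFBAccess begins before the first hunk.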