xserver: Branch 'master'



 hw/xfree86/ramdac/xf86CursorRD.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

New commits:
commit 7ae221ad5774756766dc78a73d71f4163ac7b1c6
Author: Martin Weber <martin.weber at secunet.com>
Date:   Fri Jun 19 16:51:15 2020 +0200

    hw/xfree86: Avoid cursor use after free
    
    During a VT-Switch a raw pointer to the shared cursor object
    is saved which is then freed (in case of low refcount) by a call to
    xf86CursorSetCursor with argument pCurs = NullCursor.
    This leaves a dangling pointer, which can then lead to a use after free.
    
    This fix ensures that there is a shared handle saved for the VT-Switch cycle.
    
    Reviewed-by: Michel Dänzer <mdaenzer at redhat.com>

diff --git a/hw/xfree86/ramdac/xf86CursorRD.c b/hw/xfree86/ramdac/xf86CursorRD.c
index afcce5353..ee1d98916 100644
--- a/hw/xfree86/ramdac/xf86CursorRD.c
+++ b/hw/xfree86/ramdac/xf86CursorRD.c
@@ -212,7 +212,7 @@ xf86CursorEnableDisableFBAccess(ScrnInfoPtr pScrn, Bool enable)
                                                xf86CursorScreenKey);
 
     if (!enable && ScreenPriv->CurrentCursor != NullCursor) {
-        CursorPtr currentCursor = ScreenPriv->CurrentCursor;
+        CursorPtr currentCursor = RefCursor(ScreenPriv->CurrentCursor);
 
         xf86CursorSetCursor(pDev, pScreen, NullCursor, ScreenPriv->x,
                             ScreenPriv->y);
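Review bot: The reference taken on the new `RefCursor` line is the pairing for an `UnrefCursor` elsewhere, but nothing in the hunk records that ownership contract; a short comment above it would help, e.g. `/* Hold our own reference: SetCursor(NullCursor) below may drop the screen's last one. */`. The store of `currentCursor` into `ScreenPriv->SavedCursor` is presumably below the hunk; if the disable path can run twice without an enable in between, the earlier reference would be overwritten and leaked, so it is worth confirming that any existing SavedCursor is released (or asserted NULL) before the store. xf86CursorEnableDisableFBAccess begins before and ends after this hunk.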
@@ -231,6 +231,7 @@ xf86CursorEnableDisableFBAccess(ScrnInfoPtr pScrn, Bool enable)
          */
         xf86CursorSetCursor(pDev, pScreen, ScreenPriv->SavedCursor,
                             ScreenPriv->x, ScreenPriv->y);
+        UnrefCursor(ScreenPriv->SavedCursor);
         ScreenPriv->SavedCursor = NULL;
     }
 }
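Review bot: The `UnrefCursor(ScreenPriv->SavedCursor)` added here balances only the reference taken by this function's disable path; if `ScreenPriv->SavedCursor` can be assigned anywhere else without a matching `RefCursor` (the condition guarding this branch and xf86CursorSetCursor's own handling of SavedCursor are outside the hunk), this line would release a reference that was never taken and reintroduce a freed-cursor dereference. Worth confirming that every writer of SavedCursor takes its own reference, and that this branch is guarded by `ScreenPriv->SavedCursor != NULL` so UnrefCursor is never handed a null pointer. xf86CursorEnableDisableFBAccess begins before this hunk.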

