libinput Dangling Pointer Vulnerability in Lua Plugin Handling Allowing Information Disclosure

A dangling pointer vulnerability has been identified in libinput, which can be exploited by an attacker who can deploy a Lua plugin file in certain system directories. This vulnerability arises when a garbage collection cleanup function is invoked, leaving behind a pointer that can be logged to system logs. If the memory location referenced by the pointer is reused, it could lead to unauthorized exposure of sensitive data. For this vulnerability to be exploited, Lua plugins must be enabled in libinput and loaded by the compositor.

Impact

Exploitation of this vulnerability could result in unauthorized information disclosure by allowing sensitive data to be read from memory.

Reproduction

To reproduce this vulnerability, a Lua plugin must be created and deployed in one of the directories that libinput loads plugins from, such as '/usr/share/libinput/plugins', '/etc/libinput/plugins', or possibly XDG_CONFIG_HOME/libinput/plugins. Once the plugin is in place, it can be loaded by a compositor that supports this feature, such as Mutter 50. If libinput is compiled with the option to autoload plugins, the deployed Lua plugin will be loaded automatically. The plugin can then be crafted to invoke a garbage collection cleanup, creating a dangling pointer that can be logged and potentially exploited.