Goodixmoc: Fix use-after-free when receive an incorrect CRC

Link: https://gitlab.freedesktop.org/libfprint/libfprint/-/issues/694 Resolves: RHEL-102592
2026-01-14 17:45:32 +08:00 · 2026-01-14 17:45:32 +08:00 · d047f562b3
commit d047f562b3
parent 795ede62fe
3 changed files with 33 additions and 3 deletions
--- a/0001-goodixmoc-fix-crash-in-exit-callback-handler.patch
+++ b/0001-goodixmoc-fix-crash-in-exit-callback-handler.patch
@ -1,7 +1,7 @@
 From da42268911c3fc9f591783e0c3cdd4511930612a Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <benjamin@sipsolutions.net>
 Date: Thu, 24 Jul 2025 08:39:54 +0200
-Subject: [PATCH] goodixmoc: fix crash in exit callback handler
+Subject: [PATCH 03/26] goodixmoc: fix crash in exit callback handler

 If the button shield command cannot be executed due to an underlying
 error then resp is NULL. Avoid the crash by adding the appropriate
@ -28,5 +28,5 @@ index 33e137f..659722a 100644
   self->is_power_button_shield_on = false;
   gx_fp_release_interface (self, error);
 -- 
-2.51.1
+2.52.0

--- a/0002-goodixmoc-goodix-set-transfer-ssm-to-NULL.patch
+++ b/0002-goodixmoc-goodix-set-transfer-ssm-to-NULL.patch
@ -0,0 +1,28 @@
+From 147ce697f1e02e28107c1229628547b2f30df3ce Mon Sep 17 00:00:00 2001
+From: Kate Hsuan <hpa@redhat.com>
+Date: Thu, 8 Jan 2026 15:51:33 +0800
+Subject: [PATCH] goodixmoc/goodix: set transfer->ssm to NULL
+
+Upstream status: RHEL-only
+
+transfer->ssm was freed when invoking fpi_ssm_mark_failed(), so assign NULL to it.
+---
+ libfprint/drivers/goodixmoc/goodix.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libfprint/drivers/goodixmoc/goodix.c b/libfprint/drivers/goodixmoc/goodix.c
+index 976675b..ded48f5 100644
+--- a/libfprint/drivers/goodixmoc/goodix.c
+++ b/libfprint/drivers/goodixmoc/goodix.c
+@@ -172,6 +172,8 @@ fp_cmd_receive_cb (FpiUsbTransfer *transfer,
+       fpi_ssm_mark_failed (transfer->ssm,
+                            fpi_device_error_new_msg (FP_DEVICE_ERROR_PROTO,
+                                                      "Package crc read failed"));
+      /* fpi_ssm_mark_failed and fpi_ssm_mark_completed frees the transfer->ssm, so set transfer->ssm to NULL. */
+      transfer->ssm = NULL;
+     }
+ 
+   gx_proto_crc32_calc (transfer->buffer, PACKAGE_HEADER_SIZE + header.len, (uint8_t *) &crc32_calc);
+-- 
+2.52.0
+
--- a/libfprint.spec
+++ b/libfprint.spec
@ -10,7 +10,9 @@ Source0:        https://gitlab.freedesktop.org/libfprint/libfprint/-/archive/v%{
 ExcludeArch:    s390 s390x

 # https://gitlab.freedesktop.org/libfprint/libfprint/-/commit/da42268911c3fc9f591783e0c3cdd4511930612a
-Patch00001:     0001-goodixmoc-fix-crash-in-exit-callback-handler.patch
+Patch0001:      0001-goodixmoc-fix-crash-in-exit-callback-handler.patch
+# RHEL-only
+Patch0002:      0002-goodixmoc-goodix-set-transfer-ssm-to-NULL.patch

 BuildRequires:  meson
 BuildRequires:  gcc