Instituto Nacional de Ciberseguridad (INCIBE). INCIBE-CERT section

CVE-2023-53523

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
01/10/2025
Last modified:
02/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

can: gs_usb: fix time stamp counter initialization

If the gs_usb device driver is unloaded (or unbound) before the interface is shut down, the USB stack first calls the struct usb_driver::disconnect and then the struct net_device_ops::ndo_stop callback.

In gs_usb_disconnect() all pending bulk URBs are killed, i.e. no more RX'ed CAN frames are sent from the USB device to the host. Later in gs_can_close() a reset control message is sent to each CAN channel to remove the controller from the CAN bus. In this race window the USB device can still receive CAN frames from the bus and internally queue them to be sent to the host.

At least in the current version of the candlelight firmware, the queue of received CAN frames is not emptied during the reset command. After loading (or binding) the gs_usb driver, new URBs are submitted during the struct net_device_ops::ndo_open callback and the candlelight firmware starts sending its already queued CAN frames to the host.

However, this scenario was not considered when implementing the hardware timestamp function. The cycle counter/time counter infrastructure is set up (gs_usb_timestamp_init()) after the URBs are submitted, resulting in a NULL pointer dereference if timecounter_cyc2time() (via the call chain: gs_usb_receive_bulk_callback() -> gs_usb_set_timestamp() -> gs_usb_skb_set_timestamp()) is called too early.

Move the gs_usb_timestamp_init() function before the URBs are submitted to fix this problem.

For a comprehensive solution, we need to consider gs_usb devices with more than 1 channel. The cycle counter/time counter infrastructure is set up per channel, but the RX URBs are per device. Once gs_can_open() of _a_ channel has been called, and URBs have been submitted, the gs_usb_receive_bulk_callback() can be called for _all_ available channels, even for channels that are not running yet. As the cycle counter/time counter has not been set up, this will again lead to a NULL pointer dereference.

Convert the cycle counter/time counter from a "per channel" to a "per device" functionality. Also set it up before submitting any URBs to the device.

Further, in gs_usb_receive_bulk_callback(), don't process any URBs for not started CAN channels, only resubmit the URB.
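The initialization-order problem described above, as an added user-space C model; it is not the gs_usb driver source or the upstream patch. It uses a single device-wide counter and reports the point where the kernel would dereference NULL instead of crashing; all type names, function names and sample values are hypothetical.

```c
/* Constructed user-space model; every name here is a hypothetical stand-in. */
#include <stddef.h>
#include <stdint.h>

enum rx_result { RX_NONE, RX_DELIVERED, RX_SKIPPED_NOT_STARTED, RX_NULL_DEREF };
struct cyclecounter { uint32_t mult, shift; };
struct timecounter  { const struct cyclecounter *cc; };  /* NULL until initialised */

struct model_dev {
    struct cyclecounter cc;
    struct timecounter tc;   /* one per device, as the fix describes */
    int fixed;               /* 0 = ordering before the fix, 1 = after */
    int started[2];          /* per-channel running flag */
    int stale_channel;       /* channel of a frame still queued in firmware, -1 = none */
};

/* Stand-in for the bulk RX callback; it can fire as soon as URBs are submitted. */
static enum rx_result rx_callback(struct model_dev *d, int ch, uint64_t cycles, uint64_t *ns)
{
    if (d->fixed && !d->started[ch])
        return RX_SKIPPED_NOT_STARTED;   /* fixed: only resubmit the URB */
    if (d->tc.cc == NULL)
        return RX_NULL_DEREF;            /* where the kernel would dereference NULL */
    *ns = (cycles * d->tc.cc->mult) >> d->tc.cc->shift;
    return RX_DELIVERED;
}

static void timestamp_init(struct model_dev *d)
{
    d->cc.mult = 1000; d->cc.shift = 0;  /* constructed values */
    d->tc.cc = &d->cc;
}

/* Submitting URBs lets the firmware flush a frame it queued before the reset. */
static enum rx_result submit_urbs(struct model_dev *d)
{
    uint64_t ns = 0;
    return d->stale_channel < 0 ? RX_NONE : rx_callback(d, d->stale_channel, 42, &ns);
}

/* Stand-in for ndo_open on channel ch; returns what happened to the stale frame. */
enum rx_result open_channel(struct model_dev *d, int ch)
{
    enum rx_result r;
    d->started[ch] = 1;
    if (d->fixed) { timestamp_init(d); r = submit_urbs(d); }
    else          { r = submit_urbs(d); timestamp_init(d); }
    return r;
}
```

With `fixed = 0` a stale frame reaches the callback before the counter exists; with `fixed = 1` it is either timestamped (channel running) or skipped (channel not started).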

Impact