Linux Kernel gs_usb Driver Timestamp Counter Initialization Vulnerability

Vulnerability

A vulnerability in the Linux kernel's gs_usb device driver can lead to a NULL pointer dereference. This issue occurs when the driver is unloaded before the interface is properly shut down, creating a race condition. During this window, the USB device can still receive and queue CAN frames to be sent to the host. The current version of the candlelight firmware does not clear this queue during a reset command. When the gs_usb driver is reloaded, it resumes sending these queued frames, but the hardware timestamp function has not been properly initialized, causing a NULL pointer dereference. This vulnerability affects Linux kernel versions prior to the patch commit 210a8cffc9c1b044281c0a868485c870c9c11374.

Impact

Exploitation of this vulnerability leads to a NULL pointer dereference, causing a crash of the gs_usb driver.

Reproduction

To reproduce this vulnerability, unload the gs_usb driver before shutting down the interface. This can be done by disconnecting the USB device while the driver is still active. Once the driver is unloaded, rebind it. The driver will attempt to send CAN frames that were queued during the reset process, but the timestamping functionality will not be ready, leading to a NULL pointer dereference.
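The ordering hazard described above, as an added example that is not taken from the kernel source or the patch. It is a simplified user-space model: every name in it (model_dev, ts_read, start_rx, and so on) is hypothetical, and the NULL check stands in for the point where an unguarded receive handler would dereference the uninitialized timestamp state.

```c
#include <stdint.h>
#include <stdio.h>
/* Simplified user-space model; every name is hypothetical, not a gs_usb symbol. */
struct model_dev {
    uint64_t (*ts_read)(void); /* NULL until timestamp init has run */
    int stale_frames;          /* frames the firmware kept queued across the reset */
    int unsafe_hits;           /* RX events that found ts_read == NULL */
    int stamped;               /* RX events that were timestamped */
};
static uint64_t fake_hw_clock(void) { return 123456u; }
static void timestamp_init(struct model_dev *d) { d->ts_read = fake_hw_clock; }

/* RX completion: an unguarded handler would call ts_read() unconditionally. */
static void rx_complete(struct model_dev *d)
{
    if (!d->ts_read) {         /* where the NULL pointer dereference would occur */
        d->unsafe_hits++;
        return;
    }
    (void)d->ts_read();
    d->stamped++;
}

/* Enabling RX lets the device deliver its stale queue immediately. */
static void start_rx(struct model_dev *d)
{
    for (; d->stale_frames > 0; d->stale_frames--)
        rx_complete(d);
}

/* Racy order: RX is live before the timestamp state exists. */
static int open_rx_first(struct model_dev *d)
{
    start_rx(d);
    timestamp_init(d);
    return d->unsafe_hits;
}

/* Safe order: timestamp state is ready before any frame can arrive. */
static int open_ts_first(struct model_dev *d)
{
    timestamp_init(d);
    start_rx(d);
    return d->unsafe_hits;
}

int main(void)
{
    struct model_dev a = { .stale_frames = 3 }, b = { .stale_frames = 3 };
    return printf("rx first: %d unsafe, ts first: %d unsafe\n", open_rx_first(&a), open_ts_first(&b)) < 0;
}
```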

Remediation

The vulnerability has been fixed in the Linux kernel stable tree. Users should upgrade to the latest kernel version, which includes the patch commit 210a8cffc9c1b044281c0a868485c870c9c11374.

Added: Oct 1, 2025, 1:32 PM
Updated: Oct 1, 2025, 1:32 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.