Linux Kernel gs_usb Buffer Access Vulnerability

Vulnerability

A vulnerability in the Linux kernel's gs_usb driver causes the gs_usb_receive_bulk_callback function to handle received data improperly. The length of the data that follows the header in a received URB (USB Request Block) depends on the flags in the gs_host_frame structure and on the active features of the device, such as timestamping. The vulnerability has been addressed by introducing a new function, gs_usb_get_minimum_length, which is used to ensure that the required amount of data has been received before it is accessed. The fix also copies only the data that has been successfully received to the socket buffer (skb).

Impact

Exploitation of this vulnerability could result in accessing data that has not been properly received, potentially leading to incorrect or corrupted information being processed by the application.

Reproduction

The vulnerability can be reproduced by using a GS_USB CAN device with a Linux kernel version that contains the vulnerability. When the device sends data, the gs_usb_receive_bulk_callback function is called. If the actual length of the received data is less than the minimum required length, which is determined by the flags in the gs_host_frame and the device features, the callback still processes the data and so accesses data that was not received.
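The length check described under Vulnerability and the short-transfer condition described under Reproduction, as a userspace C model. This is an added example, not the kernel's code: the model_ names, the header layout, the flag and feature values, the payload sizes and the initial header-size check are all assumptions made for illustration.

```c
/* Userspace model of the check described above. Layout, flag and feature
 * values are illustrative assumptions, not the driver's definitions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_FLAG_FD      0x01u /* hypothetical: frame carries a CAN FD payload */
#define MODEL_FEATURE_HWTS 0x01u /* hypothetical: device appends a timestamp */

struct model_hdr {               /* fixed 12-byte header before the payload */
    uint32_t echo_id, can_id;
    uint8_t  can_dlc, channel, flags, reserved;
};

/* Minimum bytes a transfer must contain before the payload may be read. */
static size_t model_min_length(uint8_t flags, uint32_t features)
{
    size_t len = sizeof(struct model_hdr);
    len += (flags & MODEL_FLAG_FD) ? 64 : 8;  /* CAN FD vs classic payload */
    if (features & MODEL_FEATURE_HWTS)
        len += sizeof(uint32_t);              /* trailing timestamp */
    return len;
}

/* Validate a received buffer, then copy only bytes that actually arrived.
 * Returns bytes copied into out, or -1 if the transfer is too short. */
static long model_receive(const uint8_t *buf, size_t actual_len,
                          uint32_t features, uint8_t *out, size_t out_cap)
{
    struct model_hdr hdr;
    size_t need;

    if (actual_len < sizeof(hdr))             /* header itself incomplete */
        return -1;
    memcpy(&hdr, buf, sizeof(hdr));           /* safe: header fully received */
    need = model_min_length(hdr.flags, features);
    if (actual_len < need || out_cap < need)  /* short transfer: drop it */
        return -1;
    memcpy(out, buf, need);                   /* never reads past actual_len */
    return (long)need;
}

int main(void)
{
    uint8_t urb[20] = {0}, out[80]; /* constructed: classic frame, no timestamp */
    printf("plain=%ld ", model_receive(urb, sizeof(urb), 0, out, sizeof(out)));
    printf("hwts=%ld\n", model_receive(urb, 20, MODEL_FEATURE_HWTS, out, 80));
    return 0;
}
```

The same 20-byte transfer is accepted when timestamping is off and rejected when it is on, because the required length depends on the device features as well as on the frame flags.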

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version can be found on the official Linux kernel website.

Added: Dec 23, 2025, 2:22 PM
Updated: Dec 23, 2025, 3:02 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.