Linux Kernel GS_USB Driver Header Access Vulnerability

A vulnerability has been identified in the Linux kernel's GS_USB driver, specifically in the 'gs_usb_receive_bulk_callback' function. The issue arises because the driver does not properly check the length of the received data before accessing the header of the 'gs_host_frame' structure. This oversight can lead to incorrect data handling. The vulnerability affects the Linux kernel stable tree.

Impact

The vulnerability could potentially be exploited to cause a denial of service by mismanaging the data received from USB CAN devices, which could disrupt normal operations or cause the system to handle errors improperly.

Reproduction

The vulnerability can be reproduced by sending a USB packet to a device using the GS_USB CAN driver that is shorter than the expected minimum length. This can be done by configuring a CAN device to send incomplete packets or by using a tool that allows for the manipulation of USB data packets. When the 'gs_usb_receive_bulk_callback' function processes the incoming data, it will attempt to access the header of the 'gs_host_frame' structure without verifying that the entire header has been received, leading to improper data handling.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is available in the Linux kernel stable repository.