CVE-2023-53523

Source: https://nvd.nist.gov/vuln/detail/CVE-2023-53523
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53523.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2023-53523
Published: 2025-10-01T11:46:09Z
Modified: 2025-10-16T17:58:37.380080Z
Summary: can: gs_usb: fix time stamp counter initialization
Details

In the Linux kernel, the following vulnerability has been resolved:

can: gs_usb: fix time stamp counter initialization

If the gs_usb device driver is unloaded (or unbound) before the interface is shut down, the USB stack first calls the struct usb_driver::disconnect and then the struct net_device_ops::ndo_stop callback.

In gs_usb_disconnect() all pending bulk URBs are killed, i.e. no more RX'ed CAN frames are sent from the USB device to the host. Later in gs_can_close() a reset control message is sent to each CAN channel to remove the controller from the CAN bus. In this race window the USB device can still receive CAN frames from the bus and internally queue them to be sent to the host.

At least in the current version of the candlelight firmware, the queue of received CAN frames is not emptied during the reset command. After loading (or binding) the gs_usb driver, new URBs are submitted during the struct net_device_ops::ndo_open callback and the candlelight firmware starts sending its already queued CAN frames to the host.

However, this scenario was not considered when implementing the hardware timestamp function. The cycle counter/time counter infrastructure is set up (gs_usb_timestamp_init()) after the USBs are submitted, resulting in a NULL pointer dereference if timecounter_cyc2time() (via the call chain: gs_usb_receive_bulk_callback() -> gs_usb_set_timestamp() -> gs_usb_skb_set_timestamp()) is called too early.

Move the gs_usb_timestamp_init() function before the URBs are submitted to fix this problem.

For a comprehensive solution, we need to consider gs_usb devices with more than 1 channel. The cycle counter/time counter infrastructure is set up per channel, but the RX URBs are per device. Once gs_can_open() of a channel has been called, and URBs have been submitted, the gs_usb_receive_bulk_callback() can be called for all available channels, even for channels that are not running, yet. As cycle counter/time counter has not been set up, this will again lead to a NULL pointer dereference.

Convert the cycle counter/time counter from a "per channel" to a "per device" functionality. Also set it up, before submitting any URBs to the device.

Further in gs_usb_receive_bulk_callback(), don't process any URBs for not started CAN channels, only resubmit the URB.
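
The ordering problem described above, as an added user-space C model (not code from this record or from the gs_usb driver): a stale frame delivered the moment RX is enabled hits an uninitialised time counter in the pre-fix order, and is handled safely once initialisation comes first and frames for not-started channels are only resubmitted. Every struct, function and enum name here is a hypothetical stand-in, and the stale frame is constructed sample input.

```c
/* User-space model of the RX-before-init ordering bug. All names are
 * hypothetical stand-ins, not the gs_usb driver's own code. */
#include <stdbool.h>
#include <stdint.h>

enum rx_result { RX_DELIVERED, RX_RESUBMIT_ONLY, RX_NULL_DEREF };
struct timecounter_model { uint64_t base_ns, ns_per_cycle; };

struct device_model {
    struct timecounter_model tc_storage;
    struct timecounter_model *tc;   /* per device; NULL until initialised */
    bool chan_running[2];
    uint64_t last_ts_ns;
};

/* Bulk-RX completion handler; reports RX_NULL_DEREF where a kernel would oops. */
static enum rx_result rx_callback(struct device_model *d, int chan, uint32_t cycles)
{
    if (!d->chan_running[chan])
        return RX_RESUBMIT_ONLY;    /* frame for a channel that is not started */
    if (!d->tc)
        return RX_NULL_DEREF;       /* time counter used before it exists */
    d->last_ts_ns = d->tc->base_ns + cycles * d->tc->ns_per_cycle;
    return RX_DELIVERED;
}

static void timestamp_init(struct device_model *d)
{
    d->tc_storage = (struct timecounter_model){ .base_ns = 0, .ns_per_cycle = 1000 };
    d->tc = &d->tc_storage;
}

/* Open one channel; the stale frame arrives as soon as RX URBs are submitted. */
static enum rx_result open_channel(struct device_model *d, int chan, bool fixed_order,
                                   int stale_chan, uint32_t stale_cycles)
{
    d->chan_running[chan] = true;
    if (fixed_order) timestamp_init(d);       /* fixed order: set up before URBs */
    enum rx_result r = rx_callback(d, stale_chan, stale_cycles); /* URBs submitted */
    if (!fixed_order) timestamp_init(d);      /* pre-fix order: too late */
    return r;
}

int main(void)
{
    struct device_model pre = {0}, post = {0};
    return open_channel(&pre, 0, false, 0, 5) != RX_NULL_DEREF ||
           open_channel(&post, 0, true, 0, 5) != RX_DELIVERED;
}
```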

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: 45dfa45f52e66f8eee30a64b16550a9c47915044
Fixed: 210a8cffc9c1b044281c0a868485c870c9c11374

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: 45dfa45f52e66f8eee30a64b16550a9c47915044
Fixed: 5886e4d5ecec3e22844efed90b2dd383ef804b3a

Affected versions

v6.*

v6.0
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.4.1
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.5-rc1

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Introduced: 6.1.0
Fixed: 6.4.7