CVE-2023-53523
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-01

Last updated on: 2026-04-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: fix time stamp counter initialization If the gs_usb device driver is unloaded (or unbound) before the interface is shut down, the USB stack first calls the struct usb_driver::disconnect and then the struct net_device_ops::ndo_stop callback. In gs_usb_disconnect() all pending bulk URBs are killed, i.e. no more RX'ed CAN frames are send from the USB device to the host. Later in gs_can_close() a reset control message is send to each CAN channel to remove the controller from the CAN bus. In this race window the USB device can still receive CAN frames from the bus and internally queue them to be send to the host. At least in the current version of the candlelight firmware, the queue of received CAN frames is not emptied during the reset command. After loading (or binding) the gs_usb driver, new URBs are submitted during the struct net_device_ops::ndo_open callback and the candlelight firmware starts sending its already queued CAN frames to the host. However, this scenario was not considered when implementing the hardware timestamp function. The cycle counter/time counter infrastructure is set up (gs_usb_timestamp_init()) after the USBs are submitted, resulting in a NULL pointer dereference if timecounter_cyc2time() (via the call chain: gs_usb_receive_bulk_callback() -> gs_usb_set_timestamp() -> gs_usb_skb_set_timestamp()) is called too early. Move the gs_usb_timestamp_init() function before the URBs are submitted to fix this problem. For a comprehensive solution, we need to consider gs_usb devices with more than 1 channel. The cycle counter/time counter infrastructure is setup per channel, but the RX URBs are per device. Once gs_can_open() of _a_ channel has been called, and URBs have been submitted, the gs_usb_receive_bulk_callback() can be called for _all_ available channels, even for channels that are not running, yet. As cycle counter/time counter has not set up, this will again lead to a NULL pointer dereference. Convert the cycle counter/time counter from a "per channel" to a "per device" functionality. Also set it up, before submitting any URBs to the device. Further in gs_usb_receive_bulk_callback(), don't process any URBs for not started CAN channels, only resubmit the URB.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-01
Last Modified
2026-04-06
Generated
2026-05-07
AI Q&A
2025-10-01
EPSS Evaluated
2026-05-05
NVD
CVE-2023-53523
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's gs_usb device driver for CAN bus communication. When the driver is unloaded before the interface is shut down, a race condition can happen where the USB device still queues CAN frames to send to the host after the driver has killed pending USB requests. The hardware timestamp function was initialized too late, causing a NULL pointer dereference when processing these queued frames. The fix involves initializing the timestamp function before submitting USB requests and converting the timestamp setup from per channel to per device to avoid this issue.


How can this vulnerability impact me? :

This vulnerability can cause a NULL pointer dereference in the Linux kernel, which may lead to a kernel crash or system instability when the gs_usb driver is unloaded improperly. This can disrupt CAN bus communication and potentially cause denial of service on systems relying on this driver for CAN network operations.


What immediate steps should I take to mitigate this vulnerability?

Unload or avoid unbinding the gs_usb device driver before the interface is properly shut down. Ensure that the gs_usb_timestamp_init() function is called before submitting any URBs to the device, which is addressed in the fixed version of the Linux kernel. Updating the Linux kernel to a version that includes this fix will mitigate the vulnerability.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart