CVE-2022-50564

Vulnerability

Overview

CVE-2022-50564 is a mismatch between the declared return type (int) of the s390/netiucv driver's netiucv_tx() function and the expected return type (netdev_tx_t) as defined by the ndo_start_xmit callback in struct net_device_ops. This discrepancy was flagged by clang's Control Flow Integrity (kCFI) enforcement under CONFIG_CFI_CLANG, which validates indirect call targets against the expected function pointer prototype during kernel runtime [1].

Attack

Surface and Exploitation

No direct user input or network exposure is required; the vulnerability lies purely in the driver's implementation. An attacker could only potentially trigger the issue if they are able to load or interact with the netiucv device driver (e.g., by attaching an IUCV network device). However, the bug manifests as a kernel panic or thread termination when an attempted indirect call to netiucv_tx() fails the CFI check. This does not require special authentication beyond ordinary access to utilize the IUCV device [1].

Impact

If the s390 architecture were to enable ARCH_SUPPORTS_CFI_CLANG in the future, this mismatched function prototype would cause a runtime CFI failure, resulting in either a kernel panic or the killing of the affected thread. Such a failure could be leveraged by an attacker to crash the system (denial of service) or potentially bypass kCFI protections designed to mitigate ROP attacks [1]. In the current kernel version where CFI is not yet enabled on s390, the warning serves as a quality-of-code issue with no exploitable runtime impact.

Mitigation

The fix adjusts the return type of netiucv_tx() from int to netdev_tx_t and removes an obsolete comment block. The patch has been applied to the Linux kernel stable trees via commit dfbf0122ea1b and others [3]. Users are advised to update to a kernel version containing this patch to prevent future CFI failures on s390.