Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's s390 LCS (Logical Channel Support) driver, related to function pointer type mismatches that can disrupt Clang's kernel control flow integrity (kCFI) checks. This issue arises because the LCS driver's packet transmission function, 'lcs_start_xmit', is incorrectly defined to return an 'int' instead of the expected 'netdev_tx_t' type. When Clang's kCFI is enabled, such discrepancies can lead to runtime errors, causing either a kernel panic or the termination of a thread. Although this vulnerability does not currently have a direct impact, it could pose a risk if the s390 architecture adopts Clang's CFI support in the future.
The vulnerability could cause a kernel panic or terminate a thread at runtime, disrupting system operations. Furthermore, it could lead to a failure in Clang's kernel control flow integrity checks, which are designed to mitigate return-oriented programming (ROP) attacks.
The vulnerability can be reproduced by compiling the Linux kernel with Clang, while the s390 architecture is configured to support kernel control flow integrity. The compilation will generate warnings about incompatible function pointer types in the LCS driver, indicating that the driver's function return type does not match the expected prototype. These warnings can be treated as errors, causing the compilation to fail, or they may be ignored, allowing the kernel to be built successfully. However, if the resulting kernel is run with the s390 architecture selected, the mismatch will lead to a runtime error, either crashing the kernel or killing a thread.
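The return-type mismatch described above can be modelled in user space. This is an added example, not code from the kernel or the LCS driver: it imitates the kCFI indirect-call check with a hash over a type signature string (an assumption standing in for the compiler-generated type hash), and the names `xmit_returns_int`, `xmit_returns_tx`, `checked_xmit` and `CFI_TRAP` are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct sk_buff;     /* opaque stand-ins for the kernel structures */
struct net_device;

/* Mirrors the kernel's netdev_tx_t: a distinct enum type, not plain int. */
typedef enum netdev_tx {
    __NETDEV_TX_MIN = INT_MIN,
    NETDEV_TX_OK    = 0x00,
    NETDEV_TX_BUSY  = 0x10,
} netdev_tx_t;
typedef netdev_tx_t (*xmit_fn)(struct sk_buff *, struct net_device *);

enum { CFI_TRAP = -1 };  /* hypothetical marker for "check failed, call refused" */
#define SIG_INT "int(struct sk_buff*,struct net_device*)"
#define SIG_TX  "netdev_tx_t(struct sk_buff*,struct net_device*)"

/* FNV-1a over a signature string; stands in for the per-prototype type hash. */
static uint32_t type_id(const char *sig) {
    uint32_t h = 2166136261u;
    while (*sig) { h ^= (unsigned char)*sig++; h *= 16777619u; }
    return h;
}

/* Shape of the handler before the fix: returns int. */
static int xmit_returns_int(struct sk_buff *skb, struct net_device *dev) {
    (void)skb; (void)dev; return 0;
}
/* Shape after the fix: returns netdev_tx_t, matching the expected prototype. */
static netdev_tx_t xmit_returns_tx(struct sk_buff *skb, struct net_device *dev) {
    (void)skb; (void)dev; return NETDEV_TX_OK;
}

/* Model of the call site: compare the target's hash with the hash of the
 * prototype the caller expects, and refuse the call on a mismatch. */
static int checked_xmit(uint32_t target_id, xmit_fn fn) {
    if (target_id != type_id(SIG_TX)) return CFI_TRAP;
    return (int)fn(NULL, NULL);
}

int run_before_fix(void) { return checked_xmit(type_id(SIG_INT), (xmit_fn)xmit_returns_int); }
int run_after_fix(void)  { return checked_xmit(type_id(SIG_TX), xmit_returns_tx); }

int main(void) {
    printf("before fix: %d, after fix: %d\n", run_before_fix(), run_after_fix());
    return 0;
}
```

In a real kCFI build the refused call is a trap that panics the kernel or kills the thread, rather than a return value.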
The vulnerability has been addressed in the Linux kernel. Users can upgrade to the latest version of the stable Linux kernel to apply the fix.