CVE-2022-50307 in Linux
Summary
by MITRE • 09/15/2025
In the Linux kernel, the following vulnerability has been resolved:
s390/cio: fix out-of-bounds access on cio_ignore free
The channel-subsystem-driver scans for newly available devices whenever device-IDs are removed from the cio_ignore list using a command such as:
echo free >/proc/cio_ignore
Since an I/O device scan might interfere with running I/Os, commit 172da89ed0ea ("s390/cio: avoid excessive path-verification requests") introduced an optimization to exclude online devices from the scan.
The newly added check for online devices incorrectly assumes that an I/O-subchannel's drvdata points to a struct io_subchannel_private. For devices that are bound to a non-default I/O subchannel driver, such as the vfio_ccw driver, this results in an out-of-bounds read access during each scan.
Fix this by changing the scan logic to rely on a driver-independent online indication. For this we can use struct subchannel->config.ena, which is the driver's requested subchannel-enabled state. Since I/Os can only be started on enabled subchannels, this matches the intent of the original optimization of not scanning devices where I/O might be running.
Analysis
by VulDB Data Team • 01/10/2026
The vulnerability CVE-2022-50307 represents a critical out-of-bounds memory access flaw within the Linux kernel's s390 channel I/O subsystem, specifically affecting the cio_ignore device management functionality. This issue manifests when the channel-subsystem-driver performs device scanning operations after device IDs are removed from the cio_ignore list through the /proc/cio_ignore interface. The flaw stems from an incorrect assumption made during an optimization introduced in commit 172da89ed0ea, which aimed to prevent excessive path-verification requests during I/O device scans. The optimization was designed to exclude online devices from the scanning process, thereby preventing interference with running I/O operations, but it introduced a fundamental flaw in the underlying logic that governs device state determination.
The technical root cause of this vulnerability lies in the improper dereferencing of driver-specific data structures within the I/O subchannel management code. When the system attempts to determine whether a device is online for the purpose of optimization, it incorrectly assumes that an I/O subchannel's drvdata pointer directly references a struct io_subchannel_private structure. This assumption fails catastrophically when devices are bound to non-default I/O subchannel drivers such as the vfio_ccw driver, which maintain different internal data structures. The resulting out-of-bounds read access occurs during each device scan operation, creating a persistent memory corruption vulnerability that could potentially be exploited by malicious actors to gain unauthorized access to system resources or cause system instability. This flaw directly maps to CWE-125: Out-of-Bounds Read, which is classified as a memory safety vulnerability in the Common Weakness Enumeration catalog.
The operational impact of this vulnerability extends beyond simple memory corruption, as it affects the fundamental reliability of the Linux kernel's channel I/O subsystem on IBM s390 systems. The vulnerability is particularly concerning because it triggers during routine device management operations, meaning that any system administrator performing device removal or reconfiguration tasks could inadvertently trigger the out-of-bounds access. This creates a persistent risk for systems running critical workloads where device management operations are frequent, potentially leading to system crashes, data corruption, or denial of service conditions. The flaw is especially problematic in enterprise environments where mainframe systems using s390 architecture are deployed, as these systems often require high availability and reliability. From an ATT&CK framework perspective, this vulnerability could be leveraged in the privilege escalation or defense evasion phases, as it represents a kernel-level memory corruption that could be exploited to gain elevated privileges or disrupt system operations.
The fix implemented for CVE-2022-50307 addresses the root cause by modifying the scan logic to rely on a driver-independent indicator of device online status. Specifically, the solution utilizes struct subchannel->config.ena, which represents the driver's requested subchannel-enabled state rather than driver-specific data structures. This approach ensures that the optimization logic correctly identifies whether I/O operations might be in progress, since I/Os can only be initiated on enabled subchannels. The solution maintains the original intent of the optimization while eliminating the memory safety issue, as it removes the dependency on potentially invalid driver-specific data structures. This fix aligns with the principle of using standardized kernel interfaces for state determination, which is consistent with best practices for kernel development and security hardening. The resolution demonstrates a proper approach to vulnerability remediation by addressing the fundamental architectural flaw rather than applying superficial patches, thereby maintaining system stability while preserving the intended performance optimization.
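To make the commit summary above and the fix discussed in the analysis concrete, here is an added C model; it is not kernel code, and every struct layout and the field name `online`, `drvdata_len`, and the `vfio_ccw_private` stand-in are constructed for the demo (only `drvdata`, `io_subchannel_private` and `config.ena` come from the advisory). The pre-fix check casts `drvdata` to `io_subchannel_private` and would read past the end of the smaller vfio_ccw private data, while the fixed check reads `sch->config.ena`; `scan_after_free` counts how each variant behaves on a constructed device list.

```c
#include <stddef.h>

/* Constructed stand-ins for the kernel structures (demo layouts, not real s390 cio). */
struct io_subchannel_private { int options; int online; }; /* default I/O driver */
struct vfio_ccw_private      { int state; };               /* vfio_ccw: no 'online' */
struct subchannel {
    struct { unsigned int ena : 1; } config; /* driver's requested enabled state */
    void  *drvdata;                          /* driver-specific private data */
    size_t drvdata_len;                      /* demo-only: true size of *drvdata */
};

/* Pre-fix check: treats drvdata as io_subchannel_private and reads ->online.
 * Returns 1/0, or -1 when the read would end past the driver's real private
 * data: the out-of-bounds read the advisory describes. */
static int online_check_old(const struct subchannel *sch)
{
    size_t end = offsetof(struct io_subchannel_private, online) + sizeof(int);
    if (end > sch->drvdata_len)
        return -1;
    return ((const struct io_subchannel_private *)sch->drvdata)->online;
}

/* Fixed check: driver-independent; I/O can only run on an enabled subchannel. */
static int online_check_new(const struct subchannel *sch) { return sch->config.ena; }

/* Models the scan after 'echo free >/proc/cio_ignore': online devices are
 * skipped. Returns the number scanned; *oob counts out-of-bounds reads taken. */
static int scan_after_free(const struct subchannel *schs, int n,
                           int (*is_online)(const struct subchannel *), int *oob)
{
    int scanned = 0;
    *oob = 0;
    for (int i = 0; i < n; i++) {
        int online = is_online(&schs[i]);
        if (online < 0) { (*oob)++; online = 0; } /* real kernel: garbage value */
        if (!online) scanned++;
    }
    return scanned;
}

/* Constructed sample: online DASD, online vfio_ccw device, offline DASD. */
static struct io_subchannel_private dasd_on = { .online = 1 }, dasd_off = { .online = 0 };
static struct vfio_ccw_private vfio = { .state = 3 };
static struct subchannel devices[3] = {
    { .config = { .ena = 1 }, .drvdata = &dasd_on,  .drvdata_len = sizeof dasd_on },
    { .config = { .ena = 1 }, .drvdata = &vfio,     .drvdata_len = sizeof vfio },
    { .config = { .ena = 0 }, .drvdata = &dasd_off, .drvdata_len = sizeof dasd_off },
};
```

With the old check the vfio_ccw device is reported as an out-of-bounds read and gets scanned despite being enabled; with the fixed check only the disabled subchannel is scanned.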