Public bug reported:

[Impact]

In the UBUNTU SAUCE VXLAN implementation for fan, in
'vxlan_fan_add_map()' a memory chunk is allocated to hold a fan_map
structure. However, the return value of 'kmalloc()' is not checked, so
an allocation failure leads to a NULL pointer dereference.

---
static int vxlan_fan_add_map(struct vxlan_dev *vxlan, struct ifla_fan_map *map)
{
[...]
        fan_map = kmalloc(sizeof(*fan_map), GFP_KERNEL);
        fan_map->underlay = map->underlay;
---

[Fix]

The fix is a simple check of whether the memory allocation failed,
returning an error if so. The function doesn't perform any other operation
prior to calling 'kmalloc()' that needs to be rolled back on error,
therefore it can simply return -ENOMEM.

---
  fan_map = kmalloc(sizeof(*fan_map), GFP_KERNEL);
+        if (!fan_map)
+                return -ENOMEM;
---
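
Review bot: the two added lines are indented with eight spaces while the context line above them has two, so the hunk as pasted will not apply cleanly and does not follow kernel tab indentation; regenerate it with git format-patch so the whitespace survives. The snippet under [Impact] elides everything before kmalloc() with [...], so the statement that nothing needs rolling back cannot be confirmed from the visible lines; the commit message should say explicitly that no lock is held and no earlier allocation is live at that point.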

[Test plan]

I have not tested the fix functionally, as the issue is hard to
reproduce. This code path is exercised by the 'ubuntu_fan_smoke_test'
regression tests.

[Where problems could occur]

The fix is straightforward; however, if issues are to occur, they will
happen while creating a new fan interface.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New
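
The allocation-failure path that the report calls hard to reproduce can be driven deterministically in a userspace model with an allocator that fails on demand. This is an added example, not code from the Ubuntu kernel tree or from the reporter: `model_kmalloc`, `fail_on_call`, `fan_add_map_model`, the `next`/`nmaps` fields and the struct layouts are assumptions; only the `underlay` assignment and the `-ENOMEM` check come from the report.

```c
#include <errno.h>
#include <stdlib.h>

/* Userspace model. Hypothetical layouts: only 'underlay' is in the report. */
struct ifla_fan_map { unsigned int underlay; };
struct fan_map { unsigned int underlay; struct fan_map *next; };
struct vxlan_dev { struct fan_map *maps; size_t nmaps; };

/* Fault injection: the Nth call from now returns NULL (0 = never fail). */
static int fail_on_call;

static void *model_kmalloc(size_t size)
{
	if (fail_on_call > 0 && --fail_on_call == 0)
		return NULL;
	return malloc(size);
}

/* Modelled on the fixed function: check before the first dereference. */
static int fan_add_map_model(struct vxlan_dev *vxlan, const struct ifla_fan_map *map)
{
	struct fan_map *fan_map = model_kmalloc(sizeof(*fan_map));

	if (!fan_map)
		return -ENOMEM;	/* nothing allocated or linked yet, no rollback */
	fan_map->underlay = map->underlay;
	fan_map->next = vxlan->maps;	/* hypothetical bookkeeping */
	vxlan->maps = fan_map;
	vxlan->nmaps++;
	return 0;
}

/* Drives one successful and one failing add; returns 0 when both behave. */
static int run_fault_injection_check(void)
{
	struct vxlan_dev dev = { NULL, 0 };
	struct ifla_fan_map req = { 0x0a000000u };	/* constructed value */
	int rc_ok = fan_add_map_model(&dev, &req);
	int rc_fail;

	fail_on_call = 1;	/* make the next allocation fail */
	rc_fail = fan_add_map_model(&dev, &req);
	/* Expect -ENOMEM, with the earlier entry left intact. */
	if (rc_ok != 0 || rc_fail != -ENOMEM || dev.nmaps != 1)
		return 1;
	free(dev.maps);
	return 0;
}

int main(void) { return run_fault_injection_check(); }
```

Removing the `if (!fan_map)` check from the model makes the second call write through a NULL pointer, which is the failure the report describes.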

** Description changed:

  [Impact]
  
  In the UBUNTU SAUCE VXLAN implementation for fan, in
  'vxlan_fan_add_map()' a memory chunk is allocated to hold the a fan_map
- structure. However, the return of 'kmalloc()' is not check, therefore it
- can lead to a NULL pointer dereference on allocation failure.
+ structure. However, the return of 'kmalloc()' is not checked, therefore
+ it can lead to a NULL pointer dereference on allocation failure.
  
  ---
  static int vxlan_fan_add_map(struct vxlan_dev *vxlan, struct ifla_fan_map 
*map)
  {
  [...]
-         fan_map = kmalloc(sizeof(*fan_map), GFP_KERNEL);
-         fan_map->underlay = map->underlay;
+         fan_map = kmalloc(sizeof(*fan_map), GFP_KERNEL);
+         fan_map->underlay = map->underlay;
  ---
  
  [Fix]
  
  The fix is a simple check whether the memory allocation failed and
  return an error if so. The function doesn't perform any other operation
  prior to calling 'kmalloc()' that needs to be rolled back on error,
  therefore it can simply return -ENOMEM.
  
  ---
-       fan_map = kmalloc(sizeof(*fan_map), GFP_KERNEL);
+   fan_map = kmalloc(sizeof(*fan_map), GFP_KERNEL);
  +     if (!fan_map)
  +             return -ENOMEM;
  ---
  
  [Test plan]
  
  I have not tested the fix functionally, as the issue is hard to
  reproduce. This code path is exercised by  the 'ubuntu_fan_smoke_test'
  regression tests.
  
  [Where problems could occur]
  
  The fix is straightforward, however if issues are to occur they will
  happen while creating new fan interface.

** Description changed:

  [Impact]
  
  In the UBUNTU SAUCE VXLAN implementation for fan, in
  'vxlan_fan_add_map()' a memory chunk is allocated to hold the a fan_map
  structure. However, the return of 'kmalloc()' is not checked, therefore
  it can lead to a NULL pointer dereference on allocation failure.
  
  ---
  static int vxlan_fan_add_map(struct vxlan_dev *vxlan, struct ifla_fan_map 
*map)
  {
  [...]
          fan_map = kmalloc(sizeof(*fan_map), GFP_KERNEL);
          fan_map->underlay = map->underlay;
  ---
  
  [Fix]
  
  The fix is a simple check whether the memory allocation failed and
  return an error if so. The function doesn't perform any other operation
  prior to calling 'kmalloc()' that needs to be rolled back on error,
  therefore it can simply return -ENOMEM.
  
  ---
    fan_map = kmalloc(sizeof(*fan_map), GFP_KERNEL);
- +     if (!fan_map)
- +             return -ENOMEM;
+ +        if (!fan_map)
+ +                return -ENOMEM;
  ---
  
  [Test plan]
  
  I have not tested the fix functionally, as the issue is hard to
  reproduce. This code path is exercised by  the 'ubuntu_fan_smoke_test'
  regression tests.
  
  [Where problems could occur]
  
  The fix is straightforward, however if issues are to occur they will
  happen while creating new fan interface.

https://bugs.launchpad.net/bugs/2125053

Title:
  UBUNTU: fan: fail to check kmalloc() return could cause a NULL pointer
  dereference

Status in linux package in Ubuntu:
  New
