From: YunJe Shin
To: Hannes Reinecke, Christoph Hellwig, Sagi Grimberg, Chaitanya Kulkarni
Cc: Keith Busch, linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, ioerts@kookmin.ac.kr
Subject: [PATCH] nvmet fabrics-cmd-auth.c: validate negotiate payload length (KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090)
Date: Wed, 11 Feb 2026 14:50:03 +0900
Message-ID: <20260211055036.2675866-1-ioerts@kookmin.ac.kr>
X-Mailer: git-send-email 2.43.0

AUTH_SEND negotiation expects at least one DH-HMAC-CHAP protocol descriptor.
Reject payloads shorter than that to avoid out-of-bounds reads.

[ 1224.388831] Call Trace:
[ 1224.388833]
[ 1224.388834] dump_stack_lvl+0x53/0x70
[ 1224.388839] print_report+0xd0/0x660
[ 1224.388843] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 1224.388847] ? kasan_save_track+0x14/0x30
[ 1224.388851] ? nvmet_execute_auth_send+0x1d24/0x2090
[ 1224.388854] kasan_report+0xce/0x100
[ 1224.388857] ? nvmet_execute_auth_send+0x1d24/0x2090
[ 1224.388860] nvmet_execute_auth_send+0x1d24/0x2090
[ 1224.388863] ? __pfx_inet_recvmsg+0x10/0x10
[ 1224.388868] ? sock_recvmsg+0x178/0x220
[ 1224.388871] nvmet_tcp_io_work+0x1709/0x2200
[ 1224.388875] ? __pfx_nvmet_tcp_io_work+0x10/0x10
[ 1224.388878] process_one_work+0x5e7/0xfe0
[ 1224.388882] ? assign_work+0x11d/0x370
[ 1224.388885] worker_thread+0x446/0xd00
[ 1224.388888] ? __pfx_worker_thread+0x10/0x10
[ 1224.388891] ? __pfx_worker_thread+0x10/0x10
[ 1224.388894] kthread+0x2c6/0x3b0
[ 1224.388896] ? recalc_sigpending+0x15c/0x1e0
[ 1224.388900] ? __pfx_kthread+0x10/0x10
[ 1224.388902] ret_from_fork+0x38d/0x5c0
[ 1224.388906] ? __pfx_ret_from_fork+0x10/0x10
[ 1224.388909] ? __switch_to+0xb13/0xea0
[ 1224.388912] ? __switch_to_asm+0x39/0x70
[ 1224.388916] ? __switch_to_asm+0x33/0x70
[ 1224.388918] ? __pfx_kthread+0x10/0x10
[ 1224.388920] ret_from_fork_asm+0x1a/0x30
[ 1224.388924]
[ 1224.388925]
[ 1224.403207] Allocated by task 670:
[ 1224.403446] kasan_save_stack+0x33/0x60
[ 1224.403723] kasan_save_track+0x14/0x30
[ 1224.403987] __kasan_kmalloc+0x8f/0xa0
[ 1224.404286] __kmalloc_noprof+0x18e/0x480
[ 1224.404631] nvmet_execute_auth_send+0x3be/0x2090
[ 1224.405016] nvmet_tcp_io_work+0x1709/0x2200
[ 1224.405356] process_one_work+0x5e7/0xfe0
[ 1224.405695] worker_thread+0x446/0xd00
[ 1224.405996] kthread+0x2c6/0x3b0
[ 1224.406256] ret_from_fork+0x38d/0x5c0
[ 1224.406578] ret_from_fork_asm+0x1a/0x30
[ 1224.406907]
[ 1224.407035] The buggy address belongs to the object at ffff88800a6537c0
[ 1224.407035]  which belongs to the cache kmalloc-8 of size 8
[ 1224.407998] The buggy address is located 0 bytes to the right of
[ 1224.407998]  allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
[ 1224.409014]
[ 1224.409155] The buggy address belongs to the physical page:
[ 1224.409669] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88800a653a00 pfn:0xa653
[ 1224.410401] flags: 0x100000000000200(workingset|node=0|zone=1)
[ 1224.410895] page_type: f5(slab)
[ 1224.411160] raw: 0100000000000200 ffff888007441500 ffff888007440210 ffff888007440210
[ 1224.411787] raw: ffff88800a653a00 0000000000800050 00000000f5000000 0000000000000000
[ 1224.412412] page dumped because: kasan: bad access detected
[ 1224.412866]
[ 1224.413006] Memory state around the buggy address:
[ 1224.413391]  ffff88800a653680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1224.413963]  ffff88800a653700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1224.414544] >ffff88800a653780: fc fc fc fc fc fc fc fc 00 fc fc fc fa fc fc fc
[ 1224.415045]                                            ^
[ 1224.415444]  ffff88800a653800: fa fc fc fc fa fc fc fc 06 fc fc fc 07 fc fc fc
[ 1224.416028]  ffff88800a653880: 07 fc fc fc 07 fc fc fc 07 fc fc fc 07 fc fc fc
[ 1224.416630] ==================================================================

Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
Signed-off-by: Yunje Shin
---
 drivers/nvme/target/fabrics-cmd-auth.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/f= abrics-cmd-auth.c index 5946681cb0e3..2bcee44b3395 100644 --- a/drivers/nvme/target/fabrics-cmd-auth.c +++ b/drivers/nvme/target/fabrics-cmd-auth.c @@ -289,6 +289,15 @@ void nvmet_execute_auth_send(struct nvmet_req *req) goto done_failure1; if (data->auth_type =3D=3D NVME_AUTH_COMMON_MESSAGES) { if (data->auth_id =3D=3D NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE) { + size_t min_len =3D sizeof(struct nvmf_auth_dhchap_negotiate_data) + + sizeof(struct nvmf_auth_dhchap_protocol_descriptor); + + if (tl < min_len) { + status =3D NVME_SC_INVALID_FIELD | NVME_STATUS_DNR; + req->error_loc =3D + offsetof(struct nvmf_auth_send_command, tl); + goto done_kfree; + } /* Restart negotiation */ pr_debug("%s: ctrl %d qid %d reset negotiation\n", __func__, ctrl->cntlid, req->sq->qid); --=20 2.43.0
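Review bot: the added `tl < min_len` check only guarantees room for one protocol descriptor after the negotiate header, and nothing in the hunk shows that the number of descriptors the payload advertises is also bounded by `tl`; if the parser walks more than one descriptor it can still read past the `tl`-sized buffer, so either state in the commit message why a single-descriptor minimum is sufficient or bound the descriptor count against `tl` at the same place. The minimum itself is consistent with the report above (an 8-byte payload in kmalloc-8, with the faulting access 0 bytes past its end, i.e. a header with no descriptor). Two smaller points: if `data` points at a struct whose `auth_protocol` is a flexible array member, `struct_size(data, auth_protocol, 1)` is the usual kernel way to spell this minimum rather than summing two `sizeof` terms; and the check sits only under the `NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE` branch, so it is worth confirming that the other `auth_id` cases this function handles, which the hunk does not show, have an equivalent minimum-length check before their payload fields are read.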