From: YunJe Shin
To: Hannes Reinecke, Christoph Hellwig, Sagi Grimberg, Chaitanya Kulkarni
Cc: Keith Busch, linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, ioerts@kookmin.ac.kr
Subject: [PATCH] nvmet: auth: validate dhchap id list lengths (KASAN: slab-out-of-bounds)
Date: Wed, 11 Feb 2026 15:58:18 +0900
Message-ID: <20260211065925.2878336-1-ioerts@kookmin.ac.kr>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org

Validate DH-HMAC-CHAP hash/DH list lengths before indexing the idlist halves to prevent out-of-bounds reads.

KASAN report:
[ 37.160829] Call Trace:
[ 37.160831]
[ 37.160832]  dump_stack_lvl+0x5f/0x80
[ 37.160837]  print_report+0xd1/0x640
[ 37.160842]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 37.160846]  ? kfree+0x137/0x390
[ 37.160850]  ? kasan_complete_mode_report_info+0x2a/0x200
[ 37.160854]  kasan_report+0xe5/0x120
[ 37.160856]  ? nvmet_execute_auth_send+0x19a9/0x1f00
[ 37.160860]  ? nvmet_execute_auth_send+0x19a9/0x1f00
[ 37.160863]  __asan_report_load1_noabort+0x18/0x20
[ 37.160866]  nvmet_execute_auth_send+0x19a9/0x1f00
[ 37.160870]  nvmet_tcp_io_work+0x17a8/0x2720
[ 37.160874]  ? __pfx_nvmet_tcp_io_work+0x10/0x10
[ 37.160877]  process_one_work+0x5e9/0x1020
[ 37.160881]  ? __kasan_check_write+0x18/0x20
[ 37.160885]  worker_thread+0x446/0xc80
[ 37.160889]  ? __pfx_worker_thread+0x10/0x10
[ 37.160891]  kthread+0x2d7/0x3c0
[ 37.160894]  ? __pfx_kthread+0x10/0x10
[ 37.160897]  ret_from_fork+0x39f/0x5d0
[ 37.160900]  ? __pfx_ret_from_fork+0x10/0x10
[ 37.160903]  ? __kasan_check_read+0x15/0x20
[ 37.160906]  ? __switch_to+0xb45/0xf90
[ 37.160910]  ? __switch_to_asm+0x39/0x70
[ 37.160914]  ? __pfx_kthread+0x10/0x10
[ 37.160916]  ret_from_fork_asm+0x1a/0x30
[ 37.160920]
[ 37.160921]
[ 37.174141] Allocated by task 11:
[ 37.174377]  kasan_save_stack+0x3d/0x60
[ 37.174697]  kasan_save_track+0x18/0x40
[ 37.175043]  kasan_save_alloc_info+0x3b/0x50
[ 37.175420]  __kasan_kmalloc+0x9c/0xa0
[ 37.175762]  __kmalloc_noprof+0x197/0x480
[ 37.176117]  nvmet_execute_auth_send+0x39e/0x1f00
[ 37.176529]  nvmet_tcp_io_work+0x17a8/0x2720
[ 37.176912]  process_one_work+0x5e9/0x1020
[ 37.177275]  worker_thread+0x446/0xc80
[ 37.177616]  kthread+0x2d7/0x3c0
[ 37.177906]  ret_from_fork+0x39f/0x5d0
[ 37.178238]  ret_from_fork_asm+0x1a/0x30
[ 37.178591]
[ 37.178735] The buggy address belongs to the object at ffff88800aecc800
[ 37.178735]  which belongs to the cache kmalloc-96 of size 96
[ 37.179790] The buggy address is located 0 bytes to the right of
[ 37.179790]  allocated 72-byte region [ffff88800aecc800, ffff88800aecc848)
[ 37.180931]
[ 37.181079] The buggy address belongs to the physical page:
[ 37.181572] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaecc
[ 37.182393] flags: 0x100000000000000(node=0|zone=1)
[ 37.182819] page_type: f5(slab)
[ 37.183080] raw: 0100000000000000 ffff888006c41280 dead000000000122 0000000000000000
[ 37.183730] raw: 0000000000000000 0000000000200020 00000000f5000000 0000000000000000
[ 37.184333] page dumped because: kasan: bad access detected
[ 37.184783]
[ 37.184918] Memory state around the buggy address:
[ 37.185315]  ffff88800aecc700: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 37.185835]  ffff88800aecc780: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 37.186336] >ffff88800aecc800: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[ 37.186839]                                               ^
[ 37.187255]  ffff88800aecc880: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 37.187763]  ffff88800aecc900: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 37.188261] ====================
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D [ 37.188938] =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication") Signed-off-by: YunJe Shin Reviewed-by: Hannes Reinecke --- drivers/nvme/target/fabrics-cmd-auth.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/f= abrics-cmd-auth.c index 5946681cb0e3..8ad3255aec4a 100644 --- a/drivers/nvme/target/fabrics-cmd-auth.c +++ b/drivers/nvme/target/fabrics-cmd-auth.c @@ -36,6 +36,7 @@ static u8 nvmet_auth_negotiate(struct nvmet_req *req, voi= d *d) struct nvmet_ctrl *ctrl =3D req->sq->ctrl; struct nvmf_auth_dhchap_negotiate_data *data =3D d; int i, hash_id =3D 0, fallback_hash_id =3D 0, dhgid, fallback_dhgid; + size_t idlist_half; =20 pr_debug("%s: ctrl %d qid %d: data sc_d %d napd %d authid %d halen %d dhl= en %d\n", __func__, ctrl->cntlid, req->sq->qid, @@ -72,6 +73,15 @@ static u8 nvmet_auth_negotiate(struct nvmet_req *req, vo= id *d) NVME_AUTH_DHCHAP_AUTH_ID) return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD; =20 + /* + * idlist[0..idlist_half-1]: hash IDs + * idlist[idlist_half..]: DH group IDs + */ + idlist_half =3D sizeof(data->auth_protocol[0].dhchap.idlist) / 2; + if (data->auth_protocol[0].dhchap.halen > idlist_half || + data->auth_protocol[0].dhchap.dhlen > idlist_half) + return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD; + for (i =3D 0; i < data->auth_protocol[0].dhchap.halen; i++) { u8 host_hmac_id =3D data->auth_protocol[0].dhchap.idlist[i]; =20 
@@ -98,7 +108,8 @@ static u8 nvmet_auth_negotiate(struct nvmet_req *req, vo= id *d) dhgid =3D -1; fallback_dhgid =3D -1; for (i =3D 0; i < data->auth_protocol[0].dhchap.dhlen; i++) { - int tmp_dhgid =3D data->auth_protocol[0].dhchap.idlist[i + 30]; + int tmp_dhgid =3D + data->auth_protocol[0].dhchap.idlist[i + idlist_half]; =20 if (tmp_dhgid !=3D ctrl->dh_gid) { dhgid =3D tmp_dhgid; --=20 2.43.0
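Review bot: in the first hunk (@@ -36,6 +36,7 @@), `idlist_half` is only ever assigned `sizeof(data->auth_protocol[0].dhchap.idlist) / 2`, a compile-time constant, so a named constant next to the idlist declaration (or at least a `const size_t` here) would document the 30/30 split where the array lives and keep any other user of the same layout from re-deriving it; as a plain mutable local it reads as if it could vary per request.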
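Review bot: the bound in the second hunk (@@ -72,6 +73,15 @@) is correct as written: `halen > idlist_half || dhlen > idlist_half` rejects exactly the values that would push `idlist[i]` past index idlist_half-1 or `idlist[i + idlist_half]` past the end of the array, and reusing NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD, the status the authid check just above returns, is the right way to report a malformed payload. One thing to confirm rather than change: this hunk bounds the counts, not the buffer, so it assumes the whole descriptor was received. The KASAN report's 72-byte object with the fault 0 bytes past it is consistent with a full descriptor being present, so the reported case is covered; it is still worth confirming that the caller rejects transfer lengths shorter than the full descriptor before this function indexes idlist, and a one-line comment stating that guarantee would make the invariant explicit.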
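Review bot: replacing the hard-coded `30` with `idlist_half` in the third hunk (@@ -98,7 +108,8 @@) is behaviour-preserving only while sizeof(idlist) is exactly 60. The KASAN report is consistent with that (a 72-byte allocation read at the first byte past its end is what indexing past a 60-entry idlist would produce), but nothing in the patch pins it: a `BUILD_BUG_ON(sizeof(data->auth_protocol[0].dhchap.idlist) != 2 * 30)` beside the new check, or a one-line comment that the halves are 30 entries each, would catch a future change to the struct that silently moves the DH group IDs. Wrapping the assignment over two lines is fine for the 80-column limit.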
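To make the bounds the patch enforces concrete, here is an added user-space model of the DH-HMAC-CHAP negotiate descriptor (my own example, not code from the kernel or from this patch). It assumes the 60-byte idlist split into 30 hash IDs and 30 DH group IDs that the removed `+ 30` implies; the names check_negotiate, run_sample and the NEG_* codes are mine, and it also adds the buffer-length precondition the patch relies on but does not itself check.

```c
/* Added example, not the kernel's code: a user-space model of the
 * descriptor the patch indexes (auth_protocol[0].dhchap). Assumed
 * layout: 4 header bytes then a 60-byte idlist, hash IDs in the first
 * half and DH group IDs in the second, matching the removed "+ 30". */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct dhchap_descriptor {
    uint8_t authid, rsvd;
    uint8_t halen;      /* number of hash IDs, stored from idlist[0]      */
    uint8_t dhlen;      /* number of DH group IDs, stored from idlist[30] */
    uint8_t idlist[60];
};
#define IDLIST_HALF (sizeof(((struct dhchap_descriptor *)0)->idlist) / 2)
enum { NEG_OK = 0, NEG_SHORT = 1, NEG_BAD_LEN = 2 };

/* Validate a received descriptor and copy out both ID lists. */
int check_negotiate(const uint8_t *buf, size_t len,
                    uint8_t *hash_ids, uint8_t *dh_ids)
{
    struct dhchap_descriptor d;
    if (len < sizeof(d))        /* the patch assumes a full descriptor */
        return NEG_SHORT;
    memcpy(&d, buf, sizeof(d));
    /* The patch's check: each count may fill at most its own half. */
    if (d.halen > IDLIST_HALF || d.dhlen > IDLIST_HALF)
        return NEG_BAD_LEN;
    memcpy(hash_ids, d.idlist, d.halen);              /* [0, halen)     */
    memcpy(dh_ids, d.idlist + IDLIST_HALF, d.dhlen);  /* [30, 30+dhlen) */
    return NEG_OK;
}

/* Constructed (not captured) descriptor, truncated to len bytes; checks it
 * and confirms the copied IDs are the ones placed below. */
int run_sample(uint8_t halen, uint8_t dhlen, size_t len)
{
    uint8_t buf[sizeof(struct dhchap_descriptor)] = {0};
    uint8_t hash_ids[IDLIST_HALF], dh_ids[IDLIST_HALF];
    int rc;
    buf[0] = 1;                       /* authid (constructed value)    */
    buf[2] = halen; buf[3] = dhlen;
    buf[4] = 7; buf[5] = 8;           /* two hash IDs (constructed)    */
    buf[4 + IDLIST_HALF] = 9;         /* one DH group ID (constructed) */
    rc = check_negotiate(buf, len < sizeof(buf) ? len : sizeof(buf),
                         hash_ids, dh_ids);
    if (rc == NEG_OK && ((halen && hash_ids[0] != 7) ||
                         (dhlen && dh_ids[0] != 9)))
        return -1;                    /* copied from the wrong half */
    return rc;
}
```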