drivers/nvme/target/fabrics-cmd-auth.c | 48 +++++++++++++++++--------- 1 file changed, 32 insertions(+), 16 deletions(-)
From: Yunje Shin <ioerts@kookmin.ac.kr>
AUTH_SEND negotiation requires at least one DH-HMAC-CHAP protocol descriptor.
Validate the payload length before parsing the negotiate payload to avoid
out-of-bounds reads.
KASAN splat:
[ 1224.388857] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090
[ 1224.407035] The buggy address belongs to the cache kmalloc-8 of size 8
[ 1224.407998] allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
[ 1224.412412] page dumped because: kasan: bad access detected
Use struct_size() for minimum length computation and move the negotiate
restart flow into a helper so the call site stays compact.
Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
Signed-off-by: Yunje Shin <ioerts@kookmin.ac.kr>
---
v2:
- use struct_size() for negotiate payload minimum length
- split negotiate handling into nvmet_restart_dhchap_auth() helper
- use NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead of NVMe status
drivers/nvme/target/fabrics-cmd-auth.c | 48 +++++++++++++++++---------
1 file changed, 32 insertions(+), 16 deletions(-)
diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
index 5946681cb0e3..3773980bcb1c 100644
--- a/drivers/nvme/target/fabrics-cmd-auth.c
+++ b/drivers/nvme/target/fabrics-cmd-auth.c
@@ -231,6 +231,36 @@ u32 nvmet_auth_send_data_len(struct nvmet_req *req)
return le32_to_cpu(req->cmd->auth_send.tl);
}
+static bool nvmet_restart_dhchap_auth(struct nvmet_req *req, void *d, u32 tl)
+{
+ struct nvmet_ctrl *ctrl = req->sq->ctrl;
+ struct nvmf_auth_dhchap_negotiate_data *neg = d;
+ u8 dhchap_status;
+ size_t min_len = struct_size(neg, auth_protocol, 1);
+
+ if (tl < min_len) {
+ req->sq->dhchap_status = NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
+ req->sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_FAILURE1;
+ return false;
+ }
+
+ /* Restart negotiation */
+ pr_debug("%s: ctrl %d qid %d reset negotiation\n",
+ __func__, ctrl->cntlid, req->sq->qid);
+ if (!req->sq->qid) {
+ dhchap_status = nvmet_setup_auth(ctrl, req->sq);
+ if (dhchap_status) {
+ pr_err("ctrl %d qid 0 failed to setup re-authentication\n",
+ ctrl->cntlid);
+ req->sq->dhchap_status = dhchap_status;
+ req->sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_FAILURE1;
+ return false;
+ }
+ }
+ req->sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE;
+ return true;
+}
+
void nvmet_execute_auth_send(struct nvmet_req *req)
{
struct nvmet_ctrl *ctrl = req->sq->ctrl;
@@ -289,22 +319,8 @@ void nvmet_execute_auth_send(struct nvmet_req *req)
goto done_failure1;
if (data->auth_type == NVME_AUTH_COMMON_MESSAGES) {
if (data->auth_id == NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE) {
- /* Restart negotiation */
- pr_debug("%s: ctrl %d qid %d reset negotiation\n",
- __func__, ctrl->cntlid, req->sq->qid);
- if (!req->sq->qid) {
- dhchap_status = nvmet_setup_auth(ctrl, req->sq);
- if (dhchap_status) {
- pr_err("ctrl %d qid 0 failed to setup re-authentication\n",
- ctrl->cntlid);
- req->sq->dhchap_status = dhchap_status;
- req->sq->dhchap_step =
- NVME_AUTH_DHCHAP_MESSAGE_FAILURE1;
- goto done_kfree;
- }
- }
- req->sq->dhchap_step =
- NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE;
+ if (!nvmet_restart_dhchap_auth(req, d, tl))
+ goto done_kfree;
} else if (data->auth_id != req->sq->dhchap_step)
goto done_failure1;
/* Validate negotiation parameters */
--
2.43.0On Thu, Feb 12, 2026 at 10:33:18AM +0900, YunJe Shin wrote:
> From: Yunje Shin <ioerts@kookmin.ac.kr>
>
> AUTH_SEND negotiation requires at least one DH-HMAC-CHAP protocol descriptor.
> Validate the payload length before parsing the negotiate payload to avoid
> out-of-bounds reads.
>
> KASAN splat:
> [ 1224.388857] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090
> [ 1224.407035] The buggy address belongs to the cache kmalloc-8 of size 8
> [ 1224.407998] allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
> [ 1224.412412] page dumped because: kasan: bad access detected
>
> Use struct_size() for minimum length computation and move the negotiate
> restart flow into a helper so the call site stays compact.
>
> Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
> Signed-off-by: Yunje Shin <ioerts@kookmin.ac.kr>
> ---
> v2:
> - use struct_size() for negotiate payload minimum length
> - split negotiate handling into nvmet_restart_dhchap_auth() helper
> - use NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead of NVMe status
>
> drivers/nvme/target/fabrics-cmd-auth.c | 48 +++++++++++++++++---------
> 1 file changed, 32 insertions(+), 16 deletions(-)
> ...
> + size_t min_len = struct_size(neg, auth_protocol, 1);
Maybe this could have been struct_size(neg, auth_protocol, neg->napd)?
But the target code also enforces napd == 1, so it ends up being the same.
Reviewed-by: Chris Leech <cleech@redhat.com>
On Wed, Mar 11, 2026 at 5:47 AM Chris Leech <cleech@redhat.com> wrote: > Maybe this could have been struct_size(neg, auth_protocol, neg->napd)? > But the target code also enforces napd == 1, so it ends up being the same. > > Reviewed-by: Chris Leech <cleech@redhat.com> I hardcoded 1 rather than using neg->napd since napd comes from the wire — if a malicious host sends napd=0, struct_size() would only require the 8-byte header, and the subsequent access to auth_protocol[0] in nvmet_auth_negotiate() would still be out of bounds. Since the target enforces napd == 1 anyway, the end result is the same as you noted. Thanks Yunje Shin
Hi Keith,
Just following up on this patch. It fixes a network-reachable KASAN
slab-out-of-bounds in
nvmet_execute_auth_send().
Could this be queued for nvme-fixes?
Thanks,
Yunje Shin
On Wed, Mar 11, 2026 at 5:47 AM Chris Leech <cleech@redhat.com> wrote:
>
> On Thu, Feb 12, 2026 at 10:33:18AM +0900, YunJe Shin wrote:
> > From: Yunje Shin <ioerts@kookmin.ac.kr>
> >
> > AUTH_SEND negotiation requires at least one DH-HMAC-CHAP protocol descriptor.
> > Validate the payload length before parsing the negotiate payload to avoid
> > out-of-bounds reads.
> >
> > KASAN splat:
> > [ 1224.388857] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090
> > [ 1224.407035] The buggy address belongs to the cache kmalloc-8 of size 8
> > [ 1224.407998] allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
> > [ 1224.412412] page dumped because: kasan: bad access detected
> >
> > Use struct_size() for minimum length computation and move the negotiate
> > restart flow into a helper so the call site stays compact.
> >
> > Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
> > Signed-off-by: Yunje Shin <ioerts@kookmin.ac.kr>
> > ---
> > v2:
> > - use struct_size() for negotiate payload minimum length
> > - split negotiate handling into nvmet_restart_dhchap_auth() helper
> > - use NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead of NVMe status
> >
> > drivers/nvme/target/fabrics-cmd-auth.c | 48 +++++++++++++++++---------
> > 1 file changed, 32 insertions(+), 16 deletions(-)
> > ...
> > + size_t min_len = struct_size(neg, auth_protocol, 1);
>
> Maybe this could have been struct_size(neg, auth_protocol, neg->napd)?
> But the target code also enforces napd == 1, so it ends up being the same.
>
> Reviewed-by: Chris Leech <cleech@redhat.com>
>
On 2/12/26 02:33, YunJe Shin wrote:
> From: Yunje Shin <ioerts@kookmin.ac.kr>
>
> AUTH_SEND negotiation requires at least one DH-HMAC-CHAP protocol descriptor.
> Validate the payload length before parsing the negotiate payload to avoid
> out-of-bounds reads.
>
> KASAN splat:
> [ 1224.388857] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090
> [ 1224.407035] The buggy address belongs to the cache kmalloc-8 of size 8
> [ 1224.407998] allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
> [ 1224.412412] page dumped because: kasan: bad access detected
>
> Use struct_size() for minimum length computation and move the negotiate
> restart flow into a helper so the call site stays compact.
>
> Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
> Signed-off-by: Yunje Shin <ioerts@kookmin.ac.kr>
> ---
> v2:
> - use struct_size() for negotiate payload minimum length
> - split negotiate handling into nvmet_restart_dhchap_auth() helper
> - use NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead of NVMe status
>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
Hi,
Gentle ping on this patch.
I wanted to check if it can be queued.
Thanks,
Yunje Shin
On Thu, Feb 12, 2026 at 8:03 PM Hannes Reinecke <hare@suse.de> wrote:
>
> On 2/12/26 02:33, YunJe Shin wrote:
> > From: Yunje Shin <ioerts@kookmin.ac.kr>
> >
> > AUTH_SEND negotiation requires at least one DH-HMAC-CHAP protocol descriptor.
> > Validate the payload length before parsing the negotiate payload to avoid
> > out-of-bounds reads.
> >
> > KASAN splat:
> > [ 1224.388857] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090
> > [ 1224.407035] The buggy address belongs to the cache kmalloc-8 of size 8
> > [ 1224.407998] allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
> > [ 1224.412412] page dumped because: kasan: bad access detected
> >
> > Use struct_size() for minimum length computation and move the negotiate
> > restart flow into a helper so the call site stays compact.
> >
> > Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
> > Signed-off-by: Yunje Shin <ioerts@kookmin.ac.kr>
> > ---
> > v2:
> > - use struct_size() for negotiate payload minimum length
> > - split negotiate handling into nvmet_restart_dhchap_auth() helper
> > - use NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead of NVMe status
> >
> Reviewed-by: Hannes Reinecke <hare@suse.de>
>
> Cheers,
>
> Hannes
> --
> Dr. Hannes Reinecke Kernel Storage Architect
> hare@suse.de +49 911 74053 688
> SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
> HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
Hi Keith,
Could you take a look at this patch when you get a chance?
It fixes a KASAN slab-out-of-bounds in nvmet_execute_auth_send() by
validating the negotiate payload length before parsing.
Just wanted to check if this can be queued.
Thanks,
Yunje Shin
On Mon, Mar 9, 2026 at 12:12 AM yunje shin <yjshin0438@gmail.com> wrote:
>
> Hi,
> Gentle ping on this patch.
> I wanted to check if it can be queued.
>
> Thanks,
> Yunje Shin
>
> On Thu, Feb 12, 2026 at 8:03 PM Hannes Reinecke <hare@suse.de> wrote:
> >
> > On 2/12/26 02:33, YunJe Shin wrote:
> > > From: Yunje Shin <ioerts@kookmin.ac.kr>
> > >
> > > AUTH_SEND negotiation requires at least one DH-HMAC-CHAP protocol descriptor.
> > > Validate the payload length before parsing the negotiate payload to avoid
> > > out-of-bounds reads.
> > >
> > > KASAN splat:
> > > [ 1224.388857] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090
> > > [ 1224.407035] The buggy address belongs to the cache kmalloc-8 of size 8
> > > [ 1224.407998] allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
> > > [ 1224.412412] page dumped because: kasan: bad access detected
> > >
> > > Use struct_size() for minimum length computation and move the negotiate
> > > restart flow into a helper so the call site stays compact.
> > >
> > > Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
> > > Signed-off-by: Yunje Shin <ioerts@kookmin.ac.kr>
> > > ---
> > > v2:
> > > - use struct_size() for negotiate payload minimum length
> > > - split negotiate handling into nvmet_restart_dhchap_auth() helper
> > > - use NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead of NVMe status
> > >
> > Reviewed-by: Hannes Reinecke <hare@suse.de>
> >
> > Cheers,
> >
> > Hannes
> > --
> > Dr. Hannes Reinecke Kernel Storage Architect
> > hare@suse.de +49 911 74053 688
> > SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
> > HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
© 2016 - 2026 Red Hat, Inc.