From: YunJe Shin
To: hare@suse.de, cleech@redhat.com
Cc: hch@lst.de, ioerts@kookmin.ac.kr, kbusch@kernel.org, kch@nvidia.com, linux-kernel@vger.kernel.org, linux-nvme@lists.infradead.org, sagi@grimberg.me, yjshin0438@gmail.com, stable@kernel.org
Subject: [PATCH v2] nvmet: auth: validate dhchap id list lengths
Date: Fri, 13 Mar 2026 14:24:09 +0900
Message-ID: <20260313052444.3865842-1-ioerts@kookmin.ac.kr>
From: Yunje Shin

The function nvmet_auth_negotiate() parses the idlist array in the struct nvmf_auth_dhchap_protocol_descriptor payload. This array is 60 bytes and is logically divided into two 30-byte halves: the first half for HMAC IDs and the second half for DH group IDs.

The current code uses a hardcoded +30 offset for the DH list, but does not validate halen and dhlen against the per-half bounds. As a result, if a malicious host sends halen or dhlen larger than 30, the loop can read past the 60-byte array into adjacent slab memory, triggering a KASAN slab-out-of-bounds read.

KASAN splat:

[    4.241646] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x19b8/0x2090
[    4.242874] Read of size 1 at addr ffff8881045754e8 by task kworker/1:1H/41
[    4.265342] The buggy address belongs to the cache kmalloc-96 of size 96
[    4.266291] allocated 72-byte region [ffff8881045754a0, ffff8881045754e8)
[    4.270337] page dumped because: kasan: bad access detected

This patch fixes the issue by introducing NVME_AUTH_DHCHAP_MAX_HASH_IDS and NVME_AUTH_DHCHAP_MAX_DH_IDS, defined as 30, which explicitly indicate the maximum boundaries allowed per the NVMe specification. The lengths halen and dhlen are validated against these boundaries before processing, preventing the out-of-bounds reads.

Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
Cc: stable@kernel.org
Signed-off-by: Yunje Shin
Reviewed-by: Hannes Reinecke
Reviewed-by: Chris Leech
---
v2:
- Replaced the runtime 'sizeof' calculation (idlist_half) with explicit
  NVME_AUTH_DHCHAP_MAX_HASH_IDS and NVME_AUTH_DHCHAP_MAX_DH_IDS macros
  to clearly reflect the 30:30 split limit per Chris Leech's feedback.

 drivers/nvme/target/fabrics-cmd-auth.c | 11 ++++++++++-
 include/linux/nvme.h                   |  2 ++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
index 5946681cb0e3..acba4878a873 100644
--- a/drivers/nvme/target/fabrics-cmd-auth.c +++ b/drivers/nvme/target/fabrics-cmd-auth.c @@ -72,6 +72,14 @@ static u8 nvmet_auth_negotiate(struct nvmet_req *req, vo= id *d) NVME_AUTH_DHCHAP_AUTH_ID) return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD; =20 + /* + * idlist[0..29]: hash IDs + * idlist[30..59]: DH group IDs + */ + if (data->auth_protocol[0].dhchap.halen > NVME_AUTH_DHCHAP_MAX_HASH_IDS || + data->auth_protocol[0].dhchap.dhlen > NVME_AUTH_DHCHAP_MAX_DH_IDS) + return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD; + for (i =3D 0; i < data->auth_protocol[0].dhchap.halen; i++) { u8 host_hmac_id =3D data->auth_protocol[0].dhchap.idlist[i]; =20 @@ -97,7 +105,8 @@ static u8 nvmet_auth_negotiate(struct nvmet_req *req, vo= id *d) dhgid =3D -1; fallback_dhgid =3D -1; for (i =3D 0; i < data->auth_protocol[0].dhchap.dhlen; i++) { - int tmp_dhgid =3D data->auth_protocol[0].dhchap.idlist[i + 30]; + int tmp_dhgid =3D + data->auth_protocol[0].dhchap.idlist[i + NVME_AUTH_DHCHAP_MAX_HASH_IDS]; =20 if (tmp_dhgid !=3D ctrl->dh_gid) { dhgid =3D tmp_dhgid; diff --git a/include/linux/nvme.h b/include/linux/nvme.h index b09dcaf5bcbc..ea0393ab16fc 100644 --- a/include/linux/nvme.h +++ b/include/linux/nvme.h @@ -1824,6 +1824,8 @@ struct nvmf_auth_dhchap_protocol_descriptor { __u8 dhlen; __u8 idlist[60]; }; +#define NVME_AUTH_DHCHAP_MAX_HASH_IDS 30 +#define NVME_AUTH_DHCHAP_MAX_DH_IDS 30 =20 enum { NVME_AUTH_DHCHAP_AUTH_ID =3D 0x01, --=20 2.43.0
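Review bot: in the first fabrics-cmd-auth.c hunk the per-half check is the right bound, and it is worth stating in the new comment why a combined `halen + dhlen <= 60` test would not be enough: the DH loop always starts at `idlist[i + NVME_AUTH_DHCHAP_MAX_HASH_IDS]`, so `dhlen > 30` overruns the array even when `halen` is 0, and `halen > 30` silently walks the hash loop into the DH half. A one-line addition to the comment, e.g. `* each half is bounded independently because the DH list always starts at offset 30`, would keep the next reader from "simplifying" it back to a sum check. The check also returns `NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD` consistently with the auth-ID check just above it, which is the correct failure reason for a malformed negotiate payload.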
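Review bot: in the include/linux/nvme.h hunk the two new macros sum to 60 only by convention; nothing ties them to `__u8 idlist[60];` two lines above, so a future change to either side could desynchronise the bound check from the array. Consider either sizing the array from the macros (`__u8 idlist[NVME_AUTH_DHCHAP_MAX_HASH_IDS + NVME_AUTH_DHCHAP_MAX_DH_IDS];`) or adding a `static_assert(NVME_AUTH_DHCHAP_MAX_HASH_IDS + NVME_AUTH_DHCHAP_MAX_DH_IDS == 60);` next to the defines, so the relationship the comment in the first hunk describes (`idlist[0..29]` / `idlist[30..59]`) is enforced at build time. A short comment on the defines noting that the 30:30 split is the spec limit, as the cover text says, would also help, since the header is the place readers will look for it.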
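To make the bound the patch introduces concrete, here is an added user-space model of how nvmet_auth_negotiate() walks the idlist halves, with the new halen/dhlen check applied before either loop; it is example code written for this discussion, not code from the patch or the kernel. The struct carries only the fields visible in the hunks, the status values and the dhchap_parse/dhchap_parse_from names are constructed for the model, and the input descriptors are built from constructed values.

```c
#include <stdint.h>
#include <string.h>
/* Limits introduced by the patch: idlist[60] is split 30:30. */
#define NVME_AUTH_DHCHAP_MAX_HASH_IDS 30
#define NVME_AUTH_DHCHAP_MAX_DH_IDS   30
/* Trailing fields of the descriptor as in the patch; leading fields omitted. */
struct dhchap_desc {
	uint8_t halen;      /* count of hash IDs in idlist[0..29] */
	uint8_t dhlen;      /* count of DH group IDs in idlist[30..59] */
	uint8_t idlist[60];
};
/* Model status codes (constructed, not the kernel's enum values). */
enum { MODEL_OK = 0, MODEL_INCORRECT_PAYLOAD = 1 };
struct dhchap_result {
	int status;
	int first_hash_id;  /* -1 when no hash ID was offered */
	int first_dhgid;    /* -1 when no DH group ID was offered */
};

/* Walks idlist the way nvmet_auth_negotiate() does, with the patch's
 * per-half bound check applied before either loop touches the array. */
static struct dhchap_result dhchap_parse(const struct dhchap_desc *d)
{
	struct dhchap_result r = { MODEL_OK, -1, -1 };
	size_t i;
	/* halen and dhlen are host-controlled u8 values; reject before indexing. */
	if (d->halen > NVME_AUTH_DHCHAP_MAX_HASH_IDS ||
	    d->dhlen > NVME_AUTH_DHCHAP_MAX_DH_IDS) {
		r.status = MODEL_INCORRECT_PAYLOAD;
		return r;
	}
	for (i = 0; i < d->halen && r.first_hash_id < 0; i++)
		r.first_hash_id = d->idlist[i];                /* index <= 29 */
	for (i = 0; i < d->dhlen && r.first_dhgid < 0; i++)
		r.first_dhgid = d->idlist[i + NVME_AUTH_DHCHAP_MAX_HASH_IDS]; /* <= 59 */
	return r;
}

/* Builds a descriptor from constructed values and parses it. */
static struct dhchap_result dhchap_parse_from(uint8_t halen, uint8_t dhlen,
					      uint8_t hash_id, uint8_t dhgid)
{
	struct dhchap_desc d;
	memset(&d, 0, sizeof(d));
	d.halen = halen;
	d.dhlen = dhlen;
	d.idlist[0] = hash_id;
	d.idlist[NVME_AUTH_DHCHAP_MAX_HASH_IDS] = dhgid;
	return dhchap_parse(&d);
}
```

With the check removed, a descriptor with dhlen = 255 would make the second loop index idlist[30..284], which is the pattern behind the KASAN report above.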