From: Michael Bommarito
To: Hannes Reinecke, Christoph Hellwig, Sagi Grimberg, Chaitanya Kulkarni
Cc: Jens Axboe, linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH] nvmet-auth: reject short AUTH_RECEIVE buffers
Date: Sat, 6 Jun 2026 14:13:06 -0400
Message-ID: <20260606181306.1651139-1-michael.bommarito@gmail.com>

nvmet_execute_auth_receive() trusts the AUTH_RECEIVE allocation length after checking only that it is nonzero and matches the transfer length. In SUCCESS1 and FAILURE1/default states, that lets a remote NVMe-oF initiator reach fixed-size DHCHAP response builders with a kmalloc() buffer shorter than the response, so the builder writes past the allocation.

Reject AUTH_RECEIVE commands whose allocation length is shorter than the response for the current state before allocating the buffer. Keep the existing CHALLENGE variable-length guard in nvmet_auth_challenge().

This is the AUTH_RECEIVE response-write counterpart to the separately posted AUTH_SEND read-side bounds fix in nvmet_auth_reply() [1]; the two paths do not overlap.

Link: https://lore.kernel.org/all/f4aca9b14e74a7f7f8cd9620e13cc32a6a2b7746@linux.dev/ [1]
Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
Cc: stable@vger.kernel.org
Assisted-by: Codex:gpt-5-5-xhigh
Signed-off-by: Michael Bommarito --- A temporary KUnit harness, not included in this patch, ran under UML with KASAN enabled. The stock run crashed in nvmet_execute_auth_receive() on the SUCCESS1 path with "memset: detected buffer overflow: 16 byte write of buffer size 1"; the patched run passed the same harness. The harness source is available on request. drivers/nvme/target/fabrics-cmd-auth.c | 27 ++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/f= abrics-cmd-auth.c index f1e613e7c63e5..77c7b412a8691 100644 --- a/drivers/nvme/target/fabrics-cmd-auth.c +++ b/drivers/nvme/target/fabrics-cmd-auth.c @@ -487,11 +487,30 @@ u32 nvmet_auth_receive_data_len(struct nvmet_req *req) return le32_to_cpu(req->cmd->auth_receive.al); } =20 +static u32 nvmet_auth_receive_min_len(struct nvmet_req *req) +{ + struct nvmet_ctrl *ctrl =3D req->sq->ctrl; + u32 hash_len =3D 0; + + switch (req->sq->dhchap_step) { + case NVME_AUTH_DHCHAP_MESSAGE_CHALLENGE: + return 0; + case NVME_AUTH_DHCHAP_MESSAGE_SUCCESS1: + if (req->sq->dhchap_c2) + hash_len =3D nvme_auth_hmac_hash_len(ctrl->shash_id); + + return sizeof(struct nvmf_auth_dhchap_success1_data) + hash_len; + default: + return sizeof(struct nvmf_auth_dhchap_failure_data); + } +} + void nvmet_execute_auth_receive(struct nvmet_req *req) { struct nvmet_ctrl *ctrl =3D req->sq->ctrl; void *d; u32 al; + u32 min_len; u16 status =3D 0; =20 if (req->cmd->auth_receive.secp !=3D NVME_AUTH_DHCHAP_PROTOCOL_IDENTIFIER= ) { @@ -524,6 +543,14 @@ void nvmet_execute_auth_receive(struct nvmet_req *req) return; } =20 + min_len =3D nvmet_auth_receive_min_len(req); + if (al < min_len) { + status =3D NVME_SC_INVALID_FIELD | NVME_STATUS_DNR; + req->error_loc =3D + offsetof(struct nvmf_auth_receive_command, al); + goto done; + } + d =3D kmalloc(al, GFP_KERNEL); if (!d) { status =3D NVME_SC_INTERNAL; --=20 2.53.0
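Review bot: in the first hunk, nvmet_auth_receive_min_len() returns 0 for NVME_AUTH_DHCHAP_MESSAGE_CHALLENGE, which makes the later `al < min_len` test a no-op for that step and leaves the CHALLENGE length entirely to the existing guard in nvmet_auth_challenge(); a one-line comment on that `return 0;` saying exactly that would stop a future reader from taking 0 as "no minimum needed". The SUCCESS1 and default branches hard-code `sizeof(struct nvmf_auth_dhchap_success1_data) + hash_len` and `sizeof(struct nvmf_auth_dhchap_failure_data)`, which duplicates the sizes the fixed-size response builders write; a short kernel-doc header or comment stating that these values must track the builders would make the coupling explicit, since nothing in the code enforces it. The `hash_len` contribution is only added when `req->sq->dhchap_c2` is set, so a SUCCESS1 without a C2 is allowed to be exactly the bare header; that matches the commit message, but it is worth a comment as well.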
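Review bot: in the second hunk, the new `goto done` after the `al < min_len` test reaches the completion label with `d` still uninitialised (`void *d;` in the declarations), the same way the `if (!d)` kmalloc() failure path directly below it does, so this is safe only if `done:` does not kfree(d); please confirm rather than assume, and if that label does free, initialise `d = NULL`. Placing the check ahead of `kmalloc(al, GFP_KERNEL)` is the right spot: a rejected command never allocates, and `req->error_loc = offsetof(struct nvmf_auth_receive_command, al)` tells the initiator which field was wrong. Note that this adds only a lower bound on `al`; the upper bound continues to come from the pre-existing check that `al` matches the transfer length, which this patch does not touch.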
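The bug the commit message describes, as an added userspace model that is not part of this patch or of the kernel tree: a fixed-size builder writes its whole message into a buffer whose length the initiator chose, so any `al` below the message size overruns the allocation, and the fix is to compute the per-state minimum and reject before allocating. The struct layouts are assumed to match include/linux/nvme.h (a 16-byte SUCCESS1 header followed by `hl` bytes of response value, an 8-byte failure message); the hash lengths 32/48/64 are the SHA-256/384/512 output sizes; the function names (`auth_receive_min_len`, `run_unchecked`, `run_checked`) and the canary-padded allocation that stands in for KASAN are this example's own.

```c
/*
 * Added userspace model, not kernel code. Layouts are assumed to match
 * include/linux/nvme.h: SUCCESS1 header is 16 bytes followed by hl bytes
 * of response value; the failure message is 8 bytes.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum dhchap_step { STEP_CHALLENGE, STEP_SUCCESS1, STEP_FAILURE1 };

struct success1_data {
	uint8_t auth_type, auth_id;
	uint16_t rsvd1;
	uint16_t t_id;
	uint8_t hl, rsvd2, rvalid;
	uint8_t rsvd3[7];
	uint8_t rval[];		/* hl bytes of response, written only when a C2 exists */
};

struct failure_data {
	uint8_t auth_type, auth_id;
	uint16_t rsvd1;
	uint16_t t_id;
	uint8_t rescode, rescode_exp;
};

/* Shortest response the target writes for the current step. CHALLENGE is
 * variable length and bounded by the challenge builder, so no minimum here. */
size_t auth_receive_min_len(enum dhchap_step step, bool have_c2, size_t hash_len)
{
	switch (step) {
	case STEP_CHALLENGE:
		return 0;
	case STEP_SUCCESS1:
		return sizeof(struct success1_data) + (have_c2 ? hash_len : 0);
	default:
		return sizeof(struct failure_data);
	}
}

/* Patched flow: validate before allocating. 0 = accept, -1 = INVALID_FIELD. */
int auth_receive_check(enum dhchap_step step, bool have_c2, size_t hash_len, size_t al)
{
	if (al == 0)
		return -1;	/* pre-existing nonzero check */
	if (al < auth_receive_min_len(step, have_c2, hash_len))
		return -1;	/* the new minimum-length check */
	return 0;
}

/* Builders as the unpatched path runs them: they trust the caller's
 * allocation and write the whole message unconditionally. */
static void build_success1(void *d, bool have_c2, size_t hash_len)
{
	struct success1_data *m = d;

	memset(m, 0, sizeof(*m));	/* the 16-byte write KASAN reported */
	if (have_c2) {
		m->hl = (uint8_t)hash_len;
		m->rvalid = 1;
		memset(m->rval, 0x42, hash_len);	/* stand-in for the HMAC value */
	}
}

static void build_failure(void *d)
{
	struct failure_data *m = d;

	memset(m, 0, sizeof(*m));
	m->rescode = 1;		/* placeholder reason code */
}

#define CANARY 0xA5
#define SLACK  128	/* covers the largest modelled overrun (16 + 64 bytes) */

/* Allocate exactly `al` bytes, pad with canaries, run the builder as the
 * unpatched code does, and return how many canary bytes were clobbered. */
size_t run_unchecked(enum dhchap_step step, bool have_c2, size_t hash_len, size_t al)
{
	unsigned char *buf = malloc(al + SLACK);
	size_t clobbered = 0, i;

	if (!buf)
		return 0;
	memset(buf + al, CANARY, SLACK);
	if (step == STEP_SUCCESS1)
		build_success1(buf, have_c2, hash_len);
	else if (step != STEP_CHALLENGE)
		build_failure(buf);
	for (i = 0; i < SLACK; i++)
		clobbered += (buf[al + i] != CANARY);
	free(buf);
	return clobbered;
}

/* Patched flow: a rejected command never reaches a builder. */
size_t run_checked(enum dhchap_step step, bool have_c2, size_t hash_len, size_t al)
{
	if (auth_receive_check(step, have_c2, hash_len, al) != 0)
		return 0;
	return run_unchecked(step, have_c2, hash_len, al);
}

int main(void)
{
	printf("unchecked SUCCESS1 al=1: %zu bytes past the buffer\n",
	       run_unchecked(STEP_SUCCESS1, false, 0, 1));
	printf("unchecked SUCCESS1+C2 (SHA-256) al=1: %zu bytes past the buffer\n",
	       run_unchecked(STEP_SUCCESS1, true, 32, 1));
	printf("checked   SUCCESS1 al=1: %zu bytes past the buffer\n",
	       run_checked(STEP_SUCCESS1, false, 0, 1));
	return 0;
}
```

With `al = 1` in SUCCESS1 the unchecked path overruns by 15 bytes (the 16-byte header memset that the KUnit run above caught), and by 47 bytes once a C2 and a SHA-256 response are present; the checked path rejects both before any write. The minimum for a SUCCESS1 with a SHA-512 response is 80 bytes and for FAILURE1 is 8, which is why the model pads with 128 canary bytes rather than trusting the overrun to stay small.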