Date: Wed, 8 Jan 2025 12:34:04 +0300
From: Dan Carpenter
To: Hannes Reinecke
Cc: Christoph Hellwig, Sagi Grimberg, Chaitanya Kulkarni, Jens Axboe, linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH] nvmet-auth: fix length calculation in nvmet_auth_challenge()
Message-ID: <2abae353-5e30-4dc5-a2cd-26dab4db93d0@stanley.mountain>

The "d" variable is a void pointer so sizeof(*d) is 1. It was supposed to be sizeof(*data) which is 16. The "data_size" is the data required to hold the data struct plus "hash_len" which is the length of the variable array at the end of the data struct. Plus the "ctrl->dh_keysize" which is the extra space after the end of the data struct. The "al" variable is actual length of the buffer.

This mistake means that we will not zero the last 15 bytes. We likely copy data over these bytes so it may not be an issue. The main problem is that the check "if (al < data_size)" which ensures that we have allocated enough data is incorrect, potentially leading to memory corruption.

Cc: stable@vger.kernel.org
Fixes: db1312dd9548 ("nvmet: implement basic In-Band Authentication")
Signed-off-by: Dan Carpenter Reviewed-by: Sagi Grimberg --- I thought about changing the caller to use kzalloc() instead of kmalloc() to get rid of the memset(). But we need to calculate data_size anyway so moving the memset() doesn't really add very much. drivers/nvme/target/fabrics-cmd-auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/f= abrics-cmd-auth.c index 3f2857c17d95..aad113e17072 100644 --- a/drivers/nvme/target/fabrics-cmd-auth.c +++ b/drivers/nvme/target/fabrics-cmd-auth.c @@ -356,7 +356,7 @@ static int nvmet_auth_challenge(struct nvmet_req *req, = void *d, int al) struct nvmet_ctrl *ctrl =3D req->sq->ctrl; int ret =3D 0; int hash_len =3D nvme_auth_hmac_hash_len(ctrl->shash_id); - int data_size =3D sizeof(*d) + hash_len; + int data_size =3D sizeof(*data) + hash_len; =20 if (ctrl->dh_tfm) data_size +=3D ctrl->dh_keysize; --=20 2.45.2
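
Review bot: On the changed `data_size` line, the one-token fix is correct, but nvmet_auth_challenge() still takes the buffer as `void *d` alongside a separately named `data`, and that pairing is what allowed `sizeof(*d)` to compile without complaint (GCC evaluates sizeof on a void expression as 1 as an extension). Consider passing the typed struct pointer into the function, or otherwise keeping only one name for the buffer in scope, so that a repeat of this slip fails to build instead of shrinking the size by 15 bytes. A second, smaller point on the same line: `data_size` is a signed `int` that accumulates a `sizeof` result, `hash_len` and, two lines later, `ctrl->dh_keysize`, and per the commit message it feeds the `al < data_size` allocation check; a `size_t` (or an overflow-checked size helper) for both `al` and `data_size` would make that bounds check harder to get wrong.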