From nobody Mon Jun 8 10:56:42 2026 Received: from out-189.mta0.migadu.com (out-189.mta0.migadu.com [91.218.175.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B554C35E922 for ; Fri, 29 May 2026 14:18:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.189 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780064325; cv=none; b=kP2zwkuwtCyDkPg9V9+1F9x1EY7rVp9iHa3f7s+jVMrw3J6TMQXMNLMOklO/T4PiDVvfyXsUjYu9Pvv5wq+/j02WuNoyAMmUznMO/dW2dVHHdvLAzQAx27gAe+XVOH0QLQBjbTpKR9/SyMDqfgqXmh4plOdWzXZ0kvSaWIXndDE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780064325; c=relaxed/simple; bh=3LDLVnW+oav4CAWclG/VmLzx2lxnvO+nEgCWJF3k2EA=; h=MIME-Version:Date:Content-Type:From:Message-ID:Subject:To:Cc; b=coPLzLKOVvlxlzQks3KZC65wsqKcbpqH341g5kVhcGJJYKLpRgZotqMzmiO2a3+liEoeTmDhGBWYR95jJ/6gF227a60vhYhOQkGFdWIBZ7sXuFiOkdwgTEszk+wa/Go0haqSnOIzQ4N0/WPTVUk78bViKohi06CUvFS5VFtN5wE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=g8PtUux1; arc=none smtp.client-ip=91.218.175.189 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="g8PtUux1" Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1780064321; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Old2ZBfu5/f6+8T0WIP99FhOmU/UUs/ZTf09PeYkFpA=; b=g8PtUux1KbEuz1rCh+RBoWjElpt4H5nmwuirbu97o6nWtzuQxFl3BI6Q+H+OsMfLPFSzeV 9wQt8SIormeF3P6HuRpFcac5dE5Q6C8o7FkuQro1XDK162lxe7JmZpq6O0GYFBw9qkrPg0 ifu4K1BbAFyNMpKNJwVHpG4NcfWd/xA= Date: Fri, 29 May 2026 14:18:39 +0000 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: "Tianchu Chen" Message-ID: TLS-Required: No Subject: [PATCH] nvmet-auth: validate reply message payload bounds against transfer length To: hare@suse.de, hch@lst.de, sagi@grimberg.me, kch@nvidia.com Cc: linux-kernel@vger.kernel.org, linux-nvme@lists.infradead.org X-Migadu-Flow: FLOW_OUT From: Tianchu Chen nvmet_auth_reply() accesses the variable-length rval[] array using attacker-controlled hl (hash length) and dhvlen (DH value length) fields without verifying they fit within the allocated buffer of tl bytes. A malicious NVMe-oF initiator can craft a DHCHAP_REPLY message with a small transfer length but large hl/dhvlen values, causing out-of-bounds heap reads when the target processes the DH public key (rval + 2*hl) or performs the host response memcmp. With DH authentication configured, the OOB pointer is passed directly to sg_init_one() and read by crypto_kpp_compute_shared_secret(), reaching up to 526 bytes past the buffer. This is exploitable pre-authentication. Add bounds validation ensuring sizeof(*data) + 2*hl + dhvlen <=3D tl before any access to the variable-length fields. Discovered by Atuin - Automated Vulnerability Discovery Engine. Fixes: db1312dd9548 ("nvmet: implement basic In-Band Authentication") Cc: stable@vger.kernel.org Signed-off-by: Tianchu Chen Reviewed-by: Hannes Reinecke --- drivers/nvme/target/fabrics-cmd-auth.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/f= abrics-cmd-auth.c index f1e613e7c..0a85acf1e 100644 --- a/drivers/nvme/target/fabrics-cmd-auth.c +++ b/drivers/nvme/target/fabrics-cmd-auth.c @@ -132,13 +132,22 @@ static u8 nvmet_auth_negotiate(struct nvmet_req *req,= void *d) return 0; } =20 -static u8 nvmet_auth_reply(struct nvmet_req *req, void *d) +static u8 nvmet_auth_reply(struct nvmet_req *req, void *d, u32 tl) { struct nvmet_ctrl *ctrl =3D req->sq->ctrl; struct nvmf_auth_dhchap_reply_data *data =3D d; - u16 dhvlen =3D le16_to_cpu(data->dhvlen); + u16 dhvlen; u8 *response; =20 + if (tl < sizeof(*data)) + return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD; + + dhvlen =3D le16_to_cpu(data->dhvlen); + + /* Validate that hl and dhvlen fit within the transfer length */ + if (sizeof(*data) + 2 * (size_t)data->hl + dhvlen > tl) + return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD; + pr_debug("%s: ctrl %d qid %d: data hl %d cvalid %d dhvlen %u\n", __func__, ctrl->cntlid, req->sq->qid, data->hl, data->cvalid, dhvlen); @@ -338,7 +347,7 @@ void nvmet_execute_auth_send(struct nvmet_req *req) =20 switch (data->auth_id) { case NVME_AUTH_DHCHAP_MESSAGE_REPLY: - dhchap_status =3D nvmet_auth_reply(req, d); + dhchap_status =3D nvmet_auth_reply(req, d, tl); if (dhchap_status =3D=3D 0) req->sq->dhchap_step =3D NVME_AUTH_DHCHAP_MESSAGE_SUCCESS1; --=20 2.51.0