Message-ID: <20260211055036.2675866-1-ioerts@kookmin.ac.kr>
Date: Wed, 11 Feb 2026 14:50:03 +0900
From: YunJe Shin <yjshin0438@...il.com>
To: Hannes Reinecke <hare@...e.de>,
	Christoph Hellwig <hch@....de>,
	Sagi Grimberg <sagi@...mberg.me>,
	Chaitanya Kulkarni <kch@...dia.com>
Cc: Keith Busch <kbusch@...nel.org>,
	linux-nvme@...ts.infradead.org,
	linux-kernel@...r.kernel.org,
	ioerts@...kmin.ac.kr
Subject: [PATCH] nvmet fabrics-cmd-auth.c: validate negotiate payload length (KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090)

AUTH_SEND negotiation expects at least one DH-HMAC-CHAP protocol descriptor. 
Reject payloads shorter than that to avoid out-of-bounds reads.

[ 1224.388831] Call Trace:
[ 1224.388833]  <TASK>
[ 1224.388834]  dump_stack_lvl+0x53/0x70
[ 1224.388839]  print_report+0xd0/0x660
[ 1224.388843]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 1224.388847]  ? kasan_save_track+0x14/0x30
[ 1224.388851]  ? nvmet_execute_auth_send+0x1d24/0x2090
[ 1224.388854]  kasan_report+0xce/0x100
[ 1224.388857]  ? nvmet_execute_auth_send+0x1d24/0x2090
[ 1224.388860]  nvmet_execute_auth_send+0x1d24/0x2090
[ 1224.388863]  ? __pfx_inet_recvmsg+0x10/0x10
[ 1224.388868]  ? sock_recvmsg+0x178/0x220
[ 1224.388871]  nvmet_tcp_io_work+0x1709/0x2200
[ 1224.388875]  ? __pfx_nvmet_tcp_io_work+0x10/0x10
[ 1224.388878]  process_one_work+0x5e7/0xfe0
[ 1224.388882]  ? assign_work+0x11d/0x370
[ 1224.388885]  worker_thread+0x446/0xd00
[ 1224.388888]  ? __pfx_worker_thread+0x10/0x10
[ 1224.388891]  ? __pfx_worker_thread+0x10/0x10
[ 1224.388894]  kthread+0x2c6/0x3b0
[ 1224.388896]  ? recalc_sigpending+0x15c/0x1e0
[ 1224.388900]  ? __pfx_kthread+0x10/0x10
[ 1224.388902]  ret_from_fork+0x38d/0x5c0
[ 1224.388906]  ? __pfx_ret_from_fork+0x10/0x10
[ 1224.388909]  ? __switch_to+0xb13/0xea0
[ 1224.388912]  ? __switch_to_asm+0x39/0x70
[ 1224.388916]  ? __switch_to_asm+0x33/0x70
[ 1224.388918]  ? __pfx_kthread+0x10/0x10
[ 1224.388920]  ret_from_fork_asm+0x1a/0x30
[ 1224.388924]  </TASK>
[ 1224.388925]
[ 1224.403207] Allocated by task 670:
[ 1224.403446]  kasan_save_stack+0x33/0x60
[ 1224.403723]  kasan_save_track+0x14/0x30
[ 1224.403987]  __kasan_kmalloc+0x8f/0xa0
[ 1224.404286]  __kmalloc_noprof+0x18e/0x480
[ 1224.404631]  nvmet_execute_auth_send+0x3be/0x2090
[ 1224.405016]  nvmet_tcp_io_work+0x1709/0x2200
[ 1224.405356]  process_one_work+0x5e7/0xfe0
[ 1224.405695]  worker_thread+0x446/0xd00
[ 1224.405996]  kthread+0x2c6/0x3b0
[ 1224.406256]  ret_from_fork+0x38d/0x5c0
[ 1224.406578]  ret_from_fork_asm+0x1a/0x30
[ 1224.406907]
[ 1224.407035] The buggy address belongs to the object at ffff88800a6537c0
[ 1224.407035]  which belongs to the cache kmalloc-8 of size 8
[ 1224.407998] The buggy address is located 0 bytes to the right of
[ 1224.407998]  allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
[ 1224.409014]
[ 1224.409155] The buggy address belongs to the physical page:
[ 1224.409669] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88800a653a00 pfn:0xa653
[ 1224.410401] flags: 0x100000000000200(workingset|node=0|zone=1)
[ 1224.410895] page_type: f5(slab)
[ 1224.411160] raw: 0100000000000200 ffff888007441500 ffff888007440210 ffff888007440210
[ 1224.411787] raw: ffff88800a653a00 0000000000800050 00000000f5000000 0000000000000000
[ 1224.412412] page dumped because: kasan: bad access detected
[ 1224.412866]
[ 1224.413006] Memory state around the buggy address:
[ 1224.413391]  ffff88800a653680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1224.413963]  ffff88800a653700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1224.414544] >ffff88800a653780: fc fc fc fc fc fc fc fc 00 fc fc fc fa fc fc fc
[ 1224.415045]                                               ^
[ 1224.415444]  ffff88800a653800: fa fc fc fc fa fc fc fc 06 fc fc fc 07 fc fc fc
[ 1224.416028]  ffff88800a653880: 07 fc fc fc 07 fc fc fc 07 fc fc fc 07 fc fc fc
[ 1224.416630] ==================================================================


Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
Signed-off-by: Yunje Shin <ioerts@...kmin.ac.kr>
---
 drivers/nvme/target/fabrics-cmd-auth.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
index 5946681cb0e3..2bcee44b3395 100644
--- a/drivers/nvme/target/fabrics-cmd-auth.c
+++ b/drivers/nvme/target/fabrics-cmd-auth.c
@@ -289,6 +289,15 @@ void nvmet_execute_auth_send(struct nvmet_req *req)
 		goto done_failure1;
 	if (data->auth_type == NVME_AUTH_COMMON_MESSAGES) {
 		if (data->auth_id == NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE) {
+			size_t min_len = sizeof(struct nvmf_auth_dhchap_negotiate_data) +
+				sizeof(struct nvmf_auth_dhchap_protocol_descriptor);
+
+			if (tl < min_len) {
+				status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR;
+				req->error_loc =
+					offsetof(struct nvmf_auth_send_command, tl);
+				goto done_kfree;
+			}
 			/* Restart negotiation */
 			pr_debug("%s: ctrl %d qid %d reset negotiation\n",
 				 __func__, ctrl->cntlid, req->sq->qid);
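Review bot: the new bound only guarantees the 8-byte negotiate header plus one descriptor and is not tied to the descriptor count the header itself carries, so a payload that announces several descriptors but carries only one still passes `tl < min_len`; either derive the minimum from that count or state in the commit message that the handler reads only the first descriptor, so reviewers can see why one is enough. Consider also whether a too-short negotiate should take the `goto done_failure1` path visible at the top of the hunk (an in-band authentication failure the host can act on) rather than failing the command outright with `NVME_SC_INVALID_FIELD | NVME_STATUS_DNR`; the commit message should say which behaviour is intended and why `done_kfree` is the right exit for this case.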
-- 
2.43.0
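An added example, written for this page rather than taken from the kernel or from the patch above: a stand-alone C parser for the DH-HMAC-CHAP AUTH_Negotiate payload that applies the transfer-length check before reading any protocol descriptor, and goes one step further than the patch by also bounding the length against the descriptor count (napd) the header announces and checking that the hash and DH id lists fit inside the descriptor. The byte layout (8-byte header, 34-byte descriptors), the constant values and the helper names are assumptions mirroring the kernel's nvmf_auth_dhchap_negotiate_data and nvmf_auth_dhchap_protocol_descriptor layouts; the payloads are constructed inside the code, with the header-only case sized to match the 8-byte kmalloc object in the KASAN report.

```c
/*
 * Added example, not kernel code: parse an NVMe-oF AUTH_Send
 * AUTH_Negotiate payload with the length checked before any
 * descriptor byte is read.
 *
 * Assumption: layout mirrors the kernel's
 * nvmf_auth_dhchap_negotiate_data (8-byte header) followed by
 * nvmf_auth_dhchap_protocol_descriptor entries (34 bytes each).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
	NEG_HDR_LEN       = 8,	/* auth_type, auth_id, rsvd[2], t_id[2], sc_c, napd */
	DESC_LEN          = 34,	/* authid, rsvd, halen, dhlen, idlist[30] */
	DESC_IDLIST_LEN   = 30,
	AUTH_TYPE_COMMON  = 0x00,	/* assumed value */
	AUTH_ID_NEGOTIATE = 0x00,	/* assumed value */
	DHCHAP_AUTHID     = 0x01,	/* assumed value */
};

enum neg_status { NEG_OK = 0, NEG_TOO_SHORT, NEG_BAD_HEADER, NEG_BAD_DESC };

struct neg_parsed {
	uint16_t t_id;
	uint8_t  sc_c, napd, halen, dhlen;
	uint8_t  idlist[DESC_IDLIST_LEN];
};

/* Minimum transfer length for a header announcing `napd` descriptors. */
static size_t neg_min_len(uint8_t napd)
{
	return NEG_HDR_LEN + (size_t)napd * DESC_LEN;
}

enum neg_status parse_negotiate(const uint8_t *buf, size_t tl,
				struct neg_parsed *out)
{
	/* The patch's check: header plus at least one descriptor. */
	if (tl < neg_min_len(1))
		return NEG_TOO_SHORT;
	if (buf[0] != AUTH_TYPE_COMMON || buf[1] != AUTH_ID_NEGOTIATE)
		return NEG_BAD_HEADER;

	out->t_id = (uint16_t)(buf[4] | (buf[5] << 8));	/* little-endian */
	out->sc_c = buf[6];
	out->napd = buf[7];
	if (out->napd == 0)
		return NEG_BAD_HEADER;
	/* Generalisation: tl must cover every descriptor the header claims. */
	if (tl < neg_min_len(out->napd))
		return NEG_TOO_SHORT;

	const uint8_t *d = buf + NEG_HDR_LEN;	/* first descriptor */
	out->halen = d[2];
	out->dhlen = d[3];
	/* hash ids and DH-group ids share idlist[]; both lists must fit. */
	if (d[0] != DHCHAP_AUTHID ||
	    (size_t)out->halen + out->dhlen > DESC_IDLIST_LEN)
		return NEG_BAD_DESC;
	memcpy(out->idlist, d + 4, DESC_IDLIST_LEN);
	return NEG_OK;
}

/* Build a constructed payload; returns bytes written (0 if cap too small). */
size_t build_negotiate(uint8_t *buf, size_t cap, uint8_t napd, int with_desc,
		       uint8_t halen, uint8_t dhlen)
{
	size_t len = NEG_HDR_LEN + (with_desc ? DESC_LEN : 0);

	if (cap < len)
		return 0;
	memset(buf, 0, len);
	buf[0] = AUTH_TYPE_COMMON;
	buf[1] = AUTH_ID_NEGOTIATE;
	buf[4] = 0x01;		/* t_id = 1 */
	buf[7] = napd;
	if (with_desc) {
		uint8_t *d = buf + NEG_HDR_LEN;

		d[0] = DHCHAP_AUTHID;
		d[2] = halen;
		d[3] = dhlen;
		if ((size_t)halen + dhlen <= DESC_IDLIST_LEN && halen && dhlen) {
			d[4] = 0x01;		/* hash id (SHA-256, assumed numbering) */
			d[4 + halen] = 0x01;	/* DH group id (2048-bit, assumed) */
		}
	}
	return len;
}

/* Build one constructed case and run it through the parser. */
enum neg_status check_case(uint8_t napd, int with_desc, uint8_t halen, uint8_t dhlen)
{
	uint8_t buf[64];
	struct neg_parsed p;
	size_t tl = build_negotiate(buf, sizeof buf, napd, with_desc, halen, dhlen);

	return parse_negotiate(buf, tl, &p);
}

int main(void)
{
	/* Header-only 8-byte payload, as the kmalloc-8 object in the report. */
	printf("header only, napd=1: %d\n", check_case(1, 0, 1, 1));
	printf("one descriptor:      %d\n", check_case(1, 1, 1, 1));
	printf("napd=2, one desc:    %d\n", check_case(2, 1, 1, 1));
	printf("halen+dhlen > 30:    %d\n", check_case(1, 1, 20, 20));
	return 0;
}
```

Status 1 (NEG_TOO_SHORT) for the first and third cases is the point: the 8-byte payload never reaches a descriptor read, and a header that promises two descriptors but carries one is rejected as well, which the patch's fixed `header + one descriptor` minimum alone would not do.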
