lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260211160859.GA11869@lst.de>
Date: Wed, 11 Feb 2026 17:08:59 +0100
From: Christoph Hellwig <hch@....de>
To: YunJe Shin <yjshin0438@...il.com>
Cc: Hannes Reinecke <hare@...e.de>, Christoph Hellwig <hch@....de>,
	Sagi Grimberg <sagi@...mberg.me>,
	Chaitanya Kulkarni <kch@...dia.com>,
	Keith Busch <kbusch@...nel.org>, linux-nvme@...ts.infradead.org,
	linux-kernel@...r.kernel.org, ioerts@...kmin.ac.kr
Subject: Re: [PATCH] nvmet fabrics-cmd-auth.c : validate negotiate payload
 length(KASAN: slab-out-of-bounds in
 nvmet_execute_auth_send+0x1d24/0x2090)

On Wed, Feb 11, 2026 at 02:50:03PM +0900, YunJe Shin wrote:

> < snip>

Please don't spam the commit message with the entire backtrace.

> index 5946681cb0e3..2bcee44b3395 100644
> --- a/drivers/nvme/target/fabrics-cmd-auth.c
> +++ b/drivers/nvme/target/fabrics-cmd-auth.c
> @@ -289,6 +289,15 @@ void nvmet_execute_auth_send(struct nvmet_req *req)
>  		goto done_failure1;
>  	if (data->auth_type == NVME_AUTH_COMMON_MESSAGES) {
>  		if (data->auth_id == NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE) {
> +			size_t min_len = sizeof(struct nvmf_auth_dhchap_negotiate_data) +
> +				sizeof(struct nvmf_auth_dhchap_protocol_descriptor);

This should be be using struct_size.  And all of this is way too long,
please use the chance to split this out into a helper:

		if (data->auth_id == NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE) {
			if (!nvmet_restart_dhchap_auth(req))
				goto done_kfree;
		} else if (data->auth_id != req->sq->dhchap_step)
		case 

		struct_

> +
> +			if (tl < min_len) {
> +				status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR;
> +				req->error_loc =
> +					offsetof(struct nvmf_auth_send_command, tl);
> +				goto done_kfree;
> +			}

None of the functions here uses nvme errors returns, but instead uses
dhchap_status.  Should this be NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD
instead?  (not really an expert on the dhchap status conventions,
maybe someone else can chime in)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ