[PATCH 2/9] nvme-keyring: add 'dhchap' key type

Shinichiro Kawasaki shinichiro.kawasaki at wdc.com
Mon Jun 2 17:32:26 PDT 2025


On May 28, 2025 / 16:05, Hannes Reinecke wrote:
> Add a 'dhchap' keytype to store DH-HMAC-CHAP secret keys.
> Keys are stored with a 'user-type' compatible payload, such
> that one can use 'user_read()' to access the raw contents
> and the 'read()' callback to get the base64-encoded key
> data in the DH-HMAC-CHAP secret representation.
> 
> Signed-off-by: Hannes Reinecke <hare at kernel.org>
> ---
>  drivers/nvme/common/keyring.c | 266 ++++++++++++++++++++++++++++++++++
>  include/linux/nvme-keyring.h  |  22 ++-
>  2 files changed, 287 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/nvme/common/keyring.c b/drivers/nvme/common/keyring.c
> index 32d16c53133b..a58c93c6d495 100644
> --- a/drivers/nvme/common/keyring.c
> +++ b/drivers/nvme/common/keyring.c
[...]
> +static int nvme_dhchap_psk_preparse(struct key_preparsed_payload *prep)
> +{
> +	struct user_key_payload *upayload;
> +	size_t datalen = prep->datalen, keylen;
> +	int ret;
> +	u32 crc;
> +	u8 version, hmac;
> +
> +	if (!prep->data) {
> +		pr_debug("%s: Empty data", __func__);
> +		prep->payload.data[0] = NULL;
> +		prep->quotalen = 0;
> +		return -EINVAL;
> +	}
> +
> +	if (sscanf(prep->data, "DHHC-%01hhu:%02hhu:%*s", &version, &hmac) != 2) {
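Review bot: the sscanf() on prep->data in nvme_dhchap_psk_preparse() treats the payload as a NUL-terminated string, but the buffer add_key(2) hands to the preparse callback is exactly prep->datalen bytes with no terminator, so "%*s" (and "%02hhu" before it, on a shorter payload) keeps scanning past the end of the allocation. The KASAN report below matches that: a 1-byte read 0 bytes to the right of a 59-byte region allocated in __do_sys_add_key, where 59 (0x3b in R10) is the plen argument of the add_key call. "%*s" suppresses assignment and takes no pointer argument, so the two-argument call is not itself the bug; dropping "%*s" removes the overrun only for payloads that extend past the "DHHC-v:hh:" prefix, while a truncated payload still lets "%02hhu" read past datalen. Suggested change: never run sscanf() on prep->data directly. Either copy it into a NUL-terminated buffer first, e.g. kmemdup_nul(prep->data, prep->datalen, GFP_KERNEL), or parse the header byte by byte bounded by prep->datalen, and return -EINVAL when the full "DHHC-v:hh:" prefix does not fit within datalen.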

I built the kernel from the nvme-6.16 branch at git hash bf4d87cba2d7 with
this series applied. Then I ran the blktests test case corresponding to this
series and observed the KASAN slab-out-of-bounds BUG below [1].

The sscanf() above has three "%"s in the conversion format string, but only
two pointer arguments follow it. I think this gap between the number of "%"s
and the number of pointer arguments causes the BUG. When I removed "%*s" from
the format string, the BUG seemed to disappear.

[1]

Jun 03 08:48:30 testnode2 unknown: run blktests nvme/064 at 2025-06-03 08:48:30
Jun 03 08:48:30 testnode2 kernel: ==================================================================
Jun 03 08:48:30 testnode2 kernel: BUG: KASAN: slab-out-of-bounds in vsscanf+0xd55/0x2d20
Jun 03 08:48:30 testnode2 kernel: Read of size 1 at addr ffff888100a5303b by task keyctl/1116
Jun 03 08:48:30 testnode2 kernel: 
Jun 03 08:48:30 testnode2 kernel: CPU: 1 UID: 0 PID: 1116 Comm: keyctl Not tainted 6.15.0-rc3+ #43 PREEMPT(voluntary) 
Jun 03 08:48:30 testnode2 kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
Jun 03 08:48:30 testnode2 kernel: Call Trace:
Jun 03 08:48:30 testnode2 kernel:  <TASK>
Jun 03 08:48:30 testnode2 kernel:  dump_stack_lvl+0x6a/0x90
Jun 03 08:48:30 testnode2 kernel:  print_report+0x174/0x554
Jun 03 08:48:30 testnode2 kernel:  ? __virt_addr_valid+0x208/0x430
Jun 03 08:48:30 testnode2 kernel:  ? vsscanf+0xd55/0x2d20
Jun 03 08:48:30 testnode2 kernel:  kasan_report+0xae/0x170
Jun 03 08:48:30 testnode2 kernel:  ? vsscanf+0xd55/0x2d20
Jun 03 08:48:30 testnode2 kernel:  vsscanf+0xd55/0x2d20
Jun 03 08:48:30 testnode2 kernel:  ? __pfx_vsscanf+0x10/0x10
Jun 03 08:48:30 testnode2 kernel:  sscanf+0xac/0xe0
Jun 03 08:48:30 testnode2 kernel:  ? __pfx_sscanf+0x10/0x10
Jun 03 08:48:30 testnode2 kernel:  ? lock_acquire+0x180/0x310
Jun 03 08:48:30 testnode2 kernel:  ? __pfx___might_resched+0x10/0x10
Jun 03 08:48:30 testnode2 kernel:  nvme_dhchap_psk_preparse+0xde/0x5a0 [nvme_keyring]
Jun 03 08:48:30 testnode2 kernel:  ? __pfx_nvme_dhchap_psk_preparse+0x10/0x10 [nvme_keyring]
Jun 03 08:48:30 testnode2 kernel:  ? __pfx_down_read+0x1/0x10
Jun 03 08:48:30 testnode2 kernel:  ? avc_has_perm+0xa6/0x160
Jun 03 08:48:30 testnode2 kernel:  ? lock_is_held_type+0x41/0x130
Jun 03 08:48:30 testnode2 kernel:  ? __pfx_avc_has_perm+0x10/0x10
Jun 03 08:48:30 testnode2 kernel:  __key_create_or_update+0x3f1/0xc60
Jun 03 08:48:30 testnode2 kernel:  ? __pfx___key_create_or_update+0x10/0x10
Jun 03 08:48:30 testnode2 kernel:  ? __pfx_lookup_user_key+0x10/0x10
Jun 03 08:48:30 testnode2 kernel:  ? lock_release+0x17d/0x2c0
Jun 03 08:48:30 testnode2 kernel:  key_create_or_update+0x10/0x20
Jun 03 08:48:30 testnode2 kernel:  __do_sys_add_key+0x1e5/0x300
Jun 03 08:48:30 testnode2 kernel:  ? __pfx___do_sys_add_key+0x10/0x10
Jun 03 08:48:30 testnode2 kernel:  ? fput_close_sync+0x100/0x170
Jun 03 08:48:30 testnode2 kernel:  do_syscall_64+0x93/0x190
Jun 03 08:48:30 testnode2 kernel:  ? do_syscall_64+0x9f/0x190
Jun 03 08:48:30 testnode2 kernel:  ? lockdep_hardirqs_on+0x78/0x100
Jun 03 08:48:30 testnode2 kernel:  ? do_syscall_64+0x9f/0x190
Jun 03 08:48:30 testnode2 kernel:  ? kasan_save_track+0x10/0x30
Jun 03 08:48:30 testnode2 kernel:  ? kasan_save_free_info+0x37/0x60
Jun 03 08:48:30 testnode2 kernel:  ? __kasan_slab_free+0x4b/0x70
Jun 03 08:48:30 testnode2 kernel:  ? kfree+0x13a/0x4b0
Jun 03 08:48:30 testnode2 kernel:  ? keyctl_describe_key+0x29c/0x420
Jun 03 08:48:30 testnode2 kernel:  ? do_syscall_64+0x93/0x190
Jun 03 08:48:30 testnode2 kernel:  ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
Jun 03 08:48:30 testnode2 kernel:  ? kasan_quarantine_put+0xd8/0x1e0
Jun 03 08:48:30 testnode2 kernel:  ? kasan_quarantine_put+0xd8/0x1e0
Jun 03 08:48:30 testnode2 kernel:  ? lockdep_hardirqs_on+0x78/0x100
Jun 03 08:48:30 testnode2 kernel:  ? kasan_quarantine_put+0xd8/0x1e0
Jun 03 08:48:30 testnode2 kernel:  ? kfree+0x13a/0x4b0
Jun 03 08:48:30 testnode2 kernel:  ? lock_release+0x17d/0x2c0
Jun 03 08:48:30 testnode2 kernel:  ? keyctl_describe_key+0x29c/0x420
Jun 03 08:48:30 testnode2 kernel:  ? key_put+0x25/0x280
Jun 03 08:48:30 testnode2 kernel:  ? syscall_exit_to_user_mode+0x8e/0x280
Jun 03 08:48:30 testnode2 kernel:  ? rcu_is_watching+0x11/0xb0
Jun 03 08:48:30 testnode2 kernel:  ? do_syscall_64+0x9f/0x190
Jun 03 08:48:30 testnode2 kernel:  ? lockdep_hardirqs_on+0x78/0x100
Jun 03 08:48:30 testnode2 kernel:  ? do_syscall_64+0x9f/0x190
Jun 03 08:48:30 testnode2 kernel:  ? lock_release+0x17d/0x2c0
Jun 03 08:48:30 testnode2 kernel:  ? do_user_addr_fault+0x4a2/0xa00
Jun 03 08:48:30 testnode2 kernel:  ? irqentry_exit_to_user_mode+0x84/0x270
Jun 03 08:48:30 testnode2 kernel:  ? rcu_is_watching+0x11/0xb0
Jun 03 08:48:30 testnode2 kernel:  entry_SYSCALL_64_after_hwframe+0x76/0x7e
Jun 03 08:48:30 testnode2 kernel: RIP: 0033:0x7f256cc0b95d
Jun 03 08:48:30 testnode2 kernel: Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 83 64 0f 00 f7 d8 64 89 01 48
Jun 03 08:48:30 testnode2 kernel: RSP: 002b:00007ffd307fd8e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
Jun 03 08:48:30 testnode2 kernel: RAX: ffffffffffffffda RBX: 00007ffd307fdae0 RCX: 00007f256cc0b95d
Jun 03 08:48:30 testnode2 kernel: RDX: 00007ffd307fe63d RSI: 00007ffd307fe618 RDI: 00007ffd307fe611
Jun 03 08:48:30 testnode2 kernel: RBP: 00007ffd307fd8f0 R08: 000000000ae4be97 R09: 00007ffd307fd940
Jun 03 08:48:30 testnode2 kernel: R10: 000000000000003b R11: 0000000000000246 R12: 00007ffd307fe63d
Jun 03 08:48:30 testnode2 kernel: R13: 000000000000003b R14: 000055e2e6923cdb R15: 000055e2e69264b8
Jun 03 08:48:30 testnode2 kernel:  </TASK>
Jun 03 08:48:30 testnode2 kernel: 
Jun 03 08:48:30 testnode2 kernel: Allocated by task 1116:
Jun 03 08:48:30 testnode2 kernel:  kasan_save_stack+0x2c/0x50
Jun 03 08:48:30 testnode2 kernel:  kasan_save_track+0x10/0x30
Jun 03 08:48:30 testnode2 kernel:  __kasan_kmalloc+0xa6/0xb0
Jun 03 08:48:30 testnode2 kernel:  __kvmalloc_node_noprof+0x1c7/0x660
Jun 03 08:48:30 testnode2 kernel:  __do_sys_add_key+0x16d/0x300
Jun 03 08:48:30 testnode2 kernel:  do_syscall_64+0x93/0x190
Jun 03 08:48:30 testnode2 kernel:  entry_SYSCALL_64_after_hwframe+0x76/0x7e
Jun 03 08:48:30 testnode2 kernel: 
Jun 03 08:48:30 testnode2 kernel: The buggy address belongs to the object at ffff888100a53000
                                   which belongs to the cache kmalloc-64 of size 64
Jun 03 08:48:30 testnode2 kernel: The buggy address is located 0 bytes to the right of
                                   allocated 59-byte region [ffff888100a53000, ffff888100a5303b)
Jun 03 08:48:30 testnode2 kernel: 
Jun 03 08:48:30 testnode2 kernel: The buggy address belongs to the physical page:
Jun 03 08:48:30 testnode2 kernel: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a53
Jun 03 08:48:30 testnode2 kernel: ksm flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
Jun 03 08:48:30 testnode2 kernel: page_type: f5(slab)
Jun 03 08:48:30 testnode2 kernel: raw: 0017ffffc0000000 ffff8881000428c0 ffffea000445e340 dead000000000003
Jun 03 08:48:30 testnode2 kernel: raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
Jun 03 08:48:30 testnode2 kernel: page dumped because: kasan: bad access detected
Jun 03 08:48:30 testnode2 kernel: 
Jun 03 08:48:30 testnode2 kernel: Memory state around the buggy address:
Jun 03 08:48:30 testnode2 kernel:  ffff888100a52f00: 00 fc fc fc 00 fc fc fc 00 fc fc fc 00 fc fc fc
Jun 03 08:48:30 testnode2 kernel:  ffff888100a52f80: 00 fc fc fc 00 fc fc fc 00 fc fc fc 00 fc fc fc
Jun 03 08:48:30 testnode2 kernel: >ffff888100a53000: 00 00 00 00 00 00 00 03 fc fc fc fc fc fc fc fc
Jun 03 08:48:30 testnode2 kernel:                                         ^
Jun 03 08:48:30 testnode2 kernel:  ffff888100a53080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
Jun 03 08:48:30 testnode2 kernel:  ffff888100a53100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
Jun 03 08:48:30 testnode2 kernel: ==================================================================
Jun 03 08:48:30 testnode2 kernel: Disabling lock debugging due to kernel taint
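As an added example (not code from this patch, from the reply above, or from the nvme tree), here is how the "DHHC-<v>:<hh>:<base64>:" header can be parsed from a length-delimited buffer without ever relying on a terminating NUL, which is the situation a key-type preparse callback is in: add_key(2) copies exactly plen bytes and the KASAN report above shows the read landing one byte past a 59-byte region allocated in __do_sys_add_key. Two variants are shown in userspace C: a hand-rolled parser bounded by datalen, and the sscanf() form kept but run only on a NUL-terminated private copy (the userspace stand-in for the kernel's kmemdup_nul()), with "%n" used to confirm that the whole prefix matched. The header layout is inferred from the patch's format string "DHHC-%01hhu:%02hhu:%*s" and the commit message; the 59-byte sample payload is constructed (48 base64 characters, which is what a 36-byte blob encodes to, plus the "DHHC-1:00:" prefix and a trailing ':') and its base64 body is filler, not a real secret. Names such as dhchap_parse_header and dhchap_probe are this example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample payload, 59 bytes like the add_key() call in the
 * report: "DHHC-1:00:" + 48 base64 characters + trailing ':'.
 * The base64 body is filler, not a real secret. */
#define DHCHAP_SAMPLE "DHHC-1:00:" \
    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" ":"

/* Variant 1: hand-rolled parser over (data, datalen), the shape a preparse
 * callback gets as prep->data / prep->datalen. No byte is read without a
 * datalen check, so a missing NUL terminator cannot matter. Returns the
 * offset of the first base64 byte (just past the second ':') or -errno. */
static long dhchap_parse_header(const char *data, size_t datalen,
                                uint8_t *version, uint8_t *hmac)
{
    static const char prefix[] = "DHHC-";
    size_t pos = sizeof(prefix) - 1;
    unsigned v, h = 0, ndig = 0;

    if (!data || datalen < pos || memcmp(data, prefix, pos) != 0)
        return -EINVAL;
    /* exactly one decimal digit for the version (the patch's "%01hhu") */
    if (pos >= datalen || data[pos] < '0' || data[pos] > '9')
        return -EINVAL;
    v = (unsigned)(data[pos++] - '0');
    if (pos >= datalen || data[pos++] != ':')
        return -EINVAL;
    /* one or two decimal digits for the hmac id (the patch's "%02hhu") */
    while (pos < datalen && ndig < 2 && data[pos] >= '0' && data[pos] <= '9') {
        h = h * 10 + (unsigned)(data[pos++] - '0');
        ndig++;
    }
    if (ndig == 0 || pos >= datalen || data[pos++] != ':')
        return -EINVAL;
    *version = (uint8_t)v;
    *hmac = (uint8_t)h;
    return (long)pos;
}

/* Variant 2: keep sscanf(), but only on a NUL-terminated private copy sized
 * by datalen (userspace stand-in for kmemdup_nul()). "%n" records how far
 * the format matched, so a header cut off before the second ':' is rejected
 * instead of half-accepted. */
static long dhchap_parse_header_sscanf(const char *data, size_t datalen,
                                       uint8_t *version, uint8_t *hmac)
{
    unsigned char v, h;
    int consumed = 0;
    char *copy;

    if (!data)
        return -EINVAL;
    copy = malloc(datalen + 1);
    if (!copy)
        return -ENOMEM;
    memcpy(copy, data, datalen);
    copy[datalen] = '\0';
    if (sscanf(copy, "DHHC-%1hhu:%2hhu:%n", &v, &h, &consumed) != 2 ||
        consumed == 0) {
        free(copy);
        return -EINVAL;
    }
    free(copy);
    *version = v;
    *hmac = h;
    return consumed;
}

/* Copy the first n bytes of s into a heap buffer of exactly n bytes with no
 * terminator (what add_key(2) delivers) and run both parsers on it.
 * Returns (offset << 16 | version << 8 | hmac) when both accept and agree,
 * the negative errno when both reject, or -EIO if they disagree. */
static long dhchap_probe(const char *s, size_t n)
{
    uint8_t v1 = 0, h1 = 0, v2 = 0, h2 = 0;
    char *buf = malloc(n ? n : 1);
    long r1, r2;

    if (!buf)
        return -ENOMEM;
    memcpy(buf, s, n);
    r1 = dhchap_parse_header(buf, n, &v1, &h1);
    r2 = dhchap_parse_header_sscanf(buf, n, &v2, &h2);
    free(buf);
    if (r1 != r2 || (r1 > 0 && (v1 != v2 || h1 != h2)))
        return -EIO;
    return r1 < 0 ? r1 : (r1 << 16) | ((long)v1 << 8) | h1;
}

int main(void)
{
    long r = dhchap_probe(DHCHAP_SAMPLE, sizeof(DHCHAP_SAMPLE) - 1);

    if (r < 0) {
        printf("rejected: %ld\n", r);
        return 1;
    }
    printf("version %ld, hmac %ld, base64 at offset %ld\n",
           (r >> 8) & 0xff, r & 0xff, r >> 16);
    return 0;
}
```

The probe deliberately allocates a buffer of exactly n bytes so that any parser that strays past datalen would read unowned memory, which is the condition KASAN flagged in the report; both variants return -EINVAL for a payload that ends before the second ':' rather than continuing the scan.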


More information about the Linux-nvme mailing list