[PATCH 2/9] nvme-keyring: add 'dhchap' key type
Hannes Reinecke
hare at suse.de
Mon Jun 2 23:11:03 PDT 2025
On 6/3/25 02:32, Shinichiro Kawasaki wrote:
> On May 28, 2025 / 16:05, Hannes Reinecke wrote:
>> Add a 'dhchap' keytype to store DH-HMAC-CHAP secret keys.
>> Keys are stored with a 'user-type' compatible payload, such
>> that one can use 'user_read()' to access the raw contents
>> and the 'read()' callback to get the base64-encoded key
>> data in the DH-HMAC-CHAP secret representation.
>>
>> Signed-off-by: Hannes Reinecke <hare at kernel.org>
>> ---
>> drivers/nvme/common/keyring.c | 266 ++++++++++++++++++++++++++++++++++
>> include/linux/nvme-keyring.h | 22 ++-
>> 2 files changed, 287 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/nvme/common/keyring.c b/drivers/nvme/common/keyring.c
>> index 32d16c53133b..a58c93c6d495 100644
>> --- a/drivers/nvme/common/keyring.c
>> +++ b/drivers/nvme/common/keyring.c
> [...]
>> +static int nvme_dhchap_psk_preparse(struct key_preparsed_payload *prep)
>> +{
>> + struct user_key_payload *upayload;
>> + size_t datalen = prep->datalen, keylen;
>> + int ret;
>> + u32 crc;
>> + u8 version, hmac;
>> +
>> + if (!prep->data) {
>> + pr_debug("%s: Empty data", __func__);
>> + prep->payload.data[0] = NULL;
>> + prep->quotalen = 0;
>> + return -EINVAL;
>> + }
>> +
>> + if (sscanf(prep->data, "DHHC-%01hhu:%02hhu:%*s", &version, &hmac) != 2) {
>
> I built the kernel at nvme-6.16 branch at git hash bf4d87cba2d7 applying
> this series. Then I ran the blktests test case corresponding to this series,
> and observed the BUG KASAN slab-out-of-bounds below [1].
>
> The sscanf() above has three "%"s in the conversion format string, while it has
> two following pointer arguments. I think this gap between the numbers of "%"s
> and the pointer arguments causes the BUG. I removed "%*s" from the format
> string, then the BUG looks disappearing.
>
Well ... '%*s' translates as 'ignore following string argument'.
So there _might_ be an issue if there is no following string argument.
And actually this was meant to be a 'cheap' way of stripping and pending
newlines after the key.
Guess I'll rewrite that to actually strip the newline.
Thanks for testing.
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare at suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
More information about the Linux-nvme
mailing list