[PATCH 2/9] nvme-keyring: add 'dhchap' key type

Hannes Reinecke hare at suse.de
Mon Jun 2 23:11:03 PDT 2025


On 6/3/25 02:32, Shinichiro Kawasaki wrote:
> On May 28, 2025 / 16:05, Hannes Reinecke wrote:
>> Add a 'dhchap' keytype to store DH-HMAC-CHAP secret keys.
>> Keys are stored with a 'user-type' compatible payload, such
>> that one can use 'user_read()' to access the raw contents
>> and the 'read()' callback to get the base64-encoded key
>> data in the DH-HMAC-CHAP secret representation.
>>
>> Signed-off-by: Hannes Reinecke <hare at kernel.org>
>> ---
>>   drivers/nvme/common/keyring.c | 266 ++++++++++++++++++++++++++++++++++
>>   include/linux/nvme-keyring.h  |  22 ++-
>>   2 files changed, 287 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/nvme/common/keyring.c b/drivers/nvme/common/keyring.c
>> index 32d16c53133b..a58c93c6d495 100644
>> --- a/drivers/nvme/common/keyring.c
>> +++ b/drivers/nvme/common/keyring.c
> [...]
>> +static int nvme_dhchap_psk_preparse(struct key_preparsed_payload *prep)
>> +{
>> +	struct user_key_payload *upayload;
>> +	size_t datalen = prep->datalen, keylen;
>> +	int ret;
>> +	u32 crc;
>> +	u8 version, hmac;
>> +
>> +	if (!prep->data) {
>> +		pr_debug("%s: Empty data", __func__);
>> +		prep->payload.data[0] = NULL;
>> +		prep->quotalen = 0;
>> +		return -EINVAL;
>> +	}
>> +
>> +	if (sscanf(prep->data, "DHHC-%01hhu:%02hhu:%*s", &version, &hmac) != 2) {
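
Review bot: the sscanf() call on prep->data at the end of this hunk treats the payload as a NUL-terminated string, while the function carries its size separately in prep->datalen and nothing in the visible lines bounds the scan to that length or guarantees a terminator. Suggest parsing from an explicitly terminated copy (for example kmemdup_nul(prep->data, datalen, GFP_KERNEL)) or with a length-aware parser, and stripping trailing newlines explicitly: "%*s" stops at the first whitespace, assigns nothing, and leaves the "!= 2" check unable to tell whether anything followed the second ':'. Minor: the pr_debug() format string is missing its trailing "\n".
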
> 
> I built the kernel at nvme-6.16 branch at git hash bf4d87cba2d7 applying
> this series. Then I ran the blktests test case corresponding to this series,
> and observed the BUG KASAN slab-out-of-bounds below [1].
> 
> The sscanf() above has three "%"s in the conversion format string, while it has
> two following pointer arguments. I think this gap between the numbers of "%"s
> and the pointer arguments causes the BUG. I removed "%*s" from the format
> string, and then the BUG seems to disappear.
> 
Well ... '%*s' translates as 'ignore following string argument'.
So there _might_ be an issue if there is no following string argument.
And actually this was meant to be a 'cheap' way of stripping any pending
newlines after the key.
Guess I'll rewrite that to actually strip the newline.
Thanks for testing.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                  Kernel Storage Architect
hare at suse.de                                +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
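
A length-bounded way to parse the "DHHC-<version>:<hmac>:" prefix and strip trailing newlines, as an added userspace example that is not code from this patch series. The names dhchap_parse_header() and parse_dec() are hypothetical, the sample key string is constructed, and rejecting an empty body is an assumption.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read 1..max_digits decimal digits at buf[*pos]; never reads at or past buf[len]. */
static int parse_dec(const char *buf, size_t len, size_t *pos,
                     size_t max_digits, uint8_t *out)
{
    unsigned int v = 0;
    size_t n = 0;
    for (; *pos < len && n < max_digits && isdigit((unsigned char)buf[*pos]); n++)
        v = v * 10 + (unsigned int)(buf[(*pos)++] - '0');
    *out = (uint8_t)v;
    return n ? 0 : -1;
}

/* Parse "DHHC-<version>:<hmac>:<body>" from a buffer that has a length but no
 * terminating NUL. On success *off/*blen give the body with trailing CR/LF
 * removed. Rejecting an empty body is an assumption of this example. */
int dhchap_parse_header(const char *buf, size_t len, uint8_t *version,
                        uint8_t *hmac, size_t *off, size_t *blen)
{
    size_t pos = 5; /* strlen("DHHC-") */
    if (!buf || len < pos || memcmp(buf, "DHHC-", pos) != 0)
        return -1;
    if (parse_dec(buf, len, &pos, 1, version) || pos >= len || buf[pos++] != ':')
        return -1;
    if (parse_dec(buf, len, &pos, 2, hmac) || pos >= len || buf[pos++] != ':')
        return -1;
    while (len > pos && (buf[len - 1] == '\n' || buf[len - 1] == '\r'))
        len--; /* explicit newline strip instead of relying on "%*s" */
    if (len == pos)
        return -1;
    *off = pos;
    *blen = len - pos;
    return 0;
}

int main(void)
{
    /* Constructed sample, deliberately without a terminating NUL. */
    const char raw[] = { 'D','H','H','C','-','1',':','0','1',':','Q','U','J','D',':','\n' };
    uint8_t v, h;
    size_t off, blen;
    if (dhchap_parse_header(raw, sizeof(raw), &v, &h, &off, &blen))
        return 1;
    printf("version=%u hmac=%u body=%.*s\n", (unsigned)v, (unsigned)h, (int)blen, raw + off);
    return 0;
}
```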


