nvmet: pre-auth heap OOB read in DH-HMAC-CHAP authentication (data->hl unchecked in nvmet_auth_reply)
Keith Busch
kbusch at kernel.org
Tue Jun 2 01:50:38 PDT 2026
On Mon, Jun 01, 2026 at 08:32:37PM -0700, Jeremy Erazo wrote:
> @@ -119,6 +120,16 @@ static u8 nvmet_auth_reply(struct nvmet_req *req, void *d)
> __func__, ctrl->cntlid, req->sq->qid,
> data->hl, data->cvalid, dhvlen);
>
> + /* Confirm the transferred length actually contains the
> + * rval payload the message body advertises. The host
> + * response is hl bytes; with cvalid set, hl more bytes
> + * of challenge follow; with dhvlen set, dhvlen more
> + * bytes of DH value follow.
> + */
> + if (tl < sizeof(*data) + data->hl +
> + (data->cvalid ? data->hl : 0) + dhvlen)
> + return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
> +
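Review bot: the pr_debug immediately above this hunk already reads data->hl, data->cvalid and dhvlen, so the new check depends on an earlier guarantee that tl >= sizeof(*data); if no such header-length check precedes the debug print, one is needed ahead of it, otherwise those reads are themselves out of bounds on a short transfer. The challenge term here is counted only when cvalid is set while dhvlen bytes are always appended after it; the offsets this check assumes should be verified against the offsets at which the function later reads the challenge and the DH value, since any mismatch leaves exactly the window the check is meant to close. Style: block comments in the kernel open with a bare `/*` line rather than starting the text on the first line, so `/* Confirm the transferred length actually contains the` should become `/*` followed by ` * Confirm ...`.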
I think the fix should change the ternary condition from data->cvalid to
(data->cvalid || dhvlen):
if (tl < sizeof(*data) + data->hl +
((data->cvalid || dhvlen) ? data->hl : 0) + dhvlen)
return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
But this is a bit of an eye-sore, so let's make this easier to read by
lifting the ternary computation outside the 'if' section and storing the
result in a temporary variable.
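The following is an added, stand-alone C illustration of the length check the thread is discussing; it is not the kernel's nvmet code. It models only the three header fields named above (hl, cvalid, dhvlen) in a constructed struct, uses the corrected (cvalid || dhvlen) condition with the ternary hoisted into a local as suggested, and assumes, inferred from that corrected condition, that the DH value begins 2*hl bytes past the header. All struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the reply header; only the fields the thread
 * discusses are modelled, the real message layout is not reproduced. */
struct reply_hdr {
	uint8_t  hl;      /* hash length: size of the host response in bytes */
	uint8_t  cvalid;  /* nonzero: a controller challenge of hl bytes follows */
	uint16_t dhvlen;  /* length of the DH value in bytes, 0 when absent */
};

enum { REPLY_OK = 0, REPLY_TOO_SHORT = 1 };

/* Bytes the header advertises. The challenge slot (hl bytes) is counted
 * whenever cvalid OR dhvlen is set, because the DH value (assumption) is
 * read at a fixed 2*hl offset past the header and must not overlap it. */
static size_t reply_required_len(const struct reply_hdr *h)
{
	size_t chal_len = (h->cvalid || h->dhvlen) ? h->hl : 0;

	return sizeof(*h) + (size_t)h->hl + chal_len + h->dhvlen;
}

/* Returns REPLY_OK when the transfer length tl covers everything the
 * header advertises, REPLY_TOO_SHORT otherwise. */
int check_reply_len(size_t tl, const struct reply_hdr *h)
{
	return tl < reply_required_len(h) ? REPLY_TOO_SHORT : REPLY_OK;
}

/* Locate the variable-length fields in buf[0..tl). No field pointer is
 * produced until both the header and the advertised payload are known
 * to be inside the transfer. */
int parse_reply(const uint8_t *buf, size_t tl, const uint8_t **resp,
		const uint8_t **chal, const uint8_t **dhv)
{
	struct reply_hdr h;

	/* The header itself must be in-bounds before hl/cvalid/dhvlen are read. */
	if (tl < sizeof(h))
		return REPLY_TOO_SHORT;
	memcpy(&h, buf, sizeof(h));

	if (check_reply_len(tl, &h) != REPLY_OK)
		return REPLY_TOO_SHORT;

	*resp = buf + sizeof(h);
	*chal = h.cvalid ? *resp + h.hl : NULL;
	*dhv  = h.dhvlen ? *resp + 2 * (size_t)h.hl : NULL;   /* offset is an assumption */
	return REPLY_OK;
}

/* Constructed input: hl=32, cvalid=0, dhvlen=64, so 4 + 32 + 32 + 64 = 132
 * bytes are required. Parses the first tl bytes and returns the verdict. */
int parse_constructed(size_t tl)
{
	static uint8_t buf[132];
	struct reply_hdr h = { .hl = 32, .cvalid = 0, .dhvlen = 64 };
	const uint8_t *resp, *chal, *dhv;

	memset(buf, 0xAA, sizeof(buf));
	memcpy(buf, &h, sizeof(h));
	if (tl > sizeof(buf))
		tl = sizeof(buf);
	return parse_reply(buf, tl, &resp, &chal, &dhv);
}

int main(void)
{
	printf("tl=132: %s\n", parse_constructed(132) == REPLY_OK ? "ok" : "too short");
	printf("tl=131: %s\n", parse_constructed(131) == REPLY_OK ? "ok" : "too short");
	printf("tl=3:   %s\n", parse_constructed(3) == REPLY_OK ? "ok" : "too short");
	return 0;
}
```

With cvalid clear and dhvlen set, the original ternary would accept a 100-byte transfer (4 + 32 + 64) even though the DH value is read 32 bytes further in; the hoisted (cvalid || dhvlen) term makes the requirement 132 bytes, which is what the thread's correction addresses.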