nvmet: pre-auth heap OOB read in DH-HMAC-CHAP authentication (data->hl unchecked in nvmet_auth_reply)
Keith Busch
kbusch at kernel.org
Tue Jun 2 01:56:58 PDT 2026
On Tue, Jun 02, 2026 at 09:50:38AM +0100, Keith Busch wrote:
> On Mon, Jun 01, 2026 at 08:32:37PM -0700, Jeremy Erazo wrote:
> > @@ -119,6 +120,16 @@ static u8 nvmet_auth_reply(struct nvmet_req *req, void *d)
> > __func__, ctrl->cntlid, req->sq->qid,
> > data->hl, data->cvalid, dhvlen);
> >
> > + /* Confirm the transferred length actually contains the
> > + * rval payload the message body advertises. The host
> > + * response is hl bytes; with cvalid set, hl more bytes
> > + * of challenge follow; with dhvlen set, dhvlen more
> > + * bytes of DH value follow.
> > + */
> > + if (tl < sizeof(*data) + data->hl +
> > + (data->cvalid ? data->hl : 0) + dhvlen)
> > + return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
> > +
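Review bot: the ternary at `(data->cvalid ? data->hl : 0)` only charges the challenge slot when cvalid is set, yet the comment directly above places the DH value after that slot ("with cvalid set, hl more bytes of challenge follow; with dhvlen set, dhvlen more bytes of DH value follow"); a reply with cvalid clear and a non-zero dhvlen therefore passes this check while the DH value is still consumed past the challenge slot, so the validated length stops hl bytes short of what is read. Count the slot whenever either field is present, e.g. `size_t chal_len = (data->cvalid || dhvlen) ? data->hl : 0;` and compare `tl` against `sizeof(*data) + data->hl + chal_len + dhvlen`. As a style point, the block comment opens with text on the `/*` line; the usual kernel style outside net/ puts `/*` alone on its first line.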
>
> I think the fix should change the ternary condition from data->cvalid to
> (data->cvalid || dhvlen):
>
> if (tl < sizeof(*data) + data->hl +
> ((data->cvalid || dhvlen) ? data->hl : 0) + dhvlen)
> return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
>
> But this is a bit of an eye-sore, so let's make this easier to read by
> lifting the ternary computation outside the 'if' section and storing the
> result in a temporary variable.
Oh wait, this is also a duplicate report:
https://lore.kernel.org/linux-nvme/f4aca9b14e74a7f7f8cd9620e13cc32a6a2b7746@linux.dev/
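As an added illustration (not code from the thread or from the kernel) of the gap discussed above: a C model of the reply length check in the posted form and with the `(cvalid || dhvlen)` condition, compared against where the receiver's reads end. The struct layout and the `rval + 2 * hl` DH value position are assumptions, simplified from the fields the thread names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified reply body; assumption: not the kernel's struct, only the fields the thread names. */
struct dhchap_reply {
	uint8_t  hl;     /* hash length: size of the response and of the challenge slot */
	uint8_t  cvalid; /* non-zero if the challenge slot holds a valid challenge */
	uint16_t dhvlen; /* length of the DH value, 0 if none */
	uint8_t  rval[]; /* response[hl] | challenge[hl] | dhvalue[dhvlen] */
};

typedef size_t (*required_fn)(uint8_t hl, uint8_t cvalid, uint16_t dhvlen);

/* Required length as the posted hunk computes it: the challenge slot is
 * charged only when cvalid is set. */
static size_t required_len_posted(uint8_t hl, uint8_t cvalid, uint16_t dhvlen)
{
	return sizeof(struct dhchap_reply) + hl + (cvalid ? hl : 0) + dhvlen;
}

/* Required length with the suggested condition, the ternary lifted into a
 * temporary: the slot counts whenever dhvlen is non-zero as well. */
static size_t required_len_fixed(uint8_t hl, uint8_t cvalid, uint16_t dhvlen)
{
	size_t chal_len = (cvalid || dhvlen) ? hl : 0;
	return sizeof(struct dhchap_reply) + hl + chal_len + dhvlen;
}

/* Offset one past the last byte the receiver reads. Assumption: the DH
 * value is read at rval + 2 * hl, i.e. after a full challenge slot, whether
 * or not cvalid is set. */
static size_t read_end_offset(uint8_t hl, uint8_t cvalid, uint16_t dhvlen)
{
	size_t hdr = sizeof(struct dhchap_reply);
	size_t end = hdr + hl;                       /* response */
	if (cvalid)
		end = hdr + 2 * (size_t)hl;          /* challenge */
	if (dhvlen)
		end = hdr + 2 * (size_t)hl + dhvlen; /* DH value */
	return end;
}

/* True if the check accepts a message of transferred length tl whose read would run past tl. */
static bool check_fails_open(required_fn required, size_t tl,
			     uint8_t hl, uint8_t cvalid, uint16_t dhvlen)
{
	return tl >= required(hl, cvalid, dhvlen) &&
	       read_end_offset(hl, cvalid, dhvlen) > tl;
}
```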