[PATCH] nvmet-auth: reject short AUTH_RECEIVE buffers

Mon Jun 8 23:51:33 PDT 2026

On 6/6/26 20:13, Michael Bommarito wrote:
> nvmet_execute_auth_receive() trusts the AUTH_RECEIVE allocation length
> after checking only that it is nonzero and matches the transfer length.
> In SUCCESS1 and FAILURE1/default states, that lets a remote NVMe-oF
> initiator reach fixed-size DHCHAP response builders with a kmalloc()
> buffer shorter than the response, so the builder writes past the
> allocation.
> 
> Reject AUTH_RECEIVE commands whose allocation length is shorter than the
> response for the current state before allocating the buffer. Keep the
> existing CHALLENGE variable-length guard in nvmet_auth_challenge().
> 
> This is the AUTH_RECEIVE response-write counterpart to the separately
> posted AUTH_SEND read-side bounds fix in nvmet_auth_reply() [1]; the two
> paths do not overlap.
> 
> Link: https://lore.kernel.org/all/f4aca9b14e74a7f7f8cd9620e13cc32a6a2b7746@linux.dev/ [1]
> Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
> Cc: stable at vger.kernel.org
> Assisted-by: Codex:gpt-5-5-xhigh
> Signed-off-by: Michael Bommarito <michael.bommarito at gmail.com>
> ---
> A temporary KUnit harness, not included in this patch, ran under UML
> with KASAN enabled. The stock run crashed in
> nvmet_execute_auth_receive() on the SUCCESS1 path with "memset:
> detected buffer overflow: 16 byte write of buffer size 1"; the patched
> run passed the same harness. The harness source is available on
> request.
> 
>   drivers/nvme/target/fabrics-cmd-auth.c | 27 ++++++++++++++++++++++++++
>   1 file changed, 27 insertions(+)
> 
> diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
> index f1e613e7c63e5..77c7b412a8691 100644
> --- a/drivers/nvme/target/fabrics-cmd-auth.c
> +++ b/drivers/nvme/target/fabrics-cmd-auth.c
> @@ -487,11 +487,30 @@ u32 nvmet_auth_receive_data_len(struct nvmet_req *req)
>   	return le32_to_cpu(req->cmd->auth_receive.al);
>   }
>   
> +static u32 nvmet_auth_receive_min_len(struct nvmet_req *req)
> +{
> +	struct nvmet_ctrl *ctrl = req->sq->ctrl;
> +	u32 hash_len = 0;
> +
> +	switch (req->sq->dhchap_step) {
> +	case NVME_AUTH_DHCHAP_MESSAGE_CHALLENGE:
> +		return 0;
> +	case NVME_AUTH_DHCHAP_MESSAGE_SUCCESS1:
> +		if (req->sq->dhchap_c2)
> +			hash_len = nvme_auth_hmac_hash_len(ctrl->shash_id);
> +
> +		return sizeof(struct nvmf_auth_dhchap_success1_data) + hash_len;
> +	default:
> +		return sizeof(struct nvmf_auth_dhchap_failure_data);
> +	}
> +}
> +
>   void nvmet_execute_auth_receive(struct nvmet_req *req)
>   {
>   	struct nvmet_ctrl *ctrl = req->sq->ctrl;
>   	void *d;
>   	u32 al;
> +	u32 min_len;
>   	u16 status = 0;
>   
>   	if (req->cmd->auth_receive.secp != NVME_AUTH_DHCHAP_PROTOCOL_IDENTIFIER) {
> @@ -524,6 +543,14 @@ void nvmet_execute_auth_receive(struct nvmet_req *req)
>   		return;
>   	}
>   
> +	min_len = nvmet_auth_receive_min_len(req);
> +	if (al < min_len) {
> +		status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR;
> +		req->error_loc =
> +			offsetof(struct nvmf_auth_receive_command, al);
> +		goto done;
> +	}
> +
>   	d = kmalloc(al, GFP_KERNEL);
>   	if (!d) {
>   		status = NVME_SC_INTERNAL;

Please move this check into nvmet_auth_receive_data_len().

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                  Kernel Storage Architect
hare at suse.de                                +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich