[PATCH v2] nvmet-auth: validate negotiate payload length(BUG: KASAN: slab-out-of-bounds)
Hannes Reinecke
hare at suse.de
Thu Feb 12 03:03:01 PST 2026
On 2/12/26 02:33, YunJe Shin wrote:
> From: Yunje Shin <ioerts at kookmin.ac.kr>
>
> AUTH_SEND negotiation requires at least one DH-HMAC-CHAP protocol descriptor.
> Validate the payload length before parsing the negotiate payload to avoid
> out-of-bounds reads.
>
> KASAN splat:
> [ 1224.388857] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090
> [ 1224.407035] The buggy address belongs to the cache kmalloc-8 of size 8
> [ 1224.407998] allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
> [ 1224.412412] page dumped because: kasan: bad access detected
>
> Use struct_size() for minimum length computation and move the negotiate
> restart flow into a helper so the call site stays compact.
>
> Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
> Signed-off-by: Yunje Shin <ioerts at kookmin.ac.kr>
> ---
> v2:
> - use struct_size() for negotiate payload minimum length
> - split negotiate handling into nvmet_restart_dhchap_auth() helper
> - use NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead of NVMe status
>
Reviewed-by: Hannes Reinecke <hare at suse.de>
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare at suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
More information about the Linux-nvme
mailing list