[PATCH] nvmet-auth: validate reply message payload bounds against transfer length

Hannes Reinecke hare at suse.de
Sun May 31 23:19:37 PDT 2026


On 5/29/26 16:18, Tianchu Chen wrote:
> From: Tianchu Chen <flynnnchen at tencent.com>
> 
> nvmet_auth_reply() accesses the variable-length rval[] array using
> attacker-controlled hl (hash length) and dhvlen (DH value length) fields
> without verifying they fit within the allocated buffer of tl bytes.
> 
> A malicious NVMe-oF initiator can craft a DHCHAP_REPLY message with a
> small transfer length but large hl/dhvlen values, causing out-of-bounds
> heap reads when the target processes the DH public key (rval + 2*hl) or
> performs the host response memcmp.
> 
> With DH authentication configured, the OOB pointer is passed directly to
> sg_init_one() and read by crypto_kpp_compute_shared_secret(), reaching
> up to 526 bytes past the buffer. This is exploitable pre-authentication.
> 
> Add bounds validation ensuring sizeof(*data) + 2*hl + dhvlen <= tl before
> any access to the variable-length fields.
> 
> Discovered by Atuin - Automated Vulnerability Discovery Engine.
> 
> Fixes: db1312dd9548 ("nvmet: implement basic In-Band Authentication")
> Cc: stable at vger.kernel.org
> Signed-off-by: Tianchu Chen <flynnnchen at tencent.com>
> ---
>   drivers/nvme/target/fabrics-cmd-auth.c | 15 ++++++++++++---
>   1 file changed, 12 insertions(+), 3 deletions(-)
> 
Reviewed-by: Hannes Reinecke <hare at kernel.org>

Cheers,

hannes
-- 
Dr. Hannes Reinecke                  Kernel Storage Architect
hare at suse.de                                +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
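As an added illustration of the check the quoted patch describes (example code, not the kernel's fabrics-cmd-auth.c, and using a simplified stand-in for the reply header rather than the kernel's struct), the bounds validation that must run before the target forms the rval + 2*hl pointer:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the DHCHAP_REPLY header (assumed layout, not the kernel's
 * struct): rval[] carries hl bytes of host response, hl bytes of host
 * challenge, then dhvlen bytes of DH public value. */
struct dhchap_reply {
	uint8_t  auth_type, auth_id;
	uint16_t t_id;
	uint8_t  hl, cvalid;
	uint16_t dhvlen;
	uint32_t seqnum;
	uint8_t  rval[];
};

/* True only if the header and every variable-length field fit in the tl
 * bytes actually transferred. Arithmetic is widened to size_t so
 * 2*hl + dhvlen cannot wrap, and the header is checked before it is read. */
bool dhchap_reply_fits(const void *buf, size_t tl)
{
	const struct dhchap_reply *data = buf;
	if (tl < sizeof(*data))
		return false;
	return sizeof(*data) + 2 * (size_t)data->hl + data->dhvlen <= tl;
}

/* Return the DH public value (rval + 2*hl) and its length, or NULL if the
 * message is malformed; the pointer is formed only after the bounds check. */
const uint8_t *dhchap_reply_dh_value(const void *buf, size_t tl, size_t *len)
{
	const struct dhchap_reply *data = buf;
	if (!dhchap_reply_fits(buf, tl) || data->dhvlen == 0)
		return NULL;
	*len = data->dhvlen;
	return data->rval + 2 * data->hl;
}

/* Write a constructed sample reply (zeroed body) into buf and return the
 * length a well-formed message with these hl/dhvlen values occupies. */
size_t make_reply(uint8_t *buf, size_t cap, uint8_t hl, uint16_t dhvlen)
{
	struct dhchap_reply *data = (struct dhchap_reply *)buf;
	memset(buf, 0, cap);
	data->hl = hl;
	data->dhvlen = dhvlen;
	return sizeof(*data) + 2 * (size_t)hl + dhvlen;
}
```

A message that declares hl=32 and dhvlen=512 but arrives with only the header plus 64 bytes is rejected before any pointer into rval[] is computed.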