Re: [PATCH] nvmet: auth: validate dhchap id list lengths(KASAN: slab-out-of-bounds)

public inbox for linux-nvme@lists.infradead.org
 help / color / mirror / Atom feed

From: Chris Leech <cleech@redhat.com>
To: yunje shin <yjshin0438@gmail.com>
Cc: Hannes Reinecke <hare@suse.de>, Keith Busch <kbusch@kernel.org>,
	 Chaitanya Kulkarni <kch@nvidia.com>,
	Sagi Grimberg <sagi@grimberg.me>, Christoph Hellwig <hch@lst.de>,
	 linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org,
	ioerts@kookmin.ac.kr
Subject: Re: [PATCH] nvmet: auth: validate dhchap id list lengths(KASAN: slab-out-of-bounds)
Date: Tue, 10 Mar 2026 13:34:34 -0700	[thread overview]
Message-ID: <20260310-stoning-wolf-a5f45a779f3a@redhat.com> (raw)
In-Reply-To: <CAMX6_QE64ttVQ03CQP4ULECePiTwooy6OfqUk4_biz+_s=vpbA@mail.gmail.com>

On Wed, Mar 11, 2026 at 04:06:44AM +0900, yunje shin wrote:
> Thank you for the clarification regarding the 64-byte structural
> constraints. If this approach looks good to you, I will format it
> properly with an updated commit message and send out a formal v2
> patch.

Yes, that looks much better to me.  Thanks!

- Chris

> diff --git a/drivers/nvme/target/fabrics-cmd-auth.c
> b/drivers/nvme/target/fabrics-cmd-auth.c
> index 5946681cb0e3..acba4878a873 100644
> --- a/drivers/nvme/target/fabrics-cmd-auth.c
> +++ b/drivers/nvme/target/fabrics-cmd-auth.c
> @@ -72,6 +72,14 @@ static u8 nvmet_auth_negotiate(struct nvmet_req
> *req, void *d)
>       NVME_AUTH_DHCHAP_AUTH_ID)
>   return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
> 
> + /*
> + * idlist[0..29]: hash IDs
> + * idlist[30..59]: DH group IDs
> + */
> + if (data->auth_protocol[0].dhchap.halen > NVME_AUTH_DHCHAP_MAX_HASH_IDS ||
> +     data->auth_protocol[0].dhchap.dhlen > NVME_AUTH_DHCHAP_MAX_DH_IDS)
> + return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
> +
>   for (i = 0; i < data->auth_protocol[0].dhchap.halen; i++) {
>   u8 host_hmac_id = data->auth_protocol[0].dhchap.idlist[i];
> 
> @@ -97,7 +105,7 @@ static u8 nvmet_auth_negotiate(struct nvmet_req
> *req, void *d)
>   dhgid = -1;
>   fallback_dhgid = -1;
>   for (i = 0; i < data->auth_protocol[0].dhchap.dhlen; i++) {
> - int tmp_dhgid = data->auth_protocol[0].dhchap.idlist[i + 30];
> + int tmp_dhgid = data->auth_protocol[0].dhchap.idlist[i +
> NVME_AUTH_DHCHAP_MAX_HASH_IDS];
> 
>   if (tmp_dhgid != ctrl->dh_gid) {
>   dhgid = tmp_dhgid;
> diff --git a/include/linux/nvme.h b/include/linux/nvme.h
> index b09dcaf5bcbc..ea0393ab16fc 100644
> --- a/include/linux/nvme.h
> +++ b/include/linux/nvme.h
> @@ -1824,6 +1824,8 @@ struct nvmf_auth_dhchap_protocol_descriptor {
>   __u8 dhlen;
>   __u8 idlist[60];
>  };
> +#define NVME_AUTH_DHCHAP_MAX_HASH_IDS 30
> +#define NVME_AUTH_DHCHAP_MAX_DH_IDS 30
> 
>  enum {
>   NVME_AUTH_DHCHAP_AUTH_ID = 0x01,
> -- 
> 2.43.0
> 
> Thanks
> Yunje Shin.
> 
> On Wed, Mar 11, 2026 at 3:07 AM Chris Leech <cleech@redhat.com> wrote:
> >
> > On Wed, Mar 11, 2026 at 02:52:36AM +0900, yunje shin wrote:
> > > Thanks for the review.
> > >
> > > Yes, I triggered the KASAN issue by injecting an invalid dhlen The
> > > reproduction steps are:
> > > 1. Connect to the NVMe/TCP target on port 4420 (ICReq + Fabrics CONNECT).
> > > 2. Send AUTH_SEND with a crafted NEGOTIATE payload where dhlen=200. 3.
> > > The kernel target code in nvmet_auth_negotiate() then iterates
> > >
> > >     for (i = 0; i < data->auth_protocol[0].dhchap.dhlen; i++) {
> > >         int tmp_dhgid = data->auth_protocol[0].dhchap.idlist[i + 30];
> > >
> > > With dhlen=200, this reads idlist[30..229], but idlist[] is only 60
> > > bytes (indices 0..59). The accesses at indices 60 and beyond read past
> > > the kmalloc'd slab object into adjacent slab memory, which KASAN
> > > catches as a slab-out-of-bounds read.
> >
> > Thank you, I appreciate understanding how this was triggered.
> >
> > > While the standard Linux NVMe host driver does use hardcoded halen=3
> > > and dhlen=6, the NVMe target is network-facing and must validate all
> > > fields from the wire. A malicious or non-standard host can send
> > > arbitrary values. The same applies to halen — if halen > 30, the
> > > first loop also reads out of bounds.
> >
> > Yes, this code absolutly should validate halen and dhlen bounds.
> >
> > > Regarding idlist_half — yes, idlist is currently a fixed 60-byte array
> > > and the DH offset is always 30. I derived it from sizeof(idlist)
> > > rather than hardcoding 30 so that the bounds check and the DH offset
> > > stay consistent with the array definition. If the struct ever changes,
> > > the validation adapts automatically instead of silently going stale.
> >
> > The 60-byte idlist (and 30:30 split) are part of the NVMe specification.
> > It's the maximum amount of space while keeping to a 64-byte struct.
> >
> > I'd rather see this made clearer with a define for the limit, but not
> > adding code that appears to calculate it at runtime.
> >
> > Thanks,
> > - Chris
> >
>

next prev parent reply	other threads:[~2026-03-10 20:35 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-02-11  6:58 [PATCH] nvmet: auth: validate dhchap id list lengths(KASAN: slab-out-of-bounds) YunJe Shin
2026-02-12  1:49 ` yunje shin
2026-02-18  4:04   ` yunje shin
2026-03-08 15:09     ` yunje shin
2026-03-09 18:04       ` Chris Leech
2026-03-10 17:48         ` yunje shin
2026-03-10 17:52           ` yunje shin
2026-03-10 18:07             ` Chris Leech
2026-03-10 19:06               ` yunje shin
2026-03-10 20:34                 ` Chris Leech [this message]
2026-03-12  7:01                 ` Hannes Reinecke
2026-03-13  5:24                   ` [PATCH v2] nvmet: auth: validate dhchap id list lengths YunJe Shin
2026-03-13 15:30                     ` Chris Leech
2026-03-17 14:51                     ` Christoph Hellwig
2026-03-17 16:55                       ` yunje shin
2026-03-20  7:49                         ` Christoph Hellwig
2026-03-20  8:13                           ` yunje shin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260310-stoning-wolf-a5f45a779f3a@redhat.com \
    --to=cleech@redhat.com \
    --cc=hare@suse.de \
    --cc=hch@lst.de \
    --cc=ioerts@kookmin.ac.kr \
    --cc=kbusch@kernel.org \
    --cc=kch@nvidia.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-nvme@lists.infradead.org \
    --cc=sagi@grimberg.me \
    --cc=yjshin0438@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox