[PATCH] nvmet-auth: reject short AUTH_RECEIVE buffers

[Michael Bommarito <michael.bommarito@gmail.com>]

nvmet_execute_auth_receive() trusts the AUTH_RECEIVE allocation length
after checking only that it is nonzero and matches the transfer length.
In SUCCESS1 and FAILURE1/default states, that lets a remote NVMe-oF
initiator reach fixed-size DHCHAP response builders with a kmalloc()
buffer shorter than the response, so the builder writes past the
allocation.

Reject AUTH_RECEIVE commands whose allocation length is shorter than the
response for the current state before allocating the buffer. Keep the
existing CHALLENGE variable-length guard in nvmet_auth_challenge().

This is the AUTH_RECEIVE response-write counterpart to the separately
posted AUTH_SEND read-side bounds fix in nvmet_auth_reply() [1]; the two
paths do not overlap.

Link: https://lore.kernel.org/all/f4aca9b14e74a7f7f8cd9620e13cc32a6a2b7746@linux.dev/ [1]
Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
Cc: stable@vger.kernel.org
Assisted-by: Codex:gpt-5-5-xhigh
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---
A temporary KUnit harness, not included in this patch, ran under UML
with KASAN enabled. The stock run crashed in
nvmet_execute_auth_receive() on the SUCCESS1 path with "memset:
detected buffer overflow: 16 byte write of buffer size 1"; the patched
run passed the same harness. The harness source is available on
request.

 drivers/nvme/target/fabrics-cmd-auth.c | 27 ++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
index f1e613e7c63e5..77c7b412a8691 100644
--- a/drivers/nvme/target/fabrics-cmd-auth.c
+++ b/drivers/nvme/target/fabrics-cmd-auth.c
@@ -487,11 +487,30 @@ u32 nvmet_auth_receive_data_len(struct nvmet_req *req)
 	return le32_to_cpu(req->cmd->auth_receive.al);
 }
 
+static u32 nvmet_auth_receive_min_len(struct nvmet_req *req)
+{
+	struct nvmet_ctrl *ctrl = req->sq->ctrl;
+	u32 hash_len = 0;
+
+	switch (req->sq->dhchap_step) {
+	case NVME_AUTH_DHCHAP_MESSAGE_CHALLENGE:
+		return 0;
+	case NVME_AUTH_DHCHAP_MESSAGE_SUCCESS1:
+		if (req->sq->dhchap_c2)
+			hash_len = nvme_auth_hmac_hash_len(ctrl->shash_id);
+
+		return sizeof(struct nvmf_auth_dhchap_success1_data) + hash_len;
+	default:
+		return sizeof(struct nvmf_auth_dhchap_failure_data);
+	}
+}
+
 void nvmet_execute_auth_receive(struct nvmet_req *req)
 {
 	struct nvmet_ctrl *ctrl = req->sq->ctrl;
 	void *d;
 	u32 al;
+	u32 min_len;
 	u16 status = 0;
 
 	if (req->cmd->auth_receive.secp != NVME_AUTH_DHCHAP_PROTOCOL_IDENTIFIER) {
@@ -524,6 +543,14 @@ void nvmet_execute_auth_receive(struct nvmet_req *req)
 		return;
 	}
 
+	min_len = nvmet_auth_receive_min_len(req);
+	if (al < min_len) {
+		status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR;
+		req->error_loc =
+			offsetof(struct nvmf_auth_receive_command, al);
+		goto done;
+	}
+
 	d = kmalloc(al, GFP_KERNEL);
 	if (!d) {
 		status = NVME_SC_INTERNAL;
-- 
2.53.0