From: "Tianchu Chen" <tianchu.chen@linux.dev>
To: "Christoph Hellwig" <hch@lst.de>
Cc: hare@suse.de, hch@lst.de, sagi@grimberg.me, kch@nvidia.com,
linux-kernel@vger.kernel.org, linux-nvme@lists.infradead.org
Subject: Re: [PATCH] nvmet-auth: validate reply message payload bounds against transfer length
Date: Mon, 01 Jun 2026 08:58:18 +0000 [thread overview]
Message-ID: <c023c72aa183dd31fc9a2d7e9781c5551d5cdb9f@linux.dev> (raw)
In-Reply-To: <20260601071921.GB7582@lst.de>
June 1, 2026 at 3:19 PM, "Christoph Hellwig" <hch@lst.de mailto:hch@lst.de?to=%22Christoph%20Hellwig%22%20%3Chch%40lst.de%3E > wrote:
>
> On Fri, May 29, 2026 at 02:18:39PM +0000, Tianchu Chen wrote:
>
> >
> > From: Tianchu Chen <flynnnchen@tencent.com>
> >
> > nvmet_auth_reply() accesses the variable-length rval[] array using
> > attacker-controlled hl (hash length) and dhvlen (DH value length) fields
> > without verifying they fit within the allocated buffer of tl bytes.
> >
> > A malicious NVMe-oF initiator can craft a DHCHAP_REPLY message with a
> > small transfer length but large hl/dhvlen values, causing out-of-bounds
> > heap reads when the target processes the DH public key (rval + 2*hl) or
> > performs the host response memcmp.
> >
> > With DH authentication configured, the OOB pointer is passed directly to
> > sg_init_one() and read by crypto_kpp_compute_shared_secret(), reaching
> > up to 526 bytes past the buffer. This is exploitable pre-authentication.
> >
> > Add bounds validation ensuring sizeof(*data) + 2*hl + dhvlen <= tl before
> > any access to the variable-length fields.
> >
> > Discovered by Atuin - Automated Vulnerability Discovery Engine.
> >
> > Fixes: db1312dd9548 ("nvmet: implement basic In-Band Authentication")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
> > ---
> > drivers/nvme/target/fabrics-cmd-auth.c | 15 ++++++++++++---
> > 1 file changed, 12 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
> > index f1e613e7c..0a85acf1e 100644
> > --- a/drivers/nvme/target/fabrics-cmd-auth.c
> > +++ b/drivers/nvme/target/fabrics-cmd-auth.c
> > @@ -132,13 +132,22 @@ static u8 nvmet_auth_negotiate(struct nvmet_req *req, void *d)
> > return 0;
> > }
> >
> > -static u8 nvmet_auth_reply(struct nvmet_req *req, void *d)
> > +static u8 nvmet_auth_reply(struct nvmet_req *req, void *d, u32 tl)
> > {
> > struct nvmet_ctrl *ctrl = req->sq->ctrl;
> > struct nvmf_auth_dhchap_reply_data *data = d;
> > - u16 dhvlen = le16_to_cpu(data->dhvlen);
> > + u16 dhvlen;
> > u8 *response;
> >
> > + if (tl < sizeof(*data))
> > + return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
> > +
> > + dhvlen = le16_to_cpu(data->dhvlen);
> > +
> > + /* Validate that hl and dhvlen fit within the transfer length */
> > + if (sizeof(*data) + 2 * (size_t)data->hl + dhvlen > tl)
> >
> Can't still still overflow? This should probably use struct_size
> to get the size up to and including the rval array, then
> use use checked subtractions from tl.
>
Thanks for the review.
I think the current patch doesn't actually allows overflow.
hl is a __u8 and dhvlen is a __le16. So the maximum value of
sizeof(*data) + 2 * (size_t)data->hl + dhvlen
is 66061, which is far below SIZE_MAX. It can't wrap.
About rewritting using struct_size: we still need to check
tl >= struct_size(data, rval, 0) first, which is exactly the same
as just using sizeof(*data) in current patch. Because we have to
confirm the header is fully present before we can even read
hl / dhvlen, which are the values that determine the minimum
required rval[] length.
So I believe the current patch already achieves the intended
goal of validating the payload against the buffer size,
using struct_size won't change the behavior.
That said, I'm happy to send a v2 that uses struct_size(data, rval, 0)
as the header anchor and then peels off the variable parts
with checked subtractions, if you prefer that style:
size_t size = struct_size(data, rval, 0); /* check the header is fully present */
if (tl < size)
return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
tl -= size;
/* rval[] carries: response (hl) + challenge (hl) + DH value (dhvlen) */
if (tl < 2 * (u32)data->hl)
return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
tl -= 2 * (u32)data->hl;
dhvlen = le16_to_cpu(data->dhvlen);
if (tl < dhvlen)
return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
Which one do you prefer? Just let me know which you'd prefer and I can send
a v2 if needed.
Best regards,
Tianchu
next prev parent reply other threads:[~2026-06-01 8:59 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-29 14:18 [PATCH] nvmet-auth: validate reply message payload bounds against transfer length Tianchu Chen
2026-06-01 6:19 ` Hannes Reinecke
2026-06-01 7:19 ` Christoph Hellwig
2026-06-01 8:58 ` Tianchu Chen [this message]
2026-06-01 14:49 ` Christoph Hellwig
2026-06-03 9:39 ` Keith Busch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c023c72aa183dd31fc9a2d7e9781c5551d5cdb9f@linux.dev \
--to=tianchu.chen@linux.dev \
--cc=hare@suse.de \
--cc=hch@lst.de \
--cc=kch@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox