Re: [PATCH v2] nvmet-auth: validate negotiate payload length(BUG: KASAN: slab-out-of-bounds)
From: yunje shin
Date: Tue Mar 10 2026 - 14:14:35 EST
Hi Keith,
Could you take a look at this patch when you get a chance?
It fixes a KASAN slab-out-of-bounds in nvmet_execute_auth_send() by
validating the negotiate payload length before parsing.
Just wanted to check if this can be queued.
Thanks,
Yunje Shin
On Mon, Mar 9, 2026 at 12:12 AM yunje shin <yjshin0438@xxxxxxxxx> wrote:
>
> Hi,
> Gentle ping on this patch.
> I wanted to check if it can be queued.
>
> Thanks,
> Yunje Shin
>
> On Thu, Feb 12, 2026 at 8:03 PM Hannes Reinecke <hare@xxxxxxx> wrote:
> >
> > On 2/12/26 02:33, YunJe Shin wrote:
> > > From: Yunje Shin <ioerts@xxxxxxxxxxxxx>
> > >
> > > AUTH_SEND negotiation requires at least one DH-HMAC-CHAP protocol descriptor.
> > > Validate the payload length before parsing the negotiate payload to avoid
> > > out-of-bounds reads.
> > >
> > > KASAN splat:
> > > [ 1224.388857] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090
> > > [ 1224.407035] The buggy address belongs to the cache kmalloc-8 of size 8
> > > [ 1224.407998] allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
> > > [ 1224.412412] page dumped because: kasan: bad access detected
> > >
> > > Use struct_size() for minimum length computation and move the negotiate
> > > restart flow into a helper so the call site stays compact.
> > >
> > > Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
> > > Signed-off-by: Yunje Shin <ioerts@xxxxxxxxxxxxx>
> > > ---
> > > v2:
> > > - use struct_size() for negotiate payload minimum length
> > > - split negotiate handling into nvmet_restart_dhchap_auth() helper
> > > - use NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead of NVMe status
> > >
> > Reviewed-by: Hannes Reinecke <hare@xxxxxxx>
> >
> > Cheers,
> >
> > Hannes
> > --
> > Dr. Hannes Reinecke Kernel Storage Architect
> > hare@xxxxxxx +49 911 74053 688
> > SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
> > HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
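
An added user-space illustration of the check the quoted commit message describes (validate the negotiate payload length before parsing it); it is not code from the patch or from the kernel. The struct layouts, msg_size() (a stand-in for the kernel's struct_size()), parse_negotiate(), try_payload() and the NEG_* codes are hypothetical, and the check against the declared descriptor count goes one step beyond what the thread states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical, simplified layouts; NOT the kernel's definitions. */
struct proto_desc {                 /* one protocol descriptor (16 bytes) */
    uint8_t authid;
    uint8_t rsvd[3];
    uint8_t idlist[12];
};
struct negotiate_msg {              /* 8-byte header + flexible array */
    uint8_t  auth_type, auth_id;
    uint16_t rsvd, t_id;
    uint8_t  sc_c;
    uint8_t  napd;                  /* number of descriptors that follow */
    struct proto_desc desc[];
};
enum { NEG_OK = 0, NEG_INCORRECT_PAYLOAD = -1 };

/* Header plus n descriptors; saturates to SIZE_MAX on overflow so that
 * every "len < msg_size(n)" comparison fails closed. */
static size_t msg_size(size_t n)
{
    if (n > (SIZE_MAX - sizeof(struct negotiate_msg)) / sizeof(struct proto_desc))
        return SIZE_MAX;
    return sizeof(struct negotiate_msg) + n * sizeof(struct proto_desc);
}

/* Check the transfer length before touching any field of the payload. */
int parse_negotiate(const void *buf, size_t len, uint8_t *first_authid)
{
    const struct negotiate_msg *m = buf;

    if (len < msg_size(1))          /* header + at least one descriptor */
        return NEG_INCORRECT_PAYLOAD;
    if (m->napd == 0 || len < msg_size(m->napd))
        return NEG_INCORRECT_PAYLOAD;   /* declared count must fit too */
    *first_authid = m->desc[0].authid;
    return NEG_OK;
}

/* Constructed input: a zeroed len-byte heap payload with napd set. */
int try_payload(size_t len, uint8_t napd, uint8_t *authid)
{
    uint8_t *buf = calloc(1, len);
    int ret;

    if (!buf)
        return NEG_INCORRECT_PAYLOAD;
    if (len >= 8) buf[7] = napd;    /* napd is at offset 7 in this layout */
    if (len > 8)  buf[8] = 0x31;    /* desc[0].authid, constructed value */
    ret = parse_negotiate(buf, len, authid);
    free(buf);
    return ret;
}
```

An 8-byte payload, the allocation size shown in the KASAN splat, is rejected by the first length check before desc[] is ever read.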