Re: [PATCH v2] nvmet-auth: validate negotiate payload length (BUG: KASAN: slab-out-of-bounds)

From: yunje shin

Date: Fri Mar 13 2026 - 02:08:12 EST


Hi Keith,

Just following up on this patch. It fixes a network-reachable KASAN
slab-out-of-bounds in nvmet_execute_auth_send().

Could this be queued for nvme-fixes?

Thanks,
Yunje Shin

On Wed, Mar 11, 2026 at 5:47 AM Chris Leech <cleech@xxxxxxxxxx> wrote:
>
> On Thu, Feb 12, 2026 at 10:33:18AM +0900, YunJe Shin wrote:
> > From: Yunje Shin <ioerts@xxxxxxxxxxxxx>
> >
> > AUTH_SEND negotiation requires at least one DH-HMAC-CHAP protocol descriptor.
> > Validate the payload length before parsing the negotiate payload to avoid
> > out-of-bounds reads.
> >
> > KASAN splat:
> > [ 1224.388857] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x1d24/0x2090
> > [ 1224.407035] The buggy address belongs to the cache kmalloc-8 of size 8
> > [ 1224.407998] allocated 8-byte region [ffff88800a6537c0, ffff88800a6537c8)
> > [ 1224.412412] page dumped because: kasan: bad access detected
> >
> > Use struct_size() for minimum length computation and move the negotiate
> > restart flow into a helper so the call site stays compact.
> >
> > Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
> > Signed-off-by: Yunje Shin <ioerts@xxxxxxxxxxxxx>
> > ---
> > v2:
> > - use struct_size() for negotiate payload minimum length
> > - split negotiate handling into nvmet_restart_dhchap_auth() helper
> > - use NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD instead of NVMe status
> >
> > drivers/nvme/target/fabrics-cmd-auth.c | 48 +++++++++++++++++---------
> > 1 file changed, 32 insertions(+), 16 deletions(-)
> > ...
> > + size_t min_len = struct_size(neg, auth_protocol, 1);
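Review bot: the minimum-length check built from this line must run before any field of `neg` is read, including `neg->napd`; the splat in the commit message shows the buggy access landing in an 8-byte kmalloc region, so reading `napd` to size the check would itself be the out-of-bounds read the patch is meant to prevent. Using a fixed descriptor count of 1 in `struct_size(neg, auth_protocol, 1)` keeps the guard independent of peer-controlled data, and since the target already enforces `napd == 1` a second `struct_size(neg, auth_protocol, neg->napd)` check after the `napd` validation would be redundant. It would help to state in the commit message that the `min_len` comparison happens before the `napd` check, so the ordering is visible to reviewers without reading the full diff.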
>
> Maybe this could have been struct_size(neg, auth_protocol, neg->napd)?
> But the target code also enforces napd == 1, so it ends up being the same.
>
> Reviewed-by: Chris Leech <cleech@xxxxxxxxxx>
>
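The length-before-parse pattern the patch describes, as an added example that is not the kernel's code nor part of the thread: a constructed user-space stand-in for the negotiate payload (the field names `napd` and `auth_protocol` follow the thread, but the layout, the `STRUCT_SIZE` macro, `validate_negotiate()` and the error codes are assumptions of this example). It shows why the minimum length is computed with a fixed descriptor count of 1 rather than from the peer-supplied `napd`, and rejects a payload as short as the 8-byte region in the KASAN splat before any field is touched.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the negotiate payload; the real kernel
 * structures differ in detail, only the flexible-array shape matters here. */
struct proto_desc {
    uint8_t authid;
    uint8_t rsvd;
    uint8_t halen;
    uint8_t dhlen;
    uint8_t idlist[30];
};

struct negotiate_data {
    uint8_t auth_type;
    uint8_t auth_id;
    uint16_t rsvd;
    uint16_t t_id;
    uint8_t sc_c;
    uint8_t napd;                       /* number of protocol descriptors */
    struct proto_desc auth_protocol[];  /* napd descriptors follow */
};

/* User-space equivalent of the kernel's struct_size(ptr, member, count):
 * bytes needed for the fixed header plus `count` trailing array elements. */
#define STRUCT_SIZE(type, member, count) \
    (offsetof(type, member) + sizeof(((type *)0)->member[0]) * (size_t)(count))

enum { NEG_OK = 0, NEG_ERR_TOO_SHORT = 1, NEG_ERR_NAPD = 2 };

/* Minimum payload length: header plus exactly one descriptor. The count is
 * a constant, not neg->napd, so no field is read before the check. */
size_t negotiate_min_len(void)
{
    return STRUCT_SIZE(struct negotiate_data, auth_protocol, 1);
}

/* Validate a received negotiate payload of `len` bytes.
 * Order matters: bound the length first, dereference second. */
int validate_negotiate(const uint8_t *buf, size_t len)
{
    if (len < negotiate_min_len())
        return NEG_ERR_TOO_SHORT;   /* would otherwise read past the buffer */

    const struct negotiate_data *neg = (const struct negotiate_data *)buf;

    /* Now it is safe to inspect fields; the target accepts exactly one
     * descriptor, so no further length arithmetic depends on napd. */
    if (neg->napd != 1)
        return NEG_ERR_NAPD;

    return NEG_OK;
}

int main(void)
{
    /* Constructed inputs: an 8-byte payload (same size as the kmalloc-8
     * region in the splat) and a well-formed one with napd == 1. */
    uint8_t tiny[8] = {0};
    uint8_t good[64] = {0};
    good[offsetof(struct negotiate_data, napd)] = 1;

    printf("min_len = %zu\n", negotiate_min_len());
    printf("8-byte payload  -> %d (expect %d)\n",
           validate_negotiate(tiny, sizeof tiny), NEG_ERR_TOO_SHORT);
    printf("full payload    -> %d (expect %d)\n",
           validate_negotiate(good, negotiate_min_len()), NEG_OK);
    return 0;
}
```

The check rejects anything shorter than the header plus one descriptor before `neg` is dereferenced at all; with `napd` pinned to 1 by the protocol handler, a single constant-count `STRUCT_SIZE` is the complete bound.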