Re: [PATCH v2] nvmet: auth: validate dhchap id list lengths

From: Chris Leech

Date: Fri Mar 13 2026 - 11:36:51 EST


On Fri, Mar 13, 2026 at 02:24:09PM +0900, YunJe Shin wrote:
> From: Yunje Shin <ioerts@xxxxxxxxxxxxx>
>
> The function nvmet_auth_negotiate() parses the idlist array in the
> struct nvmf_auth_dhchap_protocol_descriptor payload. This array is 60
> bytes and is logically divided into two 30-byte halves: the first half
> for HMAC IDs and the second half for DH group IDs. The current code
> uses a hardcoded +30 offset for the DH list, but does not validate
> halen and dhlen against the per-half bounds. As a result, if a
> malicious host sends halen or dhlen larger than 30, the loop can
> read past the 60-byte array into adjacent slab memory, triggering a
> KASAN slab-out-of-bounds read.
>
> KASAN splat:
> [ 4.241646] BUG: KASAN: slab-out-of-bounds in nvmet_execute_auth_send+0x19b8/0x2090
> [ 4.242874] Read of size 1 at addr ffff8881045754e8 by task kworker/1:1H/41
> [ 4.265342] The buggy address belongs to the cache kmalloc-96 of size 96
> [ 4.266291] allocated 72-byte region [ffff8881045754a0, ffff8881045754e8)
> [ 4.270337] page dumped because: kasan: bad access detected
>
> This patch fixes the issue by introducing NVME_AUTH_DHCHAP_MAX_HASH_IDS
> and NVME_AUTH_DHCHAP_MAX_DH_IDS defined as 30, which explicitly indicates
> the maximum boundaries allowed per NVMe specification. The lengths halen
> and dhlen are validated against these boundaries before processing,
> preventing the out-of-bounds reads.
>
> Fixes: db1312dd95488 ("nvmet: implement basic In-Band Authentication")
> Cc: stable@xxxxxxxxxx
> Signed-off-by: Yunje Shin <ioerts@xxxxxxxxxxxxx>
> Reviewed-by: Hannes Reinecke <hare@xxxxxxx>
> ---
> v2:
> - Replaced the runtime 'sizeof' calculation (idlist_half) with explicit
> NVME_AUTH_DHCHAP_MAX_HASH_IDS and NVME_AUTH_DHCHAP_MAX_DH_IDS macros
> to clearly reflect the 30:30 split limit per Chris Leech's feedback.

Reviewed-by: Chris Leech <cleech@xxxxxxxxxx>
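The length-check the patch adds, shown as a user-space model (added example, not the kernel's code or the patch itself). The struct layout is an assumption modelled on struct nvmf_auth_dhchap_protocol_descriptor as the commit message describes it (a short header, then the 60-byte idlist split 30:30); the accepted hash and DH group ids are illustrative placeholders, not the NVMe-defined values. `max_index_unchecked()` reproduces the reach of the original unchecked loops, `negotiate_checked()` applies the NVME_AUTH_DHCHAP_MAX_HASH_IDS / NVME_AUTH_DHCHAP_MAX_DH_IDS bounds before indexing, and `make_desc()` builds constructed payloads for both cases.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NVME_AUTH_DHCHAP_MAX_HASH_IDS 30
#define NVME_AUTH_DHCHAP_MAX_DH_IDS   30
#define IDLIST_LEN (NVME_AUTH_DHCHAP_MAX_HASH_IDS + NVME_AUTH_DHCHAP_MAX_DH_IDS)

/* Assumed layout, modelled on the kernel descriptor; not the real definition. */
struct dhchap_proto_desc {
    uint8_t authid;
    uint8_t rsvd;
    uint8_t halen;              /* count of HMAC ids in idlist[0..29]  */
    uint8_t dhlen;              /* count of DH group ids in idlist[30..59] */
    uint8_t idlist[IDLIST_LEN];
};

/* Hypothetical ids the target accepts (placeholders, not NVMe constants). */
#define ACCEPT_HASH_ID    0x02
#define ACCEPT_DHGROUP_ID 0x03

struct negotiated { uint8_t hash_id; uint8_t dhgroup_id; };

/* "Before": highest idlist index the original unchecked loops touch.
 * Anything >= IDLIST_LEN is a read past the array (the slab neighbour in
 * the kernel). Returns -1 when neither loop runs. */
int max_index_unchecked(uint8_t halen, uint8_t dhlen)
{
    int hi = -1;
    if (halen)
        hi = halen - 1;
    if (dhlen && NVME_AUTH_DHCHAP_MAX_HASH_IDS + dhlen - 1 > hi)
        hi = NVME_AUTH_DHCHAP_MAX_HASH_IDS + dhlen - 1;
    return hi;
}

/* Bytes the unchecked loops read beyond the 60-byte idlist. */
int oob_bytes_unchecked(uint8_t halen, uint8_t dhlen)
{
    int hi = max_index_unchecked(halen, dhlen);
    return hi >= IDLIST_LEN ? hi - IDLIST_LEN + 1 : 0;
}

/* "After": reject counts beyond each half before indexing, then pick the
 * first acceptable id from each half.
 * 0 ok; -1 malformed lengths; -2 no acceptable hash; -3 no acceptable group. */
int negotiate_checked(const struct dhchap_proto_desc *d, struct negotiated *out)
{
    unsigned i;
    if (d->halen > NVME_AUTH_DHCHAP_MAX_HASH_IDS ||
        d->dhlen > NVME_AUTH_DHCHAP_MAX_DH_IDS)
        return -1;
    out->hash_id = out->dhgroup_id = 0;
    for (i = 0; i < d->halen; i++)
        if (d->idlist[i] == ACCEPT_HASH_ID) { out->hash_id = ACCEPT_HASH_ID; break; }
    if (!out->hash_id)
        return -2;
    for (i = 0; i < d->dhlen; i++)
        if (d->idlist[NVME_AUTH_DHCHAP_MAX_HASH_IDS + i] == ACCEPT_DHGROUP_ID) {
            out->dhgroup_id = ACCEPT_DHGROUP_ID; break;
        }
    return out->dhgroup_id ? 0 : -3;
}

/* Constructed payload: given counts, with the accepted ids placed in the last
 * valid slot of each half so a well-formed descriptor still negotiates. */
struct dhchap_proto_desc make_desc(uint8_t halen, uint8_t dhlen)
{
    struct dhchap_proto_desc d;
    memset(&d, 0, sizeof d);
    d.authid = 1; d.halen = halen; d.dhlen = dhlen;
    if (halen && halen <= NVME_AUTH_DHCHAP_MAX_HASH_IDS)
        d.idlist[halen - 1] = ACCEPT_HASH_ID;
    if (dhlen && dhlen <= NVME_AUTH_DHCHAP_MAX_DH_IDS)
        d.idlist[NVME_AUTH_DHCHAP_MAX_HASH_IDS + dhlen - 1] = ACCEPT_DHGROUP_ID;
    return d;
}

/* Convenience: negotiate a constructed payload; returns the negative rc on
 * failure, or (hash_id << 8 | dhgroup_id) on success. */
int negotiated_ids(uint8_t halen, uint8_t dhlen)
{
    struct dhchap_proto_desc d = make_desc(halen, dhlen);
    struct negotiated n;
    int rc = negotiate_checked(&d, &n);
    return rc < 0 ? rc : (n.hash_id << 8 | n.dhgroup_id);
}

int main(void)
{
    printf("well-formed (3,5): 0x%04x\n", negotiated_ids(3, 5));
    printf("hostile (255,255): unchecked reach index %d (%d bytes past idlist), checked rc=%d\n",
           max_index_unchecked(255, 255), oob_bytes_unchecked(255, 255),
           negotiated_ids(255, 255));
    return 0;
}
```

Two things the model makes visible that the splat alone does not: a halen between 31 and 60 never leaves the 60-byte array, so KASAN stays silent, yet the hash loop is then reading DH group ids as hash ids; and a dhlen of 31 is already one byte past the array. Checking each count against its own 30-entry half, rather than against the 60-byte total, catches both.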