Re: [PATCH] nvmet-auth: validate reply message payload bounds against transfer length

Next message: Harry Yoo: "Re: [PATCH v3 1/2] mm/slub: introduce helpers for node partial slab state"
Previous message: Tariq Toukan: "[PATCH net-next V7 0/2] net/mlx5: Avoid payload in skb's linear part for better GRO-processing"
Next in thread: Christoph Hellwig: "Re: [PATCH] nvmet-auth: validate reply message payload bounds against transfer length"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Hannes Reinecke

Date: Mon Jun 01 2026 - 02:21:38 EST

On 5/29/26 16:18, Tianchu Chen wrote:

From: Tianchu Chen <flynnnchen@xxxxxxxxxxx>

nvmet_auth_reply() accesses the variable-length rval[] array using
attacker-controlled hl (hash length) and dhvlen (DH value length) fields
without verifying they fit within the allocated buffer of tl bytes.

A malicious NVMe-oF initiator can craft a DHCHAP_REPLY message with a
small transfer length but large hl/dhvlen values, causing out-of-bounds
heap reads when the target processes the DH public key (rval + 2*hl) or
performs the host response memcmp.

With DH authentication configured, the OOB pointer is passed directly to
sg_init_one() and read by crypto_kpp_compute_shared_secret(), reaching
up to 526 bytes past the buffer. This is exploitable pre-authentication.

Add bounds validation ensuring sizeof(*data) + 2*hl + dhvlen <= tl before
any access to the variable-length fields.

Discovered by Atuin - Automated Vulnerability Discovery Engine.

Fixes: db1312dd9548 ("nvmet: implement basic In-Band Authentication")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Tianchu Chen <flynnnchen@xxxxxxxxxxx>
---
drivers/nvme/target/fabrics-cmd-auth.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)

Reviewed-by: Hannes Reinecke <hare@xxxxxxxxxx>

Cheers,

hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@xxxxxxx +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich