summaryrefslogtreecommitdiffstats
path: root/drivers/nvme/host/auth.c
diff options
context:
space:
mode:
authorMartin Wilck <mwilck@suse.com>2023-09-04 17:26:38 +0200
committerKeith Busch <kbusch@kernel.org>2023-10-10 17:06:06 +0200
commit4ae55a7dce04989f289d5c5c8c8e5c37adc36c71 (patch)
treee2b748477a682cfdc6b64b6fd5d5777dd39cc804 /drivers/nvme/host/auth.c
parentnvmet-tcp: Fix a possible UAF in queue intialization setup (diff)
downloadlinux-4ae55a7dce04989f289d5c5c8c8e5c37adc36c71.tar.xz
linux-4ae55a7dce04989f289d5c5c8c8e5c37adc36c71.zip
nvme-auth: use chap->s2 to indicate bidirectional authentication
Commit 546dea18c999 ("nvme-auth: check chap ctrl_key once constructed") replaced the condition "if (ctrl->ctrl_key)" (indicating bidirectional auth) by "if (chap->ctrl_key)", because ctrl->ctrl_key is a resource shared with sysfs. But chap->ctrl_key is set in nvme_auth_process_dhchap_challenge() depending on the DHVLEN in the DH-HMAC-CHAP Challenge message received from the controller, and will thus be non-NULL for every DH-HMAC-CHAP exchange, even if unidirectional auth was requested. This will lead to a protocol violation by sending a Success2 message in the unidirectional case (per NVMe base spec 2.0, the authentication transaction ends after the Success1 message for unidirectional auth). Use chap->s2 instead, which is non-zero if and only if the host requested bi-directional authentication from the controller. Fixes: 546dea18c999 ("nvme-auth: check chap ctrl_key once constructed") Signed-off-by: Martin Wilck <mwilck@suse.com> Reviewed-by: Daniel Wagner <dwagner@suse.de> Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Reviewed-by: Hannes Reinecke <hare@suse.de> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Keith Busch <kbusch@kernel.org>
Diffstat (limited to 'drivers/nvme/host/auth.c')
-rw-r--r--drivers/nvme/host/auth.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c
index daf5d144a8ea..064592a5d546 100644
--- a/drivers/nvme/host/auth.c
+++ b/drivers/nvme/host/auth.c
@@ -341,7 +341,7 @@ static int nvme_auth_process_dhchap_success1(struct nvme_ctrl *ctrl,
struct nvmf_auth_dhchap_success1_data *data = chap->buf;
size_t size = sizeof(*data);
- if (chap->ctrl_key)
+ if (chap->s2)
size += chap->hash_len;
if (size > CHAP_BUF_SIZE) {
@@ -825,7 +825,7 @@ static void nvme_queue_auth_work(struct work_struct *work)
goto fail2;
}
- if (chap->ctrl_key) {
+ if (chap->s2) {
/* DH-HMAC-CHAP Step 5: send success2 */
dev_dbg(ctrl->device, "%s: qid %d send success2\n",
__func__, chap->qid);