A malicious Hyper-V host or backend can crash a guest with a short SYNTH_HID_INITIAL_DEVICE_INFO message. mousevsc_on_receive_device_info() trusts the HID descriptor bLength and wDescriptorLength without checking that the received VMBus packet actually contains both byte ranges, so a truncated packet with an oversized report-descriptor length makes the guest read past the received packet while copying the descriptor. This matters most for a confidential guest, where the host is outside the trust boundary.
Patch 1 passes the received initial-device-info size into the parser and rejects descriptor lengths that exceed the packet. Patch 2 adds same-translation-unit KUnit coverage: a well-formed message that must still parse and the truncated/oversized message that must now be rejected. Reproduced with the KUnit/KASAN test: stock reads past the packet on the short message after the benign control passes; patched rejects it and both cases pass. Cc: [email protected] Michael Bommarito (2): HID: hyperv: validate initial device info bounds HID: hyperv: add KUnit coverage for device info bounds drivers/hid/Kconfig | 10 +++ drivers/hid/hid-hyperv.c | 144 ++++++++++++++++++++++++++++++++++++--- 2 files changed, 144 insertions(+), 10 deletions(-) -- 2.53.0

