From: Michael Bommarito <[email protected]> Sent: Thursday, July 9, 2026 7:29 PM > > A malicious Hyper-V host or backend can crash a guest with a short > SYNTH_HID_INITIAL_DEVICE_INFO message. mousevsc_on_receive_device_info() > trusts the HID descriptor bLength and wDescriptorLength without checking > that the received VMBus packet actually contains both byte ranges, so a > truncated packet with an oversized report-descriptor length makes the > guest read past the received packet while copying the descriptor. This > matters most for a confidential guest, where the host is outside the trust > boundary.
For some additional background on the assumed threat model that underlies this kind of validation (and lack thereof), see [1]. This Hyper-V mouse driver has .allowed_in_isolated set to "false", so it is never loaded in a CoCo VM. In normal VMs, the threat model says that we trust the Hyper-V host not to provide bad values. But as I said in [1], I'm good with taking additional validations. But Wei Liu as the maintainer for the Hyper-V drivers is the person who should decide whether we want to take additional validations. If we take these additional validations, there's a separate question of whether to backport them to stable kernels. I'm inclined to *not* backport to avoid introducing churn (and the risk of breaking something) when it isn't fixing an observed or likely-to-happen problem. But Wei Liu should probably weigh in on that as well. [1] https://lore.kernel.org/linux-hyperv/sn6pr02mb4157d595b990a321bfa85b40d4...@sn6pr02mb4157.namprd02.prod.outlook.com/ Michael > > Patch 1 passes the received initial-device-info size into the parser and > rejects descriptor lengths that exceed the packet. Patch 2 adds > same-translation-unit KUnit coverage: a well-formed message that must > still parse and the truncated/oversized message that must now be rejected. > > Reproduced with the KUnit/KASAN test: stock reads past the packet on the > short message after the benign control passes; patched rejects it and both > cases pass. > > Cc: [email protected] > > Michael Bommarito (2): > HID: hyperv: validate initial device info bounds > HID: hyperv: add KUnit coverage for device info bounds > > drivers/hid/Kconfig | 10 +++ > drivers/hid/hid-hyperv.c | 144 ++++++++++++++++++++++++++++++++++++--- > 2 files changed, 144 insertions(+), 10 deletions(-) > > -- > 2.53.0

