A malicious Hyper-V host or backend can crash a guest with a short
SYNTH_HID_INITIAL_DEVICE_INFO message. mousevsc_on_receive_device_info()
trusts the HID descriptor bLength and wDescriptorLength without checking
that the received VMBus packet actually contains both byte ranges, so a
truncated packet with an oversized report-descriptor length makes the
guest read past the received packet while copying the descriptor. This
matters most for a confidential guest, where the host is outside the trust
boundary.
Patch 1 passes the received initial-device-info size into the parser and
rejects descriptor lengths that exceed the packet. Patch 2 adds
same-translation-unit KUnit coverage: a well-formed message that must
still parse and the truncated/oversized message that must now be rejected.
Reproduced with the KUnit/KASAN test: stock reads past the packet on the
short message after the benign control passes; patched rejects it and both
cases pass.
Cc: stable@vger.kernel.org
Michael Bommarito (2):
HID: hyperv: validate initial device info bounds
HID: hyperv: add KUnit coverage for device info bounds
drivers/hid/Kconfig | 10 +++
drivers/hid/hid-hyperv.c | 144 ++++++++++++++++++++++++++++++++++++---
2 files changed, 144 insertions(+), 10 deletions(-)
--
2.53.0