[PATCH 0/2] drm/hyperv: harden VMBus message parser input validation

Next message: Jonathan Cameron: "Re: [PATCH 1/2] iio: light: veml3328: add devicetree binding for new sensor"
Previous message: Berkant Koc: "[PATCH 2/2] drm/hyperv: validate VMBus packet size in receive callback"
Next in thread: Berkant Koc: "[PATCH 1/2] drm/hyperv: validate resolution_count from host VMBus message"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Berkant Koc

Date: Sun May 17 2026 - 09:11:00 EST

The hyperv synthetic video driver parses VMBus messages from the host
without bounding two host-controlled values that feed into fixed-size
buffers. Both items are input validation, not security bugs: the
Hyper-V host sits inside the trusted compute base under the default
Hyper-V threat-model. The patches still trim the inputs the driver
accepts at face value, matching the trajectory drivers/hv/ has
followed for Confidential-VMBus work where the host is no longer
fully trusted.

Patch 1 bounds resolution_count against
supported_resolution[SYNTHVID_MAX_RESOLUTION_COUNT]; the existing
default_resolution_index check is bypassable when both values
exceed 64.

Patch 2 forwards bytes_recvd from vmbus_recvpacket() into the
sub-handler so that vid_hdr.type and feature_chg.is_dirt_needed
are only read once the host actually delivered enough bytes, and
so that the init_buf memcpy uses the received length.

Sending as a plain patch series, not a security disclosure.
Compile-tested against drm-fixes (6916d5703ddf), static-only.

Berkant Koc (2):
drm/hyperv: validate resolution_count from host VMBus message
drm/hyperv: validate VMBus packet size in receive callback

drivers/gpu/drm/hyperv/hyperv_drm_proto.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)

base-commit: 6916d5703ddf9a38f1f6c2cc793381a24ee914c6
--
2.47.3