The hyperv synthetic video driver parses VMBus messages from the host without bounding two host-controlled values that feed into fixed-size buffers. Both items are input validation, not security bugs: the Hyper-V host sits inside the trusted compute base under the default Hyper-V threat model. The patches still trim the inputs the driver accepts at face value, matching the trajectory drivers/hv/ has followed for Confidential-VMBus work where the host is no longer fully trusted.

Patch 1 bounds resolution_count against supported_resolution[SYNTHVID_MAX_RESOLUTION_COUNT]; the existing default_resolution_index check is bypassable when both values exceed 64.

Patch 2 forwards bytes_recvd from vmbus_recvpacket() into the sub-handler so that vid_hdr.type and feature_chg.is_dirt_needed are only read once the host actually delivered enough bytes, and so that the init_buf memcpy uses the received length.

Sending as a plain patch series, not a security disclosure. Compile-tested against drm-fixes (6916d5703ddf), static-only.

Berkant Koc (2):
  drm/hyperv: validate resolution_count from host VMBus message
  drm/hyperv: validate VMBus packet size in receive callback

 drivers/gpu/drm/hyperv/hyperv_drm_proto.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

base-commit: 6916d5703ddf9a38f1f6c2cc793381a24ee914c6
-- 
2.47.3
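
Added example, not part of the original message and not the driver's code: a user-space C model of the two checks the cover letter describes, showing why an index-versus-count comparison alone passes when both values exceed 64. The struct layout, index_only_check(), validate_resp(), the return codes and the assumed shape of the pre-patch index check are hypothetical; only the field names and the 64-entry bound come from the letter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SYNTHVID_MAX_RESOLUTION_COUNT 64 /* bound named in the cover letter */

/* Hypothetical, simplified layout for illustration; not the driver's structs. */
struct res { uint16_t w, h; };
struct resolution_resp {
	uint32_t type;                    /* stands in for vid_hdr.type */
	uint8_t resolution_count;         /* host-controlled */
	uint8_t default_resolution_index; /* host-controlled */
	struct res supported_resolution[SYNTHVID_MAX_RESOLUTION_COUNT];
};
#define HDR_LEN offsetof(struct resolution_resp, supported_resolution)

/* Assumed shape of an index-only check: it passes when both values are large. */
static int index_only_check(uint8_t count, uint8_t index)
{
	return index < count ? 0 : -1;
}

/* Length first, then count against the array, then index, then payload size. */
static int validate_resp(const uint8_t *buf, size_t bytes_recvd, struct resolution_resp *out)
{
	size_t need;
	if (bytes_recvd < HDR_LEN)
		return -1; /* header fields were not fully delivered */
	memcpy(out, buf, HDR_LEN);
	if (out->resolution_count > SYNTHVID_MAX_RESOLUTION_COUNT)
		return -2; /* would index past supported_resolution[] */
	if (out->default_resolution_index >= out->resolution_count)
		return -3; /* also rejects a count of zero */
	need = HDR_LEN + out->resolution_count * sizeof(struct res);
	if (bytes_recvd < need)
		return -4; /* entries claimed but not received */
	memcpy(out->supported_resolution, buf + HDR_LEN, need - HDR_LEN);
	return 0;
}

int main(void)
{
	uint8_t msg[64] = {0}; /* constructed sample message */
	struct resolution_resp out;
	msg[4] = 200; msg[5] = 100; /* count and index, both above 64 */
	printf("index-only: %d, hardened: %d\n", index_only_check(msg[4], msg[5]),
	       validate_resp(msg, sizeof(msg), &out));
}
```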

