diff options
| author | harputluoglu <71352211+harputluoglu@users.noreply.github.com> | 2020-09-23 12:31:39 +0200 |
|---|---|---|
| committer | Andrey Konovalov <andreyknvl@gmail.com> | 2020-10-02 22:02:01 +0200 |
| commit | 2653fa43f8cced3279808d74e5f712bf45ef7551 (patch) | |
| tree | 83168c6c18f5046146ea70d432d870f7213224bb /docs | |
| parent | 5910646c6c6fbb5e48801342677bff9c4609a2ea (diff) | |
docs/linux: add USB/IP Documentation
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/linux/external_fuzzing_usbip.md | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/docs/linux/external_fuzzing_usbip.md b/docs/linux/external_fuzzing_usbip.md new file mode 100644 index 000000000..496b23bb7 --- /dev/null +++ b/docs/linux/external_fuzzing_usbip.md @@ -0,0 +1,36 @@ +# **USB/IP Fuzzing for Linux Kernel** + +Syzkaller supports fuzzing the Linux kernel USB/IP subsystem externally. We can set up a virtual network and send USB/IP packets to the client kernel as they are being received from an external server. +USB/IP fuzzing needs USB/IP configurations to be enabled. You can find the list in the configurations part. + +Currently syzkaller only includes support for fuzzing the client side of USB/IP, which consists of 2 main parts: + +1. USB/IP pseudo-syscalls. +2. Syzkaller descriptions. + +### **Configurations** + +Following configurations should be enabled for USB/IP. + +``` +CONFIG_USBIP_CORE=y +CONFIG_USBIP_VHCI_HCD=y +CONFIG_USBIP_VHCI_HC_PORTS=8 +CONFIG_USBIP_VHCI_NR_HCS=8 +CONFIG_USBIP_HOST=y +CONFIG_USBIP_VUDC=y +CONFIG_USBIP_DEBUG=y +``` + +### **Pseudo-syscalls** + +Currently syzkaller defines one USB/IP pseudo-syscall and one USB/IP specific write syscall (see [this](/executor/common_linux.h) for the pseudo-syscall and [this](/sys/linux/usbip.txt) for its syzkaller descriptions): + +`syz_usbip_server_init` sets up USB/IP server. It creates a pair of connected socket and opens the `/sys/devices/platform/vhci_hcd.0/attach` file. Later, this pseudo-syscall writes the USB/IP client’s socket descriptor as well as port number used for USB/IP connection, USB device id and USB device speed into this file so that the USB/IP communication between client and server can start and client’s kernel can receive USB/IP packets from the server. + +`write$usbip_server` sends USB/IP packets to client by using server's socket descriptor. (Particularly, `USBIP_RET_SUBMIT` and `USBIP_RET_UNLINK` packets.) We assume that the server can send arbitrary USB/IP packets instead of emulating a real device. These packets end up in the client's kernel and get parsed there. + +### **Further Improvements** + +1. Fuzzing the server side of USB/IP. +2. Collect coverage from USB/IP kernel code. |