authorAndrey Konovalov <andreyknvl@google.com>2019-04-11 15:44:07 +0200
committerDmitry Vyukov <dvyukov@google.com>2019-04-11 16:24:45 +0200
commitf4a3dc91283f5ab016f166ffec32f9c08e0ba174 (patch)
tree322e6242062367a881530c527e84da5b4cc265e3 /pkg
parent10e721ba9292fd30750d4c38e11a15d2fbab8f23 (diff)
all: add basic USB fuzzing support
This commit implements 4 syzcalls: syz_usb_connect, syz_usb_io_control, syz_usb_ep_write and syz_usb_disconnect. Those syzcalls are used to emit USB packets through a custom GadgetFS-like interface (currently exposed at /sys/kernel/debug/usb-fuzzer), which requires special kernel patches. USB fuzzing support is quite basic, as it mostly covers only the USB device enumeration process. Even though the syz_usb_ep_write syzcall does allow communication with USB endpoints after the device has been enumerated, no coverage is collected from that code yet.
Diffstat (limited to 'pkg')
-rw-r--r--pkg/csource/gen.go1
-rw-r--r--pkg/host/host_linux.go10
2 files changed, 11 insertions, 0 deletions
diff --git a/pkg/csource/gen.go b/pkg/csource/gen.go
index dc5c2a876..38d758436 100644
--- a/pkg/csource/gen.go
+++ b/pkg/csource/gen.go
@@ -32,6 +32,7 @@ func main() {
"common_test.h",
"common_kvm_amd64.h",
"common_kvm_arm64.h",
+ "common_usb.h",
"kvm.h",
"kvm.S.h",
} {
diff --git a/pkg/host/host_linux.go b/pkg/host/host_linux.go
index e8395511f..88ecf2d5a 100644
--- a/pkg/host/host_linux.go
+++ b/pkg/host/host_linux.go
@@ -201,6 +201,9 @@ func isSupportedSyzkall(sandbox string, c *prog.Syscall) (bool, string) {
case "syz_emit_ethernet", "syz_extract_tcp_res":
reason := checkNetworkInjection()
return reason == "", reason
+ case "syz_usb_connect", "syz_usb_disconnect", "syz_usb_control_io", "syz_usb_ep_write":
+ reason := checkUSBInjection()
+ return reason == "", reason
case "syz_kvm_setup_cpu":
switch c.Name {
case "syz_kvm_setup_cpu$x86":
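Review bot: The added case label lists `syz_usb_control_io`, while the commit description names the same syzcall `syz_usb_io_control`, so one of the two spellings is wrong. If the string in the switch does not match the call name in the syscall descriptions, that call will miss this case and fall through to whatever the switch does for unknown names, which is outside the hunk. Please confirm the name against the description files and correct either the label or the commit message. The body of isSupportedSyzkall starts and ends outside the hunk.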
@@ -634,6 +637,13 @@ func checkNetworkInjection() string {
return checkNetworkDevices()
}
+func checkUSBInjection() string {
+ if err := osutil.IsAccessible("/sys/kernel/debug/usb-fuzzer"); err != nil {
+ return err.Error()
+ }
+ return ""
+}
+
func checkNetworkDevices() string {
if _, err := exec.LookPath("ip"); err != nil {
return "ip command is not found"
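Review bot: checkUSBInjection decides support only from `osutil.IsAccessible("/sys/kernel/debug/usb-fuzzer")`, evaluated in the checking process, and its caller does not pass along the `sandbox` value it receives. debugfs is normally restricted to root, so a sandboxed executor that drops privileges may fail to open the node even though this check succeeded; whether IsAccessible tests read-only or read-write access is also not visible here. If that gap is real, the calls would be reported as supported and then fail at run time. At minimum the function should carry a comment stating the assumption, for example `// checkUSBInjection reports why USB emulation is unavailable; it only checks that the usb-fuzzer debugfs node is accessible to this process.` The debugfs path could also become a named constant so it is not repeated as a literal.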