aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--dashboard/config/upstream-usb.config2
-rwxr-xr-xdashboard/config/util.sh2
-rw-r--r--docs/linux/external_fuzzing_usb.md44
-rw-r--r--executor/common_usb.h175
-rw-r--r--pkg/csource/generated.go173
-rw-r--r--pkg/host/host_linux.go2
-rw-r--r--tools/syz-usbgen/keyboard.c167
7 files changed, 280 insertions, 285 deletions
diff --git a/dashboard/config/upstream-usb.config b/dashboard/config/upstream-usb.config
index a679c4075..50355190e 100644
--- a/dashboard/config/upstream-usb.config
+++ b/dashboard/config/upstream-usb.config
@@ -5235,7 +5235,7 @@ CONFIG_USB_GADGETFS=y
# CONFIG_USB_G_HID is not set
# CONFIG_USB_G_DBGP is not set
# CONFIG_USB_G_WEBCAM is not set
-CONFIG_USB_FUZZER=y
+CONFIG_USB_RAW_GADGET=y
CONFIG_TYPEC=y
CONFIG_TYPEC_TCPM=y
CONFIG_TYPEC_TCPCI=y
diff --git a/dashboard/config/util.sh b/dashboard/config/util.sh
index a39fe508c..490819c1f 100755
--- a/dashboard/config/util.sh
+++ b/dashboard/config/util.sh
@@ -42,7 +42,7 @@ function util_add_usb_bits {
scripts/config -e CONFIG_USB_GADGET
scripts/config -e CONFIG_USB_GADGETFS
scripts/config -e CONFIG_USB_DUMMY_HCD
- scripts/config -e CONFIG_USB_FUZZER
+ scripts/config -e CONFIG_USB_RAW_GADGET
make ${MAKE_VARS} olddefconfig
}
diff --git a/docs/linux/external_fuzzing_usb.md b/docs/linux/external_fuzzing_usb.md
index 9faa5c6c1..e77a64464 100644
--- a/docs/linux/external_fuzzing_usb.md
+++ b/docs/linux/external_fuzzing_usb.md
@@ -49,7 +49,7 @@ Syzkaller descriptions for USB fuzzing can be found [here](/sys/linux/vusb.txt).
1. Checkout the `usb-fuzzer` branch from https://github.com/google/kasan
-2. Configure the kernel (at the very least `CONFIG_USB_FUZZER=y` and `CONFIG_USB_DUMMY_HCD=y` need to be enabled).
+2. Configure the kernel (at the very least `CONFIG_USB_RAW_GADGET=y` and `CONFIG_USB_DUMMY_HCD=y` need to be enabled).
The easiest option is to use the [config](/dashboard/config/upstream-usb.config) from the syzbot USB fuzzing instance.
@@ -86,7 +86,7 @@ The instructions below describe a way to generate syzkaller USB IDs for all USB
2. Build and boot the kernel.
-3. Connect a USB HID device. In case you're using a `CONFIG_USB_FUZZER=y` kernel, use the provided [keyboard emulation program](/tools/syz-usbgen/keyboard.c).
+3. Connect a USB HID device. In case you're using a `CONFIG_USB_RAW_GADGET=y` kernel, use the provided [keyboard emulation program](/tools/syz-usbgen/keyboard.c).
4. Use [syz-usbgen](/tools/syz-usbgen/usbgen.go) script to update [syzkaller descriptions](/sys/linux/init_vusb_ids.go):
@@ -140,10 +140,10 @@ These instructions describe how to set this up on a Raspberry Pi Zero W, but any
// triggering interaction between multiple USB devices within the same program.
- char device[32];
- sprintf(&device[0], "dummy_udc.%llu", procid);
- - rv = usb_fuzzer_init(fd, speed, "dummy_udc", &device[0]);
- + rv = usb_fuzzer_init(fd, speed, "20980000.usb", "20980000.usb");
+ - rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
+ + rv = usb_raw_init(fd, speed, "20980000.usb", "20980000.usb");
if (rv < 0) {
- debug("syz_usb_connect: usb_fuzzer_init failed with %d\n", rv);
+ debug("syz_usb_connect: usb_raw_init failed with %d\n", rv);
return rv;
diff --git a/executor/executor.cc b/executor/executor.cc
index 34949a01..1afcb288 100644
@@ -192,37 +192,37 @@ These instructions describe how to set this up on a Raspberry Pi Zero W, but any
13. Get Linux kernel headers following [this](https://github.com/notro/rpi-source/wiki).
-14. Download the fuzzer module:
+14. Download the USB Raw Gadget module:
``` bash
mkdir module
cd module
- wget https://raw.githubusercontent.com/google/kasan/usb-fuzzer/drivers/usb/gadget/fuzzer/fuzzer.c
- wget https://raw.githubusercontent.com/google/kasan/usb-fuzzer/include/uapi/linux/usb/fuzzer.h
+ wget https://raw.githubusercontent.com/google/kasan/usb-fuzzer/drivers/usb/gadget/raw/raw.c
+ wget https://raw.githubusercontent.com/google/kasan/usb-fuzzer/include/uapi/linux/usb/raw-gadget.h
```
Apply the following change:
``` c
- diff --git a/fuzzer.c b/fuzzer.c
+ diff --git a/raw.c b/raw.c
index 308c540..68d43b9 100644
- --- a/fuzzer.c
- +++ b/fuzzer.c
+ --- a/raw.c
+ +++ b/raw.c
@@ -17,7 +17,7 @@
#include <linux/usb/gadgetfs.h>
#include <linux/usb/gadget.h>
- -#include <uapi/linux/usb/fuzzer.h>
- +#include "fuzzer.h"
+ -#include <uapi/linux/usb/raw-gadget.h>
+ +#include "raw-gadget.h"
- #define DRIVER_DESC "USB fuzzer"
- #define DRIVER_NAME "usb-fuzzer-gadget"
+ #define DRIVER_DESC "USB Raw Gadget"
+ #define DRIVER_NAME "raw-gadget"
```
Add a `Makefile`:
``` make
- obj-m := fuzzer.o
+ obj-m := raw.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
@@ -231,7 +231,7 @@ These instructions describe how to set this up on a Raspberry Pi Zero W, but any
And build with `make`.
-15. Insert the module with `sudo insmod fuzzer.ko`.
+15. Insert the module with `sudo insmod raw.ko`.
16. Build and test the [keyboard emulator program](/tools/syz-usbgen/keyboard.c):
@@ -249,17 +249,17 @@ These instructions describe how to set this up on a Raspberry Pi Zero W, but any
index 2a6015d4..3ebd1e03 100644
--- a/tools/syz-usbgen/keyboard.c
+++ b/tools/syz-usbgen/keyboard.c
- @@ -95,8 +95,8 @@ int usb_fuzzer_open() {
- void usb_fuzzer_init(int fd, enum usb_device_speed speed) {
- struct usb_fuzzer_init arg;
+ @@ -95,8 +95,8 @@ int usb_raw_open() {
+ void usb_raw_init(int fd, enum usb_device_speed speed) {
+ struct usb_raw_init arg;
arg.speed = speed;
- arg.driver_name = "dummy_udc";
- arg.device_name = "dummy_udc.0";
+ arg.driver_name = "20980000.usb";
+ arg.device_name = "20980000.usb";
- int rv = ioctl(fd, USB_FUZZER_IOCTL_INIT, &arg);
+ int rv = ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
if (rv != 0) {
- perror("ioctl(USB_FUZZER_IOCTL_INIT)");
+ perror("ioctl(USB_RAW_IOCTL_INIT)");
```
17. You should now be able to execute syzkaller USB programs:
diff --git a/executor/common_usb.h b/executor/common_usb.h
index 026b2be6f..7b16f9849 100644
--- a/executor/common_usb.h
+++ b/executor/common_usb.h
@@ -74,112 +74,111 @@ static bool parse_usb_descriptor(char* buffer, size_t length, struct usb_device_
return true;
}
-enum usb_fuzzer_event_type {
- USB_FUZZER_EVENT_INVALID,
- USB_FUZZER_EVENT_CONNECT,
- USB_FUZZER_EVENT_DISCONNECT,
- USB_FUZZER_EVENT_SUSPEND,
- USB_FUZZER_EVENT_RESUME,
- USB_FUZZER_EVENT_CONTROL,
+enum usb_raw_event_type {
+ USB_RAW_EVENT_INVALID,
+ USB_RAW_EVENT_CONNECT,
+ USB_RAW_EVENT_DISCONNECT,
+ USB_RAW_EVENT_SUSPEND,
+ USB_RAW_EVENT_CONTROL,
};
-struct usb_fuzzer_event {
+struct usb_raw_event {
uint32 type;
uint32 length;
char data[0];
};
-struct usb_fuzzer_init {
+struct usb_raw_init {
uint64 speed;
const char* driver_name;
const char* device_name;
};
-struct usb_fuzzer_ep_io {
+struct usb_raw_ep_io {
uint16 ep;
uint16 flags;
uint32 length;
char data[0];
};
-#define USB_FUZZER_IOCTL_INIT _IOW('U', 0, struct usb_fuzzer_init)
-#define USB_FUZZER_IOCTL_RUN _IO('U', 1)
-#define USB_FUZZER_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_fuzzer_event)
-#define USB_FUZZER_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_fuzzer_ep_io)
-#define USB_FUZZER_IOCTL_EP0_READ _IOWR('U', 4, struct usb_fuzzer_ep_io)
-#define USB_FUZZER_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
-#define USB_FUZZER_IOCTL_EP_DISABLE _IOW('U', 6, int)
-#define USB_FUZZER_IOCTL_EP_WRITE _IOW('U', 7, struct usb_fuzzer_ep_io)
-#define USB_FUZZER_IOCTL_EP_READ _IOWR('U', 8, struct usb_fuzzer_ep_io)
-#define USB_FUZZER_IOCTL_CONFIGURE _IO('U', 9)
-#define USB_FUZZER_IOCTL_VBUS_DRAW _IOW('U', 10, uint32)
-
-static int usb_fuzzer_open()
+#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
+#define USB_RAW_IOCTL_RUN _IO('U', 1)
+#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
+#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
+#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
+#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
+#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, int)
+#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
+#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
+#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
+#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, uint32)
+
+static int usb_raw_open()
{
- return open("/sys/kernel/debug/usb-fuzzer", O_RDWR);
+ return open("/sys/kernel/debug/usb/raw-gadget", O_RDWR);
}
-static int usb_fuzzer_init(int fd, uint32 speed, const char* driver, const char* device)
+static int usb_raw_init(int fd, uint32 speed, const char* driver, const char* device)
{
- struct usb_fuzzer_init arg;
+ struct usb_raw_init arg;
arg.speed = speed;
arg.driver_name = driver;
arg.device_name = device;
- return ioctl(fd, USB_FUZZER_IOCTL_INIT, &arg);
+ return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}
-static int usb_fuzzer_run(int fd)
+static int usb_raw_run(int fd)
{
- return ioctl(fd, USB_FUZZER_IOCTL_RUN, 0);
+ return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}
-static int usb_fuzzer_event_fetch(int fd, struct usb_fuzzer_event* event)
+static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
- return ioctl(fd, USB_FUZZER_IOCTL_EVENT_FETCH, event);
+ return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}
-static int usb_fuzzer_ep0_write(int fd, struct usb_fuzzer_ep_io* io)
+static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
- return ioctl(fd, USB_FUZZER_IOCTL_EP0_WRITE, io);
+ return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}
-static int usb_fuzzer_ep0_read(int fd, struct usb_fuzzer_ep_io* io)
+static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
- return ioctl(fd, USB_FUZZER_IOCTL_EP0_READ, io);
+ return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}
#if SYZ_EXECUTOR || __NR_syz_usb_ep_write
-static int usb_fuzzer_ep_write(int fd, struct usb_fuzzer_ep_io* io)
+static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
- return ioctl(fd, USB_FUZZER_IOCTL_EP_WRITE, io);
+ return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}
#endif
#if SYZ_EXECUTOR || __NR_syz_usb_ep_read
-static int usb_fuzzer_ep_read(int fd, struct usb_fuzzer_ep_io* io)
+static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
- return ioctl(fd, USB_FUZZER_IOCTL_EP_READ, io);
+ return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}
#endif
-static int usb_fuzzer_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
+static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
- return ioctl(fd, USB_FUZZER_IOCTL_EP_ENABLE, desc);
+ return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}
-static int usb_fuzzer_ep_disable(int fd, int ep)
+static int usb_raw_ep_disable(int fd, int ep)
{
- return ioctl(fd, USB_FUZZER_IOCTL_EP_DISABLE, ep);
+ return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}
-static int usb_fuzzer_configure(int fd)
+static int usb_raw_configure(int fd)
{
- return ioctl(fd, USB_FUZZER_IOCTL_CONFIGURE, 0);
+ return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}
-static int usb_fuzzer_vbus_draw(int fd, uint32 power)
+static int usb_raw_vbus_draw(int fd, uint32 power)
{
- return ioctl(fd, USB_FUZZER_IOCTL_VBUS_DRAW, power);
+ return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}
#define MAX_USB_FDS 6
@@ -246,7 +245,7 @@ static void set_interface(int fd, int n)
if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
- int rv = usb_fuzzer_ep_disable(fd, ep);
+ int rv = usb_raw_ep_disable(fd, ep);
if (rv < 0) {
debug("set_interface: failed to disable endpoint %d\n", ep);
} else {
@@ -256,7 +255,7 @@ static void set_interface(int fd, int n)
}
if (n >= 0 && n < index->ifaces_num) {
for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
- int rv = usb_fuzzer_ep_enable(fd, &index->ifaces[n].eps[ep]);
+ int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep]);
if (rv < 0) {
debug("set_interface: failed to enable endpoint %d\n", ep);
} else {
@@ -274,14 +273,14 @@ static int configure_device(int fd)
if (!index)
return -1;
- int rv = usb_fuzzer_vbus_draw(fd, index->bMaxPower);
+ int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
if (rv < 0) {
- debug("configure_device: usb_fuzzer_vbus_draw failed with %d\n", rv);
+ debug("configure_device: usb_raw_vbus_draw failed with %d\n", rv);
return rv;
}
- rv = usb_fuzzer_configure(fd);
+ rv = usb_raw_configure(fd);
if (rv < 0) {
- debug("configure_device: usb_fuzzer_configure failed with %d\n", rv);
+ debug("configure_device: usb_raw_configure failed with %d\n", rv);
return rv;
}
set_interface(fd, 0);
@@ -290,14 +289,14 @@ static int configure_device(int fd)
#define USB_MAX_PACKET_SIZE 1024
-struct usb_fuzzer_control_event {
- struct usb_fuzzer_event inner;
+struct usb_raw_control_event {
+ struct usb_raw_event inner;
struct usb_ctrlrequest ctrl;
char data[USB_MAX_PACKET_SIZE];
};
-struct usb_fuzzer_ep_io_data {
- struct usb_fuzzer_ep_io inner;
+struct usb_raw_ep_io_data {
+ struct usb_raw_ep_io inner;
char data[USB_MAX_PACKET_SIZE];
};
@@ -420,9 +419,9 @@ static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatil
debug("syz_usb_connect: device data:\n");
debug_dump_data(dev, dev_len);
- int fd = usb_fuzzer_open();
+ int fd = usb_raw_open();
if (fd < 0) {
- debug("syz_usb_connect: usb_fuzzer_open failed with %d\n", fd);
+ debug("syz_usb_connect: usb_raw_open failed with %d\n", fd);
return fd;
}
if (fd >= MAX_FDS) {
@@ -430,7 +429,7 @@ static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatil
debug("syz_usb_connect: too many open fds\n");
return -1;
}
- debug("syz_usb_connect: usb_fuzzer_open success\n");
+ debug("syz_usb_connect: usb_raw_open success\n");
struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
if (!index) {
@@ -443,31 +442,31 @@ static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatil
// triggering interaction between multiple USB devices within the same program.
char device[32];
sprintf(&device[0], "dummy_udc.%llu", procid);
- int rv = usb_fuzzer_init(fd, speed, "dummy_udc", &device[0]);
+ int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
if (rv < 0) {
- debug("syz_usb_connect: usb_fuzzer_init failed with %d\n", rv);
+ debug("syz_usb_connect: usb_raw_init failed with %d\n", rv);
return rv;
}
- debug("syz_usb_connect: usb_fuzzer_init success\n");
+ debug("syz_usb_connect: usb_raw_init success\n");
- rv = usb_fuzzer_run(fd);
+ rv = usb_raw_run(fd);
if (rv < 0) {
- debug("syz_usb_connect: usb_fuzzer_run failed with %d\n", rv);
+ debug("syz_usb_connect: usb_raw_run failed with %d\n", rv);
return rv;
}
- debug("syz_usb_connect: usb_fuzzer_run success\n");
+ debug("syz_usb_connect: usb_raw_run success\n");
bool done = false;
while (!done) {
- struct usb_fuzzer_control_event event;
+ struct usb_raw_control_event event;
event.inner.type = 0;
event.inner.length = sizeof(event.ctrl);
- rv = usb_fuzzer_event_fetch(fd, (struct usb_fuzzer_event*)&event);
+ rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
if (rv < 0) {
- debug("syz_usb_connect: usb_fuzzer_event_fetch failed with %d\n", rv);
+ debug("syz_usb_connect: usb_raw_event_fetch failed with %d\n", rv);
return rv;
}
- if (event.inner.type != USB_FUZZER_EVENT_CONTROL)
+ if (event.inner.type != USB_RAW_EVENT_CONTROL)
continue;
debug("syz_usb_connect: bReqType: 0x%x (%s), bReq: 0x%x, wVal: 0x%x, wIdx: 0x%x, wLen: %d\n",
@@ -501,7 +500,7 @@ static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatil
}
}
- struct usb_fuzzer_ep_io_data response;
+ struct usb_raw_ep_io_data response;
response.inner.ep = 0;
response.inner.flags = 0;
if (response_length > sizeof(response.data))
@@ -516,14 +515,14 @@ static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatil
if (event.ctrl.bRequestType & USB_DIR_IN) {
debug("syz_usb_connect: writing %d bytes\n", response.inner.length);
- rv = usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response);
+ rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
} else {
- rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_ep_io*)&response);
+ rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
debug("syz_usb_connect: read %d bytes\n", response.inner.length);
debug_dump_data(&event.data[0], response.inner.length);
}
if (rv < 0) {
- debug("syz_usb_connect: usb_fuzzer_ep0_read/write failed with %d\n", rv);
+ debug("syz_usb_connect: usb_raw_ep0_read/write failed with %d\n", rv);
return rv;
}
}
@@ -670,15 +669,15 @@ static volatile long syz_usb_control_io(volatile long a0, volatile long a1, vola
struct vusb_descriptors* descs = (struct vusb_descriptors*)a1;
struct vusb_responses* resps = (struct vusb_responses*)a2;
- struct usb_fuzzer_control_event event;
+ struct usb_raw_control_event event;
event.inner.type = 0;
event.inner.length = USB_MAX_PACKET_SIZE;
- int rv = usb_fuzzer_event_fetch(fd, (struct usb_fuzzer_event*)&event);
+ int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
if (rv < 0) {
- debug("syz_usb_control_io: usb_fuzzer_ep0_read failed with %d\n", rv);
+ debug("syz_usb_control_io: usb_raw_ep0_read failed with %d\n", rv);
return rv;
}
- if (event.inner.type != USB_FUZZER_EVENT_CONTROL) {
+ if (event.inner.type != USB_RAW_EVENT_CONTROL) {
debug("syz_usb_control_io: wrong event type: %d\n", (int)event.inner.type);
return -1;
}
@@ -718,7 +717,7 @@ static volatile long syz_usb_control_io(volatile long a0, volatile long a1, vola
response_length = event.ctrl.wLength;
}
- struct usb_fuzzer_ep_io_data response;
+ struct usb_raw_ep_io_data response;
response.inner.ep = 0;
response.inner.flags = 0;
if (response_length > sizeof(response.data))
@@ -738,14 +737,14 @@ static volatile long syz_usb_control_io(volatile long a0, volatile long a1, vola
if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
debug("syz_usb_control_io: writing %d bytes\n", response.inner.length);
debug_dump_data(&response.data[0], response.inner.length);
- rv = usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response);
+ rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
} else {
- rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_ep_io*)&response);
+ rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
debug("syz_usb_control_io: read %d bytes\n", response.inner.length);
debug_dump_data(&response.data[0], response.inner.length);
}
if (rv < 0) {
- debug("syz_usb_control_io: usb_fuzzer_ep0_read/write failed with %d\n", rv);
+ debug("syz_usb_control_io: usb_raw_ep0_read/write failed with %d\n", rv);
return rv;
}
@@ -763,7 +762,7 @@ static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volati
uint32 len = a2;
char* data = (char*)a3;
- struct usb_fuzzer_ep_io_data io_data;
+ struct usb_raw_ep_io_data io_data;
io_data.inner.ep = ep;
io_data.inner.flags = 0;
if (len > sizeof(io_data.data))
@@ -771,9 +770,9 @@ static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volati
io_data.inner.length = len;
NONFAILING(memcpy(&io_data.data[0], data, len));
- int rv = usb_fuzzer_ep_write(fd, (struct usb_fuzzer_ep_io*)&io_data);
+ int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
if (rv < 0) {
- debug("syz_usb_ep_write: usb_fuzzer_ep_write failed with %d\n", rv);
+ debug("syz_usb_ep_write: usb_raw_ep_write failed with %d\n", rv);
return rv;
}
@@ -791,16 +790,16 @@ static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatil
uint32 len = a2;
char* data = (char*)a3;
- struct usb_fuzzer_ep_io_data io_data;
+ struct usb_raw_ep_io_data io_data;
io_data.inner.ep = ep;
io_data.inner.flags = 0;
if (len > sizeof(io_data.data))
len = sizeof(io_data.data);
io_data.inner.length = len;
- int rv = usb_fuzzer_ep_read(fd, (struct usb_fuzzer_ep_io*)&io_data);
+ int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
if (rv < 0) {
- debug("syz_usb_ep_read: usb_fuzzer_ep_read failed with %d\n", rv);
+ debug("syz_usb_ep_read: usb_raw_ep_read failed with %d\n", rv);
return rv;
}
diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index 5e077f156..bd633e0aa 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@@ -1936,112 +1936,111 @@ static bool parse_usb_descriptor(char* buffer, size_t length, struct usb_device_
return true;
}
-enum usb_fuzzer_event_type {
- USB_FUZZER_EVENT_INVALID,
- USB_FUZZER_EVENT_CONNECT,
- USB_FUZZER_EVENT_DISCONNECT,
- USB_FUZZER_EVENT_SUSPEND,
- USB_FUZZER_EVENT_RESUME,
- USB_FUZZER_EVENT_CONTROL,
+enum usb_raw_event_type {
+ USB_RAW_EVENT_INVALID,
+ USB_RAW_EVENT_CONNECT,
+ USB_RAW_EVENT_DISCONNECT,
+ USB_RAW_EVENT_SUSPEND,
+ USB_RAW_EVENT_CONTROL,
};
-struct usb_fuzzer_event {
+struct usb_raw_event {
uint32 type;
uint32 length;
char data[0];
};
-struct usb_fuzzer_init {
+struct usb_raw_init {
uint64 speed;
const char* driver_name;
const char* device_name;
};
-struct usb_fuzzer_ep_io {
+struct usb_raw_ep_io {
uint16 ep;
uint16 flags;
uint32 length;
char data[0];
};
-#define USB_FUZZER_IOCTL_INIT _IOW('U', 0, struct usb_fuzzer_init)
-#define USB_FUZZER_IOCTL_RUN _IO('U', 1)
-#define USB_FUZZER_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_fuzzer_event)
-#define USB_FUZZER_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_fuzzer_ep_io)
-#define USB_FUZZER_IOCTL_EP0_READ _IOWR('U', 4, struct usb_fuzzer_ep_io)
-#define USB_FUZZER_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
-#define USB_FUZZER_IOCTL_EP_DISABLE _IOW('U', 6, int)
-#define USB_FUZZER_IOCTL_EP_WRITE _IOW('U', 7, struct usb_fuzzer_ep_io)
-#define USB_FUZZER_IOCTL_EP_READ _IOWR('U', 8, struct usb_fuzzer_ep_io)
-#define USB_FUZZER_IOCTL_CONFIGURE _IO('U', 9)
-#define USB_FUZZER_IOCTL_VBUS_DRAW _IOW('U', 10, uint32)
+#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
+#define USB_RAW_IOCTL_RUN _IO('U', 1)
+#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
+#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
+#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
+#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
+#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, int)
+#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
+#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
+#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
+#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, uint32)
-static int usb_fuzzer_open()
+static int usb_raw_open()
{
- return open("/sys/kernel/debug/usb-fuzzer", O_RDWR);
+ return open("/sys/kernel/debug/usb/raw-gadget", O_RDWR);
}
-static int usb_fuzzer_init(int fd, uint32 speed, const char* driver, const char* device)
+static int usb_raw_init(int fd, uint32 speed, const char* driver, const char* device)
{
- struct usb_fuzzer_init arg;
+ struct usb_raw_init arg;
arg.speed = speed;
arg.driver_name = driver;
arg.device_name = device;
- return ioctl(fd, USB_FUZZER_IOCTL_INIT, &arg);
+ return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}
-static int usb_fuzzer_run(int fd)
+static int usb_raw_run(int fd)
{
- return ioctl(fd, USB_FUZZER_IOCTL_RUN, 0);
+ return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}
-static int usb_fuzzer_event_fetch(int fd, struct usb_fuzzer_event* event)
+static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
- return ioctl(fd, USB_FUZZER_IOCTL_EVENT_FETCH, event);
+ return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}
-static int usb_fuzzer_ep0_write(int fd, struct usb_fuzzer_ep_io* io)
+static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
- return ioctl(fd, USB_FUZZER_IOCTL_EP0_WRITE, io);
+ return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}
-static int usb_fuzzer_ep0_read(int fd, struct usb_fuzzer_ep_io* io)
+static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
- return ioctl(fd, USB_FUZZER_IOCTL_EP0_READ, io);
+ return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}
#if SYZ_EXECUTOR || __NR_syz_usb_ep_write
-static int usb_fuzzer_ep_write(int fd, struct usb_fuzzer_ep_io* io)
+static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
- return ioctl(fd, USB_FUZZER_IOCTL_EP_WRITE, io);
+ return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}
#endif
#if SYZ_EXECUTOR || __NR_syz_usb_ep_read
-static int usb_fuzzer_ep_read(int fd, struct usb_fuzzer_ep_io* io)
+static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
- return ioctl(fd, USB_FUZZER_IOCTL_EP_READ, io);
+ return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}
#endif
-static int usb_fuzzer_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
+static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
- return ioctl(fd, USB_FUZZER_IOCTL_EP_ENABLE, desc);
+ return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}
-static int usb_fuzzer_ep_disable(int fd, int ep)
+static int usb_raw_ep_disable(int fd, int ep)
{
- return ioctl(fd, USB_FUZZER_IOCTL_EP_DISABLE, ep);
+ return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}
-static int usb_fuzzer_configure(int fd)
+static int usb_raw_configure(int fd)
{
- return ioctl(fd, USB_FUZZER_IOCTL_CONFIGURE, 0);
+ return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}
-static int usb_fuzzer_vbus_draw(int fd, uint32 power)
+static int usb_raw_vbus_draw(int fd, uint32 power)
{
- return ioctl(fd, USB_FUZZER_IOCTL_VBUS_DRAW, power);
+ return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}
#define MAX_USB_FDS 6
@@ -2108,7 +2107,7 @@ static void set_interface(int fd, int n)
if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
for (ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
- int rv = usb_fuzzer_ep_disable(fd, ep);
+ int rv = usb_raw_ep_disable(fd, ep);
if (rv < 0) {
debug("set_interface: failed to disable endpoint %d\n", ep);
} else {
@@ -2118,7 +2117,7 @@ static void set_interface(int fd, int n)
}
if (n >= 0 && n < index->ifaces_num) {
for (ep = 0; ep < index->ifaces[n].eps_num; ep++) {
- int rv = usb_fuzzer_ep_enable(fd, &index->ifaces[n].eps[ep]);
+ int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep]);
if (rv < 0) {
debug("set_interface: failed to enable endpoint %d\n", ep);
} else {
@@ -2136,14 +2135,14 @@ static int configure_device(int fd)
if (!index)
return -1;
- int rv = usb_fuzzer_vbus_draw(fd, index->bMaxPower);
+ int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
if (rv < 0) {
- debug("configure_device: usb_fuzzer_vbus_draw failed with %d\n", rv);
+ debug("configure_device: usb_raw_vbus_draw failed with %d\n", rv);
return rv;
}
- rv = usb_fuzzer_configure(fd);
+ rv = usb_raw_configure(fd);
if (rv < 0) {
- debug("configure_device: usb_fuzzer_configure failed with %d\n", rv);
+ debug("configure_device: usb_raw_configure failed with %d\n", rv);
return rv;
}
set_interface(fd, 0);
@@ -2152,14 +2151,14 @@ static int configure_device(int fd)
#define USB_MAX_PACKET_SIZE 1024
-struct usb_fuzzer_control_event {
- struct usb_fuzzer_event inner;
+struct usb_raw_control_event {
+ struct usb_raw_event inner;
struct usb_ctrlrequest ctrl;
char data[USB_MAX_PACKET_SIZE];
};
-struct usb_fuzzer_ep_io_data {
- struct usb_fuzzer_ep_io inner;
+struct usb_raw_ep_io_data {
+ struct usb_raw_ep_io inner;
char data[USB_MAX_PACKET_SIZE];
};
@@ -2281,9 +2280,9 @@ static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatil
debug("syz_usb_connect: device data:\n");
debug_dump_data(dev, dev_len);
- int fd = usb_fuzzer_open();
+ int fd = usb_raw_open();
if (fd < 0) {
- debug("syz_usb_connect: usb_fuzzer_open failed with %d\n", fd);
+ debug("syz_usb_connect: usb_raw_open failed with %d\n", fd);
return fd;
}
if (fd >= MAX_FDS) {
@@ -2291,7 +2290,7 @@ static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatil
debug("syz_usb_connect: too many open fds\n");
return -1;
}
- debug("syz_usb_connect: usb_fuzzer_open success\n");
+ debug("syz_usb_connect: usb_raw_open success\n");
struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
if (!index) {
@@ -2301,31 +2300,31 @@ static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatil
debug("syz_usb_connect: add_usb_index success\n");
char device[32];
sprintf(&device[0], "dummy_udc.%llu", procid);
- int rv = usb_fuzzer_init(fd, speed, "dummy_udc", &device[0]);
+ int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
if (rv < 0) {
- debug("syz_usb_connect: usb_fuzzer_init failed with %d\n", rv);
+ debug("syz_usb_connect: usb_raw_init failed with %d\n", rv);
return rv;
}
- debug("syz_usb_connect: usb_fuzzer_init success\n");
+ debug("syz_usb_connect: usb_raw_init success\n");
- rv = usb_fuzzer_run(fd);
+ rv = usb_raw_run(fd);
if (rv < 0) {
- debug("syz_usb_connect: usb_fuzzer_run failed with %d\n", rv);
+ debug("syz_usb_connect: usb_raw_run failed with %d\n", rv);
return rv;
}
- debug("syz_usb_connect: usb_fuzzer_run success\n");
+ debug("syz_usb_connect: usb_raw_run success\n");
bool done = false;
while (!done) {
- struct usb_fuzzer_control_event event;
+ struct usb_raw_control_event event;
event.inner.type = 0;
event.inner.length = sizeof(event.ctrl);
- rv = usb_fuzzer_event_fetch(fd, (struct usb_fuzzer_event*)&event);
+ rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
if (rv < 0) {
- debug("syz_usb_connect: usb_fuzzer_event_fetch failed with %d\n", rv);
+ debug("syz_usb_connect: usb_raw_event_fetch failed with %d\n", rv);
return rv;
}
- if (event.inner.type != USB_FUZZER_EVENT_CONTROL)
+ if (event.inner.type != USB_RAW_EVENT_CONTROL)
continue;
debug("syz_usb_connect: bReqType: 0x%x (%s), bReq: 0x%x, wVal: 0x%x, wIdx: 0x%x, wLen: %d\n",
@@ -2359,7 +2358,7 @@ static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatil
}
}
- struct usb_fuzzer_ep_io_data response;
+ struct usb_raw_ep_io_data response;
response.inner.ep = 0;
response.inner.flags = 0;
if (response_length > sizeof(response.data))
@@ -2374,14 +2373,14 @@ static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatil
if (event.ctrl.bRequestType & USB_DIR_IN) {
debug("syz_usb_connect: writing %d bytes\n", response.inner.length);
- rv = usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response);
+ rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
} else {
- rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_ep_io*)&response);
+ rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
debug("syz_usb_connect: read %d bytes\n", response.inner.length);
debug_dump_data(&event.data[0], response.inner.length);
}
if (rv < 0) {
- debug("syz_usb_connect: usb_fuzzer_ep0_read/write failed with %d\n", rv);
+ debug("syz_usb_connect: usb_raw_ep0_read/write failed with %d\n", rv);
return rv;
}
}
@@ -2528,15 +2527,15 @@ static volatile long syz_usb_control_io(volatile long a0, volatile long a1, vola
struct vusb_descriptors* descs = (struct vusb_descriptors*)a1;
struct vusb_responses* resps = (struct vusb_responses*)a2;
- struct usb_fuzzer_control_event event;
+ struct usb_raw_control_event event;
event.inner.type = 0;
event.inner.length = USB_MAX_PACKET_SIZE;
- int rv = usb_fuzzer_event_fetch(fd, (struct usb_fuzzer_event*)&event);
+ int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
if (rv < 0) {
- debug("syz_usb_control_io: usb_fuzzer_ep0_read failed with %d\n", rv);
+ debug("syz_usb_control_io: usb_raw_ep0_read failed with %d\n", rv);
return rv;
}
- if (event.inner.type != USB_FUZZER_EVENT_CONTROL) {
+ if (event.inner.type != USB_RAW_EVENT_CONTROL) {
debug("syz_usb_control_io: wrong event type: %d\n", (int)event.inner.type);
return -1;
}
@@ -2576,7 +2575,7 @@ static volatile long syz_usb_control_io(volatile long a0, volatile long a1, vola
response_length = event.ctrl.wLength;
}
- struct usb_fuzzer_ep_io_data response;
+ struct usb_raw_ep_io_data response;
response.inner.ep = 0;
response.inner.flags = 0;
if (response_length > sizeof(response.data))
@@ -2595,14 +2594,14 @@ static volatile long syz_usb_control_io(volatile long a0, volatile long a1, vola
if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
debug("syz_usb_control_io: writing %d bytes\n", response.inner.length);
debug_dump_data(&response.data[0], response.inner.length);
- rv = usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response);
+ rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
} else {
- rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_ep_io*)&response);
+ rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
debug("syz_usb_control_io: read %d bytes\n", response.inner.length);
debug_dump_data(&response.data[0], response.inner.length);
}
if (rv < 0) {
- debug("syz_usb_control_io: usb_fuzzer_ep0_read/write failed with %d\n", rv);
+ debug("syz_usb_control_io: usb_raw_ep0_read/write failed with %d\n", rv);
return rv;
}
@@ -2620,7 +2619,7 @@ static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volati
uint32 len = a2;
char* data = (char*)a3;
- struct usb_fuzzer_ep_io_data io_data;
+ struct usb_raw_ep_io_data io_data;
io_data.inner.ep = ep;
io_data.inner.flags = 0;
if (len > sizeof(io_data.data))
@@ -2628,9 +2627,9 @@ static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volati
io_data.inner.length = len;
NONFAILING(memcpy(&io_data.data[0], data, len));
- int rv = usb_fuzzer_ep_write(fd, (struct usb_fuzzer_ep_io*)&io_data);
+ int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
if (rv < 0) {
- debug("syz_usb_ep_write: usb_fuzzer_ep_write failed with %d\n", rv);
+ debug("syz_usb_ep_write: usb_raw_ep_write failed with %d\n", rv);
return rv;
}
@@ -2648,16 +2647,16 @@ static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatil
uint32 len = a2;
char* data = (char*)a3;
- struct usb_fuzzer_ep_io_data io_data;
+ struct usb_raw_ep_io_data io_data;
io_data.inner.ep = ep;
io_data.inner.flags = 0;
if (len > sizeof(io_data.data))
len = sizeof(io_data.data);
io_data.inner.length = len;
- int rv = usb_fuzzer_ep_read(fd, (struct usb_fuzzer_ep_io*)&io_data);
+ int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
if (rv < 0) {
- debug("syz_usb_ep_read: usb_fuzzer_ep_read failed with %d\n", rv);
+ debug("syz_usb_ep_read: usb_raw_ep_read failed with %d\n", rv);
return rv;
}
diff --git a/pkg/host/host_linux.go b/pkg/host/host_linux.go
index c908ee411..c071a8cb9 100644
--- a/pkg/host/host_linux.go
+++ b/pkg/host/host_linux.go
@@ -546,7 +546,7 @@ func checkNetworkInjection() string {
}
func checkUSBInjection() string {
- if err := osutil.IsAccessible("/sys/kernel/debug/usb-fuzzer"); err != nil {
+ if err := osutil.IsAccessible("/sys/kernel/debug/usb/raw-gadget"); err != nil {
return err.Error()
}
return ""
diff --git a/tools/syz-usbgen/keyboard.c b/tools/syz-usbgen/keyboard.c
index eed256c52..ad2631d54 100644
--- a/tools/syz-usbgen/keyboard.c
+++ b/tools/syz-usbgen/keyboard.c
@@ -42,49 +42,49 @@ struct hid_descriptor {
/*----------------------------------------------------------------------*/
-enum usb_fuzzer_event_type {
- USB_FUZZER_EVENT_INVALID,
- USB_FUZZER_EVENT_CONNECT,
- USB_FUZZER_EVENT_DISCONNECT,
- USB_FUZZER_EVENT_SUSPEND,
- USB_FUZZER_EVENT_RESUME,
- USB_FUZZER_EVENT_CONTROL,
+enum usb_raw_event_type {
+ USB_RAW_EVENT_INVALID,
+ USB_RAW_EVENT_CONNECT,
+ USB_RAW_EVENT_DISCONNECT,
+ USB_RAW_EVENT_SUSPEND,
+ USB_RAW_EVENT_CONTROL,
};
-struct usb_fuzzer_event {
+struct usb_raw_event {
uint32_t type;
uint32_t length;
char data[0];
};
-struct usb_fuzzer_init {
+struct usb_raw_init {
uint64_t speed;
const char *driver_name;
const char *device_name;
};
-struct usb_fuzzer_ep_io {
+struct usb_raw_ep_io {
uint16_t ep;
uint16_t flags;
uint32_t length;
char data[0];
};
-#define USB_FUZZER_IOCTL_INIT _IOW('U', 0, struct usb_fuzzer_init)
-#define USB_FUZZER_IOCTL_RUN _IO('U', 1)
-#define USB_FUZZER_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_fuzzer_event)
-#define USB_FUZZER_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_fuzzer_ep_io)
-#define USB_FUZZER_IOCTL_EP0_READ _IOWR('U', 4, struct usb_fuzzer_ep_io)
-#define USB_FUZZER_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
-#define USB_FUZZER_IOCTL_EP_WRITE _IOW('U', 7, struct usb_fuzzer_ep_io)
-#define USB_FUZZER_IOCTL_EP_READ _IOWR('U', 8, struct usb_fuzzer_ep_io)
-#define USB_FUZZER_IOCTL_CONFIGURE _IO('U', 9)
-#define USB_FUZZER_IOCTL_VBUS_DRAW _IOW('U', 10, uint32_t)
+#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
+#define USB_RAW_IOCTL_RUN _IO('U', 1)
+#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
+#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
+#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
+#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
+#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, int)
+#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
+#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
+#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
+#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, uint32_t)
/*----------------------------------------------------------------------*/
-int usb_fuzzer_open() {
- int fd = open("/sys/kernel/debug/usb-fuzzer", O_RDWR);
+int usb_raw_open() {
+ int fd = open("/sys/kernel/debug/usb/raw-gadget", O_RDWR);
if (fd < 0) {
perror("open()");
exit(EXIT_FAILURE);
@@ -92,80 +92,80 @@ int usb_fuzzer_open() {
return fd;
}
-void usb_fuzzer_init(int fd, enum usb_device_speed speed) {
- struct usb_fuzzer_init arg;
+void usb_raw_init(int fd, enum usb_device_speed speed) {
+ struct usb_raw_init arg;
arg.speed = speed;
arg.driver_name = "dummy_udc";
arg.device_name = "dummy_udc.0";
- int rv = ioctl(fd, USB_FUZZER_IOCTL_INIT, &arg);
- if (rv != 0) {
- perror("ioctl(USB_FUZZER_IOCTL_INIT)");
+ int rv = ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
+ if (rv < 0) {
+ perror("ioctl(USB_RAW_IOCTL_INIT)");
exit(EXIT_FAILURE);
}
}
-void usb_fuzzer_run(int fd) {
- int rv = ioctl(fd, USB_FUZZER_IOCTL_RUN, 0);
- if (rv != 0) {
- perror("ioctl(USB_FUZZER_IOCTL_RUN)");
+void usb_raw_run(int fd) {
+ int rv = ioctl(fd, USB_RAW_IOCTL_RUN, 0);
+ if (rv < 0) {
+ perror("ioctl(USB_RAW_IOCTL_RUN)");
exit(EXIT_FAILURE);
}
}
-void usb_fuzzer_event_fetch(int fd, struct usb_fuzzer_event *event) {
- int rv = ioctl(fd, USB_FUZZER_IOCTL_EVENT_FETCH, event);
- if (rv != 0) {
- perror("ioctl(USB_FUZZER_IOCTL_EVENT_FETCH)");
+void USB_RAW_EVENT_fetch(int fd, struct usb_raw_event *event) {
+ int rv = ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
+ if (rv < 0) {
+ perror("ioctl(USB_RAW_IOCTL_EVENT_FETCH)");
exit(EXIT_FAILURE);
}
}
-void usb_fuzzer_ep0_read(int fd, struct usb_fuzzer_ep_io *io) {
- int rv = ioctl(fd, USB_FUZZER_IOCTL_EP0_READ, io);
- if (rv != 0) {
- perror("ioctl(USB_FUZZER_IOCTL_EP0_READ)");
+void usb_raw_ep0_read(int fd, struct usb_raw_ep_io *io) {
+ int rv = ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
+ if (rv < 0) {
+ perror("ioctl(USB_RAW_IOCTL_EP0_READ)");
exit(EXIT_FAILURE);
}
}
-void usb_fuzzer_ep0_write(int fd, struct usb_fuzzer_ep_io *io) {
- int rv = ioctl(fd, USB_FUZZER_IOCTL_EP0_WRITE, io);
- if (rv != 0) {
- perror("ioctl(USB_FUZZER_IOCTL_EP0_WRITE)");
+void usb_raw_ep0_write(int fd, struct usb_raw_ep_io *io) {
+ int rv = ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
+ if (rv < 0) {
+ perror("ioctl(USB_RAW_IOCTL_EP0_WRITE)");
exit(EXIT_FAILURE);
}
}
-int usb_fuzzer_ep_enable(int fd, struct usb_endpoint_descriptor *desc) {
- int rv = ioctl(fd, USB_FUZZER_IOCTL_EP_ENABLE, desc);
+int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor *desc) {
+ int rv = ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
if (rv < 0) {
- perror("ioctl(USB_FUZZER_IOCTL_EP_ENABLE)");
+ perror("ioctl(USB_RAW_IOCTL_EP_ENABLE)");
exit(EXIT_FAILURE);
}
return rv;
}
-int usb_fuzzer_ep_write(int fd, struct usb_fuzzer_ep_io *io) {
- int rv = ioctl(fd, USB_FUZZER_IOCTL_EP_WRITE, io);
+int usb_raw_ep_write(int fd, struct usb_raw_ep_io *io) {
+ int rv = ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
if (rv < 0) {
- perror("ioctl(USB_FUZZER_IOCTL_EP_WRITE)");
+ perror("ioctl(USB_RAW_IOCTL_EP_WRITE)");
exit(EXIT_FAILURE);
}
return rv;
}
-void usb_fuzzer_configure(int fd) {
- int rv = ioctl(fd, USB_FUZZER_IOCTL_CONFIGURE, 0);
+void usb_raw_configure(int fd) {
+ int rv = ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
if (rv < 0) {
- perror("ioctl(USB_FUZZER_IOCTL_CONFIGURED)");
+ perror("ioctl(USB_RAW_IOCTL_CONFIGURED)");
exit(EXIT_FAILURE);
}
}
-void usb_fuzzer_vbus_draw(int fd, uint32_t power) {
- int rv = ioctl(fd, USB_FUZZER_IOCTL_VBUS_DRAW, power);
+void usb_raw_vbus_draw(int fd, uint32_t power) {
+ int rv = ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
if (rv < 0) {
- perror("ioctl(USB_FUZZER_IOCTL_VBUS_DRAW)");
+ perror("ioctl(USB_RAW_IOCTL_VBUS_DRAW)");
exit(EXIT_FAILURE);
}
}
@@ -483,21 +483,18 @@ void log_control_request(struct usb_ctrlrequest *ctrl) {
}
}
-void log_event(struct usb_fuzzer_event *event) {
+void log_event(struct usb_raw_event *event) {
switch (event->type) {
- case USB_FUZZER_EVENT_CONNECT:
+ case USB_RAW_EVENT_CONNECT:
printf("event: connect, length: %u\n", event->length);
break;
- case USB_FUZZER_EVENT_DISCONNECT:
+ case USB_RAW_EVENT_DISCONNECT:
printf("event: disconnect, length: %u\n", event->length);
break;
- case USB_FUZZER_EVENT_SUSPEND:
+ case USB_RAW_EVENT_SUSPEND:
printf("event: suspend, length: %u\n", event->length);
break;
- case USB_FUZZER_EVENT_RESUME:
- printf("event: resume, length: %u\n", event->length);
- break;
- case USB_FUZZER_EVENT_CONTROL:
+ case USB_RAW_EVENT_CONTROL:
printf("event: control, length: %u\n", event->length);
log_control_request((struct usb_ctrlrequest *)&event->data[0]);
break;
@@ -508,18 +505,18 @@ void log_event(struct usb_fuzzer_event *event) {
/*----------------------------------------------------------------------*/
-struct usb_fuzzer_control_event {
- struct usb_fuzzer_event inner;
+struct usb_raw_control_event {
+ struct usb_raw_event inner;
struct usb_ctrlrequest ctrl;
};
-struct usb_fuzzer_control_io {
- struct usb_fuzzer_ep_io inner;
+struct usb_raw_control_io {
+ struct usb_raw_ep_io inner;
char data[MAX_PACKET_SIZE];
};
-struct usb_fuzzer_keyboard_io {
- struct usb_fuzzer_ep_io inner;
+struct usb_raw_keyboard_io {
+ struct usb_raw_ep_io inner;
char data[8];
};
@@ -529,18 +526,18 @@ int keyboard_connect(int fd) {
bool done = false;
while (!done) {
- struct usb_fuzzer_control_event event;
+ struct usb_raw_control_event event;
event.inner.type = 0;
event.inner.length = sizeof(event.ctrl);
- struct usb_fuzzer_control_io response;
+ struct usb_raw_control_io response;
response.inner.ep = 0;
response.inner.flags = 0;
response.inner.length = 0;
- usb_fuzzer_event_fetch(fd, (struct usb_fuzzer_event *)&event);
- log_event((struct usb_fuzzer_event *)&event);
- if (event.inner.type != USB_FUZZER_EVENT_CONTROL)
+ USB_RAW_EVENT_fetch(fd, (struct usb_raw_event *)&event);
+ log_event((struct usb_raw_event *)&event);
+ if (event.inner.type != USB_RAW_EVENT_CONTROL)
continue;
switch (event.ctrl.bRequestType & USB_TYPE_MASK) {
@@ -582,9 +579,9 @@ int keyboard_connect(int fd) {
}
break;
case USB_REQ_SET_CONFIGURATION:
- ep = usb_fuzzer_ep_enable(fd, &usb_endpoint);
- usb_fuzzer_vbus_draw(fd, usb_config.bMaxPower);
- usb_fuzzer_configure(fd);
+ ep = usb_raw_ep_enable(fd, &usb_endpoint);
+ usb_raw_vbus_draw(fd, usb_config.bMaxPower);
+ usb_raw_configure(fd);
response.inner.length = 0;
goto reply;
case USB_REQ_GET_INTERFACE:
@@ -623,9 +620,9 @@ reply:
if (event.ctrl.wLength < response.inner.length)
response.inner.length = event.ctrl.wLength;
if (event.ctrl.bRequestType & USB_DIR_IN)
- usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io *)&response);
+ usb_raw_ep0_write(fd, (struct usb_raw_ep_io *)&response);
else
- usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_ep_io *)&response);
+ usb_raw_ep0_read(fd, (struct usb_raw_ep_io *)&response);
}
printf("endpoint: #%d\n", ep);
@@ -633,18 +630,18 @@ reply:
}
void keyboard_loop(int fd, int ep) {
- struct usb_fuzzer_keyboard_io io;
+ struct usb_raw_keyboard_io io;
io.inner.ep = ep;
io.inner.flags = 0;
io.inner.length = 8;
while (true) {
memcpy(&io.inner.data[0], "\x00\x00\x1b\x00\x00\x00\x00\x00", 8);
- int rv = usb_fuzzer_ep_write(fd, (struct usb_fuzzer_ep_io *)&io);
+ int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io *)&io);
printf("key down: %d\n", rv);
memcpy(&io.inner.data[0], "\x00\x00\x00\x00\x00\x00\x00\x00", 8);
- rv = usb_fuzzer_ep_write(fd, (struct usb_fuzzer_ep_io *)&io);
+ rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io *)&io);
printf("key up: %d\n", rv);
sleep(1);
@@ -652,9 +649,9 @@ void keyboard_loop(int fd, int ep) {
}
int main(int argc, char **argv) {
- int fd = usb_fuzzer_open();
- usb_fuzzer_init(fd, USB_SPEED_HIGH);
- usb_fuzzer_run(fd);
+ int fd = usb_raw_open();
+ usb_raw_init(fd, USB_SPEED_HIGH);
+ usb_raw_run(fd);
int ep = keyboard_connect(fd);
generated by ggit (джигит) mrf-deployment (git 2.46.0) at 2026-03-11 20:25:36 +0000