diff options
Diffstat (limited to 'executor')
| -rw-r--r-- | executor/common_usb.h | 55 | ||||
| -rw-r--r-- | executor/defs.h | 10 |
2 files changed, 54 insertions, 11 deletions
diff --git a/executor/common_usb.h b/executor/common_usb.h index fbb4e2128..11e92565c 100644 --- a/executor/common_usb.h +++ b/executor/common_usb.h @@ -5,6 +5,8 @@ // Implementation of syz_usb_* pseudo-syscalls. +#define USB_DEBUG 0 + #define USB_MAX_EP_NUM 32 struct usb_device_index { @@ -305,13 +307,13 @@ static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatil if (event.ctrl.bRequestType & USB_DIR_IN) { NONFAILING(response_found = lookup_connect_response(descs, &index, &event.ctrl, &response_data, &response_length)); if (!response_found) { - debug("syz_usb_connect: unknown IN request\n"); + debug("syz_usb_connect: unknown control IN request\n"); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) != USB_TYPE_STANDARD || event.ctrl.bRequest != USB_REQ_SET_CONFIGURATION) { - fail("syz_usb_connect: unknown OUT request"); + fail("syz_usb_connect: unknown control OUT request"); return -1; } done = true; @@ -397,8 +399,8 @@ struct vusb_responses { struct vusb_response* resps[0]; } __attribute__((packed)); -static bool lookup_control_io_response(struct vusb_descriptors* descs, struct vusb_responses* resps, - struct usb_ctrlrequest* ctrl, char** response_data, uint32* response_length) +static bool lookup_control_response(struct vusb_descriptors* descs, struct vusb_responses* resps, + struct usb_ctrlrequest* ctrl, char** response_data, uint32* response_length) { int descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); int resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); @@ -456,6 +458,44 @@ static bool lookup_control_io_response(struct vusb_descriptors* descs, struct vu return false; } +#if USB_DEBUG +#include <linux/hid.h> +#include <linux/usb/cdc.h> +#include <linux/usb/ch11.h> +#include <linux/usb/ch9.h> + +static void analyze_control_request(struct usb_ctrlrequest* ctrl) +{ + switch (ctrl->bRequestType & USB_TYPE_MASK) { + case USB_TYPE_STANDARD: + switch (ctrl->bRequest) { + case USB_REQ_GET_DESCRIPTOR: + switch (ctrl->wValue >> 8) { + case USB_DT_DEVICE: + case USB_DT_CONFIG: + case USB_DT_STRING: + case HID_DT_REPORT: + case USB_DT_BOS: + case USB_DT_HUB: + case USB_DT_SS_HUB: + return; + } + } + break; + case USB_TYPE_CLASS: + switch (ctrl->bRequest) { + case USB_REQ_GET_INTERFACE: + case USB_REQ_GET_CONFIGURATION: + case USB_REQ_GET_STATUS: + case USB_CDC_GET_NTB_PARAMETERS: + return; + } + } + fail("analyze_control_request: unknown control request (0x%x, 0x%x, 0x%x)", + ctrl->bRequestType, ctrl->bRequest, ctrl->wValue); +} +#endif + static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; @@ -484,9 +524,12 @@ static volatile long syz_usb_control_io(volatile long a0, volatile long a1, vola uint32 response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { - NONFAILING(response_found = lookup_control_io_response(descs, resps, &event.ctrl, &response_data, &response_length)); + NONFAILING(response_found = lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)); if (!response_found) { - debug("syz_usb_control_io: no response found\n"); +#if USB_DEBUG + analyze_control_request(&event.ctrl); +#endif + debug("syz_usb_control_io: unknown control IN request\n"); return -1; } } else { diff --git a/executor/defs.h b/executor/defs.h index 8aa9355a3..9be26a25e 100644 --- a/executor/defs.h +++ b/executor/defs.h @@ -70,7 +70,7 @@ #if GOARCH_386 #define GOARCH "386" -#define SYZ_REVISION "e6852411760a2a78058472eaf4813af2801ed202" +#define SYZ_REVISION "ccc2cdeb1bb485261e99acfaa2cdf88c89136043" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -80,7 +80,7 @@ #if GOARCH_amd64 #define GOARCH "amd64" -#define SYZ_REVISION "dcbebec84b823ea25f3b394a09856311b9dd1ca0" +#define SYZ_REVISION "3ad0caf28b47f3c27a8f69b938b8f93073f6611c" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -90,7 +90,7 @@ #if GOARCH_arm #define GOARCH "arm" -#define SYZ_REVISION "e1dc4882544d6442aef7732b455d7285ae1eb641" +#define SYZ_REVISION "0aea57e00bdd385a6598b158d35ac8f03cb3915b" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -100,7 +100,7 @@ #if GOARCH_arm64 #define GOARCH "arm64" -#define SYZ_REVISION "d2380e739438289715ad5793155eba1a5ec89c5b" +#define SYZ_REVISION "8cd19665e25b860288db2dbdc6ecd8638c78592b" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -110,7 +110,7 @@ #if GOARCH_ppc64le #define GOARCH "ppc64le" -#define SYZ_REVISION "3c6f9896b7cb868b391014be969a0359572922f5" +#define SYZ_REVISION "5e7246d3cadcc34a6acaa0542495c1056a555bef" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 |