Diffstat (limited to 'executor')
| -rw-r--r-- | executor/common.h | 5 | ||||
| -rw-r--r-- | executor/common_linux.h | 7 | ||||
| -rw-r--r-- | executor/common_usb.h | 132 | ||||
| -rw-r--r-- | executor/defs.h | 12 | ||||
| -rw-r--r-- | executor/executor.cc | 4 | ||||
| -rw-r--r-- | executor/syscalls.h | 18 |
6 files changed, 139 insertions, 39 deletions
diff --git a/executor/common.h b/executor/common.h
index c79221de2..8591110be 100644
--- a/executor/common.h
+++ b/executor/common.h
@@ -41,7 +41,8 @@ NORETURN void doexit(int status)
 #if SYZ_EXECUTOR || SYZ_MULTI_PROC || SYZ_REPEAT && SYZ_CGROUPS || \
     SYZ_NET_DEVICES || __NR_syz_mount_image || __NR_syz_read_part_table || \
-    __NR_syz_usb_connect || (GOOS_freebsd || GOOS_openbsd || GOOS_netbsd) && SYZ_NET_INJECTION
+    __NR_syz_usb_connect || __NR_syz_usb_connect_ath9k || \
+    (GOOS_freebsd || GOOS_openbsd || GOOS_netbsd) && SYZ_NET_INJECTION
 static unsigned long long procid;
 #endif
@@ -138,7 +139,7 @@ static void kill_and_wait(int pid, int* status)
 #if !GOOS_windows
 #if SYZ_EXECUTOR || SYZ_THREADED || SYZ_REPEAT && SYZ_EXECUTOR_USES_FORK_SERVER || \
-    __NR_syz_usb_connect
+    __NR_syz_usb_connect || __NR_syz_usb_connect_ath9k
 static void sleep_ms(uint64 ms)
 {
 	usleep(ms * 1000);
diff --git a/executor/common_linux.h b/executor/common_linux.h
index ef071e9be..b62878f3c 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -72,7 +72,8 @@ static int event_timedwait(event_t* ev, uint64 timeout)
 #if SYZ_EXECUTOR || SYZ_REPEAT || SYZ_NET_INJECTION || SYZ_FAULT || SYZ_SANDBOX_NONE || \
     SYZ_SANDBOX_SETUID || SYZ_SANDBOX_NAMESPACE || SYZ_SANDBOX_ANDROID || \
-    SYZ_FAULT || SYZ_LEAK || SYZ_BINFMT_MISC || (__NR_syz_usb_connect && USB_DEBUG)
+    SYZ_FAULT || SYZ_LEAK || SYZ_BINFMT_MISC || \
+    ((__NR_syz_usb_connect || __NR_syz_usb_connect_ath9k) && USB_DEBUG)
 #include <errno.h>
 #include <fcntl.h>
 #include <stdarg.h>
@@ -1443,11 +1444,11 @@ static long syz_extract_tcp_res(volatile long a0, volatile long a1, volatile lon
 }
 #endif
-#if SYZ_EXECUTOR || SYZ_CLOSE_FDS || __NR_syz_usb_connect
+#if SYZ_EXECUTOR || SYZ_CLOSE_FDS || __NR_syz_usb_connect || __NR_syz_usb_connect_ath9k
 #define MAX_FDS 30
 #endif
-#if SYZ_EXECUTOR || __NR_syz_usb_connect
+#if SYZ_EXECUTOR || __NR_syz_usb_connect || __NR_syz_usb_connect_ath9k
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/usb/ch9.h>
diff --git a/executor/common_usb.h b/executor/common_usb.h
index 34e3e3166..29196c2d0 100644
--- a/executor/common_usb.h
+++ b/executor/common_usb.h
@@ -28,7 +28,7 @@ struct usb_device_index {
 	int iface_cur;
 };
-static bool parse_usb_descriptor(char* buffer, size_t length, struct usb_device_index* index)
+static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
 {
 	if (length < sizeof(*index->dev) + sizeof(*index->config))
 		return false;
@@ -193,7 +193,7 @@ struct usb_info {
 static struct usb_info usb_devices[MAX_USB_FDS];
 static int usb_devices_num;
-static struct usb_device_index* add_usb_index(int fd, char* dev, size_t dev_len)
+static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
 {
 	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
 	if (i >= MAX_USB_FDS)
@@ -708,7 +708,7 @@ static void analyze_control_request(int fd, struct usb_ctrlrequest* ctrl)
 #endif // USB_DEBUG
-#define USB_MAX_PACKET_SIZE 1024
+#define USB_MAX_PACKET_SIZE 4096
 struct usb_raw_control_event {
 	struct usb_raw_event inner;
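Review bot: The last hunk raises USB_MAX_PACKET_SIZE from 1024 to 4096 with no comment, and since the constant sizes the ep0/endpoint buffers declared elsewhere in the file (those declarations are outside the hunk), a reader cannot tell whether 4096 is a requirement of the new ath9k variant or arbitrary headroom. Presumably it is the former, matching the chunk size the ath9k firmware download pushes through the control endpoint; if so, record it at the define: `// 4 KiB: large enough for the ath9k firmware-download chunks sent via ATH9K_FIRMWARE_DOWNLOAD.` Any `char data[USB_MAX_PACKET_SIZE]` declared on the stack grows fourfold with this change, which is worth checking if the executor is built with a frame-size warning.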
@@ -745,8 +745,8 @@ static const char default_lang_id[] = {
 	0x09, 0x04 // English (United States)
 };
-static bool lookup_connect_response(int fd, struct vusb_connect_descriptors* descs, struct usb_ctrlrequest* ctrl,
-				    char** response_data, uint32* response_length)
+static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl,
+				       char** response_data, uint32* response_length)
 {
 	struct usb_device_index* index = lookup_usb_index(fd);
 	uint8 str_idx;
@@ -807,30 +807,85 @@ static bool lookup_connect_response(int fd, struct vusb_connect_descriptors* des
 			*response_length = descs->qual_len;
 			return true;
 		default:
-			fail("lookup_connect_response: no response");
-			return false;
+			break;
 		}
 		break;
 	default:
-		fail("lookup_connect_response: no response");
-		return false;
+		break;
 	}
 	break;
 default:
-	fail("lookup_connect_response: no response");
-	return false;
+	break;
 }
+	fail("lookup_connect_response_in: unknown request");
 	return false;
 }
-static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
+#if SYZ_EXECUTOR || __NR_syz_usb_connect
+static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs,
+						const struct usb_ctrlrequest* ctrl, bool* done)
 {
-	uint64 speed = a0;
-	uint64 dev_len = a1;
-	char* dev = (char*)a2;
-	struct vusb_connect_descriptors* descs = (struct vusb_connect_descriptors*)a3;
+	switch (ctrl->bRequestType & USB_TYPE_MASK) {
+	case USB_TYPE_STANDARD:
+		switch (ctrl->bRequest) {
+		case USB_REQ_SET_CONFIGURATION:
+			*done = true;
+			return true;
+		default:
+			break;
+		}
+		break;
+	}
+
+	fail("lookup_connect_response_out: unknown request");
+	return false;
+}
+#endif
+
+#if SYZ_EXECUTOR || __NR_syz_usb_connect_ath9k
+
+// drivers/net/wireless/ath/ath9k/hif_usb.h
+#define ATH9K_FIRMWARE_DOWNLOAD 0x30
+#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31
+
+static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs,
+					      const struct usb_ctrlrequest* ctrl, bool* done)
+{
+	switch (ctrl->bRequestType & USB_TYPE_MASK) {
+	case USB_TYPE_STANDARD:
+		switch (ctrl->bRequest) {
+		case USB_REQ_SET_CONFIGURATION:
+			return true;
+		default:
+			break;
+		}
+		break;
+	case USB_TYPE_VENDOR:
+		switch (ctrl->bRequest) {
+		case ATH9K_FIRMWARE_DOWNLOAD:
+			return true;
+		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
+			*done = true;
+			return true;
+		default:
+			break;
+		}
+		break;
+	}
+
+	fail("lookup_connect_response_out_ath9k: unknown request");
+	return false;
+}
+#endif
+
+typedef bool (*lookup_connect_response_t)(int fd, const struct vusb_connect_descriptors* descs,
+					  const struct usb_ctrlrequest* ctrl, bool* done);
+
+static volatile long syz_usb_connect_impl(uint64 speed, uint64 dev_len, const char* dev,
+					  const struct vusb_connect_descriptors* descs, lookup_connect_response_t lookup_connect_response_out)
+{
 	debug("syz_usb_connect: dev: %p\n", dev);
 	if (!dev) {
 		debug("syz_usb_connect: dev is null\n");
@@ -902,26 +957,27 @@ static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatil
 	analyze_control_request(fd, &event.ctrl);
 #endif
-		bool response_found = false;
 		char* response_data = NULL;
 		uint32 response_length = 0;
 		if (event.ctrl.bRequestType & USB_DIR_IN) {
-			NONFAILING(response_found = lookup_connect_response(fd, descs, &event.ctrl, &response_data, &response_length));
+			bool response_found = false;
+			NONFAILING(response_found = lookup_connect_response_in(fd, descs, &event.ctrl, &response_data, &response_length));
 			if (!response_found) {
 				debug("syz_usb_connect: unknown control IN request\n");
 				return -1;
 			}
 		} else {
-			if ((event.ctrl.bRequestType & USB_TYPE_MASK) != USB_TYPE_STANDARD ||
-			    event.ctrl.bRequest != USB_REQ_SET_CONFIGURATION) {
-				fail("syz_usb_connect: unknown control OUT request");
+			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
+				debug("syz_usb_connect: unknown control OUT request\n");
 				return -1;
 			}
-			done = true;
+			response_data = NULL;
+			response_length = event.ctrl.wLength;
 		}
-		if (done) {
+		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
+		    event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
 			rv = configure_device(fd);
 			if (rv < 0) {
 				debug("syz_usb_connect: configure_device failed with %d\n", rv);
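Review bot: In lookup_connect_response_out_generic and lookup_connect_response_out_ath9k the `return false` after `fail(...)` is unreachable if fail() is fatal, which the `fail(...); return false;` pairs removed earlier in the same hunk already imply; so an OUT request the table does not list (SET_INTERFACE, a class request from whichever driver binds to the fuzzed descriptors, a vendor request other than 0x30/0x31) aborts the whole executor instead of failing this one call. The caller in syz_usb_connect_impl is written as if the lookups could decline (`if (!lookup_connect_response_out(...)) { debug(...); return -1; }`), so the lookups should actually decline: `debug("lookup_connect_response_out_ath9k: unknown request\n"); return false;` and likewise in the generic variant. Both lookup bodies are complete within the hunk; syz_usb_connect_impl continues outside it.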
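Review bot: In the OUT branch of syz_usb_connect_impl the new `response_data = NULL;` is redundant — response_data is declared `= NULL` a few lines above in the same hunk and nothing in the branch assigns it — so the only effective new line is `response_length = event.ctrl.wLength;`, a length chosen by the kernel under test (up to 65535). The read of the OUT data stage into the response buffer happens below the hunk; unless that code clamps against the buffer size, bound it here, e.g. `if (response_length > USB_MAX_PACKET_SIZE) response_length = USB_MAX_PACKET_SIZE;`. The new SET_CONFIGURATION condition also deserves a line explaining why it replaced `if (done)`: `// Configure on SET_CONFIGURATION even when done is still false: ath9k only finishes at FIRMWARE_DOWNLOAD_COMP.` The enclosing event loop starts and ends outside the hunk.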
@@ -963,6 +1019,30 @@ static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatil
 	return fd;
 }
+#if SYZ_EXECUTOR || __NR_syz_usb_connect
+static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
+{
+	uint64 speed = a0;
+	uint64 dev_len = a1;
+	const char* dev = (const char*)a2;
+	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
+
+	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
+}
+#endif
+
+#if SYZ_EXECUTOR || __NR_syz_usb_connect_ath9k
+static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
+{
+	uint64 speed = a0;
+	uint64 dev_len = a1;
+	const char* dev = (const char*)a2;
+	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
+
+	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
+}
+#endif
+
 #if SYZ_EXECUTOR || __NR_syz_usb_control_io
 struct vusb_descriptor {
 	uint8 req_type;
@@ -990,7 +1070,7 @@ struct vusb_responses {
 	struct vusb_response* resps[0];
 } __attribute__((packed));
-static bool lookup_control_response(struct vusb_descriptors* descs, struct vusb_responses* resps,
+static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps,
 				    struct usb_ctrlrequest* ctrl, char** response_data, uint32* response_length)
 {
 	int descs_num = 0;
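Review bot: syz_usb_connect_ath9k in the first hunk carries no comment saying how it differs from syz_usb_connect, and the difference is invisible in the wrapper itself — it lives entirely in the lookup it passes. Suggested header above it: `// Like syz_usb_connect, but also answers the ath9k vendor OUT requests (FIRMWARE_DOWNLOAD / FIRMWARE_DOWNLOAD_COMP) and treats FIRMWARE_DOWNLOAD_COMP, not SET_CONFIGURATION, as the end of enumeration.` The two wrappers also repeat the same four-line argument unpacking; each could simply be `return syz_usb_connect_impl(a0, a1, (const char*)a2, (const struct vusb_connect_descriptors*)a3, &lookup_connect_response_out_ath9k);`. Both wrappers are complete within the hunk.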
@@ -1057,8 +1137,8 @@ static bool lookup_control_response(struct vusb_descriptors* descs, struct vusb_ static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; - struct vusb_descriptors* descs = (struct vusb_descriptors*)a1; - struct vusb_responses* resps = (struct vusb_responses*)a2; + const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; + const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; diff --git a/executor/defs.h b/executor/defs.h index c9130082b..4e322f80b 100644 --- a/executor/defs.h +++ b/executor/defs.h @@ -70,7 +70,7 @@ #if GOARCH_386 #define GOARCH "386" -#define SYZ_REVISION "f832cd200c5a04cc287d5ecfec6c0809d67776db" +#define SYZ_REVISION "33b5499ae4ba720a5aadcf47c08c27e96fb67832" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -80,7 +80,7 @@ #if GOARCH_amd64 #define GOARCH "amd64" -#define SYZ_REVISION "4b5ed0df871de3789a571c0c09b19ad73dda3540" +#define SYZ_REVISION "57e792b4f9c2dfd15302bc6d8af296a1ad069360" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -90,7 +90,7 @@ #if GOARCH_arm #define GOARCH "arm" -#define SYZ_REVISION "96efdcf2ba11790232e945e0efe0fd6a7e977178" +#define SYZ_REVISION "73ab90b4fe32667fb8aeeede21c4e40d90f162f3" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -100,7 +100,7 @@ #if GOARCH_arm64 #define GOARCH "arm64" -#define SYZ_REVISION "455cfc4efb593ddd12e1cb1ff4d0626f6e0b65fd" +#define SYZ_REVISION "89f29368f6fde3dc0f3b6681a6a51a0e2329992c" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 
@@ -110,7 +110,7 @@ #if GOARCH_mips64le #define GOARCH "mips64le" -#define SYZ_REVISION "c1a069918945be53adbfb55852393e3447fb5af6" +#define SYZ_REVISION "8587350b245052b7ccf5ed9a0302a1a9cb79afc8" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -120,7 +120,7 @@ #if GOARCH_ppc64le #define GOARCH "ppc64le" -#define SYZ_REVISION "fb00bb615ecad858bb96e38ab5f8cbade9fdacea" +#define SYZ_REVISION "88f13870a768fc9d901f0b86e93664821fa28696" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 diff --git a/executor/executor.cc b/executor/executor.cc index 768081ad6..2b4fc505d 100644 --- a/executor/executor.cc +++ b/executor/executor.cc @@ -692,8 +692,8 @@ retry: if (strncmp(syscalls[call_num].name, "syz_usb", strlen("syz_usb")) == 0) prog_extra_cover_timeout = 500; if (strncmp(syscalls[call_num].name, "syz_usb_connect", strlen("syz_usb_connect")) == 0) { - prog_extra_timeout = 2000; - call_extra_timeout = 2000; + prog_extra_timeout = 3000; + call_extra_timeout = 3000; } if (strncmp(syscalls[call_num].name, "syz_usb_control_io", strlen("syz_usb_control_io")) == 0) call_extra_timeout = 300; diff --git a/executor/syscalls.h b/executor/syscalls.h index 410c1d816..6e4da44bb 100644 --- a/executor/syscalls.h +++ b/executor/syscalls.h @@ -5141,6 +5141,7 @@ const call_t syscalls[] = { {"syz_usb_connect$hid", 0, (syscall_t)syz_usb_connect}, {"syz_usb_connect$printer", 0, (syscall_t)syz_usb_connect}, {"syz_usb_connect$uac1", 0, (syscall_t)syz_usb_connect}, + {"syz_usb_connect_ath9k", 0, (syscall_t)syz_usb_connect_ath9k}, {"syz_usb_control_io", 0, (syscall_t)syz_usb_control_io}, {"syz_usb_control_io$cdc_ecm", 0, (syscall_t)syz_usb_control_io}, {"syz_usb_control_io$cdc_ncm", 0, (syscall_t)syz_usb_control_io}, 
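Review bot: The executor.cc hunk raises prog_extra_timeout and call_extra_timeout from 2000 to 3000 ms without saying why; because the test is a `strncmp` prefix match on "syz_usb_connect", the budget now also applies to syz_usb_connect_ath9k, and the extra second is presumably for the firmware-download handshake that variant adds before enumeration completes. A comment at the assignment would keep the next person from lowering it again: `// Covers syz_usb_connect_ath9k too, whose firmware download makes enumeration slower.` The if-chain these lines belong to continues outside the hunk.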
@@ -5150,6 +5151,8 @@ const call_t syscalls[] = { {"syz_usb_disconnect", 0, (syscall_t)syz_usb_disconnect}, {"syz_usb_ep_read", 0, (syscall_t)syz_usb_ep_read}, {"syz_usb_ep_write", 0, (syscall_t)syz_usb_ep_write}, + {"syz_usb_ep_write$ath9k_ep1", 0, (syscall_t)syz_usb_ep_write}, + {"syz_usb_ep_write$ath9k_ep2", 0, (syscall_t)syz_usb_ep_write}, {"tee", 315}, {"tgkill", 270}, {"time", 13}, @@ -8492,6 +8495,7 @@ const call_t syscalls[] = { {"syz_usb_connect$hid", 0, (syscall_t)syz_usb_connect}, {"syz_usb_connect$printer", 0, (syscall_t)syz_usb_connect}, {"syz_usb_connect$uac1", 0, (syscall_t)syz_usb_connect}, + {"syz_usb_connect_ath9k", 0, (syscall_t)syz_usb_connect_ath9k}, {"syz_usb_control_io", 0, (syscall_t)syz_usb_control_io}, {"syz_usb_control_io$cdc_ecm", 0, (syscall_t)syz_usb_control_io}, {"syz_usb_control_io$cdc_ncm", 0, (syscall_t)syz_usb_control_io}, @@ -8501,6 +8505,8 @@ const call_t syscalls[] = { {"syz_usb_disconnect", 0, (syscall_t)syz_usb_disconnect}, {"syz_usb_ep_read", 0, (syscall_t)syz_usb_ep_read}, {"syz_usb_ep_write", 0, (syscall_t)syz_usb_ep_write}, + {"syz_usb_ep_write$ath9k_ep1", 0, (syscall_t)syz_usb_ep_write}, + {"syz_usb_ep_write$ath9k_ep2", 0, (syscall_t)syz_usb_ep_write}, {"tee", 276}, {"tgkill", 234}, {"time", 201}, @@ -11795,6 +11801,7 @@ const call_t syscalls[] = { {"syz_usb_connect$hid", 0, (syscall_t)syz_usb_connect}, {"syz_usb_connect$printer", 0, (syscall_t)syz_usb_connect}, {"syz_usb_connect$uac1", 0, (syscall_t)syz_usb_connect}, + {"syz_usb_connect_ath9k", 0, (syscall_t)syz_usb_connect_ath9k}, {"syz_usb_control_io", 0, (syscall_t)syz_usb_control_io}, {"syz_usb_control_io$cdc_ecm", 0, (syscall_t)syz_usb_control_io}, {"syz_usb_control_io$cdc_ncm", 0, (syscall_t)syz_usb_control_io}, 
@@ -11804,6 +11811,8 @@ const call_t syscalls[] = { {"syz_usb_disconnect", 0, (syscall_t)syz_usb_disconnect}, {"syz_usb_ep_read", 0, (syscall_t)syz_usb_ep_read}, {"syz_usb_ep_write", 0, (syscall_t)syz_usb_ep_write}, + {"syz_usb_ep_write$ath9k_ep1", 0, (syscall_t)syz_usb_ep_write}, + {"syz_usb_ep_write$ath9k_ep2", 0, (syscall_t)syz_usb_ep_write}, {"tee", 342}, {"tgkill", 268}, {"timer_create", 257}, @@ -15072,6 +15081,7 @@ const call_t syscalls[] = { {"syz_usb_connect$hid", 0, (syscall_t)syz_usb_connect}, {"syz_usb_connect$printer", 0, (syscall_t)syz_usb_connect}, {"syz_usb_connect$uac1", 0, (syscall_t)syz_usb_connect}, + {"syz_usb_connect_ath9k", 0, (syscall_t)syz_usb_connect_ath9k}, {"syz_usb_control_io", 0, (syscall_t)syz_usb_control_io}, {"syz_usb_control_io$cdc_ecm", 0, (syscall_t)syz_usb_control_io}, {"syz_usb_control_io$cdc_ncm", 0, (syscall_t)syz_usb_control_io}, @@ -15081,6 +15091,8 @@ const call_t syscalls[] = { {"syz_usb_disconnect", 0, (syscall_t)syz_usb_disconnect}, {"syz_usb_ep_read", 0, (syscall_t)syz_usb_ep_read}, {"syz_usb_ep_write", 0, (syscall_t)syz_usb_ep_write}, + {"syz_usb_ep_write$ath9k_ep1", 0, (syscall_t)syz_usb_ep_write}, + {"syz_usb_ep_write$ath9k_ep2", 0, (syscall_t)syz_usb_ep_write}, {"tee", 77}, {"tgkill", 131}, {"timer_create", 107}, @@ -18269,6 +18281,7 @@ const call_t syscalls[] = { {"syz_usb_connect$hid", 0, (syscall_t)syz_usb_connect}, {"syz_usb_connect$printer", 0, (syscall_t)syz_usb_connect}, {"syz_usb_connect$uac1", 0, (syscall_t)syz_usb_connect}, + {"syz_usb_connect_ath9k", 0, (syscall_t)syz_usb_connect_ath9k}, {"syz_usb_control_io", 0, (syscall_t)syz_usb_control_io}, {"syz_usb_control_io$cdc_ecm", 0, (syscall_t)syz_usb_control_io}, {"syz_usb_control_io$cdc_ncm", 0, (syscall_t)syz_usb_control_io}, 
@@ -18278,6 +18291,8 @@ const call_t syscalls[] = { {"syz_usb_disconnect", 0, (syscall_t)syz_usb_disconnect}, {"syz_usb_ep_read", 0, (syscall_t)syz_usb_ep_read}, {"syz_usb_ep_write", 0, (syscall_t)syz_usb_ep_write}, + {"syz_usb_ep_write$ath9k_ep1", 0, (syscall_t)syz_usb_ep_write}, + {"syz_usb_ep_write$ath9k_ep2", 0, (syscall_t)syz_usb_ep_write}, {"tee", 5265}, {"tgkill", 5225}, {"timer_create", 5216}, @@ -21572,6 +21587,7 @@ const call_t syscalls[] = { {"syz_usb_connect$hid", 0, (syscall_t)syz_usb_connect}, {"syz_usb_connect$printer", 0, (syscall_t)syz_usb_connect}, {"syz_usb_connect$uac1", 0, (syscall_t)syz_usb_connect}, + {"syz_usb_connect_ath9k", 0, (syscall_t)syz_usb_connect_ath9k}, {"syz_usb_control_io", 0, (syscall_t)syz_usb_control_io}, {"syz_usb_control_io$cdc_ecm", 0, (syscall_t)syz_usb_control_io}, {"syz_usb_control_io$cdc_ncm", 0, (syscall_t)syz_usb_control_io}, @@ -21581,6 +21597,8 @@ const call_t syscalls[] = { {"syz_usb_disconnect", 0, (syscall_t)syz_usb_disconnect}, {"syz_usb_ep_read", 0, (syscall_t)syz_usb_ep_read}, {"syz_usb_ep_write", 0, (syscall_t)syz_usb_ep_write}, + {"syz_usb_ep_write$ath9k_ep1", 0, (syscall_t)syz_usb_ep_write}, + {"syz_usb_ep_write$ath9k_ep2", 0, (syscall_t)syz_usb_ep_write}, {"tee", 284}, {"tgkill", 250}, {"time", 13}, |
