| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| |
|
| |
Also simplify timeout related code a bit.
|
| |
|
|
|
| |
1. Change HID descriptions to allow devices to have two interrupt endpoints.
2. Remove unneeded responses to OUT control requests from descriptions.
3. Add some debugging code to detect and report missing descriptions.
|
| |
|
|
|
| |
We might not have any string descriptors provided at all, use a hardcoded
string in this case.
|
| |
|
|
|
| |
The kernel API has changed and now differentiates between IN and OUT
control requests.
|
| |
|
|
| |
syz_usb_ep_read reads data from USB endpoints other than #0.
|
| |
|
|
|
| |
This commit adds the necessary descriptions and executor adjustments to
enable targeted fuzzing of the enumeration process of USB HID devices.
|
| | |
|
| | |
|
| |
|
|
| |
Also move some code to helper functions.
|
| |
|
|
|
|
| |
Allow 2000 ms of waiting time for syz_usb_connect and and the same time for
the whole program is this syzkall is present. Allow 200 ms of waiting time
for syz_usb_disconnect. Remove sleep from syz_usb_control_io.
|
|
|
This commits implements 4 syzcalls: syz_usb_connect, syz_usb_io_control,
syz_usb_ep_write and syz_usb_disconnect. Those syzcalls are used to emit USB
packets through a custom GadgetFS-like interface (currently exposed at
/sys/kernel/debug/usb-fuzzer), which requires special kernel patches.
USB fuzzing support is quite basic, as it mostly covers only the USB device
enumeration process. Even though the syz_usb_ep_write syzcall does allow to
communicate with USB endpoints after the device has been enumerated, no
coverage is collected from that code yet.
|
