| Commit message | Author | Age | Files | Lines |
| |
Change the kernel patch and the syz-usbgen tool to split the extracted
USB IDs by the driver they belong to.
This will allow for a more precise patching of class/driver-specific
USB descriptors.
Also update USB IDs with Linux kernel 6.16.
|
Make it work on newer kernels.
|
I wanted to fuzz only one driver, so I've slightly changed
usb_ids.patch to print ids only for the needed driver:
So, I got the following vm log:
    syzkaller login: [ 34.303492] hid: USBID: 0300da0b79810000000000000000000000
    [ 34.303969] hid: USBID: 0300da0b79010000000000000000000000
    [ 34.304454] hid: USBID: 0300da0b79f10000000000000000000000
    [ 34.304988] hid: USBID: 0300b80779810000000000000000000000
    [ 34.305455] hid: USBID: 0300f60d76000000000000000000000000
    [ 34.305941] hid: USBID: 030001200f330000000000000000000000
    [ 34.306406] hid: USBID: 0300012010330000000000000000000000
    [ 34.306893] hid: USBID: 0300012011330000000000000000000000
    [ 34.307364] hid: USBID: 030001201b330000000000000000000000
    [ 34.307865] hid: USBID: 03006e0508400000000000000000000000
    [ 34.308349] hid: USBID: 030057230c010000000000000000000000
    [ 34.308847] hid: USBID: 0300572311010000000000000000000000
    [ 34.309328] hid: USBID: 03004e2c02010000000000000000000000
    [ 34.309826] hid: USBID: 0300050bf0180000000000000000000000
    [ 34.310307] hid: USBID: 0300927311b80000000000000000000000
    QEMU: Terminated
There are no HID devices in the log at all. Old syz-usbgen generates the
following init_vusb_ids.go:
    // Code generated by tools/syz-usbgen. DO NOT EDIT.
    // See docs/linux/external_fuzzing_usb.md

    package linux

    var usbIds = "\x03\x00\x01 \x0f3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x03\x00\x01 \x103\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x03\x00\x01 \x113\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x03\x00\x01 \x1b3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x03\x00\x05\v\xf0\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x03\x00N,\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x03\x00W#\f\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x03\x00W#\x11\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x03\x00n\x05\b@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x03\x00\x92s\x11\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x03\x00\xb8\ay\x81\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x03\x00\xda\vy\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x03\x00\xda\vy\x81\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x03\x00\xda\vy\xf1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x03\x00\xf6\rv\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

    var hidIds =
It obviously causes build errors:
    sys/linux/init_vusb_ids.go:23:1: syntax error: unexpected EOF, expecting expression
    make: *** [Makefile:172: mutate] Error 2
    make: *** Waiting for unfinished jobs....
    sys/linux/init_vusb_ids.go:23:1: syntax error: unexpected EOF, expecting expression
    make: *** [Makefile:175: prog2c] Error 2
    sys/linux/init_vusb_ids.go:23:1: syntax error: unexpected EOF, expecting expression
    sys/linux/init_vusb_ids.go:23:1: syntax error: unexpected EOF, expecting expression
    sys/linux/init_vusb_ids.go:23:1: syntax error: unexpected EOF, expecting expression
    make: *** [Makefile:169: repro] Error 2
Fix it by adding an empty string to the output when len(ids) is
equal to zero.
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
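The failure described in the commit message above, reproduced as an added example; this is not syz-usbgen's own code and not part of the commit. The helper names `extractIDs`, `genVar` and `parses` are hypothetical, and the sample log is constructed in the format quoted above; the generated source is checked with `go/parser`, so an empty ID list without the empty-string fallback is caught before it reaches the build.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"go/parser"
	"go/token"
	"regexp"
	"strings"
)

// Constructed sample in the format of the VM log quoted in the commit message.
const sampleLog = `[ 34.303492] hid: USBID: 0300da0b79810000000000000000000000
[ 34.305941] hid: USBID: 030001200f330000000000000000000000`
var usbIDRe = regexp.MustCompile(`USBID: ([0-9a-f]+)`)

// extractIDs (hypothetical) decodes the hex IDs found in a log.
func extractIDs(log string) (ids []string) {
	for _, m := range usbIDRe.FindAllStringSubmatch(log, -1) {
		if raw, err := hex.DecodeString(m[1]); err == nil {
			ids = append(ids, string(raw))
		}
	}
	return ids
}

// genVar (hypothetical) emits one string variable; emptyLiteral applies the fix.
func genVar(name string, ids []string, emptyLiteral bool) string {
	quoted := []string{}
	for _, id := range ids {
		quoted = append(quoted, fmt.Sprintf("%q", id))
	}
	if len(ids) == 0 && emptyLiteral {
		quoted = append(quoted, `""`) // without this, "var x = " is left dangling
	}
	return "var " + name + " = " + strings.Join(quoted, " +\n\t") + "\n\n"
}

// parses reports whether the generated file (usbIds + hidIds) is valid Go.
func parses(usb, hid []string, emptyLiteral bool) bool {
	src := "package linux\n\n" + genVar("usbIds", usb, emptyLiteral) + genVar("hidIds", hid, emptyLiteral)
	_, err := parser.ParseFile(token.NewFileSet(), "init_vusb_ids.go", src, 0)
	return err == nil
}

func main() {
	usb := extractIDs(sampleLog)
	fmt.Println(parses(usb, nil, false), parses(usb, nil, true)) // false true
}
```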
|
Previous patch causes build error on top of v5.14:
    error: ‘usb_bus_type’ undeclared (first use in this function); did you mean ‘hid_bus_type’?
    2299 | bus_for_each_drv(&usb_bus_type, NULL, NULL, usb_device_id_dump_driver);
         |                   ^~~~~~~~~~~~
         |                   hid_bus_type
Fix it by including drivers/usb/core/usb.h where usb_bus_type declaration
is. Also, removed duplicate is_usb_device_driver definition, since it's
already in drivers/usb/core/usb.h.
Tested locally on qemu
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
|
Update the copyright checking script and more files
for the standard convention of marking auto-generated files.
|
The patches are being upstreamed and the interface has changed.
|
The patch doesn't properly work on some kernels, some ids might not be printed.
|
The number of reported event types changed.
|
The interface is being upstreamed and the name has changed.
|
* sys/linux: extract USB HID ids
As it turns out the HID kernel subsystem registers only one USB driver that
checks that the interface of the connected device has HID class and then looks
up its own list of vendor/device ids to find a matching driver. This means
that we currently don't generate proper vendor/device ids for USB HID devices.
This patch updates the syz-usbgen tool to also extract USB HID vendor/device
ids from a running kernel and makes the generated descriptions for HID devices
to be patched using the extracted ids.
This patch also contains some minor improvements to USB descriptions
(better HID descriptions and more replies for some USB classes/drivers).
* sys/linux: run make generate
|
This commit adds syzkaller descriptions for USB fuzzing. The descriptions in
vusb.txt are written manually and cover different kinds of USB descriptors.
The descriptions in init_vusb_ids.go are generated automatically by the
syz-usbgen tool and contain the vendor, device and some other IDs that
map to different USB drivers.
|